Summary (system call name followed by its occurrence count in the trace below; entries are laid out in ascending order of count):

NtAdjustPrivilegesToken(>) 1 NtDeleteAtom(>) 2 NtGdiBitBlt(>) 7 NtQueryInformationProcess(>) 15
NtCallbackReturn(>) 1 NtEnumerateKey(>) 2 NtGdiCreateDIBitmapInternal(>) 7 NtCreateSection(>) 17
NtCreateMutant(>) 1 NtGdiCreateSolidBrush(>) 2 NtGdiGetDCObject(>) 7 NtGdiDeleteObjectApp(>) 18
NtCreateProcessEx(>) 1 NtOpenDirectoryObject(>) 2 NtGdiGetDCforBitmap(>) 7 NtReadFile(>) 19
NtCreateThread(>) 1 NtOpenEvent(>) 2 NtGdiGetStockObject(>) 7 NtContinue(>) 20
NtDelayExecution(>) 1 NtOpenSymbolicLinkObject(>) 2 NtGdiRestoreDC(>) 7 NtQuerySystemInformation(>) 20
NtDuplicateToken(>) 1 NtQueryInstallUILanguage(>) 2 NtGdiSaveDC(>) 7 NtUserCallOneParam(>) 20
NtEnumerateValueKey(>) 1 NtQuerySymbolicLinkObject(>) 2 NtGdiSetDIBitsToDeviceInternal(>) 7 NtWaitForSingleObject(>) 21
NtGdiCreatePaletteInternal(>) 1 NtReadVirtualMemory(>) 2 NtOpenProcessToken(>) 7 NtFlushInstructionCache(>) 23
NtGdiInit(>) 1 NtTerminateProcess(>) 2 NtUserDestroyCursor(>) 7 NtWriteFile(>) 23
NtGdiQueryFontAssocInfo(>) 1 NtUserWaitForInputIdle(>) 2 NtUserSetCursorIconData(>) 7 NtOpenProcessTokenEx(>) 24
NtNotifyChangeKey(>) 1 NtAddAtom(>) 3 NtGdiCreateBitmap(>) 8 NtOpenThreadTokenEx(>) 24
NtOpenKeyedEvent(>) 1 NtCreateSemaphore(>) 3 NtQuerySection(>) 8 NtOpenSection(>) 25
NtOpenProcess(>) 1 NtDuplicateObject(>) 3 NtRequestWaitReplyPort(>) 8 NtOpenFile(>) 30
NtQueryInformationJobObject(>) 1 NtFreeVirtualMemory(>) 3 NtSetInformationThread(>) 8 NtQueryAttributesFile(>) 31
NtQueryObject(>) 1 NtGdiHfontCreate(>) 3 NtQueryDebugFilterState(>) 9 NtQueryInformationToken(>) 31
NtQuerySystemTime(>) 1 NtOpenMutant(>) 3 NtSetInformationFile(>) 9 NtMapViewOfSection(>) 37
NtRegisterThreadTerminatePort(>) 1 NtSetInformationObject(>) 3 NtCreateEvent(>) 10 NtReleaseMutant(>) 40
NtResumeThread(>) 1 NtFsControlFile(>) 4 NtGdiCreateCompatibleDC(>) 10 NtAllocateVirtualMemory(>) 41
NtSecureConnectPort(>) 1 NtOpenThreadToken(>) 4 NtGdiExtGetObjectW(>) 10 NtProtectVirtualMemory(>) 45
NtTestAlert(>) 1 NtSetValueKey(>) 4 NtQueryDirectoryFile(>) 10 NtUserUnregisterClass(>) 45
NtUserCallNoParam(>) 1 NtWriteVirtualMemory(>) 4 NtCreateFile(>) 11 NtQueryValueKey(>) 51
NtUserEnumDisplayMonitors(>) 1 NtUserRegisterWindowMessage(>) 5 NtUserGetDC(>) 11 NtGdiSelectBitmap(>) 57
NtUserGetKeyboardLayoutList(>) 1 NtCreateKey(>) 6 NtUnmapViewOfSection(>) 12 NtUserRegisterClassExWOW(>) 63
NtUserGetThreadDesktop(>) 1 NtQueryDefaultUILanguage(>) 6 NtQueryDefaultLocale(>) 13 NtUserGetClassInfo(>) 64
NtUserSetWindowsHookEx(>) 1 NtQueryVirtualMemory(>) 6 NtQueryInformationFile(>) 13 NtUserFindExistingCursorIcon(>) 72
NtAccessCheck(>) 2 NtQueryVolumeInformationFile(>) 6 NtUserSystemParametersInfo(>) 13 NtOpenKey(>) 112
NtCreateIoCompletion(>) 2 NtSetInformationProcess(>) 6 NtUserSelectPalette(>) 14 NtClose(>) 165

Trace (format per entry: sequence number, caller id — 424, which the later NtUserGetThreadDesktop(424, …) call and the LPC reply ClientId {420, 424} suggest is the thread id rather than the process id —, syscall name, input arguments, "..." then output values, "==" return status; an entry whose sequence number appears twice, e.g. 00186/00187, was interrupted by a nested call and completes at its second occurrence):

00001 424 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00002 424 NtOpenKeyedEvent (0x2000000, {24, 0, 0x0, 0, 0, (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0 00003 424 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00004 424 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0 00005 424 NtAllocateVirtualMemory (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0 00006 424 NtAllocateVirtualMemory (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0 00007 424 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00008 424 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0 00009 424 NtAllocateVirtualMemory (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0 00010 424 NtOpenDirectoryObject (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0 00011 424 NtOpenSymbolicLinkObject (0x1, {24, 8, 0x40, 0, 0, (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0 00012 424 NtQuerySymbolicLinkObject (12, ... (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0 00013 424 NtClose (12, ... 
) == 0x0 00014 424 NtOpenFile (0x100020, {24, 0, 0x42, 0, 0, (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0 00015 424 NtQueryVolumeInformationFile (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00016 424 NtFsControlFile (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER 00017 424 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00018 424 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0 00019 424 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0 00020 424 NtClose (16, ... ) == 0x0 00021 424 NtQuerySystemInformation (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0 00022 424 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00023 424 NtCreateSection (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0 00024 424 NtSecureConnectPort ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) == 0x0 00025 424 NtClose (16, ... ) == 0x0 00026 424 NtQueryObject (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0 00027 424 NtSetInformationObject (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0 00028 424 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00029 424 NtQueryVirtualMemory (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0 00030 424 NtAllocateVirtualMemory (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0 00031 424 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 0, 0, 0, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 420, 424, 1500, 0} "\20\311\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ) ... {28, 56, reply, 0, 420, 424, 1500, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 420, 424, 1500, 0} "\20\311\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ) ) == 0x0 00032 424 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00033 424 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0 00034 424 NtQueryValueKey (16, (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00035 424 NtClose (16, ... ) == 0x0 00036 424 NtAllocateVirtualMemory (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0 00037 424 NtOpenMutant (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0 00038 424 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 
28, ) == 0x0 00039 424 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0 00040 424 NtClose (28, ... ) == 0x0 00041 424 NtQueryDefaultLocale (0, 2012046252, ... ) == 0x0 00042 424 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0 00043 424 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 212992, ) == 0x0 00044 424 NtClose (28, ... ) == 0x0 00045 424 NtOpenSection (0x5, {24, 0, 0x40, 0, 0, (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0 00046 424 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0 00047 424 NtQuerySection (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0 00048 424 NtClose (28, ... ) == 0x0 00049 424 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0 00050 424 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0 00051 424 NtClose (28, ... ) == 0x0 00052 424 NtQueryVirtualMemory (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 00053 424 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00054 424 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00055 424 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... 
{28, 56, reply, 0, 420, 424, 1504, 0} "\240B\27\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ) ... {28, 56, reply, 0, 420, 424, 1504, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 420, 424, 1504, 0} "\240B\27\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ) ) == 0x0 00056 424 NtProtectVirtualMemory (-1, (0x31438000), 8192, 4, ... (0x31438000), 8192, 128, ) == 0x0 00057 424 NtProtectVirtualMemory (-1, (0x31438000), 8192, 128, ... (0x31438000), 8192, 4, ) == 0x0 00058 424 NtFlushInstructionCache (-1, 826507264, 8192, ... ) == 0x0 00059 424 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00060 424 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0 00061 424 NtClose (28, ... ) == 0x0 00062 424 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0 00063 424 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0 00064 424 NtClose (28, ... ) == 0x0 00065 424 NtProtectVirtualMemory (-1, (0x31438000), 8192, 4, ... (0x31438000), 8192, 64, ) == 0x0 00066 424 NtProtectVirtualMemory (-1, (0x31438000), 8192, 64, ... (0x31438000), 8192, 4, ) == 0x0 00067 424 NtFlushInstructionCache (-1, 826507264, 8192, ... ) == 0x0 00068 424 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "MSVCRT.dll"}, ... 28, ) }, ... 28, ) == 0x0 00069 424 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0 00070 424 NtClose (28, ... ) == 0x0 00071 424 NtProtectVirtualMemory (-1, (0x31438000), 8192, 4, ... (0x31438000), 8192, 64, ) == 0x0 00072 424 NtProtectVirtualMemory (-1, (0x31438000), 8192, 64, ... (0x31438000), 8192, 4, ) == 0x0 00073 424 NtFlushInstructionCache (-1, 826507264, 8192, ... 
) == 0x0 00074 424 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "USER32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00075 424 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0 00076 424 NtClose (28, ... ) == 0x0 00077 424 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00078 424 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0 00079 424 NtClose (28, ... ) == 0x0 00080 424 NtProtectVirtualMemory (-1, (0x31438000), 8192, 4, ... (0x31438000), 8192, 64, ) == 0x0 00081 424 NtProtectVirtualMemory (-1, (0x31438000), 8192, 64, ... (0x31438000), 8192, 4, ) == 0x0 00082 424 NtFlushInstructionCache (-1, 826507264, 8192, ... ) == 0x0 00083 424 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WININET.dll"}, ... 28, ) }, ... 28, ) == 0x0 00084 424 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76200000), 0x0, 618496, ) == 0x0 00085 424 NtClose (28, ... ) == 0x0 00086 424 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 28, ) }, ... 28, ) == 0x0 00087 424 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x772d0000), 0x0, 405504, ) == 0x0 00088 424 NtClose (28, ... ) == 0x0 00089 424 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "CRYPT32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00090 424 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762c0000), 0x0, 565248, ) == 0x0 00091 424 NtClose (28, ... ) == 0x0 00092 424 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "MSASN1.dll"}, ... 28, ) }, ... 28, ) == 0x0 00093 424 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762a0000), 0x0, 61440, ) == 0x0 00094 424 NtClose (28, ... ) == 0x0 00095 424 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "OLEAUT32.dll"}, ... 28, ) }, ... 
28, ) == 0x0 00096 424 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0 00097 424 NtClose (28, ... ) == 0x0 00098 424 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "OLE32.DLL"}, ... 28, ) }, ... 28, ) == 0x0 00099 424 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0 00100 424 NtClose (28, ... ) == 0x0 00101 424 NtProtectVirtualMemory (-1, (0x31438000), 8192, 4, ... (0x31438000), 8192, 64, ) == 0x0 00102 424 NtProtectVirtualMemory (-1, (0x31438000), 8192, 64, ... (0x31438000), 8192, 4, ) == 0x0 00103 424 NtFlushInstructionCache (-1, 826507264, 8192, ... ) == 0x0 00104 424 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00105 424 NtAllocateVirtualMemory (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0 00106 424 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1242624, ... ) }, 1242624, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00107 424 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WS2_32.dll"}, 1242624, ... ) }, 1242624, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00108 424 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 1242624, ... ) }, 1242624, ... ) == 0x0 00109 424 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0 00110 424 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 28, ... 32, ) == 0x0 00111 424 NtQuerySection (32, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00112 424 NtOpenProcessToken (-1, 0x8, ... 36, ) == 0x0 00113 424 NtQueryInformationToken (36, User, 136, ... 
{token info, class 1, size 36}, 36, ) == 0x0 00114 424 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00115 424 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 40, ) }, ... 40, ) == 0x0 00116 424 NtQueryValueKey (40, (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00117 424 NtClose (40, ... ) == 0x0 00118 424 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00119 424 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 40, ) == 0x0 00120 424 NtQueryInformationToken (40, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00121 424 NtClose (40, ... ) == 0x0 00122 424 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00123 424 NtClose (36, ... ) == 0x0 00124 424 NtClose (28, ... ) == 0x0 00125 424 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 86016, ) == 0x0 00126 424 NtClose (32, ... ) == 0x0 00127 424 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00128 424 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1241820, ... ) }, 1241820, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00129 424 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WS2HELP.dll"}, 1241820, ... ) }, 1241820, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00130 424 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 1241820, ... ) }, 1241820, ... ) == 0x0 00131 424 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 5, 96, ... 32, {status=0x0, info=1}, ) }, 5, 96, ... 32, {status=0x0, info=1}, ) == 0x0 00132 424 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 32, ... 28, ) == 0x0 00133 424 NtQuerySection (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00134 424 NtClose (32, ... ) == 0x0 00135 424 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0 00136 424 NtClose (28, ... ) == 0x0 00137 424 NtProtectVirtualMemory (-1, (0x31438000), 8192, 4, ... (0x31438000), 8192, 64, ) == 0x0 00138 424 NtProtectVirtualMemory (-1, (0x31438000), 8192, 64, ... (0x31438000), 8192, 4, ) == 0x0 00139 424 NtFlushInstructionCache (-1, 826507264, 8192, ... ) == 0x0 00140 424 NtOpenProcessToken (-1, 0x8, ... 28, ) == 0x0 00141 424 NtQueryInformationToken (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00142 424 NtClose (28, ... ) == 0x0 00143 424 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0 00144 424 NtQueryValueKey (28, (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00145 424 NtClose (28, ... ) == 0x0 00146 424 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0 00147 424 NtQueryValueKey (28, (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... 
TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00148 424 NtQueryValueKey (28, (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00149 424 NtClose (28, ... ) == 0x0 00150 424 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0 00151 424 NtQueryValueKey (28, (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00152 424 NtClose (28, ... ) == 0x0 00153 424 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0 00154 424 NtSetInformationObject (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0 00155 424 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00156 424 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00157 424 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 3276800, 65536, ) == 0x0 00158 424 NtAllocateVirtualMemory (-1, 3276800, 0, 4096, 4096, 4, ... 3276800, 4096, ) == 0x0 00159 424 NtAllocateVirtualMemory (-1, 3280896, 0, 8192, 4096, 4, ... 3280896, 8192, ) == 0x0 00160 424 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 32, ) }, ... 
32, ) == 0x0 00161 424 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x330000), 0x0, 12288, ) == 0x0 00162 424 NtClose (32, ... ) == 0x0 00163 424 NtAllocateVirtualMemory (-1, 3289088, 0, 4096, 4096, 4, ... 3289088, 4096, ) == 0x0 00164 424 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00165 424 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1243120, 256, 1242864, 256} (24, {28, 56, new_msg, 0, 1243120, 256, 1242864, 256} "\210\6\31\1\0\0\0\0\1\0\0\0\360\367\22\0\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 420, 424, 1515, 0} "XQ\26\0\0\0\0\0\0\0\0\0\360\367\22\0\3\0\0\0\234\6\31\1$\1\0\0" ) ... {28, 56, reply, 0, 420, 424, 1515, 0} (24, {28, 56, new_msg, 0, 1243120, 256, 1242864, 256} "\210\6\31\1\0\0\0\0\1\0\0\0\360\367\22\0\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 420, 424, 1515, 0} "XQ\26\0\0\0\0\0\0\0\0\0\360\367\22\0\3\0\0\0\234\6\31\1$\1\0\0" ) ) == 0x0 00166 424 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00167 424 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x410000), 0x0, 1060864, ) == 0x0 00168 424 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 36, ) == 0x0 00169 424 NtOpenThreadTokenEx (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN 00170 424 NtOpenProcessTokenEx (-1, 0x8, 512, ... -2147482020, ) == 0x0 00171 424 NtQueryInformationToken (-2147482020, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL 00172 424 NtQueryInformationToken (-2147482020, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00173 424 NtClose (-2147482020, ... 
) == 0x0 00174 424 NtAllocateVirtualMemory (-1, 0, 0, 32, 4096, 4, ... 5373952, 4096, ) == 0x0 00175 424 NtFreeVirtualMemory (-1, (0x520000), 4096, 32768, ... (0x520000), 4096, ) == 0x0 00176 424 NtDuplicateObject (-1, 40, -1, 0x0, 0, 2, ... 48, ) == 0x0 00177 424 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00178 424 NtQueryValueKey (-2147482020, (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00179 424 NtClose (-2147482020, ... ) == 0x0 00180 424 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00181 424 NtQueryValueKey (-2147482020, (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00182 424 NtClose (-2147482020, ... ) == 0x0 00183 424 NtQueryDefaultLocale (0, -136312308, ... ) == 0x0 00184 424 NtGdiQueryFontAssocInfo (0, ... ) == 0x0 00185 424 NtUserCallNoParam (24, ... ) == 0x0 00186 424 NtGdiCreateCompatibleDC (0, ... 00187 424 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 5373952, 4096, ) == 0x0 00186 424 NtGdiCreateCompatibleDC ... ) == 0x14010320 00188 424 NtGdiGetStockObject (0, ... ) == 0x1900010 00189 424 NtGdiGetStockObject (4, ... ) == 0x1900011 00190 424 NtGdiCreateBitmap (8, 8, 1, 1, 2010393708, ... ) == 0x13050404 00191 424 NtGdiCreateSolidBrush (0, 0, ... 00192 424 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 8585216, 4096, ) == 0x0 00191 424 NtGdiCreateSolidBrush ... ) == 0xe10040a 00193 424 NtGdiGetStockObject (13, ... ) == 0x18a0021 00194 424 NtGdiCreateCompatibleDC (0, ... ) == 0x70010384 00195 424 NtGdiSelectBitmap (1879114628, 319095812, ... ) == 0x185000f 00196 424 NtUserGetThreadDesktop (424, 0, ... 
) == 0x2c 00197 424 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 52, ) }, ... 52, ) == 0x0 00198 424 NtQueryValueKey (52, (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 00199 424 NtClose (52, ... ) == 0x0 00200 424 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00201 424 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 673, 128, 0, ... ) == 0x810cc017 00202 424 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00203 424 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 674, 128, 0, ... ) == 0x810cc01c 00204 424 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00205 424 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 675, 128, 0, ... ) == 0x810cc01e 00206 424 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00207 424 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 676, 128, 0, ... ) == 0x810c8002 00208 424 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10013 00209 424 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 677, 128, 0, ... ) == 0x810cc018 00210 424 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00211 424 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 678, 128, 0, ... ) == 0x810cc01a 00212 424 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00213 424 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 679, 128, 0, ... ) == 0x810cc01d 00214 424 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00215 424 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 681, 128, 0, ... 
) == 0x810cc026 00216 424 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00217 424 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 680, 128, 0, ... ) == 0x810cc019 00218 424 NtUserRegisterClassExWOW (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... 00219 424 NtAllocateVirtualMemory (-1, 5533696, 0, 4096, 4096, 32, ... 5533696, 4096, ) == 0x0 00218 424 NtUserRegisterClassExWOW ... ) == 0x810cc020 00220 424 NtUserRegisterClassExWOW (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810cc022 00221 424 NtUserRegisterClassExWOW (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810cc023 00222 424 NtUserRegisterClassExWOW (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810cc024 00223 424 NtUserRegisterClassExWOW (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810cc025 00224 424 NtCallbackReturn (0, 0, 0, ... 00225 424 NtGdiInit (... ) == 0x1 00226 424 NtGdiGetStockObject (18, ... ) == 0x290001c 00227 424 NtGdiGetStockObject (19, ... ) == 0x1b00019 00228 424 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00229 424 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\crypt32\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00230 424 NtAllocateVirtualMemory (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0 00231 424 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 52, ) }, ... 52, ) == 0x0 00232 424 NtQueryValueKey (52, (52, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00233 424 NtClose (52, ... ) == 0x0 00234 424 NtAllocateVirtualMemory (-1, 1331200, 0, 4096, 4096, 4, ... 
1331200, 4096, ) == 0x0 00235 424 NtAllocateVirtualMemory (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0 00236 424 NtAllocateVirtualMemory (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0 00237 424 NtOpenDirectoryObject (0x2000f, {24, 0, 0x40, 0, 0, (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 52, ) }, ... 52, ) == 0x0 00238 424 NtCreateEvent (0x1f0003, {24, 52, 0x80, 1243532, 0, (0x1f0003, {24, 52, 0x80, 1243532, 0, "Global\crypt32LogoffEvent"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED 00239 424 NtOpenEvent (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "Global\crypt32LogoffEvent"}, ... 56, ) }, ... 56, ) == 0x0 00240 424 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00241 424 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00242 424 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 60, ) }, ... 60, ) == 0x0 00243 424 NtQueryValueKey (60, (60, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (60, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0 00244 424 NtClose (60, ... ) == 0x0 00245 424 NtAllocateVirtualMemory (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0 00246 424 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00247 424 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00248 424 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00249 424 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00250 424 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 60, ) }, ... 60, ) == 0x0 00251 424 NtQueryValueKey (60, (60, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00252 424 NtQueryValueKey (60, (60, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00253 424 NtQueryValueKey (60, (60, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00254 424 NtClose (60, ... ) == 0x0 00255 424 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 60, ) }, ... 60, ) == 0x0 00256 424 NtQueryValueKey (60, (60, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00257 424 NtQueryValueKey (60, (60, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00258 424 NtClose (60, ... 
) == 0x0 00259 424 NtOpenEvent (0x1f0003, {24, 52, 0x0, 0, 0, (0x1f0003, {24, 52, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00260 424 NtUserRegisterWindowMessage ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b 00261 424 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00262 424 NtOpenKey (0x9, {24, 28, 0x40, 0, 0, (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00263 424 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00264 424 NtAllocateVirtualMemory (-1, 1347584, 0, 8192, 4096, 4, ... 1347584, 8192, ) == 0x0 00265 424 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00266 424 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 60, ) == 0x0 00267 424 NtQueryInformationToken (60, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00268 424 NtClose (60, ... ) == 0x0 00269 424 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 60, ) }, ... 60, ) == 0x0 00270 424 NtSetInformationObject (60, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0 00271 424 NtCreateKey (0xf003f, {24, 60, 0x40, 0, 0, (0xf003f, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History"}, 0, 0x0, 0, ... 64, 2, ) }, 0, 0x0, 0, ... 64, 2, ) == 0x0 00272 424 NtQueryDefaultUILanguage (1241768, ... 00273 424 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00274 424 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482020, ) == 0x0 00275 424 NtQueryInformationToken (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00276 424 NtClose (-2147482020, ... 
) == 0x0 00277 424 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00278 424 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00279 424 NtOpenKey (0x80000000, {24, -2147482020, 0x640, 0, 0, (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 00280 424 NtQueryValueKey (-2147482032, (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00281 424 NtClose (-2147482032, ... ) == 0x0 00282 424 NtClose (-2147482020, ... ) == 0x0 00272 424 NtQueryDefaultUILanguage ... ) == 0x0 00283 424 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00284 424 NtQueryInstallUILanguage (2012047340, ... ) == 0x0 00285 424 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll"}, 1, 96, ... 68, {status=0x0, info=1}, ) }, 1, 96, ... 68, {status=0x0, info=1}, ) == 0x0 00286 424 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 68, ... 72, ) == 0x0 00287 424 NtMapViewOfSection (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x840000), 0x0, 593920, ) == 0x0 00288 424 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00289 424 NtQueryDefaultUILanguage (2013024600, ... 00290 424 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00291 424 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 
-2147482020, ) == 0x0 00292 424 NtQueryInformationToken (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00293 424 NtClose (-2147482020, ... ) == 0x0 00294 424 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00295 424 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00296 424 NtOpenKey (0x80000000, {24, -2147482020, 0x640, 0, 0, (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 00297 424 NtQueryValueKey (-2147482032, (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00298 424 NtClose (-2147482032, ... ) == 0x0 00299 424 NtClose (-2147482020, ... ) == 0x0 00289 424 NtQueryDefaultUILanguage ... ) == 0x0 00300 424 NtAllocateVirtualMemory (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0 00301 424 NtQueryInstallUILanguage (2013024602, ... ) == 0x0 00302 424 NtQueryDefaultLocale (1, 1239804, ... ) == 0x0 00303 424 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00304 424 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1240660, 1, 96, 0} (24, {128, 156, new_msg, 0, 1240660, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1D\0\0\0\377\377\377\377\0\0\0\0P\275\213\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0T\365\22\0\0\0\0\0" ... 
{128, 156, reply, 0, 420, 424, 1518, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1D\0\0\0\377\377\377\377\0\0\0\0P\275\213\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0T\365\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 420, 424, 1518, 0} (24, {128, 156, new_msg, 0, 1240660, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1D\0\0\0\377\377\377\377\0\0\0\0P\275\213\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0T\365\22\0\0\0\0\0" ... {128, 156, reply, 0, 420, 424, 1518, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1D\0\0\0\377\377\377\377\0\0\0\0P\275\213\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0T\365\22\0\0\0\0\0" ) ) == 0x0 00305 424 NtClose (68, ... ) == 0x0 00306 424 NtClose (72, ... ) == 0x0 00307 424 NtUnmapViewOfSection (-1, 0x840000, ... ) == 0x0 00308 424 NtUnmapViewOfSection (-1, 0x12f554, ... ) == STATUS_NOT_MAPPED_VIEW 00309 424 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00310 424 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00311 424 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00312 424 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00313 424 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1238344, ... ) }, 1238344, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00314 424 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00315 424 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00316 424 NtQueryDebugFilterState (53, 2, ... 
) == 0x0 00317 424 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1238936, ... ) }, 1238936, ... ) == 0x0 00318 424 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 72, {status=0x0, info=1}, ) }, 3, 33, ... 72, {status=0x0, info=1}, ) == 0x0 00319 424 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00320 424 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0 00321 424 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 68, ... 76, ) == 0x0 00322 424 NtClose (68, ... ) == 0x0 00323 424 NtMapViewOfSection (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x8f0000), 0x0, 921600, ) == 0x0 00324 424 NtClose (76, ... ) == 0x0 00325 424 NtUnmapViewOfSection (-1, 0x8f0000, ... ) == 0x0 00326 424 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 76, {status=0x0, info=1}, ) }, 5, 96, ... 76, {status=0x0, info=1}, ) == 0x0 00327 424 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 76, ... 68, ) == 0x0 00328 424 NtQuerySection (68, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00329 424 NtClose (76, ... ) == 0x0 00330 424 NtMapViewOfSection (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0 00331 424 NtClose (68, ... ) == 0x0 00332 424 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00333 424 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... 
(0x71951000), 4096, 4, ) == 0x0 00334 424 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00335 424 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00336 424 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00337 424 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00338 424 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00339 424 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00340 424 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00341 424 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00342 424 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00343 424 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00344 424 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00345 424 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00346 424 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00347 424 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00348 424 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00349 424 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00350 424 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00351 424 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00352 424 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00353 424 NtAddAtom ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1240120, ... ) , 42, 1240120, ... ) == 0x0 00354 424 NtQueryDefaultUILanguage (1238836, ... 00355 424 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... 
) == STATUS_NO_TOKEN 00356 424 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482020, ) == 0x0 00357 424 NtQueryInformationToken (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00358 424 NtClose (-2147482020, ... ) == 0x0 00359 424 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00360 424 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00361 424 NtOpenKey (0x80000000, {24, -2147482020, 0x640, 0, 0, (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 00362 424 NtQueryValueKey (-2147482032, (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00363 424 NtClose (-2147482032, ... ) == 0x0 00364 424 NtClose (-2147482020, ... ) == 0x0 00354 424 NtQueryDefaultUILanguage ... ) == 0x0 00365 424 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00366 424 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1237688, ... ) }, 1237688, ... ) == 0x0 00367 424 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0 00368 424 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 68, ... 76, ) == 0x0 00369 424 NtClose (68, ... ) == 0x0 00370 424 NtMapViewOfSection (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x840000), 0x0, 4096, ) == 0x0 00371 424 NtClose (76, ... ) == 0x0 00372 424 NtUnmapViewOfSection (-1, 0x840000, ... 
) == 0x0 00373 424 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1237328, ... ) }, 1237328, ... ) == 0x0 00374 424 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1238028, (0x80100080, {24, 0, 0x40, 0, 1238028, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 76, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 76, {status=0x0, info=1}, ) == 0x0 00375 424 NtCreateSection (0xf0005, 0x0, 0x0, 2, 134217728, 76, ... 68, ) == 0x0 00376 424 NtClose (76, ... ) == 0x0 00377 424 NtMapViewOfSection (68, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x840000), {0, 0}, 4096, ) == 0x0 00378 424 NtClose (68, ... ) == 0x0 00379 424 NtUnmapViewOfSection (-1, 0x840000, ... ) == 0x0 00380 424 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 68, {status=0x0, info=1}, ) }, 1, 96, ... 68, {status=0x0, info=1}, ) == 0x0 00381 424 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 68, ... 76, ) == 0x0 00382 424 NtMapViewOfSection (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x840000), 0x0, 4096, ) == 0x0 00383 424 NtQueryInformationFile (68, 1237648, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0 00384 424 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00385 424 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1237728, 1, 96, 0} (24, {128, 156, new_msg, 0, 1237728, 1, 96, 0} "\210\6\31\1\33\0\1\0\2405\37[\2319\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\340\351\22\0\0\0\0\0" ... 
{128, 156, reply, 0, 420, 424, 1519, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2319\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\340\351\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 420, 424, 1519, 0} (24, {128, 156, new_msg, 0, 1237728, 1, 96, 0} "\210\6\31\1\33\0\1\0\2405\37[\2319\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\340\351\22\0\0\0\0\0" ... {128, 156, reply, 0, 420, 424, 1519, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2319\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\340\351\22\0\0\0\0\0" ) ) == 0x0 00386 424 NtClose (68, ... ) == 0x0 00387 424 NtClose (76, ... ) == 0x0 00388 424 NtUnmapViewOfSection (-1, 0x840000, ... ) == 0x0 00389 424 NtUnmapViewOfSection (-1, 0x12e9e0, ... ) == STATUS_NOT_MAPPED_VIEW 00390 424 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00391 424 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 00392 424 NtUserSystemParametersInfo (104, 0, 1906151468, 0, ... ) == 0x1 00393 424 NtUserGetDC (0, ... ) == 0x1010053 00394 424 NtUserCallOneParam (16842835, 56, ... ) == 0x1 00395 424 NtUserSystemParametersInfo (38, 4, 1906153440, 0, ... ) == 0x1 00396 424 NtUserSystemParametersInfo (66, 12, 1240140, 0, ... ) == 0x1 00397 424 NtOpenProcessToken (-1, 0x8, ... 76, ) == 0x0 00398 424 NtAccessCheck (1344424, 76, 0x1, 1239544, 1239488, 56, 1239572, ... ) == STATUS_NO_IMPERSONATION_TOKEN 00399 424 NtClose (76, ... 
) == 0x0 00400 424 NtOpenKey (0x20019, {24, 60, 0x40, 0, 0, (0x20019, {24, 60, 0x40, 0, 0, "Control Panel\Desktop"}, ... 76, ) }, ... 76, ) == 0x0 00401 424 NtQueryValueKey (76, (76, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00402 424 NtClose (76, ... ) == 0x0 00403 424 NtUserSystemParametersInfo (41, 500, 1239640, 0, ... ) == 0x1 00404 424 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 76, ) }, ... 76, ) == 0x0 00405 424 NtQueryValueKey (76, (76, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00406 424 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 68, ) }, ... 68, ) == 0x0 00407 424 NtQueryValueKey (68, (68, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00408 424 NtClose (68, ... ) == 0x0 00409 424 NtClose (76, ... ) == 0x0 00410 424 NtUserSystemParametersInfo (102, 0, 1906153328, 0, ... ) == 0x1 00411 424 NtUserSystemParametersInfo (4130, 0, 1240164, 0, ... ) == 0x1 00412 424 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 76, ) }, ... 76, ) == 0x0 00413 424 NtEnumerateValueKey (76, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 00414 424 NtClose (76, ... ) == 0x0 00415 424 NtUserFindExistingCursorIcon (1239448, 1239464, 1240032, ... ) == 0x10011 00416 424 NtUserRegisterClassExWOW (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810cc03b 00417 424 NtUserRegisterClassExWOW (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810cc03d 00418 424 NtUserFindExistingCursorIcon (1239444, 1239460, 1240028, ... ) == 0x10011 00419 424 NtUserRegisterClassExWOW (1239896, 1239976, 1239960, 1239992, 0, 384, 0, ... 
) == 0x810cc03f 00420 424 NtUserFindExistingCursorIcon (1239448, 1239464, 1240032, ... ) == 0x10011 00421 424 NtUserRegisterClassExWOW (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810cc041 00422 424 NtUserFindExistingCursorIcon (1239448, 1239464, 1240032, ... ) == 0x10011 00423 424 NtUserRegisterClassExWOW (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810cc043 00424 424 NtUserRegisterClassExWOW (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810cc045 00425 424 NtUserFindExistingCursorIcon (1239448, 1239464, 1240032, ... ) == 0x10011 00426 424 NtUserRegisterClassExWOW (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810cc047 00427 424 NtUserFindExistingCursorIcon (1239444, 1239460, 1240028, ... ) == 0x10011 00428 424 NtUserRegisterClassExWOW (1239896, 1239976, 1239960, 1239992, 0, 384, 0, ... ) == 0x810cc049 00429 424 NtUserGetClassInfo (1905590272, 1240060, 1240012, 1240088, 0, ... ) == 0xc049 00430 424 NtUserFindExistingCursorIcon (1239448, 1239464, 1240032, ... ) == 0x10011 00431 424 NtUserRegisterClassExWOW (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810cc04b 00432 424 NtUserFindExistingCursorIcon (1239448, 1239464, 1240032, ... ) == 0x10011 00433 424 NtUserRegisterClassExWOW (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810cc04d 00434 424 NtUserFindExistingCursorIcon (1239448, 1239464, 1240032, ... ) == 0x10011 00435 424 NtUserRegisterClassExWOW (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810cc04f 00436 424 NtUserRegisterClassExWOW (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810cc051 00437 424 NtUserFindExistingCursorIcon (1239448, 1239464, 1240032, ... ) == 0x10011 00438 424 NtUserRegisterClassExWOW (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810cc053 00439 424 NtUserFindExistingCursorIcon (1239444, 1239460, 1240028, ... ) == 0x10011 00440 424 NtUserRegisterClassExWOW (1239896, 1239976, 1239960, 1239992, 0, 384, 0, ... 
) == 0x810cc055 00441 424 NtUserRegisterClassExWOW (1239896, 1239976, 1239960, 1239992, 0, 384, 0, ... ) == 0x810cc057 00442 424 NtUserFindExistingCursorIcon (1239448, 1239464, 1240032, ... ) == 0x10011 00443 424 NtUserRegisterClassExWOW (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810cc059 00444 424 NtUserFindExistingCursorIcon (1239448, 1239464, 1240032, ... ) == 0x10013 00445 424 NtUserRegisterClassExWOW (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810cc05b 00446 424 NtUserFindExistingCursorIcon (1239448, 1239464, 1240032, ... ) == 0x10011 00447 424 NtUserRegisterClassExWOW (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810cc05d 00448 424 NtUserFindExistingCursorIcon (1239448, 1239464, 1240032, ... ) == 0x10011 00449 424 NtUserRegisterClassExWOW (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810cc05f 00450 424 NtUserFindExistingCursorIcon (1239444, 1239460, 1240028, ... ) == 0x10011 00451 424 NtUserRegisterClassExWOW (1239896, 1239976, 1239960, 1239992, 0, 384, 0, ... ) == 0x810cc017 00452 424 NtUserFindExistingCursorIcon (1239444, 1239460, 1240028, ... ) == 0x10011 00453 424 NtUserRegisterClassExWOW (1239896, 1239976, 1239960, 1239992, 0, 384, 0, ... ) == 0x810cc019 00454 424 NtUserFindExistingCursorIcon (1239444, 1239460, 1240028, ... ) == 0x10013 00455 424 NtUserRegisterClassExWOW (1239896, 1239976, 1239960, 1239992, 0, 384, 0, ... ) == 0x810cc018 00456 424 NtUserFindExistingCursorIcon (1239448, 1239464, 1240032, ... ) == 0x10011 00457 424 NtUserRegisterClassExWOW (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810cc01a 00458 424 NtUserFindExistingCursorIcon (1239444, 1239460, 1240028, ... ) == 0x10011 00459 424 NtUserRegisterClassExWOW (1239896, 1239976, 1239960, 1239992, 0, 384, 0, ... 00460 424 NtAllocateVirtualMemory (-1, 5537792, 0, 4096, 4096, 32, ... 5537792, 4096, ) == 0x0 00459 424 NtUserRegisterClassExWOW ... 
) == 0x810cc01c 00461 424 NtUserFindExistingCursorIcon (1239448, 1239464, 1240032, ... ) == 0x10011 00462 424 NtUserRegisterClassExWOW (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810cc01e 00463 424 NtUserFindExistingCursorIcon (1239444, 1239460, 1240028, ... ) == 0x10011 00464 424 NtUserRegisterClassExWOW (1239956, 1240036, 1240020, 1240052, 0, 384, 0, ... ) == 0x810cc01b 00465 424 NtUserFindExistingCursorIcon (1239440, 1239456, 1240024, ... ) == 0x10011 00466 424 NtUserRegisterClassExWOW (1239952, 1240032, 1240016, 1240048, 0, 384, 0, ... ) == 0x810cc068 00467 424 NtUserFindExistingCursorIcon (1239448, 1239464, 1240032, ... ) == 0x10011 00468 424 NtUserRegisterClassExWOW (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810cc06a 00469 424 NtCreateKey (0x2001f, {24, 60, 0x40, 0, 0, (0x2001f, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 76, 2, ) }, 0, 0x0, 0, ... 76, 2, ) == 0x0 00470 424 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00471 424 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00472 424 NtTestAlert (... ) == 0x0 00473 424 NtContinue (1244464, 1, ... 00474 424 NtSetInformationThread (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x3143a000,}, 4, ... ) == 0x0 00475 424 NtOpenKey (0x20019, {24, 60, 0x40, 0, 0, (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, ... 68, ) }, ... 68, ) == 0x0 00476 424 NtQueryValueKey (68, (68, "PINF", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00477 424 NtClose (68, ... 
) == 0x0 00478 424 NtAllocateVirtualMemory (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0 00479 424 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1234112, (0x80100080, {24, 0, 0x40, 0, 1234112, "\??\u:\work\packed.exe"}, 0x0, 1, 1, 1, 96, 0, 0, ... 68, {status=0x0, info=1}, ) }, 0x0, 1, 1, 1, 96, 0, 0, ... 68, {status=0x0, info=1}, ) == 0x0 00480 424 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp"}, 1233828, ... ) }, 1233828, ... ) == 0x0 00481 424 NtRequestWaitReplyPort (24, {20, 48, new_msg, 0, 1354040, 1354584, 1234168, 0} (24, {20, 48, new_msg, 0, 1354040, 1354584, 1234168, 0} "\0\0\0\0\2\0\1\0\225\0\0\0\0\0\0\0\215\26\365w" ... {20, 48, reply, 0, 420, 424, 1520, 0} "\0\0\0\0\2\0\1\0\1\0\0\0\0\0\0\0\1\0\0\0" ) ... {20, 48, reply, 0, 420, 424, 1520, 0} (24, {20, 48, new_msg, 0, 1354040, 1354584, 1234168, 0} "\0\0\0\0\2\0\1\0\225\0\0\0\0\0\0\0\215\26\365w" ... {20, 48, reply, 0, 420, 424, 1520, 0} "\0\0\0\0\2\0\1\0\1\0\0\0\0\0\0\0\1\0\0\0" ) ) == 0x0 00482 424 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1233836, (0x80100080, {24, 0, 0x40, 0, 1233836, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\yka1.tmp"}, 0x0, 128, 0, 2, 96, 0, 0, ... 80, {status=0x0, info=2}, ) }, 0x0, 128, 0, 2, 96, 0, 0, ... 80, {status=0x0, info=2}, ) == 0x0 00483 424 NtClose (80, ... ) == 0x0 00484 424 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1234112, (0xc0100080, {24, 0, 0x40, 0, 1234112, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\yka1.tmp"}, 0x0, 128, 1, 5, 96, 0, 0, ... }, 0x0, 128, 1, 5, 96, 0, 0, ... 00485 424 NtClose (-2147482020, ... ) == 0x0 00484 424 NtCreateFile ... 80, {status=0x0, info=3}, ) == 0x0 00486 424 NtSetInformationFile (68, 1234204, 8, Position, ... {status=0x0, info=0}, ) == 0x0 00487 424 NtReadFile (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, (68, 0, 0, 0, 10240, 0x0, 0, ... 
{status=0x0, info=10240}, "(7f\0gm6\0am9\0\232\2226\0\335m6\0em6\0%m,\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0eo6\0\337}6\16z\331?\315D\3257L\250L\246\2201\5_sE\35Do\2\37WmE\0Cs\21MTeE\37CnE\30Xd\0\37\26W\14\3\52hg\227em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0em6\0", ) , ) == 0x0 00488 424 NtWriteFile (80, 0, 0, 0, (80, 0, 0, 0, "MZP\0\2\0\0\0\4\0\17\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\32\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\272\20\0\16\37\264\11\315!\270\1L\315!\220\220This program must be run under Win32\15\12$7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0 00489 424 NtReadFile (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, (68, 0, 0, 0, 10240, 0x0, 0, ... 
{status=0x0, info=10240}, "i\222&\377q\222\232\3<,qU\321\246 Y\250lk\364f%Y\354\361\360,\6(\17)\\302\341W-b\31\317\231?\4\301\210\16!\336\236\310\245\13\275P\2741r\252d\357\203/\11\375\332U\211\340\21\355d/w\241I\346\366\275qS\303uUEL3\0MeR\235V\243A\25\351\335^Wy\12j\211Aw\356HK\32n\35h\24\3120mO\350w\337\275\7\366\220M%y\5\362"lq\330\222\2055g\27]5z\220}\373Z\25\335\241\360\332\1D.\223w\225IC\241\211&I\201k^O0\305\330<`\270/c\251e\314\202\235YY6D\266fd\2255\106v\351W\31"\214\261l\203\376\3106\241\313\320u\303D\360o\211\342\240%f+`\267\74"d\2347\21\346<\372\234`\203\265\33\251\2536gL\273\3460\314F\252SKwvW c\337\1PY\342\220\377\267\372Iph\33\314A\177\26_\260\313\372@\\211\272\343\315\301\32\271%f\366\264k9V\24\241\357a\24\226{k\3\31\325Z\301\15\3150E\325\320\373\316\315\314\16\203\355[0%E\356\21\213'nf9\333\246\34\255Mh\24\232\222\274\326\325\317`\37\365}+\313$Ugl\323II\212\274\201\273M\211\236f\33&\333\220\274'N\336y\215\332\177\263X\211\20\344=f\275\11\335\266C\2guR\233\351\305\277B=c`\204\301\213\245\\202*4%%?s\3>\330^\376zk\22\360"\13u\273n-by\323Y7\262p\7\206\17\321\273,B\244}\2037I\226\12i$A\241\345\3\27\16\213(,s\334\271b\270\266\207\324<\252$)\341 \254L\352Y", ) lq\330\222\2055g\27]5z\220}\373Z\25\335\241\360\332\1D.\223w\225IC\241\211&I\201k^O0\305\330<`\270/c\251e\314\202\235YY6D\266fd\2255\106v\351W\31 (68, 0, 0, 0, 10240, 0x0, 0, ... 
{status=0x0, info=10240}, "i\222&\377q\222\232\3<,qU\321\246 Y\250lk\364f%Y\354\361\360,\6(\17)\\302\341W-b\31\317\231?\4\301\210\16!\336\236\310\245\13\275P\2741r\252d\357\203/\11\375\332U\211\340\21\355d/w\241I\346\366\275qS\303uUEL3\0MeR\235V\243A\25\351\335^Wy\12j\211Aw\356HK\32n\35h\24\3120mO\350w\337\275\7\366\220M%y\5\362"lq\330\222\2055g\27]5z\220}\373Z\25\335\241\360\332\1D.\223w\225IC\241\211&I\201k^O0\305\330<`\270/c\251e\314\202\235YY6D\266fd\2255\106v\351W\31"\214\261l\203\376\3106\241\313\320u\303D\360o\211\342\240%f+`\267\74"d\2347\21\346<\372\234`\203\265\33\251\2536gL\273\3460\314F\252SKwvW c\337\1PY\342\220\377\267\372Iph\33\314A\177\26_\260\313\372@\\211\272\343\315\301\32\271%f\366\264k9V\24\241\357a\24\226{k\3\31\325Z\301\15\3150E\325\320\373\316\315\314\16\203\355[0%E\356\21\213'nf9\333\246\34\255Mh\24\232\222\274\326\325\317`\37\365}+\313$Ugl\323II\212\274\201\273M\211\236f\33&\333\220\274'N\336y\215\332\177\263X\211\20\344=f\275\11\335\266C\2guR\233\351\305\277B=c`\204\301\213\245\\202*4%%?s\3>\330^\376zk\22\360"\13u\273n-by\323Y7\262p\7\206\17\321\273,B\244}\2037I\226\12i$A\241\345\3\27\16\213(,s\334\271b\270\266\207\324<\252$)\341 \254L\352Y", ) d\2347\21\346<\372\234`\203\265\33\251\2536gL\273\3460\314F\252SKwvW c\337\1PY\342\220\377\267\372Iph\33\314A\177\26_\260\313\372@\\211\272\343\315\301\32\271%f\366\264k9V\24\241\357a\24\226{k\3\31\325Z\301\15\3150E\325\320\373\316\315\314\16\203\355[0%E\356\21\213'nf9\333\246\34\255Mh\24\232\222\274\326\325\317`\37\365}+\313$Ugl\323II\212\274\201\273M\211\236f\33&\333\220\274'N\336y\215\332\177\263X\211\20\344=f\275\11\335\266C\2guR\233\351\305\277B=c`\204\301\213\245\\202*4%%?s\3>\330^\376zk\22\360 (68, 0, 0, 0, 10240, 0x0, 0, ... 
{status=0x0, info=10240}, "i\222&\377q\222\232\3<,qU\321\246 Y\250lk\364f%Y\354\361\360,\6(\17)\\302\341W-b\31\317\231?\4\301\210\16!\336\236\310\245\13\275P\2741r\252d\357\203/\11\375\332U\211\340\21\355d/w\241I\346\366\275qS\303uUEL3\0MeR\235V\243A\25\351\335^Wy\12j\211Aw\356HK\32n\35h\24\3120mO\350w\337\275\7\366\220M%y\5\362"lq\330\222\2055g\27]5z\220}\373Z\25\335\241\360\332\1D.\223w\225IC\241\211&I\201k^O0\305\330<`\270/c\251e\314\202\235YY6D\266fd\2255\106v\351W\31"\214\261l\203\376\3106\241\313\320u\303D\360o\211\342\240%f+`\267\74"d\2347\21\346<\372\234`\203\265\33\251\2536gL\273\3460\314F\252SKwvW c\337\1PY\342\220\377\267\372Iph\33\314A\177\26_\260\313\372@\\211\272\343\315\301\32\271%f\366\264k9V\24\241\357a\24\226{k\3\31\325Z\301\15\3150E\325\320\373\316\315\314\16\203\355[0%E\356\21\213'nf9\333\246\34\255Mh\24\232\222\274\326\325\317`\37\365}+\313$Ugl\323II\212\274\201\273M\211\236f\33&\333\220\274'N\336y\215\332\177\263X\211\20\344=f\275\11\335\266C\2guR\233\351\305\277B=c`\204\301\213\245\\202*4%%?s\3>\330^\376zk\22\360"\13u\273n-by\323Y7\262p\7\206\17\321\273,B\244}\2037I\226\12i$A\241\345\3\27\16\213(,s\334\271b\270\266\207\324<\252$)\341 \254L\352Y", ) , ) == 0x0 00490 424 NtWriteFile (80, 0, 0, 0, (80, 0, 0, 0, "\14\377\20\377\24\377\254\3YAGU\264\313\26Y\315\1]\364\3Ho<'\11\33^LMUory0\116\34<\260m\35\13\230\220\37\357l\377S\332\361\225A0(jDj\302\204:\33b|\242\257?a\254\276\16D\263\250\310\300f\213P\331\D\252\1\202\265/l\220\354U\354\215'\355\1BA\241,\213\300\275\24>\365u0(z3e SR\370;\225Ap\204\353^2\24\312U\0y\350\22\262\213\7\223\375{%\34h\304"\11\34\356\222\340XQ\278XL\220\30\226l\25\270\314\306\332d)\30\223\22\370\177C\304\344\20I\344\6hOU\250\356<\5\325\31c\314\10\372\202\3704o6!\333Pd\360X>6\23\204a\31G\341\207lu^\310\310S\314\375\320\20\256r\360\12\344\324\240@\13\35`\322j\2"\1\361\1\21\203Q\314\234\5\356\203\33\314\306\0g)\326\3200\251+\234S.\32@WE\16\351\154\324\220\232\332\314I\25\5-\314$\22 
_\325\246\314@9\344\214\343\250\254,\271@\13\300\264\16T`\24\304\202W\24\363\26]\3|\270l\301h\240\6E\260\275\315\316\250\2418\203xXm0@(\330\21\356JXf\\266\220\34\310 ^\24\377\377\212\326\260\242V\37\220\20\35\313A8Ql\266$\177\212\331\354\215M\354\363P\33C\266\246\274B#\350y\350\267I\263=\344&\344X\13\213\11\270\333u\2\2\30d\233\214\250\211BX\16V\204\244\346\223\\347G\2%@RE\3[\265h\376\37\6$\360GfC\273\13@Ty\2664\1\262\25j\260\17\264\326\32B\301\20\2657,\373350\22\262\213\7\223\375{%\34h\304 (80, 0, 0, 0, "\14\377\20\377\24\377\254\3YAGU\264\313\26Y\315\1]\364\3Ho<'\11\33^LMUory0\116\34<\260m\35\13\230\220\37\357l\377S\332\361\225A0(jDj\302\204:\33b|\242\257?a\254\276\16D\263\250\310\300f\213P\331\D\252\1\202\265/l\220\354U\354\215'\355\1BA\241,\213\300\275\24>\365u0(z3e SR\370;\225Ap\204\353^2\24\312U\0y\350\22\262\213\7\223\375{%\34h\304"\11\34\356\222\340XQ\278XL\220\30\226l\25\270\314\306\332d)\30\223\22\370\177C\304\344\20I\344\6hOU\250\356<\5\325\31c\314\10\372\202\3704o6!\333Pd\360X>6\23\204a\31G\341\207lu^\310\310S\314\375\320\20\256r\360\12\344\324\240@\13\35`\322j\2"\1\361\1\21\203Q\314\234\5\356\203\33\314\306\0g)\326\3200\251+\234S.\32@WE\16\351\154\324\220\232\332\314I\25\5-\314$\22 _\325\246\314@9\344\214\343\250\254,\271@\13\300\264\16T`\24\304\202W\24\363\26]\3|\270l\301h\240\6E\260\275\315\316\250\2418\203xXm0@(\330\21\356JXf\\266\220\34\310 ^\24\377\377\212\326\260\242V\37\220\20\35\313A8Ql\266$\177\212\331\354\215M\354\363P\33C\266\246\274B#\350y\350\267I\263=\344&\344X\13\213\11\270\333u\2\2\30d\233\214\250\211BX\16V\204\244\346\223\\347G\2%@RE\3[\265h\376\37\6$\360GfC\273\13@Ty\2664\1\262\25j\260\17\264\326\32B\301\20\2657,\3731\361\1\21\203Q\314\234\5\356\203\33\314\306\0g)\326\3200\251+\234S.\32@WE\16\351\154\324\220\232\332\314I\25\5-\314$\22 _\325\246\314@9\344\214\343\250\254,\271@\13\300\264\16T`\24\304\202W\24\363\26]\3|\270l\301h\240\6E\260\275\315\316\250\2418\203xXm0@(\330\21\356JXf\\266\220\34\310 
^\24\377\377\212\326\260\242V\37\220\20\35\313A8Ql\266$\177\212\331\354\215M\354\363P\33C\266\246\274B#\350y\350\267I\263=\344&\344X\13\213\11\270\333u\2\2\30d\233\214\250\211BX\16V\204\244\346\223\\347G\2%@RE\3[\265h\376\37\6$\360GfC\273\13@Ty\2664\1\262\25j\260\17\264\326\32B\301\20\2657,\373227\345fz8\213MAE\334\334\17\216\266\342\271\12\252AD\327 \311!\334Y", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0 00491 424 NtReadFile (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, ".\16bPI\352Z#\7y\0d\5\337*\262\351\7\27l\15\247D\310W\37:t\25\310\25\31I\246L|P%\23\20\366\25u\202*N.\177\340\363\253\244\301a\364\25k\326\3059\317)4\361\321=\17\34\347\232\366+\356\353\17\232\346%W@\12G\267\246\232\202\210(\357*>:\265\31\17\366#\326\5\2300\376\234]\271:2\371\274\347\214na+\2\363#r\360m\340EF\270Uy3\14+uL\10K'`0\23\301\320\33\223\265!\13\345&vX\246f*\227Y\301\214\263\321\256]\270\24\371n\217\201H\216x\361l\301\14\25\254\211\344#\14Zs\342>A\313Erbr\20\107.f\\344\212!IN\2535{r\20gZ\23.\2216A;T\244\274H&)>_\207\222!\272ee\273uj\346J\10b\\366\212kV|\374\20\320\303\13\270\343j\12\227q8\366\246\262\251I\20\234'\177\2767\317\27%I8\1\\225H\335OP\35h\241V\2668B\254aj\275\226\3642c\11\310\270\222\332\355_\312\344\347\11\4f\274G\357G\267\341\232\262I7\35DA\333\3575U\224\3573\215\300\212\11w\247l}/\363\222\202&C\360\264\22\327\4\352\316\14\213Z\3362\200Zj\355\2\276\303\265\321*l\201\17\227'&z\205\322&\301b\223\4rn\32;\17\332\2445\\3546\203<\242\222\347\216\3530\315_\315T7\301\357l\266\373g\37<~bi\226\332\213\265D\2c\36)\23\26}2A\324,"e\340H\370\262\320\273y_\6R:\5\232\312m\350\222\236\351\327", ) e\340H\370\262\320\273y_\6R:\5\232\312m\350\222\236\351\327", ) == 0x0 00492 424 NtWriteFile (80, 0, 0, 0, (80, 0, 0, 0, 
"KcTP,\207l#b\246d`\262\34\262\214j!lh\312r\3102r\14tp\245#\31,\313z|5H%\20\223xC\202O#\30\177\205\236\235\244\244\14\302\25\16\273\3639\252D\2\361\264P9\34\202\367\300+\213\2069\232\203Ha@o*\201\246\377\357\276(\212G\10:\320t9\366F\2733\230U\223\252]\334W\4\371\331\212\272n\4F4\363F\37\306m\205(p\2700\24\5\14N\30z\10.JV0v\254\346\33\366\330\27\13\200K@X\303\13\34\227<\254\272\263\264\303k\270q\224X\217\344%\270x\224\1\367\14p\301\277\344Fals\207Sw\313 \37True\1.\31\322\212D$x\253P\26D\20\27%.\364[w;1\311\212HCD\10_\342\377\27\272\0\10\215u\17\213|\10\71\300\212\16;J\374u\275\365\13\335\216\\12\362\34\16\366\303\337\237Iu\361\21\177\333Z\371\27@$\16\19\370~\335*=+h\304;\2008'\301Wj\330\373\3022\6d\376\270\367\267\333_\257\211\321\11a\13\212G\212*\201\341\377\337\1777x)w\333\212Xc\224\212^\12l|\36\377\302\255\251\13\26\30\217\36\159X\32\200\347\3379\313\1\372\366\6\374\267\0O\21\30\33u\354\261\366\366v\33 \227\353\310?\200\345\337:\32\353\342\35|[\340\366\212l\32\221l\30B\305\222\347Ku\360\321\177\341\4\217\243:\213?\263\4\200?\7\333\2\333\256\203\321O\1\267\17\362J\20z\340\277\20\301\7\3762r\13w\15\17\277\311\3\\211[\265<\307\377\321\216\216]\373_\2509\1\301\212\1\200\373\2r\12~\7\4\240\332\356\330r\2\6s\37\23s\20\4A\261A\24e\205%\316\262\265\326O_c?\14\5\377\247[\350\367\363\337\327", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0 00493 424 NtReadFile (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, (68, 0, 0, 0, 10240, 0x0, 0, ... 
{status=0x0, info=10240}, "\355\347\273\225[\305\316\367\251\210\276\263\24G\3660|1\245&\345\2524\212\352\33\275\316\341WQ\10\355io,\304\317t?\342\317\231\352A\234Bc7I44\273\367\307Um?\3\210\351(ztpT"\214\357a\341mt\234\264\64g\313\200T\301+\13\22y\245\2120\226\6\266\223\353!Q \33\3\201@\13\367i\201\\361x'1@\214Io%\204\347w\221\232\341f\316\26\345\26\3\266\25\364\234\26LPc\226\345\373B\20\346/^Y%^\21{\350h"!\366\213\365\302C#4\377\3\314\3524\3\312\K\270\277\26\364pg\16\364\265\2474\5\16e&\326H\264\362\337aGY\0^=\122m\34\16/I\32\12\207\351q\48YU\12b7\331\228\302\25\206\235w\212\15w>c\242\36\271\224\262\341dxr\233m\27\27\340g\70,\240\16\2277\337\252`\272\223\257&\3604\340^A\304w\340\310\201W\315\4S1\244X\225\206*\30\305\353\12ko\315&\35V\2447p\335wb\17\362\201.!\217\315\216\1\256\331\365^Z\325C\230Hl\35\2710\223\26\335B"\302\26\234\233s\376\22;\33`\1"\356\353O|\312\243\246\256\224\26\273\20=`\361\315\277\326Rt|O\364)\324\20\325\214k\25mq@)#Ow\364&\347$\20\16\3756\16\2217Y\21\235lx`\17\235\232UK\317\244\0\345i2(\373\375\221\1rm\302\202\0)='fx\222\11\302\205\256l\3027\27\363\17\2300\360P\304\336\234\211\2767\32e\232v\370\371>A~P\1`a\215\22&\37y\210,\270\267\225c\3515b(p\221\242\30\311p\251rf\222\2524 \324 \201\110\20\1b\233\206\30\16&\331\223\210i\255\361w\23@\353sh\273>\260", ) \214\357a\341mt\234\264\64g\313\200T\301+\13\22y\245\2120\226\6\266\223\353!Q \33\3\201@\13\367i\201\\361x'1@\214Io%\204\347w\221\232\341f\316\26\345\26\3\266\25\364\234\26LPc\226\345\373B\20\346/^Y%^\21{\350h (68, 0, 0, 0, 10240, 0x0, 0, ... 
{status=0x0, info=10240}, "\355\347\273\225[\305\316\367\251\210\276\263\24G\3660|1\245&\345\2524\212\352\33\275\316\341WQ\10\355io,\304\317t?\342\317\231\352A\234Bc7I44\273\367\307Um?\3\210\351(ztpT"\214\357a\341mt\234\264\64g\313\200T\301+\13\22y\245\2120\226\6\266\223\353!Q \33\3\201@\13\367i\201\\361x'1@\214Io%\204\347w\221\232\341f\316\26\345\26\3\266\25\364\234\26LPc\226\345\373B\20\346/^Y%^\21{\350h"!\366\213\365\302C#4\377\3\314\3524\3\312\K\270\277\26\364pg\16\364\265\2474\5\16e&\326H\264\362\337aGY\0^=\122m\34\16/I\32\12\207\351q\48YU\12b7\331\228\302\25\206\235w\212\15w>c\242\36\271\224\262\341dxr\233m\27\27\340g\70,\240\16\2277\337\252`\272\223\257&\3604\340^A\304w\340\310\201W\315\4S1\244X\225\206*\30\305\353\12ko\315&\35V\2447p\335wb\17\362\201.!\217\315\216\1\256\331\365^Z\325C\230Hl\35\2710\223\26\335B"\302\26\234\233s\376\22;\33`\1"\356\353O|\312\243\246\256\224\26\273\20=`\361\315\277\326Rt|O\364)\324\20\325\214k\25mq@)#Ow\364&\347$\20\16\3756\16\2217Y\21\235lx`\17\235\232UK\317\244\0\345i2(\373\375\221\1rm\302\202\0)='fx\222\11\302\205\256l\3027\27\363\17\2300\360P\304\336\234\211\2767\32e\232v\370\371>A~P\1`a\215\22&\37y\210,\270\267\225c\3515b(p\221\242\30\311p\251rf\222\2524 \324 \201\110\20\1b\233\206\30\16&\331\223\210i\255\361w\23@\353sh\273>\260", ) \302\26\234\233s\376\22;\33`\1 (68, 0, 0, 0, 10240, 0x0, 0, ... 
{status=0x0, info=10240}, "\355\347\273\225[\305\316\367\251\210\276\263\24G\3660|1\245&\345\2524\212\352\33\275\316\341WQ\10\355io,\304\317t?\342\317\231\352A\234Bc7I44\273\367\307Um?\3\210\351(ztpT"\214\357a\341mt\234\264\64g\313\200T\301+\13\22y\245\2120\226\6\266\223\353!Q \33\3\201@\13\367i\201\\361x'1@\214Io%\204\347w\221\232\341f\316\26\345\26\3\266\25\364\234\26LPc\226\345\373B\20\346/^Y%^\21{\350h"!\366\213\365\302C#4\377\3\314\3524\3\312\K\270\277\26\364pg\16\364\265\2474\5\16e&\326H\264\362\337aGY\0^=\122m\34\16/I\32\12\207\351q\48YU\12b7\331\228\302\25\206\235w\212\15w>c\242\36\271\224\262\341dxr\233m\27\27\340g\70,\240\16\2277\337\252`\272\223\257&\3604\340^A\304w\340\310\201W\315\4S1\244X\225\206*\30\305\353\12ko\315&\35V\2447p\335wb\17\362\201.!\217\315\216\1\256\331\365^Z\325C\230Hl\35\2710\223\26\335B"\302\26\234\233s\376\22;\33`\1"\356\353O|\312\243\246\256\224\26\273\20=`\361\315\277\326Rt|O\364)\324\20\325\214k\25mq@)#Ow\364&\347$\20\16\3756\16\2217Y\21\235lx`\17\235\232UK\317\244\0\345i2(\373\375\221\1rm\302\202\0)='fx\222\11\302\205\256l\3027\27\363\17\2300\360P\304\336\234\211\2767\32e\232v\370\371>A~P\1`a\215\22&\37y\210,\270\267\225c\3515b(p\221\242\30\311p\251rf\222\2524 \324 \201\110\20\1b\233\206\30\16&\331\223\210i\255\361w\23@\353sh\273>\260", ) , ) == 0x0 00494 424 NtWriteFile (80, 0, 0, 0, (80, 0, 0, 0, "\210\212\215\225>\250\370\367\314\345\210\263q*\3000\31\\223&\200\307\2\212\217v\213\316\204:g\10\210\4Y,\241\242B?\207\242\257\352$\361tcR$\24\336\232\361U\10R5\210\214ELt\259\24\214\212\14\327m\21\361\202\6Q\12\375\2001\254\35\13w\24\223\212U\3730\266\366\206\27QEv5\201%f\301i\3441\307xB\v\214,\2\23\204\202\32\247\232\204\13\370\26\200{5\266p\231\252\26)=U\226\200\226t\20\203BhY@3'{\215\5\24!\223\346\303\302&N\2\377f\241\3344f\247jK\335\322 
\364\25\128\364\320\312\2\5k\10\20\326-\331\304\337\4*o\0;P<2\10q8/,w<\207\214\3428<8A\364C\212\22\20k\220\0\16\364Zo\21\370\1N`j\360\254U.\242\222\0\200\4\4(\236\220\247\1\27\0\364\202eD\13'\3\25\244\11\247\350\230l\247Z!\363j\365\6\3605\251\350\234\354\323\1\32\0\367@\370\234Sw~5lVa\350\177\20\37\34\345\32\270\322\370U\351P\17\36p\364\317.\311\25\304Df\367\307\2 \261M\267\11U}7b\376\353.\16C\264\245\210\14\300\307wv-\335s\15\326\10\260", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) A\364C\212\22\20k\220\0\16\364Zo\21\370\1N`j\360\254U.\242\222\0\200\4\4(\236\220\247\1\27\0\364\202eD\13'\3\25\244\11\247\350\230l\247Z!\363j\365\6\3605\251\350\234\354\323\1\32\0\367@\370\234Sw~5lVa\350\177\20\37\34\345\32\270\322\370U\351P\17\36p\364\317.\311\25\304Df\367\307\2 \261M\267\11U}7b\376\353.\16C\264\245\210\14\300\307wv-\335s\15\326\10\260", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0 00495 424 NtReadFile (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, (68, 0, 0, 0, 10240, 0x0, 0, ... 
{status=0x0, info=10240}, "\355ZLw@\344n&\22\273\273p}o\1vS\252<\211y\244\271\331-\232$\13Ee`\233w8M\263\244\0;\346\36\255\13K\276\341\\34\271\261\36\7\337\303\214\25\355o2\3078m\210o\263s\13\250\25WP\37i{/\214\250\231+\374/?s6\317\3076U:\346\234\247\267\375\377_\21\256\264@\326raC@\26\207\350\324\1\2548\216NX\5\3250 {\245\0;P\27p%^\3270\332\353X\334\214\370\342\266F\356u\31?Fm\313\21\25\271\256\332\303\316\24\304l\1\330\321\252\363I\314\300%\324:|dT\262\231l\323@\264w\16zFi$\342q2\23g\300l>\15\237\20$W\17\204\242\222; \355C>1\33\2JeE\246\2651\256\366\250D\233\334\4_\37#2\317\14\303ph\5\227j\58Z\360\352\306\377H5]\300\236\27"\346d\325`\252\214V\3\244o\341\266\203\33\345\231\334\31\10_\356an\241\3zKM.U*\34\203\352<\367',r\260Gh\355\7%\305\315$2\25\331\15\177\0p=\322%u\202\3238\25(\322d\256o\350\27C\3438#(\253\306\205\5\344"jF\6v\302!Y\13@f\335'\333\350\3134rp\27\304\14\201\206\26]\362\3417\343'\346\h\243\310\177\14<\212\304\22\205\164\322\365\211DP\13\215:\362`h\355\1\177\215\204\17\342\360\356\12\251VB2\233\355o\12\374\215\1S\275\26\7w\303|\212*\376\1\277\261\221\22:\2266\21`\242\246c.\13-\37a\32\207\234\374\240Y6D\201skm\262\224\244 \314L\216w\11\214-\225p\\351\226`\243\36.\2$\376\16\360M\327V\330d&usfR\16\263h\204\275\350\344\235\321n\325\336>\301Z\23i\317u\374\374\234", ) \346d\325`\252\214V\3\244o\341\266\203\33\345\231\334\31\10_\356an\241\3zKM.U*\34\203\352<\367',r\260Gh\355\7%\305\315$2\25\331\15\177\0p=\322%u\202\3238\25(\322d\256o\350\27C\3438#(\253\306\205\5\344 (68, 0, 0, 0, 10240, 0x0, 0, ... 
{status=0x0, info=10240}, "\355ZLw@\344n&\22\273\273p}o\1vS\252<\211y\244\271\331-\232$\13Ee`\233w8M\263\244\0;\346\36\255\13K\276\341\\34\271\261\36\7\337\303\214\25\355o2\3078m\210o\263s\13\250\25WP\37i{/\214\250\231+\374/?s6\317\3076U:\346\234\247\267\375\377_\21\256\264@\326raC@\26\207\350\324\1\2548\216NX\5\3250 {\245\0;P\27p%^\3270\332\353X\334\214\370\342\266F\356u\31?Fm\313\21\25\271\256\332\303\316\24\304l\1\330\321\252\363I\314\300%\324:|dT\262\231l\323@\264w\16zFi$\342q2\23g\300l>\15\237\20$W\17\204\242\222; \355C>1\33\2JeE\246\2651\256\366\250D\233\334\4_\37#2\317\14\303ph\5\227j\58Z\360\352\306\377H5]\300\236\27"\346d\325`\252\214V\3\244o\341\266\203\33\345\231\334\31\10_\356an\241\3zKM.U*\34\203\352<\367',r\260Gh\355\7%\305\315$2\25\331\15\177\0p=\322%u\202\3238\25(\322d\256o\350\27C\3438#(\253\306\205\5\344"jF\6v\302!Y\13@f\335'\333\350\3134rp\27\304\14\201\206\26]\362\3417\343'\346\h\243\310\177\14<\212\304\22\205\164\322\365\211DP\13\215:\362`h\355\1\177\215\204\17\342\360\356\12\251VB2\233\355o\12\374\215\1S\275\26\7w\303|\212*\376\1\277\261\221\22:\2266\21`\242\246c.\13-\37a\32\207\234\374\240Y6D\201skm\262\224\244 \314L\216w\11\214-\225p\\351\226`\243\36.\2$\376\16\360M\327V\330d&usfR\16\263h\204\275\350\344\235\321n\325\336>\301Z\23i\317u\374\374\234", ) , ) == 0x0 00496 424 NtWriteFile (80, 0, 0, 0, (80, 0, 0, 0, "\2107zw%\211X&w\326\215p\30\27v6\307\12\211\34\311\217\331H\367\22\13 
\10V\233\22U{\263\301m\15\346{\300=K\333\214j\34\334\334(\7\272\256\272\25\210\2\4\307]\0\276o\326\36=\250p:f\37\14\26\31\214\315\364\35\374JRE6\252\252\0U_\213\252\247\322\220\311_t\303\202@\263\37WC%{\261\350\261l\2328\353#n\5\260]\26{\300m\15Pr\35\23^\262]\354\353=\261\272\370\207\333p\356\20t\11F\10\246'\25\334\303\354\303\253y\362ld\265\347\252\226$\372\300@\271\14|\19\204\231\11\276v\264\22cLF\14I\324qW~Q\300\11S;\237uIa\17\341\317\244;E\200u>Tv4J\0(\220\265T\303\300\250!\366\352\4:r\252\252a\365p\15h\241j`Ul\360\217\253\311HP0\366\236rO\320d\260\15\234\2143n\222o\204\333\265\33\200\364\352\31m2\330a\13\3145z. \30UOq\265\352Y\232\21,\27\335qh\210j\23\305\250I\4\25\274`I\0\25P\344%\20\357\3458pE\344d\313\2\336\27&\216\16#M\306\360\205`\211\24j#k@\302D4=@\3\260\21\333\215\246\2r\25z\362\14\344\353 ]\227\214\1\343B\213jh\306\245I\14Y\347\362\22\340c\2\322\220\344rPn\340\14\362\5\5\333\1\32\340\262\17\207\235\330\12\314;t2\376\200Y\12\231\3407S\330{1w\246\21\274*\233l\211\261\364\177\14\226S|V\242\303\16\30\13HrW\32\342\361\312\240<[r\201\26\6[\262\361\311\26\314)\343A\11\351@\243p9\204\240`\306s\30\2A\2238\360(\272`\330\1KCs\3?8\263\15\351\213\350\201\360\347n\260\263\10\301?~_\317\20\221\312\234", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0 00497 424 NtReadFile (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, (68, 0, 0, 0, 10240, 0x0, 0, ... 
{status=0x0, info=10240}, "\371\17\275\373\365z8\322\236\266\214\332\3\222 -aV\335J\16\367\376\331<\202\35U\215\1\22f%\377\225hI\23\21\21\272\12M\312\371\266N\377\342S\377\3411N\21\201J\270\252\263\20\250\267\340|B%S*\337>W\17R\300\343q\306\25f\13>\204\310F\333u\33487\245;\251\22\1Q A\253\340\364\345\31fTcq\16C{\323\367\336\325\324yEzV\3\365\6\223,\52\265\365\256-\3s\214\307L2}\250\212\303\335\301\5\327M,\3/0\303\356\347\323\267xqUH\230K\215v'\301\227'\22\11b\3177k\2004\243\11&S\356p\317J]\206/\310 F,\304\177[\0\330nc\344\24jg\11\220\317r\356;6I\236\256g:;\345\243\372\366\3725\274u\30\3531N#\230\10\324v\265\344\24\306&^\337\1\276et\205\346\257\34e3\2\11\200E\222%\211a\253v,d\7\344\265en\23@\366_\3476\177AP\210a\274>\370+YM~\32\355b=u\235\321\237\223\345;\35H(B\371iw\343q\307\220\333\246Q\275H\4\12\2060\205\267\204\3004X\240FNi%\3530\252\352eNp(\14\21 \33\27uF\15\2b\357\364\263\33}*\344\372\250\254\273\255F\374\15Sbk\20\21pk\0T{\202\205\274\325[a\255M\266\342\233\344\326\366\331\301u\36\377m\15i\21t\277s\4v\306\145p2\311W\355z\302^]\266\350yM!0UN\227}m\3369\210aZ\$\12fe8r\344f8k\315Y\240C}\263\311\30h$"\224\273\204\20|"2\306\344P\212\335}\261\7\36d\324\365\35\357\355%\30A\266j\311\7q\32_\310\223\237\200O\356\360\374\223\266,-\317k#Pv\301\362\263", ) \224\273\204\20| (68, 0, 0, 0, 10240, 0x0, 0, ... 
{status=0x0, info=10240}, "\371\17\275\373\365z8\322\236\266\214\332\3\222 -aV\335J\16\367\376\331<\202\35U\215\1\22f%\377\225hI\23\21\21\272\12M\312\371\266N\377\342S\377\3411N\21\201J\270\252\263\20\250\267\340|B%S*\337>W\17R\300\343q\306\25f\13>\204\310F\333u\33487\245;\251\22\1Q A\253\340\364\345\31fTcq\16C{\323\367\336\325\324yEzV\3\365\6\223,\52\265\365\256-\3s\214\307L2}\250\212\303\335\301\5\327M,\3/0\303\356\347\323\267xqUH\230K\215v'\301\227'\22\11b\3177k\2004\243\11&S\356p\317J]\206/\310 F,\304\177[\0\330nc\344\24jg\11\220\317r\356;6I\236\256g:;\345\243\372\366\3725\274u\30\3531N#\230\10\324v\265\344\24\306&^\337\1\276et\205\346\257\34e3\2\11\200E\222%\211a\253v,d\7\344\265en\23@\366_\3476\177AP\210a\274>\370+YM~\32\355b=u\235\321\237\223\345;\35H(B\371iw\343q\307\220\333\246Q\275H\4\12\2060\205\267\204\3004X\240FNi%\3530\252\352eNp(\14\21 \33\27uF\15\2b\357\364\263\33}*\344\372\250\254\273\255F\374\15Sbk\20\21pk\0T{\202\205\274\325[a\255M\266\342\233\344\326\366\331\301u\36\377m\15i\21t\277s\4v\306\145p2\311W\355z\302^]\266\350yM!0UN\227}m\3369\210aZ\$\12fe8r\344f8k\315Y\240C}\263\311\30h$"\224\273\204\20|"2\306\344P\212\335}\261\7\36d\324\365\35\357\355%\30A\266j\311\7q\32_\310\223\237\200O\356\360\374\223\266,-\317k#Pv\301\362\263", ) , ) == 0x0 00498 424 NtWriteFile (80, 0, 0, 0, (80, 0, 0, 0, "\234b\213\373\220\27\16\322\373\333\272\332f\377\26-\4;\353Jk\232\310\331Y\357+UtX7\22\3H\311\225\15$%\21t\3272bd\300\206\34\360\25\3f\10\204\255+\355u\271U\1\245^\304$\14Mw\253\205\231\323\31\39Uqk.M\323\222\263\343\324\34(LVf\2300\223Ih\4\265\220\303\33\3\26\341\361LW\20\236\212\246\260\367\5\262 \32\3J]\365\356\202\276\201x\248~\23U&\273vB\254\241'wdT\317R\6\2664\306d\20S\213\35\371J8\353\31\310E+\32\304\3266\330\13\16\322\24\17\12?\220\252\37\330;S$\250\256\2W\15\345\306\227\300\372P\321C\30\216\x#\375e\342v\320\211"\306C3\351\1\333\10B\205\203\302*eVo?\200 
\377\23\211\4\306@,\1j\322\265\0\3%@\2232\3216\32,f\210\4\321\10\370N4{~\177\200T=\20\360\347\237\366\210\15\35-Et\371\14\32\325q\242\375\355\2464\320~\4o\353\6\205\322}\2\300Q5\226F+\4\23\353U\307\334e+\35\36\14tM-\27\20+;\2\7\202\302\263~\20\34\344\237\305\232\273\310+\312\156\17]\20t\35]\01\26\264\205\331\270ma\310 \200\342\376\211\340\366\274\254C\36\232\0;it\31\211sa\33\360\14P\35\4\3112\200L\302;0\200\350\34 \2700#\241}\10\263\17\210\47j$o\13S8\27\211P8\16\240o\240&\20\205\311}\5\22"\361\326\262\20\31O\4\306\201=\274\335\30\3341\36\1\271\303\35\212\200\23\30$\333\\311b\34,_\255\376\251\200*\203\306\374\366\333\32-\252\6\25P\23\254\304\263", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \306C3\351\1\333\10B\205\203\302*eVo?\200 \377\23\211\4\306@,\1j\322\265\0\3%@\2232\3216\32,f\210\4\321\10\370N4{~\177\200T=\20\360\347\237\366\210\15\35-Et\371\14\32\325q\242\375\355\2464\320~\4o\353\6\205\322}\2\300Q5\226F+\4\23\353U\307\334e+\35\36\14tM-\27\20+;\2\7\202\302\263~\20\34\344\237\305\232\273\310+\312\156\17]\20t\35]\01\26\264\205\331\270ma\310 \200\342\376\211\340\366\274\254C\36\232\0;it\31\211sa\33\360\14P\35\4\3112\200L\302;0\200\350\34 \2700#\241}\10\263\17\210\47j$o\13S8\27\211P8\16\240o\240&\20\205\311}\5\22 (80, 0, 0, 0, "\234b\213\373\220\27\16\322\373\333\272\332f\377\26-\4;\353Jk\232\310\331Y\357+UtX7\22\3H\311\225\15$%\21t\3272bd\300\206\34\360\25\3f\10\204\255+\355u\271U\1\245^\304$\14Mw\253\205\231\323\31\39Uqk.M\323\222\263\343\324\34(LVf\2300\223Ih\4\265\220\303\33\3\26\341\361LW\20\236\212\246\260\367\5\262 \32\3J]\365\356\202\276\201x\248~\23U&\273vB\254\241'wdT\317R\6\2664\306d\20S\213\35\371J8\353\31\310E+\32\304\3266\330\13\16\322\24\17\12?\220\252\37\330;S$\250\256\2W\15\345\306\227\300\372P\321C\30\216\x#\375e\342v\320\211"\306C3\351\1\333\10B\205\203\302*eVo?\200 
\377\23\211\4\306@,\1j\322\265\0\3%@\2232\3216\32,f\210\4\321\10\370N4{~\177\200T=\20\360\347\237\366\210\15\35-Et\371\14\32\325q\242\375\355\2464\320~\4o\353\6\205\322}\2\300Q5\226F+\4\23\353U\307\334e+\35\36\14tM-\27\20+;\2\7\202\302\263~\20\34\344\237\305\232\273\310+\312\156\17]\20t\35]\01\26\264\205\331\270ma\310 \200\342\376\211\340\366\274\254C\36\232\0;it\31\211sa\33\360\14P\35\4\3112\200L\302;0\200\350\34 \2700#\241}\10\263\17\210\47j$o\13S8\27\211P8\16\240o\240&\20\205\311}\5\22"\361\326\262\20\31O\4\306\201=\274\335\30\3341\36\1\271\303\35\212\200\23\30$\333\\311b\34,_\255\376\251\200*\203\306\374\366\333\32-\252\6\25P\23\254\304\263", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0 00499 424 NtReadFile (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\305\323\347m\35$vJ\20\263ir\236 \226\342\321=F\14\236\375\325A\352\215\256~\317%\234\236I\315\22\243\22o\33@=+rH\336t\243{"t\315\230c\243a!-\275\227\212\206\4\24:\214\371\343\255\235"\303\350IR\333\330G9J\212dic\266\2634+\26t\0C\321\366\260NU\314\343\276\351\331G;\372s$6#\327\340K\370\300-[\230L\33B\303\334\351g\260\355m\321\36FkB\26\230\11\324\335P\257wD\26s5F\330n\334\236f\20ZH\373JBt\130Zq +\253~7c)\205\271\305\331]-]=\262d\10\231(\274y\241c\246{\306\36\217f\372\270S1\346|\221[\3779\356\321\15\237\365\347/D(\220\6S\237\303\16\223\242\177r\22\177\342{#\345>"\22&l\\220\2Q\214\223J\240\345~v\230\246A&eV\14\21v\33\377\312\357Y\272G\177\267Ca\347fGK\256+\4\214\206G\17\335\225\12\344\365$\316\370&i6r@\352\316\370\245\216{\310\235\225D\271`\350\322e\16B\342wi\347\22\263\206\222\312\304$\254F<\361\266\275|%\251\26E9\211\20$\\306\26\321\227u8\35\31Z\255\2126*\2068i\206\17\344N\375<\263g\z\6\300\211=\2TA*\25\332\311\264\260\247\301Bv\365 3\203\355\0\246\302\311t\273U\347y~\323B\304\326\213\215]]\2Tl\244'\367^416\256: 
\37\26O\324\257\224\242\7\375\26N3\235\17\330\1EN\0\351\15\260Q\365\255\21\30\6]D-c\37~4f\213B\244\20242\27\314\326H\355G\2\310\333\351\264\1\201\3625\314\205=\264\344,o\4y`\356C\5UV\267\304\312\307.\10MC\204\21mh\24W\27L\21\231", ) t\315\230c\243a!-\275\227\212\206\4\24:\214\371\343\255\235 (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\305\323\347m\35$vJ\20\263ir\236 \226\342\321=F\14\236\375\325A\352\215\256~\317%\234\236I\315\22\243\22o\33@=+rH\336t\243{"t\315\230c\243a!-\275\227\212\206\4\24:\214\371\343\255\235"\303\350IR\333\330G9J\212dic\266\2634+\26t\0C\321\366\260NU\314\343\276\351\331G;\372s$6#\327\340K\370\300-[\230L\33B\303\334\351g\260\355m\321\36FkB\26\230\11\324\335P\257wD\26s5F\330n\334\236f\20ZH\373JBt\130Zq +\253~7c)\205\271\305\331]-]=\262d\10\231(\274y\241c\246{\306\36\217f\372\270S1\346|\221[\3779\356\321\15\237\365\347/D(\220\6S\237\303\16\223\242\177r\22\177\342{#\345>"\22&l\\220\2Q\214\223J\240\345~v\230\246A&eV\14\21v\33\377\312\357Y\272G\177\267Ca\347fGK\256+\4\214\206G\17\335\225\12\344\365$\316\370&i6r@\352\316\370\245\216{\310\235\225D\271`\350\322e\16B\342wi\347\22\263\206\222\312\304$\254F<\361\266\275|%\251\26E9\211\20$\\306\26\321\227u8\35\31Z\255\2126*\2068i\206\17\344N\375<\263g\z\6\300\211=\2TA*\25\332\311\264\260\247\301Bv\365 3\203\355\0\246\302\311t\273U\347y~\323B\304\326\213\215]]\2Tl\244'\367^416\256: \37\26O\324\257\224\242\7\375\26N3\235\17\330\1EN\0\351\15\260Q\365\255\21\30\6]D-c\37~4f\213B\244\20242\27\314\326H\355G\2\310\333\351\264\1\201\3625\314\205=\264\344,o\4y`\356C\5UV\267\304\312\307.\10MC\204\21mh\24W\27L\21\231", ) \22&l\\220\2Q\214\223J\240\345~v\230\246A&eV\14\21v\33\377\312\357Y\272G\177\267Ca\347fGK\256+\4\214\206G\17\335\225\12\344\365$\316\370&i6r@\352\316\370\245\216{\310\235\225D\271`\350\322e\16B\342wi\347\22\263\206\222\312\304$\254F<\361\266\275|%\251\26E9\211\20$\\306\26\321\227u8\35\31Z\255\2126*\2068i\206\17\344N\375<\263g\z\6\300\211=\2TA*\25\332\311\264\260\247\301Bv\365 
3\203\355\0\246\302\311t\273U\347y~\323B\304\326\213\215]]\2Tl\244'\367^416\256: \37\26O\324\257\224\242\7\375\26N3\235\17\330\1EN\0\351\15\260Q\365\255\21\30\6]D-c\37~4f\213B\244\20242\27\314\326H\355G\2\310\333\351\264\1\201\3625\314\205=\264\344,o\4y`\356C\5UV\267\304\312\307.\10MC\204\21mh\24W\27L\21\231", ) == 0x0 00500 424 NtWriteFile (80, 0, 0, 0, (80, 0, 0, 0, "\240\276\321mxI@Ju\336_r\373M\240\342\264Pp\14\373\220\343A\217\340\230~\252H\252\236,\240$\243w\2-@XFDH\273\31\225{G\31\373\230\6\316W!H\320\241\212\343i":\351\224\325\255\370O\365\350,?\355\330"T|\212\1\4U\266\326Y\35\26\21mu\321\223\335xU\251\216\210\351\274*\15\372\26I\0#\262\215}\370\245@m\230)vt\303\271\204Q\260\210\0\347\36#\6t\26\375d\342\3355\302ADs\36\3F\275\3\352\236\3}lH\236'ttn]lqEF\235~R\16\37\205\334\250\357]H0\13\262\1e\257(\331\24\227c\303\26\360\36\352\13\314\2706\\320|\3646\3119\213\274;\237\220\212\31DM\3750S\372\2568\223\307\22D\22\32\217M#\200S\24\22C\1j\220g<\272\223/\315\323~\23\365\220AC\10`\14t\33-\377\257\202o\272"\22\201C\4\212PG.\303\35\4\351\353q\17\270\370<\344\220I\370\370C\4\0r%\207\370\370\300\343M\310\370\370r\271\5\205\344ek/\324w\14\212$\263\343\377\374\304A\301p<\224\333\213|@\304 E\\344&$9\253 \321\362\30\16\35|7\233\212SG\2608\14\3539\344+\220\12\263\21L\6\245\344\13\21,\34\25\277\244\202\260\302\254tv\220M\5\203\210m\220\302\254\31\215U\202\24H\323'\251\340\213\3500k\21\1\222'\2223\21S\303\14 zo\0O\261\302\242\242b\220 NV\3609\330d(x\0\214`\206Q\220\300'\30c0r-\6rH4\3|\5B\301\357\22r\241\340H\210*4\310\276\204\202\1\344\237\3\314\340P\202\344I\22y\5\203u\50;\201\304\257\252\30\10(.\262\21\10\5"Wr!'\231", 10240, 0x0, 0, ... 
{status=0x0, info=10240}, ) :\351\224\325\255\370O\365\350,?\355\330 (80, 0, 0, 0, "\240\276\321mxI@Ju\336_r\373M\240\342\264Pp\14\373\220\343A\217\340\230~\252H\252\236,\240$\243w\2-@XFDH\273\31\225{G\31\373\230\6\316W!H\320\241\212\343i":\351\224\325\255\370O\365\350,?\355\330"T|\212\1\4U\266\326Y\35\26\21mu\321\223\335xU\251\216\210\351\274*\15\372\26I\0#\262\215}\370\245@m\230)vt\303\271\204Q\260\210\0\347\36#\6t\26\375d\342\3355\302ADs\36\3F\275\3\352\236\3}lH\236'ttn]lqEF\235~R\16\37\205\334\250\357]H0\13\262\1e\257(\331\24\227c\303\26\360\36\352\13\314\2706\\320|\3646\3119\213\274;\237\220\212\31DM\3750S\372\2568\223\307\22D\22\32\217M#\200S\24\22C\1j\220g<\272\223/\315\323~\23\365\220AC\10`\14t\33-\377\257\202o\272"\22\201C\4\212PG.\303\35\4\351\353q\17\270\370<\344\220I\370\370C\4\0r%\207\370\370\300\343M\310\370\370r\271\5\205\344ek/\324w\14\212$\263\343\377\374\304A\301p<\224\333\213|@\304 E\\344&$9\253 \321\362\30\16\35|7\233\212SG\2608\14\3539\344+\220\12\263\21L\6\245\344\13\21,\34\25\277\244\202\260\302\254tv\220M\5\203\210m\220\302\254\31\215U\202\24H\323'\251\340\213\3500k\21\1\222'\2223\21S\303\14 zo\0O\261\302\242\242b\220 NV\3609\330d(x\0\214`\206Q\220\300'\30c0r-\6rH4\3|\5B\301\357\22r\241\340H\210*4\310\276\204\202\1\344\237\3\314\340P\202\344I\22y\5\203u\50;\201\304\257\252\30\10(.\262\21\10\5"Wr!'\231", 10240, 0x0, 0, ... 
{status=0x0, info=10240}, ) \22\201C\4\212PG.\303\35\4\351\353q\17\270\370<\344\220I\370\370C\4\0r%\207\370\370\300\343M\310\370\370r\271\5\205\344ek/\324w\14\212$\263\343\377\374\304A\301p<\224\333\213|@\304 E\\344&$9\253 \321\362\30\16\35|7\233\212SG\2608\14\3539\344+\220\12\263\21L\6\245\344\13\21,\34\25\277\244\202\260\302\254tv\220M\5\203\210m\220\302\254\31\215U\202\24H\323'\251\340\213\3500k\21\1\222'\2223\21S\303\14 zo\0O\261\302\242\242b\220 NV\3609\330d(x\0\214`\206Q\220\300'\30c0r-\6rH4\3|\5B\301\357\22r\241\340H\210*4\310\276\204\202\1\344\237\3\314\340P\202\344I\22y\5\203u\50;\201\304\257\252\30\10(.\262\21\10\5 (80, 0, 0, 0, "\240\276\321mxI@Ju\336_r\373M\240\342\264Pp\14\373\220\343A\217\340\230~\252H\252\236,\240$\243w\2-@XFDH\273\31\225{G\31\373\230\6\316W!H\320\241\212\343i":\351\224\325\255\370O\365\350,?\355\330"T|\212\1\4U\266\326Y\35\26\21mu\321\223\335xU\251\216\210\351\274*\15\372\26I\0#\262\215}\370\245@m\230)vt\303\271\204Q\260\210\0\347\36#\6t\26\375d\342\3355\302ADs\36\3F\275\3\352\236\3}lH\236'ttn]lqEF\235~R\16\37\205\334\250\357]H0\13\262\1e\257(\331\24\227c\303\26\360\36\352\13\314\2706\\320|\3646\3119\213\274;\237\220\212\31DM\3750S\372\2568\223\307\22D\22\32\217M#\200S\24\22C\1j\220g<\272\223/\315\323~\23\365\220AC\10`\14t\33-\377\257\202o\272"\22\201C\4\212PG.\303\35\4\351\353q\17\270\370<\344\220I\370\370C\4\0r%\207\370\370\300\343M\310\370\370r\271\5\205\344ek/\324w\14\212$\263\343\377\374\304A\301p<\224\333\213|@\304 E\\344&$9\253 \321\362\30\16\35|7\233\212SG\2608\14\3539\344+\220\12\263\21L\6\245\344\13\21,\34\25\277\244\202\260\302\254tv\220M\5\203\210m\220\302\254\31\215U\202\24H\323'\251\340\213\3500k\21\1\222'\2223\21S\303\14 zo\0O\261\302\242\242b\220 NV\3609\330d(x\0\214`\206Q\220\300'\30c0r-\6rH4\3|\5B\301\357\22r\241\340H\210*4\310\276\204\202\1\344\237\3\314\340P\202\344I\22y\5\203u\50;\201\304\257\252\30\10(.\262\21\10\5"Wr!'\231", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... 
{status=0x0, info=10240}, ) == 0x0 00501 424 NtReadFile (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "D\261\366[\222\36667\355\300\336\15v^#\313\367\261\36\2338\219\15\331\341\266D2\346\340a\355>\306\0\305\341e\15B|3\200\35\264\335Co\347\201\20D\246\177\272\235;G\240\317\1r3'K\232\14\31.\346\205\325:)\2156l\217\1&\375\226\342aOJ\35\245cV\31\3473\32\332p\217\333\0\35e\34\5\304d\307:{c\341|\321\3169\224s+\346\271H\10\13\202\222*b\215s\344+ SMg\5\366w>u\307\352\244\247\232\344\277\234u\247\261\302\305\2124\212\5m\226""\331Q\307H42\364\207\336\232\241\245l3\221\2459\310!\17~L|]VN\4'\234[CI\2225\24^;>|\2568\32\211\17j\207\232\306\367\203\252`w\3\201\345\367\216\364\32L<\362`\226\316-b\230f-}n\241\350(|G\211\2754\346\4\350 \316=!\235\262\346\354\311>\313\317\207\15\1F\345\202\10s\254\365\224\37\261\177(\305\256\264\17m\351\376\15\214X,\266q\201\356F\364\20\337\24\36}\216\0Bi\343\17\232\302\266\217e\241{H\20`c\210\30RrY]\206\13\2767\251>\0\24\314\12\353C\305\252ld\327Am\300\373h:\14u\246\204,\256}"\24}u\26,\256\337\32 AI\36(C\355\356\262IA\341\361\6V#\305\356\3716\2536b\224Y1}\211\210\363-\13K\356o\303\250\215\2745\245\23m;\201\37\7\6jO\347!\303\206\356\367\10-xz"fm\251\34\344\244\272[fP#\344\317\7\211\272\32uBFHx\225(\377&bP\21.\10\304\23\336k6\351 #\2755%B\373\22\317\21\24(\317u<", ) (68, 0, 0, 0, 10240, 0x0, 0, ... 
{status=0x0, info=10240}, "D\261\366[\222\36667\355\300\336\15v^#\313\367\261\36\2338\219\15\331\341\266D2\346\340a\355>\306\0\305\341e\15B|3\200\35\264\335Co\347\201\20D\246\177\272\235;G\240\317\1r3'K\232\14\31.\346\205\325:)\2156l\217\1&\375\226\342aOJ\35\245cV\31\3473\32\332p\217\333\0\35e\34\5\304d\307:{c\341|\321\3169\224s+\346\271H\10\13\202\222*b\215s\344+ SMg\5\366w>u\307\352\244\247\232\344\277\234u\247\261\302\305\2124\212\5m\226""\331Q\307H42\364\207\336\232\241\245l3\221\2459\310!\17~L|]VN\4'\234[CI\2225\24^;>|\2568\32\211\17j\207\232\306\367\203\252`w\3\201\345\367\216\364\32L<\362`\226\316-b\230f-}n\241\350(|G\211\2754\346\4\350 \316=!\235\262\346\354\311>\313\317\207\15\1F\345\202\10s\254\365\224\37\261\177(\305\256\264\17m\351\376\15\214X,\266q\201\356F\364\20\337\24\36}\216\0Bi\343\17\232\302\266\217e\241{H\20`c\210\30RrY]\206\13\2767\251>\0\24\314\12\353C\305\252ld\327Am\300\373h:\14u\246\204,\256}"\24}u\26,\256\337\32 AI\36(C\355\356\262IA\341\361\6V#\305\356\3716\2536b\224Y1}\211\210\363-\13K\356o\303\250\215\2745\245\23m;\201\37\7\6jO\347!\303\206\356\367\10-xz"fm\251\34\344\244\272[fP#\344\317\7\211\272\32uBFHx\225(\377&bP\21.\10\304\23\336k6\351 #\2755%B\373\22\317\21\24(\317u<", ) \252ld\327Am\300\373h:\14u\246\204,\256} (68, 0, 0, 0, 10240, 0x0, 0, ... 
{status=0x0, info=10240}, "D\261\366[\222\36667\355\300\336\15v^#\313\367\261\36\2338\219\15\331\341\266D2\346\340a\355>\306\0\305\341e\15B|3\200\35\264\335Co\347\201\20D\246\177\272\235;G\240\317\1r3'K\232\14\31.\346\205\325:)\2156l\217\1&\375\226\342aOJ\35\245cV\31\3473\32\332p\217\333\0\35e\34\5\304d\307:{c\341|\321\3169\224s+\346\271H\10\13\202\222*b\215s\344+ SMg\5\366w>u\307\352\244\247\232\344\277\234u\247\261\302\305\2124\212\5m\226""\331Q\307H42\364\207\336\232\241\245l3\221\2459\310!\17~L|]VN\4'\234[CI\2225\24^;>|\2568\32\211\17j\207\232\306\367\203\252`w\3\201\345\367\216\364\32L<\362`\226\316-b\230f-}n\241\350(|G\211\2754\346\4\350 \316=!\235\262\346\354\311>\313\317\207\15\1F\345\202\10s\254\365\224\37\261\177(\305\256\264\17m\351\376\15\214X,\266q\201\356F\364\20\337\24\36}\216\0Bi\343\17\232\302\266\217e\241{H\20`c\210\30RrY]\206\13\2767\251>\0\24\314\12\353C\305\252ld\327Am\300\373h:\14u\246\204,\256}"\24}u\26,\256\337\32 AI\36(C\355\356\262IA\341\361\6V#\305\356\3716\2536b\224Y1}\211\210\363-\13K\356o\303\250\215\2745\245\23m;\201\37\7\6jO\347!\303\206\356\367\10-xz"fm\251\34\344\244\272[fP#\344\317\7\211\272\32uBFHx\225(\377&bP\21.\10\304\23\336k6\351 #\2755%B\373\22\317\21\24(\317u<", ) fm\251\34\344\244\272[fP#\344\317\7\211\272\32uBFHx\225(\377&bP\21.\10\304\23\336k6\351 #\2755%B\373\22\317\21\24(\317u<", ) == 0x0 00502 424 NtWriteFile (80, 0, 0, 0, (80, 0, 0, 0, "!\334\300[\367\233\07\210\255\350\15\233\25\313\222\334(\233]|\17\15\274\214\200DW\213\326a\210S\360\0\240\214S\15'\21\5\200x\331\353C\12\212\267\20!\313I\272\370Vq\240\252lD3B&\254\14|C\320\205\260W\37\215S\1\271\1C\220\240\342\4"|\35\300\16`\31\202^,\332\25\342\355\0x\10*\5\241\11\361:\36\16\327|\264\243\17\224\26F\320\271-e=\202\367GT\215\26\211\35 6 
Q\5\223\32\10u\242\207\222\247\377\211\211\234\20\312\207\302\240\347\2\212`\0\240"G\264g\307-Y\4\364\342\263\254\241\300\1\5\221\300T\376!j\23z|8;x\4B\361mC,\377\3\24;V\10|\313U,\211j\7\261\232\243\232\265\252\5\325\201\200\232\270\364\177!\12\362\5\373\370-\7\365P-\30\3\227\350M\21q\211\330Y\320\4\215M\370=D\360\204\346\211\244\10\313\252\352;\1#\210\264\10\26\301\303\224z\334I(\240\303\202\17\10\204\310\15\3515\32\266\24\354\330F\221}\351\24{\20\270\0'\4\325\17\377\257\200\217\0\314MHu\15U\210}?DY8\353=\276R\304\10\0q\241<\353&\250\12Z\305,\221\365\11\340\335\207\205\4\220*\12j\2V{\253\250\205Q\376\200\200\330muG\307Zd\262,[\300\236\5\14\14\20\313\262,\313\20\24\24\30\30 ,\313\262, $$((&\200\330\262,,\327\361c;\25\305\213\224\0\253S\17\242YT\20\277\210\226@=K\213\2\365\250\350\321\3\245v\0\15\201zj0j*\212\27\303\343\203\301\10H\25L"\3\0\237\34\201\311\214[\3=\25\344\252j\277\272\177\30tF-\25\243(\232KTPtC>\304v\263]6\214M\25\275PHt\373w\242'\24M\242C<", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) |\35\300\16`\31\202^,\332\25\342\355\0x\10*\5\241\11\361:\36\16\327|\264\243\17\224\26F\320\271-e=\202\367GT\215\26\211\35 6 Q\5\223\32\10u\242\207\222\247\377\211\211\234\20\312\207\302\240\347\2\212`\0\240 (80, 0, 0, 0, "!\334\300[\367\233\07\210\255\350\15\233\25\313\222\334(\233]|\17\15\274\214\200DW\213\326a\210S\360\0\240\214S\15'\21\5\200x\331\353C\12\212\267\20!\313I\272\370Vq\240\252lD3B&\254\14|C\320\205\260W\37\215S\1\271\1C\220\240\342\4"|\35\300\16`\31\202^,\332\25\342\355\0x\10*\5\241\11\361:\36\16\327|\264\243\17\224\26F\320\271-e=\202\367GT\215\26\211\35 6 
Q\5\223\32\10u\242\207\222\247\377\211\211\234\20\312\207\302\240\347\2\212`\0\240"G\264g\307-Y\4\364\342\263\254\241\300\1\5\221\300T\376!j\23z|8;x\4B\361mC,\377\3\24;V\10|\313U,\211j\7\261\232\243\232\265\252\5\325\201\200\232\270\364\177!\12\362\5\373\370-\7\365P-\30\3\227\350M\21q\211\330Y\320\4\215M\370=D\360\204\346\211\244\10\313\252\352;\1#\210\264\10\26\301\303\224z\334I(\240\303\202\17\10\204\310\15\3515\32\266\24\354\330F\221}\351\24{\20\270\0'\4\325\17\377\257\200\217\0\314MHu\15U\210}?DY8\353=\276R\304\10\0q\241<\353&\250\12Z\305,\221\365\11\340\335\207\205\4\220*\12j\2V{\253\250\205Q\376\200\200\330muG\307Zd\262,[\300\236\5\14\14\20\313\262,\313\20\24\24\30\30 ,\313\262, $$((&\200\330\262,,\327\361c;\25\305\213\224\0\253S\17\242YT\20\277\210\226@=K\213\2\365\250\350\321\3\245v\0\15\201zj0j*\212\27\303\343\203\301\10H\25L"\3\0\237\34\201\311\214[\3=\25\344\252j\277\272\177\30tF-\25\243(\232KTPtC>\304v\263]6\214M\25\275PHt\373w\242'\24M\242C<", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \3\0\237\34\201\311\214[\3=\25\344\252j\277\272\177\30tF-\25\243(\232KTPtC>\304v\263]6\214M\25\275PHt\373w\242'\24M\242C<", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0 00503 424 NtReadFile (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, (68, 0, 0, 0, 10240, 0x0, 0, ... 
{status=0x0, info=10240}, "Ev\337P.qb\301\332\2448\212\272\215\14P4|\26\240\371\36\341\216$]\334\20\352N7p\3779N\322V_\0X\371E=|y\216J0e\353&\213 \235\266ff\234\266\0I\20\353\214`\302\333\271\33\250+\25\364_1\344d?\214\336\317\261\16\344\365.\200Ymo5\4oK19`^\366\276\364\321\222\303\273\334\206hF4S\306\301a\350\222\344\374b\301\276\243.\254Gc@\336\10h\275\221e\317\26\206\331\375n\372i%r\33T\351WBx\265\230\365\344{^mP\222\354\256\376\276\\2723\205!\354\252q`!\202d\350\3613\322\26u\266\26\1b\240"\0\246\23XztJ\200\27\335\\276K$mu~\22\263\372\2\255\242\242\37\221o\326YIC=\2\267/bE\344\353"\270\335\332\10e`C$su\26\15a\235\302x!\215\214z\244v\223\0;\33769H%!!\344\235\222\344v\273~\16\205\15\35\364O`}\22\242\303\34$DH!{|l\273\305\367rc\332\204"\3\260\342y\15."\216\266\1S5A\24\272\355\221h\354\12\343\206\242\256@=\367\262\327V\232\276|\333\352?"M=n\314\232N\35\276\375\317%\335\7\327n>\13mI=\23{\250A\32|\22 C\247\335\360\355\222\263\220*Dz\0D\312X"\313CI\304\25}`\227\213\21\304\214\266\253R\327\12"0\246\23XztJ\200\27\335\\276K$mu~\22\263\372\2\255\242\242\37\221o\326YIC=\2\267/bE\344\353 (68, 0, 0, 0, 10240, 0x0, 0, ... 
{status=0x0, info=10240}, "Ev\337P.qb\301\332\2448\212\272\215\14P4|\26\240\371\36\341\216$]\334\20\352N7p\3779N\322V_\0X\371E=|y\216J0e\353&\213 \235\266ff\234\266\0I\20\353\214`\302\333\271\33\250+\25\364_1\344d?\214\336\317\261\16\344\365.\200Ymo5\4oK19`^\366\276\364\321\222\303\273\334\206hF4S\306\301a\350\222\344\374b\301\276\243.\254Gc@\336\10h\275\221e\317\26\206\331\375n\372i%r\33T\351WBx\265\230\365\344{^mP\222\354\256\376\276\\2723\205!\354\252q`!\202d\350\3613\322\26u\266\26\1b\240"\0\246\23XztJ\200\27\335\\276K$mu~\22\263\372\2\255\242\242\37\221o\326YIC=\2\267/bE\344\353"\270\335\332\10e`C$su\26\15a\235\302x!\215\214z\244v\223\0;\33769H%!!\344\235\222\344v\273~\16\205\15\35\364O`}\22\242\303\34$DH!{|l\273\305\367rc\332\204"\3\260\342y\15."\216\266\1S5A\24\272\355\221h\354\12\343\206\242\256@=\367\262\327V\232\276|\333\352?"M=n\314\232N\35\276\375\317%\335\7\327n>\13mI=\23{\250A\32|\22 C\247\335\360\355\222\263\220*Dz\0D\312X"\313CI\304\25}`\227\213\21\304\214\266\253R\327\12"3\260\342y\15. (68, 0, 0, 0, 10240, 0x0, 0, ... 
{status=0x0, info=10240}, "Ev\337P.qb\301\332\2448\212\272\215\14P4|\26\240\371\36\341\216$]\334\20\352N7p\3779N\322V_\0X\371E=|y\216J0e\353&\213 \235\266ff\234\266\0I\20\353\214`\302\333\271\33\250+\25\364_1\344d?\214\336\317\261\16\344\365.\200Ymo5\4oK19`^\366\276\364\321\222\303\273\334\206hF4S\306\301a\350\222\344\374b\301\276\243.\254Gc@\336\10h\275\221e\317\26\206\331\375n\372i%r\33T\351WBx\265\230\365\344{^mP\222\354\256\376\276\\2723\205!\354\252q`!\202d\350\3613\322\26u\266\26\1b\240"\0\246\23XztJ\200\27\335\\276K$mu~\22\263\372\2\255\242\242\37\221o\326YIC=\2\267/bE\344\353"\270\335\332\10e`C$su\26\15a\235\302x!\215\214z\244v\223\0;\33769H%!!\344\235\222\344v\273~\16\205\15\35\364O`}\22\242\303\34$DH!{|l\273\305\367rc\332\204"\3\260\342y\15."\216\266\1S5A\24\272\355\221h\354\12\343\206\242\256@=\367\262\327V\232\276|\333\352?"M=n\314\232N\35\276\375\317%\335\7\327n>\13mI=\23{\250A\32|\22 C\247\335\360\355\222\263\220*Dz\0D\312X"\313CI\304\25}`\227\213\21\304\214\266\253R\327\12"314\232N\35\276\375\317%\335\7\327n>\13mI=\23{\250A\32|\22 C\247\335\360\355\222\263\220*Dz\0D\312X (68, 0, 0, 0, 10240, 0x0, 0, ... 
{status=0x0, info=10240}, "Ev\337P.qb\301\332\2448\212\272\215\14P4|\26\240\371\36\341\216$]\334\20\352N7p\3779N\322V_\0X\371E=|y\216J0e\353&\213 \235\266ff\234\266\0I\20\353\214`\302\333\271\33\250+\25\364_1\344d?\214\336\317\261\16\344\365.\200Ymo5\4oK19`^\366\276\364\321\222\303\273\334\206hF4S\306\301a\350\222\344\374b\301\276\243.\254Gc@\336\10h\275\221e\317\26\206\331\375n\372i%r\33T\351WBx\265\230\365\344{^mP\222\354\256\376\276\\2723\205!\354\252q`!\202d\350\3613\322\26u\266\26\1b\240"\0\246\23XztJ\200\27\335\\276K$mu~\22\263\372\2\255\242\242\37\221o\326YIC=\2\267/bE\344\353"\270\335\332\10e`C$su\26\15a\235\302x!\215\214z\244v\223\0;\33769H%!!\344\235\222\344v\273~\16\205\15\35\364O`}\22\242\303\34$DH!{|l\273\305\367rc\332\204"\3\260\342y\15."\216\266\1S5A\24\272\355\221h\354\12\343\206\242\256@=\367\262\327V\232\276|\333\352?"M=n\314\232N\35\276\375\317%\335\7\327n>\13mI=\23{\250A\32|\22 C\247\335\360\355\222\263\220*Dz\0D\312X"\313CI\304\25}`\227\213\21\304\214\266\253R\327\12"215\21\22\30\303\7\16\301\266\205^\317?\252m\245}\225\212o<\254\324\375\224\5\224P\316\333\312uC\335\343\313\261\236\271aZ\305\367\200\23\353hc\2-\316G'\22\326\300\262\360*\14\237a9:@%&\256Gkop\210E\200P\370\355\333p\306\313\233\\347\273\201$(\277j\32K\263e\223\210/\31\327\330", ) == 0x0 00504 424 NtWriteFile (80, 0, 0, 0, (80, 0, 0, 0, " \33\351PK\34T\301\277\311\16\212\337\340:PQ\21 \240\234s\327\216A0\352\20\217#\1p\232Tx\322326X\234(\13|\34\343|0\0\206\20\213E\360\200f\3\361\200\0,}\335\214\5\257\355\271~\305\35\25\2212\7\344\1R\272\336\252\3348\344\220C\266Y\10\2\3\4\12&\79\53\300\276\221\274\244\303\336\261\260h#Ye\306\244\14\336\222\201\221T\301\333\316\30\254"\16v\336m\5\213\221\0\242 \206\274\220X\372\14HD\3V9\337W'\25\203\230\220\211M^\10=\244\354\313\223\210\\337^\263!\211\307G`D\357R\350\224^\344\26\20\333 \1\7\315\24\0\303~nz\21'\266\27\2701\210KA\0C~w\336\314\2\310\317\224\37\364\2\340Y,.\13\2\322BTE\201\206\24\27U\260\354\10\0\15u$\26\30 
\15\4\360\364xD\340\272z\301\33\245\0^\262\09-H\27!\201\360\244\344\23\326H\16\340`+\364*\15K\22\307\256*$!%\27{\31\1\215\305\222\37U\332\341O5\260\207\24;.G\343\200\16Xw\24\337\200\247h\211g\325\206\307\303v=\222\337\341V\377\323J\333\217R\24MX\3\372\232+p\210\375\252H\353\7\262\3\10\13\10$\13\23\36\305w\32\31\177\26C\302\260\306\355\367\336\246*!\276D\2575\24\313&$\362\25\30\15\241\213t\251\272\266\316?\341\12GQ}\21\20T\273\21wu\365\7k\254\200\205;\242\11\252\10\310K\225\357\2\12\254\261\220\242\5\361=\370\333\257\30u\335\206\246\207\236\334\14l\305\222\355%\353\15\164-\253*\21\22\177[\366\262\225G:\237\4T\14@@K\230G\16\2F\210 \355f\370\210\266F\306\256\366j\347\336\354\22(\332\7,K\326\10\245\210Jt\341\330", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \16v\336m\5\213\221\0\242 \206\274\220X\372\14HD\3V9\337W'\25\203\230\220\211M^\10=\244\354\313\223\210\\337^\263!\211\307G`D\357R\350\224^\344\26\20\333 \1\7\315\24\0\303~nz\21'\266\27\2701\210KA\0C~w\336\314\2\310\317\224\37\364\2\340Y,.\13\2\322BTE\201\206\24\27U\260\354\10\0\15u$\26\30 \15\4\360\364xD\340\272z\301\33\245\0^\262\09-H\27!\201\360\244\344\23\326H\16\340`+\364*\15K\22\307\256*$!%\27{\31\1\215\305\222\37U\332\341O5\260\207\24;.G\343\200\16Xw\24\337\200\247h\211g\325\206\307\303v=\222\337\341V\377\323J\333\217R\24MX\3\372\232+p\210\375\252H\353\7\262\3\10\13\10$\13\23\36\305w\32\31\177\26C\302\260\306\355\367\336\246*!\276D\2575\24\313&$\362\25\30\15\241\213t\251\272\266\316?\341\12GQ}\21\20T\273\21wu\365\7k\254\200\205;\242\11\252\10\310K\225\357\2\12\254\261\220\242\5\361=\370\333\257\30u\335\206\246\207\236\334\14l\305\222\355%\353\15\164-\253*\21\22\177[\366\262\225G:\237\4T\14@@K\230G\16\2F\210 \355f\370\210\266F\306\256\366j\347\336\354\22(\332\7,K\326\10\245\210Jt\341\330", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0 00505 424 NtReadFile (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, (68, 0, 0, 0, 10240, 0x0, 0, ... 
{status=0x0, info=10240}, "hO2\224\342eb\340\271\376\316\353cW1U\271\3\13mf\214\301:g\30,k\265\13\5i\327\377NR\342\272V\267\300k\16\244yz\301RxJ\6A9ZA\6AOlVV~%\302=\330\376\316>\265\216T\129\330\210&}\300\205\252m\252\370G\255^\371~\347i\333OM\277\13y+~6%\252\320>\345\266pD{\215\11\234VM\20\210\2454\351\10`5E\14]\330\335\235\354\333'\211;\11`\302"\1r\37km\0\203\301\206tFK\241\2732}a\0\1\15\373\262\354\345\340\263\220\272!)J\245&\26-y;\316".\261-t\10\315\26b<\373\373\316`y"\30}\10]\360G\36\231\14i\30\375\245\366a.\2qVC\12m\327\340\261\346\340i\24\202{\277g\231*\206\33\240\253\341G\317\11\335\27\257\35\3{:~.\36}\12\244 \1|\362\204\211\307\20D " \20\313\310\231\25\356t \21\343\317n7\10\6\253\371\255\346w\14kv<|'o\362v\263\261|\30ve\226P\322<\252,\256\333]!qa.\30i\36\251-\323u\33\273-=>\15\345e'K}6\301Z58\205\304.\325O:\345\326\264\206\322\367\364\177O\201\340\216\210\23\177\374`\225\35bw\21!"\376sN|\221\2526\22n\377\306q^\177#6\255\12t\2\20T6AI\336C*N\351\5\340\263\255\\14\353\214w=%\271\207<\235\355\34\216\1B\13\230%M\4\17\352\2258\333Z(\213\300\241nD\30^\253/\336u]\355eMU;\3205\11\21kQ\11-\214\321\376\356'u\350\304\314\346\2079\37S^\261=u\20'\273q\232&<\211l<\222\34%Io\327\372\205$c\352L\307\327\232\235\3116@\177*\216\266\360", ) \1r\37km\0\203\301\206tFK\241\2732}a\0\1\15\373\262\354\345\340\263\220\272!)J\245&\26-y;\316 (68, 0, 0, 0, 10240, 0x0, 0, ... 
{status=0x0, info=10240}, "hO2\224\342eb\340\271\376\316\353cW1U\271\3\13mf\214\301:g\30,k\265\13\5i\327\377NR\342\272V\267\300k\16\244yz\301RxJ\6A9ZA\6AOlVV~%\302=\330\376\316>\265\216T\129\330\210&}\300\205\252m\252\370G\255^\371~\347i\333OM\277\13y+~6%\252\320>\345\266pD{\215\11\234VM\20\210\2454\351\10`5E\14]\330\335\235\354\333'\211;\11`\302"\1r\37km\0\203\301\206tFK\241\2732}a\0\1\15\373\262\354\345\340\263\220\272!)J\245&\26-y;\316".\261-t\10\315\26b<\373\373\316`y"\30}\10]\360G\36\231\14i\30\375\245\366a.\2qVC\12m\327\340\261\346\340i\24\202{\277g\231*\206\33\240\253\341G\317\11\335\27\257\35\3{:~.\36}\12\244 \1|\362\204\211\307\20D " \20\313\310\231\25\356t \21\343\317n7\10\6\253\371\255\346w\14kv<|'o\362v\263\261|\30ve\226P\322<\252,\256\333]!qa.\30i\36\251-\323u\33\273-=>\15\345e'K}6\301Z58\205\304.\325O:\345\326\264\206\322\367\364\177O\201\340\216\210\23\177\374`\225\35bw\21!"\376sN|\221\2526\22n\377\306q^\177#6\255\12t\2\20T6AI\336C*N\351\5\340\263\255\\14\353\214w=%\271\207<\235\355\34\216\1B\13\230%M\4\17\352\2258\333Z(\213\300\241nD\30^\253/\336u]\355eMU;\3205\11\21kQ\11-\214\321\376\356'u\350\304\314\346\2079\37S^\261=u\20'\273q\232&<\211l<\222\34%Io\327\372\205$c\352L\307\327\232\235\3116@\177*\216\266\360", ) \30}\10]\360G\36\231\14i\30\375\245\366a.\2qVC\12m\327\340\261\346\340i\24\202{\277g\231*\206\33\240\253\341G\317\11\335\27\257\35\3{:~.\36}\12\244 \1|\362\204\211\307\20D (68, 0, 0, 0, 10240, 0x0, 0, ... 
{status=0x0, info=10240}, "hO2\224\342eb\340\271\376\316\353cW1U\271\3\13mf\214\301:g\30,k\265\13\5i\327\377NR\342\272V\267\300k\16\244yz\301RxJ\6A9ZA\6AOlVV~%\302=\330\376\316>\265\216T\129\330\210&}\300\205\252m\252\370G\255^\371~\347i\333OM\277\13y+~6%\252\320>\345\266pD{\215\11\234VM\20\210\2454\351\10`5E\14]\330\335\235\354\333'\211;\11`\302"\1r\37km\0\203\301\206tFK\241\2732}a\0\1\15\373\262\354\345\340\263\220\272!)J\245&\26-y;\316".\261-t\10\315\26b<\373\373\316`y"\30}\10]\360G\36\231\14i\30\375\245\366a.\2qVC\12m\327\340\261\346\340i\24\202{\277g\231*\206\33\240\253\341G\317\11\335\27\257\35\3{:~.\36}\12\244 \1|\362\204\211\307\20D " \20\313\310\231\25\356t \21\343\317n7\10\6\253\371\255\346w\14kv<|'o\362v\263\261|\30ve\226P\322<\252,\256\333]!qa.\30i\36\251-\323u\33\273-=>\15\345e'K}6\301Z58\205\304.\325O:\345\326\264\206\322\367\364\177O\201\340\216\210\23\177\374`\225\35bw\21!"\376sN|\221\2526\22n\377\306q^\177#6\255\12t\2\20T6AI\336C*N\351\5\340\263\255\\14\353\214w=%\271\207<\235\355\34\216\1B\13\230%M\4\17\352\2258\333Z(\213\300\241nD\30^\253/\336u]\355eMU;\3205\11\21kQ\11-\214\321\376\356'u\350\304\314\346\2079\37S^\261=u\20'\273q\232&<\211l<\222\34%Io\327\372\205$c\352L\307\327\232\235\3116@\177*\216\266\360", ) \376sN|\221\2526\22n\377\306q^\177#6\255\12t\2\20T6AI\336C*N\351\5\340\263\255\\14\353\214w=%\271\207<\235\355\34\216\1B\13\230%M\4\17\352\2258\333Z(\213\300\241nD\30^\253/\336u]\355eMU;\3205\11\21kQ\11-\214\321\376\356'u\350\304\314\346\2079\37S^\261=u\20'\273q\232&<\211l<\222\34%Io\327\372\205$c\352L\307\327\232\235\3116@\177*\216\266\360", ) == 0x0 00506 424 NtWriteFile (80, 0, 0, 0, (80, 0, 0, 0, "\15"\4\224\207\10T\340\334\223\370\353\6:\7U\334n=m\3\341\367:\2u\32k\320f3i\262\222xR\207\327`\267\245\68\244\34\27\367R\35'0A\7w\6$"ZV3\23\23\302X\265\310\316[\330\270ToT\356\210C\20\366\205\317\0\234\370"\300h\371\33\212_\333* \211\13\34FH6@\307\346>\200\333FD\36\340?\2343 
&\210\300Y\337\10\5Xs\148\265\353\235\211\266\21\211^dV\302GlD\37\16\06\203\244\353BF.\314\2152\30\146\1h\226\204\354\200\215\205\220\337L\37J\300K -\34V\370"K\334\33tm\240 bY\226\315\316\5\24\24\30\30ek\360"s\257\14\14u\313\245\223\14\30\2\24;u\12\10\272\326\261\203\215_\24\347\26\211g\374G\260\33\305\306\327G\252d\353\27\312p5{_\23\30\36\30g\222 d\21\304\204\354\252&DEO\26\20\256\245\257\25\213\31\26\21\206\242X7mk\235\371\310\213A\14\16\33\12|B\2\304v\326\334J\30\23\10\240P\267Q\234,\313\266k!\24\14\30\30\14s\237-\266\30-\273HP\10\15\200\10\21K\30[\367ZPU\263\304K\270y:\200\273\202\206\267\232\302\177*\354\326\216\355~I\374\5\370+b\22|\27"\233\36x|\364\307\0\22\13\222\360q;\22\256\310gB\2u9\0A,\263u*+\2043\340\326\300j\14\216\341A=@\324\261<\370\200*\216d/=\230@ 2\17\217\370\16\333?E\275\300\304\3r\30;\306\31\336\200\333e(8\15\320Pd'k4d\33\214\264\223\330'\20\205\362\314\203\352\17\3763\207=\20}\21\273\24\367\20<\354\1\12\222yH\177o\262\227\263$\6\207z\307\177Z\254\235\254[v\177O\343\200\360", 10240, 0x0, 0, ... 
{status=0x0, info=10240}, ) \4\224\207\10T\340\334\223\370\353\6:\7U\334n=m\3\341\367:\2u\32k\320f3i\262\222xR\207\327`\267\245\68\244\34\27\367R\35'0A\7w\6$ (80, 0, 0, 0, "\15"\4\224\207\10T\340\334\223\370\353\6:\7U\334n=m\3\341\367:\2u\32k\320f3i\262\222xR\207\327`\267\245\68\244\34\27\367R\35'0A\7w\6$"ZV3\23\23\302X\265\310\316[\330\270ToT\356\210C\20\366\205\317\0\234\370"\300h\371\33\212_\333* \211\13\34FH6@\307\346>\200\333FD\36\340?\2343 &\210\300Y\337\10\5Xs\148\265\353\235\211\266\21\211^dV\302GlD\37\16\06\203\244\353BF.\314\2152\30\146\1h\226\204\354\200\215\205\220\337L\37J\300K -\34V\370"K\334\33tm\240 bY\226\315\316\5\24\24\30\30ek\360"s\257\14\14u\313\245\223\14\30\2\24;u\12\10\272\326\261\203\215_\24\347\26\211g\374G\260\33\305\306\327G\252d\353\27\312p5{_\23\30\36\30g\222 d\21\304\204\354\252&DEO\26\20\256\245\257\25\213\31\26\21\206\242X7mk\235\371\310\213A\14\16\33\12|B\2\304v\326\334J\30\23\10\240P\267Q\234,\313\266k!\24\14\30\30\14s\237-\266\30-\273HP\10\15\200\10\21K\30[\367ZPU\263\304K\270y:\200\273\202\206\267\232\302\177*\354\326\216\355~I\374\5\370+b\22|\27"\233\36x|\364\307\0\22\13\222\360q;\22\256\310gB\2u9\0A,\263u*+\2043\340\326\300j\14\216\341A=@\324\261<\370\200*\216d/=\230@ 2\17\217\370\16\333?E\275\300\304\3r\30;\306\31\336\200\333e(8\15\320Pd'k4d\33\214\264\223\330'\20\205\362\314\203\352\17\3763\207=\20}\21\273\24\367\20<\354\1\12\222yH\177o\262\227\263$\6\207z\307\177Z\254\235\254[v\177O\343\200\360", 10240, 0x0, 0, ... 
{status=0x0, info=10240}, ) \300h\371\33\212_\333* \211\13\34FH6@\307\346>\200\333FD\36\340?\2343 &\210\300Y\337\10\5Xs\148\265\353\235\211\266\21\211^dV\302GlD\37\16\06\203\244\353BF.\314\2152\30\146\1h\226\204\354\200\215\205\220\337L\37J\300K -\34V\370 (80, 0, 0, 0, "\15"\4\224\207\10T\340\334\223\370\353\6:\7U\334n=m\3\341\367:\2u\32k\320f3i\262\222xR\207\327`\267\245\68\244\34\27\367R\35'0A\7w\6$"ZV3\23\23\302X\265\310\316[\330\270ToT\356\210C\20\366\205\317\0\234\370"\300h\371\33\212_\333* \211\13\34FH6@\307\346>\200\333FD\36\340?\2343 &\210\300Y\337\10\5Xs\148\265\353\235\211\266\21\211^dV\302GlD\37\16\06\203\244\353BF.\314\2152\30\146\1h\226\204\354\200\215\205\220\337L\37J\300K -\34V\370"K\334\33tm\240 bY\226\315\316\5\24\24\30\30ek\360"s\257\14\14u\313\245\223\14\30\2\24;u\12\10\272\326\261\203\215_\24\347\26\211g\374G\260\33\305\306\327G\252d\353\27\312p5{_\23\30\36\30g\222 d\21\304\204\354\252&DEO\26\20\256\245\257\25\213\31\26\21\206\242X7mk\235\371\310\213A\14\16\33\12|B\2\304v\326\334J\30\23\10\240P\267Q\234,\313\266k!\24\14\30\30\14s\237-\266\30-\273HP\10\15\200\10\21K\30[\367ZPU\263\304K\270y:\200\273\202\206\267\232\302\177*\354\326\216\355~I\374\5\370+b\22|\27"\233\36x|\364\307\0\22\13\222\360q;\22\256\310gB\2u9\0A,\263u*+\2043\340\326\300j\14\216\341A=@\324\261<\370\200*\216d/=\230@ 2\17\217\370\16\333?E\275\300\304\3r\30;\306\31\336\200\333e(8\15\320Pd'k4d\33\214\264\223\330'\20\205\362\314\203\352\17\3763\207=\20}\21\273\24\367\20<\354\1\12\222yH\177o\262\227\263$\6\207z\307\177Z\254\235\254[v\177O\343\200\360", 10240, 0x0, 0, ... 
{status=0x0, info=10240}, ) s\257\14\14u\313\245\223\14\30\2\24;u\12\10\272\326\261\203\215_\24\347\26\211g\374G\260\33\305\306\327G\252d\353\27\312p5{_\23\30\36\30g\222 d\21\304\204\354\252&DEO\26\20\256\245\257\25\213\31\26\21\206\242X7mk\235\371\310\213A\14\16\33\12|B\2\304v\326\334J\30\23\10\240P\267Q\234,\313\266k!\24\14\30\30\14s\237-\266\30-\273HP\10\15\200\10\21K\30[\367ZPU\263\304K\270y:\200\273\202\206\267\232\302\177*\354\326\216\355~I\374\5\370+b\22|\27 (80, 0, 0, 0, "\15"\4\224\207\10T\340\334\223\370\353\6:\7U\334n=m\3\341\367:\2u\32k\320f3i\262\222xR\207\327`\267\245\68\244\34\27\367R\35'0A\7w\6$"ZV3\23\23\302X\265\310\316[\330\270ToT\356\210C\20\366\205\317\0\234\370"\300h\371\33\212_\333* \211\13\34FH6@\307\346>\200\333FD\36\340?\2343 &\210\300Y\337\10\5Xs\148\265\353\235\211\266\21\211^dV\302GlD\37\16\06\203\244\353BF.\314\2152\30\146\1h\226\204\354\200\215\205\220\337L\37J\300K -\34V\370"K\334\33tm\240 bY\226\315\316\5\24\24\30\30ek\360"s\257\14\14u\313\245\223\14\30\2\24;u\12\10\272\326\261\203\215_\24\347\26\211g\374G\260\33\305\306\327G\252d\353\27\312p5{_\23\30\36\30g\222 d\21\304\204\354\252&DEO\26\20\256\245\257\25\213\31\26\21\206\242X7mk\235\371\310\213A\14\16\33\12|B\2\304v\326\334J\30\23\10\240P\267Q\234,\313\266k!\24\14\30\30\14s\237-\266\30-\273HP\10\15\200\10\21K\30[\367ZPU\263\304K\270y:\200\273\202\206\267\232\302\177*\354\326\216\355~I\374\5\370+b\22|\27"\233\36x|\364\307\0\22\13\222\360q;\22\256\310gB\2u9\0A,\263u*+\2043\340\326\300j\14\216\341A=@\324\261<\370\200*\216d/=\230@ 2\17\217\370\16\333?E\275\300\304\3r\30;\306\31\336\200\333e(8\15\320Pd'k4d\33\214\264\223\330'\20\205\362\314\203\352\17\3763\207=\20}\21\273\24\367\20<\354\1\12\222yH\177o\262\227\263$\6\207z\307\177Z\254\235\254[v\177O\343\200\360", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0 00507 424 NtReadFile (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, (68, 0, 0, 0, 10240, 0x0, 0, ... 
{status=0x0, info=10240}, "\334\6\24\240d\23*V\373$J\313\357\320\271\246H\352P\342\20\325`]\177\364:\20\203olflf\16\37\327\0\221\12\275\22\306\16g\357\327\306\5B\316-\262i\343$\317\36P\252\354\354\201\37C.\217\255M\25\343\306s\16~>$-\255\231\325K\17\302\273W\1\10\321KwH+\275\325\31\357\365\306=\2366s\1\242\255\222\276\374\25r\334\345\11\204\302\344\226\261\257\24za~l\252&\10\216\276\344\304=}\362TS\201EGR\24\254\323\342@4~`\3464p>C\247\311\211\373n\214@\346\242\13\231\231\276\1\354\203\35\336\21\276\37\232\27\3516\226\236\235\252Uu\374\32b\27\200Y\3xO\234\4\364p\275E\21V\357m\251&\251\11\342y\212`\227\366\2g0\234\204\263h\320U\233^\306P4\0\344\312\367D\257bTyk\326\343&\363\257(\31b1\14\266~&\354j\332\377\22V\265\210\114\250\262\342\253\270\23m\305\17\36`>\231\234\210\364=\277\5m\272\361\205\30eP\201\257c\362!g\323\360p\331\377$E\324=q]\220J\317E6\321\337`\11\206\1\35\264\363[\207\262UJ\211\35\24K-\\324\204$]\255\376`\364y3\27\377\303\22\10\316i\307\5\307U\204\370\212)h\220\276\3414QP\220I\320\36\3063\201\354a\24\257l9Y\0\330\36>+\222U!;\253\315f\310\325\257\307\31i\234&*\357*\32\1\26a\267~b=\302\303\3\374?ti\13\311\311M\3\30\337a\206&\2115f7\6f=p\225\305\3639@6\336&\244\365.\252\374u\317\266\223\216\360"le\270\277\356izgV[.!\207_}\245Kl Z% \230\237\310u7\375\6uV\213\311\371+\214\220+$\314;\222\20;\275\325\36c7", ) le\270\277\356izgV[.!\207_}\245Kl Z% \230\237\310u7\375\6uV\213\311\371+\214\220+$\314;\222\20;\275\325\36c7", ) == 0x0 00508 424 NtWriteFile (80, 0, 0, 0, (80, 0, 0, 0, 
"\271k"\240\1~\34V\236I|\313\212\275\217\246-\207f\342u\270V]\32\231\14\20\346\2Zf\11\138\37\262m\247\12\330\177\360\16\2\202\341\306`/\370-\327\4\325$\252sf\252\211\201\267\37&C\271\255(x\325\306\26cH>A@\233\231\260&9\302\336:7\10\264&AHN\320\343\31\212\230\360=\373[E\1\307\300\244\276\231xD\334\200d\262\302\201\373\207\257q\27W~\11\307\20\10\353\323\322\304X\20\304T6\354sG7y\232\323\207-\2~\5\213\2p[.\221\311\354\226X\214%\213\224\13\374\364\210\1\211\356+\336t\323)\232r\204\0\226\373\360\234U\20\221,br\355o\3\35"\252\4\221\35\213Et;\331m\314K\237\11\207\24\274`\362\2334gU\361\262\263\15\275c\233;\253f4e\211\374\367!\302TT\34\6\340\343C\236\231(|\17\7\14\323\23\20\354\17\267\311\223\330\276\11Q\305\204\342\316\325%m\240b(`[\364\252\210\221P\211\5\10\327\307\205}\10f\201\312\16\304!\2\276\306p\274\222\22E\261PG]\365'\371ES\274\351`l\3537\35\321\236m\207\3278|\211xy}-9\271\262$8\300\310`\221\24\5\27\232\256$\10\253\4\361\5\2428\262\370\357D^\220\333\214\2Q5\375\177\320{\253\5\201\211\14"\257\11To\0\275s\10+\3678\27;\316\240P\310\260\302\361\31\14\361\20*\212G,\1s\14\201~\7P\364\303f\221\11t\14f\377\311(n.\337\4\353\20\211P\13\1\6\3PF\225\240\236\17@S\263\20\244\220C\234\374\20\242\200\223\353\235\24l\0\325\211\356\14\27QV>C\27\207:\20\223K\11Ml%E\365\251\310\20Z\313\6\20;\275\311\234F\272\220NI\372;\367}\15\275\260sU7", 10240, 0x0, 0, ... 
{status=0x0, info=10240}, ) \240\1~\34V\236I|\313\212\275\217\246-\207f\342u\270V]\32\231\14\20\346\2Zf\11\138\37\262m\247\12\330\177\360\16\2\202\341\306`/\370-\327\4\325$\252sf\252\211\201\267\37&C\271\255(x\325\306\26cH>A@\233\231\260&9\302\336:7\10\264&AHN\320\343\31\212\230\360=\373[E\1\307\300\244\276\231xD\334\200d\262\302\201\373\207\257q\27W~\11\307\20\10\353\323\322\304X\20\304T6\354sG7y\232\323\207-\2~\5\213\2p[.\221\311\354\226X\214%\213\224\13\374\364\210\1\211\356+\336t\323)\232r\204\0\226\373\360\234U\20\221,br\355o\3\35 (80, 0, 0, 0, "\271k"\240\1~\34V\236I|\313\212\275\217\246-\207f\342u\270V]\32\231\14\20\346\2Zf\11\138\37\262m\247\12\330\177\360\16\2\202\341\306`/\370-\327\4\325$\252sf\252\211\201\267\37&C\271\255(x\325\306\26cH>A@\233\231\260&9\302\336:7\10\264&AHN\320\343\31\212\230\360=\373[E\1\307\300\244\276\231xD\334\200d\262\302\201\373\207\257q\27W~\11\307\20\10\353\323\322\304X\20\304T6\354sG7y\232\323\207-\2~\5\213\2p[.\221\311\354\226X\214%\213\224\13\374\364\210\1\211\356+\336t\323)\232r\204\0\226\373\360\234U\20\221,br\355o\3\35"\252\4\221\35\213Et;\331m\314K\237\11\207\24\274`\362\2334gU\361\262\263\15\275c\233;\253f4e\211\374\367!\302TT\34\6\340\343C\236\231(|\17\7\14\323\23\20\354\17\267\311\223\330\276\11Q\305\204\342\316\325%m\240b(`[\364\252\210\221P\211\5\10\327\307\205}\10f\201\312\16\304!\2\276\306p\274\222\22E\261PG]\365'\371ES\274\351`l\3537\35\321\236m\207\3278|\211xy}-9\271\262$8\300\310`\221\24\5\27\232\256$\10\253\4\361\5\2428\262\370\357D^\220\333\214\2Q5\375\177\320{\253\5\201\211\14"\257\11To\0\275s\10+\3678\27;\316\240P\310\260\302\361\31\14\361\20*\212G,\1s\14\201~\7P\364\303f\221\11t\14f\377\311(n.\337\4\353\20\211P\13\1\6\3PF\225\240\236\17@S\263\20\244\220C\234\374\20\242\200\223\353\235\24l\0\325\211\356\14\27QV>C\27\207:\20\223K\11Ml%E\365\251\310\20Z\313\6\20;\275\311\234F\272\220NI\372;\367}\15\275\260sU7", 10240, 0x0, 0, ... 
{status=0x0, info=10240}, ) \257\11To\0\275s\10+\3678\27;\316\240P\310\260\302\361\31\14\361\20*\212G,\1s\14\201~\7P\364\303f\221\11t\14f\377\311(n.\337\4\353\20\211P\13\1\6\3PF\225\240\236\17@S\263\20\244\220C\234\374\20\242\200\223\353\235\24l\0\325\211\356\14\27QV>C\27\207:\20\223K\11Ml%E\365\251\310\20Z\313\6\20;\275\311\234F\272\220NI\372;\367}\15\275\260sU7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0 00509 424 NtReadFile (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\4\316\227SE"\224\3249\222\335\315\323\300\313\245^\253":\221\347\20\200\231FH\4>\6!\374H\30\3522\201\324\236A#]g\371\277\334\236N\2513e\212\23\334\310\26\250\341m\37\270\222m\353\355\316)\37\307\357\365\306~\21\312\365\314[\314\6\247 \356u\223N\311\15\343\310\351Z\324\256\322~w\206w(&s\236\242\221\265=Kt\215H1\30\7\253\254b\331=k\216s\253ot\303\267\12rL\353~j\337;\242\17&\376\362\351C\360(\320$\210T-\277,d\275gWS~\224\32\325\5q\357l\223\376\303\214He\364a\2068\200\245@\2314\271\217\225\351=c\30\24f\222+0\236tp\352\314w93~hnv\212#\371\30i\243.\332g\276\37236\302C\204?\14\255&M`\254\363p4\255\316\20\30\204\215\376w\320\351\370\274\214\374:\351\264\312\333H\313\202\330\12<[\341\274\366\353\202\376>\304A\21d&\375>\301\354\273\213\225\351u\203\340M\3\236\322\313CA\366\274Dp\210\352\300\215i\266\344j\1330U\214=\276\230;W\353W\255\234\213\201nK\10\34\237\31\324y\321\264;\30a\15\4\235\177E'\32\203\201\377\345\21\15\3P\37\23\306!k6O\35`\310\7wTA\355\36v\330\366\216rP\307\300\6a;\322\244$\261\333\306\6|M\226\361\225;\307\267*9\252\301\217\7\277\3\355>4\303`c\26\300$\244\24\5\2456\17\310n\247"a\237o\201\373\34j@\367\275\356\354\12\210x6[\3f\15z\232\366\316\360a\21)\277k,\33!\302\354\354\263\323\215;s\227$\213l\371\3343\15\267\32\306\364\272\0\306#Ol3\331N\257\31p\263\320N\332Q\350\302\240\224\366\276u~\324\31\360\1\26\300\365h\30(\332", ) \224\3249\222\335\315\323\300\313\245^\253 (68, 0, 0, 0, 10240, 0x0, 0, ... 
{status=0x0, info=10240}, "\4\316\227SE"\224\3249\222\335\315\323\300\313\245^\253":\221\347\20\200\231FH\4>\6!\374H\30\3522\201\324\236A#]g\371\277\334\236N\2513e\212\23\334\310\26\250\341m\37\270\222m\353\355\316)\37\307\357\365\306~\21\312\365\314[\314\6\247 \356u\223N\311\15\343\310\351Z\324\256\322~w\206w(&s\236\242\221\265=Kt\215H1\30\7\253\254b\331=k\216s\253ot\303\267\12rL\353~j\337;\242\17&\376\362\351C\360(\320$\210T-\277,d\275gWS~\224\32\325\5q\357l\223\376\303\214He\364a\2068\200\245@\2314\271\217\225\351=c\30\24f\222+0\236tp\352\314w93~hnv\212#\371\30i\243.\332g\276\37236\302C\204?\14\255&M`\254\363p4\255\316\20\30\204\215\376w\320\351\370\274\214\374:\351\264\312\333H\313\202\330\12<[\341\274\366\353\202\376>\304A\21d&\375>\301\354\273\213\225\351u\203\340M\3\236\322\313CA\366\274Dp\210\352\300\215i\266\344j\1330U\214=\276\230;W\353W\255\234\213\201nK\10\34\237\31\324y\321\264;\30a\15\4\235\177E'\32\203\201\377\345\21\15\3P\37\23\306!k6O\35`\310\7wTA\355\36v\330\366\216rP\307\300\6a;\322\244$\261\333\306\6|M\226\361\225;\307\267*9\252\301\217\7\277\3\355>4\303`c\26\300$\244\24\5\2456\17\310n\247"a\237o\201\373\34j@\367\275\356\354\12\210x6[\3f\15z\232\366\316\360a\21)\277k,\33!\302\354\354\263\323\215;s\227$\213l\371\3343\15\267\32\306\364\272\0\306#Ol3\331N\257\31p\263\320N\332Q\350\302\240\224\366\276u~\324\31\360\1\26\300\365h\30(\332", ) a\237o\201\373\34j@\367\275\356\354\12\210x6[\3f\15z\232\366\316\360a\21)\277k,\33!\302\354\354\263\323\215;s\227$\213l\371\3343\15\267\32\306\364\272\0\306#Ol3\331N\257\31p\263\320N\332Q\350\302\240\224\366\276u~\324\31\360\1\26\300\365h\30(\332", ) == 0x0 00510 424 NtWriteFile (80, 0, 0, 0, (80, 0, 0, 0, "a\243\241S 
O\242\324\\377\353\315\266\255\375\245;\306\24:\364\212&\200\374+~\4[k\27\374-u\3342\344\271\250AF0Q\371\332\261\250N\314^S\212v\261\376\26\315\214[\37\335\377[\353\210\243\37\37\242\202\303\306\33|\374\365\2516\372\6\302M\330u\366#\377\15\206\245\337Z\261\303\344~\22\353A(C\36\250\242\364\330\13K\21\340~1}j\235\254\7\264\13k\353\36\235o\21\256\201\12\27!\335~\17\262\15\242jK\310\362\214.\306(\265I\276TH\322\32d\330\12aS\33\371,\325`\34\331l\366\223\365\214-\10\302a\343U\266\245%\364\2\271\352\370\337=\6u"f\367F\6\236\21\35\334\314\22T\5~\15\3@\212F\224.i\306C\354g\333\227\56\247.\262?i\300\20M\5\301\305pQ\300\370\20}\351\273\376\22\275\337\370\331\341\312:\214\331\374\333-\246\264\330oQm\341\331\233\335\202\233S\362At\11\20\375[\254\332\273\356\370\337u\346\215{\3\373\277\375C$\233\212D\25\345\334\300\350\4\200\344\17f\500\341\13\276\375Va\3532\300\252\213\344\3}\10y\362/\324\34\274\202;}\14;\4\370\22s'\177\356\267\377\200|;\35r%\306D\6\0Ox\15\376\7\229w\355{\33\356\366\353\37f\307\2451\0a^\277\222$\324\266\360\6\31 \240\361\360V\361\267OT\234\301\352j\211\3\210S\2\303\5\16 \300A\311"\5\300[9\310\13\312\24a\372\2\267\373y\7v\367\330\203\332\12\355\25\0[f\13;z\377\233\370\360\4|\37\277\16A-!\247\201\332\263\266\340\15s\362I\275l\234\261\5\15\322w\360\364\337m\360#*\1\5\331+\302/p\326\275x\3324\205\364\240\361\233\210u\33\271/\360d{\366\365\15u\36\332", 10240, 0x0, 0, ... 
{status=0x0, info=10240}, ) f\367F\6\236\21\35\334\314\22T\5~\15\3@\212F\224.i\306C\354g\333\227\56\247.\262?i\300\20M\5\301\305pQ\300\370\20}\351\273\376\22\275\337\370\331\341\312:\214\331\374\333-\246\264\330oQm\341\331\233\335\202\233S\362At\11\20\375[\254\332\273\356\370\337u\346\215{\3\373\277\375C$\233\212D\25\345\334\300\350\4\200\344\17f\500\341\13\276\375Va\3532\300\252\213\344\3}\10y\362/\324\34\274\202;}\14;\4\370\22s'\177\356\267\377\200|;\35r%\306D\6\0Ox\15\376\7\229w\355{\33\356\366\353\37f\307\2451\0a^\277\222$\324\266\360\6\31 \240\361\360V\361\267OT\234\301\352j\211\3\210S\2\303\5\16 \300A\311 (80, 0, 0, 0, "a\243\241S O\242\324\\377\353\315\266\255\375\245;\306\24:\364\212&\200\374+~\4[k\27\374-u\3342\344\271\250AF0Q\371\332\261\250N\314^S\212v\261\376\26\315\214[\37\335\377[\353\210\243\37\37\242\202\303\306\33|\374\365\2516\372\6\302M\330u\366#\377\15\206\245\337Z\261\303\344~\22\353A(C\36\250\242\364\330\13K\21\340~1}j\235\254\7\264\13k\353\36\235o\21\256\201\12\27!\335~\17\262\15\242jK\310\362\214.\306(\265I\276TH\322\32d\330\12aS\33\371,\325`\34\331l\366\223\365\214-\10\302a\343U\266\245%\364\2\271\352\370\337=\6u"f\367F\6\236\21\35\334\314\22T\5~\15\3@\212F\224.i\306C\354g\333\227\56\247.\262?i\300\20M\5\301\305pQ\300\370\20}\351\273\376\22\275\337\370\331\341\312:\214\331\374\333-\246\264\330oQm\341\331\233\335\202\233S\362At\11\20\375[\254\332\273\356\370\337u\346\215{\3\373\277\375C$\233\212D\25\345\334\300\350\4\200\344\17f\500\341\13\276\375Va\3532\300\252\213\344\3}\10y\362/\324\34\274\202;}\14;\4\370\22s'\177\356\267\377\200|;\35r%\306D\6\0Ox\15\376\7\229w\355{\33\356\366\353\37f\307\2451\0a^\277\222$\324\266\360\6\31 \240\361\360V\361\267OT\234\301\352j\211\3\210S\2\303\5\16 
\300A\311"\5\300[9\310\13\312\24a\372\2\267\373y\7v\367\330\203\332\12\355\25\0[f\13;z\377\233\370\360\4|\37\277\16A-!\247\201\332\263\266\340\15s\362I\275l\234\261\5\15\322w\360\364\337m\360#*\1\5\331+\302/p\326\275x\3324\205\364\240\361\233\210u\33\271/\360d{\366\365\15u\36\332", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0 00511 424 NtReadFile (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\265v\263\320\236\346\4\1aZ\314\233\27\1x\3/)c{^R]\315\223'@\325\324\233X\336lH\5L\235\0\330|\325rd\216\373<\213\27;\26\242a\310\4\27\10\356\276\355^\242\313)\370K"DHmDA\337E\334\2424\350\370\213\327\2727\255w\305\3424\341\225\233T\25\206:n6v\15\373\20\350\205\200\5\340\342\221FPe\255;0\277\30co\14}\337D\267\306Q\354\320"^\130?C\37\35y\2\233yi\22dl\335ew\23\266\367df\347\225\354GO~\21a\200\326\206V0\336\356f\250\277\365\356pf]\15\225x\3534\237E\217\213\32\5p\322\335\266\3\23V/w^VU\206\307\207Wn\354h"\14\23\203\276\15\223ABV\27\350<\307`c\325A\204(&\17\272x\21~\310\307nu\302\15\313\3502E\3256mt\276\347\310\320\356\207\267\345e\2235\14\344\257\357\334\276y;\201\207c\3609!j\315\242\317E\247\305 \346\3tqlU\316Y\243H\3553v}\274\236\342@\12\270VMy\335\215\200\10\334\3463\377\23sa\20\210\335\305}N\226aS\245\353\223\353l$f|\353[8\271\331\345\371\260TD\35\265\226\314\267\206E\332\247\346Q\360\335\3*c\3356/\245\300+c,\2628\13\26\315IyIE\3\356i\15\357\26\341\313\202VIz\266y\355vAg(\37\351\325\355\3667\310r\353m\301\320,\250\344\252\313\201\202\223r\227;\37O\273\216^\15\16", ) DHmDA\337E\334\2424\350\370\213\327\2727\255w\305\3424\341\225\233T\25\206:n6v\15\373\20\350\205\200\5\340\342\221FPe\255;0\277\30co\14}\337D\267\306Q\354\320307\264V)\225\277;=\256\231\242r\276\216G\375\16!}\241\33%$\345T5\371x\2747\334\351\232\315_0\339 ]\233Vja\2647\373\243 (68, 0, 0, 0, 10240, 0x0, 0, ... 
{status=0x0, info=10240}, "\265v\263\320\236\346\4\1aZ\314\233\27\1x\3/)c{^R]\315\223'@\325\324\233X\336lH\5L\235\0\330|\325rd\216\373<\213\27;\26\242a\310\4\27\10\356\276\355^\242\313)\370K"DHmDA\337E\334\2424\350\370\213\327\2727\255w\305\3424\341\225\233T\25\206:n6v\15\373\20\350\205\200\5\340\342\221FPe\255;0\277\30co\14}\337D\267\306Q\354\320"^\130?C\37\35y\2\233yi\22dl\335ew\23\266\367df\347\225\354GO~\21a\200\326\206V0\336\356f\250\277\365\356pf]\15\225x\3534\237E\217\213\32\5p\322\335\266\3\23V/w^VU\206\307\207Wn\354h"\14\23\203\276\15\223ABV\27\350<\307`c\325A\204(&\17\272x\21~\310\307nu\302\15\313\3502E\3256mt\276\347\310\320\356\207\267\345e\2235\14\344\257\357\334\276y;\201\207c\3609!j\315\242\317E\247\305 \346\3tqlU\316Y\243H\3553v}\274\236\342@\12\270VMy\335\215\200\10\334\3463\377\23sa\20\210\335\305}N\226aS\245\353\223\353l$f|\353[8\271\331\345\371\260TD\35\265\226\314\267\206E\332\247\346Q\360\335\3*c\3356/\245\300+c,\2628\13\26\315IyIE\3\356i\15\357\26\341\313\202VIz\266y\355vAg(\37\351\325\355\3667\310r\353m\301\320,\250\344\252\313\201\202\223r\227;\37O\273\216^\15\16", ) \14\23\203\276\15\223ABV\27\350<\307`c\325A\204(&\17\272x\21~\310\307nu\30217\245\332t8\0\345b\36Due\336\341+\211>\15\313\3502E\3256mt\276\347\310\320\356\207\267\345e\2235\14\344\257\357\334\276y;\201\207c\3609!j\315\242\317E\247\305 \346\3tqlU\316Y\243H\3553v}\274\236\342@\12\270VMy\335\215\200\10\334\3463\377\23sa\20\210\335\305}N\226aS\245\353\223\353l$f|\353[8\271\331\345\371\260TD\35\265\226\314\267\206E\332\247\346Q\360\335\3*c\3356/\245\300+c,\2628\13\26\315IyIE\3\356i\15\357\26\341\313\202VIz\266y\355vAg(\37\351\325\355\3667\310r\353m\301\320,\250\344\252\313\201\202\223r\227;\37O\273\216^\15\16", ) == 0x0 00512 424 NtWriteFile (80, 0, 0, 0, (80, 0, 0, 0, "\320\33\205\320\373\2132\1\47\372\233rlN\3JDU{;?k\315w^\21@\260\271\255X\273\1~\5)\3606\330\31\270Dd\353\226\12\213rV 
\242\4\2452\27m\203\210\355;\317\375)\235&\24D-\0rA\272(\352\242Q\205\316\213\262\327\1\255\22\250\3244\204\370\255Tp\353\14nS\33;\373u\205\263\200`\215\324\221#=S\255^]\211\30\6\2:}\272)\201\3064\201\346<\15r\040\37\265z0\252\202VL\370\211;X\303\257\242\27\323\270G\230c\27}\304v\23$\2009\3\371\35\321\1\334\214\367\373_Uv\17 8\366`j\4\331\1\373\306Oh\13URu\37x\244\233\34\4$d\11\260Swv\333\301d\3\212\243\354""H\21\4\355\340\2063]\350\356\3\305\211\365\213\35P]h\370N\353Q\362s\217\356w3p\267\260\200\3v;\31w;;c\206\242\352an\211\5\24\14v\356\210\15\366,tVr\205\12\307\5\16\343A\341E\20\17\337\25'~\255\252Xu\247Qz[\13N9\245\277\31\16\0\200\17(D\20\10\350\341N\344\10\15\256\205\4E\260[[t\333\212\376\320\213\352\201\345\0\376\3\14\201\302\331\334\333\24\15\201\342\16\3069D\7\373\242\252(\221\305E\2135t\24\1c\316<\316~\355V\33K\274\373\217v\12\335;{y\270\340\266\10\271\213\5\377v\36W\20\355\260\363}+\373WS\300\206\245\353\11IP|\2166\16\271\274\210\317\2601)+\265\363\241\201\206 \267\221\3464\235\353\3O\16\3536J\310\366+\6A\2048n{\373I\34$s\3\213\4;\357s\214\375\2023$L\266\34\200@A\2E)\351\260\200\3007\255\37\335m\244\275\32\250\201\307\375\201\347\376D\227^ry\273\3533;\16", 10240, 0x0, 0, ... 
{status=0x0, info=10240}, ) (80, 0, 0, 0, "\320\33\205\320\373\2132\1\47\372\233rlN\3JDU{;?k\315w^\21@\260\271\255X\273\1~\5)\3606\330\31\270Dd\353\226\12\213rV \242\4\2452\27m\203\210\355;\317\375)\235&\24D-\0rA\272(\352\242Q\205\316\213\262\327\1\255\22\250\3244\204\370\255Tp\353\14nS\33;\373u\205\263\200`\215\324\221#=S\255^]\211\30\6\2:}\272)\201\3064\201\346<\15r\040\37\265z0\252\202VL\370\211;X\303\257\242\27\323\270G\230c\27}\304v\23$\2009\3\371\35\321\1\334\214\367\373_Uv\17 8\366`j\4\331\1\373\306Oh\13URu\37x\244\233\34\4$d\11\260Swv\333\301d\3\212\243\354""H\21\4\355\340\2063]\350\356\3\305\211\365\213\35P]h\370N\353Q\362s\217\356w3p\267\260\200\3v;\31w;;c\206\242\352an\211\5\24\14v\356\210\15\366,tVr\205\12\307\5\16\343A\341E\20\17\337\25'~\255\252Xu\247Qz[\13N9\245\277\31\16\0\200\17(D\20\10\350\341N\344\10\15\256\205\4E\260[[t\333\212\376\320\213\352\201\345\0\376\3\14\201\302\331\334\333\24\15\201\342\16\3069D\7\373\242\252(\221\305E\2135t\24\1c\316<\316~\355V\33K\274\373\217v\12\335;{y\270\340\266\10\271\213\5\377v\36W\20\355\260\363}+\373WS\300\206\245\353\11IP|\2166\16\271\274\210\317\2601)+\265\363\241\201\206 \267\221\3464\235\353\3O\16\3536J\310\366+\6A\2048n{\373I\34$s\3\213\4;\357s\214\375\2023$L\266\34\200@A\2E)\351\260\200\3007\255\37\335m\244\275\32\250\201\307\375\201\347\376D\227^ry\273\3533;\16", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0 00513 424 NtReadFile (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "j\351\303\225\307!\245\344x\371\373\216\262\376\35\4\356\371\337}\375!f\14\336\351J\21\21e\241\330\6}\246_\2542\371dY\212\365\271t\365\2200\32\313~DK6o\314^=\266`\301{\323U-m\321bj\306u-j%2\4\342\111*\243\357|\37u;\377\340\370\271%\247\33\357\37\314\320g9\37\21x3|\316P_deq\211\374O\24q\4\356\2217_7:eTT_^\360! 
Ct::\36\272\13\207\16r{\356M\27n-\273\261J\311e\261\223\371\23\270\3\334\337Sz\206\35%\362a\377\2109\31\4\311\341q\252t9\367\232\0W\31-\23(\243*\230\242\16\241Plg\326\201>\10*\247Y8v\1{]r\3038%\3760\22f^\314\31\275\374Q\10\361z\12\235\15SKb\332l\10\244\304`\1\336\22\357nu\271|\4d^\275\312\275\201\373\240\362\362\25!\363x\366\177^\223D!\21@\313\31=l\212\326BC\1\36.\233\200\266Y\221\207\374j+I\335\262\\250I\352:\274\360u=\2747\275|\306\340\222\257\312M8\13\257\215)\333c\374\276z\312\6"o\275\7\244\2075\22bf\375\262\10\2002J\272h>\10iJ&,\256\337\32\24{u*\25\332A\375\262EI:(I\340I0/\6\331R\244\30\376\350$\221Xmo\205\15\202s\250f\30\33\213iw[s\3228\376\1e\354\324\200\21\206\17h\310z\316#\264\31\323\204\214E\262\366R\226\214\273!\214~B\216p\34\366%\221\204,>\314\303\5\230a\310\15", ) o\275\7\244\2075\22bf\375\262\10\2002J\272h>\10iJ&,\256\337\32\24{u*\25\332A\375\262EI:(I\340I0/\6\331R\244\30\376\350$\221Xmo\205\15\20213\355j\310\312\270\1\300\326\327\15r\27\232x\275\205\3\373\213\333\16b\341\363\3\306/\357\201\222\221\0\373_\366\374\227\303\273w\232\346K\14av??N\224\261\367M\214E\0\31>s\250f\30\33\213iw[s\3228\376\1e\354\324\200\21\206\17h\310z\316#\264\31\323\204\214E\262\366R\226\214\273!\214~B\216p\34\366%\221\204,>\314\303\5\230a\310\15", ) == 0x0 00514 424 NtWriteFile (80, 0, 0, 0, (80, 0, 0, 0, "\17\204\365\225\242L\223\344\35\224\315\216\327\223+\4\213\224\351}\230LP\14\273\204|\21t\10\227\330c\20\220_\311_\317d<\347\303\271\21\230\2460\177\246HD.[Y\314;P\200`\244\26\345UH\0\347b\17\253C-\17H\4\4\207d\7*\306\202J\37\20V\311\340\235\324\23\247~\202)\314\265\12\17\37t\25\5|\253=id\0\34\277\374*yG\4\213\374\1_RWST12h\360DMut_W(\272n\3528r\36\203{\27\13@\215\261/\244S\261\366\224%\270f\261\351S\37\353+%\227\14\311\210\t2\311\204\34\234t\\232\254\02t\33\23M\316\34\230\307c\227P\11\12\340\201[e\34\247, 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0 00515 424 NtReadFile (68, 0, 0, 0, 10240, 0x0, 0, ... 
{status=0x0, info=10240}, (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "|\267[\342c|D\356J\323:\330\22\300\314;\236\32'\35\216\226@\357\232n1\20\264\1\224\225e\355\356\377oV{\370\32\3755u\356\20\212dy\331n\315U\305\303x\12\304QA`e\201-\253\241d\260\362\335\336\332k\375\355~\31.1,n\31\36\312xc\300nar\215:i-\25\350\303x\272q\247c\30i\261)pq_\157\31\207Y\257%-\260\344\301\311\206h\254\236&\254\301\2265bc,\202\346\233\333}5\322\356\311\355\15,\212\377`\306S\320\225h\314Y\300w\251.\224\355\275C;#r\202\306A\271o|\344o\200\345s\206(\325\3154xru%\203\31\376\3\26M\231\371\177\214\31pq\357o^\0\344\320\366\260\262|\225-\276\346.Q2\203e\3644\362`\307\270U\11\263\37\32-\2212n\22\377h\23\343\214\224X%+1\371\276=\347\1\3170=H\276b\313\321\20\204\321}\226\24\374n7\220\11~"\3704\3,\251\305I\221o\230\20\2+\345\243%\275\231\323\227\343h\362\210-\255\346.\363\300'I\304D\27i\267-\327\243\34\306b'Pu\322\340m\371\255g\350S\221\20\346y=ea\345\244\37\376p\2312\17\307\224&\26t\315\32\301\233\241\316\300\367G4\273r..\6\355\376\304\206^\355i\2438=g\351a\261\2368u]`\301\356\247\214\16\360\7\236\2034nT\2419\23p\0m\204\322w=\30\240\0z\35Q!\15\30\360\270E\177\4Y\357>\17\246\350Q0\26\331=\2606xA\211\17\345f\376\276\340*\224 m\334\5\334jz1E\315\220\377I_3\35\345\3kjy+\270=\3473\307\333&nj\347\35\200\353\23\354\365qE`\366*\240>{\366hfcX\212An@Vj\31/\20", ) \3704\3,\251\305I\221o\230\20\2+\345\243%\275\231\323\227\343h\362\210-\255\346.\363\300'I\304D\27i\267-\327\243\34\306b'Pu\322\340m\371\255g\350S\221\20\346y=ea\345\244\37\376p\2312\17\307\224&\26t\315\32\301\233\241\316\300\367G4\273r..\6\355\376\304\206^\355i\2438=g\351a\261\2368u]`\301\356\247\214\16\360\7\236\2034nT\2419\23p\0m\204\322w=\30\240\0z\35Q!\15\30\360\270E\177\4Y\357>\17\246\350Q0\26\331=\2606xA\211\17\345f\376\276\340*\224 m\334\5\334jz1E\315\220\377I_3\35\345\3kjy+\270=\3473\307\333&nj\347\35\200\353\23\354\365qE`\366*\240>{\366hfcX\212An@Vj\31/\20", ) == 0x0 00516 424 NtWriteFile (80, 0, 0, 0, (80, 0, 0, 0, 
"\31\332m\342\6\21r\356/\276\14\330w\255\372;\373w\21\35\353\373v\357\377\3\7\20\321l\242\225\0\200\330\377\12;M\370\177\220\3u\213}\274d\34\264X\3150\250\365xo\251gA\5\10\267-\316\314R\260\227\260\350\332\16\220\333~|C\7,\13t(\31W\25U\300\13\14D\215_\4\33\25\215\256N\272\24\312U\30\14\334\37p\242;7|\352o\257@@\206\344\244\244\260h\311\363\20\254\244\373\3b\6A\264\346\376\266K5\267\203\377\355hA\274\377\5\253e\320\360\5\372Y\245\32\237.\361\200\213C^ND\202\243,\217o\31\211Y\200\200\36\260(\260\240\2x\27\30\23\203|\2235\26(\364\317\177\351tFq\212\2h\0\201\275\300\260\327\21\243-\333\213\30QW\356S\364Q\237V\307\3358?\263zw\33\221W\3$\377\15~\325\214\3615\23+T\224\210=\202l\3710X%\210b\256\274&\204\264\20\240\24\231\3\1\220l\23\24\370Qn\32\251\240$\247o\375}4+\200\316\23\275\374\276\241\343\15\237\276-\310\213\30\363\245J\177\304!z_\267H\272\225\34\243\17\21P\20\277\326m\234\300Q\3506\374&\346\34PSa\200\311)\376\25\364\4\17\242\371\20\26\21\240,\301\376\314\370\300\222*\2\273\27C\30\6\210\223\362\206;\200_\243]PQ\351\4\334\2508\200V\301\213\312\272\1S\2351\236\346YXT\304T%pe\0\262\322\22P.\240e\27+QD`.\360\335(I\4<\202\10\17\303\205g0s\264\13\260S\25w\211j\210P\376\333\215\34\224E\0\352\5\271\7L1 \240\246\377,2\5\35\200n]j\34F\216=\202^\361\333C\3\\347x\355\335\23\211\230GE\5\233\34\240[\26\300h\3\16n\212$\3vV\17t\31\20", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0 00517 424 NtReadFile (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, (68, 0, 0, 0, 10240, 0x0, 0, ... 
{status=0x0, info=10240}, "5\275"8F\12\246\1\3341N\360\1\264\326\2229\3715Qa\353\244\333\346?\22#7E~\252\13E_@\11n\352\7\27\257<36\253\363$\237\304R\201%7\3\1316F\251I6\210\300\206Nj}\341>\270\365ar\17\361\356\236S\364WRu\365\300\26\353K;F\237\5\321v^0\250e\14R\15\271\254 FeXnk\322\244\%"\1\15\25O\31\312\3511X\217\202l\241\310\337\301\2>m\305\227g\2460`f"\211\302\301n`_6.\356m\274lb\27n}&#\1\201\240\14]4$\4&|~\314;9\206\32369D2\2059\342\3439\24!aB\211c\49\15YUmD\15\204!^:_\256%X/\368B_8\321\305^)\241Ga\3318\222o;z\271=\364\274\201\17Q2c\310m\26\247t\362\26\322o\275;"#u\327\227\244\231U5\250 \326\376\326\330\15n\23\201\7a\7\27\15\227 =\231\1\247\301\26\37Ar6\22\225mV|\324\262\266|e6\22\2\14\23frI\315\324\371f8Rp1m\236\252\347r\355\256r\331J\20\33\12\243\14\313j.\26\361|\21E5&`\21Zj\372~r\235<=\202Rj\244l92\263u}*P`\203\31?8a'or\246xX\13fbR0a\246\330\241\10\341\240E\266\216\0\354\105\353g\177\370\236\342\222a\4n\311\375\3338H\231W\2055+ciN\6\202\5E\36*HT\225\32a\2667\204\276C\11\351n\252\254\36\3132\226\210\5\304\377AM \347\337\3454\376\3754\6g\266\252\3im6\10.\3677\351ynv \247K\27ev\26&7\322\1\364\336\271MV\350y\230P\311\333\3262&jA\241u\372\360\7\4", ) 8F\12\246\1\3341N\360\1\264\326\2229\3715Qa\353\244\333\346?\22#7E~\252\13E_@\11n\352\7\27\257<36\253\363$\237\304R\201%7\3\1316F\251I6\210\300\206Nj}\341>\270\365ar\17\361\356\236S\364WRu\365\300\26\353K;F\237\5\321v^0\250e\14R\15\271\254 FeXnk\322\244\% (68, 0, 0, 0, 10240, 0x0, 0, ... 
{status=0x0, info=10240}, "5\275"8F\12\246\1\3341N\360\1\264\326\2229\3715Qa\353\244\333\346?\22#7E~\252\13E_@\11n\352\7\27\257<36\253\363$\237\304R\201%7\3\1316F\251I6\210\300\206Nj}\341>\270\365ar\17\361\356\236S\364WRu\365\300\26\353K;F\237\5\321v^0\250e\14R\15\271\254 FeXnk\322\244\%"\1\15\25O\31\312\3511X\217\202l\241\310\337\301\2>m\305\227g\2460`f"\211\302\301n`_6.\356m\274lb\27n}&#\1\201\240\14]4$\4&|~\314;9\206\32369D2\2059\342\3439\24!aB\211c\49\15YUmD\15\204!^:_\256%X/\368B_8\321\305^)\241Ga\3318\222o;z\271=\364\274\201\17Q2c\310m\26\247t\362\26\322o\275;"#u\327\227\244\231U5\250 \326\376\326\330\15n\23\201\7a\7\27\15\227 =\231\1\247\301\26\37Ar6\22\225mV|\324\262\266|e6\22\2\14\23frI\315\324\371f8Rp1m\236\252\347r\355\256r\331J\20\33\12\243\14\313j.\26\361|\21E5&`\21Zj\372~r\235<=\202Rj\244l92\263u}*P`\203\31?8a'or\246xX\13fbR0a\246\330\241\10\341\240E\266\216\0\354\105\353g\177\370\236\342\222a\4n\311\375\3338H\231W\2055+ciN\6\202\5E\36*HT\225\32a\2667\204\276C\11\351n\252\254\36\3132\226\210\5\304\377AM \347\337\3454\376\3754\6g\266\252\3im6\10.\3677\351ynv \247K\27ev\26&7\322\1\364\336\271MV\350y\230P\311\333\3262&jA\241u\372\360\7\4", ) \211\302\301n`_6.\356m\274lb\27n}&#\1\201\240\14]4$\4&|~\314;9\206\32369D2\2059\342\3439\24!aB\211c\49\15YUmD\15\204!^:_\256%X/\368B_8\321\305^)\241Ga\3318\222o;z\271=\364\274\201\17Q2c\310m\26\247t\362\26\322o\275; (68, 0, 0, 0, 10240, 0x0, 0, ... 
{status=0x0, info=10240}, "5\275"8F\12\246\1\3341N\360\1\264\326\2229\3715Qa\353\244\333\346?\22#7E~\252\13E_@\11n\352\7\27\257<36\253\363$\237\304R\201%7\3\1316F\251I6\210\300\206Nj}\341>\270\365ar\17\361\356\236S\364WRu\365\300\26\353K;F\237\5\321v^0\250e\14R\15\271\254 FeXnk\322\244\%"\1\15\25O\31\312\3511X\217\202l\241\310\337\301\2>m\305\227g\2460`f"\211\302\301n`_6.\356m\274lb\27n}&#\1\201\240\14]4$\4&|~\314;9\206\32369D2\2059\342\3439\24!aB\211c\49\15YUmD\15\204!^:_\256%X/\368B_8\321\305^)\241Ga\3318\222o;z\271=\364\274\201\17Q2c\310m\26\247t\362\26\322o\275;"#u\327\227\244\231U5\250 \326\376\326\330\15n\23\201\7a\7\27\15\227 =\231\1\247\301\26\37Ar6\22\225mV|\324\262\266|e6\22\2\14\23frI\315\324\371f8Rp1m\236\252\347r\355\256r\331J\20\33\12\243\14\313j.\26\361|\21E5&`\21Zj\372~r\235<=\202Rj\244l92\263u}*P`\203\31?8a'or\246xX\13fbR0a\246\330\241\10\341\240E\266\216\0\354\105\353g\177\370\236\342\222a\4n\311\375\3338H\231W\2055+ciN\6\202\5E\36*HT\225\32a\2667\204\276C\11\351n\252\254\36\3132\226\210\5\304\377AM \347\337\3454\376\3754\6g\266\252\3im6\10.\3677\351ynv \247K\27ev\26&7\322\1\364\336\271MV\350y\230P\311\333\3262&jA\241u\372\360\7\4", ) , ) == 0x0 00518 424 NtWriteFile (80, 0, 0, 0, (80, 0, 0, 0, "P\320\248#g\220\1\271\x\360d\331\340\222\\224\3Q\4\206\222\333\203R$#R(H\252n(i@l\3\334\7r\302\123Sx\5\363A\362\362R\344H\1\3n\\0F\314$\0\210\245\353xj\30\214\10\270\220\14D\17\224\203\250S\221:du\220\255 \353.Vp\237`\274@^U\305S\147`\217\254E+SX\13\6\344\2449H\24\1hxy\31\257\204\7X\352\357Z\241\255\262\367\2[\0\363\227\2\313\6`\3O\277\302\244\3V_SC\330m\331\1T\27\13\20\20#d\354\226\148Y\22\4C\21H\314^T\260\323STr2\340T\324\343\y\27a'\344U\4\`oU\10);\204D3\14_\313Hn/{Ut_]\274\363^L\314qa\274U\244o^\27\217=\221\321\267\174_U\310\10{\221t\227{\344o\330V\24#\20\272\241\244\3748\3\250E\273\310\326\275`X\23\344jW\7r`$7EP\257\1\302\254 
\37$\37\0\22\360\0`|\261\337\200|\0[$\2i~Pr,\240\342\371\3UdpT\0\250\252\202\37\333\256\27\264|\20~g\225\14\256\7\30\26\224\21'EPKV\21?\7\314~\27\360\12=\347?\\244\11T\4\263\20\20\34P\5\356/?]\14\21o\27\313NXn\13TRU\14\220\330\304e\327\240 \333\270\0\211e\3\353\2\22\316\236\207\377W\4\13\244\313\333]%\257W\340X\35c\14#0\202`((*-9\243\32\4\333\1\20Q\323u\11\214\3\234\254{t\52\363\3453\304\232,{ \202\262\3234\233\220\2\6\2\333\234\3\14\0\0\10K\232\1\351\34\3@ \302&!e\23{\207\267l\302\336\334 `\350\34\365f\311\276\273\4&\17,\227u\237\2351\4", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0 00519 424 NtReadFile (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\333nJ\312\11\2423\20\312\375,\33\205\17\2{j@\356\20}5\225u\231!;dn\320V\16\345a9\316\336\4\264?In1t\343d\342A\267i\253\271\376\356\305n\302Ou\367\260\5L&\212v\272\301\236\307\277:=[=R\353\177:\223\334\365\303\227g\366?nw\345\217`K\27\2009K\372\32FW\12&\333\315\357o\205\21D\316\331\341\10CK\321\242\14\6\367`\27Po9>\4no{\64{\35\2\7VR\202Pg5F\301\375?\213$,\347k\207s\247\254kl\13\350\251\357\306\312\251\216\16\20\350\341\357\2*\31\224\352.\265\277\224wX ;inx+\0V+bTK&\214v\316\206Yy\377>\254B|\22$\251X2\16UU\373\226\330|X\15\215]\326\301U]\277/\363\1\360l\25y4\374k=b\14\45\230d\252\373\255\17\20\17\250EF\307>\2{\246?!cNv\177L\264\27eo\337:\335:i_X\307>\322mg\333\232a\316+8\301\351\264$\235j\317\331\31\337\10p\321\11e\0\14\325\242#\21T\327w\14I\15\3060Y,\373,\256371\340Q\36\202\35\312E\3707\26\202%\250y\251\21\\2376\24\3243?\347,\246P\356\16a\242\118\1\377`\274\11&\367u7\12[\30f2m\177&\352l\27o\372"g\273T\343\275f\0c\212aE\12\341\15=#", ) g\273T\343\275f\0c\212aE\12\341\15=#", ) == 0x0 00520 424 NtWriteFile (80, 0, 0, 0, (80, 0, 0, 0, "\276\3|\312l\317\5\20\257\220\32\33\340b4{\17-\330\20\30X\243u\374L\15d\13\275`\16\200\14\17\313\21\260\30\314f%2M\263\366\222M 
x\16\206\14\344f\11K(H\16\22\240a\240\13\20E\212\330\254\215@|d\12\11\221\233\315\2\210\333\21S\370\336a\331\11I\13\B\343\1\217w\267\14\306\217\376\213\250X\302*\30\301\260`!\20\212\23z\4\301\373\252\211:X6\13R\216\22\14\223\271\230\365\227\2\233\11n\22\210\271`.z\2669.\227,F2g\20\333\250\202Y\205t)\370\331\204euK\264\317:\6\222\15!P\12T\10\4\13\2M\6Q\26+\2b;d\2025\12\3F\244\220\11\213AA\321k\342\36\221\254\16\1=\350\314\202\360\312\314\3438\20\215\214\331\2Ot\242\352K\330\211\224\225\26;\14\3N+e;\35b1&\20\214\23\243\260Y\34\222\10\254'\21$$\3145\4\1608\315\226\275\21n\15\3500\340\30100\211/\226l\306lp\24\2\374\16PT\14aX\256d\317\226\233\17ub\236E#\252\10\2\36\313\11!\6#@\177)\331!e\12\262\14\335_\4iX\242S\344m\2\266\254a\253F\16\301\214\331\22\235\17\242\357\31\272eF\321l\106\14\260\317\25\211\272A\14,`\3600"\2\326b\343\330\136c\357\14s\12\204`\13#", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \313\21\260\30\314f%2M\263\366\222M x\16\206\14\344f\11K(H\16\22\240a\240\13\20E\212\330\254\215@|d\12\11\221\233\315\2\210\333\21S\370\336a\331\11I\13\B\343\1\217w\267\14\306\217\376\213\250X\302*\30\301\260`!\20\212\23z\4\301\373\252\211:X6\13R\216\22\14\223\271\230\365\227\2\233\11n\22\210\271`.z\2669.\227,F2g\20\333\250\202Y\205t)\370\331\204euK\264\317:\6\222\15!P\12T\10\4\13\2M\6Q\26+\2b;d\2025\12\3F\244\220\11\213AA\321k\342\36\221\254\16\1=\350\314\202\360\312\314\3438\20\215\214\331\2Ot\242\352K\330\211\224\225\26;\14\3N+e;\35b1&\20\214\23\243\260Y\34\222\10\254'\21$$\3145\4\1608\315\226\275\21n\15\3500\340\30100\211/\226l\306lp\24\2\374\16PT\14aX\256d\317\226\233\17ub\236E#\252\10\2\36\313\11!\6#@\177)\331!e\12\262\14\335_\4iX\242S\344m\2\266\254a\253F\16\301\214\331\22\235\17\242\357\31\272eF\321l\106\14\260\317\25\211\272A\14,`\3600315,\313^\11\205<(\202x\247s\370R{\264%\315\24\237\219\362\0\24\261^\11\347I\313f\356k\14\224\11]l\311`\331d\20\367\20Z<[}\13\4m\32K\334lr\2\314 (80, 0, 0, 0, 
"\276\3|\312l\317\5\20\257\220\32\33\340b4{\17-\330\20\30X\243u\374L\15d\13\275`\16\200\14\17\313\21\260\30\314f%2M\263\366\222M x\16\206\14\344f\11K(H\16\22\240a\240\13\20E\212\330\254\215@|d\12\11\221\233\315\2\210\333\21S\370\336a\331\11I\13\B\343\1\217w\267\14\306\217\376\213\250X\302*\30\301\260`!\20\212\23z\4\301\373\252\211:X6\13R\216\22\14\223\271\230\365\227\2\233\11n\22\210\271`.z\2669.\227,F2g\20\333\250\202Y\205t)\370\331\204euK\264\317:\6\222\15!P\12T\10\4\13\2M\6Q\26+\2b;d\2025\12\3F\244\220\11\213AA\321k\342\36\221\254\16\1=\350\314\202\360\312\314\3438\20\215\214\331\2Ot\242\352K\330\211\224\225\26;\14\3N+e;\35b1&\20\214\23\243\260Y\34\222\10\254'\21$$\3145\4\1608\315\226\275\21n\15\3500\340\30100\211/\226l\306lp\24\2\374\16PT\14aX\256d\317\226\233\17ub\236E#\252\10\2\36\313\11!\6#@\177)\331!e\12\262\14\335_\4iX\242S\344m\2\266\254a\253F\16\301\214\331\22\235\17\242\357\31\272eF\321l\106\14\260\317\25\211\272A\14,`\3600"\2\326b\343\330\136c\357\14s\12\204`\13#", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0 00521 424 NtReadFile (68, 0, 0, 0, 2048, 0x0, 0, ... {status=0x0, info=2048}, (68, 0, 0, 0, 2048, 0x0, 0, ... 
{status=0x0, info=2048}, "\271>6\0\211>6\0\315\116\0\335\116\0M\366\0]\366\0-\366\05\366\0=\366\0\5\366\0\15\366\0\25\366\0\35\366\0\345\366\0\355\366\0\365\366\0\201\366\0\235\366\0y\316\0\5\316\0\361\316\0\211\316\0q\306\01\306\0\261\306\0I\336\0\255\326\0Q\246\0\21\246\0=\276\0\201\276\0\335\216\0\245\236\0\355\3556\0\11\3546\0i\3576\0\351\3576\0\251\3576\0\245\3566\0\205\3566\0a\3516\0Q\3516\0\375>3\0\205>3\0\262T1\0\216T1\0gW1\0\177W1\0QW1\0+W1\0\14W1\0\341W1\0\305W1\0\334W1\0\261W1\0\215W1\0\233W1\0wV1\0MV1\0$V1\05V1\0\30V1\0\363V1\0\322V1\0\264V1\0\235V1\0~Q1\0/Q1\0\12Q1\0\367Q1\0\244Q1\0\204Q1\0aP1\0\P1\0\2P1\0\31P1\0\367P1\0\317P1\0\245P1\0\263P1\0\211P1\0dS1\0\177S1\0JS1\0!S1\0;S1\0\34S1\0\341S1\0\357S1\0\366S1\0\372S1\0ym \0rm/\0qm.\0pm,\0am5\0mm1\0cm3\0Nm-\0xm(\0Am\26\0Mm\34\0Lm\27\0Fm\24\0zm\23\0Cm\21\0vm'\0wm:\0um8\0jm;\0nm<\0lm\32\0em4\0dm\30\0Hm6\0em6\0em6\0em6@A\25F$T_xm\20\11F@1#{U!=6@A\25F$TXxm", ) , ) == 0x0 00522 424 NtWriteFile (80, 0, 0, 0, (80, 0, 0, 0, "\334S\0\0\354S\0\0\250d\0\0\270d\0\0(s\0\08s\0\0Hs\0\0Ps\0\0Xs\0\0`s\0\0hs\0\0ps\0\0xs\0\0\200s\0\0\210s\0\0\220s\0\0\344s\0\0\370s\0\0\34t\0\0`t\0\0\224t\0\0\354t\0\0\24u\0\0Tu\0\0\324u\0\0,v\0\0\310w\0\04y\0\0ty\0\0Xz\0\0\344z\0\0\270|\0\0\300~\0\0\210\200\0\0l\201\0\0\14\202\0\0\214\202\0\0\314\202\0\0\300\203\0\0\340\203\0\0\4\204\0\04\204\0\0\230S\5\0\340S\5\0\3279\7\0\3539\7\0\2:\7\0\32:\7\04:\7\0N:\7\0i:\7\0\204:\7\0\240:\7\0\271:\7\0\324:\7\0\350:\7\0\376:\7\0\22;\7\0(;\7\0A;\7\0P;\7\0};\7\0\226;\7\0\267;\7\0\321;\7\0\370;\7\0\33<\7\0J<\7\0o<\7\0\222<\7\0\301<\7\0\341<\7\0\4=\7\09=\7\0g=\7\0|=\7\0\222=\7\0\252=\7\0\300=\7\0\326=\7\0\354=\7\0\1>\7\0\32>\7\0/>\7\0D>\7\0^>\7\0y>\7\0\204>\7\0\212>\7\0\223>\7\0\237>\7\0\34\0\26\0\27\0\31\0\24\0\30\0\25\0\32\0\4\0\3\0\10\0\7\0\6\0\5\0+\0\33\0\35\0\36\0$\0 \0(\0*\0)\0!\0#\0"\0\37\0%\0&\0'\0\23\0\21\0\22\0\14\0\20\0\16\0\17\0\15\0\13\0\12\0\11\0,\0\0\0\2\0\1\0.\0-\0\0\0\0\0\0\0\0\0\0\0\0\0\0@$xp$12Nmudp@TNMUDP\0@$xp$15Nm", 2048, 0x0, 0, ... 
{status=0x0, info=2048}, ) \0\37\0%\0&\0'\0\23\0\21\0\22\0\14\0\20\0\16\0\17\0\15\0\13\0\12\0\11\0,\0\0\0\2\0\1\0.\0-\0\0\0\0\0\0\0\0\0\0\0\0\0\0@$xp$12Nmudp@TNMUDP\0@$xp$15Nm", 2048, 0x0, 0, ... {status=0x0, info=2048}, ) == 0x0 00523 424 NtClose (80, ... ) == 0x0 00524 424 NtClose (68, ... ) == 0x0 00525 424 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\yka1.tmp"}, 1242416, ... ) }, 1242416, ... ) == 0x0 00526 424 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\yka1.tmp"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0 00527 424 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 68, ... 80, ) == 0x0 00528 424 NtClose (68, ... ) == 0x0 00529 424 NtMapViewOfSection (80, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x860000), 0x0, 176128, ) == 0x0 00530 424 NtClose (80, ... ) == 0x0 00531 424 NtUnmapViewOfSection (-1, 0x860000, ... ) == 0x0 00532 424 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\yka1.tmp"}, 1242732, ... ) }, 1242732, ... ) == 0x0 00533 424 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\yka1.tmp"}, 1242732, ... ) }, 1242732, ... ) == 0x0 00534 424 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\yka1.tmp"}, 5, 96, ... 80, {status=0x0, info=1}, ) }, 5, 96, ... 80, {status=0x0, info=1}, ) == 0x0 00535 424 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 80, ... 68, ) == 0x0 00536 424 NtQuerySection (68, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00537 424 NtClose (80, ... ) == 0x0 00538 424 NtMapViewOfSection (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x860000), 0x0, 475136, ) == STATUS_IMAGE_NOT_AT_BASE 00539 424 NtMapViewOfSection (68, -1, (0x860000), 0, 0, 0x0, 475136, 1, 0, 4, ... 
) == STATUS_CONFLICTING_ADDRESSES 00540 424 NtFlushInstructionCache (-1, 0, 0, ... ) == 0x0 00541 424 NtClose (68, ... ) == 0x0 00542 424 NtProtectVirtualMemory (-1, (0x8d3000), 4096, 4, ... (0x8d3000), 4096, 8, ) == 0x0 00543 424 NtProtectVirtualMemory (-1, (0x8d3000), 4096, 8, ... (0x8d3000), 4096, 4, ) == 0x0 00544 424 NtFlushInstructionCache (-1, 9252864, 4096, ... ) == 0x0 00545 424 NtProtectVirtualMemory (-1, (0x8d3000), 4096, 4, ... (0x8d3000), 4096, 4, ) == 0x0 00546 424 NtProtectVirtualMemory (-1, (0x8d3000), 4096, 4, ... (0x8d3000), 4096, 4, ) == 0x0 00547 424 NtFlushInstructionCache (-1, 9252864, 4096, ... ) == 0x0 00548 424 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "COMCTL32.DLL"}, ... 68, ) }, ... 68, ) == 0x0 00549 424 NtMapViewOfSection (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0 00550 424 NtClose (68, ... ) == 0x0 00551 424 NtProtectVirtualMemory (-1, (0x8d3000), 4096, 4, ... (0x8d3000), 4096, 4, ) == 0x0 00552 424 NtProtectVirtualMemory (-1, (0x8d3000), 4096, 4, ... (0x8d3000), 4096, 4, ) == 0x0 00553 424 NtFlushInstructionCache (-1, 9252864, 4096, ... ) == 0x0 00554 424 NtProtectVirtualMemory (-1, (0x8d3000), 4096, 4, ... (0x8d3000), 4096, 4, ) == 0x0 00555 424 NtProtectVirtualMemory (-1, (0x8d3000), 4096, 4, ... (0x8d3000), 4096, 4, ) == 0x0 00556 424 NtFlushInstructionCache (-1, 9252864, 4096, ... ) == 0x0 00557 424 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "MPR.DLL"}, ... 68, ) }, ... 68, ) == 0x0 00558 424 NtMapViewOfSection (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71b20000), 0x0, 69632, ) == 0x0 00559 424 NtClose (68, ... ) == 0x0 00560 424 NtProtectVirtualMemory (-1, (0x8d3000), 4096, 4, ... (0x8d3000), 4096, 4, ) == 0x0 00561 424 NtProtectVirtualMemory (-1, (0x8d3000), 4096, 4, ... (0x8d3000), 4096, 4, ) == 0x0 00562 424 NtFlushInstructionCache (-1, 9252864, 4096, ... ) == 0x0 00563 424 NtProtectVirtualMemory (-1, (0x8d3000), 4096, 4, ... 
(0x8d3000), 4096, 4, ) == 0x0 00564 424 NtProtectVirtualMemory (-1, (0x8d3000), 4096, 4, ... (0x8d3000), 4096, 4, ) == 0x0 00565 424 NtFlushInstructionCache (-1, 9252864, 4096, ... ) == 0x0 00566 424 NtProtectVirtualMemory (-1, (0x8d3000), 4096, 4, ... (0x8d3000), 4096, 4, ) == 0x0 00567 424 NtProtectVirtualMemory (-1, (0x8d3000), 4096, 4, ... (0x8d3000), 4096, 4, ) == 0x0 00568 424 NtFlushInstructionCache (-1, 9252864, 4096, ... ) == 0x0 00569 424 NtProtectVirtualMemory (-1, (0x8d3000), 4096, 4, ... (0x8d3000), 4096, 4, ) == 0x0 00570 424 NtProtectVirtualMemory (-1, (0x8d3000), 4096, 4, ... (0x8d3000), 4096, 4, ) == 0x0 00571 424 NtFlushInstructionCache (-1, 9252864, 4096, ... ) == 0x0 00572 424 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WSOCK32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00573 424 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WSOCK32.DLL"}, 1241948, ... ) }, 1241948, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00574 424 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WSOCK32.DLL"}, 1241948, ... ) }, 1241948, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00575 424 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WSOCK32.DLL"}, 1241948, ... ) }, 1241948, ... ) == 0x0 00576 424 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WSOCK32.DLL"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0 00577 424 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 68, ... 80, ) == 0x0 00578 424 NtQuerySection (80, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00579 424 NtClose (68, ... ) == 0x0 00580 424 NtMapViewOfSection (80, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ad0000), 0x0, 32768, ) == 0x0 00581 424 NtClose (80, ... ) == 0x0 00582 424 NtProtectVirtualMemory (-1, (0x8d3000), 4096, 4, ... 
(0x8d3000), 4096, 4, ) == 0x0 00583 424 NtProtectVirtualMemory (-1, (0x8d3000), 4096, 4, ... (0x8d3000), 4096, 4, ) == 0x0 00584 424 NtFlushInstructionCache (-1, 9252864, 4096, ... ) == 0x0 00585 424 NtOpenProcess (0x400, {24, 0, 0x0, 0, 0, 0x0}, {420, 0}, ... 80, ) == 0x0 00586 424 NtQueryInformationProcess (80, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0 00587 424 NtClose (80, ... ) == 0x0 00588 424 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 00589 424 NtUserSystemParametersInfo (104, 0, 2000318720, 0, ... ) == 0x1 00590 424 NtUserSystemParametersInfo (38, 4, 2000318708, 0, ... ) == 0x1 00591 424 NtOpenKey (0x20019, {24, 60, 0x40, 0, 0, (0x20019, {24, 60, 0x40, 0, 0, "Control Panel\Desktop"}, ... 80, ) }, ... 80, ) == 0x0 00592 424 NtQueryValueKey (80, (80, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00593 424 NtClose (80, ... ) == 0x0 00594 424 NtUserSystemParametersInfo (41, 500, 1242456, 0, ... ) == 0x1 00595 424 NtUserSystemParametersInfo (102, 0, 2000318732, 0, ... ) == 0x1 00596 424 NtUserGetClassInfo (1999896576, 1242864, 1242816, 1242892, 0, ... ) == 0x0 00597 424 NtUserFindExistingCursorIcon (1242248, 1242264, 1242832, ... ) == 0x10011 00598 424 NtUserRegisterClassExWOW (1242700, 1242780, 1242764, 1242796, 0, 384, 0, ... ) == 0x810cc03b 00599 424 NtUserGetClassInfo (1999896576, 1242864, 1242816, 1242892, 0, ... ) == 0x0 00600 424 NtUserRegisterClassExWOW (1242700, 1242780, 1242764, 1242796, 0, 384, 0, ... ) == 0x810cc03d 00601 424 NtUserGetClassInfo (1999896576, 1242864, 1242816, 1242892, 0, ... ) == 0x0 00602 424 NtUserFindExistingCursorIcon (1242248, 1242264, 1242832, ... ) == 0x10011 00603 424 NtUserRegisterClassExWOW (1242700, 1242780, 1242764, 1242796, 0, 384, 0, ... ) == 0x810cc03f 00604 424 NtUserGetClassInfo (1999896576, 1242864, 1242816, 1242892, 0, ... ) == 0x0 00605 424 NtUserFindExistingCursorIcon (1242248, 1242264, 1242832, ... 
) == 0x10011 00606 424 NtUserRegisterClassExWOW (1242700, 1242780, 1242764, 1242796, 0, 384, 0, ... ) == 0x810cc041 00607 424 NtUserGetClassInfo (1999896576, 1242864, 1242816, 1242892, 0, ... ) == 0x0 00608 424 NtUserFindExistingCursorIcon (1242248, 1242264, 1242832, ... ) == 0x10011 00609 424 NtUserRegisterClassExWOW (1242700, 1242780, 1242764, 1242796, 0, 384, 0, ... ) == 0x810cc043 00610 424 NtUserGetClassInfo (1999896576, 1242864, 1242816, 1242892, 0, ... ) == 0x0 00611 424 NtUserRegisterClassExWOW (1242700, 1242780, 1242764, 1242796, 0, 384, 0, ... ) == 0x810cc045 00612 424 NtUserGetClassInfo (1999896576, 1242864, 1242816, 1242892, 0, ... ) == 0x0 00613 424 NtUserFindExistingCursorIcon (1242248, 1242264, 1242832, ... ) == 0x10011 00614 424 NtUserRegisterClassExWOW (1242700, 1242780, 1242764, 1242796, 0, 384, 0, ... ) == 0x810cc047 00615 424 NtUserGetClassInfo (1999896576, 1242864, 1242816, 1242892, 0, ... ) == 0x0 00616 424 NtUserFindExistingCursorIcon (1242244, 1242260, 1242828, ... ) == 0x10011 00617 424 NtUserRegisterClassExWOW (1242696, 1242776, 1242760, 1242792, 0, 384, 0, ... ) == 0x810cc049 00618 424 NtUserGetClassInfo (1999896576, 1242864, 1242816, 1242892, 0, ... ) == 0x0 00619 424 NtUserFindExistingCursorIcon (1242248, 1242264, 1242832, ... ) == 0x10011 00620 424 NtUserRegisterClassExWOW (1242700, 1242780, 1242764, 1242796, 0, 384, 0, ... ) == 0x810cc04b 00621 424 NtUserGetClassInfo (1999896576, 1242864, 1242816, 1242892, 0, ... ) == 0x0 00622 424 NtUserFindExistingCursorIcon (1242248, 1242264, 1242832, ... ) == 0x10011 00623 424 NtUserRegisterClassExWOW (1242700, 1242780, 1242764, 1242796, 0, 384, 0, ... ) == 0x810cc04d 00624 424 NtUserGetClassInfo (1999896576, 1242864, 1242816, 1242892, 0, ... ) == 0x0 00625 424 NtUserFindExistingCursorIcon (1242248, 1242264, 1242832, ... ) == 0x10011 00626 424 NtUserRegisterClassExWOW (1242700, 1242780, 1242764, 1242796, 0, 384, 0, ... 
) == 0x810cc04f 00627 424 NtUserGetClassInfo (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0 00628 424 NtUserRegisterClassExWOW (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810cc051 00629 424 NtUserGetClassInfo (1999896576, 1242864, 1242816, 1242892, 0, ... ) == 0x0 00630 424 NtUserFindExistingCursorIcon (1242248, 1242264, 1242832, ... ) == 0x10011 00631 424 NtUserRegisterClassExWOW (1242700, 1242780, 1242764, 1242796, 0, 384, 0, ... ) == 0x810cc053 00632 424 NtUserGetClassInfo (1999896576, 1242864, 1242816, 1242892, 0, ... ) == 0x0 00633 424 NtUserFindExistingCursorIcon (1242248, 1242264, 1242832, ... ) == 0x10011 00634 424 NtUserRegisterClassExWOW (1242700, 1242780, 1242764, 1242796, 0, 384, 0, ... ) == 0x810cc055 00635 424 NtUserRegisterClassExWOW (1242700, 1242780, 1242764, 1242796, 0, 384, 0, ... ) == 0x810cc057 00636 424 NtUserGetClassInfo (1999896576, 1242864, 1242816, 1242892, 0, ... ) == 0x0 00637 424 NtUserFindExistingCursorIcon (1242248, 1242264, 1242832, ... ) == 0x10011 00638 424 NtUserRegisterClassExWOW (1242700, 1242780, 1242764, 1242796, 0, 384, 0, ... ) == 0x810cc059 00639 424 NtUserGetClassInfo (1999896576, 1242864, 1242816, 1242892, 0, ... ) == 0x0 00640 424 NtUserFindExistingCursorIcon (1242248, 1242264, 1242832, ... ) == 0x10013 00641 424 NtUserRegisterClassExWOW (1242700, 1242780, 1242764, 1242796, 0, 384, 0, ... ) == 0x810cc05b 00642 424 NtUserGetClassInfo (1999896576, 1242864, 1242816, 1242892, 0, ... ) == 0x0 00643 424 NtUserFindExistingCursorIcon (1242248, 1242264, 1242832, ... ) == 0x10011 00644 424 NtUserRegisterClassExWOW (1242700, 1242780, 1242764, 1242796, 0, 384, 0, ... ) == 0x810cc05d 00645 424 NtUserGetClassInfo (1999896576, 1242864, 1242816, 1242892, 0, ... ) == 0x0 00646 424 NtUserFindExistingCursorIcon (1242248, 1242264, 1242832, ... ) == 0x10011 00647 424 NtUserRegisterClassExWOW (1242700, 1242780, 1242764, 1242796, 0, 384, 0, ... ) == 0x810cc05f 00648 424 NtCreateSemaphore (0x1f0003, 0x0, 1, 1, ... 
80, ) == 0x0 00649 424 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 68, ) == 0x0 00650 424 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "system\CurrentControlSet\control\NetworkProvider\HwOrder"}, ... 84, ) }, ... 84, ) == 0x0 00651 424 NtNotifyChangeKey (84, 68, 0, 0, 2011390432, 4, 0, 0, 0, 1, ... ) == 0x103 00652 424 NtQueryInformationProcess (-1, 28, 4, ... {process info, class 28, size 4}, 0x0, ) == 0x0 00653 424 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 88, ) == 0x0 00654 424 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 92, ) == 0x0 00655 424 NtUserCallOneParam (0, 40, ... ) == 0x4 00656 424 NtAllocateVirtualMemory (-1, 1355776, 0, 4096, 4096, 4, ... 1355776, 4096, ) == 0x0 00657 424 NtQueryVirtualMemory (-1, 0x12f670, Basic, 28, ... {BaseAddress=0x12f000,AllocationBase=0x30000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 00658 424 NtAllocateVirtualMemory (-1, 1359872, 0, 4096, 4096, 4, ... 1359872, 4096, ) == 0x0 00659 424 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 1, ... 9371648, 1048576, ) == 0x0 00660 424 NtAllocateVirtualMemory (-1, 9371648, 0, 16384, 4096, 4, ... 9371648, 16384, ) == 0x0 00661 424 NtQuerySystemInformation (TimeZone, 172, ... {system info, class 44, size 172}, 0x0, ) == 0x0 00662 424 NtQuerySystemInformation (TimeZone, 172, ... {system info, class 44, size 172}, 0x0, ) == 0x0 00663 424 NtOpenKey (0xf003f, {24, 60, 0x40, 0, 0, (0xf003f, {24, 60, 0x40, 0, 0, "Software\Borland\Locales"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00664 424 NtOpenKey (0xf003f, {24, 60, 0x40, 0, 0, (0xf003f, {24, 60, 0x40, 0, 0, "Software\Borland\Delphi\Locales"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00665 424 NtOpenProcessToken (-1, 0x8, ... 96, ) == 0x0 00666 424 NtQueryInformationToken (96, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00667 424 NtClose (96, ... ) == 0x0 00668 424 NtWaitForSingleObject (16, 0, 0x0, ... 
) == STATUS_ACCESS_DENIED 00669 424 NtReleaseMutant (16, ... 00670 424 NtContinue (-136314744, 0, ... 00669 424 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 00671 424 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\yka1.ENU"}, 1241180, ... ) }, 1241180, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00672 424 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\yka1.ENU"}, 1240820, ... ) }, 1240820, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00673 424 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\yka1.ENU.DLL"}, 1240820, ... ) }, 1240820, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00674 424 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\yka1.EN"}, 1241180, ... ) }, 1241180, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00675 424 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\yka1.EN"}, 1240820, ... ) }, 1240820, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00676 424 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\yka1.EN.DLL"}, 1240820, ... ) }, 1240820, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00677 424 NtWaitForSingleObject (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED 00678 424 NtReleaseMutant (16, ... 00679 424 NtContinue (-136314744, 0, ... 00678 424 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 00680 424 NtWaitForSingleObject (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED 00681 424 NtReleaseMutant (16, ... 00682 424 NtContinue (-136314744, 0, ... 00681 424 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 00683 424 NtWaitForSingleObject (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED 00684 424 NtReleaseMutant (16, ... 00685 424 NtContinue (-136314744, 0, ... 00684 424 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 00686 424 NtWaitForSingleObject (16, 0, 0x0, ... 
) == STATUS_ACCESS_DENIED 00687 424 NtReleaseMutant (16, ... 00688 424 NtContinue (-136314744, 0, ... 00687 424 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 00689 424 NtWaitForSingleObject (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED 00690 424 NtReleaseMutant (16, ... 00691 424 NtContinue (-136314744, 0, ... 00690 424 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 00692 424 NtWaitForSingleObject (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED 00693 424 NtReleaseMutant (16, ... 00694 424 NtContinue (-136314744, 0, ... 00693 424 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 00695 424 NtWaitForSingleObject (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED 00696 424 NtReleaseMutant (16, ... 00697 424 NtContinue (-136314744, 0, ... 00696 424 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 00698 424 NtWaitForSingleObject (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED 00699 424 NtReleaseMutant (16, ... 00700 424 NtContinue (-136314744, 0, ... 00699 424 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 00701 424 NtWaitForSingleObject (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED 00702 424 NtReleaseMutant (16, ... 00703 424 NtContinue (-136314744, 0, ... 00702 424 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 00704 424 NtWaitForSingleObject (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED 00705 424 NtReleaseMutant (16, ... 00706 424 NtContinue (-136314744, 0, ... 00705 424 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 00707 424 NtWaitForSingleObject (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED 00708 424 NtReleaseMutant (16, ... 00709 424 NtContinue (-136314744, 0, ... 00708 424 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 00710 424 NtWaitForSingleObject (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED 00711 424 NtReleaseMutant (16, ... 00712 424 NtContinue (-136314744, 0, ... 00711 424 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 00713 424 NtWaitForSingleObject (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED 00714 424 NtReleaseMutant (16, ... 00715 424 NtContinue (-136314744, 0, ... 
00714 424 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 00716 424 NtWaitForSingleObject (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED 00717 424 NtReleaseMutant (16, ... 00718 424 NtContinue (-136314744, 0, ... 00717 424 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 00719 424 NtWaitForSingleObject (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED 00720 424 NtReleaseMutant (16, ... 00721 424 NtContinue (-136314744, 0, ... 00720 424 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 00722 424 NtWaitForSingleObject (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED 00723 424 NtReleaseMutant (16, ... 00724 424 NtContinue (-136314744, 0, ... 00723 424 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 00725 424 NtWaitForSingleObject (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED 00726 424 NtReleaseMutant (16, ... 00727 424 NtContinue (-136314744, 0, ... 00726 424 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 00728 424 NtWaitForSingleObject (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED 00729 424 NtReleaseMutant (16, ... 00730 424 NtContinue (-136314744, 0, ... 00729 424 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 00731 424 NtCreateEvent (0x1f0003, 0x0, 0, -1, ... 96, ) == 0x0 00732 424 NtUserGetDC (0, ... ) == 0x1010053 00733 424 NtUserCallOneParam (16842835, 56, ... ) == 0x1 00734 424 NtUserGetDC (0, ... ) == 0x1010053 00735 424 NtUserCallOneParam (16842835, 56, ... ) == 0x1 00736 424 NtGdiCreatePaletteInternal (1241868, 16, ... ) == 0x16080382 00737 424 NtGdiGetStockObject (7, ... ) == 0x1b00017 00738 424 NtGdiGetStockObject (5, ... ) == 0x1900015 00739 424 NtUserFindExistingCursorIcon (1242264, 1242280, 1242848, ... ) == 0x10003 00740 424 NtAddAtom ( ("D\0e\0l\0p\0h\0i\00\00\00\00\00\01\0A\04\0", 28, 1242800, ... ) , 28, 1242800, ... ) == 0x0 00741 424 NtAddAtom ( ("C\0o\0n\0t\0r\0o\0l\0O\0f\0s\00\00\08\06\00\00\00\00\00\00\00\00\00\01\0A\08\0", 52, 1242800, ... ) , 52, 1242800, ... ) == 0x0 00742 424 NtUserSystemParametersInfo (104, 0, 9376892, 0, ... 
) == 0x1 00743 424 NtUserFindExistingCursorIcon (1242148, 1242164, 1242732, ... ) == 0x10011 00744 424 NtUserFindExistingCursorIcon (1242148, 1242164, 1242732, ... ) == 0x10023 00745 424 NtUserFindExistingCursorIcon (1242148, 1242164, 1242732, ... ) == 0x0 00746 424 NtUserGetDC (0, ... ) == 0x1010053 00747 424 NtGdiCreateDIBitmapInternal (16842835, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0x805040c 00748 424 NtUserCallOneParam (16842835, 56, ... ) == 0x1 00749 424 NtGdiSelectBitmap (335610656, 134546444, ... ) == 0x185000f 00750 424 NtGdiGetDCforBitmap (134546444, ... ) == 0x14010320 00751 424 NtGdiSaveDC (335610656, ... ) == 0x1 00752 424 NtGdiSelectBitmap (335610656, 134546444, ... ) == 0x805040c 00753 424 NtGdiGetDCObject (335610656, 524288, ... ) == 0x188000b 00754 424 NtUserSelectPalette (335610656, 25690123, 0, ... ) == 0x188000b 00755 424 NtGdiSetDIBitsToDeviceInternal (335610656, 0, 0, 32, 64, 0, 0, 0, 64, 9192972, 1344632, 0, 256, 48, 1, 0, ... ) == 0x40 00756 424 NtUserSelectPalette (335610656, 25690123, 0, ... ) == 0x188000b 00757 424 NtGdiSelectBitmap (335610656, 134546444, ... ) == 0x805040c 00758 424 NtGdiRestoreDC (335610656, -1, ... ) == 0x1 00759 424 NtGdiSelectBitmap (335610656, 25493519, ... ) == 0x805040c 00760 424 NtGdiCreateCompatibleDC (335610656, ... ) == 0xd0103ff 00761 424 NtGdiExtGetObjectW (134546444, 24, 1241320, ... ) == 0x18 00762 424 NtGdiCreateBitmap (32, 64, 1, 1, 0, ... ) == 0x9050407 00763 424 NtGdiSelectBitmap (335610656, 134546444, ... ) == 0x185000f 00764 424 NtGdiSelectBitmap (218170367, 151323655, ... ) == 0x185000f 00765 424 NtGdiBitBlt (218170367, 0, 0, 32, 64, 335610656, 0, 0, 13369376, -1, 0, ... ) == 0x1 00766 424 NtGdiSelectBitmap (335610656, 25493519, ... ) == 0x805040c 00767 424 NtGdiSelectBitmap (218170367, 25493519, ... ) == 0x9050407 00768 424 NtGdiDeleteObjectApp (134546444, ... ) == 0x1 00769 424 NtGdiDeleteObjectApp (218170367, ... ) == 0x1 00770 424 NtUserCallOneParam (0, 33, ... 
) == 0x3004d 00771 424 NtUserSetCursorIconData (196685, 1241428, 1241444, 1242024, ... ) == 0x1 00772 424 NtUserFindExistingCursorIcon (1242148, 1242164, 1242732, ... ) == 0x10029 00773 424 NtUserFindExistingCursorIcon (1242148, 1242164, 1242732, ... ) == 0x10027 00774 424 NtUserFindExistingCursorIcon (1242148, 1242164, 1242732, ... ) == 0x10025 00775 424 NtUserFindExistingCursorIcon (1242148, 1242164, 1242732, ... ) == 0x0 00776 424 NtUserGetDC (0, ... ) == 0x1010053 00777 424 NtGdiCreateDIBitmapInternal (16842835, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0xa05040b 00778 424 NtUserCallOneParam (16842835, 56, ... ) == 0x1 00779 424 NtGdiSelectBitmap (335610656, 168100875, ... ) == 0x185000f 00780 424 NtGdiGetDCforBitmap (168100875, ... ) == 0x14010320 00781 424 NtGdiSaveDC (335610656, ... ) == 0x1 00782 424 NtGdiSelectBitmap (335610656, 168100875, ... ) == 0xa05040b 00783 424 NtGdiGetDCObject (335610656, 524288, ... ) == 0x188000b 00784 424 NtUserSelectPalette (335610656, 25690123, 0, ... ) == 0x188000b 00785 424 NtGdiSetDIBitsToDeviceInternal (335610656, 0, 0, 32, 64, 0, 0, 0, 64, 9193280, 1344632, 0, 256, 48, 1, 0, ... ) == 0x40 00786 424 NtUserSelectPalette (335610656, 25690123, 0, ... ) == 0x188000b 00787 424 NtGdiSelectBitmap (335610656, 168100875, ... ) == 0xa05040b 00788 424 NtGdiRestoreDC (335610656, -1, ... ) == 0x1 00789 424 NtGdiSelectBitmap (335610656, 25493519, ... ) == 0xa05040b 00790 424 NtGdiCreateCompatibleDC (335610656, ... ) == 0xa01040c 00791 424 NtGdiExtGetObjectW (168100875, 24, 1241320, ... ) == 0x18 00792 424 NtGdiCreateBitmap (32, 64, 1, 1, 0, ... ) == 0xb050408 00793 424 NtGdiSelectBitmap (335610656, 168100875, ... ) == 0x185000f 00794 424 NtGdiSelectBitmap (167838732, 184878088, ... ) == 0x185000f 00795 424 NtGdiBitBlt (167838732, 0, 0, 32, 64, 335610656, 0, 0, 13369376, -1, 0, ... ) == 0x1 00796 424 NtGdiSelectBitmap (335610656, 25493519, ... ) == 0xa05040b 00797 424 NtGdiSelectBitmap (167838732, 25493519, ... 
) == 0xb050408 00798 424 NtGdiDeleteObjectApp (168100875, ... ) == 0x1 00799 424 NtGdiDeleteObjectApp (167838732, ... ) == 0x1 00800 424 NtUserCallOneParam (0, 33, ... ) == 0x3006d 00801 424 NtUserSetCursorIconData (196717, 1241428, 1241444, 1242024, ... ) == 0x1 00802 424 NtUserFindExistingCursorIcon (1242148, 1242164, 1242732, ... ) == 0x0 00803 424 NtUserGetDC (0, ... ) == 0x1010053 00804 424 NtGdiCreateDIBitmapInternal (16842835, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0xf0503ff 00805 424 NtUserCallOneParam (16842835, 56, ... ) == 0x1 00806 424 NtGdiSelectBitmap (335610656, 251986943, ... ) == 0x185000f 00807 424 NtGdiGetDCforBitmap (251986943, ... ) == 0x14010320 00808 424 NtGdiSaveDC (335610656, ... ) == 0x1 00809 424 NtGdiSelectBitmap (335610656, 251986943, ... ) == 0xf0503ff 00810 424 NtGdiGetDCObject (335610656, 524288, ... ) == 0x188000b 00811 424 NtUserSelectPalette (335610656, 25690123, 0, ... ) == 0x188000b 00812 424 NtGdiSetDIBitsToDeviceInternal (335610656, 0, 0, 32, 64, 0, 0, 0, 64, 9193588, 1344632, 0, 256, 48, 1, 0, ... ) == 0x40 00813 424 NtUserSelectPalette (335610656, 25690123, 0, ... ) == 0x188000b 00814 424 NtGdiSelectBitmap (335610656, 251986943, ... ) == 0xf0503ff 00815 424 NtGdiRestoreDC (335610656, -1, ... ) == 0x1 00816 424 NtGdiSelectBitmap (335610656, 25493519, ... ) == 0xf0503ff 00817 424 NtGdiCreateCompatibleDC (335610656, ... ) == 0xc01040b 00818 424 NtGdiExtGetObjectW (251986943, 24, 1241320, ... ) == 0x18 00819 424 NtGdiCreateBitmap (32, 64, 1, 1, 0, ... ) == 0x8050405 00820 424 NtGdiSelectBitmap (335610656, 251986943, ... ) == 0x185000f 00821 424 NtGdiSelectBitmap (201393163, 134546437, ... ) == 0x185000f 00822 424 NtGdiBitBlt (201393163, 0, 0, 32, 64, 335610656, 0, 0, 13369376, -1, 0, ... ) == 0x1 00823 424 NtGdiSelectBitmap (335610656, 25493519, ... ) == 0xf0503ff 00824 424 NtGdiSelectBitmap (201393163, 25493519, ... ) == 0x8050405 00825 424 NtGdiDeleteObjectApp (251986943, ... 
) == 0x1 00826 424 NtGdiDeleteObjectApp (201393163, ... ) == 0x1 00827 424 NtUserCallOneParam (0, 33, ... ) == 0x3006b 00828 424 NtUserSetCursorIconData (196715, 1241428, 1241444, 1242024, ... ) == 0x1 00829 424 NtUserFindExistingCursorIcon (1242148, 1242164, 1242732, ... ) == 0x0 00830 424 NtUserGetDC (0, ... ) == 0x1010053 00831 424 NtGdiCreateDIBitmapInternal (16842835, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0xc05040c 00832 424 NtUserCallOneParam (16842835, 56, ... ) == 0x1 00833 424 NtGdiSelectBitmap (335610656, 201655308, ... ) == 0x185000f 00834 424 NtGdiGetDCforBitmap (201655308, ... ) == 0x14010320 00835 424 NtGdiSaveDC (335610656, ... ) == 0x1 00836 424 NtGdiSelectBitmap (335610656, 201655308, ... ) == 0xc05040c 00837 424 NtGdiGetDCObject (335610656, 524288, ... ) == 0x188000b 00838 424 NtUserSelectPalette (335610656, 25690123, 0, ... ) == 0x188000b 00839 424 NtGdiSetDIBitsToDeviceInternal (335610656, 0, 0, 32, 64, 0, 0, 0, 64, 9193896, 1344632, 0, 256, 48, 1, 0, ... ) == 0x40 00840 424 NtUserSelectPalette (335610656, 25690123, 0, ... ) == 0x188000b 00841 424 NtGdiSelectBitmap (335610656, 201655308, ... ) == 0xc05040c 00842 424 NtGdiRestoreDC (335610656, -1, ... ) == 0x1 00843 424 NtGdiSelectBitmap (335610656, 25493519, ... ) == 0xc05040c 00844 424 NtGdiCreateCompatibleDC (335610656, ... ) == 0x110103ff 00845 424 NtGdiExtGetObjectW (201655308, 24, 1241320, ... ) == 0x18 00846 424 NtGdiCreateBitmap (32, 64, 1, 1, 0, ... ) == 0x8050406 00847 424 NtGdiSelectBitmap (335610656, 201655308, ... ) == 0x185000f 00848 424 NtGdiSelectBitmap (285279231, 134546438, ... ) == 0x185000f 00849 424 NtGdiBitBlt (285279231, 0, 0, 32, 64, 335610656, 0, 0, 13369376, -1, 0, ... ) == 0x1 00850 424 NtGdiSelectBitmap (335610656, 25493519, ... ) == 0xc05040c 00851 424 NtGdiSelectBitmap (285279231, 25493519, ... ) == 0x8050406 00852 424 NtGdiDeleteObjectApp (201655308, ... ) == 0x1 00853 424 NtGdiDeleteObjectApp (285279231, ... 
) == 0x1 00854 424 NtUserCallOneParam (0, 33, ... ) == 0x300a7 00855 424 NtUserSetCursorIconData (196775, 1241428, 1241444, 1242024, ... ) == 0x1 00856 424 NtUserFindExistingCursorIcon (1242148, 1242164, 1242732, ... ) == 0x0 00857 424 NtUserGetDC (0, ... ) == 0x1010053 00858 424 NtGdiCreateDIBitmapInternal (16842835, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0xe05040b 00859 424 NtUserCallOneParam (16842835, 56, ... ) == 0x1 00860 424 NtGdiSelectBitmap (335610656, 235209739, ... ) == 0x185000f 00861 424 NtGdiGetDCforBitmap (235209739, ... ) == 0x14010320 00862 424 NtGdiSaveDC (335610656, ... ) == 0x1 00863 424 NtGdiSelectBitmap (335610656, 235209739, ... ) == 0xe05040b 00864 424 NtGdiGetDCObject (335610656, 524288, ... ) == 0x188000b 00865 424 NtUserSelectPalette (335610656, 25690123, 0, ... ) == 0x188000b 00866 424 NtGdiSetDIBitsToDeviceInternal (335610656, 0, 0, 32, 64, 0, 0, 0, 64, 9194204, 1344632, 0, 256, 48, 1, 0, ... ) == 0x40 00867 424 NtUserSelectPalette (335610656, 25690123, 0, ... ) == 0x188000b 00868 424 NtGdiSelectBitmap (335610656, 235209739, ... ) == 0xe05040b 00869 424 NtGdiRestoreDC (335610656, -1, ... ) == 0x1 00870 424 NtGdiSelectBitmap (335610656, 25493519, ... ) == 0xe05040b 00871 424 NtGdiCreateCompatibleDC (335610656, ... ) == 0xe01040c 00872 424 NtGdiExtGetObjectW (235209739, 24, 1241320, ... ) == 0x18 00873 424 NtGdiCreateBitmap (32, 64, 1, 1, 0, ... ) == 0xb0503e7 00874 424 NtGdiSelectBitmap (335610656, 235209739, ... ) == 0x185000f 00875 424 NtGdiSelectBitmap (234947596, 184878055, ... ) == 0x185000f 00876 424 NtGdiBitBlt (234947596, 0, 0, 32, 64, 335610656, 0, 0, 13369376, -1, 0, ... ) == 0x1 00877 424 NtGdiSelectBitmap (335610656, 25493519, ... ) == 0xe05040b 00878 424 NtGdiSelectBitmap (234947596, 25493519, ... ) == 0xb0503e7 00879 424 NtGdiDeleteObjectApp (235209739, ... ) == 0x1 00880 424 NtGdiDeleteObjectApp (234947596, ... ) == 0x1 00881 424 NtUserCallOneParam (0, 33, ... 
) == 0x300a5 00882 424 NtUserSetCursorIconData (196773, 1241428, 1241444, 1242024, ... ) == 0x1 00883 424 NtUserFindExistingCursorIcon (1242148, 1242164, 1242732, ... ) == 0x0 00884 424 NtUserGetDC (0, ... ) == 0x1010053 00885 424 NtGdiCreateDIBitmapInternal (16842835, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0x130503ff 00886 424 NtUserCallOneParam (16842835, 56, ... ) == 0x1 00887 424 NtGdiSelectBitmap (335610656, 319095807, ... ) == 0x185000f 00888 424 NtGdiGetDCforBitmap (319095807, ... ) == 0x14010320 00889 424 NtGdiSaveDC (335610656, ... ) == 0x1 00890 424 NtGdiSelectBitmap (335610656, 319095807, ... ) == 0x130503ff 00891 424 NtGdiGetDCObject (335610656, 524288, ... ) == 0x188000b 00892 424 NtUserSelectPalette (335610656, 25690123, 0, ... ) == 0x188000b 00893 424 NtGdiSetDIBitsToDeviceInternal (335610656, 0, 0, 32, 64, 0, 0, 0, 64, 9194820, 1344632, 0, 256, 48, 1, 0, ... ) == 0x40 00894 424 NtUserSelectPalette (335610656, 25690123, 0, ... ) == 0x188000b 00895 424 NtGdiSelectBitmap (335610656, 319095807, ... ) == 0x130503ff 00896 424 NtGdiRestoreDC (335610656, -1, ... ) == 0x1 00897 424 NtGdiSelectBitmap (335610656, 25493519, ... ) == 0x130503ff 00898 424 NtGdiCreateCompatibleDC (335610656, ... ) == 0x1001040b 00899 424 NtGdiExtGetObjectW (319095807, 24, 1241320, ... ) == 0x18 00900 424 NtGdiCreateBitmap (32, 64, 1, 1, 0, ... ) == 0x120503e8 00901 424 NtGdiSelectBitmap (335610656, 319095807, ... ) == 0x185000f 00902 424 NtGdiSelectBitmap (268502027, 302318568, ... ) == 0x185000f 00903 424 NtGdiBitBlt (268502027, 0, 0, 32, 64, 335610656, 0, 0, 13369376, -1, 0, ... ) == 0x1 00904 424 NtGdiSelectBitmap (335610656, 25493519, ... ) == 0x130503ff 00905 424 NtGdiSelectBitmap (268502027, 25493519, ... ) == 0x120503e8 00906 424 NtGdiDeleteObjectApp (319095807, ... ) == 0x1 00907 424 NtGdiDeleteObjectApp (268502027, ... ) == 0x1 00908 424 NtUserCallOneParam (0, 33, ... ) == 0x300a3 00909 424 NtUserSetCursorIconData (196771, 1241428, 1241444, 1242024, ... 
) == 0x1 00910 424 NtUserFindExistingCursorIcon (1242148, 1242164, 1242732, ... ) == 0x0 00911 424 NtUserGetDC (0, ... ) == 0x1010053 00912 424 NtGdiCreateDIBitmapInternal (16842835, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0x1005040c 00913 424 NtUserCallOneParam (16842835, 56, ... ) == 0x1 00914 424 NtGdiSelectBitmap (335610656, 268764172, ... ) == 0x185000f 00915 424 NtGdiGetDCforBitmap (268764172, ... ) == 0x14010320 00916 424 NtGdiSaveDC (335610656, ... ) == 0x1 00917 424 NtGdiSelectBitmap (335610656, 268764172, ... ) == 0x1005040c 00918 424 NtGdiGetDCObject (335610656, 524288, ... ) == 0x188000b 00919 424 NtUserSelectPalette (335610656, 25690123, 0, ... ) == 0x188000b 00920 424 NtGdiSetDIBitsToDeviceInternal (335610656, 0, 0, 32, 64, 0, 0, 0, 64, 9194512, 1344632, 0, 256, 48, 1, 0, ... ) == 0x40 00921 424 NtUserSelectPalette (335610656, 25690123, 0, ... ) == 0x188000b 00922 424 NtGdiSelectBitmap (335610656, 268764172, ... ) == 0x1005040c 00923 424 NtGdiRestoreDC (335610656, -1, ... ) == 0x1 00924 424 NtGdiSelectBitmap (335610656, 25493519, ... ) == 0x1005040c 00925 424 NtGdiCreateCompatibleDC (335610656, ... ) == 0x150103ff 00926 424 NtGdiExtGetObjectW (268764172, 24, 1241320, ... ) == 0x18 00927 424 NtGdiCreateBitmap (32, 64, 1, 1, 0, ... ) == 0xd0503e9 00928 424 NtGdiSelectBitmap (335610656, 268764172, ... ) == 0x185000f 00929 424 NtGdiSelectBitmap (352388095, 218432489, ... ) == 0x185000f 00930 424 NtGdiBitBlt (352388095, 0, 0, 32, 64, 335610656, 0, 0, 13369376, -1, 0, ... ) == 0x1 00931 424 NtGdiSelectBitmap (335610656, 25493519, ... ) == 0x1005040c 00932 424 NtGdiSelectBitmap (352388095, 25493519, ... ) == 0xd0503e9 00933 424 NtGdiDeleteObjectApp (268764172, ... ) == 0x1 00934 424 NtGdiDeleteObjectApp (352388095, ... ) == 0x1 00935 424 NtUserCallOneParam (0, 33, ... ) == 0x200a1 00936 424 NtUserSetCursorIconData (131233, 1241428, 1241444, 1242024, ... ) == 0x1 00937 424 NtUserFindExistingCursorIcon (1242148, 1242164, 1242732, ... 
) == 0x10015 00938 424 NtUserFindExistingCursorIcon (1242148, 1242164, 1242732, ... ) == 0x10019 00939 424 NtUserFindExistingCursorIcon (1242148, 1242164, 1242732, ... ) == 0x1001f 00940 424 NtUserFindExistingCursorIcon (1242148, 1242164, 1242732, ... ) == 0x1001b 00941 424 NtUserFindExistingCursorIcon (1242148, 1242164, 1242732, ... ) == 0x10021 00942 424 NtUserFindExistingCursorIcon (1242148, 1242164, 1242732, ... ) == 0x1001d 00943 424 NtUserFindExistingCursorIcon (1242148, 1242164, 1242732, ... ) == 0x10013 00944 424 NtUserFindExistingCursorIcon (1242148, 1242164, 1242732, ... ) == 0x10017 00945 424 NtUserFindExistingCursorIcon (1242148, 1242164, 1242732, ... ) == 0x10011 00946 424 NtUserCallOneParam (0, 39, ... ) == 0x4090409 00947 424 NtUserGetDC (0, ... ) == 0x1010053 00948 424 NtUserCallOneParam (16842835, 56, ... ) == 0x1 00949 424 NtUserEnumDisplayMonitors (0, 0, 8915880, 9377472, ... ) == 0x1 00950 424 NtUserSystemParametersInfo (31, 60, 1241584, 0, ... ) == 0x1 00951 424 NtGdiHfontCreate (1241980, 356, 0, 0, 1344496, ... ) == 0x160a03ff 00952 424 NtGdiExtGetObjectW (369755135, 420, 1241804, ... ) == 0x164 00953 424 NtUserSystemParametersInfo (41, 0, 1241784, 0, ... ) == 0x1 00954 424 NtGdiHfontCreate (1241980, 356, 0, 0, 1344488, ... ) == 0x120a040b 00955 424 NtGdiExtGetObjectW (302646283, 420, 1241804, ... ) == 0x164 00956 424 NtGdiHfontCreate (1241980, 356, 0, 0, 1344480, ... ) == 0x110a040c 00957 424 NtGdiExtGetObjectW (285869068, 420, 1241804, ... ) == 0x164 00958 424 NtUserFindExistingCursorIcon (1241892, 1241908, 1242476, ... ) == 0x0 00959 424 NtAllocateVirtualMemory (-1, 0, 0, 4096, 4096, 64, ... 8650752, 4096, ) == 0x0 00960 424 NtUserGetKeyboardLayoutList (64, 1242464, ... ) == 0x1 00961 424 NtAllocateVirtualMemory (-1, 1363968, 0, 4096, 4096, 4, ... 1363968, 4096, ) == 0x0 00962 424 NtUserRegisterWindowMessage ( ("Delphi Picture", ... ) , ... ) == 0xc0cc 00963 424 NtUserRegisterWindowMessage ( ("Delphi Component", ... ) , ... 
) == 0xc0cd 00964 424 NtOpenMutant (0x1f0001, {24, 52, 0x0, 0, 0, (0x1f0001, {24, 52, 0x0, 0, 0, "Residented"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00965 424 NtUserSetWindowsHookEx (8781824, 1243792, 0, 4, 8789524, 2, ... ) == 0x3009f 00966 424 NtOpenFile (0x10080, {24, 12, 0x40, 0, 0, (0x10080, {24, 12, 0x40, 0, 0, "ftpupd.exe"}, 7, 2113600, ... ) }, 7, 2113600, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00967 424 NtCreateMutant (0x1f0001, {24, 52, 0x80, 0, 0, (0x1f0001, {24, 52, 0x80, 0, 0, "uterm20"}, 1, ... 100, ) }, 1, ... 100, ) == 0x0 00968 424 NtOpenProcessToken (-1, 0x20, ... 104, ) == 0x0 00969 424 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00970 424 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00971 424 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 108, ) }, ... 108, ) == 0x0 00972 424 NtQueryValueKey (108, (108, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00973 424 NtClose (108, ... ) == 0x0 00974 424 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00975 424 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 108, ) == 0x0 00976 424 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 112, ) == 0x0 00977 424 NtQuerySystemTime (... {-1684889974, 29891243}, ) == 0x0 00978 424 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 
116, ) == 0x0 00979 424 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00980 424 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0 00981 424 NtQueryInformationProcess (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0 00982 424 NtQueryInformationProcess (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0 00983 424 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 120, ) == 0x0 00984 424 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 124, ) == 0x0 00985 424 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 128, ) }, ... 128, ) == 0x0 00986 424 NtOpenKey (0x20019, {24, 128, 0x40, 0, 0, (0x20019, {24, 128, 0x40, 0, 0, "ActiveComputerName"}, ... 132, ) }, ... 132, ) == 0x0 00987 424 NtQueryValueKey (132, (132, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (132, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (132, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0 00988 424 NtClose (132, ... ) == 0x0 00989 424 NtClose (128, ... ) == 0x0 00990 424 NtCreateIoCompletion (0x1f0003, 0x0, 0, ... 128, ) == 0x0 00991 424 NtCreateIoCompletion (0x1f0003, 0x0, -1, ... 132, ) == 0x0 00992 424 NtDuplicateObject (-1, 128, -1, 0x0, 0, 2, ... 136, ) == 0x0 00993 424 NtAllocateVirtualMemory (-1, 1368064, 0, 4096, 4096, 4, ... 1368064, 4096, ) == 0x0 00994 424 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 00995 424 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 140, ) == 0x0 00996 424 NtOpenThreadToken (-2, 0xc, 1, ... 
) == STATUS_NO_TOKEN 00997 424 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 00998 424 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1243244, (0xc0100080, {24, 0, 0x40, 0, 1243244, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 144, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 144, {status=0x0, info=1}, ) == 0x0 00999 424 NtSetInformationFile (144, 1243300, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 01000 424 NtSetInformationFile (144, 1243292, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 01001 424 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01002 424 NtWriteFile (144, 121, 0, 0, (144, 121, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 01003 424 NtReadFile (144, 121, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (144, 121, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20]\36\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 01004 424 NtFsControlFile (144, 121, 0x0, 0x0, 0x11c017, (144, 121, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\377\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20]\36\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68}, (144, 121, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\377\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... 
{status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20]\36\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 01005 424 NtFsControlFile (144, 121, 0x0, 0x0, 0x11c017, (144, 121, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\2\0\0\0H\0\0\0\0\0\37\0\0\0\0\0\275\327A\326\236\206\334\21\261\310\0\14)\371\246\305 \0"\0 \320\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 96, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\275\327A\326\236\206\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) \0 \320\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0 (144, 121, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\2\0\0\0H\0\0\0\0\0\37\0\0\0\0\0\275\327A\326\236\206\334\21\261\310\0\14)\371\246\305 \0"\0 \320\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 96, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\275\327A\326\236\206\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) \5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\275\327A\326\236\206\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) == 0x103 01006 424 NtFsControlFile (144, 121, 0x0, 0x0, 0x11c017, (144, 121, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\275\327A\326\236\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=36}, (144, 121, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\275\327A\326\236\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103 01007 424 NtClose (140, ... ) == 0x0 01008 424 NtClose (144, ... 
) == 0x0 01009 424 NtAdjustPrivilegesToken (104, 0, 1245080, 16, 0, 0, ... ) == 0x0 01010 424 NtOpenKey (0xf003f, {24, 28, 0x40, 0, 0, (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0 01011 424 NtQueryValueKey (144, (144, "Windows Security Manager", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01012 424 NtClose (144, ... ) == 0x0 01013 424 NtOpenKey (0xf003f, {24, 28, 0x40, 0, 0, (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0 01014 424 NtQueryValueKey (144, (144, "Disk Defragmenter", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01015 424 NtClose (144, ... ) == 0x0 01016 424 NtOpenKey (0xf003f, {24, 28, 0x40, 0, 0, (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0 01017 424 NtQueryValueKey (144, (144, "System Restore Service", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01018 424 NtClose (144, ... ) == 0x0 01019 424 NtOpenKey (0xf003f, {24, 28, 0x40, 0, 0, (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0 01020 424 NtQueryValueKey (144, (144, "Bot Loader", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01021 424 NtClose (144, ... ) == 0x0 01022 424 NtOpenKey (0xf003f, {24, 28, 0x40, 0, 0, (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0 01023 424 NtQueryValueKey (144, (144, "SysTray", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01024 424 NtClose (144, ... ) == 0x0 01025 424 NtOpenKey (0xf003f, {24, 28, 0x40, 0, 0, (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0 01026 424 NtQueryValueKey (144, (144, "WinUpdate", Partial, 144, ... 
) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01027 424 NtClose (144, ... ) == 0x0 01028 424 NtOpenKey (0xf003f, {24, 28, 0x40, 0, 0, (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0 01029 424 NtQueryValueKey (144, (144, "Windows Update Service", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01030 424 NtClose (144, ... ) == 0x0 01031 424 NtOpenKey (0xf003f, {24, 28, 0x40, 0, 0, (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0 01032 424 NtQueryValueKey (144, (144, "avserve.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01033 424 NtClose (144, ... ) == 0x0 01034 424 NtOpenKey (0xf003f, {24, 28, 0x40, 0, 0, (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0 01035 424 NtQueryValueKey (144, (144, "avserve2.exeUpdate Service", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01036 424 NtClose (144, ... ) == 0x0 01037 424 NtOpenKey (0xf003f, {24, 28, 0x40, 0, 0, (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0 01038 424 NtQueryValueKey (144, (144, "MS Config v13", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01039 424 NtClose (144, ... ) == 0x0 01040 424 NtOpenKey (0xf003f, {24, 28, 0x40, 0, 0, (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0 01041 424 NtQueryValueKey (144, (144, "Windows Update", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01042 424 NtClose (144, ... ) == 0x0 01043 424 NtOpenKey (0xf003f, {24, 28, 0x40, 0, 0, (0xf003f, {24, 28, 0x40, 0, 0, "Software\Microsoft\Wireless"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01044 424 NtCreateKey (0xf003f, {24, 28, 0x40, 0, 0, (0xf003f, {24, 28, 0x40, 0, 0, "Software\Microsoft\Wireless"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 01045 424 NtSetInformationFile (-2147482808, -136313820, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01046 424 NtSetInformationFile (-2147482808, -136314292, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01044 424 NtCreateKey ... 144, 1, ) == 0x0 01047 424 NtSetValueKey (144, (144, "ID", 0, 1, "k\0k\0q\0v\0l\0g\0x\0e\0s\0c\0t\0v\0c\0m\0t\0r\0v\0\0\0", 36, ... ) , 0, 1, (144, "ID", 0, 1, "k\0k\0q\0v\0l\0g\0x\0e\0s\0c\0t\0v\0c\0m\0t\0r\0v\0\0\0", 36, ... ) , 36, ... ) == 0x0 01048 424 NtClose (144, ... ) == 0x0 01049 424 NtOpenKey (0xf003f, {24, 28, 0x40, 0, 0, (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0 01050 424 NtQueryValueKey (144, (144, "Cryptographic Service", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01051 424 NtClose (144, ... ) == 0x0 01052 424 NtCreateKey (0xf003f, {24, 28, 0x40, 0, 0, (0xf003f, {24, 28, 0x40, 0, 0, "Software\Microsoft\Wireless"}, 0, 0x0, 0, ... 144, 2, ) }, 0, 0x0, 0, ... 144, 2, ) == 0x0 01053 424 NtSetValueKey (144, (144, "Client", 0, 1, "1\0\0\0", 4, ... ) , 0, 1, (144, "Client", 0, 1, "1\0\0\0", 4, ... ) , 4, ... ) == 0x0 01054 424 NtClose (144, ... ) == 0x0 01055 424 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1243516, (0x80100080, {24, 0, 0x40, 0, 1243516, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 144, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 144, {status=0x0, info=1}, ) == 0x0 01056 424 NtQueryInformationFile (144, 1244452, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0 01057 424 NtQueryInformationFile (144, 1244424, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01058 424 NtQueryInformationFile (144, 1244376, 40, Basic, ... 
{status=0x0, info=40}, ) == 0x0 01059 424 NtAllocateVirtualMemory (-1, 1372160, 0, 8192, 4096, 4, ... 1372160, 8192, ) == 0x0 01060 424 NtQueryInformationFile (144, 1371664, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0 01061 424 NtQueryInformationFile (144, 1242920, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01062 424 NtQueryInformationFile (144, 1242764, 4, Ea, ... {status=0x0, info=4}, ) == 0x0 01063 424 NtCreateFile (0x40110080, {24, 0, 0x40, 0, 1242772, (0x40110080, {24, 0, 0x40, 0, 1242772, "\??\C:\WINDOWS\System32\swfqei.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ... 01064 424 NtClose (-2147482020, ... ) == 0x0 01063 424 NtCreateFile ... 140, {status=0x0, info=2}, ) == 0x0 01065 424 NtQueryVolumeInformationFile (140, 1242144, 536, Attribute, ... {status=0x0, info=22}, ) == 0x0 01066 424 NtQueryInformationFile (140, 1242104, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01067 424 NtQueryVolumeInformationFile (144, 1242144, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0 01068 424 NtQueryVolumeInformationFile (144, 1241828, 8, Device, ... {status=0x0, info=8}, ) == 0x0 01069 424 NtSetInformationFile (140, 1241932, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01070 424 NtCreateSection (0xf001f, 0x0, 0x0, 2, 134217728, 144, ... 148, ) == 0x0 01071 424 NtMapViewOfSection (148, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x9f0000), {0, 0}, 188416, ) == 0x0 01072 424 NtClose (148, ... 
) == 0x0 01073 424 NtWriteFile (140, 0, 0, 0, (140, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0fn\0\0\320\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\11\3538\210M\212V\333M\212V\333M\212V\333\316\226X\333O\212V\333\245\225R\333O\212V\333M\212V\333J\212V\333M\212W\333\32\212V\333/\225E\333D\212V\333\245\225]\333G\212V\333RichM\212V\333\0\0\0\0\0\0\0\0PE\0\0L\1\4\0\322~\340@\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0 \0\0\0\20\0\0\0P\0\0\0\240\0\0\0`\0\0\0\200\0\0\0\0C1\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\260\0\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0h\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0UPX0\0\0\0\0\0P\0\0\0\20\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0\340UPX1", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... 
{status=0x0, info=61440}, ) == 0x0 01074 424 NtWriteFile (140, 0, 0, 0, (140, 0, 0, 0, "\240\340\34\6F\231\14"v\37\304\260\277T\13\20FQs\315\341\370\3123c\215&\274\347\5\232E4(iR\356\\366PS\305\355\207T\344\324\213\256\222'd=\270w9\347\370\35\5\335\206\350B\31\257\301\256\3326\212\203Z\347\253\250;\31Zj%Q2\177\10i\266\323\343\351L\270\354kVT\271\235\273Va\325\6L\334o.\15\260Z\224B\254q\273F\350\244\330\267wm\207!;g\360\3\215JI[\235s+\22&R1\4`\344)\203\246`\350\267\315\2%+\243P\312;\31\266\27754k\266\255\270w\275\37\254q!a^\325Skbh:\11\246\2\341o\212\262\264\31p\373\277P`\3161\3251=c\264Iel<"\234\36\2325>\376\350\244<\307\15\5\316\306t\307\233\21\243\271@\30\367\275v\366\3\376G\226!\305\327\303;0\322P\263\213\261B\37h|\24.G\311^k\263\253F\12r\253\316\348[\16xI\12\224\362\257\3353\17j\243\4h#\232\260\261$\271w\177\30\16"\334\237\17c\337\235-\224\3746\201\213\10\355\252\346\0\3204\333\24:v\3278\373}\307\376bA\200\201\236\365\236\311\275\270\351~t\251\21\212x\3\375,\3\232\360\4QN\353[\260\355\375\1le2\1-^\344\214mo&\20h\314\274\255J\177\276\331^m\342\16gqMS\331Hb1\15\321nj\12dc\2718%\315\13\311f\241t^\331\300Fu\355\270#\256\245 \10ti$\2W\337\272,de4\20G1\244\357a\355~ eT\27\257i\212\372\26A\54\25.\2713\323"|\220`i7\331\256i\3771\6\211\241+!\305\166\7\216o!\30ev\342\362\222\257v\204\6\237\212\364\215\306&4a\13W\257\o\366\10$\235n\314", 61440, 0x0, 0, ... 
{status=0x0, info=61440}, ) v\37\304\260\277T\13\20FQs\315\341\370\3123c\215&\274\347\5\232E4(iR\356\\366PS\305\355\207T\344\324\213\256\222'd=\270w9\347\370\35\5\335\206\350B\31\257\301\256\3326\212\203Z\347\253\250;\31Zj%Q2\177\10i\266\323\343\351L\270\354kVT\271\235\273Va\325\6L\334o.\15\260Z\224B\254q\273F\350\244\330\267wm\207!;g\360\3\215JI[\235s+\22&R1\4`\344)\203\246`\350\267\315\2%+\243P\312;\31\266\27754k\266\255\270w\275\37\254q!a^\325Skbh:\11\246\2\341o\212\262\264\31p\373\277P`\3161\3251=c\264Iel< (140, 0, 0, 0, "\240\340\34\6F\231\14"v\37\304\260\277T\13\20FQs\315\341\370\3123c\215&\274\347\5\232E4(iR\356\\366PS\305\355\207T\344\324\213\256\222'd=\270w9\347\370\35\5\335\206\350B\31\257\301\256\3326\212\203Z\347\253\250;\31Zj%Q2\177\10i\266\323\343\351L\270\354kVT\271\235\273Va\325\6L\334o.\15\260Z\224B\254q\273F\350\244\330\267wm\207!;g\360\3\215JI[\235s+\22&R1\4`\344)\203\246`\350\267\315\2%+\243P\312;\31\266\27754k\266\255\270w\275\37\254q!a^\325Skbh:\11\246\2\341o\212\262\264\31p\373\277P`\3161\3251=c\264Iel<"\234\36\2325>\376\350\244<\307\15\5\316\306t\307\233\21\243\271@\30\367\275v\366\3\376G\226!\305\327\303;0\322P\263\213\261B\37h|\24.G\311^k\263\253F\12r\253\316\348[\16xI\12\224\362\257\3353\17j\243\4h#\232\260\261$\271w\177\30\16"\334\237\17c\337\235-\224\3746\201\213\10\355\252\346\0\3204\333\24:v\3278\373}\307\376bA\200\201\236\365\236\311\275\270\351~t\251\21\212x\3\375,\3\232\360\4QN\353[\260\355\375\1le2\1-^\344\214mo&\20h\314\274\255J\177\276\331^m\342\16gqMS\331Hb1\15\321nj\12dc\2718%\315\13\311f\241t^\331\300Fu\355\270#\256\245 \10ti$\2W\337\272,de4\20G1\244\357a\355~ eT\27\257i\212\372\26A\54\25.\2713\323"|\220`i7\331\256i\3771\6\211\241+!\305\166\7\216o!\30ev\342\362\222\257v\204\6\237\212\364\215\306&4a\13W\257\o\366\10$\235n\314", 61440, 0x0, 0, ... 
{status=0x0, info=61440}, ) \334\237\17c\337\235-\224\3746\201\213\10\355\252\346\0\3204\333\24:v\3278\373}\307\376bA\200\201\236\365\236\311\275\270\351~t\251\21\212x\3\375,\3\232\360\4QN\353[\260\355\375\1le2\1-^\344\214mo&\20h\314\274\255J\177\276\331^m\342\16gqMS\331Hb1\15\321nj\12dc\2718%\315\13\311f\241t^\331\300Fu\355\270#\256\245 \10ti$\2W\337\272,de4\20G1\244\357a\355~ eT\27\257i\212\372\26A\54\25.\2713\323 (140, 0, 0, 0, "\240\340\34\6F\231\14"v\37\304\260\277T\13\20FQs\315\341\370\3123c\215&\274\347\5\232E4(iR\356\\366PS\305\355\207T\344\324\213\256\222'd=\270w9\347\370\35\5\335\206\350B\31\257\301\256\3326\212\203Z\347\253\250;\31Zj%Q2\177\10i\266\323\343\351L\270\354kVT\271\235\273Va\325\6L\334o.\15\260Z\224B\254q\273F\350\244\330\267wm\207!;g\360\3\215JI[\235s+\22&R1\4`\344)\203\246`\350\267\315\2%+\243P\312;\31\266\27754k\266\255\270w\275\37\254q!a^\325Skbh:\11\246\2\341o\212\262\264\31p\373\277P`\3161\3251=c\264Iel<"\234\36\2325>\376\350\244<\307\15\5\316\306t\307\233\21\243\271@\30\367\275v\366\3\376G\226!\305\327\303;0\322P\263\213\261B\37h|\24.G\311^k\263\253F\12r\253\316\348[\16xI\12\224\362\257\3353\17j\243\4h#\232\260\261$\271w\177\30\16"\334\237\17c\337\235-\224\3746\201\213\10\355\252\346\0\3204\333\24:v\3278\373}\307\376bA\200\201\236\365\236\311\275\270\351~t\251\21\212x\3\375,\3\232\360\4QN\353[\260\355\375\1le2\1-^\344\214mo&\20h\314\274\255J\177\276\331^m\342\16gqMS\331Hb1\15\321nj\12dc\2718%\315\13\311f\241t^\331\300Fu\355\270#\256\245 \10ti$\2W\337\272,de4\20G1\244\357a\355~ eT\27\257i\212\372\26A\54\25.\2713\323"|\220`i7\331\256i\3771\6\211\241+!\305\166\7\216o!\30ev\342\362\222\257v\204\6\237\212\364\215\306&4a\13W\257\o\366\10$\235n\314", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... 
{status=0x0, info=61440}, ) == 0x0 01075 424 NtWriteFile (140, 0, 0, 0, (140, 0, 0, 0, "\13\2/d\365,fQ7\11\246Ac>bU\365,0\313:nActRY?60\31\1\375j];2\266t\365,vA\232\226*\220d\216\330a\252q\330ha\262\372\224yzN\6n9*8\317\317\215i\3330](m4"\37r\375c\11\13\2468\12\0yUhX\254\22\312q\14\13Se\3606c\213\222'\320\5n\300o\222\362\2735r\2373\35aw\232\11\3\355`A\354\13|\301f\355\215\242S\13sx\326b2E~j"9\16O4\212\315h\12\305o\206b\6\36pD\201E\177\211$\275\250\35g=\312\14JF\202/c\270+\12i\271\321\335\336@i\12n9Si\11fuD\135f\320bd\305\252\345v=\200\255\344>\336m\23;D\17\36}\357\15\337$\0H69c\347\317\300\331\262\202R\16\307\271\214hVI\33\260tg\307[&-\271i\372\36fa\6\6\220"c-\21\321\232\36]\212\1e58uJvv_\6=\336_\207q_\205-\11\23\356+xA+\360\332\34[\270f\324\31\264\216\242\345\224"\305\354g\13\271\330\347{\213\30h\7\11w\23c\267\306\13$\211\217\3259G\345&#\250\305\366\367\364mkv\233]\226\303e\241\36'[\354\344=-\371W@\337q\300EB\35\235\266\215\321$\232\300\334)\277\377j4\305\244\216N\273u\202b\200\31/\261[\20E\312\4\22dbj\354 \3465\211o\205mqmL\373`\316\306g\356\252\35\213>3i.\270[\237\343t\3435\360\224\16\200_\217,\377\254oP5\260U#\365\207\203\250\330\2\357B\33\252\246\1\300\377R\325}M\201\205\15Mi\22)\203\234\220J\32n\244I\34C\332Al", 61440, 0x0, 0, ... 
{status=0x0, info=61440}, ) \37r\375c\11\13\2468\12\0yUhX\254\22\312q\14\13Se\3606c\213\222'\320\5n\300o\222\362\2735r\2373\35aw\232\11\3\355`A\354\13|\301f\355\215\242S\13sx\326b2E~j225\200\17j\5\33\10\252\276 (140, 0, 0, 0, "\13\2/d\365,fQ7\11\246Ac>bU\365,0\313:nActRY?60\31\1\375j];2\266t\365,vA\232\226*\220d\216\330a\252q\330ha\262\372\224yzN\6n9*8\317\317\215i\3330](m4"\37r\375c\11\13\2468\12\0yUhX\254\22\312q\14\13Se\3606c\213\222'\320\5n\300o\222\362\2735r\2373\35aw\232\11\3\355`A\354\13|\301f\355\215\242S\13sx\326b2E~j"9\16O4\212\315h\12\305o\206b\6\36pD\201E\177\211$\275\250\35g=\312\14JF\202/c\270+\12i\271\321\335\336@i\12n9Si\11fuD\135f\320bd\305\252\345v=\200\255\344>\336m\23;D\17\36}\357\15\337$\0H69c\347\317\300\331\262\202R\16\307\271\214hVI\33\260tg\307[&-\271i\372\36fa\6\6\220"c-\21\321\232\36]\212\1e58uJvv_\6=\336_\207q_\205-\11\23\356+xA+\360\332\34[\270f\324\31\264\216\242\345\224"\305\354g\13\271\330\347{\213\30h\7\11w\23c\267\306\13$\211\217\3259G\345&#\250\305\366\367\364mkv\233]\226\303e\241\36'[\354\344=-\371W@\337q\300EB\35\235\266\215\321$\232\300\334)\277\377j4\305\244\216N\273u\202b\200\31/\261[\20E\312\4\22dbj\354 \3465\211o\205mqmL\373`\316\306g\356\252\35\213>3i.\270[\237\343t\3435\360\224\16\200_\217,\377\254oP5\260U#\365\207\203\250\330\2\357B\33\252\246\1\300\377R\325}M\201\205\15Mi\22)\203\234\220J\32n\244I\34C\332Al", 61440, 0x0, 0, ... 
{status=0x0, info=61440}, ) c-\21\321\232\36]\212\1e58uJvv_\6=\336_\207q_\205-\11\23\356+xA+\360\332\34[\270f\324\31\264\216\242\345\224 (140, 0, 0, 0, "\13\2/d\365,fQ7\11\246Ac>bU\365,0\313:nActRY?60\31\1\375j];2\266t\365,vA\232\226*\220d\216\330a\252q\330ha\262\372\224yzN\6n9*8\317\317\215i\3330](m4"\37r\375c\11\13\2468\12\0yUhX\254\22\312q\14\13Se\3606c\213\222'\320\5n\300o\222\362\2735r\2373\35aw\232\11\3\355`A\354\13|\301f\355\215\242S\13sx\326b2E~j"9\16O4\212\315h\12\305o\206b\6\36pD\201E\177\211$\275\250\35g=\312\14JF\202/c\270+\12i\271\321\335\336@i\12n9Si\11fuD\135f\320bd\305\252\345v=\200\255\344>\336m\23;D\17\36}\357\15\337$\0H69c\347\317\300\331\262\202R\16\307\271\214hVI\33\260tg\307[&-\271i\372\36fa\6\6\220"c-\21\321\232\36]\212\1e58uJvv_\6=\336_\207q_\205-\11\23\356+xA+\360\332\34[\270f\324\31\264\216\242\345\224"\305\354g\13\271\330\347{\213\30h\7\11w\23c\267\306\13$\211\217\3259G\345&#\250\305\366\367\364mkv\233]\226\303e\241\36'[\354\344=-\371W@\337q\300EB\35\235\266\215\321$\232\300\334)\277\377j4\305\244\216N\273u\202b\200\31/\261[\20E\312\4\22dbj\354 \3465\211o\205mqmL\373`\316\306g\356\252\35\213>3i.\270[\237\343t\3435\360\224\16\200_\217,\377\254oP5\260U#\365\207\203\250\330\2\357B\33\252\246\1\300\377R\325}M\201\205\15Mi\22)\203\234\220J\32n\244I\34C\332Al", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... 
{status=0x0, info=61440}, ) == 0x0 01076 424 NtWriteFile (140, 0, 0, 0, (140, 0, 0, 0, "mn6\0\23150\0ui6\0em6\0em6\0em6\0\3\326\31+em6\0em7\0em6\0Un6\0i00\0El6\0em6\0em6\0em6\0\3\326\31+em6\0em7\0em6\0=n6\0I30\0\345n6\0em6\0em6\0em6\0\3\326\31+em6\0em7\0em6\0\345n6\0\311\140\0\261n6\0em6\0em6\0em6\0\3\326\31+em6\0em7\0em6\0\315n6\0\345\100\0\271n6\0em6\0em6\0em6\0\3\326\31+em6\0em7\0em6\0\265n6\09\40\0\255o6\0em6\0em6\0em6\0\3\326\31+em6\0gm6\0\325h6\200ei6\200\333h6\200Mi6\200em6\0\3\326\31+em6\0em7\0em6\0}i6\0A\10\0um6\0em6\0em6\0em6\0\3\326\31+em6\0em7\0em6\0%i6\0Q\10\0\16l6\0em6\0em6\0em6\0\3\326\31+em6\0em1\0\234\226\0\375i6\200\237\226\0\245i6\200\236\226\0\215i6\200\231\226\0uh6\200\230\226\0]h6\200\233\226\0\5h6\200\232\226\0\355h6\200em6\0\3\326\31+em6\0em7\0em6\0\325i6\0\305\00\0qm6\0em6\0em6\0em6\0\3\326\31+em6\0em7\0em6\0\275i6\0\321\00\0qm6\0em6\0em6\0em6\0\3\326\31+em6\0em7\0", 3324, 0x0, 0, ... {status=0x0, info=3324}, ) , 3324, 0x0, 0, ... {status=0x0, info=3324}, ) == 0x0 01077 424 NtUnmapViewOfSection (-1, 0x9f0000, ... ) == 0x0 01078 424 NtSetInformationFile (140, 1244376, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01079 424 NtClose (144, ... ) == 0x0 01080 424 NtClose (140, ... ) == 0x0 01081 424 NtCreateKey (0xf003f, {24, 28, 0x40, 0, 0, (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, 0, 0x0, 0, ... 140, 2, ) }, 0, 0x0, 0, ... 140, 2, ) == 0x0 01082 424 NtSetValueKey (140, (140, "Cryptographic Service", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0s\0w\0f\0q\0e\0i\0.\0e\0x\0e\0\0\0", 62, ... , 0, 1, (140, "Cryptographic Service", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0s\0w\0f\0q\0e\0i\0.\0e\0x\0e\0\0\0", 62, ... , 62, ... 01083 424 NtSetInformationFile (-2147482808, -136313036, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01084 424 NtSetInformationFile (-2147482808, -136313128, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01082 424 NtSetValueKey ... 
) == 0x0 01085 424 NtClose (140, ... ) == 0x0 01086 424 NtClose (100, ... ) == 0x0 01087 424 NtQueryInformationJobObject (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED 01088 424 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\swfqei.exe"}, 1241008, ... ) }, 1241008, ... ) == 0x0 01089 424 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\swfqei.exe"}, 1241700, ... ) }, 1241700, ... ) == 0x0 01090 424 NtOpenFile (0x1000a1, {24, 0, 0x40, 0, 0, (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\swfqei.exe"}, 5, 96, ... 100, {status=0x0, info=1}, ) }, 5, 96, ... 100, {status=0x0, info=1}, ) == 0x0 01091 424 NtCreateSection (0xf001f, 0x0, 0x0, 16, 16777216, 100, ... 140, ) == 0x0 01092 424 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01093 424 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 144, ) }, ... 144, ) == 0x0 01094 424 NtQueryValueKey (144, (144, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01095 424 NtClose (144, ... ) == 0x0 01096 424 NtQueryVolumeInformationFile (100, 1241008, 8, Device, ... {status=0x0, info=8}, ) == 0x0 01097 424 NtOpenMutant (0x120001, {24, 52, 0x0, 0, 0, (0x120001, {24, 52, 0x0, 0, 0, "ShimCacheMutex"}, ... 144, ) }, ... 144, ) == 0x0 01098 424 NtWaitForSingleObject (144, 0, {-1000000, -1}, ... ) == 0x0 01099 424 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "ShimSharedMemory"}, ... 148, ) }, ... 148, ) == 0x0 01100 424 NtMapViewOfSection (148, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x9f0000), {0, 0}, 57344, ) == 0x0 01101 424 NtReleaseMutant (144, ... 
0x0, ) == 0x0 01102 424 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1238992, ... ) }, 1238992, ... ) == 0x0 01103 424 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 152, {status=0x0, info=1}, ) }, 5, 96, ... 152, {status=0x0, info=1}, ) == 0x0 01104 424 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 152, ... 156, ) == 0x0 01105 424 NtClose (152, ... ) == 0x0 01106 424 NtMapViewOfSection (156, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa00000), 0x0, 106496, ) == 0x0 01107 424 NtClose (156, ... ) == 0x0 01108 424 NtUnmapViewOfSection (-1, 0xa00000, ... ) == 0x0 01109 424 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1239308, ... ) }, 1239308, ... ) == 0x0 01110 424 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 156, {status=0x0, info=1}, ) }, 5, 96, ... 156, {status=0x0, info=1}, ) == 0x0 01111 424 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 156, ... 152, ) == 0x0 01112 424 NtQuerySection (152, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01113 424 NtClose (156, ... ) == 0x0 01114 424 NtMapViewOfSection (152, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f40000), 0x0, 118784, ) == 0x0 01115 424 NtClose (152, ... ) == 0x0 01116 424 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 0, (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 152, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 152, {status=0x0, info=1}, ) == 0x0 01117 424 NtQueryInformationFile (152, 1239596, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01118 424 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 152, ... 156, ) == 0x0 01119 424 NtMapViewOfSection (156, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... 
(0xa00000), 0x0, 1028096, ) == 0x0 01120 424 NtQueryInformationFile (152, 1239692, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01121 424 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 0, (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01122 424 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 01123 424 NtQueryInformationProcess (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0 01124 424 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 160, {status=0x0, info=1}, ) }, 3, 16417, ... 160, {status=0x0, info=1}, ) == 0x0 01125 424 NtQueryDirectoryFile (160, 0, 0, 0, 1237256, 616, BothDirectory, 1, (160, 0, 0, 0, 1237256, 616, BothDirectory, 1, "swfqei.exe", 0, ... {status=0x0, info=114}, ) , 0, ... {status=0x0, info=114}, ) == 0x0 01126 424 NtClose (160, ... ) == 0x0 01127 424 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01128 424 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01129 424 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\swfqei.exe"}, 1236644, ... ) }, 1236644, ... ) == 0x0 01130 424 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 160, {status=0x0, info=1}, ) }, 3, 16417, ... 160, {status=0x0, info=1}, ) == 0x0 01131 424 NtQueryDirectoryFile (160, 0, 0, 0, 1236004, 616, BothDirectory, 1, (160, 0, 0, 0, 1236004, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0 01132 424 NtClose (160, ... ) == 0x0 01133 424 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 
160, {status=0x0, info=1}, ) }, 3, 16417, ... 160, {status=0x0, info=1}, ) == 0x0 01134 424 NtQueryDirectoryFile (160, 0, 0, 0, 1236004, 616, BothDirectory, 1, (160, 0, 0, 0, 1236004, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0 01135 424 NtClose (160, ... ) == 0x0 01136 424 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 160, {status=0x0, info=1}, ) }, 3, 16417, ... 160, {status=0x0, info=1}, ) == 0x0 01137 424 NtQueryDirectoryFile (160, 0, 0, 0, 1236004, 616, BothDirectory, 1, (160, 0, 0, 0, 1236004, 616, BothDirectory, 1, "swfqei.exe", 0, ... {status=0x0, info=114}, ) , 0, ... {status=0x0, info=114}, ) == 0x0 01138 424 NtClose (160, ... ) == 0x0 01139 424 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01140 424 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01141 424 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 01142 424 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01143 424 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 160, ) == 0x0 01144 424 NtQueryInformationToken (160, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01145 424 NtClose (160, ... ) == 0x0 01146 424 NtOpenKey (0x80000100, {24, 0, 0x40, 0, 0, (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01147 424 NtOpenKey (0x80000100, {24, 0, 0x40, 0, 0, (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\swfqei.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01148 424 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... 
{process info, class 12, size 4}, 0x0, ) == 0x0 01149 424 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01150 424 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\swfqei.exe"}, 1238924, ... ) }, 1238924, ... ) == 0x0 01151 424 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 160, {status=0x0, info=1}, ) }, 3, 16417, ... 160, {status=0x0, info=1}, ) == 0x0 01152 424 NtQueryDirectoryFile (160, 0, 0, 0, 1238284, 616, BothDirectory, 1, (160, 0, 0, 0, 1238284, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0 01153 424 NtClose (160, ... ) == 0x0 01154 424 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 160, {status=0x0, info=1}, ) }, 3, 16417, ... 160, {status=0x0, info=1}, ) == 0x0 01155 424 NtQueryDirectoryFile (160, 0, 0, 0, 1238284, 616, BothDirectory, 1, (160, 0, 0, 0, 1238284, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0 01156 424 NtClose (160, ... ) == 0x0 01157 424 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 160, {status=0x0, info=1}, ) }, 3, 16417, ... 160, {status=0x0, info=1}, ) == 0x0 01158 424 NtQueryDirectoryFile (160, 0, 0, 0, 1238284, 616, BothDirectory, 1, (160, 0, 0, 0, 1238284, 616, BothDirectory, 1, "swfqei.exe", 0, ... {status=0x0, info=114}, ) , 0, ... {status=0x0, info=114}, ) == 0x0 01159 424 NtClose (160, ... ) == 0x0 01160 424 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01161 424 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01162 424 NtWaitForSingleObject (144, 0, {-1000000, -1}, ... 
) == 0x0 01163 424 NtQueryVolumeInformationFile (100, 1239568, 8, Device, ... {status=0x0, info=8}, ) == 0x0 01164 424 NtQueryInformationFile (100, 1239548, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01165 424 NtQueryInformationFile (100, 1239588, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01166 424 NtReleaseMutant (144, ... 0x0, ) == 0x0 01167 424 NtUnmapViewOfSection (-1, 0xa00000, ... ) == 0x0 01168 424 NtClose (156, ... ) == 0x0 01169 424 NtClose (152, ... ) == 0x0 01170 424 NtQuerySection (140, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01171 424 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\swfqei.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01172 424 NtOpenThreadToken (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN 01173 424 NtOpenProcessToken (-1, 0xa, ... 152, ) == 0x0 01174 424 NtQueryInformationToken (152, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0 01175 424 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01176 424 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 156, ) }, ... 156, ) == 0x0 01177 424 NtQueryValueKey (156, (156, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (156, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01178 424 NtQueryValueKey (156, (156, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (156, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01179 424 NtClose (156, ... 
) == 0x0 01180 424 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 156, ) }, ... 156, ) == 0x0 01181 424 NtQueryValueKey (156, (156, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL 01182 424 NtQueryValueKey (156, (156, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (156, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0 01183 424 NtClose (156, ... ) == 0x0 01184 424 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\LevelObjects"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01185 424 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 156, ) }, ... 156, ) == 0x0 01186 424 NtQueryValueKey (156, (156, "Levels", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01187 424 NtClose (156, ... 
) == 0x0 01188 424 NtQueryDefaultLocale (1, 1240380, ... ) == 0x0 01189 424 NtQueryDefaultLocale (1, 1240380, ... ) == 0x0 01190 424 NtQueryDefaultLocale (1, 1240380, ... ) == 0x0 01191 424 NtQueryDefaultLocale (1, 1240380, ... ) == 0x0 01192 424 NtQueryDefaultLocale (1, 1240380, ... ) == 0x0 01193 424 NtQueryDefaultLocale (1, 1240380, ... ) == 0x0 01194 424 NtQueryDefaultLocale (1, 1240380, ... ) == 0x0 01195 424 NtQueryDefaultLocale (1, 1240380, ... ) == 0x0 01196 424 NtQueryDefaultLocale (1, 1240380, ... ) == 0x0 01197 424 NtQueryDefaultLocale (1, 1240380, ... ) == 0x0 01198 424 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... 156, ) }, ... 156, ) == 0x0 01199 424 NtEnumerateKey (156, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name= (156, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name="{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, 92, ) }, 92, ) == 0x0 01200 424 NtOpenKey (0x20019, {24, 156, 0x40, 0, 0, (0x20019, {24, 156, 0x40, 0, 0, "{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, ... 160, ) }, ... 160, ) == 0x0 01201 424 NtQueryValueKey (160, (160, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) , Partial, 280, ... TitleIdx=0, Type=2, Data= (160, "ItemData", Partial, 280, ... 
TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) }, 202, ) == 0x0 01202 424 NtQueryValueKey (160, (160, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (160, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01203 424 NtClose (160, ... ) == 0x0 01204 424 NtEnumerateKey (156, 1, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES 01205 424 NtClose (156, ... ) == 0x0 01206 424 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01207 424 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01208 424 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01209 424 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01210 424 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01211 424 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01212 424 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01213 424 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01214 424 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01215 424 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01216 424 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01217 424 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01218 424 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01219 424 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01220 424 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01221 424 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 156, ) == 0x0 01222 424 NtQueryInformationToken (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01223 424 NtClose (156, ... ) == 0x0 01224 424 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01225 424 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01226 424 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 156, ) == 0x0 01227 424 NtQueryInformationToken (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01228 424 NtClose (156, ... ) == 0x0 01229 424 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01230 424 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01231 424 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 156, ) == 0x0 01232 424 NtQueryInformationToken (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01233 424 NtClose (156, ... ) == 0x0 01234 424 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01235 424 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01236 424 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 156, ) == 0x0 01237 424 NtQueryInformationToken (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01238 424 NtClose (156, ... 
) == 0x0 01239 424 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01240 424 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01241 424 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 156, ) == 0x0 01242 424 NtQueryInformationToken (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01243 424 NtClose (156, ... ) == 0x0 01244 424 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01245 424 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01246 424 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 156, ) == 0x0 01247 424 NtQueryInformationToken (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01248 424 NtClose (156, ... ) == 0x0 01249 424 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01250 424 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01251 424 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 156, ) == 0x0 01252 424 NtQueryInformationToken (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01253 424 NtClose (156, ... ) == 0x0 01254 424 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01255 424 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... 
) == STATUS_NO_TOKEN 01256 424 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 156, ) == 0x0 01257 424 NtQueryInformationToken (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01258 424 NtClose (156, ... ) == 0x0 01259 424 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01260 424 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01261 424 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 156, ) == 0x0 01262 424 NtQueryInformationToken (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01263 424 NtClose (156, ... ) == 0x0 01264 424 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01265 424 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01266 424 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 156, ) == 0x0 01267 424 NtQueryInformationToken (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01268 424 NtClose (156, ... ) == 0x0 01269 424 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01270 424 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01271 424 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 156, ) == 0x0 01272 424 NtQueryInformationToken (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01273 424 NtClose (156, ... 
) == 0x0 01274 424 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01275 424 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01276 424 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 156, ) == 0x0 01277 424 NtQueryInformationToken (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01278 424 NtClose (156, ... ) == 0x0 01279 424 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01280 424 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01281 424 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 156, ) == 0x0 01282 424 NtQueryInformationToken (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01283 424 NtClose (156, ... ) == 0x0 01284 424 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01285 424 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01286 424 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 156, ) == 0x0 01287 424 NtQueryInformationToken (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01288 424 NtClose (156, ... ) == 0x0 01289 424 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01290 424 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... 
) == STATUS_NO_TOKEN 01291 424 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 156, ) == 0x0 01292 424 NtQueryInformationToken (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01293 424 NtClose (156, ... ) == 0x0 01294 424 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01295 424 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 156, ) }, ... 156, ) == 0x0 01296 424 NtQueryValueKey (156, (156, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (156, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Data= (156, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) }, 48, ) == 0x0 01297 424 NtClose (156, ... ) == 0x0 01298 424 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01299 424 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 156, ) == 0x0 01300 424 NtQueryInformationToken (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01301 424 NtClose (156, ... ) == 0x0 01302 424 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01303 424 NtOpenThreadToken (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN 01304 424 NtOpenProcessToken (-1, 0xa, ... 156, ) == 0x0 01305 424 NtDuplicateToken (156, 0xc, {24, 0, 0x0, 0, 1240900, 0x0}, 0, 2, ... 160, ) == 0x0 01306 424 NtClose (156, ... ) == 0x0 01307 424 NtAccessCheck (1378928, 160, 0x1, 1241028, 1240972, 56, 1241056, ... 
(0x1), ) == 0x0 01308 424 NtClose (160, ... ) == 0x0 01309 424 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 160, ) }, ... 160, ) == 0x0 01310 424 NtQueryValueKey (160, (160, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (160, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01311 424 NtClose (160, ... ) == 0x0 01312 424 NtOpenSymbolicLinkObject (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 160, ) }, ... 160, ) == 0x0 01313 424 NtQuerySymbolicLinkObject (160, ... (160, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0 01314 424 NtClose (160, ... ) == 0x0 01315 424 NtQueryInformationFile (100, 1239360, 528, Name, ... {status=0x0, info=60}, ) == 0x0 01316 424 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01317 424 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01318 424 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\swfqei.exe"}, 1238040, ... ) }, 1238040, ... ) == 0x0 01319 424 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 160, {status=0x0, info=1}, ) }, 3, 16417, ... 160, {status=0x0, info=1}, ) == 0x0 01320 424 NtQueryDirectoryFile (160, 0, 0, 0, 1237400, 616, BothDirectory, 1, (160, 0, 0, 0, 1237400, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0 01321 424 NtClose (160, ... ) == 0x0 01322 424 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 160, {status=0x0, info=1}, ) }, 3, 16417, ... 
160, {status=0x0, info=1}, ) == 0x0 01323 424 NtQueryDirectoryFile (160, 0, 0, 0, 1237400, 616, BothDirectory, 1, (160, 0, 0, 0, 1237400, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0 01324 424 NtClose (160, ... ) == 0x0 01325 424 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 160, {status=0x0, info=1}, ) }, 3, 16417, ... 160, {status=0x0, info=1}, ) == 0x0 01326 424 NtQueryDirectoryFile (160, 0, 0, 0, 1237400, 616, BothDirectory, 1, (160, 0, 0, 0, 1237400, 616, BothDirectory, 1, "swfqei.exe", 0, ... {status=0x0, info=114}, ) , 0, ... {status=0x0, info=114}, ) == 0x0 01327 424 NtClose (160, ... ) == 0x0 01328 424 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01329 424 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01330 424 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01331 424 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 160, ) == 0x0 01332 424 NtQueryInformationToken (160, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01333 424 NtClose (160, ... ) == 0x0 01334 424 NtOpenKey (0x20019, {24, 0, 0x640, 0, 0, (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 160, ) }, ... 160, ) == 0x0 01335 424 NtOpenKey (0x20019, {24, 160, 0x40, 0, 0, (0x20019, {24, 160, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 156, ) }, ... 156, ) == 0x0 01336 424 NtClose (160, ... ) == 0x0 01337 424 NtQueryValueKey (156, (156, "Cache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01338 424 NtQueryValueKey (156, (156, "Cache", Partial, 162, ... 
TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=1, Data= (156, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) }, 162, ) == 0x0 01339 424 NtClose (156, ... ) == 0x0 01340 424 NtAllocateVirtualMemory (-1, 0, 0, 4096, 8192, 4, ... 10485760, 4096, ) == 0x0 01341 424 NtAllocateVirtualMemory (-1, 10485760, 0, 4096, 4096, 4, ... 10485760, 4096, ) == 0x0 01342 424 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 156, ) }, ... 156, ) == 0x0 01343 424 NtQueryValueKey (156, (156, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01344 424 NtClose (156, ... ) == 0x0 01345 424 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01346 424 NtQueryInformationToken (152, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0 01347 424 NtQueryInformationToken (152, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0 01348 424 NtClose (152, ... ) == 0x0 01349 424 NtCreateProcessEx (1243636, 2035711, 0, -1, 0, 140, 0, 0, 0, ... ) == 0x0 01350 424 NtQueryInformationProcess (152, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=588,ParentPid=420,}, 0x0, ) == 0x0 01351 424 NtReadVirtualMemory (152, 0x7ffdf008, 4, ... (152, 0x7ffdf008, 4, ... 
"\0\0C1", 0x0, ) , 0x0, ) == 0x0 01352 424 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\swfqei.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01353 424 NtAllocateVirtualMemory (-1, 1380352, 0, 8192, 4096, 4, ... 1380352, 8192, ) == 0x0 01354 424 NtReadVirtualMemory (152, 0x31430000, 4096, ... (152, 0x31430000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0fn\0\0\320\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\11\3538\210M\212V\333M\212V\333M\212V\333\316\226X\333O\212V\333\245\225R\333O\212V\333M\212V\333J\212V\333M\212W\333\32\212V\333/\225E\333D\212V\333\245\225]\333G\212V\333RichM\212V\333\0\0\0\0\0\0\0\0PE\0\0L\1\4\0\322~\340@\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0 \0\0\0\20\0\0\0P\0\0\0\240\0\0\0`\0\0\0\200\0\0\0\0C1\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\260\0\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0h\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0UPX0\0\0\0\0\0P\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0\340UPX1", 4096, ) , 4096, ) == 0x0 01355 424 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01356 424 NtQueryInformationProcess (152, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=588,ParentPid=420,}, 0x0, ) == 0x0 01357 424 NtAllocateVirtualMemory (-1, 0, 0, 1660, 4096, 4, ... 10551296, 4096, ) == 0x0 01358 424 NtAllocateVirtualMemory (152, 0, 0, 1910, 4096, 4, ... 
65536, 4096, ) == 0x0 01359 424 NtWriteVirtualMemory (152, 0x10000, (152, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0 01360 424 NtAllocateVirtualMemory (152, 0, 0, 1660, 4096, 4, ... 131072, 4096, ) == 0x0 01361 424 NtWriteVirtualMemory (152, 0x20000, (152, 0x20000, "\0\20\0\0|\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\0\0\0\0\0\13\0\0\0$\0\10\2\220\2\0\0\0\0\0\0\374\0\376\0\230\4\0\0<\0>\0\230\5\0\0<\0>\0\330\5\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0<\0>\0\30\6\0\0\36\0 
\0X\6\0\0\0\0\2\0x\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1660, ... 0x0, ) , 1660, ... 0x0, ) == 0x0 01362 424 NtWriteVirtualMemory (152, 0x7ffdf010, (152, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0 01363 424 NtWriteVirtualMemory (152, 0x7ffdf1e8, (152, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0 01364 424 NtFreeVirtualMemory (-1, (0xa10000), 0, 32768, ... (0xa10000), 4096, ) == 0x0 01365 424 NtAllocateVirtualMemory (152, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0 01366 424 NtAllocateVirtualMemory (152, 1236992, 0, 8192, 4096, 4, ... 1236992, 8192, ) == 0x0 01367 424 NtProtectVirtualMemory (152, (0x12e000), 4096, 260, ... (0x12e000), 4096, 4, ) == 0x0 01368 424 NtCreateThread (0x1f03ff, 0x0, 152, 1241900, 1242620, 1, ... 
156, {588, 584}, ) == 0x0 01369 424 NtRequestWaitReplyPort (24, {168, 196, new_msg, 0, 1312824, 1310720, 1368240, 1243720} (24, {168, 196, new_msg, 0, 1312824, 1310720, 1368240, 1243720} "\0\0\0\0\0\0\1\0\2$\370w U\367w\233\0\0\0\234\0\0\0L\2\0\0H\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\24\0\0\0\0\0" ... {168, 196, reply, 0, 420, 424, 1521, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367w\230\0\0\0\234\0\0\0L\2\0\0H\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\24\0\0\0\0\0" ) ... {168, 196, reply, 0, 420, 424, 1521, 0} (24, {168, 196, new_msg, 0, 1312824, 1310720, 1368240, 1243720} "\0\0\0\0\0\0\1\0\2$\370w U\367w\233\0\0\0\234\0\0\0L\2\0\0H\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\24\0\0\0\0\0" ... {168, 196, reply, 0, 420, 424, 1521, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367w\230\0\0\0\234\0\0\0L\2\0\0H\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\24\0\0\0\0\0" ) ) == 0x0 01370 424 NtResumeThread (156, ... 1, ) == 0x0 01371 424 NtClose (100, ... ) == 0x0 01372 424 NtClose (140, ... ) == 0x0 01373 424 NtQueryInformationProcess (152, Basic, 24, ... 
{ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=588,ParentPid=420,}, 0x0, ) == 0x0 01374 424 NtUserWaitForInputIdle (588, 30000, 0, ... 01375 424 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 140, ) == 0x0 01376 424 NtClose (140, ... ) == 0x0 01374 424 NtUserWaitForInputIdle ... ) == 0x0 01377 424 NtClose (152, ... ) == 0x0 01378 424 NtClose (156, ... ) == 0x0 01379 424 NtDelayExecution (0, {-5000000, -1}, ... ) == 0x0 01380 424 NtTerminateProcess (0, 0, ... ) == 0x0 01381 424 NtQueryVirtualMemory (-1, 0x897664, Basic, 28, ... {BaseAddress=0x897000,AllocationBase=0x860000,AllocationProtect=0x80,RegionSize=0x12000,State=0x1000,Protect=0x4,Type=0x1000000,}, 28, ) == 0x0 01382 424 NtQueryVirtualMemory (-1, 0x897f70, Basic, 28, ... {BaseAddress=0x897000,AllocationBase=0x860000,AllocationProtect=0x80,RegionSize=0x12000,State=0x1000,Protect=0x4,Type=0x1000000,}, 28, ) == 0x0 01383 424 NtQueryVirtualMemory (-1, 0x86d838, Basic, 28, ... {BaseAddress=0x86d000,AllocationBase=0x860000,AllocationProtect=0x80,RegionSize=0x3c000,State=0x1000,Protect=0x4,Type=0x1000000,}, 28, ) == 0x0 01384 424 NtGdiDeleteObjectApp (302646283, ... ) == 0x1 01385 424 NtGdiDeleteObjectApp (285869068, ... ) == 0x1 01386 424 NtGdiDeleteObjectApp (369755135, ... ) == 0x1 01387 424 NtUserDestroyCursor (131233, 1, ... ) == 0x1 01388 424 NtUserDestroyCursor (196771, 1, ... ) == 0x1 01389 424 NtUserDestroyCursor (196773, 1, ... ) == 0x1 01390 424 NtUserDestroyCursor (196775, 1, ... ) == 0x1 01391 424 NtUserDestroyCursor (196715, 1, ... ) == 0x1 01392 424 NtUserDestroyCursor (196717, 1, ... ) == 0x1 01393 424 NtUserDestroyCursor (196685, 1, ... ) == 0x1 01394 424 NtUserFindExistingCursorIcon (1243472, 1243488, 1244056, ... ) == 0x10011 01395 424 NtDeleteAtom (49180, ... ) == 0x0 01396 424 NtDeleteAtom (49181, ... ) == 0x0 01397 424 NtGdiDeleteObjectApp (369623938, ... ) == 0x1 01398 424 NtClose (96, ... 
) == 0x0 01399 424 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x8,}, 4, ... ) == 0x0 01400 424 NtUserGetClassInfo (1999896576, 1244172, 1244124, 1244200, 0, ... ) == 0xc03b 01401 424 NtUserUnregisterClass (1244176, 1999896576, 1244164, ... ) == 0x1 01402 424 NtUserGetClassInfo (1999896576, 1244172, 1244124, 1244200, 0, ... ) == 0xc03d 01403 424 NtUserUnregisterClass (1244176, 1999896576, 1244164, ... ) == 0x1 01404 424 NtUserGetClassInfo (1999896576, 1244172, 1244124, 1244200, 0, ... ) == 0xc03f 01405 424 NtUserUnregisterClass (1244176, 1999896576, 1244164, ... ) == 0x1 01406 424 NtUserGetClassInfo (1999896576, 1244172, 1244124, 1244200, 0, ... ) == 0xc041 01407 424 NtUserUnregisterClass (1244176, 1999896576, 1244164, ... ) == 0x1 01408 424 NtUserGetClassInfo (1999896576, 1244172, 1244124, 1244200, 0, ... ) == 0xc043 01409 424 NtUserUnregisterClass (1244176, 1999896576, 1244164, ... ) == 0x1 01410 424 NtUserGetClassInfo (1999896576, 1244172, 1244124, 1244200, 0, ... ) == 0xc045 01411 424 NtUserUnregisterClass (1244176, 1999896576, 1244164, ... ) == 0x1 01412 424 NtUserGetClassInfo (1999896576, 1244172, 1244124, 1244200, 0, ... ) == 0xc047 01413 424 NtUserUnregisterClass (1244176, 1999896576, 1244164, ... ) == 0x1 01414 424 NtUserGetClassInfo (1999896576, 1244172, 1244124, 1244200, 0, ... ) == 0xc049 01415 424 NtUserUnregisterClass (1244176, 1999896576, 1244164, ... ) == 0x1 01416 424 NtUserGetClassInfo (1999896576, 1244172, 1244124, 1244200, 0, ... ) == 0xc04b 01417 424 NtUserUnregisterClass (1244176, 1999896576, 1244164, ... ) == 0x1 01418 424 NtUserGetClassInfo (1999896576, 1244172, 1244124, 1244200, 0, ... ) == 0xc04d 01419 424 NtUserUnregisterClass (1244176, 1999896576, 1244164, ... ) == 0x1 01420 424 NtUserGetClassInfo (1999896576, 1244172, 1244124, 1244200, 0, ... ) == 0xc04f 01421 424 NtUserUnregisterClass (1244176, 1999896576, 1244164, ... ) == 0x1 01422 424 NtUserGetClassInfo (1999896576, 1244172, 1244124, 1244200, 0, ... 
) == 0xc051 01423 424 NtUserUnregisterClass (1244176, 1999896576, 1244164, ... ) == 0x1 01424 424 NtUserGetClassInfo (1999896576, 1244172, 1244124, 1244200, 0, ... ) == 0xc053 01425 424 NtUserUnregisterClass (1244176, 1999896576, 1244164, ... ) == 0x1 01426 424 NtUserGetClassInfo (1999896576, 1244172, 1244124, 1244200, 0, ... ) == 0xc057 01427 424 NtUserUnregisterClass (1244176, 1999896576, 1244164, ... ) == 0x1 01428 424 NtUserGetClassInfo (1999896576, 1244172, 1244124, 1244200, 0, ... ) == 0xc059 01429 424 NtUserUnregisterClass (1244176, 1999896576, 1244164, ... ) == 0x1 01430 424 NtUserGetClassInfo (1999896576, 1244172, 1244124, 1244200, 0, ... ) == 0xc05b 01431 424 NtUserUnregisterClass (1244176, 1999896576, 1244164, ... ) == 0x1 01432 424 NtUserGetClassInfo (1999896576, 1244172, 1244124, 1244200, 0, ... ) == 0xc05d 01433 424 NtUserUnregisterClass (1244176, 1999896576, 1244164, ... ) == 0x1 01434 424 NtUserGetClassInfo (1999896576, 1244172, 1244124, 1244200, 0, ... ) == 0xc05f 01435 424 NtUserUnregisterClass (1244176, 1999896576, 1244164, ... ) == 0x1 01436 424 NtUserGetClassInfo (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc03b 01437 424 NtUserUnregisterClass (1244176, 1905590272, 1244164, ... ) == 0x1 01438 424 NtUserGetClassInfo (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc03d 01439 424 NtUserUnregisterClass (1244176, 1905590272, 1244164, ... ) == 0x1 01440 424 NtUserGetClassInfo (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc03f 01441 424 NtUserUnregisterClass (1244176, 1905590272, 1244164, ... ) == 0x1 01442 424 NtUserGetClassInfo (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc041 01443 424 NtUserUnregisterClass (1244176, 1905590272, 1244164, ... ) == 0x1 01444 424 NtUserGetClassInfo (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc043 01445 424 NtUserUnregisterClass (1244176, 1905590272, 1244164, ... ) == 0x1 01446 424 NtUserGetClassInfo (1905590272, 1244172, 1244124, 1244200, 0, ... 
) == 0xc045 01447 424 NtUserUnregisterClass (1244176, 1905590272, 1244164, ... ) == 0x1 01448 424 NtUserGetClassInfo (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc047 01449 424 NtUserUnregisterClass (1244176, 1905590272, 1244164, ... ) == 0x1 01450 424 NtUserGetClassInfo (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc049 01451 424 NtUserUnregisterClass (1244176, 1905590272, 1244164, ... ) == 0x1 01452 424 NtUserGetClassInfo (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc04b 01453 424 NtUserUnregisterClass (1244176, 1905590272, 1244164, ... ) == 0x1 01454 424 NtUserGetClassInfo (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc04d 01455 424 NtUserUnregisterClass (1244176, 1905590272, 1244164, ... ) == 0x1 01456 424 NtUserGetClassInfo (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc04f 01457 424 NtUserUnregisterClass (1244176, 1905590272, 1244164, ... ) == 0x1 01458 424 NtUserGetClassInfo (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc051 01459 424 NtUserUnregisterClass (1244176, 1905590272, 1244164, ... ) == 0x1 01460 424 NtUserGetClassInfo (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc053 01461 424 NtUserUnregisterClass (1244176, 1905590272, 1244164, ... ) == 0x1 01462 424 NtUserGetClassInfo (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc057 01463 424 NtUserUnregisterClass (1244176, 1905590272, 1244164, ... ) == 0x1 01464 424 NtUserGetClassInfo (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc059 01465 424 NtUserUnregisterClass (1244176, 1905590272, 1244164, ... ) == 0x1 01466 424 NtUserGetClassInfo (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc05b 01467 424 NtUserUnregisterClass (1244176, 1905590272, 1244164, ... ) == 0x1 01468 424 NtUserGetClassInfo (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc05d 01469 424 NtUserUnregisterClass (1244176, 1905590272, 1244164, ... ) == 0x1 01470 424 NtUserGetClassInfo (1905590272, 1244172, 1244124, 1244200, 0, ... 
) == 0xc05f 01471 424 NtUserUnregisterClass (1244176, 1905590272, 1244164, ... ) == 0x1 01472 424 NtUserGetClassInfo (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc017 01473 424 NtUserUnregisterClass (1244176, 1905590272, 1244164, ... ) == 0x1 01474 424 NtUserGetClassInfo (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc019 01475 424 NtUserUnregisterClass (1244176, 1905590272, 1244164, ... ) == 0x1 01476 424 NtUserGetClassInfo (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc018 01477 424 NtUserUnregisterClass (1244176, 1905590272, 1244164, ... ) == 0x1 01478 424 NtUserGetClassInfo (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc01a 01479 424 NtUserUnregisterClass (1244176, 1905590272, 1244164, ... ) == 0x1 01480 424 NtUserGetClassInfo (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc01c 01481 424 NtUserUnregisterClass (1244176, 1905590272, 1244164, ... ) == 0x1 01482 424 NtUserGetClassInfo (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc01e 01483 424 NtUserUnregisterClass (1244176, 1905590272, 1244164, ... ) == 0x1 01484 424 NtUserGetClassInfo (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc01b 01485 424 NtUserUnregisterClass (1244176, 1905590272, 1244164, ... ) == 0x1 01486 424 NtUserGetClassInfo (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc068 01487 424 NtUserUnregisterClass (1244176, 1905590272, 1244164, ... ) == 0x1 01488 424 NtUserGetClassInfo (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc06a 01489 424 NtUserUnregisterClass (1244176, 1905590272, 1244164, ... ) == 0x1 01490 424 NtUnmapViewOfSection (-1, 0x850000, ... ) == 0x0 01491 424 NtClose (76, ... ) == 0x0 01492 424 NtClose (64, ... ) == 0x0 01493 424 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x5,}, 4, ... ) == 0x0 01494 424 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x1,}, 4, ... ) == 0x0 01495 424 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x2,}, 4, ... 
) == 0x0 01496 424 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x3,}, 4, ... ) == 0x0 01497 424 NtFreeVirtualMemory (-1, (0xa00000), 4096, 32768, ... (0xa00000), 4096, ) == 0x0 01498 424 NtRequestWaitReplyPort (24, {20, 48, new_msg, 0, 0, 0, 0, 0} (24, {20, 48, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\3\0\1\0@U\367w\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 420, 424, 3382, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {20, 48, reply, 0, 420, 424, 3382, 0} (24, {20, 48, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\3\0\1\0@U\367w\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 420, 424, 3382, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 01499 424 NtTerminateProcess (-1, 0, ... 01500 424 NtClose (44, ... ) == 0x0