Summary:


NtAddAtom(>)  1 
NtSecureConnectPort(>)  1 
NtUserCallOneParam(>)  3 
NtQueryDirectoryFile(>)  14 

NtCallbackReturn(>)  1 
NtSetInformationThread(>)  1 
NtUserGetWindowDC(>)  3 
NtUnmapViewOfSection(>)  15 

NtConnectPort(>)  1 
NtUserCreateWindowEx(>)  1 
NtUserRegisterWindowMessage(>)  3 
NtQueryDebugFilterState(>)  16 

NtCreateMutant(>)  1 
NtUserGetAtomName(>)  1 
NtWaitForMultipleObjects(>)  3 
NtQueryInformationToken(>)  17 

NtCreateThread(>)  1 
NtUserGetDC(>)  1 
NtWriteFile(>)  3 
NtQueryInformationFile(>)  19 

NtDelayExecution(>)  1 
NtUserGetGUIThreadInfo(>)  1 
NtAccessCheck(>)  4 
NtCreateFile(>)  22 

NtDuplicateToken(>)  1 
NtUserGetObjectInformation(>)  1 
NtContinue(>)  4 
NtDeviceIoControlFile(>)  22 

NtEnumerateValueKey(>)  1 
NtUserGetProcessWindowStation(>)  1 
NtCreateSemaphore(>)  4 
NtOpenSection(>)  29 

NtGdiCreateBitmap(>)  1 
NtUserGetThreadDesktop(>)  1 
NtSetEvent(>)  4 
NtQueryDefaultLocale(>)  30 

NtGdiInit(>)  1 
NtDuplicateObject(>)  2 
NtGdiGetStockObject(>)  5 
NtOpenFile(>)  35 

NtGdiQueryFontAssocInfo(>)  1 
NtFsControlFile(>)  2 
NtFreeVirtualMemory(>)  7 
NtQueryAttributesFile(>)  36 

NtGdiSelectBitmap(>)  1 
NtGdiCreateSolidBrush(>)  2 
NtOpenProcessToken(>)  7 
NtQueryVirtualMemory(>)  36 

NtNotifyChangeKey(>)  1 
NtGdiHfontCreate(>)  2 
NtQueryInformationProcess(>)  7 
NtQueryValueKey(>)  46 

NtOpenEvent(>)  1 
NtOpenDirectoryObject(>)  2 
NtSetValueKey(>)  8 
NtAllocateVirtualMemory(>)  47 

NtOpenKeyedEvent(>)  1 
NtOpenThreadToken(>)  2 
NtCreateEvent(>)  9 
NtMapViewOfSection(>)  48 

NtOpenProcess(>)  1 
NtRegisterThreadTerminatePort(>)  2 
NtCreateKey(>)  9 
NtUserFindExistingCursorIcon(>)  50 

NtOpenSymbolicLinkObject(>)  1 
NtSetEventBoostPriority(>)  2 
NtQueryVolumeInformationFile(>)  9 
NtUserRegisterClassExWOW(>)  62 

NtQueryFullAttributesFile(>)  1 
NtSetInformationProcess(>)  2 
NtQueryDefaultUILanguage(>)  10 
NtCreateSection(>)  75 

NtQueryInformationThread(>)  1 
NtTestAlert(>)  2 
NtQuerySection(>)  10 
NtQuerySystemInformation(>)  78 

NtQueryInstallUILanguage(>)  1 
NtWaitForSingleObject(>)  2 
NtSetInformationFile(>)  10 
NtReadFile(>)  79 

NtQueryObject(>)  1 
NtGdiCreateCompatibleDC(>)  3 
NtRequestWaitReplyPort(>)  12 
NtOpenKey(>)  90 

NtQuerySymbolicLinkObject(>)  1 
NtQueryPerformanceCounter(>)  3 
NtUserSystemParametersInfo(>)  12 
NtFlushInstructionCache(>)  110 

NtRaiseException(>)  1 
NtSetInformationObject(>)  3 
NtOpenProcessTokenEx(>)  13 
NtProtectVirtualMemory(>)  227 

NtResumeThread(>)  1 
NtUserCallNoParam(>)  3 
NtOpenThreadTokenEx(>)  13 
NtClose(>)  265 


Trace:
 00001   896   NtOpenFile  (0x80100000, {24, 0, 0x240, 0, 0,  (0x80100000, {24, 0, 0x240, 0, 0, "\SystemRoot\Prefetch\PACKED.EXE-09ED06A1.pf"}, 0, 32, ... -2147481368, {status=0x0, info=1}, ) }, 0, 32, ... -2147481368, {status=0x0, info=1}, ) == 0x0
 00002   896   NtQueryInformationFile  (-2147481368, -142414796, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00003   896   NtReadFile  (-2147481368, 0, 0, 0, 13474, 0x0, 0, ... {status=0x0, info=13474},  (-2147481368, 0, 0, 0, 13474, 0x0, 0, ... {status=0x0, info=13474}, "\21\0\0\0SCCA\17\0\0\0\2424\0\0P\0A\0C\0K\0E\0D\0.\0E\0X\0E\0\0\0\0\00\366i\201\0\0\0\0\0\0\0\0\20\0\0\0@-\201\367\0@\300\367\30,\201\367x@s\201@-\201\367\241\6\355\11\0\0\0\0\230\0\0\0\34\0\0\0\310\2\0\0\331\2\0\0\364$\0\0\36\14\0\0\301\0\0\1\0\0\0\212\3\0\0\200\14V6\217\260\310\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\01\0\0\0\0\0\0\02\0\0\0\2\0\0\01\0\0\0%\1\0\0f\0\0\05\0\0\0\6\0\0\0V\1\0\0\5\0\0\0\322\0\0\04\0\0\0\4\0\0\0[\1\0\0\3\0\0\0<\1\0\03\0\0\0\4\0\0\0^\1\0\0\4\0\0\0\244\1\0\05\0\0\0\4\0\0\0b\1\0\0\32\0\0\0\20\2\0\03\0\0\0\2\0\0\0|\1\0\0\23\0\0\0x\2\0\02\0\0\0\2\0\0\0\217\1\0\0\7\0\0\0\336\2\0\02\0\0\0\6\0\0\0\226\1\0\0\22\0\0\0D\3\0\05\0\0\0\2\0\0\0\250\1\0\0\14\0\0\0\260\3\0\03\0\0\0\2\0\0\0\264\1\0\0\13\0\0\0\30\4\0\05\0\0\0\2\0\0\0\277\1\0\0*\0\0\0\204\4\0\03\0\0\0\2\0\0\0\351\1\0\0\21\0\0\0\354\4\0\02\0\0\0\2\0\0\0\372\1\0\0\2\0\0\0R\5\0\02\0\0\0\4\0\0\0\374\1\0\0\1\0\0\0\270\5\0\04\0\0\0\4\0\0\0\375\1\0\0\22\0\0\0"\6\0\04\0\0\0\6\0\0\0\17\2\0\0\36\0\0\0\214\6\0\04\0\0\0\2\0\0\0-\2\0\0\13\0\0\0", ) \6\0\04\0\0\0\6\0\0\0\17\2\0\0\36\0\0\0\214\6\0\04\0\0\0\2\0\0\0-\2\0\0\13\0\0\0", ) == 0x0
 00004   896   NtClose  (-2147481368, ... ) == 0x0
 00005   896   NtCreateFile  (0x100080, {24, 0, 0x240, 0, 0,  (0x100080, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1"}, 0x0, 0, 7, 1, 32, 0, 0, ... -2147481368, {status=0x0, info=0}, ) }, 0x0, 0, 7, 1, 32, 0, 0, ... -2147481368, {status=0x0, info=0}, ) == 0x0
 00006   896   NtQueryVolumeInformationFile  (-2147481368, -142414840, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00007   896   NtClose  (-2147481368, ... ) == 0x0
 00008   896   NtCreateFile  (0x100180, {24, 0, 0x240, 0, 0,  (0x100180, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1"}, 0x0, 0, 7, 1, 32, 0, 0, ... }, 0x0, 0, 7, 1, 32, 0, 0, ...
 00009   896   NtContinue  (-142419640, 0, ...
 00008   896   NtCreateFile  ... -2147481368, {status=0x0, info=1}, ) == 0x0
 00010   896   NtQueryVolumeInformationFile  (-2147481368, -142414852, 24, Volume, ... {status=0x0, info=18}, ) == 0x0
 00011   896   NtFsControlFile  (-2147481368, 0, 0x0, 0x0, 0x90120,  (-2147481368, 0, 0x0, 0x0, 0x90120, "\1\0\0\0!\0\0\0H\10\0\0\0\0\1\0\2309\0\0\0\0\2\0\15\1\0\0\0\0\1\0\357\0\0\0\0\3\0X\244\0\0\0\0\4\0\217\10\0\0\0\0\1\0\214;\0\0\0\0\2\0XK\0\0\0\0\3\0f\10\0\0\0\0\1\0Z\10\0\0\0\0\1\0\304\10\0\0\0\0\1\0Y\10\0\0\0\0\1\0C\10\0\0\0\0\1\0/:\0\0\0\0\3\0\235\244\0\0\0\0\3\0\26\11\0\0\0\0\1\0\201\246\0\0\0\0\3\0\224\246\0\0\0\0\3\0@C\0\0\0\0\2\0r\10\0\0\0\0\1\0g\10\0\0\0\0\1\0\2\1\0\0\0\0\1\0o%\0\0\0\0\3\0\243\10\0\0\0\0\1\0q\10\0\0\0\0\1\0p\10\0\0\0\0\1\0@\31\0\0\0\0\1\0\2339\0\0\0\0\1\0\5\0\0\0\0\0\5\0\34\0\0\0\0\0\1\0'\0\0\0\0\0\1\0\210\0\0\0\0\0\1\0\2329\0\0\0\0\1\0", 272, 0, ... {status=0x0, info=0}, 0x0, ) , 272, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 00012   896   NtCreateFile  (0x100001, {24, 0, 0x240, 0, 0,  (0x100001, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1\"}, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) }, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) == 0x0
 00013   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446847, ... {status=0x0, info=1146}, ) == 0x0
 00014   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... ) == STATUS_NO_MORE_FILES
 00015   896   NtClose  (-2147482764, ... ) == 0x0
 00016   896   NtCreateFile  (0x100001, {24, 0, 0x240, 0, 0,  (0x100001, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1\WINDOWS\"}, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) }, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) == 0x0
 00017   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446847, ... {status=0x0, info=15820}, ) == 0x0
 00018   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... ) == STATUS_NO_MORE_FILES
 00019   896   NtClose  (-2147482764, ... ) == 0x0
 00020   896   NtCreateFile  (0x100001, {24, 0, 0x240, 0, 0,  (0x100001, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\"}, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) }, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) == 0x0
 00021   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446847, ... {status=0x0, info=16366}, ) == 0x0
 00022   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... {status=0x0, info=16354}, ) == 0x0
 00023   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... {status=0x0, info=16348}, ) == 0x0
 00024   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... {status=0x0, info=16364}, ) == 0x0
 00025   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... {status=0x0, info=11386}, ) == 0x0
 00026   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... ) == STATUS_NO_MORE_FILES
 00027   896   NtClose  (-2147482764, ... ) == 0x0
 00028   896   NtCreateFile  (0x100001, {24, 0, 0x240, 0, 0,  (0x100001, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1\WINDOWS\WINSXS\"}, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) }, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) == 0x0
 00029   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446847, ... {status=0x0, info=2228}, ) == 0x0
 00030   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... ) == STATUS_NO_MORE_FILES
 00031   896   NtClose  (-2147482764, ... ) == 0x0
 00032   896   NtCreateFile  (0x100001, {24, 0, 0x240, 0, 0,  (0x100001, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.2600.2982_X-WW_AC3F9C03\"}, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) }, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) == 0x0
 00033   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446847, ... {status=0x0, info=68}, ) == 0x0
 00034   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... ) == STATUS_NO_MORE_FILES
 00035   896   NtClose  (-2147482764, ... ) == 0x0
 00036   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482764, ... -2147482688, ) == 0x0
 00037   896   NtClose  (-2147482688, ... ) == 0x0
 00038   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482688, ... -2147482660, ) == 0x0
 00039   896   NtClose  (-2147482660, ... ) == 0x0
 00040   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482660, ... -2147482656, ) == 0x0
 00041   896   NtClose  (-2147482656, ... ) == 0x0
 00042   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482656, ... -2147482652, ) == 0x0
 00043   896   NtClose  (-2147482652, ... ) == 0x0
 00044   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482652, ... -2147482724, ) == 0x0
 00045   896   NtClose  (-2147482724, ... ) == 0x0
 00046   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482724, ... -2147481452, ) == 0x0
 00047   896   NtClose  (-2147481452, ... ) == 0x0
 00048   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481452, ... -2147482684, ) == 0x0
 00049   896   NtClose  (-2147482684, ... ) == 0x0
 00050   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482684, ... -2147482680, ) == 0x0
 00051   896   NtClose  (-2147482680, ... ) == 0x0
 00052   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482680, ... -2147482760, ) == 0x0
 00053   896   NtClose  (-2147482760, ... ) == 0x0
 00054   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482760, ... -2147481628, ) == 0x0
 00055   896   NtClose  (-2147481628, ... ) == 0x0
 00056   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481628, ... -2147481484, ) == 0x0
 00057   896   NtClose  (-2147481484, ... ) == 0x0
 00058   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481484, ... -2147481480, ) == 0x0
 00059   896   NtClose  (-2147481480, ... ) == 0x0
 00060   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481480, ... -2147482136, ) == 0x0
 00061   896   NtClose  (-2147482136, ... ) == 0x0
 00062   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482136, ... -2147482748, ) == 0x0
 00063   896   NtClose  (-2147482748, ... ) == 0x0
 00064   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482748, ... -2147482676, ) == 0x0
 00065   896   NtClose  (-2147482676, ... ) == 0x0
 00066   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482676, ... -2147482672, ) == 0x0
 00067   896   NtClose  (-2147482672, ... ) == 0x0
 00068   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482672, ... -2147482668, ) == 0x0
 00069   896   NtClose  (-2147482668, ... ) == 0x0
 00070   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482668, ... -2147482664, ) == 0x0
 00071   896   NtClose  (-2147482664, ... ) == 0x0
 00072   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482664, ... -2147481588, ) == 0x0
 00073   896   NtClose  (-2147481588, ... ) == 0x0
 00074   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481588, ... -2147481584, ) == 0x0
 00075   896   NtClose  (-2147481584, ... ) == 0x0
 00076   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481584, ... -2147482692, ) == 0x0
 00077   896   NtClose  (-2147482692, ... ) == 0x0
 00078   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482692, ... -2147481512, ) == 0x0
 00079   896   NtClose  (-2147481512, ... ) == 0x0
 00080   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481512, ... -2147481580, ) == 0x0
 00081   896   NtClose  (-2147481580, ... ) == 0x0
 00082   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481580, ... -2147481552, ) == 0x0
 00083   896   NtClose  (-2147481552, ... ) == 0x0
 00084   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481552, ... -2147481592, ) == 0x0
 00085   896   NtClose  (-2147481592, ... ) == 0x0
 00086   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481592, ... -2147481596, ) == 0x0
 00087   896   NtClose  (-2147481596, ... ) == 0x0
 00088   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481596, ... -2147482108, ) == 0x0
 00089   896   NtClose  (-2147482108, ... ) == 0x0
 00090   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482108, ... -2147482732, ) == 0x0
 00091   896   NtClose  (-2147482732, ... ) == 0x0
 00092   896   NtClose  (-2147482764, ... ) == 0x0
 00093   896   NtClose  (-2147482688, ... ) == 0x0
 00094   896   NtClose  (-2147482660, ... ) == 0x0
 00095   896   NtClose  (-2147482656, ... ) == 0x0
 00096   896   NtClose  (-2147482652, ... ) == 0x0
 00097   896   NtClose  (-2147482724, ... ) == 0x0
 00098   896   NtClose  (-2147481452, ... ) == 0x0
 00099   896   NtClose  (-2147482684, ... ) == 0x0
 00100   896   NtClose  (-2147482680, ... ) == 0x0
 00101   896   NtClose  (-2147482760, ... ) == 0x0
 00102   896   NtClose  (-2147481628, ... ) == 0x0
 00103   896   NtClose  (-2147481484, ... ) == 0x0
 00104   896   NtClose  (-2147481480, ... ) == 0x0
 00105   896   NtClose  (-2147482136, ... ) == 0x0
 00106   896   NtClose  (-2147482748, ... ) == 0x0
 00107   896   NtClose  (-2147482676, ... ) == 0x0
 00108   896   NtClose  (-2147482672, ... ) == 0x0
 00109   896   NtClose  (-2147482668, ... ) == 0x0
 00110   896   NtClose  (-2147482664, ... ) == 0x0
 00111   896   NtClose  (-2147481588, ... ) == 0x0
 00112   896   NtClose  (-2147481584, ... ) == 0x0
 00113   896   NtClose  (-2147482692, ... ) == 0x0
 00114   896   NtClose  (-2147481512, ... ) == 0x0
 00115   896   NtClose  (-2147481580, ... ) == 0x0
 00116   896   NtClose  (-2147481552, ... ) == 0x0
 00117   896   NtClose  (-2147481592, ... ) == 0x0
 00118   896   NtClose  (-2147481596, ... ) == 0x0
 00119   896   NtClose  (-2147482108, ... ) == 0x0
 00120   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482108, ... -2147481596, ) == 0x0
 00121   896   NtClose  (-2147481596, ... ) == 0x0
 00122   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481596, ... -2147481592, ) == 0x0
 00123   896   NtClose  (-2147481592, ... ) == 0x0
 00124   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481592, ... -2147481552, ) == 0x0
 00125   896   NtClose  (-2147481552, ... ) == 0x0
 00126   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481552, ... -2147481580, ) == 0x0
 00127   896   NtClose  (-2147481580, ... ) == 0x0
 00128   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481580, ... -2147481512, ) == 0x0
 00129   896   NtClose  (-2147481512, ... ) == 0x0
 00130   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481512, ... -2147482692, ) == 0x0
 00131   896   NtClose  (-2147482692, ... ) == 0x0
 00132   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482692, ... -2147481584, ) == 0x0
 00133   896   NtClose  (-2147481584, ... ) == 0x0
 00134   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481584, ... -2147481588, ) == 0x0
 00135   896   NtClose  (-2147481588, ... ) == 0x0
 00136   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481588, ... -2147482664, ) == 0x0
 00137   896   NtClose  (-2147482664, ... ) == 0x0
 00138   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482664, ... -2147482668, ) == 0x0
 00139   896   NtClose  (-2147482668, ... ) == 0x0
 00140   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482668, ... -2147482672, ) == 0x0
 00141   896   NtClose  (-2147482672, ... ) == 0x0
 00142   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482672, ... -2147482676, ) == 0x0
 00143   896   NtClose  (-2147482676, ... ) == 0x0
 00144   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482676, ... -2147482748, ) == 0x0
 00145   896   NtClose  (-2147482748, ... ) == 0x0
 00146   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482748, ... -2147482136, ) == 0x0
 00147   896   NtClose  (-2147482136, ... ) == 0x0
 00148   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482136, ... -2147481480, ) == 0x0
 00149   896   NtClose  (-2147481480, ... ) == 0x0
 00150   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481480, ... -2147481484, ) == 0x0
 00151   896   NtClose  (-2147481484, ... ) == 0x0
 00152   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481484, ... -2147481628, ) == 0x0
 00153   896   NtClose  (-2147481628, ... ) == 0x0
 00154   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481628, ... -2147482760, ) == 0x0
 00155   896   NtClose  (-2147482760, ... ) == 0x0
 00156   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482760, ... -2147482680, ) == 0x0
 00157   896   NtClose  (-2147482680, ... ) == 0x0
 00158   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482680, ... -2147482684, ) == 0x0
 00159   896   NtClose  (-2147482684, ... ) == 0x0
 00160   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482684, ... -2147481452, ) == 0x0
 00161   896   NtClose  (-2147481452, ... ) == 0x0
 00162   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481452, ... -2147482724, ) == 0x0
 00163   896   NtClose  (-2147482724, ... ) == 0x0
 00164   896   NtClose  (-2147482108, ... ) == 0x0
 00165   896   NtClose  (-2147481596, ... ) == 0x0
 00166   896   NtClose  (-2147481592, ... ) == 0x0
 00167   896   NtClose  (-2147481552, ... ) == 0x0
 00168   896   NtClose  (-2147481580, ... ) == 0x0
 00169   896   NtClose  (-2147481512, ... ) == 0x0
 00170   896   NtClose  (-2147482692, ... ) == 0x0
 00171   896   NtClose  (-2147481584, ... ) == 0x0
 00172   896   NtClose  (-2147481588, ... ) == 0x0
 00173   896   NtClose  (-2147482664, ... ) == 0x0
 00174   896   NtClose  (-2147482668, ... ) == 0x0
 00175   896   NtClose  (-2147482672, ... ) == 0x0
 00176   896   NtClose  (-2147482676, ... ) == 0x0
 00177   896   NtClose  (-2147482748, ... ) == 0x0
 00178   896   NtClose  (-2147482136, ... ) == 0x0
 00179   896   NtClose  (-2147481480, ... ) == 0x0
 00180   896   NtClose  (-2147481484, ... ) == 0x0
 00181   896   NtClose  (-2147481628, ... ) == 0x0
 00182   896   NtClose  (-2147482760, ... ) == 0x0
 00183   896   NtClose  (-2147482680, ... ) == 0x0
 00184   896   NtClose  (-2147482684, ... ) == 0x0
 00185   896   NtClose  (-2147481452, ... ) == 0x0
 00186   896   NtClose  (-2147481368, ... ) == 0x0
 00187   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00188   896   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00189   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00190   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0
 00191   896   NtAllocateVirtualMemory  (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0
 00192   896   NtAllocateVirtualMemory  (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0
 00193   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00194   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0
 00195   896   NtAllocateVirtualMemory  (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0
 00196   896   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00197   896   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00198   896   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00199   896   NtClose  (12, ... ) == 0x0
 00200   896   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\C:\scripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00201   896   NtQueryVolumeInformationFile  (12, 1243852, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00202   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243804, ... ) }, 1243804, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00203   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00204   896   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7c800000), 0x0, 1003520, ) == 0x0
 00205   896   NtClose  (16, ... ) == 0x0
 00206   896   NtProtectVirtualMemory  (-1, (0x7c801000), 1568, 4, ... (0x7c801000), 4096, 32, ) == 0x0
 00207   896   NtProtectVirtualMemory  (-1, (0x7c801000), 4096, 32, ... (0x7c801000), 4096, 4, ) == 0x0
 00208   896   NtFlushInstructionCache  (-1, 2088767488, 1568, ... ) == 0x0
 00209   896   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00210   896   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00211   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00212   896   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00213   896   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 18939904}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 18939904}, {0, 0, 0}, 200, 44, ) == 0x0
 00214   896   NtClose  (16, ... ) == 0x0
 00215   896   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00216   896   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00217   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00218   896   NtQueryVirtualMemory  (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00219   896   NtAllocateVirtualMemory  (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0
 00220   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184}  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6!\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6!\1\4\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81833, 0} "\370\374\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6!\1\4\0\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81833, 0}  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6!\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6!\1\4\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81833, 0} "\370\374\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6!\1\4\0\0\0" )  ) == 0x0
 00221   896   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00222   896   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00223   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00224   896   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00225   896   NtClose  (16, ... ) == 0x0
 00226   896   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 16, ) }, ... 16, ) == 0x0
 00227   896   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0
 00228   896   NtClose  (16, ... ) == 0x0
 00229   896   NtQueryDefaultLocale  (0, 2089305000, ... ) == 0x0
 00230   896   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 16, ) }, ... 16, ) == 0x0
 00231   896   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 249856, ) == 0x0
 00232   896   NtClose  (16, ... ) == 0x0
 00233   896   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 16, ) }, ... 16, ) == 0x0
 00234   896   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0
 00235   896   NtQuerySection  (16, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00236   896   NtClose  (16, ... ) == 0x0
 00237   896   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 16, ) }, ... 16, ) == 0x0
 00238   896   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0
 00239   896   NtClose  (16, ... ) == 0x0
 00240   896   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00241   896   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00242   896   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00243   896   NtAllocateVirtualMemory  (-1, 2428928, 0, 8192, 4096, 4, ... 2428928, 8192, ) == 0x0
 00244   896   NtRequestWaitReplyPort  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776}  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6!\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6!\1p\30\0\0" ... {24, 52, reply, 0, 1252, 896, 81834, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6!\1p\30\0\0" )  ... {24, 52, reply, 0, 1252, 896, 81834, 0}  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6!\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6!\1p\30\0\0" ... {24, 52, reply, 0, 1252, 896, 81834, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6!\1p\30\0\0" )  ) == 0x0
 00245   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0}  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6!\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6!\18\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81835, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6!\18\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81835, 0}  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6!\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6!\18\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81835, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6!\18\6\0\0" )  ) == 0x0
 00246   896   NtProtectVirtualMemory  (-1, (0x43c000), 86016, 4, ... (0x43c000), 86016, 128, ) == 0x0
 00247   896   NtProtectVirtualMemory  (-1, (0x43c000), 86016, 128, ... (0x43c000), 86016, 4, ) == 0x0
 00248   896   NtFlushInstructionCache  (-1, 4440064, 86016, ... ) == 0x0
 00249   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00250   896   NtAllocateVirtualMemory  (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0
 00251   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1242572, ... ) }, 1242572, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00252   896   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 00253   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.dll"}, 1242572, ... ) }, 1242572, ... ) == 0x0
 00254   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.dll"}, 5, 96, ... 16, {status=0x0, info=1}, ) }, 5, 96, ... 16, {status=0x0, info=1}, ) == 0x0
 00255   896   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 16, ... 28, ) == 0x0
 00256   896   NtQuerySection  (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00257   896   NtOpenProcessToken  (-1, 0x8, ... 32, ) == 0x0
 00258   896   NtQueryInformationToken  (32, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00259   896   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00260   896   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 36, ) }, ... 36, ) == 0x0
 00261   896   NtQueryValueKey  (36,  (36, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (36, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00262   896   NtClose  (36, ... ) == 0x0
 00263   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00264   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 36, ) == 0x0
 00265   896   NtQueryInformationToken  (36, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00266   896   NtClose  (36, ... ) == 0x0
 00267   896   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00268   896   NtClose  (32, ... ) == 0x0
 00269   896   NtClose  (16, ... ) == 0x0
 00270   896   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 94208, ) == 0x0
 00271   896   NtClose  (28, ... ) == 0x0
 00272   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00273   896   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 360448, ) == 0x0
 00274   896   NtClose  (28, ... ) == 0x0
 00275   896   NtProtectVirtualMemory  (-1, (0x77c11000), 632, 4, ... (0x77c11000), 4096, 32, ) == 0x0
 00276   896   NtProtectVirtualMemory  (-1, (0x77c11000), 4096, 32, ... (0x77c11000), 4096, 4, ) == 0x0
 00277   896   NtFlushInstructionCache  (-1, 2009141248, 632, ... ) == 0x0
 00278   896   NtProtectVirtualMemory  (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0
 00279   896   NtProtectVirtualMemory  (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0
 00280   896   NtFlushInstructionCache  (-1, 1907036160, 468, ... ) == 0x0
 00281   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00282   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1241756, ... ) }, 1241756, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00283   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 1241756, ... ) }, 1241756, ... ) == 0x0
 00284   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00285   896   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 28, ... 16, ) == 0x0
 00286   896   NtQuerySection  (16, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00287   896   NtClose  (28, ... ) == 0x0
 00288   896   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00289   896   NtClose  (16, ... ) == 0x0
 00290   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00291   896   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 634880, ) == 0x0
 00292   896   NtClose  (16, ... ) == 0x0
 00293   896   NtProtectVirtualMemory  (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0
 00294   896   NtProtectVirtualMemory  (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0
 00295   896   NtFlushInstructionCache  (-1, 2010976256, 1700, ... ) == 0x0
 00296   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00297   896   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e70000), 0x0, 593920, ) == 0x0
 00298   896   NtClose  (16, ... ) == 0x0
 00299   896   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00300   896   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00301   896   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00302   896   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00303   896   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00304   896   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00305   896   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00306   896   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00307   896   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00308   896   NtProtectVirtualMemory  (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0
 00309   896   NtProtectVirtualMemory  (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0
 00310   896   NtFlushInstructionCache  (-1, 2010976256, 1700, ... ) == 0x0
 00311   896   NtProtectVirtualMemory  (-1, (0x71aa1000), 352, 4, ... (0x71aa1000), 4096, 32, ) == 0x0
 00312   896   NtProtectVirtualMemory  (-1, (0x71aa1000), 4096, 32, ... (0x71aa1000), 4096, 4, ) == 0x0
 00313   896   NtFlushInstructionCache  (-1, 1906970624, 352, ... ) == 0x0
 00314   896   NtProtectVirtualMemory  (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0
 00315   896   NtProtectVirtualMemory  (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0
 00316   896   NtFlushInstructionCache  (-1, 1907036160, 468, ... ) == 0x0
 00317   896   NtProtectVirtualMemory  (-1, (0x43c000), 86016, 4, ... (0x43c000), 86016, 64, ) == 0x0
 00318   896   NtProtectVirtualMemory  (-1, (0x43c000), 86016, 64, ... (0x43c000), 86016, 4, ) == 0x0
 00319   896   NtFlushInstructionCache  (-1, 4440064, 86016, ... ) == 0x0
 00320   896   NtProtectVirtualMemory  (-1, (0x43c000), 86016, 4, ... (0x43c000), 86016, 64, ) == 0x0
 00321   896   NtProtectVirtualMemory  (-1, (0x43c000), 86016, 64, ... (0x43c000), 86016, 4, ) == 0x0
 00322   896   NtFlushInstructionCache  (-1, 4440064, 86016, ... ) == 0x0
 00323   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "USER32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00324   896   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7e410000), 0x0, 589824, ) == 0x0
 00325   896   NtClose  (16, ... ) == 0x0
 00326   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00327   896   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f10000), 0x0, 290816, ) == 0x0
 00328   896   NtClose  (16, ... ) == 0x0
 00329   896   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00330   896   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00331   896   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00332   896   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00333   896   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00334   896   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00335   896   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00336   896   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00337   896   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00338   896   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00339   896   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00340   896   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00341   896   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00342   896   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00343   896   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00344   896   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00345   896   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00346   896   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00347   896   NtProtectVirtualMemory  (-1, (0x43c000), 86016, 4, ... (0x43c000), 86016, 64, ) == 0x0
 00348   896   NtProtectVirtualMemory  (-1, (0x43c000), 86016, 64, ... (0x43c000), 86016, 4, ) == 0x0
 00349   896   NtFlushInstructionCache  (-1, 4440064, 86016, ... ) == 0x0
 00350   896   NtProtectVirtualMemory  (-1, (0x43c000), 86016, 4, ... (0x43c000), 86016, 64, ) == 0x0
 00351   896   NtProtectVirtualMemory  (-1, (0x43c000), 86016, 64, ... (0x43c000), 86016, 4, ) == 0x0
 00352   896   NtFlushInstructionCache  (-1, 4440064, 86016, ... ) == 0x0
 00353   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHELL32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00354   896   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7c9c0000), 0x0, 8482816, ) == 0x0
 00355   896   NtClose  (16, ... ) == 0x0
 00356   896   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 00357   896   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 00358   896   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 00359   896   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 00360   896   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 00361   896   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 00362   896   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 00363   896   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 00364   896   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 00365   896   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 00366   896   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 00367   896   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 00368   896   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 00369   896   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 00370   896   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 00371   896   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 00372   896   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 00373   896   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 00374   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00375   896   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f60000), 0x0, 483328, ) == 0x0
 00376   896   NtClose  (16, ... ) == 0x0
 00377   896   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 00378   896   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 00379   896   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 00380   896   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 00381   896   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 00382   896   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 00383   896   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 00384   896   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 00385   896   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 00386   896   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 00387   896   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 00388   896   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 00389   896   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 00390   896   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 00391   896   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 00392   896   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 00393   896   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 00394   896   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 00395   896   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 00396   896   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 00397   896   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 00398   896   NtProtectVirtualMemory  (-1, (0x43c000), 86016, 4, ... (0x43c000), 86016, 64, ) == 0x0
 00399   896   NtProtectVirtualMemory  (-1, (0x43c000), 86016, 64, ... (0x43c000), 86016, 4, ) == 0x0
 00400   896   NtFlushInstructionCache  (-1, 4440064, 86016, ... ) == 0x0
 00401   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLEAUT32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00402   896   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0
 00403   896   NtClose  (16, ... ) == 0x0
 00404   896   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00405   896   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00406   896   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00407   896   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00408   896   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00409   896   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00410   896   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00411   896   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00412   896   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00413   896   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00414   896   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00415   896   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00416   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ole32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00417   896   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x774e0000), 0x0, 1298432, ) == 0x0
 00418   896   NtClose  (16, ... ) == 0x0
 00419   896   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00420   896   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00421   896   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00422   896   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00423   896   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00424   896   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00425   896   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00426   896   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00427   896   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00428   896   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00429   896   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00430   896   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00431   896   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00432   896   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00433   896   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00434   896   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00435   896   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00436   896   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00437   896   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00438   896   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00439   896   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00440   896   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00441   896   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00442   896   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00443   896   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00444   896   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00445   896   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00446   896   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00447   896   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00448   896   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00449   896   NtProtectVirtualMemory  (-1, (0x43c000), 86016, 4, ... (0x43c000), 86016, 64, ) == 0x0
 00450   896   NtProtectVirtualMemory  (-1, (0x43c000), 86016, 64, ... (0x43c000), 86016, 4, ) == 0x0
 00451   896   NtFlushInstructionCache  (-1, 4440064, 86016, ... ) == 0x0
 00452   896   NtQueryInformationProcess  (-1, 37, 48, ... {process info, class 37, size 48}, 0x0, ) == 0x0
 00453   896   NtSetInformationProcess  (-1, 34, {process info, class 34, size 4}, 4, ... ) == 0x0
 00454   896   NtOpenProcessToken  (-1, 0x8, ... 16, ) == 0x0
 00455   896   NtQueryInformationToken  (16, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00456   896   NtClose  (16, ... ) == 0x0
 00457   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00458   896   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00459   896   NtClose  (16, ... ) == 0x0
 00460   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msvcrt.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00461   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00462   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3276800, 65536, ) == 0x0
 00463   896   NtAllocateVirtualMemory  (-1, 3276800, 0, 4096, 4096, 4, ... 3276800, 4096, ) == 0x0
 00464   896   NtAllocateVirtualMemory  (-1, 3280896, 0, 8192, 4096, 4, ... 3280896, 8192, ) == 0x0
 00465   896   NtAllocateVirtualMemory  (-1, 3289088, 0, 4096, 4096, 4, ... 3289088, 4096, ) == 0x0
 00466   896   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 16, ) }, ... 16, ) == 0x0
 00467   896   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x330000), 0x0, 12288, ) == 0x0
 00468   896   NtClose  (16, ... ) == 0x0
 00469   896   NtAllocateVirtualMemory  (-1, 3293184, 0, 4096, 4096, 4, ... 3293184, 4096, ) == 0x0
 00470   896   NtQueryVirtualMemory  (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 00471   896   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00472   896   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00473   896   NtQueryVirtualMemory  (-1, 0x0, Basic, 28, ... {BaseAddress=0x0,AllocationBase=0x0,AllocationProtect=0x0,RegionSize=0x10000,State=0x10000,Protect=0x1,Type=0x0,}, 28, ) == 0x0
 00474   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00475   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADVAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00476   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00477   896   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00478   896   NtQueryValueKey  (16,  (16, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00479   896   NtClose  (16, ... ) == 0x0
 00480   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 16, ) }, ... 16, ) == 0x0
 00481   896   NtQueryValueKey  (16,  (16, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00482   896   NtClose  (16, ... ) == 0x0
 00483   896   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 16, ) }, ... 16, ) == 0x0
 00484   896   NtSetInformationObject  (16, Handle, {Inherit=0,ProtectFromClose=1,}, 2011431168, ... ) == 0x0
 00485   896   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00486   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00487   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00488   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00489   896   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00490   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00491   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USER32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00492   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00493   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 256, 1243092, 256, 1242836}  (24, {28, 56, new_msg, 0, 256, 1243092, 256, 1242836} "\210\6!\1\0\0\0\0\0\0\0\0\1\0\0\0\3\0\0\0\234\6!\1$\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81836, 0} "\320G\26\0\0\0\0\0\0\0\0\0\1\0\0\0\3\0\0\0\234\6!\1$\1\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81836, 0}  (24, {28, 56, new_msg, 0, 256, 1243092, 256, 1242836} "\210\6!\1\0\0\0\0\0\0\0\0\1\0\0\0\3\0\0\0\234\6!\1$\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81836, 0} "\320G\26\0\0\0\0\0\0\0\0\0\1\0\0\0\3\0\0\0\234\6!\1$\1\0\0" )  ) == 0x0
 00494   896   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 28, ) }, ... 28, ) == 0x0
 00495   896   NtQueryValueKey  (28,  (28, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00496   896   NtClose  (28, ... ) == 0x0
 00497   896   NtAllocateVirtualMemory  (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0
 00498   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239420, ... ) }, 1239420, ... ) == 0x0
 00499   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00500   896   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 28, ... 32, ) == 0x0
 00501   896   NtClose  (28, ... ) == 0x0
 00502   896   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x340000), 0x0, 110592, ) == 0x0
 00503   896   NtClose  (32, ... ) == 0x0
 00504   896   NtUnmapViewOfSection  (-1, 0x340000, ... ) == 0x0
 00505   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239328, ... ) }, 1239328, ... ) == 0x0
 00506   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 32, {status=0x0, info=1}, ) }, 5, 96, ... 32, {status=0x0, info=1}, ) == 0x0
 00507   896   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 32, ... 28, ) == 0x0
 00508   896   NtClose  (32, ... ) == 0x0
 00509   896   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x340000), 0x0, 110592, ) == 0x0
 00510   896   NtClose  (28, ... ) == 0x0
 00511   896   NtUnmapViewOfSection  (-1, 0x340000, ... ) == 0x0
 00512   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239636, ... ) }, 1239636, ... ) == 0x0
 00513   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00514   896   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 28, ... 32, ) == 0x0
 00515   896   NtQuerySection  (32, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00516   896   NtClose  (28, ... ) == 0x0
 00517   896   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76390000), 0x0, 118784, ) == 0x0
 00518   896   NtClose  (32, ... ) == 0x0
 00519   896   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00520   896   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00521   896   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00522   896   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00523   896   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00524   896   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00525   896   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00526   896   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00527   896   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00528   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMM32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00529   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00530   896   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00531   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1236552, ... ) }, 1236552, ... ) == 0x0
 00532   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00533   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00534   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHLWAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00535   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHELL32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00536   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ole32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00537   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OLEAUT32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00538   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239956, ... ) }, 1239956, ... ) == 0x0
 00539   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00540   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize"}, ... 32, ) }, ... 32, ) == 0x0
 00541   896   NtQueryValueKey  (32,  (32, "DisableMetaFiles", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00542   896   NtClose  (32, ... ) == 0x0
 00543   896   NtMapViewOfSection  (-2147481368, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x530000), 0x0, 1060864, ) == 0x0
 00544   896   NtClose  (-2147481368, ... ) == 0x0
 00545   896   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 32, ) == 0x0
 00546   896   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00547   896   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147481368, ) == 0x0
 00548   896   NtQueryInformationToken  (-2147481368, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00549   896   NtQueryInformationToken  (-2147481368, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00550   896   NtClose  (-2147481368, ... ) == 0x0
 00551   896   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 3407872, 4096, ) == 0x0
 00552   896   NtFreeVirtualMemory  (-1, (0x340000), 4096, 32768, ... (0x340000), 4096, ) == 0x0
 00553   896   NtDuplicateObject  (-1, 28, -1, 0x0, 0, 2, ... 40, ) == 0x0
 00554   896   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147481368, ) }, ... -2147481368, ) == 0x0
 00555   896   NtQueryValueKey  (-2147481368,  (-2147481368, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00556   896   NtClose  (-2147481368, ... ) == 0x0
 00557   896   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147481368, ) }, ... -2147481368, ) == 0x0
 00558   896   NtQueryValueKey  (-2147481368,  (-2147481368, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00559   896   NtClose  (-2147481368, ... ) == 0x0
 00560   896   NtQueryDefaultLocale  (0, -135747252, ... ) == 0x0
 00561   896   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00562   896   NtUserCallNoParam  (24, ... ) == 0x0
 00563   896   NtGdiCreateCompatibleDC  (0, ...
 00564   896   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 3407872, 4096, ) == 0x0
 00563   896   NtGdiCreateCompatibleDC  ... ) == 0x860107ab
 00565   896   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00566   896   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00567   896   NtGdiCreateBitmap  (8, 8, 1, 1, 2118200212, ... ) == 0x870506a2
 00568   896   NtGdiCreateSolidBrush  (0, 0, ...
 00569   896   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 3473408, 4096, ) == 0x0
 00568   896   NtGdiCreateSolidBrush  ... ) == 0x1100680
 00570   896   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00571   896   NtGdiCreateCompatibleDC  (0, ... ) == 0xf6010687
 00572   896   NtGdiSelectBitmap  (-167704953, -2029713758, ... ) == 0x185000f
 00573   896   NtUserGetThreadDesktop  (896, 0, ... ) == 0x24
 00574   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 44, ) }, ... 44, ) == 0x0
 00575   896   NtQueryValueKey  (44,  (44, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (44, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00576   896   NtClose  (44, ... ) == 0x0
 00577   896   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00578   896   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 673, 128, 0, ... ) == 0x8177c017
 00579   896   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00580   896   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 674, 128, 0, ... ) == 0x8177c01c
 00581   896   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00582   896   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 675, 128, 0, ... ) == 0x8177c01e
 00583   896   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00584   896   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 676, 128, 0, ... ) == 0x81778002
 00585   896   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10013
 00586   896   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 677, 128, 0, ... ) == 0x8177c018
 00587   896   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00588   896   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 678, 128, 0, ... ) == 0x8177c01a
 00589   896   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00590   896   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 679, 128, 0, ... ) == 0x8177c01d
 00591   896   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00592   896   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 681, 128, 0, ... ) == 0x8177c026
 00593   896   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00594   896   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 680, 128, 0, ... ) == 0x8177c019
 00595   896   NtUserRegisterClassExWOW  (1241096, 1241164, 1241180, 1241196, 0, 128, 0, ... ) == 0x8177c020
 00596   896   NtUserRegisterClassExWOW  (1241352, 1241448, 1241432, 1241420, 0, 130, 0, ... ) == 0x8177c022
 00597   896   NtUserRegisterClassExWOW  (1241096, 1241164, 1241180, 1241196, 0, 128, 0, ... ) == 0x8177c023
 00598   896   NtUserRegisterClassExWOW  (1241352, 1241448, 1241432, 1241420, 0, 130, 0, ... ) == 0x8177c024
 00599   896   NtUserRegisterClassExWOW  (1241096, 1241164, 1241180, 1241196, 0, 128, 0, ... ) == 0x8177c025
 00600   896   NtCallbackReturn  (0, 0, 0, ...
 00601   896   NtGdiInit  (... ) == 0x1
 00602   896   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00603   896   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00604   896   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00605   896   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 44, ) }, ... 44, ) == 0x0
 00606   896   NtCreateSemaphore  (0x1f0003, {24, 44, 0x80, 1329528, 0,  (0x1f0003, {24, 44, 0x80, 1329528, 0, "shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}"}, 0, 2147483647, ... 48, ) }, 0, 2147483647, ... 48, ) == STATUS_OBJECT_NAME_EXISTS
 00607   896   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "SYSTEM\Setup"}, ... 52, ) }, ... 52, ) == 0x0
 00608   896   NtQueryValueKey  (52,  (52, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (52, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00609   896   NtClose  (52, ... ) == 0x0
 00610   896   NtQueryDefaultUILanguage  (1241692, ...
 00611   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00612   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147481368, ) == 0x0
 00613   896   NtQueryInformationToken  (-2147481368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00614   896   NtClose  (-2147481368, ... ) == 0x0
 00615   896   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147481368, ) }, ... -2147481368, ) == 0x0
 00616   896   NtOpenKey  (0x80000000, {24, -2147481368, 0x240, 0, 0,  (0x80000000, {24, -2147481368, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00617   896   NtOpenKey  (0x80000000, {24, -2147481368, 0x640, 0, 0,  (0x80000000, {24, -2147481368, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481452, ) }, ... -2147481452, ) == 0x0
 00618   896   NtQueryValueKey  (-2147481452,  (-2147481452, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00619   896   NtClose  (-2147481452, ... ) == 0x0
 00620   896   NtClose  (-2147481368, ... ) == 0x0
 00610   896   NtQueryDefaultUILanguage  ... ) == 0x0
 00621   896   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1, 96, ... 52, {status=0x0, info=1}, ) }, 1, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00622   896   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 52, ... 56, ) == 0x0
 00623   896   NtMapViewOfSection  (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x940000), 0x0, 8462336, ) == 0x0
 00624   896   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00625   896   NtQueryDefaultUILanguage  (2090319928, ...
 00626   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00627   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147481368, ) == 0x0
 00628   896   NtQueryInformationToken  (-2147481368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00629   896   NtClose  (-2147481368, ... ) == 0x0
 00630   896   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147481368, ) }, ... -2147481368, ) == 0x0
 00631   896   NtOpenKey  (0x80000000, {24, -2147481368, 0x240, 0, 0,  (0x80000000, {24, -2147481368, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00632   896   NtOpenKey  (0x80000000, {24, -2147481368, 0x640, 0, 0,  (0x80000000, {24, -2147481368, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481452, ) }, ... -2147481452, ) == 0x0
 00633   896   NtQueryValueKey  (-2147481452,  (-2147481452, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00634   896   NtClose  (-2147481452, ... ) == 0x0
 00635   896   NtClose  (-2147481368, ... ) == 0x0
 00625   896   NtQueryDefaultUILanguage  ... ) == 0x0
 00636   896   NtQueryInstallUILanguage  (2090319930, ... ) == 0x0
 00637   896   NtQueryDefaultLocale  (1, 1239788, ... ) == 0x0
 00638   896   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00639   896   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 2088850039, 1240824, 1179817, 1240548}  (24, {128, 156, new_msg, 0, 2088850039, 1240824, 1179817, 1240548} "\210\6!\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6!\14\0\0\0\377\377\377\377\0\0\0\0@ \267\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6!\1\0\0\0\0\0\0\0\0\354\362\22\0\0\0\0\0" ... {128, 156, reply, 0, 1252, 896, 81837, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6!\14\0\0\0\377\377\377\377\0\0\0\0@ \267\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6!\1\0\0\0\0\0\0\0\0\354\362\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 1252, 896, 81837, 0}  (24, {128, 156, new_msg, 0, 2088850039, 1240824, 1179817, 1240548} "\210\6!\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6!\14\0\0\0\377\377\377\377\0\0\0\0@ \267\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6!\1\0\0\0\0\0\0\0\0\354\362\22\0\0\0\0\0" ... {128, 156, reply, 0, 1252, 896, 81837, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6!\14\0\0\0\377\377\377\377\0\0\0\0@ \267\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6!\1\0\0\0\0\0\0\0\0\354\362\22\0\0\0\0\0" )  ) == 0x0
 00640   896   NtClose  (52, ... ) == 0x0
 00641   896   NtClose  (56, ... ) == 0x0
 00642   896   NtUnmapViewOfSection  (-1, 0x940000, ... ) == 0x0
 00643   896   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00644   896   NtAllocateVirtualMemory  (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0
 00645   896   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00646   896   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00647   896   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00648   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1238980, ... ) }, 1238980, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00649   896   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00650   896   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00651   896   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00652   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03"}, 1239044, ... ) }, 1239044, ... ) == 0x0
 00653   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03"}, 3, 33, ... 56, {status=0x0, info=1}, ) }, 3, 33, ... 56, {status=0x0, info=1}, ) == 0x0
 00654   896   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00655   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00656   896   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 52, ... 60, ) == 0x0
 00657   896   NtClose  (52, ... ) == 0x0
 00658   896   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x940000), 0x0, 1056768, ) == 0x0
 00659   896   NtClose  (60, ... ) == 0x0
 00660   896   NtUnmapViewOfSection  (-1, 0x940000, ... ) == 0x0
 00661   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll"}, 5, 96, ... 60, {status=0x0, info=1}, ) }, 5, 96, ... 60, {status=0x0, info=1}, ) == 0x0
 00662   896   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 60, ... 52, ) == 0x0
 00663   896   NtQuerySection  (52, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00664   896   NtClose  (60, ... ) == 0x0
 00665   896   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 1060864, ) == 0x0
 00666   896   NtClose  (52, ... ) == 0x0
 00667   896   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 00668   896   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 00669   896   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 00670   896   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 00671   896   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 00672   896   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 00673   896   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 00674   896   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 00675   896   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 00676   896   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 00677   896   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 00678   896   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 00679   896   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 00680   896   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 00681   896   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 00682   896   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 00683   896   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 00684   896   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 00685   896   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 00686   896   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 00687   896   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 00688   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\comctl32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00689   896   NtAddAtom  ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1240524, ... ) , 42, 1240524, ... ) == 0x0
 00690   896   NtQueryDefaultUILanguage  (1239208, ...
 00691   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00692   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147481368, ) == 0x0
 00693   896   NtQueryInformationToken  (-2147481368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00694   896   NtClose  (-2147481368, ... ) == 0x0
 00695   896   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147481368, ) }, ... -2147481368, ) == 0x0
 00696   896   NtOpenKey  (0x80000000, {24, -2147481368, 0x240, 0, 0,  (0x80000000, {24, -2147481368, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00697   896   NtOpenKey  (0x80000000, {24, -2147481368, 0x640, 0, 0,  (0x80000000, {24, -2147481368, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481452, ) }, ... -2147481452, ) == 0x0
 00698   896   NtQueryValueKey  (-2147481452,  (-2147481452, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00699   896   NtClose  (-2147481452, ... ) == 0x0
 00700   896   NtClose  (-2147481368, ... ) == 0x0
 00690   896   NtQueryDefaultUILanguage  ... ) == 0x0
 00701   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1238048, ... ) }, 1238048, ... ) == 0x0
 00702   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00703   896   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 52, ... 60, ) == 0x0
 00704   896   NtClose  (52, ... ) == 0x0
 00705   896   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x370000), 0x0, 4096, ) == 0x0
 00706   896   NtClose  (60, ... ) == 0x0
 00707   896   NtUnmapViewOfSection  (-1, 0x370000, ... ) == 0x0
 00708   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1237644, ... ) }, 1237644, ... ) == 0x0
 00709   896   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238388,  (0x80100080, {24, 0, 0x40, 0, 1238388, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 60, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 60, {status=0x0, info=1}, ) == 0x0
 00710   896   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 60, ... 52, ) == 0x0
 00711   896   NtClose  (60, ... ) == 0x0
 00712   896   NtMapViewOfSection  (52, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x370000), {0, 0}, 4096, ) == 0x0
 00713   896   NtClose  (52, ... ) == 0x0
 00714   896   NtUnmapViewOfSection  (-1, 0x370000, ... ) == 0x0
 00715   896   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 52, {status=0x0, info=1}, ) }, 1, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00716   896   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 52, ... 60, ) == 0x0
 00717   896   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x370000), 0x0, 4096, ) == 0x0
 00718   896   NtQueryInformationFile  (52, 1238040, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00719   896   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00720   896   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 2088850039, 1238340, 1179817, 1238064}  (24, {128, 156, new_msg, 0, 2088850039, 1238340, 1179817, 1238064} "\210\6!\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6!\14\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6!\1\0\0\0\0\0\0\0\08\351\22\0\0\0\0\0" ... {128, 156, reply, 0, 1252, 896, 81838, 0} "\260d\27\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6!\14\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6!\1\0\0\0\0\0\0\0\08\351\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 1252, 896, 81838, 0}  (24, {128, 156, new_msg, 0, 2088850039, 1238340, 1179817, 1238064} "\210\6!\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6!\14\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6!\1\0\0\0\0\0\0\0\08\351\22\0\0\0\0\0" ... {128, 156, reply, 0, 1252, 896, 81838, 0} "\260d\27\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6!\14\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6!\1\0\0\0\0\0\0\0\08\351\22\0\0\0\0\0" )  ) == 0x0
 00721   896   NtClose  (52, ... ) == 0x0
 00722   896   NtClose  (60, ... ) == 0x0
 00723   896   NtUnmapViewOfSection  (-1, 0x370000, ... ) == 0x0
 00724   896   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00725   896   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00726   896   NtUserSystemParametersInfo  (104, 0, 2001084812, 0, ... ) == 0x1
 00727   896   NtUserGetDC  (0, ... ) == 0x1010052
 00728   896   NtUserCallOneParam  (16842834, 57, ... ) == 0x1
 00729   896   NtUserSystemParametersInfo  (38, 4, 2001086940, 0, ... ) == 0x1
 00730   896   NtUserSystemParametersInfo  (66, 12, 1240040, 0, ... ) == 0x1
 00731   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00732   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 60, ) == 0x0
 00733   896   NtQueryInformationToken  (60, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00734   896   NtClose  (60, ... ) == 0x0
 00735   896   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 60, ) }, ... 60, ) == 0x0
 00736   896   NtOpenProcessToken  (-1, 0x8, ... 52, ) == 0x0
 00737   896   NtAccessCheck  (1332160, 52, 0x1, 1239872, 1239924, 56, 1239904, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 00738   896   NtClose  (52, ... ) == 0x0
 00739   896   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Control Panel\Desktop"}, ... 52, ) }, ... 52, ) == 0x0
 00740   896   NtQueryValueKey  (52,  (52, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00741   896   NtClose  (52, ... ) == 0x0
 00742   896   NtUserSystemParametersInfo  (41, 500, 1240068, 0, ... ) == 0x1
 00743   896   NtOpenProcessToken  (-1, 0x8, ... 52, ) == 0x0
 00744   896   NtAccessCheck  (1332160, 52, 0x1, 1239872, 1239924, 56, 1239904, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 00745   896   NtClose  (52, ... ) == 0x0
 00746   896   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 52, ) }, ... 52, ) == 0x0
 00747   896   NtQueryValueKey  (52,  (52, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00748   896   NtClose  (52, ... ) == 0x0
 00749   896   NtUserSystemParametersInfo  (27, 0, 2001085788, 0, ... ) == 0x1
 00750   896   NtUserSystemParametersInfo  (102, 0, 2001086828, 0, ... ) == 0x1
 00751   896   NtClose  (60, ... ) == 0x0
 00752   896   NtUserSystemParametersInfo  (4130, 0, 1240572, 0, ... ) == 0x1
 00753   896   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 60, ) }, ... 60, ) == 0x0
 00754   896   NtEnumerateValueKey  (60, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 00755   896   NtClose  (60, ... ) == 0x0
 00756   896   NtUserFindExistingCursorIcon  (1239820, 1239836, 1239884, ... ) == 0x10011
 00757   896   NtUserRegisterClassExWOW  (1239764, 1239832, 1239848, 1239864, 0, 384, 0, ... ) == 0x8177c03b
 00758   896   NtUserRegisterClassExWOW  (1239764, 1239832, 1239848, 1239864, 0, 384, 0, ... ) == 0x8177c03d
 00759   896   NtUserFindExistingCursorIcon  (1239820, 1239836, 1239884, ... ) == 0x10011
 00760   896   NtUserRegisterClassExWOW  (1239764, 1239832, 1239848, 1239864, 0, 384, 0, ... ) == 0x8177c03f
 00761   896   NtUserFindExistingCursorIcon  (1239820, 1239836, 1239884, ... ) == 0x10011
 00762   896   NtUserRegisterClassExWOW  (1239764, 1239832, 1239848, 1239864, 0, 384, 0, ... ) == 0x8177c041
 00763   896   NtUserFindExistingCursorIcon  (1239820, 1239836, 1239884, ... ) == 0x10011
 00764   896   NtUserRegisterClassExWOW  (1239764, 1239832, 1239848, 1239864, 0, 384, 0, ... ) == 0x8177c043
 00765   896   NtUserRegisterClassExWOW  (1239764, 1239832, 1239848, 1239864, 0, 384, 0, ... ) == 0x8177c045
 00766   896   NtUserFindExistingCursorIcon  (1239820, 1239836, 1239884, ... ) == 0x10011
 00767   896   NtUserRegisterClassExWOW  (1239764, 1239832, 1239848, 1239864, 0, 384, 0, ... ) == 0x8177c047
 00768   896   NtUserFindExistingCursorIcon  (1239820, 1239836, 1239884, ... ) == 0x10011
 00769   896   NtUserRegisterClassExWOW  (1239764, 1239832, 1239848, 1239864, 0, 384, 0, ... ) == 0x8177c049
 00770   896   NtUserFindExistingCursorIcon  (1239820, 1239836, 1239884, ... ) == 0x10011
 00771   896   NtUserRegisterClassExWOW  (1239764, 1239832, 1239848, 1239864, 0, 384, 0, ... ) == 0x8177c04b
 00772   896   NtUserFindExistingCursorIcon  (1239820, 1239836, 1239884, ... ) == 0x10011
 00773   896   NtUserRegisterClassExWOW  (1239764, 1239832, 1239848, 1239864, 0, 384, 0, ... ) == 0x8177c04d
 00774   896   NtUserFindExistingCursorIcon  (1239820, 1239836, 1239884, ... ) == 0x10011
 00775   896   NtUserRegisterClassExWOW  (1239764, 1239832, 1239848, 1239864, 0, 384, 0, ... ) == 0x8177c04f
 00776   896   NtUserRegisterClassExWOW  (1239764, 1239832, 1239848, 1239864, 0, 384, 0, ... ) == 0x8177c051
 00777   896   NtUserFindExistingCursorIcon  (1239820, 1239836, 1239884, ... ) == 0x10011
 00778   896   NtUserRegisterClassExWOW  (1239764, 1239832, 1239848, 1239864, 0, 384, 0, ... ) == 0x8177c053
 00779   896   NtUserFindExistingCursorIcon  (1239816, 1239832, 1239880, ... ) == 0x10011
 00780   896   NtUserRegisterClassExWOW  (1239760, 1239828, 1239844, 1239860, 0, 384, 0, ... ) == 0x8177c055
 00781   896   NtUserFindExistingCursorIcon  (1239816, 1239832, 1239880, ... ) == 0x10011
 00782   896   NtUserRegisterClassExWOW  (1239760, 1239828, 1239844, 1239860, 0, 384, 0, ... ) == 0x8177c057
 00783   896   NtUserFindExistingCursorIcon  (1239820, 1239836, 1239884, ... ) == 0x10011
 00784   896   NtUserRegisterClassExWOW  (1239764, 1239832, 1239848, 1239864, 0, 384, 0, ... ) == 0x8177c059
 00785   896   NtUserFindExistingCursorIcon  (1239820, 1239836, 1239884, ... ) == 0x10013
 00786   896   NtUserRegisterClassExWOW  (1239764, 1239832, 1239848, 1239864, 0, 384, 0, ... ) == 0x8177c05b
 00787   896   NtUserFindExistingCursorIcon  (1239820, 1239836, 1239884, ... ) == 0x10011
 00788   896   NtUserRegisterClassExWOW  (1239764, 1239832, 1239848, 1239864, 0, 384, 0, ... ) == 0x8177c05d
 00789   896   NtUserFindExistingCursorIcon  (1239820, 1239836, 1239884, ... ) == 0x10011
 00790   896   NtUserRegisterClassExWOW  (1239764, 1239832, 1239848, 1239864, 0, 384, 0, ... ) == 0x8177c05f
 00791   896   NtUserFindExistingCursorIcon  (1239820, 1239836, 1239884, ... ) == 0x10011
 00792   896   NtUserRegisterClassExWOW  (1239764, 1239832, 1239848, 1239864, 0, 384, 0, ... ) == 0x8177c017
 00793   896   NtUserFindExistingCursorIcon  (1239820, 1239836, 1239884, ... ) == 0x10011
 00794   896   NtUserRegisterClassExWOW  (1239764, 1239832, 1239848, 1239864, 0, 384, 0, ... ) == 0x8177c019
 00795   896   NtUserFindExistingCursorIcon  (1239820, 1239836, 1239884, ... ) == 0x10013
 00796   896   NtUserRegisterClassExWOW  (1239764, 1239832, 1239848, 1239864, 0, 384, 0, ... ) == 0x8177c018
 00797   896   NtUserFindExistingCursorIcon  (1239820, 1239836, 1239884, ... ) == 0x10011
 00798   896   NtUserRegisterClassExWOW  (1239764, 1239832, 1239848, 1239864, 0, 384, 0, ... ) == 0x8177c01a
 00799   896   NtUserFindExistingCursorIcon  (1239820, 1239836, 1239884, ... ) == 0x10011
 00800   896   NtUserRegisterClassExWOW  (1239764, 1239832, 1239848, 1239864, 0, 384, 0, ... ) == 0x8177c01c
 00801   896   NtUserFindExistingCursorIcon  (1239820, 1239836, 1239884, ... ) == 0x10011
 00802   896   NtUserRegisterClassExWOW  (1239764, 1239832, 1239848, 1239864, 0, 384, 0, ... ) == 0x8177c01e
 00803   896   NtUserFindExistingCursorIcon  (1239812, 1239828, 1239876, ... ) == 0x10011
 00804   896   NtUserRegisterClassExWOW  (1239812, 1239880, 1239896, 1239912, 0, 384, 0, ... ) == 0x8177c01b
 00805   896   NtUserFindExistingCursorIcon  (1239820, 1239836, 1239884, ... ) == 0x10011
 00806   896   NtUserRegisterClassExWOW  (1239764, 1239832, 1239848, 1239864, 0, 384, 0, ... ) == 0x8177c068
 00807   896   NtUserFindExistingCursorIcon  (1239820, 1239836, 1239884, ... ) == 0x10011
 00808   896   NtUserRegisterClassExWOW  (1239764, 1239832, 1239848, 1239864, 0, 384, 0, ... ) == 0x8177c06a
 00809   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "comctl32.dll"}, ... 60, ) }, ... 60, ) == 0x0
 00810   896   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5d090000), 0x0, 630784, ) == 0x0
 00811   896   NtClose  (60, ... ) == 0x0
 00812   896   NtProtectVirtualMemory  (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0
 00813   896   NtProtectVirtualMemory  (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0
 00814   896   NtFlushInstructionCache  (-1, 1560875008, 1656, ... ) == 0x0
 00815   896   NtProtectVirtualMemory  (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0
 00816   896   NtProtectVirtualMemory  (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0
 00817   896   NtFlushInstructionCache  (-1, 1560875008, 1656, ... ) == 0x0
 00818   896   NtProtectVirtualMemory  (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0
 00819   896   NtProtectVirtualMemory  (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0
 00820   896   NtFlushInstructionCache  (-1, 1560875008, 1656, ... ) == 0x0
 00821   896   NtProtectVirtualMemory  (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0
 00822   896   NtProtectVirtualMemory  (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0
 00823   896   NtFlushInstructionCache  (-1, 1560875008, 1656, ... ) == 0x0
 00824   896   NtProtectVirtualMemory  (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0
 00825   896   NtProtectVirtualMemory  (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0
 00826   896   NtFlushInstructionCache  (-1, 1560875008, 1656, ... ) == 0x0
 00827   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\comctl32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00828   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00829   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3604480, 65536, ) == 0x0
 00830   896   NtAllocateVirtualMemory  (-1, 3604480, 0, 4096, 4096, 4, ... 3604480, 4096, ) == 0x0
 00831   896   NtAllocateVirtualMemory  (-1, 3608576, 0, 8192, 4096, 4, ... 3608576, 8192, ) == 0x0
 00832   896   NtAllocateVirtualMemory  (-1, 3616768, 0, 4096, 4096, 4, ... 3616768, 4096, ) == 0x0
 00833   896   NtAllocateVirtualMemory  (-1, 3620864, 0, 4096, 4096, 4, ... 3620864, 4096, ) == 0x0
 00834   896   NtQueryDefaultUILanguage  (1239820, ...
 00835   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00836   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147481368, ) == 0x0
 00837   896   NtQueryInformationToken  (-2147481368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00838   896   NtClose  (-2147481368, ... ) == 0x0
 00839   896   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147481368, ) }, ... -2147481368, ) == 0x0
 00840   896   NtOpenKey  (0x80000000, {24, -2147481368, 0x240, 0, 0,  (0x80000000, {24, -2147481368, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00841   896   NtOpenKey  (0x80000000, {24, -2147481368, 0x640, 0, 0,  (0x80000000, {24, -2147481368, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481452, ) }, ... -2147481452, ) == 0x0
 00842   896   NtQueryValueKey  (-2147481452,  (-2147481452, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00843   896   NtClose  (-2147481452, ... ) == 0x0
 00844   896   NtClose  (-2147481368, ... ) == 0x0
 00834   896   NtQueryDefaultUILanguage  ... ) == 0x0
 00845   896   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\comctl32.dll"}, 1, 96, ... 60, {status=0x0, info=1}, ) }, 1, 96, ... 60, {status=0x0, info=1}, ) == 0x0
 00846   896   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 60, ... 52, ) == 0x0
 00847   896   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x940000), 0x0, 618496, ) == 0x0
 00848   896   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\comctl32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00849   896   NtQueryDefaultLocale  (1, 1237916, ... ) == 0x0
 00850   896   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\comctl32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00851   896   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 2088850039, 1238952, 1179817, 1238676}  (24, {128, 156, new_msg, 0, 2088850039, 1238952, 1179817, 1238676} "\210\6!\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0@\0D\0\250\6!\1<\0\0\0\377\377\377\377\0\0\0\0\340q\233\0\0\0\0\0k\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\354\6!\1\0\0\0\0\0\0\0\0\234\353\22\0\0\0\0\0" ... {128, 156, reply, 0, 1252, 896, 81839, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0@\0D\0\250\6!\1<\0\0\0\377\377\377\377\0\0\0\0\340q\233\0\0\0\0\0k\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\354\6!\1\0\0\0\0\0\0\0\0\234\353\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 1252, 896, 81839, 0}  (24, {128, 156, new_msg, 0, 2088850039, 1238952, 1179817, 1238676} "\210\6!\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0@\0D\0\250\6!\1<\0\0\0\377\377\377\377\0\0\0\0\340q\233\0\0\0\0\0k\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\354\6!\1\0\0\0\0\0\0\0\0\234\353\22\0\0\0\0\0" ... {128, 156, reply, 0, 1252, 896, 81839, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0@\0D\0\250\6!\1<\0\0\0\377\377\377\377\0\0\0\0\340q\233\0\0\0\0\0k\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\354\6!\1\0\0\0\0\0\0\0\0\234\353\22\0\0\0\0\0" )  ) == 0x0
 00852   896   NtClose  (60, ... ) == 0x0
 00853   896   NtClose  (52, ... ) == 0x0
 00854   896   NtUnmapViewOfSection  (-1, 0x940000, ... ) == 0x0
 00855   896   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00856   896   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {1252, 0}, ... 52, ) == 0x0
 00857   896   NtQueryInformationProcess  (52, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 00858   896   NtClose  (52, ... ) == 0x0
 00859   896   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00860   896   NtUserSystemParametersInfo  (104, 0, 1561338260, 0, ... ) == 0x1
 00861   896   NtUserSystemParametersInfo  (38, 4, 1561337988, 0, ... ) == 0x1
 00862   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00863   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 52, ) == 0x0
 00864   896   NtQueryInformationToken  (52, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00865   896   NtClose  (52, ... ) == 0x0
 00866   896   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 52, ) }, ... 52, ) == 0x0
 00867   896   NtOpenProcessToken  (-1, 0x8, ... 60, ) == 0x0
 00868   896   NtAccessCheck  (1332160, 60, 0x1, 1241012, 1241064, 56, 1241044, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 00869   896   NtClose  (60, ... ) == 0x0
 00870   896   NtOpenKey  (0x20019, {24, 52, 0x40, 0, 0,  (0x20019, {24, 52, 0x40, 0, 0, "Control Panel\Desktop"}, ... 60, ) }, ... 60, ) == 0x0
 00871   896   NtQueryValueKey  (60,  (60, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00872   896   NtClose  (60, ... ) == 0x0
 00873   896   NtUserSystemParametersInfo  (41, 500, 1241192, 0, ... ) == 0x1
 00874   896   NtUserSystemParametersInfo  (102, 0, 1561338280, 0, ... ) == 0x1
 00875   896   NtClose  (52, ... ) == 0x0
 00876   896   NtUserFindExistingCursorIcon  (1240944, 1240960, 1241008, ... ) == 0x10011
 00877   896   NtUserRegisterClassExWOW  (1240888, 1240956, 1240972, 1240988, 0, 384, 0, ... ) == 0x8177c03b
 00878   896   NtUserRegisterClassExWOW  (1240888, 1240956, 1240972, 1240988, 0, 384, 0, ... ) == 0x8177c03d
 00879   896   NtUserFindExistingCursorIcon  (1240944, 1240960, 1241008, ... ) == 0x10011
 00880   896   NtUserRegisterClassExWOW  (1240888, 1240956, 1240972, 1240988, 0, 384, 0, ... ) == 0x8177c03f
 00881   896   NtUserFindExistingCursorIcon  (1240944, 1240960, 1241008, ... ) == 0x10011
 00882   896   NtUserRegisterClassExWOW  (1240888, 1240956, 1240972, 1240988, 0, 384, 0, ... ) == 0x8177c041
 00883   896   NtUserFindExistingCursorIcon  (1240944, 1240960, 1241008, ... ) == 0x10011
 00884   896   NtUserRegisterClassExWOW  (1240888, 1240956, 1240972, 1240988, 0, 384, 0, ... ) == 0x8177c043
 00885   896   NtUserRegisterClassExWOW  (1240888, 1240956, 1240972, 1240988, 0, 384, 0, ... ) == 0x8177c045
 00886   896   NtUserFindExistingCursorIcon  (1240944, 1240960, 1241008, ... ) == 0x10011
 00887   896   NtUserRegisterClassExWOW  (1240888, 1240956, 1240972, 1240988, 0, 384, 0, ... ) == 0x8177c047
 00888   896   NtUserFindExistingCursorIcon  (1240944, 1240960, 1241008, ... ) == 0x10011
 00889   896   NtUserRegisterClassExWOW  (1240888, 1240956, 1240972, 1240988, 0, 384, 0, ... ) == 0x8177c049
 00890   896   NtUserFindExistingCursorIcon  (1240944, 1240960, 1241008, ... ) == 0x10011
 00891   896   NtUserRegisterClassExWOW  (1240888, 1240956, 1240972, 1240988, 0, 384, 0, ... ) == 0x8177c04b
 00892   896   NtUserFindExistingCursorIcon  (1240944, 1240960, 1241008, ... ) == 0x10011
 00893   896   NtUserRegisterClassExWOW  (1240888, 1240956, 1240972, 1240988, 0, 384, 0, ... ) == 0x8177c04d
 00894   896   NtUserFindExistingCursorIcon  (1240944, 1240960, 1241008, ... ) == 0x10011
 00895   896   NtUserRegisterClassExWOW  (1240888, 1240956, 1240972, 1240988, 0, 384, 0, ... ) == 0x8177c04f
 00896   896   NtUserRegisterClassExWOW  (1240888, 1240956, 1240972, 1240988, 0, 384, 0, ... ) == 0x8177c051
 00897   896   NtUserFindExistingCursorIcon  (1240944, 1240960, 1241008, ... ) == 0x10011
 00898   896   NtUserRegisterClassExWOW  (1240888, 1240956, 1240972, 1240988, 0, 384, 0, ... ) == 0x8177c053
 00899   896   NtUserFindExistingCursorIcon  (1240940, 1240956, 1241004, ... ) == 0x10011
 00900   896   NtUserRegisterClassExWOW  (1240884, 1240952, 1240968, 1240984, 0, 384, 0, ... ) == 0x8177c055
 00901   896   NtUserFindExistingCursorIcon  (1240940, 1240956, 1241004, ... ) == 0x10011
 00902   896   NtUserRegisterClassExWOW  (1240884, 1240952, 1240968, 1240984, 0, 384, 0, ... ) == 0x8177c057
 00903   896   NtUserFindExistingCursorIcon  (1240944, 1240960, 1241008, ... ) == 0x10011
 00904   896   NtUserRegisterClassExWOW  (1240888, 1240956, 1240972, 1240988, 0, 384, 0, ... ) == 0x8177c059
 00905   896   NtUserFindExistingCursorIcon  (1240944, 1240960, 1241008, ... ) == 0x10013
 00906   896   NtUserRegisterClassExWOW  (1240888, 1240956, 1240972, 1240988, 0, 384, 0, ... ) == 0x8177c05b
 00907   896   NtUserFindExistingCursorIcon  (1240944, 1240960, 1241008, ... ) == 0x10011
 00908   896   NtUserRegisterClassExWOW  (1240888, 1240956, 1240972, 1240988, 0, 384, 0, ... ) == 0x8177c05d
 00909   896   NtUserFindExistingCursorIcon  (1240944, 1240960, 1241008, ... ) == 0x10011
 00910   896   NtUserRegisterClassExWOW  (1240888, 1240956, 1240972, 1240988, 0, 384, 0, ... ) == 0x8177c05f
 00911   896   NtAllocateVirtualMemory  (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0
 00912   896   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... 52, {status=0x0, info=0}, ) }, 7, 16, ... 52, {status=0x0, info=0}, ) == 0x0
 00913   896   NtDeviceIoControlFile  (52, 0, 0x0, 0x0, 0x390008,  (52, 0, 0x0, 0x0, 0x390008, "\362\267\324\15\237\307S\15`Q\236\247\253<\23d\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00914   896   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00915   896   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00916   896   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00917   896   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00918   896   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00919   896   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00920   896   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00921   896   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147481368, 2, ) }, 0, 0x0, 0, ... -2147481368, 2, ) == 0x0
 00922   896   NtSetValueKey  (-2147481368,  (-2147481368, "Seed", 0, 3, "\256P\327F\273\241\324\341\30\315\327)\233\230$i\322\336\374B\205\300g]\217\314J\244\362M\23\242\21\17\232\260\375\307\376\374\211\21\245\323\336\344%\204\i(!sAN\373\276?!Z\343,\373F]\177\364\237k\314?>\2216\200\355sSE", 80, ... ) , 0, 3,  (-2147481368, "Seed", 0, 3, "\256P\327F\273\241\324\341\30\315\327)\233\230$i\322\336\374B\205\300g]\217\314J\244\362M\23\242\21\17\232\260\375\307\376\374\211\21\245\323\336\344%\204\i(!sAN\373\276?!Z\343,\373F]\177\364\237k\314?>\2216\200\355sSE", 80, ... ) , 80, ... ) == 0x0
 00923   896   NtClose  (-2147481368, ... ) == 0x0
 00913   896   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\312\376{\3672\3274M\305\306\273E##d\3754 \365\351\20\376;\\242\314\317\256\342\243\242%/.G\342\2\304l\213R.\316a\301TCjz\240Q0\225\333\247\221Y\201\14\1+4j\367z\32\342O\245\354\245\305/\206\204n\363\302?Tq\271c\\240\332\237<\270\226\3H\27\14\275pL9\331\372\235\352\270\12w\0d\255&\227\252\16.\203\213\16\37L\31\0R\235\375\222\7\307r[\275\10q*\262}\244\220\310\21\201\230\236\312\16\13w\242\241\252\332\214\336\331\340\316\220\243\362\326\332\264R\31\362je\25\37\237\25\302\350\213\330\343\250D\274\207\336\371\372\02\322\215\301\223t\321\360UF\237\23\320\25\202D\225\25f\300\225Ig\255% _\347Oa\313\357\311Z\344\340\312\36\353\330!|v\215\33\214Y\340I\274", ) R\235\375\222\7\307r[\275\10q*\262}\244\220\310\21\201\230\236\312\16\13w\242\241\252\332\214\336\331\340\316\220\243\362\326\332\264R\31\362je\25\37\237\25\302\350\213\330\343\250D\274\207\336\371\372\02\322\215\301\223t\321\360UF\237\23\320\25\202D\225\25f\300\225Ig\255% _\347Oa\313\357\311Z\344\340\312\36\353\330!|v\215\33\214Y\340I\274", ) == 0x0
 00924   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00925   896   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00926   896   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 60, ) }, ... 60, ) == 0x0
 00927   896   NtQueryValueKey  (60,  (60, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (60, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0
 00928   896   NtClose  (60, ... ) == 0x0
 00929   896   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Ole"}, ... 60, ) }, ... 60, ) == 0x0
 00930   896   NtQueryValueKey  (60,  (60, "RWLockResourceTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00931   896   NtClose  (60, ... ) == 0x0
 00932   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00933   896   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00934   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00935   896   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00936   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 60, ) }, ... 60, ) == 0x0
 00937   896   NtQueryValueKey  (60,  (60, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00938   896   NtQueryValueKey  (60,  (60, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00939   896   NtQueryValueKey  (60,  (60, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00940   896   NtClose  (60, ... ) == 0x0
 00941   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 60, ) }, ... 60, ) == 0x0
 00942   896   NtQueryValueKey  (60,  (60, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00943   896   NtQueryValueKey  (60,  (60, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00944   896   NtClose  (60, ... ) == 0x0
 00945   896   NtOpenEvent  (0x1f0003, {24, 44, 0x0, 0, 0,  (0x1f0003, {24, 44, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00946   896   NtUserRegisterWindowMessage  ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc077
 00947   896   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00948   896   NtOpenKey  (0x9, {24, 16, 0x40, 0, 0,  (0x9, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00949   896   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00950   896   NtTestAlert  (... ) == 0x0
 00951   896   NtContinue  (1244464, 1, ...
 00952   896   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x44a000,}, 4, ... ) == 0x0
 00953   896   NtAllocateVirtualMemory  (-1, 0, 0, 793816, 4096, 4, ... 9699328, 794624, ) == 0x0
 00954   896   NtFreeVirtualMemory  (-1, (0x940000), 0, 32768, ... (0x940000), 794624, ) == 0x0
 00955   896   NtProtectVirtualMemory  (-1, (0x400000), 1, 4, ... (0x400000), 4096, 2, ) == 0x0
 00956   896   NtAllocateVirtualMemory  (-1, 0, 0, 793816, 4096, 4, ... 9699328, 794624, ) == 0x0
 00957   896   NtFreeVirtualMemory  (-1, (0x940000), 0, 32768, ... (0x940000), 794624, ) == 0x0
 00958   896   NtProtectVirtualMemory  (-1, (0x400000), 1, 2, ... (0x400000), 4096, 4, ) == 0x0
 00959   896   NtAllocateVirtualMemory  (-1, 0, 0, 793816, 4096, 4, ... 9699328, 794624, ) == 0x0
 00960   896   NtFreeVirtualMemory  (-1, (0x940000), 0, 32768, ... (0x940000), 794624, ) == 0x0
 00961   896   NtProtectVirtualMemory  (-1, (0x400000), 1, 4, ... (0x400000), 4096, 2, ) == 0x0
 00962   896   NtAllocateVirtualMemory  (-1, 0, 0, 793816, 4096, 4, ... 9699328, 794624, ) == 0x0
 00963   896   NtFreeVirtualMemory  (-1, (0x940000), 0, 32768, ... (0x940000), 794624, ) == 0x0
 00964   896   NtProtectVirtualMemory  (-1, (0x400000), 1, 2, ... (0x400000), 4096, 4, ) == 0x0
 00965   896   NtQueryVirtualMemory  (-1, 0x42254e, Basic, 28, ... {BaseAddress=0x422000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0xc000,State=0x1000,Protect=0x40,Type=0x1000000,}, 28, ) == 0x0
 00966   896   NtQueryVirtualMemory  (-1, 0x421330, Basic, 28, ... {BaseAddress=0x421000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0xd000,State=0x1000,Protect=0x40,Type=0x1000000,}, 28, ) == 0x0
 00967   896   NtContinue  (1244332, 0, ...
 00968   896   NtAllocateVirtualMemory  (-1, 0, 0, 16384, 4096, 64, ... 3801088, 16384, ) == 0x0
 00969   896   NtAllocateVirtualMemory  (-1, 0, 0, 15980, 4096, 4, ... 3866624, 16384, ) == 0x0
 00970   896   NtFreeVirtualMemory  (-1, (0x3b0000), 0, 32768, ... (0x3b0000), 16384, ) == 0x0
 00971   896   NtFreeVirtualMemory  (-1, (0x3a0000), 0, 32768, ... (0x3a0000), 16384, ) == 0x0
 00972   896   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00973   896   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00974   896   NtDelayExecution  (0, {-10000000, -1}, ... ) == 0x0
 00975   896   NtCreateMutant  (0x1f0001, {24, 44, 0x80, 0, 0,  (0x1f0001, {24, 44, 0x80, 0, 0, "2aacbfa20df37146c3b7fd4bb5120566c6c0"}, 0, ... 60, ) }, 0, ... 60, ) == 0x0
 00976   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "netapi32.dll"}, ... 64, ) }, ... 64, ) == 0x0
 00977   896   NtMapViewOfSection  (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5b860000), 0x0, 344064, ) == 0x0
 00978   896   NtClose  (64, ... ) == 0x0
 00979   896   NtProtectVirtualMemory  (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0
 00980   896   NtProtectVirtualMemory  (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0
 00981   896   NtFlushInstructionCache  (-1, 1535512576, 1168, ... ) == 0x0
 00982   896   NtProtectVirtualMemory  (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0
 00983   896   NtProtectVirtualMemory  (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0
 00984   896   NtFlushInstructionCache  (-1, 1535512576, 1168, ... ) == 0x0
 00985   896   NtProtectVirtualMemory  (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0
 00986   896   NtProtectVirtualMemory  (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0
 00987   896   NtFlushInstructionCache  (-1, 1535512576, 1168, ... ) == 0x0
 00988   896   NtProtectVirtualMemory  (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0
 00989   896   NtProtectVirtualMemory  (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0
 00990   896   NtFlushInstructionCache  (-1, 1535512576, 1168, ... ) == 0x0
 00991   896   NtProtectVirtualMemory  (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0
 00992   896   NtProtectVirtualMemory  (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0
 00993   896   NtFlushInstructionCache  (-1, 1535512576, 1168, ... ) == 0x0
 00994   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netapi32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00995   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "mpr.dll"}, ... 64, ) }, ... 64, ) == 0x0
 00996   896   NtMapViewOfSection  (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71b20000), 0x0, 73728, ) == 0x0
 00997   896   NtClose  (64, ... ) == 0x0
 00998   896   NtProtectVirtualMemory  (-1, (0x71b21000), 440, 4, ... (0x71b21000), 4096, 32, ) == 0x0
 00999   896   NtProtectVirtualMemory  (-1, (0x71b21000), 4096, 32, ... (0x71b21000), 4096, 4, ) == 0x0
 01000   896   NtFlushInstructionCache  (-1, 1907494912, 440, ... ) == 0x0
 01001   896   NtProtectVirtualMemory  (-1, (0x71b21000), 440, 4, ... (0x71b21000), 4096, 32, ) == 0x0
 01002   896   NtProtectVirtualMemory  (-1, (0x71b21000), 4096, 32, ... (0x71b21000), 4096, 4, ) == 0x0
 01003   896   NtFlushInstructionCache  (-1, 1907494912, 440, ... ) == 0x0
 01004   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mpr.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01005   896   NtCreateSemaphore  (0x1f0003, 0x0, 1, 1, ... 64, ) == 0x0
 01006   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 68, ) == 0x0
 01007   896   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "system\CurrentControlSet\control\NetworkProvider\HwOrder"}, ... 72, ) }, ... 72, ) == 0x0
 01008   896   NtNotifyChangeKey  (72, 68, 0, 0, 2011455960, 4, 0, 0, 0, 1, ... ) == 0x103
 01009   896   NtQueryInformationProcess  (-1, 28, 4, ... {process info, class 28, size 4}, 0x0, ) == 0x0
 01010   896   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 76, ) == 0x0
 01011   896   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 80, ) == 0x0
 01012   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "pstorec.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01013   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\pstorec.dll"}, 1238128, ... ) }, 1238128, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01014   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\pstorec.dll"}, 1238128, ... ) }, 1238128, ... ) == 0x0
 01015   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\pstorec.dll"}, 5, 96, ... 84, {status=0x0, info=1}, ) }, 5, 96, ... 84, {status=0x0, info=1}, ) == 0x0
 01016   896   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 84, ... 88, ) == 0x0
 01017   896   NtQuerySection  (88, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01018   896   NtClose  (84, ... ) == 0x0
 01019   896   NtMapViewOfSection  (88, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5e0c0000), 0x0, 53248, ) == 0x0
 01020   896   NtClose  (88, ... ) == 0x0
 01021   896   NtProtectVirtualMemory  (-1, (0x5e0c1000), 432, 4, ... (0x5e0c1000), 4096, 32, ) == 0x0
 01022   896   NtProtectVirtualMemory  (-1, (0x5e0c1000), 4096, 32, ... (0x5e0c1000), 4096, 4, ) == 0x0
 01023   896   NtFlushInstructionCache  (-1, 1577848832, 432, ... ) == 0x0
 01024   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ATL.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01025   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\ATL.DLL"}, 1237312, ... ) }, 1237312, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01026   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\ATL.DLL"}, 1237312, ... ) }, 1237312, ... ) == 0x0
 01027   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\ATL.DLL"}, 5, 96, ... 88, {status=0x0, info=1}, ) }, 5, 96, ... 88, {status=0x0, info=1}, ) == 0x0
 01028   896   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 88, ... 84, ) == 0x0
 01029   896   NtQuerySection  (84, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01030   896   NtClose  (88, ... ) == 0x0
 01031   896   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76b20000), 0x0, 69632, ) == 0x0
 01032   896   NtClose  (84, ... ) == 0x0
 01033   896   NtProtectVirtualMemory  (-1, (0x76b21000), 556, 4, ... (0x76b21000), 4096, 32, ) == 0x0
 01034   896   NtProtectVirtualMemory  (-1, (0x76b21000), 4096, 32, ... (0x76b21000), 4096, 4, ) == 0x0
 01035   896   NtFlushInstructionCache  (-1, 1991380992, 556, ... ) == 0x0
 01036   896   NtProtectVirtualMemory  (-1, (0x76b21000), 556, 4, ... (0x76b21000), 4096, 32, ) == 0x0
 01037   896   NtProtectVirtualMemory  (-1, (0x76b21000), 4096, 32, ... (0x76b21000), 4096, 4, ) == 0x0
 01038   896   NtFlushInstructionCache  (-1, 1991380992, 556, ... ) == 0x0
 01039   896   NtProtectVirtualMemory  (-1, (0x76b21000), 556, 4, ... (0x76b21000), 4096, 32, ) == 0x0
 01040   896   NtProtectVirtualMemory  (-1, (0x76b21000), 4096, 32, ... (0x76b21000), 4096, 4, ) == 0x0
 01041   896   NtFlushInstructionCache  (-1, 1991380992, 556, ... ) == 0x0
 01042   896   NtProtectVirtualMemory  (-1, (0x76b21000), 556, 4, ... (0x76b21000), 4096, 32, ) == 0x0
 01043   896   NtProtectVirtualMemory  (-1, (0x76b21000), 4096, 32, ... (0x76b21000), 4096, 4, ) == 0x0
 01044   896   NtFlushInstructionCache  (-1, 1991380992, 556, ... ) == 0x0
 01045   896   NtProtectVirtualMemory  (-1, (0x5e0c1000), 432, 4, ... (0x5e0c1000), 4096, 32, ) == 0x0
 01046   896   NtProtectVirtualMemory  (-1, (0x5e0c1000), 4096, 32, ... (0x5e0c1000), 4096, 4, ) == 0x0
 01047   896   NtFlushInstructionCache  (-1, 1577848832, 432, ... ) == 0x0
 01048   896   NtProtectVirtualMemory  (-1, (0x5e0c1000), 432, 4, ... (0x5e0c1000), 4096, 32, ) == 0x0
 01049   896   NtProtectVirtualMemory  (-1, (0x5e0c1000), 4096, 32, ... (0x5e0c1000), 4096, 4, ) == 0x0
 01050   896   NtFlushInstructionCache  (-1, 1577848832, 432, ... ) == 0x0
 01051   896   NtProtectVirtualMemory  (-1, (0x5e0c1000), 432, 4, ... (0x5e0c1000), 4096, 32, ) == 0x0
 01052   896   NtProtectVirtualMemory  (-1, (0x5e0c1000), 4096, 32, ... (0x5e0c1000), 4096, 4, ) == 0x0
 01053   896   NtFlushInstructionCache  (-1, 1577848832, 432, ... ) == 0x0
 01054   896   NtProtectVirtualMemory  (-1, (0x5e0c1000), 432, 4, ... (0x5e0c1000), 4096, 32, ) == 0x0
 01055   896   NtProtectVirtualMemory  (-1, (0x5e0c1000), 4096, 32, ... (0x5e0c1000), 4096, 4, ) == 0x0
 01056   896   NtFlushInstructionCache  (-1, 1577848832, 432, ... ) == 0x0
 01057   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ATL.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01058   896   NtQueryPerformanceCounter  (... {-1441309546, 16}, {3579545, 0}, ) == 0x0
 01059   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pstorec.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01060   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "wininet.dll"}, ... 84, ) }, ... 84, ) == 0x0
 01061   896   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x42c10000), 0x0, 847872, ) == 0x0
 01062   896   NtClose  (84, ... ) == 0x0
 01063   896   NtProtectVirtualMemory  (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0
 01064   896   NtProtectVirtualMemory  (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0
 01065   896   NtFlushInstructionCache  (-1, 1119948800, 1452, ... ) == 0x0
 01066   896   NtProtectVirtualMemory  (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0
 01067   896   NtProtectVirtualMemory  (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0
 01068   896   NtFlushInstructionCache  (-1, 1119948800, 1452, ... ) == 0x0
 01069   896   NtProtectVirtualMemory  (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0
 01070   896   NtProtectVirtualMemory  (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0
 01071   896   NtFlushInstructionCache  (-1, 1119948800, 1452, ... ) == 0x0
 01072   896   NtProtectVirtualMemory  (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0
 01073   896   NtProtectVirtualMemory  (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0
 01074   896   NtFlushInstructionCache  (-1, 1119948800, 1452, ... ) == 0x0
 01075   896   NtProtectVirtualMemory  (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0
 01076   896   NtProtectVirtualMemory  (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0
 01077   896   NtFlushInstructionCache  (-1, 1119948800, 1452, ... ) == 0x0
 01078   896   NtProtectVirtualMemory  (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0
 01079   896   NtProtectVirtualMemory  (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0
 01080   896   NtFlushInstructionCache  (-1, 1119948800, 1452, ... ) == 0x0
 01081   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "Normaliz.dll"}, ... 84, ) }, ... 84, ) == 0x0
 01082   896   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x3a0000), 0x0, 36864, ) == STATUS_IMAGE_NOT_AT_BASE
 01083   896   NtProtectVirtualMemory  (-1, (0x3a1000), 18944, 4, ... (0x3a1000), 20480, 32, ) == 0x0
 01084   896   NtProtectVirtualMemory  (-1, (0x3a7000), 1024, 4, ... (0x3a7000), 4096, 2, ) == 0x0
 01085   896   NtProtectVirtualMemory  (-1, (0x3a8000), 1536, 4, ... (0x3a8000), 4096, 2, ) == 0x0
 01086   896   NtMapViewOfSection  (84, -1, (0x3a0000), 0, 0, 0x0, 36864, 1, 0, 4, ... ) == STATUS_CONFLICTING_ADDRESSES
 01087   896   NtProtectVirtualMemory  (-1, (0x3a1000), 18944, 16, ... (0x3a1000), 20480, 4, ) == 0x0
 01088   896   NtProtectVirtualMemory  (-1, (0x3a7000), 1024, 2, ... (0x3a7000), 4096, 8, ) == 0x0
 01089   896   NtProtectVirtualMemory  (-1, (0x3a8000), 1536, 2, ... (0x3a8000), 4096, 8, ) == 0x0
 01090   896   NtFlushInstructionCache  (-1, 0, 0, ... ) == 0x0
 01091   896   NtClose  (84, ... ) == 0x0
 01092   896   NtProtectVirtualMemory  (-1, (0x3a1000), 160, 4, ... (0x3a1000), 4096, 16, ) == 0x0
 01093   896   NtProtectVirtualMemory  (-1, (0x3a1000), 4096, 16, ... (0x3a1000), 4096, 4, ) == 0x0
 01094   896   NtFlushInstructionCache  (-1, 3805184, 160, ... ) == 0x0
 01095   896   NtProtectVirtualMemory  (-1, (0x3a1000), 160, 4, ... (0x3a1000), 4096, 16, ) == 0x0
 01096   896   NtProtectVirtualMemory  (-1, (0x3a1000), 4096, 16, ... (0x3a1000), 4096, 4, ) == 0x0
 01097   896   NtFlushInstructionCache  (-1, 3805184, 160, ... ) == 0x0
 01098   896   NtProtectVirtualMemory  (-1, (0x3a1000), 160, 4, ... (0x3a1000), 4096, 16, ) == 0x0
 01099   896   NtProtectVirtualMemory  (-1, (0x3a1000), 4096, 16, ... (0x3a1000), 4096, 4, ) == 0x0
 01100   896   NtFlushInstructionCache  (-1, 3805184, 160, ... ) == 0x0
 01101   896   NtProtectVirtualMemory  (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0
 01102   896   NtProtectVirtualMemory  (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0
 01103   896   NtFlushInstructionCache  (-1, 1119948800, 1452, ... ) == 0x0
 01104   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "iertutil.dll"}, ... 84, ) }, ... 84, ) == 0x0
 01105   896   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x42990000), 0x0, 282624, ) == 0x0
 01106   896   NtClose  (84, ... ) == 0x0
 01107   896   NtProtectVirtualMemory  (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0
 01108   896   NtProtectVirtualMemory  (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0
 01109   896   NtFlushInstructionCache  (-1, 1117327360, 616, ... ) == 0x0
 01110   896   NtProtectVirtualMemory  (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0
 01111   896   NtProtectVirtualMemory  (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0
 01112   896   NtFlushInstructionCache  (-1, 1117327360, 616, ... ) == 0x0
 01113   896   NtProtectVirtualMemory  (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0
 01114   896   NtProtectVirtualMemory  (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0
 01115   896   NtFlushInstructionCache  (-1, 1117327360, 616, ... ) == 0x0
 01116   896   NtProtectVirtualMemory  (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0
 01117   896   NtProtectVirtualMemory  (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0
 01118   896   NtFlushInstructionCache  (-1, 1117327360, 616, ... ) == 0x0
 01119   896   NtProtectVirtualMemory  (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0
 01120   896   NtProtectVirtualMemory  (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0
 01121   896   NtFlushInstructionCache  (-1, 1117327360, 616, ... ) == 0x0
 01122   896   NtProtectVirtualMemory  (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0
 01123   896   NtProtectVirtualMemory  (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0
 01124   896   NtFlushInstructionCache  (-1, 1117327360, 616, ... ) == 0x0
 01125   896   NtProtectVirtualMemory  (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0
 01126   896   NtProtectVirtualMemory  (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0
 01127   896   NtFlushInstructionCache  (-1, 1119948800, 1452, ... ) == 0x0
 01128   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Normaliz.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01129   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iertutil.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01130   896   NtQueryPerformanceCounter  (... {-1441284054, 16}, {3579545, 0}, ) == 0x0
 01131   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wininet.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01132   896   NtQueryPerformanceCounter  (... {-1441283282, 16}, {3579545, 0}, ) == 0x0
 01133   896   NtAllocateVirtualMemory  (-1, 1339392, 0, 8192, 4096, 4, ... 1339392, 8192, ) == 0x0
 01134   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01135   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 9699328, 1048576, ) == 0x0
 01136   896   NtAllocateVirtualMemory  (-1, 9699328, 0, 4096, 4096, 4, ... 9699328, 4096, ) == 0x0
 01137   896   NtAllocateVirtualMemory  (-1, 9703424, 0, 8192, 4096, 4, ... 9703424, 8192, ) == 0x0
 01138   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 84, ) == 0x0
 01139   896   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1237568,  (0xc0100080, {24, 0, 0x40, 0, 1237568, "\??\WMIDataDevice"}, 0x0, 128, 0, 1, 64, 0, 0, ... 88, {status=0x0, info=0}, ) }, 0x0, 128, 0, 1, 64, 0, 0, ... 88, {status=0x0, info=0}, ) == 0x0
 01140   896   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 92, ) == 0x0
 01141   896   NtDeviceIoControlFile  (88, 92, 0x0, 0x12e2a0, 0x22414c,  (88, 92, 0x0, 0x12e2a0, 0x22414c, "\350\342\22\0\0\0\0\0\1\0\0\0\2\0\0\0\24\0\0\0\34\0\0\0P\0\0\0\0\0\0\0L\0\0\0\0\0\0\0\2\0\0\0U\4\376\14\272\223\15D\243\376U9s\320\267#\0\20\10\0\0\0\0\0\0\0\0\0U\4\376\14\272\223\15D\243\376U9s\320\267#\0\0\10\0\0\0\0\0\0\0\0\0\2\0\0\0", 104, 80, ... , 104, 80, ...
 01142   896   NtOpenKey  (0x82000000, {24, 0, 0x240, 0, 0,  (0x82000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\WMI\Security"}, ... -2147481368, ) }, ... -2147481368, ) == 0x0
 01143   896   NtQueryValueKey  (-2147481368,  (-2147481368, "DF8480A1-7492-4F45-AB78-1084642581FB", Full, 130, ... ) , Full, 130, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01144   896   NtQueryValueKey  (-2147481368,  (-2147481368, "00000000-0000-0000-0000-000000000000", Full, 130, ... ) , Full, 130, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01145   896   NtClose  (-2147481368, ... ) == 0x0
 01146   896   NtClose  (2280, ... ) == 0x0
 01141   896   NtDeviceIoControlFile  ... {status=0x0, info=80},  ... {status=0x0, info=80}, " \350R\342\0\0\0\0U\4\376\14\272\223\15D\243\376U9s\320\267#Vid\00\211\25\0\0\0\0\0\0\0\0\0\2\0\0\0U\4\376\14\272\223\15D\243\376U9s\320\267#\0\20\10\0`\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01147   896   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1237784,  (0xc0100080, {24, 0, 0x40, 0, 1237784, "\??\WMIDataDevice"}, 0x0, 128, 0, 1, 64, 0, 0, ... 100, {status=0x0, info=0}, ) }, 0x0, 128, 0, 1, 64, 0, 0, ... 100, {status=0x0, info=0}, ) == 0x0
 01148   896   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 104, ) == 0x0
 01149   896   NtDuplicateObject  (-1, -1, -1, 0x0, 0, 2, ... 108, ) == 0x0
 01150   896   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 112, ) == 0x0
 01151   896   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 116, ) == 0x0
 01152   896   NtAllocateVirtualMemory  (-1, 9711616, 0, 8192, 4096, 4, ... 9711616, 8192, ) == 0x0
 01153   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 10747904, 1048576, ) == 0x0
 01154   896   NtAllocateVirtualMemory  (-1, 11788288, 0, 8192, 4096, 4, ... 11788288, 8192, ) == 0x0
 01155   896   NtProtectVirtualMemory  (-1, (0xb3e000), 4096, 260, ... (0xb3e000), 4096, 4, ) == 0x0
 01156   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1236868, 1236812, 1, ... 120, {1252, 188}, ) == 0x0
 01157   896   NtQueryInformationThread  (120, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffde000,Pid=1252,Tid=188,}, 0x0, ) == 0x0
 01158   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 9699704}  (24, {28, 56, new_msg, 0, 0, 0, 0, 9699704} "\0\0\0\0\1\0\1\0\0\0\0\0(\2\0\0x\0\0\0\344\4\0\0\274\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81848, 0} "\0\0\0\0\1\0\1\0\0\0\0\0(\2\0\0x\0\0\0\344\4\0\0\274\0\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81848, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 9699704} "\0\0\0\0\1\0\1\0\0\0\0\0(\2\0\0x\0\0\0\344\4\0\0\274\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81848, 0} "\0\0\0\0\1\0\1\0\0\0\0\0(\2\0\0x\0\0\0\344\4\0\0\274\0\0\0" )  ) == 0x0
 01159   896   NtResumeThread  (120, ... 1, ) == 0x0
 01160   188   NtCreateEvent  (0x100003, 0x0, 1, 0, ... 124, ) == 0x0
 01161   188   NtWaitForSingleObject  (124, 0, 0x0, ...
 01162   896   NtClose  (120, ... ) == 0x0
 01163   896   NtSetEvent  (104, ... 0x0, ) == 0x0
 01164   896   NtSetEvent  (84, ... 0x0, ) == 0x0
 01165   896   NtClose  (84, ... ) == 0x0
 01166   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 84, ) == 0x0
 01167   896   NtAllocateVirtualMemory  (-1, 9719808, 0, 4096, 4096, 4, ... 9719808, 4096, ) == 0x0
 01168   896   NtDeviceIoControlFile  (88, 92, 0x0, 0x12e2a0, 0x22414c,  (88, 92, 0x0, 0x12e2a0, 0x22414c, "\350\342\22\0\0\0\0\0\2\0\0\0\2\0\0\0\24\0\0\0\34\0\0\0P\0\0\0\0\0\0\0L\0\0\0\0\0\0\0\2\0\0\0\254\253\177yX{\226G\271$\325\21x\245\234\344\0\20\10\0\0\0\0\0\0\0\0\0\254\253\177yX{\226G\271$\325\21x\245\234\344\0\0\10\0\0\0\0\0\0\0\0\0\2\0\0\0", 104, 80, ... , 104, 80, ...
 01169   896   NtOpenKey  (0x82000000, {24, 0, 0x240, 0, 0,  (0x82000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\WMI\Security"}, ... -2147481368, ) }, ... -2147481368, ) == 0x0
 01170   896   NtQueryValueKey  (-2147481368,  (-2147481368, "DF8480A1-7492-4F45-AB78-1084642581FB", Full, 130, ... ) , Full, 130, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01171   896   NtQueryValueKey  (-2147481368,  (-2147481368, "00000000-0000-0000-0000-000000000000", Full, 130, ... ) , Full, 130, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01172   896   NtClose  (-2147481368, ... ) == 0x0
 01173   896   NtClose  (2280, ... ) == 0x0
 01168   896   NtDeviceIoControlFile  ... {status=0x0, info=80},  ... {status=0x0, info=80}, "\310&]\341\0\0\0\0\254\253\177yX{\226G\271$\325\21x\245\234\344b\0o\0x\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\254\253\177yX{\226G\271$\325\21x\245\234\344\0\20\10\0x\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01174   896   NtSetEvent  (104, ... 0x0, ) == 0x0
 01175   896   NtSetEvent  (84, ... 0x0, ) == 0x0
 01176   896   NtClose  (84, ... ) == 0x0
 01177   896   NtOpenThreadToken  (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN
 01178   896   NtOpenProcessToken  (-1, 0xa, ... 84, ) == 0x0
 01179   896   NtDuplicateToken  (84, 0xc, {24, 0, 0x0, 0, 1238052, 0x0}, 0, 2, ... 128, ) == 0x0
 01180   896   NtClose  (84, ... ) == 0x0
 01181   896   NtAccessCheck  (1332160, 128, 0x1, 1238128, 1238180, 56, 1238160, ... (0x1), ) == 0x0
 01182   896   NtClose  (128, ... ) == 0x0
 01183   896   NtQueryDefaultUILanguage  (1236932, ...
 01184   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01185   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147481368, ) == 0x0
 01186   896   NtQueryInformationToken  (-2147481368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01187   896   NtClose  (-2147481368, ... ) == 0x0
 01188   896   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147481368, ) }, ... -2147481368, ) == 0x0
 01189   896   NtOpenKey  (0x80000000, {24, -2147481368, 0x240, 0, 0,  (0x80000000, {24, -2147481368, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01190   896   NtOpenKey  (0x80000000, {24, -2147481368, 0x640, 0, 0,  (0x80000000, {24, -2147481368, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481452, ) }, ... -2147481452, ) == 0x0
 01191   896   NtQueryValueKey  (-2147481452,  (-2147481452, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01192   896   NtClose  (-2147481452, ... ) == 0x0
 01193   896   NtClose  (-2147481368, ... ) == 0x0
 01183   896   NtQueryDefaultUILanguage  ... ) == 0x0
 01194   896   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01195   896   NtAllocateVirtualMemory  (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0
 01196   896   NtQueryDefaultLocale  (1, 1235028, ... ) == 0x0
 01197   896   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01198   896   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 2088850039, 1236064, 1179817, 1235788}  (24, {128, 156, new_msg, 0, 2088850039, 1236064, 1179817, 1235788} "\210\6!\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6!\1\0\0\0\0\377\377\377\377\0\0\0\0PR\313B\0\0\0\0\370\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6!\1\0\0\0\0\0\0\0\0T\340\22\0\0\0\0\0" ... {128, 156, reply, 0, 1252, 896, 81849, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6!\1\0\0\0\0\377\377\377\377\0\0\0\0PR\313B\0\0\0\0\370\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6!\1\0\0\0\0\0\0\0\0T\340\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 1252, 896, 81849, 0}  (24, {128, 156, new_msg, 0, 2088850039, 1236064, 1179817, 1235788} "\210\6!\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6!\1\0\0\0\0\377\377\377\377\0\0\0\0PR\313B\0\0\0\0\370\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6!\1\0\0\0\0\0\0\0\0T\340\22\0\0\0\0\0" ... {128, 156, reply, 0, 1252, 896, 81849, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6!\1\0\0\0\0\377\377\377\377\0\0\0\0PR\313B\0\0\0\0\370\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6!\1\0\0\0\0\0\0\0\0T\340\22\0\0\0\0\0" )  ) == 0x0
 01199   896   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01200   896   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01201   896   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01202   896   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01203   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1234256, ... ) }, 1234256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01204   896   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01205   896   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01206   896   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01207   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03"}, 1234320, ... ) }, 1234320, ... ) == 0x0
 01208   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03"}, 3, 33, ... 128, {status=0x0, info=1}, ) }, 3, 33, ... 128, {status=0x0, info=1}, ) == 0x0
 01209   896   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01210   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01211   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 84, ) == 0x0
 01212   896   NtQueryInformationToken  (84, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01213   896   NtClose  (84, ... ) == 0x0
 01214   896   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 84, ) }, ... 84, ) == 0x0
 01215   896   NtSetInformationObject  (84, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 01216   896   NtCreateKey  (0x2001f, {24, 84, 0x40, 0, 0,  (0x2001f, {24, 84, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 132, 2, ) }, 0, 0x0, 0, ... 132, 2, ) == 0x0
 01217   896   NtSetEventBoostPriority  (124, ...
 01161   188   NtWaitForSingleObject  ... ) == 0x0
 01218   188   NtTestAlert  (... ) == 0x0
 01219   188   NtContinue  (11795760, 1, ...
 01220   188   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01221   188   NtDeviceIoControlFile  (100, 112, 0x0, 0x77e466a0, 0x228144,  (100, 112, 0x0, 0x77e466a0, 0x228144, "\2\0\0\0\1\0\0\0\\370\342w\0\0\0\0l\0\0\0\0\0\0\0x\0\0\0\0\0\0\0`\0\0\0\0\0\0\0", 40, 4096, ... {status=0x103, info=0}, "", ) , 40, 4096, ... {status=0x103, info=0}, "", ) == 0x103
 01217   896   NtSetEventBoostPriority  ... ) == 0x0
 01222   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "psapi.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01223   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\psapi.dll"}, 1238148, ... }, 1238148, ...
 01224   188   NtWaitForMultipleObjects  (2, (104, 112, ), 1, 1, {1294967296, -1}, ... ) == 0x0
 01225   188   NtDeviceIoControlFile  (100, 116, 0x0, 0x77e46680, 0x228144,  (100, 116, 0x0, 0x77e46680, 0x228144, "\2\0\0\0\1\0\0\0\\370\342w\0\0\0\0l\0\0\0\0\0\0\0x\0\0\0\0\0\0\0`\0\0\0\0\0\0\0", 40, 4096, ... {status=0x103, info=0}, "", ) , 40, 4096, ... {status=0x103, info=0}, "", ) == 0x103
 01226   188   NtWaitForMultipleObjects  (2, (104, 116, ), 1, 1, {1294967296, -1}, ...
 01223   896   NtQueryAttributesFile  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01227   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\psapi.dll"}, 1238148, ... ) }, 1238148, ... ) == 0x0
 01228   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\psapi.dll"}, 5, 96, ... 136, {status=0x0, info=1}, ) }, 5, 96, ... 136, {status=0x0, info=1}, ) == 0x0
 01229   896   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 136, ... 140, ) == 0x0
 01230   896   NtQuerySection  (140, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01231   896   NtClose  (136, ... ) == 0x0
 01232   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76bf0000), 0x0, 45056, ) == 0x0
 01233   896   NtClose  (140, ... ) == 0x0
 01234   896   NtProtectVirtualMemory  (-1, (0x76bf1000), 236, 4, ... (0x76bf1000), 4096, 32, ) == 0x0
 01235   896   NtProtectVirtualMemory  (-1, (0x76bf1000), 4096, 32, ... (0x76bf1000), 4096, 4, ) == 0x0
 01236   896   NtFlushInstructionCache  (-1, 1992232960, 236, ... ) == 0x0
 01237   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\psapi.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01238   896   NtAllocateVirtualMemory  (-1, 3297280, 0, 8192, 4096, 4, ... 3297280, 8192, ) == 0x0
 01239   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01240   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 140, ) == 0x0
 01241   896   NtQueryInformationToken  (140, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01242   896   NtClose  (140, ... ) == 0x0
 01243   896   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 140, ) }, ... 140, ) == 0x0
 01244   896   NtOpenKey  (0x20019, {24, 140, 0x40, 0, 0,  (0x20019, {24, 140, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Providers\Type 001"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01245   896   NtClose  (140, ... ) == 0x0
 01246   896   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 001"}, ... 140, ) }, ... 140, ) == 0x0
 01247   896   NtQueryValueKey  (140,  (140, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (140, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 01248   896   NtQueryValueKey  (140,  (140, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (140, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 01249   896   NtQueryValueKey  (140,  (140, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (140, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 01250   896   NtQueryValueKey  (140,  (140, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (140, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 01251   896   NtClose  (140, ... ) == 0x0
 01252   896   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider"}, ... 140, ) }, ... 140, ) == 0x0
 01253   896   NtQueryValueKey  (140,  (140, "Type", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (140, "Type", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01254   896   NtQueryValueKey  (140,  (140, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 34, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (140, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 34, ) }, 34, ) == 0x0
 01255   896   NtQueryValueKey  (140,  (140, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 34, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (140, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 34, ) }, 34, ) == 0x0
 01256   896   NtQueryValueKey  (140,  (140, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 34, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (140, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 34, ) }, 34, ) == 0x0
 01257   896   NtQueryValueKey  (140,  (140, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 34, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (140, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 34, ) }, 34, ) == 0x0
 01258   896   NtQuerySystemInformation  (KernelDebugger, 2, ... {system info, class 35, size 2}, -1, ) == 0x0
 01259   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\rsaenh.dll"}, 1238568, ... ) }, 1238568, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01260   896   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "rsaenh.dll"}, 1238568, ... ) }, 1238568, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01261   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rsaenh.dll"}, 1238568, ... ) }, 1238568, ... ) == 0x0
 01262   896   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1239076,  (0x80100080, {24, 0, 0x40, 0, 1239076, "\??\C:\WINDOWS\system32\rsaenh.dll"}, 0x0, 128, 1, 1, 96, 0, 0, ... 136, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 136, {status=0x0, info=1}, ) == 0x0
 01263   896   NtQueryInformationFile  (136, 1239056, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01264   896   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 136, ... 144, ) == 0x0
 01265   896   NtMapViewOfSection  (144, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x3c0000), {0, 0}, 155648, ) == 0x0
 01266   896   NtClose  (144, ... ) == 0x0
 01267   896   NtClose  (136, ... ) == 0x0
 01268   896   NtUnmapViewOfSection  (-1, 0x3c0000, ... ) == 0x0
 01269   896   NtQueryFullAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rsaenh.dll"}, 1239304, ... ) }, 1239304, ... ) == 0x0
 01270   896   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1239140,  (0x80100080, {24, 0, 0x40, 0, 1239140, "\??\C:\WINDOWS\system32\rsaenh.dll"}, 0x0, 128, 1, 1, 96, 0, 0, ... 136, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 136, {status=0x0, info=1}, ) == 0x0
 01271   896   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 136, ... 144, ) == 0x0
 01272   896   NtMapViewOfSection  (144, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x3c0000), {0, 0}, 155648, ) == 0x0
 01273   896   NtQueryDefaultLocale  (1, 1239032, ... ) == 0x0
 01274   896   NtQueryVirtualMemory  (-1, 0x3c0000, Basic, 28, ... {BaseAddress=0x3c0000,AllocationBase=0x3c0000,AllocationProtect=0x2,RegionSize=0x26000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01275   896   NtQueryVirtualMemory  (-1, 0x3c0000, Basic, 28, ... {BaseAddress=0x3c0000,AllocationBase=0x3c0000,AllocationProtect=0x2,RegionSize=0x26000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01276   896   NtReadFile  (136, 0, 0, 0, 328, 0x0, 0, ... {status=0x0, info=328},  (136, 0, 0, 0, 328, 0x0, 0, ... {status=0x0, info=328}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\7\267\232\34C\326\364OC\326\364OC\326\364O\200\331\373OJ\326\364OC\326\365O\320\326\364O\200\331\251OH\326\364O\200\331\250OB\326\364O\200\331\252OB\326\364O\200\331\224OB\326\364O\200\331\253Oj\326\364O\200\331\256OB\326\364ORichC\326\364O\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\4\0(]\353@\0\0\0\0\0\0\0\0\340\0\16!\13\1\7\12\0\14\2\0\0F\0\0\0\0\0\0\3414\1\0\0\20\0\0\0 \2\0\0\0\375\17\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0\200\2\0\0\4\0\0", ) , ) == 0x0
 01277   896   NtQueryInformationFile  (136, 1239192, 8, Position, ... {status=0x0, info=8}, ) == 0x0
 01278   896   NtSetInformationFile  (136, 1239192, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01279   896   NtReadFile  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\3\0\0\10\0\0\4\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\200\30\2\0\273\2\0\08\14\2\0x\0\0\0\0P\2\0P\14\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\2\0\354\16\0\00\22\0\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200`\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\20\0\00\2\0\00\12\2\0\340\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0;\13\2\0\0\20\0\0\0\14\2\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0`.data\0\0\0\210%\0\0\0 \2\0\0$\0\0\0\20\2\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0\300.rsrc\0\0\0P\14\0\0\0P\2\0\0\16\0\0\04\2\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0@.reloc\0\0r\20\0\0\0`\2\0\0\22\0\0\0B\2\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0B\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01280   896   NtReadFile  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0 \0\0@ \0\200\0\0 \0@ \0\0@  \200\0  \0\0\0\0\200\0 \0\200@\0\0\200\0\0 \200@  \0\0\0 \0@ \0\200@\0 \200\0\0\0\0\0 \0\0@\0\0\0\0  \200@\0 \200@  \200\0\0 \200\0\0\0\200@ \0\0@\0\0\0\0  \0@  \0\0 \0\200@ \0\0\0\0\0\200\0 \0\200@  \0\0  \200@\0 \0\0\0\0\0\0 \0\200\0\0\0\200\0 \0\0@\0 \200\0\0 \0@\0 \0@  \200\0  \0@\0\0\0@  \200\0  \0\0\0 \0@ \0\200@\0\0\200\0\0 \200@  \0\0\0\0\0\0 \0\0@\0\0\200@ \0\200\0  \200\0\0 \200@ \0\0@\0\0\0@\0 \200\0@\0\0\0\2\0\0\0\2\0\1\4\0\0\1\4B\0\1\4@\0\0\0B\0\0\0\0\0\0\0\0\0\1\4\2\0\1\4\2\0\0\0@\0\1\4\0\0\0\0B\0\1\0@\0\1\4\2\0\0\4\2\0\1\0@\0\0\4@\0\0\4B\0\1\0\0\0\0\0\2\0\1\4\0\0\1\0B\0\0\4@\0\1\4B\0\0\0B\0\1\4\0\0\0\4B\0\0\4@\0\1\0\2\0\0\0\0\0\1\4B\0\0\0@\0\1\4@\0\1\4\2\0\0\0@\0\0\0\2\0\0\0\0\0\1\4@\0\1\4\2\0\1\4B\0\0\0B\0\0\0\0\0\0\0\2\0\0\4\0\0\1\4\0\0\0\0\2\0\1\0\0\0\0\4\2\0\1\0\2\0\1\0B\0\0\4\2\0\0\0@\0\0\4B\0\1\0\0\0\1\0B\0\1\4\0\0\0\4@\0\0\4B\0\1\4\0\0\1\0B\0\1\0@\0\1\4@\0\0\200\0\200 \0\0\202 ", ) , ) == 0x0
 01281   896   NtReadFile  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\250TT\374m\273\273\326,\26\26:\245\306cc\204\370||\231\356ww\215\366{{\15\377\362\362\275\326kk\261\336ooT\221\305\305P`00\3\2\1\1\251\316gg}V++\31\347\376\376b\265\327\327\346M\253\253\232\354vvE\217\312\312\235\37\202\202@\211\311\311\207\372}}\25\357\372\372\353\262YY\311\216GG\13\373\360\360\354A\255\255g\263\324\324\375_\242\242\352E\257\257\277#\234\234\367S\244\244\226\344rr[\233\300\300\302u\267\267\34\341\375\375\256=\223\223jL&&Zl66A~??\2\365\367\367O\203\314\314\h44\364Q\245\2454\321\345\345\10\371\361\361\223\342qqs\253\330\330Sb11?*\25\25\14\10\4\4R\225\307\307eF##^\235\303\303(0\30\30\2417\226\226\17\12\5\5\265/\232\232\11\16\7\76$\22\22\233\33\200\200=\337\342\342&\315\353\353iN''\315\177\262\262\237\352uu\33\22\11\11\236\35\203\203tX,,.4\32\32-6\33\33\262\334nn\356\264ZZ\373[\240\240\366\244RRMv;;a\267\326\326\316}\263\263{R))>\335\343\343q^//\227\23\204\204\365\246SSh\271\321\321\0\0\0\0,\301\355\355`@  \37\343\374\374\310y\261\261\355\266[[\276\324jjF\215\313\313\331g\276\276Kr99\336\224JJ\324\230LL\350\260XXJ\205\317\317k\273\320\320*\305\357\357\345O\252\252\26\355\373\373\305\206CC\327\232MMUf33\224\21\205\205\317\212EE\20\351\371\371\6\4\2\2\201\376\177\177\360\240PPDx<<\272%\237\237\343K\250\250\363\242QQ\376]\243\243\300\200@@\212\5\217\217\255?\222\222\274!\235\235Hp88\4\361\365\365\337c\274\274\301w\266\266", ) , ) == 0x0
 01282   896   NtReadFile  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\3252\266pHl\t\320\270WBPQ\364\247S~Ae\303\32\27\244\226:'^\313;\253k\361\37\235E\253\254\372X\223K\343\3U 0\372\366\255vm\221\210\314v%\365\2L\374O\345\327\327\305*\313\200&5D\217\265b\243I\336\261Zg%\272\33\230E\352\16\341]\376\300\2\303/u\22\201L\360\243\215F\227\306k\323\371\347\3\217_\225\25\222\234\353\277mz\332\225RY-\324\276\203\323Xt!)I\340iD\216\311\310ju\302\211x\364\216yk\231X>\335'\271q\266\276\341O\27\360\210\255f\311 \254\264}\316:\30c\337J\202\345\321`\227Q3EbS\177\340\261dw\204\273k\256\34\376\201\240\224\371\10+XpHh\31\217E\375\207\224\336l\267R{\370#\253s\323\342rK\2W\343\37\217*fU\253\7\262\353(\3/\265\302\232\206\305{\245\3237\10\3620(\207\262#\277\245\272\2\3j\\355\26\202+\212\317\34\222\247y\264\360\363\7\362\241Ni\342\315e\332\364\325\6\5\276\37\3214b\212\304\246\376\2354.S\240\242\363U2\5\212\341u\244\366\3539\13\203\354\252@`\357\6^q\237Q\275n\20\371>!\212=\226\335\6\256\335>\5FM\346\275\265\221T\215\5q\304]o\4\6\324\377`P\25$\31\230\373\227\326\275\351\314\211@Cwg\331\236\275\260\350B\210\7\211\2138\347\31[\333y\310\356G\241|\12\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*", ) , ) == 0x0
 01283   896   NtReadFile  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "<"\340C.9\367^ 0\372U\354\232\267\1\342\223\272\12\360\210\255\27\376\201\240\34\324\276\203-\332\267\216&\310\254\231;\306\245\2240\234\322\337Y\222\333\322R\200\300\305O\216\311\310D\244\366\353u\252\377\346~\270\344\361c\266\355\374h\14\12g\261\2\3j\272\20\30}\247\36\21p\2544.S\235:'^\226("@\35\236/KG\351d"I\340i)[\373~4U\362s?\177\315P\16q\304]\5c\337J\30m\326G\23\3271\334\312\3318\321\301\313#\306\334\305*\313\327\357\25\350\346\341\34\345\355\363\7\362\360\375\16\377\373\247y\264\222\251p\271\231\273k\256\204\265b\243\217\237]\200\276\221T\215\265\203O\232\250\215F\227\243\0\0\0\0\13\16\11\15\26\34\22\32\35\22\33\27,8$4'6-9:$6.1*?#XpHhS~AeNlZrEbS\177tHl\\177FeQbT~FiZwK\260\340\220\320\273\356\231\335\246\374\202\312\255\362\213\307\234\330\264\344\227\326\275\351\212\304\246\376\201\312\257\363\350\220\330\270\343\236\321\265\376\214\312\242\365\202\303\257\304\250\374\214\317\246\365\201\322\264\356\226\331\272\347\233{\333;\273p\3252\266m\307)\241f\311 \254W\343\37\217\\355\26\202A\377\15\225J\361\4\230#\253s\323(\245z\3365\267a\311>\271h\304\17\223W\347\4\235^\352\31\217E\375\22\201L\360\313;\253k\3005\242f\335'\271q\326)\260|\347\3\217_\354\15\206R\361\37\235E\372\21\224H\223K\343\3\230E\352\16", ) \340C.9\367^ 0\372U\354\232\267\1\342\223\272\12\360\210\255\27\376\201\240\34\324\276\203-\332\267\216&\310\254\231;\306\245\2240\234\322\337Y\222\333\322R\200\300\305O\216\311\310D\244\366\353u\252\377\346~\270\344\361c\266\355\374h\14\12g\261\2\3j\272\20\30}\247\36\21p\2544.S\235:'^\226(213&5D\200|B\17\351rK\2\342`P\25\377nY\30\364Df;\305Jo6\316Xt!\323V},\3307\241\14z9\250\1q+\263\26l%\272\33g\17\2058V\1\2145]\23\227 (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "<"\340C.9\367^ 0\372U\354\232\267\1\342\223\272\12\360\210\255\27\376\201\240\34\324\276\203-\332\267\216&\310\254\231;\306\245\2240\234\322\337Y\222\333\322R\200\300\305O\216\311\310D\244\366\353u\252\377\346~\270\344\361c\266\355\374h\14\12g\261\2\3j\272\20\30}\247\36\21p\2544.S\235:'^\226("@\35\236/KG\351d"I\340i)[\373~4U\362s?\177\315P\16q\304]\5c\337J\30m\326G\23\3271\334\312\3318\321\301\313#\306\334\305*\313\327\357\25\350\346\341\34\345\355\363\7\362\360\375\16\377\373\247y\264\222\251p\271\231\273k\256\204\265b\243\217\237]\200\276\221T\215\265\203O\232\250\215F\227\243\0\0\0\0\13\16\11\15\26\34\22\32\35\22\33\27,8$4'6-9:$6.1*?#XpHhS~AeNlZrEbS\177tHl\\177FeQbT~FiZwK\260\340\220\320\273\356\231\335\246\374\202\312\255\362\213\307\234\330\264\344\227\326\275\351\212\304\246\376\201\312\257\363\350\220\330\270\343\236\321\265\376\214\312\242\365\202\303\257\304\250\374\214\317\246\365\201\322\264\356\226\331\272\347\233{\333;\273p\3252\266m\307)\241f\311 \254W\343\37\217\\355\26\202A\377\15\225J\361\4\230#\253s\323(\245z\3365\267a\311>\271h\304\17\223W\347\4\235^\352\31\217E\375\22\201L\360\313;\253k\3005\242f\335'\271q\326)\260|\347\3\217_\354\15\206R\361\37\235E\372\21\224H\223K\343\3\230E\352\16", ) I\340i)[\373~4U\362s?\177\315P\16q\304]\5c\337J\30m\326G\23\3271\334\312\3318\321\301\313#\306\334\305*\313\327\357\25\350\346\341\34\345\355\363\7\362\360\375\16\377\373\247y\264\222\251p\271\231\273k\256\204\265b\243\217\237]\200\276\221T\215\265\203O\232\250\215F\227\243\0\0\0\0\13\16\11\15\26\34\22\32\35\22\33\27,8$4'6-9:$6.1*?#XpHhS~AeNlZrEbS\177tHl\\177FeQbT~FiZwK\260\340\220\320\273\356\231\335\246\374\202\312\255\362\213\307\234\330\264\344\227\326\275\351\212\304\246\376\201\312\257\363\350\220\330\270\343\236\321\265\376\214\312\242\365\202\303\257\304\250\374\214\317\246\365\201\322\264\356\226\331\272\347\233{\333;\273p\3252\266m\307)\241f\311 \254W\343\37\217\\355\26\202A\377\15\225J\361\4\230#\253s\323(\245z\3365\267a\311>\271h\304\17\223W\347\4\235^\352\31\217E\375\22\201L\360\313;\253k\3005\242f\335'\271q\326)\260|\347\3\217_\354\15\206R\361\37\235E\372\21\224H\223K\343\3\230E\352\16", ) == 0x0
 01284   896   NtReadFile  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "M\0a\0c\0h\0i\0n\0e\0K\0e\0y\0s\0\0\0-%lu\0\0\0\00x%02hx%02hx%02hx%02hx%02hx%02hx\0\0\0\0%lu\0S-%lu-\0\0-\0%\0l\0u\0\0\0\0\00\0x\0%\00\02\0h\0x\0%\00\02\0h\0x\0%\00\02\0h\0x\0%\00\02\0h\0x\0%\00\02\0h\0x\0%\00\02\0h\0x\0\0\0\0\0%\0l\0u\0\0\0S\0-\0%\0l\0u\0-\0\0\0\0\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0C\0r\0y\0p\0t\0o\0\\0R\0S\0A\0\\0\0\0\0\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0C\0r\0y\0p\0t\0o\0\\0D\0S\0S\0\\0\0\0\0\0SeRestorePrivilege\0\0SeBackupPrivilege\0\0\0.DEFAULT\0\0\0\0Software\Microsoft\Cryptography\UserKeys\0\0\0\0Software\Microsoft\Cryptography\MachineKeys\0Software\Microsoft\Cryptography\DSSUserKeys\0*\0\0\0SeSecurityPrivilege\0OffloadModEx", ) , ) == 0x0
 01285   896   NtReadFile  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "3\300@\213M\374_^\350\317\305\0\0\311\302\14\0\314\314\314\314\314\213\377U\213\354\213E\10\203x\4\14u\26\201}\14\1\200\0\0t\11\201}\14\2\200\0\0u\43\300\353\33\300@]\302\10\0\314\314\314\314\314\213\377U\213\354\213E\10-\1\200\0\0VW\17\204\211\0\0\0HtWHt9Ht\12\270\10\0\11\200\351\235\0\0\0jt_W\350\324G\1\0\213\360\205\366u\10j\10X\351\206\0\0\0V\350\311\310\0\0\203&\0\213E\14\2110\213E\20\2118\353ojl_W\350\250G\1\0\213\360\205\366t\324\203fh\0V\350}\310\0\0\353\331jd\350\217G\1\0\213\360\205\366t\273j\31Y3\300\213\376\363\253!F\34V\350\220\24\1\0\213E\20\307\0d\0\0\0\213E\14\2110\353%j8^V\350^G\1\0\213\320\205\322t\2123\300j\16Y\213\372\363\253!B4\213E\20\2110\213E\14\211\203\300_^]\302\14\0\314\314\314\314\314\213\377U\213\354S3\3339]\24VWt\12\277\11\0\11\200\351\243\0\0\0S\377u\10\350[\223\0\0;\303u\12\277\1\0\11\200\351\214\0\0\0\213u\14VP\350\306\376\377\377\205\300u\7\277\10\0\11\200\353wj8\350\351F\1\0\213\3303\322;\332\17\204\361\0\0\0j\163\300Y\213\373\363\253\213M\10\213\306-\2L\0\0\211s\4\211\13\17\204\254\1\0\0-\34\0\0\17\204F\1\0\0\203\350\3\17\204%\1\0\0H\17\204\366\0\0\0Ht\9U\20\17\205\250\1\0\0\215C\10P\215C\14PV\350\205\376\377\377\205\300u\13Sj\1\377u\30\3503\223\0\0\213\3703\300\205\377\17\224\300\213\360\205\366u\36\205\333t\23\213C\14\205\300t\6P\350\236F\1\0S\350\230F", ) , ) == 0x0
 01286   896   NtReadFile  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\253\253\2533\300@S\211s<\211s@\211C\\211C`\211sd\350P\377\377\377\213E\30;\306\213M\20\211K\14t"9u\34t\5\211C\20\353\30\213{\20\213\360\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213M\203\366\201\352\1f\0\0tuJtTJt3\203\352\6t\37\203\352\5t\21Jt\16Jt\13\211s`\211sx\351\200\0\0\0\307Cx\20\0\0\0\353w\203{\14\20uM9u u\31j\20\353\15\203{\14\30u>9u u\12j\30\377s\20\350T\17\1\0\307Cx\10\0\0\0\353J\213E\249\260\204\1\0\0u\11\307Cl(\0\0\0\353\343\213\301\301\340\3\211Cl\353\331j\10_9{\14t\23\277\11\0\11\200;\336t\6S\350\2607\1\0\213\307\353\309u u\11W\377s\20\350\4\17\1\0\211{x\213E$\211\303\300_^[]\302 \0\314\314\314\314\314\213\377U\213\354V\213u\10\213F\20\205\300t\6P\350r7\1\0\213F\30\205\300t\6P\350e7\1\0V\350_7\1\0^]\302\4\0\314\314\314\314\314\213\377U\213\354\213E\14\213M\30W3\3223\377-\0$\0\0\211\21t\31-\1B\0\0tlHtUHtF\203\350\6t5-\367=\0\0u\6\307\1\1\0\0\0\213E\20R\301\340\3P\377u\14\213E\10\3774\205HB\377\17\350\204\207\1\0\205\300t\33\377G\213\307_]\302\24\0\203}\20\20t\360\203}\20\16\353*\203}\20\30t\344\203}\20\25\353\369U\24u\331\213E\20R\301\340\3Ph\2f\0\0\353\267\203}\20\10t\304\203}\20\7u\301\353\274\314\314\314\314\314\213\377U\213\354\213E\14V3\366\205\300t \215M\14Q\377u\20\377p\14\377p\4", ) 9u\34t\5\211C\20\353\30\213{\20\213\360\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213M\203\366\201\352\1f\0\0tuJtTJt3\203\352\6t\37\203\352\5t\21Jt\16Jt\13\211s`\211sx\351\200\0\0\0\307Cx\20\0\0\0\353w\203{\14\20uM9u u\31j\20\353\15\203{\14\30u>9u u\12j\30\377s\20\350T\17\1\0\307Cx\10\0\0\0\353J\213E\249\260\204\1\0\0u\11\307Cl(\0\0\0\353\343\213\301\301\340\3\211Cl\353\331j\10_9{\14t\23\277\11\0\11\200;\336t\6S\350\2607\1\0\213\307\353\309u u\11W\377s\20\350\4\17\1\0\211{x\213E$\211\303\300_^[]\302 \0\314\314\314\314\314\213\377U\213\354V\213u\10\213F\20\205\300t\6P\350r7\1\0\213F\30\205\300t\6P\350e7\1\0V\350_7\1\0^]\302\4\0\314\314\314\314\314\213\377U\213\354\213E\14\213M\30W3\3223\377-\0$\0\0\211\21t\31-\1B\0\0tlHtUHtF\203\350\6t5-\367=\0\0u\6\307\1\1\0\0\0\213E\20R\301\340\3P\377u\14\213E\10\3774\205HB\377\17\350\204\207\1\0\205\300t\33\377G\213\307_]\302\24\0\203}\20\20t\360\203}\20\16\353*\203}\20\30t\344\203}\20\25\353\369U\24u\331\213E\20R\301\340\3Ph\2f\0\0\353\267\203}\20\10t\304\203}\20\7u\301\353\274\314\314\314\314\314\213\377U\213\354\213E\14V3\366\205\300t \215M\14Q\377u\20\377p\14\377p\4", ) == 0x0
 01287   896   NtReadFile  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\1\0\11\200\351\325\0\0\0\215E\10Pj\2V\377u\14\350\237t\0\0\205\300t;\215E\10Pj\3V\377u\14\350\214t\0\0\205\300t(\215E\10Pj\4V\377u\14\350yt\0\0\205\300t\25= \0\11\200\17\205\221\0\0\0\270\3\0\11\200\351\207\0\0\0\213E\20\203\370\12\17\207\313\1\0\0\17\204u\1\0\0H\17\204]\1\0\0H\17\204\342\0\0\0H\17\204\316\0\0\0H\17\204\213\0\0\0HtrH\17\205\317\2\0\0\213E\24\213\20\367\302\300\376\377\377t\7\270\11\0\11\200\353;\367\302\4\0\0\0\213E\10t\20\367@h\4\0\0\0u\7\270\5\0\11\200\353 \271\0\1\0\0\205\321t\5\205Hht\353\213Hh3\312\201\341\4\1\0\03\312\211Hh3\300_3\311\205\300\17\224\301\213\361\205\366u\7P\377\25\304\21\375\17\213\306^]\302\24\0\213E\24\213\0\205\300t\264\203\370@w\257\213M\10\211Ad\353\314\213U\10\213B\4=\0$\0\0\17\204,\377\377\377=\0\244\0\0\17\204!\377\377\377\213M\24\212\1<\1t\20<\2t\14<\4t\10<\3\17\205r\377\377\377\213\1\211B`\353\220\213E\24\2038\1t\210\351^\377\377\377\213M\10\213A\4=\2f\0\0t\13=\1h\0\0\17\205\334\376\377\377\213u\24\205\366u\10jWX\351^\377\377\377\213\207\204\1\0\0\205\300t\13\203\370\1t\6\203a@\0\353\7\307A@\13\0\0\0\213E\10\213H@\205\311t\24\215xD\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213E\10P\350\307\371\377\377\205\300\17\204\24\377\377\377\351\21\377\377\377\213E\10\213Hx\213u\24\215x\34\351g\1\0\0\213M\10\213A\4=\2f\0\0t\13=\1h\0\0\17\205W\376", ) , ) == 0x0
 01288   896   NtReadFile  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "j\10X\351\264\1\0\0\213E\309{\10\213H$\213\372u\25\213\361\301\351\2\2706666\363\253\213\316\203\341\3\363\252\353\21\213s\4\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213E\30\213@ \205\300t\11P\350C\30\1\0\213U\24\213E\30\211P \213C\20\205\300u\14\213E\30\307@,@\0\0\0\353\6\213M\30\211A,\213E\30\377p,\350\323\27\1\0\213\320\205\322\213E\30\211U\24u\24\377p \350\2\30\1\0\213E\30\203` \0\351h\377\377\377\203{\20\0\213H,\213\372u\25\213\361\301\351\2\270\\\\\363\253\213\316\203\341\3\363\252\353\21\213s\14\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213E\30\213@(\205\300t\11P\350\265\27\1\0\213U\24\213E\30\211P(\351\323\0\0\0\213E\30\213H\4\201\351\1\200\0\0\17\204\236\0\0\0I\17\204\217\0\0\0It\177ItnIt\37\203\351\3t\12\270\10\0\11\200\351\244\0\0\0\213x\14j\11\213u\24Y\363\245\351\200\0\0\0\213p\14\215M\374Qj\2\377u\10\377p\20\350{c\0\0;\307t\14= \0\11\200uu\203\300\343\353p9^$u\7\270\14\0\11\200\353d\213E\374\213Hx\213u\24\215x,\213\301\301\351\2\363\245\213\310\203\341\3\363\244\3534\213@\149\30t\326\215x\4j\5\353\233\213@\149Xht\307\215xX\353\22\213@\149X\34\353\6\213@\149X4t\262\213\370\213u\24\245\245\245\245\213E\30\11X0\203}\20\2u\6\213E\30\11X\243\300[3\311\205\300\17\224\301\213\361\205\366u\7P\377\25\304\21\375\17_\213\306^\311\302\24\0\314\314\314\314\314\213\377U\213\354\213E\10-\1\200\0\0SVW\17\204\324\0\0\0", ) , ) == 0x0
 01289   896   NtReadFile  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\304\215\226d\1\0\0\211U\300\215U\314R\215F8\215NXPQ\377u\300\211E\260\211M\264\350\5\35\0\0\205\300\17\205q\377\377\377;\337t3\201\373\11f\0\0t+\201\373\3f\0\0t#\201\373\1L\0\0u\11\306E\314\3\210E\315\353\34\201\373\6L\0\0u\24\306E\314\3\306E\315\1\353\12\366E\20\4\17\205\303\376\377\377\366E\20\1t\7\307E\274\1\0\0\0\215E\310Pj\0j\0\215E\314P\377u\10\377u\304\377u\274S\350\365\316\377\377\205\300\17\205\0\377\377\377\213]\20\203\343\4tA\213\266\204\1\0\0\205\366t\15\203\376\1t\10\213}\310!G@\353\14\213E\310\307@@\13\0\0\0\213\370\377w@\215GDP\377u\260\377u\264\377u\300\350L\34\0\0\205\300t\10\351\267\376\377\377\213}\310\213u\270Wj\2V\350\16T\0\0\205\300\17\205\240\376\377\377\203}\304\5u;\366E\20\20u5\205\333u1\213E\14=\1L\0\0t'=\6L\0\0t =\4L\0\0t\31=\5L\0\0t\22\3776\377u\10\350S\375\377\377\205\300\17\205_\376\377\3773\366[3\300\205\366\17\224\300\213\370\205\377u\249E\310t\10\377u\310\350\253\317\377\377V\377\25\304\21\375\17\213M\374\213\307_^\350n\204\0\0\311\302\20\0\314\314\314\314\314\213\377U\213\354\201\354<\1\0\0\241\244B\377\17S3\333f\367E\24\352\373V\213u\30\211E\374W\211\265\304\376\377\377\211\235\324\376\377\377\211\235\360\376\377\377\211\235\314\376\377\377\211\235\350\376\377\377\211\235\344\376\377\377\211\235\320\376\377\377t\12\276\11\0\11\200\351\271\3\0\0S\377u\10\350\274R\0\0\213\370;\373\211\275\324\376\377\377u\12\276\1\0\11\200\351\232\3\0\0\213]\14SW\350\216", ) , ) == 0x0
 01290   896   NtReadFile  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "M\14u\25\213\35\324D\377\17\213G@\213O(\307E\30\1\0\0\0\353\30:\301\17\205C\2\0\0\203e\30\0\213\35\330D\377\17\213GL\213O0\205\300\17\204+\2\0\0\213U\374;J\14\17\205\37\2\0\0\213z\20\213\3603\322\363\246t\5\33\322\203\332\377\205\322\17\205\7\2\0\0\215M\364QP\350U\302\377\3773\3669u\20t"V\215E\14P\215E\24Pj\10\377u\20\377u\10\350:\323\377\377\205\300\17\204\330\1\0\0\301m\24\39u\34\213M\24\213E\364\215D\1\10\213M u\7\211\1\351R\2\0\09\1s\14\211\1\276\352\0\0\0\351B\2\0\0\213}\344\366G\3\360u\24j\1\377u\30SW\350?\35\0\0;\306\17\205h\376\377\3779u\30t\13\213\207<\1\0\0\213\177H\353\11\213\2074\1\0\0\213\177T;\306\211E\30\17\204~\1\0\0;\376u\15\213E\374\366@\11@\17\204Y\1\0\0\215E\364PV\377u\30\350\307\301\377\377\205\300\17\204D\1\0\09u\360\213E\364\213M\24\215<\1u\27W\350\27\367\0\0\213\330;\336\211]\354u\21j\10^\351\266\1\0\0\213]\370\203\303\10\211]\354\215E\364PS\377u\30\350\204\301\377\377\205\300\17\204\1\1\0\09u\20t\36VW\215E\364PSVj\1V\377u\20\377u\10\350D\246\377\377;\306\17\205\270\375\377\377\203}\360\0\213M\364\215Y\10\17\205<\1\0\0\213}\34\213u\354\203\307\10\3516\1\0\0\212\6<\3t\10<\4\17\205\262\0\0\0\213E\374\213@\20\205\300\17\204\270\0\0\0\213X\10\213u\34\203\303\7\301\353\3\203\303\24\205\366\17\204\25\1\0\0\213M 9\31\17\202\12\1\0\0\213\10\213U\370\211J\10\213H\10\211J\14\213H\20\211", ) V\215E\14P\215E\24Pj\10\377u\20\377u\10\350:\323\377\377\205\300\17\204\330\1\0\0\301m\24\39u\34\213M\24\213E\364\215D\1\10\213M u\7\211\1\351R\2\0\09\1s\14\211\1\276\352\0\0\0\351B\2\0\0\213}\344\366G\3\360u\24j\1\377u\30SW\350?\35\0\0;\306\17\205h\376\377\3779u\30t\13\213\207<\1\0\0\213\177H\353\11\213\2074\1\0\0\213\177T;\306\211E\30\17\204~\1\0\0;\376u\15\213E\374\366@\11@\17\204Y\1\0\0\215E\364PV\377u\30\350\307\301\377\377\205\300\17\204D\1\0\09u\360\213E\364\213M\24\215<\1u\27W\350\27\367\0\0\213\330;\336\211]\354u\21j\10^\351\266\1\0\0\213]\370\203\303\10\211]\354\215E\364PS\377u\30\350\204\301\377\377\205\300\17\204\1\1\0\09u\20t\36VW\215E\364PSVj\1V\377u\20\377u\10\350D\246\377\377;\306\17\205\270\375\377\377\203}\360\0\213M\364\215Y\10\17\205<\1\0\0\213}\34\213u\354\203\307\10\3516\1\0\0\212\6<\3t\10<\4\17\205\262\0\0\0\213E\374\213@\20\205\300\17\204\270\0\0\0\213X\10\213u\34\203\303\7\301\353\3\203\303\24\205\366\17\204\25\1\0\0\213M 9\31\17\202\12\1\0\0\213\10\213U\370\211J\10\213H\10\211J\14\213H\20\211", ) == 0x0
 01291   896   NtReadFile  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\26\0\11\200\351\314\1\0\0\213^\10\203\303\7\301\353\3\205\377\17\204\245\1\0\0\213E\2749\30\17\202\232\1\0\0\215E\314PQ\377u\10\377u\14\350\2024\0\0\205\300\17\205b\1\0\0\213\313\213\321\301\351\2\363\253\213\312\203\341\3\363\252\213M\314\213A\4-\1\200\0\0t"Ht\37Ht\34Ht\31\203\350\4\17\205d\1\0\0\366A\24\1u\12\277\14\0\11\200\351Y\1\0\03\3779}\300t-W\377u\300\377\25\254\21\375\17\321\340P\377u\300\377u\14\377u\10\350,\250\377\377\205\300u\13\377\25\310\21\375\17\351\362\0\0\0\213M\314\366A0\1t\7\307E\264\1\0\0\0\213F\4W\211E\310\215E\310P\215E\330Pj\2\377u\14\377u\10\350r\322\377\377\205\300t\305\377v\4\350f\347\0\0;\307\211E\320tS\366E\30\4t#\213M\314\201y\4\4\200\0\0\17\205\316\0\0\0P\377u\264\215E\330\377u\310PS\350\342\375\377\377\353\33P\377u\30\215E\330\377u\310P\213E\314\377p\4V\350\313\374\377\377;\307uo\377v\4\350\23\347\0\0;\307\211E\324u\10j\10_\351\216\0\0\0W\377u\304\213}\254\377u\270W\350\266\14\0\0\205\300uD9E\304t\10\213\207<\1\0\0\353\6\213\2074\1\0\0\205\300u\7\277\15\0\11\200\353\\213N\4;H\4t\7\277\32\0\11\200\353M\213u\324V\377u\320P\377\267\200\1\0\0\350O\37\0\0\205\300t\4\213\370\3532\213}\260\213\313\213\301\301\351\2\363\245\213\310\213E\274\203\341\3\363\244\211\303\377\353\26\213E\274\367\337\33\377\211\30\201\347\352\0\0\0\353\5\277\10\0\11\2003\300\205\377\17\224\300\203}\324\0\213\360t\10\377u\324\350\242\346\0\0\203}\320\0t\10\377u", ) Ht\37Ht\34Ht\31\203\350\4\17\205d\1\0\0\366A\24\1u\12\277\14\0\11\200\351Y\1\0\03\3779}\300t-W\377u\300\377\25\254\21\375\17\321\340P\377u\300\377u\14\377u\10\350,\250\377\377\205\300u\13\377\25\310\21\375\17\351\362\0\0\0\213M\314\366A0\1t\7\307E\264\1\0\0\0\213F\4W\211E\310\215E\310P\215E\330Pj\2\377u\14\377u\10\350r\322\377\377\205\300t\305\377v\4\350f\347\0\0;\307\211E\320tS\366E\30\4t#\213M\314\201y\4\4\200\0\0\17\205\316\0\0\0P\377u\264\215E\330\377u\310PS\350\342\375\377\377\353\33P\377u\30\215E\330\377u\310P\213E\314\377p\4V\350\313\374\377\377;\307uo\377v\4\350\23\347\0\0;\307\211E\324u\10j\10_\351\216\0\0\0W\377u\304\213}\254\377u\270W\350\266\14\0\0\205\300uD9E\304t\10\213\207<\1\0\0\353\6\213\2074\1\0\0\205\300u\7\277\15\0\11\200\353\\213N\4;H\4t\7\277\32\0\11\200\353M\213u\324V\377u\320P\377\267\200\1\0\0\350O\37\0\0\205\300t\4\213\370\3532\213}\260\213\313\213\301\301\351\2\363\245\213\310\213E\274\203\341\3\363\244\211\303\377\353\26\213E\274\367\337\33\377\211\30\201\347\352\0\0\0\353\5\277\10\0\11\2003\300\205\377\17\224\300\203}\324\0\213\360t\10\377u\324\350\242\346\0\0\203}\320\0t\10\377u", ) == 0x0
 01292   896   NtReadFile  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\12\213U\334\211\2\203\301\354Q\203\300\24P\350\241\330\0\0\211E\304\205\300\17\205[\377\377\377\213u\334\213E\340\3770\3776\203}\20\1u\15j\1\377s\\377s(\377s@\353\13j\0\377s\\377s0\377sL\350F'\1\0\211E\344\205\300u\36\367E\310\10\0\0\0t\25\377u\20\377u\310\3775\310D\377\17S\350\263\372\377\377\211E\304\203M\374\377\353\36\307E\344\32\0\11\200\353\3613\300@\303\213e\350\307E\344W\0\0\0\203M\374\377\213]\10\203}\300\0t\15\201\303h\1\0\0S\377\25\270\21\375\17\213}\264\205\377t\34\213M\2603\300\213\321\301\351\2\363\253\213\312\203\341\3\363\252\377u\264\377\25\250\21\375\17\213E\344\350\361W\0\0\302\20\0\314\314\314\314\314\213\377U\213\354\203\354L\241\244B\377\17S3\333V\213u\10\211E\374\213E\14W\211u\314\211E\320\211]\334\211]\324\211]\340\307E\264\20\0\0\0\306E\354p\306E\355\362\306E\356\205\306E\357\36\306E\360N\210]\361\210]\362\210]\363\210]\364\210]\365\210]\366\210]\367\210]\370\210]\371\210]\372\210]\373\215x\1\212\10@:\313u\371+\307\203\300\6\211E\310\350\262\343\0\0\205\300\17\205\27\1\0\0h\320\23\375\17\377\25\230\21\375\17;\303\211E\334\17\204\1\1\0\0\213=\234\21\375\17h\274\23\375\17P\377\327h\244\23\375\17\377u\334\211E\304\377\327\367E\20 \0\0\0\211E\270\17\205\326\0\0\09]\304\17\204\315\0\0\0;\303\17\204\305\0\0\0\213E\310@P\350\220\326\0\0;\303\211E\324\17\204\240\0\0\0\213M\320\276\234\23\375\17\213\370\245f\245\244\213\361\212\21A:\323u\371+\316\213\370\213\321O\212O\1G:\313u\370\213\312\301\351\2\363\245j", ) , ) == 0x0
 01293   896   NtReadFile  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\2r\3\213p\14\203\371\3r\3\213P\30RV\377u\10\215E\24P\377u\20\377u\14\350\226\373\377\377\205\300u\22\367E\20\20\0\0\0u\7\213E\24\203`\10\03\3003\311\205\300\17\224\301\213\361\205\366u\7P\377\25\304\21\375\17\213\306^]\302\20\0\314\314\314\314\314\213\377U\213\3543\3223\3119U\14v\22\213E\10\3\301\210\20A;M\14\306\0\377\210\20r\356]\302\10\0\314\314\314\314\314\213\377U\213\354\203}\10\0V\213u\14t9\201>RSA1t\7\270\3\0\11\200\353A\213F\10j\0j\0\377u\24\203\300\7\301\350\3P\215F\24Pj\4\215F\20P\377u\20\377u\10\350\260\1\1\0\205\300u\25\377u\24\377u\20V\350\377\257\0\0\205\300u\5j\10X\353\23\300^]\302\20\0\314\314\314\314\314\213\377U\213\354\203\354\30\213E\14\213@\10SVW\215P\7j\10\301\352\3^\203\342\7\213\316+\312;\316t\2\3\316\203\300\17\301\350\4\321\351\3\301\215<\200\321\347\213\307\203\340\7t\6\213\316+\310\3\371\203\307\24;=xE\377\17\211}\374w6\241|E\377\17\3\307;\307r+\203\300\10P\350\311\30\1\0\205\300t\36\215G\10\203\300\3\203\340\374\350\343F\0\0\213\334\205\333t\12\307\3Stck\3\336u"\215G\10P\377\25\200E\377\17\213\330\205\333\17\204\355\0\0\0\307\3Heap\3\336\17\204\265\0\0\0\213u\14\213\317\213\301\301\351\2\213\373\363\245\213\310\213E\374\203\341\3\203\300\354\363\244P\215{\24W\350\36\307\0\0\213\360\205\366\17\205\203\0\0\09E\10tg\201;RSA2t\7\276\3\0\11\200\353o\213K\10\213E\14\213@\4\203\301\7\301\351\3@\321\350\215tC\24j\0\215Q\1\321\352\211", ) \215G\10P\377\25\200E\377\17\213\330\205\333\17\204\355\0\0\0\307\3Heap\3\336\17\204\265\0\0\0\213u\14\213\317\213\301\301\351\2\213\373\363\245\213\310\213E\374\203\341\3\203\300\354\363\244P\215{\24W\350\36\307\0\0\213\360\205\366\17\205\203\0\0\09E\10tg\201;RSA2t\7\276\3\0\11\200\353o\213K\10\213E\14\213@\4\203\301\7\301\351\3@\321\350\215tC\24j\0\215Q\1\321\352\211", ) == 0x0
 01294   896   NtReadFile  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\340\350\304\374\377\377\211E\334\205\300t\13\211E\344\211]\374\351W\1\0\0\203}\20\0u2\215~@\211}\244\215\236<\1\0\0\211]\240\215F(\211E\274\215\2068\1\0\0\211E\304\215FH\211E\270\307E\264\1\0\0\0\241\234D\377\17\353-\215~L\211}\244\215\2364\1\0\0\211]\240\215F0\211E\274\215\2060\1\0\0\211E\304\215FT\211E\270\203e\264\0\241\240D\377\17\211E\260\213\7\205\300t\15P\350\2\270\0\0\3773\350\373\267\0\0\203e\314\0\213E\320\213M\304\211\1\213E\300\213M\274\211\1\213E\324\211\3\213E\340\211\7\17\266E\14\203\340\1\213M\270\211\1\366F\3\360u\26\377u\264\377u\14\377u\260V\350N\332\377\377\211E\334\205\300uW\213}\24W\203}\20\0u\36j\2\377u\10\350\21\216\377\377\205\300u\10\377\25\310\21\375\17\3537\215E\330Pj\3\353\24j\1\377u\10\350\363\215\377\377\205\300t\342\215E\330Pj\4\377u\10\3777\350\230\3\0\0\211E\334\205\300t\23= \0\11\200u\3\203\300\343\211E\344\203M\374\377\3536\270\0@\0\0\205E\14t\15\213M\330\11A\10\213E\330\200Hi\1\203M\374\377\203e\344\0\353\253\300@\303\213e\350\307E\344W\0\0\0\203M\374\377\213u\2343\3779}\254t\15\201\306h\1\0\0V\377\25\270\21\375\179}\314t\329}\324t\10\377u\324\350\371\266\0\09}\340t\10\377u\340\350\354\266\0\0\213E\344\350\317\0\0\302\24\0\314\314\314\314\314\213\377U\213\354\203}\14\0\213E\10SVWt\16\213\260<\1\0\0\215H(\215x@\353\14\213\2604\1\0\0\215H0\215xL\213^\10\321\353\203\303?\301\353\5\215\34\335\24\0\0\0\213\301;\30\211", ) , ) == 0x0
 01295   896   NtReadFile  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\377u$\213\310\213E\374\377u \203\341\3\363\244\213M\34\213u\30\215<\20\213\321\301\351\2\363\245h\3\200\0\0\377u\370\213\312\203\341\3\363\244\213u\364\213}\10P\3\336SW\350?\376\377\377\205\300u\36\377u$\3\367\377u\14h\4\200\0\0\377u\370\377u\374SV\350!\376\377\377\205\300t\4\213\360\353\32\213u$\205\366v\21\213E \213M\14+\310\212\24\10\20@Nu\3673\366\203}\14\0t\10\377u\14\350\1\250\0\0\377u\374\350\371\247\0\0_\213\306^[\311\302 \0\314\314\314\314\314\213\377U\213\354\213E\10\213\200$\2\0\0\205\300t\6P\350\323\247\0\0]\302\4\0\314\314\314\314\314\213\377U\213\354\213E\10\213\200<\2\0\0\205\300t\6P\350\262\247\0\0]\302\4\0\314\314\314\314\314\213\377U\213\354Q\203e\374\0S\213]\14\213C\4=\1L\0\0t\37=\4L\0\0t\30=\6L\0\0t\21=\5L\0\0t\12\270\12\0\11\200\351_\2\0\0\203{\30\0VWu$\276h\3\0\0V\350\34\247\0\0\213\370\205\377\211{\30\17\204\342\1\0\0\271\332\0\0\03\300\363\253\211s\24\213E\20\213{\30j\24Y;\301\17\205:\1\0\0\213u\24\213F\14\211\207d\3\0\0\213\6\203\350\0\17\204\246\0\0\0H\17\205\335\1\0\0\213F\10\250\7\17\205\322\1\0\0\215M\374Qj\0\301\350\3P\377v\4\213E\10\377\260\204\1\0\0\350\234o\377\377\205\300u\12\270\11\0\11\200\351\316\1\0\0\213F\4-\1f\0\0t\37Ht\34Ht\31\203\350\6t\24-\370\1\0\0\17\205\211\1\0\0\203\247\\3\0\0\0\353\12\307\207\\3\0\0\10\0\0\0\201{\4\5L\0\0u\25\213F\10\301\350\3;C\14t\12\270\3", ) , ) == 0x0
 01296   896   NtReadFile  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\311\302\20\0\314\314\314\314\314\213\377U\213\354\203\354\30\213E\10S\213X\14\213E\20V3\3663\3119u\24W\211u\364t0\213M\14%\0\4\0\0\211E\360t\23\307E\370\254\26\375\17\307E\20\3\0\0\0\215\14I\353D\307E\370\250\26\375\17\307E\20\2\0\0\0\353+%\0\4\0\0\211E\360t\20\307E\370\240\26\375\17\307E\20\5\0\0\0\353\32\213M\14\307E\370\230\26\375\17\307E\20\4\0\0\0\213\203(\2\0\0\215\14\210\213E\20\17\257E\14\215\4@\3\2030\4\0\0\3\203 \2\0\0\3\203\34\1\0\0\215D\1\1P\211E\354\350\225\227\0\0\213\370;\376\211}\374u\10j\10^\351\323\1\0\0\213M\143\300@9u\24\210\17t';\316v#\211M\24\213M\20\213u\370\213\321\3\370\301\351\2\363\245\213\312\203\341\3\3\302\377M\24\363\244\213}\374u\340\213\2130\4\0\0\213\321\301\351\2\3\370\215\2630\3\0\0\363\245\213\312\203\341\3\363\244\213M\14\3\2030\4\0\0\205\311v$\211M\24\213U\374\213M\20\213u\370\215<\20\213\321\301\351\2\363\245\213\312\203\341\3\3\302\377M\24\363\244u\337\213\213 \2\0\0\213U\374\215<\20\213\321\301\351\2\215\263 \1\0\0\363\245\213\312\203\341\3\363\244\213M\14\3\203 \2\0\0\205\311v$\211M\24\213U\374\213M\20\213u\370\215<\20\213\321\301\351\2\363\245\213\312\203\341\3\3\302\377M\24\363\244u\337\203}\360\0uS\213\213(\2\0\0\213U\374\213\263$\2\0\0\215<\20\213\321\301\351\2\363\245\213\312\203\341\3\363\244\3\203(\2\0\0\203}\14\0v'\213M\14\211M\24\213U\374\213M\20\213u\370\215<\20\213\321\301\351\2\363\245\213\312\203\341\3\3\302\377M\24\363\244u\337\213\213", ) , ) == 0x0
 01297   896   NtReadFile  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "E\10P\245\215E\374Ph\364\26\375\17\245\377\263@\1\0\0\350,\246\377\377\205\300t\4\213\360\353nj\1\215E\364P\215E\370Ph\344\26\375\17\377\263@\1\0\0\350\12\246\377\377\205\300u\336\213u\374\205\366t \213\273X\1\0\0\203\307\10\245\245\245\245\213u\374\213\273X\1\0\0\203\306\20\203\307\30\245\245\245\245\213u\370\205\366t \213\273X\1\0\0\203\307(\245\245\245\245\213u\370\213\273X\1\0\0\203\306\20\203\3078\245\245\245\2453\366\203}\374\0t\10\377u\374\350\361\207\0\0\203}\370\0t\10\377u\370\350\343\207\0\0_\213\306^[\311\302\4\0\314\314\314\314\314\213\377U\213\354SV\213u\10W3\3333\3779\236X\1\0\0u\7\270\26\0\11\200\353T9]\14t(\377u\14\377\25\254\21\375\17\215|\0\2W\350\\207\0\0\213\330\205\333u\5j\10X\3531\377u\14S\377\25x\21\375\17\213\206X\1\0\0\213@H\205\300t\6P\350w\207\0\0\213\206X\1\0\0\211xL\213\206X\1\0\0\211XH3\300_^[]\302\10\0\314\314\314\314\314\213\377U\213\354SV\213u\10\205\366WtE\213\6\213M\14\213]\20\213}\24\211\1\213F\4\211\3\213\7\205\300t\6P\350*\207\0\0\3773\350\340\206\0\0\205\300\211\7u\5j\10X\353\27\213\13\213\370\213\301\301\351\2\203\306\10\363\245\213\310\203\341\3\363\2443\300_^[]\302\20\0\314\314\314\314\314\213\377U\213\354\203\354\24\213M\10\213\201X\1\0\0S3\3339] V\211]\374\213p\4\213E$W\211]\10\211\30t\7\307E\10\1\0\0\03\3009]\34\215}\354\253\253\253\253\307E\354\20\0\0\0t\329Y(\17\204\213\0\0\0\213\201X\1\0\0\215P\10\203\300\30\215", ) , ) == 0x0
 01298   896   NtReadFile  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\0\213\2338\36\375\173\373\213\2318\37\375\173\373\213\2308\34\375\173\373\213\2328\35\375\173\373\213E\103\333\213U\143\3073\327%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538\30\375\17\212\3323\365\213\2518\32\375\173\365\212\316\301\350\20\213\2538\31\375\173\365\212\334\301\352\20\213\2518\33\375\173\365\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338\36\375\173\363\213\2318\37\375\173\363\213\2308\34\375\173\363\213\2328\35\375\173\363\213E\203\333\213U\243\3063\326%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538\30\375\17\212\3323\375\213\2518\32\375\173\375\212\316\301\350\20\213\2538\31\375\173\375\212\334\301\352\20\213\2518\33\375\173\375\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338\36\375\173\373\213\2318\37\375\173\373\213\2308\34\375\173\373\213\2328\35\375\173\373\213E\303\333\213U\343\3073\327%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538\30\375\17\212\3323\365\213\2518\32\375\173\365\212\316\301\350\20\213\2538\31\375\173\365\212\334\301\352\20\213\2518\33\375\173\365\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338\36\375\173\363\213\2318\37\375\173\363\213\2308\34\375\173\363\213\2328\35\375\173\363\213E 3\333\213U$3\3063\326%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538\30\375\17\212\3323\375\213\2518\32\375\173\375\212\316\301\350\20\213\2538\31\375\173\375\212\334\301\352\20\213\2518\33\375\173\375\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338\36\375\17", ) , ) == 0x0
 01299   896   NtReadFile  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "D$ \205\300\17\204\31\7\0\0\213\307\367\320\213\357#\301#\352\3\330\213\6\3\335\3\330\301\350\20\213\357\3\3103\300f\321\303f\213\303#\350\203\360\377#\302\3\315\3\3103\300f\301\301\2f\213\301\213\350\203\360\377#\353#\307\3\320\213F\4\3\320\301\350\20\3\325\3\3703\300f\301\302\3f\213\302\213\350\203\360\377#\303#\351\3\370\3\375\203\306\10f\301\307\5\213\307\367\320\213\357#\301#\352\3\330\213\6\3\335\3\330\301\350\20\213\357\3\3103\300f\321\303f\213\303#\350\203\360\377#\302\3\315\3\3103\300f\301\301\2f\213\301\213\350\203\360\377#\353#\307\3\320\213F\4\3\320\301\350\20\3\325\3\3703\300f\301\302\3f\213\302\213\350\203\360\377#\303#\351\3\370\3\375\203\306\10f\301\307\5\213\307\367\320\213\357#\301#\352\3\330\213\6\3\335\3\330\301\350\20\213\357\3\3103\300f\321\303f\213\303#\350\203\360\377#\302\3\315\3\3103\300f\301\301\2f\213\301\213\350\203\360\377#\353#\307\3\320\213F\4\3\320\301\350\20\3\325\3\3703\300f\301\302\3f\213\302\213\350\203\360\377#\303#\351\3\370\3\375\203\306\10f\301\307\5\213\307\367\320\213\357#\301#\352\3\330\213\6\3\335\3\330\301\350\20\213\357\3\3103\300f\321\303f\213\303#\350\203\360\377#\302\3\315\3\3103\300f\301\301\2f\213\301\213\350\203\360\377#\353#\307\3\320\213F\4\3\320\301\350\20\3\325\3\3703\300f\301\302\3f\213\302\213\350\203\360\377#\303#\351\3\370\3\375\203\306\10f\301\307\5\213\307\367\320\213\357#\301#\352\3\330\213\6\3\335\3\330\301\350\20\213\357\3\3103\300f\321\303f\213\303#\350\203\360\377#\302\3\315\3\3103\300f\301\301\2f\213\301\213\350\203\360\377#\353#\307\3\320\213F\4\3\320", ) , ) == 0x0
 01300   896   NtReadFile  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\345]\302\14\0\314\314\314\314\314\314\314\314\314\314\314\314\314\314\314\213\377U\213\354\213M\14\203\371\1\17\216\346\0\0\0\213E\10V\203\300\26IW\215\233\0\0\0\0\17\266p\374\213<\265XR\375\17\17\266P\375\213\24\225XV\375\17\17\266p\3733\327\213<\265XN\375\17\17\266p\3723\3273\24\265XJ\375\17\211P\372\17\266p\377\213<\265XN\375\17\17\266P\1\213\24\225XV\375\17\17\26603\327\213<\265XR\375\17\17\266p\3763\3273\24\265XJ\375\17\211P\376\17\266p\4\213<\265XR\375\17\17\266P\5\213\24\225XV\375\17\17\266p\33\327\213<\265XN\375\17\17\266p\23\3273\24\265XJ\375\17\211P\2\17\266p\10\17\266P\11\213<\265XR\375\17\17\266p\7\213\24\225XV\375\173\327\213<\265XN\375\17\17\266p\63\3273\24\265XJ\375\17\211P\6\203\300\20I\17\205+\377\377\377_^]\302\10\0\314\314\314\314\314\213\377U\213\354\203\354\30SV\213u\10\213\16W\213}\20\213\27\213_\4\213~\103\312\213V\4\213v\143\323\213]\203{\10\241\244B\377\17\211}\364\213\373\213_\14\17\266}\3663\363\213\34\275X1\375\17\211u\370\301\356\30\2134\265X5\375\173\363\17\266\37634\275X-\375\17\17\266\371\213\34\275X)\375\17\17\266}\3723\363\211E\374\213E\14\2110\213\34\275X1\375\17\213\361\301\356\30\2134\265X5\375\173\363\213]\364\211U\360\17\266\37734\275X-\375\17\17\266\322\213<\225X)\375\17\17\266U\3633\367\211p\4\213<\225X5\375\17\211M\354\17\266u\3563<\265X1\375\17\213U\370\17\266\3663<\265X-\375\17\17\266\363\213\34\265X)\375\17\17\266u\3673\373", ) , ) == 0x0
 01301   896   NtReadFile  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "]\370\301\353\10\17\266\33334\235X-\375\17\17\266]\36434\235X)\375\17\17\266]\362\211p\10\17\266u\367\2134\265X5\375\1734\235X1\375\17\17\266\326\213\34\225X-\375\17\17\266U\3703\363\213\34\225X)\375\17\213U\3503\363\203\301@J\211p\14\211U\350\17\205\365\373\377\377\213\217\220\0\0\0\213\227\224\0\0\0\213\303P\4\213\267\230\0\0\03\3133p\10\213X\14\211u\364\213\267\234\0\0\03\363\211u\370\17\266\361\212\34\265Y)\375\17\210\30\17\266\366\212\34\265Y)\375\17\17\266u\366\210X\1\212\34\265Y)\375\17\213u\370\210X\2\211U\360\17\266\322\301\356\30\212\34\265Y)\375\17\210X\3\212\24\225Y)\375\17\210P\4\213U\364\17\266\366\212\34\265Y)\375\17\17\266u\372\210X\5\212\34\265Y)\375\17\210X\6\211M\354\17\266u\357\212\34\265Y)\375\17\210X\7\17\266\322\212\24\225Y)\375\17\210P\10\213U\370\17\266\366\212\34\265Y)\375\17\17\266u\356\210X\11\212\34\265Y)\375\17\17\266u\363\210X\12\212\34\265Y)\375\17\210X\13\213\30\213p\4\17\266\322\212\24\225Y)\375\17\210P\14\17\266\315\212\24\215Y)\375\17\17\266M\362\210P\15\212\24\215Y)\375\17\17\266M\367\210P\16\212\24\215Y)\375\17\210P\17\213\217\240\0\0\03\331\211\30\213\227\244\0\0\03\362\213P\10\211p\4\213\217\250\0\0\03\321\213H\14\211P\10\213\227\254\0\0\03\312_\211H\14\213M\374^[\350*\304\377\377\213\345]\302\14\0\314\314\314\314\314\314\314\314\314\314\314\314\213\377U\213\354\203\354\30\213U\24\213M\20\301\342\4S\213\34\12V\2154\12\213U\10\213\22W\213~\43\323\213]\103{\4\241\244B\377\17\211", ) , ) == 0x0
 01302   896   NtReadFile  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\375\17\17\266\326\213<\225X=\375\17\213U\3643\367\17\266\37234\275X9\375\17\17\266}\362\211p\10\17\266u\357\2134\265XE\375\1734\275XA\375\17\17\266\326\213<\225X=\375\17\17\266\3233\36734\225X9\375\17\213U\350\203\351@J\211p\14\211U\350\17\205G\374\377\377\213M\20\213q\24\213Q\20\213x\43\20\213X\103\367\213x\14\211u\360\213q\303\363\211u\364\213q\343\367\211u\370\17\266\362\212\236XI\375\17\17\266u\371\210\30\212\236XI\375\17\17\266u\366\210X\1\212\236XI\375\17\213u\360\210X\2\211U\354\301\356\30\212\236XI\375\17\17\266u\360\210X\3\212\236XI\375\17\210X\4\17\266\326\212\222XI\375\17\210P\5\213U\370\301\352\20\17\266\322\212\222XI\375\17\210P\6\213U\364\301\352\30\212\222XI\375\17\210P\7\213U\364\17\266\362\212\236XI\375\17\17\266u\361\210X\10\212\236XI\375\17\17\266u\356\210X\11\212\236XI\375\17\17\266u\373\210X\12\212\236XI\375\17\17\266u\370\210X\13\212\236XI\375\17\213x\4\17\266\326\210X\14\212\222XI\375\17\213\30\213p\10\210P\15\17\266U\362\212\222XI\375\17\210P\16\17\266U\357\212\222XI\375\17\210P\17\213\213\332\211\30\213Q\43\372\211x\4\213Q\103\362\213P\14\211p\10\213I\14_3\321\213M\374^\211P\14[\350H\264\377\377\213\345]\302\14\0\314\314\314\314\314\314\314\314\314\314\213\377U\213\354\203}\24\1\213M\20\213\1uD\203\301\4\203\370\16u\22\213E\10Q\213M\14PQ\350\332\342\377\377]\302\20\0\203\370\12u\22\213U\10\213E\14QRP\350S\351\377\377]\302\20\0\213U\14PQ\213M\10QR\350 \337\377\377", ) , ) == 0x0
 01303   896   NtReadFile  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\377v?SV\213u\10\212\142\17\266\301\213\330\301\353\4\17\266\233H(\375\17\203\340\17\17\266\200H(\375\17\3\330\201\343\1\0\0\200y\5K\203\313\376Cu\6\200\361\1\210\142B;\327r\310^[_]\302\10\0\314\314\314\314\314\314\314\314\314\314\314\314\314\213\377U\213\354V\213u\10W\213}\14WV\350\254\371\377\377\203\307\10W\215\206\200\0\0\0P\350\234\371\377\377\215\276\0\1\0\0\271 \0\0\0\363\245_^]\302\10\0\314\314\314\314\314\314\314\314\314\213\377U\213\354V\213u\14W\213}\10VW\350l\371\377\377\215F\10P\215\217\200\0\0\0Q\350\\371\377\377\203\306\20V\201\307\0\1\0\0W\350L\371\377\377_^]\302\10\0\314\314\314\314\314\314\213\377U\213\354\213E\24\215P\7\301\352\3\215\14\325\0\0\0\0+\310\270\377\0\0\0\323\370S\213]\20V\213u\14\213\313W\213}\10\210E\27\213\301\301\351\2\363\245\213\310\203\341\3\201\373\200\0\0\0\363\244}9\213M\10\277\1\0\0\0\276\200\0\0\0+\373\215D\31\377+\363\215\233\0\0\0\03\311\212\14\73\333\212\30\3\313\201\341\377\0\0\0\212\211 \27\375\17\210H\1@Nu\342\213u\10\17\266M\27\213\306+\302\17\266\270\200\0\0\0\5\200\0\0\0#\317\212\211 \27\375\17\210\10\271\177\0\0\0+\312x\37\215D1\1\215q\1\220\17\266L\2\377\17\26683\317\212\211 \27\375\17\210H\377HNu\351_^3\300[]\302\20\0\314\314\314\314\314\314\314\314\314\314\314\314\314\314\314\314\213L$\203\300\205\311v7W\213|$\14V\213t$\24SU\213\$\24+\376+\336\213\24>\213.\3\320\270\0\0\0\0\23\300\3\325\203\320\0\211\24\36\203\340\1\203\306\4Iu\341][^", ) , ) == 0x0
 01304   896   NtReadFile  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\213\313\215\4\23\213\321\301\351\2\213\360\363\245\213\312\203\341\3\363\244\213u\370\213}\10\213\313\301\351\2\363\245\213\312\213U\360\203\341\3\363\244\213}\374\2154\23\213\313\213\321\301\351\2\363\245\213\312\213U\364\203\341\3\363\244\213\313\213\370\213\301\301\351\2\213\362\363\245\213\310\203\341\3\363\244\213}\370\3\323\213\362\213\313\213\321\301\351\2\363\245\213\312\213U\370\351\317\376\377\377\213E\14\213L\3\374\277\0\0\0\200\205\317t\14\213M\30VQPP\350%\361\377\377\213E\20\205|\3\374t\14\213U\24VRPP\350\20\361\377\377\213E\350\205\300^t\7P\377\25\250\21\375\17_\270\1\0\0\0[\213\345]\302\30\0_3\300[\213\345]\302\30\0\314\314\314\314\314\314\314\314\314\314\213\377U\213\354\201\354\220\0\0\0S\213]\10\213\3W3\377=RSA1\211}\374t\12_3\300[\213\345]\302\14\0\213C\10\321\350V\213\360\301\356\5F\250\37t\1F\213K\20\270\1\0\0\0;\310\215\146u\21\213u\14\213}\20\363\245^_[\213\345]\302\14\0\215C\24QP\211E\370\213E\14P\211M\10\350\223\363\377\377\205\300}b\301\346\3\201\376\210\0\0\0v\24Vj\0\377\25\364\20\375\17\205\300\211E\374tG\213\320\353\6\215\225p\377\377\3773\300\213\316\301\351\2\213\372\363\253\213\316\203\341\3\363\252\213K\20\213E\10P\213E\20\211\12\213M\370QR\213U\14RP\350\355\20\0\0\213\370\213E\374\205\300t\7P\377\25\250\21\375\17^\213\307_[\213\345]\302\14\0\314\314\314\314\314\314\314\314\314\314\314\314\314\314\314\314\314\314\213\377U\213\354\203\354(V\213u\10\201>RSA2u\16\215E\330PV\350\22\6\0\0\205\300u\113\300^\213\345]\302\14\0\213N\10\321\351", ) , ) == 0x0
 01305   896   NtReadFile  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "u\325_^[]\302\14\0\314\314\314\314\314\314\314\314\314\314\314\213\377U\213\354Q\213E\20\205\300VW\17\204\374\0\0\0\213}\14\2154\205\0\0\0\0\213L>\374\205\311\17\204\346\0\0\0\215\14v\215T\301\4Rj\0\377\25\364\20\375\17\205\300\211E\374\17\204\313\0\0\0\215\140S\213]\10\211K\10\3\316\211K\14\3\316\211K\20\213\316\211C\4\213\367\213\370\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213u\20\213K\4\301\346\2\213D\16\374\277\0\0\0\200\205\307u\30\213C\4\213U\20RPPP\350\14\341\377\377\213C\4\205|\6\374t\350\213{\20\215N\4\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213C\20\213}\14\307D0\4\1\0\0\0\213u\20\213S\10\213C\20V\215N\2QRWP\350\351\345\377\377\205\300u\25\213M\374Q\377\25\250\21\375\17[_3\300^\213\345]\302\14\0\213S\10\213C\14VRWP\350\345\340\377\377\2113[_\270\1\0\0\0^\213\345]\302\14\0_3\300^\213\345]\302\14\0\314\314\314\314\314\314\314\213\377U\213\354\203\354\10\213E\10\213H\10\213P\14SV\213u\14W\2138\213@\4\211E\10\215\\276\3703\300;\336\211M\374\211U\370r'\220\213L\273\4;\310Ws\11\213U\374R+\301P\353\7\213U\370R+\310QS\350a\375\377\377\203\353\4;\336s\332\215\34\275\0\0\0\0\213\143;\310s!+\310\211\143\215\244$\0\0\0\0\213E\10WP\215F\4PP\350\1\340\377\377\205\300t\355\353&+\310\211\143\213M\10W\215F\4QP\350\10\343\377\377\205\300|\17\213U\10WR\215F\4PP\350\31\340\377\377\213E\10\213L3\374\213\243WP\213D\3\374PQR\350E", ) , ) == 0x0
 01306   896   NtReadFile  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\253\253\253\2533\300\203e\374\0\215}\364\253\2533\300\215}\354\253\253\215E\374\211E\370\215E\354Pj\0\215E\324Pj\0\215E\344Ph4]\375\17\215E\364P\307E\324\20\0\0\0\307E\364\4\0\0\0\307E\344\21\0\0\0\307E\350 ]\375\17\350\273\371\377\377\203}\360\0\213\370t\11\377u\360\377\25\250\21\375\17\213\307_\311\303\314\314\314\314\314\213\377U\213\354\203\354(3\300VW\215}\330\253\253\253\2533\300\215}\360\253\2533\300\215}\370\2533\3119M\14j\4\253Xt\2\213\310\211E\360\215E\10\211E\364\215E\370PQ\215E\330Pj\0\215E\350Ph4]\375\17\215E\360P\307E\330\20\0\0\0\307E\350\21\0\0\0\307E\354 ]\375\17\3508\371\377\377\205\300t\4\213\360\3533\377u\370\350b\367\377\377\205\300\213U\20\211\2u\5j\10^\353\35\213M\370\213E\24\213u\374\211\10\213:\213\301\301\351\2\363\245\213\310\203\341\3\363\2443\366\203}\374\0t\11\377u\374\377\25\250\21\375\17_\213\306^\311\302\20\0\314\314\314\314\314\213\377U\213\354\203\354(W3\300\215}\330\253\253\253\2533\300\215}\360\253\2533\300\215}\350\253\2533\300\215}\370\2533\3119M\10\253t\3j\4Y\213E\20\211E\360\213E\14j\0\211E\364\215E\350PQ\215E\330Pj\0\215E\370Pj\0\215E\360P\307E\330\20\0\0\0\307E\370\21\0\0\0\307E\374 ]\375\17\350\343\370\377\377\205\300\213M\354t\4\213\370\353\26\203}\350\4t\7\277\26\0\11\200\353\11\213\1\213U\24\211\23\377\205\311t\7Q\377\25\250\21\375\17\213\307_\311\302\20\0\314\314\314\314\314\213\377U\213\354\203\354 \241\244B\377\17S3\333VW\2135D\20\375\17\213}\10\211E\374", ) , ) == 0x0
 01307   896   NtReadFile  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\363\2443\300_^[\311\302\14\0\314\314\314\314\314\213\377U\213\354\203\3548\241\244B\377\17\213M S\213]\34V\2135 \21\375\17W3\377WS\377u\30\211E\374\213E\14W\377u\24\211E\320\377u\20\211M\314P\211}\330\211}\324\377\326\203\370\377\17\205\246\0\0\0\377\25\310\21\375\179}\10\17\204\223\0\0\0\211E\310\215E\330Pj\10\3508\351\377\377;\307uxj\103\300\366E\23\200Y\215}\334\363\253\215E\344\307E\334\1\0\0\0Pt\7hx^\375\17\353\5hd^\375\17j\0\377\25p\20\375\173\377;\307t=\215E\324P\215E\334P\377u\330\307E\354\2\0\0\0\377\25l\20\375\17\205\300t!9}\324t&W\201\313\0\0\0\2S\377u\30W\377u\24\377u\20\377u\320\377\326\203\370\377u\23\377\25\310\21\375\17\213\360\353\20\213u\310\353\13\213\360\353\26\213M\314\211\13\366\203}\330\0t\11\377u\330\377\25\370\20\375\17\213M\374_\213\306^[\350\273d\377\377\311\302\34\0\314\314\314\314\314\213\377U\213\354QQSV\213u\30\203\16\377Wj\33\3773\333\366E\17\200X\211}\374\211E\370t\4C\211E\370\366E\17@t\12j\4X3\333\211E\370\213\370\215E\374P\377u\24\377u\20\350&\376\377\377\205\300ufV\201\317\0\0\0\10W\377u\370S\377u\14\377u\374\377u\10\350\202\376\377\377\205\300t:3\366\203\370 t\5\203\370\5u2\203\376\30s-\377\266\364B\377\17\377\25\20\21\375\17\377u\30\203\306\4W\377u\370S\377u\14\377u\374\377u\10\350H\376\377\377\205\300u\3103\366\353\14\203\370\2\276\26\0\11\200t\2\213\360\203}\374\0t\10\377u\374\350\244\346\377\377_\213\306^[\311\302\24\0\314", ) , ) == 0x0
 01308   896   NtReadFile  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "6\377\327\205\300\17\204\316\0\0\09]\14u\109\235\234\375\377\377tL\215\205\244\375\377\377P\350\14\335\377\377;\303\17\205\277\0\0\09\235\244\375\377\377u\32\276 \0\11\200\353g\215\205\254\375\377\377P\3776\377\327\205\300\17\204\213\0\0\0\377\265\244\375\377\377\215\205\330\375\377\377P\350"\376\377\377\205\300t\327\377\265\224\375\377\377\215\205\330\375\377\377\377\265\230\375\377\377\377\265\250\375\377\377P\377u\14\350\345\373\377\377;\303\17\205k\377\377\3773\3669\235\244\375\377\377t\13\377\265\244\375\377\377\350\354\327\377\3779\235\250\375\377\377t\13\377\265\250\375\377\377\350\331\327\377\3779\235\240\375\377\377t\13\377\265\240\375\377\377\350\306\327\377\377\213M\374_\213\306^[\350\7U\377\377\311\302\30\0\377\25\310\21\375\17\203\370\22u\7\276\3\1\0\0\353\244\213\360\353\240\314\314\314\314\314\213\377U\213\354\201\354(\4\0\0\241\244B\377\17S\213]\14V\2135\24\21\375\17W3\322RR\211E\374\213E\10j\377\211\205\330\373\377\377\213E\30S\211\205\334\373\377\377j\23\300\271\5\1\0\0\215\275\350\373\377\377R\211\225\340\373\377\377\363\253\377\326\213\370\205\377u\15\377\25\310\21\375\17\213\360\351\251\0\0\0\215G\1=\12\2\0\0v(\215D?\2P\350\336\326\377\377\205\300\211\205\344\373\377\377u\10j\10^\351\203\0\0\0\307\205\340\373\377\377\1\0\0\0\353\14\215\205\350\373\377\377\211\205\344\373\377\377W\377\265\344\373\377\377j\377Sj\2j\0\377\326\205\300u\12\377\25\310\21\375\17\213\360\3530\377\265\334\373\377\377\377u\24\377u\20\377\265\344\373\377\377\377\265\330\373\377\377\377\25t\20\375\17\205\300t\14\203\370\2u\325\276\26\0\11\200\353\23\366\203\275\340\373\377\377\0t\24\203\275\344\373\377\377", ) \376\377\377\205\300t\327\377\265\224\375\377\377\215\205\330\375\377\377\377\265\230\375\377\377\377\265\250\375\377\377P\377u\14\350\345\373\377\377;\303\17\205k\377\377\3773\3669\235\244\375\377\377t\13\377\265\244\375\377\377\350\354\327\377\3779\235\250\375\377\377t\13\377\265\250\375\377\377\350\331\327\377\3779\235\240\375\377\377t\13\377\265\240\375\377\377\350\306\327\377\377\213M\374_\213\306^[\350\7U\377\377\311\302\30\0\377\25\310\21\375\17\203\370\22u\7\276\3\1\0\0\353\244\213\360\353\240\314\314\314\314\314\213\377U\213\354\201\354(\4\0\0\241\244B\377\17S\213]\14V\2135\24\21\375\17W3\322RR\211E\374\213E\10j\377\211\205\330\373\377\377\213E\30S\211\205\334\373\377\377j\23\300\271\5\1\0\0\215\275\350\373\377\377R\211\225\340\373\377\377\363\253\377\326\213\370\205\377u\15\377\25\310\21\375\17\213\360\351\251\0\0\0\215G\1=\12\2\0\0v(\215D?\2P\350\336\326\377\377\205\300\211\205\344\373\377\377u\10j\10^\351\203\0\0\0\307\205\340\373\377\377\1\0\0\0\353\14\215\205\350\373\377\377\211\205\344\373\377\377W\377\265\344\373\377\377j\377Sj\2j\0\377\326\205\300u\12\377\25\310\21\375\17\213\360\3530\377\265\334\373\377\377\377u\24\377u\20\377\265\344\373\377\377\377\265\330\373\377\377\377\25t\20\375\17\205\300t\14\203\370\2u\325\276\26\0\11\200\353\23\366\203\275\340\373\377\377\0t\24\203\275\344\373\377\377", ) == 0x0
 01309   896   NtReadFile  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\353U\215E\10P\215E\374PS\350\11\375\377\377\205\300t\4\213\360\3531\213}\30\205\377\213M\10\213E\34u\4\211\10\353\369\10\211\10s\7\276\352\0\0\0\353\23\213u\374\213\301\301\351\2\363\245\213\310\203\341\3\363\2443\366\203}\374\0t\10\377u\374\3507\310\377\377\205\333t\6S\350-\310\377\377[\203}\370\0t\10\377u\370\350\36\310\377\377\203}\364\0t\10\377u\364\350\20\310\377\377_\213\306^\311\302\30\0\314\314\314\314\314\213\377U\213\354V\213u\10\205\366t\24\213F\4\205\300t\7P\377\25\244\21\375\17V\350\342\307\377\377^]\302\4\0\314\314\314\314\314h4\1\0\0hx_\375\17\350\303G\377\377\241\244B\377\17\211E\344\213E\10\211\205\274\376\377\3773\333\211\235\330\376\377\377\211\235\304\376\377\377\211\235\300\376\377\377\211\235\324\376\377\377\211\235\314\376\377\377\211]\374\215\205\324\376\377\377Ph\31\0\2\0ShP_\375\17h\2\0\0\200\377\25\224\20\375\17\211\205\310\376\377\377;\303\17\205\341\0\0\0\307\205\320\376\377\377\5\1\0\0\215\205\320\376\377\377P\215\205\334\376\377\377PSS\277D_\375\17W\377\265\324\376\377\377\2135\300\20\375\17\377\326\211\205\310\376\377\377;\303tL=\352\0\0\0\17\205\236\0\0\0\377\265\320\376\377\377\350\331\306\377\377\211\205\330\376\377\377;\303\17\204\205\0\0\0\307\205\304\376\377\377\1\0\0\0\215\215\320\376\377\377QPSSWh\2\0\0\200\377\326\211\205\310\376\377\377;\303t\16\353]\215\205\334\376\377\377\211\205\330\376\377\377j\14_W\350\216\306\377\377\213\360\211\265\300\376\377\377;\363t<\211>SS\377\265\330\376\377\377\377\25H\21\375\17\211F\4;\303t%h4_\375\17P\377\25\234\21\375\17\211F\10;\303t\22\213", ) , ) == 0x0
 01310   896   NtReadFile  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\350\307E\334\10\0\0\0\377u\330\350~\270\377\377\203M\374\3773\3779}\340t\11\377u\340\377\25\304\20\375\17\213E\334\350\2278\377\377\303\314\314\314\314\314\213\377U\213\354\213M\20\205\311\213E\14V\213u\10u\10\213H$\211N\30\353\6\213P$\211Q$P\350\310\375\377\377\377N$^]\302\14\0\314\314\314\314\314\213\377U\213\354\213U\10\213B\30VW3\3663\3113\377\205\300t#S\205\311t\10\213X ;Y s\4\213\310\213\376\213\360\213@$\205\300u\347WQR\350\223\377\377\377[_^]\302\4\0\314\314\314\314\314\213\377U\213\354VW\377\25l\21\375\17\213U\10\213J,\213u\14\213\3703\300@\203\371\377t\27S\213\337+^ ;\331[v\14\377u\20VR\350R\377\377\3773\300\211~ _^]\302\14\0\314\314\314\314\314\213\377U\213\354QQ\213E\10S\213X\30W3\300\215}\370\253\253\213E\24\203 \0\215E\370P\350\235\266\377\377\205\300t\43\300\353}\205\333twV\213C\24;E\20uI\213s\20\213}\14\212\17\212\301:\16u\32\204\300t\22\212O\1\212\301:N\1u\14GGFF\204\300u\3423\300\353\5\33\300\203\330\377\205\300u\30j\10Y\215{\30\215u\3703\300\363\246t\5\33\300\203\330\377\205\300t\14\213E\24\211\30\213[$\205\333u\243\205\333^t\24\213E\24\3770S\377u\10\350\31\377\377\377\205\300u\23\333\213\303_[\311\302\20\0\314\314\314\314\314\213\377U\213\354QVW\213}\10\213w\30\203e\10\0\377\25l\21\375\17\211E\374+G\349G(w2\205\366t(S\213E\374+F 9G(s\21\377u\10\213^$VW\350M\376\377\377\213\363\353\6\211u\10\213v$\205\366u\332[", ) , ) == 0x0
 01311   896   NtReadFile  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "D\22\2\0\236\21\2\0\252\21\2\0\266\21\2\0\300\21\2\0\316\21\2\0\334\21\2\0\350\21\2\0\372\21\2\0\16\22\2\0"\22\2\00\22\2\0<\26\2\0\0\0\0\0r\21\2\0V\21\2\0B\21\2\0.\21\2\0\24\21\2\0\376\20\2\0\272\22\2\0\322\22\2\0\342\22\2\0\360\22\2\0\376\22\2\0\22\23\2\0\36\23\2\00\23\2\0>\23\2\0J\23\2\0R\23\2\0h\23\2\0x\23\2\0\216\23\2\0\234\23\2\0\260\23\2\0\274\23\2\0\312\23\2\0\330\23\2\0\352\23\2\0\372\23\2\0\20\24\2\0&\24\2\06\24\2\0H\24\2\0Z\24\2\0j\24\2\0z\24\2\0\206\24\2\0\220\24\2\0\242\24\2\0\350\20\2\0\330\20\2\0\276\20\2\0\240\20\2\0\224\20\2\0x\20\2\0b\20\2\0J\20\2\0:\20\2\0.\20\2\0"\20\2\0\6\20\2\0\366\17\2\0\344\17\2\0\330\17\2\0\312\17\2\0\276\17\2\0\262\17\2\0\240\17\2\0\210\17\2\0p\17\2\0d\17\2\0X\17\2\0H\17\2\08\17\2\0\0\0\0\0\216\25\2\0\202\25\2\0v\25\2\0\0\0\0\0\364\16\2\0\376\16\2\0\6\17\2\0\22\17\2\0\34\17\2\0\326\24\2\0\314\24\2\0\302\24\2\0\270\24\2\0\256\24\2\0\340\16\2\0\0\0\0\0\376\24\2\0\10\25\2\0\26\25\2\0&\25\2\0F\25\2\0X\25\2\0\346\24\2\0\0\0\0\0\355\0_except_handler3\0\0\372\1_strlwr\0\245\2free\0\0;\1_initterm\0\330\2malloc\0\0\266\0_adjust_fdiv\0\0msvcrt.dll\0\0h\1GetLas", ) \22\2\00\22\2\0<\26\2\0\0\0\0\0r\21\2\0V\21\2\0B\21\2\0.\21\2\0\24\21\2\0\376\20\2\0\272\22\2\0\322\22\2\0\342\22\2\0\360\22\2\0\376\22\2\0\22\23\2\0\36\23\2\00\23\2\0>\23\2\0J\23\2\0R\23\2\0h\23\2\0x\23\2\0\216\23\2\0\234\23\2\0\260\23\2\0\274\23\2\0\312\23\2\0\330\23\2\0\352\23\2\0\372\23\2\0\20\24\2\0&\24\2\06\24\2\0H\24\2\0Z\24\2\0j\24\2\0z\24\2\0\206\24\2\0\220\24\2\0\242\24\2\0\350\20\2\0\330\20\2\0\276\20\2\0\240\20\2\0\224\20\2\0x\20\2\0b\20\2\0J\20\2\0:\20\2\0.\20\2\0 (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "D\22\2\0\236\21\2\0\252\21\2\0\266\21\2\0\300\21\2\0\316\21\2\0\334\21\2\0\350\21\2\0\372\21\2\0\16\22\2\0"\22\2\00\22\2\0<\26\2\0\0\0\0\0r\21\2\0V\21\2\0B\21\2\0.\21\2\0\24\21\2\0\376\20\2\0\272\22\2\0\322\22\2\0\342\22\2\0\360\22\2\0\376\22\2\0\22\23\2\0\36\23\2\00\23\2\0>\23\2\0J\23\2\0R\23\2\0h\23\2\0x\23\2\0\216\23\2\0\234\23\2\0\260\23\2\0\274\23\2\0\312\23\2\0\330\23\2\0\352\23\2\0\372\23\2\0\20\24\2\0&\24\2\06\24\2\0H\24\2\0Z\24\2\0j\24\2\0z\24\2\0\206\24\2\0\220\24\2\0\242\24\2\0\350\20\2\0\330\20\2\0\276\20\2\0\240\20\2\0\224\20\2\0x\20\2\0b\20\2\0J\20\2\0:\20\2\0.\20\2\0"\20\2\0\6\20\2\0\366\17\2\0\344\17\2\0\330\17\2\0\312\17\2\0\276\17\2\0\262\17\2\0\240\17\2\0\210\17\2\0p\17\2\0d\17\2\0X\17\2\0H\17\2\08\17\2\0\0\0\0\0\216\25\2\0\202\25\2\0v\25\2\0\0\0\0\0\364\16\2\0\376\16\2\0\6\17\2\0\22\17\2\0\34\17\2\0\326\24\2\0\314\24\2\0\302\24\2\0\270\24\2\0\256\24\2\0\340\16\2\0\0\0\0\0\376\24\2\0\10\25\2\0\26\25\2\0&\25\2\0F\25\2\0X\25\2\0\346\24\2\0\0\0\0\0\355\0_except_handler3\0\0\372\1_strlwr\0\245\2free\0\0;\1_initterm\0\330\2malloc\0\0\266\0_adjust_fdiv\0\0msvcrt.dll\0\0h\1GetLas", ) , ) == 0x0
 01312   896   NtReadFile  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\225\13#\305r\230\235IzFN\341\346/\306c!\217f\334\233\314\342'\3'\205\360:\2\373@\0\0\0\0Qt\366\362#\354\241vUX\7q\277\177\12\36kHH\273\222\266*\261\7\244!\321\306\313_@\316\335\272\333\374\27\373\247\275\341\364c\330\236\211\342\335z\354\21\326\251\234\272\307^5\226\246o\177,\0\0\0\0\0\0\0\0RSA1H\0\0\0\0\2\0\0?\0\0\0\1\0\1\0\357L\154\317D\17\261s\254\324\233\276\314-\21*+\275!\4\216\254\255\325\374\322P\245\33C\25bg\217^\0\271%\33\342O\276\241P\241D;\27\330\221\365(\371\372\256\347\300\375\271\315vO\0\0\0\0\0\0\0\0\270/k\211\310\354\364\376\13\360m*\332?\303\350\226\202\205\353\256\1\24s\371\10E\300jm>i\200j\14a\212c\322\373\0\0\0\334\356L\371,\0\0\0\3618)\311\336\0\0\0\224Vx\220\253\315\357YE\232\371'\204t\312\325Xu\22\316\357w\223{\230\337\235\242\334{z\235\223\216\366|\1^\353\1#\4g\10\253\15\357Now is t\254\227M\331\2\23\210,G\334\360\23\177\245\3262\1#Eg\211\253\315\357Now is t?\244\16\212\230MH\25\345\307\315\336\207+\362|\1#Eg\211\253\315\357#Eg\211\253\315\357\1Eg\211\253\315\357\1#Now is t1O\203'\372z\11\250\363\300\377\2l\20\211\1#Eg\211\253\315\357#Eg\211\253\315\357\1Now is t\267\203Wy\356&\254\267\23K\230\370\356\263\366\7\0\1\2\3\4\5\6\7\10\11\12\13\14\15\16\17\0\1\2\3\4\5\6\7\10\11\12\13\14\15\16\17\12\224\13\265An\360E\361\303\224X\306S\352Z", ) , ) == 0x0
 01313   896   NtReadFile  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "age Authentication Code\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0\0\0\4\0\0\200\1\0\0\0@\0\00\0\0\0\11\0\0\0RSA_SIGN\0\0\0\0\0\0\0\0\0\0\0\0\16\0\0\0RSA Signature\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\244\0\0\0\4\0\0\200\1\0\0\0@\0\00\0\0\0\11\0\0\0RSA_KEYX\0\0\0\0\0\0\0\0\0\0\0\0\21\0\0\0RSA Key Exchange\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\11\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0HMAC\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\22\0\0\0Hugo's MAC (HMAC)\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2f\0\0\200\0\0\0(\0\0\0\200\0\0\0\0\0\0\0\4\0\0\0RC2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0RSA Data Security's RC2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1h\0\0\200\0\0\0(\0\0\0\200\0\0\0\0\0\0\0\4\0\0\0", ) , ) == 0x0
 01314   896   NtReadFile  (136, 0, 0, 0, 1924, 0x0, 0, ... {status=0x0, info=1924},  (136, 0, 0, 0, 1924, 0x0, 0, ... {status=0x0, info=1924}, " \1\0\0\0\0\0\0\14\0\0\0SSL3 SHAMD5\0\0\0\0\0\0\0\0\0\14\0\0\0SSL3 SHAMD5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0\0\0\4\0\0\200\1\0\0\0@\0\0 \0\0\0\11\0\0\0RSA_SIGN\0\0\0\0\0\0\0\0\0\0\0\0\16\0\0\0RSA Signature\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10$\377\17\200(\377\17\250-\377\17\09\377\17\340?\377\17\3202\377\17\20\244\37M\331o\320\21\214X\0\300O\331\22k\21\244\37M\331o\320\21\214X\0\300O\331\22k\22\244\37M\331o\320\21\214X\0\300O\331\22k0\214\7\212U7\320\21\240\275\0\252\0aBj\277D\377\377@\273\0\0\0\0\0\0\0\0\0\0\0\0\0\0\320[\375\17\324[\375\17\330[\375\17\334[\375\17\340[\375\17\350[\375\17\360[\375\17\370[\375\17\0\\375\17\14\\375\17\30\\375\17$\\375\170\\375\17@\\375\17P\\375\17`\\375\17\1\0\0\0\12\0\0\0d\0\0\0\364\1\0\0\350\3\0\0\210\23\0\0\0\0\0\0\355\11\377\17\10\12\377\17\0\0\0\0\357\6\377\17\0\0\0\0\333\6\377\17\300\6\377\17\345\6\377\17\0\0\0\0\22\12\377\17\0\0\0\0\310\11\377\17", ) , ) == 0x0
 01315   896   NtQueryInformationFile  (136, 1239192, 8, Position, ... {status=0x0, info=8}, ) == 0x0
 01316   896   NtSetInformationFile  (136, 1239192, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01317   896   NtReadFile  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\1\0\0H\1\0\0\217-l#\214\27<\361\0\07\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0o\0p\0e\0n\0 \0s\0i\0g\0n\0a\0t\0u\0r\0e\0 \0f\0i\0l\0e\0?\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0g\0e\0t\0 \0t\0h\0e\0 \0s\0i\0z\0e\0 \0o\0f\0 \0R\0s\0a\0b\0a\0s\0e\0.\0s\0i\0g\03\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0a\0l\0l\0o\0c\0a\0t\0e\0 \0m\0e\0m\0o\0r\0y\04\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0R\0e\0a\0d\0 \0R\0s\0a\0b\0a\0s\0e\0.\0s\0i\0g\05\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0", ) , ) == 0x0
 01318   896   NtReadFile  (136, 0, 0, 0, 2720, 0x0, 0, ... {status=0x0, info=2720},  (136, 0, 0, 0, 2720, 0x0, 0, ... {status=0x0, info=2720}, "\3047\3247\3427\3607\28\178\358+8\2208\3138\3258\3378\3518\09\79\279$9=9D9Q9\9n9u9\1779\2119\3129\3279\3479\3619\10:\17:\37:*:A:H:X:c:u:|:\206:\223:\316:\333:\353:\365:\14;\23;#;.;B;I;Y;d;v;};\207;\224;\317;\331;\351;\363;\7<\24<$\30>(>6>G>T>d>r>\200>\222>\237>\255>\273>;?]?j?t?~?\226?\247?\256?\275?\323?\332?\341?\360?\0p\1\0\324\1\0\0\20\110\230\370q0x0\2020\2140\2360\2570\2660\3050\3330\3420\3510\3700\121\211\331'1n1z1\2071\2311\2461\2621\3041\3231\3421\3571\3741\112\262%272D2\2732\3422\3512\3632\3752\303&3-373E3R3a3o3\2033\2123\2263\2403\3533\3623\3743\64\304&404?4R4Y4c4r4\2044\2134\2254\2374\3324\3474\3614\3734\165\255\375,5B5I5P5]5o5v5\2005\2125\3035\3125\3245\3365\3645\3735\106\276&616;6H6Z6a6k6u6\2546\2636\2756\3076\3316\3526\3616\07\237\327$737E7L7V7b7\2477\2637\3007\3227\3377\3537\3757\148\338(858", ) , ) == 0x0
 01319   896   NtUnmapViewOfSection  (-1, 0x3c0000, ... ) == 0x0
 01320   896   NtClose  (144, ... ) == 0x0
 01321   896   NtClose  (136, ... ) == 0x0
 01322   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "rsaenh.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01323   896   NtAllocateVirtualMemory  (-1, 1347584, 0, 4096, 4096, 4, ... 1347584, 4096, ) == 0x0
 01324   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\rsaenh.dll"}, 1237944, ... ) }, 1237944, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01325   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rsaenh.dll"}, 1237944, ... ) }, 1237944, ... ) == 0x0
 01326   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rsaenh.dll"}, 5, 96, ... 136, {status=0x0, info=1}, ) }, 5, 96, ... 136, {status=0x0, info=1}, ) == 0x0
 01327   896   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 136, ... 144, ) == 0x0
 01328   896   NtQuerySection  (144, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01329   896   NtClose  (136, ... ) == 0x0
 01330   896   NtMapViewOfSection  (144, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0xffd0000), 0x0, 163840, ) == 0x0
 01331   896   NtClose  (144, ... ) == 0x0
 01332   896   NtProtectVirtualMemory  (-1, (0xffd1000), 560, 4, ... (0xffd1000), 4096, 32, ) == 0x0
 01333   896   NtProtectVirtualMemory  (-1, (0xffd1000), 4096, 32, ... (0xffd1000), 4096, 4, ) == 0x0
 01334   896   NtFlushInstructionCache  (-1, 268242944, 560, ... ) == 0x0
 01335   896   NtProtectVirtualMemory  (-1, (0xffd1000), 560, 4, ... (0xffd1000), 4096, 32, ) == 0x0
 01336   896   NtProtectVirtualMemory  (-1, (0xffd1000), 4096, 32, ... (0xffd1000), 4096, 4, ) == 0x0
 01337   896   NtFlushInstructionCache  (-1, 268242944, 560, ... ) == 0x0
 01338   896   NtProtectVirtualMemory  (-1, (0xffd1000), 560, 4, ... (0xffd1000), 4096, 32, ) == 0x0
 01339   896   NtProtectVirtualMemory  (-1, (0xffd1000), 4096, 32, ... (0xffd1000), 4096, 4, ) == 0x0
 01340   896   NtFlushInstructionCache  (-1, 268242944, 560, ... ) == 0x0
 01341   896   NtProtectVirtualMemory  (-1, (0xffd1000), 560, 4, ... (0xffd1000), 4096, 32, ) == 0x0
 01342   896   NtProtectVirtualMemory  (-1, (0xffd1000), 4096, 32, ... (0xffd1000), 4096, 4, ) == 0x0
 01343   896   NtFlushInstructionCache  (-1, 268242944, 560, ... ) == 0x0
 01344   896   NtProtectVirtualMemory  (-1, (0xffd1000), 560, 4, ... (0xffd1000), 4096, 32, ) == 0x0
 01345   896   NtProtectVirtualMemory  (-1, (0xffd1000), 4096, 32, ... (0xffd1000), 4096, 4, ) == 0x0
 01346   896   NtFlushInstructionCache  (-1, 268242944, 560, ... ) == 0x0
 01347   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rsaenh.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01348   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\crypt32.dll"}, 1236576, ... ) }, 1236576, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01349   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\crypt32.dll"}, 1236576, ... ) }, 1236576, ... ) == 0x0
 01350   896   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1237344,  (0x80100080, {24, 0, 0x40, 0, 1237344, "\??\C:\WINDOWS\system32\crypt32.dll"}, 0x0, 0, 5, 1, 96, 0, 0, ... 144, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 144, {status=0x0, info=1}, ) == 0x0
 01351   896   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 144, ... 136, ) == 0x0
 01352   896   NtClose  (144, ... ) == 0x0
 01353   896   NtMapViewOfSection  (136, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xb40000), {0, 0}, 598016, ) == 0x0
 01354   896   NtClose  (136, ... ) == 0x0
 01355   896   NtAllocateVirtualMemory  (-1, 1351680, 0, 20480, 4096, 4, ... 1351680, 20480, ) == 0x0
 01356   896   NtQueryDefaultLocale  (1, 1236828, ... ) == 0x0
 01357   896   NtQueryVirtualMemory  (-1, 0xb40000, Basic, 28, ... {BaseAddress=0xb40000,AllocationBase=0xb40000,AllocationProtect=0x2,RegionSize=0x92000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01358   896   NtQueryDefaultLocale  (1, 1236828, ... ) == 0x0
 01359   896   NtQueryVirtualMemory  (-1, 0xb40000, Basic, 28, ... {BaseAddress=0xb40000,AllocationBase=0xb40000,AllocationProtect=0x2,RegionSize=0x92000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01360   896   NtQueryDefaultLocale  (1, 1236828, ... ) == 0x0
 01361   896   NtQueryVirtualMemory  (-1, 0xb40000, Basic, 28, ... {BaseAddress=0xb40000,AllocationBase=0xb40000,AllocationProtect=0x2,RegionSize=0x92000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01362   896   NtQueryDefaultLocale  (1, 1236828, ... ) == 0x0
 01363   896   NtQueryVirtualMemory  (-1, 0xb40000, Basic, 28, ... {BaseAddress=0xb40000,AllocationBase=0xb40000,AllocationProtect=0x2,RegionSize=0x92000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01364   896   NtQueryDefaultLocale  (1, 1236828, ... ) == 0x0
 01365   896   NtQueryVirtualMemory  (-1, 0xb40000, Basic, 28, ... {BaseAddress=0xb40000,AllocationBase=0xb40000,AllocationProtect=0x2,RegionSize=0x92000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01366   896   NtQueryDefaultLocale  (1, 1236828, ... ) == 0x0
 01367   896   NtQueryVirtualMemory  (-1, 0xb40000, Basic, 28, ... {BaseAddress=0xb40000,AllocationBase=0xb40000,AllocationProtect=0x2,RegionSize=0x92000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01368   896   NtQueryDefaultLocale  (1, 1236828, ... ) == 0x0
 01369   896   NtQueryVirtualMemory  (-1, 0xb40000, Basic, 28, ... {BaseAddress=0xb40000,AllocationBase=0xb40000,AllocationProtect=0x2,RegionSize=0x92000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01370   896   NtQueryDefaultLocale  (1, 1236828, ... ) == 0x0
 01371   896   NtQueryVirtualMemory  (-1, 0xb40000, Basic, 28, ... {BaseAddress=0xb40000,AllocationBase=0xb40000,AllocationProtect=0x2,RegionSize=0x92000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01372   896   NtQueryDefaultLocale  (1, 1236828, ... ) == 0x0
 01373   896   NtQueryVirtualMemory  (-1, 0xb40000, Basic, 28, ... {BaseAddress=0xb40000,AllocationBase=0xb40000,AllocationProtect=0x2,RegionSize=0x92000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01374   896   NtQueryDefaultLocale  (1, 1236828, ... ) == 0x0
 01375   896   NtQueryVirtualMemory  (-1, 0xb40000, Basic, 28, ... {BaseAddress=0xb40000,AllocationBase=0xb40000,AllocationProtect=0x2,RegionSize=0x92000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01376   896   NtQueryDefaultLocale  (1, 1236828, ... ) == 0x0
 01377   896   NtQueryVirtualMemory  (-1, 0xb40000, Basic, 28, ... {BaseAddress=0xb40000,AllocationBase=0xb40000,AllocationProtect=0x2,RegionSize=0x92000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01378   896   NtQueryDefaultLocale  (1, 1236828, ... ) == 0x0
 01379   896   NtQueryVirtualMemory  (-1, 0xb40000, Basic, 28, ... {BaseAddress=0xb40000,AllocationBase=0xb40000,AllocationProtect=0x2,RegionSize=0x92000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01380   896   NtQueryDefaultLocale  (1, 1236828, ... ) == 0x0
 01381   896   NtQueryVirtualMemory  (-1, 0xb40000, Basic, 28, ... {BaseAddress=0xb40000,AllocationBase=0xb40000,AllocationProtect=0x2,RegionSize=0x92000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01382   896   NtQueryDefaultLocale  (1, 1236828, ... ) == 0x0
 01383   896   NtQueryVirtualMemory  (-1, 0xb40000, Basic, 28, ... {BaseAddress=0xb40000,AllocationBase=0xb40000,AllocationProtect=0x2,RegionSize=0x92000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01384   896   NtQueryDefaultLocale  (1, 1236828, ... ) == 0x0
 01385   896   NtQueryVirtualMemory  (-1, 0xb40000, Basic, 28, ... {BaseAddress=0xb40000,AllocationBase=0xb40000,AllocationProtect=0x2,RegionSize=0x92000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01386   896   NtQueryDefaultLocale  (1, 1236828, ... ) == 0x0
 01387   896   NtQueryVirtualMemory  (-1, 0xb40000, Basic, 28, ... {BaseAddress=0xb40000,AllocationBase=0xb40000,AllocationProtect=0x2,RegionSize=0x92000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01388   896   NtQueryDefaultLocale  (1, 1236828, ... ) == 0x0
 01389   896   NtQueryVirtualMemory  (-1, 0xb40000, Basic, 28, ... {BaseAddress=0xb40000,AllocationBase=0xb40000,AllocationProtect=0x2,RegionSize=0x92000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01390   896   NtQueryDefaultLocale  (1, 1236828, ... ) == 0x0
 01391   896   NtQueryVirtualMemory  (-1, 0xb40000, Basic, 28, ... {BaseAddress=0xb40000,AllocationBase=0xb40000,AllocationProtect=0x2,RegionSize=0x92000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01392   896   NtQueryDefaultLocale  (1, 1236828, ... ) == 0x0
 01393   896   NtQueryVirtualMemory  (-1, 0xb40000, Basic, 28, ... {BaseAddress=0xb40000,AllocationBase=0xb40000,AllocationProtect=0x2,RegionSize=0x92000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01394   896   NtQueryDefaultLocale  (1, 1236828, ... ) == 0x0
 01395   896   NtQueryVirtualMemory  (-1, 0xb40000, Basic, 28, ... {BaseAddress=0xb40000,AllocationBase=0xb40000,AllocationProtect=0x2,RegionSize=0x92000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01396   896   NtQueryDefaultLocale  (1, 1236828, ... ) == 0x0
 01397   896   NtQueryVirtualMemory  (-1, 0xb40000, Basic, 28, ... {BaseAddress=0xb40000,AllocationBase=0xb40000,AllocationProtect=0x2,RegionSize=0x92000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01398   896   NtQueryDefaultLocale  (1, 1236828, ... ) == 0x0
 01399   896   NtQueryVirtualMemory  (-1, 0xb40000, Basic, 28, ... {BaseAddress=0xb40000,AllocationBase=0xb40000,AllocationProtect=0x2,RegionSize=0x92000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01400   896   NtUnmapViewOfSection  (-1, 0xb40000, ... ) == 0x0
 01401   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rsaenh.dll"}, 1236804, ... ) }, 1236804, ... ) == 0x0
 01402   896   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1237580,  (0x80100080, {24, 0, 0x40, 0, 1237580, "\??\C:\WINDOWS\system32\rsaenh.dll"}, 0x0, 0, 3, 1, 96, 0, 0, ... 136, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 96, 0, 0, ... 136, {status=0x0, info=1}, ) == 0x0
 01403   896   NtQueryVolumeInformationFile  (136, 1237764, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01404   896   NtQueryInformationFile  (136, 1237632, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01405   896   NtQueryInformationFile  (136, 1237936, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01406   896   NtClose  (136, ... ) == 0x0
 01407   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rsaenh.dll"}, 1236284, ... ) }, 1236284, ... ) == 0x0
 01408   896   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1237060,  (0x80100080, {24, 0, 0x40, 0, 1237060, "\??\C:\WINDOWS\system32\rsaenh.dll"}, 0x0, 0, 3, 1, 96, 0, 0, ... 136, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 96, 0, 0, ... 136, {status=0x0, info=1}, ) == 0x0
 01409   896   NtQueryVolumeInformationFile  (136, 1237244, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01410   896   NtQueryInformationFile  (136, 1237112, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01411   896   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 136, ... 144, ) == 0x0
 01412   896   NtMapViewOfSection  (144, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x3c0000), {0, 0}, 155648, ) == 0x0
 01413   896   NtQueryDefaultLocale  (1, 1237296, ... ) == 0x0
 01414   896   NtQueryVirtualMemory  (-1, 0x3c0000, Basic, 28, ... {BaseAddress=0x3c0000,AllocationBase=0x3c0000,AllocationProtect=0x2,RegionSize=0x26000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01415   896   NtQueryVirtualMemory  (-1, 0x3c0000, Basic, 28, ... {BaseAddress=0x3c0000,AllocationBase=0x3c0000,AllocationProtect=0x2,RegionSize=0x26000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01416   896   NtQueryDefaultLocale  (1, 1237296, ... ) == 0x0
 01417   896   NtQueryVirtualMemory  (-1, 0x3c0000, Basic, 28, ... {BaseAddress=0x3c0000,AllocationBase=0x3c0000,AllocationProtect=0x2,RegionSize=0x26000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01418   896   NtQueryVirtualMemory  (-1, 0x3c0000, Basic, 28, ... {BaseAddress=0x3c0000,AllocationBase=0x3c0000,AllocationProtect=0x2,RegionSize=0x26000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01419   896   NtReadFile  (136, 0, 0, 0, 328, 0x0, 0, ... {status=0x0, info=328},  (136, 0, 0, 0, 328, 0x0, 0, ... {status=0x0, info=328}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\7\267\232\34C\326\364OC\326\364OC\326\364O\200\331\373OJ\326\364OC\326\365O\320\326\364O\200\331\251OH\326\364O\200\331\250OB\326\364O\200\331\252OB\326\364O\200\331\224OB\326\364O\200\331\253Oj\326\364O\200\331\256OB\326\364ORichC\326\364O\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\4\0(]\353@\0\0\0\0\0\0\0\0\340\0\16!\13\1\7\12\0\14\2\0\0F\0\0\0\0\0\0\3414\1\0\0\20\0\0\0 \2\0\0\0\375\17\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0\200\2\0\0\4\0\0", ) , ) == 0x0
 01420   896   NtQueryInformationFile  (136, 1237460, 8, Position, ... {status=0x0, info=8}, ) == 0x0
 01421   896   NtSetInformationFile  (136, 1237460, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01422   896   NtReadFile  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\3\0\0\10\0\0\4\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\200\30\2\0\273\2\0\08\14\2\0x\0\0\0\0P\2\0P\14\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\2\0\354\16\0\00\22\0\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200`\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\20\0\00\2\0\00\12\2\0\340\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0;\13\2\0\0\20\0\0\0\14\2\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0`.data\0\0\0\210%\0\0\0 \2\0\0$\0\0\0\20\2\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0\300.rsrc\0\0\0P\14\0\0\0P\2\0\0\16\0\0\04\2\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0@.reloc\0\0r\20\0\0\0`\2\0\0\22\0\0\0B\2\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0B\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01423   896   NtReadFile  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0 \0\0@ \0\200\0\0 \0@ \0\0@  \200\0  \0\0\0\0\200\0 \0\200@\0\0\200\0\0 \200@  \0\0\0 \0@ \0\200@\0 \200\0\0\0\0\0 \0\0@\0\0\0\0  \200@\0 \200@  \200\0\0 \200\0\0\0\200@ \0\0@\0\0\0\0  \0@  \0\0 \0\200@ \0\0\0\0\0\200\0 \0\200@  \0\0  \200@\0 \0\0\0\0\0\0 \0\200\0\0\0\200\0 \0\0@\0 \200\0\0 \0@\0 \0@  \200\0  \0@\0\0\0@  \200\0  \0\0\0 \0@ \0\200@\0\0\200\0\0 \200@  \0\0\0\0\0\0 \0\0@\0\0\200@ \0\200\0  \200\0\0 \200@ \0\0@\0\0\0@\0 \200\0@\0\0\0\2\0\0\0\2\0\1\4\0\0\1\4B\0\1\4@\0\0\0B\0\0\0\0\0\0\0\0\0\1\4\2\0\1\4\2\0\0\0@\0\1\4\0\0\0\0B\0\1\0@\0\1\4\2\0\0\4\2\0\1\0@\0\0\4@\0\0\4B\0\1\0\0\0\0\0\2\0\1\4\0\0\1\0B\0\0\4@\0\1\4B\0\0\0B\0\1\4\0\0\0\4B\0\0\4@\0\1\0\2\0\0\0\0\0\1\4B\0\0\0@\0\1\4@\0\1\4\2\0\0\0@\0\0\0\2\0\0\0\0\0\1\4@\0\1\4\2\0\1\4B\0\0\0B\0\0\0\0\0\0\0\2\0\0\4\0\0\1\4\0\0\0\0\2\0\1\0\0\0\0\4\2\0\1\0\2\0\1\0B\0\0\4\2\0\0\0@\0\0\4B\0\1\0\0\0\1\0B\0\1\4\0\0\0\4@\0\0\4B\0\1\4\0\0\1\0B\0\1\0@\0\1\4@\0\0\200\0\200 \0\0\202 ", ) , ) == 0x0
 01424   896   NtReadFile  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\250TT\374m\273\273\326,\26\26:\245\306cc\204\370||\231\356ww\215\366{{\15\377\362\362\275\326kk\261\336ooT\221\305\305P`00\3\2\1\1\251\316gg}V++\31\347\376\376b\265\327\327\346M\253\253\232\354vvE\217\312\312\235\37\202\202@\211\311\311\207\372}}\25\357\372\372\353\262YY\311\216GG\13\373\360\360\354A\255\255g\263\324\324\375_\242\242\352E\257\257\277#\234\234\367S\244\244\226\344rr[\233\300\300\302u\267\267\34\341\375\375\256=\223\223jL&&Zl66A~??\2\365\367\367O\203\314\314\h44\364Q\245\2454\321\345\345\10\371\361\361\223\342qqs\253\330\330Sb11?*\25\25\14\10\4\4R\225\307\307eF##^\235\303\303(0\30\30\2417\226\226\17\12\5\5\265/\232\232\11\16\7\76$\22\22\233\33\200\200=\337\342\342&\315\353\353iN''\315\177\262\262\237\352uu\33\22\11\11\236\35\203\203tX,,.4\32\32-6\33\33\262\334nn\356\264ZZ\373[\240\240\366\244RRMv;;a\267\326\326\316}\263\263{R))>\335\343\343q^//\227\23\204\204\365\246SSh\271\321\321\0\0\0\0,\301\355\355`@  \37\343\374\374\310y\261\261\355\266[[\276\324jjF\215\313\313\331g\276\276Kr99\336\224JJ\324\230LL\350\260XXJ\205\317\317k\273\320\320*\305\357\357\345O\252\252\26\355\373\373\305\206CC\327\232MMUf33\224\21\205\205\317\212EE\20\351\371\371\6\4\2\2\201\376\177\177\360\240PPDx<<\272%\237\237\343K\250\250\363\242QQ\376]\243\243\300\200@@\212\5\217\217\255?\222\222\274!\235\235Hp88\4\361\365\365\337c\274\274\301w\266\266", ) , ) == 0x0
 01425   896   NtReadFile  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\3252\266pHl\t\320\270WBPQ\364\247S~Ae\303\32\27\244\226:'^\313;\253k\361\37\235E\253\254\372X\223K\343\3U 0\372\366\255vm\221\210\314v%\365\2L\374O\345\327\327\305*\313\200&5D\217\265b\243I\336\261Zg%\272\33\230E\352\16\341]\376\300\2\303/u\22\201L\360\243\215F\227\306k\323\371\347\3\217_\225\25\222\234\353\277mz\332\225RY-\324\276\203\323Xt!)I\340iD\216\311\310ju\302\211x\364\216yk\231X>\335'\271q\266\276\341O\27\360\210\255f\311 \254\264}\316:\30c\337J\202\345\321`\227Q3EbS\177\340\261dw\204\273k\256\34\376\201\240\224\371\10+XpHh\31\217E\375\207\224\336l\267R{\370#\253s\323\342rK\2W\343\37\217*fU\253\7\262\353(\3/\265\302\232\206\305{\245\3237\10\3620(\207\262#\277\245\272\2\3j\\355\26\202+\212\317\34\222\247y\264\360\363\7\362\241Ni\342\315e\332\364\325\6\5\276\37\3214b\212\304\246\376\2354.S\240\242\363U2\5\212\341u\244\366\3539\13\203\354\252@`\357\6^q\237Q\275n\20\371>!\212=\226\335\6\256\335>\5FM\346\275\265\221T\215\5q\304]o\4\6\324\377`P\25$\31\230\373\227\326\275\351\314\211@Cwg\331\236\275\260\350B\210\7\211\2138\347\31[\333y\310\356G\241|\12\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*", ) , ) == 0x0
 01426   896   NtReadFile  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "<"\340C.9\367^ 0\372U\354\232\267\1\342\223\272\12\360\210\255\27\376\201\240\34\324\276\203-\332\267\216&\310\254\231;\306\245\2240\234\322\337Y\222\333\322R\200\300\305O\216\311\310D\244\366\353u\252\377\346~\270\344\361c\266\355\374h\14\12g\261\2\3j\272\20\30}\247\36\21p\2544.S\235:'^\226("@\35\236/KG\351d"I\340i)[\373~4U\362s?\177\315P\16q\304]\5c\337J\30m\326G\23\3271\334\312\3318\321\301\313#\306\334\305*\313\327\357\25\350\346\341\34\345\355\363\7\362\360\375\16\377\373\247y\264\222\251p\271\231\273k\256\204\265b\243\217\237]\200\276\221T\215\265\203O\232\250\215F\227\243\0\0\0\0\13\16\11\15\26\34\22\32\35\22\33\27,8$4'6-9:$6.1*?#XpHhS~AeNlZrEbS\177tHl\\177FeQbT~FiZwK\260\340\220\320\273\356\231\335\246\374\202\312\255\362\213\307\234\330\264\344\227\326\275\351\212\304\246\376\201\312\257\363\350\220\330\270\343\236\321\265\376\214\312\242\365\202\303\257\304\250\374\214\317\246\365\201\322\264\356\226\331\272\347\233{\333;\273p\3252\266m\307)\241f\311 \254W\343\37\217\\355\26\202A\377\15\225J\361\4\230#\253s\323(\245z\3365\267a\311>\271h\304\17\223W\347\4\235^\352\31\217E\375\22\201L\360\313;\253k\3005\242f\335'\271q\326)\260|\347\3\217_\354\15\206R\361\37\235E\372\21\224H\223K\343\3\230E\352\16", ) \340C.9\367^ 0\372U\354\232\267\1\342\223\272\12\360\210\255\27\376\201\240\34\324\276\203-\332\267\216&\310\254\231;\306\245\2240\234\322\337Y\222\333\322R\200\300\305O\216\311\310D\244\366\353u\252\377\346~\270\344\361c\266\355\374h\14\12g\261\2\3j\272\20\30}\247\36\21p\2544.S\235:'^\226(213&5D\200|B\17\351rK\2\342`P\25\377nY\30\364Df;\305Jo6\316Xt!\323V},\3307\241\14z9\250\1q+\263\26l%\272\33g\17\2058V\1\2145]\23\227 (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "<"\340C.9\367^ 0\372U\354\232\267\1\342\223\272\12\360\210\255\27\376\201\240\34\324\276\203-\332\267\216&\310\254\231;\306\245\2240\234\322\337Y\222\333\322R\200\300\305O\216\311\310D\244\366\353u\252\377\346~\270\344\361c\266\355\374h\14\12g\261\2\3j\272\20\30}\247\36\21p\2544.S\235:'^\226("@\35\236/KG\351d"I\340i)[\373~4U\362s?\177\315P\16q\304]\5c\337J\30m\326G\23\3271\334\312\3318\321\301\313#\306\334\305*\313\327\357\25\350\346\341\34\345\355\363\7\362\360\375\16\377\373\247y\264\222\251p\271\231\273k\256\204\265b\243\217\237]\200\276\221T\215\265\203O\232\250\215F\227\243\0\0\0\0\13\16\11\15\26\34\22\32\35\22\33\27,8$4'6-9:$6.1*?#XpHhS~AeNlZrEbS\177tHl\\177FeQbT~FiZwK\260\340\220\320\273\356\231\335\246\374\202\312\255\362\213\307\234\330\264\344\227\326\275\351\212\304\246\376\201\312\257\363\350\220\330\270\343\236\321\265\376\214\312\242\365\202\303\257\304\250\374\214\317\246\365\201\322\264\356\226\331\272\347\233{\333;\273p\3252\266m\307)\241f\311 \254W\343\37\217\\355\26\202A\377\15\225J\361\4\230#\253s\323(\245z\3365\267a\311>\271h\304\17\223W\347\4\235^\352\31\217E\375\22\201L\360\313;\253k\3005\242f\335'\271q\326)\260|\347\3\217_\354\15\206R\361\37\235E\372\21\224H\223K\343\3\230E\352\16", ) I\340i)[\373~4U\362s?\177\315P\16q\304]\5c\337J\30m\326G\23\3271\334\312\3318\321\301\313#\306\334\305*\313\327\357\25\350\346\341\34\345\355\363\7\362\360\375\16\377\373\247y\264\222\251p\271\231\273k\256\204\265b\243\217\237]\200\276\221T\215\265\203O\232\250\215F\227\243\0\0\0\0\13\16\11\15\26\34\22\32\35\22\33\27,8$4'6-9:$6.1*?#XpHhS~AeNlZrEbS\177tHl\\177FeQbT~FiZwK\260\340\220\320\273\356\231\335\246\374\202\312\255\362\213\307\234\330\264\344\227\326\275\351\212\304\246\376\201\312\257\363\350\220\330\270\343\236\321\265\376\214\312\242\365\202\303\257\304\250\374\214\317\246\365\201\322\264\356\226\331\272\347\233{\333;\273p\3252\266m\307)\241f\311 \254W\343\37\217\\355\26\202A\377\15\225J\361\4\230#\253s\323(\245z\3365\267a\311>\271h\304\17\223W\347\4\235^\352\31\217E\375\22\201L\360\313;\253k\3005\242f\335'\271q\326)\260|\347\3\217_\354\15\206R\361\37\235E\372\21\224H\223K\343\3\230E\352\16", ) == 0x0
 01427   896   NtReadFile  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "M\0a\0c\0h\0i\0n\0e\0K\0e\0y\0s\0\0\0-%lu\0\0\0\00x%02hx%02hx%02hx%02hx%02hx%02hx\0\0\0\0%lu\0S-%lu-\0\0-\0%\0l\0u\0\0\0\0\00\0x\0%\00\02\0h\0x\0%\00\02\0h\0x\0%\00\02\0h\0x\0%\00\02\0h\0x\0%\00\02\0h\0x\0%\00\02\0h\0x\0\0\0\0\0%\0l\0u\0\0\0S\0-\0%\0l\0u\0-\0\0\0\0\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0C\0r\0y\0p\0t\0o\0\\0R\0S\0A\0\\0\0\0\0\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0C\0r\0y\0p\0t\0o\0\\0D\0S\0S\0\\0\0\0\0\0SeRestorePrivilege\0\0SeBackupPrivilege\0\0\0.DEFAULT\0\0\0\0Software\Microsoft\Cryptography\UserKeys\0\0\0\0Software\Microsoft\Cryptography\MachineKeys\0Software\Microsoft\Cryptography\DSSUserKeys\0*\0\0\0SeSecurityPrivilege\0OffloadModEx", ) , ) == 0x0
 01428   896   NtReadFile  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "3\300@\213M\374_^\350\317\305\0\0\311\302\14\0\314\314\314\314\314\213\377U\213\354\213E\10\203x\4\14u\26\201}\14\1\200\0\0t\11\201}\14\2\200\0\0u\43\300\353\33\300@]\302\10\0\314\314\314\314\314\213\377U\213\354\213E\10-\1\200\0\0VW\17\204\211\0\0\0HtWHt9Ht\12\270\10\0\11\200\351\235\0\0\0jt_W\350\324G\1\0\213\360\205\366u\10j\10X\351\206\0\0\0V\350\311\310\0\0\203&\0\213E\14\2110\213E\20\2118\353ojl_W\350\250G\1\0\213\360\205\366t\324\203fh\0V\350}\310\0\0\353\331jd\350\217G\1\0\213\360\205\366t\273j\31Y3\300\213\376\363\253!F\34V\350\220\24\1\0\213E\20\307\0d\0\0\0\213E\14\2110\353%j8^V\350^G\1\0\213\320\205\322t\2123\300j\16Y\213\372\363\253!B4\213E\20\2110\213E\14\211\203\300_^]\302\14\0\314\314\314\314\314\213\377U\213\354S3\3339]\24VWt\12\277\11\0\11\200\351\243\0\0\0S\377u\10\350[\223\0\0;\303u\12\277\1\0\11\200\351\214\0\0\0\213u\14VP\350\306\376\377\377\205\300u\7\277\10\0\11\200\353wj8\350\351F\1\0\213\3303\322;\332\17\204\361\0\0\0j\163\300Y\213\373\363\253\213M\10\213\306-\2L\0\0\211s\4\211\13\17\204\254\1\0\0-\34\0\0\17\204F\1\0\0\203\350\3\17\204%\1\0\0H\17\204\366\0\0\0Ht\9U\20\17\205\250\1\0\0\215C\10P\215C\14PV\350\205\376\377\377\205\300u\13Sj\1\377u\30\3503\223\0\0\213\3703\300\205\377\17\224\300\213\360\205\366u\36\205\333t\23\213C\14\205\300t\6P\350\236F\1\0S\350\230F", ) , ) == 0x0
 01429   896   NtReadFile  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\253\253\2533\300@S\211s<\211s@\211C\\211C`\211sd\350P\377\377\377\213E\30;\306\213M\20\211K\14t"9u\34t\5\211C\20\353\30\213{\20\213\360\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213M\203\366\201\352\1f\0\0tuJtTJt3\203\352\6t\37\203\352\5t\21Jt\16Jt\13\211s`\211sx\351\200\0\0\0\307Cx\20\0\0\0\353w\203{\14\20uM9u u\31j\20\353\15\203{\14\30u>9u u\12j\30\377s\20\350T\17\1\0\307Cx\10\0\0\0\353J\213E\249\260\204\1\0\0u\11\307Cl(\0\0\0\353\343\213\301\301\340\3\211Cl\353\331j\10_9{\14t\23\277\11\0\11\200;\336t\6S\350\2607\1\0\213\307\353\309u u\11W\377s\20\350\4\17\1\0\211{x\213E$\211\303\300_^[]\302 \0\314\314\314\314\314\213\377U\213\354V\213u\10\213F\20\205\300t\6P\350r7\1\0\213F\30\205\300t\6P\350e7\1\0V\350_7\1\0^]\302\4\0\314\314\314\314\314\213\377U\213\354\213E\14\213M\30W3\3223\377-\0$\0\0\211\21t\31-\1B\0\0tlHtUHtF\203\350\6t5-\367=\0\0u\6\307\1\1\0\0\0\213E\20R\301\340\3P\377u\14\213E\10\3774\205HB\377\17\350\204\207\1\0\205\300t\33\377G\213\307_]\302\24\0\203}\20\20t\360\203}\20\16\353*\203}\20\30t\344\203}\20\25\353\369U\24u\331\213E\20R\301\340\3Ph\2f\0\0\353\267\203}\20\10t\304\203}\20\7u\301\353\274\314\314\314\314\314\213\377U\213\354\213E\14V3\366\205\300t \215M\14Q\377u\20\377p\14\377p\4", ) 9u\34t\5\211C\20\353\30\213{\20\213\360\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213M\203\366\201\352\1f\0\0tuJtTJt3\203\352\6t\37\203\352\5t\21Jt\16Jt\13\211s`\211sx\351\200\0\0\0\307Cx\20\0\0\0\353w\203{\14\20uM9u u\31j\20\353\15\203{\14\30u>9u u\12j\30\377s\20\350T\17\1\0\307Cx\10\0\0\0\353J\213E\249\260\204\1\0\0u\11\307Cl(\0\0\0\353\343\213\301\301\340\3\211Cl\353\331j\10_9{\14t\23\277\11\0\11\200;\336t\6S\350\2607\1\0\213\307\353\309u u\11W\377s\20\350\4\17\1\0\211{x\213E$\211\303\300_^[]\302 \0\314\314\314\314\314\213\377U\213\354V\213u\10\213F\20\205\300t\6P\350r7\1\0\213F\30\205\300t\6P\350e7\1\0V\350_7\1\0^]\302\4\0\314\314\314\314\314\213\377U\213\354\213E\14\213M\30W3\3223\377-\0$\0\0\211\21t\31-\1B\0\0tlHtUHtF\203\350\6t5-\367=\0\0u\6\307\1\1\0\0\0\213E\20R\301\340\3P\377u\14\213E\10\3774\205HB\377\17\350\204\207\1\0\205\300t\33\377G\213\307_]\302\24\0\203}\20\20t\360\203}\20\16\353*\203}\20\30t\344\203}\20\25\353\369U\24u\331\213E\20R\301\340\3Ph\2f\0\0\353\267\203}\20\10t\304\203}\20\7u\301\353\274\314\314\314\314\314\213\377U\213\354\213E\14V3\366\205\300t \215M\14Q\377u\20\377p\14\377p\4", ) == 0x0
 01430   896   NtReadFile  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\1\0\11\200\351\325\0\0\0\215E\10Pj\2V\377u\14\350\237t\0\0\205\300t;\215E\10Pj\3V\377u\14\350\214t\0\0\205\300t(\215E\10Pj\4V\377u\14\350yt\0\0\205\300t\25= \0\11\200\17\205\221\0\0\0\270\3\0\11\200\351\207\0\0\0\213E\20\203\370\12\17\207\313\1\0\0\17\204u\1\0\0H\17\204]\1\0\0H\17\204\342\0\0\0H\17\204\316\0\0\0H\17\204\213\0\0\0HtrH\17\205\317\2\0\0\213E\24\213\20\367\302\300\376\377\377t\7\270\11\0\11\200\353;\367\302\4\0\0\0\213E\10t\20\367@h\4\0\0\0u\7\270\5\0\11\200\353 \271\0\1\0\0\205\321t\5\205Hht\353\213Hh3\312\201\341\4\1\0\03\312\211Hh3\300_3\311\205\300\17\224\301\213\361\205\366u\7P\377\25\304\21\375\17\213\306^]\302\24\0\213E\24\213\0\205\300t\264\203\370@w\257\213M\10\211Ad\353\314\213U\10\213B\4=\0$\0\0\17\204,\377\377\377=\0\244\0\0\17\204!\377\377\377\213M\24\212\1<\1t\20<\2t\14<\4t\10<\3\17\205r\377\377\377\213\1\211B`\353\220\213E\24\2038\1t\210\351^\377\377\377\213M\10\213A\4=\2f\0\0t\13=\1h\0\0\17\205\334\376\377\377\213u\24\205\366u\10jWX\351^\377\377\377\213\207\204\1\0\0\205\300t\13\203\370\1t\6\203a@\0\353\7\307A@\13\0\0\0\213E\10\213H@\205\311t\24\215xD\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213E\10P\350\307\371\377\377\205\300\17\204\24\377\377\377\351\21\377\377\377\213E\10\213Hx\213u\24\215x\34\351g\1\0\0\213M\10\213A\4=\2f\0\0t\13=\1h\0\0\17\205W\376", ) , ) == 0x0
 01431   896   NtReadFile  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "j\10X\351\264\1\0\0\213E\309{\10\213H$\213\372u\25\213\361\301\351\2\2706666\363\253\213\316\203\341\3\363\252\353\21\213s\4\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213E\30\213@ \205\300t\11P\350C\30\1\0\213U\24\213E\30\211P \213C\20\205\300u\14\213E\30\307@,@\0\0\0\353\6\213M\30\211A,\213E\30\377p,\350\323\27\1\0\213\320\205\322\213E\30\211U\24u\24\377p \350\2\30\1\0\213E\30\203` \0\351h\377\377\377\203{\20\0\213H,\213\372u\25\213\361\301\351\2\270\\\\\363\253\213\316\203\341\3\363\252\353\21\213s\14\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213E\30\213@(\205\300t\11P\350\265\27\1\0\213U\24\213E\30\211P(\351\323\0\0\0\213E\30\213H\4\201\351\1\200\0\0\17\204\236\0\0\0I\17\204\217\0\0\0It\177ItnIt\37\203\351\3t\12\270\10\0\11\200\351\244\0\0\0\213x\14j\11\213u\24Y\363\245\351\200\0\0\0\213p\14\215M\374Qj\2\377u\10\377p\20\350{c\0\0;\307t\14= \0\11\200uu\203\300\343\353p9^$u\7\270\14\0\11\200\353d\213E\374\213Hx\213u\24\215x,\213\301\301\351\2\363\245\213\310\203\341\3\363\244\3534\213@\149\30t\326\215x\4j\5\353\233\213@\149Xht\307\215xX\353\22\213@\149X\34\353\6\213@\149X4t\262\213\370\213u\24\245\245\245\245\213E\30\11X0\203}\20\2u\6\213E\30\11X\243\300[3\311\205\300\17\224\301\213\361\205\366u\7P\377\25\304\21\375\17_\213\306^\311\302\24\0\314\314\314\314\314\213\377U\213\354\213E\10-\1\200\0\0SVW\17\204\324\0\0\0", ) , ) == 0x0
 01432   896   NtReadFile  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\304\215\226d\1\0\0\211U\300\215U\314R\215F8\215NXPQ\377u\300\211E\260\211M\264\350\5\35\0\0\205\300\17\205q\377\377\377;\337t3\201\373\11f\0\0t+\201\373\3f\0\0t#\201\373\1L\0\0u\11\306E\314\3\210E\315\353\34\201\373\6L\0\0u\24\306E\314\3\306E\315\1\353\12\366E\20\4\17\205\303\376\377\377\366E\20\1t\7\307E\274\1\0\0\0\215E\310Pj\0j\0\215E\314P\377u\10\377u\304\377u\274S\350\365\316\377\377\205\300\17\205\0\377\377\377\213]\20\203\343\4tA\213\266\204\1\0\0\205\366t\15\203\376\1t\10\213}\310!G@\353\14\213E\310\307@@\13\0\0\0\213\370\377w@\215GDP\377u\260\377u\264\377u\300\350L\34\0\0\205\300t\10\351\267\376\377\377\213}\310\213u\270Wj\2V\350\16T\0\0\205\300\17\205\240\376\377\377\203}\304\5u;\366E\20\20u5\205\333u1\213E\14=\1L\0\0t'=\6L\0\0t =\4L\0\0t\31=\5L\0\0t\22\3776\377u\10\350S\375\377\377\205\300\17\205_\376\377\3773\366[3\300\205\366\17\224\300\213\370\205\377u\249E\310t\10\377u\310\350\253\317\377\377V\377\25\304\21\375\17\213M\374\213\307_^\350n\204\0\0\311\302\20\0\314\314\314\314\314\213\377U\213\354\201\354<\1\0\0\241\244B\377\17S3\333f\367E\24\352\373V\213u\30\211E\374W\211\265\304\376\377\377\211\235\324\376\377\377\211\235\360\376\377\377\211\235\314\376\377\377\211\235\350\376\377\377\211\235\344\376\377\377\211\235\320\376\377\377t\12\276\11\0\11\200\351\271\3\0\0S\377u\10\350\274R\0\0\213\370;\373\211\275\324\376\377\377u\12\276\1\0\11\200\351\232\3\0\0\213]\14SW\350\216", ) , ) == 0x0
 01433   896   NtReadFile  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "M\14u\25\213\35\324D\377\17\213G@\213O(\307E\30\1\0\0\0\353\30:\301\17\205C\2\0\0\203e\30\0\213\35\330D\377\17\213GL\213O0\205\300\17\204+\2\0\0\213U\374;J\14\17\205\37\2\0\0\213z\20\213\3603\322\363\246t\5\33\322\203\332\377\205\322\17\205\7\2\0\0\215M\364QP\350U\302\377\3773\3669u\20t"V\215E\14P\215E\24Pj\10\377u\20\377u\10\350:\323\377\377\205\300\17\204\330\1\0\0\301m\24\39u\34\213M\24\213E\364\215D\1\10\213M u\7\211\1\351R\2\0\09\1s\14\211\1\276\352\0\0\0\351B\2\0\0\213}\344\366G\3\360u\24j\1\377u\30SW\350?\35\0\0;\306\17\205h\376\377\3779u\30t\13\213\207<\1\0\0\213\177H\353\11\213\2074\1\0\0\213\177T;\306\211E\30\17\204~\1\0\0;\376u\15\213E\374\366@\11@\17\204Y\1\0\0\215E\364PV\377u\30\350\307\301\377\377\205\300\17\204D\1\0\09u\360\213E\364\213M\24\215<\1u\27W\350\27\367\0\0\213\330;\336\211]\354u\21j\10^\351\266\1\0\0\213]\370\203\303\10\211]\354\215E\364PS\377u\30\350\204\301\377\377\205\300\17\204\1\1\0\09u\20t\36VW\215E\364PSVj\1V\377u\20\377u\10\350D\246\377\377;\306\17\205\270\375\377\377\203}\360\0\213M\364\215Y\10\17\205<\1\0\0\213}\34\213u\354\203\307\10\3516\1\0\0\212\6<\3t\10<\4\17\205\262\0\0\0\213E\374\213@\20\205\300\17\204\270\0\0\0\213X\10\213u\34\203\303\7\301\353\3\203\303\24\205\366\17\204\25\1\0\0\213M 9\31\17\202\12\1\0\0\213\10\213U\370\211J\10\213H\10\211J\14\213H\20\211", ) V\215E\14P\215E\24Pj\10\377u\20\377u\10\350:\323\377\377\205\300\17\204\330\1\0\0\301m\24\39u\34\213M\24\213E\364\215D\1\10\213M u\7\211\1\351R\2\0\09\1s\14\211\1\276\352\0\0\0\351B\2\0\0\213}\344\366G\3\360u\24j\1\377u\30SW\350?\35\0\0;\306\17\205h\376\377\3779u\30t\13\213\207<\1\0\0\213\177H\353\11\213\2074\1\0\0\213\177T;\306\211E\30\17\204~\1\0\0;\376u\15\213E\374\366@\11@\17\204Y\1\0\0\215E\364PV\377u\30\350\307\301\377\377\205\300\17\204D\1\0\09u\360\213E\364\213M\24\215<\1u\27W\350\27\367\0\0\213\330;\336\211]\354u\21j\10^\351\266\1\0\0\213]\370\203\303\10\211]\354\215E\364PS\377u\30\350\204\301\377\377\205\300\17\204\1\1\0\09u\20t\36VW\215E\364PSVj\1V\377u\20\377u\10\350D\246\377\377;\306\17\205\270\375\377\377\203}\360\0\213M\364\215Y\10\17\205<\1\0\0\213}\34\213u\354\203\307\10\3516\1\0\0\212\6<\3t\10<\4\17\205\262\0\0\0\213E\374\213@\20\205\300\17\204\270\0\0\0\213X\10\213u\34\203\303\7\301\353\3\203\303\24\205\366\17\204\25\1\0\0\213M 9\31\17\202\12\1\0\0\213\10\213U\370\211J\10\213H\10\211J\14\213H\20\211", ) == 0x0
 01434   896   NtReadFile  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\26\0\11\200\351\314\1\0\0\213^\10\203\303\7\301\353\3\205\377\17\204\245\1\0\0\213E\2749\30\17\202\232\1\0\0\215E\314PQ\377u\10\377u\14\350\2024\0\0\205\300\17\205b\1\0\0\213\313\213\321\301\351\2\363\253\213\312\203\341\3\363\252\213M\314\213A\4-\1\200\0\0t"Ht\37Ht\34Ht\31\203\350\4\17\205d\1\0\0\366A\24\1u\12\277\14\0\11\200\351Y\1\0\03\3779}\300t-W\377u\300\377\25\254\21\375\17\321\340P\377u\300\377u\14\377u\10\350,\250\377\377\205\300u\13\377\25\310\21\375\17\351\362\0\0\0\213M\314\366A0\1t\7\307E\264\1\0\0\0\213F\4W\211E\310\215E\310P\215E\330Pj\2\377u\14\377u\10\350r\322\377\377\205\300t\305\377v\4\350f\347\0\0;\307\211E\320tS\366E\30\4t#\213M\314\201y\4\4\200\0\0\17\205\316\0\0\0P\377u\264\215E\330\377u\310PS\350\342\375\377\377\353\33P\377u\30\215E\330\377u\310P\213E\314\377p\4V\350\313\374\377\377;\307uo\377v\4\350\23\347\0\0;\307\211E\324u\10j\10_\351\216\0\0\0W\377u\304\213}\254\377u\270W\350\266\14\0\0\205\300uD9E\304t\10\213\207<\1\0\0\353\6\213\2074\1\0\0\205\300u\7\277\15\0\11\200\353\\213N\4;H\4t\7\277\32\0\11\200\353M\213u\324V\377u\320P\377\267\200\1\0\0\350O\37\0\0\205\300t\4\213\370\3532\213}\260\213\313\213\301\301\351\2\363\245\213\310\213E\274\203\341\3\363\244\211\303\377\353\26\213E\274\367\337\33\377\211\30\201\347\352\0\0\0\353\5\277\10\0\11\2003\300\205\377\17\224\300\203}\324\0\213\360t\10\377u\324\350\242\346\0\0\203}\320\0t\10\377u", ) Ht\37Ht\34Ht\31\203\350\4\17\205d\1\0\0\366A\24\1u\12\277\14\0\11\200\351Y\1\0\03\3779}\300t-W\377u\300\377\25\254\21\375\17\321\340P\377u\300\377u\14\377u\10\350,\250\377\377\205\300u\13\377\25\310\21\375\17\351\362\0\0\0\213M\314\366A0\1t\7\307E\264\1\0\0\0\213F\4W\211E\310\215E\310P\215E\330Pj\2\377u\14\377u\10\350r\322\377\377\205\300t\305\377v\4\350f\347\0\0;\307\211E\320tS\366E\30\4t#\213M\314\201y\4\4\200\0\0\17\205\316\0\0\0P\377u\264\215E\330\377u\310PS\350\342\375\377\377\353\33P\377u\30\215E\330\377u\310P\213E\314\377p\4V\350\313\374\377\377;\307uo\377v\4\350\23\347\0\0;\307\211E\324u\10j\10_\351\216\0\0\0W\377u\304\213}\254\377u\270W\350\266\14\0\0\205\300uD9E\304t\10\213\207<\1\0\0\353\6\213\2074\1\0\0\205\300u\7\277\15\0\11\200\353\\213N\4;H\4t\7\277\32\0\11\200\353M\213u\324V\377u\320P\377\267\200\1\0\0\350O\37\0\0\205\300t\4\213\370\3532\213}\260\213\313\213\301\301\351\2\363\245\213\310\213E\274\203\341\3\363\244\211\303\377\353\26\213E\274\367\337\33\377\211\30\201\347\352\0\0\0\353\5\277\10\0\11\2003\300\205\377\17\224\300\203}\324\0\213\360t\10\377u\324\350\242\346\0\0\203}\320\0t\10\377u", ) == 0x0
 01435   896   NtReadFile  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\12\213U\334\211\2\203\301\354Q\203\300\24P\350\241\330\0\0\211E\304\205\300\17\205[\377\377\377\213u\334\213E\340\3770\3776\203}\20\1u\15j\1\377s\\377s(\377s@\353\13j\0\377s\\377s0\377sL\350F'\1\0\211E\344\205\300u\36\367E\310\10\0\0\0t\25\377u\20\377u\310\3775\310D\377\17S\350\263\372\377\377\211E\304\203M\374\377\353\36\307E\344\32\0\11\200\353\3613\300@\303\213e\350\307E\344W\0\0\0\203M\374\377\213]\10\203}\300\0t\15\201\303h\1\0\0S\377\25\270\21\375\17\213}\264\205\377t\34\213M\2603\300\213\321\301\351\2\363\253\213\312\203\341\3\363\252\377u\264\377\25\250\21\375\17\213E\344\350\361W\0\0\302\20\0\314\314\314\314\314\213\377U\213\354\203\354L\241\244B\377\17S3\333V\213u\10\211E\374\213E\14W\211u\314\211E\320\211]\334\211]\324\211]\340\307E\264\20\0\0\0\306E\354p\306E\355\362\306E\356\205\306E\357\36\306E\360N\210]\361\210]\362\210]\363\210]\364\210]\365\210]\366\210]\367\210]\370\210]\371\210]\372\210]\373\215x\1\212\10@:\313u\371+\307\203\300\6\211E\310\350\262\343\0\0\205\300\17\205\27\1\0\0h\320\23\375\17\377\25\230\21\375\17;\303\211E\334\17\204\1\1\0\0\213=\234\21\375\17h\274\23\375\17P\377\327h\244\23\375\17\377u\334\211E\304\377\327\367E\20 \0\0\0\211E\270\17\205\326\0\0\09]\304\17\204\315\0\0\0;\303\17\204\305\0\0\0\213E\310@P\350\220\326\0\0;\303\211E\324\17\204\240\0\0\0\213M\320\276\234\23\375\17\213\370\245f\245\244\213\361\212\21A:\323u\371+\316\213\370\213\321O\212O\1G:\313u\370\213\312\301\351\2\363\245j", ) , ) == 0x0
 01436   896   NtReadFile  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\2r\3\213p\14\203\371\3r\3\213P\30RV\377u\10\215E\24P\377u\20\377u\14\350\226\373\377\377\205\300u\22\367E\20\20\0\0\0u\7\213E\24\203`\10\03\3003\311\205\300\17\224\301\213\361\205\366u\7P\377\25\304\21\375\17\213\306^]\302\20\0\314\314\314\314\314\213\377U\213\3543\3223\3119U\14v\22\213E\10\3\301\210\20A;M\14\306\0\377\210\20r\356]\302\10\0\314\314\314\314\314\213\377U\213\354\203}\10\0V\213u\14t9\201>RSA1t\7\270\3\0\11\200\353A\213F\10j\0j\0\377u\24\203\300\7\301\350\3P\215F\24Pj\4\215F\20P\377u\20\377u\10\350\260\1\1\0\205\300u\25\377u\24\377u\20V\350\377\257\0\0\205\300u\5j\10X\353\23\300^]\302\20\0\314\314\314\314\314\213\377U\213\354\203\354\30\213E\14\213@\10SVW\215P\7j\10\301\352\3^\203\342\7\213\316+\312;\316t\2\3\316\203\300\17\301\350\4\321\351\3\301\215<\200\321\347\213\307\203\340\7t\6\213\316+\310\3\371\203\307\24;=xE\377\17\211}\374w6\241|E\377\17\3\307;\307r+\203\300\10P\350\311\30\1\0\205\300t\36\215G\10\203\300\3\203\340\374\350\343F\0\0\213\334\205\333t\12\307\3Stck\3\336u"\215G\10P\377\25\200E\377\17\213\330\205\333\17\204\355\0\0\0\307\3Heap\3\336\17\204\265\0\0\0\213u\14\213\317\213\301\301\351\2\213\373\363\245\213\310\213E\374\203\341\3\203\300\354\363\244P\215{\24W\350\36\307\0\0\213\360\205\366\17\205\203\0\0\09E\10tg\201;RSA2t\7\276\3\0\11\200\353o\213K\10\213E\14\213@\4\203\301\7\301\351\3@\321\350\215tC\24j\0\215Q\1\321\352\211", ) \215G\10P\377\25\200E\377\17\213\330\205\333\17\204\355\0\0\0\307\3Heap\3\336\17\204\265\0\0\0\213u\14\213\317\213\301\301\351\2\213\373\363\245\213\310\213E\374\203\341\3\203\300\354\363\244P\215{\24W\350\36\307\0\0\213\360\205\366\17\205\203\0\0\09E\10tg\201;RSA2t\7\276\3\0\11\200\353o\213K\10\213E\14\213@\4\203\301\7\301\351\3@\321\350\215tC\24j\0\215Q\1\321\352\211", ) == 0x0
 01437   896   NtReadFile  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\340\350\304\374\377\377\211E\334\205\300t\13\211E\344\211]\374\351W\1\0\0\203}\20\0u2\215~@\211}\244\215\236<\1\0\0\211]\240\215F(\211E\274\215\2068\1\0\0\211E\304\215FH\211E\270\307E\264\1\0\0\0\241\234D\377\17\353-\215~L\211}\244\215\2364\1\0\0\211]\240\215F0\211E\274\215\2060\1\0\0\211E\304\215FT\211E\270\203e\264\0\241\240D\377\17\211E\260\213\7\205\300t\15P\350\2\270\0\0\3773\350\373\267\0\0\203e\314\0\213E\320\213M\304\211\1\213E\300\213M\274\211\1\213E\324\211\3\213E\340\211\7\17\266E\14\203\340\1\213M\270\211\1\366F\3\360u\26\377u\264\377u\14\377u\260V\350N\332\377\377\211E\334\205\300uW\213}\24W\203}\20\0u\36j\2\377u\10\350\21\216\377\377\205\300u\10\377\25\310\21\375\17\3537\215E\330Pj\3\353\24j\1\377u\10\350\363\215\377\377\205\300t\342\215E\330Pj\4\377u\10\3777\350\230\3\0\0\211E\334\205\300t\23= \0\11\200u\3\203\300\343\211E\344\203M\374\377\3536\270\0@\0\0\205E\14t\15\213M\330\11A\10\213E\330\200Hi\1\203M\374\377\203e\344\0\353\253\300@\303\213e\350\307E\344W\0\0\0\203M\374\377\213u\2343\3779}\254t\15\201\306h\1\0\0V\377\25\270\21\375\179}\314t\329}\324t\10\377u\324\350\371\266\0\09}\340t\10\377u\340\350\354\266\0\0\213E\344\350\317\0\0\302\24\0\314\314\314\314\314\213\377U\213\354\203}\14\0\213E\10SVWt\16\213\260<\1\0\0\215H(\215x@\353\14\213\2604\1\0\0\215H0\215xL\213^\10\321\353\203\303?\301\353\5\215\34\335\24\0\0\0\213\301;\30\211", ) , ) == 0x0
 01438   896   NtReadFile  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\377u$\213\310\213E\374\377u \203\341\3\363\244\213M\34\213u\30\215<\20\213\321\301\351\2\363\245h\3\200\0\0\377u\370\213\312\203\341\3\363\244\213u\364\213}\10P\3\336SW\350?\376\377\377\205\300u\36\377u$\3\367\377u\14h\4\200\0\0\377u\370\377u\374SV\350!\376\377\377\205\300t\4\213\360\353\32\213u$\205\366v\21\213E \213M\14+\310\212\24\10\20@Nu\3673\366\203}\14\0t\10\377u\14\350\1\250\0\0\377u\374\350\371\247\0\0_\213\306^[\311\302 \0\314\314\314\314\314\213\377U\213\354\213E\10\213\200$\2\0\0\205\300t\6P\350\323\247\0\0]\302\4\0\314\314\314\314\314\213\377U\213\354\213E\10\213\200<\2\0\0\205\300t\6P\350\262\247\0\0]\302\4\0\314\314\314\314\314\213\377U\213\354Q\203e\374\0S\213]\14\213C\4=\1L\0\0t\37=\4L\0\0t\30=\6L\0\0t\21=\5L\0\0t\12\270\12\0\11\200\351_\2\0\0\203{\30\0VWu$\276h\3\0\0V\350\34\247\0\0\213\370\205\377\211{\30\17\204\342\1\0\0\271\332\0\0\03\300\363\253\211s\24\213E\20\213{\30j\24Y;\301\17\205:\1\0\0\213u\24\213F\14\211\207d\3\0\0\213\6\203\350\0\17\204\246\0\0\0H\17\205\335\1\0\0\213F\10\250\7\17\205\322\1\0\0\215M\374Qj\0\301\350\3P\377v\4\213E\10\377\260\204\1\0\0\350\234o\377\377\205\300u\12\270\11\0\11\200\351\316\1\0\0\213F\4-\1f\0\0t\37Ht\34Ht\31\203\350\6t\24-\370\1\0\0\17\205\211\1\0\0\203\247\\3\0\0\0\353\12\307\207\\3\0\0\10\0\0\0\201{\4\5L\0\0u\25\213F\10\301\350\3;C\14t\12\270\3", ) , ) == 0x0
 01439   896   NtReadFile  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\311\302\20\0\314\314\314\314\314\213\377U\213\354\203\354\30\213E\10S\213X\14\213E\20V3\3663\3119u\24W\211u\364t0\213M\14%\0\4\0\0\211E\360t\23\307E\370\254\26\375\17\307E\20\3\0\0\0\215\14I\353D\307E\370\250\26\375\17\307E\20\2\0\0\0\353+%\0\4\0\0\211E\360t\20\307E\370\240\26\375\17\307E\20\5\0\0\0\353\32\213M\14\307E\370\230\26\375\17\307E\20\4\0\0\0\213\203(\2\0\0\215\14\210\213E\20\17\257E\14\215\4@\3\2030\4\0\0\3\203 \2\0\0\3\203\34\1\0\0\215D\1\1P\211E\354\350\225\227\0\0\213\370;\376\211}\374u\10j\10^\351\323\1\0\0\213M\143\300@9u\24\210\17t';\316v#\211M\24\213M\20\213u\370\213\321\3\370\301\351\2\363\245\213\312\203\341\3\3\302\377M\24\363\244\213}\374u\340\213\2130\4\0\0\213\321\301\351\2\3\370\215\2630\3\0\0\363\245\213\312\203\341\3\363\244\213M\14\3\2030\4\0\0\205\311v$\211M\24\213U\374\213M\20\213u\370\215<\20\213\321\301\351\2\363\245\213\312\203\341\3\3\302\377M\24\363\244u\337\213\213 \2\0\0\213U\374\215<\20\213\321\301\351\2\215\263 \1\0\0\363\245\213\312\203\341\3\363\244\213M\14\3\203 \2\0\0\205\311v$\211M\24\213U\374\213M\20\213u\370\215<\20\213\321\301\351\2\363\245\213\312\203\341\3\3\302\377M\24\363\244u\337\203}\360\0uS\213\213(\2\0\0\213U\374\213\263$\2\0\0\215<\20\213\321\301\351\2\363\245\213\312\203\341\3\363\244\3\203(\2\0\0\203}\14\0v'\213M\14\211M\24\213U\374\213M\20\213u\370\215<\20\213\321\301\351\2\363\245\213\312\203\341\3\3\302\377M\24\363\244u\337\213\213", ) , ) == 0x0
 01440   896   NtReadFile  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "E\10P\245\215E\374Ph\364\26\375\17\245\377\263@\1\0\0\350,\246\377\377\205\300t\4\213\360\353nj\1\215E\364P\215E\370Ph\344\26\375\17\377\263@\1\0\0\350\12\246\377\377\205\300u\336\213u\374\205\366t \213\273X\1\0\0\203\307\10\245\245\245\245\213u\374\213\273X\1\0\0\203\306\20\203\307\30\245\245\245\245\213u\370\205\366t \213\273X\1\0\0\203\307(\245\245\245\245\213u\370\213\273X\1\0\0\203\306\20\203\3078\245\245\245\2453\366\203}\374\0t\10\377u\374\350\361\207\0\0\203}\370\0t\10\377u\370\350\343\207\0\0_\213\306^[\311\302\4\0\314\314\314\314\314\213\377U\213\354SV\213u\10W3\3333\3779\236X\1\0\0u\7\270\26\0\11\200\353T9]\14t(\377u\14\377\25\254\21\375\17\215|\0\2W\350\\207\0\0\213\330\205\333u\5j\10X\3531\377u\14S\377\25x\21\375\17\213\206X\1\0\0\213@H\205\300t\6P\350w\207\0\0\213\206X\1\0\0\211xL\213\206X\1\0\0\211XH3\300_^[]\302\10\0\314\314\314\314\314\213\377U\213\354SV\213u\10\205\366WtE\213\6\213M\14\213]\20\213}\24\211\1\213F\4\211\3\213\7\205\300t\6P\350*\207\0\0\3773\350\340\206\0\0\205\300\211\7u\5j\10X\353\27\213\13\213\370\213\301\301\351\2\203\306\10\363\245\213\310\203\341\3\363\2443\300_^[]\302\20\0\314\314\314\314\314\213\377U\213\354\203\354\24\213M\10\213\201X\1\0\0S3\3339] V\211]\374\213p\4\213E$W\211]\10\211\30t\7\307E\10\1\0\0\03\3009]\34\215}\354\253\253\253\253\307E\354\20\0\0\0t\329Y(\17\204\213\0\0\0\213\201X\1\0\0\215P\10\203\300\30\215", ) , ) == 0x0
 01441   896   NtReadFile  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\0\213\2338\36\375\173\373\213\2318\37\375\173\373\213\2308\34\375\173\373\213\2328\35\375\173\373\213E\103\333\213U\143\3073\327%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538\30\375\17\212\3323\365\213\2518\32\375\173\365\212\316\301\350\20\213\2538\31\375\173\365\212\334\301\352\20\213\2518\33\375\173\365\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338\36\375\173\363\213\2318\37\375\173\363\213\2308\34\375\173\363\213\2328\35\375\173\363\213E\203\333\213U\243\3063\326%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538\30\375\17\212\3323\375\213\2518\32\375\173\375\212\316\301\350\20\213\2538\31\375\173\375\212\334\301\352\20\213\2518\33\375\173\375\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338\36\375\173\373\213\2318\37\375\173\373\213\2308\34\375\173\373\213\2328\35\375\173\373\213E\303\333\213U\343\3073\327%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538\30\375\17\212\3323\365\213\2518\32\375\173\365\212\316\301\350\20\213\2538\31\375\173\365\212\334\301\352\20\213\2518\33\375\173\365\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338\36\375\173\363\213\2318\37\375\173\363\213\2308\34\375\173\363\213\2328\35\375\173\363\213E 3\333\213U$3\3063\326%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538\30\375\17\212\3323\375\213\2518\32\375\173\375\212\316\301\350\20\213\2538\31\375\173\375\212\334\301\352\20\213\2518\33\375\173\375\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338\36\375\17", ) , ) == 0x0
 01442   896   NtReadFile  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "D$ \205\300\17\204\31\7\0\0\213\307\367\320\213\357#\301#\352\3\330\213\6\3\335\3\330\301\350\20\213\357\3\3103\300f\321\303f\213\303#\350\203\360\377#\302\3\315\3\3103\300f\301\301\2f\213\301\213\350\203\360\377#\353#\307\3\320\213F\4\3\320\301\350\20\3\325\3\3703\300f\301\302\3f\213\302\213\350\203\360\377#\303#\351\3\370\3\375\203\306\10f\301\307\5\213\307\367\320\213\357#\301#\352\3\330\213\6\3\335\3\330\301\350\20\213\357\3\3103\300f\321\303f\213\303#\350\203\360\377#\302\3\315\3\3103\300f\301\301\2f\213\301\213\350\203\360\377#\353#\307\3\320\213F\4\3\320\301\350\20\3\325\3\3703\300f\301\302\3f\213\302\213\350\203\360\377#\303#\351\3\370\3\375\203\306\10f\301\307\5\213\307\367\320\213\357#\301#\352\3\330\213\6\3\335\3\330\301\350\20\213\357\3\3103\300f\321\303f\213\303#\350\203\360\377#\302\3\315\3\3103\300f\301\301\2f\213\301\213\350\203\360\377#\353#\307\3\320\213F\4\3\320\301\350\20\3\325\3\3703\300f\301\302\3f\213\302\213\350\203\360\377#\303#\351\3\370\3\375\203\306\10f\301\307\5\213\307\367\320\213\357#\301#\352\3\330\213\6\3\335\3\330\301\350\20\213\357\3\3103\300f\321\303f\213\303#\350\203\360\377#\302\3\315\3\3103\300f\301\301\2f\213\301\213\350\203\360\377#\353#\307\3\320\213F\4\3\320\301\350\20\3\325\3\3703\300f\301\302\3f\213\302\213\350\203\360\377#\303#\351\3\370\3\375\203\306\10f\301\307\5\213\307\367\320\213\357#\301#\352\3\330\213\6\3\335\3\330\301\350\20\213\357\3\3103\300f\321\303f\213\303#\350\203\360\377#\302\3\315\3\3103\300f\301\301\2f\213\301\213\350\203\360\377#\353#\307\3\320\213F\4\3\320", ) , ) == 0x0
 01443   896   NtReadFile  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\345]\302\14\0\314\314\314\314\314\314\314\314\314\314\314\314\314\314\314\213\377U\213\354\213M\14\203\371\1\17\216\346\0\0\0\213E\10V\203\300\26IW\215\233\0\0\0\0\17\266p\374\213<\265XR\375\17\17\266P\375\213\24\225XV\375\17\17\266p\3733\327\213<\265XN\375\17\17\266p\3723\3273\24\265XJ\375\17\211P\372\17\266p\377\213<\265XN\375\17\17\266P\1\213\24\225XV\375\17\17\26603\327\213<\265XR\375\17\17\266p\3763\3273\24\265XJ\375\17\211P\376\17\266p\4\213<\265XR\375\17\17\266P\5\213\24\225XV\375\17\17\266p\33\327\213<\265XN\375\17\17\266p\23\3273\24\265XJ\375\17\211P\2\17\266p\10\17\266P\11\213<\265XR\375\17\17\266p\7\213\24\225XV\375\173\327\213<\265XN\375\17\17\266p\63\3273\24\265XJ\375\17\211P\6\203\300\20I\17\205+\377\377\377_^]\302\10\0\314\314\314\314\314\213\377U\213\354\203\354\30SV\213u\10\213\16W\213}\20\213\27\213_\4\213~\103\312\213V\4\213v\143\323\213]\203{\10\241\244B\377\17\211}\364\213\373\213_\14\17\266}\3663\363\213\34\275X1\375\17\211u\370\301\356\30\2134\265X5\375\173\363\17\266\37634\275X-\375\17\17\266\371\213\34\275X)\375\17\17\266}\3723\363\211E\374\213E\14\2110\213\34\275X1\375\17\213\361\301\356\30\2134\265X5\375\173\363\213]\364\211U\360\17\266\37734\275X-\375\17\17\266\322\213<\225X)\375\17\17\266U\3633\367\211p\4\213<\225X5\375\17\211M\354\17\266u\3563<\265X1\375\17\213U\370\17\266\3663<\265X-\375\17\17\266\363\213\34\265X)\375\17\17\266u\3673\373", ) , ) == 0x0
 01444   896   NtReadFile  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "]\370\301\353\10\17\266\33334\235X-\375\17\17\266]\36434\235X)\375\17\17\266]\362\211p\10\17\266u\367\2134\265X5\375\1734\235X1\375\17\17\266\326\213\34\225X-\375\17\17\266U\3703\363\213\34\225X)\375\17\213U\3503\363\203\301@J\211p\14\211U\350\17\205\365\373\377\377\213\217\220\0\0\0\213\227\224\0\0\0\213\303P\4\213\267\230\0\0\03\3133p\10\213X\14\211u\364\213\267\234\0\0\03\363\211u\370\17\266\361\212\34\265Y)\375\17\210\30\17\266\366\212\34\265Y)\375\17\17\266u\366\210X\1\212\34\265Y)\375\17\213u\370\210X\2\211U\360\17\266\322\301\356\30\212\34\265Y)\375\17\210X\3\212\24\225Y)\375\17\210P\4\213U\364\17\266\366\212\34\265Y)\375\17\17\266u\372\210X\5\212\34\265Y)\375\17\210X\6\211M\354\17\266u\357\212\34\265Y)\375\17\210X\7\17\266\322\212\24\225Y)\375\17\210P\10\213U\370\17\266\366\212\34\265Y)\375\17\17\266u\356\210X\11\212\34\265Y)\375\17\17\266u\363\210X\12\212\34\265Y)\375\17\210X\13\213\30\213p\4\17\266\322\212\24\225Y)\375\17\210P\14\17\266\315\212\24\215Y)\375\17\17\266M\362\210P\15\212\24\215Y)\375\17\17\266M\367\210P\16\212\24\215Y)\375\17\210P\17\213\217\240\0\0\03\331\211\30\213\227\244\0\0\03\362\213P\10\211p\4\213\217\250\0\0\03\321\213H\14\211P\10\213\227\254\0\0\03\312_\211H\14\213M\374^[\350*\304\377\377\213\345]\302\14\0\314\314\314\314\314\314\314\314\314\314\314\314\213\377U\213\354\203\354\30\213U\24\213M\20\301\342\4S\213\34\12V\2154\12\213U\10\213\22W\213~\43\323\213]\103{\4\241\244B\377\17\211", ) , ) == 0x0
 01445   896   NtReadFile  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\375\17\17\266\326\213<\225X=\375\17\213U\3643\367\17\266\37234\275X9\375\17\17\266}\362\211p\10\17\266u\357\2134\265XE\375\1734\275XA\375\17\17\266\326\213<\225X=\375\17\17\266\3233\36734\225X9\375\17\213U\350\203\351@J\211p\14\211U\350\17\205G\374\377\377\213M\20\213q\24\213Q\20\213x\43\20\213X\103\367\213x\14\211u\360\213q\303\363\211u\364\213q\343\367\211u\370\17\266\362\212\236XI\375\17\17\266u\371\210\30\212\236XI\375\17\17\266u\366\210X\1\212\236XI\375\17\213u\360\210X\2\211U\354\301\356\30\212\236XI\375\17\17\266u\360\210X\3\212\236XI\375\17\210X\4\17\266\326\212\222XI\375\17\210P\5\213U\370\301\352\20\17\266\322\212\222XI\375\17\210P\6\213U\364\301\352\30\212\222XI\375\17\210P\7\213U\364\17\266\362\212\236XI\375\17\17\266u\361\210X\10\212\236XI\375\17\17\266u\356\210X\11\212\236XI\375\17\17\266u\373\210X\12\212\236XI\375\17\17\266u\370\210X\13\212\236XI\375\17\213x\4\17\266\326\210X\14\212\222XI\375\17\213\30\213p\10\210P\15\17\266U\362\212\222XI\375\17\210P\16\17\266U\357\212\222XI\375\17\210P\17\213\213\332\211\30\213Q\43\372\211x\4\213Q\103\362\213P\14\211p\10\213I\14_3\321\213M\374^\211P\14[\350H\264\377\377\213\345]\302\14\0\314\314\314\314\314\314\314\314\314\314\213\377U\213\354\203}\24\1\213M\20\213\1uD\203\301\4\203\370\16u\22\213E\10Q\213M\14PQ\350\332\342\377\377]\302\20\0\203\370\12u\22\213U\10\213E\14QRP\350S\351\377\377]\302\20\0\213U\14PQ\213M\10QR\350 \337\377\377", ) , ) == 0x0
 01446   896   NtReadFile  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\377v?SV\213u\10\212\142\17\266\301\213\330\301\353\4\17\266\233H(\375\17\203\340\17\17\266\200H(\375\17\3\330\201\343\1\0\0\200y\5K\203\313\376Cu\6\200\361\1\210\142B;\327r\310^[_]\302\10\0\314\314\314\314\314\314\314\314\314\314\314\314\314\213\377U\213\354V\213u\10W\213}\14WV\350\254\371\377\377\203\307\10W\215\206\200\0\0\0P\350\234\371\377\377\215\276\0\1\0\0\271 \0\0\0\363\245_^]\302\10\0\314\314\314\314\314\314\314\314\314\213\377U\213\354V\213u\14W\213}\10VW\350l\371\377\377\215F\10P\215\217\200\0\0\0Q\350\\371\377\377\203\306\20V\201\307\0\1\0\0W\350L\371\377\377_^]\302\10\0\314\314\314\314\314\314\213\377U\213\354\213E\24\215P\7\301\352\3\215\14\325\0\0\0\0+\310\270\377\0\0\0\323\370S\213]\20V\213u\14\213\313W\213}\10\210E\27\213\301\301\351\2\363\245\213\310\203\341\3\201\373\200\0\0\0\363\244}9\213M\10\277\1\0\0\0\276\200\0\0\0+\373\215D\31\377+\363\215\233\0\0\0\03\311\212\14\73\333\212\30\3\313\201\341\377\0\0\0\212\211 \27\375\17\210H\1@Nu\342\213u\10\17\266M\27\213\306+\302\17\266\270\200\0\0\0\5\200\0\0\0#\317\212\211 \27\375\17\210\10\271\177\0\0\0+\312x\37\215D1\1\215q\1\220\17\266L\2\377\17\26683\317\212\211 \27\375\17\210H\377HNu\351_^3\300[]\302\20\0\314\314\314\314\314\314\314\314\314\314\314\314\314\314\314\314\213L$\203\300\205\311v7W\213|$\14V\213t$\24SU\213\$\24+\376+\336\213\24>\213.\3\320\270\0\0\0\0\23\300\3\325\203\320\0\211\24\36\203\340\1\203\306\4Iu\341][^", ) , ) == 0x0
 01447   896   NtReadFile  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\213\313\215\4\23\213\321\301\351\2\213\360\363\245\213\312\203\341\3\363\244\213u\370\213}\10\213\313\301\351\2\363\245\213\312\213U\360\203\341\3\363\244\213}\374\2154\23\213\313\213\321\301\351\2\363\245\213\312\213U\364\203\341\3\363\244\213\313\213\370\213\301\301\351\2\213\362\363\245\213\310\203\341\3\363\244\213}\370\3\323\213\362\213\313\213\321\301\351\2\363\245\213\312\213U\370\351\317\376\377\377\213E\14\213L\3\374\277\0\0\0\200\205\317t\14\213M\30VQPP\350%\361\377\377\213E\20\205|\3\374t\14\213U\24VRPP\350\20\361\377\377\213E\350\205\300^t\7P\377\25\250\21\375\17_\270\1\0\0\0[\213\345]\302\30\0_3\300[\213\345]\302\30\0\314\314\314\314\314\314\314\314\314\314\213\377U\213\354\201\354\220\0\0\0S\213]\10\213\3W3\377=RSA1\211}\374t\12_3\300[\213\345]\302\14\0\213C\10\321\350V\213\360\301\356\5F\250\37t\1F\213K\20\270\1\0\0\0;\310\215\146u\21\213u\14\213}\20\363\245^_[\213\345]\302\14\0\215C\24QP\211E\370\213E\14P\211M\10\350\223\363\377\377\205\300}b\301\346\3\201\376\210\0\0\0v\24Vj\0\377\25\364\20\375\17\205\300\211E\374tG\213\320\353\6\215\225p\377\377\3773\300\213\316\301\351\2\213\372\363\253\213\316\203\341\3\363\252\213K\20\213E\10P\213E\20\211\12\213M\370QR\213U\14RP\350\355\20\0\0\213\370\213E\374\205\300t\7P\377\25\250\21\375\17^\213\307_[\213\345]\302\14\0\314\314\314\314\314\314\314\314\314\314\314\314\314\314\314\314\314\314\213\377U\213\354\203\354(V\213u\10\201>RSA2u\16\215E\330PV\350\22\6\0\0\205\300u\113\300^\213\345]\302\14\0\213N\10\321\351", ) , ) == 0x0
 01448   896   NtReadFile  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "u\325_^[]\302\14\0\314\314\314\314\314\314\314\314\314\314\314\213\377U\213\354Q\213E\20\205\300VW\17\204\374\0\0\0\213}\14\2154\205\0\0\0\0\213L>\374\205\311\17\204\346\0\0\0\215\14v\215T\301\4Rj\0\377\25\364\20\375\17\205\300\211E\374\17\204\313\0\0\0\215\140S\213]\10\211K\10\3\316\211K\14\3\316\211K\20\213\316\211C\4\213\367\213\370\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213u\20\213K\4\301\346\2\213D\16\374\277\0\0\0\200\205\307u\30\213C\4\213U\20RPPP\350\14\341\377\377\213C\4\205|\6\374t\350\213{\20\215N\4\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213C\20\213}\14\307D0\4\1\0\0\0\213u\20\213S\10\213C\20V\215N\2QRWP\350\351\345\377\377\205\300u\25\213M\374Q\377\25\250\21\375\17[_3\300^\213\345]\302\14\0\213S\10\213C\14VRWP\350\345\340\377\377\2113[_\270\1\0\0\0^\213\345]\302\14\0_3\300^\213\345]\302\14\0\314\314\314\314\314\314\314\213\377U\213\354\203\354\10\213E\10\213H\10\213P\14SV\213u\14W\2138\213@\4\211E\10\215\\276\3703\300;\336\211M\374\211U\370r'\220\213L\273\4;\310Ws\11\213U\374R+\301P\353\7\213U\370R+\310QS\350a\375\377\377\203\353\4;\336s\332\215\34\275\0\0\0\0\213\143;\310s!+\310\211\143\215\244$\0\0\0\0\213E\10WP\215F\4PP\350\1\340\377\377\205\300t\355\353&+\310\211\143\213M\10W\215F\4QP\350\10\343\377\377\205\300|\17\213U\10WR\215F\4PP\350\31\340\377\377\213E\10\213L3\374\213\243WP\213D\3\374PQR\350E", ) , ) == 0x0
 01449   896   NtReadFile  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\253\253\253\2533\300\203e\374\0\215}\364\253\2533\300\215}\354\253\253\215E\374\211E\370\215E\354Pj\0\215E\324Pj\0\215E\344Ph4]\375\17\215E\364P\307E\324\20\0\0\0\307E\364\4\0\0\0\307E\344\21\0\0\0\307E\350 ]\375\17\350\273\371\377\377\203}\360\0\213\370t\11\377u\360\377\25\250\21\375\17\213\307_\311\303\314\314\314\314\314\213\377U\213\354\203\354(3\300VW\215}\330\253\253\253\2533\300\215}\360\253\2533\300\215}\370\2533\3119M\14j\4\253Xt\2\213\310\211E\360\215E\10\211E\364\215E\370PQ\215E\330Pj\0\215E\350Ph4]\375\17\215E\360P\307E\330\20\0\0\0\307E\350\21\0\0\0\307E\354 ]\375\17\3508\371\377\377\205\300t\4\213\360\3533\377u\370\350b\367\377\377\205\300\213U\20\211\2u\5j\10^\353\35\213M\370\213E\24\213u\374\211\10\213:\213\301\301\351\2\363\245\213\310\203\341\3\363\2443\366\203}\374\0t\11\377u\374\377\25\250\21\375\17_\213\306^\311\302\20\0\314\314\314\314\314\213\377U\213\354\203\354(W3\300\215}\330\253\253\253\2533\300\215}\360\253\2533\300\215}\350\253\2533\300\215}\370\2533\3119M\10\253t\3j\4Y\213E\20\211E\360\213E\14j\0\211E\364\215E\350PQ\215E\330Pj\0\215E\370Pj\0\215E\360P\307E\330\20\0\0\0\307E\370\21\0\0\0\307E\374 ]\375\17\350\343\370\377\377\205\300\213M\354t\4\213\370\353\26\203}\350\4t\7\277\26\0\11\200\353\11\213\1\213U\24\211\23\377\205\311t\7Q\377\25\250\21\375\17\213\307_\311\302\20\0\314\314\314\314\314\213\377U\213\354\203\354 \241\244B\377\17S3\333VW\2135D\20\375\17\213}\10\211E\374", ) , ) == 0x0
 01450   896   NtReadFile  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\363\2443\300_^[\311\302\14\0\314\314\314\314\314\213\377U\213\354\203\3548\241\244B\377\17\213M S\213]\34V\2135 \21\375\17W3\377WS\377u\30\211E\374\213E\14W\377u\24\211E\320\377u\20\211M\314P\211}\330\211}\324\377\326\203\370\377\17\205\246\0\0\0\377\25\310\21\375\179}\10\17\204\223\0\0\0\211E\310\215E\330Pj\10\3508\351\377\377;\307uxj\103\300\366E\23\200Y\215}\334\363\253\215E\344\307E\334\1\0\0\0Pt\7hx^\375\17\353\5hd^\375\17j\0\377\25p\20\375\173\377;\307t=\215E\324P\215E\334P\377u\330\307E\354\2\0\0\0\377\25l\20\375\17\205\300t!9}\324t&W\201\313\0\0\0\2S\377u\30W\377u\24\377u\20\377u\320\377\326\203\370\377u\23\377\25\310\21\375\17\213\360\353\20\213u\310\353\13\213\360\353\26\213M\314\211\13\366\203}\330\0t\11\377u\330\377\25\370\20\375\17\213M\374_\213\306^[\350\273d\377\377\311\302\34\0\314\314\314\314\314\213\377U\213\354QQSV\213u\30\203\16\377Wj\33\3773\333\366E\17\200X\211}\374\211E\370t\4C\211E\370\366E\17@t\12j\4X3\333\211E\370\213\370\215E\374P\377u\24\377u\20\350&\376\377\377\205\300ufV\201\317\0\0\0\10W\377u\370S\377u\14\377u\374\377u\10\350\202\376\377\377\205\300t:3\366\203\370 t\5\203\370\5u2\203\376\30s-\377\266\364B\377\17\377\25\20\21\375\17\377u\30\203\306\4W\377u\370S\377u\14\377u\374\377u\10\350H\376\377\377\205\300u\3103\366\353\14\203\370\2\276\26\0\11\200t\2\213\360\203}\374\0t\10\377u\374\350\244\346\377\377_\213\306^[\311\302\24\0\314", ) , ) == 0x0
 01451   896   NtReadFile  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "6\377\327\205\300\17\204\316\0\0\09]\14u\109\235\234\375\377\377tL\215\205\244\375\377\377P\350\14\335\377\377;\303\17\205\277\0\0\09\235\244\375\377\377u\32\276 \0\11\200\353g\215\205\254\375\377\377P\3776\377\327\205\300\17\204\213\0\0\0\377\265\244\375\377\377\215\205\330\375\377\377P\350"\376\377\377\205\300t\327\377\265\224\375\377\377\215\205\330\375\377\377\377\265\230\375\377\377\377\265\250\375\377\377P\377u\14\350\345\373\377\377;\303\17\205k\377\377\3773\3669\235\244\375\377\377t\13\377\265\244\375\377\377\350\354\327\377\3779\235\250\375\377\377t\13\377\265\250\375\377\377\350\331\327\377\3779\235\240\375\377\377t\13\377\265\240\375\377\377\350\306\327\377\377\213M\374_\213\306^[\350\7U\377\377\311\302\30\0\377\25\310\21\375\17\203\370\22u\7\276\3\1\0\0\353\244\213\360\353\240\314\314\314\314\314\213\377U\213\354\201\354(\4\0\0\241\244B\377\17S\213]\14V\2135\24\21\375\17W3\322RR\211E\374\213E\10j\377\211\205\330\373\377\377\213E\30S\211\205\334\373\377\377j\23\300\271\5\1\0\0\215\275\350\373\377\377R\211\225\340\373\377\377\363\253\377\326\213\370\205\377u\15\377\25\310\21\375\17\213\360\351\251\0\0\0\215G\1=\12\2\0\0v(\215D?\2P\350\336\326\377\377\205\300\211\205\344\373\377\377u\10j\10^\351\203\0\0\0\307\205\340\373\377\377\1\0\0\0\353\14\215\205\350\373\377\377\211\205\344\373\377\377W\377\265\344\373\377\377j\377Sj\2j\0\377\326\205\300u\12\377\25\310\21\375\17\213\360\3530\377\265\334\373\377\377\377u\24\377u\20\377\265\344\373\377\377\377\265\330\373\377\377\377\25t\20\375\17\205\300t\14\203\370\2u\325\276\26\0\11\200\353\23\366\203\275\340\373\377\377\0t\24\203\275\344\373\377\377", ) \376\377\377\205\300t\327\377\265\224\375\377\377\215\205\330\375\377\377\377\265\230\375\377\377\377\265\250\375\377\377P\377u\14\350\345\373\377\377;\303\17\205k\377\377\3773\3669\235\244\375\377\377t\13\377\265\244\375\377\377\350\354\327\377\3779\235\250\375\377\377t\13\377\265\250\375\377\377\350\331\327\377\3779\235\240\375\377\377t\13\377\265\240\375\377\377\350\306\327\377\377\213M\374_\213\306^[\350\7U\377\377\311\302\30\0\377\25\310\21\375\17\203\370\22u\7\276\3\1\0\0\353\244\213\360\353\240\314\314\314\314\314\213\377U\213\354\201\354(\4\0\0\241\244B\377\17S\213]\14V\2135\24\21\375\17W3\322RR\211E\374\213E\10j\377\211\205\330\373\377\377\213E\30S\211\205\334\373\377\377j\23\300\271\5\1\0\0\215\275\350\373\377\377R\211\225\340\373\377\377\363\253\377\326\213\370\205\377u\15\377\25\310\21\375\17\213\360\351\251\0\0\0\215G\1=\12\2\0\0v(\215D?\2P\350\336\326\377\377\205\300\211\205\344\373\377\377u\10j\10^\351\203\0\0\0\307\205\340\373\377\377\1\0\0\0\353\14\215\205\350\373\377\377\211\205\344\373\377\377W\377\265\344\373\377\377j\377Sj\2j\0\377\326\205\300u\12\377\25\310\21\375\17\213\360\3530\377\265\334\373\377\377\377u\24\377u\20\377\265\344\373\377\377\377\265\330\373\377\377\377\25t\20\375\17\205\300t\14\203\370\2u\325\276\26\0\11\200\353\23\366\203\275\340\373\377\377\0t\24\203\275\344\373\377\377", ) == 0x0
 01452   896   NtReadFile  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\353U\215E\10P\215E\374PS\350\11\375\377\377\205\300t\4\213\360\3531\213}\30\205\377\213M\10\213E\34u\4\211\10\353\369\10\211\10s\7\276\352\0\0\0\353\23\213u\374\213\301\301\351\2\363\245\213\310\203\341\3\363\2443\366\203}\374\0t\10\377u\374\3507\310\377\377\205\333t\6S\350-\310\377\377[\203}\370\0t\10\377u\370\350\36\310\377\377\203}\364\0t\10\377u\364\350\20\310\377\377_\213\306^\311\302\30\0\314\314\314\314\314\213\377U\213\354V\213u\10\205\366t\24\213F\4\205\300t\7P\377\25\244\21\375\17V\350\342\307\377\377^]\302\4\0\314\314\314\314\314h4\1\0\0hx_\375\17\350\303G\377\377\241\244B\377\17\211E\344\213E\10\211\205\274\376\377\3773\333\211\235\330\376\377\377\211\235\304\376\377\377\211\235\300\376\377\377\211\235\324\376\377\377\211\235\314\376\377\377\211]\374\215\205\324\376\377\377Ph\31\0\2\0ShP_\375\17h\2\0\0\200\377\25\224\20\375\17\211\205\310\376\377\377;\303\17\205\341\0\0\0\307\205\320\376\377\377\5\1\0\0\215\205\320\376\377\377P\215\205\334\376\377\377PSS\277D_\375\17W\377\265\324\376\377\377\2135\300\20\375\17\377\326\211\205\310\376\377\377;\303tL=\352\0\0\0\17\205\236\0\0\0\377\265\320\376\377\377\350\331\306\377\377\211\205\330\376\377\377;\303\17\204\205\0\0\0\307\205\304\376\377\377\1\0\0\0\215\215\320\376\377\377QPSSWh\2\0\0\200\377\326\211\205\310\376\377\377;\303t\16\353]\215\205\334\376\377\377\211\205\330\376\377\377j\14_W\350\216\306\377\377\213\360\211\265\300\376\377\377;\363t<\211>SS\377\265\330\376\377\377\377\25H\21\375\17\211F\4;\303t%h4_\375\17P\377\25\234\21\375\17\211F\10;\303t\22\213", ) , ) == 0x0
 01453   896   NtReadFile  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\350\307E\334\10\0\0\0\377u\330\350~\270\377\377\203M\374\3773\3779}\340t\11\377u\340\377\25\304\20\375\17\213E\334\350\2278\377\377\303\314\314\314\314\314\213\377U\213\354\213M\20\205\311\213E\14V\213u\10u\10\213H$\211N\30\353\6\213P$\211Q$P\350\310\375\377\377\377N$^]\302\14\0\314\314\314\314\314\213\377U\213\354\213U\10\213B\30VW3\3663\3113\377\205\300t#S\205\311t\10\213X ;Y s\4\213\310\213\376\213\360\213@$\205\300u\347WQR\350\223\377\377\377[_^]\302\4\0\314\314\314\314\314\213\377U\213\354VW\377\25l\21\375\17\213U\10\213J,\213u\14\213\3703\300@\203\371\377t\27S\213\337+^ ;\331[v\14\377u\20VR\350R\377\377\3773\300\211~ _^]\302\14\0\314\314\314\314\314\213\377U\213\354QQ\213E\10S\213X\30W3\300\215}\370\253\253\213E\24\203 \0\215E\370P\350\235\266\377\377\205\300t\43\300\353}\205\333twV\213C\24;E\20uI\213s\20\213}\14\212\17\212\301:\16u\32\204\300t\22\212O\1\212\301:N\1u\14GGFF\204\300u\3423\300\353\5\33\300\203\330\377\205\300u\30j\10Y\215{\30\215u\3703\300\363\246t\5\33\300\203\330\377\205\300t\14\213E\24\211\30\213[$\205\333u\243\205\333^t\24\213E\24\3770S\377u\10\350\31\377\377\377\205\300u\23\333\213\303_[\311\302\20\0\314\314\314\314\314\213\377U\213\354QVW\213}\10\213w\30\203e\10\0\377\25l\21\375\17\211E\374+G\349G(w2\205\366t(S\213E\374+F 9G(s\21\377u\10\213^$VW\350M\376\377\377\213\363\353\6\211u\10\213v$\205\366u\332[", ) , ) == 0x0
 01454   896   NtReadFile  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "D\22\2\0\236\21\2\0\252\21\2\0\266\21\2\0\300\21\2\0\316\21\2\0\334\21\2\0\350\21\2\0\372\21\2\0\16\22\2\0"\22\2\00\22\2\0<\26\2\0\0\0\0\0r\21\2\0V\21\2\0B\21\2\0.\21\2\0\24\21\2\0\376\20\2\0\272\22\2\0\322\22\2\0\342\22\2\0\360\22\2\0\376\22\2\0\22\23\2\0\36\23\2\00\23\2\0>\23\2\0J\23\2\0R\23\2\0h\23\2\0x\23\2\0\216\23\2\0\234\23\2\0\260\23\2\0\274\23\2\0\312\23\2\0\330\23\2\0\352\23\2\0\372\23\2\0\20\24\2\0&\24\2\06\24\2\0H\24\2\0Z\24\2\0j\24\2\0z\24\2\0\206\24\2\0\220\24\2\0\242\24\2\0\350\20\2\0\330\20\2\0\276\20\2\0\240\20\2\0\224\20\2\0x\20\2\0b\20\2\0J\20\2\0:\20\2\0.\20\2\0"\20\2\0\6\20\2\0\366\17\2\0\344\17\2\0\330\17\2\0\312\17\2\0\276\17\2\0\262\17\2\0\240\17\2\0\210\17\2\0p\17\2\0d\17\2\0X\17\2\0H\17\2\08\17\2\0\0\0\0\0\216\25\2\0\202\25\2\0v\25\2\0\0\0\0\0\364\16\2\0\376\16\2\0\6\17\2\0\22\17\2\0\34\17\2\0\326\24\2\0\314\24\2\0\302\24\2\0\270\24\2\0\256\24\2\0\340\16\2\0\0\0\0\0\376\24\2\0\10\25\2\0\26\25\2\0&\25\2\0F\25\2\0X\25\2\0\346\24\2\0\0\0\0\0\355\0_except_handler3\0\0\372\1_strlwr\0\245\2free\0\0;\1_initterm\0\330\2malloc\0\0\266\0_adjust_fdiv\0\0msvcrt.dll\0\0h\1GetLas", ) \22\2\00\22\2\0<\26\2\0\0\0\0\0r\21\2\0V\21\2\0B\21\2\0.\21\2\0\24\21\2\0\376\20\2\0\272\22\2\0\322\22\2\0\342\22\2\0\360\22\2\0\376\22\2\0\22\23\2\0\36\23\2\00\23\2\0>\23\2\0J\23\2\0R\23\2\0h\23\2\0x\23\2\0\216\23\2\0\234\23\2\0\260\23\2\0\274\23\2\0\312\23\2\0\330\23\2\0\352\23\2\0\372\23\2\0\20\24\2\0&\24\2\06\24\2\0H\24\2\0Z\24\2\0j\24\2\0z\24\2\0\206\24\2\0\220\24\2\0\242\24\2\0\350\20\2\0\330\20\2\0\276\20\2\0\240\20\2\0\224\20\2\0x\20\2\0b\20\2\0J\20\2\0:\20\2\0.\20\2\0 (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "D\22\2\0\236\21\2\0\252\21\2\0\266\21\2\0\300\21\2\0\316\21\2\0\334\21\2\0\350\21\2\0\372\21\2\0\16\22\2\0"\22\2\00\22\2\0<\26\2\0\0\0\0\0r\21\2\0V\21\2\0B\21\2\0.\21\2\0\24\21\2\0\376\20\2\0\272\22\2\0\322\22\2\0\342\22\2\0\360\22\2\0\376\22\2\0\22\23\2\0\36\23\2\00\23\2\0>\23\2\0J\23\2\0R\23\2\0h\23\2\0x\23\2\0\216\23\2\0\234\23\2\0\260\23\2\0\274\23\2\0\312\23\2\0\330\23\2\0\352\23\2\0\372\23\2\0\20\24\2\0&\24\2\06\24\2\0H\24\2\0Z\24\2\0j\24\2\0z\24\2\0\206\24\2\0\220\24\2\0\242\24\2\0\350\20\2\0\330\20\2\0\276\20\2\0\240\20\2\0\224\20\2\0x\20\2\0b\20\2\0J\20\2\0:\20\2\0.\20\2\0"\20\2\0\6\20\2\0\366\17\2\0\344\17\2\0\330\17\2\0\312\17\2\0\276\17\2\0\262\17\2\0\240\17\2\0\210\17\2\0p\17\2\0d\17\2\0X\17\2\0H\17\2\08\17\2\0\0\0\0\0\216\25\2\0\202\25\2\0v\25\2\0\0\0\0\0\364\16\2\0\376\16\2\0\6\17\2\0\22\17\2\0\34\17\2\0\326\24\2\0\314\24\2\0\302\24\2\0\270\24\2\0\256\24\2\0\340\16\2\0\0\0\0\0\376\24\2\0\10\25\2\0\26\25\2\0&\25\2\0F\25\2\0X\25\2\0\346\24\2\0\0\0\0\0\355\0_except_handler3\0\0\372\1_strlwr\0\245\2free\0\0;\1_initterm\0\330\2malloc\0\0\266\0_adjust_fdiv\0\0msvcrt.dll\0\0h\1GetLas", ) , ) == 0x0
 01455   896   NtReadFile  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\225\13#\305r\230\235IzFN\341\346/\306c!\217f\334\233\314\342'\3'\205\360:\2\373@\0\0\0\0Qt\366\362#\354\241vUX\7q\277\177\12\36kHH\273\222\266*\261\7\244!\321\306\313_@\316\335\272\333\374\27\373\247\275\341\364c\330\236\211\342\335z\354\21\326\251\234\272\307^5\226\246o\177,\0\0\0\0\0\0\0\0RSA1H\0\0\0\0\2\0\0?\0\0\0\1\0\1\0\357L\154\317D\17\261s\254\324\233\276\314-\21*+\275!\4\216\254\255\325\374\322P\245\33C\25bg\217^\0\271%\33\342O\276\241P\241D;\27\330\221\365(\371\372\256\347\300\375\271\315vO\0\0\0\0\0\0\0\0\270/k\211\310\354\364\376\13\360m*\332?\303\350\226\202\205\353\256\1\24s\371\10E\300jm>i\200j\14a\212c\322\373\0\0\0\334\356L\371,\0\0\0\3618)\311\336\0\0\0\224Vx\220\253\315\357YE\232\371'\204t\312\325Xu\22\316\357w\223{\230\337\235\242\334{z\235\223\216\366|\1^\353\1#\4g\10\253\15\357Now is t\254\227M\331\2\23\210,G\334\360\23\177\245\3262\1#Eg\211\253\315\357Now is t?\244\16\212\230MH\25\345\307\315\336\207+\362|\1#Eg\211\253\315\357#Eg\211\253\315\357\1Eg\211\253\315\357\1#Now is t1O\203'\372z\11\250\363\300\377\2l\20\211\1#Eg\211\253\315\357#Eg\211\253\315\357\1Now is t\267\203Wy\356&\254\267\23K\230\370\356\263\366\7\0\1\2\3\4\5\6\7\10\11\12\13\14\15\16\17\0\1\2\3\4\5\6\7\10\11\12\13\14\15\16\17\12\224\13\265An\360E\361\303\224X\306S\352Z", ) , ) == 0x0
 01456   896   NtReadFile  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "age Authentication Code\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0\0\0\4\0\0\200\1\0\0\0@\0\00\0\0\0\11\0\0\0RSA_SIGN\0\0\0\0\0\0\0\0\0\0\0\0\16\0\0\0RSA Signature\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\244\0\0\0\4\0\0\200\1\0\0\0@\0\00\0\0\0\11\0\0\0RSA_KEYX\0\0\0\0\0\0\0\0\0\0\0\0\21\0\0\0RSA Key Exchange\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\11\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0HMAC\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\22\0\0\0Hugo's MAC (HMAC)\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2f\0\0\200\0\0\0(\0\0\0\200\0\0\0\0\0\0\0\4\0\0\0RC2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0RSA Data Security's RC2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1h\0\0\200\0\0\0(\0\0\0\200\0\0\0\0\0\0\0\4\0\0\0", ) , ) == 0x0
 01457   896   NtReadFile  (136, 0, 0, 0, 1924, 0x0, 0, ... {status=0x0, info=1924},  (136, 0, 0, 0, 1924, 0x0, 0, ... {status=0x0, info=1924}, " \1\0\0\0\0\0\0\14\0\0\0SSL3 SHAMD5\0\0\0\0\0\0\0\0\0\14\0\0\0SSL3 SHAMD5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0\0\0\4\0\0\200\1\0\0\0@\0\0 \0\0\0\11\0\0\0RSA_SIGN\0\0\0\0\0\0\0\0\0\0\0\0\16\0\0\0RSA Signature\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10$\377\17\200(\377\17\250-\377\17\09\377\17\340?\377\17\3202\377\17\20\244\37M\331o\320\21\214X\0\300O\331\22k\21\244\37M\331o\320\21\214X\0\300O\331\22k\22\244\37M\331o\320\21\214X\0\300O\331\22k0\214\7\212U7\320\21\240\275\0\252\0aBj\277D\377\377@\273\0\0\0\0\0\0\0\0\0\0\0\0\0\0\320[\375\17\324[\375\17\330[\375\17\334[\375\17\340[\375\17\350[\375\17\360[\375\17\370[\375\17\0\\375\17\14\\375\17\30\\375\17$\\375\170\\375\17@\\375\17P\\375\17`\\375\17\1\0\0\0\12\0\0\0d\0\0\0\364\1\0\0\350\3\0\0\210\23\0\0\0\0\0\0\355\11\377\17\10\12\377\17\0\0\0\0\357\6\377\17\0\0\0\0\333\6\377\17\300\6\377\17\345\6\377\17\0\0\0\0\22\12\377\17\0\0\0\0\310\11\377\17", ) , ) == 0x0
 01458   896   NtQueryInformationFile  (136, 1237460, 8, Position, ... {status=0x0, info=8}, ) == 0x0
 01459   896   NtSetInformationFile  (136, 1237460, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01460   896   NtQueryInformationFile  (136, 1237460, 8, Position, ... {status=0x0, info=8}, ) == 0x0
 01461   896   NtSetInformationFile  (136, 1237460, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01462   896   NtReadFile  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (136, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\07\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0o\0p\0e\0n\0 \0s\0i\0g\0n\0a\0t\0u\0r\0e\0 \0f\0i\0l\0e\0?\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0g\0e\0t\0 \0t\0h\0e\0 \0s\0i\0z\0e\0 \0o\0f\0 \0R\0s\0a\0b\0a\0s\0e\0.\0s\0i\0g\03\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0a\0l\0l\0o\0c\0a\0t\0e\0 \0m\0e\0m\0o\0r\0y\04\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0R\0e\0a\0d\0 \0R\0s\0a\0b\0a\0s\0e\0.\0s\0i\0g\05\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0", ) , ) == 0x0
 01463   896   NtReadFile  (136, 0, 0, 0, 2704, 0x0, 0, ... {status=0x0, info=2704},  (136, 0, 0, 0, 2704, 0x0, 0, ... {status=0x0, info=2704}, "\2208\3138\3258\3378\3518\09\79\279$9=9D9Q9\9n9u9\1779\2119\3129\3279\3479\3619\10:\17:\37:*:A:H:X:c:u:|:\206:\223:\316:\333:\353:\365:\14;\23;#;.;B;I;Y;d;v;};\207;\224;\317;\331;\351;\363;\7<\24<$\30>(>6>G>T>d>r>\200>\222>\237>\255>\273>;?]?j?t?~?\226?\247?\256?\275?\323?\332?\341?\360?\0p\1\0\324\1\0\0\20\110\230\370q0x0\2020\2140\2360\2570\2660\3050\3330\3420\3510\3700\121\211\331'1n1z1\2071\2311\2461\2621\3041\3231\3421\3571\3741\112\262%272D2\2732\3422\3512\3632\3752\303&3-373E3R3a3o3\2033\2123\2263\2403\3533\3623\3743\64\304&404?4R4Y4c4r4\2044\2134\2254\2374\3324\3474\3614\3734\165\255\375,5B5I5P5]5o5v5\2005\2125\3035\3125\3245\3365\3645\3735\106\276&616;6H6Z6a6k6u6\2546\2636\2756\3076\3316\3526\3616\07\237\327$737E7L7V7b7\2477\2637\3007\3227\3377\3537\3757\148\338(858B8O8^8p8}8\3538\229\319", ) , ) == 0x0
 01464   896   NtUnmapViewOfSection  (-1, 0x3c0000, ... ) == 0x0
 01465   896   NtClose  (144, ... ) == 0x0
 01466   896   NtClose  (136, ... ) == 0x0
 01467   896   NtOpenKey  (0x20119, {24, 16, 0x40, 0, 0,  (0x20119, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Cryptography"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01468   896   NtOpenKey  (0x20119, {24, 16, 0x40, 0, 0,  (0x20119, {24, 16, 0x40, 0, 0, "Software\Microsoft\Cryptography"}, ... 136, ) }, ... 136, ) == 0x0
 01469   896   NtQueryValueKey  (136,  (136, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="4\0c\0d\0d\07\03\08\06\0-\0b\03\06\01\0-\04\05\0a\0c\0-\09\02\0e\00\0-\0b\07\0f\0d\06\02\04\07\06\0d\0d\0c\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (136, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="4\0c\0d\0d\07\03\08\06\0-\0b\03\06\01\0-\04\05\0a\0c\0-\09\02\0e\00\0-\0b\07\0f\0d\06\02\04\07\06\0d\0d\0c\0\0\0"}, 86, ) }, 86, ) == 0x0
 01470   896   NtQueryValueKey  (136,  (136, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="4\0c\0d\0d\07\03\08\06\0-\0b\03\06\01\0-\04\05\0a\0c\0-\09\02\0e\00\0-\0b\07\0f\0d\06\02\04\07\06\0d\0d\0c\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (136, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="4\0c\0d\0d\07\03\08\06\0-\0b\03\06\01\0-\04\05\0a\0c\0-\09\02\0e\00\0-\0b\07\0f\0d\06\02\04\07\06\0d\0d\0c\0\0\0"}, 86, ) }, 86, ) == 0x0
 01471   896   NtQueryValueKey  (136,  (136, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="4\0c\0d\0d\07\03\08\06\0-\0b\03\06\01\0-\04\05\0a\0c\0-\09\02\0e\00\0-\0b\07\0f\0d\06\02\04\07\06\0d\0d\0c\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (136, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="4\0c\0d\0d\07\03\08\06\0-\0b\03\06\01\0-\04\05\0a\0c\0-\09\02\0e\00\0-\0b\07\0f\0d\06\02\04\07\06\0d\0d\0c\0\0\0"}, 86, ) }, 86, ) == 0x0
 01472   896   NtQueryValueKey  (136,  (136, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="4\0c\0d\0d\07\03\08\06\0-\0b\03\06\01\0-\04\05\0a\0c\0-\09\02\0e\00\0-\0b\07\0f\0d\06\02\04\07\06\0d\0d\0c\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (136, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="4\0c\0d\0d\07\03\08\06\0-\0b\03\06\01\0-\04\05\0a\0c\0-\09\02\0e\00\0-\0b\07\0f\0d\06\02\04\07\06\0d\0d\0c\0\0\0"}, 86, ) }, 86, ) == 0x0
 01473   896   NtClose  (136, ... ) == 0x0
 01474   896   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Cryptography\Offload"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01475   896   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 01476   896   NtOpenProcessToken  (-1, 0x8, ... 136, ) == 0x0
 01477   896   NtQueryInformationToken  (136, User, 1024, ... {token info, class 1, size 36}, 36, ) == 0x0
 01478   896   NtClose  (136, ... ) == 0x0
 01479   896   NtDeviceIoControlFile  (52, 0, 0x0, 0x0, 0x390008,  (52, 0, 0x0, 0x0, 0x390008, "\362\267\324\15\237\307S\341\\237K]7{\225\261\221\373\12\202R\34I\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01480   896   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01481   896   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01482   896   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01483   896   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01484   896   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01485   896   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01486   896   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01487   896   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147481368, 2, ) }, 0, 0x0, 0, ... -2147481368, 2, ) == 0x0
 01488   896   NtSetValueKey  (-2147481368,  (-2147481368, "Seed", 0, 3, "\3268W\330YZ\340:\360\227\233\241\240\234Ma\232C?\350\274\307\242\254\14\301\316\370\34\221\2201\26[OJ\320l\237o\37\368w\34\355G\2\255S\274\325\316\376\26\203Y\222\37\36L\232\12\15[w\363\361\212]_i\16W#\0w7f", 80, ... ) , 0, 3,  (-2147481368, "Seed", 0, 3, "\3268W\330YZ\340:\360\227\233\241\240\234Ma\232C?\350\274\307\242\254\14\301\316\370\34\221\2201\26[OJ\320l\237o\37\368w\34\355G\2\255S\274\325\316\376\26\203Y\222\37\36L\232\12\15[w\363\361\212]_i\16W#\0w7f", 80, ... ) , 80, ... ) == 0x0
 01489   896   NtClose  (-2147481368, ... ) == 0x0
 01479   896   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\321\362\220a\4b;\227\232\245\11El\262I\307\340\312qe\255\300\306\23\314i\240\222\340~\306\36\212\265\245\250\3153\21\5\11I~\341Q\306q)\377\26+QH\273\3639GY:p\357\340\257!\6\226\246\224\317\217\232\316\33\3719T\16jk\4k\321(#\377$:V\372b\301\3\241\31G\245\331\244/\357\12!a{\33252U\365b\323\2510\177\361\10'\272Y\372\314\314\224-\207\332\314\241/\313o\346"t6\231\354\211\273\207\13\243\16"M\222\372\272\1|\334'\232\14+X\257\252np\344\313QS}\\214d\266\257&\13XU\C\333\12\207Ts\260\220\270\210\36\342\353kt)\342\347\67R\362\300bC\305\377U\350A\370\27\256\3\31\25}\272\374\200p\312{\244\331]\262\25\264\262\33\350P{\201\357A\335\206\340+\277\215JM\206\354\10\257-", ) t6\231\354\211\273\207\13\243\16 ... {status=0x0, info=256}, "\321\362\220a\4b;\227\232\245\11El\262I\307\340\312qe\255\300\306\23\314i\240\222\340~\306\36\212\265\245\250\3153\21\5\11I~\341Q\306q)\377\26+QH\273\3639GY:p\357\340\257!\6\226\246\224\317\217\232\316\33\3719T\16jk\4k\321(#\377$:V\372b\301\3\241\31G\245\331\244/\357\12!a{\33252U\365b\323\2510\177\361\10'\272Y\372\314\314\224-\207\332\314\241/\313o\346"t6\231\354\211\273\207\13\243\16"M\222\372\272\1|\334'\232\14+X\257\252np\344\313QS}\\214d\266\257&\13XU\C\333\12\207Ts\260\220\270\210\36\342\353kt)\342\347\67R\362\300bC\305\377U\350A\370\27\256\3\31\25}\272\374\200p\312{\244\331]\262\25\264\262\33\350P{\201\357A\335\206\340+\277\215JM\206\354\10\257-", ) M\222\372\272\1|\334'\232\14+X\257\252np\344\313QS}\\214d\266\257&\13XU\C\333\12\207Ts\260\220\270\210\36\342\353kt)\342\347\67R\362\300bC\305\377U\350A\370\27\256\3\31\25}\272\374\200p\312{\244\331]\262\25\264\262\33\350P{\201\357A\335\206\340+\277\215JM\206\354\10\257-", ) == 0x0
 01490   896   NtDeviceIoControlFile  (52, 0, 0x0, 0x0, 0x390008,  (52, 0, 0x0, 0x0, 0x390008, "\362\267\324\15\237\307S\341\\237K]7{y\215_.\360\36\25\232\234\221\373\12\202R\34I\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01491   896   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01492   896   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01493   896   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01494   896   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01495   896   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01496   896   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01497   896   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01498   896   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147481368, 2, ) }, 0, 0x0, 0, ... -2147481368, 2, ) == 0x0
 01499   896   NtSetValueKey  (-2147481368,  (-2147481368, "Seed", 0, 3, "2\244\267\7\35_\22\362\320\242-\346\2633\205\7\351J\263\3\206%b\345ke\356\200\245\260\214\0y\2044?\361\321\331\332\270\31v\377` ?\224\263\244+y\356\230\13Q\243\325pA~\4\215\244d\3575\6/\330j\245\21M\362\232\214", 80, ... ) , 0, 3,  (-2147481368, "Seed", 0, 3, "2\244\267\7\35_\22\362\320\242-\346\2633\205\7\351J\263\3\206%b\345ke\356\200\245\260\214\0y\2044?\361\321\331\332\270\31v\377` ?\224\263\244+y\356\230\13Q\243\325pA~\4\215\244d\3575\6/\330j\245\21M\362\232\214", 80, ... ) , 80, ... ) == 0x0
 01500   896   NtClose  (-2147481368, ... ) == 0x0
 01490   896   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\316\257*L\234K\214\351\344I\251\244\263\254bos\23\367\24\205\302\352\372\205\323%\20a\24\240\37\372\332\227\257F\221E\230\334\1j\265\246\306\207"\264R]\23\212\264\331%\263yM\377\14\20\364\242~z\370e\255 1\203\20H\270\327\227\30sa\221\247L\21\15\203\302'\276da\2110\206\210\27\235\241\2\210X\323[\203\311\253\235\1\226CmU\362H\261'\321l\242\333eVr\236\7\32{\233\375>\241\247\201%\6(\333z\265?\337\250\270\265\317\212\204!\306\205\32na\365\337V\367\257\15e\311\26623\212\264\331%\263yM\377\14\20\364\242~z\370e\255 1\203\20H\270\327\227\30sa\221\247L\21\15\203\302'\276da\2110\206\210\27\235\241\2\210X\323[\203\311\253\235\1\226CmU\362H\261'\321l\242\333eVr\236\7\32{\233\375>\241\247\201%\6(\333z\265?\337\250\270\265\317\212\204!\306\205\32na\365\337V\367\257\15e\311\266376\3551\253.\207x\351nBl\277\301\200Z:\34An\220qn\207\350\262\20]\233\13u,\322\33T\233\31\4S3l\367\363\245\177\254\6\351.\323,\230\3403\304\36\333\263\376\333l\212\313c\220\261\34\374\261\200\17\301\234\26\300)\310\266$\363\224L{\351\363\2518t\207\237p\336", ) == 0x0
 01501   896   NtDeviceIoControlFile  (52, 0, 0x0, 0x0, 0x390008,  (52, 0, 0x0, 0x0, 0x390008, "\362\267\324\15\237\307S\341\\237K]7{y\215_.\360\36\25v\240_.\360\36\25\232\234\221\373\12\202R\34I\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01502   896   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01503   896   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01504   896   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01505   896   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01506   896   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01507   896   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01508   896   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01509   896   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147481368, 2, ) }, 0, 0x0, 0, ... -2147481368, 2, ) == 0x0
 01510   896   NtSetValueKey  (-2147481368,  (-2147481368, "Seed", 0, 3, "ns\224\13\227\314L}V\353\340\302q0\220\206B\204\244+e&\277\33J\202\273\326\277B3\266"\251\233\6\342i\201\346\2\204\211\221\316\245\265kQ\200\322D\317\20G\261\11$\207\263\34\6\355{H\225\363AT\307\252\277U\366G}\350\350\\265", 80, ... ) , 0, 3,  (-2147481368, "Seed", 0, 3, "ns\224\13\227\314L}V\353\340\302q0\220\206B\204\244+e&\277\33J\202\273\326\277B3\266"\251\233\6\342i\201\346\2\204\211\221\316\245\265kQ\200\322D\317\20G\261\11$\207\263\34\6\355{H\225\363AT\307\252\277U\366G}\350\350\\265", 80, ... ) \251\233\6\342i\201\346\2\204\211\221\316\245\265kQ\200\322D\317\20G\261\11$\207\263\34\6\355{H\225\363AT\307\252\277U\366G}\350\350\\265", 80, ... ) == 0x0
 01511   896   NtClose  (-2147481368, ... ) == 0x0
 01501   896   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\241x\2236e\301\277\11\247Mz\346\365]\247G\371H\322UvdN\310\271\306\275\331\246:\35\34\10Y`\274\312u\346\12.\15\351\271\1%\357\375\350\252#\301\323_\2061\222\310\262\20\206\345`?\204\254\353\317\351-\3510\353[\177\353\234\\326\276\327\36\214\307/\314w\3\2j\27G\361?\253\227\337B\363\304m\310m\322\230}\177\276,\17\320LVB7d\206[\311t\271\333,\205%\345", ) , ) == 0x0
 01512   896   NtDeviceIoControlFile  (52, 0, 0x0, 0x0, 0x390008,  (52, 0, 0x0, 0x0, 0x390008, "\362\267\324\15\237\307S\341\\237K]7{y\215_.\360\36\25v\240_.\360\36\25v\240_.\360\36\25\232\234\221\373\12\202R\34I\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01513   896   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01514   896   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01515   896   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01516   896   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01517   896   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01518   896   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01519   896   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01520   896   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147481368, 2, ) }, 0, 0x0, 0, ... -2147481368, 2, ) == 0x0
 01521   896   NtSetValueKey  (-2147481368,  (-2147481368, "Seed", 0, 3, "D\355\231\36\3503\216#\244\217\229>pA\363\347\353\311&x\177\3330\206\262D\7\220\332O\333\214\332\344\323\\246;N\227 \335\353\345\177\371\372&\17\252\3379F\343\\240\266\272\12\335#\313~-\272k\210e\264\27\361v13\323\26\36W\321", 80, ... ) , 0, 3,  (-2147481368, "Seed", 0, 3, "D\355\231\36\3503\216#\244\217\229>pA\363\347\353\311&x\177\3330\206\262D\7\220\332O\333\214\332\344\323\\246;N\227 \335\353\345\177\371\372&\17\252\3379F\343\\240\266\272\12\335#\313~-\272k\210e\264\27\361v13\323\26\36W\321", 80, ... ) , 80, ... ) == 0x0
 01522   896   NtClose  (-2147481368, ... ) == 0x0
 01512   896   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "o)K\17\325\300\17\26\215<\334\211\200\217D\257\3\215'\345b[\3046/\207B;a\3245\237 "?\317\214Th\7\341\263\30oi\255\202\347O\24\270Q]\261\3704\10\376mT\11\362\12\256\322%Ag\277J\6\24\254\232\20\263\20<\245\253\213\25\7\256\34\20;_\263\353\224A\343{\24)\25\4\311&,e\17C\7\25\246\247\356\325\273{\357CP-\212\13\270\241W}\231\255\305\211\342\263gGU\277\7u\36#\304nl>Nd\20Ob\227\250-s\1\242\343\362s\27\13`\33\352\246\256\330\346Kh\31z@\246\344\223\376$\300\4c\352\16\342\16\377q\231\216U=\222\3767\260\271i\22\253\366\273\364\304o\253\374\234dM\16\30\302\262\351\216/;f\113\377\323w\360]\234?\245\202\234\270\236d\223\207H\267\270\235&\235\325\212\265\376\261\342\320\351\252N\16\376Q\207r\332\22VGx", ) ?\317\214Th\7\341\263\30oi\255\202\347O\24\270Q]\261\3704\10\376mT\11\362\12\256\322%Ag\277J\6\24\254\232\20\263\20<\245\253\213\25\7\256\34\20;_\263\353\224A\343{\24)\25\4\311&,e\17C\7\25\246\247\356\325\273{\357CP-\212\13\270\241W}\231\255\305\211\342\263gGU\277\7u\36#\304nl>Nd\20Ob\227\250-s\1\242\343\362s\27\13`\33\352\246\256\330\346Kh\31z@\246\344\223\376$\300\4c\352\16\342\16\377q\231\216U=\222\3767\260\271i\22\253\366\273\364\304o\253\374\234dM\16\30\302\262\351\216/;f\113\377\323w\360]\234?\245\202\234\270\236d\223\207H\267\270\235&\235\325\212\265\376\261\342\320\351\252N\16\376Q\207r\332\22VGx", ) == 0x0
 01523   896   NtDeviceIoControlFile  (52, 0, 0x0, 0x0, 0x390008,  (52, 0, 0x0, 0x0, 0x390008, "\362\267\324\15\237\307S\341\\237K]7{y\215_.\360\36\25v\240_.\360\36\25v\240_.\360\36\25v\240_.\360\36\25\232\234\221\373\12\202R\34I\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01524   896   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01525   896   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01526   896   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01527   896   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01528   896   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01529   896   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01530   896   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01531   896   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147481368, 2, ) }, 0, 0x0, 0, ... -2147481368, 2, ) == 0x0
 01532   896   NtSetValueKey  (-2147481368,  (-2147481368, "Seed", 0, 3, "\315Kbb\330,\22U[3\367\250I\277o(\23^\266{\257d\241\236\272L\16K3\272\222\271\3377Uk\357?\315BB\337#\346\321\236b\310\341\374\256\247\12\12~\300\4\20\273H\274!s\225 w\272\275\375\362]\301=\215\223N\357\14\264\273", 80, ... ) , 0, 3,  (-2147481368, "Seed", 0, 3, "\315Kbb\330,\22U[3\367\250I\277o(\23^\266{\257d\241\236\272L\16K3\272\222\271\3377Uk\357?\315BB\337#\346\321\236b\310\341\374\256\247\12\12~\300\4\20\273H\274!s\225 w\272\275\375\362]\301=\215\223N\357\14\264\273", 80, ... ) , 80, ... ) == 0x0
 01533   896   NtClose  (-2147481368, ... ) == 0x0
 01523   896   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\36z\301:\277\252\214\220~\323\33\13\345\353\21\362\331\22\316#\275UU\215\25\314rwD\242%\205g\210*b\306\223\254\211\313\245\325e\214\224\376VE\4\36\364\23\274;\330\373I\241\353~a\37\247\11\365\246\4\361\371g\231\202\300\202\375\3z\246\35\2243\305\222R\316V\304\374\302\373Z\11\256\372\346\20\203T\223kY\273\227J\331\17U\27\6\327\240)\322\277+\204\31\324\177\3451\323{%^_\270\304\266\343\307\2\177Y]\346\352\200\24\3\265g\231\260\206FZ\255\306\353\25\341\242\254\200\7\24\202\345\316\3664D\272rj\220t\336|\206Y\373\12\217\30\274\216\2364/\272\314\362\25Z\231$\262_\357\377\300\260=No\337!\274c\344\332\16"\314x\12\330S\362\11\232c\266\273\360\316\327p\323V\15\225\320S~X\245u\373Y\32W\26349P\355\240_\265.L\245l,JTBZE!", ) \314x\12\330S\362\11\232c\266\273\360\316\327p\323V\15\225\320S~X\245u\373Y\32W\26349P\355\240_\265.L\245l,JTBZE!", ) == 0x0
 01534   896   NtDeviceIoControlFile  (52, 0, 0x0, 0x0, 0x390008,  (52, 0, 0x0, 0x0, 0x390008, "\362\267\324\15\237\307S\341\\237K]7{y\215_.\360\36\25v\240_.\360\36\25v\240_.\360\36\25v\240_.\360\36\25v\240_.\360\36\25\232\234\221\373\12\202R\34I\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01535   896   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01536   896   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01537   896   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01538   896   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01539   896   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01540   896   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01541   896   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01542   896   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147481368, 2, ) }, 0, 0x0, 0, ... -2147481368, 2, ) == 0x0
 01543   896   NtSetValueKey  (-2147481368,  (-2147481368, "Seed", 0, 3, "\344\23k\324\244d\246R\316\305\23359\202yq\325\213\247\254E5\35!\244u\200\350f)&\224\215\334\230K_\230[\247\236\35N9mR\302f\261\306\310\14\33\3\\220\332\333\25\217G\360,}3G\256\345\236\213\17\211\333\14\277\244\150Wc", 80, ... ) , 0, 3,  (-2147481368, "Seed", 0, 3, "\344\23k\324\244d\246R\316\305\23359\202yq\325\213\247\254E5\35!\244u\200\350f)&\224\215\334\230K_\230[\247\236\35N9mR\302f\261\306\310\14\33\3\\220\332\333\25\217G\360,}3G\256\345\236\213\17\211\333\14\277\244\150Wc", 80, ... ) , 80, ... ) == 0x0
 01544   896   NtClose  (-2147481368, ... ) == 0x0
 01534   896   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\245B/n\20\6\273\246P\207\320"<\27\325\211i\3\30\307\353E\256,V\224\205\227\340Y\244\302.g\265 \360\320ME\375\200\213\340\203g\210\235:t\200c\373~0\340\233\322\267\2617\2468\274\374l\273M\260\256\341\7ov\201\361\335\263\5\257_el\267\275\321;\364\330\273\256\327\363v1\233\261\262$\325Hi\347n\234{\247\207\373o\351&\23\357\335JJi\2115\300\2\305B\323\205\207\2631\35:\3740\335\320FX\21\260\4\16\340\250|4\311\27\310\314\331CP\340\315_\224\332\240xzF\251\12\11"\343\340\233\2662b\303o\371pY\305\264\32o\362\221&5\344\316\271a\311\357\225i\332\210\340\357f\34\21\2351_\24g\314F\200\250\206\251\32"\275\375$\265r\311\301\256\344\274R\6\231g\303\4\246i"\337~\2671o\34\375\374\276AkT\354|Q+0\342.\36\312\226\222", ) <\27\325\211i\3\30\307\353E\256,V\224\205\227\340Y\244\302.g\265 \360\320ME\375\200\213\340\203g\210\235:t\200c\373~0\340\233\322\267\2617\2468\274\374l\273M\260\256\341\7ov\201\361\335\263\5\257_el\267\275\321;\364\330\273\256\327\363v1\233\261\262$\325Hi\347n\234{\247\207\373o\351&\23\357\335JJi\2115\300\2\305B\323\205\207\2631\35:\3740\335\320FX\21\260\4\16\340\250|4\311\27\310\314\331CP\340\315_\224\332\240xzF\251\12\11 ... {status=0x0, info=256}, "\245B/n\20\6\273\246P\207\320"<\27\325\211i\3\30\307\353E\256,V\224\205\227\340Y\244\302.g\265 \360\320ME\375\200\213\340\203g\210\235:t\200c\373~0\340\233\322\267\2617\2468\274\374l\273M\260\256\341\7ov\201\361\335\263\5\257_el\267\275\321;\364\330\273\256\327\363v1\233\261\262$\325Hi\347n\234{\247\207\373o\351&\23\357\335JJi\2115\300\2\305B\323\205\207\2631\35:\3740\335\320FX\21\260\4\16\340\250|4\311\27\310\314\331CP\340\315_\224\332\240xzF\251\12\11"\343\340\233\2662b\303o\371pY\305\264\32o\362\221&5\344\316\271a\311\357\225i\332\210\340\357f\34\21\2351_\24g\314F\200\250\206\251\32"\275\375$\265r\311\301\256\344\274R\6\231g\303\4\246i"\337~\2671o\34\375\374\276AkT\354|Q+0\342.\36\312\226\222", ) \275\375$\265r\311\301\256\344\274R\6\231g\303\4\246i ... {status=0x0, info=256}, "\245B/n\20\6\273\246P\207\320"<\27\325\211i\3\30\307\353E\256,V\224\205\227\340Y\244\302.g\265 \360\320ME\375\200\213\340\203g\210\235:t\200c\373~0\340\233\322\267\2617\2468\274\374l\273M\260\256\341\7ov\201\361\335\263\5\257_el\267\275\321;\364\330\273\256\327\363v1\233\261\262$\325Hi\347n\234{\247\207\373o\351&\23\357\335JJi\2115\300\2\305B\323\205\207\2631\35:\3740\335\320FX\21\260\4\16\340\250|4\311\27\310\314\331CP\340\315_\224\332\240xzF\251\12\11"\343\340\233\2662b\303o\371pY\305\264\32o\362\221&5\344\316\271a\311\357\225i\332\210\340\357f\34\21\2351_\24g\314F\200\250\206\251\32"\275\375$\265r\311\301\256\344\274R\6\231g\303\4\246i"\337~\2671o\34\375\374\276AkT\354|Q+0\342.\36\312\226\222", ) , ) == 0x0
 01545   896   NtDeviceIoControlFile  (52, 0, 0x0, 0x0, 0x390008,  (52, 0, 0x0, 0x0, 0x390008, "\362\267\324\15\237\307S\341\\237K]7{y\215_.\360\36\25v\240_.\360\36\25v\240_.\360\36\25v\240_.\360\36\25v\240_.\360\36\25v\240_.\360\36\25\232\234\221\373\12\202R\34I\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01546   896   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01547   896   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01548   896   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01549   896   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01550   896   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01551   896   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01552   896   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01553   896   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147481368, 2, ) }, 0, 0x0, 0, ... -2147481368, 2, ) == 0x0
 01554   896   NtSetValueKey  (-2147481368,  (-2147481368, "Seed", 0, 3, "E\324p\351\332\270y\6\177O=\334\344\372\235\10\321\301\202%\246j\344t\341\255\324o\312\271oom'k\305\335d!\353\375/\324\212 \300\361)(a\30\373\332>D\372\354\203F\7q\14A \323\242~\214\31\372\345\246\271\240\343\35-\30\316\211", 80, ... ) , 0, 3,  (-2147481368, "Seed", 0, 3, "E\324p\351\332\270y\6\177O=\334\344\372\235\10\321\301\202%\246j\344t\341\255\324o\312\271oom'k\305\335d!\353\375/\324\212 \300\361)(a\30\373\332>D\372\354\203F\7q\14A \323\242~\214\31\372\345\246\271\240\343\35-\30\316\211", 80, ... ) , 80, ... ) == 0x0
 01555   896   NtClose  (-2147481368, ... ) == 0x0
 01545   896   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\313\371\356%\311\20\d\23\343\356Z\232\27ChW\34_\213\334\202\16|2$\274\26\352\311\264\206\366\275\360\233x\253\372r\223NsJ\361\267XD\367\252;\300C\217\302\265\327\332\326\244\335\26d\37\375&zV\346i.V\203\235\232\271\16\0xN\14\225\12\350\332\260\346\277yB\232\35p\311\30\233\13\367\245\276\242\221Z\7\273\216\277\255\30\274\273\357\227V\223\234Lz\335\316\320I\365\206\270\310L\356\201\360RJ\226\364\34\2640\14c\3512", ) \234Lz\335\316\320I\365\206\270\310L\356\201\360RJ\226\364\34\2640\14c\3512", ) == 0x0
 01556   896   NtClose  (140, ... ) == 0x0
 01557   896   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\u:\work\"}, 3, 33, ... 140, {status=0x0, info=1}, ) }, 3, 33, ... 140, {status=0x0, info=1}, ) == 0x0
 01558   896   NtQueryVolumeInformationFile  (140, 1238992, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01559   896   NtClose  (12, ... ) == 0x0
 01560   896   NtOpenFile  (0x10080, {24, 0, 0x40, 0, 0,  (0x10080, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\explorer.exe"}, 7, 2113600, ... ) }, 7, 2113600, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01561   896   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238156,  (0x80100080, {24, 0, 0x40, 0, 1238156, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 12, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 12, {status=0x0, info=1}, ) == 0x0
 01562   896   NtQueryInformationFile  (12, 1238592, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0
 01563   896   NtQueryInformationFile  (12, 1238508, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01564   896   NtQueryInformationFile  (12, 1238324, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01565   896   NtAllocateVirtualMemory  (-1, 1372160, 0, 8192, 4096, 4, ... 1372160, 8192, ) == 0x0
 01566   896   NtQueryInformationFile  (12, 1370088, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0
 01567   896   NtQueryInformationFile  (12, 1236772, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01568   896   NtQueryInformationFile  (12, 1237048, 4, Ea, ... {status=0x0, info=4}, ) == 0x0
 01569   896   NtCreateFile  (0x40110080, {24, 0, 0x40, 0, 1236924,  (0x40110080, {24, 0, 0x40, 0, 1236924, "\??\C:\WINDOWS\system32\explorer.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ...
 01570   896   NtClose  (-2147481368, ... ) == 0x0
 01569   896   NtCreateFile  ... 136, {status=0x0, info=2}, ) == 0x0
 01571   896   NtQueryVolumeInformationFile  (136, 1237076, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 01572   896   NtQueryInformationFile  (136, 1236660, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01573   896   NtQueryVolumeInformationFile  (12, 1237076, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 01574   896   NtQueryVolumeInformationFile  (12, 1236420, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01575   896   NtSetInformationFile  (136, 1236976, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01576   896   NtCreateSection  (0xf001f, 0x0, 0x0, 2, 134217728, 12, ... 144, ) == 0x0
 01577   896   NtMapViewOfSection  (144, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x3c0000), {0, 0}, 65536, ) == 0x0
 01578   896   NtClose  (144, ... ) == 0x0
 01579   896   NtWriteFile  (136, 0, 0, 0,  (136, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0    \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\343^ \16\247?N]\247?N]\247?N]\371\35E]\245?N]\334#B]\244?N]$7\23]\253?N]$#@]\241?N]\310 J]\244?N]\310 E]\246?N]\247?O]\2?N]\221\31X]\230?N]Rich\247?N]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\2\0<\360\337F\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0\0\0\0\0\320\0\0\0\0\2\0\0\240\4\0\0\20\0\0\0\20\2\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\20\5\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\30\300\3\0\240\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.dfg\0\0\0\0\0\260\3\0", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 01580   896   NtWriteFile  (136, 0, 0, 0,  (136, 0, 0, 0, "\307k\33\317\230\207\261\204R\32\241\320\254\3c\3566/\31\313\27\6n>\11!\7\1\21\214\203\257\251\0\226\22\246\336\221\6D\241\273HBD^kg\310\244\247sjT\0\277uu\244\236_\356\343\311<(#\310\326\340^\370\234\312\34\32,{\221IO\311Hz\7m\337\30\30\363\251\206\270Q\306TN\325\22\314\375\364\364I\337\310\314\202L\265\224ef`\201\14y\203\261\253,\230\356\273\337\217w\317\362\343\236\365\25\17=\267\6\22\25\253\35\324\275-76\341\325\203\20\6\5\202\277\243\315)\260e\11[Ra\323\270\346y\177P\23C\263|\350$\225\226\220W\11\271\263\341Z\342\206V\267\250\367\242\204!\33J\307\2026\301[jn\24\23\212\204\263\221\215\322%|\354\360\366v\177\355\34\26\273\35\37\31\31\23_};3\361\12\0\325\224\202\327\340J\273:\237\206\234\234\227`\212u\6D\24\1\7"9\227\14\205t{_'\207\260\221\300MX\346\34H\264\3736\03:xrsM\243LF@n,\6\24\377\347\343\347\320\256P<\6\375\342\314\1774\201\331.\336\221\227\273\26\13525^[\206\4\320*\377\363[\13\31\352\367\301b|\232\377"\14]4\374{az\12\3\2\262\356tZ@\236\37\235\267>.q\235\324\336'\32\207\214m\351\31#$\346\217\315\24fk\201ke\222\214\323\11X\322\254\233\330Yi\215\313\305\367z\253S*$A8\306\274\351\31Pj\207r&\366/\347\226\220\315L\\374\300\332\354\345\226:?96\2710D\321@UO\203\343\21^\257\231p\\236\370\333\316\214\274\204\207Xj}\215CGFM\0"'+\2\23mTA\6_\330@i\341.8\320\274\220\377\17\256\241u\1\221\243\371!\179\334Hb\\210\17\2012U", 4096, 0x0, 0, ... {status=0x0, info=4096}, ) 9\227\14\205t{_'\207\260\221\300MX\346\34H\264\3736\03:xrsM\243LF@n,\6\24\377\347\343\347\320\256P<\6\375\342\314\1774\201\331.\336\221\227\273\26\13525^[\206\4\320*\377\363[\13\31\352\367\301b|\232\377 (136, 0, 0, 0, "\307k\33\317\230\207\261\204R\32\241\320\254\3c\3566/\31\313\27\6n>\11!\7\1\21\214\203\257\251\0\226\22\246\336\221\6D\241\273HBD^kg\310\244\247sjT\0\277uu\244\236_\356\343\311<(#\310\326\340^\370\234\312\34\32,{\221IO\311Hz\7m\337\30\30\363\251\206\270Q\306TN\325\22\314\375\364\364I\337\310\314\202L\265\224ef`\201\14y\203\261\253,\230\356\273\337\217w\317\362\343\236\365\25\17=\267\6\22\25\253\35\324\275-76\341\325\203\20\6\5\202\277\243\315)\260e\11[Ra\323\270\346y\177P\23C\263|\350$\225\226\220W\11\271\263\341Z\342\206V\267\250\367\242\204!\33J\307\2026\301[jn\24\23\212\204\263\221\215\322%|\354\360\366v\177\355\34\26\273\35\37\31\31\23_};3\361\12\0\325\224\202\327\340J\273:\237\206\234\234\227`\212u\6D\24\1\7"9\227\14\205t{_'\207\260\221\300MX\346\34H\264\3736\03:xrsM\243LF@n,\6\24\377\347\343\347\320\256P<\6\375\342\314\1774\201\331.\336\221\227\273\26\13525^[\206\4\320*\377\363[\13\31\352\367\301b|\232\377"\14]4\374{az\12\3\2\262\356tZ@\236\37\235\267>.q\235\324\336'\32\207\214m\351\31#$\346\217\315\24fk\201ke\222\214\323\11X\322\254\233\330Yi\215\313\305\367z\253S*$A8\306\274\351\31Pj\207r&\366/\347\226\220\315L\\374\300\332\354\345\226:?96\2710D\321@UO\203\343\21^\257\231p\\236\370\333\316\214\274\204\207Xj}\215CGFM\0"'+\2\23mTA\6_\330@i\341.8\320\274\220\377\17\256\241u\1\221\243\371!\179\334Hb\\210\17\2012U", 4096, 0x0, 0, ... {status=0x0, info=4096}, ) '+\2\23mTA\6_\330@i\341.8\320\274\220\377\17\256\241u\1\221\243\371!\179\334Hb\\210\17\2012U", 4096, 0x0, 0, ... {status=0x0, info=4096}, ) == 0x0
 01581   896   NtUnmapViewOfSection  (-1, 0x3c0000, ... ) == 0x0
 01582   896   NtSetInformationFile  (136, 1238324, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01583   896   NtClose  (12, ... ) == 0x0
 01584   896   NtClose  (136, ... ) == 0x0
 01585   896   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\explorer.exe"}, 7, 2113568, ... 136, {status=0x0, info=1}, ) }, 7, 2113568, ... 136, {status=0x0, info=1}, ) == 0x0
 01586   896   NtSetInformationFile  (136, 1239244, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01587   896   NtClose  (136, ... ) == 0x0
 01588   896   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\explorer.exe"}, 7, 2113568, ... 136, {status=0x0, info=1}, ) }, 7, 2113568, ... 136, {status=0x0, info=1}, ) == 0x0
 01589   896   NtSetInformationFile  (136, 1239244, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01590   896   NtClose  (136, ... ) == 0x0
 01591   896   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238952,  (0x80100080, {24, 0, 0x40, 0, 1238952, "\??\C:\WINDOWS\explorer.exe"}, 0x0, 128, 1, 1, 96, 0, 0, ... 136, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 136, {status=0x0, info=1}, ) == 0x0
 01592   896   NtQueryInformationFile  (136, 1239004, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01593   896   NtClose  (136, ... ) == 0x0
 01594   896   NtCreateFile  (0x40100080, {24, 0, 0x40, 0, 1238952,  (0x40100080, {24, 0, 0x40, 0, 1238952, "\??\C:\WINDOWS\system32\explorer.exe"}, 0x0, 128, 2, 1, 96, 0, 0, ... 136, {status=0x0, info=1}, ) }, 0x0, 128, 2, 1, 96, 0, 0, ... 136, {status=0x0, info=1}, ) == 0x0
 01595   896   NtSetInformationFile  (136, 1239004, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01596   896   NtClose  (136, ... ) == 0x0
 01597   896   NtOpenFile  (0x10080, {24, 140, 0x40, 0, 0,  (0x10080, {24, 140, 0x40, 0, 0, "kpvycv.bat"}, 7, 2113600, ... ) }, 7, 2113600, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01598   896   NtCreateFile  (0x40100080, {24, 140, 0x40, 0, 1239200,  (0x40100080, {24, 140, 0x40, 0, 1239200, "kpvycv.bat"}, 0x0, 0, 0, 5, 96, 0, 0, ... 136, {status=0x0, info=2}, ) }, 0x0, 0, 0, 5, 96, 0, 0, ... 136, {status=0x0, info=2}, ) == 0x0
 01599   896   NtWriteFile  (136, 0, 0, 0,  (136, 0, 0, 0, "@echo off\15\12:deleteagain\15\12del /A:H /F packed.exe\15\12del /F packed.exe\15\12if exist packed.exe goto deleteagain\15\12del kpvycv.bat\15\12", 122, 0x0, 0, ... {status=0x0, info=122}, ) , 122, 0x0, 0, ... {status=0x0, info=122}, ) == 0x0
 01600   896   NtClose  (136, ... ) == 0x0
 01601   896   NtOpenKey  (0x9, {24, 16, 0x40, 0, 0,  (0x9, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01602   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1232480, ... ) }, 1232480, ... ) == 0x0
 01603   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 136, {status=0x0, info=1}, ) }, 5, 96, ... 136, {status=0x0, info=1}, ) == 0x0
 01604   896   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 136, ... 12, ) == 0x0
 01605   896   NtClose  (136, ... ) == 0x0
 01606   896   NtMapViewOfSection  (12, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xb40000), 0x0, 401408, ) == 0x0
 01607   896   NtClose  (12, ... ) == 0x0
 01608   896   NtUnmapViewOfSection  (-1, 0xb40000, ... ) == 0x0
 01609   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01610   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01611   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01612   896   NtAllocateVirtualMemory  (-1, 1380352, 0, 16384, 4096, 4, ... 1380352, 16384, ) == 0x0
 01613   896   NtUserRegisterClassExWOW  (1234088, 1234156, 1234172, 1234188, 0, 384, 0, ... ) == 0x8177c038
 01614   896   NtUserGetAtomName  (49208, 1233416, ... ) == 0x15
 01615   896   NtUserCreateWindowEx  (0, 49208, 49208,  (0, 49208, 49208, "OleMainThreadWndName", -2013265920, -2147483648, -2147483648, -2147483648, -2147483648, -3, 0, 2001600512, 0, 1073742848, 0, ... , -2013265920, -2147483648, -2147483648, -2147483648, -2147483648, -3, 0, 2001600512, 0, 1073742848, 0, ...
 01616   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1230888, ... ) }, 1230888, ... ) == 0x0
 01617   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 12, {status=0x0, info=1}, ) }, 5, 96, ... 12, {status=0x0, info=1}, ) == 0x0
 01618   896   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 12, ... 136, ) == 0x0
 01619   896   NtClose  (12, ... ) == 0x0
 01620   896   NtMapViewOfSection  (136, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x3c0000), 0x0, 221184, ) == 0x0
 01621   896   NtClose  (136, ... ) == 0x0
 01622   896   NtUnmapViewOfSection  (-1, 0x3c0000, ... ) == 0x0
 01623   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1231196, ... ) }, 1231196, ... ) == 0x0
 01624   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 136, {status=0x0, info=1}, ) }, 5, 96, ... 136, {status=0x0, info=1}, ) == 0x0
 01625   896   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 136, ... 12, ) == 0x0
 01626   896   NtQuerySection  (12, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01627   896   NtClose  (136, ... ) == 0x0
 01628   896   NtMapViewOfSection  (12, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5ad70000), 0x0, 229376, ) == 0x0
 01629   896   NtClose  (12, ... ) == 0x0
 01630   896   NtProtectVirtualMemory  (-1, (0x5ad71000), 1300, 4, ... (0x5ad71000), 4096, 32, ) == 0x0
 01631   896   NtProtectVirtualMemory  (-1, (0x5ad71000), 4096, 32, ... (0x5ad71000), 4096, 4, ) == 0x0
 01632   896   NtFlushInstructionCache  (-1, 1524043776, 1300, ... ) == 0x0
 01633   896   NtProtectVirtualMemory  (-1, (0x5ad71000), 1300, 4, ... (0x5ad71000), 4096, 32, ) == 0x0
 01634   896   NtProtectVirtualMemory  (-1, (0x5ad71000), 4096, 32, ... (0x5ad71000), 4096, 4, ) == 0x0
 01635   896   NtFlushInstructionCache  (-1, 1524043776, 1300, ... ) == 0x0
 01636   896   NtProtectVirtualMemory  (-1, (0x5ad71000), 1300, 4, ... (0x5ad71000), 4096, 32, ) == 0x0
 01637   896   NtProtectVirtualMemory  (-1, (0x5ad71000), 4096, 32, ... (0x5ad71000), 4096, 4, ) == 0x0
 01638   896   NtFlushInstructionCache  (-1, 1524043776, 1300, ... ) == 0x0
 01639   896   NtProtectVirtualMemory  (-1, (0x5ad71000), 1300, 4, ... (0x5ad71000), 4096, 32, ) == 0x0
 01640   896   NtProtectVirtualMemory  (-1, (0x5ad71000), 4096, 32, ... (0x5ad71000), 4096, 4, ) == 0x0
 01641   896   NtFlushInstructionCache  (-1, 1524043776, 1300, ... ) == 0x0
 01642   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uxtheme.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01643   896   NtUserGetWindowDC  (0, ... ) == 0x1010054
 01644   896   NtUserCallOneParam  (16842836, 57, ... ) == 0x1
 01645   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01646   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 12, ) == 0x0
 01647   896   NtQueryInformationToken  (12, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01648   896   NtClose  (12, ... ) == 0x0
 01649   896   NtAllocateVirtualMemory  (-1, 1220608, 0, 4096, 4096, 260, ... 1220608, 4096, ) == 0x0
 01650   896   NtOpenKey  (0x2001f, {24, 0, 0x640, 0, 0,  (0x2001f, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 12, ) }, ... 12, ) == 0x0
 01651   896   NtOpenKey  (0x1, {24, 12, 0x40, 0, 0,  (0x1, {24, 12, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\ThemeManager"}, ... 136, ) }, ... 136, ) == 0x0
 01652   896   NtQueryValueKey  (136,  (136, "Compositing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01653   896   NtClose  (136, ... ) == 0x0
 01654   896   NtClose  (12, ... ) == 0x0
 01655   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01656   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 12, ) == 0x0
 01657   896   NtQueryInformationToken  (12, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01658   896   NtClose  (12, ... ) == 0x0
 01659   896   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 12, ) }, ... 12, ) == 0x0
 01660   896   NtOpenKey  (0x1, {24, 12, 0x40, 0, 0,  (0x1, {24, 12, 0x40, 0, 0, "Control Panel\Desktop"}, ... 136, ) }, ... 136, ) == 0x0
 01661   896   NtQueryValueKey  (136,  (136, "LameButtonText", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01662   896   NtClose  (136, ... ) == 0x0
 01663   896   NtClose  (12, ... ) == 0x0
 01664   896   NtUserGetProcessWindowStation  (... ) == 0x1c
 01665   896   NtUserGetObjectInformation  (28, 2, 1232984, 64, 1232980, ... ) == 0x1
 01666   896   NtUserGetGUIThreadInfo  (896, 1233004, ... ) == 0x1
 01667   896   NtConnectPort  ( ("\ThemeApiPort", {12, 2, 1, 1}, 0x0, 0x0, 1232848, 64, ... 12, 0x0, 0x0, 0x0, 64, ) , {12, 2, 1, 1}, 0x0, 0x0, 1232848, 64, ... 12, 0x0, 0x0, 0x0, 64, ) == 0x0
 01668   896   NtRequestWaitReplyPort  (12, {32, 56, new_msg, 0, 0, 0, 0, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 1252, 896, 81851, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 1252, 896, 81851, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 1252, 896, 81851, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 01669   896   NtRequestWaitReplyPort  (12, {32, 56, new_msg, 0, 0, 0, 0, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 1252, 896, 81852, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 1252, 896, 81852, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 1252, 896, 81852, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 01670   896   NtUserCallNoParam  (29, ...
 01671   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1230244, ... ) }, 1230244, ... ) == 0x0
 01670   896   NtUserCallNoParam  ... ) == 0x0
 01672   896   NtUserSystemParametersInfo  (41, 0, 1524240760, 0, ... ) == 0x1
 01673   896   NtGdiHfontCreate  (1232372, 356, 0, 0, 1332232, ... ) == 0x640a0596
 01674   896   NtGdiHfontCreate  (1232372, 356, 0, 0, 1332224, ... ) == 0x740a05de
 01675   896   NtRequestWaitReplyPort  (12, {32, 56, new_msg, 0, 0, 0, 0, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 1252, 896, 81853, 0} "\0\0\0\0\0\0\0\0\210\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 1252, 896, 81853, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 1252, 896, 81853, 0} "\0\0\0\0\0\0\0\0\210\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 01676   896   NtMapViewOfSection  (136, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xb40000), {0, 0}, 327680, ) == 0x0
 01677   896   NtUserGetWindowDC  (0, ... ) == 0x1010054
 01678   896   NtUserCallOneParam  (16842836, 57, ... ) == 0x1
 01679   896   NtUserGetWindowDC  (0, ... ) == 0x1010054
 01680   896   NtQueryVirtualMemory  (-1, 0x416dba, Basic, 28, ... {BaseAddress=0x416000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0x18000,State=0x1000,Protect=0x40,Type=0x1000000,}, 28, ) == 0x0
 01681   896   NtQueryVirtualMemory  (-1, 0x417298, Basic, 28, ... {BaseAddress=0x417000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0x17000,State=0x1000,Protect=0x40,Type=0x1000000,}, 28, ) == 0x0
 01682   896   NtRaiseException  (1232112, 1232136, 0, ...
 01226   188   NtWaitForMultipleObjects  ... ) == 0xc0
 01683   896   NtFlushInstructionCache  (-1, 0, 0, ... ) == 0x0
NtAddAtom(>)	1	NtSecureConnectPort(>)	1	NtUserCallOneParam(>)	3	NtQueryDirectoryFile(>)	14
NtCallbackReturn(>)	1	NtSetInformationThread(>)	1	NtUserGetWindowDC(>)	3	NtUnmapViewOfSection(>)	15
NtConnectPort(>)	1	NtUserCreateWindowEx(>)	1	NtUserRegisterWindowMessage(>)	3	NtQueryDebugFilterState(>)	16
NtCreateMutant(>)	1	NtUserGetAtomName(>)	1	NtWaitForMultipleObjects(>)	3	NtQueryInformationToken(>)	17
NtCreateThread(>)	1	NtUserGetDC(>)	1	NtWriteFile(>)	3	NtQueryInformationFile(>)	19
NtDelayExecution(>)	1	NtUserGetGUIThreadInfo(>)	1	NtAccessCheck(>)	4	NtCreateFile(>)	22
NtDuplicateToken(>)	1	NtUserGetObjectInformation(>)	1	NtContinue(>)	4	NtDeviceIoControlFile(>)	22
NtEnumerateValueKey(>)	1	NtUserGetProcessWindowStation(>)	1	NtCreateSemaphore(>)	4	NtOpenSection(>)	29
NtGdiCreateBitmap(>)	1	NtUserGetThreadDesktop(>)	1	NtSetEvent(>)	4	NtQueryDefaultLocale(>)	30
NtGdiInit(>)	1	NtDuplicateObject(>)	2	NtGdiGetStockObject(>)	5	NtOpenFile(>)	35
NtGdiQueryFontAssocInfo(>)	1	NtFsControlFile(>)	2	NtFreeVirtualMemory(>)	7	NtQueryAttributesFile(>)	36
NtGdiSelectBitmap(>)	1	NtGdiCreateSolidBrush(>)	2	NtOpenProcessToken(>)	7	NtQueryVirtualMemory(>)	36
NtNotifyChangeKey(>)	1	NtGdiHfontCreate(>)	2	NtQueryInformationProcess(>)	7	NtQueryValueKey(>)	46
NtOpenEvent(>)	1	NtOpenDirectoryObject(>)	2	NtSetValueKey(>)	8	NtAllocateVirtualMemory(>)	47
NtOpenKeyedEvent(>)	1	NtOpenThreadToken(>)	2	NtCreateEvent(>)	9	NtMapViewOfSection(>)	48
NtOpenProcess(>)	1	NtRegisterThreadTerminatePort(>)	2	NtCreateKey(>)	9	NtUserFindExistingCursorIcon(>)	50
NtOpenSymbolicLinkObject(>)	1	NtSetEventBoostPriority(>)	2	NtQueryVolumeInformationFile(>)	9	NtUserRegisterClassExWOW(>)	62
NtQueryFullAttributesFile(>)	1	NtSetInformationProcess(>)	2	NtQueryDefaultUILanguage(>)	10	NtCreateSection(>)	75
NtQueryInformationThread(>)	1	NtTestAlert(>)	2	NtQuerySection(>)	10	NtQuerySystemInformation(>)	78
NtQueryInstallUILanguage(>)	1	NtWaitForSingleObject(>)	2	NtSetInformationFile(>)	10	NtReadFile(>)	79
NtQueryObject(>)	1	NtGdiCreateCompatibleDC(>)	3	NtRequestWaitReplyPort(>)	12	NtOpenKey(>)	90
NtQuerySymbolicLinkObject(>)	1	NtQueryPerformanceCounter(>)	3	NtUserSystemParametersInfo(>)	12	NtFlushInstructionCache(>)	110
NtRaiseException(>)	1	NtSetInformationObject(>)	3	NtOpenProcessTokenEx(>)	13	NtProtectVirtualMemory(>)	227
NtResumeThread(>)	1	NtUserCallNoParam(>)	3	NtOpenThreadTokenEx(>)	13	NtClose(>)	265