Summary:


NtAddAtom(>)  1 
NtUserCreateWindowEx(>)  1 
NtUserGetWindowDC(>)  3 
NtFlushInstructionCache(>)  18 

NtCallbackReturn(>)  1 
NtUserGetAtomName(>)  1 
NtUserOpenDesktop(>)  3 
NtQueryInformationFile(>)  21 

NtConnectPort(>)  1 
NtUserGetDC(>)  1 
NtUserRegisterWindowMessage(>)  3 
NtUnmapViewOfSection(>)  21 

NtCreateMutant(>)  1 
NtUserGetGUIThreadInfo(>)  1 
NtCreateEvent(>)  4 
NtCreateSection(>)  27 

NtCreateProcessEx(>)  1 
NtUserGetThreadDesktop(>)  1 
NtWriteVirtualMemory(>)  4 
NtOpenProcessTokenEx(>)  28 

NtCreateThread(>)  1 
NtAccessCheck(>)  2 
NtGdiGetStockObject(>)  5 
NtOpenSection(>)  28 

NtDelayExecution(>)  1 
NtEnumerateKey(>)  2 
NtSetInformationProcess(>)  5 
NtOpenThreadTokenEx(>)  28 

NtDuplicateObject(>)  1 
NtGdiCreateSolidBrush(>)  2 
NtUserBuildHwndList(>)  5 
NtQueryInformationToken(>)  35 

NtDuplicateToken(>)  1 
NtGdiDeleteObjectApp(>)  2 
NtUserGetProcessWindowStation(>)  5 
NtQueryDefaultLocale(>)  39 

NtEnumerateValueKey(>)  1 
NtGdiHfontCreate(>)  2 
NtWriteFile(>)  5 
NtOpenFile(>)  43 

NtFsControlFile(>)  1 
NtOpenDirectoryObject(>)  2 
NtOpenProcessToken(>)  6 
NtQueryAttributesFile(>)  46 

NtGdiCreateBitmap(>)  1 
NtOpenEvent(>)  2 
NtQueryDefaultUILanguage(>)  8 
NtUserUnregisterClass(>)  46 

NtGdiInit(>)  1 
NtOpenSymbolicLinkObject(>)  2 
NtQueryVirtualMemory(>)  8 
NtMapViewOfSection(>)  47 

NtGdiQueryFontAssocInfo(>)  1 
NtQueryInstallUILanguage(>)  2 
NtSetInformationThread(>)  8 
NtUserFindExistingCursorIcon(>)  48 

NtGdiSelectBitmap(>)  1 
NtQuerySymbolicLinkObject(>)  2 
NtQueryDirectoryFile(>)  9 
NtAllocateVirtualMemory(>)  53 

NtNotifyChangeKey(>)  1 
NtReadVirtualMemory(>)  2 
NtQueryVolumeInformationFile(>)  9 
NtQueryValueKey(>)  53 

NtOpenKeyedEvent(>)  1 
NtTerminateProcess(>)  2 
NtSetValueKey(>)  9 
NtUserRegisterClassExWOW(>)  64 

NtOpenMutant(>)  1 
NtUserCloseDesktop(>)  2 
NtCreateKey(>)  10 
NtReadFile(>)  68 

NtOpenProcess(>)  1 
NtUserGetObjectInformation(>)  2 
NtUserSystemParametersInfo(>)  11 
NtQuerySystemInformation(>)  79 

NtQueryFullAttributesFile(>)  1 
NtUserWaitForInputIdle(>)  2 
NtQueryInformationProcess(>)  12 
NtUserGetClassInfo(>)  82 

NtQueryInformationJobObject(>)  1 
NtContinue(>)  3 
NtQuerySection(>)  12 
NtOpenKey(>)  107 

NtQueryObject(>)  1 
NtCreateSemaphore(>)  3 
NtRequestWaitReplyPort(>)  12 
NtUserQueryWindow(>)  136 

NtRegisterThreadTerminatePort(>)  1 
NtGdiCreateCompatibleDC(>)  3 
NtSetInformationFile(>)  12 
NtClose(>)  196 

NtResumeThread(>)  1 
NtOpenThreadToken(>)  3 
NtFreeVirtualMemory(>)  14 
NtProtectVirtualMemory(>)  216 

NtSecureConnectPort(>)  1 
NtSetInformationObject(>)  3 
NtCreateFile(>)  16 

NtTestAlert(>)  1 
NtUserCallNoParam(>)  3 
NtDeviceIoControlFile(>)  16 

NtUserBuildNameList(>)  1 

Trace:
 00001   452   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002   452   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00003   452   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00004   452   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0
 00005   452   NtAllocateVirtualMemory  (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0
 00006   452   NtAllocateVirtualMemory  (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0
 00007   452   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00008   452   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0
 00009   452   NtAllocateVirtualMemory  (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0
 00010   452   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00011   452   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00012   452   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00013   452   NtClose  (12, ... ) == 0x0
 00014   452   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00015   452   NtQueryVolumeInformationFile  (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00016   452   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER
 00017   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019   452   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0
 00020   452   NtClose  (16, ... ) == 0x0
 00021   452   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00022   452   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00023   452   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00024   452   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18481152}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18481152}, {0, 0, 0}, 200, 44, ) == 0x0
 00025   452   NtClose  (16, ... ) == 0x0
 00026   452   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00027   452   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00028   452   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00029   452   NtQueryVirtualMemory  (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00030   452   NtAllocateVirtualMemory  (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0
 00031   452   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" ... {28, 56, reply, 0, 444, 452, 1529, 0} "`\266\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" )  ... {28, 56, reply, 0, 444, 452, 1529, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" ... {28, 56, reply, 0, 444, 452, 1529, 0} "`\266\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" )  ) == 0x0
 00032   452   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00033   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00034   452   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00035   452   NtClose  (16, ... ) == 0x0
 00036   452   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00037   452   NtOpenMutant  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0
 00038   452   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 28, ) == 0x0
 00039   452   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0
 00040   452   NtClose  (28, ... ) == 0x0
 00041   452   NtQueryDefaultLocale  (0, 2012046252, ... ) == 0x0
 00042   452   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0
 00043   452   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 212992, ) == 0x0
 00044   452   NtClose  (28, ... ) == 0x0
 00045   452   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0
 00046   452   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0
 00047   452   NtQuerySection  (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00048   452   NtClose  (28, ... ) == 0x0
 00049   452   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0
 00050   452   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0
 00051   452   NtClose  (28, ... ) == 0x0
 00052   452   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00053   452   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00054   452   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00055   452   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" ... {28, 56, reply, 0, 444, 452, 1533, 0} "(\261\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" )  ... {28, 56, reply, 0, 444, 452, 1533, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" ... {28, 56, reply, 0, 444, 452, 1533, 0} "(\261\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" )  ) == 0x0
 00056   452   NtProtectVirtualMemory  (-1, (0x438000), 96428, 4, ... (0x438000), 98304, 128, ) == 0x0
 00057   452   NtProtectVirtualMemory  (-1, (0x438000), 98304, 128, ... (0x438000), 98304, 4, ) == 0x0
 00058   452   NtFlushInstructionCache  (-1, 4423680, 96428, ... ) == 0x0
 00059   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "USER32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00060   452   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0
 00061   452   NtClose  (28, ... ) == 0x0
 00062   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00063   452   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0
 00064   452   NtClose  (28, ... ) == 0x0
 00065   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00066   452   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0
 00067   452   NtClose  (28, ... ) == 0x0
 00068   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00069   452   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0
 00070   452   NtClose  (28, ... ) == 0x0
 00071   452   NtProtectVirtualMemory  (-1, (0x438000), 96428, 4, ... (0x438000), 98304, 64, ) == 0x0
 00072   452   NtProtectVirtualMemory  (-1, (0x438000), 98304, 64, ... (0x438000), 98304, 4, ) == 0x0
 00073   452   NtFlushInstructionCache  (-1, 4423680, 96428, ... ) == 0x0
 00074   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSVCRT.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00075   452   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0
 00076   452   NtClose  (28, ... ) == 0x0
 00077   452   NtProtectVirtualMemory  (-1, (0x438000), 96428, 4, ... (0x438000), 98304, 64, ) == 0x0
 00078   452   NtProtectVirtualMemory  (-1, (0x438000), 98304, 64, ... (0x438000), 98304, 4, ) == 0x0
 00079   452   NtFlushInstructionCache  (-1, 4423680, 96428, ... ) == 0x0
 00080   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00081   452   NtAllocateVirtualMemory  (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0
 00082   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1242624, ... ) }, 1242624, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00083   452   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2_32.dll"}, 1242624, ... ) }, 1242624, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00084   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 1242624, ... ) }, 1242624, ... ) == 0x0
 00085   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00086   452   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 28, ... 32, ) == 0x0
 00087   452   NtQuerySection  (32, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00088   452   NtOpenProcessToken  (-1, 0x8, ... 36, ) == 0x0
 00089   452   NtQueryInformationToken  (36, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00090   452   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00091   452   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 40, ) }, ... 40, ) == 0x0
 00092   452   NtQueryValueKey  (40,  (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00093   452   NtClose  (40, ... ) == 0x0
 00094   452   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00095   452   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 40, ) == 0x0
 00096   452   NtQueryInformationToken  (40, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00097   452   NtClose  (40, ... ) == 0x0
 00098   452   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00099   452   NtClose  (36, ... ) == 0x0
 00100   452   NtClose  (28, ... ) == 0x0
 00101   452   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 86016, ) == 0x0
 00102   452   NtClose  (32, ... ) == 0x0
 00103   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00104   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1241820, ... ) }, 1241820, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00105   452   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2HELP.dll"}, 1241820, ... ) }, 1241820, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00106   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 1241820, ... ) }, 1241820, ... ) == 0x0
 00107   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 5, 96, ... 32, {status=0x0, info=1}, ) }, 5, 96, ... 32, {status=0x0, info=1}, ) == 0x0
 00108   452   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 32, ... 28, ) == 0x0
 00109   452   NtQuerySection  (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00110   452   NtClose  (32, ... ) == 0x0
 00111   452   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00112   452   NtClose  (28, ... ) == 0x0
 00113   452   NtProtectVirtualMemory  (-1, (0x438000), 96428, 4, ... (0x438000), 98304, 64, ) == 0x0
 00114   452   NtProtectVirtualMemory  (-1, (0x438000), 98304, 64, ... (0x438000), 98304, 4, ) == 0x0
 00115   452   NtFlushInstructionCache  (-1, 4423680, 96428, ... ) == 0x0
 00116   452   NtProtectVirtualMemory  (-1, (0x438000), 96428, 4, ... (0x438000), 98304, 64, ) == 0x0
 00117   452   NtProtectVirtualMemory  (-1, (0x438000), 98304, 64, ... (0x438000), 98304, 4, ) == 0x0
 00118   452   NtFlushInstructionCache  (-1, 4423680, 96428, ... ) == 0x0
 00119   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHELL32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00120   452   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 8339456, ) == 0x0
 00121   452   NtClose  (28, ... ) == 0x0
 00122   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00123   452   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x772d0000), 0x0, 405504, ) == 0x0
 00124   452   NtClose  (28, ... ) == 0x0
 00125   452   NtProtectVirtualMemory  (-1, (0x438000), 96428, 4, ... (0x438000), 98304, 64, ) == 0x0
 00126   452   NtProtectVirtualMemory  (-1, (0x438000), 98304, 64, ... (0x438000), 98304, 4, ) == 0x0
 00127   452   NtFlushInstructionCache  (-1, 4423680, 96428, ... ) == 0x0
 00128   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLEAUT32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00129   452   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0
 00130   452   NtClose  (28, ... ) == 0x0
 00131   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLE32.DLL"}, ... 28, ) }, ... 28, ) == 0x0
 00132   452   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0
 00133   452   NtClose  (28, ... ) == 0x0
 00134   452   NtProtectVirtualMemory  (-1, (0x438000), 96428, 4, ... (0x438000), 98304, 64, ) == 0x0
 00135   452   NtProtectVirtualMemory  (-1, (0x438000), 98304, 64, ... (0x438000), 98304, 4, ) == 0x0
 00136   452   NtFlushInstructionCache  (-1, 4423680, 96428, ... ) == 0x0
 00137   452   NtOpenProcessToken  (-1, 0x8, ... 28, ) == 0x0
 00138   452   NtQueryInformationToken  (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00139   452   NtClose  (28, ... ) == 0x0
 00140   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00141   452   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00142   452   NtClose  (28, ... ) == 0x0
 00143   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00144   452   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00145   452   NtQueryValueKey  (28,  (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00146   452   NtClose  (28, ... ) == 0x0
 00147   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0
 00148   452   NtQueryValueKey  (28,  (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00149   452   NtClose  (28, ... ) == 0x0
 00150   452   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0
 00151   452   NtSetInformationObject  (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0
 00152   452   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00153   452   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00154   452   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566}  (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566} "\210\6\32\1\0\0\0\0\314\4\23\0\374\207\16\366\3\0\0\0\234\6\32\1$\1\0\0" ... {28, 56, reply, 0, 444, 452, 1570, 0} "XQ\26\0\0\0\0\0\0\0\0\0\374\207\16\366\3\0\0\0\234\6\32\1$\1\0\0" )  ... {28, 56, reply, 0, 444, 452, 1570, 0}  (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566} "\210\6\32\1\0\0\0\0\314\4\23\0\374\207\16\366\3\0\0\0\234\6\32\1$\1\0\0" ... {28, 56, reply, 0, 444, 452, 1570, 0} "XQ\26\0\0\0\0\0\0\0\0\0\374\207\16\366\3\0\0\0\234\6\32\1$\1\0\0" )  ) == 0x0
 00155   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00156   452   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x450000), 0x0, 1060864, ) == 0x0
 00157   452   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 36, ) == 0x0
 00158   452   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00159   452   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482020, ) == 0x0
 00160   452   NtQueryInformationToken  (-2147482020, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00161   452   NtQueryInformationToken  (-2147482020, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00162   452   NtClose  (-2147482020, ... ) == 0x0
 00163   452   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 4128768, 4096, ) == 0x0
 00164   452   NtFreeVirtualMemory  (-1, (0x3f0000), 4096, 32768, ... (0x3f0000), 4096, ) == 0x0
 00165   452   NtDuplicateObject  (-1, 40, -1, 0x0, 0, 2, ... 48, ) == 0x0
 00166   452   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00167   452   NtQueryValueKey  (-2147482020,  (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00168   452   NtClose  (-2147482020, ... ) == 0x0
 00169   452   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00170   452   NtQueryValueKey  (-2147482020,  (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00171   452   NtClose  (-2147482020, ... ) == 0x0
 00172   452   NtQueryDefaultLocale  (0, -136214004, ... ) == 0x0
 00173   452   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00174   452   NtUserCallNoParam  (24, ... ) == 0x0
 00175   452   NtGdiCreateCompatibleDC  (0, ...
 00176   452   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 4128768, 4096, ) == 0x0
 00175   452   NtGdiCreateCompatibleDC  ... ) == 0x10010451
 00177   452   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00178   452   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00179   452   NtGdiCreateBitmap  (8, 8, 1, 1, 2010393708, ... ) == 0xb050458
 00180   452   NtGdiCreateSolidBrush  (0, 0, ...
 00181   452   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 8781824, 4096, ) == 0x0
 00180   452   NtGdiCreateSolidBrush  ... ) == 0x810045b
 00182   452   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00183   452   NtGdiCreateCompatibleDC  (0, ... ) == 0x601045c
 00184   452   NtGdiSelectBitmap  (100729948, 184878168, ... ) == 0x185000f
 00185   452   NtUserGetThreadDesktop  (452, 0, ... ) == 0x2c
 00186   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 52, ) }, ... 52, ) == 0x0
 00187   452   NtQueryValueKey  (52,  (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00188   452   NtClose  (52, ... ) == 0x0
 00189   452   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00190   452   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 673, 128, 0, ... ) == 0x810cc017
 00191   452   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00192   452   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 674, 128, 0, ... ) == 0x810cc01c
 00193   452   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00194   452   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 675, 128, 0, ... ) == 0x810cc01e
 00195   452   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00196   452   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 676, 128, 0, ... ) == 0x810c8002
 00197   452   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10013
 00198   452   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 677, 128, 0, ... ) == 0x810cc018
 00199   452   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00200   452   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 678, 128, 0, ... ) == 0x810cc01a
 00201   452   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00202   452   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 679, 128, 0, ... ) == 0x810cc01d
 00203   452   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00204   452   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 681, 128, 0, ... ) == 0x810cc026
 00205   452   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00206   452   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 680, 128, 0, ... ) == 0x810cc019
 00207   452   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810cc020
 00208   452   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810cc022
 00209   452   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810cc023
 00210   452   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810cc024
 00211   452   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ...
 00212   452   NtAllocateVirtualMemory  (-1, 5746688, 0, 4096, 4096, 32, ... 5746688, 4096, ) == 0x0
 00211   452   NtUserRegisterClassExWOW  ... ) == 0x810cc025
 00213   452   NtCallbackReturn  (0, 0, 0, ...
 00214   452   NtGdiInit  (... ) == 0x1
 00215   452   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00216   452   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00217   452   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00218   452   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 8847360, 65536, ) == 0x0
 00219   452   NtAllocateVirtualMemory  (-1, 8847360, 0, 4096, 4096, 4, ... 8847360, 4096, ) == 0x0
 00220   452   NtAllocateVirtualMemory  (-1, 8851456, 0, 8192, 4096, 4, ... 8851456, 8192, ) == 0x0
 00221   452   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 52, ) }, ... 52, ) == 0x0
 00222   452   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x880000), 0x0, 12288, ) == 0x0
 00223   452   NtClose  (52, ... ) == 0x0
 00224   452   NtAllocateVirtualMemory  (-1, 8859648, 0, 4096, 4096, 4, ... 8859648, 4096, ) == 0x0
 00225   452   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00226   452   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00227   452   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00228   452   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 52, ) }, ... 52, ) == 0x0
 00229   452   NtQueryValueKey  (52,  (52, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (52, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00230   452   NtClose  (52, ... ) == 0x0
 00231   452   NtQueryDefaultUILanguage  (1241756, ...
 00232   452   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00233   452   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 00234   452   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00235   452   NtClose  (-2147482020, ... ) == 0x0
 00236   452   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00237   452   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00238   452   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00239   452   NtQueryValueKey  (-2147482032,  (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00240   452   NtClose  (-2147482032, ... ) == 0x0
 00241   452   NtClose  (-2147482020, ... ) == 0x0
 00231   452   NtQueryDefaultUILanguage  ... ) == 0x0
 00242   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00243   452   NtQueryInstallUILanguage  (2012047340, ... ) == 0x0
 00244   452   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1, 96, ... 52, {status=0x0, info=1}, ) }, 1, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00245   452   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 52, ... 56, ) == 0x0
 00246   452   NtMapViewOfSection  (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x890000), 0x0, 8323072, ) == 0x0
 00247   452   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00248   452   NtQueryDefaultUILanguage  (2013024600, ...
 00249   452   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00250   452   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 00251   452   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00252   452   NtClose  (-2147482020, ... ) == 0x0
 00253   452   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00254   452   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00255   452   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00256   452   NtQueryValueKey  (-2147482032,  (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00257   452   NtClose  (-2147482032, ... ) == 0x0
 00258   452   NtClose  (-2147482020, ... ) == 0x0
 00248   452   NtQueryDefaultUILanguage  ... ) == 0x0
 00259   452   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00260   452   NtQueryInstallUILanguage  (2013024602, ... ) == 0x0
 00261   452   NtQueryDefaultLocale  (1, 1239792, ... ) == 0x0
 00262   452   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00263   452   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1240648, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1240648, 1, 96, 0} "\210\6\32\1\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\14\0\0\0\377\377\377\377\0\0\0\0\20\311\300\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0H\365\22\0\0\0\0\0" ... {128, 156, reply, 0, 444, 452, 1571, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\14\0\0\0\377\377\377\377\0\0\0\0\20\311\300\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0H\365\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 444, 452, 1571, 0}  (24, {128, 156, new_msg, 0, 1240648, 1, 96, 0} "\210\6\32\1\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\14\0\0\0\377\377\377\377\0\0\0\0\20\311\300\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0H\365\22\0\0\0\0\0" ... {128, 156, reply, 0, 444, 452, 1571, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\14\0\0\0\377\377\377\377\0\0\0\0\20\311\300\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0H\365\22\0\0\0\0\0" )  ) == 0x0
 00264   452   NtClose  (52, ... ) == 0x0
 00265   452   NtClose  (56, ... ) == 0x0
 00266   452   NtUnmapViewOfSection  (-1, 0x890000, ... ) == 0x0
 00267   452   NtUnmapViewOfSection  (-1, 0x12f548, ... ) == STATUS_NOT_MAPPED_VIEW
 00268   452   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00269   452   NtAllocateVirtualMemory  (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0
 00270   452   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 56, ) }, ... 56, ) == 0x0
 00271   452   NtQueryValueKey  (56,  (56, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00272   452   NtClose  (56, ... ) == 0x0
 00273   452   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00274   452   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00275   452   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00276   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1238876, ... ) }, 1238876, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00277   452   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00278   452   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00279   452   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00280   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1239468, ... ) }, 1239468, ... ) == 0x0
 00281   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 56, {status=0x0, info=1}, ) }, 3, 33, ... 56, {status=0x0, info=1}, ) == 0x0
 00282   452   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00283   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00284   452   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 52, ... 60, ) == 0x0
 00285   452   NtClose  (52, ... ) == 0x0
 00286   452   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x890000), 0x0, 921600, ) == 0x0
 00287   452   NtClose  (60, ... ) == 0x0
 00288   452   NtUnmapViewOfSection  (-1, 0x890000, ... ) == 0x0
 00289   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 60, {status=0x0, info=1}, ) }, 5, 96, ... 60, {status=0x0, info=1}, ) == 0x0
 00290   452   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 60, ... 52, ) == 0x0
 00291   452   NtQuerySection  (52, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00292   452   NtClose  (60, ... ) == 0x0
 00293   452   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0
 00294   452   NtClose  (52, ... ) == 0x0
 00295   452   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00296   452   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00297   452   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00298   452   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00299   452   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00300   452   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00301   452   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00302   452   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00303   452   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00304   452   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00305   452   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00306   452   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00307   452   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00308   452   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00309   452   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00310   452   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00311   452   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00312   452   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00313   452   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00314   452   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00315   452   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00316   452   NtAddAtom  ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1240652, ... ) , 42, 1240652, ... ) == 0x0
 00317   452   NtQueryDefaultUILanguage  (1239368, ...
 00318   452   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00319   452   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 00320   452   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00321   452   NtClose  (-2147482020, ... ) == 0x0
 00322   452   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00323   452   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00324   452   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00325   452   NtQueryValueKey  (-2147482032,  (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00326   452   NtClose  (-2147482032, ... ) == 0x0
 00327   452   NtClose  (-2147482020, ... ) == 0x0
 00317   452   NtQueryDefaultUILanguage  ... ) == 0x0
 00328   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00329   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1238220, ... ) }, 1238220, ... ) == 0x0
 00330   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00331   452   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 52, ... 60, ) == 0x0
 00332   452   NtClose  (52, ... ) == 0x0
 00333   452   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x890000), 0x0, 4096, ) == 0x0
 00334   452   NtClose  (60, ... ) == 0x0
 00335   452   NtUnmapViewOfSection  (-1, 0x890000, ... ) == 0x0
 00336   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1237860, ... ) }, 1237860, ... ) == 0x0
 00337   452   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238560,  (0x80100080, {24, 0, 0x40, 0, 1238560, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 60, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 60, {status=0x0, info=1}, ) == 0x0
 00338   452   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 60, ... 52, ) == 0x0
 00339   452   NtClose  (60, ... ) == 0x0
 00340   452   NtMapViewOfSection  (52, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x890000), {0, 0}, 4096, ) == 0x0
 00341   452   NtClose  (52, ... ) == 0x0
 00342   452   NtUnmapViewOfSection  (-1, 0x890000, ... ) == 0x0
 00343   452   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 52, {status=0x0, info=1}, ) }, 1, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00344   452   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 52, ... 60, ) == 0x0
 00345   452   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x890000), 0x0, 4096, ) == 0x0
 00346   452   NtQueryInformationFile  (52, 1238180, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0
 00347   452   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00348   452   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1238260, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1238260, 1, 96, 0} "\210\6\32\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\32\14\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\32\1\0\0\0\0\0\0\0\0\364\353\22\0\0\0\0\0" ... {128, 156, reply, 0, 444, 452, 1572, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\32\14\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\32\1\0\0\0\0\0\0\0\0\364\353\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 444, 452, 1572, 0}  (24, {128, 156, new_msg, 0, 1238260, 1, 96, 0} "\210\6\32\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\32\14\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\32\1\0\0\0\0\0\0\0\0\364\353\22\0\0\0\0\0" ... {128, 156, reply, 0, 444, 452, 1572, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\32\14\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\32\1\0\0\0\0\0\0\0\0\364\353\22\0\0\0\0\0" )  ) == 0x0
 00349   452   NtClose  (52, ... ) == 0x0
 00350   452   NtClose  (60, ... ) == 0x0
 00351   452   NtUnmapViewOfSection  (-1, 0x890000, ... ) == 0x0
 00352   452   NtUnmapViewOfSection  (-1, 0x12ebf4, ... ) == STATUS_NOT_MAPPED_VIEW
 00353   452   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00354   452   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00355   452   NtUserSystemParametersInfo  (104, 0, 1906151468, 0, ... ) == 0x1
 00356   452   NtUserGetDC  (0, ... ) == 0x1010052
 00357   452   NtUserCallOneParam  (16842834, 56, ... ) == 0x1
 00358   452   NtUserSystemParametersInfo  (38, 4, 1906153440, 0, ... ) == 0x1
 00359   452   NtUserSystemParametersInfo  (66, 12, 1240672, 0, ... ) == 0x1
 00360   452   NtOpenProcessToken  (-1, 0x8, ... 60, ) == 0x0
 00361   452   NtAccessCheck  (1329352, 60, 0x1, 1240076, 1240020, 56, 1240104, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 00362   452   NtClose  (60, ... ) == 0x0
 00363   452   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00364   452   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 60, ) == 0x0
 00365   452   NtQueryInformationToken  (60, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00366   452   NtClose  (60, ... ) == 0x0
 00367   452   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 60, ) }, ... 60, ) == 0x0
 00368   452   NtSetInformationObject  (60, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 00369   452   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Control Panel\Desktop"}, ... 52, ) }, ... 52, ) == 0x0
 00370   452   NtQueryValueKey  (52,  (52, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00371   452   NtClose  (52, ... ) == 0x0
 00372   452   NtUserSystemParametersInfo  (41, 500, 1240172, 0, ... ) == 0x1
 00373   452   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 52, ) }, ... 52, ) == 0x0
 00374   452   NtQueryValueKey  (52,  (52, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00375   452   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 64, ) }, ... 64, ) == 0x0
 00376   452   NtQueryValueKey  (64,  (64, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00377   452   NtClose  (64, ... ) == 0x0
 00378   452   NtClose  (52, ... ) == 0x0
 00379   452   NtUserSystemParametersInfo  (102, 0, 1906153328, 0, ... ) == 0x1
 00380   452   NtUserSystemParametersInfo  (4130, 0, 1240696, 0, ... ) == 0x1
 00381   452   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 52, ) }, ... 52, ) == 0x0
 00382   452   NtEnumerateValueKey  (52, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 00383   452   NtClose  (52, ... ) == 0x0
 00384   452   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00385   452   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc03b
 00386   452   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc03d
 00387   452   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10011
 00388   452   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810cc03f
 00389   452   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00390   452   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc041
 00391   452   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00392   452   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc043
 00393   452   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc045
 00394   452   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00395   452   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc047
 00396   452   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10011
 00397   452   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810cc049
 00398   452   NtUserGetClassInfo  (1905590272, 1240592, 1240544, 1240620, 0, ... ) == 0xc049
 00399   452   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00400   452   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc04b
 00401   452   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00402   452   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc04d
 00403   452   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00404   452   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc04f
 00405   452   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc051
 00406   452   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00407   452   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc053
 00408   452   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10011
 00409   452   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810cc055
 00410   452   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810cc057
 00411   452   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00412   452   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc059
 00413   452   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10013
 00414   452   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc05b
 00415   452   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00416   452   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc05d
 00417   452   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00418   452   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc05f
 00419   452   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10011
 00420   452   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810cc017
 00421   452   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10011
 00422   452   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810cc019
 00423   452   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10013
 00424   452   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810cc018
 00425   452   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00426   452   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc01a
 00427   452   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10011
 00428   452   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810cc01c
 00429   452   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00430   452   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc01e
 00431   452   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10011
 00432   452   NtUserRegisterClassExWOW  (1240488, 1240568, 1240552, 1240584, 0, 384, 0, ... ) == 0x810cc01b
 00433   452   NtUserFindExistingCursorIcon  (1239972, 1239988, 1240556, ... ) == 0x10011
 00434   452   NtUserRegisterClassExWOW  (1240484, 1240564, 1240548, 1240580, 0, 384, 0, ... ) == 0x810cc068
 00435   452   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00436   452   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc06a
 00437   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "comctl32.dll"}, ... 52, ) }, ... 52, ) == 0x0
 00438   452   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0
 00439   452   NtClose  (52, ... ) == 0x0
 00440   452   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {444, 0}, ... 52, ) == 0x0
 00441   452   NtQueryInformationProcess  (52, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 00442   452   NtClose  (52, ... ) == 0x0
 00443   452   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00444   452   NtUserSystemParametersInfo  (104, 0, 2000318720, 0, ... ) == 0x1
 00445   452   NtUserSystemParametersInfo  (38, 4, 2000318708, 0, ... ) == 0x1
 00446   452   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Control Panel\Desktop"}, ... 52, ) }, ... 52, ) == 0x0
 00447   452   NtQueryValueKey  (52,  (52, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00448   452   NtClose  (52, ... ) == 0x0
 00449   452   NtUserSystemParametersInfo  (41, 500, 1241332, 0, ... ) == 0x1
 00450   452   NtUserSystemParametersInfo  (102, 0, 2000318732, 0, ... ) == 0x1
 00451   452   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00452   452   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00453   452   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ...
 00454   452   NtAllocateVirtualMemory  (-1, 5750784, 0, 4096, 4096, 32, ... 5750784, 4096, ) == 0x0
 00453   452   NtUserRegisterClassExWOW  ... ) == 0x810cc03b
 00455   452   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00456   452   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810cc03d
 00457   452   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00458   452   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00459   452   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810cc03f
 00460   452   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00461   452   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00462   452   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810cc041
 00463   452   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00464   452   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00465   452   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810cc043
 00466   452   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00467   452   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810cc045
 00468   452   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00469   452   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00470   452   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810cc047
 00471   452   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00472   452   NtUserFindExistingCursorIcon  (1241120, 1241136, 1241704, ... ) == 0x10011
 00473   452   NtUserRegisterClassExWOW  (1241572, 1241652, 1241636, 1241668, 0, 384, 0, ... ) == 0x810cc049
 00474   452   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00475   452   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00476   452   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810cc04b
 00477   452   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00478   452   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00479   452   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810cc04d
 00480   452   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00481   452   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00482   452   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810cc04f
 00483   452   NtUserGetClassInfo  (1999896576, 1241744, 1241696, 1241772, 0, ... ) == 0x0
 00484   452   NtUserRegisterClassExWOW  (1241580, 1241660, 1241644, 1241676, 0, 384, 0, ... ) == 0x810cc051
 00485   452   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00486   452   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00487   452   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810cc053
 00488   452   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00489   452   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00490   452   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810cc055
 00491   452   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810cc057
 00492   452   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00493   452   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00494   452   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810cc059
 00495   452   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00496   452   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10013
 00497   452   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810cc05b
 00498   452   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00499   452   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00500   452   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810cc05d
 00501   452   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00502   452   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00503   452   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810cc05f
 00504   452   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc03b
 00505   452   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc03d
 00506   452   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc03f
 00507   452   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc041
 00508   452   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc043
 00509   452   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc045
 00510   452   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc047
 00511   452   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc049
 00512   452   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc04b
 00513   452   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc04d
 00514   452   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc04f
 00515   452   NtUserGetClassInfo  (1999896576, 1243496, 1243448, 1243524, 0, ... ) == 0xc051
 00516   452   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc053
 00517   452   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc055
 00518   452   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc059
 00519   452   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc05b
 00520   452   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc05d
 00521   452   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc05f
 00522   452   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00523   452   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00524   452   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 52, ) }, ... 52, ) == 0x0
 00525   452   NtQueryValueKey  (52,  (52, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (52, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0
 00526   452   NtClose  (52, ... ) == 0x0
 00527   452   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00528   452   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00529   452   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00530   452   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00531   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 52, ) }, ... 52, ) == 0x0
 00532   452   NtQueryValueKey  (52,  (52, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00533   452   NtQueryValueKey  (52,  (52, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00534   452   NtQueryValueKey  (52,  (52, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00535   452   NtClose  (52, ... ) == 0x0
 00536   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 52, ) }, ... 52, ) == 0x0
 00537   452   NtQueryValueKey  (52,  (52, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00538   452   NtQueryValueKey  (52,  (52, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00539   452   NtClose  (52, ... ) == 0x0
 00540   452   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 52, ) }, ... 52, ) == 0x0
 00541   452   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00542   452   NtUserRegisterWindowMessage  ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b
 00543   452   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00544   452   NtOpenKey  (0x9, {24, 28, 0x40, 0, 0,  (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00545   452   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00546   452   NtTestAlert  (... ) == 0x0
 00547   452   NtContinue  (1244464, 1, ...
 00548   452   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x4398ac,}, 4, ... ) == 0x0
 00549   452   NtAllocateVirtualMemory  (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0
 00550   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp"}, 1243656, ... ) }, 1243656, ... ) == 0x0
 00551   452   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 1310720, 1331736, 5, 1311464}  (24, {20, 48, new_msg, 0, 1310720, 1331736, 5, 1311464} "\0\0\0\0\2\0\1\0\275\1\0\0\0\0\0\0\215\26\365w" ... {20, 48, reply, 0, 444, 452, 1573, 0} "\0\0\0\0\2\0\1\0\1\0\0\0\0\0\0\0\1\0\0\0" )  ... {20, 48, reply, 0, 444, 452, 1573, 0}  (24, {20, 48, new_msg, 0, 1310720, 1331736, 5, 1311464} "\0\0\0\0\2\0\1\0\275\1\0\0\0\0\0\0\215\26\365w" ... {20, 48, reply, 0, 444, 452, 1573, 0} "\0\0\0\0\2\0\1\0\1\0\0\0\0\0\0\0\1\0\0\0" )  ) == 0x0
 00552   452   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1243664,  (0x80100080, {24, 0, 0x40, 0, 1243664, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~1.tmp"}, 0x0, 128, 0, 2, 96, 0, 0, ... }, 0x0, 128, 0, 2, 96, 0, 0, ...
 00553   452   NtQueryDirectoryFile  (-2147482020, 0, 0, 0, -519077888, 4096, Names, 1,  (-2147482020, 0, 0, 0, -519077888, 4096, Names, 1, "~1.tmp", 1, ... {status=0x0, info=24}, ) , 1, ... {status=0x0, info=24}, ) == 0x0
 00554   452   NtClose  (-2147482020, ... ) == 0x0
 00552   452   NtCreateFile  ... 64, {status=0x0, info=2}, ) == 0x0
 00555   452   NtClose  (64, ... ) == 0x0
 00556   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~1.tmp.exe"}, 1242912, ... ) }, 1242912, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00557   452   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1243644,  (0xc0100080, {24, 0, 0x40, 0, 1243644, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~1.tmp.exe"}, 0x0, 0, 3, 5, 96, 0, 0, ... }, 0x0, 0, 3, 5, 96, 0, 0, ...
 00558   452   NtClose  (-2147482020, ... ) == 0x0
 00559   452   NtQueryDirectoryFile  (-2147482020, 0, 0, 0, -519077888, 4096, Names, 1,  (-2147482020, 0, 0, 0, -519077888, 4096, Names, 1, "~1.tmp.exe", 1, ... ) , 1, ... ) == STATUS_NO_SUCH_FILE
 00560   452   NtClose  (-2147482020, ... ) == 0x0
 00557   452   NtCreateFile  ... 64, {status=0x0, info=2}, ) == 0x0
 00561   452   NtQueryVolumeInformationFile  (64, 1243804, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00562   452   NtQueryInformationFile  (64, 1243696, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00563   452   NtWriteFile  (64, 0, 0, 0,  (64, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\310\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\7\361\203\330C\220\355\213C\220\355\213C\220\355\213\300\230\260\213@\220\355\213C\220\354\213B\220\355\213C\220\355\213B\220\355\213F\234\267\213B\220\355\213RichC\220\355\213\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0\206\23\36C\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\12\0\0\0\0\0\246\0\0\0L\0\0\376\23\1\0\0\20\0\0\0\20\0\0\0\0\200\11\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\320\1\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\10`\0\0(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\0\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.bss\0\0\0\0\34J\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0\300.rdata\0\0T\0\0\0", 88574, 0x0, 0, ... {status=0x0, info=88574}, ) , 88574, 0x0, 0, ... {status=0x0, info=88574}, ) == 0x0
 00564   452   NtClose  (64, ... ) == 0x0
 00565   452   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 00566   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~1.tmp.exe"}, 1240368, ... ) }, 1240368, ... ) == 0x0
 00567   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~1.tmp.exe"}, 1241060, ... ) }, 1241060, ... ) == 0x0
 00568   452   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~1.tmp.exe"}, 5, 96, ... 64, {status=0x0, info=1}, ) }, 5, 96, ... 64, {status=0x0, info=1}, ) == 0x0
 00569   452   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 64, ... 68, ) == 0x0
 00570   452   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00571   452   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 72, ) }, ... 72, ) == 0x0
 00572   452   NtQueryValueKey  (72,  (72, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00573   452   NtClose  (72, ... ) == 0x0
 00574   452   NtQueryVolumeInformationFile  (64, 1240368, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00575   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1238352, ... ) }, 1238352, ... ) == 0x0
 00576   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 72, {status=0x0, info=1}, ) }, 5, 96, ... 72, {status=0x0, info=1}, ) == 0x0
 00577   452   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 72, ... 76, ) == 0x0
 00578   452   NtClose  (72, ... ) == 0x0
 00579   452   NtMapViewOfSection  (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x8b0000), 0x0, 106496, ) == 0x0
 00580   452   NtClose  (76, ... ) == 0x0
 00581   452   NtUnmapViewOfSection  (-1, 0x8b0000, ... ) == 0x0
 00582   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1238668, ... ) }, 1238668, ... ) == 0x0
 00583   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 76, {status=0x0, info=1}, ) }, 5, 96, ... 76, {status=0x0, info=1}, ) == 0x0
 00584   452   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 76, ... 72, ) == 0x0
 00585   452   NtQuerySection  (72, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00586   452   NtClose  (76, ... ) == 0x0
 00587   452   NtMapViewOfSection  (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f40000), 0x0, 118784, ) == 0x0
 00588   452   NtClose  (72, ... ) == 0x0
 00589   452   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 72, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 72, {status=0x0, info=1}, ) == 0x0
 00590   452   NtQueryInformationFile  (72, 1238956, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00591   452   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 72, ... 76, ) == 0x0
 00592   452   NtMapViewOfSection  (76, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x8b0000), 0x0, 1028096, ) == 0x0
 00593   452   NtQueryInformationFile  (72, 1239052, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00594   452   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00595   452   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00596   452   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 00597   452   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\"}, 3, 16417, ... 80, {status=0x0, info=1}, ) }, 3, 16417, ... 80, {status=0x0, info=1}, ) == 0x0
 00598   452   NtQueryDirectoryFile  (80, 0, 0, 0, 1236616, 616, BothDirectory, 1,  (80, 0, 0, 0, 1236616, 616, BothDirectory, 1, "~1.tmp.exe", 0, ... {status=0x0, info=114}, ) , 0, ... {status=0x0, info=114}, ) == 0x0
 00599   452   NtClose  (80, ... ) == 0x0
 00600   452   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00601   452   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00602   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~1.tmp.exe"}, 1236004, ... ) }, 1236004, ... ) == 0x0
 00603   452   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 80, {status=0x0, info=1}, ) }, 3, 16417, ... 80, {status=0x0, info=1}, ) == 0x0
 00604   452   NtQueryDirectoryFile  (80, 0, 0, 0, 1235364, 616, BothDirectory, 1,  (80, 0, 0, 0, 1235364, 616, BothDirectory, 1, "DOCUME~1", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0
 00605   452   NtClose  (80, ... ) == 0x0
 00606   452   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\"}, 3, 16417, ... 80, {status=0x0, info=1}, ) }, 3, 16417, ... 80, {status=0x0, info=1}, ) == 0x0
 00607   452   NtQueryDirectoryFile  (80, 0, 0, 0, 1235364, 616, BothDirectory, 1,  (80, 0, 0, 0, 1235364, 616, BothDirectory, 1, "SRI-user", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 00608   452   NtClose  (80, ... ) == 0x0
 00609   452   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\"}, 3, 16417, ... 80, {status=0x0, info=1}, ) }, 3, 16417, ... 80, {status=0x0, info=1}, ) == 0x0
 00610   452   NtQueryDirectoryFile  (80, 0, 0, 0, 1235364, 616, BothDirectory, 1,  (80, 0, 0, 0, 1235364, 616, BothDirectory, 1, "LOCALS~1", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0
 00611   452   NtClose  (80, ... ) == 0x0
 00612   452   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\"}, 3, 16417, ... 80, {status=0x0, info=1}, ) }, 3, 16417, ... 80, {status=0x0, info=1}, ) == 0x0
 00613   452   NtQueryDirectoryFile  (80, 0, 0, 0, 1235364, 616, BothDirectory, 1,  (80, 0, 0, 0, 1235364, 616, BothDirectory, 1, "Temp", 0, ... {status=0x0, info=102}, ) , 0, ... {status=0x0, info=102}, ) == 0x0
 00614   452   NtClose  (80, ... ) == 0x0
 00615   452   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00616   452   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00617   452   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 00618   452   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00619   452   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 80, ) == 0x0
 00620   452   NtQueryInformationToken  (80, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00621   452   NtClose  (80, ... ) == 0x0
 00622   452   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00623   452   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\~1.tmp.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00624   452   NtUnmapViewOfSection  (-1, 0x8b0000, ... ) == 0x0
 00625   452   NtClose  (76, ... ) == 0x0
 00626   452   NtClose  (72, ... ) == 0x0
 00627   452   NtQuerySection  (68, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00628   452   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\~1.tmp.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00629   452   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 00630   452   NtOpenProcessToken  (-1, 0xa, ... 72, ) == 0x0
 00631   452   NtQueryInformationToken  (72, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00632   452   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00633   452   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 76, ) }, ... 76, ) == 0x0
 00634   452   NtQueryValueKey  (76,  (76, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (76, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00635   452   NtQueryValueKey  (76,  (76, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (76, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00636   452   NtClose  (76, ... ) == 0x0
 00637   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 76, ) }, ... 76, ) == 0x0
 00638   452   NtQueryValueKey  (76,  (76, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00639   452   NtQueryValueKey  (76,  (76, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (76, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0
 00640   452   NtClose  (76, ... ) == 0x0
 00641   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\LevelObjects"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00642   452   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 76, ) }, ... 76, ) == 0x0
 00643   452   NtQueryValueKey  (76,  (76, "Levels", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00644   452   NtClose  (76, ... ) == 0x0
 00645   452   NtQueryDefaultLocale  (1, 1239740, ... ) == 0x0
 00646   452   NtQueryDefaultLocale  (1, 1239740, ... ) == 0x0
 00647   452   NtQueryDefaultLocale  (1, 1239740, ... ) == 0x0
 00648   452   NtQueryDefaultLocale  (1, 1239740, ... ) == 0x0
 00649   452   NtAllocateVirtualMemory  (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0
 00650   452   NtQueryDefaultLocale  (1, 1239740, ... ) == 0x0
 00651   452   NtQueryDefaultLocale  (1, 1239740, ... ) == 0x0
 00652   452   NtQueryDefaultLocale  (1, 1239740, ... ) == 0x0
 00653   452   NtQueryDefaultLocale  (1, 1239740, ... ) == 0x0
 00654   452   NtQueryDefaultLocale  (1, 1239740, ... ) == 0x0
 00655   452   NtQueryDefaultLocale  (1, 1239740, ... ) == 0x0
 00656   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... 76, ) }, ... 76, ) == 0x0
 00657   452   NtEnumerateKey  (76, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name= (76, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name="{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, 92, ) }, 92, ) == 0x0
 00658   452   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, ... 80, ) }, ... 80, ) == 0x0
 00659   452   NtQueryValueKey  (80,  (80, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) , Partial, 280, ... TitleIdx=0, Type=2, Data= (80, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) }, 202, ) == 0x0
 00660   452   NtQueryValueKey  (80,  (80, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (80, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00661   452   NtClose  (80, ... ) == 0x0
 00662   452   NtEnumerateKey  (76, 1, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES
 00663   452   NtClose  (76, ... ) == 0x0
 00664   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00665   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00666   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00667   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00668   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00669   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00670   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00671   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00672   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00673   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00674   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00675   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00676   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00677   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00678   452   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00679   452   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 76, ) == 0x0
 00680   452   NtQueryInformationToken  (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00681   452   NtClose  (76, ... ) == 0x0
 00682   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00683   452   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00684   452   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 76, ) == 0x0
 00685   452   NtQueryInformationToken  (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00686   452   NtClose  (76, ... ) == 0x0
 00687   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00688   452   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00689   452   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 76, ) == 0x0
 00690   452   NtQueryInformationToken  (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00691   452   NtClose  (76, ... ) == 0x0
 00692   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00693   452   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00694   452   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 76, ) == 0x0
 00695   452   NtQueryInformationToken  (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00696   452   NtClose  (76, ... ) == 0x0
 00697   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00698   452   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00699   452   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 76, ) == 0x0
 00700   452   NtQueryInformationToken  (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00701   452   NtClose  (76, ... ) == 0x0
 00702   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00703   452   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00704   452   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 76, ) == 0x0
 00705   452   NtQueryInformationToken  (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00706   452   NtClose  (76, ... ) == 0x0
 00707   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00708   452   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00709   452   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 76, ) == 0x0
 00710   452   NtQueryInformationToken  (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00711   452   NtClose  (76, ... ) == 0x0
 00712   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00713   452   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00714   452   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 76, ) == 0x0
 00715   452   NtQueryInformationToken  (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00716   452   NtClose  (76, ... ) == 0x0
 00717   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00718   452   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00719   452   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 76, ) == 0x0
 00720   452   NtQueryInformationToken  (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00721   452   NtClose  (76, ... ) == 0x0
 00722   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00723   452   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00724   452   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 76, ) == 0x0
 00725   452   NtQueryInformationToken  (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00726   452   NtClose  (76, ... ) == 0x0
 00727   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00728   452   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00729   452   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 76, ) == 0x0
 00730   452   NtQueryInformationToken  (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00731   452   NtClose  (76, ... ) == 0x0
 00732   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00733   452   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00734   452   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 76, ) == 0x0
 00735   452   NtQueryInformationToken  (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00736   452   NtClose  (76, ... ) == 0x0
 00737   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00738   452   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00739   452   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 76, ) == 0x0
 00740   452   NtQueryInformationToken  (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00741   452   NtClose  (76, ... ) == 0x0
 00742   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00743   452   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00744   452   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 76, ) == 0x0
 00745   452   NtQueryInformationToken  (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00746   452   NtClose  (76, ... ) == 0x0
 00747   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00748   452   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00749   452   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 76, ) == 0x0
 00750   452   NtQueryInformationToken  (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00751   452   NtClose  (76, ... ) == 0x0
 00752   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00753   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 76, ) }, ... 76, ) == 0x0
 00754   452   NtQueryValueKey  (76,  (76, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (76, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Data= (76, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) }, 48, ) == 0x0
 00755   452   NtClose  (76, ... ) == 0x0
 00756   452   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00757   452   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 76, ) == 0x0
 00758   452   NtQueryInformationToken  (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00759   452   NtClose  (76, ... ) == 0x0
 00760   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00761   452   NtOpenThreadToken  (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN
 00762   452   NtOpenProcessToken  (-1, 0xa, ... 76, ) == 0x0
 00763   452   NtDuplicateToken  (76, 0xc, {24, 0, 0x0, 0, 1240260, 0x0}, 0, 2, ... 80, ) == 0x0
 00764   452   NtClose  (76, ... ) == 0x0
 00765   452   NtAccessCheck  (1337568, 80, 0x1, 1240388, 1240332, 56, 1240416, ... (0x1), ) == 0x0
 00766   452   NtClose  (80, ... ) == 0x0
 00767   452   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 80, ) }, ... 80, ) == 0x0
 00768   452   NtQueryValueKey  (80,  (80, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (80, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00769   452   NtClose  (80, ... ) == 0x0
 00770   452   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 80, ) }, ... 80, ) == 0x0
 00771   452   NtQuerySymbolicLinkObject  (80, ...  (80, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0
 00772   452   NtClose  (80, ... ) == 0x0
 00773   452   NtQueryInformationFile  (64, 1238720, 528, Name, ... {status=0x0, info=130}, ) == 0x0
 00774   452   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00775   452   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00776   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temp\~1.tmp.exe"}, 1237400, ... ) }, 1237400, ... ) == 0x0
 00777   452   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\"}, 3, 16417, ... 80, {status=0x0, info=1}, ) }, 3, 16417, ... 80, {status=0x0, info=1}, ) == 0x0
 00778   452   NtQueryDirectoryFile  (80, 0, 0, 0, 1236760, 616, BothDirectory, 1,  (80, 0, 0, 0, 1236760, 616, BothDirectory, 1, "SRI-user", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 00779   452   NtClose  (80, ... ) == 0x0
 00780   452   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\"}, 3, 16417, ... 80, {status=0x0, info=1}, ) }, 3, 16417, ... 80, {status=0x0, info=1}, ) == 0x0
 00781   452   NtQueryDirectoryFile  (80, 0, 0, 0, 1236760, 616, BothDirectory, 1,  (80, 0, 0, 0, 1236760, 616, BothDirectory, 1, "Temp", 0, ... {status=0x0, info=102}, ) , 0, ... {status=0x0, info=102}, ) == 0x0
 00782   452   NtClose  (80, ... ) == 0x0
 00783   452   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00784   452   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00785   452   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00786   452   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 80, ) == 0x0
 00787   452   NtQueryInformationToken  (80, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00788   452   NtClose  (80, ... ) == 0x0
 00789   452   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 80, ) }, ... 80, ) == 0x0
 00790   452   NtOpenKey  (0x20019, {24, 80, 0x40, 0, 0,  (0x20019, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 76, ) }, ... 76, ) == 0x0
 00791   452   NtClose  (80, ... ) == 0x0
 00792   452   NtQueryValueKey  (76,  (76, "Cache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00793   452   NtQueryValueKey  (76,  (76, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=1, Data= (76, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) }, 162, ) == 0x0
 00794   452   NtClose  (76, ... ) == 0x0
 00795   452   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 8192, 4, ... 8978432, 4096, ) == 0x0
 00796   452   NtAllocateVirtualMemory  (-1, 8978432, 0, 4096, 4096, 4, ... 8978432, 4096, ) == 0x0
 00797   452   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 76, ) }, ... 76, ) == 0x0
 00798   452   NtQueryValueKey  (76,  (76, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00799   452   NtClose  (76, ... ) == 0x0
 00800   452   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00801   452   NtQueryInformationToken  (72, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0
 00802   452   NtQueryInformationToken  (72, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0
 00803   452   NtClose  (72, ... ) == 0x0
 00804   452   NtCreateProcessEx  (1242996, 2035711, 0, -1, 0, 68, 0, 0, 0, ... ) == 0x0
 00805   452   NtQueryInformationProcess  (72, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=864,ParentPid=444,}, 0x0, ) == 0x0
 00806   452   NtReadVirtualMemory  (72, 0x7ffdf008, 4, ...  (72, 0x7ffdf008, 4, ... "\0\0\200\11", 0x0, ) , 0x0, ) == 0x0
 00807   452   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~1.tmp.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00808   452   NtAllocateVirtualMemory  (-1, 1339392, 0, 8192, 4096, 4, ... 1339392, 8192, ) == 0x0
 00809   452   NtReadVirtualMemory  (72, 0x9800000, 4096, ...  (72, 0x9800000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\310\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\7\361\203\330C\220\355\213C\220\355\213C\220\355\213\300\230\260\213@\220\355\213C\220\354\213B\220\355\213C\220\355\213B\220\355\213F\234\267\213B\220\355\213RichC\220\355\213\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0\206\23\36C\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\12\0\0\0\0\0\246\0\0\0L\0\0\376\23\1\0\0\20\0\0\0\20\0\0\0\0\200\11\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\320\1\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\10`\0\0(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\0\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.bss\0\0\0\0\34J\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0\300.rdata\0\0T\0\0\0", 4096, ) , 4096, ) == 0x0
 00810   452   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00811   452   NtQueryInformationProcess  (72, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=864,ParentPid=444,}, 0x0, ) == 0x0
 00812   452   NtAllocateVirtualMemory  (-1, 0, 0, 1772, 4096, 4, ... 9109504, 4096, ) == 0x0
 00813   452   NtAllocateVirtualMemory  (72, 0, 0, 1910, 4096, 4, ... 65536, 4096, ) == 0x0
 00814   452   NtWriteVirtualMemory  (72, 0x10000,  (72, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0
 00815   452   NtAllocateVirtualMemory  (72, 0, 0, 1772, 4096, 4, ... 131072, 4096, ) == 0x0
 00816   452   NtWriteVirtualMemory  (72, 0x20000,  (72, 0x20000, "\0\20\0\0\354\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\0\0\0\0\0\13\0\0\0$\0\10\2\220\2\0\0\0\0\0\0\32\1\34\1\230\4\0\0Z\0\\0\264\5\0\0Z\0\\0\20\6\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0Z\0\\0l\6\0\0\36\0 \0\310\6\0\0\0\0\2\0\350\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1772, ... 0x0, ) , 1772, ... 0x0, ) == 0x0
 00817   452   NtWriteVirtualMemory  (72, 0x7ffdf010,  (72, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 00818   452   NtWriteVirtualMemory  (72, 0x7ffdf1e8,  (72, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 00819   452   NtFreeVirtualMemory  (-1, (0x8b0000), 0, 32768, ... (0x8b0000), 4096, ) == 0x0
 00820   452   NtAllocateVirtualMemory  (72, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0
 00821   452   NtAllocateVirtualMemory  (72, 1236992, 0, 8192, 4096, 4, ... 1236992, 8192, ) == 0x0
 00822   452   NtProtectVirtualMemory  (72, (0x12e000), 4096, 260, ... (0x12e000), 4096, 4, ) == 0x0
 00823   452   NtCreateThread  (0x1f03ff, 0x0, 72, 1241260, 1241980, 1, ... 76, {864, 868}, ) == 0x0
 00824   452   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 1313016, 1310720, 1331744, 1243080}  (24, {168, 196, new_msg, 0, 1313016, 1310720, 1331744, 1243080} "\0\0\0\0\0\0\1\0\2$\370w U\367wK\0\0\0L\0\0\0`\3\0\0d\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 444, 452, 1574, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367wH\0\0\0L\0\0\0`\3\0\0d\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {168, 196, reply, 0, 444, 452, 1574, 0}  (24, {168, 196, new_msg, 0, 1313016, 1310720, 1331744, 1243080} "\0\0\0\0\0\0\1\0\2$\370w U\367wK\0\0\0L\0\0\0`\3\0\0d\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 444, 452, 1574, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367wH\0\0\0L\0\0\0`\3\0\0d\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 00825   452   NtResumeThread  (76, ... 1, ) == 0x0
 00826   452   NtClose  (64, ... ) == 0x0
 00827   452   NtClose  (68, ... ) == 0x0
 00828   452   NtQueryInformationProcess  (72, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=864,ParentPid=444,}, 0x0, ) == 0x0
 00829   452   NtUserWaitForInputIdle  (864, 30000, 0, ...
 00830   452   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 68, ) == 0x0
 00831   452   NtClose  (68, ... ) == 0x0
 00829   452   NtUserWaitForInputIdle  ... ) == 0x102
 00832   452   NtClose  (72, ... ) == 0x0
 00833   452   NtClose  (76, ... ) == 0x0
 00834   452   NtAllocateVirtualMemory  (-1, 0, 0, 128, 4096, 4, ... 9109504, 4096, ) == 0x0
 00835   452   NtAllocateVirtualMemory  (-1, 0, 0, 260, 4096, 4, ... 9175040, 4096, ) == 0x0
 00836   452   NtAllocateVirtualMemory  (-1, 0, 0, 260, 4096, 4, ... 9240576, 4096, ) == 0x0
 00837   452   NtAllocateVirtualMemory  (-1, 0, 0, 176128, 4096, 4, ... 9306112, 176128, ) == 0x0
 00838   452   NtAllocateVirtualMemory  (-1, 0, 0, 28268, 4096, 4, ... 9502720, 28672, ) == 0x0
 00839   452   NtFreeVirtualMemory  (-1, (0x910000), 0, 32768, ... (0x910000), 28672, ) == 0x0
 00840   452   NtFreeVirtualMemory  (-1, (0x8e0000), 0, 32768, ... (0x8e0000), 176128, ) == 0x0
 00841   452   NtProtectVirtualMemory  (-1, (0x42b820), 20, 64, ... (0x42b000), 4096, 4, ) == 0x0
 00842   452   NtProtectVirtualMemory  (-1, (0x42a234), 4, 64, ... (0x42a000), 4096, 4, ) == 0x0
 00843   452   NtProtectVirtualMemory  (-1, (0x42a238), 4, 64, ... (0x42a000), 4096, 64, ) == 0x0
 00844   452   NtProtectVirtualMemory  (-1, (0x42a23c), 4, 64, ... (0x42a000), 4096, 64, ) == 0x0
 00845   452   NtProtectVirtualMemory  (-1, (0x42a240), 4, 64, ... (0x42a000), 4096, 64, ) == 0x0
 00846   452   NtProtectVirtualMemory  (-1, (0x42a244), 4, 64, ... (0x42a000), 4096, 64, ) == 0x0
 00847   452   NtProtectVirtualMemory  (-1, (0x42a248), 4, 64, ... (0x42a000), 4096, 64, ) == 0x0
 00848   452   NtProtectVirtualMemory  (-1, (0x42a24c), 4, 64, ... (0x42a000), 4096, 64, ) == 0x0
 00849   452   NtProtectVirtualMemory  (-1, (0x42a250), 4, 64, ... (0x42a000), 4096, 64, ) == 0x0
 00850   452   NtProtectVirtualMemory  (-1, (0x42a254), 4, 64, ... (0x42a000), 4096, 64, ) == 0x0
 00851   452   NtProtectVirtualMemory  (-1, (0x42b834), 20, 64, ... (0x42b000), 4096, 64, ) == 0x0
 00852   452   NtProtectVirtualMemory  (-1, (0x42a25c), 4, 64, ... (0x42a000), 4096, 64, ) == 0x0
 00853   452   NtProtectVirtualMemory  (-1, (0x42a260), 4, 64, ... (0x42a000), 4096, 64, ) == 0x0
 00854   452   NtProtectVirtualMemory  (-1, (0x42b848), 20, 64, ... (0x42b000), 4096, 64, ) == 0x0
 00855   452   NtProtectVirtualMemory  (-1, (0x42b8fc), 4, 64, ... (0x42b000), 4096, 64, ) == 0x0
 00856   452   NtProtectVirtualMemory  (-1, (0x42b85c), 20, 64, ... (0x42b000), 4096, 64, ) == 0x0
 00857   452   NtProtectVirtualMemory  (-1, (0x42b904), 4, 64, ... (0x42b000), 4096, 64, ) == 0x0
 00858   452   NtProtectVirtualMemory  (-1, (0x42b870), 20, 64, ... (0x42b000), 4096, 64, ) == 0x0
 00859   452   NtProtectVirtualMemory  (-1, (0x42b90c), 4, 64, ... (0x42b000), 4096, 64, ) == 0x0
 00860   452   NtProtectVirtualMemory  (-1, (0x42b884), 20, 64, ... (0x42b000), 4096, 64, ) == 0x0
 00861   452   NtProtectVirtualMemory  (-1, (0x42b914), 4, 64, ... (0x42b000), 4096, 64, ) == 0x0
 00862   452   NtProtectVirtualMemory  (-1, (0x42b898), 20, 64, ... (0x42b000), 4096, 64, ) == 0x0
 00863   452   NtProtectVirtualMemory  (-1, (0x42b91c), 4, 64, ... (0x42b000), 4096, 64, ) == 0x0
 00864   452   NtFreeVirtualMemory  (-1, (0x8b0000), 0, 32768, ... (0x8b0000), 4096, ) == 0x0
 00865   452   NtFreeVirtualMemory  (-1, (0x8d0000), 0, 32768, ... (0x8d0000), 4096, ) == 0x0
 00866   452   NtFreeVirtualMemory  (-1, (0x8c0000), 0, 32768, ... (0x8c0000), 4096, ) == 0x0
 00867   452   NtContinue  (1244280, 0, ...
 00868   452   NtAllocateVirtualMemory  (-1, 0, 0, 128, 4096, 4, ... 9109504, 4096, ) == 0x0
 00869   452   NtAllocateVirtualMemory  (-1, 0, 0, 260, 4096, 4, ... 9175040, 4096, ) == 0x0
 00870   452   NtAllocateVirtualMemory  (-1, 0, 0, 260, 4096, 4, ... 9240576, 4096, ) == 0x0
 00871   452   NtAllocateVirtualMemory  (-1, 0, 0, 126976, 4096, 4, ... 9306112, 126976, ) == 0x0
 00872   452   NtAllocateVirtualMemory  (-1, 0, 0, 28268, 4096, 4, ... 9437184, 28672, ) == 0x0
 00873   452   NtFreeVirtualMemory  (-1, (0x900000), 0, 32768, ... (0x900000), 28672, ) == 0x0
 00874   452   NtFreeVirtualMemory  (-1, (0x8e0000), 0, 32768, ... (0x8e0000), 126976, ) == 0x0
 00875   452   NtProtectVirtualMemory  (-1, (0x4173c8), 20, 64, ... (0x417000), 4096, 4, ) == 0x0
 00876   452   NtProtectVirtualMemory  (-1, (0x417114), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00877   452   NtProtectVirtualMemory  (-1, (0x417118), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00878   452   NtProtectVirtualMemory  (-1, (0x41711c), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00879   452   NtProtectVirtualMemory  (-1, (0x417120), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00880   452   NtProtectVirtualMemory  (-1, (0x417124), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00881   452   NtProtectVirtualMemory  (-1, (0x417128), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00882   452   NtProtectVirtualMemory  (-1, (0x41712c), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00883   452   NtProtectVirtualMemory  (-1, (0x417130), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00884   452   NtProtectVirtualMemory  (-1, (0x417134), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00885   452   NtProtectVirtualMemory  (-1, (0x417138), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00886   452   NtProtectVirtualMemory  (-1, (0x41713c), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00887   452   NtProtectVirtualMemory  (-1, (0x417140), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00888   452   NtProtectVirtualMemory  (-1, (0x417144), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00889   452   NtProtectVirtualMemory  (-1, (0x417148), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00890   452   NtProtectVirtualMemory  (-1, (0x41714c), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00891   452   NtProtectVirtualMemory  (-1, (0x417150), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00892   452   NtProtectVirtualMemory  (-1, (0x417154), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00893   452   NtProtectVirtualMemory  (-1, (0x417158), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00894   452   NtProtectVirtualMemory  (-1, (0x41715c), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00895   452   NtProtectVirtualMemory  (-1, (0x417160), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00896   452   NtProtectVirtualMemory  (-1, (0x417164), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00897   452   NtProtectVirtualMemory  (-1, (0x417168), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00898   452   NtProtectVirtualMemory  (-1, (0x41716c), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00899   452   NtProtectVirtualMemory  (-1, (0x417170), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00900   452   NtProtectVirtualMemory  (-1, (0x417174), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00901   452   NtProtectVirtualMemory  (-1, (0x417178), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00902   452   NtProtectVirtualMemory  (-1, (0x41717c), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00903   452   NtProtectVirtualMemory  (-1, (0x417180), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00904   452   NtProtectVirtualMemory  (-1, (0x417184), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00905   452   NtProtectVirtualMemory  (-1, (0x417188), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00906   452   NtProtectVirtualMemory  (-1, (0x41718c), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00907   452   NtProtectVirtualMemory  (-1, (0x417190), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00908   452   NtProtectVirtualMemory  (-1, (0x417194), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00909   452   NtProtectVirtualMemory  (-1, (0x417198), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00910   452   NtProtectVirtualMemory  (-1, (0x41719c), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00911   452   NtProtectVirtualMemory  (-1, (0x4171a0), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00912   452   NtProtectVirtualMemory  (-1, (0x4171a4), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00913   452   NtProtectVirtualMemory  (-1, (0x4171a8), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00914   452   NtProtectVirtualMemory  (-1, (0x4171ac), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00915   452   NtProtectVirtualMemory  (-1, (0x4171b0), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00916   452   NtProtectVirtualMemory  (-1, (0x4171b4), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00917   452   NtProtectVirtualMemory  (-1, (0x4171b8), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00918   452   NtProtectVirtualMemory  (-1, (0x4171bc), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00919   452   NtProtectVirtualMemory  (-1, (0x4171c0), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00920   452   NtProtectVirtualMemory  (-1, (0x4173dc), 20, 64, ... (0x417000), 4096, 64, ) == 0x0
 00921   452   NtProtectVirtualMemory  (-1, (0x4171f4), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00922   452   NtProtectVirtualMemory  (-1, (0x4171f8), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00923   452   NtProtectVirtualMemory  (-1, (0x4171fc), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00924   452   NtProtectVirtualMemory  (-1, (0x417200), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00925   452   NtProtectVirtualMemory  (-1, (0x417204), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00926   452   NtProtectVirtualMemory  (-1, (0x417208), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00927   452   NtProtectVirtualMemory  (-1, (0x41720c), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00928   452   NtProtectVirtualMemory  (-1, (0x417210), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00929   452   NtProtectVirtualMemory  (-1, (0x417214), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00930   452   NtProtectVirtualMemory  (-1, (0x417218), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00931   452   NtProtectVirtualMemory  (-1, (0x41721c), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00932   452   NtProtectVirtualMemory  (-1, (0x417220), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00933   452   NtProtectVirtualMemory  (-1, (0x417224), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00934   452   NtProtectVirtualMemory  (-1, (0x417228), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00935   452   NtProtectVirtualMemory  (-1, (0x41722c), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00936   452   NtProtectVirtualMemory  (-1, (0x417230), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00937   452   NtProtectVirtualMemory  (-1, (0x417234), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00938   452   NtProtectVirtualMemory  (-1, (0x417238), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00939   452   NtProtectVirtualMemory  (-1, (0x41723c), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00940   452   NtProtectVirtualMemory  (-1, (0x417240), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00941   452   NtProtectVirtualMemory  (-1, (0x417244), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00942   452   NtProtectVirtualMemory  (-1, (0x417248), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00943   452   NtProtectVirtualMemory  (-1, (0x41724c), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00944   452   NtProtectVirtualMemory  (-1, (0x417250), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00945   452   NtProtectVirtualMemory  (-1, (0x417254), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00946   452   NtProtectVirtualMemory  (-1, (0x417258), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00947   452   NtProtectVirtualMemory  (-1, (0x41725c), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00948   452   NtProtectVirtualMemory  (-1, (0x417260), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00949   452   NtProtectVirtualMemory  (-1, (0x417264), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00950   452   NtProtectVirtualMemory  (-1, (0x417268), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00951   452   NtProtectVirtualMemory  (-1, (0x4173f0), 20, 64, ... (0x417000), 4096, 64, ) == 0x0
 00952   452   NtProtectVirtualMemory  (-1, (0x417030), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00953   452   NtProtectVirtualMemory  (-1, (0x417034), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00954   452   NtProtectVirtualMemory  (-1, (0x417038), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00955   452   NtProtectVirtualMemory  (-1, (0x41703c), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00956   452   NtProtectVirtualMemory  (-1, (0x417040), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00957   452   NtProtectVirtualMemory  (-1, (0x417044), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00958   452   NtProtectVirtualMemory  (-1, (0x417048), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00959   452   NtProtectVirtualMemory  (-1, (0x41704c), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00960   452   NtProtectVirtualMemory  (-1, (0x417050), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00961   452   NtProtectVirtualMemory  (-1, (0x417054), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00962   452   NtProtectVirtualMemory  (-1, (0x417058), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00963   452   NtProtectVirtualMemory  (-1, (0x41705c), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00964   452   NtProtectVirtualMemory  (-1, (0x417060), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00965   452   NtProtectVirtualMemory  (-1, (0x417064), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00966   452   NtProtectVirtualMemory  (-1, (0x417068), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00967   452   NtProtectVirtualMemory  (-1, (0x41706c), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00968   452   NtProtectVirtualMemory  (-1, (0x417070), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00969   452   NtProtectVirtualMemory  (-1, (0x417074), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00970   452   NtProtectVirtualMemory  (-1, (0x417078), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00971   452   NtProtectVirtualMemory  (-1, (0x41707c), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00972   452   NtProtectVirtualMemory  (-1, (0x417080), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00973   452   NtProtectVirtualMemory  (-1, (0x417084), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00974   452   NtProtectVirtualMemory  (-1, (0x417088), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00975   452   NtProtectVirtualMemory  (-1, (0x41708c), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00976   452   NtProtectVirtualMemory  (-1, (0x417090), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00977   452   NtProtectVirtualMemory  (-1, (0x417094), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00978   452   NtProtectVirtualMemory  (-1, (0x417098), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00979   452   NtProtectVirtualMemory  (-1, (0x41709c), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00980   452   NtProtectVirtualMemory  (-1, (0x4170a0), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00981   452   NtProtectVirtualMemory  (-1, (0x4170a4), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00982   452   NtProtectVirtualMemory  (-1, (0x4170a8), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00983   452   NtProtectVirtualMemory  (-1, (0x4170ac), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00984   452   NtProtectVirtualMemory  (-1, (0x4170b0), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00985   452   NtProtectVirtualMemory  (-1, (0x4170b4), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00986   452   NtProtectVirtualMemory  (-1, (0x4170b8), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00987   452   NtProtectVirtualMemory  (-1, (0x4170bc), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00988   452   NtProtectVirtualMemory  (-1, (0x4170c0), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00989   452   NtProtectVirtualMemory  (-1, (0x4170c4), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00990   452   NtProtectVirtualMemory  (-1, (0x4170c8), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00991   452   NtProtectVirtualMemory  (-1, (0x4170cc), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00992   452   NtProtectVirtualMemory  (-1, (0x4170d0), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00993   452   NtProtectVirtualMemory  (-1, (0x4170d4), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00994   452   NtProtectVirtualMemory  (-1, (0x4170d8), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00995   452   NtProtectVirtualMemory  (-1, (0x4170dc), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00996   452   NtProtectVirtualMemory  (-1, (0x4170e0), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00997   452   NtProtectVirtualMemory  (-1, (0x4170e4), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00998   452   NtProtectVirtualMemory  (-1, (0x4170e8), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00999   452   NtProtectVirtualMemory  (-1, (0x4170ec), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 01000   452   NtProtectVirtualMemory  (-1, (0x4170f0), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 01001   452   NtProtectVirtualMemory  (-1, (0x4170f4), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 01002   452   NtProtectVirtualMemory  (-1, (0x4170f8), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 01003   452   NtProtectVirtualMemory  (-1, (0x4170fc), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 01004   452   NtProtectVirtualMemory  (-1, (0x417100), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 01005   452   NtProtectVirtualMemory  (-1, (0x417104), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 01006   452   NtProtectVirtualMemory  (-1, (0x417108), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 01007   452   NtProtectVirtualMemory  (-1, (0x41710c), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 01008   452   NtProtectVirtualMemory  (-1, (0x417404), 20, 64, ... (0x417000), 4096, 64, ) == 0x0
 01009   452   NtProtectVirtualMemory  (-1, (0x4171d8), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 01010   452   NtProtectVirtualMemory  (-1, (0x4171dc), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 01011   452   NtProtectVirtualMemory  (-1, (0x4171e0), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 01012   452   NtProtectVirtualMemory  (-1, (0x4171e4), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 01013   452   NtProtectVirtualMemory  (-1, (0x4171e8), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 01014   452   NtProtectVirtualMemory  (-1, (0x4171ec), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 01015   452   NtProtectVirtualMemory  (-1, (0x417418), 20, 64, ... (0x417000), 4096, 64, ) == 0x0
 01016   452   NtProtectVirtualMemory  (-1, (0x417000), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 01017   452   NtProtectVirtualMemory  (-1, (0x417004), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 01018   452   NtProtectVirtualMemory  (-1, (0x417008), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 01019   452   NtProtectVirtualMemory  (-1, (0x41700c), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 01020   452   NtProtectVirtualMemory  (-1, (0x417010), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 01021   452   NtProtectVirtualMemory  (-1, (0x417014), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 01022   452   NtProtectVirtualMemory  (-1, (0x417018), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 01023   452   NtProtectVirtualMemory  (-1, (0x41701c), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 01024   452   NtProtectVirtualMemory  (-1, (0x417020), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 01025   452   NtProtectVirtualMemory  (-1, (0x417024), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 01026   452   NtProtectVirtualMemory  (-1, (0x417028), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 01027   452   NtProtectVirtualMemory  (-1, (0x41742c), 20, 64, ... (0x417000), 4096, 64, ) == 0x0
 01028   452   NtProtectVirtualMemory  (-1, (0x4171d0), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 01029   452   NtProtectVirtualMemory  (-1, (0x417440), 20, 64, ... (0x417000), 4096, 64, ) == 0x0
 01030   452   NtProtectVirtualMemory  (-1, (0x4171c8), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 01031   452   NtFreeVirtualMemory  (-1, (0x8b0000), 0, 32768, ... (0x8b0000), 4096, ) == 0x0
 01032   452   NtFreeVirtualMemory  (-1, (0x8d0000), 0, 32768, ... (0x8d0000), 4096, ) == 0x0
 01033   452   NtFreeVirtualMemory  (-1, (0x8c0000), 0, 32768, ... (0x8c0000), 4096, ) == 0x0
 01034   452   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01035   452   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01036   452   NtDelayExecution  (0, {-10000000, -1}, ... ) == 0x0
 01037   452   NtCreateMutant  (0x1f0001, {24, 52, 0x80, 0, 0,  (0x1f0001, {24, 52, 0x80, 0, 0, "e3f44ac0094cfa2ba3b711b29a822b0ed8bc"}, 0, ... 76, ) }, 0, ... 76, ) == 0x0
 01038   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "netapi32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01039   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\netapi32.dll"}, 1238196, ... ) }, 1238196, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01040   452   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "netapi32.dll"}, 1238196, ... ) }, 1238196, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01041   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\netapi32.dll"}, 1238196, ... ) }, 1238196, ... ) == 0x0
 01042   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\netapi32.dll"}, 5, 96, ... 72, {status=0x0, info=1}, ) }, 5, 96, ... 72, {status=0x0, info=1}, ) == 0x0
 01043   452   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 72, ... 68, ) == 0x0
 01044   452   NtQuerySection  (68, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01045   452   NtClose  (72, ... ) == 0x0
 01046   452   NtMapViewOfSection  (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c20000), 0x0, 323584, ) == 0x0
 01047   452   NtClose  (68, ... ) == 0x0
 01048   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "mpr.dll"}, ... 68, ) }, ... 68, ) == 0x0
 01049   452   NtMapViewOfSection  (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71b20000), 0x0, 69632, ) == 0x0
 01050   452   NtClose  (68, ... ) == 0x0
 01051   452   NtCreateSemaphore  (0x1f0003, 0x0, 1, 1, ... 68, ) == 0x0
 01052   452   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 72, ) == 0x0
 01053   452   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "system\CurrentControlSet\control\NetworkProvider\HwOrder"}, ... 64, ) }, ... 64, ) == 0x0
 01054   452   NtNotifyChangeKey  (64, 72, 0, 0, 2011390432, 4, 0, 0, 0, 1, ... ) == 0x103
 01055   452   NtQueryInformationProcess  (-1, 28, 4, ... {process info, class 28, size 4}, 0x0, ) == 0x0
 01056   452   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 80, ) == 0x0
 01057   452   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 84, ) == 0x0
 01058   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "pstorec.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01059   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\pstorec.dll"}, 1238196, ... ) }, 1238196, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01060   452   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "pstorec.dll"}, 1238196, ... ) }, 1238196, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01061   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\pstorec.dll"}, 1238196, ... ) }, 1238196, ... ) == 0x0
 01062   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\pstorec.dll"}, 5, 96, ... 88, {status=0x0, info=1}, ) }, 5, 96, ... 88, {status=0x0, info=1}, ) == 0x0
 01063   452   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 88, ... 92, ) == 0x0
 01064   452   NtQuerySection  (92, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01065   452   NtClose  (88, ... ) == 0x0
 01066   452   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5e0c0000), 0x0, 49152, ) == 0x0
 01067   452   NtClose  (92, ... ) == 0x0
 01068   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ATL.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01069   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\ATL.DLL"}, 1237392, ... ) }, 1237392, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01070   452   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "ATL.DLL"}, 1237392, ... ) }, 1237392, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01071   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ATL.DLL"}, 1237392, ... ) }, 1237392, ... ) == 0x0
 01072   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ATL.DLL"}, 5, 96, ... 92, {status=0x0, info=1}, ) }, 5, 96, ... 92, {status=0x0, info=1}, ) == 0x0
 01073   452   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 92, ... 88, ) == 0x0
 01074   452   NtQuerySection  (88, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01075   452   NtClose  (92, ... ) == 0x0
 01076   452   NtMapViewOfSection  (88, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76b20000), 0x0, 86016, ) == 0x0
 01077   452   NtClose  (88, ... ) == 0x0
 01078   452   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01079   452   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 9109504, 262144, ) == 0x0
 01080   452   NtAllocateVirtualMemory  (-1, 9109504, 0, 4096, 4096, 4, ... 9109504, 4096, ) == 0x0
 01081   452   NtAllocateVirtualMemory  (-1, 9113600, 0, 8192, 4096, 4, ... 9113600, 8192, ) == 0x0
 01082   452   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01083   452   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01084   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "wininet.dll"}, ... 88, ) }, ... 88, ) == 0x0
 01085   452   NtMapViewOfSection  (88, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76200000), 0x0, 618496, ) == 0x0
 01086   452   NtClose  (88, ... ) == 0x0
 01087   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "CRYPT32.dll"}, ... 88, ) }, ... 88, ) == 0x0
 01088   452   NtMapViewOfSection  (88, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762c0000), 0x0, 565248, ) == 0x0
 01089   452   NtClose  (88, ... ) == 0x0
 01090   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSASN1.dll"}, ... 88, ) }, ... 88, ) == 0x0
 01091   452   NtMapViewOfSection  (88, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762a0000), 0x0, 61440, ) == 0x0
 01092   452   NtClose  (88, ... ) == 0x0
 01093   452   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\crypt32\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01094   452   NtAllocateVirtualMemory  (-1, 1347584, 0, 4096, 4096, 4, ... 1347584, 4096, ) == 0x0
 01095   452   NtAllocateVirtualMemory  (-1, 1351680, 0, 4096, 4096, 4, ... 1351680, 4096, ) == 0x0
 01096   452   NtCreateEvent  (0x1f0003, {24, 52, 0x80, 1238328, 0,  (0x1f0003, {24, 52, 0x80, 1238328, 0, "Global\crypt32LogoffEvent"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED
 01097   452   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\crypt32LogoffEvent"}, ... 88, ) }, ... 88, ) == 0x0
 01098   452   NtAllocateVirtualMemory  (-1, 1355776, 0, 4096, 4096, 4, ... 1355776, 4096, ) == 0x0
 01099   452   NtAllocateVirtualMemory  (-1, 1359872, 0, 8192, 4096, 4, ... 1359872, 8192, ) == 0x0
 01100   452   NtCreateKey  (0xf003f, {24, 60, 0x40, 0, 0,  (0xf003f, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History"}, 0, 0x0, 0, ... 92, 2, ) }, 0, 0x0, 0, ... 92, 2, ) == 0x0
 01101   452   NtQueryDefaultUILanguage  (1236564, ...
 01102   452   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01103   452   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482024, ) == 0x0
 01104   452   NtQueryInformationToken  (-2147482024, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01105   452   NtClose  (-2147482024, ... ) == 0x0
 01106   452   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482024, ) }, ... -2147482024, ) == 0x0
 01107   452   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01108   452   NtOpenKey  (0x80000000, {24, -2147482024, 0x640, 0, 0,  (0x80000000, {24, -2147482024, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482028, ) }, ... -2147482028, ) == 0x0
 01109   452   NtQueryValueKey  (-2147482028,  (-2147482028, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01110   452   NtClose  (-2147482028, ... ) == 0x0
 01111   452   NtClose  (-2147482024, ... ) == 0x0
 01101   452   NtQueryDefaultUILanguage  ... ) == 0x0
 01112   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01113   452   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll"}, 1, 96, ... 96, {status=0x0, info=1}, ) }, 1, 96, ... 96, {status=0x0, info=1}, ) == 0x0
 01114   452   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 96, ... 100, ) == 0x0
 01115   452   NtMapViewOfSection  (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x8f0000), 0x0, 593920, ) == 0x0
 01116   452   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01117   452   NtAllocateVirtualMemory  (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0
 01118   452   NtQueryDefaultLocale  (1, 1234600, ... ) == 0x0
 01119   452   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01120   452   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1235456, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1235456, 1, 96, 0} "\210\6\32\1\33\0\1\0\0\0\0\0\1\335\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1`\0\0\0\377\377\377\377\0\0\0\0P\275\226\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\0\341\22\0\0\0\0\0" ... {128, 156, reply, 0, 444, 452, 2307, 0} " S\26\0\33\0\1\0\0\0\0\0\1\335\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1`\0\0\0\377\377\377\377\0\0\0\0P\275\226\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\0\341\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 444, 452, 2307, 0}  (24, {128, 156, new_msg, 0, 1235456, 1, 96, 0} "\210\6\32\1\33\0\1\0\0\0\0\0\1\335\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1`\0\0\0\377\377\377\377\0\0\0\0P\275\226\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\0\341\22\0\0\0\0\0" ... {128, 156, reply, 0, 444, 452, 2307, 0} " S\26\0\33\0\1\0\0\0\0\0\1\335\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1`\0\0\0\377\377\377\377\0\0\0\0P\275\226\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\0\341\22\0\0\0\0\0" )  ) == 0x0
 01121   452   NtClose  (96, ... ) == 0x0
 01122   452   NtClose  (100, ... ) == 0x0
 01123   452   NtUnmapViewOfSection  (-1, 0x8f0000, ... ) == 0x0
 01124   452   NtUnmapViewOfSection  (-1, 0x12e100, ... ) == STATUS_NOT_MAPPED_VIEW
 01125   452   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01126   452   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01127   452   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01128   452   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01129   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1233140, ... ) }, 1233140, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01130   452   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01131   452   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01132   452   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01133   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1233732, ... ) }, 1233732, ... ) == 0x0
 01134   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 100, {status=0x0, info=1}, ) }, 3, 33, ... 100, {status=0x0, info=1}, ) == 0x0
 01135   452   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01136   452   NtCreateKey  (0x2001f, {24, 60, 0x40, 0, 0,  (0x2001f, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 96, 2, ) }, 0, 0x0, 0, ... 96, 2, ) == 0x0
 01137   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "psapi.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01138   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\psapi.dll"}, 1238216, ... ) }, 1238216, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01139   452   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "psapi.dll"}, 1238216, ... ) }, 1238216, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01140   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\psapi.dll"}, 1238216, ... ) }, 1238216, ... ) == 0x0
 01141   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\psapi.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0
 01142   452   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 104, ... 108, ) == 0x0
 01143   452   NtQuerySection  (108, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01144   452   NtClose  (104, ... ) == 0x0
 01145   452   NtMapViewOfSection  (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76bf0000), 0x0, 45056, ) == 0x0
 01146   452   NtClose  (108, ... ) == 0x0
 01147   452   NtAllocateVirtualMemory  (-1, 8863744, 0, 8192, 4096, 4, ... 8863744, 8192, ) == 0x0
 01148   452   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01149   452   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 108, ) == 0x0
 01150   452   NtQueryInformationToken  (108, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01151   452   NtClose  (108, ... ) == 0x0
 01152   452   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 108, ) }, ... 108, ) == 0x0
 01153   452   NtOpenKey  (0x20019, {24, 108, 0x40, 0, 0,  (0x20019, {24, 108, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Providers\Type 001"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01154   452   NtClose  (108, ... ) == 0x0
 01155   452   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 001"}, ... 108, ) }, ... 108, ) == 0x0
 01156   452   NtQueryValueKey  (108,  (108, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 01157   452   NtQueryValueKey  (108,  (108, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 01158   452   NtQueryValueKey  (108,  (108, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 01159   452   NtQueryValueKey  (108,  (108, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 01160   452   NtClose  (108, ... ) == 0x0
 01161   452   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider"}, ... 108, ) }, ... 108, ) == 0x0
 01162   452   NtQueryValueKey  (108,  (108, "Type", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "Type", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01163   452   NtQueryValueKey  (108,  (108, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 01164   452   NtQueryValueKey  (108,  (108, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 01165   452   NtQueryValueKey  (108,  (108, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 01166   452   NtQueryValueKey  (108,  (108, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 01167   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1237776, ... ) }, 1237776, ... ) == 0x0
 01168   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0
 01169   452   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 104, ... 112, ) == 0x0
 01170   452   NtClose  (104, ... ) == 0x0
 01171   452   NtMapViewOfSection  (112, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x8f0000), 0x0, 135168, ) == 0x0
 01172   452   NtClose  (112, ... ) == 0x0
 01173   452   NtUnmapViewOfSection  (-1, 0x8f0000, ... ) == 0x0
 01174   452   NtQuerySystemInformation  (KernelDebugger, 2, ... {system info, class 35, size 2}, 0xffffffff, ) == 0x0
 01175   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1238664, ... ) }, 1238664, ... ) == 0x0
 01176   452   NtQueryFullAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1239332, ... ) }, 1239332, ... ) == 0x0
 01177   452   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1239188,  (0x80100080, {24, 0, 0x40, 0, 1239188, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 0x0, 128, 1, 1, 96, 0, 0, ... 112, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 112, {status=0x0, info=1}, ) == 0x0
 01178   452   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 112, ... 104, ) == 0x0
 01179   452   NtMapViewOfSection  (104, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x8f0000), {0, 0}, 135168, ) == 0x0
 01180   452   NtQueryDefaultLocale  (1, 1238996, ... ) == 0x0
 01181   452   NtQueryVirtualMemory  (-1, 0x8f0000, Basic, 28, ... {BaseAddress=0x8f0000,AllocationBase=0x8f0000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01182   452   NtQueryVirtualMemory  (-1, 0x8f0000, Basic, 28, ... {BaseAddress=0x8f0000,AllocationBase=0x8f0000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01183   452   NtReadFile  (112, 0, 0, 0, 336, 0x0, 0, ... {status=0x0, info=336},  (112, 0, 0, 0, 336, 0x0, 0, ... {status=0x0, info=336}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\370\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\264\336V\215\360\2778\336\360\2778\336\360\2778\336\275\234$\336\377\2778\3369\235\22\336\365\2778\336\360\2779\336q\2778\336\12\234!\336\371\2778\336\360\2778\336\362\2778\336\12\234x\336\363\2778\336\12\234\7\336\361\2778\336g\234}\336\361\2778\336*\234%\336\361\2778\336*\234$\336\376\2778\336\12\234\5\336\361\2778\336Rich\360\2778\336\0\0\0\0\0\0\0\0PE\0\0L\1\4\0.FQ;\0\0\0\0\0\0\0\0\340\0\16!\13\1\7\0\0\300\1\0\0@\0\0\0\0\0\0\340\367\0\0\0\20\0\0\0\320\1\0\0\0\375\17\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0 \2\0\0\4\0\0", ) , ) == 0x0
 01184   452   NtQueryInformationFile  (112, 1239240, 8, Position, ... {status=0x0, info=8}, ) == 0x0
 01185   452   NtSetInformationFile  (112, 1239240, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01186   452   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\3\0\0\0\0\0\4\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0`\314\1\0\273\2\0\0\304\301\1\0d\0\0\0\0\0\2\08\14\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\2\0\0\12\0\0\360\21\0\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0\354\1\0\0\274\277\1\0\340\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\33\277\1\0\0\20\0\0\0\300\1\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0`.data\0\0\0(%\0\0\0\320\1\0\0$\0\0\0\304\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0\300.rsrc\0\0\08\14\0\0\0\0\2\0\0\16\0\0\0\350\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0@.reloc\0\0R\13\0\0\0\20\2\0\0\14\0\0\0\366\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0B\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01187   452   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "*\305\357\357\345O\252\252\26\355\373\373\305\206CC\327\232MMUf33\224\21\205\205\317\212EE\20\351\371\371\6\4\2\2\201\376\177\177\360\240PPDx<<\272%\237\237\343K\250\250\363\242QQ\376]\243\243\300\200@@\212\5\217\217\255?\222\222\274!\235\235Hp88\4\361\365\365\337c\274\274\301w\266\266u\257\332\332cB!!0 \20\20\32\345\377\377\16\375\363\363m\277\322\322L\201\315\315\24\30\14\145&\23\23/\303\354\354\341\276__\2425\227\227\314\210DD9.\27\27W\223\304\304\362U\247\247\202\374~~Gz==\254\310dd\347\272]]+2\31\31\225\346ss\240\300``\230\31\201\201\321\236OO\177\243\334\334fD""~T**\253;\220\220\203\13\210\210\312\214FF)\307\356\356\323k\270\270<(\24\24y\247\336\336\342\274^^\35\26\13\13v\255\333\333;\333\340\340Vd22Nt::\36\24\12\12\333\222II\12\14\6\6lH$$\344\270\\]\237\302\302n\275\323\323\357C\254\254\246\304bb\2509\221\221\2441\225\2257\323\344\344\213\362yy2\325\347\347C\213\310\310Yn77\267\332mm\214\1\215\215d\261\325\325\322\234NN\340I\251\251\264\330ll\372\254VV\7\363\364\364%\317\352\352\257\312ee\216\364zz\351G\256\256\30\20\10\10\325o\272\272\210\360xxoJ%%r\..$8\34\34\361W\246\246\307s\264\264Q\227\306\306#\313\350\350|\241\335\335\234\350tt!>\37\37\335\226KK\334a\275\275\206\15\213\213\205\17\212\212\220\340ppB|>>\304q\265\265\252\314ff\330\220HH\5\6\3\3\1\367\366\366\22\34\16\16\243\302aa_j55\371\256WW\320i\271\271\221\27\206\206X\231\301\301", )  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "*\305\357\357\345O\252\252\26\355\373\373\305\206CC\327\232MMUf33\224\21\205\205\317\212EE\20\351\371\371\6\4\2\2\201\376\177\177\360\240PPDx<<\272%\237\237\343K\250\250\363\242QQ\376]\243\243\300\200@@\212\5\217\217\255?\222\222\274!\235\235Hp88\4\361\365\365\337c\274\274\301w\266\266u\257\332\332cB!!0 \20\20\32\345\377\377\16\375\363\363m\277\322\322L\201\315\315\24\30\14\145&\23\23/\303\354\354\341\276__\2425\227\227\314\210DD9.\27\27W\223\304\304\362U\247\247\202\374~~Gz==\254\310dd\347\272]]+2\31\31\225\346ss\240\300``\230\31\201\201\321\236OO\177\243\334\334fD""~T**\253;\220\220\203\13\210\210\312\214FF)\307\356\356\323k\270\270<(\24\24y\247\336\336\342\274^^\35\26\13\13v\255\333\333;\333\340\340Vd22Nt::\36\24\12\12\333\222II\12\14\6\6lH$$\344\270\\]\237\302\302n\275\323\323\357C\254\254\246\304bb\2509\221\221\2441\225\2257\323\344\344\213\362yy2\325\347\347C\213\310\310Yn77\267\332mm\214\1\215\215d\261\325\325\322\234NN\340I\251\251\264\330ll\372\254VV\7\363\364\364%\317\352\352\257\312ee\216\364zz\351G\256\256\30\20\10\10\325o\272\272\210\360xxoJ%%r\..$8\34\34\361W\246\246\307s\264\264Q\227\306\306#\313\350\350|\241\335\335\234\350tt!>\37\37\335\226KK\334a\275\275\206\15\213\213\205\17\212\212\220\340ppB|>>\304q\265\265\252\314ff\330\220HH\5\6\3\3\1\367\366\366\22\34\16\16\243\302aa_j55\371\256WW\320i\271\271\221\27\206\206X\231\301\301", ) , ) == 0x0
 01188   452   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) \340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227 (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) G\351d\304\250\374\214\32\240\360?\330V},\357 (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) , ) == 0x0
 01189   452   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "p\3252\266m\307)\241f\311 \254W\343\37\217\\355\26\202A\377\15\225J\361\4\230#\253s\323(\245z\3365\267a\311>\271h\304\17\223W\347\4\235^\352\31\217E\375\22\201L\360\313;\253k\3005\242f\335'\271q\326)\260|\347\3\217_\354\15\206R\361\37\235E\372\21\224H\223K\343\3\230E\352\16\205W\361\31\216Y\370\24\277s\3077\264}\316:\251o\325-\242a\334 \366\255vm\375\243\177`\340\261dw\353\277mz\332\225RY\321\233[T\314\211@C\307\207IN\256\335>\5\245\3237\10\270\301,\37\263\317%\22\202\345\321\211\353\23<\224\371\10+\237\367\1&FM\346\275MC\357\260PQ\364\247[_\375\252ju\302\211a{\313\204|i\320\223wg\331\236\36=\256\325\253\247\330\10!\274\317\3/\265\3022\5\212\3419\13\203\354$\31\230\373/\27\221\366\215vM\326\206xD\333\233j_\314\220dV\301\241Ni\342\252@`\357\267R{\370\274\r\365\325\6\5\276\336\10\14\263\303\32\27\244\310\24\36\251\371>!\212\3620(\207\357"3\220\344,:\235=\226\335\66\230\324\13+\212\317\34 \204\306\21\21\256\3712\32\240\360?\7\262\353(\14\274\342%e\346\225nn\350\234cs\372\207tx\364\216yI\336\261ZB\320\270W_\302\243@T\314\252M\367A\354\332\374O\345\327\341]\376\300\352S\367\315\333y\310\356\320w\301\343\315e\332\364\306k\323\371\2571\244\262\244?\255\277\271-\266\250\262#\277\245\203\11\200\206\210\7\211\213\225\25\222\234\236\33\233\221G\241|\12L\257u\7Q\275n\20Z\263g\35k\231X>`\227Q3}\205J$v\213C)\37\3214b\24\337=o\11\315&x\2\303/u3\351\20V8\347\31[", ) 3\220\344,:\235=\226\335\66\230\324\13+\212\317\34 \204\306\21\21\256\3712\32\240\360?\7\262\353(\14\274\342%e\346\225nn\350\234cs\372\207tx\364\216yI\336\261ZB\320\270W_\302\243@T\314\252M\367A\354\332\374O\345\327\341]\376\300\352S\367\315\333y\310\356\320w\301\343\315e\332\364\306k\323\371\2571\244\262\244?\255\277\271-\266\250\262#\277\245\203\11\200\206\210\7\211\213\225\25\222\234\236\33\233\221G\241|\12L\257u\7Q\275n\20Z\263g\35k\231X>`\227Q3}\205J$v\213C)\37\3214b\24\337=o\11\315&x\2\303/u3\351\20V8\347\31[", ) == 0x0
 01190   452   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\200\20\0\0\200\0\0\20\0\20@\20\0\0\0\0\200\0@\20\0\20\0\0\200\20@\0\0\20@\20\0\0\0\0\0\20\0\20\200\0@\20\0\20@\0\200\0\0\20\200\20\0\0\0\0@\0\0\0\0\20\0\20\0\20\200\0@\20\200\20\0\0\200\20@\20\0\0@\0\0\0@\0\0\20\0\20\200\0\0\20\200\20@\20\0\20\0\0\200\20@\0\200\0@\20\200\20\0\20\200\20@\20\0\20\0\20\0\0@\0\0\0\0\0\0\0@\20\200\0\0\0\0\20\0\20\0\20@\0\200\0\0\0\0\0@\20\200\20\0\20\200\0@\0\200\20@\0\200\0\0\0\0\0\0\20\0\0@\20\0\0\0\20\200\20@\0\200\20\0\0\0\20@\20\0\20@\0\0\20\0\20\200\0\0\0\200\0@\20\200\0@\20\0\0\0\0\0\20@\0\200\20\0\1\0\0\4\0\1\4\4\0\1\0\0\1\1\0\4\1\0\4\0\0\0\0\4\1\1\0\4\0\1\4\0\0\1\0\4\0\0\4\0\0\0\4\4\1\0\0\0\1\1\4\4\1\1\0\0\1\0\0\0\1\0\4\4\0\0\0\0\1\0\4\0\0\1\4\4\0\1\0\0\1\1\0\0\1\1\4\4\0\0\4\0\1\0\0\4\1\0\4\4\0\1\0\4\1\1\4\0\0\0\4\4\0\1\4\0\0\0\0\0\0\0\0\4\1\1\4\0\0\1\4\4\0\1\0\0\1\0\0\0\0\0\4\0\1\1\0\0\1\0\4\0\0\0\4\4\1\1\0\4\0\0\0\0\0\1\4\4\0\1\4\0\1\0\4\4\1\0\4\0\0\0\0\4\1\1\4\4\1\0\0\0\1\1\4\0\1\0\0\4\0\0\0\4\1\1\4\4\0\0\4\0\0\1\0\4\1\1\0\4\0\1\4\0\0\1\0\4\0\0\0\0\1\0\4\4\1\1\0\0\1\0\0\4\1\1\4\0\0\1\0\0\0\0\4\4\10\20@\0\0\20\0\20\10\0\0\0\10\20@\20", ) , ) == 0x0
 01191   452   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "%\00\02\0h\0x\0%\00\02\0h\0x\0\0\0\0\0%\0l\0u\0\0\0S\0-\0%\0l\0u\0-\0\0\0\0\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0C\0r\0y\0p\0t\0o\0\\0R\0S\0A\0\\0\0\0\0\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0C\0r\0y\0p\0t\0o\0\\0D\0S\0S\0\\0\0\0\0\0SeRestorePrivilege\0\0SeBackupPrivilege\0\0\0.DEFAULT\0\0\0\0Software\Microsoft\Cryptography\UserKeys\0\0\0\0Software\Microsoft\Cryptography\MachineKeys\0Software\Microsoft\Cryptography\DSSUserKeys\0*\0\0\0SeSecurityPrivilege\0OffloadModExpo\0\0ExpoOffload\0Software\Microsoft\Cryptography\Offload\0\377\377\377\377\337\261\376\17\343\261\376\17\0\0\0\0\377\377\377\377g\262\376\17k\262\376\17crypt32.dll\0#666\0\0\0\0#667\0\0\0\0RPCRT4.dll\0\377\0\0\0\0PSTOREC.", ) , ) == 0x0
 01192   452   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "V\350\216\376\377\377\205\300u\13Sj\1\377u\30\350o\205\0\0\213\3703\300\205\377\17\224\300\213\360\205\366u\36\205\333t\23\213C\14\205\300t\6P\350\367\20\1\0S\350\361\20\1\0W\377\25\230\21\375\17_\213\306^[]\302\24\09U\20\17\204L\1\0\0\215E\24Pj\2Q\377u\20\350\334\204\0\0\205\300\17\205*\1\0\0\213E\24\201x\4\6L\0\0\17\205%\1\0\0\213H\30\203\271`\3\0\0\0tQ\203x\140uK\2708\2\0\0P\211C\10\350a\20\1\0\213\370\205\377\211{\14u\10j\10_\351k\377\377\377\213K\10\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213{\14\213E\24\213p\20j\14\201\307\10\2\0\0Y\363\245\3512\377\377\377\277\13\0\11\200\3515\377\377\377\213u\20;\362\17\204\263\0\0\0\215E\24Pj\2QV\350E\204\0\0\205\300\17\205\223\0\0\0\211s\20\351\0\377\377\377j$^V\350\351\17\1\0\205\300\211C\14t\212\211s\10\351\350\376\377\377\213}\20;\372tw\215E\24Pj\2QW\350\11\204\0\0\205\300u[\213E\24\203x`\1u]\203x\30\0u\16P\350\\26\0\0\205\300\17\205\276\376\377\377j(^V\350\234\17\1\0\205\300\17\204<\377\377\377\211C\14\211s\10\211{\20\203 \0\203`$\0\351\215\376\377\3779U\20t\36\215E\24Pj\2Q\377u\20\350\256\203\0\0\205\300t\25= \0\11\200\17\205u\376\377\377\277\3\0\11\200\351m\376\377\377\213M\24\213A\4=\1L\0\0t\15=\4L\0\0t\6\203y\140w\334\2708\4\0\0P\211C\10\350*\17\1\0\213\370\205\377\211{\14\17\204\305\376\377\377\213K\10\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213M", ) , ) == 0x0
 01193   452   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\205\300uC\353D\203x\14\20\3539\203x\14\30\35339t$\20u/\213@\14V\301\340\3P\213D$\20\213\200\200\1\0\0h\2f\0\0\3774\205(\362\376\17\350\6@\1\0\205\300t\13\353\6\203x\14\10u\33\366F\213\306^\302\14\0U\213\354\203\354\14\213M\10\213Q\10VW\215z\7\215B\17\301\357\3j\10\203\347\7\301\350\4Z+\327\203\372\10\215t\300\14\211u\364\211U\370t\6\203\302\10\211U\370\321\352\211U\374\213U\14\205\322\17\204\12\1\0\0\213}\2097s\73\300\351\377\0\0\0\2131\2112\213q\10\211r\4\213q\20\211r\10\215q\24\213J\4\301\351\3\211u\10S\213\331\301\351\2\215z\14\211}\14\363\245\213\313\203\341\3\363\244\213J\4\301\351\3\1M\14\213u\370\3\361\1u\10\213u\10\213}\14\1E\14\213\310\213\331\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213J\4\213U\10\213u\374\3\362\213U\14\301\351\3\3\360\215<\2\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213u\364[3\300@\213M\20_\2111^\311\302\14\0U\213\354\203\354\20\213U\10\201:RSA2t\73\300\351\35\2\0\0\213B\4SVW\215H\7\301\351\3j\10\203\341\7^+\361\203\376\10\211u\370t\6\203\306\10\211u\370\213\316\215X\17\301\350\3\321\351\215", ) , ) == 0x0
 01194   452   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "W\3509e\0\0\205\300j\4[t9\215E\34Pj\3VW\350%e\0\0\205\300t(\215E\34PSVW\350\25e\0\0\205\300t\30= \0\11\200u\12\271\3\0\11\200\351\34\3\0\0\213\310\351\25\3\0\0\213E\30\205\300u\10jWY\351\6\3\0\0\213M\20j\6Z;\312\17\2079\1\0\0\17\204\25\1\0\0I\17\204\342\0\0\0ItgItFIt%I\17\2058\1\0\0\213M\24\205\311\17\204\304\2\0\09\30\17\202\274\2\0\0\213U\34\213Rd\351\250\2\0\0\213M\24\205\311\17\204\246\2\0\09\30\17\202\236\2\0\0\213U\34\213R`\351\212\2\0\0\213M\24\205\311\17\204\210\2\0\09\30\17\202\200\2\0\0\307\1\1\0\0\0\351n\2\0\0\213U\34\213J\4\201\371\2f\0\0t.\201\371\1h\0\0t&\201\371\1f\0\0t\24\201\371\3f\0\0t\14\201\371\11f\0\0\17\205)\377\377\377\203 \03\311\351E\2\0\0\213}\24\205\377t\37\213J@9\10r\30\213\331\301\351\2\215rD\363\245\213\313\203\341\3\363\244\213J@\211\10\353\323\213J@\367\337\33\377\201\347\352\0\0\0\211\10\213\317\351\11\2\0\0\213}\24\205\377\213U\34t\35\213Jx9\10r\26\213\331\301\351\2\215r\34\363\245\213\313\203\341\3\363\244\213Jx\353\277\213Jx\353\301\213M\24\205\311\17\204\306\1\0\09\30\17\202\276\1\0\0\213U\34\213Rh\351\252\1\0\0\203\351\7\17\204\220\1\0\0I\17\204\376\0\0\0I\17\204\217\0\0\0\203\351\12t\12\271\12\0\11\200\351\231\1\0\0\213}\34\213O\4\201\371\2f\0\0\276\1f\0\0t\30;\316t\24\201\371\3f\0\0t\14\201\371\11f\0\0\17\205H\376\377\377\213M\24\205\311\17\204", ) , ) == 0x0
 01195   452   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\215M\374Qj\2\377u\10\377p\20\350.U\0\0\205\300\17\205\237\2\0\0\213E\374\213@x\351\320\3\0\0Q\350\315\376\377\377\351\305\3\0\0\276\10\0\11\200\351\317\3\0\0\213E\34\213P\4\213\312\201\351\5\200\0\0\17\204U\2\0\0\203\351\3\17\204\14\2\0\0It)IS\377u\24\377p\14t\30\377p\24R\350Q\375\377\377;\307\17\204\204\3\0\0\213\360\351\215\3\0\0\3504{\0\0\353\352\366@\34\2\17\205\275\1\0\0\215M\10Q\215M\324Q\377p\14\307E\10\24\0\0\0\377p\24\377p\30\350\24\375\377\377;\307u\307\215E\374P\213E\34j\2V\377p\20\350\200T\0\0;\307\17\205\361\1\0\0\213E\374\213@\14j@_;\307v\177\215E\354P\215E\360P\213E\34\377p\30\350\255\315\377\377\205\300u\211\213E\374\377p\14\377p\20\213E\34\377u\360\377p\30\350\11\321\377\377\205\300\17\205j\377\377\377W\350\354\337\0\0\205\300\211E\370t[\215M\30QP\377u\360\213E\34j\0\377p\30\211}\30\350\216\374\377\377\205\300\17\205=\377\377\3773\311\213U\34\213R(\213E\370\212\24\12\3\3010\20A;\317r\353\211}\30\353a\213M\34\213I,;\301\211M\30r\3\211E\30\377u\30\350\221\337\0\0\205\300\211E\370u\10j\10^\351\216\2\0\0\213E\34\213H,\213p(\213}\370\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213M\3743\3009A\14v\26\213I\20\213U\370\212\14\1\3\3200\12\213M\374@;A\14r\352\215E\350P\215E\364P\213E\34\377p\30\350\315\314\377\377\205\300\17\205\245\376\377\377\377u\30\213E\34\377u\370\377u\364\377p\30\350(\320\377\377\205\300\17\205\211\376\377\377\377u\10\215E\324P\377u", ) , ) == 0x0
 01196   452   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\300u\36\203}`\5u\34\366Ex\20u\26\205\333u\22\3776\377ul\350\352\371\377\377\205\300t\4\213\360\353\23\3663\300\205\366\17\224\3003\3339]D\213\370t 9]Tt\13\377uT\377ul\350\271\312\377\3779]Xt\13\377uX\377ul\350\251\312\377\377;\373u\249]\t\10\377u\\350Q\316\377\377V\377\25\230\21\375\17\213\307_^[\203\305d\311\302\24\0V\213t$\20V\377t$\20\350\304\363\377\377\205\300u%\213\6\203@@\10\213\6\213L$\10\213P@W\2139\211|\2<\213I\4\211L\2@\3776\350\371\326\377\377_^\302\14\0U\213\354\201\354\200\0\0\0SVW3\300\213u\14\211E\374\211E\360\211E\370\211E\364j\14Y\215}\264\363\253\2523\300j\14Y\215}\200\363\253\2523\300\215}\350\253\253\213F\4\277\1h\0\0;\307\272\16f\0\0\273\17f\0\0t/=\2f\0\0t(=\1f\0\0t!=\3f\0\0t\32=\11f\0\0t\23;\302t\17;\303t\13=\20f\0\0\17\205\327\2\0\0\213M\20\213I\4;\317t8\201\371\2f\0\0t0\201\371\1f\0\0t(\201\371\3f\0\0t \201\371\11f\0\0t\30;\312\17\204\254\2\0\0;\313t\14\201\371\20f\0\0\17\205\225\2\0\0;\312\17\204\224\2\0\0;\313\17\204\214\2\0\0\201\371\20f\0\0\17\204\200\2\0\0;\302\17\204x\2\0\0;\303\17\204p\2\0\0=\20f\0\0\17\204e\2\0\0\213]\10j\0VS\350\301\315\377\377\205\300\17\204J\2\0\0j\0\377u\20S\350\256\315\377\377\205\300\17\2047\2\0\0\213E\20\203x\30\0u\16P\350\310\325\377\377\205\300\17\205\15\1\0\0\213F\4;\307t\17=\2", ) , ) == 0x0
 01197   452   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\241\204\364\376\17\211E\204\213E\324\211E\200\215U\320Rj\0\213@\4\301\350\3PQ\377\266\200\1\0\0\350\273\276\377\377\205\300\17\204\\377\377\377\203}\320\0\17\204R\377\377\377\213\7\205\300t%P\350\347\300\0\0\203'\0\213E\234\203 \0\213E\220\3770\350\324\300\0\0\213E\220\203 \0\213E\224\203 \0\377u\234j\0\377u\224j\0\377u\324\3509\301\377\377\205\300\17\204\15\377\377\377\213E\234\3770\350t\300\0\0\211\7\205\300\17\204\224\376\377\377\213E\224\3770\350`\300\0\0\213M\220\211\1\205\300\17\204}\376\377\377\377u\234\3777\377u\224P\377u\324\350\365\300\377\377\205\300\17\204\311\376\377\377\17\266E\30\203\340\1\213M\214\211\1j\0j\1\213E\220\3770\3777\350\345-\0\0\211E\240\205\300uTPP\213E\220\3770\3777\350\320-\0\0\211E\240\205\300u?\366F\3\360u\329E\210\17\224\300P\377u\30\377u\204V\350T\22\0\0\211E\240\205\300u\37\377u\343\3009E\210\17\224\300@P\377u\10\350\344\311\377\377\205\300u\21\377\25\234\21\375\17\213\360\211u\244\203M\374\377\353\11\203M\374\3773\366\211u\3303\300\205\366\17\224\300\213\370\203}\310\0t\17\213E\334\5d\1\0\0P\377\25\214\21\375\17\203}\344\0t\10\377u\344\350\263\277\0\0\203}\324\0t\16\203}\270\0u\16\377u\324\350\237\277\0\0\203}\270\0t\6S\350\223\277\0\0\203}\330\0t\10\377u\330\350\22\275\377\377\205\377u\7V\377\25\230\21\375\17\213\307\350\204`\0\0\302\30\03\300@\303\213e\350jW^\203M\374\377\213]\264\351{\377\377\377\213K\4\201\371\0\244\0\0t\14\201\371\0$\0\0\17\205\254\374\377\377\213C\14\215P\7\301\352\3\203\342", ) , ) == 0x0
 01198   452   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\276\17\0\11\200\353\23\366\213E\370;\307t\21=\1\0\0\200t\12=\2\0\0\200t\3P\377\3239}\374t\10\377u\374\350\376\260\0\0_\213\306^[\311\302\30\0U\213\354SV\213u\10W\213}\20\215^\34S\377u\20\203\347 W\377u\14\377v\4\350\334\310\0\0\213M\20\203\341\10\204\311t~=\26\0\11\200t\13\205\300ul\270\17\0\11\200\353eS\377u\14\350}\310\0\0\205\300uX\215\206\\1\0\0P\215\236<\1\0\0Sj\0\377u\20\377v\4\377v\\350\356\376\377\377=\26\0\11\200u\307\203;\0u,\205\377u\11\350Y\266\0\0\205\300u!\215F\34PW\215F`P\377v\4\307\206P\1\0\0\2\0\0\0\350g\314\0\0\205\300u\23\300_^[]\302\14\0\205\300u\14\307\206P\1\0\0\2\0\0\0\353\347\215\206\\1\0\0P\215\206<\1\0\0Pj\0\377u\20\377v\4\377u\14\350\177\376\377\377\205\300u\307S\377u\14\350\337\307\0\0\353\266U\213\354\203\354\20SVW3\3773\366\366E\20 \211}\364\211}\370\211}\374\211}\360t\1F\215E\14P\215E\360PW\215E\370P\215E\364P\377u\10\377u\14V\350\326\325\0\0;\307u[\215E\374Ph?\0\17\0W\377u\370\377u\364\3501\324\0\0;\307uB\215E\20P\377u\374\350\276\375\377\377\203}\20\1u\25V\377u\374hP\364\376\17\377u\10\350\1O\0\0;\307u\33\377u\370\377u\364\350\320\324\0\0;\307t\20\203\370\2u\7\273\26\0\11\200\353\6\213\330\353\23\333\213E\364;\307\2135\214\20\375\17t\21=\1\0\0\200t\12=\2\0\0\200t\3P\377\3269}\374t\5\377u\374\377\3269}\370t\10\377u\370\3507\257\0", ) , ) == 0x0
 01199   452   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\204\16\1\0\0\213\306+\326\212\10\210\14\2@:\313u\366\377u\364\2135\344\21\375\17\377\326Y\215E\314P\215E\344P\215E\340P\215E\334P\215E\330P\215E\324P\215E\20P\215E\354PSSS\377u\370\377\25\230\20\375\17;\303\17\205\274\0\0\0\213E\20\203\300\2P\350\235\240\0\0\211E\374\213E\20\203\300\2P\350\216\240\0\09]\374\211E\360\17\204\231\0\0\0;\303\17\204\221\0\0\09]\354\211]\14vT\213E\20\203\300\2\211E\350\215E\314PSSS\215E\350P\377u\374\377u\14\377u\370\377\25\224\20\375\17;\303u^\377u\374\377u\360\377\25t\21\375\17\377u\374\377\326Y\377u\364\377u\374\377\25d\21\375\17\205\300t\17\377E\14\213E\14;E\354r\2543\366\3534\215\267D\1\0\0\3776\350=\240\0\0S\377u\24\211\36\377u\360W\350'\366\377\377;\303u\15W\377u\10\350\350\373\377\377;\303t\317\213\360\353\3j\10^9]\370t\11\377u\370\377\25\214\20\375\179]\364t\10\377u\364\350\373\237\0\09]\374t\10\377u\374\350\356\237\0\09]\360t\10\377u\360\350\341\237\0\0_\213\306^[\311\302\20\0U\213\354\203\354\34S3\333V\211]\374\350C\244\0\0\367E\14\207\377\377\17t\12\276\11\0\11\200\351\317\3\0\0\213E\14\276\0\0\0\360#\306;\306W\213}\10\211E\370u\23\205\377t\17\200?\0t\12\276\11\0\11\200\351\246\3\0\0j\4\377u\24\377\25\\21\375\17\205\300t\10jW^\351\217\3\0\0\205\377t+\200?\0t+\213\307\215P\1\212\10@\204\311u\371+\302@\366E\14\10tj=\5\1\0\0vc\276\37\0\11\200\351`\3\0\09u\370tuj@^V\350\7\237\0", ) , ) == 0x0
 01200   452   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\375\173\333C\211]\330\213E\30\211E\274\215E\274P\215E\270P\215E\264P\350\215\202\0\0\205\300u\14\307E\300 \0\11\200\351\250\1\0\0\377u\264\350\305\220\0\0\211E\344\205\300u\14\307E\300\10\0\0\0\351\215\1\0\0\211]\334\377u\270\350\247\220\0\0\213\370\211}\340\205\377t\340\215\206`\1\0\0\2038\377t\20\211E\310\307E\314\277\303\375\17\215E\310\211E\324h\1\0\1\0\377u\30W\377u\344\377u\324\350\177~\0\0\205\300t\222SSW\377u\344\350'\376\377\377\211E\260\205\300\17\205-\1\0\0SPW\377u\344\350\21\376\377\377\211E\260\205\300\17\205\27\1\0\09E\20u2\215~@\211}\254\215\2368\1\0\0\211]\250\215F(\211E\244\215\2064\1\0\0\211E\240\215FH\211E\234\307E\230\1\0\0\0\241T\364\376\17\353-\215~L\211}\254\215\2360\1\0\0\211]\250\215F0\211E\244\215\206,\1\0\0\211E\240\215FT\211E\234\203e\230\0\241X\364\376\17\211E\224\213\7\205\300t\15P\350\374\217\0\0\3773\350\365\217\0\0\203e\334\0\213E\270\213M\240\211\1\213E\264\213M\244\211\1\213E\340\211\3\213E\344\211\7\17\266E\14\203\340\1\213M\234\211\1\366F\3\360u\26\377u\230\377u\14\377u\224V\350\361\341\377\377\211E\260\205\300uW\213}\24W\203}\20\0u\36j\2\377u\10\350\202\231\377\377\205\300u\10\377\25\234\21\375\17\3537\215E\320Pj\3\353\24j\1\377u\10\350d\231\377\377\205\300t\342\215E\320Pj\4\377u\10\3777\350|\3\0\0\211E\260\205\300t\23= \0\11\200u\3\203\300\343\211E\300\203M\374\377\3536\270\0@\0\0\205E\14t\15\213M\320\11A\10\213E\320\200Hi\1", ) , ) == 0x0
 01201   452   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "h\3\0\0V\350\362\200\0\0\213\370\205\377\211{\30u\10j\10X\3518\2\0\0\271\332\0\0\03\300\363\253\211s\24\213E\20\213{\30j\24Y;\301\17\2058\1\0\0\213u\24\213F\14\211\207d\3\0\0\213\6\203\350\0\17\204\244\0\0\0Ht\12\270\5\0\11\200\351\367\1\0\0\213F\10\250\7u\357\215M\374Qj\0\301\350\3P\377v\4\213E\10\377\260\200\1\0\0\350d~\377\377\205\300u\12\270\11\0\11\200\351\307\1\0\0\213F\4-\1f\0\0t\33Ht\30Ht\25\203\350\6t\20-\370\1\0\0u\252\203\247\\3\0\0\0\353\12\307\207\\3\0\0\10\0\0\0\201{\4\5L\0\0u\25\213F\10\301\350\3;C\14t\12\270\3\0\11\200\351z\1\0\0\213F\10\301\350\3\211\207P\3\0\0\213F\4\211\207H\3\0\0\351^\1\0\0\213F\4-\3\200\0\0t9H\17\205N\377\377\377\201{\4\4L\0\0u\24\211\217X\3\0\0\213F\10\301\350\3\211\207T\3\0\0\353A\201~\10\240\0\0\0\17\205$\377\377\377\211\217T\3\0\0\353,\201{\4\4L\0\0u\14\307\207X\3\0\0\20\0\0\0\353\310\201~\10\200\0\0\0\17\205\372\376\377\377\307\207T\3\0\0\20\0\0\0\213F\4\211\207L\3\0\0\351\341\0\0\0\203\350\25\17\204\253\0\0\0H\17\204\205\0\0\0\203\350\4t?Ht\12\270\12\0\11\200\351\301\0\0\0\213E\24\213\10\201\371\0\1\0\0\17\207\257\376\377\377\213[\4\201\373\4L\0\0t\10\201\373\5L\0\0u\322\211\217D\3\0\0\201\307D\2\0\0\353z\201{\4\4L\0\0u\273\213\207<\2\0\0\205\300t\6P\350O\177\0\0\213u\24\213\6P\211\207@\2\0\0\350\16\177\0\0\205\300\211\207<\2", ) , ) == 0x0
 01202   452   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\10\377u\354\377u\374\3770\350\352\370\377\377\205\300t\4\213\360\353\36\213M\350\213E\34\213u\364\213}\30\211\10\213\301\301\351\2\363\245\213\310\203\341\3\363\2443\366\377u\374\350\360p\0\0\203}\364\0t\10\377u\364\350\342p\0\0_\213\306^[\311\302\30\0U\213\354\203\354\20\213E\10\213@\14\203e\374\0SV\213u\20\213\16\211E\370\213\200,\3\0\0\215D\10\5P\211E\364\350|p\0\0\213\330\205\333u\10j\10^\351\245\0\0\0\213U\20\306\3\1f\307C\1sl\213\16\213u\14\213\301W\301\351\2\215{\3\363\245\213\310\203\341\3\363\244\213\2f\307D\30\3sl\213E\370\213\22\213\210,\3\0\0\215|\32\5\213\321\301\351\2\215\260,\2\0\0\363\245\213\312\203\341\3j\1\363\244\215M\360Q\215M\374Q\377p\10\213E\10\377u\364S\3770\350\0\370\377\377\205\300t\4\213\360\353\36\213M\360\213E\20\213u\374\213}\14\211\10\213\301\301\351\2\363\245\213\310\203\341\3\363\2443\366S\350\10p\0\0\203}\374\0_t\10\377u\374\350\371o\0\0\213\306^[\311\302\14\0U\213\354\203\354`SVW3\300j\6Y\215}\310\363\253\213E\20\213X\14\213M\143\366\270\3L\0\0+\310\211u\374\211u\360\211u\344\211u\350t!\203\351\4t\12\276\10\0\11\200\351c\1\0\0\213C\14\211E\370\213C\4\307E\360\1\0\0\0\353\6\213K\20\211M\370\213K\24\211E\364\213E\3703\322\215D\1\377\367\361\203\370\2\211E\354v\12\276 \0\11\200\351(\1\0\03\3009E\354v-\215x\1\215E\340P\215D5\240P\377u\360\377u\24W\377u\20\350\341\373\377\377\205\300\17\205\351\0\0\0\3u\340\213\307;E\354r\323\201}\14\7L\0\0u", ) , ) == 0x0
 01203   452   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\253\2533\3339]\24\253j\20_\211]\374\211}\354\211]\364t\1C\213u\10\215E\374P\377v\\3506\377\377\377\205\300t\4\213\360\353W\203}\20\2\213\206T\1\0\0\213H\4\213U\14u\33\203}\30\0t\5\213RH\353\3\213RD\215u\354WV\215p\30\203\300\10\353\31\203}\30\0t\5\213RP\353\3\213RL\215u\354WV\215p8\203\300(\377u\374\211U\370\213\21VPSQ\377R@3\366\203}\374\0t\10\377u\374\350\231`\0\0_\213\306^[\311\302\24\0U\213\354\201\354\210\1\0\0VWjb3\300Y\215\275x\376\377\377\363\253\213E\10\211\205\324\376\377\377\213E\20jP\211E\264\3502`\0\0\213\370\205\377\211}\314u\5j\10^\353WW\350j\373\377\377\205\300u\7\276 \0\11\200\353@\215\205x\376\377\377P\350\252\373\377\377\205\300u.P\377u\24\215\205x\376\377\377j\2\377u\14P\350\343\376\377\377\205\300u\25P\377u\24\215\205x\376\377\377j\1\377u\14P\350\312\376\377\377\213\360W\350\337\372\377\377_\213\306^\311\302\20\0U\213\354\203\354(\213E\10S\213X\4V\213p\10W\213}\14+x\14\213@\20\271\0\0\375\17+\371\301\377\2\3\361\213\26\3\331\215\204\270\0\0\375\17\213\10\205\311x\10\215\201\2\0\375\17\353\3\17\267\0\205\322\211E\374u^S\377\25l\21\375\17\213\370\205\377\211}\10t\j\0WV\377\25H\21\375\17\213\360\205\366u+j\10Y\215}\334\363\253\213E\10\211E\360\241\304\364\376\17\205\300\307E\330$\0\0\0\211]\344t\24\215M\330Qj\5\377\320\353\12W\377\25x\21\375\17\211u\10\203}\10\0t\21\213U\10\377u\374R\377\25p\21\375\17\205\300u\11\377u\374S\350\370\236", ) , ) == 0x0
 01204   452   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "3\3073\367\301\306\22\213\3763\360\201\346\17\0\360\3773\3763\306\301\307\14\213\3673\370\201\347\360\360\360\3603\3673\307\301\310\4\211\2\211r\4]_^[\302\20\0\213Ex3\333\213U|3\3063\326%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\375\213\2518N\375\173\375\212\316\301\350\20\213\2538M\375\173\375\212\334\301\352\20\213\2518O\375\173\375\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\373\213\2318S\375\173\373\213\2308P\375\173\373\213\2328Q\375\173\373\213Ep3\333\213Ut3\3073\327%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\365\213\2518N\375\173\365\212\316\301\350\20\213\2538M\375\173\365\212\334\301\352\20\213\2518O\375\173\365\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\363\213\2318S\375\173\363\213\2308P\375\173\363\213\2328Q\375\173\363\213Eh3\333\213Ul3\3063\326%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\375\213\2518N\375\173\375\212\316\301\350\20\213\2538M\375\173\375\212\334\301\352\20\213\2518O\375\173\375\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\373\213\2318S\375\173\373\213\2308P\375\173\373\213\2328Q\375\173\373\213E`3\333\213Ud3\3073\327%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\365\213\2518N\375\173\365\212\316\301\350\20\213\2538M\375\173\365\212\334\301\352\20\213\2518O\375\173\365\213l$\34", ) , ) == 0x0
 01205   452   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10\213l$\34\211t$ \213\302\213\361\203\340?\203\346?f\213DE\0f\213tu\0+\370+\326\213\303\213\367\203\340?\203\346?f\213DE\0f\213tu\0+\310+\336\213t$ f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320", ) , ) == 0x0
 01206   452   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\301\356\30\212\236\3207\375\17\17\266\362\210X\3\212\236\3207\375\17\210X\4\17\266\315\212\211\3207\375\17\210H\5\213L$\34\301\351\20\17\266\311\212\211\3207\375\17\210H\6\213L$\30\301\351\30\212\211\3207\375\17\210H\7\213L$\30\211T$\24\17\266\361\212\236\3207\375\17\210X\10\17\266\326\212\222\3207\375\17\210P\11\17\266T$\22\212\222\3207\375\17\210P\12\17\266T$\37\212\222\3207\375\17\213\30\210P\13\17\266T$\34\212\222\3207\375\17\213p\4\210P\14\17\266\315\212\221\3207\375\17\17\266L$\26\210P\15\212\221\3207\375\17\17\266L$\23\210P\16\212\221\3207\375\17\210P\17\213\173\331\211\30\213W\43\362\213P\10\211p\4\213O\103\321\211P\10\213W\14\213H\14_^3\312]\211H\14[\203\304\20\302\20\0\213D$\20\213T$\4\203\370\1\213D$\14\213\10Qu\22\203\300\4P\213D$\20RP\350\275\370\377\377\302\20\0\5\364\0\0\0P\213D$\20RP\350I\374\377\377\302\20\0\220\220\220\220\220\220\213D$\10S\213\$\20VW\213|$\20S\215w\4VP\211\37\350\224\365\377\377\215\207\364\0\0\0S\213\370\271<\0\0\0P\363\245\350n\367\377\377_^[\302\14\0\220\220\220\220\220\220\220\220S3\3223\311V\213D$\24\213t$\14W\213\370\213\$\24U\212\216\0\1\0\0\213\353\212\226\1\1\0\0\205\333\17\204\17\1\0\0\301\353\2\203\340\3\205\333\17\204\326\0\0\0\205\300\17\205\316\0\0\0\213\307\215<\237\211|$\34\203\350\4\213\353\213x\4A3\300\201\341\377\0\0\0\212\4\16\3\320\201\342\377\0\0\0\212\34\26\210\34\16A\210\4\26\2\303\212\4\63\370\201\341\377\0\0\03\300\212\4\16\3\320\201\342\377", ) , ) == 0x0
 01207   452   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\215\4k\215\4\205\14\0\0\0=\0\2\0\0v$Pj\0\377\25<\21\375\17\205\300\211D$,u\15_^][\201\304$\2\0\0\302\24\0\211D$ \353\10\215L$4\211L$ \213T$ \215\14\255\0\0\0\0\215<\21\211|$\30\203\307\4\215\49\215P\4\211T$(\213\321\301\351\2\363\245\213\312\203\341\3\363\244\213\264$8\2\0\0\213|$(\307\0\0\0\0\0\211D$0\215\4\235\0\0\0\0\213\310\213\321\301\351\2\363\245\213\312\203\341\3\363\244\213t$(+\335\307\40\0\0\0\0\211\$\34\17\2108\1\0\0\215\4\235\0\0\0\0\215\140\211L$$\213L$\30\203\301\4+\301\3\306\3\335\215\14\236\211D$\20\211L$\24\353\7\213L$\24\215I\0\203\375\1\213\264$<\2\0\0v\6\213D\256\370\353\23\300\213T\256\374P\213A\374\213\11RPQ\350\352\375\377\377\205\300u\5\270\1\0\0\0\213\$ UVPS\350T\26\0\0\213T$\30\211\2\205\355\213\375|\35\213t$$\213D$\30+\363\213\14\6\213\20;\321wbr\10O\203\350\4\205\377}\355\213|$$\215E\1PSWW\350\177\371\377\377\205\355\213\365|\34\213D$0\220\213L$\20\213\14\1\213\20;\312w\12rFN\203\350\4\205\366}\351\213\$\34\213t$\24\213D$\20\271\4\0\0\0C\3\361\3\371\3\301\211\$\34\211t$\24\211D$\20\353\35\215E\1P\213D$\34\203\300\4PSS\350$\371\377\377\351m\377\377\377\271\4\0\0\0\213D$\34\213\$\24\213T$\20H+\331+\371+\321\205\300\211D$\34\211\$\24\211|$$\211T$\20\17\215\364\376\377\377\213t$(\213\234$@\2\0\0\215\24\255\0\0\0\0\213", ) , ) == 0x0
 01208   452   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "L$$\215\14\301\211T$,\213T$t\211L$\24\215\14\201\211U\0\213D$pPU\211L$ \213L$lVQ\350\337\373\377\377\205\300u\33S\377\25|\21\375\17_^]3\300[\203\304P\302\24\0\353\6\215\233\0\0\0\0\213T$p\213D$dRUWP\350\257\373\377\377\205\300t\320\213L$\20QWV\350/\355\377\377\205\300t\333\213T$\20RWV\350\37\355\377\377\203\370\1t,\213D$\203\311\205\300v"3\300\213\24\206\211T$d\213\24\207\211\24\206\213T$dA\211\24\207\213T$\20\17\267\301;\302r\340\213D$\20\213L$ PWVQ\350-\355\377\377\213T$\20Rj\1S\350\240\352\377\377\213D$\20\213L$\30PSWQ\350\363\351\377\377\213T$\20\213D$\24RSVP\350\342\351\377\377\213L$\20\213T$\30\213D$\24QRPS\350\351\354\377\377\213L$\20\213D$$\215\24\11\213L$\34RSUPQP\350_\366\377\377\205\300\17\204\14\377\377\377\213D$\20\213L$\34P\215\24\0\213D$\30R\213T$0PQRS\350\11\361\377\377\213D$\20\213L$\30\213T$\34P\3\300P\213D$4QRPS\350\354\360\377\377\213L$\20\213T$0\213D$$QWVRPS\350\5\366\377\377\205\300S\17\204\262\376\377\377\213L$\24\213t$$\213|$8\3\311\363\245\213L$\24\213D$t\215\24\315\0\0\0\0\213L$l\211Q\4\3\300\213\320\211A\10\307\1RSA1\301\352\3J\211Q\14\213u\0\211q\20\213L$p\211A\10\211Q\14\213E\0\211A\20\377\25|\21\375\17\270\1\0\0\0_^][\203\304P\302\24\0\220\220\220\220\220\220\220\213D$\4\2018RS", ) 3\300\213\24\206\211T$d\213\24\207\211\24\206\213T$dA\211\24\207\213T$\20\17\267\301;\302r\340\213D$\20\213L$ PWVQ\350-\355\377\377\213T$\20Rj\1S\350\240\352\377\377\213D$\20\213L$\30PSWQ\350\363\351\377\377\213T$\20\213D$\24RSVP\350\342\351\377\377\213L$\20\213T$\30\213D$\24QRPS\350\351\354\377\377\213L$\20\213D$$\215\24\11\213L$\34RSUPQP\350_\366\377\377\205\300\17\204\14\377\377\377\213D$\20\213L$\34P\215\24\0\213D$\30R\213T$0PQRS\350\11\361\377\377\213D$\20\213L$\30\213T$\34P\3\300P\213D$4QRPS\350\354\360\377\377\213L$\20\213T$0\213D$$QWVRPS\350\5\366\377\377\205\300S\17\204\262\376\377\377\213L$\24\213t$$\213|$8\3\311\363\245\213L$\24\213D$t\215\24\315\0\0\0\0\213L$l\211Q\4\3\300\213\320\211A\10\307\1RSA1\301\352\3J\211Q\14\213u\0\211q\20\213L$p\211A\10\211Q\14\213E\0\211A\20\377\25|\21\375\17\270\1\0\0\0_^][\203\304P\302\24\0\220\220\220\220\220\220\220\213D$\4\2018RS", ) == 0x0
 01209   452   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\337\377\377\205\300\17\204\262\0\0\0\213\224$P\1\0\0VSRWU\350\260\373\377\377\205\300\17\204\231\0\0\0\213D$\20VUPW\350\237\332\377\377\205\300t\33\215\244$\0\0\0\0\213\214$D\1\0\0VQWW\350@\332\377\377\205\300t\354\213\224$T\1\0\0\213\234$<\1\0\0VRWS\350\205\335\377\377\213D$\34VHP\213\204$L\1\0\0WPS\350\337\336\377\377\205\300t<\213\214$H\1\0\0VQWS\350[\335\377\377\213L$ \215<)\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213D$\34PUSS\350\327\331\377\377\307D$\24\1\0\0\0\213L$$\213|$\20\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213D$\30\205\300][t\7P\377\25|\21\375\17\213D$\14_^\201\304(\1\0\0\302 \0\220\220\220\220\220\220\220\377t$\4j\10\377\254\21\375\17P\377\258\21\375\17\302\4\0\377t$\10\377t$\10j\10\377\254\21\375\17P\377\250\21\375\17\302\10\0\203|$\4\0t\23\377t$\4j\10\377\254\21\375\17P\377\25\324\20\375\17\302\4\0U\213\354Q\203e\374\0V\215E\374Pj\1\377u\10\377\25\320\20\375\17P\377\25@\20\375\17\205\300u+\2135\234\21\375\17\377\326=\360\3\0\0u&\215E\374P\377u\10\377\25\314\20\375\17P\377\25D\20\375\17\205\300u\4\377\326\353\12\213E\14\213M\374\211\103\300^\311\302\10\0U\213\354SV\2135\340\362\376\17Wj\123\333_\353$\377\25\234\21\375\17\213\310\201\351\265\6\0\0t:\203\351\6u:\203\373\5s)W\377\25\240\21\375\17\3\377C\377u \377u\34\377u\30\377u\24\377u\20\377u\14\377u\10\377\326", ) , ) == 0x0
 01210   452   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\374\215\4@\215\4\3058\0\0\09\1s\12jz\211\1X\351\275\0\0\0SW\213=\260\21\375\17j\1ht]\375\17\377u\14\377\327\213\330\212\6\203\304\14\204\300u88F\1u3\17\266F\2\17\266N\3\301\340\10\3\301\17\266N\4\301\340\10\3\301\17\266N\5\301\340\10\3\301P\213E\14\215\4Xhl]\375\17P\377\327\203\304\14\353.\17\266N\5Q\17\266N\4Q\17\266N\3Q\17\266N\2Q\17\266N\1\17\266\300QP\213E\14\215\4Xh(]\375\17P\377\327\203\304 3\366\3\3309u\374v%V\377u\10\377\25\20\20\375\17\3770\213E\14\215\4Xh\30]\375\17P\377\327\203\304\14\3\330F;u\374r\333\213E\20C\211\30_3\300[^\311\302\14\0U\213\354Q\213E\20\203 \0\203e\374\0V\215E\374Pj\10\350T\360\377\377\205\300t\4\213\360\353b\213u\14S\213\35\34\20\375\17W\213}\10V\3776\3777j\1\377u\374\377\323\205\300u@\377\25\234\21\375\17\203\370zt\4\213\360\3533\3776\350\313\357\377\377\205\300\211\7u\5j\10^\353!\213M\203\300V@\211\1\3776\3777P\377u\374\377\323\205\300u\10\377\25\234\21\375\17\353\3133\366_[\203}\374\0t\11\377u\374\377\25\340\20\375\17\213\306^\311\302\14\0U\213\354\201\354\14\1\0\0\203e\374\0V\215\205\364\376\377\377\211E\370W\215E\374P\215E\364P\215E\370P\307E\364\0\1\0\0\3506\377\377\377\205\300\213u\370u\15\377u\14\377u\10\3776\350\3\375\377\377\203}\374\0\213\370t\12\205\366t\6V\350a\357\377\377\213\307_^\311\302\10\0U\213\354\201\354\14\1\0\0\203e\374\0V\215\205\364\376\377\377\211E\370W\215E\374P\215E\364P\215", ) , ) == 0x0
 01211   452   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\2S\377\326\213\370;\373u\12\377\25\234\21\375\17\213\360\353p\215D?\2P\350\336\340\377\377;\303\211Elu\5j\10^\353MWPj\377\377u|j\2S\377\326\205\300u\10\377\25\234\21\375\17\353/\377ul\377ux\350\23\370\377\377\205\300t$\215E\314P\377u|\350-\346\377\377;\303u\20\215E\314P\377ux\350\363\367\377\377;\303t\4\213\360\353\23\3669]lt\10\377ul\350\250\340\377\377_\213\306^[\203\305p\311\302\10\0U\215l$\224\201\354\254\0\0\0\203Md\377VW\215EhP\215E`P3\377W\377u|\211}h\377ut\211}`3\366\350\300\361\377\377;\307uG\377ux\377uh\350\363\376\377\377\205\300t?9}|t=\377uh\350M\340\377\377\215EhP\215E`PFV\377u|\211}h\377ut\350\210\361\377\377;\307u\17\377ux\377uh\350\273\376\377\377;\307t\12\213\360\351\204\0\0\03\366FSj(Y3\300\215}\300\363\253\215EdP\215E\300P\377ux\377uh\350e\365\377\377\213\35\340\20\375\17\3537\377ud\377\323\203Md\377\215E\300P\377uh\350\21\367\377\377\205\300u4j(Y\215}\300\363\253\215EdP\215E\300P\377ux3\366\377uhF\350&\365\377\377\205\300t\305\367\336\33\366\201\346\352\377\366\177\201\306\26\0\11\200\353\2\213\360\203}d\377t\5\377ud\377\323[\203}h\0t\10\377uh\350\211\337\377\377_\213\306^\203\305l\311\302\14\0U\213\354Q\203M\374\377VW\215E\374P\377u\14\377u\20h\0\0\0\200\377u\10\350\1\364\377\3773\366;\306t\17\203\370\2u"\277\26\0\11\200\351\307\0\0\0V\377u\374\377\25\364\20\375\17\203\370\377\211E\20", ) \277\26\0\11\200\351\307\0\0\0V\377u\374\377\25\364\20\375\17\203\370\377\211E\20", ) == 0x0
 01212   452   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\300^_\311\302\4\0\377\25\234\21\375\17\353\362U\213\354\203\354 V\213u\10\215E\350P\215E\364PV\377\25\10\20\375\17\205\300u\13\377\25\234\21\375\17\351\252\0\0\0SV\377\25\300\20\375\17P\211E\10\350\264\320\377\377\205\300\213]\14\211\3u\10j\10X\351\207\0\0\0\366E\365\200\17\204\203\0\0\0\213M\10W\213\370\213\301\301\351\2\363\245\213\310\203\341\3\363\244_\215E\344P\215E\374P\215E\360P\3773\377\25\274\20\375\17\205\300tf3\3669u\360t\219u\374t\14\377u\374\350\344\376\377\377;\306u8\215E\340P\215E\370P\215E\354P\3773\377\25\270\20\375\17\205\300t69u\354t\219u\370t\14\377u\370\350\266\376\377\377;\306u\12\213E\20\213M\10\211\103\300[^\311\302\14\0\215M\10QPV\377\25\264\20\375\17\205\300u\202\377\25\234\21\375\17\353\342U\213\354\203\354\20VW\215E\30P\215E\3743\377P\377u\30\211}\374\211}\364\211}\370\211}\360\350\353\376\377\377;\307u\30\215E\370P\215E\360PW\377u\20\377u\14\350C\341\377\377;\307t\4\213\360\353\177\213u\370SV\350\246\20\0\0\377u\10\213\330\321\343\350\232\20\0\0\321\340Y\211E\30Y\215D\30\2P\350\221\317\377\377;\307\211E\364u\5j\10^\353K\213\313\213\321\301\351\2\377u\374\213\370\363\245\377u\24\213\312\203\341\3\363\244\213M\30\213u\10\203\301\2\213\321\301\351\2\215<\3\363\245\213\312\203\341\3P\363\244\377\25\4\20\375\17\205\300u\12\377\25\234\21\375\17\213\360\353\23\3663\377[9}\374t\10\377u\374\350\\317\377\3779}\370t\10\377u\370\350O\317\377\3779}\364t\10\377u\364\350B\317\377\377_\213\306^\311\302\24\0U\213", ) , ) == 0x0
 01213   452   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\311\302\30\0\213D$\4\353\11;L$\10t\13\203\300X\213\10\205\311u\3613\300\302\10\0\377t$\10\377t$\10\350\331\377\377\377\213L$\14\205\311t\2\211\13\311\205\300\17\225\301\213\301\302\14\0\213D$\20\205\300u\21\377t$\10\377t$\10\350\256\377\377\377\205\300t\23\213L$\149H\10w\129H\14r\53\300@\353\23\300\302\20\0\213T$\20\213D$\14\203"\0\205\300u\21\377t$\10\377t$\10\350v\377\377\377\205\300t\10\213@\4\211\23\300@\302\20\0\270\370\362\376\17\351\0\0\0\0QRPh\334\277\376\17\350\203`\377\377ZY\377\340\270\364\362\376\17\351\345\377\377\377\270\374\362\376\17\351\333\377\377\377\270\354\362\376\17\351\0\0\0\0QRPh\374\277\376\17\350T`\377\377ZY\377\340\377%\354\362\376\17\314\377%D\21\375\17\314\314\314\314\314\314\314\314SV\213D$\30\13\300u\30\213L$\24\213D$\203\322\367\361\213\330\213D$\14\367\361\213\323\353A\213\310\213\$\24\213T$\20\213D$\14\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\360\367d$\30\213\310\213D$\24\367\346\3\321r\16;T$\20w\10r\7;D$\14v\1N3\322\213\306^[\302\20\0\314\314\314\314\314\314\314\314S\213D$\24\13\300u\30\213L$\20\213D$\143\322\367\361\213D$\10\367\361\213\3023\322\353P\213\310\213\$\20\213T$\14\213D$\10\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\310\367d$\24\221\367d$\20\3\321r\16;T$\14w\10r\16;D$\10v\10+D$\20\33T$\24+D$\10\33T$\14\367\332\367\330\203\332\0[\302\20\0\314\377%\334\21\375\17\377%\330\21\375\17\377%\300\21\375\17", ) \0\205\300u\21\377t$\10\377t$\10\350v\377\377\377\205\300t\10\213@\4\211\23\300@\302\20\0\270\370\362\376\17\351\0\0\0\0QRPh\334\277\376\17\350\203`\377\377ZY\377\340\270\364\362\376\17\351\345\377\377\377\270\374\362\376\17\351\333\377\377\377\270\354\362\376\17\351\0\0\0\0QRPh\374\277\376\17\350T`\377\377ZY\377\340\377%\354\362\376\17\314\377%D\21\375\17\314\314\314\314\314\314\314\314SV\213D$\30\13\300u\30\213L$\24\213D$\203\322\367\361\213\330\213D$\14\367\361\213\323\353A\213\310\213\$\24\213T$\20\213D$\14\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\360\367d$\30\213\310\213D$\24\367\346\3\321r\16;T$\20w\10r\7;D$\14v\1N3\322\213\306^[\302\20\0\314\314\314\314\314\314\314\314S\213D$\24\13\300u\30\213L$\20\213D$\143\322\367\361\213D$\10\367\361\213\3023\322\353P\213\310\213\$\20\213T$\14\213D$\10\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\310\367d$\24\221\367d$\20\3\321r\16;T$\14w\10r\16;D$\10v\10+D$\20\33T$\24+D$\10\33T$\14\367\332\367\330\203\332\0[\302\20\0\314\377%\334\21\375\17\377%\330\21\375\17\377%\300\21\375\17", ) == 0x0
 01214   452   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\343\316\1\0\365\316\1\0\7\317\1\0\0\0\1\0\2\0\3\0\4\0\5\0\6\0\7\0\10\0\11\0\12\0\13\0\14\0\15\0\16\0\17\0\20\0\21\0\22\0\23\0\24\0\25\0\26\0\27\0\30\0\31\0\32\0RSAENH.dll\0CPAcquireContext\0CPCreateHash\0CPDecrypt\0CPDeriveKey\0CPDestroyHash\0CPDestroyKey\0CPDuplicateHash\0CPDuplicateKey\0CPEncrypt\0CPExportKey\0CPGenKey\0CPGenRandom\0CPGetHashParam\0CPGetKeyParam\0CPGetProvParam\0CPGetUserKey\0CPHashData\0CPHashSessionKey\0CPImportKey\0CPReleaseContext\0CPSetHashParam\0CPSetKeyParam\0CPSetProvParam\0CPSignHash\0CPVerifySignature\0DllRegisterServer\0DllUnregisterServer\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01215   452   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2f\0\0\200\0\0\0(\0\0\0\200\0\0\0\0\0\0\0\4\0\0\0RC2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0RSA Data Security's RC2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1h\0\0\200\0\0\0(\0\0\0\200\0\0\0\0\0\0\0\4\0\0\0RC4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0RSA Data Security's RC4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1f\0\08\0\0\08\0\0\08\0\0\0\0\0\0\0\4\0\0\0DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\37\0\0\0Data Encryption Standard (DES)\0\0\0\0\0\0\0\0\0\0\11f\0\0p\0\0\0p\0\0\0p\0\0\0\0\0\0\0\15\0\0\03DES TWO KEY\0\0\0\0\0\0\0\0\23\0\0\0Two Key Triple DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3f\0\0\250\0\0\0\250\0\0\0\250\0\0\0\0\0\0\0\5\0\0\03DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\25\0\0\0Three Key Triple DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\200\0\0\240\0\0\0", ) , ) == 0x0
 01216   452   NtReadFile  (112, 0, 0, 0, 2916, 0x0, 0, ... {status=0x0, info=2916},  (112, 0, 0, 0, 2916, 0x0, 0, ... {status=0x0, info=2916}, "\0\0\0\0\5L\0\0(\0\0\0(\0\0\0\300\0\0\0\2\0\0\0\14\0\0\0SSL2 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0SSL2 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1L\0\0\200\1\0\0\200\1\0\0\200\1\0\0\4\0\0\0\14\0\0\0SSL3 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0SSL3 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\6L\0\0\200\1\0\0\200\1\0\0\200\1\0\0\10\0\0\0\14\0\0\0TLS1 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0TLS1 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\20\0\0\0SCH MASTER HASH\0\0\0\0\0\25\0\0\0SChannel Master Hash\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\14\0\0\0SCH MAC KEY\0\0\0\0\0\0\0\0\0\21\0\0\0SChannel MAC Key\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\7L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\14\0\0\0SCH ENC KEY\0\0\0\0\0\0\0\0\0\30\0\0\0SChannel", ) , ) == 0x0
 01217   452   NtQueryInformationFile  (112, 1239240, 8, Position, ... {status=0x0, info=8}, ) == 0x0
 01218   452   NtSetInformationFile  (112, 1239240, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01219   452   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\1\0\0P\1\0\0>\371\230\274_\256\254\300\0\07\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0o\0p\0e\0n\0 \0s\0i\0g\0n\0a\0t\0u\0r\0e\0 \0f\0i\0l\0e\0?\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0g\0e\0t\0 \0t\0h\0e\0 \0s\0i\0z\0e\0 \0o\0f\0 \0R\0s\0a\0b\0a\0s\0e\0.\0s\0i\0g\03\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0a\0l\0l\0o\0c\0a\0t\0e\0 \0m\0e\0m\0o\0r\0y\04\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0R\0e\0a\0d\0 \0R\0s\0a\0b\0a\0s\0e\0.\0s\0i\0g\05\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0", ) , ) == 0x0
 01220   452   NtReadFile  (112, 0, 0, 0, 1208, 0x0, 0, ... {status=0x0, info=1208},  (112, 0, 0, 0, 1208, 0x0, 0, ... {status=0x0, info=1208}, "\337:J;i;\266;\300;\317;\365;\3<\31\16>W>q>\251>\276>\217?\0\0\0\220\1\0|\0\0\0 0)0J0T0\2120\2360\3070\3460\253182a2\2342\2432\2532\3112\3642\273\2353\2433_4m4\2704\3054\3664+595Q5^5\2045\2165\2505*646\3606\107F7\258 8=8P8d:m:\263<\275<\10=H=`=\220=\210>>?L?q?~?\217?\233?\354?\373?\0\0\0\240\1\0\210\0\0\0\120!0D0}0\2371\3711#2\3512\6333\2043\2353\3333\104V4d4\3264\3514'575v5\2265\3316\3666\67\377e7o7\2117\3457\3677*8\2248\3338!:\177:\251:\270;\276;\325;\344;\356;%<-B>L>\0?\12?\341?\374?\0\260\1\0\10\1\0\0\3240\3500\201\331?1I1\2571\2731\3021\3661'2\2732\3052V3h3n3z3\2273\2563\2643\3253\3663\27484Y4z4\2334\2744\3354\3764\375@5a5\2025\2435\3045\3455\26\376<6Y6o6\1776\2136\2276\2356\2436\2516\2576\2656\2736\3016\3076\3156\3236\3316\3376\3456\3536\3616\3676\3756\37\117\177\257\337"7-7>7I7\2527\38\238&858z8\2538\3428\3608\49\219$939", ) 7-7>7I7\2527\38\238&858z8\2538\3428\3608\49\219$939", ) == 0x0
 01221   452   NtUnmapViewOfSection  (-1, 0x8f0000, ... ) == 0x0
 01222   452   NtClose  (104, ... ) == 0x0
 01223   452   NtClose  (112, ... ) == 0x0
 01224   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1237720, ... ) }, 1237720, ... ) == 0x0
 01225   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 5, 96, ... 112, {status=0x0, info=1}, ) }, 5, 96, ... 112, {status=0x0, info=1}, ) == 0x0
 01226   452   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 112, ... 104, ) == 0x0
 01227   452   NtClose  (112, ... ) == 0x0
 01228   452   NtMapViewOfSection  (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x8f0000), 0x0, 135168, ) == 0x0
 01229   452   NtClose  (104, ... ) == 0x0
 01230   452   NtUnmapViewOfSection  (-1, 0x8f0000, ... ) == 0x0
 01231   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1238036, ... ) }, 1238036, ... ) == 0x0
 01232   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0
 01233   452   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 104, ... 112, ) == 0x0
 01234   452   NtQuerySection  (112, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01235   452   NtClose  (104, ... ) == 0x0
 01236   452   NtMapViewOfSection  (112, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0xffd0000), 0x0, 139264, ) == 0x0
 01237   452   NtClose  (112, ... ) == 0x0
 01238   452   NtProtectVirtualMemory  (-1, (0xffd1000), 492, 4, ... (0xffd1000), 4096, 32, ) == 0x0
 01239   452   NtProtectVirtualMemory  (-1, (0xffd1000), 4096, 32, ... (0xffd1000), 4096, 4, ) == 0x0
 01240   452   NtFlushInstructionCache  (-1, 268242944, 492, ... ) == 0x0
 01241   452   NtProtectVirtualMemory  (-1, (0xffd1000), 492, 4, ... (0xffd1000), 4096, 32, ) == 0x0
 01242   452   NtProtectVirtualMemory  (-1, (0xffd1000), 4096, 32, ... (0xffd1000), 4096, 4, ) == 0x0
 01243   452   NtFlushInstructionCache  (-1, 268242944, 492, ... ) == 0x0
 01244   452   NtProtectVirtualMemory  (-1, (0xffd1000), 492, 4, ... (0xffd1000), 4096, 32, ) == 0x0
 01245   452   NtProtectVirtualMemory  (-1, (0xffd1000), 4096, 32, ... (0xffd1000), 4096, 4, ) == 0x0
 01246   452   NtFlushInstructionCache  (-1, 268242944, 492, ... ) == 0x0
 01247   452   NtProtectVirtualMemory  (-1, (0xffd1000), 492, 4, ... (0xffd1000), 4096, 32, ) == 0x0
 01248   452   NtProtectVirtualMemory  (-1, (0xffd1000), 4096, 32, ... (0xffd1000), 4096, 4, ) == 0x0
 01249   452   NtFlushInstructionCache  (-1, 268242944, 492, ... ) == 0x0
 01250   452   NtAllocateVirtualMemory  (-1, 1368064, 0, 20480, 4096, 4, ... 1368064, 20480, ) == 0x0
 01251   452   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 01252   452   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 01253   452   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 01254   452   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 01255   452   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 01256   452   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 01257   452   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 01258   452   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 01259   452   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 01260   452   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 01261   452   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 01262   452   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 01263   452   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 01264   452   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 01265   452   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 01266   452   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 01267   452   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 01268   452   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 01269   452   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 01270   452   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 01271   452   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 01272   452   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 01273   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1236988, ... ) }, 1236988, ... ) == 0x0
 01274   452   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1237720,  (0x80100080, {24, 0, 0x40, 0, 1237720, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 0x0, 0, 3, 1, 96, 0, 0, ... 112, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 96, 0, 0, ... 112, {status=0x0, info=1}, ) == 0x0
 01275   452   NtQueryVolumeInformationFile  (112, 1237880, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01276   452   NtQueryInformationFile  (112, 1237772, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01277   452   NtQueryInformationFile  (112, 1238064, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01278   452   NtClose  (112, ... ) == 0x0
 01279   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1236480, ... ) }, 1236480, ... ) == 0x0
 01280   452   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1237212,  (0x80100080, {24, 0, 0x40, 0, 1237212, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 0x0, 0, 3, 1, 96, 0, 0, ... 112, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 96, 0, 0, ... 112, {status=0x0, info=1}, ) == 0x0
 01281   452   NtQueryVolumeInformationFile  (112, 1237372, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01282   452   NtQueryInformationFile  (112, 1237264, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01283   452   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 112, ... 104, ) == 0x0
 01284   452   NtMapViewOfSection  (104, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x8f0000), {0, 0}, 135168, ) == 0x0
 01285   452   NtQueryDefaultLocale  (1, 1237352, ... ) == 0x0
 01286   452   NtQueryVirtualMemory  (-1, 0x8f0000, Basic, 28, ... {BaseAddress=0x8f0000,AllocationBase=0x8f0000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01287   452   NtQueryVirtualMemory  (-1, 0x8f0000, Basic, 28, ... {BaseAddress=0x8f0000,AllocationBase=0x8f0000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01288   452   NtQueryDefaultLocale  (1, 1237352, ... ) == 0x0
 01289   452   NtQueryVirtualMemory  (-1, 0x8f0000, Basic, 28, ... {BaseAddress=0x8f0000,AllocationBase=0x8f0000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01290   452   NtQueryVirtualMemory  (-1, 0x8f0000, Basic, 28, ... {BaseAddress=0x8f0000,AllocationBase=0x8f0000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01291   452   NtReadFile  (112, 0, 0, 0, 336, 0x0, 0, ... {status=0x0, info=336},  (112, 0, 0, 0, 336, 0x0, 0, ... {status=0x0, info=336}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\370\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\264\336V\215\360\2778\336\360\2778\336\360\2778\336\275\234$\336\377\2778\3369\235\22\336\365\2778\336\360\2779\336q\2778\336\12\234!\336\371\2778\336\360\2778\336\362\2778\336\12\234x\336\363\2778\336\12\234\7\336\361\2778\336g\234}\336\361\2778\336*\234%\336\361\2778\336*\234$\336\376\2778\336\12\234\5\336\361\2778\336Rich\360\2778\336\0\0\0\0\0\0\0\0PE\0\0L\1\4\0.FQ;\0\0\0\0\0\0\0\0\340\0\16!\13\1\7\0\0\300\1\0\0@\0\0\0\0\0\0\340\367\0\0\0\20\0\0\0\320\1\0\0\0\375\17\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0 \2\0\0\4\0\0", ) , ) == 0x0
 01292   452   NtQueryInformationFile  (112, 1237600, 8, Position, ... {status=0x0, info=8}, ) == 0x0
 01293   452   NtSetInformationFile  (112, 1237600, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01294   452   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\3\0\0\0\0\0\4\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0`\314\1\0\273\2\0\0\304\301\1\0d\0\0\0\0\0\2\08\14\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\2\0\0\12\0\0\360\21\0\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0\354\1\0\0\274\277\1\0\340\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\33\277\1\0\0\20\0\0\0\300\1\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0`.data\0\0\0(%\0\0\0\320\1\0\0$\0\0\0\304\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0\300.rsrc\0\0\08\14\0\0\0\0\2\0\0\16\0\0\0\350\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0@.reloc\0\0R\13\0\0\0\20\2\0\0\14\0\0\0\366\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0B\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01295   452   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "*\305\357\357\345O\252\252\26\355\373\373\305\206CC\327\232MMUf33\224\21\205\205\317\212EE\20\351\371\371\6\4\2\2\201\376\177\177\360\240PPDx<<\272%\237\237\343K\250\250\363\242QQ\376]\243\243\300\200@@\212\5\217\217\255?\222\222\274!\235\235Hp88\4\361\365\365\337c\274\274\301w\266\266u\257\332\332cB!!0 \20\20\32\345\377\377\16\375\363\363m\277\322\322L\201\315\315\24\30\14\145&\23\23/\303\354\354\341\276__\2425\227\227\314\210DD9.\27\27W\223\304\304\362U\247\247\202\374~~Gz==\254\310dd\347\272]]+2\31\31\225\346ss\240\300``\230\31\201\201\321\236OO\177\243\334\334fD""~T**\253;\220\220\203\13\210\210\312\214FF)\307\356\356\323k\270\270<(\24\24y\247\336\336\342\274^^\35\26\13\13v\255\333\333;\333\340\340Vd22Nt::\36\24\12\12\333\222II\12\14\6\6lH$$\344\270\\]\237\302\302n\275\323\323\357C\254\254\246\304bb\2509\221\221\2441\225\2257\323\344\344\213\362yy2\325\347\347C\213\310\310Yn77\267\332mm\214\1\215\215d\261\325\325\322\234NN\340I\251\251\264\330ll\372\254VV\7\363\364\364%\317\352\352\257\312ee\216\364zz\351G\256\256\30\20\10\10\325o\272\272\210\360xxoJ%%r\..$8\34\34\361W\246\246\307s\264\264Q\227\306\306#\313\350\350|\241\335\335\234\350tt!>\37\37\335\226KK\334a\275\275\206\15\213\213\205\17\212\212\220\340ppB|>>\304q\265\265\252\314ff\330\220HH\5\6\3\3\1\367\366\366\22\34\16\16\243\302aa_j55\371\256WW\320i\271\271\221\27\206\206X\231\301\301", )  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "*\305\357\357\345O\252\252\26\355\373\373\305\206CC\327\232MMUf33\224\21\205\205\317\212EE\20\351\371\371\6\4\2\2\201\376\177\177\360\240PPDx<<\272%\237\237\343K\250\250\363\242QQ\376]\243\243\300\200@@\212\5\217\217\255?\222\222\274!\235\235Hp88\4\361\365\365\337c\274\274\301w\266\266u\257\332\332cB!!0 \20\20\32\345\377\377\16\375\363\363m\277\322\322L\201\315\315\24\30\14\145&\23\23/\303\354\354\341\276__\2425\227\227\314\210DD9.\27\27W\223\304\304\362U\247\247\202\374~~Gz==\254\310dd\347\272]]+2\31\31\225\346ss\240\300``\230\31\201\201\321\236OO\177\243\334\334fD""~T**\253;\220\220\203\13\210\210\312\214FF)\307\356\356\323k\270\270<(\24\24y\247\336\336\342\274^^\35\26\13\13v\255\333\333;\333\340\340Vd22Nt::\36\24\12\12\333\222II\12\14\6\6lH$$\344\270\\]\237\302\302n\275\323\323\357C\254\254\246\304bb\2509\221\221\2441\225\2257\323\344\344\213\362yy2\325\347\347C\213\310\310Yn77\267\332mm\214\1\215\215d\261\325\325\322\234NN\340I\251\251\264\330ll\372\254VV\7\363\364\364%\317\352\352\257\312ee\216\364zz\351G\256\256\30\20\10\10\325o\272\272\210\360xxoJ%%r\..$8\34\34\361W\246\246\307s\264\264Q\227\306\306#\313\350\350|\241\335\335\234\350tt!>\37\37\335\226KK\334a\275\275\206\15\213\213\205\17\212\212\220\340ppB|>>\304q\265\265\252\314ff\330\220HH\5\6\3\3\1\367\366\366\22\34\16\16\243\302aa_j55\371\256WW\320i\271\271\221\27\206\206X\231\301\301", ) , ) == 0x0
 01296   452   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) \340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227 (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) G\351d\304\250\374\214\32\240\360?\330V},\357 (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) , ) == 0x0
 01297   452   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "p\3252\266m\307)\241f\311 \254W\343\37\217\\355\26\202A\377\15\225J\361\4\230#\253s\323(\245z\3365\267a\311>\271h\304\17\223W\347\4\235^\352\31\217E\375\22\201L\360\313;\253k\3005\242f\335'\271q\326)\260|\347\3\217_\354\15\206R\361\37\235E\372\21\224H\223K\343\3\230E\352\16\205W\361\31\216Y\370\24\277s\3077\264}\316:\251o\325-\242a\334 \366\255vm\375\243\177`\340\261dw\353\277mz\332\225RY\321\233[T\314\211@C\307\207IN\256\335>\5\245\3237\10\270\301,\37\263\317%\22\202\345\321\211\353\23<\224\371\10+\237\367\1&FM\346\275MC\357\260PQ\364\247[_\375\252ju\302\211a{\313\204|i\320\223wg\331\236\36=\256\325\253\247\330\10!\274\317\3/\265\3022\5\212\3419\13\203\354$\31\230\373/\27\221\366\215vM\326\206xD\333\233j_\314\220dV\301\241Ni\342\252@`\357\267R{\370\274\r\365\325\6\5\276\336\10\14\263\303\32\27\244\310\24\36\251\371>!\212\3620(\207\357"3\220\344,:\235=\226\335\66\230\324\13+\212\317\34 \204\306\21\21\256\3712\32\240\360?\7\262\353(\14\274\342%e\346\225nn\350\234cs\372\207tx\364\216yI\336\261ZB\320\270W_\302\243@T\314\252M\367A\354\332\374O\345\327\341]\376\300\352S\367\315\333y\310\356\320w\301\343\315e\332\364\306k\323\371\2571\244\262\244?\255\277\271-\266\250\262#\277\245\203\11\200\206\210\7\211\213\225\25\222\234\236\33\233\221G\241|\12L\257u\7Q\275n\20Z\263g\35k\231X>`\227Q3}\205J$v\213C)\37\3214b\24\337=o\11\315&x\2\303/u3\351\20V8\347\31[", ) 3\220\344,:\235=\226\335\66\230\324\13+\212\317\34 \204\306\21\21\256\3712\32\240\360?\7\262\353(\14\274\342%e\346\225nn\350\234cs\372\207tx\364\216yI\336\261ZB\320\270W_\302\243@T\314\252M\367A\354\332\374O\345\327\341]\376\300\352S\367\315\333y\310\356\320w\301\343\315e\332\364\306k\323\371\2571\244\262\244?\255\277\271-\266\250\262#\277\245\203\11\200\206\210\7\211\213\225\25\222\234\236\33\233\221G\241|\12L\257u\7Q\275n\20Z\263g\35k\231X>`\227Q3}\205J$v\213C)\37\3214b\24\337=o\11\315&x\2\303/u3\351\20V8\347\31[", ) == 0x0
 01298   452   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\200\20\0\0\200\0\0\20\0\20@\20\0\0\0\0\200\0@\20\0\20\0\0\200\20@\0\0\20@\20\0\0\0\0\0\20\0\20\200\0@\20\0\20@\0\200\0\0\20\200\20\0\0\0\0@\0\0\0\0\20\0\20\0\20\200\0@\20\200\20\0\0\200\20@\20\0\0@\0\0\0@\0\0\20\0\20\200\0\0\20\200\20@\20\0\20\0\0\200\20@\0\200\0@\20\200\20\0\20\200\20@\20\0\20\0\20\0\0@\0\0\0\0\0\0\0@\20\200\0\0\0\0\20\0\20\0\20@\0\200\0\0\0\0\0@\20\200\20\0\20\200\0@\0\200\20@\0\200\0\0\0\0\0\0\20\0\0@\20\0\0\0\20\200\20@\0\200\20\0\0\0\20@\20\0\20@\0\0\20\0\20\200\0\0\0\200\0@\20\200\0@\20\0\0\0\0\0\20@\0\200\20\0\1\0\0\4\0\1\4\4\0\1\0\0\1\1\0\4\1\0\4\0\0\0\0\4\1\1\0\4\0\1\4\0\0\1\0\4\0\0\4\0\0\0\4\4\1\0\0\0\1\1\4\4\1\1\0\0\1\0\0\0\1\0\4\4\0\0\0\0\1\0\4\0\0\1\4\4\0\1\0\0\1\1\0\0\1\1\4\4\0\0\4\0\1\0\0\4\1\0\4\4\0\1\0\4\1\1\4\0\0\0\4\4\0\1\4\0\0\0\0\0\0\0\0\4\1\1\4\0\0\1\4\4\0\1\0\0\1\0\0\0\0\0\4\0\1\1\0\0\1\0\4\0\0\0\4\4\1\1\0\4\0\0\0\0\0\1\4\4\0\1\4\0\1\0\4\4\1\0\4\0\0\0\0\4\1\1\4\4\1\0\0\0\1\1\4\0\1\0\0\4\0\0\0\4\1\1\4\4\0\0\4\0\0\1\0\4\1\1\0\4\0\1\4\0\0\1\0\4\0\0\0\0\1\0\4\4\1\1\0\0\1\0\0\4\1\1\4\0\0\1\0\0\0\0\4\4\10\20@\0\0\20\0\20\10\0\0\0\10\20@\20", ) , ) == 0x0
 01299   452   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "%\00\02\0h\0x\0%\00\02\0h\0x\0\0\0\0\0%\0l\0u\0\0\0S\0-\0%\0l\0u\0-\0\0\0\0\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0C\0r\0y\0p\0t\0o\0\\0R\0S\0A\0\\0\0\0\0\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0C\0r\0y\0p\0t\0o\0\\0D\0S\0S\0\\0\0\0\0\0SeRestorePrivilege\0\0SeBackupPrivilege\0\0\0.DEFAULT\0\0\0\0Software\Microsoft\Cryptography\UserKeys\0\0\0\0Software\Microsoft\Cryptography\MachineKeys\0Software\Microsoft\Cryptography\DSSUserKeys\0*\0\0\0SeSecurityPrivilege\0OffloadModExpo\0\0ExpoOffload\0Software\Microsoft\Cryptography\Offload\0\377\377\377\377\337\261\376\17\343\261\376\17\0\0\0\0\377\377\377\377g\262\376\17k\262\376\17crypt32.dll\0#666\0\0\0\0#667\0\0\0\0RPCRT4.dll\0\377\0\0\0\0PSTOREC.", ) , ) == 0x0
 01300   452   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "V\350\216\376\377\377\205\300u\13Sj\1\377u\30\350o\205\0\0\213\3703\300\205\377\17\224\300\213\360\205\366u\36\205\333t\23\213C\14\205\300t\6P\350\367\20\1\0S\350\361\20\1\0W\377\25\230\21\375\17_\213\306^[]\302\24\09U\20\17\204L\1\0\0\215E\24Pj\2Q\377u\20\350\334\204\0\0\205\300\17\205*\1\0\0\213E\24\201x\4\6L\0\0\17\205%\1\0\0\213H\30\203\271`\3\0\0\0tQ\203x\140uK\2708\2\0\0P\211C\10\350a\20\1\0\213\370\205\377\211{\14u\10j\10_\351k\377\377\377\213K\10\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213{\14\213E\24\213p\20j\14\201\307\10\2\0\0Y\363\245\3512\377\377\377\277\13\0\11\200\3515\377\377\377\213u\20;\362\17\204\263\0\0\0\215E\24Pj\2QV\350E\204\0\0\205\300\17\205\223\0\0\0\211s\20\351\0\377\377\377j$^V\350\351\17\1\0\205\300\211C\14t\212\211s\10\351\350\376\377\377\213}\20;\372tw\215E\24Pj\2QW\350\11\204\0\0\205\300u[\213E\24\203x`\1u]\203x\30\0u\16P\350\\26\0\0\205\300\17\205\276\376\377\377j(^V\350\234\17\1\0\205\300\17\204<\377\377\377\211C\14\211s\10\211{\20\203 \0\203`$\0\351\215\376\377\3779U\20t\36\215E\24Pj\2Q\377u\20\350\256\203\0\0\205\300t\25= \0\11\200\17\205u\376\377\377\277\3\0\11\200\351m\376\377\377\213M\24\213A\4=\1L\0\0t\15=\4L\0\0t\6\203y\140w\334\2708\4\0\0P\211C\10\350*\17\1\0\213\370\205\377\211{\14\17\204\305\376\377\377\213K\10\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213M", ) , ) == 0x0
 01301   452   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\205\300uC\353D\203x\14\20\3539\203x\14\30\35339t$\20u/\213@\14V\301\340\3P\213D$\20\213\200\200\1\0\0h\2f\0\0\3774\205(\362\376\17\350\6@\1\0\205\300t\13\353\6\203x\14\10u\33\366F\213\306^\302\14\0U\213\354\203\354\14\213M\10\213Q\10VW\215z\7\215B\17\301\357\3j\10\203\347\7\301\350\4Z+\327\203\372\10\215t\300\14\211u\364\211U\370t\6\203\302\10\211U\370\321\352\211U\374\213U\14\205\322\17\204\12\1\0\0\213}\2097s\73\300\351\377\0\0\0\2131\2112\213q\10\211r\4\213q\20\211r\10\215q\24\213J\4\301\351\3\211u\10S\213\331\301\351\2\215z\14\211}\14\363\245\213\313\203\341\3\363\244\213J\4\301\351\3\1M\14\213u\370\3\361\1u\10\213u\10\213}\14\1E\14\213\310\213\331\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213J\4\213U\10\213u\374\3\362\213U\14\301\351\3\3\360\215<\2\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213u\364[3\300@\213M\20_\2111^\311\302\14\0U\213\354\203\354\20\213U\10\201:RSA2t\73\300\351\35\2\0\0\213B\4SVW\215H\7\301\351\3j\10\203\341\7^+\361\203\376\10\211u\370t\6\203\306\10\211u\370\213\316\215X\17\301\350\3\321\351\215", ) , ) == 0x0
 01302   452   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "W\3509e\0\0\205\300j\4[t9\215E\34Pj\3VW\350%e\0\0\205\300t(\215E\34PSVW\350\25e\0\0\205\300t\30= \0\11\200u\12\271\3\0\11\200\351\34\3\0\0\213\310\351\25\3\0\0\213E\30\205\300u\10jWY\351\6\3\0\0\213M\20j\6Z;\312\17\2079\1\0\0\17\204\25\1\0\0I\17\204\342\0\0\0ItgItFIt%I\17\2058\1\0\0\213M\24\205\311\17\204\304\2\0\09\30\17\202\274\2\0\0\213U\34\213Rd\351\250\2\0\0\213M\24\205\311\17\204\246\2\0\09\30\17\202\236\2\0\0\213U\34\213R`\351\212\2\0\0\213M\24\205\311\17\204\210\2\0\09\30\17\202\200\2\0\0\307\1\1\0\0\0\351n\2\0\0\213U\34\213J\4\201\371\2f\0\0t.\201\371\1h\0\0t&\201\371\1f\0\0t\24\201\371\3f\0\0t\14\201\371\11f\0\0\17\205)\377\377\377\203 \03\311\351E\2\0\0\213}\24\205\377t\37\213J@9\10r\30\213\331\301\351\2\215rD\363\245\213\313\203\341\3\363\244\213J@\211\10\353\323\213J@\367\337\33\377\201\347\352\0\0\0\211\10\213\317\351\11\2\0\0\213}\24\205\377\213U\34t\35\213Jx9\10r\26\213\331\301\351\2\215r\34\363\245\213\313\203\341\3\363\244\213Jx\353\277\213Jx\353\301\213M\24\205\311\17\204\306\1\0\09\30\17\202\276\1\0\0\213U\34\213Rh\351\252\1\0\0\203\351\7\17\204\220\1\0\0I\17\204\376\0\0\0I\17\204\217\0\0\0\203\351\12t\12\271\12\0\11\200\351\231\1\0\0\213}\34\213O\4\201\371\2f\0\0\276\1f\0\0t\30;\316t\24\201\371\3f\0\0t\14\201\371\11f\0\0\17\205H\376\377\377\213M\24\205\311\17\204", ) , ) == 0x0
 01303   452   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\215M\374Qj\2\377u\10\377p\20\350.U\0\0\205\300\17\205\237\2\0\0\213E\374\213@x\351\320\3\0\0Q\350\315\376\377\377\351\305\3\0\0\276\10\0\11\200\351\317\3\0\0\213E\34\213P\4\213\312\201\351\5\200\0\0\17\204U\2\0\0\203\351\3\17\204\14\2\0\0It)IS\377u\24\377p\14t\30\377p\24R\350Q\375\377\377;\307\17\204\204\3\0\0\213\360\351\215\3\0\0\3504{\0\0\353\352\366@\34\2\17\205\275\1\0\0\215M\10Q\215M\324Q\377p\14\307E\10\24\0\0\0\377p\24\377p\30\350\24\375\377\377;\307u\307\215E\374P\213E\34j\2V\377p\20\350\200T\0\0;\307\17\205\361\1\0\0\213E\374\213@\14j@_;\307v\177\215E\354P\215E\360P\213E\34\377p\30\350\255\315\377\377\205\300u\211\213E\374\377p\14\377p\20\213E\34\377u\360\377p\30\350\11\321\377\377\205\300\17\205j\377\377\377W\350\354\337\0\0\205\300\211E\370t[\215M\30QP\377u\360\213E\34j\0\377p\30\211}\30\350\216\374\377\377\205\300\17\205=\377\377\3773\311\213U\34\213R(\213E\370\212\24\12\3\3010\20A;\317r\353\211}\30\353a\213M\34\213I,;\301\211M\30r\3\211E\30\377u\30\350\221\337\0\0\205\300\211E\370u\10j\10^\351\216\2\0\0\213E\34\213H,\213p(\213}\370\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213M\3743\3009A\14v\26\213I\20\213U\370\212\14\1\3\3200\12\213M\374@;A\14r\352\215E\350P\215E\364P\213E\34\377p\30\350\315\314\377\377\205\300\17\205\245\376\377\377\377u\30\213E\34\377u\370\377u\364\377p\30\350(\320\377\377\205\300\17\205\211\376\377\377\377u\10\215E\324P\377u", ) , ) == 0x0
 01304   452   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\300u\36\203}`\5u\34\366Ex\20u\26\205\333u\22\3776\377ul\350\352\371\377\377\205\300t\4\213\360\353\23\3663\300\205\366\17\224\3003\3339]D\213\370t 9]Tt\13\377uT\377ul\350\271\312\377\3779]Xt\13\377uX\377ul\350\251\312\377\377;\373u\249]\t\10\377u\\350Q\316\377\377V\377\25\230\21\375\17\213\307_^[\203\305d\311\302\24\0V\213t$\20V\377t$\20\350\304\363\377\377\205\300u%\213\6\203@@\10\213\6\213L$\10\213P@W\2139\211|\2<\213I\4\211L\2@\3776\350\371\326\377\377_^\302\14\0U\213\354\201\354\200\0\0\0SVW3\300\213u\14\211E\374\211E\360\211E\370\211E\364j\14Y\215}\264\363\253\2523\300j\14Y\215}\200\363\253\2523\300\215}\350\253\253\213F\4\277\1h\0\0;\307\272\16f\0\0\273\17f\0\0t/=\2f\0\0t(=\1f\0\0t!=\3f\0\0t\32=\11f\0\0t\23;\302t\17;\303t\13=\20f\0\0\17\205\327\2\0\0\213M\20\213I\4;\317t8\201\371\2f\0\0t0\201\371\1f\0\0t(\201\371\3f\0\0t \201\371\11f\0\0t\30;\312\17\204\254\2\0\0;\313t\14\201\371\20f\0\0\17\205\225\2\0\0;\312\17\204\224\2\0\0;\313\17\204\214\2\0\0\201\371\20f\0\0\17\204\200\2\0\0;\302\17\204x\2\0\0;\303\17\204p\2\0\0=\20f\0\0\17\204e\2\0\0\213]\10j\0VS\350\301\315\377\377\205\300\17\204J\2\0\0j\0\377u\20S\350\256\315\377\377\205\300\17\2047\2\0\0\213E\20\203x\30\0u\16P\350\310\325\377\377\205\300\17\205\15\1\0\0\213F\4;\307t\17=\2", ) , ) == 0x0
 01305   452   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\241\204\364\376\17\211E\204\213E\324\211E\200\215U\320Rj\0\213@\4\301\350\3PQ\377\266\200\1\0\0\350\273\276\377\377\205\300\17\204\\377\377\377\203}\320\0\17\204R\377\377\377\213\7\205\300t%P\350\347\300\0\0\203'\0\213E\234\203 \0\213E\220\3770\350\324\300\0\0\213E\220\203 \0\213E\224\203 \0\377u\234j\0\377u\224j\0\377u\324\3509\301\377\377\205\300\17\204\15\377\377\377\213E\234\3770\350t\300\0\0\211\7\205\300\17\204\224\376\377\377\213E\224\3770\350`\300\0\0\213M\220\211\1\205\300\17\204}\376\377\377\377u\234\3777\377u\224P\377u\324\350\365\300\377\377\205\300\17\204\311\376\377\377\17\266E\30\203\340\1\213M\214\211\1j\0j\1\213E\220\3770\3777\350\345-\0\0\211E\240\205\300uTPP\213E\220\3770\3777\350\320-\0\0\211E\240\205\300u?\366F\3\360u\329E\210\17\224\300P\377u\30\377u\204V\350T\22\0\0\211E\240\205\300u\37\377u\343\3009E\210\17\224\300@P\377u\10\350\344\311\377\377\205\300u\21\377\25\234\21\375\17\213\360\211u\244\203M\374\377\353\11\203M\374\3773\366\211u\3303\300\205\366\17\224\300\213\370\203}\310\0t\17\213E\334\5d\1\0\0P\377\25\214\21\375\17\203}\344\0t\10\377u\344\350\263\277\0\0\203}\324\0t\16\203}\270\0u\16\377u\324\350\237\277\0\0\203}\270\0t\6S\350\223\277\0\0\203}\330\0t\10\377u\330\350\22\275\377\377\205\377u\7V\377\25\230\21\375\17\213\307\350\204`\0\0\302\30\03\300@\303\213e\350jW^\203M\374\377\213]\264\351{\377\377\377\213K\4\201\371\0\244\0\0t\14\201\371\0$\0\0\17\205\254\374\377\377\213C\14\215P\7\301\352\3\203\342", ) , ) == 0x0
 01306   452   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\276\17\0\11\200\353\23\366\213E\370;\307t\21=\1\0\0\200t\12=\2\0\0\200t\3P\377\3239}\374t\10\377u\374\350\376\260\0\0_\213\306^[\311\302\30\0U\213\354SV\213u\10W\213}\20\215^\34S\377u\20\203\347 W\377u\14\377v\4\350\334\310\0\0\213M\20\203\341\10\204\311t~=\26\0\11\200t\13\205\300ul\270\17\0\11\200\353eS\377u\14\350}\310\0\0\205\300uX\215\206\\1\0\0P\215\236<\1\0\0Sj\0\377u\20\377v\4\377v\\350\356\376\377\377=\26\0\11\200u\307\203;\0u,\205\377u\11\350Y\266\0\0\205\300u!\215F\34PW\215F`P\377v\4\307\206P\1\0\0\2\0\0\0\350g\314\0\0\205\300u\23\300_^[]\302\14\0\205\300u\14\307\206P\1\0\0\2\0\0\0\353\347\215\206\\1\0\0P\215\206<\1\0\0Pj\0\377u\20\377v\4\377u\14\350\177\376\377\377\205\300u\307S\377u\14\350\337\307\0\0\353\266U\213\354\203\354\20SVW3\3773\366\366E\20 \211}\364\211}\370\211}\374\211}\360t\1F\215E\14P\215E\360PW\215E\370P\215E\364P\377u\10\377u\14V\350\326\325\0\0;\307u[\215E\374Ph?\0\17\0W\377u\370\377u\364\3501\324\0\0;\307uB\215E\20P\377u\374\350\276\375\377\377\203}\20\1u\25V\377u\374hP\364\376\17\377u\10\350\1O\0\0;\307u\33\377u\370\377u\364\350\320\324\0\0;\307t\20\203\370\2u\7\273\26\0\11\200\353\6\213\330\353\23\333\213E\364;\307\2135\214\20\375\17t\21=\1\0\0\200t\12=\2\0\0\200t\3P\377\3269}\374t\5\377u\374\377\3269}\370t\10\377u\370\3507\257\0", ) , ) == 0x0
 01307   452   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\204\16\1\0\0\213\306+\326\212\10\210\14\2@:\313u\366\377u\364\2135\344\21\375\17\377\326Y\215E\314P\215E\344P\215E\340P\215E\334P\215E\330P\215E\324P\215E\20P\215E\354PSSS\377u\370\377\25\230\20\375\17;\303\17\205\274\0\0\0\213E\20\203\300\2P\350\235\240\0\0\211E\374\213E\20\203\300\2P\350\216\240\0\09]\374\211E\360\17\204\231\0\0\0;\303\17\204\221\0\0\09]\354\211]\14vT\213E\20\203\300\2\211E\350\215E\314PSSS\215E\350P\377u\374\377u\14\377u\370\377\25\224\20\375\17;\303u^\377u\374\377u\360\377\25t\21\375\17\377u\374\377\326Y\377u\364\377u\374\377\25d\21\375\17\205\300t\17\377E\14\213E\14;E\354r\2543\366\3534\215\267D\1\0\0\3776\350=\240\0\0S\377u\24\211\36\377u\360W\350'\366\377\377;\303u\15W\377u\10\350\350\373\377\377;\303t\317\213\360\353\3j\10^9]\370t\11\377u\370\377\25\214\20\375\179]\364t\10\377u\364\350\373\237\0\09]\374t\10\377u\374\350\356\237\0\09]\360t\10\377u\360\350\341\237\0\0_\213\306^[\311\302\20\0U\213\354\203\354\34S3\333V\211]\374\350C\244\0\0\367E\14\207\377\377\17t\12\276\11\0\11\200\351\317\3\0\0\213E\14\276\0\0\0\360#\306;\306W\213}\10\211E\370u\23\205\377t\17\200?\0t\12\276\11\0\11\200\351\246\3\0\0j\4\377u\24\377\25\\21\375\17\205\300t\10jW^\351\217\3\0\0\205\377t+\200?\0t+\213\307\215P\1\212\10@\204\311u\371+\302@\366E\14\10tj=\5\1\0\0vc\276\37\0\11\200\351`\3\0\09u\370tuj@^V\350\7\237\0", ) , ) == 0x0
 01308   452   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\375\173\333C\211]\330\213E\30\211E\274\215E\274P\215E\270P\215E\264P\350\215\202\0\0\205\300u\14\307E\300 \0\11\200\351\250\1\0\0\377u\264\350\305\220\0\0\211E\344\205\300u\14\307E\300\10\0\0\0\351\215\1\0\0\211]\334\377u\270\350\247\220\0\0\213\370\211}\340\205\377t\340\215\206`\1\0\0\2038\377t\20\211E\310\307E\314\277\303\375\17\215E\310\211E\324h\1\0\1\0\377u\30W\377u\344\377u\324\350\177~\0\0\205\300t\222SSW\377u\344\350'\376\377\377\211E\260\205\300\17\205-\1\0\0SPW\377u\344\350\21\376\377\377\211E\260\205\300\17\205\27\1\0\09E\20u2\215~@\211}\254\215\2368\1\0\0\211]\250\215F(\211E\244\215\2064\1\0\0\211E\240\215FH\211E\234\307E\230\1\0\0\0\241T\364\376\17\353-\215~L\211}\254\215\2360\1\0\0\211]\250\215F0\211E\244\215\206,\1\0\0\211E\240\215FT\211E\234\203e\230\0\241X\364\376\17\211E\224\213\7\205\300t\15P\350\374\217\0\0\3773\350\365\217\0\0\203e\334\0\213E\270\213M\240\211\1\213E\264\213M\244\211\1\213E\340\211\3\213E\344\211\7\17\266E\14\203\340\1\213M\234\211\1\366F\3\360u\26\377u\230\377u\14\377u\224V\350\361\341\377\377\211E\260\205\300uW\213}\24W\203}\20\0u\36j\2\377u\10\350\202\231\377\377\205\300u\10\377\25\234\21\375\17\3537\215E\320Pj\3\353\24j\1\377u\10\350d\231\377\377\205\300t\342\215E\320Pj\4\377u\10\3777\350|\3\0\0\211E\260\205\300t\23= \0\11\200u\3\203\300\343\211E\300\203M\374\377\3536\270\0@\0\0\205E\14t\15\213M\320\11A\10\213E\320\200Hi\1", ) , ) == 0x0
 01309   452   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "h\3\0\0V\350\362\200\0\0\213\370\205\377\211{\30u\10j\10X\3518\2\0\0\271\332\0\0\03\300\363\253\211s\24\213E\20\213{\30j\24Y;\301\17\2058\1\0\0\213u\24\213F\14\211\207d\3\0\0\213\6\203\350\0\17\204\244\0\0\0Ht\12\270\5\0\11\200\351\367\1\0\0\213F\10\250\7u\357\215M\374Qj\0\301\350\3P\377v\4\213E\10\377\260\200\1\0\0\350d~\377\377\205\300u\12\270\11\0\11\200\351\307\1\0\0\213F\4-\1f\0\0t\33Ht\30Ht\25\203\350\6t\20-\370\1\0\0u\252\203\247\\3\0\0\0\353\12\307\207\\3\0\0\10\0\0\0\201{\4\5L\0\0u\25\213F\10\301\350\3;C\14t\12\270\3\0\11\200\351z\1\0\0\213F\10\301\350\3\211\207P\3\0\0\213F\4\211\207H\3\0\0\351^\1\0\0\213F\4-\3\200\0\0t9H\17\205N\377\377\377\201{\4\4L\0\0u\24\211\217X\3\0\0\213F\10\301\350\3\211\207T\3\0\0\353A\201~\10\240\0\0\0\17\205$\377\377\377\211\217T\3\0\0\353,\201{\4\4L\0\0u\14\307\207X\3\0\0\20\0\0\0\353\310\201~\10\200\0\0\0\17\205\372\376\377\377\307\207T\3\0\0\20\0\0\0\213F\4\211\207L\3\0\0\351\341\0\0\0\203\350\25\17\204\253\0\0\0H\17\204\205\0\0\0\203\350\4t?Ht\12\270\12\0\11\200\351\301\0\0\0\213E\24\213\10\201\371\0\1\0\0\17\207\257\376\377\377\213[\4\201\373\4L\0\0t\10\201\373\5L\0\0u\322\211\217D\3\0\0\201\307D\2\0\0\353z\201{\4\4L\0\0u\273\213\207<\2\0\0\205\300t\6P\350O\177\0\0\213u\24\213\6P\211\207@\2\0\0\350\16\177\0\0\205\300\211\207<\2", ) , ) == 0x0
 01310   452   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\10\377u\354\377u\374\3770\350\352\370\377\377\205\300t\4\213\360\353\36\213M\350\213E\34\213u\364\213}\30\211\10\213\301\301\351\2\363\245\213\310\203\341\3\363\2443\366\377u\374\350\360p\0\0\203}\364\0t\10\377u\364\350\342p\0\0_\213\306^[\311\302\30\0U\213\354\203\354\20\213E\10\213@\14\203e\374\0SV\213u\20\213\16\211E\370\213\200,\3\0\0\215D\10\5P\211E\364\350|p\0\0\213\330\205\333u\10j\10^\351\245\0\0\0\213U\20\306\3\1f\307C\1sl\213\16\213u\14\213\301W\301\351\2\215{\3\363\245\213\310\203\341\3\363\244\213\2f\307D\30\3sl\213E\370\213\22\213\210,\3\0\0\215|\32\5\213\321\301\351\2\215\260,\2\0\0\363\245\213\312\203\341\3j\1\363\244\215M\360Q\215M\374Q\377p\10\213E\10\377u\364S\3770\350\0\370\377\377\205\300t\4\213\360\353\36\213M\360\213E\20\213u\374\213}\14\211\10\213\301\301\351\2\363\245\213\310\203\341\3\363\2443\366S\350\10p\0\0\203}\374\0_t\10\377u\374\350\371o\0\0\213\306^[\311\302\14\0U\213\354\203\354`SVW3\300j\6Y\215}\310\363\253\213E\20\213X\14\213M\143\366\270\3L\0\0+\310\211u\374\211u\360\211u\344\211u\350t!\203\351\4t\12\276\10\0\11\200\351c\1\0\0\213C\14\211E\370\213C\4\307E\360\1\0\0\0\353\6\213K\20\211M\370\213K\24\211E\364\213E\3703\322\215D\1\377\367\361\203\370\2\211E\354v\12\276 \0\11\200\351(\1\0\03\3009E\354v-\215x\1\215E\340P\215D5\240P\377u\360\377u\24W\377u\20\350\341\373\377\377\205\300\17\205\351\0\0\0\3u\340\213\307;E\354r\323\201}\14\7L\0\0u", ) , ) == 0x0
 01311   452   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\253\2533\3339]\24\253j\20_\211]\374\211}\354\211]\364t\1C\213u\10\215E\374P\377v\\3506\377\377\377\205\300t\4\213\360\353W\203}\20\2\213\206T\1\0\0\213H\4\213U\14u\33\203}\30\0t\5\213RH\353\3\213RD\215u\354WV\215p\30\203\300\10\353\31\203}\30\0t\5\213RP\353\3\213RL\215u\354WV\215p8\203\300(\377u\374\211U\370\213\21VPSQ\377R@3\366\203}\374\0t\10\377u\374\350\231`\0\0_\213\306^[\311\302\24\0U\213\354\201\354\210\1\0\0VWjb3\300Y\215\275x\376\377\377\363\253\213E\10\211\205\324\376\377\377\213E\20jP\211E\264\3502`\0\0\213\370\205\377\211}\314u\5j\10^\353WW\350j\373\377\377\205\300u\7\276 \0\11\200\353@\215\205x\376\377\377P\350\252\373\377\377\205\300u.P\377u\24\215\205x\376\377\377j\2\377u\14P\350\343\376\377\377\205\300u\25P\377u\24\215\205x\376\377\377j\1\377u\14P\350\312\376\377\377\213\360W\350\337\372\377\377_\213\306^\311\302\20\0U\213\354\203\354(\213E\10S\213X\4V\213p\10W\213}\14+x\14\213@\20\271\0\0\375\17+\371\301\377\2\3\361\213\26\3\331\215\204\270\0\0\375\17\213\10\205\311x\10\215\201\2\0\375\17\353\3\17\267\0\205\322\211E\374u^S\377\25l\21\375\17\213\370\205\377\211}\10t\j\0WV\377\25H\21\375\17\213\360\205\366u+j\10Y\215}\334\363\253\213E\10\211E\360\241\304\364\376\17\205\300\307E\330$\0\0\0\211]\344t\24\215M\330Qj\5\377\320\353\12W\377\25x\21\375\17\211u\10\203}\10\0t\21\213U\10\377u\374R\377\25p\21\375\17\205\300u\11\377u\374S\350\370\236", ) , ) == 0x0
 01312   452   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "3\3073\367\301\306\22\213\3763\360\201\346\17\0\360\3773\3763\306\301\307\14\213\3673\370\201\347\360\360\360\3603\3673\307\301\310\4\211\2\211r\4]_^[\302\20\0\213Ex3\333\213U|3\3063\326%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\375\213\2518N\375\173\375\212\316\301\350\20\213\2538M\375\173\375\212\334\301\352\20\213\2518O\375\173\375\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\373\213\2318S\375\173\373\213\2308P\375\173\373\213\2328Q\375\173\373\213Ep3\333\213Ut3\3073\327%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\365\213\2518N\375\173\365\212\316\301\350\20\213\2538M\375\173\365\212\334\301\352\20\213\2518O\375\173\365\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\363\213\2318S\375\173\363\213\2308P\375\173\363\213\2328Q\375\173\363\213Eh3\333\213Ul3\3063\326%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\375\213\2518N\375\173\375\212\316\301\350\20\213\2538M\375\173\375\212\334\301\352\20\213\2518O\375\173\375\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\373\213\2318S\375\173\373\213\2308P\375\173\373\213\2328Q\375\173\373\213E`3\333\213Ud3\3073\327%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\365\213\2518N\375\173\365\212\316\301\350\20\213\2538M\375\173\365\212\334\301\352\20\213\2518O\375\173\365\213l$\34", ) , ) == 0x0
 01313   452   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10\213l$\34\211t$ \213\302\213\361\203\340?\203\346?f\213DE\0f\213tu\0+\370+\326\213\303\213\367\203\340?\203\346?f\213DE\0f\213tu\0+\310+\336\213t$ f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320", ) , ) == 0x0
 01314   452   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\301\356\30\212\236\3207\375\17\17\266\362\210X\3\212\236\3207\375\17\210X\4\17\266\315\212\211\3207\375\17\210H\5\213L$\34\301\351\20\17\266\311\212\211\3207\375\17\210H\6\213L$\30\301\351\30\212\211\3207\375\17\210H\7\213L$\30\211T$\24\17\266\361\212\236\3207\375\17\210X\10\17\266\326\212\222\3207\375\17\210P\11\17\266T$\22\212\222\3207\375\17\210P\12\17\266T$\37\212\222\3207\375\17\213\30\210P\13\17\266T$\34\212\222\3207\375\17\213p\4\210P\14\17\266\315\212\221\3207\375\17\17\266L$\26\210P\15\212\221\3207\375\17\17\266L$\23\210P\16\212\221\3207\375\17\210P\17\213\173\331\211\30\213W\43\362\213P\10\211p\4\213O\103\321\211P\10\213W\14\213H\14_^3\312]\211H\14[\203\304\20\302\20\0\213D$\20\213T$\4\203\370\1\213D$\14\213\10Qu\22\203\300\4P\213D$\20RP\350\275\370\377\377\302\20\0\5\364\0\0\0P\213D$\20RP\350I\374\377\377\302\20\0\220\220\220\220\220\220\213D$\10S\213\$\20VW\213|$\20S\215w\4VP\211\37\350\224\365\377\377\215\207\364\0\0\0S\213\370\271<\0\0\0P\363\245\350n\367\377\377_^[\302\14\0\220\220\220\220\220\220\220\220S3\3223\311V\213D$\24\213t$\14W\213\370\213\$\24U\212\216\0\1\0\0\213\353\212\226\1\1\0\0\205\333\17\204\17\1\0\0\301\353\2\203\340\3\205\333\17\204\326\0\0\0\205\300\17\205\316\0\0\0\213\307\215<\237\211|$\34\203\350\4\213\353\213x\4A3\300\201\341\377\0\0\0\212\4\16\3\320\201\342\377\0\0\0\212\34\26\210\34\16A\210\4\26\2\303\212\4\63\370\201\341\377\0\0\03\300\212\4\16\3\320\201\342\377", ) , ) == 0x0
 01315   452   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\215\4k\215\4\205\14\0\0\0=\0\2\0\0v$Pj\0\377\25<\21\375\17\205\300\211D$,u\15_^][\201\304$\2\0\0\302\24\0\211D$ \353\10\215L$4\211L$ \213T$ \215\14\255\0\0\0\0\215<\21\211|$\30\203\307\4\215\49\215P\4\211T$(\213\321\301\351\2\363\245\213\312\203\341\3\363\244\213\264$8\2\0\0\213|$(\307\0\0\0\0\0\211D$0\215\4\235\0\0\0\0\213\310\213\321\301\351\2\363\245\213\312\203\341\3\363\244\213t$(+\335\307\40\0\0\0\0\211\$\34\17\2108\1\0\0\215\4\235\0\0\0\0\215\140\211L$$\213L$\30\203\301\4+\301\3\306\3\335\215\14\236\211D$\20\211L$\24\353\7\213L$\24\215I\0\203\375\1\213\264$<\2\0\0v\6\213D\256\370\353\23\300\213T\256\374P\213A\374\213\11RPQ\350\352\375\377\377\205\300u\5\270\1\0\0\0\213\$ UVPS\350T\26\0\0\213T$\30\211\2\205\355\213\375|\35\213t$$\213D$\30+\363\213\14\6\213\20;\321wbr\10O\203\350\4\205\377}\355\213|$$\215E\1PSWW\350\177\371\377\377\205\355\213\365|\34\213D$0\220\213L$\20\213\14\1\213\20;\312w\12rFN\203\350\4\205\366}\351\213\$\34\213t$\24\213D$\20\271\4\0\0\0C\3\361\3\371\3\301\211\$\34\211t$\24\211D$\20\353\35\215E\1P\213D$\34\203\300\4PSS\350$\371\377\377\351m\377\377\377\271\4\0\0\0\213D$\34\213\$\24\213T$\20H+\331+\371+\321\205\300\211D$\34\211\$\24\211|$$\211T$\20\17\215\364\376\377\377\213t$(\213\234$@\2\0\0\215\24\255\0\0\0\0\213", ) , ) == 0x0
 01316   452   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "L$$\215\14\301\211T$,\213T$t\211L$\24\215\14\201\211U\0\213D$pPU\211L$ \213L$lVQ\350\337\373\377\377\205\300u\33S\377\25|\21\375\17_^]3\300[\203\304P\302\24\0\353\6\215\233\0\0\0\0\213T$p\213D$dRUWP\350\257\373\377\377\205\300t\320\213L$\20QWV\350/\355\377\377\205\300t\333\213T$\20RWV\350\37\355\377\377\203\370\1t,\213D$\203\311\205\300v"3\300\213\24\206\211T$d\213\24\207\211\24\206\213T$dA\211\24\207\213T$\20\17\267\301;\302r\340\213D$\20\213L$ PWVQ\350-\355\377\377\213T$\20Rj\1S\350\240\352\377\377\213D$\20\213L$\30PSWQ\350\363\351\377\377\213T$\20\213D$\24RSVP\350\342\351\377\377\213L$\20\213T$\30\213D$\24QRPS\350\351\354\377\377\213L$\20\213D$$\215\24\11\213L$\34RSUPQP\350_\366\377\377\205\300\17\204\14\377\377\377\213D$\20\213L$\34P\215\24\0\213D$\30R\213T$0PQRS\350\11\361\377\377\213D$\20\213L$\30\213T$\34P\3\300P\213D$4QRPS\350\354\360\377\377\213L$\20\213T$0\213D$$QWVRPS\350\5\366\377\377\205\300S\17\204\262\376\377\377\213L$\24\213t$$\213|$8\3\311\363\245\213L$\24\213D$t\215\24\315\0\0\0\0\213L$l\211Q\4\3\300\213\320\211A\10\307\1RSA1\301\352\3J\211Q\14\213u\0\211q\20\213L$p\211A\10\211Q\14\213E\0\211A\20\377\25|\21\375\17\270\1\0\0\0_^][\203\304P\302\24\0\220\220\220\220\220\220\220\213D$\4\2018RS", ) 3\300\213\24\206\211T$d\213\24\207\211\24\206\213T$dA\211\24\207\213T$\20\17\267\301;\302r\340\213D$\20\213L$ PWVQ\350-\355\377\377\213T$\20Rj\1S\350\240\352\377\377\213D$\20\213L$\30PSWQ\350\363\351\377\377\213T$\20\213D$\24RSVP\350\342\351\377\377\213L$\20\213T$\30\213D$\24QRPS\350\351\354\377\377\213L$\20\213D$$\215\24\11\213L$\34RSUPQP\350_\366\377\377\205\300\17\204\14\377\377\377\213D$\20\213L$\34P\215\24\0\213D$\30R\213T$0PQRS\350\11\361\377\377\213D$\20\213L$\30\213T$\34P\3\300P\213D$4QRPS\350\354\360\377\377\213L$\20\213T$0\213D$$QWVRPS\350\5\366\377\377\205\300S\17\204\262\376\377\377\213L$\24\213t$$\213|$8\3\311\363\245\213L$\24\213D$t\215\24\315\0\0\0\0\213L$l\211Q\4\3\300\213\320\211A\10\307\1RSA1\301\352\3J\211Q\14\213u\0\211q\20\213L$p\211A\10\211Q\14\213E\0\211A\20\377\25|\21\375\17\270\1\0\0\0_^][\203\304P\302\24\0\220\220\220\220\220\220\220\213D$\4\2018RS", ) == 0x0
 01317   452   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\337\377\377\205\300\17\204\262\0\0\0\213\224$P\1\0\0VSRWU\350\260\373\377\377\205\300\17\204\231\0\0\0\213D$\20VUPW\350\237\332\377\377\205\300t\33\215\244$\0\0\0\0\213\214$D\1\0\0VQWW\350@\332\377\377\205\300t\354\213\224$T\1\0\0\213\234$<\1\0\0VRWS\350\205\335\377\377\213D$\34VHP\213\204$L\1\0\0WPS\350\337\336\377\377\205\300t<\213\214$H\1\0\0VQWS\350[\335\377\377\213L$ \215<)\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213D$\34PUSS\350\327\331\377\377\307D$\24\1\0\0\0\213L$$\213|$\20\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213D$\30\205\300][t\7P\377\25|\21\375\17\213D$\14_^\201\304(\1\0\0\302 \0\220\220\220\220\220\220\220\377t$\4j\10\377\254\21\375\17P\377\258\21\375\17\302\4\0\377t$\10\377t$\10j\10\377\254\21\375\17P\377\250\21\375\17\302\10\0\203|$\4\0t\23\377t$\4j\10\377\254\21\375\17P\377\25\324\20\375\17\302\4\0U\213\354Q\203e\374\0V\215E\374Pj\1\377u\10\377\25\320\20\375\17P\377\25@\20\375\17\205\300u+\2135\234\21\375\17\377\326=\360\3\0\0u&\215E\374P\377u\10\377\25\314\20\375\17P\377\25D\20\375\17\205\300u\4\377\326\353\12\213E\14\213M\374\211\103\300^\311\302\10\0U\213\354SV\2135\340\362\376\17Wj\123\333_\353$\377\25\234\21\375\17\213\310\201\351\265\6\0\0t:\203\351\6u:\203\373\5s)W\377\25\240\21\375\17\3\377C\377u \377u\34\377u\30\377u\24\377u\20\377u\14\377u\10\377\326", ) , ) == 0x0
 01318   452   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\374\215\4@\215\4\3058\0\0\09\1s\12jz\211\1X\351\275\0\0\0SW\213=\260\21\375\17j\1ht]\375\17\377u\14\377\327\213\330\212\6\203\304\14\204\300u88F\1u3\17\266F\2\17\266N\3\301\340\10\3\301\17\266N\4\301\340\10\3\301\17\266N\5\301\340\10\3\301P\213E\14\215\4Xhl]\375\17P\377\327\203\304\14\353.\17\266N\5Q\17\266N\4Q\17\266N\3Q\17\266N\2Q\17\266N\1\17\266\300QP\213E\14\215\4Xh(]\375\17P\377\327\203\304 3\366\3\3309u\374v%V\377u\10\377\25\20\20\375\17\3770\213E\14\215\4Xh\30]\375\17P\377\327\203\304\14\3\330F;u\374r\333\213E\20C\211\30_3\300[^\311\302\14\0U\213\354Q\213E\20\203 \0\203e\374\0V\215E\374Pj\10\350T\360\377\377\205\300t\4\213\360\353b\213u\14S\213\35\34\20\375\17W\213}\10V\3776\3777j\1\377u\374\377\323\205\300u@\377\25\234\21\375\17\203\370zt\4\213\360\3533\3776\350\313\357\377\377\205\300\211\7u\5j\10^\353!\213M\203\300V@\211\1\3776\3777P\377u\374\377\323\205\300u\10\377\25\234\21\375\17\353\3133\366_[\203}\374\0t\11\377u\374\377\25\340\20\375\17\213\306^\311\302\14\0U\213\354\201\354\14\1\0\0\203e\374\0V\215\205\364\376\377\377\211E\370W\215E\374P\215E\364P\215E\370P\307E\364\0\1\0\0\3506\377\377\377\205\300\213u\370u\15\377u\14\377u\10\3776\350\3\375\377\377\203}\374\0\213\370t\12\205\366t\6V\350a\357\377\377\213\307_^\311\302\10\0U\213\354\201\354\14\1\0\0\203e\374\0V\215\205\364\376\377\377\211E\370W\215E\374P\215E\364P\215", ) , ) == 0x0
 01319   452   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\2S\377\326\213\370;\373u\12\377\25\234\21\375\17\213\360\353p\215D?\2P\350\336\340\377\377;\303\211Elu\5j\10^\353MWPj\377\377u|j\2S\377\326\205\300u\10\377\25\234\21\375\17\353/\377ul\377ux\350\23\370\377\377\205\300t$\215E\314P\377u|\350-\346\377\377;\303u\20\215E\314P\377ux\350\363\367\377\377;\303t\4\213\360\353\23\3669]lt\10\377ul\350\250\340\377\377_\213\306^[\203\305p\311\302\10\0U\215l$\224\201\354\254\0\0\0\203Md\377VW\215EhP\215E`P3\377W\377u|\211}h\377ut\211}`3\366\350\300\361\377\377;\307uG\377ux\377uh\350\363\376\377\377\205\300t?9}|t=\377uh\350M\340\377\377\215EhP\215E`PFV\377u|\211}h\377ut\350\210\361\377\377;\307u\17\377ux\377uh\350\273\376\377\377;\307t\12\213\360\351\204\0\0\03\366FSj(Y3\300\215}\300\363\253\215EdP\215E\300P\377ux\377uh\350e\365\377\377\213\35\340\20\375\17\3537\377ud\377\323\203Md\377\215E\300P\377uh\350\21\367\377\377\205\300u4j(Y\215}\300\363\253\215EdP\215E\300P\377ux3\366\377uhF\350&\365\377\377\205\300t\305\367\336\33\366\201\346\352\377\366\177\201\306\26\0\11\200\353\2\213\360\203}d\377t\5\377ud\377\323[\203}h\0t\10\377uh\350\211\337\377\377_\213\306^\203\305l\311\302\14\0U\213\354Q\203M\374\377VW\215E\374P\377u\14\377u\20h\0\0\0\200\377u\10\350\1\364\377\3773\366;\306t\17\203\370\2u"\277\26\0\11\200\351\307\0\0\0V\377u\374\377\25\364\20\375\17\203\370\377\211E\20", ) \277\26\0\11\200\351\307\0\0\0V\377u\374\377\25\364\20\375\17\203\370\377\211E\20", ) == 0x0
 01320   452   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\300^_\311\302\4\0\377\25\234\21\375\17\353\362U\213\354\203\354 V\213u\10\215E\350P\215E\364PV\377\25\10\20\375\17\205\300u\13\377\25\234\21\375\17\351\252\0\0\0SV\377\25\300\20\375\17P\211E\10\350\264\320\377\377\205\300\213]\14\211\3u\10j\10X\351\207\0\0\0\366E\365\200\17\204\203\0\0\0\213M\10W\213\370\213\301\301\351\2\363\245\213\310\203\341\3\363\244_\215E\344P\215E\374P\215E\360P\3773\377\25\274\20\375\17\205\300tf3\3669u\360t\219u\374t\14\377u\374\350\344\376\377\377;\306u8\215E\340P\215E\370P\215E\354P\3773\377\25\270\20\375\17\205\300t69u\354t\219u\370t\14\377u\370\350\266\376\377\377;\306u\12\213E\20\213M\10\211\103\300[^\311\302\14\0\215M\10QPV\377\25\264\20\375\17\205\300u\202\377\25\234\21\375\17\353\342U\213\354\203\354\20VW\215E\30P\215E\3743\377P\377u\30\211}\374\211}\364\211}\370\211}\360\350\353\376\377\377;\307u\30\215E\370P\215E\360PW\377u\20\377u\14\350C\341\377\377;\307t\4\213\360\353\177\213u\370SV\350\246\20\0\0\377u\10\213\330\321\343\350\232\20\0\0\321\340Y\211E\30Y\215D\30\2P\350\221\317\377\377;\307\211E\364u\5j\10^\353K\213\313\213\321\301\351\2\377u\374\213\370\363\245\377u\24\213\312\203\341\3\363\244\213M\30\213u\10\203\301\2\213\321\301\351\2\215<\3\363\245\213\312\203\341\3P\363\244\377\25\4\20\375\17\205\300u\12\377\25\234\21\375\17\213\360\353\23\3663\377[9}\374t\10\377u\374\350\\317\377\3779}\370t\10\377u\370\350O\317\377\3779}\364t\10\377u\364\350B\317\377\377_\213\306^\311\302\24\0U\213", ) , ) == 0x0
 01321   452   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\311\302\30\0\213D$\4\353\11;L$\10t\13\203\300X\213\10\205\311u\3613\300\302\10\0\377t$\10\377t$\10\350\331\377\377\377\213L$\14\205\311t\2\211\13\311\205\300\17\225\301\213\301\302\14\0\213D$\20\205\300u\21\377t$\10\377t$\10\350\256\377\377\377\205\300t\23\213L$\149H\10w\129H\14r\53\300@\353\23\300\302\20\0\213T$\20\213D$\14\203"\0\205\300u\21\377t$\10\377t$\10\350v\377\377\377\205\300t\10\213@\4\211\23\300@\302\20\0\270\370\362\376\17\351\0\0\0\0QRPh\334\277\376\17\350\203`\377\377ZY\377\340\270\364\362\376\17\351\345\377\377\377\270\374\362\376\17\351\333\377\377\377\270\354\362\376\17\351\0\0\0\0QRPh\374\277\376\17\350T`\377\377ZY\377\340\377%\354\362\376\17\314\377%D\21\375\17\314\314\314\314\314\314\314\314SV\213D$\30\13\300u\30\213L$\24\213D$\203\322\367\361\213\330\213D$\14\367\361\213\323\353A\213\310\213\$\24\213T$\20\213D$\14\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\360\367d$\30\213\310\213D$\24\367\346\3\321r\16;T$\20w\10r\7;D$\14v\1N3\322\213\306^[\302\20\0\314\314\314\314\314\314\314\314S\213D$\24\13\300u\30\213L$\20\213D$\143\322\367\361\213D$\10\367\361\213\3023\322\353P\213\310\213\$\20\213T$\14\213D$\10\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\310\367d$\24\221\367d$\20\3\321r\16;T$\14w\10r\16;D$\10v\10+D$\20\33T$\24+D$\10\33T$\14\367\332\367\330\203\332\0[\302\20\0\314\377%\334\21\375\17\377%\330\21\375\17\377%\300\21\375\17", ) \0\205\300u\21\377t$\10\377t$\10\350v\377\377\377\205\300t\10\213@\4\211\23\300@\302\20\0\270\370\362\376\17\351\0\0\0\0QRPh\334\277\376\17\350\203`\377\377ZY\377\340\270\364\362\376\17\351\345\377\377\377\270\374\362\376\17\351\333\377\377\377\270\354\362\376\17\351\0\0\0\0QRPh\374\277\376\17\350T`\377\377ZY\377\340\377%\354\362\376\17\314\377%D\21\375\17\314\314\314\314\314\314\314\314SV\213D$\30\13\300u\30\213L$\24\213D$\203\322\367\361\213\330\213D$\14\367\361\213\323\353A\213\310\213\$\24\213T$\20\213D$\14\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\360\367d$\30\213\310\213D$\24\367\346\3\321r\16;T$\20w\10r\7;D$\14v\1N3\322\213\306^[\302\20\0\314\314\314\314\314\314\314\314S\213D$\24\13\300u\30\213L$\20\213D$\143\322\367\361\213D$\10\367\361\213\3023\322\353P\213\310\213\$\20\213T$\14\213D$\10\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\310\367d$\24\221\367d$\20\3\321r\16;T$\14w\10r\16;D$\10v\10+D$\20\33T$\24+D$\10\33T$\14\367\332\367\330\203\332\0[\302\20\0\314\377%\334\21\375\17\377%\330\21\375\17\377%\300\21\375\17", ) == 0x0
 01322   452   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\343\316\1\0\365\316\1\0\7\317\1\0\0\0\1\0\2\0\3\0\4\0\5\0\6\0\7\0\10\0\11\0\12\0\13\0\14\0\15\0\16\0\17\0\20\0\21\0\22\0\23\0\24\0\25\0\26\0\27\0\30\0\31\0\32\0RSAENH.dll\0CPAcquireContext\0CPCreateHash\0CPDecrypt\0CPDeriveKey\0CPDestroyHash\0CPDestroyKey\0CPDuplicateHash\0CPDuplicateKey\0CPEncrypt\0CPExportKey\0CPGenKey\0CPGenRandom\0CPGetHashParam\0CPGetKeyParam\0CPGetProvParam\0CPGetUserKey\0CPHashData\0CPHashSessionKey\0CPImportKey\0CPReleaseContext\0CPSetHashParam\0CPSetKeyParam\0CPSetProvParam\0CPSignHash\0CPVerifySignature\0DllRegisterServer\0DllUnregisterServer\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01323   452   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2f\0\0\200\0\0\0(\0\0\0\200\0\0\0\0\0\0\0\4\0\0\0RC2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0RSA Data Security's RC2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1h\0\0\200\0\0\0(\0\0\0\200\0\0\0\0\0\0\0\4\0\0\0RC4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0RSA Data Security's RC4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1f\0\08\0\0\08\0\0\08\0\0\0\0\0\0\0\4\0\0\0DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\37\0\0\0Data Encryption Standard (DES)\0\0\0\0\0\0\0\0\0\0\11f\0\0p\0\0\0p\0\0\0p\0\0\0\0\0\0\0\15\0\0\03DES TWO KEY\0\0\0\0\0\0\0\0\23\0\0\0Two Key Triple DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3f\0\0\250\0\0\0\250\0\0\0\250\0\0\0\0\0\0\0\5\0\0\03DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\25\0\0\0Three Key Triple DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\200\0\0\240\0\0\0", ) , ) == 0x0
 01324   452   NtReadFile  (112, 0, 0, 0, 2916, 0x0, 0, ... {status=0x0, info=2916},  (112, 0, 0, 0, 2916, 0x0, 0, ... {status=0x0, info=2916}, "\0\0\0\0\5L\0\0(\0\0\0(\0\0\0\300\0\0\0\2\0\0\0\14\0\0\0SSL2 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0SSL2 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1L\0\0\200\1\0\0\200\1\0\0\200\1\0\0\4\0\0\0\14\0\0\0SSL3 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0SSL3 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\6L\0\0\200\1\0\0\200\1\0\0\200\1\0\0\10\0\0\0\14\0\0\0TLS1 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0TLS1 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\20\0\0\0SCH MASTER HASH\0\0\0\0\0\25\0\0\0SChannel Master Hash\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\14\0\0\0SCH MAC KEY\0\0\0\0\0\0\0\0\0\21\0\0\0SChannel MAC Key\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\7L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\14\0\0\0SCH ENC KEY\0\0\0\0\0\0\0\0\0\30\0\0\0SChannel", ) , ) == 0x0
 01325   452   NtQueryInformationFile  (112, 1237600, 8, Position, ... {status=0x0, info=8}, ) == 0x0
 01326   452   NtSetInformationFile  (112, 1237600, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01327   452   NtQueryInformationFile  (112, 1237600, 8, Position, ... {status=0x0, info=8}, ) == 0x0
 01328   452   NtSetInformationFile  (112, 1237600, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01329   452   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\07\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0o\0p\0e\0n\0 \0s\0i\0g\0n\0a\0t\0u\0r\0e\0 \0f\0i\0l\0e\0?\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0g\0e\0t\0 \0t\0h\0e\0 \0s\0i\0z\0e\0 \0o\0f\0 \0R\0s\0a\0b\0a\0s\0e\0.\0s\0i\0g\03\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0a\0l\0l\0o\0c\0a\0t\0e\0 \0m\0e\0m\0o\0r\0y\04\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0R\0e\0a\0d\0 \0R\0s\0a\0b\0a\0s\0e\0.\0s\0i\0g\05\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0", ) , ) == 0x0
 01330   452   NtReadFile  (112, 0, 0, 0, 1192, 0x0, 0, ... {status=0x0, info=1192},  (112, 0, 0, 0, 1192, 0x0, 0, ... {status=0x0, info=1192}, "\31\16>W>q>\251>\276>\217?\0\0\0\220\1\0|\0\0\0 0)0J0T0\2120\2360\3070\3460\253182a2\2342\2432\2532\3112\3642\273\2353\2433_4m4\2704\3054\3664+595Q5^5\2045\2165\2505*646\3606\107F7\258 8=8P8d:m:\263<\275<\10=H=`=\220=\210>>?L?q?~?\217?\233?\354?\373?\0\0\0\240\1\0\210\0\0\0\120!0D0}0\2371\3711#2\3512\6333\2043\2353\3333\104V4d4\3264\3514'575v5\2265\3316\3666\67\377e7o7\2117\3457\3677*8\2248\3338!:\177:\251:\270;\276;\325;\344;\356;%<-B>L>\0?\12?\341?\374?\0\260\1\0\10\1\0\0\3240\3500\201\331?1I1\2571\2731\3021\3661'2\2732\3052V3h3n3z3\2273\2563\2643\3253\3663\27484Y4z4\2334\2744\3354\3764\375@5a5\2025\2435\3045\3455\26\376<6Y6o6\1776\2136\2276\2356\2436\2516\2576\2656\2736\3016\3076\3156\3236\3316\3376\3456\3536\3616\3676\3756\37\117\177\257\337"7-7>7I7\2527\38\238&858z8\2538\3428\3608\49\219$939E9c9+:\201:\313:\200;\216;\227;", ) 7-7>7I7\2527\38\238&858z8\2538\3428\3608\49\219$939E9c9+:\201:\313:\200;\216;\227;", ) == 0x0
 01331   452   NtUnmapViewOfSection  (-1, 0x8f0000, ... ) == 0x0
 01332   452   NtClose  (104, ... ) == 0x0
 01333   452   NtClose  (112, ... ) == 0x0
 01334   452   NtOpenKey  (0x20119, {24, 28, 0x40, 0, 0,  (0x20119, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography"}, ... 112, ) }, ... 112, ) == 0x0
 01335   452   NtQueryValueKey  (112,  (112, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 01336   452   NtQueryValueKey  (112,  (112, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 01337   452   NtQueryValueKey  (112,  (112, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 01338   452   NtQueryValueKey  (112,  (112, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 01339   452   NtClose  (112, ... ) == 0x0
 01340   452   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Offload"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01341   452   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 01342   452   NtOpenProcessToken  (-1, 0x8, ... 112, ) == 0x0
 01343   452   NtQueryInformationToken  (112, User, 1024, ... {token info, class 1, size 36}, 36, ) == 0x0
 01344   452   NtClose  (112, ... ) == 0x0
 01345   452   NtAllocateVirtualMemory  (-1, 1388544, 0, 4096, 4096, 4, ... 1388544, 4096, ) == 0x0
 01346   452   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... 112, {status=0x0, info=0}, ) }, 7, 16, ... 112, {status=0x0, info=0}, ) == 0x0
 01347   452   NtDeviceIoControlFile  (112, 0, 0x0, 0x0, 0x390008,  (112, 0, 0x0, 0x0, 0x390008, "lP!\304\34g\377\276\243\272>\7z\366\213\240\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01348   452   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01349   452   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01350   452   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01351   452   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01352   452   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01353   452   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01354   452   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01355   452   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482024, 2, ) }, 0, 0x0, 0, ... -2147482024, 2, ) == 0x0
 01356   452   NtSetValueKey  (-2147482024,  (-2147482024, "Seed", 0, 3, "\361O\34\3178sy\330\320WB\225\207\363\225\2\7\27\301\375n\12^"\20\316`\362j&o\2157)\2160di\207\262!\307'n$\20\262\370\343'\314\11.\12k\346\315\16\337AL#\352\264\304\365\355DG\275O\362@\231h\247]\246\235", 80, ... , 0, 3,  (-2147482024, "Seed", 0, 3, "\361O\34\3178sy\330\320WB\225\207\363\225\2\7\27\301\375n\12^"\20\316`\362j&o\2157)\2160di\207\262!\307'n$\20\262\370\343'\314\11.\12k\346\315\16\337AL#\352\264\304\365\355DG\275O\362@\231h\247]\246\235", 80, ... \20\316`\362j&o\2157)\2160di\207\262!\307'n$\20\262\370\343'\314\11.\12k\346\315\16\337AL#\352\264\304\365\355DG\275O\362@\231h\247]\246\235", 80, ...
 01357   452   NtSetInformationFile  (-2147482808, -136216964, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01358   452   NtSetInformationFile  (-2147482808, -136217000, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01356   452   NtSetValueKey  ... ) == 0x0
 01359   452   NtClose  (-2147482024, ... ) == 0x0
 01347   452   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\217\241a\313I\215\363\210\221\203X\370\311\315\K\334R\322\6Rf\320\205\341\340\217w\16\343\215\367\310\36\255\1]\256"\300\330r\373\34*O\234\2\221\300\23`W\27"\4j+\242\241&\223\360\274\365\301\335\303\233)\2702p\373\266\355\20.q\214Y.\3558\332k\314Ac\35\3242\2T%]\240\2133\3420vh\345\36V:\235\334.n\271\300%~\334\24\356[\32\234z\210*\370\306\222q\30\3J\206\16\253\336\5\341\370\343\371\353\227\177Kw\250>2\343\340\306%\23\5"\10=F#\332\233\240\221>qs\273\33\32Vf\263\254\210\246m\233\234\224\23\354\257\227I\355\364\367\2470\22^n5H\322\3015\241\266\4\6\213\373F\355\36"\23\227\246\371\371\5\331\351\310&.\254\312\311\321c/@\4\225\326\3357\33\373\12\202gM\237\17_\264!!", ) \300\330r\373\34*O\234\2\221\300\23`W\27 ... {status=0x0, info=256}, "\217\241a\313I\215\363\210\221\203X\370\311\315\K\334R\322\6Rf\320\205\341\340\217w\16\343\215\367\310\36\255\1]\256"\300\330r\373\34*O\234\2\221\300\23`W\27"\4j+\242\241&\223\360\274\365\301\335\303\233)\2702p\373\266\355\20.q\214Y.\3558\332k\314Ac\35\3242\2T%]\240\2133\3420vh\345\36V:\235\334.n\271\300%~\334\24\356[\32\234z\210*\370\306\222q\30\3J\206\16\253\336\5\341\370\343\371\353\227\177Kw\250>2\343\340\306%\23\5"\10=F#\332\233\240\221>qs\273\33\32Vf\263\254\210\246m\233\234\224\23\354\257\227I\355\364\367\2470\22^n5H\322\3015\241\266\4\6\213\373F\355\36"\23\227\246\371\371\5\331\351\310&.\254\312\311\321c/@\4\225\326\3357\33\373\12\202gM\237\17_\264!!", ) %]\240\2133\3420vh\345\36V:\235\334.n\271\300%~\334\24\356[\32\234z\210*\370\306\222q\30\3J\206\16\253\336\5\341\370\343\371\353\227\177Kw\250>2\343\340\306%\23\5 ... {status=0x0, info=256}, "\217\241a\313I\215\363\210\221\203X\370\311\315\K\334R\322\6Rf\320\205\341\340\217w\16\343\215\367\310\36\255\1]\256"\300\330r\373\34*O\234\2\221\300\23`W\27"\4j+\242\241&\223\360\274\365\301\335\303\233)\2702p\373\266\355\20.q\214Y.\3558\332k\314Ac\35\3242\2T%]\240\2133\3420vh\345\36V:\235\334.n\271\300%~\334\24\356[\32\234z\210*\370\306\222q\30\3J\206\16\253\336\5\341\370\343\371\353\227\177Kw\250>2\343\340\306%\23\5"\10=F#\332\233\240\221>qs\273\33\32Vf\263\254\210\246m\233\234\224\23\354\257\227I\355\364\367\2470\22^n5H\322\3015\241\266\4\6\213\373F\355\36"\23\227\246\371\371\5\331\351\310&.\254\312\311\321c/@\4\225\326\3357\33\373\12\202gM\237\17_\264!!", ) \23\227\246\371\371\5\331\351\310&.\254\312\311\321c/@\4\225\326\3357\33\373\12\202gM\237\17_\264!!", ) == 0x0
 01360   452   NtClose  (108, ... ) == 0x0
 01361   452   NtDeviceIoControlFile  (112, 0, 0x0, 0x0, 0x390008,  (112, 0, 0x0, 0x0, 0x390008, "lP!\304\34g\377k\355as)Y\222\377i\245\205Ep\366\2b\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01362   452   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01363   452   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01364   452   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01365   452   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01366   452   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01367   452   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01368   452   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01369   452   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482024, 2, ) }, 0, 0x0, 0, ... -2147482024, 2, ) == 0x0
 01370   452   NtSetValueKey  (-2147482024,  (-2147482024, "Seed", 0, 3, "\6QCh\300\22\264\22O\26F$\227X_\221\3661g\325\270\326\273tj\266\345\210?ACw\341.\373Z=b*\336\220\363\233z('D\212\333\32\230\200vA#]\257\347\351\11\357\347B\207f\375\33\206~M\34\1\204\335b\266\1\277\364;", 80, ... ) , 0, 3,  (-2147482024, "Seed", 0, 3, "\6QCh\300\22\264\22O\26F$\227X_\221\3661g\325\270\326\273tj\266\345\210?ACw\341.\373Z=b*\336\220\363\233z('D\212\333\32\230\200vA#]\257\347\351\11\357\347B\207f\375\33\206~M\34\1\204\335b\266\1\277\364;", 80, ... ) , 80, ... ) == 0x0
 01371   452   NtClose  (-2147482024, ... ) == 0x0
 01361   452   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\15\244\313\334\261\266\361\233\223\373\221\345\3642\335l\314\315\340?j\2\22\33SP\215\256\206\20h\261\17\245!v\35H\5\217\13\37\37\261\30p\231\232\215\201\365\270O\210$\362 \252\237\37\13O5U\25\14u<\376\242\254\335\234]s\22\355]\5\216\3125\365\266\327\304\331\265aP\234>0\246f8\241o\7q\356\177\241[&\14\232\300.E\235g\367*\301\7\27\207\314sN\250\251>\351\301\324\G\331\270\372Y\222n\350)\264v\237\13]\276\371\7\321\12\370z\252\36Oy\326\6r\210m\354:\255N0O\306V\300\367\226x\26\312\243"`-S\257\334p\343\315\15P\34\357\261\225\230\333d\203\314]\317x\10\\\370\245>\37\7\214\344+\352:\213\313\212\321\226\354I\23\323r\351\361s\300\343\324\242- \12\23`\367u]\314U~A\242\6\2547\20;\14\320\22;.\257\307\333\10\261n", ) `-S\257\334p\343\315\15P\34\357\261\225\230\333d\203\314]\317x\10\\\370\245>\37\7\214\344+\352:\213\313\212\321\226\354I\23\323r\351\361s\300\343\324\242- \12\23`\367u]\314U~A\242\6\2547\20;\14\320\22;.\257\307\333\10\261n", ) == 0x0
 01372   452   NtDeviceIoControlFile  (112, 0, 0x0, 0x0, 0x390008,  (112, 0, 0x0, 0x0, 0x390008, "lP!\304\34g\377k\355as)Y\222*'~\310kS\222v\253\245\205Ep\366\2b\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01373   452   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01374   452   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01375   452   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01376   452   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01377   452   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01378   452   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01379   452   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01380   452   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482024, 2, ) }, 0, 0x0, 0, ... -2147482024, 2, ) == 0x0
 01381   452   NtSetValueKey  (-2147482024,  (-2147482024, "Seed", 0, 3, "d\276\2355\24\34~Rs\215\265>\260\32~\266\320\15\365e\11\252\325\357\276\233\317C\231]%\263\177r\236\306w\365\2455c\240B\226\305?@\235\205\215a\276\203)\210\211\177$\203\321\2106d\337gk\5\301\224iy$q\311e\343\342g\13\355", 80, ... ) , 0, 3,  (-2147482024, "Seed", 0, 3, "d\276\2355\24\34~Rs\215\265>\260\32~\266\320\15\365e\11\252\325\357\276\233\317C\231]%\263\177r\236\306w\365\2455c\240B\226\305?@\235\205\215a\276\203)\210\211\177$\203\321\2106d\337gk\5\301\224iy$q\311e\343\342g\13\355", 80, ... ) , 80, ... ) == 0x0
 01382   452   NtClose  (-2147482024, ... ) == 0x0
 01372   452   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\33=\315\6]Rs\310C\257\325=\250\301\316\3468p\23\6\221\4\4(\366\212\301\363\345\0\25\371\212\203\240\336G\32V\361\2373\265\224\25\315\16\377\~\313#d\350\27\246\23\332\300\377k\235\3505\5A~F\310jp\275\206\370\245J`)5\242Cz2\367\231\32\340\330\365\323j^\327\273\)\260.\272fTo\252\2709k<\34\372\270\2476\235\264\371\274\30\224\373\3440:\360=\246>\2660\303\365.\230LO\334y:!\365H\300\217\244*\211\12\233\346kS\302\350\214}\37P\311\207\33\254)\307\225\32Ac\320\366".\324\332\361\317"i$\376U\351Fi\304\314\372\340\351\320E\210L\324T5!\207\326\305b\212>h\240\13\1)d\374_<\315qd&\325\210\371\26\337\323\245\277\2\333\236\366\3161\374g&%\326\33N\270L\234\226D\7\221\316\353\37t\257\37\374\337\233\3\223\247D", ) .\324\332\361\317 ... {status=0x0, info=256}, "\33=\315\6]Rs\310C\257\325=\250\301\316\3468p\23\6\221\4\4(\366\212\301\363\345\0\25\371\212\203\240\336G\32V\361\2373\265\224\25\315\16\377\~\313#d\350\27\246\23\332\300\377k\235\3505\5A~F\310jp\275\206\370\245J`)5\242Cz2\367\231\32\340\330\365\323j^\327\273\)\260.\272fTo\252\2709k<\34\372\270\2476\235\264\371\274\30\224\373\3440:\360=\246>\2660\303\365.\230LO\334y:!\365H\300\217\244*\211\12\233\346kS\302\350\214}\37P\311\207\33\254)\307\225\32Ac\320\366".\324\332\361\317"i$\376U\351Fi\304\314\372\340\351\320E\210L\324T5!\207\326\305b\212>h\240\13\1)d\374_<\315qd&\325\210\371\26\337\323\245\277\2\333\236\366\3161\374g&%\326\33N\270L\234\226D\7\221\316\353\37t\257\37\374\337\233\3\223\247D", ) , ) == 0x0
 01383   452   NtDeviceIoControlFile  (112, 0, 0x0, 0x0, 0x390008,  (112, 0, 0x0, 0x0, 0x390008, "lP!\304\34g\377k\355as)Y\222*'~\310kS\222\243\345~\310kS\222v\253\245\205Ep\366\2b\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01384   452   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01385   452   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01386   452   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01387   452   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01388   452   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01389   452   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01390   452   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01391   452   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482024, 2, ) }, 0, 0x0, 0, ... -2147482024, 2, ) == 0x0
 01392   452   NtSetValueKey  (-2147482024,  (-2147482024, "Seed", 0, 3, "\226\335\08\264\336eV8\241\203\213\327\344Q\6_\234\201\27\200n\357O\223\365\305y\250`R\326|Mm+\226\262t\336u\273'dY\321\337(^\225\314\320:\367^4\320x\223m1\302\30\235\347g\25\\275x\222\252\375\364:+%\257H8", 80, ... ) , 0, 3,  (-2147482024, "Seed", 0, 3, "\226\335\08\264\336eV8\241\203\213\327\344Q\6_\234\201\27\200n\357O\223\365\305y\250`R\326|Mm+\226\262t\336u\273'dY\321\337(^\225\314\320:\367^4\320x\223m1\302\30\235\347g\25\\275x\222\252\375\364:+%\257H8", 80, ... ) , 80, ... ) == 0x0
 01393   452   NtClose  (-2147482024, ... ) == 0x0
 01383   452   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "!\245\234\320\16l]\302\372:\203V\34\360x\15gJ\334\33w+\37AO`g\315ES\216\231"/\271\366\235\216za\342Q\277}\316g\2505\10#Fq\342\336Y\221\4271\366\235\216za\342Q\277}\316g\2505\10#Fq\342\336Y\221\4302\317\200\243\3410\302\300\220\230\325CQe$q\241GX\331!?\246$8\366\364\202\203\234\262\305)\360\206\256\341\242\350\240\202a\201\33\205\373\257\4\3151G\3676\27I\365\353\251\200TX8\367\312\305\231\12\361\24\252\2129C\300\357\223\313z\27\247\317\266\250\7Cr~_\212\335\210H\36~\367h\316\266\231\337?\210'Ai\350\233)\16\235z\256\177=\247\370\17Ve\240\341\23\251\212h\333\316\273m}\236\272x\235\21~k3\361\256\306\374|\222\312\326\256\233\Z\305\252\345\27#\20N\14\374\325\217\245\325M]-\10\247\245\361\3;U\224\257_\265P9\3\355\301i\34e\202\5\247N\317\237a\202\331o\243b", ) == 0x0
 01394   452   NtDeviceIoControlFile  (112, 0, 0x0, 0x0, 0x390008,  (112, 0, 0x0, 0x0, 0x390008, "lP!\304\34g\377k\355as)Y\222*'~\310kS\222\243\345~\310kS\222\243\345~\310kS\222v\253\245\205Ep\366\2b\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01395   452   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01396   452   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01397   452   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01398   452   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01399   452   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01400   452   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01401   452   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01402   452   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482024, 2, ) }, 0, 0x0, 0, ... -2147482024, 2, ) == 0x0
 01403   452   NtSetValueKey  (-2147482024,  (-2147482024, "Seed", 0, 3, "\336\265\217\260\330f\201o\203e\11\364\3664]\2171Qgh|\246\315\226\305\5\32g\261\353T\32\305]\116\235\264\364c\376\311*, 80, ... ) , 0, 3,  (-2147482024, "Seed", 0, 3, "\336\265\217\260\330f\201o\203e\11\364\3664]\2171Qgh|\246\315\226\305\5\32g\261\353T\32\305]\116\235\264\364c\376\311*, 80, ... ) , 80, ... ) == 0x0
 01404   452   NtClose  (-2147482024, ... ) == 0x0
 01394   452   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "[`b\351\307r\265\215\374u\230Q]\203\371\371\376\326\267\334\221s@\337sAh\247\363d5\24\31\226e\300R\3463x808\272\261\202Xw\364\2273\24\371U\3718\323WwJ\304\307\0-Joe\11\210\326Z\250\347\37\245Z\207\265T(\230W\266]\252\16\300\320xV+6\325g\317\32\330\5!\351\24\227\311-\17B\256z\306\336\35L\211%F\366M\353|\237:\357\256\17\333\12N\246<>\23\263{\255\333\10\354\257#nti\274>\377'\311\220S\207\311\21B\330\3168\366\5\17V\325>G\3735\271\34+-\12V=\36~\20g;|Q\210\224\327Nz\276Z\2248!\237$\32^\227#\221\300\246\34C)\350\11qIiF\374\322\5\363\214\2263\332\321\3318Q\235\247:\201\231\3717|d\334O=\242\207\336\260\227bE\324J\373\34xk\31\20\7\210\363\337\213\324?`\2371", ) , ) == 0x0
 01405   452   NtDeviceIoControlFile  (112, 0, 0x0, 0x0, 0x390008,  (112, 0, 0x0, 0x0, 0x390008, "lP!\304\34g\377k\355as)Y\222*'~\310kS\222\243\345~\310kS\222\243\345~\310kS\222\243\345~\310kS\222v\253\245\205Ep\366\2b\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01406   452   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01407   452   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01408   452   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01409   452   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01410   452   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01411   452   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01412   452   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01413   452   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482024, 2, ) }, 0, 0x0, 0, ... -2147482024, 2, ) == 0x0
 01414   452   NtSetValueKey  (-2147482024,  (-2147482024, "Seed", 0, 3, "\341\201\370A@\31\27\275\27J\207_\302F8\10\212Yr\2456\34\214\360i\276\3122\355+\37\306A6\352\200\261s!\317}\272k\371\216\354\206\246a|KF\16\372\12t\270\241\236\257\26\204\321f\340_c\363\7ib\360;\377\3\302#E`\374", 80, ... ) , 0, 3,  (-2147482024, "Seed", 0, 3, "\341\201\370A@\31\27\275\27J\207_\302F8\10\212Yr\2456\34\214\360i\276\3122\355+\37\306A6\352\200\261s!\317}\272k\371\216\354\206\246a|KF\16\372\12t\270\241\236\257\26\204\321f\340_c\363\7ib\360;\377\3\302#E`\374", 80, ... ) , 80, ... ) == 0x0
 01415   452   NtClose  (-2147482024, ... ) == 0x0
 01405   452   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\2604\241\230N'\321HFs]\225\370\343m\24\5X\361\215\232\357q\\357\376\25>\366\373\271\322=\275(5\352\373\345\211\271\257\3308\242\274\211\323&U\311\234\23a\337\235o\27\265I/\214\365=U\49\251H\10\270\370\302\323\360\45{m\315A\377\260iG\322\206\370\225\234\360\257\201\4\357\255\360\37\226:.b_z!\210\233\252\21\305\372\3563\306\371\2127\234\15]?\270\21HA\3627iw\334\310\376\354\263\12\243\336\223\212\313\361n\2267\332&S\3519\345\302\230\1\5C\6\335n\334\330\350\270\237\224X'e\377\245Rn\233\360\2274v{\235l\262\213-(\374\0\243\315\370u\217\372\356\2508iE\205\230\267\306\251;\345_t\253\301\354]l\320\311\332\350\366]\227\34\243\272\350\244\22\370P\351\301\220\225\32\365\32R\361\3545\367[8\2313\304b\337Eo\315\371/\306\201\255\341\247\242", ) , ) == 0x0
 01416   452   NtDeviceIoControlFile  (112, 0, 0x0, 0x0, 0x390008,  (112, 0, 0x0, 0x0, 0x390008, "lP!\304\34g\377k\355as)Y\222*'~\310kS\222\243\345~\310kS\222\243\345~\310kS\222\243\345~\310kS\222\243\345~\310kS\222v\253\245\205Ep\366\2b\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01417   452   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01418   452   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01419   452   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01420   452   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01421   452   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01422   452   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01423   452   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01424   452   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482024, 2, ) }, 0, 0x0, 0, ... -2147482024, 2, ) == 0x0
 01425   452   NtSetValueKey  (-2147482024,  (-2147482024, "Seed", 0, 3, "tE>\4AQ\3\255\244]\12\355\25\365\204~\376x\26QM\317\315\203\261\346\13\240i`\24\221\372\35\324\363]\307\260]M\331\245\15\200 \326\16=\365h\341\318\6\3064\236\237\333\6\13\324ZD_<\244/\275\217\274m\310\2\316\335\361\316F", 80, ... ) , 0, 3,  (-2147482024, "Seed", 0, 3, "tE>\4AQ\3\255\244]\12\355\25\365\204~\376x\26QM\317\315\203\261\346\13\240i`\24\221\372\35\324\363]\307\260]M\331\245\15\200 \326\16=\365h\341\318\6\3064\236\237\333\6\13\324ZD_<\244/\275\217\274m\310\2\316\335\361\316F", 80, ... ) , 80, ... ) == 0x0
 01426   452   NtClose  (-2147482024, ... ) == 0x0
 01416   452   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\260\346)\203S5@\311)\323\374N\34>\331&\6o\341:N\316\337q\246\367#\204fJ\226\202\346\356_!\16\303*\325\247\3$\14\301\335\334\32!w\305\330\26>]\5bJ\335\203\242\366\15b`F6\340\30\206\237\362\220\354\304y\253\335\257\242v*\215~&E\6jA\361,i\367l\3314\317\25\\10j\215m\366\313\2219\4T>\30\335\3667\370\5\260\221\20\13\364}\323\230\240\252\312w\11\26\241\221\333\13v\210\244Qu=\14\342\342\274\376\225\210#&\347Ex\271\21\363\304i\22\3130s\301\374\235\24\260\17\332{QI)CR}+\344\266\257g+\246\273H\326\6\315h\372\365?\24\15p\247(\12\355mF4\323\331T\253u$ml\343\247\351@y<\14s\346F\342\367&\325To\314\32\322s\203v\330\205OR1\337\342{\327\340iU?\217\\35\357&p\307\271nr\337\230", ) , ) == 0x0
 01427   452   NtDeviceIoControlFile  (112, 0, 0x0, 0x0, 0x390008,  (112, 0, 0x0, 0x0, 0x390008, "lP!\304\34g\377k\355as)Y\222*'~\310kS\222\243\345~\310kS\222\243\345~\310kS\222\243\345~\310kS\222\243\345~\310kS\222\243\345~\310kS\222v\253\245\205Ep\366\2b\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01428   452   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01429   452   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01430   452   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01431   452   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01432   452   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01433   452   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01434   452   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01435   452   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482024, 2, ) }, 0, 0x0, 0, ... -2147482024, 2, ) == 0x0
 01436   452   NtSetValueKey  (-2147482024,  (-2147482024, "Seed", 0, 3, "WSfh8\230{W\20\341\336\237\330rk\376u\2041Yk\361$L\10\330\243,\336U\345c\272\32.\10\361\245B\22\375\1h\177\365q\332Y\271\261P\226\231O\263\274G\374\304\350\262\14\302[\216\361\335^\310\22\177\256\325\5\217/\254l ", 80, ... ) , 0, 3,  (-2147482024, "Seed", 0, 3, "WSfh8\230{W\20\341\336\237\330rk\376u\2041Yk\361$L\10\330\243,\336U\345c\272\32.\10\361\245B\22\375\1h\177\365q\332Y\271\261P\226\231O\263\274G\374\304\350\262\14\302[\216\361\335^\310\22\177\256\325\5\217/\254l ", 80, ... ) , 80, ... ) == 0x0
 01437   452   NtClose  (-2147482024, ... ) == 0x0
 01427   452   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\316\313\206C\357gE\206\16\330\223W\2\365\24=\324\\310\365\315\270\377\317\23\7+\16E\351\230\236\235\323w\324\177-\302,\332\177K\344\321\245',&\247\21\207\275RZ\2413H\31\304\233ozF<\305\317%\16\303\302'\322\370\31\367\361\362\331}\336\243\216\10?\224\237zl\15\255\267)\330\316\327P\255\244\242"\37\23\207\230\37\236\200~\312(D\1\300\253n\353-\2\317\225\200&\311`\320\O\365OU+gbp\253``h\323E\226-\355\220\303(\36\353Mz\213l\273\353H\13\264\267\327\255\306\204\213\274\250\316%\237\343\317}u\10\336$\35\264b\261\322$k\323S\276\377Q\331\267\33{\26\31\367\332/\177\300\351\11\25\223\244\327\311\301]\255\255\355R\159\253y\244\250E\0L*\321\30\310\372\322v\341\320\254x\330\262\14\361\204Q\4\361\31\207\331/\216\345\207\252Q\222\215\231%\363k-", ) \37\23\207\230\37\236\200~\312(D\1\300\253n\353-\2\317\225\200&\311`\320\O\365OU+gbp\253``h\323E\226-\355\220\303(\36\353Mz\213l\273\353H\13\264\267\327\255\306\204\213\274\250\316%\237\343\317}u\10\336$\35\264b\261\322$k\323S\276\377Q\331\267\33{\26\31\367\332/\177\300\351\11\25\223\244\327\311\301]\255\255\355R\159\253y\244\250E\0L*\321\30\310\372\322v\341\320\254x\330\262\14\361\204Q\4\361\31\207\331/\216\345\207\252Q\222\215\231%\363k-", ) == 0x0
 01438   452   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\u:\work\"}, 3, 33, ... 108, {status=0x0, info=1}, ) }, 3, 33, ... 108, {status=0x0, info=1}, ) == 0x0
 01439   452   NtQueryVolumeInformationFile  (108, 1238968, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01440   452   NtClose  (12, ... ) == 0x0
 01441   452   NtOpenFile  (0x10080, {24, 0, 0x40, 0, 0,  (0x10080, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\lssas.exe"}, 7, 2113600, ... ) }, 7, 2113600, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01442   452   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238188,  (0x80100080, {24, 0, 0x40, 0, 1238188, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 12, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 12, {status=0x0, info=1}, ) == 0x0
 01443   452   NtQueryInformationFile  (12, 1239124, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0
 01444   452   NtQueryInformationFile  (12, 1239096, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01445   452   NtQueryInformationFile  (12, 1239048, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01446   452   NtAllocateVirtualMemory  (-1, 1392640, 0, 8192, 4096, 4, ... 1392640, 8192, ) == 0x0
 01447   452   NtQueryInformationFile  (12, 1389024, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0
 01448   452   NtQueryInformationFile  (12, 1237592, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01449   452   NtQueryInformationFile  (12, 1237436, 4, Ea, ... {status=0x0, info=4}, ) == 0x0
 01450   452   NtCreateFile  (0x40110080, {24, 0, 0x40, 0, 1237444,  (0x40110080, {24, 0, 0x40, 0, 1237444, "\??\C:\WINDOWS\System32\lssas.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ...
 01451   452   NtClose  (-2147482024, ... ) == 0x0
 01450   452   NtCreateFile  ... 104, {status=0x0, info=2}, ) == 0x0
 01452   452   NtQueryVolumeInformationFile  (104, 1236816, 536, Attribute, ... {status=0x0, info=22}, ) == 0x0
 01453   452   NtQueryInformationFile  (104, 1236776, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01454   452   NtQueryVolumeInformationFile  (12, 1236816, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 01455   452   NtQueryVolumeInformationFile  (12, 1236500, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01456   452   NtSetInformationFile  (104, 1236604, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01457   452   NtCreateSection  (0xf001f, 0x0, 0x0, 2, 134217728, 12, ... 116, ) == 0x0
 01458   452   NtMapViewOfSection  (116, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x8f0000), {0, 0}, 143360, ) == 0x0
 01459   452   NtClose  (116, ... ) == 0x0
 01460   452   NtWriteFile  (104, 0, 0, 0,  (104, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0PE\0\0L\1\3\0a}\307F\0\0\0\0\0\0\0\0\340\0\17\1\13\1\0\0\0\0\0\00\30\0\0\0\0\0\0\254\230\3\0\0\200\3\0\14\0\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\254\370\4\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\300\226\3\0,\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\08\230\3\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.data\0\0\0\0\260\2\0\0\20\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\300.pdata\0\0,\262\0\0\0\300\2\0,\262\0\0\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\300.ex_cod\0\254x\1\0\0\200\3\0\254x\1\0\0\266\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\340\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 01461   452   NtWriteFile  (104, 0, 0, 0,  (104, 0, 0, 0, "\264%\264C\267\2s\224~\342d\200\314B<"\324\301s\352\30]\305o\2738\263(\217\261\223\263\230\360\0\333`\377\31(0\212\301|\222Y\356\5\222]\361\354+\334\11\276\0l\316q\203\334\250r\212\5\226&\256I\343e\256\37]\3334\34-\261\301~\321>\245^\350\30\352su\256\231g\244\14W\315\33\367\4\275\306(\233\302.\260h\2567\267[\2308\256f\300\315\233\346\15\260&\211\253\221\301Q\233\14\277.\300S\333r\341\33\273\327\224\4\14\3326\264\302\336t\376\\210E\226v\325\23T\276\225\325\267\250\6\260z}\3511\247\15+\27,6\2666\236\341&\224w\350\36\220..\333\233\255w\231!\267\222\212I\255\251/\236\305%\326+\336 \242\357\230y\232:\214V z\372o\245-\314\35\350H\311\11\341>F\212\4R\31048\332\20\215u\3213\272X\260\326\257\3\204\33\244[\350 \210\34Z\304f\314"\236\367\271\347\221\232\352f\313\3\243\223\317\12\372a\334>\341!\335}\205\344\264\336\237\212\21_\371\26\322@\221K\201I\244O\242I\365x\365H \352N\21\360\22\375o\254R\217Z\252\276\334p\207\13\304s\346=*\366\20\331\261\24m\370q\257N\373^`\275]\351'\266>\331g\273\13|H\22(\230\332# ]\3543\274_\370\22\347h\235 \241\245\20\233#\177\362\7\254+\225\177\26}\217Z\201\17\342,D\234l\212,\253P\2375\222\370M\366\222\326T\251\264\112(C\355t\225e\325nE\203\235\244\377y\361\35\277\14\16\263(V\243\320n\327\15\254V\340\24\355\333Q\253\20D\324e\305"\210\225t\202p\343}\350\17L8J\341.\4\234\336|\234I\357|\306\5\272/@\354\322P\302\351\225u]\230\7\345\23[\250L\336\\352\26", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) \324\301s\352\30]\305o\2738\263(\217\261\223\263\230\360\0\333`\377\31(0\212\301|\222Y\356\5\222]\361\354+\334\11\276\0l\316q\203\334\250r\212\5\226&\256I\343e\256\37]\3334\34-\261\301~\321>\245^\350\30\352su\256\231g\244\14W\315\33\367\4\275\306(\233\302.\260h\2567\267[\2308\256f\300\315\233\346\15\260&\211\253\221\301Q\233\14\277.\300S\333r\341\33\273\327\224\4\14\3326\264\302\336t\376\\210E\226v\325\23T\276\225\325\267\250\6\260z}\3511\247\15+\27,6\2666\236\341&\224w\350\36\220..\333\233\255w\231!\267\222\212I\255\251/\236\305%\326+\336 \242\357\230y\232:\214V z\372o\245-\314\35\350H\311\11\341>F\212\4R\31048\332\20\215u\3213\272X\260\326\257\3\204\33\244[\350 \210\34Z\304f\314 (104, 0, 0, 0, "\264%\264C\267\2s\224~\342d\200\314B<"\324\301s\352\30]\305o\2738\263(\217\261\223\263\230\360\0\333`\377\31(0\212\301|\222Y\356\5\222]\361\354+\334\11\276\0l\316q\203\334\250r\212\5\226&\256I\343e\256\37]\3334\34-\261\301~\321>\245^\350\30\352su\256\231g\244\14W\315\33\367\4\275\306(\233\302.\260h\2567\267[\2308\256f\300\315\233\346\15\260&\211\253\221\301Q\233\14\277.\300S\333r\341\33\273\327\224\4\14\3326\264\302\336t\376\\210E\226v\325\23T\276\225\325\267\250\6\260z}\3511\247\15+\27,6\2666\236\341&\224w\350\36\220..\333\233\255w\231!\267\222\212I\255\251/\236\305%\326+\336 \242\357\230y\232:\214V z\372o\245-\314\35\350H\311\11\341>F\212\4R\31048\332\20\215u\3213\272X\260\326\257\3\204\33\244[\350 \210\34Z\304f\314"\236\367\271\347\221\232\352f\313\3\243\223\317\12\372a\334>\341!\335}\205\344\264\336\237\212\21_\371\26\322@\221K\201I\244O\242I\365x\365H \352N\21\360\22\375o\254R\217Z\252\276\334p\207\13\304s\346=*\366\20\331\261\24m\370q\257N\373^`\275]\351'\266>\331g\273\13|H\22(\230\332# ]\3543\274_\370\22\347h\235 \241\245\20\233#\177\362\7\254+\225\177\26}\217Z\201\17\342,D\234l\212,\253P\2375\222\370M\366\222\326T\251\264\112(C\355t\225e\325nE\203\235\244\377y\361\35\277\14\16\263(V\243\320n\327\15\254V\340\24\355\333Q\253\20D\324e\305"\210\225t\202p\343}\350\17L8J\341.\4\234\336|\234I\357|\306\5\272/@\354\322P\302\351\225u]\230\7\345\23[\250L\336\\352\26", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) \210\225t\202p\343}\350\17L8J\341.\4\234\336|\234I\357|\306\5\272/@\354\322P\302\351\225u]\230\7\345\23[\250L\336\\352\26", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 01462   452   NtWriteFile  (104, 0, 0, 0,  (104, 0, 0, 0, "Q\306c\240\315\33#T~y`g\255\357\300\236\15\340tn \303\23U<\371@\333f\324\2033\364O\366E\274\207$\215\1M'\22\341\10W\360\324Y\302\4\21<\20?A}\317{\316D\261l\205\14\212\261\374V\327\346Q@\27G\274>\305\264\253\256\255\254Q\5\376]\4\207\376QI\304B\360\305\344\307\366\235:p!0\227\224\222\321\0\251\332U<\303\312{\276\314\5f\327\226\272\253i\240\303\3m\33\362\354\14\327:\324\236\221b\346\304g\254\227\2021\27\24O\352\233)\355l[\307\206\23\32"\310\266\363\342\321L\213)]\275:c\12AT\303\342\263i"E\4[\332\301\220\231\306\236\a\302\231x\213\261X\354 \1\200\354Q\200&C\376\207%(j\233\255\310\37\333S\351\226}\200?\256\225\353\367\367\33\232a\357\266\365O4s\266gN\221\200\23\326*\246&/\2129\230\353\13;^\317.\1776k\342O\255}\325\224A^G\325\226\7\356\265\214|*\266y\360w\215=L\277\4\326:\263RY\342\360\34\2{\12\251)\205\353\26Ud\301\244\316\320H\333\272\11a\300\260\251\372\350\21\302I\260\307`\241\265Y\310\37\246\203\13F/\317\346\315\344>\20e\222\221\336\35\320\353)\6\307\336\311\264g\332-<\373\242\335%}(W.[Y\\3o\212\250\5v\240)\205\227\270n\356\277\352\373:\231\324\302\25b\236\245\27\\207\370\340\262\2bI\201\260\15\220\207G\302\303QR\7\373\312f\273\236\5\35\322\371\34\247\36P\227\327\6Q\225\176=Pe\327\221\235i\346\250\5\225\212\317\313\316\0\317\367\216s\202\353\327*\233\243\311\244\17\311\30G\232:\374\226\327AN3\305*\342\342\3\262i\26\275u\207sU_i\231L(\177n:\265\365\331\6\262\336\325", 20140, 0x0, 0, ... {status=0x0, info=20140}, ) \310\266\363\342\321L\213)]\275:c\12AT\303\342\263i (104, 0, 0, 0, "Q\306c\240\315\33#T~y`g\255\357\300\236\15\340tn \303\23U<\371@\333f\324\2033\364O\366E\274\207$\215\1M'\22\341\10W\360\324Y\302\4\21<\20?A}\317{\316D\261l\205\14\212\261\374V\327\346Q@\27G\274>\305\264\253\256\255\254Q\5\376]\4\207\376QI\304B\360\305\344\307\366\235:p!0\227\224\222\321\0\251\332U<\303\312{\276\314\5f\327\226\272\253i\240\303\3m\33\362\354\14\327:\324\236\221b\346\304g\254\227\2021\27\24O\352\233)\355l[\307\206\23\32"\310\266\363\342\321L\213)]\275:c\12AT\303\342\263i"E\4[\332\301\220\231\306\236\a\302\231x\213\261X\354 \1\200\354Q\200&C\376\207%(j\233\255\310\37\333S\351\226}\200?\256\225\353\367\367\33\232a\357\266\365O4s\266gN\221\200\23\326*\246&/\2129\230\353\13;^\317.\1776k\342O\255}\325\224A^G\325\226\7\356\265\214|*\266y\360w\215=L\277\4\326:\263RY\342\360\34\2{\12\251)\205\353\26Ud\301\244\316\320H\333\272\11a\300\260\251\372\350\21\302I\260\307`\241\265Y\310\37\246\203\13F/\317\346\315\344>\20e\222\221\336\35\320\353)\6\307\336\311\264g\332-<\373\242\335%}(W.[Y\\3o\212\250\5v\240)\205\227\270n\356\277\352\373:\231\324\302\25b\236\245\27\\207\370\340\262\2bI\201\260\15\220\207G\302\303QR\7\373\312f\273\236\5\35\322\371\34\247\36P\227\327\6Q\225\176=Pe\327\221\235i\346\250\5\225\212\317\313\316\0\317\367\216s\202\353\327*\233\243\311\244\17\311\30G\232:\374\226\327AN3\305*\342\342\3\262i\26\275u\207sU_i\231L(\177n:\265\365\331\6\262\336\325", 20140, 0x0, 0, ... {status=0x0, info=20140}, ) , 20140, 0x0, 0, ... {status=0x0, info=20140}, ) == 0x0
 01463   452   NtUnmapViewOfSection  (-1, 0x8f0000, ... ) == 0x0
 01464   452   NtSetInformationFile  (104, 1239048, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01465   452   NtClose  (12, ... ) == 0x0
 01466   452   NtClose  (104, ... ) == 0x0
 01467   452   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\lssas.exe"}, 7, 2113568, ... 104, {status=0x0, info=1}, ) }, 7, 2113568, ... 104, {status=0x0, info=1}, ) == 0x0
 01468   452   NtSetInformationFile  (104, 1239248, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01469   452   NtClose  (104, ... ) == 0x0
 01470   452   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\lssas.exe"}, 7, 2113568, ... 104, {status=0x0, info=1}, ) }, 7, 2113568, ... 104, {status=0x0, info=1}, ) == 0x0
 01471   452   NtSetInformationFile  (104, 1239248, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01472   452   NtClose  (104, ... ) == 0x0
 01473   452   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238952,  (0x80100080, {24, 0, 0x40, 0, 1238952, "\??\C:\WINDOWS\explorer.exe"}, 0x0, 128, 1, 1, 96, 0, 0, ... 104, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 104, {status=0x0, info=1}, ) == 0x0
 01474   452   NtQueryInformationFile  (104, 1239004, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01475   452   NtClose  (104, ... ) == 0x0
 01476   452   NtCreateFile  (0x40100080, {24, 0, 0x40, 0, 1238952,  (0x40100080, {24, 0, 0x40, 0, 1238952, "\??\C:\WINDOWS\System32\lssas.exe"}, 0x0, 128, 2, 1, 96, 0, 0, ... 104, {status=0x0, info=1}, ) }, 0x0, 128, 2, 1, 96, 0, 0, ... 104, {status=0x0, info=1}, ) == 0x0
 01477   452   NtSetInformationFile  (104, 1239004, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01478   452   NtClose  (104, ... ) == 0x0
 01479   452   NtOpenFile  (0x10080, {24, 108, 0x40, 0, 0,  (0x10080, {24, 108, 0x40, 0, 0, "wztu.bat"}, 7, 2113600, ... ) }, 7, 2113600, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01480   452   NtCreateFile  (0x40100080, {24, 108, 0x40, 0, 1239200,  (0x40100080, {24, 108, 0x40, 0, 1239200, "wztu.bat"}, 0x0, 0, 0, 5, 96, 0, 0, ... 104, {status=0x0, info=2}, ) }, 0x0, 0, 0, 5, 96, 0, 0, ... 104, {status=0x0, info=2}, ) == 0x0
 01481   452   NtWriteFile  (104, 0, 0, 0,  (104, 0, 0, 0, "@echo off\15\12:deleteagain\15\12del /A:H /F packed.exe\15\12del /F packed.exe\15\12if exist packed.exe goto deleteagain\15\12del wztu.bat\15\12", 120, 0x0, 0, ... {status=0x0, info=120}, ) , 120, 0x0, 0, ... {status=0x0, info=120}, ) == 0x0
 01482   452   NtClose  (104, ... ) == 0x0
 01483   452   NtOpenKey  (0x9, {24, 28, 0x40, 0, 0,  (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01484   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1232540, ... ) }, 1232540, ... ) == 0x0
 01485   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0
 01486   452   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 104, ... 12, ) == 0x0
 01487   452   NtClose  (104, ... ) == 0x0
 01488   452   NtMapViewOfSection  (12, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x8f0000), 0x0, 262144, ) == 0x0
 01489   452   NtClose  (12, ... ) == 0x0
 01490   452   NtUnmapViewOfSection  (-1, 0x8f0000, ... ) == 0x0
 01491   452   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01492   452   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01493   452   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01494   452   NtAllocateVirtualMemory  (-1, 1400832, 0, 16384, 4096, 4, ... 1400832, 16384, ) == 0x0
 01495   452   NtUserRegisterClassExWOW  (1234624, 1234704, 1234688, 1234720, 0, 384, 0, ... ) == 0x810cc038
 01496   452   NtUserGetAtomName  (49208, 1233388, ... ) == 0x15
 01497   452   NtUserCreateWindowEx  (0, 49208, 49208,  (0, 49208, 49208, "OleMainThreadWndName", -2013265920, -2147483648, -2147483648, -2147483648, -2147483648, -3, 0, 1998258176, 0, 1073742848, 0, ... , -2013265920, -2147483648, -2147483648, -2147483648, -2147483648, -3, 0, 1998258176, 0, 1073742848, 0, ...
 01498   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1230912, ... ) }, 1230912, ... ) == 0x0
 01499   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 12, {status=0x0, info=1}, ) }, 5, 96, ... 12, {status=0x0, info=1}, ) == 0x0
 01500   452   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 12, ... 104, ) == 0x0
 01501   452   NtClose  (12, ... ) == 0x0
 01502   452   NtMapViewOfSection  (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x8f0000), 0x0, 204800, ) == 0x0
 01503   452   NtClose  (104, ... ) == 0x0
 01504   452   NtUnmapViewOfSection  (-1, 0x8f0000, ... ) == 0x0
 01505   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1231228, ... ) }, 1231228, ... ) == 0x0
 01506   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0
 01507   452   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 104, ... 12, ) == 0x0
 01508   452   NtQuerySection  (12, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01509   452   NtClose  (104, ... ) == 0x0
 01510   452   NtMapViewOfSection  (12, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5ad70000), 0x0, 212992, ) == 0x0
 01511   452   NtClose  (12, ... ) == 0x0
 01512   452   NtUserGetWindowDC  (0, ... ) == 0x1010054
 01513   452   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 01514   452   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01515   452   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 12, ) == 0x0
 01516   452   NtQueryInformationToken  (12, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01517   452   NtClose  (12, ... ) == 0x0
 01518   452   NtAllocateVirtualMemory  (-1, 1220608, 0, 4096, 4096, 260, ... 1220608, 4096, ) == 0x0
 01519   452   NtOpenKey  (0x2001f, {24, 0, 0x640, 0, 0,  (0x2001f, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 12, ) }, ... 12, ) == 0x0
 01520   452   NtOpenKey  (0x1, {24, 12, 0x40, 0, 0,  (0x1, {24, 12, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\ThemeManager"}, ... 104, ) }, ... 104, ) == 0x0
 01521   452   NtQueryValueKey  (104,  (104, "Compositing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01522   452   NtClose  (104, ... ) == 0x0
 01523   452   NtClose  (12, ... ) == 0x0
 01524   452   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01525   452   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 12, ) == 0x0
 01526   452   NtQueryInformationToken  (12, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01527   452   NtClose  (12, ... ) == 0x0
 01528   452   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 12, ) }, ... 12, ) == 0x0
 01529   452   NtOpenKey  (0x1, {24, 12, 0x40, 0, 0,  (0x1, {24, 12, 0x40, 0, 0, "Control Panel\Desktop"}, ... 104, ) }, ... 104, ) == 0x0
 01530   452   NtQueryValueKey  (104,  (104, "LameButtonText", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01531   452   NtClose  (104, ... ) == 0x0
 01532   452   NtClose  (12, ... ) == 0x0
 01533   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\UxTheme.dll"}, 1230728, ... ) }, 1230728, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01534   452   NtQueryAttributesFile  ({24, 108, 0x40, 0, 0,  ({24, 108, 0x40, 0, 0, "UxTheme.dll"}, 1230728, ... ) }, 1230728, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01535   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\UxTheme.dll"}, 1230728, ... ) }, 1230728, ... ) == 0x0
 01536   452   NtUserGetProcessWindowStation  (... ) == 0x28
 01537   452   NtUserGetObjectInformation  (40, 2, 0, 0, 1233024, ... ) == 0x0
 01538   452   NtUserGetObjectInformation  (40, 2, 1354136, 16, 1233024, ... ) == 0x1
 01539   452   NtUserGetGUIThreadInfo  (452, 1232980, ... ) == 0x1
 01540   452   NtConnectPort  ( ("\ThemeApiPort", {12, 2, 1, 1}, 0x0, 0x0, 1232800, 64, ... 12, 0x0, 0x0, 0x0, 64, ) , {12, 2, 1, 1}, 0x0, 0x0, 1232800, 64, ... 12, 0x0, 0x0, 0x0, 64, ) == 0x0
 01541   452   NtRequestWaitReplyPort  (12, {32, 56, new_msg, 0, 0, 0, 0, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 444, 452, 2309, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 444, 452, 2309, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 444, 452, 2309, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 01542   452   NtRequestWaitReplyPort  (12, {32, 56, new_msg, 0, 0, 0, 0, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 444, 452, 2310, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 444, 452, 2310, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 444, 452, 2310, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 01543   452   NtUserCallNoParam  (29, ...
 01544   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1230272, ... ) }, 1230272, ... ) == 0x0
 01543   452   NtUserCallNoParam  ... ) == 0x0
 01545   452   NtUserSystemParametersInfo  (41, 0, 1524225160, 0, ... ) == 0x1
 01546   452   NtGdiHfontCreate  (1232352, 356, 0, 0, 1363200, ... ) == 0x80a0311
 01547   452   NtGdiHfontCreate  (1232352, 356, 0, 0, 1363192, ... ) == 0x90a0344
 01548   452   NtRequestWaitReplyPort  (12, {32, 56, new_msg, 0, 0, 0, 0, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 444, 452, 2311, 0} "\0\0\0\0\0\0\0\0h\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 444, 452, 2311, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 444, 452, 2311, 0} "\0\0\0\0\0\0\0\0h\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 01549   452   NtMapViewOfSection  (104, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x8f0000), {0, 0}, 331776, ) == 0x0
 01550   452   NtUserGetWindowDC  (0, ... ) == 0x1010054
 01551   452   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 01552   452   NtUserGetWindowDC  (0, ... ) == 0x1010054
 01553   452   NtContinue  (1230888, 0, ...
 01554   452   NtTerminateProcess  (0, 0, ... ) == 0x0
 01555   452   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xa,}, 4, ... ) == 0x0
 01556   452   NtUserGetProcessWindowStation  (... ) == 0x28
 01557   452   NtUserBuildNameList  (40, 256, 1328008, 1239640, ... ) == 0x0
 01558   452   NtUserGetProcessWindowStation  (... ) == 0x28
 01559   452   NtUserOpenDesktop  ({24, 40, 0x40, 0, 0,  ({24, 40, 0x40, 0, 0, "Default"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x74
 01560   452   NtUserBuildHwndList  (116, 0, 0, 0, 64, ... (0x3004c, 0x100dc, 0x100aa, 0x100a8, 0x100a6, 0x60036, 0x20062, 0x1007e, 0x10074, 0x10068, 0x3004a, 0x10066, 0x3003c, 0x1009c, 0x10090, 0x1007c, 0x10026, 0x100d8, 0x100d0, 0x100be, 0x100bc, 0x100ba, 0x100b8, 0x100b6, 0x100b4, 0x100b0, 0x100ae, 0x2005e, 0x20060, 0x300e2, 0x500b2, 0x100cc, 0x100c2, 0x100c0, 0x100ac, 0x1006c, 0x50050, 0x40054, 0x5004e, 0x10082, 0x10076, 0x1, ), 42, ) == 0x0
 01561   452   NtUserQueryWindow  (196684, 0, ... ) == 0x754
 01562   452   NtUserQueryWindow  (196684, 1, ... ) == 0x768
 01563   452   NtUserQueryWindow  (65756, 0, ... ) == 0x754
 01564   452   NtUserQueryWindow  (65756, 1, ... ) == 0x768
 01565   452   NtUserQueryWindow  (65706, 0, ... ) == 0x7cc
 01566   452   NtUserQueryWindow  (65706, 1, ... ) == 0x7d0
 01567   452   NtUserQueryWindow  (65704, 0, ... ) == 0x7cc
 01568   452   NtUserQueryWindow  (65704, 1, ... ) == 0x7d0
 01569   452   NtUserQueryWindow  (65702, 0, ... ) == 0x7cc
 01570   452   NtUserQueryWindow  (65702, 1, ... ) == 0x7d0
 01571   452   NtUserQueryWindow  (393270, 0, ... ) == 0x7cc
 01572   452   NtUserQueryWindow  (393270, 1, ... ) == 0x7d0
 01573   452   NtUserQueryWindow  (131170, 0, ... ) == 0x754
 01574   452   NtUserQueryWindow  (131170, 1, ... ) == 0x768
 01575   452   NtUserQueryWindow  (65662, 0, ... ) == 0x754
 01576   452   NtUserQueryWindow  (65662, 1, ... ) == 0x768
 01577   452   NtUserBuildHwndList  (0, 65662, 1, 0, 64, ... (0x10080, 0x1008a, 0x1008c, 0x1008e, 0x10092, 0x10094, 0x10096, 0x10098, 0x1009a, 0x1009e, 0x100a0, 0x100a2, 0x1, ), 13, ) == 0x0
 01578   452   NtUserQueryWindow  (65664, 0, ... ) == 0x754
 01579   452   NtUserQueryWindow  (65664, 1, ... ) == 0x768
 01580   452   NtUserQueryWindow  (65674, 0, ... ) == 0x754
 01581   452   NtUserQueryWindow  (65674, 1, ... ) == 0x768
 01582   452   NtUserQueryWindow  (65676, 0, ... ) == 0x754
 01583   452   NtUserQueryWindow  (65676, 1, ... ) == 0x768
 01584   452   NtUserQueryWindow  (65678, 0, ... ) == 0x754
 01585   452   NtUserQueryWindow  (65678, 1, ... ) == 0x768
 01586   452   NtUserQueryWindow  (65682, 0, ... ) == 0x754
 01587   452   NtUserQueryWindow  (65682, 1, ... ) == 0x768
 01588   452   NtUserQueryWindow  (65684, 0, ... ) == 0x754
 01589   452   NtUserQueryWindow  (65684, 1, ... ) == 0x768
 01590   452   NtUserQueryWindow  (65686, 0, ... ) == 0x754
 01591   452   NtUserQueryWindow  (65686, 1, ... ) == 0x768
 01592   452   NtUserQueryWindow  (65688, 0, ... ) == 0x754
 01593   452   NtUserQueryWindow  (65688, 1, ... ) == 0x768
 01594   452   NtUserQueryWindow  (65690, 0, ... ) == 0x754
 01595   452   NtUserQueryWindow  (65690, 1, ... ) == 0x768
 01596   452   NtUserQueryWindow  (65694, 0, ... ) == 0x754
 01597   452   NtUserQueryWindow  (65694, 1, ... ) == 0x768
 01598   452   NtUserQueryWindow  (65696, 0, ... ) == 0x754
 01599   452   NtUserQueryWindow  (65696, 1, ... ) == 0x768
 01600   452   NtUserQueryWindow  (65698, 0, ... ) == 0x754
 01601   452   NtUserQueryWindow  (65698, 1, ... ) == 0x768
 01602   452   NtUserQueryWindow  (65652, 0, ... ) == 0x754
 01603   452   NtUserQueryWindow  (65652, 1, ... ) == 0x768
 01604   452   NtUserQueryWindow  (65640, 0, ... ) == 0x754
 01605   452   NtUserQueryWindow  (65640, 1, ... ) == 0x768
 01606   452   NtUserQueryWindow  (196682, 0, ... ) == 0x754
 01607   452   NtUserQueryWindow  (196682, 1, ... ) == 0x768
 01608   452   NtUserQueryWindow  (65638, 0, ... ) == 0x754
 01609   452   NtUserQueryWindow  (65638, 1, ... ) == 0x768
 01610   452   NtUserQueryWindow  (196668, 0, ... ) == 0x754
 01611   452   NtUserQueryWindow  (196668, 1, ... ) == 0x768
 01612   452   NtUserBuildHwndList  (0, 196668, 1, 0, 64, ... (0x3003e, 0x30042, 0x30040, 0x30044, 0x30046, 0x30048, 0x1006a, 0x1006e, 0x10072, 0x1, ), 10, ) == 0x0
 01613   452   NtUserQueryWindow  (196670, 0, ... ) == 0x754
 01614   452   NtUserQueryWindow  (196670, 1, ... ) == 0x768
 01615   452   NtUserQueryWindow  (196674, 0, ... ) == 0x754
 01616   452   NtUserQueryWindow  (196674, 1, ... ) == 0x768
 01617   452   NtUserQueryWindow  (196672, 0, ... ) == 0x754
 01618   452   NtUserQueryWindow  (196672, 1, ... ) == 0x768
 01619   452   NtUserQueryWindow  (196676, 0, ... ) == 0x754
 01620   452   NtUserQueryWindow  (196676, 1, ... ) == 0x768
 01621   452   NtUserQueryWindow  (196678, 0, ... ) == 0x754
 01622   452   NtUserQueryWindow  (196678, 1, ... ) == 0x768
 01623   452   NtUserQueryWindow  (196680, 0, ... ) == 0x754
 01624   452   NtUserQueryWindow  (196680, 1, ... ) == 0x768
 01625   452   NtUserQueryWindow  (65642, 0, ... ) == 0x754
 01626   452   NtUserQueryWindow  (65642, 1, ... ) == 0x768
 01627   452   NtUserQueryWindow  (65646, 0, ... ) == 0x754
 01628   452   NtUserQueryWindow  (65646, 1, ... ) == 0x768
 01629   452   NtUserQueryWindow  (65650, 0, ... ) == 0x754
 01630   452   NtUserQueryWindow  (65650, 1, ... ) == 0x768
 01631   452   NtUserQueryWindow  (65692, 0, ... ) == 0x754
 01632   452   NtUserQueryWindow  (65692, 1, ... ) == 0x768
 01633   452   NtUserQueryWindow  (65680, 0, ... ) == 0x754
 01634   452   NtUserQueryWindow  (65680, 1, ... ) == 0x768
 01635   452   NtUserQueryWindow  (65660, 0, ... ) == 0x754
 01636   452   NtUserQueryWindow  (65660, 1, ... ) == 0x758
 01637   452   NtUserQueryWindow  (65574, 0, ... ) == 0x268
 01638   452   NtUserQueryWindow  (65574, 1, ... ) == 0x2c4
 01639   452   NtUserQueryWindow  (65752, 0, ... ) == 0x108
 01640   452   NtUserQueryWindow  (65752, 1, ... ) == 0x10c
 01641   452   NtUserQueryWindow  (65744, 0, ... ) == 0x108
 01642   452   NtUserQueryWindow  (65744, 1, ... ) == 0x10c
 01643   452   NtUserQueryWindow  (65726, 0, ... ) == 0x7d4
 01644   452   NtUserQueryWindow  (65726, 1, ... ) == 0x7d8
 01645   452   NtUserQueryWindow  (65724, 0, ... ) == 0x7d4
 01646   452   NtUserQueryWindow  (65724, 1, ... ) == 0x7d8
 01647   452   NtUserQueryWindow  (65722, 0, ... ) == 0x7d4
 01648   452   NtUserQueryWindow  (65722, 1, ... ) == 0x7d8
 01649   452   NtUserQueryWindow  (65720, 0, ... ) == 0x7d4
 01650   452   NtUserQueryWindow  (65720, 1, ... ) == 0x7d8
 01651   452   NtUserQueryWindow  (65718, 0, ... ) == 0x7d4
 01652   452   NtUserQueryWindow  (65718, 1, ... ) == 0x7d8
 01653   452   NtUserQueryWindow  (65716, 0, ... ) == 0x7d4
 01654   452   NtUserQueryWindow  (65716, 1, ... ) == 0x7d8
 01655   452   NtUserQueryWindow  (65712, 0, ... ) == 0x7d4
 01656   452   NtUserQueryWindow  (65712, 1, ... ) == 0x7d8
 01657   452   NtUserQueryWindow  (65710, 0, ... ) == 0x7d4
 01658   452   NtUserQueryWindow  (65710, 1, ... ) == 0x7d8
 01659   452   NtUserQueryWindow  (131166, 0, ... ) == 0x7c4
 01660   452   NtUserQueryWindow  (131166, 1, ... ) == 0x7c8
 01661   452   NtUserQueryWindow  (131168, 0, ... ) == 0x7e0
 01662   452   NtUserQueryWindow  (131168, 1, ... ) == 0x7e4
 01663   452   NtUserQueryWindow  (196834, 0, ... ) == 0x754
 01664   452   NtUserQueryWindow  (196834, 1, ... ) == 0x588
 01665   452   NtUserQueryWindow  (327858, 0, ... ) == 0x754
 01666   452   NtUserQueryWindow  (327858, 1, ... ) == 0x5fc
 01667   452   NtUserQueryWindow  (65740, 0, ... ) == 0x754
 01668   452   NtUserQueryWindow  (65740, 1, ... ) == 0x118
 01669   452   NtUserQueryWindow  (65730, 0, ... ) == 0x754
 01670   452   NtUserQueryWindow  (65730, 1, ... ) == 0x118
 01671   452   NtUserBuildHwndList  (0, 65730, 1, 0, 64, ... (0x100c4, 0x100c6, 0x100c8, 0x100ca, 0x1, ), 5, ) == 0x0
 01672   452   NtUserQueryWindow  (65732, 0, ... ) == 0x754
 01673   452   NtUserQueryWindow  (65732, 1, ... ) == 0x118
 01674   452   NtUserQueryWindow  (65734, 0, ... ) == 0x754
 01675   452   NtUserQueryWindow  (65734, 1, ... ) == 0x118
 01676   452   NtUserQueryWindow  (65736, 0, ... ) == 0x754
 01677   452   NtUserQueryWindow  (65736, 1, ... ) == 0x118
 01678   452   NtUserQueryWindow  (65738, 0, ... ) == 0x754
 01679   452   NtUserQueryWindow  (65738, 1, ... ) == 0x118
 01680   452   NtUserQueryWindow  (65728, 0, ... ) == 0x754
 01681   452   NtUserQueryWindow  (65728, 1, ... ) == 0x768
 01682   452   NtUserQueryWindow  (65708, 0, ... ) == 0x7cc
 01683   452   NtUserQueryWindow  (65708, 1, ... ) == 0x7d0
 01684   452   NtUserQueryWindow  (65644, 0, ... ) == 0x754
 01685   452   NtUserQueryWindow  (65644, 1, ... ) == 0x7a0
 01686   452   NtUserQueryWindow  (327760, 0, ... ) == 0x754
 01687   452   NtUserQueryWindow  (327760, 1, ... ) == 0x758
 01688   452   NtUserQueryWindow  (262228, 0, ... ) == 0x754
 01689   452   NtUserQueryWindow  (262228, 1, ... ) == 0x758
 01690   452   NtUserQueryWindow  (327758, 0, ... ) == 0x754
 01691   452   NtUserQueryWindow  (327758, 1, ... ) == 0x758
 01692   452   NtUserQueryWindow  (65666, 0, ... ) == 0x754
 01693   452   NtUserQueryWindow  (65666, 1, ... ) == 0x758
 01694   452   NtUserQueryWindow  (65654, 0, ... ) == 0x754
 01695   452   NtUserQueryWindow  (65654, 1, ... ) == 0x758
 01696   452   NtUserBuildHwndList  (0, 65654, 1, 0, 64, ... (0x10078, 0x1007a, 0x1, ), 3, ) == 0x0
 01697   452   NtUserQueryWindow  (65656, 0, ... ) == 0x754
 01698   452   NtUserQueryWindow  (65656, 1, ... ) == 0x758
 01699   452   NtUserQueryWindow  (65658, 0, ... ) == 0x754
 01700   452   NtUserQueryWindow  (65658, 1, ... ) == 0x758
 01701   452   NtUserCloseDesktop  (116, ...
 01702   452   NtClose  (116, ... ) == 0x0
 01701   452   NtUserCloseDesktop  ... ) == 0x1
 01703   452   NtUserGetProcessWindowStation  (... ) == 0x28
 01704   452   NtUserOpenDesktop  ({24, 40, 0x40, 0, 0,  ({24, 40, 0x40, 0, 0, "Disconnect"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0
 01705   452   NtUserGetProcessWindowStation  (... ) == 0x28
 01706   452   NtUserOpenDesktop  ({24, 40, 0x40, 0, 0,  ({24, 40, 0x40, 0, 0, "Winlogon"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0
 01707   452   NtGdiDeleteObjectApp  (134873873, ... ) == 0x1
 01708   452   NtGdiDeleteObjectApp  (151651140, ... ) == 0x1
 01709   452   NtUnmapViewOfSection  (-1, 0x8f0000, ... ) == 0x0
 01710   452   NtClose  (104, ... ) == 0x0
 01711   452   NtClose  (12, ... ) == 0x0
 01712   452   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x9,}, 4, ... ) == 0x0
 01713   452   NtClose  (96, ... ) == 0x0
 01714   452   NtUnmapViewOfSection  (-1, 0x990000, ... ) == 0x0
 01715   452   NtClose  (100, ... ) == 0x0
 01716   452   NtClose  (92, ... ) == 0x0
 01717   452   NtFreeVirtualMemory  (-1, (0x8b0000), 0, 32768, ... (0x8b0000), 262144, ) == 0x0
 01718   452   NtUserUnregisterClass  (1239600, 1991376896, 1239588, ... ) == 0x0
 01719   452   NtUserGetClassInfo  (1999896576, 1239688, 1239640, 1239716, 0, ... ) == 0xc03b
 01720   452   NtUserUnregisterClass  (1239692, 1999896576, 1239680, ... ) == 0x1
 01721   452   NtUserGetClassInfo  (1999896576, 1239688, 1239640, 1239716, 0, ... ) == 0xc03d
 01722   452   NtUserUnregisterClass  (1239692, 1999896576, 1239680, ... ) == 0x1
 01723   452   NtUserGetClassInfo  (1999896576, 1239688, 1239640, 1239716, 0, ... ) == 0xc03f
 01724   452   NtUserUnregisterClass  (1239692, 1999896576, 1239680, ... ) == 0x1
 01725   452   NtUserGetClassInfo  (1999896576, 1239688, 1239640, 1239716, 0, ... ) == 0xc041
 01726   452   NtUserUnregisterClass  (1239692, 1999896576, 1239680, ... ) == 0x1
 01727   452   NtUserGetClassInfo  (1999896576, 1239688, 1239640, 1239716, 0, ... ) == 0xc043
 01728   452   NtUserUnregisterClass  (1239692, 1999896576, 1239680, ... ) == 0x1
 01729   452   NtUserGetClassInfo  (1999896576, 1239688, 1239640, 1239716, 0, ... ) == 0xc045
 01730   452   NtUserUnregisterClass  (1239692, 1999896576, 1239680, ... ) == 0x1
 01731   452   NtUserGetClassInfo  (1999896576, 1239688, 1239640, 1239716, 0, ... ) == 0xc047
 01732   452   NtUserUnregisterClass  (1239692, 1999896576, 1239680, ... ) == 0x1
 01733   452   NtUserGetClassInfo  (1999896576, 1239688, 1239640, 1239716, 0, ... ) == 0xc049
 01734   452   NtUserUnregisterClass  (1239692, 1999896576, 1239680, ... ) == 0x1
 01735   452   NtUserGetClassInfo  (1999896576, 1239688, 1239640, 1239716, 0, ... ) == 0xc04b
 01736   452   NtUserUnregisterClass  (1239692, 1999896576, 1239680, ... ) == 0x1
 01737   452   NtUserGetClassInfo  (1999896576, 1239688, 1239640, 1239716, 0, ... ) == 0xc04d
 01738   452   NtUserUnregisterClass  (1239692, 1999896576, 1239680, ... ) == 0x1
 01739   452   NtUserGetClassInfo  (1999896576, 1239688, 1239640, 1239716, 0, ... ) == 0xc04f
 01740   452   NtUserUnregisterClass  (1239692, 1999896576, 1239680, ... ) == 0x1
 01741   452   NtUserGetClassInfo  (1999896576, 1239688, 1239640, 1239716, 0, ... ) == 0xc051
 01742   452   NtUserUnregisterClass  (1239692, 1999896576, 1239680, ... ) == 0x1
 01743   452   NtUserGetClassInfo  (1999896576, 1239688, 1239640, 1239716, 0, ... ) == 0xc053
 01744   452   NtUserUnregisterClass  (1239692, 1999896576, 1239680, ... ) == 0x1
 01745   452   NtUserGetClassInfo  (1999896576, 1239688, 1239640, 1239716, 0, ... ) == 0xc057
 01746   452   NtUserUnregisterClass  (1239692, 1999896576, 1239680, ... ) == 0x1
 01747   452   NtUserGetClassInfo  (1999896576, 1239688, 1239640, 1239716, 0, ... ) == 0xc059
 01748   452   NtUserUnregisterClass  (1239692, 1999896576, 1239680, ... ) == 0x1
 01749   452   NtUserGetClassInfo  (1999896576, 1239688, 1239640, 1239716, 0, ... ) == 0xc05b
 01750   452   NtUserUnregisterClass  (1239692, 1999896576, 1239680, ... ) == 0x1
 01751   452   NtUserGetClassInfo  (1999896576, 1239688, 1239640, 1239716, 0, ... ) == 0xc05d
 01752   452   NtUserUnregisterClass  (1239692, 1999896576, 1239680, ... ) == 0x1
 01753   452   NtUserGetClassInfo  (1999896576, 1239688, 1239640, 1239716, 0, ... ) == 0xc05f
 01754   452   NtUserUnregisterClass  (1239692, 1999896576, 1239680, ... ) == 0x1
 01755   452   NtUserGetClassInfo  (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc03b
 01756   452   NtUserUnregisterClass  (1239692, 1905590272, 1239680, ... ) == 0x1
 01757   452   NtUserGetClassInfo  (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc03d
 01758   452   NtUserUnregisterClass  (1239692, 1905590272, 1239680, ... ) == 0x1
 01759   452   NtUserGetClassInfo  (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc03f
 01760   452   NtUserUnregisterClass  (1239692, 1905590272, 1239680, ... ) == 0x1
 01761   452   NtUserGetClassInfo  (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc041
 01762   452   NtUserUnregisterClass  (1239692, 1905590272, 1239680, ... ) == 0x1
 01763   452   NtUserGetClassInfo  (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc043
 01764   452   NtUserUnregisterClass  (1239692, 1905590272, 1239680, ... ) == 0x1
 01765   452   NtUserGetClassInfo  (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc045
 01766   452   NtUserUnregisterClass  (1239692, 1905590272, 1239680, ... ) == 0x1
 01767   452   NtUserGetClassInfo  (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc047
 01768   452   NtUserUnregisterClass  (1239692, 1905590272, 1239680, ... ) == 0x1
 01769   452   NtUserGetClassInfo  (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc049
 01770   452   NtUserUnregisterClass  (1239692, 1905590272, 1239680, ... ) == 0x1
 01771   452   NtUserGetClassInfo  (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc04b
 01772   452   NtUserUnregisterClass  (1239692, 1905590272, 1239680, ... ) == 0x1
 01773   452   NtUserGetClassInfo  (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc04d
 01774   452   NtUserUnregisterClass  (1239692, 1905590272, 1239680, ... ) == 0x1
 01775   452   NtUserGetClassInfo  (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc04f
 01776   452   NtUserUnregisterClass  (1239692, 1905590272, 1239680, ... ) == 0x1
 01777   452   NtUserGetClassInfo  (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc051
 01778   452   NtUserUnregisterClass  (1239692, 1905590272, 1239680, ... ) == 0x1
 01779   452   NtUserGetClassInfo  (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc053
 01780   452   NtUserUnregisterClass  (1239692, 1905590272, 1239680, ... ) == 0x1
 01781   452   NtUserGetClassInfo  (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc057
 01782   452   NtUserUnregisterClass  (1239692, 1905590272, 1239680, ... ) == 0x1
 01783   452   NtUserGetClassInfo  (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc059
 01784   452   NtUserUnregisterClass  (1239692, 1905590272, 1239680, ... ) == 0x1
 01785   452   NtUserGetClassInfo  (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc05b
 01786   452   NtUserUnregisterClass  (1239692, 1905590272, 1239680, ... ) == 0x1
 01787   452   NtUserGetClassInfo  (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc05d
 01788   452   NtUserUnregisterClass  (1239692, 1905590272, 1239680, ... ) == 0x1
 01789   452   NtUserGetClassInfo  (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc05f
 01790   452   NtUserUnregisterClass  (1239692, 1905590272, 1239680, ... ) == 0x1
 01791   452   NtUserGetClassInfo  (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc017
 01792   452   NtUserUnregisterClass  (1239692, 1905590272, 1239680, ... ) == 0x1
 01793   452   NtUserGetClassInfo  (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc019
 01794   452   NtUserUnregisterClass  (1239692, 1905590272, 1239680, ... ) == 0x1
 01795   452   NtUserGetClassInfo  (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc018
 01796   452   NtUserUnregisterClass  (1239692, 1905590272, 1239680, ... ) == 0x1
 01797   452   NtUserGetClassInfo  (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc01a
 01798   452   NtUserUnregisterClass  (1239692, 1905590272, 1239680, ... ) == 0x1
 01799   452   NtUserGetClassInfo  (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc01c
 01800   452   NtUserUnregisterClass  (1239692, 1905590272, 1239680, ... ) == 0x1
 01801   452   NtUserGetClassInfo  (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc01e
 01802   452   NtUserUnregisterClass  (1239692, 1905590272, 1239680, ... ) == 0x1
 01803   452   NtUserGetClassInfo  (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc01b
 01804   452   NtUserUnregisterClass  (1239692, 1905590272, 1239680, ... ) == 0x1
 01805   452   NtUserGetClassInfo  (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc068
 01806   452   NtUserUnregisterClass  (1239692, 1905590272, 1239680, ... ) == 0x1
 01807   452   NtUserGetClassInfo  (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc06a
 01808   452   NtUserUnregisterClass  (1239692, 1905590272, 1239680, ... ) == 0x1
 01809   452   NtUnmapViewOfSection  (-1, 0x8a0000, ... ) == 0x0
 01810   452   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x6,}, 4, ... ) == 0x0
 01811   452   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x5,}, 4, ... ) == 0x0
 01812   452   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x2,}, 4, ... ) == 0x0
 01813   452   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x3,}, 4, ... ) == 0x0
 01814   452   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x4,}, 4, ... ) == 0x0
 01815   452   NtClose  (112, ... ) == 0x0
 01816   452   NtFreeVirtualMemory  (-1, (0x890000), 4096, 32768, ... (0x890000), 4096, ) == 0x0
 01817   452   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 1398559575, 1702130553, 1546793837, 1634956140}  (24, {20, 48, new_msg, 0, 1398559575, 1702130553, 1546793837, 1634956140} "\0\0\0\0\3\0\1\0$\354\22\0\342\363@\0\0\0\0\0" ... {20, 48, reply, 0, 444, 452, 2313, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\342\363@\0\0\0\0\0" )  ... {20, 48, reply, 0, 444, 452, 2313, 0}  (24, {20, 48, new_msg, 0, 1398559575, 1702130553, 1546793837, 1634956140} "\0\0\0\0\3\0\1\0$\354\22\0\342\363@\0\0\0\0\0" ... {20, 48, reply, 0, 444, 452, 2313, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\342\363@\0\0\0\0\0" )  ) == 0x0
 01818   452   NtTerminateProcess  (-1, 0, ...
 01819   452   NtClose  (44, ... ) == 0x0
NtAddAtom(>)	1	NtUserCreateWindowEx(>)	1	NtUserGetWindowDC(>)	3	NtFlushInstructionCache(>)	18
NtCallbackReturn(>)	1	NtUserGetAtomName(>)	1	NtUserOpenDesktop(>)	3	NtQueryInformationFile(>)	21
NtConnectPort(>)	1	NtUserGetDC(>)	1	NtUserRegisterWindowMessage(>)	3	NtUnmapViewOfSection(>)	21
NtCreateMutant(>)	1	NtUserGetGUIThreadInfo(>)	1	NtCreateEvent(>)	4	NtCreateSection(>)	27
NtCreateProcessEx(>)	1	NtUserGetThreadDesktop(>)	1	NtWriteVirtualMemory(>)	4	NtOpenProcessTokenEx(>)	28
NtCreateThread(>)	1	NtAccessCheck(>)	2	NtGdiGetStockObject(>)	5	NtOpenSection(>)	28
NtDelayExecution(>)	1	NtEnumerateKey(>)	2	NtSetInformationProcess(>)	5	NtOpenThreadTokenEx(>)	28
NtDuplicateObject(>)	1	NtGdiCreateSolidBrush(>)	2	NtUserBuildHwndList(>)	5	NtQueryInformationToken(>)	35
NtDuplicateToken(>)	1	NtGdiDeleteObjectApp(>)	2	NtUserGetProcessWindowStation(>)	5	NtQueryDefaultLocale(>)	39
NtEnumerateValueKey(>)	1	NtGdiHfontCreate(>)	2	NtWriteFile(>)	5	NtOpenFile(>)	43
NtFsControlFile(>)	1	NtOpenDirectoryObject(>)	2	NtOpenProcessToken(>)	6	NtQueryAttributesFile(>)	46
NtGdiCreateBitmap(>)	1	NtOpenEvent(>)	2	NtQueryDefaultUILanguage(>)	8	NtUserUnregisterClass(>)	46
NtGdiInit(>)	1	NtOpenSymbolicLinkObject(>)	2	NtQueryVirtualMemory(>)	8	NtMapViewOfSection(>)	47
NtGdiQueryFontAssocInfo(>)	1	NtQueryInstallUILanguage(>)	2	NtSetInformationThread(>)	8	NtUserFindExistingCursorIcon(>)	48
NtGdiSelectBitmap(>)	1	NtQuerySymbolicLinkObject(>)	2	NtQueryDirectoryFile(>)	9	NtAllocateVirtualMemory(>)	53
NtNotifyChangeKey(>)	1	NtReadVirtualMemory(>)	2	NtQueryVolumeInformationFile(>)	9	NtQueryValueKey(>)	53
NtOpenKeyedEvent(>)	1	NtTerminateProcess(>)	2	NtSetValueKey(>)	9	NtUserRegisterClassExWOW(>)	64
NtOpenMutant(>)	1	NtUserCloseDesktop(>)	2	NtCreateKey(>)	10	NtReadFile(>)	68
NtOpenProcess(>)	1	NtUserGetObjectInformation(>)	2	NtUserSystemParametersInfo(>)	11	NtQuerySystemInformation(>)	79
NtQueryFullAttributesFile(>)	1	NtUserWaitForInputIdle(>)	2	NtQueryInformationProcess(>)	12	NtUserGetClassInfo(>)	82
NtQueryInformationJobObject(>)	1	NtContinue(>)	3	NtQuerySection(>)	12	NtOpenKey(>)	107
NtQueryObject(>)	1	NtCreateSemaphore(>)	3	NtRequestWaitReplyPort(>)	12	NtUserQueryWindow(>)	136
NtRegisterThreadTerminatePort(>)	1	NtGdiCreateCompatibleDC(>)	3	NtSetInformationFile(>)	12	NtClose(>)	196
NtResumeThread(>)	1	NtOpenThreadToken(>)	3	NtFreeVirtualMemory(>)	14	NtProtectVirtualMemory(>)	216
NtSecureConnectPort(>)	1	NtSetInformationObject(>)	3	NtCreateFile(>)	16
NtTestAlert(>)	1	NtUserCallNoParam(>)	3	NtDeviceIoControlFile(>)	16
NtUserBuildNameList(>)	1