Summary (each system call name is followed by the number of times it was called):

NtAccessCheck(>) 1 NtSecureConnectPort(>) 1 NtFsControlFile(>) 4 NtFlushInstructionCache(>) 18
NtAddAtom(>) 1 NtSetInformationProcess(>) 1 NtQueryVolumeInformationFile(>) 4 NtOpenProcess(>) 18
NtAdjustPrivilegesToken(>) 1 NtTestAlert(>) 1 NtCreateFile(>) 5 NtCreateSection(>) 21
NtCallbackReturn(>) 1 NtUserCallNoParam(>) 1 NtGdiGetStockObject(>) 5 NtOpenFile(>) 25
NtCreateMutant(>) 1 NtUserCallOneParam(>) 1 NtOpenProcessToken(>) 5 NtQueryDefaultLocale(>) 29
NtCreateThread(>) 1 NtUserGetDC(>) 1 NtQueryInformationProcess(>) 5 NtQueryAttributesFile(>) 31
NtDelayExecution(>) 1 NtUserGetThreadDesktop(>) 1 NtSetInformationFile(>) 7 NtAllocateVirtualMemory(>) 37
NtEnumerateValueKey(>) 1 NtWriteFile(>) 1 NtOpenProcessTokenEx(>) 8 NtUnmapViewOfSection(>) 39
NtGdiCreateBitmap(>) 1 NtContinue(>) 2 NtOpenThreadTokenEx(>) 8 NtQueryValueKey(>) 40
NtGdiInit(>) 1 NtCreateIoCompletion(>) 2 NtQueryDefaultUILanguage(>) 8 NtOpenSection(>) 45
NtGdiQueryFontAssocInfo(>) 1 NtGdiCreateSolidBrush(>) 2 NtQueryVirtualMemory(>) 8 NtUserUnregisterClass(>) 46
NtGdiSelectBitmap(>) 1 NtOpenDirectoryObject(>) 2 NtRequestWaitReplyPort(>) 8 NtUserFindExistingCursorIcon(>) 48
NtNotifyChangeKey(>) 1 NtOpenEvent(>) 2 NtSetInformationThread(>) 8 NtOpenKey(>) 60
NtOpenKeyedEvent(>) 1 NtQueryInstallUILanguage(>) 2 NtSetValueKey(>) 8 NtUserRegisterClassExWOW(>) 63
NtOpenMutant(>) 1 NtTerminateProcess(>) 2 NtCreateEvent(>) 9 NtWriteVirtualMemory(>) 68
NtOpenSymbolicLinkObject(>) 1 NtCreateSemaphore(>) 3 NtQueryInformationFile(>) 9 NtReadFile(>) 69
NtQueryFullAttributesFile(>) 1 NtDuplicateObject(>) 3 NtQuerySection(>) 9 NtQuerySystemInformation(>) 78
NtQueryObject(>) 1 NtGdiCreateCompatibleDC(>) 3 NtCreateKey(>) 10 NtMapViewOfSection(>) 81
NtQuerySymbolicLinkObject(>) 1 NtOpenThreadToken(>) 3 NtUserSystemParametersInfo(>) 10 NtUserGetClassInfo(>) 82
NtQuerySystemTime(>) 1 NtSetInformationObject(>) 3 NtQueryInformationToken(>) 12 NtProtectVirtualMemory(>) 105
NtRegisterThreadTerminatePort(>) 1 NtUserRegisterWindowMessage(>) 3 NtQueryDebugFilterState(>) 15 NtClose(>) 158
NtResumeThread(>) 1 NtFreeVirtualMemory(>) 4 NtDeviceIoControlFile(>) 16

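Trace (each entry: sequence number, thread ID, system call with its arguments, then `==` and the returned status; a sequence number that appears twice marks a call that was interrupted by nested calls and completed afterwards):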

00001 292 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00002 292 NtOpenKeyedEvent (0x2000000, {24, 0, 0x0, 0, 0, (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0 00003 292 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00004 292 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0 00005 292 NtAllocateVirtualMemory (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0 00006 292 NtAllocateVirtualMemory (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0 00007 292 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00008 292 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0 00009 292 NtAllocateVirtualMemory (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0 00010 292 NtOpenDirectoryObject (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0 00011 292 NtOpenSymbolicLinkObject (0x1, {24, 8, 0x40, 0, 0, (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0 00012 292 NtQuerySymbolicLinkObject (12, ... (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0 00013 292 NtClose (12, ... 
) == 0x0 00014 292 NtOpenFile (0x100020, {24, 0, 0x42, 0, 0, (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0 00015 292 NtQueryVolumeInformationFile (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00016 292 NtFsControlFile (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER 00017 292 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00018 292 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0 00019 292 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0 00020 292 NtClose (16, ... ) == 0x0 00021 292 NtQuerySystemInformation (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0 00022 292 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00023 292 NtCreateSection (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0 00024 292 NtSecureConnectPort ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) == 0x0 00025 292 NtClose (16, ... ) == 0x0 00026 292 NtQueryObject (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0 00027 292 NtSetInformationObject (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0 00028 292 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00029 292 NtQueryVirtualMemory (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0 00030 292 NtAllocateVirtualMemory (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0 00031 292 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 0, 0, 0, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 288, 292, 1423, 0} "\0\346\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ) ... {28, 56, reply, 0, 288, 292, 1423, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 288, 292, 1423, 0} "\0\346\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ) ) == 0x0 00032 292 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00033 292 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0 00034 292 NtQueryValueKey (16, (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00035 292 NtClose (16, ... ) == 0x0 00036 292 NtAllocateVirtualMemory (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0 00037 292 NtOpenMutant (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0 00038 292 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 
28, ) == 0x0 00039 292 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0 00040 292 NtClose (28, ... ) == 0x0 00041 292 NtQueryDefaultLocale (0, 2012046252, ... ) == 0x0 00042 292 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0 00043 292 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 212992, ) == 0x0 00044 292 NtClose (28, ... ) == 0x0 00045 292 NtOpenSection (0x5, {24, 0, 0x40, 0, 0, (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0 00046 292 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0 00047 292 NtQuerySection (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0 00048 292 NtClose (28, ... ) == 0x0 00049 292 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0 00050 292 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0 00051 292 NtClose (28, ... ) == 0x0 00052 292 NtQueryVirtualMemory (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 00053 292 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00054 292 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00055 292 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... 
{28, 56, reply, 0, 288, 292, 1436, 0} "\370\323\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ) ... {28, 56, reply, 0, 288, 292, 1436, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 288, 292, 1436, 0} "\370\323\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ) ) == 0x0 00056 292 NtProtectVirtualMemory (-1, (0x422000), 32768, 4, ... (0x422000), 32768, 128, ) == 0x0 00057 292 NtProtectVirtualMemory (-1, (0x422000), 32768, 128, ... (0x422000), 32768, 4, ) == 0x0 00058 292 NtFlushInstructionCache (-1, 4333568, 32768, ... ) == 0x0 00059 292 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00060 292 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0 00061 292 NtClose (28, ... ) == 0x0 00062 292 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0 00063 292 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0 00064 292 NtClose (28, ... ) == 0x0 00065 292 NtProtectVirtualMemory (-1, (0x422000), 32768, 4, ... (0x422000), 32768, 64, ) == 0x0 00066 292 NtProtectVirtualMemory (-1, (0x422000), 32768, 64, ... (0x422000), 32768, 4, ) == 0x0 00067 292 NtFlushInstructionCache (-1, 4333568, 32768, ... ) == 0x0 00068 292 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "MSVCRT.dll"}, ... 28, ) }, ... 28, ) == 0x0 00069 292 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0 00070 292 NtClose (28, ... ) == 0x0 00071 292 NtProtectVirtualMemory (-1, (0x422000), 32768, 4, ... (0x422000), 32768, 64, ) == 0x0 00072 292 NtProtectVirtualMemory (-1, (0x422000), 32768, 64, ... (0x422000), 32768, 4, ) == 0x0 00073 292 NtFlushInstructionCache (-1, 4333568, 32768, ... 
) == 0x0 00074 292 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "OLEAUT32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00075 292 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0 00076 292 NtClose (28, ... ) == 0x0 00077 292 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "OLE32.DLL"}, ... 28, ) }, ... 28, ) == 0x0 00078 292 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0 00079 292 NtClose (28, ... ) == 0x0 00080 292 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00081 292 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0 00082 292 NtClose (28, ... ) == 0x0 00083 292 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "USER32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00084 292 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0 00085 292 NtClose (28, ... ) == 0x0 00086 292 NtProtectVirtualMemory (-1, (0x422000), 32768, 4, ... (0x422000), 32768, 64, ) == 0x0 00087 292 NtProtectVirtualMemory (-1, (0x422000), 32768, 64, ... (0x422000), 32768, 4, ) == 0x0 00088 292 NtFlushInstructionCache (-1, 4333568, 32768, ... ) == 0x0 00089 292 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SHELL32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00090 292 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 8339456, ) == 0x0 00091 292 NtClose (28, ... ) == 0x0 00092 292 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 28, ) }, ... 28, ) == 0x0 00093 292 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x772d0000), 0x0, 405504, ) == 0x0 00094 292 NtClose (28, ... ) == 0x0 00095 292 NtProtectVirtualMemory (-1, (0x422000), 32768, 4, ... 
(0x422000), 32768, 64, ) == 0x0 00096 292 NtProtectVirtualMemory (-1, (0x422000), 32768, 64, ... (0x422000), 32768, 4, ) == 0x0 00097 292 NtFlushInstructionCache (-1, 4333568, 32768, ... ) == 0x0 00098 292 NtProtectVirtualMemory (-1, (0x422000), 32768, 4, ... (0x422000), 32768, 64, ) == 0x0 00099 292 NtProtectVirtualMemory (-1, (0x422000), 32768, 64, ... (0x422000), 32768, 4, ) == 0x0 00100 292 NtFlushInstructionCache (-1, 4333568, 32768, ... ) == 0x0 00101 292 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00102 292 NtAllocateVirtualMemory (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0 00103 292 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1242624, ... ) }, 1242624, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00104 292 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WS2_32.dll"}, 1242624, ... ) }, 1242624, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00105 292 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 1242624, ... ) }, 1242624, ... ) == 0x0 00106 292 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0 00107 292 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 28, ... 32, ) == 0x0 00108 292 NtQuerySection (32, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00109 292 NtOpenProcessToken (-1, 0x8, ... 36, ) == 0x0 00110 292 NtQueryInformationToken (36, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0 00111 292 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00112 292 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 40, ) }, ... 40, ) == 0x0 00113 292 NtQueryValueKey (40, (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00114 292 NtClose (40, ... ) == 0x0 00115 292 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00116 292 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 40, ) == 0x0 00117 292 NtQueryInformationToken (40, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00118 292 NtClose (40, ... ) == 0x0 00119 292 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00120 292 NtClose (36, ... ) == 0x0 00121 292 NtClose (28, ... ) == 0x0 00122 292 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 86016, ) == 0x0 00123 292 NtClose (32, ... ) == 0x0 00124 292 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00125 292 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1241820, ... ) }, 1241820, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00126 292 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WS2HELP.dll"}, 1241820, ... ) }, 1241820, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00127 292 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 1241820, ... ) }, 1241820, ... 
) == 0x0 00128 292 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 5, 96, ... 32, {status=0x0, info=1}, ) }, 5, 96, ... 32, {status=0x0, info=1}, ) == 0x0 00129 292 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 32, ... 28, ) == 0x0 00130 292 NtQuerySection (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00131 292 NtClose (32, ... ) == 0x0 00132 292 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0 00133 292 NtClose (28, ... ) == 0x0 00134 292 NtProtectVirtualMemory (-1, (0x422000), 32768, 4, ... (0x422000), 32768, 64, ) == 0x0 00135 292 NtProtectVirtualMemory (-1, (0x422000), 32768, 64, ... (0x422000), 32768, 4, ) == 0x0 00136 292 NtFlushInstructionCache (-1, 4333568, 32768, ... ) == 0x0 00137 292 NtOpenProcessToken (-1, 0x8, ... 28, ) == 0x0 00138 292 NtQueryInformationToken (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00139 292 NtClose (28, ... ) == 0x0 00140 292 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0 00141 292 NtQueryValueKey (28, (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00142 292 NtClose (28, ... ) == 0x0 00143 292 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0 00144 292 NtQueryValueKey (28, (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... 
TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00145 292 NtQueryValueKey (28, (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00146 292 NtClose (28, ... ) == 0x0 00147 292 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0 00148 292 NtQueryValueKey (28, (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00149 292 NtClose (28, ... ) == 0x0 00150 292 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0 00151 292 NtSetInformationObject (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0 00152 292 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00153 292 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00154 292 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 3276800, 65536, ) == 0x0 00155 292 NtAllocateVirtualMemory (-1, 3276800, 0, 4096, 4096, 4, ... 3276800, 4096, ) == 0x0 00156 292 NtAllocateVirtualMemory (-1, 3280896, 0, 8192, 4096, 4, ... 3280896, 8192, ) == 0x0 00157 292 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 32, ) }, ... 32, ) == 0x0 00158 292 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... 
(0x330000), 0x0, 12288, ) == 0x0 00159 292 NtClose (32, ... ) == 0x0 00160 292 NtAllocateVirtualMemory (-1, 3289088, 0, 4096, 4096, 4, ... 3289088, 4096, ) == 0x0 00161 292 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00162 292 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1243120, 256, 1242864, 256} (24, {28, 56, new_msg, 0, 1243120, 256, 1242864, 256} "\210\6\31\1\0\0\0\0\1\0\0\0\360\367\22\0\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 288, 292, 1445, 0} "XQ\26\0\0\0\0\0\0\0\0\0\360\367\22\0\3\0\0\0\234\6\31\1$\1\0\0" ) ... {28, 56, reply, 0, 288, 292, 1445, 0} (24, {28, 56, new_msg, 0, 1243120, 256, 1242864, 256} "\210\6\31\1\0\0\0\0\1\0\0\0\360\367\22\0\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 288, 292, 1445, 0} "XQ\26\0\0\0\0\0\0\0\0\0\360\367\22\0\3\0\0\0\234\6\31\1$\1\0\0" ) ) == 0x0 00163 292 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00164 292 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x500000), 0x0, 1060864, ) == 0x0 00165 292 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 36, ) == 0x0 00166 292 NtOpenThreadTokenEx (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN 00167 292 NtOpenProcessTokenEx (-1, 0x8, 512, ... -2147482020, ) == 0x0 00168 292 NtQueryInformationToken (-2147482020, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL 00169 292 NtQueryInformationToken (-2147482020, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00170 292 NtClose (-2147482020, ... ) == 0x0 00171 292 NtAllocateVirtualMemory (-1, 0, 0, 32, 4096, 4, ... 
3407872, 4096, ) == 0x0 00172 292 NtFreeVirtualMemory (-1, (0x340000), 4096, 32768, ... (0x340000), 4096, ) == 0x0 00173 292 NtDuplicateObject (-1, 40, -1, 0x0, 0, 2, ... 48, ) == 0x0 00174 292 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00175 292 NtQueryValueKey (-2147482020, (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00176 292 NtClose (-2147482020, ... ) == 0x0 00177 292 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00178 292 NtQueryValueKey (-2147482020, (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00179 292 NtClose (-2147482020, ... ) == 0x0 00180 292 NtQueryDefaultLocale (0, -136279540, ... ) == 0x0 00181 292 NtGdiQueryFontAssocInfo (0, ... ) == 0x0 00182 292 NtUserCallNoParam (24, ... ) == 0x0 00183 292 NtGdiCreateCompatibleDC (0, ... 00184 292 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 3407872, 4096, ) == 0x0 00183 292 NtGdiCreateCompatibleDC ... ) == 0x50103e3 00185 292 NtGdiGetStockObject (0, ... ) == 0x1900010 00186 292 NtGdiGetStockObject (4, ... ) == 0x1900011 00187 292 NtGdiCreateBitmap (8, 8, 1, 1, 2010393708, ... ) == 0x20503e6 00188 292 NtGdiCreateSolidBrush (0, 0, ... 00189 292 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 3473408, 4096, ) == 0x0 00188 292 NtGdiCreateSolidBrush ... ) == 0x11003e7 00190 292 NtGdiGetStockObject (13, ... ) == 0x18a0021 00191 292 NtGdiCreateCompatibleDC (0, ... ) == 0x10103e8 00192 292 NtGdiSelectBitmap (16843752, 33883110, ... ) == 0x185000f 00193 292 NtUserGetThreadDesktop (292, 0, ... 
) == 0x2c 00194 292 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 52, ) }, ... 52, ) == 0x0 00195 292 NtQueryValueKey (52, (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 00196 292 NtClose (52, ... ) == 0x0 00197 292 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00198 292 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 673, 128, 0, ... ) == 0x810dc017 00199 292 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00200 292 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 674, 128, 0, ... ) == 0x810dc01c 00201 292 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00202 292 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 675, 128, 0, ... ) == 0x810dc01e 00203 292 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00204 292 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 676, 128, 0, ... ) == 0x810d8002 00205 292 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10013 00206 292 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 677, 128, 0, ... ) == 0x810dc018 00207 292 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00208 292 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 678, 128, 0, ... ) == 0x810dc01a 00209 292 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00210 292 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 679, 128, 0, ... ) == 0x810dc01d 00211 292 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00212 292 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 681, 128, 0, ... 
) == 0x810dc026 00213 292 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00214 292 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 680, 128, 0, ... ) == 0x810dc019 00215 292 NtUserRegisterClassExWOW (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc020 00216 292 NtUserRegisterClassExWOW (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810dc022 00217 292 NtUserRegisterClassExWOW (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... 00218 292 NtAllocateVirtualMemory (-1, 6451200, 0, 4096, 4096, 32, ... 6451200, 4096, ) == 0x0 00217 292 NtUserRegisterClassExWOW ... ) == 0x810dc023 00219 292 NtUserRegisterClassExWOW (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810dc024 00220 292 NtUserRegisterClassExWOW (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc025 00221 292 NtCallbackReturn (0, 0, 0, ... 00222 292 NtGdiInit (... ) == 0x1 00223 292 NtGdiGetStockObject (18, ... ) == 0x290001c 00224 292 NtGdiGetStockObject (19, ... ) == 0x1b00019 00225 292 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00226 292 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00227 292 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 52, ) }, ... 52, ) == 0x0 00228 292 NtQueryValueKey (52, (52, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (52, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0 00229 292 NtClose (52, ... 
) == 0x0 00230 292 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00231 292 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00232 292 NtAllocateVirtualMemory (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0 00233 292 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00234 292 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00235 292 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 52, ) }, ... 52, ) == 0x0 00236 292 NtQueryValueKey (52, (52, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00237 292 NtQueryValueKey (52, (52, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00238 292 NtQueryValueKey (52, (52, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00239 292 NtClose (52, ... ) == 0x0 00240 292 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 52, ) }, ... 52, ) == 0x0 00241 292 NtQueryValueKey (52, (52, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00242 292 NtQueryValueKey (52, (52, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00243 292 NtClose (52, ... ) == 0x0 00244 292 NtOpenDirectoryObject (0x2000f, {24, 0, 0x40, 0, 0, (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 52, ) }, ... 52, ) == 0x0 00245 292 NtOpenEvent (0x1f0003, {24, 52, 0x0, 0, 0, (0x1f0003, {24, 52, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00246 292 NtUserRegisterWindowMessage ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b 00247 292 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00248 292 NtOpenKey (0x9, {24, 28, 0x40, 0, 0, (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00249 292 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 56, ) }, ... 56, ) == 0x0 00250 292 NtQueryValueKey (56, (56, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00251 292 NtClose (56, ... ) == 0x0 00252 292 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00253 292 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00254 292 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 56, ) }, ... 56, ) == 0x0 00255 292 NtQueryValueKey (56, (56, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (56, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00256 292 NtClose (56, ... ) == 0x0 00257 292 NtQueryDefaultUILanguage (1241756, ... 
00258 292 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00259 292 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482020, ) == 0x0 00260 292 NtQueryInformationToken (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00261 292 NtClose (-2147482020, ... ) == 0x0 00262 292 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00263 292 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00264 292 NtOpenKey (0x80000000, {24, -2147482020, 0x640, 0, 0, (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482024, ) }, ... -2147482024, ) == 0x0 00265 292 NtQueryValueKey (-2147482024, (-2147482024, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00266 292 NtClose (-2147482024, ... ) == 0x0 00267 292 NtClose (-2147482020, ... ) == 0x0 00257 292 NtQueryDefaultUILanguage ... ) == 0x0 00268 292 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00269 292 NtQueryInstallUILanguage (2012047340, ... ) == 0x0 00270 292 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1, 96, ... 56, {status=0x0, info=1}, ) }, 1, 96, ... 56, {status=0x0, info=1}, ) == 0x0 00271 292 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 56, ... 60, ) == 0x0 00272 292 NtMapViewOfSection (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x910000), 0x0, 8323072, ) == 0x0 00273 292 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00274 292 NtQueryDefaultUILanguage (2013024600, ... 00275 292 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00276 292 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482020, ) == 0x0 00277 292 NtQueryInformationToken (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00278 292 NtClose (-2147482020, ... ) == 0x0 00279 292 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00280 292 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00281 292 NtOpenKey (0x80000000, {24, -2147482020, 0x640, 0, 0, (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482024, ) }, ... -2147482024, ) == 0x0 00282 292 NtQueryValueKey (-2147482024, (-2147482024, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00283 292 NtClose (-2147482024, ... ) == 0x0 00284 292 NtClose (-2147482020, ... ) == 0x0 00274 292 NtQueryDefaultUILanguage ... ) == 0x0 00285 292 NtAllocateVirtualMemory (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0 00286 292 NtQueryInstallUILanguage (2013024602, ... ) == 0x0 00287 292 NtQueryDefaultLocale (1, 1239792, ... ) == 0x0 00288 292 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00289 292 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1240648, 1, 96, 0} (24, {128, 156, new_msg, 0, 1240648, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\18\0\0\0\377\377\377\377\0\0\0\0\20\311\310\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0H\365\22\0\0\0\0\0" ... {128, 156, reply, 0, 288, 292, 1453, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\18\0\0\0\377\377\377\377\0\0\0\0\20\311\310\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0H\365\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 288, 292, 1453, 0} (24, {128, 156, new_msg, 0, 1240648, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\18\0\0\0\377\377\377\377\0\0\0\0\20\311\310\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0H\365\22\0\0\0\0\0" ... {128, 156, reply, 0, 288, 292, 1453, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\18\0\0\0\377\377\377\377\0\0\0\0\20\311\310\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0H\365\22\0\0\0\0\0" ) ) == 0x0 00290 292 NtClose (56, ... ) == 0x0 00291 292 NtClose (60, ... ) == 0x0 00292 292 NtUnmapViewOfSection (-1, 0x910000, ... ) == 0x0 00293 292 NtUnmapViewOfSection (-1, 0x12f548, ... ) == STATUS_NOT_MAPPED_VIEW 00294 292 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00295 292 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00296 292 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00297 292 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00298 292 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1238876, ... ) }, 1238876, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00299 292 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00300 292 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00301 292 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00302 292 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1239468, ... ) }, 1239468, ... ) == 0x0 00303 292 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 60, {status=0x0, info=1}, ) }, 3, 33, ... 60, {status=0x0, info=1}, ) == 0x0 00304 292 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00305 292 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 56, {status=0x0, info=1}, ) }, 5, 96, ... 56, {status=0x0, info=1}, ) == 0x0 00306 292 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 56, ... 64, ) == 0x0 00307 292 NtClose (56, ... ) == 0x0 00308 292 NtMapViewOfSection (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x910000), 0x0, 921600, ) == 0x0 00309 292 NtClose (64, ... ) == 0x0 00310 292 NtUnmapViewOfSection (-1, 0x910000, ... ) == 0x0 00311 292 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 64, {status=0x0, info=1}, ) }, 5, 96, ... 64, {status=0x0, info=1}, ) == 0x0 00312 292 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 64, ... 
56, ) == 0x0 00313 292 NtQuerySection (56, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00314 292 NtClose (64, ... ) == 0x0 00315 292 NtMapViewOfSection (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0 00316 292 NtClose (56, ... ) == 0x0 00317 292 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00318 292 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00319 292 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00320 292 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00321 292 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00322 292 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00323 292 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00324 292 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00325 292 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00326 292 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00327 292 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00328 292 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00329 292 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00330 292 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00331 292 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00332 292 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00333 292 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00334 292 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00335 292 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... 
(0x71951000), 4096, 32, ) == 0x0 00336 292 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00337 292 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00338 292 NtAddAtom ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1240652, ... ) , 42, 1240652, ... ) == 0x0 00339 292 NtQueryDefaultUILanguage (1239368, ... 00340 292 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00341 292 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482020, ) == 0x0 00342 292 NtQueryInformationToken (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00343 292 NtClose (-2147482020, ... ) == 0x0 00344 292 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00345 292 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00346 292 NtOpenKey (0x80000000, {24, -2147482020, 0x640, 0, 0, (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482024, ) }, ... -2147482024, ) == 0x0 00347 292 NtQueryValueKey (-2147482024, (-2147482024, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00348 292 NtClose (-2147482024, ... ) == 0x0 00349 292 NtClose (-2147482020, ... ) == 0x0 00339 292 NtQueryDefaultUILanguage ... ) == 0x0 00350 292 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00351 292 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1238220, ... ) }, 1238220, ... 
) == 0x0 00352 292 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 56, {status=0x0, info=1}, ) }, 5, 96, ... 56, {status=0x0, info=1}, ) == 0x0 00353 292 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 56, ... 64, ) == 0x0 00354 292 NtClose (56, ... ) == 0x0 00355 292 NtMapViewOfSection (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x370000), 0x0, 4096, ) == 0x0 00356 292 NtClose (64, ... ) == 0x0 00357 292 NtUnmapViewOfSection (-1, 0x370000, ... ) == 0x0 00358 292 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1237860, ... ) }, 1237860, ... ) == 0x0 00359 292 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1238560, (0x80100080, {24, 0, 0x40, 0, 1238560, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 64, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 64, {status=0x0, info=1}, ) == 0x0 00360 292 NtCreateSection (0xf0005, 0x0, 0x0, 2, 134217728, 64, ... 56, ) == 0x0 00361 292 NtClose (64, ... ) == 0x0 00362 292 NtMapViewOfSection (56, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x370000), {0, 0}, 4096, ) == 0x0 00363 292 NtClose (56, ... ) == 0x0 00364 292 NtUnmapViewOfSection (-1, 0x370000, ... ) == 0x0 00365 292 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 56, {status=0x0, info=1}, ) }, 1, 96, ... 56, {status=0x0, info=1}, ) == 0x0 00366 292 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 56, ... 64, ) == 0x0 00367 292 NtMapViewOfSection (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x370000), 0x0, 4096, ) == 0x0 00368 292 NtQueryInformationFile (56, 1238180, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0 00369 292 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00370 292 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1238260, 1, 96, 0} (24, {128, 156, new_msg, 0, 1238260, 1, 96, 0} "\210\6\31\1\33\0\1\0\2405\37[\2319\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\18\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\364\353\22\0\0\0\0\0" ... {128, 156, reply, 0, 288, 292, 1454, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2319\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\18\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\364\353\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 288, 292, 1454, 0} (24, {128, 156, new_msg, 0, 1238260, 1, 96, 0} "\210\6\31\1\33\0\1\0\2405\37[\2319\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\18\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\364\353\22\0\0\0\0\0" ... {128, 156, reply, 0, 288, 292, 1454, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2319\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\18\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\364\353\22\0\0\0\0\0" ) ) == 0x0 00371 292 NtClose (56, ... ) == 0x0 00372 292 NtClose (64, ... ) == 0x0 00373 292 NtUnmapViewOfSection (-1, 0x370000, ... ) == 0x0 00374 292 NtUnmapViewOfSection (-1, 0x12ebf4, ... ) == STATUS_NOT_MAPPED_VIEW 00375 292 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00376 292 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 00377 292 NtUserSystemParametersInfo (104, 0, 1906151468, 0, ... ) == 0x1 00378 292 NtUserGetDC (0, ... ) == 0x1010052 00379 292 NtUserCallOneParam (16842834, 56, ... 
) == 0x1 00380 292 NtUserSystemParametersInfo (38, 4, 1906153440, 0, ... ) == 0x1 00381 292 NtUserSystemParametersInfo (66, 12, 1240672, 0, ... ) == 0x1 00382 292 NtOpenProcessToken (-1, 0x8, ... 64, ) == 0x0 00383 292 NtAccessCheck (1327448, 64, 0x1, 1240076, 1240020, 56, 1240104, ... ) == STATUS_NO_IMPERSONATION_TOKEN 00384 292 NtClose (64, ... ) == 0x0 00385 292 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00386 292 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 64, ) == 0x0 00387 292 NtQueryInformationToken (64, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00388 292 NtClose (64, ... ) == 0x0 00389 292 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 64, ) }, ... 64, ) == 0x0 00390 292 NtSetInformationObject (64, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0 00391 292 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "Control Panel\Desktop"}, ... 56, ) }, ... 56, ) == 0x0 00392 292 NtQueryValueKey (56, (56, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00393 292 NtClose (56, ... ) == 0x0 00394 292 NtUserSystemParametersInfo (41, 500, 1240172, 0, ... ) == 0x1 00395 292 NtAllocateVirtualMemory (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0 00396 292 NtOpenKey (0x1, {24, 64, 0x40, 0, 0, (0x1, {24, 64, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 56, ) }, ... 56, ) == 0x0 00397 292 NtQueryValueKey (56, (56, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00398 292 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 68, ) }, ... 68, ) == 0x0 00399 292 NtQueryValueKey (68, (68, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00400 292 NtClose (68, ... ) == 0x0 00401 292 NtClose (56, ... ) == 0x0 00402 292 NtUserSystemParametersInfo (102, 0, 1906153328, 0, ... ) == 0x1 00403 292 NtUserSystemParametersInfo (4130, 0, 1240696, 0, ... ) == 0x1 00404 292 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 56, ) }, ... 56, ) == 0x0 00405 292 NtEnumerateValueKey (56, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 00406 292 NtClose (56, ... ) == 0x0 00407 292 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00408 292 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc03b 00409 292 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc03d 00410 292 NtUserFindExistingCursorIcon (1239976, 1239992, 1240560, ... ) == 0x10011 00411 292 NtUserRegisterClassExWOW (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc03f 00412 292 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00413 292 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc041 00414 292 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00415 292 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc043 00416 292 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc045 00417 292 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00418 292 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc047 00419 292 NtUserFindExistingCursorIcon (1239976, 1239992, 1240560, ... ) == 0x10011 00420 292 NtUserRegisterClassExWOW (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc049 00421 292 NtUserGetClassInfo (1905590272, 1240592, 1240544, 1240620, 0, ... 
) == 0xc049 00422 292 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00423 292 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc04b 00424 292 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00425 292 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc04d 00426 292 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00427 292 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc04f 00428 292 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc051 00429 292 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00430 292 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc053 00431 292 NtUserFindExistingCursorIcon (1239976, 1239992, 1240560, ... ) == 0x10011 00432 292 NtUserRegisterClassExWOW (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc055 00433 292 NtUserRegisterClassExWOW (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc057 00434 292 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00435 292 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc059 00436 292 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10013 00437 292 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc05b 00438 292 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00439 292 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc05d 00440 292 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00441 292 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc05f 00442 292 NtUserFindExistingCursorIcon (1239976, 1239992, 1240560, ... 
) == 0x10011 00443 292 NtUserRegisterClassExWOW (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc017 00444 292 NtUserFindExistingCursorIcon (1239976, 1239992, 1240560, ... ) == 0x10011 00445 292 NtUserRegisterClassExWOW (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc019 00446 292 NtUserFindExistingCursorIcon (1239976, 1239992, 1240560, ... ) == 0x10013 00447 292 NtUserRegisterClassExWOW (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc018 00448 292 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00449 292 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc01a 00450 292 NtUserFindExistingCursorIcon (1239976, 1239992, 1240560, ... ) == 0x10011 00451 292 NtUserRegisterClassExWOW (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc01c 00452 292 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00453 292 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc01e 00454 292 NtUserFindExistingCursorIcon (1239976, 1239992, 1240560, ... ) == 0x10011 00455 292 NtUserRegisterClassExWOW (1240488, 1240568, 1240552, 1240584, 0, 384, 0, ... ) == 0x810dc01b 00456 292 NtUserFindExistingCursorIcon (1239972, 1239988, 1240556, ... ) == 0x10011 00457 292 NtUserRegisterClassExWOW (1240484, 1240564, 1240548, 1240580, 0, 384, 0, ... 00458 292 NtAllocateVirtualMemory (-1, 6455296, 0, 4096, 4096, 32, ... 6455296, 4096, ) == 0x0 00457 292 NtUserRegisterClassExWOW ... ) == 0x810dc068 00459 292 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00460 292 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc06a 00461 292 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "comctl32.dll"}, ... 56, ) }, ... 56, ) == 0x0 00462 292 NtMapViewOfSection (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... 
(0x77340000), 0x0, 569344, ) == 0x0 00463 292 NtClose (56, ... ) == 0x0 00464 292 NtOpenProcess (0x400, {24, 0, 0x0, 0, 0, 0x0}, {288, 0}, ... 56, ) == 0x0 00465 292 NtQueryInformationProcess (56, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0 00466 292 NtClose (56, ... ) == 0x0 00467 292 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 00468 292 NtUserSystemParametersInfo (104, 0, 2000318720, 0, ... ) == 0x1 00469 292 NtUserSystemParametersInfo (38, 4, 2000318708, 0, ... ) == 0x1 00470 292 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "Control Panel\Desktop"}, ... 56, ) }, ... 56, ) == 0x0 00471 292 NtQueryValueKey (56, (56, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00472 292 NtClose (56, ... ) == 0x0 00473 292 NtUserSystemParametersInfo (41, 500, 1241332, 0, ... ) == 0x1 00474 292 NtUserSystemParametersInfo (102, 0, 2000318732, 0, ... ) == 0x1 00475 292 NtUserGetClassInfo (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0 00476 292 NtUserFindExistingCursorIcon (1241124, 1241140, 1241708, ... ) == 0x10011 00477 292 NtUserRegisterClassExWOW (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc03b 00478 292 NtUserGetClassInfo (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0 00479 292 NtUserRegisterClassExWOW (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc03d 00480 292 NtUserGetClassInfo (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0 00481 292 NtUserFindExistingCursorIcon (1241124, 1241140, 1241708, ... ) == 0x10011 00482 292 NtUserRegisterClassExWOW (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc03f 00483 292 NtUserGetClassInfo (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0 00484 292 NtUserFindExistingCursorIcon (1241124, 1241140, 1241708, ... ) == 0x10011 00485 292 NtUserRegisterClassExWOW (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... 
) == 0x810dc041 00486 292 NtUserGetClassInfo (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0 00487 292 NtUserFindExistingCursorIcon (1241124, 1241140, 1241708, ... ) == 0x10011 00488 292 NtUserRegisterClassExWOW (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc043 00489 292 NtUserGetClassInfo (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0 00490 292 NtUserRegisterClassExWOW (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc045 00491 292 NtUserGetClassInfo (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0 00492 292 NtUserFindExistingCursorIcon (1241124, 1241140, 1241708, ... ) == 0x10011 00493 292 NtUserRegisterClassExWOW (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc047 00494 292 NtUserGetClassInfo (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0 00495 292 NtUserFindExistingCursorIcon (1241120, 1241136, 1241704, ... ) == 0x10011 00496 292 NtUserRegisterClassExWOW (1241572, 1241652, 1241636, 1241668, 0, 384, 0, ... ) == 0x810dc049 00497 292 NtUserGetClassInfo (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0 00498 292 NtUserFindExistingCursorIcon (1241124, 1241140, 1241708, ... ) == 0x10011 00499 292 NtUserRegisterClassExWOW (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc04b 00500 292 NtUserGetClassInfo (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0 00501 292 NtUserFindExistingCursorIcon (1241124, 1241140, 1241708, ... ) == 0x10011 00502 292 NtUserRegisterClassExWOW (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc04d 00503 292 NtUserGetClassInfo (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0 00504 292 NtUserFindExistingCursorIcon (1241124, 1241140, 1241708, ... ) == 0x10011 00505 292 NtUserRegisterClassExWOW (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc04f 00506 292 NtUserGetClassInfo (1999896576, 1241744, 1241696, 1241772, 0, ... 
) == 0x0 00507 292 NtUserRegisterClassExWOW (1241580, 1241660, 1241644, 1241676, 0, 384, 0, ... ) == 0x810dc051 00508 292 NtUserGetClassInfo (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0 00509 292 NtUserFindExistingCursorIcon (1241124, 1241140, 1241708, ... ) == 0x10011 00510 292 NtUserRegisterClassExWOW (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc053 00511 292 NtUserGetClassInfo (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0 00512 292 NtUserFindExistingCursorIcon (1241124, 1241140, 1241708, ... ) == 0x10011 00513 292 NtUserRegisterClassExWOW (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc055 00514 292 NtUserRegisterClassExWOW (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc057 00515 292 NtUserGetClassInfo (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0 00516 292 NtUserFindExistingCursorIcon (1241124, 1241140, 1241708, ... ) == 0x10011 00517 292 NtUserRegisterClassExWOW (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc059 00518 292 NtUserGetClassInfo (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0 00519 292 NtUserFindExistingCursorIcon (1241124, 1241140, 1241708, ... ) == 0x10013 00520 292 NtUserRegisterClassExWOW (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc05b 00521 292 NtUserGetClassInfo (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0 00522 292 NtUserFindExistingCursorIcon (1241124, 1241140, 1241708, ... ) == 0x10011 00523 292 NtUserRegisterClassExWOW (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc05d 00524 292 NtUserGetClassInfo (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0 00525 292 NtUserFindExistingCursorIcon (1241124, 1241140, 1241708, ... ) == 0x10011 00526 292 NtUserRegisterClassExWOW (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc05f 00527 292 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... 
) == 0xc03b 00528 292 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc03d 00529 292 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc03f 00530 292 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc041 00531 292 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc043 00532 292 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc045 00533 292 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc047 00534 292 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc049 00535 292 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc04b 00536 292 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc04d 00537 292 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc04f 00538 292 NtUserGetClassInfo (1999896576, 1243496, 1243448, 1243524, 0, ... ) == 0xc051 00539 292 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc053 00540 292 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc055 00541 292 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc059 00542 292 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc05b 00543 292 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc05d 00544 292 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc05f 00545 292 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00546 292 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00547 292 NtTestAlert (... 
) == 0x0 00548 292 NtContinue (1244464, 1, ... 00549 292 NtSetInformationThread (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x422200,}, 4, ... ) == 0x0 00550 292 NtCreateEvent (0x1f0003, {24, 52, 0x80, 1245092, 0, (0x1f0003, {24, 52, 0x80, 1245092, 0, "VT_3"}, 1, 0, ... 56, ) }, 1, 0, ... 56, ) == 0x0 00551 292 NtCreateSection (0xe, {24, 0, 0x40, 1245092, 0, (0xe, {24, 0, 0x40, 1245092, 0, "\BaseNamedObjects\W32_Virtu"}, {27086, 0}, 64, 134217728, 0, ... 68, ) }, {27086, 0}, 64, 134217728, 0, ... 68, ) == 0x0 00552 292 NtMapViewOfSection (68, -1, (0x0), 0, 27086, 0x0, 27086, 2, 0, 64, ... (0x370000), 0x0, 28672, ) == 0x0 00553 292 NtOpenProcessToken (-1, 0x20, ... 72, ) == 0x0 00554 292 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00555 292 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00556 292 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 76, ) }, ... 76, ) == 0x0 00557 292 NtQueryValueKey (76, (76, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00558 292 NtClose (76, ... ) == 0x0 00559 292 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00560 292 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 76, ) == 0x0 00561 292 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 80, ) == 0x0 00562 292 NtQuerySystemTime (... {787804912, 29891078}, ) == 0x0 00563 292 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 
84, ) == 0x0 00564 292 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00565 292 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0 00566 292 NtQueryInformationProcess (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0 00567 292 NtQueryInformationProcess (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0 00568 292 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 88, ) == 0x0 00569 292 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 92, ) == 0x0 00570 292 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 96, ) }, ... 96, ) == 0x0 00571 292 NtOpenKey (0x20019, {24, 96, 0x40, 0, 0, (0x20019, {24, 96, 0x40, 0, 0, "ActiveComputerName"}, ... 100, ) }, ... 100, ) == 0x0 00572 292 NtQueryValueKey (100, (100, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (100, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (100, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0 00573 292 NtClose (100, ... ) == 0x0 00574 292 NtClose (96, ... ) == 0x0 00575 292 NtCreateIoCompletion (0x1f0003, 0x0, 0, ... 96, ) == 0x0 00576 292 NtCreateIoCompletion (0x1f0003, 0x0, -1, ... 100, ) == 0x0 00577 292 NtDuplicateObject (-1, 96, -1, 0x0, 0, 2, ... 104, ) == 0x0 00578 292 NtAllocateVirtualMemory (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0 00579 292 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 00580 292 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 108, ) == 0x0 00581 292 NtOpenThreadToken (-2, 0xc, 1, ... 
) == STATUS_NO_TOKEN 00582 292 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 00583 292 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1243268, (0xc0100080, {24, 0, 0x40, 0, 1243268, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 112, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 112, {status=0x0, info=1}, ) == 0x0 00584 292 NtSetInformationFile (112, 1243324, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 00585 292 NtSetInformationFile (112, 1243316, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 00586 292 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 00587 292 NtWriteFile (112, 89, 0, 0, (112, 89, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 00588 292 NtReadFile (112, 89, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (112, 89, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\0 \0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 00589 292 NtFsControlFile (112, 89, 0x0, 0x0, 0x11c017, (112, 89, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0<\377\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\0 \0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68}, (112, 89, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0<\377\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... 
{status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\0 \0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 00590 292 NtFsControlFile (112, 89, 0x0, 0x0, 0x11c017, (112, 89, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\2\0\0\0H\0\0\0\0\0\37\0\0\0\0\0\344\346'l\371\205\334\21\261\310\0\14)\371\246\305 \0"\0\270G\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 96, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\344\346'l\371\205\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) \0\270G\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0 (112, 89, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\2\0\0\0H\0\0\0\0\0\37\0\0\0\0\0\344\346'l\371\205\334\21\261\310\0\14)\371\246\305 \0"\0\270G\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 96, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\344\346'l\371\205\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) \5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\344\346'l\371\205\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) == 0x103 00591 292 NtFsControlFile (112, 89, 0x0, 0x0, 0x11c017, (112, 89, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\344\346'l\371\205\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=36}, (112, 89, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\344\346'l\371\205\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103 00592 292 NtClose (108, ... ) == 0x0 00593 292 NtClose (112, ... 
) == 0x0 00594 292 NtAdjustPrivilegesToken (72, 0, 1245096, 0, 0, 0, ... ) == 0x0 00595 292 NtClose (72, ... ) == 0x0 00596 292 NtAllocateVirtualMemory (-1, 0, 0, 65536, 4096, 4, ... 3735552, 65536, ) == 0x0 00597 292 NtQuerySystemInformation (ProcessesAndThreads, 65536, ... {system info, class 5, size 500}, 0x0, ) == 0x0 00598 292 NtCreateSection (0xf0007, 0x0, {11728, 0}, 4, 134217728, 0, ... 72, ) == 0x0 00599 292 NtMapViewOfSection (72, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 12288, ) == 0x0 00600 292 NtUnmapViewOfSection (-1, 0x3a0000, ... ) == 0x0 00601 292 NtMapViewOfSection (72, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 12288, ) == 0x0 00602 292 NtFreeVirtualMemory (-1, (0x390000), 0, 32768, ... (0x390000), 65536, ) == 0x0 00603 292 NtUnmapViewOfSection (-1, 0x3a0000, ... ) == 0x0 00604 292 NtMapViewOfSection (72, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x390000), {0, 0}, 12288, ) == 0x0 00605 292 NtUnmapViewOfSection (-1, 0x390000, ... ) == 0x0 00606 292 NtMapViewOfSection (72, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x390000), {0, 0}, 12288, ) == 0x0 00607 292 NtUnmapViewOfSection (-1, 0x390000, ... ) == 0x0 00608 292 NtMapViewOfSection (72, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x390000), {0, 0}, 12288, ) == 0x0 00609 292 NtUnmapViewOfSection (-1, 0x390000, ... ) == 0x0 00610 292 NtMapViewOfSection (72, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x390000), {0, 0}, 12288, ) == 0x0 00611 292 NtUnmapViewOfSection (-1, 0x390000, ... ) == 0x0 00612 292 NtMapViewOfSection (72, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x390000), {0, 0}, 12288, ) == 0x0 00613 292 NtUnmapViewOfSection (-1, 0x390000, ... ) == 0x0 00614 292 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {616, 0}, ... 112, ) == 0x0 00615 292 NtOpenSection (0xe, {24, 52, 0x0, 0, 0, (0xe, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 108, ) }, ... 108, ) == 0x0 00616 292 NtMapViewOfSection (108, 112, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... 
(0x7ff90000), 0x0, 28672, ) == 0x0 00617 292 NtClose (108, ... ) == 0x0 00618 292 NtProtectVirtualMemory (112, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00619 292 NtWriteVirtualMemory (112, 0x77f7e603, (112, 0x77f7e603, "\350\214=\1\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00620 292 NtProtectVirtualMemory (112, (0x77f7eaf3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00621 292 NtWriteVirtualMemory (112, 0x77f7eaf3, (112, 0x77f7eaf3, "\350\3518\1\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00622 292 NtProtectVirtualMemory (112, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00623 292 NtWriteVirtualMemory (112, 0x77f7e6a3, (112, 0x77f7e6a3, "\350@=\1\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00624 292 NtProtectVirtualMemory (112, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00625 292 NtWriteVirtualMemory (112, 0x77f7e6b3, (112, 0x77f7e6b3, "\350==\1\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00626 292 NtAllocateVirtualMemory (112, 0, 0, 1048576, 8192, 4, ... 21757952, 1048576, ) == 0x0 00627 292 NtAllocateVirtualMemory (112, 22798336, 0, 8192, 4096, 4, ... 22798336, 8192, ) == 0x0 00628 292 NtProtectVirtualMemory (112, (0x15be000), 4096, 260, ... (0x15be000), 4096, 4, ) == 0x0 00629 292 NtCreateThread (0x1f03ff, 0x0, 112, 1244008, 1244724, 1, ... 108, {616, 568}, ) == 0x0 00630 292 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1244852, 2012750850, 2012697848, -1} (24, {28, 56, new_msg, 0, 1244852, 2012750850, 2012697848, -1} "\0\0\0\0\1\0\1\0\0\0\24\0\0\0\0\0l\0\0\0h\2\0\08\2\0\0" ... {28, 56, reply, 0, 288, 292, 1457, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0l\0\0\0h\2\0\08\2\0\0" ) ... {28, 56, reply, 0, 288, 292, 1457, 0} (24, {28, 56, new_msg, 0, 1244852, 2012750850, 2012697848, -1} "\0\0\0\0\1\0\1\0\0\0\24\0\0\0\0\0l\0\0\0h\2\0\08\2\0\0" ... {28, 56, reply, 0, 288, 292, 1457, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0l\0\0\0h\2\0\08\2\0\0" ) ) == 0x0 00631 292 NtResumeThread (108, ... 1, ) == 0x0 00632 292 NtClose (112, ... 
) == 0x0 00633 292 NtMapViewOfSection (72, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x390000), {0, 0}, 12288, ) == 0x0 00634 292 NtUnmapViewOfSection (-1, 0x390000, ... ) == 0x0 00635 292 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {660, 0}, ... 112, ) == 0x0 00636 292 NtOpenSection (0xe, {24, 52, 0x0, 0, 0, (0xe, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 116, ) }, ... 116, ) == 0x0 00637 292 NtMapViewOfSection (116, 112, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0 00638 292 NtClose (116, ... ) == 0x0 00639 292 NtProtectVirtualMemory (112, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00640 292 NtWriteVirtualMemory (112, 0x77f7e603, (112, 0x77f7e603, "\350\214=\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00641 292 NtProtectVirtualMemory (112, (0x77f7eaf3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00642 292 NtWriteVirtualMemory (112, 0x77f7eaf3, (112, 0x77f7eaf3, "\350\3518\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00643 292 NtProtectVirtualMemory (112, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00644 292 NtWriteVirtualMemory (112, 0x77f7e6a3, (112, 0x77f7e6a3, "\350@=\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00645 292 NtProtectVirtualMemory (112, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00646 292 NtWriteVirtualMemory (112, 0x77f7e6b3, (112, 0x77f7e6b3, "\350==\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00647 292 NtClose (112, ... ) == 0x0 00648 292 NtMapViewOfSection (72, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x390000), {0, 0}, 12288, ) == 0x0 00649 292 NtUnmapViewOfSection (-1, 0x390000, ... ) == 0x0 00650 292 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {672, 0}, ... 112, ) == 0x0 00651 292 NtOpenSection (0xe, {24, 52, 0x0, 0, 0, (0xe, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 116, ) }, ... 116, ) == 0x0 00652 292 NtMapViewOfSection (116, 112, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ff90000), 0x0, 28672, ) == 0x0 00653 292 NtClose (116, ... 
) == 0x0 00654 292 NtProtectVirtualMemory (112, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00655 292 NtWriteVirtualMemory (112, 0x77f7e603, (112, 0x77f7e603, "\350\214=\1\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00656 292 NtProtectVirtualMemory (112, (0x77f7eaf3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00657 292 NtWriteVirtualMemory (112, 0x77f7eaf3, (112, 0x77f7eaf3, "\350\3518\1\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00658 292 NtProtectVirtualMemory (112, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00659 292 NtWriteVirtualMemory (112, 0x77f7e6a3, (112, 0x77f7e6a3, "\350@=\1\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00660 292 NtProtectVirtualMemory (112, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00661 292 NtWriteVirtualMemory (112, 0x77f7e6b3, (112, 0x77f7e6b3, "\350==\1\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00662 292 NtClose (112, ... ) == 0x0 00663 292 NtMapViewOfSection (72, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x390000), {0, 0}, 12288, ) == 0x0 00664 292 NtUnmapViewOfSection (-1, 0x390000, ... ) == 0x0 00665 292 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {844, 0}, ... 112, ) == 0x0 00666 292 NtOpenSection (0xe, {24, 52, 0x0, 0, 0, (0xe, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 116, ) }, ... 116, ) == 0x0 00667 292 NtMapViewOfSection (116, 112, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0 00668 292 NtClose (116, ... ) == 0x0 00669 292 NtProtectVirtualMemory (112, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00670 292 NtWriteVirtualMemory (112, 0x77f7e603, (112, 0x77f7e603, "\350\214=\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00671 292 NtProtectVirtualMemory (112, (0x77f7eaf3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00672 292 NtWriteVirtualMemory (112, 0x77f7eaf3, (112, 0x77f7eaf3, "\350\3518\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00673 292 NtProtectVirtualMemory (112, (0x77f7e6a3), 5, 64, ... 
(0x77f7e000), 4096, 64, ) == 0x0 00674 292 NtWriteVirtualMemory (112, 0x77f7e6a3, (112, 0x77f7e6a3, "\350@=\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00675 292 NtProtectVirtualMemory (112, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00676 292 NtWriteVirtualMemory (112, 0x77f7e6b3, (112, 0x77f7e6b3, "\350==\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00677 292 NtClose (112, ... ) == 0x0 00678 292 NtMapViewOfSection (72, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x390000), {0, 0}, 12288, ) == 0x0 00679 292 NtUnmapViewOfSection (-1, 0x390000, ... ) == 0x0 00680 292 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {972, 0}, ... 112, ) == 0x0 00681 292 NtOpenSection (0xe, {24, 52, 0x0, 0, 0, (0xe, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 116, ) }, ... 116, ) == 0x0 00682 292 NtMapViewOfSection (116, 112, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ff60000), 0x0, 28672, ) == 0x0 00683 292 NtClose (116, ... ) == 0x0 00684 292 NtProtectVirtualMemory (112, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00685 292 NtWriteVirtualMemory (112, 0x77f7e603, (112, 0x77f7e603, "\350\214=\376\7", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00686 292 NtProtectVirtualMemory (112, (0x77f7eaf3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00687 292 NtWriteVirtualMemory (112, 0x77f7eaf3, (112, 0x77f7eaf3, "\350\3518\376\7", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00688 292 NtProtectVirtualMemory (112, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00689 292 NtWriteVirtualMemory (112, 0x77f7e6a3, (112, 0x77f7e6a3, "\350@=\376\7", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00690 292 NtProtectVirtualMemory (112, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00691 292 NtWriteVirtualMemory (112, 0x77f7e6b3, (112, 0x77f7e6b3, "\350==\376\7", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00692 292 NtClose (112, ... ) == 0x0 00693 292 NtMapViewOfSection (72, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... 
(0x390000), {0, 0}, 12288, ) == 0x0 00694 292 NtUnmapViewOfSection (-1, 0x390000, ... ) == 0x0 00695 292 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1048, 0}, ... 112, ) == 0x0 00696 292 NtOpenSection (0xe, {24, 52, 0x0, 0, 0, (0xe, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 116, ) }, ... 116, ) == 0x0 00697 292 NtMapViewOfSection (116, 112, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0 00698 292 NtClose (116, ... ) == 0x0 00699 292 NtProtectVirtualMemory (112, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00700 292 NtWriteVirtualMemory (112, 0x77f7e603, (112, 0x77f7e603, "\350\214=\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00701 292 NtProtectVirtualMemory (112, (0x77f7eaf3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00702 292 NtWriteVirtualMemory (112, 0x77f7eaf3, (112, 0x77f7eaf3, "\350\3518\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00703 292 NtProtectVirtualMemory (112, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00704 292 NtWriteVirtualMemory (112, 0x77f7e6a3, (112, 0x77f7e6a3, "\350@=\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00705 292 NtProtectVirtualMemory (112, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00706 292 NtWriteVirtualMemory (112, 0x77f7e6b3, (112, 0x77f7e6b3, "\350==\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00707 292 NtClose (112, ... ) == 0x0 00708 292 NtMapViewOfSection (72, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x390000), {0, 0}, 12288, ) == 0x0 00709 292 NtUnmapViewOfSection (-1, 0x390000, ... ) == 0x0 00710 292 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1072, 0}, ... 112, ) == 0x0 00711 292 NtOpenSection (0xe, {24, 52, 0x0, 0, 0, (0xe, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 116, ) }, ... 116, ) == 0x0 00712 292 NtMapViewOfSection (116, 112, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0 00713 292 NtClose (116, ... ) == 0x0 00714 292 NtProtectVirtualMemory (112, (0x77f7e603), 5, 64, ... 
(0x77f7e000), 4096, 32, ) == 0x0 00715 292 NtWriteVirtualMemory (112, 0x77f7e603, (112, 0x77f7e603, "\350\214=\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00716 292 NtProtectVirtualMemory (112, (0x77f7eaf3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00717 292 NtWriteVirtualMemory (112, 0x77f7eaf3, (112, 0x77f7eaf3, "\350\3518\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00718 292 NtProtectVirtualMemory (112, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00719 292 NtWriteVirtualMemory (112, 0x77f7e6a3, (112, 0x77f7e6a3, "\350@=\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00720 292 NtProtectVirtualMemory (112, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00721 292 NtWriteVirtualMemory (112, 0x77f7e6b3, (112, 0x77f7e6b3, "\350==\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00722 292 NtClose (112, ... ) == 0x0 00723 292 NtMapViewOfSection (72, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x390000), {0, 0}, 12288, ) == 0x0 00724 292 NtUnmapViewOfSection (-1, 0x390000, ... ) == 0x0 00725 292 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1376, 0}, ... 112, ) == 0x0 00726 292 NtOpenSection (0xe, {24, 52, 0x0, 0, 0, (0xe, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 116, ) }, ... 116, ) == 0x0 00727 292 NtMapViewOfSection (116, 112, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0 00728 292 NtClose (116, ... ) == 0x0 00729 292 NtProtectVirtualMemory (112, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00730 292 NtWriteVirtualMemory (112, 0x77f7e603, (112, 0x77f7e603, "\350\214=\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00731 292 NtProtectVirtualMemory (112, (0x77f7eaf3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00732 292 NtWriteVirtualMemory (112, 0x77f7eaf3, (112, 0x77f7eaf3, "\350\3518\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00733 292 NtProtectVirtualMemory (112, (0x77f7e6a3), 5, 64, ... 
(0x77f7e000), 4096, 64, ) == 0x0 00734 292 NtWriteVirtualMemory (112, 0x77f7e6a3, (112, 0x77f7e6a3, "\350@=\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00735 292 NtProtectVirtualMemory (112, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00736 292 NtWriteVirtualMemory (112, 0x77f7e6b3, (112, 0x77f7e6b3, "\350==\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00737 292 NtClose (112, ... ) == 0x0 00738 292 NtMapViewOfSection (72, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x390000), {0, 0}, 12288, ) == 0x0 00739 292 NtUnmapViewOfSection (-1, 0x390000, ... ) == 0x0 00740 292 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1648, 0}, ... 112, ) == 0x0 00741 292 NtOpenSection (0xe, {24, 52, 0x0, 0, 0, (0xe, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 116, ) }, ... 116, ) == 0x0 00742 292 NtMapViewOfSection (116, 112, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0 00743 292 NtClose (116, ... ) == 0x0 00744 292 NtProtectVirtualMemory (112, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00745 292 NtWriteVirtualMemory (112, 0x77f7e603, (112, 0x77f7e603, "\350\214=\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00746 292 NtProtectVirtualMemory (112, (0x77f7eaf3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00747 292 NtWriteVirtualMemory (112, 0x77f7eaf3, (112, 0x77f7eaf3, "\350\3518\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00748 292 NtProtectVirtualMemory (112, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00749 292 NtWriteVirtualMemory (112, 0x77f7e6a3, (112, 0x77f7e6a3, "\350@=\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00750 292 NtProtectVirtualMemory (112, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00751 292 NtWriteVirtualMemory (112, 0x77f7e6b3, (112, 0x77f7e6b3, "\350==\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00752 292 NtClose (112, ... ) == 0x0 00753 292 NtMapViewOfSection (72, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... 
(0x390000), {0, 0}, 12288, ) == 0x0 00754 292 NtUnmapViewOfSection (-1, 0x390000, ... ) == 0x0 00755 292 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1960, 0}, ... 112, ) == 0x0 00756 292 NtOpenSection (0xe, {24, 52, 0x0, 0, 0, (0xe, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 116, ) }, ... 116, ) == 0x0 00757 292 NtMapViewOfSection (116, 112, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0 00758 292 NtClose (116, ... ) == 0x0 00759 292 NtProtectVirtualMemory (112, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00760 292 NtWriteVirtualMemory (112, 0x77f7e603, (112, 0x77f7e603, "\350\214=\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00761 292 NtProtectVirtualMemory (112, (0x77f7eaf3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00762 292 NtWriteVirtualMemory (112, 0x77f7eaf3, (112, 0x77f7eaf3, "\350\3518\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00763 292 NtProtectVirtualMemory (112, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00764 292 NtWriteVirtualMemory (112, 0x77f7e6a3, (112, 0x77f7e6a3, "\350@=\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00765 292 NtProtectVirtualMemory (112, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00766 292 NtWriteVirtualMemory (112, 0x77f7e6b3, (112, 0x77f7e6b3, "\350==\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00767 292 NtClose (112, ... ) == 0x0 00768 292 NtMapViewOfSection (72, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x390000), {0, 0}, 12288, ) == 0x0 00769 292 NtUnmapViewOfSection (-1, 0x390000, ... ) == 0x0 00770 292 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {2020, 0}, ... 112, ) == 0x0 00771 292 NtOpenSection (0xe, {24, 52, 0x0, 0, 0, (0xe, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 116, ) }, ... 116, ) == 0x0 00772 292 NtMapViewOfSection (116, 112, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0 00773 292 NtClose (116, ... ) == 0x0 00774 292 NtProtectVirtualMemory (112, (0x77f7e603), 5, 64, ... 
(0x77f7e000), 4096, 32, ) == 0x0 00775 292 NtWriteVirtualMemory (112, 0x77f7e603, (112, 0x77f7e603, "\350\214=\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00776 292 NtProtectVirtualMemory (112, (0x77f7eaf3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00777 292 NtWriteVirtualMemory (112, 0x77f7eaf3, (112, 0x77f7eaf3, "\350\3518\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00778 292 NtProtectVirtualMemory (112, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00779 292 NtWriteVirtualMemory (112, 0x77f7e6a3, (112, 0x77f7e6a3, "\350@=\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00780 292 NtProtectVirtualMemory (112, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00781 292 NtWriteVirtualMemory (112, 0x77f7e6b3, (112, 0x77f7e6b3, "\350==\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00782 292 NtClose (112, ... ) == 0x0 00783 292 NtMapViewOfSection (72, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x390000), {0, 0}, 12288, ) == 0x0 00784 292 NtUnmapViewOfSection (-1, 0x390000, ... ) == 0x0 00785 292 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {208, 0}, ... 112, ) == 0x0 00786 292 NtOpenSection (0xe, {24, 52, 0x0, 0, 0, (0xe, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 116, ) }, ... 116, ) == 0x0 00787 292 NtMapViewOfSection (116, 112, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0 00788 292 NtClose (116, ... ) == 0x0 00789 292 NtProtectVirtualMemory (112, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00790 292 NtWriteVirtualMemory (112, 0x77f7e603, (112, 0x77f7e603, "\350\214=\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00791 292 NtProtectVirtualMemory (112, (0x77f7eaf3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00792 292 NtWriteVirtualMemory (112, 0x77f7eaf3, (112, 0x77f7eaf3, "\350\3518\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00793 292 NtProtectVirtualMemory (112, (0x77f7e6a3), 5, 64, ... 
(0x77f7e000), 4096, 64, ) == 0x0 00794 292 NtWriteVirtualMemory (112, 0x77f7e6a3, (112, 0x77f7e6a3, "\350@=\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00795 292 NtProtectVirtualMemory (112, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00796 292 NtWriteVirtualMemory (112, 0x77f7e6b3, (112, 0x77f7e6b3, "\350==\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00797 292 NtClose (112, ... ) == 0x0 00798 292 NtMapViewOfSection (72, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x390000), {0, 0}, 12288, ) == 0x0 00799 292 NtUnmapViewOfSection (-1, 0x390000, ... ) == 0x0 00800 292 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {220, 0}, ... 112, ) == 0x0 00801 292 NtOpenSection (0xe, {24, 52, 0x0, 0, 0, (0xe, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 116, ) }, ... 116, ) == 0x0 00802 292 NtMapViewOfSection (116, 112, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0 00803 292 NtClose (116, ... ) == 0x0 00804 292 NtProtectVirtualMemory (112, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00805 292 NtWriteVirtualMemory (112, 0x77f7e603, (112, 0x77f7e603, "\350\214=\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00806 292 NtProtectVirtualMemory (112, (0x77f7eaf3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00807 292 NtWriteVirtualMemory (112, 0x77f7eaf3, (112, 0x77f7eaf3, "\350\3518\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00808 292 NtProtectVirtualMemory (112, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00809 292 NtWriteVirtualMemory (112, 0x77f7e6a3, (112, 0x77f7e6a3, "\350@=\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00810 292 NtProtectVirtualMemory (112, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00811 292 NtWriteVirtualMemory (112, 0x77f7e6b3, (112, 0x77f7e6b3, "\350==\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00812 292 NtClose (112, ... ) == 0x0 00813 292 NtMapViewOfSection (72, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... 
(0x390000), {0, 0}, 12288, ) == 0x0 00814 292 NtUnmapViewOfSection (-1, 0x390000, ... ) == 0x0 00815 292 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {228, 0}, ... 112, ) == 0x0 00816 292 NtOpenSection (0xe, {24, 52, 0x0, 0, 0, (0xe, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 116, ) }, ... 116, ) == 0x0 00817 292 NtMapViewOfSection (116, 112, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0 00818 292 NtClose (116, ... ) == 0x0 00819 292 NtProtectVirtualMemory (112, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00820 292 NtWriteVirtualMemory (112, 0x77f7e603, (112, 0x77f7e603, "\350\214=\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00821 292 NtProtectVirtualMemory (112, (0x77f7eaf3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00822 292 NtWriteVirtualMemory (112, 0x77f7eaf3, (112, 0x77f7eaf3, "\350\3518\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00823 292 NtProtectVirtualMemory (112, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00824 292 NtWriteVirtualMemory (112, 0x77f7e6a3, (112, 0x77f7e6a3, "\350@=\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00825 292 NtProtectVirtualMemory (112, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00826 292 NtWriteVirtualMemory (112, 0x77f7e6b3, (112, 0x77f7e6b3, "\350==\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00827 292 NtClose (112, ... ) == 0x0 00828 292 NtMapViewOfSection (72, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x390000), {0, 0}, 12288, ) == 0x0 00829 292 NtUnmapViewOfSection (-1, 0x390000, ... ) == 0x0 00830 292 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {240, 0}, ... 112, ) == 0x0 00831 292 NtOpenSection (0xe, {24, 52, 0x0, 0, 0, (0xe, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 116, ) }, ... 116, ) == 0x0 00832 292 NtMapViewOfSection (116, 112, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0 00833 292 NtClose (116, ... ) == 0x0 00834 292 NtProtectVirtualMemory (112, (0x77f7e603), 5, 64, ... 
(0x77f7e000), 4096, 32, ) == 0x0 00835 292 NtWriteVirtualMemory (112, 0x77f7e603, (112, 0x77f7e603, "\350\214=\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00836 292 NtProtectVirtualMemory (112, (0x77f7eaf3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00837 292 NtWriteVirtualMemory (112, 0x77f7eaf3, (112, 0x77f7eaf3, "\350\3518\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00838 292 NtProtectVirtualMemory (112, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00839 292 NtWriteVirtualMemory (112, 0x77f7e6a3, (112, 0x77f7e6a3, "\350@=\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00840 292 NtProtectVirtualMemory (112, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00841 292 NtWriteVirtualMemory (112, 0x77f7e6b3, (112, 0x77f7e6b3, "\350==\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00842 292 NtClose (112, ... ) == 0x0 00843 292 NtMapViewOfSection (72, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x390000), {0, 0}, 12288, ) == 0x0 00844 292 NtUnmapViewOfSection (-1, 0x390000, ... ) == 0x0 00845 292 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {264, 0}, ... 112, ) == 0x0 00846 292 NtOpenSection (0xe, {24, 52, 0x0, 0, 0, (0xe, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 116, ) }, ... 116, ) == 0x0 00847 292 NtMapViewOfSection (116, 112, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0 00848 292 NtClose (116, ... ) == 0x0 00849 292 NtProtectVirtualMemory (112, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00850 292 NtWriteVirtualMemory (112, 0x77f7e603, (112, 0x77f7e603, "\350\214=\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00851 292 NtProtectVirtualMemory (112, (0x77f7eaf3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00852 292 NtWriteVirtualMemory (112, 0x77f7eaf3, (112, 0x77f7eaf3, "\350\3518\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00853 292 NtProtectVirtualMemory (112, (0x77f7e6a3), 5, 64, ... 
(0x77f7e000), 4096, 64, ) == 0x0 00854 292 NtWriteVirtualMemory (112, 0x77f7e6a3, (112, 0x77f7e6a3, "\350@=\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00855 292 NtProtectVirtualMemory (112, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00856 292 NtWriteVirtualMemory (112, 0x77f7e6b3, (112, 0x77f7e6b3, "\350==\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00857 292 NtClose (112, ... ) == 0x0 00858 292 NtMapViewOfSection (72, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x390000), {0, 0}, 12288, ) == 0x0 00859 292 NtUnmapViewOfSection (-1, 0x390000, ... ) == 0x0 00860 292 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {288, 0}, ... 112, ) == 0x0 00861 292 NtOpenSection (0xe, {24, 52, 0x0, 0, 0, (0xe, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 116, ) }, ... 116, ) == 0x0 00862 292 NtMapViewOfSection (116, 112, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0 00863 292 NtClose (116, ... ) == 0x0 00864 292 NtProtectVirtualMemory (112, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00865 292 NtWriteVirtualMemory (112, 0x77f7e603, (112, 0x77f7e603, "\350\214=\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00866 292 NtProtectVirtualMemory (112, (0x77f7eaf3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00867 292 NtWriteVirtualMemory (112, 0x77f7eaf3, (112, 0x77f7eaf3, "\350\3518\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00868 292 NtProtectVirtualMemory (112, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00869 292 NtWriteVirtualMemory (112, 0x77f7e6a3, (112, 0x77f7e6a3, "\350@=\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00870 292 NtProtectVirtualMemory (112, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00871 292 NtWriteVirtualMemory (112, 0x77f7e6b3, (112, 0x77f7e6b3, "\350==\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00872 292 NtClose (112, ... ) == 0x0 00873 292 NtMapViewOfSection (72, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... 
(0x390000), {0, 0}, 12288, ) == 0x0 00874 292 NtUnmapViewOfSection (-1, 0x390000, ... ) == 0x0 00875 292 NtClose (72, ... ) == 0x0 00876 292 NtClose (56, ... ) == 0x0 00877 292 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 00878 292 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 00879 292 NtDelayExecution (0, {-10000000, -1}, ... ) == 0x0 00880 292 NtCreateMutant (0x1f0001, {24, 52, 0x80, 0, 0, (0x1f0001, {24, 52, 0x80, 0, 0, "b1790f4c06f035c083b712e3f4f6a1a8c30c"}, 0, ... 56, ) }, 0, ... 56, ) == 0x0 00881 292 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "netapi32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00882 292 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\netapi32.dll"}, 1238196, ... ) }, 1238196, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00883 292 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "netapi32.dll"}, 1238196, ... ) }, 1238196, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00884 292 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\netapi32.dll"}, 1238196, ... ) }, 1238196, ... ) == 0x0 00885 292 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\netapi32.dll"}, 5, 96, ... 72, {status=0x0, info=1}, ) }, 5, 96, ... 72, {status=0x0, info=1}, ) == 0x0 00886 292 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 72, ... 112, ) == 0x0 00887 292 NtQuerySection (112, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00888 292 NtClose (72, ... ) == 0x0 00889 292 NtMapViewOfSection (112, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c20000), 0x0, 323584, ) == 0x0 00890 292 NtClose (112, ... ) == 0x0 00891 292 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "mpr.dll"}, ... 112, ) }, ... 
112, ) == 0x0 00892 292 NtMapViewOfSection (112, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71b20000), 0x0, 69632, ) == 0x0 00893 292 NtClose (112, ... ) == 0x0 00894 292 NtCreateSemaphore (0x1f0003, 0x0, 1, 1, ... 112, ) == 0x0 00895 292 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 72, ) == 0x0 00896 292 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "system\CurrentControlSet\control\NetworkProvider\HwOrder"}, ... 116, ) }, ... 116, ) == 0x0 00897 292 NtNotifyChangeKey (116, 72, 0, 0, 2011390432, 4, 0, 0, 0, 1, ... ) == 0x103 00898 292 NtQueryInformationProcess (-1, 28, 4, ... {process info, class 28, size 4}, 0x0, ) == 0x0 00899 292 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 120, ) == 0x0 00900 292 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 124, ) == 0x0 00901 292 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "pstorec.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00902 292 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\pstorec.dll"}, 1238196, ... ) }, 1238196, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00903 292 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "pstorec.dll"}, 1238196, ... ) }, 1238196, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00904 292 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\pstorec.dll"}, 1238196, ... ) }, 1238196, ... ) == 0x0 00905 292 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\pstorec.dll"}, 5, 96, ... 128, {status=0x0, info=1}, ) }, 5, 96, ... 128, {status=0x0, info=1}, ) == 0x0 00906 292 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 128, ... 132, ) == 0x0 00907 292 NtQuerySection (132, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00908 292 NtClose (128, ... ) == 0x0 00909 292 NtMapViewOfSection (132, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5e0c0000), 0x0, 49152, ) == 0x0 00910 292 NtClose (132, ... 
) == 0x0 00911 292 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ATL.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00912 292 NtAllocateVirtualMemory (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0 00913 292 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\ATL.DLL"}, 1237392, ... ) }, 1237392, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00914 292 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "ATL.DLL"}, 1237392, ... ) }, 1237392, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00915 292 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ATL.DLL"}, 1237392, ... ) }, 1237392, ... ) == 0x0 00916 292 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ATL.DLL"}, 5, 96, ... 132, {status=0x0, info=1}, ) }, 5, 96, ... 132, {status=0x0, info=1}, ) == 0x0 00917 292 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 132, ... 128, ) == 0x0 00918 292 NtQuerySection (128, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00919 292 NtClose (132, ... ) == 0x0 00920 292 NtMapViewOfSection (128, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76b20000), 0x0, 86016, ) == 0x0 00921 292 NtClose (128, ... ) == 0x0 00922 292 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00923 292 NtAllocateVirtualMemory (-1, 0, 0, 262144, 8192, 4, ... 3735552, 262144, ) == 0x0 00924 292 NtAllocateVirtualMemory (-1, 3735552, 0, 4096, 4096, 4, ... 3735552, 4096, ) == 0x0 00925 292 NtAllocateVirtualMemory (-1, 3739648, 0, 8192, 4096, 4, ... 3739648, 8192, ) == 0x0 00926 292 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00927 292 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00928 292 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "wininet.dll"}, ... 128, ) }, ... 128, ) == 0x0 00929 292 NtMapViewOfSection (128, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76200000), 0x0, 618496, ) == 0x0 00930 292 NtClose (128, ... ) == 0x0 00931 292 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "CRYPT32.dll"}, ... 128, ) }, ... 128, ) == 0x0 00932 292 NtMapViewOfSection (128, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762c0000), 0x0, 565248, ) == 0x0 00933 292 NtClose (128, ... ) == 0x0 00934 292 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "MSASN1.dll"}, ... 128, ) }, ... 128, ) == 0x0 00935 292 NtMapViewOfSection (128, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762a0000), 0x0, 61440, ) == 0x0 00936 292 NtClose (128, ... ) == 0x0 00937 292 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\crypt32\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00938 292 NtAllocateVirtualMemory (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0 00939 292 NtAllocateVirtualMemory (-1, 1347584, 0, 4096, 4096, 4, ... 1347584, 4096, ) == 0x0 00940 292 NtAllocateVirtualMemory (-1, 1351680, 0, 4096, 4096, 4, ... 1351680, 4096, ) == 0x0 00941 292 NtCreateEvent (0x1f0003, {24, 52, 0x80, 1238328, 0, (0x1f0003, {24, 52, 0x80, 1238328, 0, "Global\crypt32LogoffEvent"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED 00942 292 NtOpenEvent (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "Global\crypt32LogoffEvent"}, ... 128, ) }, ... 
128, ) == 0x0 00943 292 NtAllocateVirtualMemory (-1, 1355776, 0, 4096, 4096, 4, ... 1355776, 4096, ) == 0x0 00944 292 NtAllocateVirtualMemory (-1, 1359872, 0, 8192, 4096, 4, ... 1359872, 8192, ) == 0x0 00945 292 NtCreateKey (0xf003f, {24, 64, 0x40, 0, 0, (0xf003f, {24, 64, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History"}, 0, 0x0, 0, ... 132, 2, ) }, 0, 0x0, 0, ... 132, 2, ) == 0x0 00946 292 NtQueryDefaultUILanguage (1236564, ... 00947 292 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00948 292 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482036, ) == 0x0 00949 292 NtQueryInformationToken (-2147482036, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00950 292 NtClose (-2147482036, ... ) == 0x0 00951 292 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482036, ) }, ... -2147482036, ) == 0x0 00952 292 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00953 292 NtOpenKey (0x80000000, {24, -2147482036, 0x640, 0, 0, (0x80000000, {24, -2147482036, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 00954 292 NtQueryValueKey (-2147482032, (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00955 292 NtClose (-2147482032, ... ) == 0x0 00956 292 NtClose (-2147482036, ... ) == 0x0 00946 292 NtQueryDefaultUILanguage ... ) == 0x0 00957 292 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00958 292 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll"}, 1, 96, ... 
136, {status=0x0, info=1}, ) }, 1, 96, ... 136, {status=0x0, info=1}, ) == 0x0 00959 292 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 136, ... 140, ) == 0x0 00960 292 NtMapViewOfSection (140, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x910000), 0x0, 593920, ) == 0x0 00961 292 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00962 292 NtAllocateVirtualMemory (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0 00963 292 NtQueryDefaultLocale (1, 1234600, ... ) == 0x0 00964 292 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00965 292 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1235456, 1, 96, 0} (24, {128, 156, new_msg, 0, 1235456, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\335\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\210\0\0\0\377\377\377\377\0\0\0\0P\275\230\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\0\341\22\0\0\0\0\0" ... {128, 156, reply, 0, 288, 292, 1523, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\335\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\210\0\0\0\377\377\377\377\0\0\0\0P\275\230\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\0\341\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 288, 292, 1523, 0} (24, {128, 156, new_msg, 0, 1235456, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\335\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\210\0\0\0\377\377\377\377\0\0\0\0P\275\230\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\0\341\22\0\0\0\0\0" ... 
{128, 156, reply, 0, 288, 292, 1523, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\335\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\210\0\0\0\377\377\377\377\0\0\0\0P\275\230\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\0\341\22\0\0\0\0\0" ) ) == 0x0 00966 292 NtClose (136, ... ) == 0x0 00967 292 NtClose (140, ... ) == 0x0 00968 292 NtUnmapViewOfSection (-1, 0x910000, ... ) == 0x0 00969 292 NtUnmapViewOfSection (-1, 0x12e100, ... ) == STATUS_NOT_MAPPED_VIEW 00970 292 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00971 292 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00972 292 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00973 292 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00974 292 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1233140, ... ) }, 1233140, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00975 292 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00976 292 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00977 292 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00978 292 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1233732, ... ) }, 1233732, ... ) == 0x0 00979 292 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 140, {status=0x0, info=1}, ) }, 3, 33, ... 140, {status=0x0, info=1}, ) == 0x0 00980 292 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00981 292 NtCreateKey (0x2001f, {24, 64, 0x40, 0, 0, (0x2001f, {24, 64, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 
136, 2, ) }, 0, 0x0, 0, ... 136, 2, ) == 0x0 00982 292 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "psapi.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00983 292 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\psapi.dll"}, 1238216, ... ) }, 1238216, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00984 292 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "psapi.dll"}, 1238216, ... ) }, 1238216, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00985 292 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\psapi.dll"}, 1238216, ... ) }, 1238216, ... ) == 0x0 00986 292 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\psapi.dll"}, 5, 96, ... 144, {status=0x0, info=1}, ) }, 5, 96, ... 144, {status=0x0, info=1}, ) == 0x0 00987 292 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 144, ... 148, ) == 0x0 00988 292 NtQuerySection (148, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00989 292 NtClose (144, ... ) == 0x0 00990 292 NtMapViewOfSection (148, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76bf0000), 0x0, 45056, ) == 0x0 00991 292 NtClose (148, ... ) == 0x0 00992 292 NtAllocateVirtualMemory (-1, 3293184, 0, 8192, 4096, 4, ... 3293184, 8192, ) == 0x0 00993 292 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00994 292 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 148, ) == 0x0 00995 292 NtQueryInformationToken (148, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00996 292 NtClose (148, ... ) == 0x0 00997 292 NtOpenKey (0x20019, {24, 0, 0x640, 0, 0, (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 148, ) }, ... 148, ) == 0x0 00998 292 NtOpenKey (0x20019, {24, 148, 0x40, 0, 0, (0x20019, {24, 148, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Providers\Type 001"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00999 292 NtClose (148, ... 
) == 0x0 01000 292 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 001"}, ... 148, ) }, ... 148, ) == 0x0 01001 292 NtQueryValueKey (148, (148, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (148, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0 01002 292 NtQueryValueKey (148, (148, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (148, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0 01003 292 NtQueryValueKey (148, (148, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (148, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0 01004 292 NtQueryValueKey (148, (148, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (148, "Name", Partial, 144, ... 
TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0 01005 292 NtClose (148, ... ) == 0x0 01006 292 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider"}, ... 148, ) }, ... 148, ) == 0x0 01007 292 NtQueryValueKey (148, (148, "Type", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (148, "Type", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01008 292 NtQueryValueKey (148, (148, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (148, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0 01009 292 NtQueryValueKey (148, (148, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (148, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0 01010 292 NtQueryValueKey (148, (148, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (148, "Image Path", Partial, 144, ... 
TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0 01011 292 NtQueryValueKey (148, (148, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (148, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0 01012 292 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1237776, ... ) }, 1237776, ... ) == 0x0 01013 292 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 5, 96, ... 144, {status=0x0, info=1}, ) }, 5, 96, ... 144, {status=0x0, info=1}, ) == 0x0 01014 292 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 144, ... 152, ) == 0x0 01015 292 NtClose (144, ... ) == 0x0 01016 292 NtMapViewOfSection (152, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x910000), 0x0, 135168, ) == 0x0 01017 292 NtClose (152, ... ) == 0x0 01018 292 NtUnmapViewOfSection (-1, 0x910000, ... ) == 0x0 01019 292 NtQuerySystemInformation (KernelDebugger, 2, ... {system info, class 35, size 2}, 0xffffffff, ) == 0x0 01020 292 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1238664, ... ) }, 1238664, ... ) == 0x0 01021 292 NtQueryFullAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1239332, ... ) }, 1239332, ... ) == 0x0 01022 292 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1239188, (0x80100080, {24, 0, 0x40, 0, 1239188, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 0x0, 128, 1, 1, 96, 0, 0, ... 152, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 
152, {status=0x0, info=1}, ) == 0x0 01023 292 NtCreateSection (0xf0005, 0x0, 0x0, 2, 134217728, 152, ... 144, ) == 0x0 01024 292 NtMapViewOfSection (144, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x910000), {0, 0}, 135168, ) == 0x0 01025 292 NtQueryDefaultLocale (1, 1238996, ... ) == 0x0 01026 292 NtQueryVirtualMemory (-1, 0x910000, Basic, 28, ... {BaseAddress=0x910000,AllocationBase=0x910000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 01027 292 NtQueryVirtualMemory (-1, 0x910000, Basic, 28, ... {BaseAddress=0x910000,AllocationBase=0x910000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 01028 292 NtReadFile (152, 0, 0, 0, 336, 0x0, 0, ... {status=0x0, info=336}, (152, 0, 0, 0, 336, 0x0, 0, ... {status=0x0, info=336}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\370\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\264\336V\215\360\2778\336\360\2778\336\360\2778\336\275\234$\336\377\2778\3369\235\22\336\365\2778\336\360\2779\336q\2778\336\12\234!\336\371\2778\336\360\2778\336\362\2778\336\12\234x\336\363\2778\336\12\234\7\336\361\2778\336g\234}\336\361\2778\336*\234%\336\361\2778\336*\234$\336\376\2778\336\12\234\5\336\361\2778\336Rich\360\2778\336\0\0\0\0\0\0\0\0PE\0\0L\1\4\0.FQ;\0\0\0\0\0\0\0\0\340\0\16!\13\1\7\0\0\300\1\0\0@\0\0\0\0\0\0\340\367\0\0\0\20\0\0\0\320\1\0\0\0\375\17\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0 \2\0\0\4\0\0", ) , ) == 0x0 01029 292 NtQueryInformationFile (152, 1239240, 8, Position, ... {status=0x0, info=8}, ) == 0x0 01030 292 NtSetInformationFile (152, 1239240, 8, Position, ... {status=0x0, info=0}, ) == 0x0 01031 292 NtReadFile (152, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (152, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\3\0\0\0\0\0\4\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0`\314\1\0\273\2\0\0\304\301\1\0d\0\0\0\0\0\2\08\14\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\2\0\0\12\0\0\360\21\0\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0\354\1\0\0\274\277\1\0\340\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\33\277\1\0\0\20\0\0\0\300\1\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0`.data\0\0\0(%\0\0\0\320\1\0\0$\0\0\0\304\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0\300.rsrc\0\0\08\14\0\0\0\0\2\0\0\16\0\0\0\350\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0@.reloc\0\0R\13\0\0\0\20\2\0\0\14\0\0\0\366\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0B\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 01032 292 NtReadFile (152, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (152, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "*\305\357\357\345O\252\252\26\355\373\373\305\206CC\327\232MMUf33\224\21\205\205\317\212EE\20\351\371\371\6\4\2\2\201\376\177\177\360\240PPDx<<\272%\237\237\343K\250\250\363\242QQ\376]\243\243\300\200@@\212\5\217\217\255?\222\222\274!\235\235Hp88\4\361\365\365\337c\274\274\301w\266\266u\257\332\332cB!!0 \20\20\32\345\377\377\16\375\363\363m\277\322\322L\201\315\315\24\30\14\145&\23\23/\303\354\354\341\276__\2425\227\227\314\210DD9.\27\27W\223\304\304\362U\247\247\202\374~~Gz==\254\310dd\347\272]]+2\31\31\225\346ss\240\300``\230\31\201\201\321\236OO\177\243\334\334fD""~T**\253;\220\220\203\13\210\210\312\214FF)\307\356\356\323k\270\270<(\24\24y\247\336\336\342\274^^\35\26\13\13v\255\333\333;\333\340\340Vd22Nt::\36\24\12\12\333\222II\12\14\6\6lH$$\344\270\\]\237\302\302n\275\323\323\357C\254\254\246\304bb\2509\221\221\2441\225\2257\323\344\344\213\362yy2\325\347\347C\213\310\310Yn77\267\332mm\214\1\215\215d\261\325\325\322\234NN\340I\251\251\264\330ll\372\254VV\7\363\364\364%\317\352\352\257\312ee\216\364zz\351G\256\256\30\20\10\10\325o\272\272\210\360xxoJ%%r\..$8\34\34\361W\246\246\307s\264\264Q\227\306\306#\313\350\350|\241\335\335\234\350tt!>\37\37\335\226KK\334a\275\275\206\15\213\213\205\17\212\212\220\340ppB|>>\304q\265\265\252\314ff\330\220HH\5\6\3\3\1\367\366\366\22\34\16\16\243\302aa_j55\371\256WW\320i\271\271\221\27\206\206X\231\301\301", ) (152, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "*\305\357\357\345O\252\252\26\355\373\373\305\206CC\327\232MMUf33\224\21\205\205\317\212EE\20\351\371\371\6\4\2\2\201\376\177\177\360\240PPDx<<\272%\237\237\343K\250\250\363\242QQ\376]\243\243\300\200@@\212\5\217\217\255?\222\222\274!\235\235Hp88\4\361\365\365\337c\274\274\301w\266\266u\257\332\332cB!!0 \20\20\32\345\377\377\16\375\363\363m\277\322\322L\201\315\315\24\30\14\145&\23\23/\303\354\354\341\276__\2425\227\227\314\210DD9.\27\27W\223\304\304\362U\247\247\202\374~~Gz==\254\310dd\347\272]]+2\31\31\225\346ss\240\300``\230\31\201\201\321\236OO\177\243\334\334fD""~T**\253;\220\220\203\13\210\210\312\214FF)\307\356\356\323k\270\270<(\24\24y\247\336\336\342\274^^\35\26\13\13v\255\333\333;\333\340\340Vd22Nt::\36\24\12\12\333\222II\12\14\6\6lH$$\344\270\\]\237\302\302n\275\323\323\357C\254\254\246\304bb\2509\221\221\2441\225\2257\323\344\344\213\362yy2\325\347\347C\213\310\310Yn77\267\332mm\214\1\215\215d\261\325\325\322\234NN\340I\251\251\264\330ll\372\254VV\7\363\364\364%\317\352\352\257\312ee\216\364zz\351G\256\256\30\20\10\10\325o\272\272\210\360xxoJ%%r\..$8\34\34\361W\246\246\307s\264\264Q\227\306\306#\313\350\350|\241\335\335\234\350tt!>\37\37\335\226KK\334a\275\275\206\15\213\213\205\17\212\212\220\340ppB|>>\304q\265\265\252\314ff\330\220HH\5\6\3\3\1\367\366\366\22\34\16\16\243\302aa_j55\371\256WW\320i\271\271\221\27\206\206X\231\301\301", ) , ) == 0x0 01033 292 NtReadFile (152, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (152, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) \340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227 (152, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) G\351d\304\250\374\214\32\240\360?\330V},\357 (152, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) , ) == 0x0 01034 292 NtReadFile (152, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (152, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "p\3252\266m\307)\241f\311 \254W\343\37\217\\355\26\202A\377\15\225J\361\4\230#\253s\323(\245z\3365\267a\311>\271h\304\17\223W\347\4\235^\352\31\217E\375\22\201L\360\313;\253k\3005\242f\335'\271q\326)\260|\347\3\217_\354\15\206R\361\37\235E\372\21\224H\223K\343\3\230E\352\16\205W\361\31\216Y\370\24\277s\3077\264}\316:\251o\325-\242a\334 \366\255vm\375\243\177`\340\261dw\353\277mz\332\225RY\321\233[T\314\211@C\307\207IN\256\335>\5\245\3237\10\270\301,\37\263\317%\22\202\345\321\211\353\23<\224\371\10+\237\367\1&FM\346\275MC\357\260PQ\364\247[_\375\252ju\302\211a{\313\204|i\320\223wg\331\236\36=\256\325\253\247\330\10!\274\317\3/\265\3022\5\212\3419\13\203\354$\31\230\373/\27\221\366\215vM\326\206xD\333\233j_\314\220dV\301\241Ni\342\252@`\357\267R{\370\274\r\365\325\6\5\276\336\10\14\263\303\32\27\244\310\24\36\251\371>!\212\3620(\207\357"3\220\344,:\235=\226\335\66\230\324\13+\212\317\34 \204\306\21\21\256\3712\32\240\360?\7\262\353(\14\274\342%e\346\225nn\350\234cs\372\207tx\364\216yI\336\261ZB\320\270W_\302\243@T\314\252M\367A\354\332\374O\345\327\341]\376\300\352S\367\315\333y\310\356\320w\301\343\315e\332\364\306k\323\371\2571\244\262\244?\255\277\271-\266\250\262#\277\245\203\11\200\206\210\7\211\213\225\25\222\234\236\33\233\221G\241|\12L\257u\7Q\275n\20Z\263g\35k\231X>`\227Q3}\205J$v\213C)\37\3214b\24\337=o\11\315&x\2\303/u3\351\20V8\347\31[", ) 3\220\344,:\235=\226\335\66\230\324\13+\212\317\34 \204\306\21\21\256\3712\32\240\360?\7\262\353(\14\274\342%e\346\225nn\350\234cs\372\207tx\364\216yI\336\261ZB\320\270W_\302\243@T\314\252M\367A\354\332\374O\345\327\341]\376\300\352S\367\315\333y\310\356\320w\301\343\315e\332\364\306k\323\371\2571\244\262\244?\255\277\271-\266\250\262#\277\245\203\11\200\206\210\7\211\213\225\25\222\234\236\33\233\221G\241|\12L\257u\7Q\275n\20Z\263g\35k\231X>`\227Q3}\205J$v\213C)\37\3214b\24\337=o\11\315&x\2\303/u3\351\20V8\347\31[", ) == 0x0 01035 292 NtReadFile (152, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, (152, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\200\20\0\0\200\0\0\20\0\20@\20\0\0\0\0\200\0@\20\0\20\0\0\200\20@\0\0\20@\20\0\0\0\0\0\20\0\20\200\0@\20\0\20@\0\200\0\0\20\200\20\0\0\0\0@\0\0\0\0\20\0\20\0\20\200\0@\20\200\20\0\0\200\20@\20\0\0@\0\0\0@\0\0\20\0\20\200\0\0\20\200\20@\20\0\20\0\0\200\20@\0\200\0@\20\200\20\0\20\200\20@\20\0\20\0\20\0\0@\0\0\0\0\0\0\0@\20\200\0\0\0\0\20\0\20\0\20@\0\200\0\0\0\0\0@\20\200\20\0\20\200\0@\0\200\20@\0\200\0\0\0\0\0\0\20\0\0@\20\0\0\0\20\200\20@\0\200\20\0\0\0\20@\20\0\20@\0\0\20\0\20\200\0\0\0\200\0@\20\200\0@\20\0\0\0\0\0\20@\0\200\20\0\1\0\0\4\0\1\4\4\0\1\0\0\1\1\0\4\1\0\4\0\0\0\0\4\1\1\0\4\0\1\4\0\0\1\0\4\0\0\4\0\0\0\4\4\1\0\0\0\1\1\4\4\1\1\0\0\1\0\0\0\1\0\4\4\0\0\0\0\1\0\4\0\0\1\4\4\0\1\0\0\1\1\0\0\1\1\4\4\0\0\4\0\1\0\0\4\1\0\4\4\0\1\0\4\1\1\4\0\0\0\4\4\0\1\4\0\0\0\0\0\0\0\0\4\1\1\4\0\0\1\4\4\0\1\0\0\1\0\0\0\0\0\4\0\1\1\0\0\1\0\4\0\0\0\4\4\1\1\0\4\0\0\0\0\0\1\4\4\0\1\4\0\1\0\4\4\1\0\4\0\0\0\0\4\1\1\4\4\1\0\0\0\1\1\4\0\1\0\0\4\0\0\0\4\1\1\4\4\0\0\4\0\0\1\0\4\1\1\0\4\0\1\4\0\0\1\0\4\0\0\0\0\1\0\4\4\1\1\0\0\1\0\0\4\1\1\4\0\0\1\0\0\0\0\4\4\10\20@\0\0\20\0\20\10\0\0\0\10\20@\20", ) , ) == 0x0 01036 292 NtReadFile (152, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (152, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "%\00\02\0h\0x\0%\00\02\0h\0x\0\0\0\0\0%\0l\0u\0\0\0S\0-\0%\0l\0u\0-\0\0\0\0\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0C\0r\0y\0p\0t\0o\0\\0R\0S\0A\0\\0\0\0\0\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0C\0r\0y\0p\0t\0o\0\\0D\0S\0S\0\\0\0\0\0\0SeRestorePrivilege\0\0SeBackupPrivilege\0\0\0.DEFAULT\0\0\0\0Software\Microsoft\Cryptography\UserKeys\0\0\0\0Software\Microsoft\Cryptography\MachineKeys\0Software\Microsoft\Cryptography\DSSUserKeys\0*\0\0\0SeSecurityPrivilege\0OffloadModExpo\0\0ExpoOffload\0Software\Microsoft\Cryptography\Offload\0\377\377\377\377\337\261\376\17\343\261\376\17\0\0\0\0\377\377\377\377g\262\376\17k\262\376\17crypt32.dll\0#666\0\0\0\0#667\0\0\0\0RPCRT4.dll\0\377\0\0\0\0PSTOREC.", ) , ) == 0x0 01037 292 NtReadFile (152, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (152, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "V\350\216\376\377\377\205\300u\13Sj\1\377u\30\350o\205\0\0\213\3703\300\205\377\17\224\300\213\360\205\366u\36\205\333t\23\213C\14\205\300t\6P\350\367\20\1\0S\350\361\20\1\0W\377\25\230\21\375\17_\213\306^[]\302\24\09U\20\17\204L\1\0\0\215E\24Pj\2Q\377u\20\350\334\204\0\0\205\300\17\205*\1\0\0\213E\24\201x\4\6L\0\0\17\205%\1\0\0\213H\30\203\271`\3\0\0\0tQ\203x\140uK\2708\2\0\0P\211C\10\350a\20\1\0\213\370\205\377\211{\14u\10j\10_\351k\377\377\377\213K\10\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213{\14\213E\24\213p\20j\14\201\307\10\2\0\0Y\363\245\3512\377\377\377\277\13\0\11\200\3515\377\377\377\213u\20;\362\17\204\263\0\0\0\215E\24Pj\2QV\350E\204\0\0\205\300\17\205\223\0\0\0\211s\20\351\0\377\377\377j$^V\350\351\17\1\0\205\300\211C\14t\212\211s\10\351\350\376\377\377\213}\20;\372tw\215E\24Pj\2QW\350\11\204\0\0\205\300u[\213E\24\203x`\1u]\203x\30\0u\16P\350\\26\0\0\205\300\17\205\276\376\377\377j(^V\350\234\17\1\0\205\300\17\204<\377\377\377\211C\14\211s\10\211{\20\203 \0\203`$\0\351\215\376\377\3779U\20t\36\215E\24Pj\2Q\377u\20\350\256\203\0\0\205\300t\25= 
\0\11\200\17\205u\376\377\377\277\3\0\11\200\351m\376\377\377\213M\24\213A\4=\1L\0\0t\15=\4L\0\0t\6\203y\140w\334\2708\4\0\0P\211C\10\350*\17\1\0\213\370\205\377\211{\14\17\204\305\376\377\377\213K\10\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213M", ) , ) == 0x0 01038 292 NtReadFile (152, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (152, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\205\300uC\353D\203x\14\20\3539\203x\14\30\35339t$\20u/\213@\14V\301\340\3P\213D$\20\213\200\200\1\0\0h\2f\0\0\3774\205(\362\376\17\350\6@\1\0\205\300t\13\353\6\203x\14\10u\33\366F\213\306^\302\14\0U\213\354\203\354\14\213M\10\213Q\10VW\215z\7\215B\17\301\357\3j\10\203\347\7\301\350\4Z+\327\203\372\10\215t\300\14\211u\364\211U\370t\6\203\302\10\211U\370\321\352\211U\374\213U\14\205\322\17\204\12\1\0\0\213}\2097s\73\300\351\377\0\0\0\2131\2112\213q\10\211r\4\213q\20\211r\10\215q\24\213J\4\301\351\3\211u\10S\213\331\301\351\2\215z\14\211}\14\363\245\213\313\203\341\3\363\244\213J\4\301\351\3\1M\14\213u\370\3\361\1u\10\213u\10\213}\14\1E\14\213\310\213\331\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213J\4\213U\10\213u\374\3\362\213U\14\301\351\3\3\360\215<\2\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213u\364[3\300@\213M\20_\2111^\311\302\14\0U\213\354\203\354\20\213U\10\201:RSA2t\73\300\351\35\2\0\0\213B\4SVW\215H\7\301\351\3j\10\203\341\7^+\361\203\376\10\211u\370t\6\203\306\10\211u\370\213\316\215X\17\301\350\3\321\351\215", ) , ) == 0x0 01039 292 NtReadFile (152, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (152, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "W\3509e\0\0\205\300j\4[t9\215E\34Pj\3VW\350%e\0\0\205\300t(\215E\34PSVW\350\25e\0\0\205\300t\30= \0\11\200u\12\271\3\0\11\200\351\34\3\0\0\213\310\351\25\3\0\0\213E\30\205\300u\10jWY\351\6\3\0\0\213M\20j\6Z;\312\17\2079\1\0\0\17\204\25\1\0\0I\17\204\342\0\0\0ItgItFIt%I\17\2058\1\0\0\213M\24\205\311\17\204\304\2\0\09\30\17\202\274\2\0\0\213U\34\213Rd\351\250\2\0\0\213M\24\205\311\17\204\246\2\0\09\30\17\202\236\2\0\0\213U\34\213R`\351\212\2\0\0\213M\24\205\311\17\204\210\2\0\09\30\17\202\200\2\0\0\307\1\1\0\0\0\351n\2\0\0\213U\34\213J\4\201\371\2f\0\0t.\201\371\1h\0\0t&\201\371\1f\0\0t\24\201\371\3f\0\0t\14\201\371\11f\0\0\17\205)\377\377\377\203 \03\311\351E\2\0\0\213}\24\205\377t\37\213J@9\10r\30\213\331\301\351\2\215rD\363\245\213\313\203\341\3\363\244\213J@\211\10\353\323\213J@\367\337\33\377\201\347\352\0\0\0\211\10\213\317\351\11\2\0\0\213}\24\205\377\213U\34t\35\213Jx9\10r\26\213\331\301\351\2\215r\34\363\245\213\313\203\341\3\363\244\213Jx\353\277\213Jx\353\301\213M\24\205\311\17\204\306\1\0\09\30\17\202\276\1\0\0\213U\34\213Rh\351\252\1\0\0\203\351\7\17\204\220\1\0\0I\17\204\376\0\0\0I\17\204\217\0\0\0\203\351\12t\12\271\12\0\11\200\351\231\1\0\0\213}\34\213O\4\201\371\2f\0\0\276\1f\0\0t\30;\316t\24\201\371\3f\0\0t\14\201\371\11f\0\0\17\205H\376\377\377\213M\24\205\311\17\204", ) , ) == 0x0 01040 292 NtReadFile (152, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (152, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\215M\374Qj\2\377u\10\377p\20\350.U\0\0\205\300\17\205\237\2\0\0\213E\374\213@x\351\320\3\0\0Q\350\315\376\377\377\351\305\3\0\0\276\10\0\11\200\351\317\3\0\0\213E\34\213P\4\213\312\201\351\5\200\0\0\17\204U\2\0\0\203\351\3\17\204\14\2\0\0It)IS\377u\24\377p\14t\30\377p\24R\350Q\375\377\377;\307\17\204\204\3\0\0\213\360\351\215\3\0\0\3504{\0\0\353\352\366@\34\2\17\205\275\1\0\0\215M\10Q\215M\324Q\377p\14\307E\10\24\0\0\0\377p\24\377p\30\350\24\375\377\377;\307u\307\215E\374P\213E\34j\2V\377p\20\350\200T\0\0;\307\17\205\361\1\0\0\213E\374\213@\14j@_;\307v\177\215E\354P\215E\360P\213E\34\377p\30\350\255\315\377\377\205\300u\211\213E\374\377p\14\377p\20\213E\34\377u\360\377p\30\350\11\321\377\377\205\300\17\205j\377\377\377W\350\354\337\0\0\205\300\211E\370t[\215M\30QP\377u\360\213E\34j\0\377p\30\211}\30\350\216\374\377\377\205\300\17\205=\377\377\3773\311\213U\34\213R(\213E\370\212\24\12\3\3010\20A;\317r\353\211}\30\353a\213M\34\213I,;\301\211M\30r\3\211E\30\377u\30\350\221\337\0\0\205\300\211E\370u\10j\10^\351\216\2\0\0\213E\34\213H,\213p(\213}\370\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213M\3743\3009A\14v\26\213I\20\213U\370\212\14\1\3\3200\12\213M\374@;A\14r\352\215E\350P\215E\364P\213E\34\377p\30\350\315\314\377\377\205\300\17\205\245\376\377\377\377u\30\213E\34\377u\370\377u\364\377p\30\350(\320\377\377\205\300\17\205\211\376\377\377\377u\10\215E\324P\377u", ) , ) == 0x0 01041 292 NtReadFile (152, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (152, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\300u\36\203}`\5u\34\366Ex\20u\26\205\333u\22\3776\377ul\350\352\371\377\377\205\300t\4\213\360\353\23\3663\300\205\366\17\224\3003\3339]D\213\370t 9]Tt\13\377uT\377ul\350\271\312\377\3779]Xt\13\377uX\377ul\350\251\312\377\377;\373u\249]\t\10\377u\\350Q\316\377\377V\377\25\230\21\375\17\213\307_^[\203\305d\311\302\24\0V\213t$\20V\377t$\20\350\304\363\377\377\205\300u%\213\6\203@@\10\213\6\213L$\10\213P@W\2139\211|\2<\213I\4\211L\2@\3776\350\371\326\377\377_^\302\14\0U\213\354\201\354\200\0\0\0SVW3\300\213u\14\211E\374\211E\360\211E\370\211E\364j\14Y\215}\264\363\253\2523\300j\14Y\215}\200\363\253\2523\300\215}\350\253\253\213F\4\277\1h\0\0;\307\272\16f\0\0\273\17f\0\0t/=\2f\0\0t(=\1f\0\0t!=\3f\0\0t\32=\11f\0\0t\23;\302t\17;\303t\13=\20f\0\0\17\205\327\2\0\0\213M\20\213I\4;\317t8\201\371\2f\0\0t0\201\371\1f\0\0t(\201\371\3f\0\0t \201\371\11f\0\0t\30;\312\17\204\254\2\0\0;\313t\14\201\371\20f\0\0\17\205\225\2\0\0;\312\17\204\224\2\0\0;\313\17\204\214\2\0\0\201\371\20f\0\0\17\204\200\2\0\0;\302\17\204x\2\0\0;\303\17\204p\2\0\0=\20f\0\0\17\204e\2\0\0\213]\10j\0VS\350\301\315\377\377\205\300\17\204J\2\0\0j\0\377u\20S\350\256\315\377\377\205\300\17\2047\2\0\0\213E\20\203x\30\0u\16P\350\310\325\377\377\205\300\17\205\15\1\0\0\213F\4;\307t\17=\2", ) , ) == 0x0 01042 292 NtReadFile (152, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (152, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\241\204\364\376\17\211E\204\213E\324\211E\200\215U\320Rj\0\213@\4\301\350\3PQ\377\266\200\1\0\0\350\273\276\377\377\205\300\17\204\\377\377\377\203}\320\0\17\204R\377\377\377\213\7\205\300t%P\350\347\300\0\0\203'\0\213E\234\203 \0\213E\220\3770\350\324\300\0\0\213E\220\203 \0\213E\224\203 \0\377u\234j\0\377u\224j\0\377u\324\3509\301\377\377\205\300\17\204\15\377\377\377\213E\234\3770\350t\300\0\0\211\7\205\300\17\204\224\376\377\377\213E\224\3770\350`\300\0\0\213M\220\211\1\205\300\17\204}\376\377\377\377u\234\3777\377u\224P\377u\324\350\365\300\377\377\205\300\17\204\311\376\377\377\17\266E\30\203\340\1\213M\214\211\1j\0j\1\213E\220\3770\3777\350\345-\0\0\211E\240\205\300uTPP\213E\220\3770\3777\350\320-\0\0\211E\240\205\300u?\366F\3\360u\329E\210\17\224\300P\377u\30\377u\204V\350T\22\0\0\211E\240\205\300u\37\377u\343\3009E\210\17\224\300@P\377u\10\350\344\311\377\377\205\300u\21\377\25\234\21\375\17\213\360\211u\244\203M\374\377\353\11\203M\374\3773\366\211u\3303\300\205\366\17\224\300\213\370\203}\310\0t\17\213E\334\5d\1\0\0P\377\25\214\21\375\17\203}\344\0t\10\377u\344\350\263\277\0\0\203}\324\0t\16\203}\270\0u\16\377u\324\350\237\277\0\0\203}\270\0t\6S\350\223\277\0\0\203}\330\0t\10\377u\330\350\22\275\377\377\205\377u\7V\377\25\230\21\375\17\213\307\350\204`\0\0\302\30\03\300@\303\213e\350jW^\203M\374\377\213]\264\351{\377\377\377\213K\4\201\371\0\244\0\0t\14\201\371\0$\0\0\17\205\254\374\377\377\213C\14\215P\7\301\352\3\203\342", ) , ) == 0x0 01043 292 NtReadFile (152, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (152, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\276\17\0\11\200\353\23\366\213E\370;\307t\21=\1\0\0\200t\12=\2\0\0\200t\3P\377\3239}\374t\10\377u\374\350\376\260\0\0_\213\306^[\311\302\30\0U\213\354SV\213u\10W\213}\20\215^\34S\377u\20\203\347 W\377u\14\377v\4\350\334\310\0\0\213M\20\203\341\10\204\311t~=\26\0\11\200t\13\205\300ul\270\17\0\11\200\353eS\377u\14\350}\310\0\0\205\300uX\215\206\\1\0\0P\215\236<\1\0\0Sj\0\377u\20\377v\4\377v\\350\356\376\377\377=\26\0\11\200u\307\203;\0u,\205\377u\11\350Y\266\0\0\205\300u!\215F\34PW\215F`P\377v\4\307\206P\1\0\0\2\0\0\0\350g\314\0\0\205\300u\23\300_^[]\302\14\0\205\300u\14\307\206P\1\0\0\2\0\0\0\353\347\215\206\\1\0\0P\215\206<\1\0\0Pj\0\377u\20\377v\4\377u\14\350\177\376\377\377\205\300u\307S\377u\14\350\337\307\0\0\353\266U\213\354\203\354\20SVW3\3773\366\366E\20 \211}\364\211}\370\211}\374\211}\360t\1F\215E\14P\215E\360PW\215E\370P\215E\364P\377u\10\377u\14V\350\326\325\0\0;\307u[\215E\374Ph?\0\17\0W\377u\370\377u\364\3501\324\0\0;\307uB\215E\20P\377u\374\350\276\375\377\377\203}\20\1u\25V\377u\374hP\364\376\17\377u\10\350\1O\0\0;\307u\33\377u\370\377u\364\350\320\324\0\0;\307t\20\203\370\2u\7\273\26\0\11\200\353\6\213\330\353\23\333\213E\364;\307\2135\214\20\375\17t\21=\1\0\0\200t\12=\2\0\0\200t\3P\377\3269}\374t\5\377u\374\377\3269}\370t\10\377u\370\3507\257\0", ) , ) == 0x0 01044 292 NtReadFile (152, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (152, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\204\16\1\0\0\213\306+\326\212\10\210\14\2@:\313u\366\377u\364\2135\344\21\375\17\377\326Y\215E\314P\215E\344P\215E\340P\215E\334P\215E\330P\215E\324P\215E\20P\215E\354PSSS\377u\370\377\25\230\20\375\17;\303\17\205\274\0\0\0\213E\20\203\300\2P\350\235\240\0\0\211E\374\213E\20\203\300\2P\350\216\240\0\09]\374\211E\360\17\204\231\0\0\0;\303\17\204\221\0\0\09]\354\211]\14vT\213E\20\203\300\2\211E\350\215E\314PSSS\215E\350P\377u\374\377u\14\377u\370\377\25\224\20\375\17;\303u^\377u\374\377u\360\377\25t\21\375\17\377u\374\377\326Y\377u\364\377u\374\377\25d\21\375\17\205\300t\17\377E\14\213E\14;E\354r\2543\366\3534\215\267D\1\0\0\3776\350=\240\0\0S\377u\24\211\36\377u\360W\350'\366\377\377;\303u\15W\377u\10\350\350\373\377\377;\303t\317\213\360\353\3j\10^9]\370t\11\377u\370\377\25\214\20\375\179]\364t\10\377u\364\350\373\237\0\09]\374t\10\377u\374\350\356\237\0\09]\360t\10\377u\360\350\341\237\0\0_\213\306^[\311\302\20\0U\213\354\203\354\34S3\333V\211]\374\350C\244\0\0\367E\14\207\377\377\17t\12\276\11\0\11\200\351\317\3\0\0\213E\14\276\0\0\0\360#\306;\306W\213}\10\211E\370u\23\205\377t\17\200?\0t\12\276\11\0\11\200\351\246\3\0\0j\4\377u\24\377\25\\21\375\17\205\300t\10jW^\351\217\3\0\0\205\377t+\200?\0t+\213\307\215P\1\212\10@\204\311u\371+\302@\366E\14\10tj=\5\1\0\0vc\276\37\0\11\200\351`\3\0\09u\370tuj@^V\350\7\237\0", ) , ) == 0x0 01045 292 NtReadFile (152, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (152, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\375\173\333C\211]\330\213E\30\211E\274\215E\274P\215E\270P\215E\264P\350\215\202\0\0\205\300u\14\307E\300 \0\11\200\351\250\1\0\0\377u\264\350\305\220\0\0\211E\344\205\300u\14\307E\300\10\0\0\0\351\215\1\0\0\211]\334\377u\270\350\247\220\0\0\213\370\211}\340\205\377t\340\215\206`\1\0\0\2038\377t\20\211E\310\307E\314\277\303\375\17\215E\310\211E\324h\1\0\1\0\377u\30W\377u\344\377u\324\350\177~\0\0\205\300t\222SSW\377u\344\350'\376\377\377\211E\260\205\300\17\205-\1\0\0SPW\377u\344\350\21\376\377\377\211E\260\205\300\17\205\27\1\0\09E\20u2\215~@\211}\254\215\2368\1\0\0\211]\250\215F(\211E\244\215\2064\1\0\0\211E\240\215FH\211E\234\307E\230\1\0\0\0\241T\364\376\17\353-\215~L\211}\254\215\2360\1\0\0\211]\250\215F0\211E\244\215\206,\1\0\0\211E\240\215FT\211E\234\203e\230\0\241X\364\376\17\211E\224\213\7\205\300t\15P\350\374\217\0\0\3773\350\365\217\0\0\203e\334\0\213E\270\213M\240\211\1\213E\264\213M\244\211\1\213E\340\211\3\213E\344\211\7\17\266E\14\203\340\1\213M\234\211\1\366F\3\360u\26\377u\230\377u\14\377u\224V\350\361\341\377\377\211E\260\205\300uW\213}\24W\203}\20\0u\36j\2\377u\10\350\202\231\377\377\205\300u\10\377\25\234\21\375\17\3537\215E\320Pj\3\353\24j\1\377u\10\350d\231\377\377\205\300t\342\215E\320Pj\4\377u\10\3777\350|\3\0\0\211E\260\205\300t\23= \0\11\200u\3\203\300\343\211E\300\203M\374\377\3536\270\0@\0\0\205E\14t\15\213M\320\11A\10\213E\320\200Hi\1", ) , ) == 0x0 01046 292 NtReadFile (152, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (152, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "h\3\0\0V\350\362\200\0\0\213\370\205\377\211{\30u\10j\10X\3518\2\0\0\271\332\0\0\03\300\363\253\211s\24\213E\20\213{\30j\24Y;\301\17\2058\1\0\0\213u\24\213F\14\211\207d\3\0\0\213\6\203\350\0\17\204\244\0\0\0Ht\12\270\5\0\11\200\351\367\1\0\0\213F\10\250\7u\357\215M\374Qj\0\301\350\3P\377v\4\213E\10\377\260\200\1\0\0\350d~\377\377\205\300u\12\270\11\0\11\200\351\307\1\0\0\213F\4-\1f\0\0t\33Ht\30Ht\25\203\350\6t\20-\370\1\0\0u\252\203\247\\3\0\0\0\353\12\307\207\\3\0\0\10\0\0\0\201{\4\5L\0\0u\25\213F\10\301\350\3;C\14t\12\270\3\0\11\200\351z\1\0\0\213F\10\301\350\3\211\207P\3\0\0\213F\4\211\207H\3\0\0\351^\1\0\0\213F\4-\3\200\0\0t9H\17\205N\377\377\377\201{\4\4L\0\0u\24\211\217X\3\0\0\213F\10\301\350\3\211\207T\3\0\0\353A\201~\10\240\0\0\0\17\205$\377\377\377\211\217T\3\0\0\353,\201{\4\4L\0\0u\14\307\207X\3\0\0\20\0\0\0\353\310\201~\10\200\0\0\0\17\205\372\376\377\377\307\207T\3\0\0\20\0\0\0\213F\4\211\207L\3\0\0\351\341\0\0\0\203\350\25\17\204\253\0\0\0H\17\204\205\0\0\0\203\350\4t?Ht\12\270\12\0\11\200\351\301\0\0\0\213E\24\213\10\201\371\0\1\0\0\17\207\257\376\377\377\213[\4\201\373\4L\0\0t\10\201\373\5L\0\0u\322\211\217D\3\0\0\201\307D\2\0\0\353z\201{\4\4L\0\0u\273\213\207<\2\0\0\205\300t\6P\350O\177\0\0\213u\24\213\6P\211\207@\2\0\0\350\16\177\0\0\205\300\211\207<\2", ) , ) == 0x0 01047 292 NtReadFile (152, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (152, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\10\377u\354\377u\374\3770\350\352\370\377\377\205\300t\4\213\360\353\36\213M\350\213E\34\213u\364\213}\30\211\10\213\301\301\351\2\363\245\213\310\203\341\3\363\2443\366\377u\374\350\360p\0\0\203}\364\0t\10\377u\364\350\342p\0\0_\213\306^[\311\302\30\0U\213\354\203\354\20\213E\10\213@\14\203e\374\0SV\213u\20\213\16\211E\370\213\200,\3\0\0\215D\10\5P\211E\364\350|p\0\0\213\330\205\333u\10j\10^\351\245\0\0\0\213U\20\306\3\1f\307C\1sl\213\16\213u\14\213\301W\301\351\2\215{\3\363\245\213\310\203\341\3\363\244\213\2f\307D\30\3sl\213E\370\213\22\213\210,\3\0\0\215|\32\5\213\321\301\351\2\215\260,\2\0\0\363\245\213\312\203\341\3j\1\363\244\215M\360Q\215M\374Q\377p\10\213E\10\377u\364S\3770\350\0\370\377\377\205\300t\4\213\360\353\36\213M\360\213E\20\213u\374\213}\14\211\10\213\301\301\351\2\363\245\213\310\203\341\3\363\2443\366S\350\10p\0\0\203}\374\0_t\10\377u\374\350\371o\0\0\213\306^[\311\302\14\0U\213\354\203\354`SVW3\300j\6Y\215}\310\363\253\213E\20\213X\14\213M\143\366\270\3L\0\0+\310\211u\374\211u\360\211u\344\211u\350t!\203\351\4t\12\276\10\0\11\200\351c\1\0\0\213C\14\211E\370\213C\4\307E\360\1\0\0\0\353\6\213K\20\211M\370\213K\24\211E\364\213E\3703\322\215D\1\377\367\361\203\370\2\211E\354v\12\276 \0\11\200\351(\1\0\03\3009E\354v-\215x\1\215E\340P\215D5\240P\377u\360\377u\24W\377u\20\350\341\373\377\377\205\300\17\205\351\0\0\0\3u\340\213\307;E\354r\323\201}\14\7L\0\0u", ) , ) == 0x0 01048 292 NtReadFile (152, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (152, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\253\2533\3339]\24\253j\20_\211]\374\211}\354\211]\364t\1C\213u\10\215E\374P\377v\\3506\377\377\377\205\300t\4\213\360\353W\203}\20\2\213\206T\1\0\0\213H\4\213U\14u\33\203}\30\0t\5\213RH\353\3\213RD\215u\354WV\215p\30\203\300\10\353\31\203}\30\0t\5\213RP\353\3\213RL\215u\354WV\215p8\203\300(\377u\374\211U\370\213\21VPSQ\377R@3\366\203}\374\0t\10\377u\374\350\231`\0\0_\213\306^[\311\302\24\0U\213\354\201\354\210\1\0\0VWjb3\300Y\215\275x\376\377\377\363\253\213E\10\211\205\324\376\377\377\213E\20jP\211E\264\3502`\0\0\213\370\205\377\211}\314u\5j\10^\353WW\350j\373\377\377\205\300u\7\276 \0\11\200\353@\215\205x\376\377\377P\350\252\373\377\377\205\300u.P\377u\24\215\205x\376\377\377j\2\377u\14P\350\343\376\377\377\205\300u\25P\377u\24\215\205x\376\377\377j\1\377u\14P\350\312\376\377\377\213\360W\350\337\372\377\377_\213\306^\311\302\20\0U\213\354\203\354(\213E\10S\213X\4V\213p\10W\213}\14+x\14\213@\20\271\0\0\375\17+\371\301\377\2\3\361\213\26\3\331\215\204\270\0\0\375\17\213\10\205\311x\10\215\201\2\0\375\17\353\3\17\267\0\205\322\211E\374u^S\377\25l\21\375\17\213\370\205\377\211}\10t\j\0WV\377\25H\21\375\17\213\360\205\366u+j\10Y\215}\334\363\253\213E\10\211E\360\241\304\364\376\17\205\300\307E\330$\0\0\0\211]\344t\24\215M\330Qj\5\377\320\353\12W\377\25x\21\375\17\211u\10\203}\10\0t\21\213U\10\377u\374R\377\25p\21\375\17\205\300u\11\377u\374S\350\370\236", ) , ) == 0x0 01049 292 NtReadFile (152, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (152, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "3\3073\367\301\306\22\213\3763\360\201\346\17\0\360\3773\3763\306\301\307\14\213\3673\370\201\347\360\360\360\3603\3673\307\301\310\4\211\2\211r\4]_^[\302\20\0\213Ex3\333\213U|3\3063\326%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\375\213\2518N\375\173\375\212\316\301\350\20\213\2538M\375\173\375\212\334\301\352\20\213\2518O\375\173\375\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\373\213\2318S\375\173\373\213\2308P\375\173\373\213\2328Q\375\173\373\213Ep3\333\213Ut3\3073\327%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\365\213\2518N\375\173\365\212\316\301\350\20\213\2538M\375\173\365\212\334\301\352\20\213\2518O\375\173\365\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\363\213\2318S\375\173\363\213\2308P\375\173\363\213\2328Q\375\173\363\213Eh3\333\213Ul3\3063\326%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\375\213\2518N\375\173\375\212\316\301\350\20\213\2538M\375\173\375\212\334\301\352\20\213\2518O\375\173\375\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\373\213\2318S\375\173\373\213\2308P\375\173\373\213\2328Q\375\173\373\213E`3\333\213Ud3\3073\327%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\365\213\2518N\375\173\365\212\316\301\350\20\213\2538M\375\173\365\212\334\301\352\20\213\2518O\375\173\365\213l$\34", ) , ) == 0x0 01050 292 NtReadFile (152, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (152, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10\213l$\34\211t$ \213\302\213\361\203\340?\203\346?f\213DE\0f\213tu\0+\370+\326\213\303\213\367\203\340?\203\346?f\213DE\0f\213tu\0+\310+\336\213t$ f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320", ) , ) == 0x0 01051 292 NtReadFile (152, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (152, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\301\356\30\212\236\3207\375\17\17\266\362\210X\3\212\236\3207\375\17\210X\4\17\266\315\212\211\3207\375\17\210H\5\213L$\34\301\351\20\17\266\311\212\211\3207\375\17\210H\6\213L$\30\301\351\30\212\211\3207\375\17\210H\7\213L$\30\211T$\24\17\266\361\212\236\3207\375\17\210X\10\17\266\326\212\222\3207\375\17\210P\11\17\266T$\22\212\222\3207\375\17\210P\12\17\266T$\37\212\222\3207\375\17\213\30\210P\13\17\266T$\34\212\222\3207\375\17\213p\4\210P\14\17\266\315\212\221\3207\375\17\17\266L$\26\210P\15\212\221\3207\375\17\17\266L$\23\210P\16\212\221\3207\375\17\210P\17\213\173\331\211\30\213W\43\362\213P\10\211p\4\213O\103\321\211P\10\213W\14\213H\14_^3\312]\211H\14[\203\304\20\302\20\0\213D$\20\213T$\4\203\370\1\213D$\14\213\10Qu\22\203\300\4P\213D$\20RP\350\275\370\377\377\302\20\0\5\364\0\0\0P\213D$\20RP\350I\374\377\377\302\20\0\220\220\220\220\220\220\213D$\10S\213\$\20VW\213|$\20S\215w\4VP\211\37\350\224\365\377\377\215\207\364\0\0\0S\213\370\271<\0\0\0P\363\245\350n\367\377\377_^[\302\14\0\220\220\220\220\220\220\220\220S3\3223\311V\213D$\24\213t$\14W\213\370\213\$\24U\212\216\0\1\0\0\213\353\212\226\1\1\0\0\205\333\17\204\17\1\0\0\301\353\2\203\340\3\205\333\17\204\326\0\0\0\205\300\17\205\316\0\0\0\213\307\215<\237\211|$\34\203\350\4\213\353\213x\4A3\300\201\341\377\0\0\0\212\4\16\3\320\201\342\377\0\0\0\212\34\26\210\34\16A\210\4\26\2\303\212\4\63\370\201\341\377\0\0\03\300\212\4\16\3\320\201\342\377", ) , ) == 0x0 01052 292 NtReadFile (152, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (152, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\215\4k\215\4\205\14\0\0\0=\0\2\0\0v$Pj\0\377\25<\21\375\17\205\300\211D$,u\15_^][\201\304$\2\0\0\302\24\0\211D$ \353\10\215L$4\211L$ \213T$ \215\14\255\0\0\0\0\215<\21\211|$\30\203\307\4\215\49\215P\4\211T$(\213\321\301\351\2\363\245\213\312\203\341\3\363\244\213\264$8\2\0\0\213|$(\307\0\0\0\0\0\211D$0\215\4\235\0\0\0\0\213\310\213\321\301\351\2\363\245\213\312\203\341\3\363\244\213t$(+\335\307\40\0\0\0\0\211\$\34\17\2108\1\0\0\215\4\235\0\0\0\0\215\140\211L$$\213L$\30\203\301\4+\301\3\306\3\335\215\14\236\211D$\20\211L$\24\353\7\213L$\24\215I\0\203\375\1\213\264$<\2\0\0v\6\213D\256\370\353\23\300\213T\256\374P\213A\374\213\11RPQ\350\352\375\377\377\205\300u\5\270\1\0\0\0\213\$ UVPS\350T\26\0\0\213T$\30\211\2\205\355\213\375|\35\213t$$\213D$\30+\363\213\14\6\213\20;\321wbr\10O\203\350\4\205\377}\355\213|$$\215E\1PSWW\350\177\371\377\377\205\355\213\365|\34\213D$0\220\213L$\20\213\14\1\213\20;\312w\12rFN\203\350\4\205\366}\351\213\$\34\213t$\24\213D$\20\271\4\0\0\0C\3\361\3\371\3\301\211\$\34\211t$\24\211D$\20\353\35\215E\1P\213D$\34\203\300\4PSS\350$\371\377\377\351m\377\377\377\271\4\0\0\0\213D$\34\213\$\24\213T$\20H+\331+\371+\321\205\300\211D$\34\211\$\24\211|$$\211T$\20\17\215\364\376\377\377\213t$(\213\234$@\2\0\0\215\24\255\0\0\0\0\213", ) , ) == 0x0 01053 292 NtReadFile (152, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (152, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "L$$\215\14\301\211T$,\213T$t\211L$\24\215\14\201\211U\0\213D$pPU\211L$ \213L$lVQ\350\337\373\377\377\205\300u\33S\377\25|\21\375\17_^]3\300[\203\304P\302\24\0\353\6\215\233\0\0\0\0\213T$p\213D$dRUWP\350\257\373\377\377\205\300t\320\213L$\20QWV\350/\355\377\377\205\300t\333\213T$\20RWV\350\37\355\377\377\203\370\1t,\213D$\203\311\205\300v"3\300\213\24\206\211T$d\213\24\207\211\24\206\213T$dA\211\24\207\213T$\20\17\267\301;\302r\340\213D$\20\213L$ PWVQ\350-\355\377\377\213T$\20Rj\1S\350\240\352\377\377\213D$\20\213L$\30PSWQ\350\363\351\377\377\213T$\20\213D$\24RSVP\350\342\351\377\377\213L$\20\213T$\30\213D$\24QRPS\350\351\354\377\377\213L$\20\213D$$\215\24\11\213L$\34RSUPQP\350_\366\377\377\205\300\17\204\14\377\377\377\213D$\20\213L$\34P\215\24\0\213D$\30R\213T$0PQRS\350\11\361\377\377\213D$\20\213L$\30\213T$\34P\3\300P\213D$4QRPS\350\354\360\377\377\213L$\20\213T$0\213D$$QWVRPS\350\5\366\377\377\205\300S\17\204\262\376\377\377\213L$\24\213t$$\213|$8\3\311\363\245\213L$\24\213D$t\215\24\315\0\0\0\0\213L$l\211Q\4\3\300\213\320\211A\10\307\1RSA1\301\352\3J\211Q\14\213u\0\211q\20\213L$p\211A\10\211Q\14\213E\0\211A\20\377\25|\21\375\17\270\1\0\0\0_^][\203\304P\302\24\0\220\220\220\220\220\220\220\213D$\4\2018RS", ) 3\300\213\24\206\211T$d\213\24\207\211\24\206\213T$dA\211\24\207\213T$\20\17\267\301;\302r\340\213D$\20\213L$ 
PWVQ\350-\355\377\377\213T$\20Rj\1S\350\240\352\377\377\213D$\20\213L$\30PSWQ\350\363\351\377\377\213T$\20\213D$\24RSVP\350\342\351\377\377\213L$\20\213T$\30\213D$\24QRPS\350\351\354\377\377\213L$\20\213D$$\215\24\11\213L$\34RSUPQP\350_\366\377\377\205\300\17\204\14\377\377\377\213D$\20\213L$\34P\215\24\0\213D$\30R\213T$0PQRS\350\11\361\377\377\213D$\20\213L$\30\213T$\34P\3\300P\213D$4QRPS\350\354\360\377\377\213L$\20\213T$0\213D$$QWVRPS\350\5\366\377\377\205\300S\17\204\262\376\377\377\213L$\24\213t$$\213|$8\3\311\363\245\213L$\24\213D$t\215\24\315\0\0\0\0\213L$l\211Q\4\3\300\213\320\211A\10\307\1RSA1\301\352\3J\211Q\14\213u\0\211q\20\213L$p\211A\10\211Q\14\213E\0\211A\20\377\25|\21\375\17\270\1\0\0\0_^][\203\304P\302\24\0\220\220\220\220\220\220\220\213D$\4\2018RS", ) == 0x0 01054 292 NtReadFile (152, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (152, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\337\377\377\205\300\17\204\262\0\0\0\213\224$P\1\0\0VSRWU\350\260\373\377\377\205\300\17\204\231\0\0\0\213D$\20VUPW\350\237\332\377\377\205\300t\33\215\244$\0\0\0\0\213\214$D\1\0\0VQWW\350@\332\377\377\205\300t\354\213\224$T\1\0\0\213\234$<\1\0\0VRWS\350\205\335\377\377\213D$\34VHP\213\204$L\1\0\0WPS\350\337\336\377\377\205\300t<\213\214$H\1\0\0VQWS\350[\335\377\377\213L$ \215<)\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213D$\34PUSS\350\327\331\377\377\307D$\24\1\0\0\0\213L$$\213|$\20\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213D$\30\205\300][t\7P\377\25|\21\375\17\213D$\14_^\201\304(\1\0\0\302 
\0\220\220\220\220\220\220\220\377t$\4j\10\377\254\21\375\17P\377\258\21\375\17\302\4\0\377t$\10\377t$\10j\10\377\254\21\375\17P\377\250\21\375\17\302\10\0\203|$\4\0t\23\377t$\4j\10\377\254\21\375\17P\377\25\324\20\375\17\302\4\0U\213\354Q\203e\374\0V\215E\374Pj\1\377u\10\377\25\320\20\375\17P\377\25@\20\375\17\205\300u+\2135\234\21\375\17\377\326=\360\3\0\0u&\215E\374P\377u\10\377\25\314\20\375\17P\377\25D\20\375\17\205\300u\4\377\326\353\12\213E\14\213M\374\211\103\300^\311\302\10\0U\213\354SV\2135\340\362\376\17Wj\123\333_\353$\377\25\234\21\375\17\213\310\201\351\265\6\0\0t:\203\351\6u:\203\373\5s)W\377\25\240\21\375\17\3\377C\377u \377u\34\377u\30\377u\24\377u\20\377u\14\377u\10\377\326", ) , ) == 0x0 01055 292 NtReadFile (152, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (152, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\374\215\4@\215\4\3058\0\0\09\1s\12jz\211\1X\351\275\0\0\0SW\213=\260\21\375\17j\1ht]\375\17\377u\14\377\327\213\330\212\6\203\304\14\204\300u88F\1u3\17\266F\2\17\266N\3\301\340\10\3\301\17\266N\4\301\340\10\3\301\17\266N\5\301\340\10\3\301P\213E\14\215\4Xhl]\375\17P\377\327\203\304\14\353.\17\266N\5Q\17\266N\4Q\17\266N\3Q\17\266N\2Q\17\266N\1\17\266\300QP\213E\14\215\4Xh(]\375\17P\377\327\203\304 3\366\3\3309u\374v%V\377u\10\377\25\20\20\375\17\3770\213E\14\215\4Xh\30]\375\17P\377\327\203\304\14\3\330F;u\374r\333\213E\20C\211\30_3\300[^\311\302\14\0U\213\354Q\213E\20\203 
\0\203e\374\0V\215E\374Pj\10\350T\360\377\377\205\300t\4\213\360\353b\213u\14S\213\35\34\20\375\17W\213}\10V\3776\3777j\1\377u\374\377\323\205\300u@\377\25\234\21\375\17\203\370zt\4\213\360\3533\3776\350\313\357\377\377\205\300\211\7u\5j\10^\353!\213M\203\300V@\211\1\3776\3777P\377u\374\377\323\205\300u\10\377\25\234\21\375\17\353\3133\366_[\203}\374\0t\11\377u\374\377\25\340\20\375\17\213\306^\311\302\14\0U\213\354\201\354\14\1\0\0\203e\374\0V\215\205\364\376\377\377\211E\370W\215E\374P\215E\364P\215E\370P\307E\364\0\1\0\0\3506\377\377\377\205\300\213u\370u\15\377u\14\377u\10\3776\350\3\375\377\377\203}\374\0\213\370t\12\205\366t\6V\350a\357\377\377\213\307_^\311\302\10\0U\213\354\201\354\14\1\0\0\203e\374\0V\215\205\364\376\377\377\211E\370W\215E\374P\215E\364P\215", ) , ) == 0x0 01056 292 NtReadFile (152, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (152, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\2S\377\326\213\370;\373u\12\377\25\234\21\375\17\213\360\353p\215D?\2P\350\336\340\377\377;\303\211Elu\5j\10^\353MWPj\377\377u|j\2S\377\326\205\300u\10\377\25\234\21\375\17\353/\377ul\377ux\350\23\370\377\377\205\300t$\215E\314P\377u|\350-\346\377\377;\303u\20\215E\314P\377ux\350\363\367\377\377;\303t\4\213\360\353\23\3669]lt\10\377ul\350\250\340\377\377_\213\306^[\203\305p\311\302\10\0U\215l$\224\201\354\254\0\0\0\203Md\377VW\215EhP\215E`P3\377W\377u|\211}h\377ut\211}`3\366\350\300\361\377\377;\307uG\377ux\377uh\350\363\376\377\377\205\300t?9}|t=\377uh\350M\340\377\377\215EhP\215E`PFV\377u|\211}h\377ut\350\210\361\377\377;\307u\17\377ux\377uh\350\273\376\377\377;\307t\12\213\360\351\204\0\0\03\366FSj(Y3\300\215}\300\363\253\215EdP\215E\300P\377ux\377uh\350e\365\377\377\213\35\340\20\375\17\3537\377ud\377\323\203Md\377\215E\300P\377uh\350\21\367\377\377\205\300u4j(Y\215}\300\363\253\215EdP\215E\300P\377ux3\366\377uhF\350&\365\377\377\205\300t\305\367\336\33\366\201\346\352\377\366\177\201\306\26\0\11\200\353\2\213\360\203}d\377t\5\377ud\377\323[\203}h\
0t\10\377uh\350\211\337\377\377_\213\306^\203\305l\311\302\14\0U\213\354Q\203M\374\377VW\215E\374P\377u\14\377u\20h\0\0\0\200\377u\10\350\1\364\377\3773\366;\306t\17\203\370\2u"\277\26\0\11\200\351\307\0\0\0V\377u\374\377\25\364\20\375\17\203\370\377\211E\20", ) \277\26\0\11\200\351\307\0\0\0V\377u\374\377\25\364\20\375\17\203\370\377\211E\20", ) == 0x0 01057 292 NtReadFile (152, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (152, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\300^_\311\302\4\0\377\25\234\21\375\17\353\362U\213\354\203\354 V\213u\10\215E\350P\215E\364PV\377\25\10\20\375\17\205\300u\13\377\25\234\21\375\17\351\252\0\0\0SV\377\25\300\20\375\17P\211E\10\350\264\320\377\377\205\300\213]\14\211\3u\10j\10X\351\207\0\0\0\366E\365\200\17\204\203\0\0\0\213M\10W\213\370\213\301\301\351\2\363\245\213\310\203\341\3\363\244_\215E\344P\215E\374P\215E\360P\3773\377\25\274\20\375\17\205\300tf3\3669u\360t\219u\374t\14\377u\374\350\344\376\377\377;\306u8\215E\340P\215E\370P\215E\354P\3773\377\25\270\20\375\17\205\300t69u\354t\219u\370t\14\377u\370\350\266\376\377\377;\306u\12\213E\20\213M\10\211\103\300[^\311\302\14\0\215M\10QPV\377\25\264\20\375\17\205\300u\202\377\25\234\21\375\17\353\342U\213\354\203\354\20VW\215E\30P\215E\3743\377P\377u\30\211}\374\211}\364\211}\370\211}\360\350\353\376\377\377;\307u\30\215E\370P\215E\360PW\377u\20\377u\14\350C\341\377\377;\307t\4\213\360\353\177\213u\370SV\350\246\20\0\0\377u\10\213\330\321\343\350\232\20\0\0\321\340Y\211E\30Y\215D\30\2P\350\221\317\377\377;\307\211E\364u\5j\10^\353K\213\313\213\321\301\351\2\377u\374\213\370\363\245\377u\24\213\312\203\341\3\363\244\213M\30\213u\10\203\301\2\213\321\301\351\2\215<\3\363\245\213\312\203\341\3P\363\244\377\25\4\20\375\17\205\300u\12\377\25\234\21\375\17\213\360\353\23\3663\377[9}\374t\10\377u\374\350\\317\377\3779}\370t\10\377u\370\350O\317\377\3779}\364t\10\377u\364\350B\317\377\377_\213\306^\311\302\24\0U\213", ) , ) == 0x0 01058 292 NtReadFile (152, 0, 0, 0, 
4096, 0x0, 0, ... {status=0x0, info=4096}, (152, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\311\302\30\0\213D$\4\353\11;L$\10t\13\203\300X\213\10\205\311u\3613\300\302\10\0\377t$\10\377t$\10\350\331\377\377\377\213L$\14\205\311t\2\211\13\311\205\300\17\225\301\213\301\302\14\0\213D$\20\205\300u\21\377t$\10\377t$\10\350\256\377\377\377\205\300t\23\213L$\149H\10w\129H\14r\53\300@\353\23\300\302\20\0\213T$\20\213D$\14\203"\0\205\300u\21\377t$\10\377t$\10\350v\377\377\377\205\300t\10\213@\4\211\23\300@\302\20\0\270\370\362\376\17\351\0\0\0\0QRPh\334\277\376\17\350\203`\377\377ZY\377\340\270\364\362\376\17\351\345\377\377\377\270\374\362\376\17\351\333\377\377\377\270\354\362\376\17\351\0\0\0\0QRPh\374\277\376\17\350T`\377\377ZY\377\340\377%\354\362\376\17\314\377%D\21\375\17\314\314\314\314\314\314\314\314SV\213D$\30\13\300u\30\213L$\24\213D$\203\322\367\361\213\330\213D$\14\367\361\213\323\353A\213\310\213\$\24\213T$\20\213D$\14\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\360\367d$\30\213\310\213D$\24\367\346\3\321r\16;T$\20w\10r\7;D$\14v\1N3\322\213\306^[\302\20\0\314\314\314\314\314\314\314\314S\213D$\24\13\300u\30\213L$\20\213D$\143\322\367\361\213D$\10\367\361\213\3023\322\353P\213\310\213\$\20\213T$\14\213D$\10\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\310\367d$\24\221\367d$\20\3\321r\16;T$\14w\10r\16;D$\10v\10+D$\20\33T$\24+D$\10\33T$\14\367\332\367\330\203\332\0[\302\20\0\314\377%\334\21\375\17\377%\330\21\375\17\377%\300\21\375\17", ) 
\0\205\300u\21\377t$\10\377t$\10\350v\377\377\377\205\300t\10\213@\4\211\23\300@\302\20\0\270\370\362\376\17\351\0\0\0\0QRPh\334\277\376\17\350\203`\377\377ZY\377\340\270\364\362\376\17\351\345\377\377\377\270\374\362\376\17\351\333\377\377\377\270\354\362\376\17\351\0\0\0\0QRPh\374\277\376\17\350T`\377\377ZY\377\340\377%\354\362\376\17\314\377%D\21\375\17\314\314\314\314\314\314\314\314SV\213D$\30\13\300u\30\213L$\24\213D$\203\322\367\361\213\330\213D$\14\367\361\213\323\353A\213\310\213\$\24\213T$\20\213D$\14\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\360\367d$\30\213\310\213D$\24\367\346\3\321r\16;T$\20w\10r\7;D$\14v\1N3\322\213\306^[\302\20\0\314\314\314\314\314\314\314\314S\213D$\24\13\300u\30\213L$\20\213D$\143\322\367\361\213D$\10\367\361\213\3023\322\353P\213\310\213\$\20\213T$\14\213D$\10\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\310\367d$\24\221\367d$\20\3\321r\16;T$\14w\10r\16;D$\10v\10+D$\20\33T$\24+D$\10\33T$\14\367\332\367\330\203\332\0[\302\20\0\314\377%\334\21\375\17\377%\330\21\375\17\377%\300\21\375\17", ) == 0x0 01059 292 NtReadFile (152, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (152, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\343\316\1\0\365\316\1\0\7\317\1\0\0\0\1\0\2\0\3\0\4\0\5\0\6\0\7\0\10\0\11\0\12\0\13\0\14\0\15\0\16\0\17\0\20\0\21\0\22\0\23\0\24\0\25\0\26\0\27\0\30\0\31\0\32\0RSAENH.dll\0CPAcquireContext\0CPCreateHash\0CPDecrypt\0CPDeriveKey\0CPDestroyHash\0CPDestroyKey\0CPDuplicateHash\0CPDuplicateKey\0CPEncrypt\0CPExportKey\0CPGenKey\0CPGenRandom\0CPGetHashParam\0CPGetKeyParam\0CPGetProvParam\0CPGetUserKey\0CPHashData\0CPHashSessionKey\0CPImportKey\0CPReleaseContext\0CPSetHashParam\0CPSetKeyParam\0CPSetProvParam\0CPSignHash\0CPVerifySignature\0DllRegisterServer\0DllUnregisterServer\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 01060 292 NtReadFile (152, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, (152, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2f\0\0\200\0\0\0(\0\0\0\200\0\0\0\0\0\0\0\4\0\0\0RC2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0RSA Data Security's RC2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1h\0\0\200\0\0\0(\0\0\0\200\0\0\0\0\0\0\0\4\0\0\0RC4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0RSA Data Security's RC4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1f\0\08\0\0\08\0\0\08\0\0\0\0\0\0\0\4\0\0\0DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\37\0\0\0Data Encryption Standard (DES)\0\0\0\0\0\0\0\0\0\0\11f\0\0p\0\0\0p\0\0\0p\0\0\0\0\0\0\0\15\0\0\03DES TWO KEY\0\0\0\0\0\0\0\0\23\0\0\0Two Key Triple DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3f\0\0\250\0\0\0\250\0\0\0\250\0\0\0\0\0\0\0\5\0\0\03DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\25\0\0\0Three Key Triple DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\200\0\0\240\0\0\0", ) , ) == 0x0 01061 292 NtReadFile (152, 0, 0, 0, 2916, 0x0, 0, ... {status=0x0, info=2916}, (152, 0, 0, 0, 2916, 0x0, 0, ... 
{status=0x0, info=2916}, "\0\0\0\0\5L\0\0(\0\0\0(\0\0\0\300\0\0\0\2\0\0\0\14\0\0\0SSL2 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0SSL2 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1L\0\0\200\1\0\0\200\1\0\0\200\1\0\0\4\0\0\0\14\0\0\0SSL3 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0SSL3 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\6L\0\0\200\1\0\0\200\1\0\0\200\1\0\0\10\0\0\0\14\0\0\0TLS1 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0TLS1 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\20\0\0\0SCH MASTER HASH\0\0\0\0\0\25\0\0\0SChannel Master Hash\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\14\0\0\0SCH MAC KEY\0\0\0\0\0\0\0\0\0\21\0\0\0SChannel MAC Key\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\7L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\14\0\0\0SCH ENC KEY\0\0\0\0\0\0\0\0\0\30\0\0\0SChannel", ) , ) == 0x0 01062 292 NtQueryInformationFile (152, 1239240, 8, Position, ... {status=0x0, info=8}, ) == 0x0 01063 292 NtSetInformationFile (152, 1239240, 8, Position, ... {status=0x0, info=0}, ) == 0x0 01064 292 NtReadFile (152, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (152, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\0\1\0\0P\1\0\0>\371\230\274_\256\254\300\0\07\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0o\0p\0e\0n\0 \0s\0i\0g\0n\0a\0t\0u\0r\0e\0 \0f\0i\0l\0e\0?\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0g\0e\0t\0 \0t\0h\0e\0 \0s\0i\0z\0e\0 \0o\0f\0 \0R\0s\0a\0b\0a\0s\0e\0.\0s\0i\0g\03\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0a\0l\0l\0o\0c\0a\0t\0e\0 \0m\0e\0m\0o\0r\0y\04\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0R\0e\0a\0d\0 \0R\0s\0a\0b\0a\0s\0e\0.\0s\0i\0g\05\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0", ) , ) == 0x0 01065 292 NtReadFile (152, 0, 0, 0, 1208, 0x0, 0, ... {status=0x0, info=1208}, (152, 0, 0, 0, 1208, 0x0, 0, ... {status=0x0, info=1208}, "\337:J;i;\266;\300;\317;\365;\3<\31\16>W>q>\251>\276>\217?\0\0\0\220\1\0|\0\0\0 0)0J0T0\2120\2360\3070\3460\253182a2\2342\2432\2532\3112\3642\273\2353\2433_4m4\2704\3054\3664+595Q5^5\2045\2165\2505*646\3606\107F7\258 8=8P8d:m:\263<\275<\10=H=`=\220=\210>>?L?q?~?\217?\233?\354?\373?\0\0\0\240\1\0\210\0\0\0\120!0D0}0\2371\3711#2\3512\6333\2043\2353\3333\104V4d4\3264\3514'575v5\2265\3316\3666\67\377e7o7\2117\3457\3677*8\2248\3338!:\177:\251:\270;\276;\325;\344;\356;%<-B>L>\0?\12?\341?\374?\0\260\1\0\10\1\0\0\3240\3500\201\331?1I1\2571\2731\3021\3661'2\2732\3052V3h3n3z3\2273\2563\2643\3253\3663\27484Y4z4\2334\2744\3354\3764\375@5a5\2025\2435\3045\3455\26\376<6Y6o6\1776\2136\2276\2356\2436\2516\2576\2656\2736\3016\3076\3156\3236\3316\3376\3456\3536\3616\3676\3756\37\117\177\257\337"7-7>7I7\2527\38\238&858z8\2538\3428\3608\49\219$939", ) 7-7>7I7\2527\38\238&858z8\2538\3428\3608\49\219$939", ) == 0x0 01066 292 NtUnmapViewOfSection (-1, 0x910000, ... ) == 0x0 01067 292 NtClose (144, ... ) == 0x0 01068 292 NtClose (152, ... 
) == 0x0 01069 292 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1237720, ... ) }, 1237720, ... ) == 0x0 01070 292 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 5, 96, ... 152, {status=0x0, info=1}, ) }, 5, 96, ... 152, {status=0x0, info=1}, ) == 0x0 01071 292 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 152, ... 144, ) == 0x0 01072 292 NtClose (152, ... ) == 0x0 01073 292 NtMapViewOfSection (144, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x910000), 0x0, 135168, ) == 0x0 01074 292 NtClose (144, ... ) == 0x0 01075 292 NtUnmapViewOfSection (-1, 0x910000, ... ) == 0x0 01076 292 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1238036, ... ) }, 1238036, ... ) == 0x0 01077 292 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 5, 96, ... 144, {status=0x0, info=1}, ) }, 5, 96, ... 144, {status=0x0, info=1}, ) == 0x0 01078 292 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 144, ... 152, ) == 0x0 01079 292 NtQuerySection (152, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01080 292 NtClose (144, ... ) == 0x0 01081 292 NtMapViewOfSection (152, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0xffd0000), 0x0, 139264, ) == 0x0 01082 292 NtClose (152, ... ) == 0x0 01083 292 NtProtectVirtualMemory (-1, (0xffd1000), 492, 4, ... (0xffd1000), 4096, 32, ) == 0x0 01084 292 NtProtectVirtualMemory (-1, (0xffd1000), 4096, 32, ... (0xffd1000), 4096, 4, ) == 0x0 01085 292 NtFlushInstructionCache (-1, 268242944, 492, ... ) == 0x0 01086 292 NtProtectVirtualMemory (-1, (0xffd1000), 492, 4, ... (0xffd1000), 4096, 32, ) == 0x0 01087 292 NtProtectVirtualMemory (-1, (0xffd1000), 4096, 32, ... (0xffd1000), 4096, 4, ) == 0x0 01088 292 NtFlushInstructionCache (-1, 268242944, 492, ... ) == 0x0 01089 292 NtProtectVirtualMemory (-1, (0xffd1000), 492, 4, ... 
(0xffd1000), 4096, 32, ) == 0x0 01090 292 NtProtectVirtualMemory (-1, (0xffd1000), 4096, 32, ... (0xffd1000), 4096, 4, ) == 0x0 01091 292 NtFlushInstructionCache (-1, 268242944, 492, ... ) == 0x0 01092 292 NtProtectVirtualMemory (-1, (0xffd1000), 492, 4, ... (0xffd1000), 4096, 32, ) == 0x0 01093 292 NtProtectVirtualMemory (-1, (0xffd1000), 4096, 32, ... (0xffd1000), 4096, 4, ) == 0x0 01094 292 NtFlushInstructionCache (-1, 268242944, 492, ... ) == 0x0 01095 292 NtAllocateVirtualMemory (-1, 1368064, 0, 20480, 4096, 4, ... 1368064, 20480, ) == 0x0 01096 292 NtQueryDefaultLocale (1, 1236888, ... ) == 0x0 01097 292 NtQueryDefaultLocale (1, 1236888, ... ) == 0x0 01098 292 NtQueryDefaultLocale (1, 1236888, ... ) == 0x0 01099 292 NtQueryDefaultLocale (1, 1236888, ... ) == 0x0 01100 292 NtQueryDefaultLocale (1, 1236888, ... ) == 0x0 01101 292 NtQueryDefaultLocale (1, 1236888, ... ) == 0x0 01102 292 NtQueryDefaultLocale (1, 1236888, ... ) == 0x0 01103 292 NtQueryDefaultLocale (1, 1236888, ... ) == 0x0 01104 292 NtQueryDefaultLocale (1, 1236888, ... ) == 0x0 01105 292 NtQueryDefaultLocale (1, 1236888, ... ) == 0x0 01106 292 NtQueryDefaultLocale (1, 1236888, ... ) == 0x0 01107 292 NtQueryDefaultLocale (1, 1236888, ... ) == 0x0 01108 292 NtQueryDefaultLocale (1, 1236888, ... ) == 0x0 01109 292 NtQueryDefaultLocale (1, 1236888, ... ) == 0x0 01110 292 NtQueryDefaultLocale (1, 1236888, ... ) == 0x0 01111 292 NtQueryDefaultLocale (1, 1236888, ... ) == 0x0 01112 292 NtQueryDefaultLocale (1, 1236888, ... ) == 0x0 01113 292 NtQueryDefaultLocale (1, 1236888, ... ) == 0x0 01114 292 NtQueryDefaultLocale (1, 1236888, ... ) == 0x0 01115 292 NtQueryDefaultLocale (1, 1236888, ... ) == 0x0 01116 292 NtQueryDefaultLocale (1, 1236888, ... ) == 0x0 01117 292 NtQueryDefaultLocale (1, 1236888, ... ) == 0x0 01118 292 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1236988, ... ) }, 1236988, ... 
) == 0x0 01119 292 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1237720, (0x80100080, {24, 0, 0x40, 0, 1237720, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 0x0, 0, 3, 1, 96, 0, 0, ... 152, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 96, 0, 0, ... 152, {status=0x0, info=1}, ) == 0x0 01120 292 NtQueryVolumeInformationFile (152, 1237880, 8, Device, ... {status=0x0, info=8}, ) == 0x0 01121 292 NtQueryInformationFile (152, 1237772, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01122 292 NtQueryInformationFile (152, 1238064, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01123 292 NtClose (152, ... ) == 0x0 01124 292 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1236480, ... ) }, 1236480, ... ) == 0x0 01125 292 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1237212, (0x80100080, {24, 0, 0x40, 0, 1237212, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 0x0, 0, 3, 1, 96, 0, 0, ... 152, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 96, 0, 0, ... 152, {status=0x0, info=1}, ) == 0x0 01126 292 NtQueryVolumeInformationFile (152, 1237372, 8, Device, ... {status=0x0, info=8}, ) == 0x0 01127 292 NtQueryInformationFile (152, 1237264, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01128 292 NtCreateSection (0xf0005, 0x0, 0x0, 2, 134217728, 152, ... 144, ) == 0x0 01129 292 NtMapViewOfSection (144, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x910000), {0, 0}, 135168, ) == 0x0 01130 292 NtQueryDefaultLocale (1, 1237352, ... ) == 0x0 01131 292 NtQueryVirtualMemory (-1, 0x910000, Basic, 28, ... {BaseAddress=0x910000,AllocationBase=0x910000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 01132 292 NtQueryVirtualMemory (-1, 0x910000, Basic, 28, ... {BaseAddress=0x910000,AllocationBase=0x910000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 01133 292 NtQueryDefaultLocale (1, 1237352, ... ) == 0x0 01134 292 NtQueryVirtualMemory (-1, 0x910000, Basic, 28, ... 
{BaseAddress=0x910000,AllocationBase=0x910000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 01135 292 NtQueryVirtualMemory (-1, 0x910000, Basic, 28, ... {BaseAddress=0x910000,AllocationBase=0x910000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 01136 292 NtReadFile (152, 0, 0, 0, 336, 0x0, 0, ... {status=0x0, info=336}, (152, 0, 0, 0, 336, 0x0, 0, ... {status=0x0, info=336}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\370\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\264\336V\215\360\2778\336\360\2778\336\360\2778\336\275\234$\336\377\2778\3369\235\22\336\365\2778\336\360\2779\336q\2778\336\12\234!\336\371\2778\336\360\2778\336\362\2778\336\12\234x\336\363\2778\336\12\234\7\336\361\2778\336g\234}\336\361\2778\336*\234%\336\361\2778\336*\234$\336\376\2778\336\12\234\5\336\361\2778\336Rich\360\2778\336\0\0\0\0\0\0\0\0PE\0\0L\1\4\0.FQ;\0\0\0\0\0\0\0\0\340\0\16!\13\1\7\0\0\300\1\0\0@\0\0\0\0\0\0\340\367\0\0\0\20\0\0\0\320\1\0\0\0\375\17\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0 \2\0\0\4\0\0", ) , ) == 0x0 01137 292 NtQueryInformationFile (152, 1237600, 8, Position, ... {status=0x0, info=8}, ) == 0x0 01138 292 NtSetInformationFile (152, 1237600, 8, Position, ... {status=0x0, info=0}, ) == 0x0 01139 292 NtReadFile (152, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (152, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\3\0\0\0\0\0\4\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0`\314\1\0\273\2\0\0\304\301\1\0d\0\0\0\0\0\2\08\14\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\2\0\0\12\0\0\360\21\0\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0\354\1\0\0\274\277\1\0\340\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\33\277\1\0\0\20\0\0\0\300\1\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0`.data\0\0\0(%\0\0\0\320\1\0\0$\0\0\0\304\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0\300.rsrc\0\0\08\14\0\0\0\0\2\0\0\16\0\0\0\350\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0@.reloc\0\0R\13\0\0\0\20\2\0\0\14\0\0\0\366\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0B\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 01140 292 NtReadFile (152, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (152, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "*\305\357\357\345O\252\252\26\355\373\373\305\206CC\327\232MMUf33\224\21\205\205\317\212EE\20\351\371\371\6\4\2\2\201\376\177\177\360\240PPDx<<\272%\237\237\343K\250\250\363\242QQ\376]\243\243\300\200@@\212\5\217\217\255?\222\222\274!\235\235Hp88\4\361\365\365\337c\274\274\301w\266\266u\257\332\332cB!!0 \20\20\32\345\377\377\16\375\363\363m\277\322\322L\201\315\315\24\30\14\145&\23\23/\303\354\354\341\276__\2425\227\227\314\210DD9.\27\27W\223\304\304\362U\247\247\202\374~~Gz==\254\310dd\347\272]]+2\31\31\225\346ss\240\300``\230\31\201\201\321\236OO\177\243\334\334fD""~T**\253;\220\220\203\13\210\210\312\214FF)\307\356\356\323k\270\270<(\24\24y\247\336\336\342\274^^\35\26\13\13v\255\333\333;\333\340\340Vd22Nt::\36\24\12\12\333\222II\12\14\6\6lH$$\344\270\\]\237\302\302n\275\323\323\357C\254\254\246\304bb\2509\221\221\2441\225\2257\323\344\344\213\362yy2\325\347\347C\213\310\310Yn77\267\332mm\214\1\215\215d\261\325\325\322\234NN\340I\251\251\264\330ll\372\254VV\7\363\364\364%\317\352\352\257\312ee\216\364zz\351G\256\256\30\20\10\10\325o\272\272\210\360xxoJ%%r\..$8\34\34\361W\246\246\307s\264\264Q\227\306\306#\313\350\350|\241\335\335\234\350tt!>\37\37\335\226KK\334a\275\275\206\15\213\213\205\17\212\212\220\340ppB|>>\304q\265\265\252\314ff\330\220HH\5\6\3\3\1\367\366\366\22\34\16\16\243\302aa_j55\371\256WW\320i\271\271\221\27\206\206X\231\301\301", ) (152, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "*\305\357\357\345O\252\252\26\355\373\373\305\206CC\327\232MMUf33\224\21\205\205\317\212EE\20\351\371\371\6\4\2\2\201\376\177\177\360\240PPDx<<\272%\237\237\343K\250\250\363\242QQ\376]\243\243\300\200@@\212\5\217\217\255?\222\222\274!\235\235Hp88\4\361\365\365\337c\274\274\301w\266\266u\257\332\332cB!!0 \20\20\32\345\377\377\16\375\363\363m\277\322\322L\201\315\315\24\30\14\145&\23\23/\303\354\354\341\276__\2425\227\227\314\210DD9.\27\27W\223\304\304\362U\247\247\202\374~~Gz==\254\310dd\347\272]]+2\31\31\225\346ss\240\300``\230\31\201\201\321\236OO\177\243\334\334fD""~T**\253;\220\220\203\13\210\210\312\214FF)\307\356\356\323k\270\270<(\24\24y\247\336\336\342\274^^\35\26\13\13v\255\333\333;\333\340\340Vd22Nt::\36\24\12\12\333\222II\12\14\6\6lH$$\344\270\\]\237\302\302n\275\323\323\357C\254\254\246\304bb\2509\221\221\2441\225\2257\323\344\344\213\362yy2\325\347\347C\213\310\310Yn77\267\332mm\214\1\215\215d\261\325\325\322\234NN\340I\251\251\264\330ll\372\254VV\7\363\364\364%\317\352\352\257\312ee\216\364zz\351G\256\256\30\20\10\10\325o\272\272\210\360xxoJ%%r\..$8\34\34\361W\246\246\307s\264\264Q\227\306\306#\313\350\350|\241\335\335\234\350tt!>\37\37\335\226KK\334a\275\275\206\15\213\213\205\17\212\212\220\340ppB|>>\304q\265\265\252\314ff\330\220HH\5\6\3\3\1\367\366\366\22\34\16\16\243\302aa_j55\371\256WW\320i\271\271\221\27\206\206X\231\301\301", ) , ) == 0x0 01141 292 NtReadFile (152, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (152, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) \340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227 (152, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) G\351d\304\250\374\214\32\240\360?\330V},\357 (152, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) , ) == 0x0 01142 292 NtReadFile (152, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (152, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "p\3252\266m\307)\241f\311 \254W\343\37\217\\355\26\202A\377\15\225J\361\4\230#\253s\323(\245z\3365\267a\311>\271h\304\17\223W\347\4\235^\352\31\217E\375\22\201L\360\313;\253k\3005\242f\335'\271q\326)\260|\347\3\217_\354\15\206R\361\37\235E\372\21\224H\223K\343\3\230E\352\16\205W\361\31\216Y\370\24\277s\3077\264}\316:\251o\325-\242a\334 \366\255vm\375\243\177`\340\261dw\353\277mz\332\225RY\321\233[T\314\211@C\307\207IN\256\335>\5\245\3237\10\270\301,\37\263\317%\22\202\345\321\211\353\23<\224\371\10+\237\367\1&FM\346\275MC\357\260PQ\364\247[_\375\252ju\302\211a{\313\204|i\320\223wg\331\236\36=\256\325\253\247\330\10!\274\317\3/\265\3022\5\212\3419\13\203\354$\31\230\373/\27\221\366\215vM\326\206xD\333\233j_\314\220dV\301\241Ni\342\252@`\357\267R{\370\274\r\365\325\6\5\276\336\10\14\263\303\32\27\244\310\24\36\251\371>!\212\3620(\207\357"3\220\344,:\235=\226\335\66\230\324\13+\212\317\34 \204\306\21\21\256\3712\32\240\360?\7\262\353(\14\274\342%e\346\225nn\350\234cs\372\207tx\364\216yI\336\261ZB\320\270W_\302\243@T\314\252M\367A\354\332\374O\345\327\341]\376\300\352S\367\315\333y\310\356\320w\301\343\315e\332\364\306k\323\371\2571\244\262\244?\255\277\271-\266\250\262#\277\245\203\11\200\206\210\7\211\213\225\25\222\234\236\33\233\221G\241|\12L\257u\7Q\275n\20Z\263g\35k\231X>`\227Q3}\205J$v\213C)\37\3214b\24\337=o\11\315&x\2\303/u3\351\20V8\347\31[", ) 3\220\344,:\235=\226\335\66\230\324\13+\212\317\34 \204\306\21\21\256\3712\32\240\360?\7\262\353(\14\274\342%e\346\225nn\350\234cs\372\207tx\364\216yI\336\261ZB\320\270W_\302\243@T\314\252M\367A\354\332\374O\345\327\341]\376\300\352S\367\315\333y\310\356\320w\301\343\315e\332\364\306k\323\371\2571\244\262\244?\255\277\271-\266\250\262#\277\245\203\11\200\206\210\7\211\213\225\25\222\234\236\33\233\221G\241|\12L\257u\7Q\275n\20Z\263g\35k\231X>`\227Q3}\205J$v\213C)\37\3214b\24\337=o\11\315&x\2\303/u3\351\20V8\347\31[", ) == 0x0 01143 292 NtReadFile (152, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, (152, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\200\20\0\0\200\0\0\20\0\20@\20\0\0\0\0\200\0@\20\0\20\0\0\200\20@\0\0\20@\20\0\0\0\0\0\20\0\20\200\0@\20\0\20@\0\200\0\0\20\200\20\0\0\0\0@\0\0\0\0\20\0\20\0\20\200\0@\20\200\20\0\0\200\20@\20\0\0@\0\0\0@\0\0\20\0\20\200\0\0\20\200\20@\20\0\20\0\0\200\20@\0\200\0@\20\200\20\0\20\200\20@\20\0\20\0\20\0\0@\0\0\0\0\0\0\0@\20\200\0\0\0\0\20\0\20\0\20@\0\200\0\0\0\0\0@\20\200\20\0\20\200\0@\0\200\20@\0\200\0\0\0\0\0\0\20\0\0@\20\0\0\0\20\200\20@\0\200\20\0\0\0\20@\20\0\20@\0\0\20\0\20\200\0\0\0\200\0@\20\200\0@\20\0\0\0\0\0\20@\0\200\20\0\1\0\0\4\0\1\4\4\0\1\0\0\1\1\0\4\1\0\4\0\0\0\0\4\1\1\0\4\0\1\4\0\0\1\0\4\0\0\4\0\0\0\4\4\1\0\0\0\1\1\4\4\1\1\0\0\1\0\0\0\1\0\4\4\0\0\0\0\1\0\4\0\0\1\4\4\0\1\0\0\1\1\0\0\1\1\4\4\0\0\4\0\1\0\0\4\1\0\4\4\0\1\0\4\1\1\4\0\0\0\4\4\0\1\4\0\0\0\0\0\0\0\0\4\1\1\4\0\0\1\4\4\0\1\0\0\1\0\0\0\0\0\4\0\1\1\0\0\1\0\4\0\0\0\4\4\1\1\0\4\0\0\0\0\0\1\4\4\0\1\4\0\1\0\4\4\1\0\4\0\0\0\0\4\1\1\4\4\1\0\0\0\1\1\4\0\1\0\0\4\0\0\0\4\1\1\4\4\0\0\4\0\0\1\0\4\1\1\0\4\0\1\4\0\0\1\0\4\0\0\0\0\1\0\4\4\1\1\0\0\1\0\0\4\1\1\4\0\0\1\0\0\0\0\4\4\10\20@\0\0\20\0\20\10\0\0\0\10\20@\20", ) , ) == 0x0 01144 292 NtReadFile (152, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (152, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "%\00\02\0h\0x\0%\00\02\0h\0x\0\0\0\0\0%\0l\0u\0\0\0S\0-\0%\0l\0u\0-\0\0\0\0\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0C\0r\0y\0p\0t\0o\0\\0R\0S\0A\0\\0\0\0\0\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0C\0r\0y\0p\0t\0o\0\\0D\0S\0S\0\\0\0\0\0\0SeRestorePrivilege\0\0SeBackupPrivilege\0\0\0.DEFAULT\0\0\0\0Software\Microsoft\Cryptography\UserKeys\0\0\0\0Software\Microsoft\Cryptography\MachineKeys\0Software\Microsoft\Cryptography\DSSUserKeys\0*\0\0\0SeSecurityPrivilege\0OffloadModExpo\0\0ExpoOffload\0Software\Microsoft\Cryptography\Offload\0\377\377\377\377\337\261\376\17\343\261\376\17\0\0\0\0\377\377\377\377g\262\376\17k\262\376\17crypt32.dll\0#666\0\0\0\0#667\0\0\0\0RPCRT4.dll\0\377\0\0\0\0PSTOREC.", ) , ) == 0x0 01145 292 NtReadFile (152, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (152, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "V\350\216\376\377\377\205\300u\13Sj\1\377u\30\350o\205\0\0\213\3703\300\205\377\17\224\300\213\360\205\366u\36\205\333t\23\213C\14\205\300t\6P\350\367\20\1\0S\350\361\20\1\0W\377\25\230\21\375\17_\213\306^[]\302\24\09U\20\17\204L\1\0\0\215E\24Pj\2Q\377u\20\350\334\204\0\0\205\300\17\205*\1\0\0\213E\24\201x\4\6L\0\0\17\205%\1\0\0\213H\30\203\271`\3\0\0\0tQ\203x\140uK\2708\2\0\0P\211C\10\350a\20\1\0\213\370\205\377\211{\14u\10j\10_\351k\377\377\377\213K\10\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213{\14\213E\24\213p\20j\14\201\307\10\2\0\0Y\363\245\3512\377\377\377\277\13\0\11\200\3515\377\377\377\213u\20;\362\17\204\263\0\0\0\215E\24Pj\2QV\350E\204\0\0\205\300\17\205\223\0\0\0\211s\20\351\0\377\377\377j$^V\350\351\17\1\0\205\300\211C\14t\212\211s\10\351\350\376\377\377\213}\20;\372tw\215E\24Pj\2QW\350\11\204\0\0\205\300u[\213E\24\203x`\1u]\203x\30\0u\16P\350\\26\0\0\205\300\17\205\276\376\377\377j(^V\350\234\17\1\0\205\300\17\204<\377\377\377\211C\14\211s\10\211{\20\203 \0\203`$\0\351\215\376\377\3779U\20t\36\215E\24Pj\2Q\377u\20\350\256\203\0\0\205\300t\25= 
\0\11\200\17\205u\376\377\377\277\3\0\11\200\351m\376\377\377\213M\24\213A\4=\1L\0\0t\15=\4L\0\0t\6\203y\140w\334\2708\4\0\0P\211C\10\350*\17\1\0\213\370\205\377\211{\14\17\204\305\376\377\377\213K\10\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213M", ) , ) == 0x0 01146 292 NtReadFile (152, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (152, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\205\300uC\353D\203x\14\20\3539\203x\14\30\35339t$\20u/\213@\14V\301\340\3P\213D$\20\213\200\200\1\0\0h\2f\0\0\3774\205(\362\376\17\350\6@\1\0\205\300t\13\353\6\203x\14\10u\33\366F\213\306^\302\14\0U\213\354\203\354\14\213M\10\213Q\10VW\215z\7\215B\17\301\357\3j\10\203\347\7\301\350\4Z+\327\203\372\10\215t\300\14\211u\364\211U\370t\6\203\302\10\211U\370\321\352\211U\374\213U\14\205\322\17\204\12\1\0\0\213}\2097s\73\300\351\377\0\0\0\2131\2112\213q\10\211r\4\213q\20\211r\10\215q\24\213J\4\301\351\3\211u\10S\213\331\301\351\2\215z\14\211}\14\363\245\213\313\203\341\3\363\244\213J\4\301\351\3\1M\14\213u\370\3\361\1u\10\213u\10\213}\14\1E\14\213\310\213\331\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213J\4\213U\10\213u\374\3\362\213U\14\301\351\3\3\360\215<\2\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213u\364[3\300@\213M\20_\2111^\311\302\14\0U\213\354\203\354\20\213U\10\201:RSA2t\73\300\351\35\2\0\0\213B\4SVW\215H\7\301\351\3j\10\203\341\7^+\361\203\376\10\211u\370t\6\203\306\10\211u\370\213\316\215X\17\301\350\3\321\351\215", ) , ) == 0x0 01147 292 NtReadFile (152, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (152, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "W\3509e\0\0\205\300j\4[t9\215E\34Pj\3VW\350%e\0\0\205\300t(\215E\34PSVW\350\25e\0\0\205\300t\30= \0\11\200u\12\271\3\0\11\200\351\34\3\0\0\213\310\351\25\3\0\0\213E\30\205\300u\10jWY\351\6\3\0\0\213M\20j\6Z;\312\17\2079\1\0\0\17\204\25\1\0\0I\17\204\342\0\0\0ItgItFIt%I\17\2058\1\0\0\213M\24\205\311\17\204\304\2\0\09\30\17\202\274\2\0\0\213U\34\213Rd\351\250\2\0\0\213M\24\205\311\17\204\246\2\0\09\30\17\202\236\2\0\0\213U\34\213R`\351\212\2\0\0\213M\24\205\311\17\204\210\2\0\09\30\17\202\200\2\0\0\307\1\1\0\0\0\351n\2\0\0\213U\34\213J\4\201\371\2f\0\0t.\201\371\1h\0\0t&\201\371\1f\0\0t\24\201\371\3f\0\0t\14\201\371\11f\0\0\17\205)\377\377\377\203 \03\311\351E\2\0\0\213}\24\205\377t\37\213J@9\10r\30\213\331\301\351\2\215rD\363\245\213\313\203\341\3\363\244\213J@\211\10\353\323\213J@\367\337\33\377\201\347\352\0\0\0\211\10\213\317\351\11\2\0\0\213}\24\205\377\213U\34t\35\213Jx9\10r\26\213\331\301\351\2\215r\34\363\245\213\313\203\341\3\363\244\213Jx\353\277\213Jx\353\301\213M\24\205\311\17\204\306\1\0\09\30\17\202\276\1\0\0\213U\34\213Rh\351\252\1\0\0\203\351\7\17\204\220\1\0\0I\17\204\376\0\0\0I\17\204\217\0\0\0\203\351\12t\12\271\12\0\11\200\351\231\1\0\0\213}\34\213O\4\201\371\2f\0\0\276\1f\0\0t\30;\316t\24\201\371\3f\0\0t\14\201\371\11f\0\0\17\205H\376\377\377\213M\24\205\311\17\204", ) , ) == 0x0 01148 292 NtReadFile (152, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (152, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\215M\374Qj\2\377u\10\377p\20\350.U\0\0\205\300\17\205\237\2\0\0\213E\374\213@x\351\320\3\0\0Q\350\315\376\377\377\351\305\3\0\0\276\10\0\11\200\351\317\3\0\0\213E\34\213P\4\213\312\201\351\5\200\0\0\17\204U\2\0\0\203\351\3\17\204\14\2\0\0It)IS\377u\24\377p\14t\30\377p\24R\350Q\375\377\377;\307\17\204\204\3\0\0\213\360\351\215\3\0\0\3504{\0\0\353\352\366@\34\2\17\205\275\1\0\0\215M\10Q\215M\324Q\377p\14\307E\10\24\0\0\0\377p\24\377p\30\350\24\375\377\377;\307u\307\215E\374P\213E\34j\2V\377p\20\350\200T\0\0;\307\17\205\361\1\0\0\213E\374\213@\14j@_;\307v\177\215E\354P\215E\360P\213E\34\377p\30\350\255\315\377\377\205\300u\211\213E\374\377p\14\377p\20\213E\34\377u\360\377p\30\350\11\321\377\377\205\300\17\205j\377\377\377W\350\354\337\0\0\205\300\211E\370t[\215M\30QP\377u\360\213E\34j\0\377p\30\211}\30\350\216\374\377\377\205\300\17\205=\377\377\3773\311\213U\34\213R(\213E\370\212\24\12\3\3010\20A;\317r\353\211}\30\353a\213M\34\213I,;\301\211M\30r\3\211E\30\377u\30\350\221\337\0\0\205\300\211E\370u\10j\10^\351\216\2\0\0\213E\34\213H,\213p(\213}\370\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213M\3743\3009A\14v\26\213I\20\213U\370\212\14\1\3\3200\12\213M\374@;A\14r\352\215E\350P\215E\364P\213E\34\377p\30\350\315\314\377\377\205\300\17\205\245\376\377\377\377u\30\213E\34\377u\370\377u\364\377p\30\350(\320\377\377\205\300\17\205\211\376\377\377\377u\10\215E\324P\377u", ) , ) == 0x0 01149 292 NtReadFile (152, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (152, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\300u\36\203}`\5u\34\366Ex\20u\26\205\333u\22\3776\377ul\350\352\371\377\377\205\300t\4\213\360\353\23\3663\300\205\366\17\224\3003\3339]D\213\370t 9]Tt\13\377uT\377ul\350\271\312\377\3779]Xt\13\377uX\377ul\350\251\312\377\377;\373u\249]\t\10\377u\\350Q\316\377\377V\377\25\230\21\375\17\213\307_^[\203\305d\311\302\24\0V\213t$\20V\377t$\20\350\304\363\377\377\205\300u%\213\6\203@@\10\213\6\213L$\10\213P@W\2139\211|\2<\213I\4\211L\2@\3776\350\371\326\377\377_^\302\14\0U\213\354\201\354\200\0\0\0SVW3\300\213u\14\211E\374\211E\360\211E\370\211E\364j\14Y\215}\264\363\253\2523\300j\14Y\215}\200\363\253\2523\300\215}\350\253\253\213F\4\277\1h\0\0;\307\272\16f\0\0\273\17f\0\0t/=\2f\0\0t(=\1f\0\0t!=\3f\0\0t\32=\11f\0\0t\23;\302t\17;\303t\13=\20f\0\0\17\205\327\2\0\0\213M\20\213I\4;\317t8\201\371\2f\0\0t0\201\371\1f\0\0t(\201\371\3f\0\0t \201\371\11f\0\0t\30;\312\17\204\254\2\0\0;\313t\14\201\371\20f\0\0\17\205\225\2\0\0;\312\17\204\224\2\0\0;\313\17\204\214\2\0\0\201\371\20f\0\0\17\204\200\2\0\0;\302\17\204x\2\0\0;\303\17\204p\2\0\0=\20f\0\0\17\204e\2\0\0\213]\10j\0VS\350\301\315\377\377\205\300\17\204J\2\0\0j\0\377u\20S\350\256\315\377\377\205\300\17\2047\2\0\0\213E\20\203x\30\0u\16P\350\310\325\377\377\205\300\17\205\15\1\0\0\213F\4;\307t\17=\2", ) , ) == 0x0 01150 292 NtReadFile (152, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (152, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\241\204\364\376\17\211E\204\213E\324\211E\200\215U\320Rj\0\213@\4\301\350\3PQ\377\266\200\1\0\0\350\273\276\377\377\205\300\17\204\\377\377\377\203}\320\0\17\204R\377\377\377\213\7\205\300t%P\350\347\300\0\0\203'\0\213E\234\203 \0\213E\220\3770\350\324\300\0\0\213E\220\203 \0\213E\224\203 \0\377u\234j\0\377u\224j\0\377u\324\3509\301\377\377\205\300\17\204\15\377\377\377\213E\234\3770\350t\300\0\0\211\7\205\300\17\204\224\376\377\377\213E\224\3770\350`\300\0\0\213M\220\211\1\205\300\17\204}\376\377\377\377u\234\3777\377u\224P\377u\324\350\365\300\377\377\205\300\17\204\311\376\377\377\17\266E\30\203\340\1\213M\214\211\1j\0j\1\213E\220\3770\3777\350\345-\0\0\211E\240\205\300uTPP\213E\220\3770\3777\350\320-\0\0\211E\240\205\300u?\366F\3\360u\329E\210\17\224\300P\377u\30\377u\204V\350T\22\0\0\211E\240\205\300u\37\377u\343\3009E\210\17\224\300@P\377u\10\350\344\311\377\377\205\300u\21\377\25\234\21\375\17\213\360\211u\244\203M\374\377\353\11\203M\374\3773\366\211u\3303\300\205\366\17\224\300\213\370\203}\310\0t\17\213E\334\5d\1\0\0P\377\25\214\21\375\17\203}\344\0t\10\377u\344\350\263\277\0\0\203}\324\0t\16\203}\270\0u\16\377u\324\350\237\277\0\0\203}\270\0t\6S\350\223\277\0\0\203}\330\0t\10\377u\330\350\22\275\377\377\205\377u\7V\377\25\230\21\375\17\213\307\350\204`\0\0\302\30\03\300@\303\213e\350jW^\203M\374\377\213]\264\351{\377\377\377\213K\4\201\371\0\244\0\0t\14\201\371\0$\0\0\17\205\254\374\377\377\213C\14\215P\7\301\352\3\203\342", ) , ) == 0x0 01151 292 NtReadFile (152, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (152, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\276\17\0\11\200\353\23\366\213E\370;\307t\21=\1\0\0\200t\12=\2\0\0\200t\3P\377\3239}\374t\10\377u\374\350\376\260\0\0_\213\306^[\311\302\30\0U\213\354SV\213u\10W\213}\20\215^\34S\377u\20\203\347 W\377u\14\377v\4\350\334\310\0\0\213M\20\203\341\10\204\311t~=\26\0\11\200t\13\205\300ul\270\17\0\11\200\353eS\377u\14\350}\310\0\0\205\300uX\215\206\\1\0\0P\215\236<\1\0\0Sj\0\377u\20\377v\4\377v\\350\356\376\377\377=\26\0\11\200u\307\203;\0u,\205\377u\11\350Y\266\0\0\205\300u!\215F\34PW\215F`P\377v\4\307\206P\1\0\0\2\0\0\0\350g\314\0\0\205\300u\23\300_^[]\302\14\0\205\300u\14\307\206P\1\0\0\2\0\0\0\353\347\215\206\\1\0\0P\215\206<\1\0\0Pj\0\377u\20\377v\4\377u\14\350\177\376\377\377\205\300u\307S\377u\14\350\337\307\0\0\353\266U\213\354\203\354\20SVW3\3773\366\366E\20 \211}\364\211}\370\211}\374\211}\360t\1F\215E\14P\215E\360PW\215E\370P\215E\364P\377u\10\377u\14V\350\326\325\0\0;\307u[\215E\374Ph?\0\17\0W\377u\370\377u\364\3501\324\0\0;\307uB\215E\20P\377u\374\350\276\375\377\377\203}\20\1u\25V\377u\374hP\364\376\17\377u\10\350\1O\0\0;\307u\33\377u\370\377u\364\350\320\324\0\0;\307t\20\203\370\2u\7\273\26\0\11\200\353\6\213\330\353\23\333\213E\364;\307\2135\214\20\375\17t\21=\1\0\0\200t\12=\2\0\0\200t\3P\377\3269}\374t\5\377u\374\377\3269}\370t\10\377u\370\3507\257\0", ) , ) == 0x0 01152 292 NtReadFile (152, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (152, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\204\16\1\0\0\213\306+\326\212\10\210\14\2@:\313u\366\377u\364\2135\344\21\375\17\377\326Y\215E\314P\215E\344P\215E\340P\215E\334P\215E\330P\215E\324P\215E\20P\215E\354PSSS\377u\370\377\25\230\20\375\17;\303\17\205\274\0\0\0\213E\20\203\300\2P\350\235\240\0\0\211E\374\213E\20\203\300\2P\350\216\240\0\09]\374\211E\360\17\204\231\0\0\0;\303\17\204\221\0\0\09]\354\211]\14vT\213E\20\203\300\2\211E\350\215E\314PSSS\215E\350P\377u\374\377u\14\377u\370\377\25\224\20\375\17;\303u^\377u\374\377u\360\377\25t\21\375\17\377u\374\377\326Y\377u\364\377u\374\377\25d\21\375\17\205\300t\17\377E\14\213E\14;E\354r\2543\366\3534\215\267D\1\0\0\3776\350=\240\0\0S\377u\24\211\36\377u\360W\350'\366\377\377;\303u\15W\377u\10\350\350\373\377\377;\303t\317\213\360\353\3j\10^9]\370t\11\377u\370\377\25\214\20\375\179]\364t\10\377u\364\350\373\237\0\09]\374t\10\377u\374\350\356\237\0\09]\360t\10\377u\360\350\341\237\0\0_\213\306^[\311\302\20\0U\213\354\203\354\34S3\333V\211]\374\350C\244\0\0\367E\14\207\377\377\17t\12\276\11\0\11\200\351\317\3\0\0\213E\14\276\0\0\0\360#\306;\306W\213}\10\211E\370u\23\205\377t\17\200?\0t\12\276\11\0\11\200\351\246\3\0\0j\4\377u\24\377\25\\21\375\17\205\300t\10jW^\351\217\3\0\0\205\377t+\200?\0t+\213\307\215P\1\212\10@\204\311u\371+\302@\366E\14\10tj=\5\1\0\0vc\276\37\0\11\200\351`\3\0\09u\370tuj@^V\350\7\237\0", ) , ) == 0x0 01153 292 NtReadFile (152, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (152, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\375\173\333C\211]\330\213E\30\211E\274\215E\274P\215E\270P\215E\264P\350\215\202\0\0\205\300u\14\307E\300 \0\11\200\351\250\1\0\0\377u\264\350\305\220\0\0\211E\344\205\300u\14\307E\300\10\0\0\0\351\215\1\0\0\211]\334\377u\270\350\247\220\0\0\213\370\211}\340\205\377t\340\215\206`\1\0\0\2038\377t\20\211E\310\307E\314\277\303\375\17\215E\310\211E\324h\1\0\1\0\377u\30W\377u\344\377u\324\350\177~\0\0\205\300t\222SSW\377u\344\350'\376\377\377\211E\260\205\300\17\205-\1\0\0SPW\377u\344\350\21\376\377\377\211E\260\205\300\17\205\27\1\0\09E\20u2\215~@\211}\254\215\2368\1\0\0\211]\250\215F(\211E\244\215\2064\1\0\0\211E\240\215FH\211E\234\307E\230\1\0\0\0\241T\364\376\17\353-\215~L\211}\254\215\2360\1\0\0\211]\250\215F0\211E\244\215\206,\1\0\0\211E\240\215FT\211E\234\203e\230\0\241X\364\376\17\211E\224\213\7\205\300t\15P\350\374\217\0\0\3773\350\365\217\0\0\203e\334\0\213E\270\213M\240\211\1\213E\264\213M\244\211\1\213E\340\211\3\213E\344\211\7\17\266E\14\203\340\1\213M\234\211\1\366F\3\360u\26\377u\230\377u\14\377u\224V\350\361\341\377\377\211E\260\205\300uW\213}\24W\203}\20\0u\36j\2\377u\10\350\202\231\377\377\205\300u\10\377\25\234\21\375\17\3537\215E\320Pj\3\353\24j\1\377u\10\350d\231\377\377\205\300t\342\215E\320Pj\4\377u\10\3777\350|\3\0\0\211E\260\205\300t\23= \0\11\200u\3\203\300\343\211E\300\203M\374\377\3536\270\0@\0\0\205E\14t\15\213M\320\11A\10\213E\320\200Hi\1", ) , ) == 0x0 01154 292 NtReadFile (152, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (152, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "h\3\0\0V\350\362\200\0\0\213\370\205\377\211{\30u\10j\10X\3518\2\0\0\271\332\0\0\03\300\363\253\211s\24\213E\20\213{\30j\24Y;\301\17\2058\1\0\0\213u\24\213F\14\211\207d\3\0\0\213\6\203\350\0\17\204\244\0\0\0Ht\12\270\5\0\11\200\351\367\1\0\0\213F\10\250\7u\357\215M\374Qj\0\301\350\3P\377v\4\213E\10\377\260\200\1\0\0\350d~\377\377\205\300u\12\270\11\0\11\200\351\307\1\0\0\213F\4-\1f\0\0t\33Ht\30Ht\25\203\350\6t\20-\370\1\0\0u\252\203\247\\3\0\0\0\353\12\307\207\\3\0\0\10\0\0\0\201{\4\5L\0\0u\25\213F\10\301\350\3;C\14t\12\270\3\0\11\200\351z\1\0\0\213F\10\301\350\3\211\207P\3\0\0\213F\4\211\207H\3\0\0\351^\1\0\0\213F\4-\3\200\0\0t9H\17\205N\377\377\377\201{\4\4L\0\0u\24\211\217X\3\0\0\213F\10\301\350\3\211\207T\3\0\0\353A\201~\10\240\0\0\0\17\205$\377\377\377\211\217T\3\0\0\353,\201{\4\4L\0\0u\14\307\207X\3\0\0\20\0\0\0\353\310\201~\10\200\0\0\0\17\205\372\376\377\377\307\207T\3\0\0\20\0\0\0\213F\4\211\207L\3\0\0\351\341\0\0\0\203\350\25\17\204\253\0\0\0H\17\204\205\0\0\0\203\350\4t?Ht\12\270\12\0\11\200\351\301\0\0\0\213E\24\213\10\201\371\0\1\0\0\17\207\257\376\377\377\213[\4\201\373\4L\0\0t\10\201\373\5L\0\0u\322\211\217D\3\0\0\201\307D\2\0\0\353z\201{\4\4L\0\0u\273\213\207<\2\0\0\205\300t\6P\350O\177\0\0\213u\24\213\6P\211\207@\2\0\0\350\16\177\0\0\205\300\211\207<\2", ) , ) == 0x0 01155 292 NtReadFile (152, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (152, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\10\377u\354\377u\374\3770\350\352\370\377\377\205\300t\4\213\360\353\36\213M\350\213E\34\213u\364\213}\30\211\10\213\301\301\351\2\363\245\213\310\203\341\3\363\2443\366\377u\374\350\360p\0\0\203}\364\0t\10\377u\364\350\342p\0\0_\213\306^[\311\302\30\0U\213\354\203\354\20\213E\10\213@\14\203e\374\0SV\213u\20\213\16\211E\370\213\200,\3\0\0\215D\10\5P\211E\364\350|p\0\0\213\330\205\333u\10j\10^\351\245\0\0\0\213U\20\306\3\1f\307C\1sl\213\16\213u\14\213\301W\301\351\2\215{\3\363\245\213\310\203\341\3\363\244\213\2f\307D\30\3sl\213E\370\213\22\213\210,\3\0\0\215|\32\5\213\321\301\351\2\215\260,\2\0\0\363\245\213\312\203\341\3j\1\363\244\215M\360Q\215M\374Q\377p\10\213E\10\377u\364S\3770\350\0\370\377\377\205\300t\4\213\360\353\36\213M\360\213E\20\213u\374\213}\14\211\10\213\301\301\351\2\363\245\213\310\203\341\3\363\2443\366S\350\10p\0\0\203}\374\0_t\10\377u\374\350\371o\0\0\213\306^[\311\302\14\0U\213\354\203\354`SVW3\300j\6Y\215}\310\363\253\213E\20\213X\14\213M\143\366\270\3L\0\0+\310\211u\374\211u\360\211u\344\211u\350t!\203\351\4t\12\276\10\0\11\200\351c\1\0\0\213C\14\211E\370\213C\4\307E\360\1\0\0\0\353\6\213K\20\211M\370\213K\24\211E\364\213E\3703\322\215D\1\377\367\361\203\370\2\211E\354v\12\276 \0\11\200\351(\1\0\03\3009E\354v-\215x\1\215E\340P\215D5\240P\377u\360\377u\24W\377u\20\350\341\373\377\377\205\300\17\205\351\0\0\0\3u\340\213\307;E\354r\323\201}\14\7L\0\0u", ) , ) == 0x0 01156 292 NtReadFile (152, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (152, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\253\2533\3339]\24\253j\20_\211]\374\211}\354\211]\364t\1C\213u\10\215E\374P\377v\\3506\377\377\377\205\300t\4\213\360\353W\203}\20\2\213\206T\1\0\0\213H\4\213U\14u\33\203}\30\0t\5\213RH\353\3\213RD\215u\354WV\215p\30\203\300\10\353\31\203}\30\0t\5\213RP\353\3\213RL\215u\354WV\215p8\203\300(\377u\374\211U\370\213\21VPSQ\377R@3\366\203}\374\0t\10\377u\374\350\231`\0\0_\213\306^[\311\302\24\0U\213\354\201\354\210\1\0\0VWjb3\300Y\215\275x\376\377\377\363\253\213E\10\211\205\324\376\377\377\213E\20jP\211E\264\3502`\0\0\213\370\205\377\211}\314u\5j\10^\353WW\350j\373\377\377\205\300u\7\276 \0\11\200\353@\215\205x\376\377\377P\350\252\373\377\377\205\300u.P\377u\24\215\205x\376\377\377j\2\377u\14P\350\343\376\377\377\205\300u\25P\377u\24\215\205x\376\377\377j\1\377u\14P\350\312\376\377\377\213\360W\350\337\372\377\377_\213\306^\311\302\20\0U\213\354\203\354(\213E\10S\213X\4V\213p\10W\213}\14+x\14\213@\20\271\0\0\375\17+\371\301\377\2\3\361\213\26\3\331\215\204\270\0\0\375\17\213\10\205\311x\10\215\201\2\0\375\17\353\3\17\267\0\205\322\211E\374u^S\377\25l\21\375\17\213\370\205\377\211}\10t\j\0WV\377\25H\21\375\17\213\360\205\366u+j\10Y\215}\334\363\253\213E\10\211E\360\241\304\364\376\17\205\300\307E\330$\0\0\0\211]\344t\24\215M\330Qj\5\377\320\353\12W\377\25x\21\375\17\211u\10\203}\10\0t\21\213U\10\377u\374R\377\25p\21\375\17\205\300u\11\377u\374S\350\370\236", ) , ) == 0x0 01157 292 NtReadFile (152, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (152, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "3\3073\367\301\306\22\213\3763\360\201\346\17\0\360\3773\3763\306\301\307\14\213\3673\370\201\347\360\360\360\3603\3673\307\301\310\4\211\2\211r\4]_^[\302\20\0\213Ex3\333\213U|3\3063\326%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\375\213\2518N\375\173\375\212\316\301\350\20\213\2538M\375\173\375\212\334\301\352\20\213\2518O\375\173\375\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\373\213\2318S\375\173\373\213\2308P\375\173\373\213\2328Q\375\173\373\213Ep3\333\213Ut3\3073\327%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\365\213\2518N\375\173\365\212\316\301\350\20\213\2538M\375\173\365\212\334\301\352\20\213\2518O\375\173\365\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\363\213\2318S\375\173\363\213\2308P\375\173\363\213\2328Q\375\173\363\213Eh3\333\213Ul3\3063\326%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\375\213\2518N\375\173\375\212\316\301\350\20\213\2538M\375\173\375\212\334\301\352\20\213\2518O\375\173\375\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\373\213\2318S\375\173\373\213\2308P\375\173\373\213\2328Q\375\173\373\213E`3\333\213Ud3\3073\327%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\365\213\2518N\375\173\365\212\316\301\350\20\213\2538M\375\173\365\212\334\301\352\20\213\2518O\375\173\365\213l$\34", ) , ) == 0x0 01158 292 NtReadFile (152, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (152, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10\213l$\34\211t$ \213\302\213\361\203\340?\203\346?f\213DE\0f\213tu\0+\370+\326\213\303\213\367\203\340?\203\346?f\213DE\0f\213tu\0+\310+\336\213t$ f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320", ) , ) == 0x0 01159 292 NtReadFile (152, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (152, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\301\356\30\212\236\3207\375\17\17\266\362\210X\3\212\236\3207\375\17\210X\4\17\266\315\212\211\3207\375\17\210H\5\213L$\34\301\351\20\17\266\311\212\211\3207\375\17\210H\6\213L$\30\301\351\30\212\211\3207\375\17\210H\7\213L$\30\211T$\24\17\266\361\212\236\3207\375\17\210X\10\17\266\326\212\222\3207\375\17\210P\11\17\266T$\22\212\222\3207\375\17\210P\12\17\266T$\37\212\222\3207\375\17\213\30\210P\13\17\266T$\34\212\222\3207\375\17\213p\4\210P\14\17\266\315\212\221\3207\375\17\17\266L$\26\210P\15\212\221\3207\375\17\17\266L$\23\210P\16\212\221\3207\375\17\210P\17\213\173\331\211\30\213W\43\362\213P\10\211p\4\213O\103\321\211P\10\213W\14\213H\14_^3\312]\211H\14[\203\304\20\302\20\0\213D$\20\213T$\4\203\370\1\213D$\14\213\10Qu\22\203\300\4P\213D$\20RP\350\275\370\377\377\302\20\0\5\364\0\0\0P\213D$\20RP\350I\374\377\377\302\20\0\220\220\220\220\220\220\213D$\10S\213\$\20VW\213|$\20S\215w\4VP\211\37\350\224\365\377\377\215\207\364\0\0\0S\213\370\271<\0\0\0P\363\245\350n\367\377\377_^[\302\14\0\220\220\220\220\220\220\220\220S3\3223\311V\213D$\24\213t$\14W\213\370\213\$\24U\212\216\0\1\0\0\213\353\212\226\1\1\0\0\205\333\17\204\17\1\0\0\301\353\2\203\340\3\205\333\17\204\326\0\0\0\205\300\17\205\316\0\0\0\213\307\215<\237\211|$\34\203\350\4\213\353\213x\4A3\300\201\341\377\0\0\0\212\4\16\3\320\201\342\377\0\0\0\212\34\26\210\34\16A\210\4\26\2\303\212\4\63\370\201\341\377\0\0\03\300\212\4\16\3\320\201\342\377", ) , ) == 0x0 01160 292 NtReadFile (152, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (152, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\215\4k\215\4\205\14\0\0\0=\0\2\0\0v$Pj\0\377\25<\21\375\17\205\300\211D$,u\15_^][\201\304$\2\0\0\302\24\0\211D$ \353\10\215L$4\211L$ \213T$ \215\14\255\0\0\0\0\215<\21\211|$\30\203\307\4\215\49\215P\4\211T$(\213\321\301\351\2\363\245\213\312\203\341\3\363\244\213\264$8\2\0\0\213|$(\307\0\0\0\0\0\211D$0\215\4\235\0\0\0\0\213\310\213\321\301\351\2\363\245\213\312\203\341\3\363\244\213t$(+\335\307\40\0\0\0\0\211\$\34\17\2108\1\0\0\215\4\235\0\0\0\0\215\140\211L$$\213L$\30\203\301\4+\301\3\306\3\335\215\14\236\211D$\20\211L$\24\353\7\213L$\24\215I\0\203\375\1\213\264$<\2\0\0v\6\213D\256\370\353\23\300\213T\256\374P\213A\374\213\11RPQ\350\352\375\377\377\205\300u\5\270\1\0\0\0\213\$ UVPS\350T\26\0\0\213T$\30\211\2\205\355\213\375|\35\213t$$\213D$\30+\363\213\14\6\213\20;\321wbr\10O\203\350\4\205\377}\355\213|$$\215E\1PSWW\350\177\371\377\377\205\355\213\365|\34\213D$0\220\213L$\20\213\14\1\213\20;\312w\12rFN\203\350\4\205\366}\351\213\$\34\213t$\24\213D$\20\271\4\0\0\0C\3\361\3\371\3\301\211\$\34\211t$\24\211D$\20\353\35\215E\1P\213D$\34\203\300\4PSS\350$\371\377\377\351m\377\377\377\271\4\0\0\0\213D$\34\213\$\24\213T$\20H+\331+\371+\321\205\300\211D$\34\211\$\24\211|$$\211T$\20\17\215\364\376\377\377\213t$(\213\234$@\2\0\0\215\24\255\0\0\0\0\213", ) , ) == 0x0 01161 292 NtReadFile (152, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (152, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "L$$\215\14\301\211T$,\213T$t\211L$\24\215\14\201\211U\0\213D$pPU\211L$ \213L$lVQ\350\337\373\377\377\205\300u\33S\377\25|\21\375\17_^]3\300[\203\304P\302\24\0\353\6\215\233\0\0\0\0\213T$p\213D$dRUWP\350\257\373\377\377\205\300t\320\213L$\20QWV\350/\355\377\377\205\300t\333\213T$\20RWV\350\37\355\377\377\203\370\1t,\213D$\203\311\205\300v"3\300\213\24\206\211T$d\213\24\207\211\24\206\213T$dA\211\24\207\213T$\20\17\267\301;\302r\340\213D$\20\213L$ PWVQ\350-\355\377\377\213T$\20Rj\1S\350\240\352\377\377\213D$\20\213L$\30PSWQ\350\363\351\377\377\213T$\20\213D$\24RSVP\350\342\351\377\377\213L$\20\213T$\30\213D$\24QRPS\350\351\354\377\377\213L$\20\213D$$\215\24\11\213L$\34RSUPQP\350_\366\377\377\205\300\17\204\14\377\377\377\213D$\20\213L$\34P\215\24\0\213D$\30R\213T$0PQRS\350\11\361\377\377\213D$\20\213L$\30\213T$\34P\3\300P\213D$4QRPS\350\354\360\377\377\213L$\20\213T$0\213D$$QWVRPS\350\5\366\377\377\205\300S\17\204\262\376\377\377\213L$\24\213t$$\213|$8\3\311\363\245\213L$\24\213D$t\215\24\315\0\0\0\0\213L$l\211Q\4\3\300\213\320\211A\10\307\1RSA1\301\352\3J\211Q\14\213u\0\211q\20\213L$p\211A\10\211Q\14\213E\0\211A\20\377\25|\21\375\17\270\1\0\0\0_^][\203\304P\302\24\0\220\220\220\220\220\220\220\213D$\4\2018RS", ) 3\300\213\24\206\211T$d\213\24\207\211\24\206\213T$dA\211\24\207\213T$\20\17\267\301;\302r\340\213D$\20\213L$ 
PWVQ\350-\355\377\377\213T$\20Rj\1S\350\240\352\377\377\213D$\20\213L$\30PSWQ\350\363\351\377\377\213T$\20\213D$\24RSVP\350\342\351\377\377\213L$\20\213T$\30\213D$\24QRPS\350\351\354\377\377\213L$\20\213D$$\215\24\11\213L$\34RSUPQP\350_\366\377\377\205\300\17\204\14\377\377\377\213D$\20\213L$\34P\215\24\0\213D$\30R\213T$0PQRS\350\11\361\377\377\213D$\20\213L$\30\213T$\34P\3\300P\213D$4QRPS\350\354\360\377\377\213L$\20\213T$0\213D$$QWVRPS\350\5\366\377\377\205\300S\17\204\262\376\377\377\213L$\24\213t$$\213|$8\3\311\363\245\213L$\24\213D$t\215\24\315\0\0\0\0\213L$l\211Q\4\3\300\213\320\211A\10\307\1RSA1\301\352\3J\211Q\14\213u\0\211q\20\213L$p\211A\10\211Q\14\213E\0\211A\20\377\25|\21\375\17\270\1\0\0\0_^][\203\304P\302\24\0\220\220\220\220\220\220\220\213D$\4\2018RS", ) == 0x0 01162 292 NtReadFile (152, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (152, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\337\377\377\205\300\17\204\262\0\0\0\213\224$P\1\0\0VSRWU\350\260\373\377\377\205\300\17\204\231\0\0\0\213D$\20VUPW\350\237\332\377\377\205\300t\33\215\244$\0\0\0\0\213\214$D\1\0\0VQWW\350@\332\377\377\205\300t\354\213\224$T\1\0\0\213\234$<\1\0\0VRWS\350\205\335\377\377\213D$\34VHP\213\204$L\1\0\0WPS\350\337\336\377\377\205\300t<\213\214$H\1\0\0VQWS\350[\335\377\377\213L$ \215<)\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213D$\34PUSS\350\327\331\377\377\307D$\24\1\0\0\0\213L$$\213|$\20\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213D$\30\205\300][t\7P\377\25|\21\375\17\213D$\14_^\201\304(\1\0\0\302 
\0\220\220\220\220\220\220\220\377t$\4j\10\377\254\21\375\17P\377\258\21\375\17\302\4\0\377t$\10\377t$\10j\10\377\254\21\375\17P\377\250\21\375\17\302\10\0\203|$\4\0t\23\377t$\4j\10\377\254\21\375\17P\377\25\324\20\375\17\302\4\0U\213\354Q\203e\374\0V\215E\374Pj\1\377u\10\377\25\320\20\375\17P\377\25@\20\375\17\205\300u+\2135\234\21\375\17\377\326=\360\3\0\0u&\215E\374P\377u\10\377\25\314\20\375\17P\377\25D\20\375\17\205\300u\4\377\326\353\12\213E\14\213M\374\211\103\300^\311\302\10\0U\213\354SV\2135\340\362\376\17Wj\123\333_\353$\377\25\234\21\375\17\213\310\201\351\265\6\0\0t:\203\351\6u:\203\373\5s)W\377\25\240\21\375\17\3\377C\377u \377u\34\377u\30\377u\24\377u\20\377u\14\377u\10\377\326", ) , ) == 0x0 01163 292 NtReadFile (152, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (152, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\374\215\4@\215\4\3058\0\0\09\1s\12jz\211\1X\351\275\0\0\0SW\213=\260\21\375\17j\1ht]\375\17\377u\14\377\327\213\330\212\6\203\304\14\204\300u88F\1u3\17\266F\2\17\266N\3\301\340\10\3\301\17\266N\4\301\340\10\3\301\17\266N\5\301\340\10\3\301P\213E\14\215\4Xhl]\375\17P\377\327\203\304\14\353.\17\266N\5Q\17\266N\4Q\17\266N\3Q\17\266N\2Q\17\266N\1\17\266\300QP\213E\14\215\4Xh(]\375\17P\377\327\203\304 3\366\3\3309u\374v%V\377u\10\377\25\20\20\375\17\3770\213E\14\215\4Xh\30]\375\17P\377\327\203\304\14\3\330F;u\374r\333\213E\20C\211\30_3\300[^\311\302\14\0U\213\354Q\213E\20\203 
\0\203e\374\0V\215E\374Pj\10\350T\360\377\377\205\300t\4\213\360\353b\213u\14S\213\35\34\20\375\17W\213}\10V\3776\3777j\1\377u\374\377\323\205\300u@\377\25\234\21\375\17\203\370zt\4\213\360\3533\3776\350\313\357\377\377\205\300\211\7u\5j\10^\353!\213M\203\300V@\211\1\3776\3777P\377u\374\377\323\205\300u\10\377\25\234\21\375\17\353\3133\366_[\203}\374\0t\11\377u\374\377\25\340\20\375\17\213\306^\311\302\14\0U\213\354\201\354\14\1\0\0\203e\374\0V\215\205\364\376\377\377\211E\370W\215E\374P\215E\364P\215E\370P\307E\364\0\1\0\0\3506\377\377\377\205\300\213u\370u\15\377u\14\377u\10\3776\350\3\375\377\377\203}\374\0\213\370t\12\205\366t\6V\350a\357\377\377\213\307_^\311\302\10\0U\213\354\201\354\14\1\0\0\203e\374\0V\215\205\364\376\377\377\211E\370W\215E\374P\215E\364P\215", ) , ) == 0x0 01164 292 NtReadFile (152, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (152, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\2S\377\326\213\370;\373u\12\377\25\234\21\375\17\213\360\353p\215D?\2P\350\336\340\377\377;\303\211Elu\5j\10^\353MWPj\377\377u|j\2S\377\326\205\300u\10\377\25\234\21\375\17\353/\377ul\377ux\350\23\370\377\377\205\300t$\215E\314P\377u|\350-\346\377\377;\303u\20\215E\314P\377ux\350\363\367\377\377;\303t\4\213\360\353\23\3669]lt\10\377ul\350\250\340\377\377_\213\306^[\203\305p\311\302\10\0U\215l$\224\201\354\254\0\0\0\203Md\377VW\215EhP\215E`P3\377W\377u|\211}h\377ut\211}`3\366\350\300\361\377\377;\307uG\377ux\377uh\350\363\376\377\377\205\300t?9}|t=\377uh\350M\340\377\377\215EhP\215E`PFV\377u|\211}h\377ut\350\210\361\377\377;\307u\17\377ux\377uh\350\273\376\377\377;\307t\12\213\360\351\204\0\0\03\366FSj(Y3\300\215}\300\363\253\215EdP\215E\300P\377ux\377uh\350e\365\377\377\213\35\340\20\375\17\3537\377ud\377\323\203Md\377\215E\300P\377uh\350\21\367\377\377\205\300u4j(Y\215}\300\363\253\215EdP\215E\300P\377ux3\366\377uhF\350&\365\377\377\205\300t\305\367\336\33\366\201\346\352\377\366\177\201\306\26\0\11\200\353\2\213\360\203}d\377t\5\377ud\377\323[\203}h\
0t\10\377uh\350\211\337\377\377_\213\306^\203\305l\311\302\14\0U\213\354Q\203M\374\377VW\215E\374P\377u\14\377u\20h\0\0\0\200\377u\10\350\1\364\377\3773\366;\306t\17\203\370\2u"\277\26\0\11\200\351\307\0\0\0V\377u\374\377\25\364\20\375\17\203\370\377\211E\20", ) \277\26\0\11\200\351\307\0\0\0V\377u\374\377\25\364\20\375\17\203\370\377\211E\20", ) == 0x0 01165 292 NtReadFile (152, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (152, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\300^_\311\302\4\0\377\25\234\21\375\17\353\362U\213\354\203\354 V\213u\10\215E\350P\215E\364PV\377\25\10\20\375\17\205\300u\13\377\25\234\21\375\17\351\252\0\0\0SV\377\25\300\20\375\17P\211E\10\350\264\320\377\377\205\300\213]\14\211\3u\10j\10X\351\207\0\0\0\366E\365\200\17\204\203\0\0\0\213M\10W\213\370\213\301\301\351\2\363\245\213\310\203\341\3\363\244_\215E\344P\215E\374P\215E\360P\3773\377\25\274\20\375\17\205\300tf3\3669u\360t\219u\374t\14\377u\374\350\344\376\377\377;\306u8\215E\340P\215E\370P\215E\354P\3773\377\25\270\20\375\17\205\300t69u\354t\219u\370t\14\377u\370\350\266\376\377\377;\306u\12\213E\20\213M\10\211\103\300[^\311\302\14\0\215M\10QPV\377\25\264\20\375\17\205\300u\202\377\25\234\21\375\17\353\342U\213\354\203\354\20VW\215E\30P\215E\3743\377P\377u\30\211}\374\211}\364\211}\370\211}\360\350\353\376\377\377;\307u\30\215E\370P\215E\360PW\377u\20\377u\14\350C\341\377\377;\307t\4\213\360\353\177\213u\370SV\350\246\20\0\0\377u\10\213\330\321\343\350\232\20\0\0\321\340Y\211E\30Y\215D\30\2P\350\221\317\377\377;\307\211E\364u\5j\10^\353K\213\313\213\321\301\351\2\377u\374\213\370\363\245\377u\24\213\312\203\341\3\363\244\213M\30\213u\10\203\301\2\213\321\301\351\2\215<\3\363\245\213\312\203\341\3P\363\244\377\25\4\20\375\17\205\300u\12\377\25\234\21\375\17\213\360\353\23\3663\377[9}\374t\10\377u\374\350\\317\377\3779}\370t\10\377u\370\350O\317\377\3779}\364t\10\377u\364\350B\317\377\377_\213\306^\311\302\24\0U\213", ) , ) == 0x0 01166 292 NtReadFile (152, 0, 0, 0, 
4096, 0x0, 0, ... {status=0x0, info=4096}, (152, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\311\302\30\0\213D$\4\353\11;L$\10t\13\203\300X\213\10\205\311u\3613\300\302\10\0\377t$\10\377t$\10\350\331\377\377\377\213L$\14\205\311t\2\211\13\311\205\300\17\225\301\213\301\302\14\0\213D$\20\205\300u\21\377t$\10\377t$\10\350\256\377\377\377\205\300t\23\213L$\149H\10w\129H\14r\53\300@\353\23\300\302\20\0\213T$\20\213D$\14\203"\0\205\300u\21\377t$\10\377t$\10\350v\377\377\377\205\300t\10\213@\4\211\23\300@\302\20\0\270\370\362\376\17\351\0\0\0\0QRPh\334\277\376\17\350\203`\377\377ZY\377\340\270\364\362\376\17\351\345\377\377\377\270\374\362\376\17\351\333\377\377\377\270\354\362\376\17\351\0\0\0\0QRPh\374\277\376\17\350T`\377\377ZY\377\340\377%\354\362\376\17\314\377%D\21\375\17\314\314\314\314\314\314\314\314SV\213D$\30\13\300u\30\213L$\24\213D$\203\322\367\361\213\330\213D$\14\367\361\213\323\353A\213\310\213\$\24\213T$\20\213D$\14\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\360\367d$\30\213\310\213D$\24\367\346\3\321r\16;T$\20w\10r\7;D$\14v\1N3\322\213\306^[\302\20\0\314\314\314\314\314\314\314\314S\213D$\24\13\300u\30\213L$\20\213D$\143\322\367\361\213D$\10\367\361\213\3023\322\353P\213\310\213\$\20\213T$\14\213D$\10\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\310\367d$\24\221\367d$\20\3\321r\16;T$\14w\10r\16;D$\10v\10+D$\20\33T$\24+D$\10\33T$\14\367\332\367\330\203\332\0[\302\20\0\314\377%\334\21\375\17\377%\330\21\375\17\377%\300\21\375\17", ) 
\0\205\300u\21\377t$\10\377t$\10\350v\377\377\377\205\300t\10\213@\4\211\23\300@\302\20\0\270\370\362\376\17\351\0\0\0\0QRPh\334\277\376\17\350\203`\377\377ZY\377\340\270\364\362\376\17\351\345\377\377\377\270\374\362\376\17\351\333\377\377\377\270\354\362\376\17\351\0\0\0\0QRPh\374\277\376\17\350T`\377\377ZY\377\340\377%\354\362\376\17\314\377%D\21\375\17\314\314\314\314\314\314\314\314SV\213D$\30\13\300u\30\213L$\24\213D$\203\322\367\361\213\330\213D$\14\367\361\213\323\353A\213\310\213\$\24\213T$\20\213D$\14\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\360\367d$\30\213\310\213D$\24\367\346\3\321r\16;T$\20w\10r\7;D$\14v\1N3\322\213\306^[\302\20\0\314\314\314\314\314\314\314\314S\213D$\24\13\300u\30\213L$\20\213D$\143\322\367\361\213D$\10\367\361\213\3023\322\353P\213\310\213\$\20\213T$\14\213D$\10\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\310\367d$\24\221\367d$\20\3\321r\16;T$\14w\10r\16;D$\10v\10+D$\20\33T$\24+D$\10\33T$\14\367\332\367\330\203\332\0[\302\20\0\314\377%\334\21\375\17\377%\330\21\375\17\377%\300\21\375\17", ) == 0x0 01167 292 NtReadFile (152, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (152, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\343\316\1\0\365\316\1\0\7\317\1\0\0\0\1\0\2\0\3\0\4\0\5\0\6\0\7\0\10\0\11\0\12\0\13\0\14\0\15\0\16\0\17\0\20\0\21\0\22\0\23\0\24\0\25\0\26\0\27\0\30\0\31\0\32\0RSAENH.dll\0CPAcquireContext\0CPCreateHash\0CPDecrypt\0CPDeriveKey\0CPDestroyHash\0CPDestroyKey\0CPDuplicateHash\0CPDuplicateKey\0CPEncrypt\0CPExportKey\0CPGenKey\0CPGenRandom\0CPGetHashParam\0CPGetKeyParam\0CPGetProvParam\0CPGetUserKey\0CPHashData\0CPHashSessionKey\0CPImportKey\0CPReleaseContext\0CPSetHashParam\0CPSetKeyParam\0CPSetProvParam\0CPSignHash\0CPVerifySignature\0DllRegisterServer\0DllUnregisterServer\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 01168 292 NtReadFile (152, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, (152, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2f\0\0\200\0\0\0(\0\0\0\200\0\0\0\0\0\0\0\4\0\0\0RC2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0RSA Data Security's RC2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1h\0\0\200\0\0\0(\0\0\0\200\0\0\0\0\0\0\0\4\0\0\0RC4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0RSA Data Security's RC4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1f\0\08\0\0\08\0\0\08\0\0\0\0\0\0\0\4\0\0\0DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\37\0\0\0Data Encryption Standard (DES)\0\0\0\0\0\0\0\0\0\0\11f\0\0p\0\0\0p\0\0\0p\0\0\0\0\0\0\0\15\0\0\03DES TWO KEY\0\0\0\0\0\0\0\0\23\0\0\0Two Key Triple DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3f\0\0\250\0\0\0\250\0\0\0\250\0\0\0\0\0\0\0\5\0\0\03DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\25\0\0\0Three Key Triple DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\200\0\0\240\0\0\0", ) , ) == 0x0 01169 292 NtReadFile (152, 0, 0, 0, 2916, 0x0, 0, ... {status=0x0, info=2916}, (152, 0, 0, 0, 2916, 0x0, 0, ... 
{status=0x0, info=2916}, "\0\0\0\0\5L\0\0(\0\0\0(\0\0\0\300\0\0\0\2\0\0\0\14\0\0\0SSL2 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0SSL2 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1L\0\0\200\1\0\0\200\1\0\0\200\1\0\0\4\0\0\0\14\0\0\0SSL3 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0SSL3 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\6L\0\0\200\1\0\0\200\1\0\0\200\1\0\0\10\0\0\0\14\0\0\0TLS1 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0TLS1 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\20\0\0\0SCH MASTER HASH\0\0\0\0\0\25\0\0\0SChannel Master Hash\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\14\0\0\0SCH MAC KEY\0\0\0\0\0\0\0\0\0\21\0\0\0SChannel MAC Key\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\7L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\14\0\0\0SCH ENC KEY\0\0\0\0\0\0\0\0\0\30\0\0\0SChannel", ) , ) == 0x0 01170 292 NtQueryInformationFile (152, 1237600, 8, Position, ... {status=0x0, info=8}, ) == 0x0 01171 292 NtSetInformationFile (152, 1237600, 8, Position, ... {status=0x0, info=0}, ) == 0x0 01172 292 NtQueryInformationFile (152, 1237600, 8, Position, ... {status=0x0, info=8}, ) == 0x0 01173 292 NtSetInformationFile (152, 1237600, 8, Position, ... {status=0x0, info=0}, ) == 0x0 01174 292 NtReadFile (152, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (152, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\0\07\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0o\0p\0e\0n\0 \0s\0i\0g\0n\0a\0t\0u\0r\0e\0 \0f\0i\0l\0e\0?\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0g\0e\0t\0 \0t\0h\0e\0 \0s\0i\0z\0e\0 \0o\0f\0 \0R\0s\0a\0b\0a\0s\0e\0.\0s\0i\0g\03\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0a\0l\0l\0o\0c\0a\0t\0e\0 \0m\0e\0m\0o\0r\0y\04\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0R\0e\0a\0d\0 \0R\0s\0a\0b\0a\0s\0e\0.\0s\0i\0g\05\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0", ) , ) == 0x0 01175 292 NtReadFile (152, 0, 0, 0, 1192, 0x0, 0, ... {status=0x0, info=1192}, (152, 0, 0, 0, 1192, 0x0, 0, ... {status=0x0, info=1192}, "\31\16>W>q>\251>\276>\217?\0\0\0\220\1\0|\0\0\0 0)0J0T0\2120\2360\3070\3460\253182a2\2342\2432\2532\3112\3642\273\2353\2433_4m4\2704\3054\3664+595Q5^5\2045\2165\2505*646\3606\107F7\258 8=8P8d:m:\263<\275<\10=H=`=\220=\210>>?L?q?~?\217?\233?\354?\373?\0\0\0\240\1\0\210\0\0\0\120!0D0}0\2371\3711#2\3512\6333\2043\2353\3333\104V4d4\3264\3514'575v5\2265\3316\3666\67\377e7o7\2117\3457\3677*8\2248\3338!:\177:\251:\270;\276;\325;\344;\356;%<-B>L>\0?\12?\341?\374?\0\260\1\0\10\1\0\0\3240\3500\201\331?1I1\2571\2731\3021\3661'2\2732\3052V3h3n3z3\2273\2563\2643\3253\3663\27484Y4z4\2334\2744\3354\3764\375@5a5\2025\2435\3045\3455\26\376<6Y6o6\1776\2136\2276\2356\2436\2516\2576\2656\2736\3016\3076\3156\3236\3316\3376\3456\3536\3616\3676\3756\37\117\177\257\337"7-7>7I7\2527\38\238&858z8\2538\3428\3608\49\219$939E9c9+:\201:\313:\200;\216;\227;", ) 7-7>7I7\2527\38\238&858z8\2538\3428\3608\49\219$939E9c9+:\201:\313:\200;\216;\227;", ) == 0x0 01176 292 NtUnmapViewOfSection (-1, 0x910000, ... ) == 0x0 01177 292 NtClose (144, ... ) == 0x0 01178 292 NtClose (152, ... 
) == 0x0 01179 292 NtOpenKey (0x20119, {24, 28, 0x40, 0, 0, (0x20119, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography"}, ... 152, ) }, ... 152, ) == 0x0 01180 292 NtQueryValueKey (152, (152, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (152, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0 01181 292 NtQueryValueKey (152, (152, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (152, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0 01182 292 NtQueryValueKey (152, (152, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (152, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0 01183 292 NtQueryValueKey (152, (152, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (152, "MachineGuid", Partial, 144, ... 
TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0 01184 292 NtClose (152, ... ) == 0x0 01185 292 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Offload"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01186 292 NtOpenThreadToken (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN 01187 292 NtOpenProcessToken (-1, 0x8, ... 152, ) == 0x0 01188 292 NtQueryInformationToken (152, User, 1024, ... {token info, class 1, size 36}, 36, ) == 0x0 01189 292 NtClose (152, ... ) == 0x0 01190 292 NtAllocateVirtualMemory (-1, 1388544, 0, 4096, 4096, 4, ... 1388544, 4096, ) == 0x0 01191 292 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... 152, {status=0x0, info=0}, ) }, 7, 16, ... 152, {status=0x0, info=0}, ) == 0x0 01192 292 NtDeviceIoControlFile (152, 0, 0x0, 0x0, 0x390008, (152, 0, 0x0, 0x0, 0x390008, "%k[\360\221~_\244(\36x\214C"Ys\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... 
Ys\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... 01193 292 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 01194 292 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 01195 292 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 01196 292 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 01197 292 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 01198 292 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 01199 292 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 01200 292 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482036, 2, ) }, 0, 0x0, 0, ... -2147482036, 2, ) == 0x0 01201 292 NtSetValueKey (-2147482036, (-2147482036, "Seed", 0, 3, "\366\377\311k\204\253\315M\211\361[\177\316Ll\252\377 \17@_\10\203wJ\375\273\300\211\2154\220\210^K]s\232\234\274\346\13L[\361qx\342\267@\14\217\314\312\302\252\321"\31\357^NY|\364,\6"\227P\254\332\313N';U\314\316\315", 80, ... ) , 0, 3, (-2147482036, "Seed", 0, 3, "\366\377\311k\204\253\315M\211\361[\177\316Ll\252\377 \17@_\10\203wJ\375\273\300\211\2154\220\210^K]s\232\234\274\346\13L[\361qx\342\267@\14\217\314\312\302\252\321"\31\357^NY|\364,\6"\227P\254\332\313N';U\314\316\315", 80, ... 
) \31\357^NY|\364,\6 (-2147482036, "Seed", 0, 3, "\366\377\311k\204\253\315M\211\361[\177\316Ll\252\377 \17@_\10\203wJ\375\273\300\211\2154\220\210^K]s\232\234\274\346\13L[\361qx\342\267@\14\217\314\312\302\252\321"\31\357^NY|\364,\6"\227P\254\332\313N';U\314\316\315", 80, ... ) , 80, ... ) == 0x0 01202 292 NtClose (-2147482036, ... ) == 0x0 01192 292 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "\270\330\316\205$-\304\271W\333\375\220\262aN\1\353I\26\323\352u\376R\5\350W'\2518\353\311~\177\273u\263\350c\266\336\362;\327\243\3123\20095=\201@\24\226\272\0\222\217[&S\33'\377\316\251{\25\200BV\354\277\316\4\242\232-\336\277\366\26\264\264\4|4\361\22dp7\0\234~\215\214\25\33K\311", ) c\266\336\362;\327\243\3123\20095=\201@\24\226\272\0\222\217[&S\33'\377\316\251{\25\200BV\354\277\316\4\242\232-\336\277\366\26\264\264\4|4\361\22dp7\0\234~\215\214\25\33K\311", ) == 0x0 01203 292 NtClose (148, ... ) == 0x0 01204 292 NtDeviceIoControlFile (152, 0, 0x0, 0x0, 0x390008, (152, 0, 0x0, 0x0, 0x390008, "%k[\360\221~_&F\245\215\31\356\327\251.\341z\364pM\324\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01205 292 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 01206 292 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 01207 292 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 01208 292 NtQuerySystemInformation (Exception, 16, ... 
{system info, class 33, size 16}, 16, ) == 0x0 01209 292 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 01210 292 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 01211 292 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 01212 292 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482036, 2, ) }, 0, 0x0, 0, ... -2147482036, 2, ) == 0x0 01213 292 NtSetValueKey (-2147482036, (-2147482036, "Seed", 0, 3, "\316^]8F\2160@f\272-\345Q\234l\261\34\2407 \253\235]`\21\314\332\320\300\307\334\35\4J\207.t(\5\340\304\202\202\216mG\364^\373\31\2\7\370b\303~\243\34\257\227\207\256\330>\367\375\246\253C\342u\360\377\21\263\254\353s\373\314", 80, ... ) , 0, 3, (-2147482036, "Seed", 0, 3, "\316^]8F\2160@f\272-\345Q\234l\261\34\2407 \253\235]`\21\314\332\320\300\307\334\35\4J\207.t(\5\340\304\202\202\216mG\364^\373\31\2\7\370b\303~\243\34\257\227\207\256\330>\367\375\246\253C\342u\360\377\21\263\254\353s\373\314", 80, ... ) , 80, ... ) == 0x0 01214 292 NtClose (-2147482036, ... ) == 0x0 01204 292 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "\377\235t\12;\255N\326\311\204\255R\254\205\355\247\262\5\214E\367\237\273\271r\220\362\274m\354v\204`\314l\317\13\326&M\365\36\17+\331j\300\235\366\241\16pV\243\37\246\234\366\30\330\212\236;\214\363\344s\270S\13\327\215\303/\243T\247\350\332k\354 n\22\321\34b\356\346\226a\301\20\207t\265\244*\357\375\35\217\301\220\365\373u)\200_\304*\202i2~vZ\3239\362\204\312t\243\323\10\15\265\252\364\244 \230\316\311\277\370\352\20\367\203*\303\12G0z4\246\255\201\3455\212\1]\323=\346\312\375\3447\4\205\217\335\300\246\203\245w\275\363\32S\261\370=(\373\225\277\335<_5W\30K40\224\276,\301N\1[va\344LT\334\220\207-0\31\342:\210N\241h\242h\33\261\346!\215`y\263\377,OG\17\224\14\4\226\13w!\35;`6\235\346\1\214h_\302\275\345\244WX", ) , ) == 0x0 01215 292 NtDeviceIoControlFile (152, 0, 0x0, 0x0, 0x390008, (152, 0, 0x0, 0x0, 0x390008, "%k[\360\221~_&F\245\215\31\356\327+@Z\217a\335\270$[\341z\364pM\324\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01216 292 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 01217 292 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 01218 292 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 01219 292 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 01220 292 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 01221 292 NtQuerySystemInformation (ProcessorStatistics, 3016, ... 
{system info, class 23, size 0}, 0, ) == 0x0 01222 292 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 01223 292 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482036, 2, ) }, 0, 0x0, 0, ... -2147482036, 2, ) == 0x0 01224 292 NtSetValueKey (-2147482036, (-2147482036, "Seed", 0, 3, "t}?\335\34\374\242\230\340\354\260\236\332dmDq\353\312s\315'\340T\303v0\326-=1Y\234e\375\237\341\325\34\305b\12\276eL\215w\273\201fr\277&~\14a\273N\14\372\204\313\255\202\324\243\3y\235\301\177\347H\263\345\22\37\254n\23", 80, ... ) , 0, 3, (-2147482036, "Seed", 0, 3, "t}?\335\34\374\242\230\340\354\260\236\332dmDq\353\312s\315'\340T\303v0\326-=1Y\234e\375\237\341\325\34\305b\12\276eL\215w\273\201fr\277&~\14a\273N\14\372\204\313\255\202\324\243\3y\235\301\177\347H\263\345\22\37\254n\23", 80, ... ) , 80, ... ) == 0x0 01225 292 NtClose (-2147482036, ... ) == 0x0 01215 292 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "\325T\24\341 \277\324\344H;\35C[\312(\304\203\365b4\232:\323n\177\277\236{\314`x\225\311/\221\366"\264C\357\263\23\216C\0\244%/\7\231\16\211\237\367\37~\317\250\35\10\204\342\6\357T\12\2242\362\2!\246\247\301S\335\214\376\346\3T\11\245\232\353\323~C\367_yq\16\215\227\22/h[\247\245\325\314\302Tx\352\272\333\214\372p\3\310)l\260\25\23\331\223\370\257m\227\345o\22\342\316t\350\221\33\262\2261\11\203{q\363\202\305\361E=\377\222\211\2730R\350\351\361]\3614\233l1\205=\362\221\226\271\365,\306\33\301\215\321\261\364x\244\13\21o\362\274\325"7\333\310\1\252\316\275\216F\275\337\301tr\343|\204\36s>\214\270\21\346\234,31\311\232\332H1c\35\234\3777\32\17h\344&c\25\364\35\13\316\373RR`S\325\251\234\275\335\352$\271sg\22\374\200!@\276", ) \264C\357\263\23\216C\0\244%/\7\231\16\211\237\367\37~\317\250\35\10\204\342\6\357T\12\2242\362\2!\246\247\301S\335\214\376\346\3T\11\245\232\353\323~C\367_yq\16\215\227\22/h[\247\245\325\314\302Tx\352\272\333\214\372p\3\310)l\260\25\23\331\223\370\257m\227\345o\22\342\316t\350\221\33\262\2261\11\203{q\363\202\305\361E=\377\222\211\2730R\350\351\361]\3614\233l1\205=\362\221\226\271\365,\306\33\301\215\321\261\364x\244\13\21o\362\274\325 ... 
{status=0x0, info=256}, "\325T\24\341 \277\324\344H;\35C[\312(\304\203\365b4\232:\323n\177\277\236{\314`x\225\311/\221\366"\264C\357\263\23\216C\0\244%/\7\231\16\211\237\367\37~\317\250\35\10\204\342\6\357T\12\2242\362\2!\246\247\301S\335\214\376\346\3T\11\245\232\353\323~C\367_yq\16\215\227\22/h[\247\245\325\314\302Tx\352\272\333\214\372p\3\310)l\260\25\23\331\223\370\257m\227\345o\22\342\316t\350\221\33\262\2261\11\203{q\363\202\305\361E=\377\222\211\2730R\350\351\361]\3614\233l1\205=\362\221\226\271\365,\306\33\301\215\321\261\364x\244\13\21o\362\274\325"7\333\310\1\252\316\275\216F\275\337\301tr\343|\204\36s>\214\270\21\346\234,31\311\232\332H1c\35\234\3777\32\17h\344&c\25\364\35\13\316\373RR`S\325\251\234\275\335\352$\271sg\22\374\200!@\276", ) , ) == 0x0 01226 292 NtDeviceIoControlFile (152, 0, 0x0, 0x0, 0x390008, (152, 0, 0x0, 0x0, 0x390008, "%k[\360\221~_&F\245\215\31\356\327+@Z\217a\335\270\2465Z\217a\335\270$[\341z\364pM\324\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01227 292 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 01228 292 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 01229 292 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 01230 292 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 01231 292 NtQuerySystemInformation (Lookaside, 32, ... 
{system info, class 45, size 32}, 32, ) == 0x0 01232 292 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 01233 292 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 01234 292 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482036, 2, ) }, 0, 0x0, 0, ... -2147482036, 2, ) == 0x0 01235 292 NtSetValueKey (-2147482036, (-2147482036, "Seed", 0, 3, "\325V=\201\340\342\362\26\11;\341\305\220\315\314\14~\31\336C\211T\214\365F\306>\363\14[\267\207\15l\373\335\215\16\10\254\342%`"\200@n\251\33\364\207\355P\217.x>\223`\231\343<%C\365\264\363Iz\225a\243i\320\350\367e\312\255\322", 80, ... ) , 0, 3, (-2147482036, "Seed", 0, 3, "\325V=\201\340\342\362\26\11;\341\305\220\315\314\14~\31\336C\211T\214\365F\306>\363\14[\267\207\15l\373\335\215\16\10\254\342%`"\200@n\251\33\364\207\355P\217.x>\223`\231\343<%C\365\264\363Iz\225a\243i\320\350\367e\312\255\322", 80, ... ) \200@n\251\33\364\207\355P\217.x>\223`\231\343<%C\365\264\363Iz\225a\243i\320\350\367e\312\255\322", 80, ... ) == 0x0 01236 292 NtClose (-2147482036, ... ) == 0x0 01226 292 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "8\245\3465\267`\215s9-\357!}\31\274\364\200F\341vJ\206R\326-\264L\317CQ\1v\201\330o\3278\2072\363\21_\226&x\331\3528\362\346\2260t\12\230B5\232\335\33\262\243\344\323'\25a_\370\356\260\2660\200\301G\347\201j\26\6(k\4\265\22\3537\305\321HW\274\345I\274\330\331Z\256A\217@\311\334\362\5c\304T\342\232\242\234\204,wb\13\375>\36\177\220\240I\21\255i/|$\250\24\24\212eZ\313\274\17\0\244Z\213N\213\365\320\357\271\363@\16\236\323B\345)\233\261h\323\373f\253\43!\345\1\314\363\315\0\355\355-~Ww\22-\212\272O\204\346\37\214\4\37R\335\226\2\202\200\222\271*~\17t\321\351\33\334\276\335\362\262A\253DP\230\311\24)\373\207`\264\255-\31\177'\307o\7Cz%m;\244\30G\5\253\356\22(\201\267\234i\232\274@zDz>", ) , ) == 0x0 01237 292 NtDeviceIoControlFile (152, 0, 0x0, 0x0, 0x390008, (152, 0, 0x0, 0x0, 0x390008, "%k[\360\221~_&F\245\215\31\356\327+@Z\217a\335\270\2465Z\217a\335\270\2465Z\217a\335\270$[\341z\364pM\324\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01238 292 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 01239 292 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 01240 292 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 01241 292 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 01242 292 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 01243 292 NtQuerySystemInformation (ProcessorStatistics, 3016, ... 
{system info, class 23, size 0}, 0, ) == 0x0 01244 292 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 01245 292 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482036, 2, ) }, 0, 0x0, 0, ... -2147482036, 2, ) == 0x0 01246 292 NtSetValueKey (-2147482036, (-2147482036, "Seed", 0, 3, "\363\246\353\271\3\263l\22.\234\\331\7\1\216<\248'J\376\260j\341\10<3jR=\256 \276\224\317\240|\11\275\317\367\331\274\2\325\331\203\14S\321\313\2\325\206\216\17\34\3\363\30\301|\241\351\371\266Z\211l!\267\305\227\234\267L'\263Kw", 80, ... ) , 0, 3, (-2147482036, "Seed", 0, 3, "\363\246\353\271\3\263l\22.\234\\331\7\1\216<\248'J\376\260j\341\10<3jR=\256 \276\224\317\240|\11\275\317\367\331\274\2\325\331\203\14S\321\313\2\325\206\216\17\34\3\363\30\301|\241\351\371\266Z\211l!\267\305\227\234\267L'\263Kw", 80, ... ) , 80, ... ) == 0x0 01247 292 NtClose (-2147482036, ... ) == 0x0 01237 292 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "\21H4\256\14Y\257O\201\0\303\274p\263$\36\204\331\266\345\342\274\362\312\327R\221g\275_>\10\364q]{:\263m*\316<\277h\306\336]\250\33m&\207\213\260\357\\256p\364\360\212[\331\307P\1y\266I\263\376_L\262\7\17'Nx\2 \27\263\361\360\355\251k\345\303\200\33\322\265\226Jc\326\313\347\24\15A\223[\313\377\262O\262\0U\316\356\231\207\265\305\231\31\332\30qz\377\275\266:\365N1\230\31\273\325\370\225\330\272Q E\262\371\227\346)\363\325\317\17&\226\2\34\326{e\277\147\370\15?o\309^\230_\226\15z4\341\273\306\361\346\326\324\355\267\301\356`\216+.\206\207k/+\345\274\230\311\376\214\376\213\31\204\36\200\256\31\215\230\217\334\20\356;\234St\35\355\246\213\247%L\324z\315lp\177\315\205\214\250x\210_\356\207a\340e\333\306z8\207\31\363\333\376PV5", ) , ) == 0x0 01248 292 NtDeviceIoControlFile (152, 0, 0x0, 0x0, 0x390008, (152, 0, 0x0, 0x0, 0x390008, "%k[\360\221~_&F\245\215\31\356\327+@Z\217a\335\270\2465Z\217a\335\270\2465Z\217a\335\270\2465Z\217a\335\270$[\341z\364pM\324\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01249 292 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 01250 292 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 01251 292 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 01252 292 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 01253 292 NtQuerySystemInformation (Lookaside, 32, ... 
{system info, class 45, size 32}, 32, ) == 0x0 01254 292 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 01255 292 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 01256 292 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482036, 2, ) }, 0, 0x0, 0, ... -2147482036, 2, ) == 0x0 01257 292 NtSetValueKey (-2147482036, (-2147482036, "Seed", 0, 3, "r\314\353\334\344\24\362\356\372\324i\273l\335\224G\324\361xV\240\341\256\333P\255\254Fi"\327\3\73o|\37\254\3126\2425n\4\2602\270\5\233\33\267W\255U\26\271\333&\5F*\204\277oV\5g\201\271U\300)>\334\320$\312te\365", 80, ... ) , 0, 3, (-2147482036, "Seed", 0, 3, "r\314\353\334\344\24\362\356\372\324i\273l\335\224G\324\361xV\240\341\256\333P\255\254Fi"\327\3\73o|\37\254\3126\2425n\4\2602\270\5\233\33\267W\255U\26\271\333&\5F*\204\277oV\5g\201\271U\300)>\334\320$\312te\365", 80, ... ) \327\3\73o|\37\254\3126\2425n\4\2602\270\5\233\33\267W\255U\26\271\333&\5F*\204\277oV\5g\201\271U\300)>\334\320$\312te\365", 80, ... ) == 0x0 01258 292 NtClose (-2147482036, ... ) == 0x0 01248 292 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "\261\21`Q\301\2\321\357 \2564p\10\332\357\361\365\334\275\0tCa\257\22\31\376\26\25\301\3278#m~l?3T\13\327}]\217&\356\262\230\233\212#i\206O\337\322C%\357}\335\5*E\234w\33\201tNs\306O\354\5\3\212\314\207a\10\203\234\4d\364\321\35\316tM\177\217\367*\22\306 0j\340\223\3409\266\21\350\320\224b\320~\355g\303#\277\13\213\266\270R\300\265c>\303\312b\350 \315\245\233\0\353\360Q\337\220\370\250\23p\335\301\340HQx\310\366S\340\306\217\36N\302c\13\264c4\330\14\261xJ\301e\14!\326P\304)\216\14\30\233\237\\240\251r.a\370\314\221\324\371\300\370u\2704\247I\345\242\311\314\16{\321e\224-\257\32D"\250\L\264\332\216\1\265\342\212\25\232\177\13\226\251\217\330\24\360\230D\211\310H\355\316C1a\306\205\346{rd\247;\214\17\252\362", ) \250\L\264\332\216\1\265\342\212\25\232\177\13\226\251\217\330\24\360\230D\211\310H\355\316C1a\306\205\346{rd\247;\214\17\252\362", ) == 0x0 01259 292 NtDeviceIoControlFile (152, 0, 0x0, 0x0, 0x390008, (152, 0, 0x0, 0x0, 0x390008, "%k[\360\221~_&F\245\215\31\356\327+@Z\217a\335\270\2465Z\217a\335\270\2465Z\217a\335\270\2465Z\217a\335\270\2465Z\217a\335\270$[\341z\364pM\324\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01260 292 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 01261 292 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 01262 292 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 01263 292 NtQuerySystemInformation (Exception, 16, ... 
{system info, class 33, size 16}, 16, ) == 0x0 01264 292 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 01265 292 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 01266 292 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 01267 292 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482036, 2, ) }, 0, 0x0, 0, ... -2147482036, 2, ) == 0x0 01268 292 NtSetValueKey (-2147482036, (-2147482036, "Seed", 0, 3, "\336_\364\204\223\273\335A\201\312z\215Je\270\267\1\17\20 \322\304\235\12\5\232?J\26\23\272\231\326\2620=\3236$\205\213_3\274\2417\24\217\377F\327\34\2V[\252\362\364R*\260\303\204\17T\275\231\27\302\320\372E\3\304\15\313\2524N", 80, ... ) , 0, 3, (-2147482036, "Seed", 0, 3, "\336_\364\204\223\273\335A\201\312z\215Je\270\267\1\17\20 \322\304\235\12\5\232?J\26\23\272\231\326\2620=\3236$\205\213_3\274\2417\24\217\377F\327\34\2V[\252\362\364R*\260\303\204\17T\275\231\27\302\320\372E\3\304\15\313\2524N", 80, ... ) , 80, ... ) == 0x0 01269 292 NtClose (-2147482036, ... ) == 0x0 01259 292 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "V\304\370\310\334(\341\350\230\302\275\344\20\347\241\351Q\34\272\217\247\12[?\21\3135\212\14F\250\317d\302$\36\264\301\320+\376D\326\325q\10\30t}\270\30008\217\255\2731\367\206g\255\210\315j\375#NhG\271\211eY\242\337\262\257\363~\202\177\3279@\215a\14z\202c'\372c\371W\255\224\323\225\314Q\273;\227\354?\31\3061^\347\3156k\216\12\313\2073\213\5\25-[\212\220\240\371\336[z7S\216[\265SZ\247Y\301KN\1\353\336\255TW\351\332\257D\0d^\6\372\14\350\25\14i\311\276\237H.\22A\276W\21:\373\343{w\235O|\4z\214\205jM\255Rh\365\4]Mf\260\363W"#\361z\13S?\267\36\23&\340y\277p\26Lv4\370\354\225\261\306\272}I\254\271\337\377\240\272\205\315\340\2268~\203V\345\353\27\235\213\344!\240\345BkL}\227}0", ) #\361z\13S?\267\36\23&\340y\277p\26Lv4\370\354\225\261\306\272}I\254\271\337\377\240\272\205\315\340\2268~\203V\345\353\27\235\213\344!\240\345BkL}\227}0", ) == 0x0 01270 292 NtDeviceIoControlFile (152, 0, 0x0, 0x0, 0x390008, (152, 0, 0x0, 0x0, 0x390008, "%k[\360\221~_&F\245\215\31\356\327+@Z\217a\335\270\2465Z\217a\335\270\2465Z\217a\335\270\2465Z\217a\335\270\2465Z\217a\335\270\2465Z\217a\335\270$[\341z\364pM\324\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01271 292 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 01272 292 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 01273 292 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 01274 292 NtQuerySystemInformation (Exception, 16, ... 
{system info, class 33, size 16}, 16, ) == 0x0 01275 292 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 01276 292 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 01277 292 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 01278 292 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482036, 2, ) }, 0, 0x0, 0, ... -2147482036, 2, ) == 0x0 01279 292 NtSetValueKey (-2147482036, (-2147482036, "Seed", 0, 3, "\15\231z\252&I\242\21\265L\226z\322\347\246aH\345\301\2473\376\237\264\321p3\305\205\353\35\312Vf\216\25\250!b\323[\15\204<\306SP\370\307\30\361\204\361\3127\377\224z\322b\312\345\271"\330)\276o\246\241K\374\323\321}\232%\255\345\215", 80, ... ) , 0, 3, (-2147482036, "Seed", 0, 3, "\15\231z\252&I\242\21\265L\226z\322\347\246aH\345\301\2473\376\237\264\321p3\305\205\353\35\312Vf\216\25\250!b\323[\15\204<\306SP\370\307\30\361\204\361\3127\377\224z\322b\312\345\271"\330)\276o\246\241K\374\323\321}\232%\255\345\215", 80, ... ) \330)\276o\246\241K\374\323\321}\232%\255\345\215", 80, ... ) == 0x0 01280 292 NtClose (-2147482036, ... ) == 0x0 01270 292 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "\350\367\344,YA\31W\34\326\336c0\305\32\265/\211\341\242 \365\251\325\307\270\246n\324ncJ\224\12\2602\242\337_[\26\251\3702N\347\36\201\251\353\26\355+\3531r\1\361\330d\250]{H\267\327H\341\3538wU\225\231\206\336TNy\336\27q7\316\265\363\2659\235\216\346H\201\35AX\206\301\12K\223\256*Mv@\320\223K1\256\365\220`\301\355\356\11Q\237BO\345\212\177\240\205a\275\233_\240\221;\355\221 \247\223)8\6\2432\343\324\13+\311h\274\271]\2225\14,\366\257\222\253\352\23\355\233L\212A\304\325}\137\266\323\230\2121&\265\357{\253\250\15\271\351\232\322\340`J\243\205\201+\275Qs\333\312\314\377\5\361\323Z\255`\2218X\236\237\342\3107\212\241X>\343}\317\15G\337m~~\207\363=\310_\35\372b\362\240\177r1E+\211\37\355Kr\316\7", ) , ) == 0x0 01281 292 NtOpenFile (0x100020, {24, 0, 0x42, 0, 0, (0x100020, {24, 0, 0x42, 0, 0, "\??\u:\work\"}, 3, 33, ... 148, {status=0x0, info=1}, ) }, 3, 33, ... 148, {status=0x0, info=1}, ) == 0x0 01282 292 NtQueryVolumeInformationFile (148, 1238968, 8, Device, ... {status=0x0, info=8}, ) == 0x0 01283 292 NtClose (12, ... ) == 0x0 01284 292 NtContinue (1237420, 0, ... 01285 292 NtTerminateProcess (0, 0, ... ) == 0x0 01286 292 NtClose (136, ... ) == 0x0 01287 292 NtUnmapViewOfSection (-1, 0x3d0000, ... ) == 0x0 01288 292 NtClose (140, ... ) == 0x0 01289 292 NtClose (132, ... ) == 0x0 01290 292 NtFreeVirtualMemory (-1, (0x390000), 0, 32768, ... (0x390000), 262144, ) == 0x0 01291 292 NtUserUnregisterClass (1239600, 1991376896, 1239588, ... ) == 0x0 01292 292 NtUserGetClassInfo (1999896576, 1239688, 1239640, 1239716, 0, ... ) == 0xc03b 01293 292 NtUserUnregisterClass (1239692, 1999896576, 1239680, ... ) == 0x1 01294 292 NtUserGetClassInfo (1999896576, 1239688, 1239640, 1239716, 0, ... ) == 0xc03d 01295 292 NtUserUnregisterClass (1239692, 1999896576, 1239680, ... ) == 0x1 01296 292 NtUserGetClassInfo (1999896576, 1239688, 1239640, 1239716, 0, ... ) == 0xc03f 01297 292 NtUserUnregisterClass (1239692, 1999896576, 1239680, ... 
) == 0x1 01298 292 NtUserGetClassInfo (1999896576, 1239688, 1239640, 1239716, 0, ... ) == 0xc041 01299 292 NtUserUnregisterClass (1239692, 1999896576, 1239680, ... ) == 0x1 01300 292 NtUserGetClassInfo (1999896576, 1239688, 1239640, 1239716, 0, ... ) == 0xc043 01301 292 NtUserUnregisterClass (1239692, 1999896576, 1239680, ... ) == 0x1 01302 292 NtUserGetClassInfo (1999896576, 1239688, 1239640, 1239716, 0, ... ) == 0xc045 01303 292 NtUserUnregisterClass (1239692, 1999896576, 1239680, ... ) == 0x1 01304 292 NtUserGetClassInfo (1999896576, 1239688, 1239640, 1239716, 0, ... ) == 0xc047 01305 292 NtUserUnregisterClass (1239692, 1999896576, 1239680, ... ) == 0x1 01306 292 NtUserGetClassInfo (1999896576, 1239688, 1239640, 1239716, 0, ... ) == 0xc049 01307 292 NtUserUnregisterClass (1239692, 1999896576, 1239680, ... ) == 0x1 01308 292 NtUserGetClassInfo (1999896576, 1239688, 1239640, 1239716, 0, ... ) == 0xc04b 01309 292 NtUserUnregisterClass (1239692, 1999896576, 1239680, ... ) == 0x1 01310 292 NtUserGetClassInfo (1999896576, 1239688, 1239640, 1239716, 0, ... ) == 0xc04d 01311 292 NtUserUnregisterClass (1239692, 1999896576, 1239680, ... ) == 0x1 01312 292 NtUserGetClassInfo (1999896576, 1239688, 1239640, 1239716, 0, ... ) == 0xc04f 01313 292 NtUserUnregisterClass (1239692, 1999896576, 1239680, ... ) == 0x1 01314 292 NtUserGetClassInfo (1999896576, 1239688, 1239640, 1239716, 0, ... ) == 0xc051 01315 292 NtUserUnregisterClass (1239692, 1999896576, 1239680, ... ) == 0x1 01316 292 NtUserGetClassInfo (1999896576, 1239688, 1239640, 1239716, 0, ... ) == 0xc053 01317 292 NtUserUnregisterClass (1239692, 1999896576, 1239680, ... ) == 0x1 01318 292 NtUserGetClassInfo (1999896576, 1239688, 1239640, 1239716, 0, ... ) == 0xc057 01319 292 NtUserUnregisterClass (1239692, 1999896576, 1239680, ... ) == 0x1 01320 292 NtUserGetClassInfo (1999896576, 1239688, 1239640, 1239716, 0, ... ) == 0xc059 01321 292 NtUserUnregisterClass (1239692, 1999896576, 1239680, ... 
) == 0x1 01322 292 NtUserGetClassInfo (1999896576, 1239688, 1239640, 1239716, 0, ... ) == 0xc05b 01323 292 NtUserUnregisterClass (1239692, 1999896576, 1239680, ... ) == 0x1 01324 292 NtUserGetClassInfo (1999896576, 1239688, 1239640, 1239716, 0, ... ) == 0xc05d 01325 292 NtUserUnregisterClass (1239692, 1999896576, 1239680, ... ) == 0x1 01326 292 NtUserGetClassInfo (1999896576, 1239688, 1239640, 1239716, 0, ... ) == 0xc05f 01327 292 NtUserUnregisterClass (1239692, 1999896576, 1239680, ... ) == 0x1 01328 292 NtUserGetClassInfo (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc03b 01329 292 NtUserUnregisterClass (1239692, 1905590272, 1239680, ... ) == 0x1 01330 292 NtUserGetClassInfo (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc03d 01331 292 NtUserUnregisterClass (1239692, 1905590272, 1239680, ... ) == 0x1 01332 292 NtUserGetClassInfo (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc03f 01333 292 NtUserUnregisterClass (1239692, 1905590272, 1239680, ... ) == 0x1 01334 292 NtUserGetClassInfo (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc041 01335 292 NtUserUnregisterClass (1239692, 1905590272, 1239680, ... ) == 0x1 01336 292 NtUserGetClassInfo (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc043 01337 292 NtUserUnregisterClass (1239692, 1905590272, 1239680, ... ) == 0x1 01338 292 NtUserGetClassInfo (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc045 01339 292 NtUserUnregisterClass (1239692, 1905590272, 1239680, ... ) == 0x1 01340 292 NtUserGetClassInfo (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc047 01341 292 NtUserUnregisterClass (1239692, 1905590272, 1239680, ... ) == 0x1 01342 292 NtUserGetClassInfo (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc049 01343 292 NtUserUnregisterClass (1239692, 1905590272, 1239680, ... ) == 0x1 01344 292 NtUserGetClassInfo (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc04b 01345 292 NtUserUnregisterClass (1239692, 1905590272, 1239680, ... 
) == 0x1 01346 292 NtUserGetClassInfo (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc04d 01347 292 NtUserUnregisterClass (1239692, 1905590272, 1239680, ... ) == 0x1 01348 292 NtUserGetClassInfo (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc04f 01349 292 NtUserUnregisterClass (1239692, 1905590272, 1239680, ... ) == 0x1 01350 292 NtUserGetClassInfo (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc051 01351 292 NtUserUnregisterClass (1239692, 1905590272, 1239680, ... ) == 0x1 01352 292 NtUserGetClassInfo (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc053 01353 292 NtUserUnregisterClass (1239692, 1905590272, 1239680, ... ) == 0x1 01354 292 NtUserGetClassInfo (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc057 01355 292 NtUserUnregisterClass (1239692, 1905590272, 1239680, ... ) == 0x1 01356 292 NtUserGetClassInfo (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc059 01357 292 NtUserUnregisterClass (1239692, 1905590272, 1239680, ... ) == 0x1 01358 292 NtUserGetClassInfo (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc05b 01359 292 NtUserUnregisterClass (1239692, 1905590272, 1239680, ... ) == 0x1 01360 292 NtUserGetClassInfo (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc05d 01361 292 NtUserUnregisterClass (1239692, 1905590272, 1239680, ... ) == 0x1 01362 292 NtUserGetClassInfo (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc05f 01363 292 NtUserUnregisterClass (1239692, 1905590272, 1239680, ... ) == 0x1 01364 292 NtUserGetClassInfo (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc017 01365 292 NtUserUnregisterClass (1239692, 1905590272, 1239680, ... ) == 0x1 01366 292 NtUserGetClassInfo (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc019 01367 292 NtUserUnregisterClass (1239692, 1905590272, 1239680, ... ) == 0x1 01368 292 NtUserGetClassInfo (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc018 01369 292 NtUserUnregisterClass (1239692, 1905590272, 1239680, ... 
) == 0x1 01370 292 NtUserGetClassInfo (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc01a 01371 292 NtUserUnregisterClass (1239692, 1905590272, 1239680, ... ) == 0x1 01372 292 NtUserGetClassInfo (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc01c 01373 292 NtUserUnregisterClass (1239692, 1905590272, 1239680, ... ) == 0x1 01374 292 NtUserGetClassInfo (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc01e 01375 292 NtUserUnregisterClass (1239692, 1905590272, 1239680, ... ) == 0x1 01376 292 NtUserGetClassInfo (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc01b 01377 292 NtUserUnregisterClass (1239692, 1905590272, 1239680, ... ) == 0x1 01378 292 NtUserGetClassInfo (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc068 01379 292 NtUserUnregisterClass (1239692, 1905590272, 1239680, ... ) == 0x1 01380 292 NtUserGetClassInfo (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc06a 01381 292 NtUserUnregisterClass (1239692, 1905590272, 1239680, ... ) == 0x1 01382 292 NtUnmapViewOfSection (-1, 0x380000, ... ) == 0x0 01383 292 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x5,}, 4, ... ) == 0x0 01384 292 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x2,}, 4, ... ) == 0x0 01385 292 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x3,}, 4, ... ) == 0x0 01386 292 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x4,}, 4, ... ) == 0x0 01387 292 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x1,}, 4, ... ) == 0x0 01388 292 NtClose (152, ... ) == 0x0 01389 292 NtFreeVirtualMemory (-1, (0x0), 0, 32768, ... ) == STATUS_MEMORY_NOT_ALLOCATED 01390 292 NtRequestWaitReplyPort (24, {20, 48, new_msg, 0, 1398559575, 1702130553, 1546793837, 0} (24, {20, 48, new_msg, 0, 1398559575, 1702130553, 1546793837, 0} "\0\0\0\0\3\0\1\0$\354\22\0\342\363@\0\0\0\0\0" ... {20, 48, reply, 0, 288, 292, 1524, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\342\363@\0\0\0\0\0" ) ... 
{20, 48, reply, 0, 288, 292, 1524, 0} (24, {20, 48, new_msg, 0, 1398559575, 1702130553, 1546793837, 0} "\0\0\0\0\3\0\1\0$\354\22\0\342\363@\0\0\0\0\0" ... {20, 48, reply, 0, 288, 292, 1524, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\342\363@\0\0\0\0\0" ) ) == 0x0 01391 292 NtTerminateProcess (-1, 0, ... 01392 292 NtClose (44, ... ) == 0x0