Summary:


NtAccessCheck(>)  1 
NtSetInformationProcess(>)  1 
NtUserCallNoParam(>)  3 
NtQueryDebugFilterState(>)  15 

NtAddAtom(>)  1 
NtTestAlert(>)  1 
NtUserCallOneParam(>)  3 
NtDeviceIoControlFile(>)  16 

NtCallbackReturn(>)  1 
NtUserBuildNameList(>)  1 
NtUserGetWindowDC(>)  3 
NtQueryInformationFile(>)  17 

NtConnectPort(>)  1 
NtUserCreateWindowEx(>)  1 
NtUserOpenDesktop(>)  3 
NtFlushInstructionCache(>)  18 

NtCreateMutant(>)  1 
NtUserGetAtomName(>)  1 
NtUserRegisterWindowMessage(>)  3 
NtUnmapViewOfSection(>)  19 

NtDelayExecution(>)  1 
NtUserGetDC(>)  1 
NtOpenProcessToken(>)  4 
NtCreateSection(>)  23 

NtDuplicateObject(>)  1 
NtUserGetGUIThreadInfo(>)  1 
NtGdiGetStockObject(>)  5 
NtOpenSection(>)  28 

NtEnumerateValueKey(>)  1 
NtUserGetThreadDesktop(>)  1 
NtUserBuildHwndList(>)  5 
NtQueryDefaultLocale(>)  29 

NtFsControlFile(>)  1 
NtGdiCreateSolidBrush(>)  2 
NtUserGetProcessWindowStation(>)  5 
NtOpenFile(>)  32 

NtGdiCreateBitmap(>)  1 
NtGdiDeleteObjectApp(>)  2 
NtQueryVolumeInformationFile(>)  6 
NtQueryAttributesFile(>)  38 

NtGdiInit(>)  1 
NtGdiHfontCreate(>)  2 
NtQueryDefaultUILanguage(>)  8 
NtQueryValueKey(>)  40 

NtGdiQueryFontAssocInfo(>)  1 
NtOpenDirectoryObject(>)  2 
NtQueryVirtualMemory(>)  8 
NtMapViewOfSection(>)  44 

NtGdiSelectBitmap(>)  1 
NtOpenEvent(>)  2 
NtSetInformationThread(>)  8 
NtAllocateVirtualMemory(>)  45 

NtNotifyChangeKey(>)  1 
NtQueryInstallUILanguage(>)  2 
NtSetValueKey(>)  8 
NtUserUnregisterClass(>)  46 

NtOpenKeyedEvent(>)  1 
NtTerminateProcess(>)  2 
NtCreateFile(>)  10 
NtUserFindExistingCursorIcon(>)  48 

NtOpenMutant(>)  1 
NtUserCloseDesktop(>)  2 
NtCreateKey(>)  10 
NtOpenKey(>)  59 

NtOpenProcess(>)  1 
NtUserGetObjectInformation(>)  2 
NtOpenProcessTokenEx(>)  10 
NtUserRegisterClassExWOW(>)  64 

NtOpenSymbolicLinkObject(>)  1 
NtWriteFile(>)  2 
NtOpenThreadTokenEx(>)  10 
NtReadFile(>)  68 

NtOpenThreadToken(>)  1 
NtContinue(>)  3 
NtQuerySection(>)  10 
NtQuerySystemInformation(>)  78 

NtQueryFullAttributesFile(>)  1 
NtCreateEvent(>)  3 
NtRequestWaitReplyPort(>)  10 
NtUserGetClassInfo(>)  82 

NtQueryObject(>)  1 
NtCreateSemaphore(>)  3 
NtSetInformationFile(>)  10 
NtUserQueryWindow(>)  128 

NtQuerySymbolicLinkObject(>)  1 
NtGdiCreateCompatibleDC(>)  3 
NtUserSystemParametersInfo(>)  11 
NtClose(>)  140 

NtRegisterThreadTerminatePort(>)  1 
NtQueryInformationProcess(>)  3 
NtFreeVirtualMemory(>)  13 
NtProtectVirtualMemory(>)  215 

NtSecureConnectPort(>)  1 
NtSetInformationObject(>)  3 
NtQueryInformationToken(>)  14 

Trace:
 00001   408   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002   408   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00003   408   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00004   408   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0
 00005   408   NtAllocateVirtualMemory  (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0
 00006   408   NtAllocateVirtualMemory  (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0
 00007   408   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00008   408   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0
 00009   408   NtAllocateVirtualMemory  (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0
 00010   408   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00011   408   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00012   408   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00013   408   NtClose  (12, ... ) == 0x0
 00014   408   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00015   408   NtQueryVolumeInformationFile  (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00016   408   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER
 00017   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019   408   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0
 00020   408   NtClose  (16, ... ) == 0x0
 00021   408   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00022   408   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00023   408   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00024   408   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) == 0x0
 00025   408   NtClose  (16, ... ) == 0x0
 00026   408   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00027   408   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00028   408   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00029   408   NtQueryVirtualMemory  (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00030   408   NtAllocateVirtualMemory  (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0
 00031   408   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 404, 408, 1479, 0} " o\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ... {28, 56, reply, 0, 404, 408, 1479, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 404, 408, 1479, 0} " o\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ) == 0x0
 00032   408   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00033   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00034   408   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00035   408   NtClose  (16, ... ) == 0x0
 00036   408   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00037   408   NtOpenMutant  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0
 00038   408   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 28, ) == 0x0
 00039   408   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0
 00040   408   NtClose  (28, ... ) == 0x0
 00041   408   NtQueryDefaultLocale  (0, 2012046252, ... ) == 0x0
 00042   408   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0
 00043   408   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 212992, ) == 0x0
 00044   408   NtClose  (28, ... ) == 0x0
 00045   408   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0
 00046   408   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0
 00047   408   NtQuerySection  (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00048   408   NtClose  (28, ... ) == 0x0
 00049   408   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0
 00050   408   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0
 00051   408   NtClose  (28, ... ) == 0x0
 00052   408   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00053   408   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00054   408   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00055   408   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 404, 408, 1484, 0} "(\261\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ... {28, 56, reply, 0, 404, 408, 1484, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 404, 408, 1484, 0} "(\261\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ) == 0x0
 00056   408   NtProtectVirtualMemory  (-1, (0x438000), 6316, 4, ... (0x438000), 8192, 128, ) == 0x0
 00057   408   NtProtectVirtualMemory  (-1, (0x438000), 8192, 128, ... (0x438000), 8192, 4, ) == 0x0
 00058   408   NtFlushInstructionCache  (-1, 4423680, 6316, ... ) == 0x0
 00059   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "USER32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00060   408   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0
 00061   408   NtClose  (28, ... ) == 0x0
 00062   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00063   408   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0
 00064   408   NtClose  (28, ... ) == 0x0
 00065   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00066   408   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0
 00067   408   NtClose  (28, ... ) == 0x0
 00068   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00069   408   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0
 00070   408   NtClose  (28, ... ) == 0x0
 00071   408   NtProtectVirtualMemory  (-1, (0x438000), 6316, 4, ... (0x438000), 8192, 64, ) == 0x0
 00072   408   NtProtectVirtualMemory  (-1, (0x438000), 8192, 64, ... (0x438000), 8192, 4, ) == 0x0
 00073   408   NtFlushInstructionCache  (-1, 4423680, 6316, ... ) == 0x0
 00074   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSVCRT.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00075   408   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0
 00076   408   NtClose  (28, ... ) == 0x0
 00077   408   NtProtectVirtualMemory  (-1, (0x438000), 6316, 4, ... (0x438000), 8192, 64, ) == 0x0
 00078   408   NtProtectVirtualMemory  (-1, (0x438000), 8192, 64, ... (0x438000), 8192, 4, ) == 0x0
 00079   408   NtFlushInstructionCache  (-1, 4423680, 6316, ... ) == 0x0
 00080   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00081   408   NtAllocateVirtualMemory  (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0
 00082   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1242624, ... ) }, 1242624, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00083   408   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2_32.dll"}, 1242624, ... ) }, 1242624, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00084   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 1242624, ... ) }, 1242624, ... ) == 0x0
 00085   408   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00086   408   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 28, ... 32, ) == 0x0
 00087   408   NtQuerySection  (32, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00088   408   NtOpenProcessToken  (-1, 0x8, ... 36, ) == 0x0
 00089   408   NtQueryInformationToken  (36, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00090   408   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00091   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 40, ) }, ... 40, ) == 0x0
 00092   408   NtQueryValueKey  (40,  (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00093   408   NtClose  (40, ... ) == 0x0
 00094   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00095   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 40, ) == 0x0
 00096   408   NtQueryInformationToken  (40, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00097   408   NtClose  (40, ... ) == 0x0
 00098   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00099   408   NtClose  (36, ... ) == 0x0
 00100   408   NtClose  (28, ... ) == 0x0
 00101   408   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 86016, ) == 0x0
 00102   408   NtClose  (32, ... ) == 0x0
 00103   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00104   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1241820, ... ) }, 1241820, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00105   408   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2HELP.dll"}, 1241820, ... ) }, 1241820, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00106   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 1241820, ... ) }, 1241820, ... ) == 0x0
 00107   408   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 5, 96, ... 32, {status=0x0, info=1}, ) }, 5, 96, ... 32, {status=0x0, info=1}, ) == 0x0
 00108   408   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 32, ... 28, ) == 0x0
 00109   408   NtQuerySection  (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00110   408   NtClose  (32, ... ) == 0x0
 00111   408   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00112   408   NtClose  (28, ... ) == 0x0
 00113   408   NtProtectVirtualMemory  (-1, (0x438000), 6316, 4, ... (0x438000), 8192, 64, ) == 0x0
 00114   408   NtProtectVirtualMemory  (-1, (0x438000), 8192, 64, ... (0x438000), 8192, 4, ) == 0x0
 00115   408   NtFlushInstructionCache  (-1, 4423680, 6316, ... ) == 0x0
 00116   408   NtProtectVirtualMemory  (-1, (0x438000), 6316, 4, ... (0x438000), 8192, 64, ) == 0x0
 00117   408   NtProtectVirtualMemory  (-1, (0x438000), 8192, 64, ... (0x438000), 8192, 4, ) == 0x0
 00118   408   NtFlushInstructionCache  (-1, 4423680, 6316, ... ) == 0x0
 00119   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHELL32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00120   408   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 8339456, ) == 0x0
 00121   408   NtClose  (28, ... ) == 0x0
 00122   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00123   408   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x772d0000), 0x0, 405504, ) == 0x0
 00124   408   NtClose  (28, ... ) == 0x0
 00125   408   NtProtectVirtualMemory  (-1, (0x438000), 6316, 4, ... (0x438000), 8192, 64, ) == 0x0
 00126   408   NtProtectVirtualMemory  (-1, (0x438000), 8192, 64, ... (0x438000), 8192, 4, ) == 0x0
 00127   408   NtFlushInstructionCache  (-1, 4423680, 6316, ... ) == 0x0
 00128   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLEAUT32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00129   408   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0
 00130   408   NtClose  (28, ... ) == 0x0
 00131   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLE32.DLL"}, ... 28, ) }, ... 28, ) == 0x0
 00132   408   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0
 00133   408   NtClose  (28, ... ) == 0x0
 00134   408   NtProtectVirtualMemory  (-1, (0x438000), 6316, 4, ... (0x438000), 8192, 64, ) == 0x0
 00135   408   NtProtectVirtualMemory  (-1, (0x438000), 8192, 64, ... (0x438000), 8192, 4, ) == 0x0
 00136   408   NtFlushInstructionCache  (-1, 4423680, 6316, ... ) == 0x0
 00137   408   NtOpenProcessToken  (-1, 0x8, ... 28, ) == 0x0
 00138   408   NtQueryInformationToken  (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00139   408   NtClose  (28, ... ) == 0x0
 00140   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00141   408   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00142   408   NtClose  (28, ... ) == 0x0
 00143   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00144   408   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00145   408   NtQueryValueKey  (28,  (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00146   408   NtClose  (28, ... ) == 0x0
 00147   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0
 00148   408   NtQueryValueKey  (28,  (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00149   408   NtClose  (28, ... ) == 0x0
 00150   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0
 00151   408   NtSetInformationObject  (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0
 00152   408   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00153   408   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00154   408   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566}  (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566} "\210\6\31\1\0\0\0\0\314\4\23\0\374\207\16\366\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 404, 408, 1491, 0} "XQ\26\0\0\0\0\0\0\0\0\0\374\207\16\366\3\0\0\0\234\6\31\1$\1\0\0" )  ... {28, 56, reply, 0, 404, 408, 1491, 0}  (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566} "\210\6\31\1\0\0\0\0\314\4\23\0\374\207\16\366\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 404, 408, 1491, 0} "XQ\26\0\0\0\0\0\0\0\0\0\374\207\16\366\3\0\0\0\234\6\31\1$\1\0\0" )  ) == 0x0
 00155   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00156   408   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x440000), 0x0, 1060864, ) == 0x0
 00157   408   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 36, ) == 0x0
 00158   408   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00159   408   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482048, ) == 0x0
 00160   408   NtQueryInformationToken  (-2147482048, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00161   408   NtQueryInformationToken  (-2147482048, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00162   408   NtClose  (-2147482048, ... ) == 0x0
 00163   408   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 4128768, 4096, ) == 0x0
 00164   408   NtFreeVirtualMemory  (-1, (0x3f0000), 4096, 32768, ... (0x3f0000), 4096, ) == 0x0
 00165   408   NtDuplicateObject  (-1, 40, -1, 0x0, 0, 2, ... 48, ) == 0x0
 00166   408   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482048, ) }, ... -2147482048, ) == 0x0
 00167   408   NtQueryValueKey  (-2147482048,  (-2147482048, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00168   408   NtClose  (-2147482048, ... ) == 0x0
 00169   408   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482048, ) }, ... -2147482048, ) == 0x0
 00170   408   NtQueryValueKey  (-2147482048,  (-2147482048, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00171   408   NtClose  (-2147482048, ... ) == 0x0
 00172   408   NtQueryDefaultLocale  (0, -130971124, ... ) == 0x0
 00173   408   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00174   408   NtUserCallNoParam  (24, ... ) == 0x0
 00175   408   NtGdiCreateCompatibleDC  (0, ...
 00176   408   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 4128768, 4096, ) == 0x0
 00175   408   NtGdiCreateCompatibleDC  ... ) == 0x1401031e
 00177   408   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00178   408   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00179   408   NtGdiCreateBitmap  (8, 8, 1, 1, 2010393708, ... ) == 0x13050404
 00180   408   NtGdiCreateSolidBrush  (0, 0, ...
 00181   408   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 8716288, 4096, ) == 0x0
 00180   408   NtGdiCreateSolidBrush  ... ) == 0xe10040a
 00182   408   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00183   408   NtGdiCreateCompatibleDC  (0, ... ) == 0x70010383
 00184   408   NtGdiSelectBitmap  (1879114627, 319095812, ... ) == 0x185000f
 00185   408   NtUserGetThreadDesktop  (408, 0, ... ) == 0x2c
 00186   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 52, ) }, ... 52, ) == 0x0
 00187   408   NtQueryValueKey  (52,  (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00188   408   NtClose  (52, ... ) == 0x0
 00189   408   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00190   408   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 673, 128, 0, ... ) == 0x8123c017
 00191   408   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00192   408   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 674, 128, 0, ... ) == 0x8123c01c
 00193   408   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00194   408   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 675, 128, 0, ... ) == 0x8123c01e
 00195   408   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00196   408   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 676, 128, 0, ... ) == 0x81238002
 00197   408   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10013
 00198   408   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 677, 128, 0, ... ) == 0x8123c018
 00199   408   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00200   408   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 678, 128, 0, ... ) == 0x8123c01a
 00201   408   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00202   408   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 679, 128, 0, ... ) == 0x8123c01d
 00203   408   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00204   408   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 681, 128, 0, ...
 00205   408   NtAllocateVirtualMemory  (-1, 5664768, 0, 4096, 4096, 32, ... 5664768, 4096, ) == 0x0
 00204   408   NtUserRegisterClassExWOW  ... ) == 0x8123c026
 00206   408   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00207   408   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 680, 128, 0, ... ) == 0x8123c019
 00208   408   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x8123c020
 00209   408   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x8123c022
 00210   408   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x8123c023
 00211   408   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x8123c024
 00212   408   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x8123c025
 00213   408   NtCallbackReturn  (0, 0, 0, ...
 00214   408   NtGdiInit  (... ) == 0x1
 00215   408   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00216   408   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00217   408   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00218   408   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 8781824, 65536, ) == 0x0
 00219   408   NtAllocateVirtualMemory  (-1, 8781824, 0, 4096, 4096, 4, ... 8781824, 4096, ) == 0x0
 00220   408   NtAllocateVirtualMemory  (-1, 8785920, 0, 8192, 4096, 4, ... 8785920, 8192, ) == 0x0
 00221   408   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 52, ) }, ... 52, ) == 0x0
 00222   408   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x870000), 0x0, 12288, ) == 0x0
 00223   408   NtClose  (52, ... ) == 0x0
 00224   408   NtAllocateVirtualMemory  (-1, 8794112, 0, 4096, 4096, 4, ... 8794112, 4096, ) == 0x0
 00225   408   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00226   408   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00227   408   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00228   408   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 52, ) }, ... 52, ) == 0x0
 00229   408   NtQueryValueKey  (52,  (52, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (52, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00230   408   NtClose  (52, ... ) == 0x0
 00231   408   NtQueryDefaultUILanguage  (1241756, ...
 00232   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00233   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482048, ) == 0x0
 00234   408   NtQueryInformationToken  (-2147482048, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00235   408   NtClose  (-2147482048, ... ) == 0x0
 00236   408   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482048, ) }, ... -2147482048, ) == 0x0
 00237   408   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00238   408   NtOpenKey  (0x80000000, {24, -2147482048, 0x640, 0, 0,  (0x80000000, {24, -2147482048, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482052, ) }, ... -2147482052, ) == 0x0
 00239   408   NtQueryValueKey  (-2147482052,  (-2147482052, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00240   408   NtClose  (-2147482052, ... ) == 0x0
 00241   408   NtClose  (-2147482048, ... ) == 0x0
 00231   408   NtQueryDefaultUILanguage  ... ) == 0x0
 00242   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00243   408   NtQueryInstallUILanguage  (2012047340, ... ) == 0x0
 00244   408   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1, 96, ... 52, {status=0x0, info=1}, ) }, 1, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00245   408   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 52, ... 56, ) == 0x0
 00246   408   NtMapViewOfSection  (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x880000), 0x0, 8323072, ) == 0x0
 00247   408   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00248   408   NtQueryDefaultUILanguage  (2013024600, ...
 00249   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00250   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482048, ) == 0x0
 00251   408   NtQueryInformationToken  (-2147482048, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00252   408   NtClose  (-2147482048, ... ) == 0x0
 00253   408   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482048, ) }, ... -2147482048, ) == 0x0
 00254   408   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00255   408   NtOpenKey  (0x80000000, {24, -2147482048, 0x640, 0, 0,  (0x80000000, {24, -2147482048, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482052, ) }, ... -2147482052, ) == 0x0
 00256   408   NtQueryValueKey  (-2147482052,  (-2147482052, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00257   408   NtClose  (-2147482052, ... ) == 0x0
 00258   408   NtClose  (-2147482048, ... ) == 0x0
 00248   408   NtQueryDefaultUILanguage  ... ) == 0x0
 00259   408   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00260   408   NtQueryInstallUILanguage  (2013024602, ... ) == 0x0
 00261   408   NtQueryDefaultLocale  (1, 1239792, ... ) == 0x0
 00262   408   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00263   408   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1240648, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1240648, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\14\0\0\0\377\377\377\377\0\0\0\0\20\311\277\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0H\365\22\0\0\0\0\0" ... {128, 156, reply, 0, 404, 408, 1492, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\14\0\0\0\377\377\377\377\0\0\0\0\20\311\277\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0H\365\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 404, 408, 1492, 0}  (24, {128, 156, new_msg, 0, 1240648, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\14\0\0\0\377\377\377\377\0\0\0\0\20\311\277\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0H\365\22\0\0\0\0\0" ... {128, 156, reply, 0, 404, 408, 1492, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\14\0\0\0\377\377\377\377\0\0\0\0\20\311\277\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0H\365\22\0\0\0\0\0" )  ) == 0x0
 00264   408   NtClose  (52, ... ) == 0x0
 00265   408   NtClose  (56, ... ) == 0x0
 00266   408   NtUnmapViewOfSection  (-1, 0x880000, ... ) == 0x0
 00267   408   NtUnmapViewOfSection  (-1, 0x12f548, ... ) == STATUS_NOT_MAPPED_VIEW
 00268   408   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00269   408   NtAllocateVirtualMemory  (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0
 00270   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 56, ) }, ... 56, ) == 0x0
 00271   408   NtQueryValueKey  (56,  (56, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00272   408   NtClose  (56, ... ) == 0x0
 00273   408   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00274   408   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00275   408   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00276   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1238876, ... ) }, 1238876, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00277   408   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00278   408   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00279   408   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00280   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1239468, ... ) }, 1239468, ... ) == 0x0
 00281   408   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 56, {status=0x0, info=1}, ) }, 3, 33, ... 56, {status=0x0, info=1}, ) == 0x0
 00282   408   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00283   408   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00284   408   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 52, ... 60, ) == 0x0
 00285   408   NtClose  (52, ... ) == 0x0
 00286   408   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x880000), 0x0, 921600, ) == 0x0
 00287   408   NtClose  (60, ... ) == 0x0
 00288   408   NtUnmapViewOfSection  (-1, 0x880000, ... ) == 0x0
 00289   408   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 60, {status=0x0, info=1}, ) }, 5, 96, ... 60, {status=0x0, info=1}, ) == 0x0
 00290   408   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 60, ... 52, ) == 0x0
 00291   408   NtQuerySection  (52, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00292   408   NtClose  (60, ... ) == 0x0
 00293   408   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0
 00294   408   NtClose  (52, ... ) == 0x0
 00295   408   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00296   408   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00297   408   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00298   408   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00299   408   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00300   408   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00301   408   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00302   408   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00303   408   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00304   408   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00305   408   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00306   408   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00307   408   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00308   408   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00309   408   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00310   408   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00311   408   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00312   408   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00313   408   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00314   408   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00315   408   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00316   408   NtAddAtom  ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1240652, ... ) , 42, 1240652, ... ) == 0x0
 00317   408   NtQueryDefaultUILanguage  (1239368, ...
 00318   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00319   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482048, ) == 0x0
 00320   408   NtQueryInformationToken  (-2147482048, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00321   408   NtClose  (-2147482048, ... ) == 0x0
 00322   408   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482048, ) }, ... -2147482048, ) == 0x0
 00323   408   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00324   408   NtOpenKey  (0x80000000, {24, -2147482048, 0x640, 0, 0,  (0x80000000, {24, -2147482048, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482060, ) }, ... -2147482060, ) == 0x0
 00325   408   NtQueryValueKey  (-2147482060,  (-2147482060, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00326   408   NtClose  (-2147482060, ... ) == 0x0
 00327   408   NtClose  (-2147482048, ... ) == 0x0
 00317   408   NtQueryDefaultUILanguage  ... ) == 0x0
 00328   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00329   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1238220, ... ) }, 1238220, ... ) == 0x0
 00330   408   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00331   408   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 52, ... 60, ) == 0x0
 00332   408   NtClose  (52, ... ) == 0x0
 00333   408   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x880000), 0x0, 4096, ) == 0x0
 00334   408   NtClose  (60, ... ) == 0x0
 00335   408   NtUnmapViewOfSection  (-1, 0x880000, ... ) == 0x0
 00336   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1237860, ... ) }, 1237860, ... ) == 0x0
 00337   408   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238560,  (0x80100080, {24, 0, 0x40, 0, 1238560, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 60, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 60, {status=0x0, info=1}, ) == 0x0
 00338   408   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 60, ... 52, ) == 0x0
 00339   408   NtClose  (60, ... ) == 0x0
 00340   408   NtMapViewOfSection  (52, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x880000), {0, 0}, 4096, ) == 0x0
 00341   408   NtClose  (52, ... ) == 0x0
 00342   408   NtUnmapViewOfSection  (-1, 0x880000, ... ) == 0x0
 00343   408   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 52, {status=0x0, info=1}, ) }, 1, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00344   408   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 52, ... 60, ) == 0x0
 00345   408   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x880000), 0x0, 4096, ) == 0x0
 00346   408   NtQueryInformationFile  (52, 1238180, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0
 00347   408   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00348   408   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1238260, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1238260, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\14\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\364\353\22\0\0\0\0\0" ... {128, 156, reply, 0, 404, 408, 1495, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\14\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\364\353\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 404, 408, 1495, 0}  (24, {128, 156, new_msg, 0, 1238260, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\14\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\364\353\22\0\0\0\0\0" ... {128, 156, reply, 0, 404, 408, 1495, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\14\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\364\353\22\0\0\0\0\0" )  ) == 0x0
 00349   408   NtClose  (52, ... ) == 0x0
 00350   408   NtClose  (60, ... ) == 0x0
 00351   408   NtUnmapViewOfSection  (-1, 0x880000, ... ) == 0x0
 00352   408   NtUnmapViewOfSection  (-1, 0x12ebf4, ... ) == STATUS_NOT_MAPPED_VIEW
 00353   408   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00354   408   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00355   408   NtUserSystemParametersInfo  (104, 0, 1906151468, 0, ... ) == 0x1
 00356   408   NtUserGetDC  (0, ... ) == 0x1010050
 00357   408   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 00358   408   NtUserSystemParametersInfo  (38, 4, 1906153440, 0, ... ) == 0x1
 00359   408   NtUserSystemParametersInfo  (66, 12, 1240672, 0, ... ) == 0x1
 00360   408   NtOpenProcessToken  (-1, 0x8, ... 60, ) == 0x0
 00361   408   NtAccessCheck  (1329352, 60, 0x1, 1240076, 1240020, 56, 1240104, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 00362   408   NtClose  (60, ... ) == 0x0
 00363   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00364   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 60, ) == 0x0
 00365   408   NtQueryInformationToken  (60, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00366   408   NtClose  (60, ... ) == 0x0
 00367   408   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 60, ) }, ... 60, ) == 0x0
 00368   408   NtSetInformationObject  (60, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 00369   408   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Control Panel\Desktop"}, ... 52, ) }, ... 52, ) == 0x0
 00370   408   NtQueryValueKey  (52,  (52, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00371   408   NtClose  (52, ... ) == 0x0
 00372   408   NtUserSystemParametersInfo  (41, 500, 1240172, 0, ... ) == 0x1
 00373   408   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 52, ) }, ... 52, ) == 0x0
 00374   408   NtQueryValueKey  (52,  (52, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00375   408   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 64, ) }, ... 64, ) == 0x0
 00376   408   NtQueryValueKey  (64,  (64, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00377   408   NtClose  (64, ... ) == 0x0
 00378   408   NtClose  (52, ... ) == 0x0
 00379   408   NtUserSystemParametersInfo  (102, 0, 1906153328, 0, ... ) == 0x1
 00380   408   NtUserSystemParametersInfo  (4130, 0, 1240696, 0, ... ) == 0x1
 00381   408   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 52, ) }, ... 52, ) == 0x0
 00382   408   NtEnumerateValueKey  (52, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 00383   408   NtClose  (52, ... ) == 0x0
 00384   408   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00385   408   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x8123c03b
 00386   408   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x8123c03d
 00387   408   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10011
 00388   408   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x8123c03f
 00389   408   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00390   408   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x8123c041
 00391   408   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00392   408   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x8123c043
 00393   408   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x8123c045
 00394   408   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00395   408   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x8123c047
 00396   408   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10011
 00397   408   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x8123c049
 00398   408   NtUserGetClassInfo  (1905590272, 1240592, 1240544, 1240620, 0, ... ) == 0xc049
 00399   408   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00400   408   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x8123c04b
 00401   408   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00402   408   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x8123c04d
 00403   408   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00404   408   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x8123c04f
 00405   408   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x8123c051
 00406   408   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00407   408   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x8123c053
 00408   408   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10011
 00409   408   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x8123c055
 00410   408   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x8123c057
 00411   408   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00412   408   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x8123c059
 00413   408   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10013
 00414   408   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x8123c05b
 00415   408   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00416   408   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x8123c05d
 00417   408   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00418   408   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x8123c05f
 00419   408   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10011
 00420   408   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x8123c017
 00421   408   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10011
 00422   408   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x8123c019
 00423   408   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10013
 00424   408   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x8123c018
 00425   408   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00426   408   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ...
 00427   408   NtAllocateVirtualMemory  (-1, 5668864, 0, 4096, 4096, 32, ... 5668864, 4096, ) == 0x0
 00426   408   NtUserRegisterClassExWOW  ... ) == 0x8123c01a
 00428   408   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10011
 00429   408   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x8123c01c
 00430   408   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00431   408   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x8123c01e
 00432   408   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10011
 00433   408   NtUserRegisterClassExWOW  (1240488, 1240568, 1240552, 1240584, 0, 384, 0, ... ) == 0x8123c01b
 00434   408   NtUserFindExistingCursorIcon  (1239972, 1239988, 1240556, ... ) == 0x10011
 00435   408   NtUserRegisterClassExWOW  (1240484, 1240564, 1240548, 1240580, 0, 384, 0, ... ) == 0x8123c068
 00436   408   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00437   408   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x8123c06a
 00438   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "comctl32.dll"}, ... 52, ) }, ... 52, ) == 0x0
 00439   408   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0
 00440   408   NtClose  (52, ... ) == 0x0
 00441   408   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {404, 0}, ... 52, ) == 0x0
 00442   408   NtQueryInformationProcess  (52, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 00443   408   NtClose  (52, ... ) == 0x0
 00444   408   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00445   408   NtUserSystemParametersInfo  (104, 0, 2000318720, 0, ... ) == 0x1
 00446   408   NtUserSystemParametersInfo  (38, 4, 2000318708, 0, ... ) == 0x1
 00447   408   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Control Panel\Desktop"}, ... 52, ) }, ... 52, ) == 0x0
 00448   408   NtQueryValueKey  (52,  (52, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00449   408   NtClose  (52, ... ) == 0x0
 00450   408   NtUserSystemParametersInfo  (41, 500, 1241332, 0, ... ) == 0x1
 00451   408   NtUserSystemParametersInfo  (102, 0, 2000318732, 0, ... ) == 0x1
 00452   408   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00453   408   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00454   408   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x8123c03b
 00455   408   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00456   408   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x8123c03d
 00457   408   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00458   408   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00459   408   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x8123c03f
 00460   408   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00461   408   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00462   408   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x8123c041
 00463   408   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00464   408   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00465   408   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x8123c043
 00466   408   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00467   408   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x8123c045
 00468   408   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00469   408   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00470   408   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x8123c047
 00471   408   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00472   408   NtUserFindExistingCursorIcon  (1241120, 1241136, 1241704, ... ) == 0x10011
 00473   408   NtUserRegisterClassExWOW  (1241572, 1241652, 1241636, 1241668, 0, 384, 0, ... ) == 0x8123c049
 00474   408   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00475   408   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00476   408   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x8123c04b
 00477   408   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00478   408   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00479   408   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x8123c04d
 00480   408   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00481   408   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00482   408   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x8123c04f
 00483   408   NtUserGetClassInfo  (1999896576, 1241744, 1241696, 1241772, 0, ... ) == 0x0
 00484   408   NtUserRegisterClassExWOW  (1241580, 1241660, 1241644, 1241676, 0, 384, 0, ... ) == 0x8123c051
 00485   408   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00486   408   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00487   408   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x8123c053
 00488   408   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00489   408   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00490   408   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x8123c055
 00491   408   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x8123c057
 00492   408   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00493   408   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00494   408   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x8123c059
 00495   408   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00496   408   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10013
 00497   408   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x8123c05b
 00498   408   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00499   408   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00500   408   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x8123c05d
 00501   408   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00502   408   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00503   408   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x8123c05f
 00504   408   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc03b
 00505   408   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc03d
 00506   408   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc03f
 00507   408   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc041
 00508   408   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc043
 00509   408   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc045
 00510   408   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc047
 00511   408   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc049
 00512   408   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc04b
 00513   408   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc04d
 00514   408   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc04f
 00515   408   NtUserGetClassInfo  (1999896576, 1243496, 1243448, 1243524, 0, ... ) == 0xc051
 00516   408   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc053
 00517   408   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc055
 00518   408   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc059
 00519   408   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc05b
 00520   408   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc05d
 00521   408   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc05f
 00522   408   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00523   408   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00524   408   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 52, ) }, ... 52, ) == 0x0
 00525   408   NtQueryValueKey  (52,  (52, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (52, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0
 00526   408   NtClose  (52, ... ) == 0x0
 00527   408   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00528   408   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00529   408   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00530   408   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00531   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 52, ) }, ... 52, ) == 0x0
 00532   408   NtQueryValueKey  (52,  (52, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00533   408   NtQueryValueKey  (52,  (52, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00534   408   NtQueryValueKey  (52,  (52, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00535   408   NtClose  (52, ... ) == 0x0
 00536   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 52, ) }, ... 52, ) == 0x0
 00537   408   NtQueryValueKey  (52,  (52, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00538   408   NtQueryValueKey  (52,  (52, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00539   408   NtClose  (52, ... ) == 0x0
 00540   408   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 52, ) }, ... 52, ) == 0x0
 00541   408   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00542   408   NtUserRegisterWindowMessage  ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b
 00543   408   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00544   408   NtOpenKey  (0x9, {24, 28, 0x40, 0, 0,  (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00545   408   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00546   408   NtTestAlert  (... ) == 0x0
 00547   408   NtContinue  (1244464, 1, ...
 00548   408   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x438a39,}, 4, ... ) == 0x0
 00549   408   NtAllocateVirtualMemory  (-1, 0, 0, 128, 4096, 4, ... 8912896, 4096, ) == 0x0
 00550   408   NtAllocateVirtualMemory  (-1, 0, 0, 260, 4096, 4, ... 9043968, 4096, ) == 0x0
 00551   408   NtAllocateVirtualMemory  (-1, 0, 0, 260, 4096, 4, ... 9109504, 4096, ) == 0x0
 00552   408   NtAllocateVirtualMemory  (-1, 0, 0, 176128, 4096, 4, ... 9175040, 176128, ) == 0x0
 00553   408   NtAllocateVirtualMemory  (-1, 0, 0, 28268, 4096, 4, ... 9371648, 28672, ) == 0x0
 00554   408   NtFreeVirtualMemory  (-1, (0x8f0000), 0, 32768, ... (0x8f0000), 28672, ) == 0x0
 00555   408   NtFreeVirtualMemory  (-1, (0x8c0000), 0, 32768, ... (0x8c0000), 176128, ) == 0x0
 00556   408   NtProtectVirtualMemory  (-1, (0x42b820), 20, 64, ... (0x42b000), 4096, 4, ) == 0x0
 00557   408   NtProtectVirtualMemory  (-1, (0x42a234), 4, 64, ... (0x42a000), 4096, 4, ) == 0x0
 00558   408   NtProtectVirtualMemory  (-1, (0x42a238), 4, 64, ... (0x42a000), 4096, 64, ) == 0x0
 00559   408   NtProtectVirtualMemory  (-1, (0x42a23c), 4, 64, ... (0x42a000), 4096, 64, ) == 0x0
 00560   408   NtProtectVirtualMemory  (-1, (0x42a240), 4, 64, ... (0x42a000), 4096, 64, ) == 0x0
 00561   408   NtProtectVirtualMemory  (-1, (0x42a244), 4, 64, ... (0x42a000), 4096, 64, ) == 0x0
 00562   408   NtProtectVirtualMemory  (-1, (0x42a248), 4, 64, ... (0x42a000), 4096, 64, ) == 0x0
 00563   408   NtProtectVirtualMemory  (-1, (0x42a24c), 4, 64, ... (0x42a000), 4096, 64, ) == 0x0
 00564   408   NtProtectVirtualMemory  (-1, (0x42a250), 4, 64, ... (0x42a000), 4096, 64, ) == 0x0
 00565   408   NtProtectVirtualMemory  (-1, (0x42a254), 4, 64, ... (0x42a000), 4096, 64, ) == 0x0
 00566   408   NtProtectVirtualMemory  (-1, (0x42b834), 20, 64, ... (0x42b000), 4096, 64, ) == 0x0
 00567   408   NtProtectVirtualMemory  (-1, (0x42a25c), 4, 64, ... (0x42a000), 4096, 64, ) == 0x0
 00568   408   NtProtectVirtualMemory  (-1, (0x42a260), 4, 64, ... (0x42a000), 4096, 64, ) == 0x0
 00569   408   NtProtectVirtualMemory  (-1, (0x42b848), 20, 64, ... (0x42b000), 4096, 64, ) == 0x0
 00570   408   NtProtectVirtualMemory  (-1, (0x42b8fc), 4, 64, ... (0x42b000), 4096, 64, ) == 0x0
 00571   408   NtProtectVirtualMemory  (-1, (0x42b85c), 20, 64, ... (0x42b000), 4096, 64, ) == 0x0
 00572   408   NtProtectVirtualMemory  (-1, (0x42b904), 4, 64, ... (0x42b000), 4096, 64, ) == 0x0
 00573   408   NtProtectVirtualMemory  (-1, (0x42b870), 20, 64, ... (0x42b000), 4096, 64, ) == 0x0
 00574   408   NtProtectVirtualMemory  (-1, (0x42b90c), 4, 64, ... (0x42b000), 4096, 64, ) == 0x0
 00575   408   NtProtectVirtualMemory  (-1, (0x42b884), 20, 64, ... (0x42b000), 4096, 64, ) == 0x0
 00576   408   NtProtectVirtualMemory  (-1, (0x42b914), 4, 64, ... (0x42b000), 4096, 64, ) == 0x0
 00577   408   NtProtectVirtualMemory  (-1, (0x42b898), 20, 64, ... (0x42b000), 4096, 64, ) == 0x0
 00578   408   NtProtectVirtualMemory  (-1, (0x42b91c), 4, 64, ... (0x42b000), 4096, 64, ) == 0x0
 00579   408   NtFreeVirtualMemory  (-1, (0x880000), 0, 32768, ... (0x880000), 4096, ) == 0x0
 00580   408   NtFreeVirtualMemory  (-1, (0x8b0000), 0, 32768, ... (0x8b0000), 4096, ) == 0x0
 00581   408   NtFreeVirtualMemory  (-1, (0x8a0000), 0, 32768, ... (0x8a0000), 4096, ) == 0x0
 00582   408   NtContinue  (1244280, 0, ...
 00583   408   NtAllocateVirtualMemory  (-1, 0, 0, 128, 4096, 4, ... 8912896, 4096, ) == 0x0
 00584   408   NtAllocateVirtualMemory  (-1, 0, 0, 260, 4096, 4, ... 9043968, 4096, ) == 0x0
 00585   408   NtAllocateVirtualMemory  (-1, 0, 0, 260, 4096, 4, ... 9109504, 4096, ) == 0x0
 00586   408   NtAllocateVirtualMemory  (-1, 0, 0, 126976, 4096, 4, ... 9175040, 126976, ) == 0x0
 00587   408   NtAllocateVirtualMemory  (-1, 0, 0, 28268, 4096, 4, ... 9306112, 28672, ) == 0x0
 00588   408   NtFreeVirtualMemory  (-1, (0x8e0000), 0, 32768, ... (0x8e0000), 28672, ) == 0x0
 00589   408   NtFreeVirtualMemory  (-1, (0x8c0000), 0, 32768, ... (0x8c0000), 126976, ) == 0x0
 00590   408   NtProtectVirtualMemory  (-1, (0x4173c8), 20, 64, ... (0x417000), 4096, 4, ) == 0x0
 00591   408   NtProtectVirtualMemory  (-1, (0x417114), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00592   408   NtProtectVirtualMemory  (-1, (0x417118), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00593   408   NtProtectVirtualMemory  (-1, (0x41711c), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00594   408   NtProtectVirtualMemory  (-1, (0x417120), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00595   408   NtProtectVirtualMemory  (-1, (0x417124), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00596   408   NtProtectVirtualMemory  (-1, (0x417128), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00597   408   NtProtectVirtualMemory  (-1, (0x41712c), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00598   408   NtProtectVirtualMemory  (-1, (0x417130), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00599   408   NtProtectVirtualMemory  (-1, (0x417134), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00600   408   NtProtectVirtualMemory  (-1, (0x417138), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00601   408   NtProtectVirtualMemory  (-1, (0x41713c), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00602   408   NtProtectVirtualMemory  (-1, (0x417140), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00603   408   NtProtectVirtualMemory  (-1, (0x417144), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00604   408   NtProtectVirtualMemory  (-1, (0x417148), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00605   408   NtProtectVirtualMemory  (-1, (0x41714c), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00606   408   NtProtectVirtualMemory  (-1, (0x417150), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00607   408   NtProtectVirtualMemory  (-1, (0x417154), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00608   408   NtProtectVirtualMemory  (-1, (0x417158), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00609   408   NtProtectVirtualMemory  (-1, (0x41715c), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00610   408   NtProtectVirtualMemory  (-1, (0x417160), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00611   408   NtProtectVirtualMemory  (-1, (0x417164), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00612   408   NtProtectVirtualMemory  (-1, (0x417168), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00613   408   NtProtectVirtualMemory  (-1, (0x41716c), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00614   408   NtProtectVirtualMemory  (-1, (0x417170), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00615   408   NtProtectVirtualMemory  (-1, (0x417174), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00616   408   NtProtectVirtualMemory  (-1, (0x417178), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00617   408   NtProtectVirtualMemory  (-1, (0x41717c), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00618   408   NtProtectVirtualMemory  (-1, (0x417180), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00619   408   NtProtectVirtualMemory  (-1, (0x417184), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00620   408   NtProtectVirtualMemory  (-1, (0x417188), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00621   408   NtProtectVirtualMemory  (-1, (0x41718c), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00622   408   NtProtectVirtualMemory  (-1, (0x417190), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00623   408   NtProtectVirtualMemory  (-1, (0x417194), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00624   408   NtProtectVirtualMemory  (-1, (0x417198), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00625   408   NtProtectVirtualMemory  (-1, (0x41719c), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00626   408   NtProtectVirtualMemory  (-1, (0x4171a0), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00627   408   NtProtectVirtualMemory  (-1, (0x4171a4), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00628   408   NtProtectVirtualMemory  (-1, (0x4171a8), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00629   408   NtProtectVirtualMemory  (-1, (0x4171ac), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00630   408   NtProtectVirtualMemory  (-1, (0x4171b0), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00631   408   NtProtectVirtualMemory  (-1, (0x4171b4), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00632   408   NtProtectVirtualMemory  (-1, (0x4171b8), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00633   408   NtProtectVirtualMemory  (-1, (0x4171bc), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00634   408   NtProtectVirtualMemory  (-1, (0x4171c0), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00635   408   NtProtectVirtualMemory  (-1, (0x4173dc), 20, 64, ... (0x417000), 4096, 64, ) == 0x0
 00636   408   NtProtectVirtualMemory  (-1, (0x4171f4), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00637   408   NtProtectVirtualMemory  (-1, (0x4171f8), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00638   408   NtProtectVirtualMemory  (-1, (0x4171fc), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00639   408   NtProtectVirtualMemory  (-1, (0x417200), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00640   408   NtProtectVirtualMemory  (-1, (0x417204), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00641   408   NtProtectVirtualMemory  (-1, (0x417208), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00642   408   NtProtectVirtualMemory  (-1, (0x41720c), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00643   408   NtProtectVirtualMemory  (-1, (0x417210), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00644   408   NtProtectVirtualMemory  (-1, (0x417214), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00645   408   NtProtectVirtualMemory  (-1, (0x417218), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00646   408   NtProtectVirtualMemory  (-1, (0x41721c), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00647   408   NtProtectVirtualMemory  (-1, (0x417220), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00648   408   NtProtectVirtualMemory  (-1, (0x417224), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00649   408   NtProtectVirtualMemory  (-1, (0x417228), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00650   408   NtProtectVirtualMemory  (-1, (0x41722c), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00651   408   NtProtectVirtualMemory  (-1, (0x417230), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00652   408   NtProtectVirtualMemory  (-1, (0x417234), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00653   408   NtProtectVirtualMemory  (-1, (0x417238), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00654   408   NtProtectVirtualMemory  (-1, (0x41723c), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00655   408   NtProtectVirtualMemory  (-1, (0x417240), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00656   408   NtProtectVirtualMemory  (-1, (0x417244), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00657   408   NtProtectVirtualMemory  (-1, (0x417248), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00658   408   NtProtectVirtualMemory  (-1, (0x41724c), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00659   408   NtProtectVirtualMemory  (-1, (0x417250), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00660   408   NtProtectVirtualMemory  (-1, (0x417254), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00661   408   NtProtectVirtualMemory  (-1, (0x417258), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00662   408   NtProtectVirtualMemory  (-1, (0x41725c), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00663   408   NtProtectVirtualMemory  (-1, (0x417260), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00664   408   NtProtectVirtualMemory  (-1, (0x417264), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00665   408   NtProtectVirtualMemory  (-1, (0x417268), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00666   408   NtProtectVirtualMemory  (-1, (0x4173f0), 20, 64, ... (0x417000), 4096, 64, ) == 0x0
 00667   408   NtProtectVirtualMemory  (-1, (0x417030), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00668   408   NtProtectVirtualMemory  (-1, (0x417034), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00669   408   NtProtectVirtualMemory  (-1, (0x417038), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00670   408   NtProtectVirtualMemory  (-1, (0x41703c), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00671   408   NtProtectVirtualMemory  (-1, (0x417040), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00672   408   NtProtectVirtualMemory  (-1, (0x417044), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00673   408   NtProtectVirtualMemory  (-1, (0x417048), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00674   408   NtProtectVirtualMemory  (-1, (0x41704c), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00675   408   NtProtectVirtualMemory  (-1, (0x417050), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00676   408   NtProtectVirtualMemory  (-1, (0x417054), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00677   408   NtProtectVirtualMemory  (-1, (0x417058), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00678   408   NtProtectVirtualMemory  (-1, (0x41705c), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00679   408   NtProtectVirtualMemory  (-1, (0x417060), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00680   408   NtProtectVirtualMemory  (-1, (0x417064), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00681   408   NtProtectVirtualMemory  (-1, (0x417068), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00682   408   NtProtectVirtualMemory  (-1, (0x41706c), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00683   408   NtProtectVirtualMemory  (-1, (0x417070), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00684   408   NtProtectVirtualMemory  (-1, (0x417074), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00685   408   NtProtectVirtualMemory  (-1, (0x417078), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00686   408   NtProtectVirtualMemory  (-1, (0x41707c), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00687   408   NtProtectVirtualMemory  (-1, (0x417080), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00688   408   NtProtectVirtualMemory  (-1, (0x417084), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00689   408   NtProtectVirtualMemory  (-1, (0x417088), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00690   408   NtProtectVirtualMemory  (-1, (0x41708c), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00691   408   NtProtectVirtualMemory  (-1, (0x417090), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00692   408   NtProtectVirtualMemory  (-1, (0x417094), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00693   408   NtProtectVirtualMemory  (-1, (0x417098), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00694   408   NtProtectVirtualMemory  (-1, (0x41709c), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00695   408   NtProtectVirtualMemory  (-1, (0x4170a0), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00696   408   NtProtectVirtualMemory  (-1, (0x4170a4), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00697   408   NtProtectVirtualMemory  (-1, (0x4170a8), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00698   408   NtProtectVirtualMemory  (-1, (0x4170ac), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00699   408   NtProtectVirtualMemory  (-1, (0x4170b0), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00700   408   NtProtectVirtualMemory  (-1, (0x4170b4), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00701   408   NtProtectVirtualMemory  (-1, (0x4170b8), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00702   408   NtProtectVirtualMemory  (-1, (0x4170bc), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00703   408   NtProtectVirtualMemory  (-1, (0x4170c0), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00704   408   NtProtectVirtualMemory  (-1, (0x4170c4), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00705   408   NtProtectVirtualMemory  (-1, (0x4170c8), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00706   408   NtProtectVirtualMemory  (-1, (0x4170cc), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00707   408   NtProtectVirtualMemory  (-1, (0x4170d0), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00708   408   NtProtectVirtualMemory  (-1, (0x4170d4), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00709   408   NtProtectVirtualMemory  (-1, (0x4170d8), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00710   408   NtProtectVirtualMemory  (-1, (0x4170dc), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00711   408   NtProtectVirtualMemory  (-1, (0x4170e0), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00712   408   NtProtectVirtualMemory  (-1, (0x4170e4), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00713   408   NtProtectVirtualMemory  (-1, (0x4170e8), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00714   408   NtProtectVirtualMemory  (-1, (0x4170ec), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00715   408   NtProtectVirtualMemory  (-1, (0x4170f0), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00716   408   NtProtectVirtualMemory  (-1, (0x4170f4), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00717   408   NtProtectVirtualMemory  (-1, (0x4170f8), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00718   408   NtProtectVirtualMemory  (-1, (0x4170fc), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00719   408   NtProtectVirtualMemory  (-1, (0x417100), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00720   408   NtProtectVirtualMemory  (-1, (0x417104), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00721   408   NtProtectVirtualMemory  (-1, (0x417108), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00722   408   NtProtectVirtualMemory  (-1, (0x41710c), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00723   408   NtProtectVirtualMemory  (-1, (0x417404), 20, 64, ... (0x417000), 4096, 64, ) == 0x0
 00724   408   NtProtectVirtualMemory  (-1, (0x4171d8), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00725   408   NtProtectVirtualMemory  (-1, (0x4171dc), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00726   408   NtProtectVirtualMemory  (-1, (0x4171e0), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00727   408   NtProtectVirtualMemory  (-1, (0x4171e4), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00728   408   NtProtectVirtualMemory  (-1, (0x4171e8), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00729   408   NtProtectVirtualMemory  (-1, (0x4171ec), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00730   408   NtProtectVirtualMemory  (-1, (0x417418), 20, 64, ... (0x417000), 4096, 64, ) == 0x0
 00731   408   NtProtectVirtualMemory  (-1, (0x417000), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00732   408   NtProtectVirtualMemory  (-1, (0x417004), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00733   408   NtProtectVirtualMemory  (-1, (0x417008), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00734   408   NtProtectVirtualMemory  (-1, (0x41700c), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00735   408   NtProtectVirtualMemory  (-1, (0x417010), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00736   408   NtProtectVirtualMemory  (-1, (0x417014), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00737   408   NtProtectVirtualMemory  (-1, (0x417018), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00738   408   NtProtectVirtualMemory  (-1, (0x41701c), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00739   408   NtProtectVirtualMemory  (-1, (0x417020), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00740   408   NtProtectVirtualMemory  (-1, (0x417024), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00741   408   NtProtectVirtualMemory  (-1, (0x417028), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00742   408   NtProtectVirtualMemory  (-1, (0x41742c), 20, 64, ... (0x417000), 4096, 64, ) == 0x0
 00743   408   NtProtectVirtualMemory  (-1, (0x4171d0), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00744   408   NtProtectVirtualMemory  (-1, (0x417440), 20, 64, ... (0x417000), 4096, 64, ) == 0x0
 00745   408   NtProtectVirtualMemory  (-1, (0x4171c8), 4, 64, ... (0x417000), 4096, 64, ) == 0x0
 00746   408   NtFreeVirtualMemory  (-1, (0x880000), 0, 32768, ... (0x880000), 4096, ) == 0x0
 00747   408   NtFreeVirtualMemory  (-1, (0x8b0000), 0, 32768, ... (0x8b0000), 4096, ) == 0x0
 00748   408   NtFreeVirtualMemory  (-1, (0x8a0000), 0, 32768, ... (0x8a0000), 4096, ) == 0x0
 00749   408   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00750   408   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00751   408   NtDelayExecution  (0, {-10000000, -1}, ... ) == 0x0
 00752   408   NtCreateMutant  (0x1f0001, {24, 52, 0x80, 0, 0,  (0x1f0001, {24, 52, 0x80, 0, 0, "e3f44ac0094cfa2ba3b711b29a822b0ed8bc"}, 0, ... 64, ) }, 0, ... 64, ) == 0x0
 00753   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "netapi32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00754   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\netapi32.dll"}, 1238196, ... ) }, 1238196, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00755   408   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "netapi32.dll"}, 1238196, ... ) }, 1238196, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00756   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\netapi32.dll"}, 1238196, ... ) }, 1238196, ... ) == 0x0
 00757   408   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\netapi32.dll"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00758   408   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 68, ... 72, ) == 0x0
 00759   408   NtQuerySection  (72, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00760   408   NtClose  (68, ... ) == 0x0
 00761   408   NtMapViewOfSection  (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c20000), 0x0, 323584, ) == 0x0
 00762   408   NtClose  (72, ... ) == 0x0
 00763   408   NtAllocateVirtualMemory  (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0
 00764   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "mpr.dll"}, ... 72, ) }, ... 72, ) == 0x0
 00765   408   NtMapViewOfSection  (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71b20000), 0x0, 69632, ) == 0x0
 00766   408   NtClose  (72, ... ) == 0x0
 00767   408   NtCreateSemaphore  (0x1f0003, 0x0, 1, 1, ... 72, ) == 0x0
 00768   408   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 68, ) == 0x0
 00769   408   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "system\CurrentControlSet\control\NetworkProvider\HwOrder"}, ... 76, ) }, ... 76, ) == 0x0
 00770   408   NtNotifyChangeKey  (76, 68, 0, 0, 2011390432, 4, 0, 0, 0, 1, ... ) == 0x103
 00771   408   NtQueryInformationProcess  (-1, 28, 4, ... {process info, class 28, size 4}, 0x0, ) == 0x0
 00772   408   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 80, ) == 0x0
 00773   408   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 84, ) == 0x0
 00774   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "pstorec.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00775   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\pstorec.dll"}, 1238196, ... ) }, 1238196, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00776   408   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "pstorec.dll"}, 1238196, ... ) }, 1238196, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00777   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\pstorec.dll"}, 1238196, ... ) }, 1238196, ... ) == 0x0
 00778   408   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\pstorec.dll"}, 5, 96, ... 88, {status=0x0, info=1}, ) }, 5, 96, ... 88, {status=0x0, info=1}, ) == 0x0
 00779   408   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 88, ... 92, ) == 0x0
 00780   408   NtQuerySection  (92, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00781   408   NtClose  (88, ... ) == 0x0
 00782   408   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5e0c0000), 0x0, 49152, ) == 0x0
 00783   408   NtClose  (92, ... ) == 0x0
 00784   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ATL.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00785   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\ATL.DLL"}, 1237392, ... ) }, 1237392, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00786   408   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "ATL.DLL"}, 1237392, ... ) }, 1237392, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00787   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ATL.DLL"}, 1237392, ... ) }, 1237392, ... ) == 0x0
 00788   408   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ATL.DLL"}, 5, 96, ... 92, {status=0x0, info=1}, ) }, 5, 96, ... 92, {status=0x0, info=1}, ) == 0x0
 00789   408   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 92, ... 88, ) == 0x0
 00790   408   NtQuerySection  (88, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00791   408   NtClose  (92, ... ) == 0x0
 00792   408   NtMapViewOfSection  (88, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76b20000), 0x0, 86016, ) == 0x0
 00793   408   NtClose  (88, ... ) == 0x0
 00794   408   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00795   408   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 9043968, 262144, ) == 0x0
 00796   408   NtAllocateVirtualMemory  (-1, 9043968, 0, 4096, 4096, 4, ... 9043968, 4096, ) == 0x0
 00797   408   NtAllocateVirtualMemory  (-1, 9048064, 0, 8192, 4096, 4, ... 9048064, 8192, ) == 0x0
 00798   408   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00799   408   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00800   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "wininet.dll"}, ... 88, ) }, ... 88, ) == 0x0
 00801   408   NtMapViewOfSection  (88, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76200000), 0x0, 618496, ) == 0x0
 00802   408   NtClose  (88, ... ) == 0x0
 00803   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "CRYPT32.dll"}, ... 88, ) }, ... 88, ) == 0x0
 00804   408   NtMapViewOfSection  (88, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762c0000), 0x0, 565248, ) == 0x0
 00805   408   NtClose  (88, ... ) == 0x0
 00806   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSASN1.dll"}, ... 88, ) }, ... 88, ) == 0x0
 00807   408   NtMapViewOfSection  (88, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762a0000), 0x0, 61440, ) == 0x0
 00808   408   NtClose  (88, ... ) == 0x0
 00809   408   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\crypt32\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00810   408   NtAllocateVirtualMemory  (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0
 00811   408   NtAllocateVirtualMemory  (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0
 00812   408   NtAllocateVirtualMemory  (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0
 00813   408   NtCreateEvent  (0x1f0003, {24, 52, 0x80, 1238328, 0,  (0x1f0003, {24, 52, 0x80, 1238328, 0, "Global\crypt32LogoffEvent"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED
 00814   408   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\crypt32LogoffEvent"}, ... 88, ) }, ... 88, ) == 0x0
 00815   408   NtAllocateVirtualMemory  (-1, 1347584, 0, 4096, 4096, 4, ... 1347584, 4096, ) == 0x0
 00816   408   NtAllocateVirtualMemory  (-1, 1351680, 0, 8192, 4096, 4, ... 1351680, 8192, ) == 0x0
 00817   408   NtCreateKey  (0xf003f, {24, 60, 0x40, 0, 0,  (0xf003f, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History"}, 0, 0x0, 0, ... 92, 2, ) }, 0, 0x0, 0, ... 92, 2, ) == 0x0
 00818   408   NtQueryDefaultUILanguage  (1236564, ...
 00819   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00820   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482068, ) == 0x0
 00821   408   NtQueryInformationToken  (-2147482068, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00822   408   NtClose  (-2147482068, ... ) == 0x0
 00823   408   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482068, ) }, ... -2147482068, ) == 0x0
 00824   408   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00825   408   NtOpenKey  (0x80000000, {24, -2147482068, 0x640, 0, 0,  (0x80000000, {24, -2147482068, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482072, ) }, ... -2147482072, ) == 0x0
 00826   408   NtQueryValueKey  (-2147482072,  (-2147482072, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00827   408   NtClose  (-2147482072, ... ) == 0x0
 00828   408   NtClose  (-2147482068, ... ) == 0x0
 00818   408   NtQueryDefaultUILanguage  ... ) == 0x0
 00829   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00830   408   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll"}, 1, 96, ... 96, {status=0x0, info=1}, ) }, 1, 96, ... 96, {status=0x0, info=1}, ) == 0x0
 00831   408   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 96, ... 100, ) == 0x0
 00832   408   NtMapViewOfSection  (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x8e0000), 0x0, 593920, ) == 0x0
 00833   408   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00834   408   NtAllocateVirtualMemory  (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0
 00835   408   NtQueryDefaultLocale  (1, 1234600, ... ) == 0x0
 00836   408   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00837   408   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1235456, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1235456, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\335\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1`\0\0\0\377\377\377\377\0\0\0\0P\275\225\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\0\341\22\0\0\0\0\0" ... {128, 156, reply, 0, 404, 408, 1504, 0} " S\26\0\33\0\1\0\0\0\0\0\1\335\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1`\0\0\0\377\377\377\377\0\0\0\0P\275\225\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\0\341\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 404, 408, 1504, 0}  (24, {128, 156, new_msg, 0, 1235456, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\335\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1`\0\0\0\377\377\377\377\0\0\0\0P\275\225\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\0\341\22\0\0\0\0\0" ... {128, 156, reply, 0, 404, 408, 1504, 0} " S\26\0\33\0\1\0\0\0\0\0\1\335\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1`\0\0\0\377\377\377\377\0\0\0\0P\275\225\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\0\341\22\0\0\0\0\0" )  ) == 0x0
 00838   408   NtClose  (96, ... ) == 0x0
 00839   408   NtClose  (100, ... ) == 0x0
 00840   408   NtUnmapViewOfSection  (-1, 0x8e0000, ... ) == 0x0
 00841   408   NtUnmapViewOfSection  (-1, 0x12e100, ... ) == STATUS_NOT_MAPPED_VIEW
 00842   408   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00843   408   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00844   408   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00845   408   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00846   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1233140, ... ) }, 1233140, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00847   408   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00848   408   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00849   408   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00850   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1233732, ... ) }, 1233732, ... ) == 0x0
 00851   408   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 100, {status=0x0, info=1}, ) }, 3, 33, ... 100, {status=0x0, info=1}, ) == 0x0
 00852   408   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00853   408   NtCreateKey  (0x2001f, {24, 60, 0x40, 0, 0,  (0x2001f, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 96, 2, ) }, 0, 0x0, 0, ... 96, 2, ) == 0x0
 00854   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "psapi.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00855   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\psapi.dll"}, 1238216, ... ) }, 1238216, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00856   408   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "psapi.dll"}, 1238216, ... ) }, 1238216, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00857   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\psapi.dll"}, 1238216, ... ) }, 1238216, ... ) == 0x0
 00858   408   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\psapi.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0
 00859   408   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 104, ... 108, ) == 0x0
 00860   408   NtQuerySection  (108, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00861   408   NtClose  (104, ... ) == 0x0
 00862   408   NtMapViewOfSection  (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76bf0000), 0x0, 45056, ) == 0x0
 00863   408   NtClose  (108, ... ) == 0x0
 00864   408   NtAllocateVirtualMemory  (-1, 8798208, 0, 8192, 4096, 4, ... 8798208, 8192, ) == 0x0
 00865   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00866   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 108, ) == 0x0
 00867   408   NtQueryInformationToken  (108, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00868   408   NtClose  (108, ... ) == 0x0
 00869   408   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 108, ) }, ... 108, ) == 0x0
 00870   408   NtOpenKey  (0x20019, {24, 108, 0x40, 0, 0,  (0x20019, {24, 108, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Providers\Type 001"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00871   408   NtClose  (108, ... ) == 0x0
 00872   408   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 001"}, ... 108, ) }, ... 108, ) == 0x0
 00873   408   NtQueryValueKey  (108,  (108, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 00874   408   NtQueryValueKey  (108,  (108, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 00875   408   NtQueryValueKey  (108,  (108, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 00876   408   NtQueryValueKey  (108,  (108, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 00877   408   NtClose  (108, ... ) == 0x0
 00878   408   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider"}, ... 108, ) }, ... 108, ) == 0x0
 00879   408   NtQueryValueKey  (108,  (108, "Type", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "Type", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00880   408   NtQueryValueKey  (108,  (108, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 00881   408   NtQueryValueKey  (108,  (108, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 00882   408   NtQueryValueKey  (108,  (108, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 00883   408   NtQueryValueKey  (108,  (108, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 00884   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1237776, ... ) }, 1237776, ... ) == 0x0
 00885   408   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0
 00886   408   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 104, ... 112, ) == 0x0
 00887   408   NtClose  (104, ... ) == 0x0
 00888   408   NtMapViewOfSection  (112, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x8e0000), 0x0, 135168, ) == 0x0
 00889   408   NtClose  (112, ... ) == 0x0
 00890   408   NtUnmapViewOfSection  (-1, 0x8e0000, ... ) == 0x0
 00891   408   NtQuerySystemInformation  (KernelDebugger, 2, ... {system info, class 35, size 2}, 0xffffffff, ) == 0x0
 00892   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1238664, ... ) }, 1238664, ... ) == 0x0
 00893   408   NtQueryFullAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1239332, ... ) }, 1239332, ... ) == 0x0
 00894   408   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1239188,  (0x80100080, {24, 0, 0x40, 0, 1239188, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 0x0, 128, 1, 1, 96, 0, 0, ... 112, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 112, {status=0x0, info=1}, ) == 0x0
 00895   408   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 112, ... 104, ) == 0x0
 00896   408   NtMapViewOfSection  (104, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x8e0000), {0, 0}, 135168, ) == 0x0
 00897   408   NtQueryDefaultLocale  (1, 1238996, ... ) == 0x0
 00898   408   NtQueryVirtualMemory  (-1, 0x8e0000, Basic, 28, ... {BaseAddress=0x8e0000,AllocationBase=0x8e0000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00899   408   NtQueryVirtualMemory  (-1, 0x8e0000, Basic, 28, ... {BaseAddress=0x8e0000,AllocationBase=0x8e0000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00900   408   NtReadFile  (112, 0, 0, 0, 336, 0x0, 0, ... {status=0x0, info=336},  (112, 0, 0, 0, 336, 0x0, 0, ... {status=0x0, info=336}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\370\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\264\336V\215\360\2778\336\360\2778\336\360\2778\336\275\234$\336\377\2778\3369\235\22\336\365\2778\336\360\2779\336q\2778\336\12\234!\336\371\2778\336\360\2778\336\362\2778\336\12\234x\336\363\2778\336\12\234\7\336\361\2778\336g\234}\336\361\2778\336*\234%\336\361\2778\336*\234$\336\376\2778\336\12\234\5\336\361\2778\336Rich\360\2778\336\0\0\0\0\0\0\0\0PE\0\0L\1\4\0.FQ;\0\0\0\0\0\0\0\0\340\0\16!\13\1\7\0\0\300\1\0\0@\0\0\0\0\0\0\340\367\0\0\0\20\0\0\0\320\1\0\0\0\375\17\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0 \2\0\0\4\0\0", ) , ) == 0x0
 00901   408   NtQueryInformationFile  (112, 1239240, 8, Position, ... {status=0x0, info=8}, ) == 0x0
 00902   408   NtSetInformationFile  (112, 1239240, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00903   408   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\3\0\0\0\0\0\4\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0`\314\1\0\273\2\0\0\304\301\1\0d\0\0\0\0\0\2\08\14\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\2\0\0\12\0\0\360\21\0\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0\354\1\0\0\274\277\1\0\340\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\33\277\1\0\0\20\0\0\0\300\1\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0`.data\0\0\0(%\0\0\0\320\1\0\0$\0\0\0\304\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0\300.rsrc\0\0\08\14\0\0\0\0\2\0\0\16\0\0\0\350\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0@.reloc\0\0R\13\0\0\0\20\2\0\0\14\0\0\0\366\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0B\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 00904   408   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "*\305\357\357\345O\252\252\26\355\373\373\305\206CC\327\232MMUf33\224\21\205\205\317\212EE\20\351\371\371\6\4\2\2\201\376\177\177\360\240PPDx<<\272%\237\237\343K\250\250\363\242QQ\376]\243\243\300\200@@\212\5\217\217\255?\222\222\274!\235\235Hp88\4\361\365\365\337c\274\274\301w\266\266u\257\332\332cB!!0 \20\20\32\345\377\377\16\375\363\363m\277\322\322L\201\315\315\24\30\14\145&\23\23/\303\354\354\341\276__\2425\227\227\314\210DD9.\27\27W\223\304\304\362U\247\247\202\374~~Gz==\254\310dd\347\272]]+2\31\31\225\346ss\240\300``\230\31\201\201\321\236OO\177\243\334\334fD""~T**\253;\220\220\203\13\210\210\312\214FF)\307\356\356\323k\270\270<(\24\24y\247\336\336\342\274^^\35\26\13\13v\255\333\333;\333\340\340Vd22Nt::\36\24\12\12\333\222II\12\14\6\6lH$$\344\270\\]\237\302\302n\275\323\323\357C\254\254\246\304bb\2509\221\221\2441\225\2257\323\344\344\213\362yy2\325\347\347C\213\310\310Yn77\267\332mm\214\1\215\215d\261\325\325\322\234NN\340I\251\251\264\330ll\372\254VV\7\363\364\364%\317\352\352\257\312ee\216\364zz\351G\256\256\30\20\10\10\325o\272\272\210\360xxoJ%%r\..$8\34\34\361W\246\246\307s\264\264Q\227\306\306#\313\350\350|\241\335\335\234\350tt!>\37\37\335\226KK\334a\275\275\206\15\213\213\205\17\212\212\220\340ppB|>>\304q\265\265\252\314ff\330\220HH\5\6\3\3\1\367\366\366\22\34\16\16\243\302aa_j55\371\256WW\320i\271\271\221\27\206\206X\231\301\301", )  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "*\305\357\357\345O\252\252\26\355\373\373\305\206CC\327\232MMUf33\224\21\205\205\317\212EE\20\351\371\371\6\4\2\2\201\376\177\177\360\240PPDx<<\272%\237\237\343K\250\250\363\242QQ\376]\243\243\300\200@@\212\5\217\217\255?\222\222\274!\235\235Hp88\4\361\365\365\337c\274\274\301w\266\266u\257\332\332cB!!0 \20\20\32\345\377\377\16\375\363\363m\277\322\322L\201\315\315\24\30\14\145&\23\23/\303\354\354\341\276__\2425\227\227\314\210DD9.\27\27W\223\304\304\362U\247\247\202\374~~Gz==\254\310dd\347\272]]+2\31\31\225\346ss\240\300``\230\31\201\201\321\236OO\177\243\334\334fD""~T**\253;\220\220\203\13\210\210\312\214FF)\307\356\356\323k\270\270<(\24\24y\247\336\336\342\274^^\35\26\13\13v\255\333\333;\333\340\340Vd22Nt::\36\24\12\12\333\222II\12\14\6\6lH$$\344\270\\]\237\302\302n\275\323\323\357C\254\254\246\304bb\2509\221\221\2441\225\2257\323\344\344\213\362yy2\325\347\347C\213\310\310Yn77\267\332mm\214\1\215\215d\261\325\325\322\234NN\340I\251\251\264\330ll\372\254VV\7\363\364\364%\317\352\352\257\312ee\216\364zz\351G\256\256\30\20\10\10\325o\272\272\210\360xxoJ%%r\..$8\34\34\361W\246\246\307s\264\264Q\227\306\306#\313\350\350|\241\335\335\234\350tt!>\37\37\335\226KK\334a\275\275\206\15\213\213\205\17\212\212\220\340ppB|>>\304q\265\265\252\314ff\330\220HH\5\6\3\3\1\367\366\366\22\34\16\16\243\302aa_j55\371\256WW\320i\271\271\221\27\206\206X\231\301\301", ) , ) == 0x0
 00905   408   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) \340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227 (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) G\351d\304\250\374\214\32\240\360?\330V},\357 (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) , ) == 0x0
 00906   408   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "p\3252\266m\307)\241f\311 \254W\343\37\217\\355\26\202A\377\15\225J\361\4\230#\253s\323(\245z\3365\267a\311>\271h\304\17\223W\347\4\235^\352\31\217E\375\22\201L\360\313;\253k\3005\242f\335'\271q\326)\260|\347\3\217_\354\15\206R\361\37\235E\372\21\224H\223K\343\3\230E\352\16\205W\361\31\216Y\370\24\277s\3077\264}\316:\251o\325-\242a\334 \366\255vm\375\243\177`\340\261dw\353\277mz\332\225RY\321\233[T\314\211@C\307\207IN\256\335>\5\245\3237\10\270\301,\37\263\317%\22\202\345\321\211\353\23<\224\371\10+\237\367\1&FM\346\275MC\357\260PQ\364\247[_\375\252ju\302\211a{\313\204|i\320\223wg\331\236\36=\256\325\253\247\330\10!\274\317\3/\265\3022\5\212\3419\13\203\354$\31\230\373/\27\221\366\215vM\326\206xD\333\233j_\314\220dV\301\241Ni\342\252@`\357\267R{\370\274\r\365\325\6\5\276\336\10\14\263\303\32\27\244\310\24\36\251\371>!\212\3620(\207\357"3\220\344,:\235=\226\335\66\230\324\13+\212\317\34 \204\306\21\21\256\3712\32\240\360?\7\262\353(\14\274\342%e\346\225nn\350\234cs\372\207tx\364\216yI\336\261ZB\320\270W_\302\243@T\314\252M\367A\354\332\374O\345\327\341]\376\300\352S\367\315\333y\310\356\320w\301\343\315e\332\364\306k\323\371\2571\244\262\244?\255\277\271-\266\250\262#\277\245\203\11\200\206\210\7\211\213\225\25\222\234\236\33\233\221G\241|\12L\257u\7Q\275n\20Z\263g\35k\231X>`\227Q3}\205J$v\213C)\37\3214b\24\337=o\11\315&x\2\303/u3\351\20V8\347\31[", ) 3\220\344,:\235=\226\335\66\230\324\13+\212\317\34 \204\306\21\21\256\3712\32\240\360?\7\262\353(\14\274\342%e\346\225nn\350\234cs\372\207tx\364\216yI\336\261ZB\320\270W_\302\243@T\314\252M\367A\354\332\374O\345\327\341]\376\300\352S\367\315\333y\310\356\320w\301\343\315e\332\364\306k\323\371\2571\244\262\244?\255\277\271-\266\250\262#\277\245\203\11\200\206\210\7\211\213\225\25\222\234\236\33\233\221G\241|\12L\257u\7Q\275n\20Z\263g\35k\231X>`\227Q3}\205J$v\213C)\37\3214b\24\337=o\11\315&x\2\303/u3\351\20V8\347\31[", ) == 0x0
 00907   408   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\200\20\0\0\200\0\0\20\0\20@\20\0\0\0\0\200\0@\20\0\20\0\0\200\20@\0\0\20@\20\0\0\0\0\0\20\0\20\200\0@\20\0\20@\0\200\0\0\20\200\20\0\0\0\0@\0\0\0\0\20\0\20\0\20\200\0@\20\200\20\0\0\200\20@\20\0\0@\0\0\0@\0\0\20\0\20\200\0\0\20\200\20@\20\0\20\0\0\200\20@\0\200\0@\20\200\20\0\20\200\20@\20\0\20\0\20\0\0@\0\0\0\0\0\0\0@\20\200\0\0\0\0\20\0\20\0\20@\0\200\0\0\0\0\0@\20\200\20\0\20\200\0@\0\200\20@\0\200\0\0\0\0\0\0\20\0\0@\20\0\0\0\20\200\20@\0\200\20\0\0\0\20@\20\0\20@\0\0\20\0\20\200\0\0\0\200\0@\20\200\0@\20\0\0\0\0\0\20@\0\200\20\0\1\0\0\4\0\1\4\4\0\1\0\0\1\1\0\4\1\0\4\0\0\0\0\4\1\1\0\4\0\1\4\0\0\1\0\4\0\0\4\0\0\0\4\4\1\0\0\0\1\1\4\4\1\1\0\0\1\0\0\0\1\0\4\4\0\0\0\0\1\0\4\0\0\1\4\4\0\1\0\0\1\1\0\0\1\1\4\4\0\0\4\0\1\0\0\4\1\0\4\4\0\1\0\4\1\1\4\0\0\0\4\4\0\1\4\0\0\0\0\0\0\0\0\4\1\1\4\0\0\1\4\4\0\1\0\0\1\0\0\0\0\0\4\0\1\1\0\0\1\0\4\0\0\0\4\4\1\1\0\4\0\0\0\0\0\1\4\4\0\1\4\0\1\0\4\4\1\0\4\0\0\0\0\4\1\1\4\4\1\0\0\0\1\1\4\0\1\0\0\4\0\0\0\4\1\1\4\4\0\0\4\0\0\1\0\4\1\1\0\4\0\1\4\0\0\1\0\4\0\0\0\0\1\0\4\4\1\1\0\0\1\0\0\4\1\1\4\0\0\1\0\0\0\0\4\4\10\20@\0\0\20\0\20\10\0\0\0\10\20@\20", ) , ) == 0x0
 00908   408   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "%\00\02\0h\0x\0%\00\02\0h\0x\0\0\0\0\0%\0l\0u\0\0\0S\0-\0%\0l\0u\0-\0\0\0\0\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0C\0r\0y\0p\0t\0o\0\\0R\0S\0A\0\\0\0\0\0\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0C\0r\0y\0p\0t\0o\0\\0D\0S\0S\0\\0\0\0\0\0SeRestorePrivilege\0\0SeBackupPrivilege\0\0\0.DEFAULT\0\0\0\0Software\Microsoft\Cryptography\UserKeys\0\0\0\0Software\Microsoft\Cryptography\MachineKeys\0Software\Microsoft\Cryptography\DSSUserKeys\0*\0\0\0SeSecurityPrivilege\0OffloadModExpo\0\0ExpoOffload\0Software\Microsoft\Cryptography\Offload\0\377\377\377\377\337\261\376\17\343\261\376\17\0\0\0\0\377\377\377\377g\262\376\17k\262\376\17crypt32.dll\0#666\0\0\0\0#667\0\0\0\0RPCRT4.dll\0\377\0\0\0\0PSTOREC.", ) , ) == 0x0
 00909   408   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "V\350\216\376\377\377\205\300u\13Sj\1\377u\30\350o\205\0\0\213\3703\300\205\377\17\224\300\213\360\205\366u\36\205\333t\23\213C\14\205\300t\6P\350\367\20\1\0S\350\361\20\1\0W\377\25\230\21\375\17_\213\306^[]\302\24\09U\20\17\204L\1\0\0\215E\24Pj\2Q\377u\20\350\334\204\0\0\205\300\17\205*\1\0\0\213E\24\201x\4\6L\0\0\17\205%\1\0\0\213H\30\203\271`\3\0\0\0tQ\203x\140uK\2708\2\0\0P\211C\10\350a\20\1\0\213\370\205\377\211{\14u\10j\10_\351k\377\377\377\213K\10\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213{\14\213E\24\213p\20j\14\201\307\10\2\0\0Y\363\245\3512\377\377\377\277\13\0\11\200\3515\377\377\377\213u\20;\362\17\204\263\0\0\0\215E\24Pj\2QV\350E\204\0\0\205\300\17\205\223\0\0\0\211s\20\351\0\377\377\377j$^V\350\351\17\1\0\205\300\211C\14t\212\211s\10\351\350\376\377\377\213}\20;\372tw\215E\24Pj\2QW\350\11\204\0\0\205\300u[\213E\24\203x`\1u]\203x\30\0u\16P\350\\26\0\0\205\300\17\205\276\376\377\377j(^V\350\234\17\1\0\205\300\17\204<\377\377\377\211C\14\211s\10\211{\20\203 \0\203`$\0\351\215\376\377\3779U\20t\36\215E\24Pj\2Q\377u\20\350\256\203\0\0\205\300t\25= \0\11\200\17\205u\376\377\377\277\3\0\11\200\351m\376\377\377\213M\24\213A\4=\1L\0\0t\15=\4L\0\0t\6\203y\140w\334\2708\4\0\0P\211C\10\350*\17\1\0\213\370\205\377\211{\14\17\204\305\376\377\377\213K\10\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213M", ) , ) == 0x0
 00910   408   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\205\300uC\353D\203x\14\20\3539\203x\14\30\35339t$\20u/\213@\14V\301\340\3P\213D$\20\213\200\200\1\0\0h\2f\0\0\3774\205(\362\376\17\350\6@\1\0\205\300t\13\353\6\203x\14\10u\33\366F\213\306^\302\14\0U\213\354\203\354\14\213M\10\213Q\10VW\215z\7\215B\17\301\357\3j\10\203\347\7\301\350\4Z+\327\203\372\10\215t\300\14\211u\364\211U\370t\6\203\302\10\211U\370\321\352\211U\374\213U\14\205\322\17\204\12\1\0\0\213}\2097s\73\300\351\377\0\0\0\2131\2112\213q\10\211r\4\213q\20\211r\10\215q\24\213J\4\301\351\3\211u\10S\213\331\301\351\2\215z\14\211}\14\363\245\213\313\203\341\3\363\244\213J\4\301\351\3\1M\14\213u\370\3\361\1u\10\213u\10\213}\14\1E\14\213\310\213\331\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213J\4\213U\10\213u\374\3\362\213U\14\301\351\3\3\360\215<\2\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213u\364[3\300@\213M\20_\2111^\311\302\14\0U\213\354\203\354\20\213U\10\201:RSA2t\73\300\351\35\2\0\0\213B\4SVW\215H\7\301\351\3j\10\203\341\7^+\361\203\376\10\211u\370t\6\203\306\10\211u\370\213\316\215X\17\301\350\3\321\351\215", ) , ) == 0x0
 00911   408   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "W\3509e\0\0\205\300j\4[t9\215E\34Pj\3VW\350%e\0\0\205\300t(\215E\34PSVW\350\25e\0\0\205\300t\30= \0\11\200u\12\271\3\0\11\200\351\34\3\0\0\213\310\351\25\3\0\0\213E\30\205\300u\10jWY\351\6\3\0\0\213M\20j\6Z;\312\17\2079\1\0\0\17\204\25\1\0\0I\17\204\342\0\0\0ItgItFIt%I\17\2058\1\0\0\213M\24\205\311\17\204\304\2\0\09\30\17\202\274\2\0\0\213U\34\213Rd\351\250\2\0\0\213M\24\205\311\17\204\246\2\0\09\30\17\202\236\2\0\0\213U\34\213R`\351\212\2\0\0\213M\24\205\311\17\204\210\2\0\09\30\17\202\200\2\0\0\307\1\1\0\0\0\351n\2\0\0\213U\34\213J\4\201\371\2f\0\0t.\201\371\1h\0\0t&\201\371\1f\0\0t\24\201\371\3f\0\0t\14\201\371\11f\0\0\17\205)\377\377\377\203 \03\311\351E\2\0\0\213}\24\205\377t\37\213J@9\10r\30\213\331\301\351\2\215rD\363\245\213\313\203\341\3\363\244\213J@\211\10\353\323\213J@\367\337\33\377\201\347\352\0\0\0\211\10\213\317\351\11\2\0\0\213}\24\205\377\213U\34t\35\213Jx9\10r\26\213\331\301\351\2\215r\34\363\245\213\313\203\341\3\363\244\213Jx\353\277\213Jx\353\301\213M\24\205\311\17\204\306\1\0\09\30\17\202\276\1\0\0\213U\34\213Rh\351\252\1\0\0\203\351\7\17\204\220\1\0\0I\17\204\376\0\0\0I\17\204\217\0\0\0\203\351\12t\12\271\12\0\11\200\351\231\1\0\0\213}\34\213O\4\201\371\2f\0\0\276\1f\0\0t\30;\316t\24\201\371\3f\0\0t\14\201\371\11f\0\0\17\205H\376\377\377\213M\24\205\311\17\204", ) , ) == 0x0
 00912   408   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\215M\374Qj\2\377u\10\377p\20\350.U\0\0\205\300\17\205\237\2\0\0\213E\374\213@x\351\320\3\0\0Q\350\315\376\377\377\351\305\3\0\0\276\10\0\11\200\351\317\3\0\0\213E\34\213P\4\213\312\201\351\5\200\0\0\17\204U\2\0\0\203\351\3\17\204\14\2\0\0It)IS\377u\24\377p\14t\30\377p\24R\350Q\375\377\377;\307\17\204\204\3\0\0\213\360\351\215\3\0\0\3504{\0\0\353\352\366@\34\2\17\205\275\1\0\0\215M\10Q\215M\324Q\377p\14\307E\10\24\0\0\0\377p\24\377p\30\350\24\375\377\377;\307u\307\215E\374P\213E\34j\2V\377p\20\350\200T\0\0;\307\17\205\361\1\0\0\213E\374\213@\14j@_;\307v\177\215E\354P\215E\360P\213E\34\377p\30\350\255\315\377\377\205\300u\211\213E\374\377p\14\377p\20\213E\34\377u\360\377p\30\350\11\321\377\377\205\300\17\205j\377\377\377W\350\354\337\0\0\205\300\211E\370t[\215M\30QP\377u\360\213E\34j\0\377p\30\211}\30\350\216\374\377\377\205\300\17\205=\377\377\3773\311\213U\34\213R(\213E\370\212\24\12\3\3010\20A;\317r\353\211}\30\353a\213M\34\213I,;\301\211M\30r\3\211E\30\377u\30\350\221\337\0\0\205\300\211E\370u\10j\10^\351\216\2\0\0\213E\34\213H,\213p(\213}\370\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213M\3743\3009A\14v\26\213I\20\213U\370\212\14\1\3\3200\12\213M\374@;A\14r\352\215E\350P\215E\364P\213E\34\377p\30\350\315\314\377\377\205\300\17\205\245\376\377\377\377u\30\213E\34\377u\370\377u\364\377p\30\350(\320\377\377\205\300\17\205\211\376\377\377\377u\10\215E\324P\377u", ) , ) == 0x0
 00913   408   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\300u\36\203}`\5u\34\366Ex\20u\26\205\333u\22\3776\377ul\350\352\371\377\377\205\300t\4\213\360\353\23\3663\300\205\366\17\224\3003\3339]D\213\370t 9]Tt\13\377uT\377ul\350\271\312\377\3779]Xt\13\377uX\377ul\350\251\312\377\377;\373u\249]\t\10\377u\\350Q\316\377\377V\377\25\230\21\375\17\213\307_^[\203\305d\311\302\24\0V\213t$\20V\377t$\20\350\304\363\377\377\205\300u%\213\6\203@@\10\213\6\213L$\10\213P@W\2139\211|\2<\213I\4\211L\2@\3776\350\371\326\377\377_^\302\14\0U\213\354\201\354\200\0\0\0SVW3\300\213u\14\211E\374\211E\360\211E\370\211E\364j\14Y\215}\264\363\253\2523\300j\14Y\215}\200\363\253\2523\300\215}\350\253\253\213F\4\277\1h\0\0;\307\272\16f\0\0\273\17f\0\0t/=\2f\0\0t(=\1f\0\0t!=\3f\0\0t\32=\11f\0\0t\23;\302t\17;\303t\13=\20f\0\0\17\205\327\2\0\0\213M\20\213I\4;\317t8\201\371\2f\0\0t0\201\371\1f\0\0t(\201\371\3f\0\0t \201\371\11f\0\0t\30;\312\17\204\254\2\0\0;\313t\14\201\371\20f\0\0\17\205\225\2\0\0;\312\17\204\224\2\0\0;\313\17\204\214\2\0\0\201\371\20f\0\0\17\204\200\2\0\0;\302\17\204x\2\0\0;\303\17\204p\2\0\0=\20f\0\0\17\204e\2\0\0\213]\10j\0VS\350\301\315\377\377\205\300\17\204J\2\0\0j\0\377u\20S\350\256\315\377\377\205\300\17\2047\2\0\0\213E\20\203x\30\0u\16P\350\310\325\377\377\205\300\17\205\15\1\0\0\213F\4;\307t\17=\2", ) , ) == 0x0
 00914   408   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\241\204\364\376\17\211E\204\213E\324\211E\200\215U\320Rj\0\213@\4\301\350\3PQ\377\266\200\1\0\0\350\273\276\377\377\205\300\17\204\\377\377\377\203}\320\0\17\204R\377\377\377\213\7\205\300t%P\350\347\300\0\0\203'\0\213E\234\203 \0\213E\220\3770\350\324\300\0\0\213E\220\203 \0\213E\224\203 \0\377u\234j\0\377u\224j\0\377u\324\3509\301\377\377\205\300\17\204\15\377\377\377\213E\234\3770\350t\300\0\0\211\7\205\300\17\204\224\376\377\377\213E\224\3770\350`\300\0\0\213M\220\211\1\205\300\17\204}\376\377\377\377u\234\3777\377u\224P\377u\324\350\365\300\377\377\205\300\17\204\311\376\377\377\17\266E\30\203\340\1\213M\214\211\1j\0j\1\213E\220\3770\3777\350\345-\0\0\211E\240\205\300uTPP\213E\220\3770\3777\350\320-\0\0\211E\240\205\300u?\366F\3\360u\329E\210\17\224\300P\377u\30\377u\204V\350T\22\0\0\211E\240\205\300u\37\377u\343\3009E\210\17\224\300@P\377u\10\350\344\311\377\377\205\300u\21\377\25\234\21\375\17\213\360\211u\244\203M\374\377\353\11\203M\374\3773\366\211u\3303\300\205\366\17\224\300\213\370\203}\310\0t\17\213E\334\5d\1\0\0P\377\25\214\21\375\17\203}\344\0t\10\377u\344\350\263\277\0\0\203}\324\0t\16\203}\270\0u\16\377u\324\350\237\277\0\0\203}\270\0t\6S\350\223\277\0\0\203}\330\0t\10\377u\330\350\22\275\377\377\205\377u\7V\377\25\230\21\375\17\213\307\350\204`\0\0\302\30\03\300@\303\213e\350jW^\203M\374\377\213]\264\351{\377\377\377\213K\4\201\371\0\244\0\0t\14\201\371\0$\0\0\17\205\254\374\377\377\213C\14\215P\7\301\352\3\203\342", ) , ) == 0x0
 00915   408   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\276\17\0\11\200\353\23\366\213E\370;\307t\21=\1\0\0\200t\12=\2\0\0\200t\3P\377\3239}\374t\10\377u\374\350\376\260\0\0_\213\306^[\311\302\30\0U\213\354SV\213u\10W\213}\20\215^\34S\377u\20\203\347 W\377u\14\377v\4\350\334\310\0\0\213M\20\203\341\10\204\311t~=\26\0\11\200t\13\205\300ul\270\17\0\11\200\353eS\377u\14\350}\310\0\0\205\300uX\215\206\\1\0\0P\215\236<\1\0\0Sj\0\377u\20\377v\4\377v\\350\356\376\377\377=\26\0\11\200u\307\203;\0u,\205\377u\11\350Y\266\0\0\205\300u!\215F\34PW\215F`P\377v\4\307\206P\1\0\0\2\0\0\0\350g\314\0\0\205\300u\23\300_^[]\302\14\0\205\300u\14\307\206P\1\0\0\2\0\0\0\353\347\215\206\\1\0\0P\215\206<\1\0\0Pj\0\377u\20\377v\4\377u\14\350\177\376\377\377\205\300u\307S\377u\14\350\337\307\0\0\353\266U\213\354\203\354\20SVW3\3773\366\366E\20 \211}\364\211}\370\211}\374\211}\360t\1F\215E\14P\215E\360PW\215E\370P\215E\364P\377u\10\377u\14V\350\326\325\0\0;\307u[\215E\374Ph?\0\17\0W\377u\370\377u\364\3501\324\0\0;\307uB\215E\20P\377u\374\350\276\375\377\377\203}\20\1u\25V\377u\374hP\364\376\17\377u\10\350\1O\0\0;\307u\33\377u\370\377u\364\350\320\324\0\0;\307t\20\203\370\2u\7\273\26\0\11\200\353\6\213\330\353\23\333\213E\364;\307\2135\214\20\375\17t\21=\1\0\0\200t\12=\2\0\0\200t\3P\377\3269}\374t\5\377u\374\377\3269}\370t\10\377u\370\3507\257\0", ) , ) == 0x0
 00916   408   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\204\16\1\0\0\213\306+\326\212\10\210\14\2@:\313u\366\377u\364\2135\344\21\375\17\377\326Y\215E\314P\215E\344P\215E\340P\215E\334P\215E\330P\215E\324P\215E\20P\215E\354PSSS\377u\370\377\25\230\20\375\17;\303\17\205\274\0\0\0\213E\20\203\300\2P\350\235\240\0\0\211E\374\213E\20\203\300\2P\350\216\240\0\09]\374\211E\360\17\204\231\0\0\0;\303\17\204\221\0\0\09]\354\211]\14vT\213E\20\203\300\2\211E\350\215E\314PSSS\215E\350P\377u\374\377u\14\377u\370\377\25\224\20\375\17;\303u^\377u\374\377u\360\377\25t\21\375\17\377u\374\377\326Y\377u\364\377u\374\377\25d\21\375\17\205\300t\17\377E\14\213E\14;E\354r\2543\366\3534\215\267D\1\0\0\3776\350=\240\0\0S\377u\24\211\36\377u\360W\350'\366\377\377;\303u\15W\377u\10\350\350\373\377\377;\303t\317\213\360\353\3j\10^9]\370t\11\377u\370\377\25\214\20\375\179]\364t\10\377u\364\350\373\237\0\09]\374t\10\377u\374\350\356\237\0\09]\360t\10\377u\360\350\341\237\0\0_\213\306^[\311\302\20\0U\213\354\203\354\34S3\333V\211]\374\350C\244\0\0\367E\14\207\377\377\17t\12\276\11\0\11\200\351\317\3\0\0\213E\14\276\0\0\0\360#\306;\306W\213}\10\211E\370u\23\205\377t\17\200?\0t\12\276\11\0\11\200\351\246\3\0\0j\4\377u\24\377\25\\21\375\17\205\300t\10jW^\351\217\3\0\0\205\377t+\200?\0t+\213\307\215P\1\212\10@\204\311u\371+\302@\366E\14\10tj=\5\1\0\0vc\276\37\0\11\200\351`\3\0\09u\370tuj@^V\350\7\237\0", ) , ) == 0x0
 00917   408   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\375\173\333C\211]\330\213E\30\211E\274\215E\274P\215E\270P\215E\264P\350\215\202\0\0\205\300u\14\307E\300 \0\11\200\351\250\1\0\0\377u\264\350\305\220\0\0\211E\344\205\300u\14\307E\300\10\0\0\0\351\215\1\0\0\211]\334\377u\270\350\247\220\0\0\213\370\211}\340\205\377t\340\215\206`\1\0\0\2038\377t\20\211E\310\307E\314\277\303\375\17\215E\310\211E\324h\1\0\1\0\377u\30W\377u\344\377u\324\350\177~\0\0\205\300t\222SSW\377u\344\350'\376\377\377\211E\260\205\300\17\205-\1\0\0SPW\377u\344\350\21\376\377\377\211E\260\205\300\17\205\27\1\0\09E\20u2\215~@\211}\254\215\2368\1\0\0\211]\250\215F(\211E\244\215\2064\1\0\0\211E\240\215FH\211E\234\307E\230\1\0\0\0\241T\364\376\17\353-\215~L\211}\254\215\2360\1\0\0\211]\250\215F0\211E\244\215\206,\1\0\0\211E\240\215FT\211E\234\203e\230\0\241X\364\376\17\211E\224\213\7\205\300t\15P\350\374\217\0\0\3773\350\365\217\0\0\203e\334\0\213E\270\213M\240\211\1\213E\264\213M\244\211\1\213E\340\211\3\213E\344\211\7\17\266E\14\203\340\1\213M\234\211\1\366F\3\360u\26\377u\230\377u\14\377u\224V\350\361\341\377\377\211E\260\205\300uW\213}\24W\203}\20\0u\36j\2\377u\10\350\202\231\377\377\205\300u\10\377\25\234\21\375\17\3537\215E\320Pj\3\353\24j\1\377u\10\350d\231\377\377\205\300t\342\215E\320Pj\4\377u\10\3777\350|\3\0\0\211E\260\205\300t\23= \0\11\200u\3\203\300\343\211E\300\203M\374\377\3536\270\0@\0\0\205E\14t\15\213M\320\11A\10\213E\320\200Hi\1", ) , ) == 0x0
 00918   408   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "h\3\0\0V\350\362\200\0\0\213\370\205\377\211{\30u\10j\10X\3518\2\0\0\271\332\0\0\03\300\363\253\211s\24\213E\20\213{\30j\24Y;\301\17\2058\1\0\0\213u\24\213F\14\211\207d\3\0\0\213\6\203\350\0\17\204\244\0\0\0Ht\12\270\5\0\11\200\351\367\1\0\0\213F\10\250\7u\357\215M\374Qj\0\301\350\3P\377v\4\213E\10\377\260\200\1\0\0\350d~\377\377\205\300u\12\270\11\0\11\200\351\307\1\0\0\213F\4-\1f\0\0t\33Ht\30Ht\25\203\350\6t\20-\370\1\0\0u\252\203\247\\3\0\0\0\353\12\307\207\\3\0\0\10\0\0\0\201{\4\5L\0\0u\25\213F\10\301\350\3;C\14t\12\270\3\0\11\200\351z\1\0\0\213F\10\301\350\3\211\207P\3\0\0\213F\4\211\207H\3\0\0\351^\1\0\0\213F\4-\3\200\0\0t9H\17\205N\377\377\377\201{\4\4L\0\0u\24\211\217X\3\0\0\213F\10\301\350\3\211\207T\3\0\0\353A\201~\10\240\0\0\0\17\205$\377\377\377\211\217T\3\0\0\353,\201{\4\4L\0\0u\14\307\207X\3\0\0\20\0\0\0\353\310\201~\10\200\0\0\0\17\205\372\376\377\377\307\207T\3\0\0\20\0\0\0\213F\4\211\207L\3\0\0\351\341\0\0\0\203\350\25\17\204\253\0\0\0H\17\204\205\0\0\0\203\350\4t?Ht\12\270\12\0\11\200\351\301\0\0\0\213E\24\213\10\201\371\0\1\0\0\17\207\257\376\377\377\213[\4\201\373\4L\0\0t\10\201\373\5L\0\0u\322\211\217D\3\0\0\201\307D\2\0\0\353z\201{\4\4L\0\0u\273\213\207<\2\0\0\205\300t\6P\350O\177\0\0\213u\24\213\6P\211\207@\2\0\0\350\16\177\0\0\205\300\211\207<\2", ) , ) == 0x0
 00919   408   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\10\377u\354\377u\374\3770\350\352\370\377\377\205\300t\4\213\360\353\36\213M\350\213E\34\213u\364\213}\30\211\10\213\301\301\351\2\363\245\213\310\203\341\3\363\2443\366\377u\374\350\360p\0\0\203}\364\0t\10\377u\364\350\342p\0\0_\213\306^[\311\302\30\0U\213\354\203\354\20\213E\10\213@\14\203e\374\0SV\213u\20\213\16\211E\370\213\200,\3\0\0\215D\10\5P\211E\364\350|p\0\0\213\330\205\333u\10j\10^\351\245\0\0\0\213U\20\306\3\1f\307C\1sl\213\16\213u\14\213\301W\301\351\2\215{\3\363\245\213\310\203\341\3\363\244\213\2f\307D\30\3sl\213E\370\213\22\213\210,\3\0\0\215|\32\5\213\321\301\351\2\215\260,\2\0\0\363\245\213\312\203\341\3j\1\363\244\215M\360Q\215M\374Q\377p\10\213E\10\377u\364S\3770\350\0\370\377\377\205\300t\4\213\360\353\36\213M\360\213E\20\213u\374\213}\14\211\10\213\301\301\351\2\363\245\213\310\203\341\3\363\2443\366S\350\10p\0\0\203}\374\0_t\10\377u\374\350\371o\0\0\213\306^[\311\302\14\0U\213\354\203\354`SVW3\300j\6Y\215}\310\363\253\213E\20\213X\14\213M\143\366\270\3L\0\0+\310\211u\374\211u\360\211u\344\211u\350t!\203\351\4t\12\276\10\0\11\200\351c\1\0\0\213C\14\211E\370\213C\4\307E\360\1\0\0\0\353\6\213K\20\211M\370\213K\24\211E\364\213E\3703\322\215D\1\377\367\361\203\370\2\211E\354v\12\276 \0\11\200\351(\1\0\03\3009E\354v-\215x\1\215E\340P\215D5\240P\377u\360\377u\24W\377u\20\350\341\373\377\377\205\300\17\205\351\0\0\0\3u\340\213\307;E\354r\323\201}\14\7L\0\0u", ) , ) == 0x0
 00920   408   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\253\2533\3339]\24\253j\20_\211]\374\211}\354\211]\364t\1C\213u\10\215E\374P\377v\\3506\377\377\377\205\300t\4\213\360\353W\203}\20\2\213\206T\1\0\0\213H\4\213U\14u\33\203}\30\0t\5\213RH\353\3\213RD\215u\354WV\215p\30\203\300\10\353\31\203}\30\0t\5\213RP\353\3\213RL\215u\354WV\215p8\203\300(\377u\374\211U\370\213\21VPSQ\377R@3\366\203}\374\0t\10\377u\374\350\231`\0\0_\213\306^[\311\302\24\0U\213\354\201\354\210\1\0\0VWjb3\300Y\215\275x\376\377\377\363\253\213E\10\211\205\324\376\377\377\213E\20jP\211E\264\3502`\0\0\213\370\205\377\211}\314u\5j\10^\353WW\350j\373\377\377\205\300u\7\276 \0\11\200\353@\215\205x\376\377\377P\350\252\373\377\377\205\300u.P\377u\24\215\205x\376\377\377j\2\377u\14P\350\343\376\377\377\205\300u\25P\377u\24\215\205x\376\377\377j\1\377u\14P\350\312\376\377\377\213\360W\350\337\372\377\377_\213\306^\311\302\20\0U\213\354\203\354(\213E\10S\213X\4V\213p\10W\213}\14+x\14\213@\20\271\0\0\375\17+\371\301\377\2\3\361\213\26\3\331\215\204\270\0\0\375\17\213\10\205\311x\10\215\201\2\0\375\17\353\3\17\267\0\205\322\211E\374u^S\377\25l\21\375\17\213\370\205\377\211}\10t\j\0WV\377\25H\21\375\17\213\360\205\366u+j\10Y\215}\334\363\253\213E\10\211E\360\241\304\364\376\17\205\300\307E\330$\0\0\0\211]\344t\24\215M\330Qj\5\377\320\353\12W\377\25x\21\375\17\211u\10\203}\10\0t\21\213U\10\377u\374R\377\25p\21\375\17\205\300u\11\377u\374S\350\370\236", ) , ) == 0x0
 00921   408   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "3\3073\367\301\306\22\213\3763\360\201\346\17\0\360\3773\3763\306\301\307\14\213\3673\370\201\347\360\360\360\3603\3673\307\301\310\4\211\2\211r\4]_^[\302\20\0\213Ex3\333\213U|3\3063\326%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\375\213\2518N\375\173\375\212\316\301\350\20\213\2538M\375\173\375\212\334\301\352\20\213\2518O\375\173\375\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\373\213\2318S\375\173\373\213\2308P\375\173\373\213\2328Q\375\173\373\213Ep3\333\213Ut3\3073\327%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\365\213\2518N\375\173\365\212\316\301\350\20\213\2538M\375\173\365\212\334\301\352\20\213\2518O\375\173\365\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\363\213\2318S\375\173\363\213\2308P\375\173\363\213\2328Q\375\173\363\213Eh3\333\213Ul3\3063\326%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\375\213\2518N\375\173\375\212\316\301\350\20\213\2538M\375\173\375\212\334\301\352\20\213\2518O\375\173\375\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\373\213\2318S\375\173\373\213\2308P\375\173\373\213\2328Q\375\173\373\213E`3\333\213Ud3\3073\327%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\365\213\2518N\375\173\365\212\316\301\350\20\213\2538M\375\173\365\212\334\301\352\20\213\2518O\375\173\365\213l$\34", ) , ) == 0x0
 00922   408   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10\213l$\34\211t$ \213\302\213\361\203\340?\203\346?f\213DE\0f\213tu\0+\370+\326\213\303\213\367\203\340?\203\346?f\213DE\0f\213tu\0+\310+\336\213t$ f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320", ) , ) == 0x0
 00923   408   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\301\356\30\212\236\3207\375\17\17\266\362\210X\3\212\236\3207\375\17\210X\4\17\266\315\212\211\3207\375\17\210H\5\213L$\34\301\351\20\17\266\311\212\211\3207\375\17\210H\6\213L$\30\301\351\30\212\211\3207\375\17\210H\7\213L$\30\211T$\24\17\266\361\212\236\3207\375\17\210X\10\17\266\326\212\222\3207\375\17\210P\11\17\266T$\22\212\222\3207\375\17\210P\12\17\266T$\37\212\222\3207\375\17\213\30\210P\13\17\266T$\34\212\222\3207\375\17\213p\4\210P\14\17\266\315\212\221\3207\375\17\17\266L$\26\210P\15\212\221\3207\375\17\17\266L$\23\210P\16\212\221\3207\375\17\210P\17\213\173\331\211\30\213W\43\362\213P\10\211p\4\213O\103\321\211P\10\213W\14\213H\14_^3\312]\211H\14[\203\304\20\302\20\0\213D$\20\213T$\4\203\370\1\213D$\14\213\10Qu\22\203\300\4P\213D$\20RP\350\275\370\377\377\302\20\0\5\364\0\0\0P\213D$\20RP\350I\374\377\377\302\20\0\220\220\220\220\220\220\213D$\10S\213\$\20VW\213|$\20S\215w\4VP\211\37\350\224\365\377\377\215\207\364\0\0\0S\213\370\271<\0\0\0P\363\245\350n\367\377\377_^[\302\14\0\220\220\220\220\220\220\220\220S3\3223\311V\213D$\24\213t$\14W\213\370\213\$\24U\212\216\0\1\0\0\213\353\212\226\1\1\0\0\205\333\17\204\17\1\0\0\301\353\2\203\340\3\205\333\17\204\326\0\0\0\205\300\17\205\316\0\0\0\213\307\215<\237\211|$\34\203\350\4\213\353\213x\4A3\300\201\341\377\0\0\0\212\4\16\3\320\201\342\377\0\0\0\212\34\26\210\34\16A\210\4\26\2\303\212\4\63\370\201\341\377\0\0\03\300\212\4\16\3\320\201\342\377", ) , ) == 0x0
 00924   408   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\215\4k\215\4\205\14\0\0\0=\0\2\0\0v$Pj\0\377\25<\21\375\17\205\300\211D$,u\15_^][\201\304$\2\0\0\302\24\0\211D$ \353\10\215L$4\211L$ \213T$ \215\14\255\0\0\0\0\215<\21\211|$\30\203\307\4\215\49\215P\4\211T$(\213\321\301\351\2\363\245\213\312\203\341\3\363\244\213\264$8\2\0\0\213|$(\307\0\0\0\0\0\211D$0\215\4\235\0\0\0\0\213\310\213\321\301\351\2\363\245\213\312\203\341\3\363\244\213t$(+\335\307\40\0\0\0\0\211\$\34\17\2108\1\0\0\215\4\235\0\0\0\0\215\140\211L$$\213L$\30\203\301\4+\301\3\306\3\335\215\14\236\211D$\20\211L$\24\353\7\213L$\24\215I\0\203\375\1\213\264$<\2\0\0v\6\213D\256\370\353\23\300\213T\256\374P\213A\374\213\11RPQ\350\352\375\377\377\205\300u\5\270\1\0\0\0\213\$ UVPS\350T\26\0\0\213T$\30\211\2\205\355\213\375|\35\213t$$\213D$\30+\363\213\14\6\213\20;\321wbr\10O\203\350\4\205\377}\355\213|$$\215E\1PSWW\350\177\371\377\377\205\355\213\365|\34\213D$0\220\213L$\20\213\14\1\213\20;\312w\12rFN\203\350\4\205\366}\351\213\$\34\213t$\24\213D$\20\271\4\0\0\0C\3\361\3\371\3\301\211\$\34\211t$\24\211D$\20\353\35\215E\1P\213D$\34\203\300\4PSS\350$\371\377\377\351m\377\377\377\271\4\0\0\0\213D$\34\213\$\24\213T$\20H+\331+\371+\321\205\300\211D$\34\211\$\24\211|$$\211T$\20\17\215\364\376\377\377\213t$(\213\234$@\2\0\0\215\24\255\0\0\0\0\213", ) , ) == 0x0
 00925   408   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "L$$\215\14\301\211T$,\213T$t\211L$\24\215\14\201\211U\0\213D$pPU\211L$ \213L$lVQ\350\337\373\377\377\205\300u\33S\377\25|\21\375\17_^]3\300[\203\304P\302\24\0\353\6\215\233\0\0\0\0\213T$p\213D$dRUWP\350\257\373\377\377\205\300t\320\213L$\20QWV\350/\355\377\377\205\300t\333\213T$\20RWV\350\37\355\377\377\203\370\1t,\213D$\203\311\205\300v"3\300\213\24\206\211T$d\213\24\207\211\24\206\213T$dA\211\24\207\213T$\20\17\267\301;\302r\340\213D$\20\213L$ PWVQ\350-\355\377\377\213T$\20Rj\1S\350\240\352\377\377\213D$\20\213L$\30PSWQ\350\363\351\377\377\213T$\20\213D$\24RSVP\350\342\351\377\377\213L$\20\213T$\30\213D$\24QRPS\350\351\354\377\377\213L$\20\213D$$\215\24\11\213L$\34RSUPQP\350_\366\377\377\205\300\17\204\14\377\377\377\213D$\20\213L$\34P\215\24\0\213D$\30R\213T$0PQRS\350\11\361\377\377\213D$\20\213L$\30\213T$\34P\3\300P\213D$4QRPS\350\354\360\377\377\213L$\20\213T$0\213D$$QWVRPS\350\5\366\377\377\205\300S\17\204\262\376\377\377\213L$\24\213t$$\213|$8\3\311\363\245\213L$\24\213D$t\215\24\315\0\0\0\0\213L$l\211Q\4\3\300\213\320\211A\10\307\1RSA1\301\352\3J\211Q\14\213u\0\211q\20\213L$p\211A\10\211Q\14\213E\0\211A\20\377\25|\21\375\17\270\1\0\0\0_^][\203\304P\302\24\0\220\220\220\220\220\220\220\213D$\4\2018RS", ) 3\300\213\24\206\211T$d\213\24\207\211\24\206\213T$dA\211\24\207\213T$\20\17\267\301;\302r\340\213D$\20\213L$ PWVQ\350-\355\377\377\213T$\20Rj\1S\350\240\352\377\377\213D$\20\213L$\30PSWQ\350\363\351\377\377\213T$\20\213D$\24RSVP\350\342\351\377\377\213L$\20\213T$\30\213D$\24QRPS\350\351\354\377\377\213L$\20\213D$$\215\24\11\213L$\34RSUPQP\350_\366\377\377\205\300\17\204\14\377\377\377\213D$\20\213L$\34P\215\24\0\213D$\30R\213T$0PQRS\350\11\361\377\377\213D$\20\213L$\30\213T$\34P\3\300P\213D$4QRPS\350\354\360\377\377\213L$\20\213T$0\213D$$QWVRPS\350\5\366\377\377\205\300S\17\204\262\376\377\377\213L$\24\213t$$\213|$8\3\311\363\245\213L$\24\213D$t\215\24\315\0\0\0\0\213L$l\211Q\4\3\300\213\320\211A\10\307\1RSA1\301\352\3J\211Q\14\213u\0\211q\20\213L$p\211A\10\211Q\14\213E\0\211A\20\377\25|\21\375\17\270\1\0\0\0_^][\203\304P\302\24\0\220\220\220\220\220\220\220\213D$\4\2018RS", ) == 0x0
 00926   408   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\337\377\377\205\300\17\204\262\0\0\0\213\224$P\1\0\0VSRWU\350\260\373\377\377\205\300\17\204\231\0\0\0\213D$\20VUPW\350\237\332\377\377\205\300t\33\215\244$\0\0\0\0\213\214$D\1\0\0VQWW\350@\332\377\377\205\300t\354\213\224$T\1\0\0\213\234$<\1\0\0VRWS\350\205\335\377\377\213D$\34VHP\213\204$L\1\0\0WPS\350\337\336\377\377\205\300t<\213\214$H\1\0\0VQWS\350[\335\377\377\213L$ \215<)\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213D$\34PUSS\350\327\331\377\377\307D$\24\1\0\0\0\213L$$\213|$\20\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213D$\30\205\300][t\7P\377\25|\21\375\17\213D$\14_^\201\304(\1\0\0\302 \0\220\220\220\220\220\220\220\377t$\4j\10\377\254\21\375\17P\377\258\21\375\17\302\4\0\377t$\10\377t$\10j\10\377\254\21\375\17P\377\250\21\375\17\302\10\0\203|$\4\0t\23\377t$\4j\10\377\254\21\375\17P\377\25\324\20\375\17\302\4\0U\213\354Q\203e\374\0V\215E\374Pj\1\377u\10\377\25\320\20\375\17P\377\25@\20\375\17\205\300u+\2135\234\21\375\17\377\326=\360\3\0\0u&\215E\374P\377u\10\377\25\314\20\375\17P\377\25D\20\375\17\205\300u\4\377\326\353\12\213E\14\213M\374\211\103\300^\311\302\10\0U\213\354SV\2135\340\362\376\17Wj\123\333_\353$\377\25\234\21\375\17\213\310\201\351\265\6\0\0t:\203\351\6u:\203\373\5s)W\377\25\240\21\375\17\3\377C\377u \377u\34\377u\30\377u\24\377u\20\377u\14\377u\10\377\326", ) , ) == 0x0
 00927   408   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\374\215\4@\215\4\3058\0\0\09\1s\12jz\211\1X\351\275\0\0\0SW\213=\260\21\375\17j\1ht]\375\17\377u\14\377\327\213\330\212\6\203\304\14\204\300u88F\1u3\17\266F\2\17\266N\3\301\340\10\3\301\17\266N\4\301\340\10\3\301\17\266N\5\301\340\10\3\301P\213E\14\215\4Xhl]\375\17P\377\327\203\304\14\353.\17\266N\5Q\17\266N\4Q\17\266N\3Q\17\266N\2Q\17\266N\1\17\266\300QP\213E\14\215\4Xh(]\375\17P\377\327\203\304 3\366\3\3309u\374v%V\377u\10\377\25\20\20\375\17\3770\213E\14\215\4Xh\30]\375\17P\377\327\203\304\14\3\330F;u\374r\333\213E\20C\211\30_3\300[^\311\302\14\0U\213\354Q\213E\20\203 \0\203e\374\0V\215E\374Pj\10\350T\360\377\377\205\300t\4\213\360\353b\213u\14S\213\35\34\20\375\17W\213}\10V\3776\3777j\1\377u\374\377\323\205\300u@\377\25\234\21\375\17\203\370zt\4\213\360\3533\3776\350\313\357\377\377\205\300\211\7u\5j\10^\353!\213M\203\300V@\211\1\3776\3777P\377u\374\377\323\205\300u\10\377\25\234\21\375\17\353\3133\366_[\203}\374\0t\11\377u\374\377\25\340\20\375\17\213\306^\311\302\14\0U\213\354\201\354\14\1\0\0\203e\374\0V\215\205\364\376\377\377\211E\370W\215E\374P\215E\364P\215E\370P\307E\364\0\1\0\0\3506\377\377\377\205\300\213u\370u\15\377u\14\377u\10\3776\350\3\375\377\377\203}\374\0\213\370t\12\205\366t\6V\350a\357\377\377\213\307_^\311\302\10\0U\213\354\201\354\14\1\0\0\203e\374\0V\215\205\364\376\377\377\211E\370W\215E\374P\215E\364P\215", ) , ) == 0x0
 00928   408   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\2S\377\326\213\370;\373u\12\377\25\234\21\375\17\213\360\353p\215D?\2P\350\336\340\377\377;\303\211Elu\5j\10^\353MWPj\377\377u|j\2S\377\326\205\300u\10\377\25\234\21\375\17\353/\377ul\377ux\350\23\370\377\377\205\300t$\215E\314P\377u|\350-\346\377\377;\303u\20\215E\314P\377ux\350\363\367\377\377;\303t\4\213\360\353\23\3669]lt\10\377ul\350\250\340\377\377_\213\306^[\203\305p\311\302\10\0U\215l$\224\201\354\254\0\0\0\203Md\377VW\215EhP\215E`P3\377W\377u|\211}h\377ut\211}`3\366\350\300\361\377\377;\307uG\377ux\377uh\350\363\376\377\377\205\300t?9}|t=\377uh\350M\340\377\377\215EhP\215E`PFV\377u|\211}h\377ut\350\210\361\377\377;\307u\17\377ux\377uh\350\273\376\377\377;\307t\12\213\360\351\204\0\0\03\366FSj(Y3\300\215}\300\363\253\215EdP\215E\300P\377ux\377uh\350e\365\377\377\213\35\340\20\375\17\3537\377ud\377\323\203Md\377\215E\300P\377uh\350\21\367\377\377\205\300u4j(Y\215}\300\363\253\215EdP\215E\300P\377ux3\366\377uhF\350&\365\377\377\205\300t\305\367\336\33\366\201\346\352\377\366\177\201\306\26\0\11\200\353\2\213\360\203}d\377t\5\377ud\377\323[\203}h\0t\10\377uh\350\211\337\377\377_\213\306^\203\305l\311\302\14\0U\213\354Q\203M\374\377VW\215E\374P\377u\14\377u\20h\0\0\0\200\377u\10\350\1\364\377\3773\366;\306t\17\203\370\2u"\277\26\0\11\200\351\307\0\0\0V\377u\374\377\25\364\20\375\17\203\370\377\211E\20", ) \277\26\0\11\200\351\307\0\0\0V\377u\374\377\25\364\20\375\17\203\370\377\211E\20", ) == 0x0
 00929   408   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\300^_\311\302\4\0\377\25\234\21\375\17\353\362U\213\354\203\354 V\213u\10\215E\350P\215E\364PV\377\25\10\20\375\17\205\300u\13\377\25\234\21\375\17\351\252\0\0\0SV\377\25\300\20\375\17P\211E\10\350\264\320\377\377\205\300\213]\14\211\3u\10j\10X\351\207\0\0\0\366E\365\200\17\204\203\0\0\0\213M\10W\213\370\213\301\301\351\2\363\245\213\310\203\341\3\363\244_\215E\344P\215E\374P\215E\360P\3773\377\25\274\20\375\17\205\300tf3\3669u\360t\219u\374t\14\377u\374\350\344\376\377\377;\306u8\215E\340P\215E\370P\215E\354P\3773\377\25\270\20\375\17\205\300t69u\354t\219u\370t\14\377u\370\350\266\376\377\377;\306u\12\213E\20\213M\10\211\103\300[^\311\302\14\0\215M\10QPV\377\25\264\20\375\17\205\300u\202\377\25\234\21\375\17\353\342U\213\354\203\354\20VW\215E\30P\215E\3743\377P\377u\30\211}\374\211}\364\211}\370\211}\360\350\353\376\377\377;\307u\30\215E\370P\215E\360PW\377u\20\377u\14\350C\341\377\377;\307t\4\213\360\353\177\213u\370SV\350\246\20\0\0\377u\10\213\330\321\343\350\232\20\0\0\321\340Y\211E\30Y\215D\30\2P\350\221\317\377\377;\307\211E\364u\5j\10^\353K\213\313\213\321\301\351\2\377u\374\213\370\363\245\377u\24\213\312\203\341\3\363\244\213M\30\213u\10\203\301\2\213\321\301\351\2\215<\3\363\245\213\312\203\341\3P\363\244\377\25\4\20\375\17\205\300u\12\377\25\234\21\375\17\213\360\353\23\3663\377[9}\374t\10\377u\374\350\\317\377\3779}\370t\10\377u\370\350O\317\377\3779}\364t\10\377u\364\350B\317\377\377_\213\306^\311\302\24\0U\213", ) , ) == 0x0
 00930   408   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\311\302\30\0\213D$\4\353\11;L$\10t\13\203\300X\213\10\205\311u\3613\300\302\10\0\377t$\10\377t$\10\350\331\377\377\377\213L$\14\205\311t\2\211\13\311\205\300\17\225\301\213\301\302\14\0\213D$\20\205\300u\21\377t$\10\377t$\10\350\256\377\377\377\205\300t\23\213L$\149H\10w\129H\14r\53\300@\353\23\300\302\20\0\213T$\20\213D$\14\203"\0\205\300u\21\377t$\10\377t$\10\350v\377\377\377\205\300t\10\213@\4\211\23\300@\302\20\0\270\370\362\376\17\351\0\0\0\0QRPh\334\277\376\17\350\203`\377\377ZY\377\340\270\364\362\376\17\351\345\377\377\377\270\374\362\376\17\351\333\377\377\377\270\354\362\376\17\351\0\0\0\0QRPh\374\277\376\17\350T`\377\377ZY\377\340\377%\354\362\376\17\314\377%D\21\375\17\314\314\314\314\314\314\314\314SV\213D$\30\13\300u\30\213L$\24\213D$\203\322\367\361\213\330\213D$\14\367\361\213\323\353A\213\310\213\$\24\213T$\20\213D$\14\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\360\367d$\30\213\310\213D$\24\367\346\3\321r\16;T$\20w\10r\7;D$\14v\1N3\322\213\306^[\302\20\0\314\314\314\314\314\314\314\314S\213D$\24\13\300u\30\213L$\20\213D$\143\322\367\361\213D$\10\367\361\213\3023\322\353P\213\310\213\$\20\213T$\14\213D$\10\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\310\367d$\24\221\367d$\20\3\321r\16;T$\14w\10r\16;D$\10v\10+D$\20\33T$\24+D$\10\33T$\14\367\332\367\330\203\332\0[\302\20\0\314\377%\334\21\375\17\377%\330\21\375\17\377%\300\21\375\17", ) \0\205\300u\21\377t$\10\377t$\10\350v\377\377\377\205\300t\10\213@\4\211\23\300@\302\20\0\270\370\362\376\17\351\0\0\0\0QRPh\334\277\376\17\350\203`\377\377ZY\377\340\270\364\362\376\17\351\345\377\377\377\270\374\362\376\17\351\333\377\377\377\270\354\362\376\17\351\0\0\0\0QRPh\374\277\376\17\350T`\377\377ZY\377\340\377%\354\362\376\17\314\377%D\21\375\17\314\314\314\314\314\314\314\314SV\213D$\30\13\300u\30\213L$\24\213D$\203\322\367\361\213\330\213D$\14\367\361\213\323\353A\213\310\213\$\24\213T$\20\213D$\14\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\360\367d$\30\213\310\213D$\24\367\346\3\321r\16;T$\20w\10r\7;D$\14v\1N3\322\213\306^[\302\20\0\314\314\314\314\314\314\314\314S\213D$\24\13\300u\30\213L$\20\213D$\143\322\367\361\213D$\10\367\361\213\3023\322\353P\213\310\213\$\20\213T$\14\213D$\10\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\310\367d$\24\221\367d$\20\3\321r\16;T$\14w\10r\16;D$\10v\10+D$\20\33T$\24+D$\10\33T$\14\367\332\367\330\203\332\0[\302\20\0\314\377%\334\21\375\17\377%\330\21\375\17\377%\300\21\375\17", ) == 0x0
 00931   408   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\343\316\1\0\365\316\1\0\7\317\1\0\0\0\1\0\2\0\3\0\4\0\5\0\6\0\7\0\10\0\11\0\12\0\13\0\14\0\15\0\16\0\17\0\20\0\21\0\22\0\23\0\24\0\25\0\26\0\27\0\30\0\31\0\32\0RSAENH.dll\0CPAcquireContext\0CPCreateHash\0CPDecrypt\0CPDeriveKey\0CPDestroyHash\0CPDestroyKey\0CPDuplicateHash\0CPDuplicateKey\0CPEncrypt\0CPExportKey\0CPGenKey\0CPGenRandom\0CPGetHashParam\0CPGetKeyParam\0CPGetProvParam\0CPGetUserKey\0CPHashData\0CPHashSessionKey\0CPImportKey\0CPReleaseContext\0CPSetHashParam\0CPSetKeyParam\0CPSetProvParam\0CPSignHash\0CPVerifySignature\0DllRegisterServer\0DllUnregisterServer\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 00932   408   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2f\0\0\200\0\0\0(\0\0\0\200\0\0\0\0\0\0\0\4\0\0\0RC2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0RSA Data Security's RC2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1h\0\0\200\0\0\0(\0\0\0\200\0\0\0\0\0\0\0\4\0\0\0RC4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0RSA Data Security's RC4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1f\0\08\0\0\08\0\0\08\0\0\0\0\0\0\0\4\0\0\0DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\37\0\0\0Data Encryption Standard (DES)\0\0\0\0\0\0\0\0\0\0\11f\0\0p\0\0\0p\0\0\0p\0\0\0\0\0\0\0\15\0\0\03DES TWO KEY\0\0\0\0\0\0\0\0\23\0\0\0Two Key Triple DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3f\0\0\250\0\0\0\250\0\0\0\250\0\0\0\0\0\0\0\5\0\0\03DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\25\0\0\0Three Key Triple DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\200\0\0\240\0\0\0", ) , ) == 0x0
 00933   408   NtReadFile  (112, 0, 0, 0, 2916, 0x0, 0, ... {status=0x0, info=2916},  (112, 0, 0, 0, 2916, 0x0, 0, ... {status=0x0, info=2916}, "\0\0\0\0\5L\0\0(\0\0\0(\0\0\0\300\0\0\0\2\0\0\0\14\0\0\0SSL2 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0SSL2 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1L\0\0\200\1\0\0\200\1\0\0\200\1\0\0\4\0\0\0\14\0\0\0SSL3 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0SSL3 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\6L\0\0\200\1\0\0\200\1\0\0\200\1\0\0\10\0\0\0\14\0\0\0TLS1 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0TLS1 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\20\0\0\0SCH MASTER HASH\0\0\0\0\0\25\0\0\0SChannel Master Hash\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\14\0\0\0SCH MAC KEY\0\0\0\0\0\0\0\0\0\21\0\0\0SChannel MAC Key\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\7L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\14\0\0\0SCH ENC KEY\0\0\0\0\0\0\0\0\0\30\0\0\0SChannel", ) , ) == 0x0
 00934   408   NtQueryInformationFile  (112, 1239240, 8, Position, ... {status=0x0, info=8}, ) == 0x0
 00935   408   NtSetInformationFile  (112, 1239240, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00936   408   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\1\0\0P\1\0\0>\371\230\274_\256\254\300\0\07\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0o\0p\0e\0n\0 \0s\0i\0g\0n\0a\0t\0u\0r\0e\0 \0f\0i\0l\0e\0?\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0g\0e\0t\0 \0t\0h\0e\0 \0s\0i\0z\0e\0 \0o\0f\0 \0R\0s\0a\0b\0a\0s\0e\0.\0s\0i\0g\03\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0a\0l\0l\0o\0c\0a\0t\0e\0 \0m\0e\0m\0o\0r\0y\04\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0R\0e\0a\0d\0 \0R\0s\0a\0b\0a\0s\0e\0.\0s\0i\0g\05\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0", ) , ) == 0x0
 00937   408   NtReadFile  (112, 0, 0, 0, 1208, 0x0, 0, ... {status=0x0, info=1208},  (112, 0, 0, 0, 1208, 0x0, 0, ... {status=0x0, info=1208}, "\337:J;i;\266;\300;\317;\365;\3<\31\16>W>q>\251>\276>\217?\0\0\0\220\1\0|\0\0\0 0)0J0T0\2120\2360\3070\3460\253182a2\2342\2432\2532\3112\3642\273\2353\2433_4m4\2704\3054\3664+595Q5^5\2045\2165\2505*646\3606\107F7\258 8=8P8d:m:\263<\275<\10=H=`=\220=\210>>?L?q?~?\217?\233?\354?\373?\0\0\0\240\1\0\210\0\0\0\120!0D0}0\2371\3711#2\3512\6333\2043\2353\3333\104V4d4\3264\3514'575v5\2265\3316\3666\67\377e7o7\2117\3457\3677*8\2248\3338!:\177:\251:\270;\276;\325;\344;\356;%<-B>L>\0?\12?\341?\374?\0\260\1\0\10\1\0\0\3240\3500\201\331?1I1\2571\2731\3021\3661'2\2732\3052V3h3n3z3\2273\2563\2643\3253\3663\27484Y4z4\2334\2744\3354\3764\375@5a5\2025\2435\3045\3455\26\376<6Y6o6\1776\2136\2276\2356\2436\2516\2576\2656\2736\3016\3076\3156\3236\3316\3376\3456\3536\3616\3676\3756\37\117\177\257\337"7-7>7I7\2527\38\238&858z8\2538\3428\3608\49\219$939", ) 7-7>7I7\2527\38\238&858z8\2538\3428\3608\49\219$939", ) == 0x0
 00938   408   NtUnmapViewOfSection  (-1, 0x8e0000, ... ) == 0x0
 00939   408   NtClose  (104, ... ) == 0x0
 00940   408   NtClose  (112, ... ) == 0x0
 00941   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1237720, ... ) }, 1237720, ... ) == 0x0
 00942   408   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 5, 96, ... 112, {status=0x0, info=1}, ) }, 5, 96, ... 112, {status=0x0, info=1}, ) == 0x0
 00943   408   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 112, ... 104, ) == 0x0
 00944   408   NtClose  (112, ... ) == 0x0
 00945   408   NtMapViewOfSection  (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x8e0000), 0x0, 135168, ) == 0x0
 00946   408   NtClose  (104, ... ) == 0x0
 00947   408   NtUnmapViewOfSection  (-1, 0x8e0000, ... ) == 0x0
 00948   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1238036, ... ) }, 1238036, ... ) == 0x0
 00949   408   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0
 00950   408   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 104, ... 112, ) == 0x0
 00951   408   NtQuerySection  (112, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00952   408   NtClose  (104, ... ) == 0x0
 00953   408   NtMapViewOfSection  (112, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0xffd0000), 0x0, 139264, ) == 0x0
 00954   408   NtClose  (112, ... ) == 0x0
 00955   408   NtProtectVirtualMemory  (-1, (0xffd1000), 492, 4, ... (0xffd1000), 4096, 32, ) == 0x0
 00956   408   NtProtectVirtualMemory  (-1, (0xffd1000), 4096, 32, ... (0xffd1000), 4096, 4, ) == 0x0
 00957   408   NtFlushInstructionCache  (-1, 268242944, 492, ... ) == 0x0
 00958   408   NtProtectVirtualMemory  (-1, (0xffd1000), 492, 4, ... (0xffd1000), 4096, 32, ) == 0x0
 00959   408   NtProtectVirtualMemory  (-1, (0xffd1000), 4096, 32, ... (0xffd1000), 4096, 4, ) == 0x0
 00960   408   NtFlushInstructionCache  (-1, 268242944, 492, ... ) == 0x0
 00961   408   NtProtectVirtualMemory  (-1, (0xffd1000), 492, 4, ... (0xffd1000), 4096, 32, ) == 0x0
 00962   408   NtProtectVirtualMemory  (-1, (0xffd1000), 4096, 32, ... (0xffd1000), 4096, 4, ) == 0x0
 00963   408   NtFlushInstructionCache  (-1, 268242944, 492, ... ) == 0x0
 00964   408   NtProtectVirtualMemory  (-1, (0xffd1000), 492, 4, ... (0xffd1000), 4096, 32, ) == 0x0
 00965   408   NtProtectVirtualMemory  (-1, (0xffd1000), 4096, 32, ... (0xffd1000), 4096, 4, ) == 0x0
 00966   408   NtFlushInstructionCache  (-1, 268242944, 492, ... ) == 0x0
 00967   408   NtAllocateVirtualMemory  (-1, 1359872, 0, 20480, 4096, 4, ... 1359872, 20480, ) == 0x0
 00968   408   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 00969   408   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 00970   408   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 00971   408   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 00972   408   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 00973   408   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 00974   408   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 00975   408   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 00976   408   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 00977   408   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 00978   408   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 00979   408   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 00980   408   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 00981   408   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 00982   408   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 00983   408   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 00984   408   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 00985   408   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 00986   408   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 00987   408   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 00988   408   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 00989   408   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 00990   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1236988, ... ) }, 1236988, ... ) == 0x0
 00991   408   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1237720,  (0x80100080, {24, 0, 0x40, 0, 1237720, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 0x0, 0, 3, 1, 96, 0, 0, ... 112, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 96, 0, 0, ... 112, {status=0x0, info=1}, ) == 0x0
 00992   408   NtQueryVolumeInformationFile  (112, 1237880, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00993   408   NtQueryInformationFile  (112, 1237772, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00994   408   NtQueryInformationFile  (112, 1238064, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00995   408   NtClose  (112, ... ) == 0x0
 00996   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1236480, ... ) }, 1236480, ... ) == 0x0
 00997   408   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1237212,  (0x80100080, {24, 0, 0x40, 0, 1237212, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 0x0, 0, 3, 1, 96, 0, 0, ... 112, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 96, 0, 0, ... 112, {status=0x0, info=1}, ) == 0x0
 00998   408   NtQueryVolumeInformationFile  (112, 1237372, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00999   408   NtQueryInformationFile  (112, 1237264, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01000   408   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 112, ... 104, ) == 0x0
 01001   408   NtMapViewOfSection  (104, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x8e0000), {0, 0}, 135168, ) == 0x0
 01002   408   NtQueryDefaultLocale  (1, 1237352, ... ) == 0x0
 01003   408   NtQueryVirtualMemory  (-1, 0x8e0000, Basic, 28, ... {BaseAddress=0x8e0000,AllocationBase=0x8e0000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01004   408   NtQueryVirtualMemory  (-1, 0x8e0000, Basic, 28, ... {BaseAddress=0x8e0000,AllocationBase=0x8e0000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01005   408   NtQueryDefaultLocale  (1, 1237352, ... ) == 0x0
 01006   408   NtQueryVirtualMemory  (-1, 0x8e0000, Basic, 28, ... {BaseAddress=0x8e0000,AllocationBase=0x8e0000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01007   408   NtQueryVirtualMemory  (-1, 0x8e0000, Basic, 28, ... {BaseAddress=0x8e0000,AllocationBase=0x8e0000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01008   408   NtReadFile  (112, 0, 0, 0, 336, 0x0, 0, ... {status=0x0, info=336},  (112, 0, 0, 0, 336, 0x0, 0, ... {status=0x0, info=336}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\370\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\264\336V\215\360\2778\336\360\2778\336\360\2778\336\275\234$\336\377\2778\3369\235\22\336\365\2778\336\360\2779\336q\2778\336\12\234!\336\371\2778\336\360\2778\336\362\2778\336\12\234x\336\363\2778\336\12\234\7\336\361\2778\336g\234}\336\361\2778\336*\234%\336\361\2778\336*\234$\336\376\2778\336\12\234\5\336\361\2778\336Rich\360\2778\336\0\0\0\0\0\0\0\0PE\0\0L\1\4\0.FQ;\0\0\0\0\0\0\0\0\340\0\16!\13\1\7\0\0\300\1\0\0@\0\0\0\0\0\0\340\367\0\0\0\20\0\0\0\320\1\0\0\0\375\17\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0 \2\0\0\4\0\0", ) , ) == 0x0
 01009   408   NtQueryInformationFile  (112, 1237600, 8, Position, ... {status=0x0, info=8}, ) == 0x0
 01010   408   NtSetInformationFile  (112, 1237600, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01011   408   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\3\0\0\0\0\0\4\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0`\314\1\0\273\2\0\0\304\301\1\0d\0\0\0\0\0\2\08\14\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\2\0\0\12\0\0\360\21\0\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0\354\1\0\0\274\277\1\0\340\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\33\277\1\0\0\20\0\0\0\300\1\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0`.data\0\0\0(%\0\0\0\320\1\0\0$\0\0\0\304\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0\300.rsrc\0\0\08\14\0\0\0\0\2\0\0\16\0\0\0\350\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0@.reloc\0\0R\13\0\0\0\20\2\0\0\14\0\0\0\366\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0B\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01012   408   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "*\305\357\357\345O\252\252\26\355\373\373\305\206CC\327\232MMUf33\224\21\205\205\317\212EE\20\351\371\371\6\4\2\2\201\376\177\177\360\240PPDx<<\272%\237\237\343K\250\250\363\242QQ\376]\243\243\300\200@@\212\5\217\217\255?\222\222\274!\235\235Hp88\4\361\365\365\337c\274\274\301w\266\266u\257\332\332cB!!0 \20\20\32\345\377\377\16\375\363\363m\277\322\322L\201\315\315\24\30\14\145&\23\23/\303\354\354\341\276__\2425\227\227\314\210DD9.\27\27W\223\304\304\362U\247\247\202\374~~Gz==\254\310dd\347\272]]+2\31\31\225\346ss\240\300``\230\31\201\201\321\236OO\177\243\334\334fD""~T**\253;\220\220\203\13\210\210\312\214FF)\307\356\356\323k\270\270<(\24\24y\247\336\336\342\274^^\35\26\13\13v\255\333\333;\333\340\340Vd22Nt::\36\24\12\12\333\222II\12\14\6\6lH$$\344\270\\]\237\302\302n\275\323\323\357C\254\254\246\304bb\2509\221\221\2441\225\2257\323\344\344\213\362yy2\325\347\347C\213\310\310Yn77\267\332mm\214\1\215\215d\261\325\325\322\234NN\340I\251\251\264\330ll\372\254VV\7\363\364\364%\317\352\352\257\312ee\216\364zz\351G\256\256\30\20\10\10\325o\272\272\210\360xxoJ%%r\..$8\34\34\361W\246\246\307s\264\264Q\227\306\306#\313\350\350|\241\335\335\234\350tt!>\37\37\335\226KK\334a\275\275\206\15\213\213\205\17\212\212\220\340ppB|>>\304q\265\265\252\314ff\330\220HH\5\6\3\3\1\367\366\366\22\34\16\16\243\302aa_j55\371\256WW\320i\271\271\221\27\206\206X\231\301\301", )  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "*\305\357\357\345O\252\252\26\355\373\373\305\206CC\327\232MMUf33\224\21\205\205\317\212EE\20\351\371\371\6\4\2\2\201\376\177\177\360\240PPDx<<\272%\237\237\343K\250\250\363\242QQ\376]\243\243\300\200@@\212\5\217\217\255?\222\222\274!\235\235Hp88\4\361\365\365\337c\274\274\301w\266\266u\257\332\332cB!!0 \20\20\32\345\377\377\16\375\363\363m\277\322\322L\201\315\315\24\30\14\145&\23\23/\303\354\354\341\276__\2425\227\227\314\210DD9.\27\27W\223\304\304\362U\247\247\202\374~~Gz==\254\310dd\347\272]]+2\31\31\225\346ss\240\300``\230\31\201\201\321\236OO\177\243\334\334fD""~T**\253;\220\220\203\13\210\210\312\214FF)\307\356\356\323k\270\270<(\24\24y\247\336\336\342\274^^\35\26\13\13v\255\333\333;\333\340\340Vd22Nt::\36\24\12\12\333\222II\12\14\6\6lH$$\344\270\\]\237\302\302n\275\323\323\357C\254\254\246\304bb\2509\221\221\2441\225\2257\323\344\344\213\362yy2\325\347\347C\213\310\310Yn77\267\332mm\214\1\215\215d\261\325\325\322\234NN\340I\251\251\264\330ll\372\254VV\7\363\364\364%\317\352\352\257\312ee\216\364zz\351G\256\256\30\20\10\10\325o\272\272\210\360xxoJ%%r\..$8\34\34\361W\246\246\307s\264\264Q\227\306\306#\313\350\350|\241\335\335\234\350tt!>\37\37\335\226KK\334a\275\275\206\15\213\213\205\17\212\212\220\340ppB|>>\304q\265\265\252\314ff\330\220HH\5\6\3\3\1\367\366\366\22\34\16\16\243\302aa_j55\371\256WW\320i\271\271\221\27\206\206X\231\301\301", ) , ) == 0x0
 01013   408   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) \340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227 (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) G\351d\304\250\374\214\32\240\360?\330V},\357 (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) , ) == 0x0
 01014   408   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "p\3252\266m\307)\241f\311 \254W\343\37\217\\355\26\202A\377\15\225J\361\4\230#\253s\323(\245z\3365\267a\311>\271h\304\17\223W\347\4\235^\352\31\217E\375\22\201L\360\313;\253k\3005\242f\335'\271q\326)\260|\347\3\217_\354\15\206R\361\37\235E\372\21\224H\223K\343\3\230E\352\16\205W\361\31\216Y\370\24\277s\3077\264}\316:\251o\325-\242a\334 \366\255vm\375\243\177`\340\261dw\353\277mz\332\225RY\321\233[T\314\211@C\307\207IN\256\335>\5\245\3237\10\270\301,\37\263\317%\22\202\345\321\211\353\23<\224\371\10+\237\367\1&FM\346\275MC\357\260PQ\364\247[_\375\252ju\302\211a{\313\204|i\320\223wg\331\236\36=\256\325\253\247\330\10!\274\317\3/\265\3022\5\212\3419\13\203\354$\31\230\373/\27\221\366\215vM\326\206xD\333\233j_\314\220dV\301\241Ni\342\252@`\357\267R{\370\274\r\365\325\6\5\276\336\10\14\263\303\32\27\244\310\24\36\251\371>!\212\3620(\207\357"3\220\344,:\235=\226\335\66\230\324\13+\212\317\34 \204\306\21\21\256\3712\32\240\360?\7\262\353(\14\274\342%e\346\225nn\350\234cs\372\207tx\364\216yI\336\261ZB\320\270W_\302\243@T\314\252M\367A\354\332\374O\345\327\341]\376\300\352S\367\315\333y\310\356\320w\301\343\315e\332\364\306k\323\371\2571\244\262\244?\255\277\271-\266\250\262#\277\245\203\11\200\206\210\7\211\213\225\25\222\234\236\33\233\221G\241|\12L\257u\7Q\275n\20Z\263g\35k\231X>`\227Q3}\205J$v\213C)\37\3214b\24\337=o\11\315&x\2\303/u3\351\20V8\347\31[", ) 3\220\344,:\235=\226\335\66\230\324\13+\212\317\34 \204\306\21\21\256\3712\32\240\360?\7\262\353(\14\274\342%e\346\225nn\350\234cs\372\207tx\364\216yI\336\261ZB\320\270W_\302\243@T\314\252M\367A\354\332\374O\345\327\341]\376\300\352S\367\315\333y\310\356\320w\301\343\315e\332\364\306k\323\371\2571\244\262\244?\255\277\271-\266\250\262#\277\245\203\11\200\206\210\7\211\213\225\25\222\234\236\33\233\221G\241|\12L\257u\7Q\275n\20Z\263g\35k\231X>`\227Q3}\205J$v\213C)\37\3214b\24\337=o\11\315&x\2\303/u3\351\20V8\347\31[", ) == 0x0
 01015   408   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\200\20\0\0\200\0\0\20\0\20@\20\0\0\0\0\200\0@\20\0\20\0\0\200\20@\0\0\20@\20\0\0\0\0\0\20\0\20\200\0@\20\0\20@\0\200\0\0\20\200\20\0\0\0\0@\0\0\0\0\20\0\20\0\20\200\0@\20\200\20\0\0\200\20@\20\0\0@\0\0\0@\0\0\20\0\20\200\0\0\20\200\20@\20\0\20\0\0\200\20@\0\200\0@\20\200\20\0\20\200\20@\20\0\20\0\20\0\0@\0\0\0\0\0\0\0@\20\200\0\0\0\0\20\0\20\0\20@\0\200\0\0\0\0\0@\20\200\20\0\20\200\0@\0\200\20@\0\200\0\0\0\0\0\0\20\0\0@\20\0\0\0\20\200\20@\0\200\20\0\0\0\20@\20\0\20@\0\0\20\0\20\200\0\0\0\200\0@\20\200\0@\20\0\0\0\0\0\20@\0\200\20\0\1\0\0\4\0\1\4\4\0\1\0\0\1\1\0\4\1\0\4\0\0\0\0\4\1\1\0\4\0\1\4\0\0\1\0\4\0\0\4\0\0\0\4\4\1\0\0\0\1\1\4\4\1\1\0\0\1\0\0\0\1\0\4\4\0\0\0\0\1\0\4\0\0\1\4\4\0\1\0\0\1\1\0\0\1\1\4\4\0\0\4\0\1\0\0\4\1\0\4\4\0\1\0\4\1\1\4\0\0\0\4\4\0\1\4\0\0\0\0\0\0\0\0\4\1\1\4\0\0\1\4\4\0\1\0\0\1\0\0\0\0\0\4\0\1\1\0\0\1\0\4\0\0\0\4\4\1\1\0\4\0\0\0\0\0\1\4\4\0\1\4\0\1\0\4\4\1\0\4\0\0\0\0\4\1\1\4\4\1\0\0\0\1\1\4\0\1\0\0\4\0\0\0\4\1\1\4\4\0\0\4\0\0\1\0\4\1\1\0\4\0\1\4\0\0\1\0\4\0\0\0\0\1\0\4\4\1\1\0\0\1\0\0\4\1\1\4\0\0\1\0\0\0\0\4\4\10\20@\0\0\20\0\20\10\0\0\0\10\20@\20", ) , ) == 0x0
 01016   408   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "%\00\02\0h\0x\0%\00\02\0h\0x\0\0\0\0\0%\0l\0u\0\0\0S\0-\0%\0l\0u\0-\0\0\0\0\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0C\0r\0y\0p\0t\0o\0\\0R\0S\0A\0\\0\0\0\0\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0C\0r\0y\0p\0t\0o\0\\0D\0S\0S\0\\0\0\0\0\0SeRestorePrivilege\0\0SeBackupPrivilege\0\0\0.DEFAULT\0\0\0\0Software\Microsoft\Cryptography\UserKeys\0\0\0\0Software\Microsoft\Cryptography\MachineKeys\0Software\Microsoft\Cryptography\DSSUserKeys\0*\0\0\0SeSecurityPrivilege\0OffloadModExpo\0\0ExpoOffload\0Software\Microsoft\Cryptography\Offload\0\377\377\377\377\337\261\376\17\343\261\376\17\0\0\0\0\377\377\377\377g\262\376\17k\262\376\17crypt32.dll\0#666\0\0\0\0#667\0\0\0\0RPCRT4.dll\0\377\0\0\0\0PSTOREC.", ) , ) == 0x0
 01017   408   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "V\350\216\376\377\377\205\300u\13Sj\1\377u\30\350o\205\0\0\213\3703\300\205\377\17\224\300\213\360\205\366u\36\205\333t\23\213C\14\205\300t\6P\350\367\20\1\0S\350\361\20\1\0W\377\25\230\21\375\17_\213\306^[]\302\24\09U\20\17\204L\1\0\0\215E\24Pj\2Q\377u\20\350\334\204\0\0\205\300\17\205*\1\0\0\213E\24\201x\4\6L\0\0\17\205%\1\0\0\213H\30\203\271`\3\0\0\0tQ\203x\140uK\2708\2\0\0P\211C\10\350a\20\1\0\213\370\205\377\211{\14u\10j\10_\351k\377\377\377\213K\10\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213{\14\213E\24\213p\20j\14\201\307\10\2\0\0Y\363\245\3512\377\377\377\277\13\0\11\200\3515\377\377\377\213u\20;\362\17\204\263\0\0\0\215E\24Pj\2QV\350E\204\0\0\205\300\17\205\223\0\0\0\211s\20\351\0\377\377\377j$^V\350\351\17\1\0\205\300\211C\14t\212\211s\10\351\350\376\377\377\213}\20;\372tw\215E\24Pj\2QW\350\11\204\0\0\205\300u[\213E\24\203x`\1u]\203x\30\0u\16P\350\\26\0\0\205\300\17\205\276\376\377\377j(^V\350\234\17\1\0\205\300\17\204<\377\377\377\211C\14\211s\10\211{\20\203 \0\203`$\0\351\215\376\377\3779U\20t\36\215E\24Pj\2Q\377u\20\350\256\203\0\0\205\300t\25= \0\11\200\17\205u\376\377\377\277\3\0\11\200\351m\376\377\377\213M\24\213A\4=\1L\0\0t\15=\4L\0\0t\6\203y\140w\334\2708\4\0\0P\211C\10\350*\17\1\0\213\370\205\377\211{\14\17\204\305\376\377\377\213K\10\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213M", ) , ) == 0x0
 01018   408   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\205\300uC\353D\203x\14\20\3539\203x\14\30\35339t$\20u/\213@\14V\301\340\3P\213D$\20\213\200\200\1\0\0h\2f\0\0\3774\205(\362\376\17\350\6@\1\0\205\300t\13\353\6\203x\14\10u\33\366F\213\306^\302\14\0U\213\354\203\354\14\213M\10\213Q\10VW\215z\7\215B\17\301\357\3j\10\203\347\7\301\350\4Z+\327\203\372\10\215t\300\14\211u\364\211U\370t\6\203\302\10\211U\370\321\352\211U\374\213U\14\205\322\17\204\12\1\0\0\213}\2097s\73\300\351\377\0\0\0\2131\2112\213q\10\211r\4\213q\20\211r\10\215q\24\213J\4\301\351\3\211u\10S\213\331\301\351\2\215z\14\211}\14\363\245\213\313\203\341\3\363\244\213J\4\301\351\3\1M\14\213u\370\3\361\1u\10\213u\10\213}\14\1E\14\213\310\213\331\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213J\4\213U\10\213u\374\3\362\213U\14\301\351\3\3\360\215<\2\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213u\364[3\300@\213M\20_\2111^\311\302\14\0U\213\354\203\354\20\213U\10\201:RSA2t\73\300\351\35\2\0\0\213B\4SVW\215H\7\301\351\3j\10\203\341\7^+\361\203\376\10\211u\370t\6\203\306\10\211u\370\213\316\215X\17\301\350\3\321\351\215", ) , ) == 0x0
 01019   408   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "W\3509e\0\0\205\300j\4[t9\215E\34Pj\3VW\350%e\0\0\205\300t(\215E\34PSVW\350\25e\0\0\205\300t\30= \0\11\200u\12\271\3\0\11\200\351\34\3\0\0\213\310\351\25\3\0\0\213E\30\205\300u\10jWY\351\6\3\0\0\213M\20j\6Z;\312\17\2079\1\0\0\17\204\25\1\0\0I\17\204\342\0\0\0ItgItFIt%I\17\2058\1\0\0\213M\24\205\311\17\204\304\2\0\09\30\17\202\274\2\0\0\213U\34\213Rd\351\250\2\0\0\213M\24\205\311\17\204\246\2\0\09\30\17\202\236\2\0\0\213U\34\213R`\351\212\2\0\0\213M\24\205\311\17\204\210\2\0\09\30\17\202\200\2\0\0\307\1\1\0\0\0\351n\2\0\0\213U\34\213J\4\201\371\2f\0\0t.\201\371\1h\0\0t&\201\371\1f\0\0t\24\201\371\3f\0\0t\14\201\371\11f\0\0\17\205)\377\377\377\203 \03\311\351E\2\0\0\213}\24\205\377t\37\213J@9\10r\30\213\331\301\351\2\215rD\363\245\213\313\203\341\3\363\244\213J@\211\10\353\323\213J@\367\337\33\377\201\347\352\0\0\0\211\10\213\317\351\11\2\0\0\213}\24\205\377\213U\34t\35\213Jx9\10r\26\213\331\301\351\2\215r\34\363\245\213\313\203\341\3\363\244\213Jx\353\277\213Jx\353\301\213M\24\205\311\17\204\306\1\0\09\30\17\202\276\1\0\0\213U\34\213Rh\351\252\1\0\0\203\351\7\17\204\220\1\0\0I\17\204\376\0\0\0I\17\204\217\0\0\0\203\351\12t\12\271\12\0\11\200\351\231\1\0\0\213}\34\213O\4\201\371\2f\0\0\276\1f\0\0t\30;\316t\24\201\371\3f\0\0t\14\201\371\11f\0\0\17\205H\376\377\377\213M\24\205\311\17\204", ) , ) == 0x0
 01020   408   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\215M\374Qj\2\377u\10\377p\20\350.U\0\0\205\300\17\205\237\2\0\0\213E\374\213@x\351\320\3\0\0Q\350\315\376\377\377\351\305\3\0\0\276\10\0\11\200\351\317\3\0\0\213E\34\213P\4\213\312\201\351\5\200\0\0\17\204U\2\0\0\203\351\3\17\204\14\2\0\0It)IS\377u\24\377p\14t\30\377p\24R\350Q\375\377\377;\307\17\204\204\3\0\0\213\360\351\215\3\0\0\3504{\0\0\353\352\366@\34\2\17\205\275\1\0\0\215M\10Q\215M\324Q\377p\14\307E\10\24\0\0\0\377p\24\377p\30\350\24\375\377\377;\307u\307\215E\374P\213E\34j\2V\377p\20\350\200T\0\0;\307\17\205\361\1\0\0\213E\374\213@\14j@_;\307v\177\215E\354P\215E\360P\213E\34\377p\30\350\255\315\377\377\205\300u\211\213E\374\377p\14\377p\20\213E\34\377u\360\377p\30\350\11\321\377\377\205\300\17\205j\377\377\377W\350\354\337\0\0\205\300\211E\370t[\215M\30QP\377u\360\213E\34j\0\377p\30\211}\30\350\216\374\377\377\205\300\17\205=\377\377\3773\311\213U\34\213R(\213E\370\212\24\12\3\3010\20A;\317r\353\211}\30\353a\213M\34\213I,;\301\211M\30r\3\211E\30\377u\30\350\221\337\0\0\205\300\211E\370u\10j\10^\351\216\2\0\0\213E\34\213H,\213p(\213}\370\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213M\3743\3009A\14v\26\213I\20\213U\370\212\14\1\3\3200\12\213M\374@;A\14r\352\215E\350P\215E\364P\213E\34\377p\30\350\315\314\377\377\205\300\17\205\245\376\377\377\377u\30\213E\34\377u\370\377u\364\377p\30\350(\320\377\377\205\300\17\205\211\376\377\377\377u\10\215E\324P\377u", ) , ) == 0x0
 01021   408   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\300u\36\203}`\5u\34\366Ex\20u\26\205\333u\22\3776\377ul\350\352\371\377\377\205\300t\4\213\360\353\23\3663\300\205\366\17\224\3003\3339]D\213\370t 9]Tt\13\377uT\377ul\350\271\312\377\3779]Xt\13\377uX\377ul\350\251\312\377\377;\373u\249]\t\10\377u\\350Q\316\377\377V\377\25\230\21\375\17\213\307_^[\203\305d\311\302\24\0V\213t$\20V\377t$\20\350\304\363\377\377\205\300u%\213\6\203@@\10\213\6\213L$\10\213P@W\2139\211|\2<\213I\4\211L\2@\3776\350\371\326\377\377_^\302\14\0U\213\354\201\354\200\0\0\0SVW3\300\213u\14\211E\374\211E\360\211E\370\211E\364j\14Y\215}\264\363\253\2523\300j\14Y\215}\200\363\253\2523\300\215}\350\253\253\213F\4\277\1h\0\0;\307\272\16f\0\0\273\17f\0\0t/=\2f\0\0t(=\1f\0\0t!=\3f\0\0t\32=\11f\0\0t\23;\302t\17;\303t\13=\20f\0\0\17\205\327\2\0\0\213M\20\213I\4;\317t8\201\371\2f\0\0t0\201\371\1f\0\0t(\201\371\3f\0\0t \201\371\11f\0\0t\30;\312\17\204\254\2\0\0;\313t\14\201\371\20f\0\0\17\205\225\2\0\0;\312\17\204\224\2\0\0;\313\17\204\214\2\0\0\201\371\20f\0\0\17\204\200\2\0\0;\302\17\204x\2\0\0;\303\17\204p\2\0\0=\20f\0\0\17\204e\2\0\0\213]\10j\0VS\350\301\315\377\377\205\300\17\204J\2\0\0j\0\377u\20S\350\256\315\377\377\205\300\17\2047\2\0\0\213E\20\203x\30\0u\16P\350\310\325\377\377\205\300\17\205\15\1\0\0\213F\4;\307t\17=\2", ) , ) == 0x0
 01022   408   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\241\204\364\376\17\211E\204\213E\324\211E\200\215U\320Rj\0\213@\4\301\350\3PQ\377\266\200\1\0\0\350\273\276\377\377\205\300\17\204\\377\377\377\203}\320\0\17\204R\377\377\377\213\7\205\300t%P\350\347\300\0\0\203'\0\213E\234\203 \0\213E\220\3770\350\324\300\0\0\213E\220\203 \0\213E\224\203 \0\377u\234j\0\377u\224j\0\377u\324\3509\301\377\377\205\300\17\204\15\377\377\377\213E\234\3770\350t\300\0\0\211\7\205\300\17\204\224\376\377\377\213E\224\3770\350`\300\0\0\213M\220\211\1\205\300\17\204}\376\377\377\377u\234\3777\377u\224P\377u\324\350\365\300\377\377\205\300\17\204\311\376\377\377\17\266E\30\203\340\1\213M\214\211\1j\0j\1\213E\220\3770\3777\350\345-\0\0\211E\240\205\300uTPP\213E\220\3770\3777\350\320-\0\0\211E\240\205\300u?\366F\3\360u\329E\210\17\224\300P\377u\30\377u\204V\350T\22\0\0\211E\240\205\300u\37\377u\343\3009E\210\17\224\300@P\377u\10\350\344\311\377\377\205\300u\21\377\25\234\21\375\17\213\360\211u\244\203M\374\377\353\11\203M\374\3773\366\211u\3303\300\205\366\17\224\300\213\370\203}\310\0t\17\213E\334\5d\1\0\0P\377\25\214\21\375\17\203}\344\0t\10\377u\344\350\263\277\0\0\203}\324\0t\16\203}\270\0u\16\377u\324\350\237\277\0\0\203}\270\0t\6S\350\223\277\0\0\203}\330\0t\10\377u\330\350\22\275\377\377\205\377u\7V\377\25\230\21\375\17\213\307\350\204`\0\0\302\30\03\300@\303\213e\350jW^\203M\374\377\213]\264\351{\377\377\377\213K\4\201\371\0\244\0\0t\14\201\371\0$\0\0\17\205\254\374\377\377\213C\14\215P\7\301\352\3\203\342", ) , ) == 0x0
 01023   408   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\276\17\0\11\200\353\23\366\213E\370;\307t\21=\1\0\0\200t\12=\2\0\0\200t\3P\377\3239}\374t\10\377u\374\350\376\260\0\0_\213\306^[\311\302\30\0U\213\354SV\213u\10W\213}\20\215^\34S\377u\20\203\347 W\377u\14\377v\4\350\334\310\0\0\213M\20\203\341\10\204\311t~=\26\0\11\200t\13\205\300ul\270\17\0\11\200\353eS\377u\14\350}\310\0\0\205\300uX\215\206\\1\0\0P\215\236<\1\0\0Sj\0\377u\20\377v\4\377v\\350\356\376\377\377=\26\0\11\200u\307\203;\0u,\205\377u\11\350Y\266\0\0\205\300u!\215F\34PW\215F`P\377v\4\307\206P\1\0\0\2\0\0\0\350g\314\0\0\205\300u\23\300_^[]\302\14\0\205\300u\14\307\206P\1\0\0\2\0\0\0\353\347\215\206\\1\0\0P\215\206<\1\0\0Pj\0\377u\20\377v\4\377u\14\350\177\376\377\377\205\300u\307S\377u\14\350\337\307\0\0\353\266U\213\354\203\354\20SVW3\3773\366\366E\20 \211}\364\211}\370\211}\374\211}\360t\1F\215E\14P\215E\360PW\215E\370P\215E\364P\377u\10\377u\14V\350\326\325\0\0;\307u[\215E\374Ph?\0\17\0W\377u\370\377u\364\3501\324\0\0;\307uB\215E\20P\377u\374\350\276\375\377\377\203}\20\1u\25V\377u\374hP\364\376\17\377u\10\350\1O\0\0;\307u\33\377u\370\377u\364\350\320\324\0\0;\307t\20\203\370\2u\7\273\26\0\11\200\353\6\213\330\353\23\333\213E\364;\307\2135\214\20\375\17t\21=\1\0\0\200t\12=\2\0\0\200t\3P\377\3269}\374t\5\377u\374\377\3269}\370t\10\377u\370\3507\257\0", ) , ) == 0x0
 01024   408   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\204\16\1\0\0\213\306+\326\212\10\210\14\2@:\313u\366\377u\364\2135\344\21\375\17\377\326Y\215E\314P\215E\344P\215E\340P\215E\334P\215E\330P\215E\324P\215E\20P\215E\354PSSS\377u\370\377\25\230\20\375\17;\303\17\205\274\0\0\0\213E\20\203\300\2P\350\235\240\0\0\211E\374\213E\20\203\300\2P\350\216\240\0\09]\374\211E\360\17\204\231\0\0\0;\303\17\204\221\0\0\09]\354\211]\14vT\213E\20\203\300\2\211E\350\215E\314PSSS\215E\350P\377u\374\377u\14\377u\370\377\25\224\20\375\17;\303u^\377u\374\377u\360\377\25t\21\375\17\377u\374\377\326Y\377u\364\377u\374\377\25d\21\375\17\205\300t\17\377E\14\213E\14;E\354r\2543\366\3534\215\267D\1\0\0\3776\350=\240\0\0S\377u\24\211\36\377u\360W\350'\366\377\377;\303u\15W\377u\10\350\350\373\377\377;\303t\317\213\360\353\3j\10^9]\370t\11\377u\370\377\25\214\20\375\179]\364t\10\377u\364\350\373\237\0\09]\374t\10\377u\374\350\356\237\0\09]\360t\10\377u\360\350\341\237\0\0_\213\306^[\311\302\20\0U\213\354\203\354\34S3\333V\211]\374\350C\244\0\0\367E\14\207\377\377\17t\12\276\11\0\11\200\351\317\3\0\0\213E\14\276\0\0\0\360#\306;\306W\213}\10\211E\370u\23\205\377t\17\200?\0t\12\276\11\0\11\200\351\246\3\0\0j\4\377u\24\377\25\\21\375\17\205\300t\10jW^\351\217\3\0\0\205\377t+\200?\0t+\213\307\215P\1\212\10@\204\311u\371+\302@\366E\14\10tj=\5\1\0\0vc\276\37\0\11\200\351`\3\0\09u\370tuj@^V\350\7\237\0", ) , ) == 0x0
 01025   408   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\375\173\333C\211]\330\213E\30\211E\274\215E\274P\215E\270P\215E\264P\350\215\202\0\0\205\300u\14\307E\300 \0\11\200\351\250\1\0\0\377u\264\350\305\220\0\0\211E\344\205\300u\14\307E\300\10\0\0\0\351\215\1\0\0\211]\334\377u\270\350\247\220\0\0\213\370\211}\340\205\377t\340\215\206`\1\0\0\2038\377t\20\211E\310\307E\314\277\303\375\17\215E\310\211E\324h\1\0\1\0\377u\30W\377u\344\377u\324\350\177~\0\0\205\300t\222SSW\377u\344\350'\376\377\377\211E\260\205\300\17\205-\1\0\0SPW\377u\344\350\21\376\377\377\211E\260\205\300\17\205\27\1\0\09E\20u2\215~@\211}\254\215\2368\1\0\0\211]\250\215F(\211E\244\215\2064\1\0\0\211E\240\215FH\211E\234\307E\230\1\0\0\0\241T\364\376\17\353-\215~L\211}\254\215\2360\1\0\0\211]\250\215F0\211E\244\215\206,\1\0\0\211E\240\215FT\211E\234\203e\230\0\241X\364\376\17\211E\224\213\7\205\300t\15P\350\374\217\0\0\3773\350\365\217\0\0\203e\334\0\213E\270\213M\240\211\1\213E\264\213M\244\211\1\213E\340\211\3\213E\344\211\7\17\266E\14\203\340\1\213M\234\211\1\366F\3\360u\26\377u\230\377u\14\377u\224V\350\361\341\377\377\211E\260\205\300uW\213}\24W\203}\20\0u\36j\2\377u\10\350\202\231\377\377\205\300u\10\377\25\234\21\375\17\3537\215E\320Pj\3\353\24j\1\377u\10\350d\231\377\377\205\300t\342\215E\320Pj\4\377u\10\3777\350|\3\0\0\211E\260\205\300t\23= \0\11\200u\3\203\300\343\211E\300\203M\374\377\3536\270\0@\0\0\205E\14t\15\213M\320\11A\10\213E\320\200Hi\1", ) , ) == 0x0
 01026   408   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "h\3\0\0V\350\362\200\0\0\213\370\205\377\211{\30u\10j\10X\3518\2\0\0\271\332\0\0\03\300\363\253\211s\24\213E\20\213{\30j\24Y;\301\17\2058\1\0\0\213u\24\213F\14\211\207d\3\0\0\213\6\203\350\0\17\204\244\0\0\0Ht\12\270\5\0\11\200\351\367\1\0\0\213F\10\250\7u\357\215M\374Qj\0\301\350\3P\377v\4\213E\10\377\260\200\1\0\0\350d~\377\377\205\300u\12\270\11\0\11\200\351\307\1\0\0\213F\4-\1f\0\0t\33Ht\30Ht\25\203\350\6t\20-\370\1\0\0u\252\203\247\\3\0\0\0\353\12\307\207\\3\0\0\10\0\0\0\201{\4\5L\0\0u\25\213F\10\301\350\3;C\14t\12\270\3\0\11\200\351z\1\0\0\213F\10\301\350\3\211\207P\3\0\0\213F\4\211\207H\3\0\0\351^\1\0\0\213F\4-\3\200\0\0t9H\17\205N\377\377\377\201{\4\4L\0\0u\24\211\217X\3\0\0\213F\10\301\350\3\211\207T\3\0\0\353A\201~\10\240\0\0\0\17\205$\377\377\377\211\217T\3\0\0\353,\201{\4\4L\0\0u\14\307\207X\3\0\0\20\0\0\0\353\310\201~\10\200\0\0\0\17\205\372\376\377\377\307\207T\3\0\0\20\0\0\0\213F\4\211\207L\3\0\0\351\341\0\0\0\203\350\25\17\204\253\0\0\0H\17\204\205\0\0\0\203\350\4t?Ht\12\270\12\0\11\200\351\301\0\0\0\213E\24\213\10\201\371\0\1\0\0\17\207\257\376\377\377\213[\4\201\373\4L\0\0t\10\201\373\5L\0\0u\322\211\217D\3\0\0\201\307D\2\0\0\353z\201{\4\4L\0\0u\273\213\207<\2\0\0\205\300t\6P\350O\177\0\0\213u\24\213\6P\211\207@\2\0\0\350\16\177\0\0\205\300\211\207<\2", ) , ) == 0x0
 01027   408   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\10\377u\354\377u\374\3770\350\352\370\377\377\205\300t\4\213\360\353\36\213M\350\213E\34\213u\364\213}\30\211\10\213\301\301\351\2\363\245\213\310\203\341\3\363\2443\366\377u\374\350\360p\0\0\203}\364\0t\10\377u\364\350\342p\0\0_\213\306^[\311\302\30\0U\213\354\203\354\20\213E\10\213@\14\203e\374\0SV\213u\20\213\16\211E\370\213\200,\3\0\0\215D\10\5P\211E\364\350|p\0\0\213\330\205\333u\10j\10^\351\245\0\0\0\213U\20\306\3\1f\307C\1sl\213\16\213u\14\213\301W\301\351\2\215{\3\363\245\213\310\203\341\3\363\244\213\2f\307D\30\3sl\213E\370\213\22\213\210,\3\0\0\215|\32\5\213\321\301\351\2\215\260,\2\0\0\363\245\213\312\203\341\3j\1\363\244\215M\360Q\215M\374Q\377p\10\213E\10\377u\364S\3770\350\0\370\377\377\205\300t\4\213\360\353\36\213M\360\213E\20\213u\374\213}\14\211\10\213\301\301\351\2\363\245\213\310\203\341\3\363\2443\366S\350\10p\0\0\203}\374\0_t\10\377u\374\350\371o\0\0\213\306^[\311\302\14\0U\213\354\203\354`SVW3\300j\6Y\215}\310\363\253\213E\20\213X\14\213M\143\366\270\3L\0\0+\310\211u\374\211u\360\211u\344\211u\350t!\203\351\4t\12\276\10\0\11\200\351c\1\0\0\213C\14\211E\370\213C\4\307E\360\1\0\0\0\353\6\213K\20\211M\370\213K\24\211E\364\213E\3703\322\215D\1\377\367\361\203\370\2\211E\354v\12\276 \0\11\200\351(\1\0\03\3009E\354v-\215x\1\215E\340P\215D5\240P\377u\360\377u\24W\377u\20\350\341\373\377\377\205\300\17\205\351\0\0\0\3u\340\213\307;E\354r\323\201}\14\7L\0\0u", ) , ) == 0x0
 01028   408   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\253\2533\3339]\24\253j\20_\211]\374\211}\354\211]\364t\1C\213u\10\215E\374P\377v\\3506\377\377\377\205\300t\4\213\360\353W\203}\20\2\213\206T\1\0\0\213H\4\213U\14u\33\203}\30\0t\5\213RH\353\3\213RD\215u\354WV\215p\30\203\300\10\353\31\203}\30\0t\5\213RP\353\3\213RL\215u\354WV\215p8\203\300(\377u\374\211U\370\213\21VPSQ\377R@3\366\203}\374\0t\10\377u\374\350\231`\0\0_\213\306^[\311\302\24\0U\213\354\201\354\210\1\0\0VWjb3\300Y\215\275x\376\377\377\363\253\213E\10\211\205\324\376\377\377\213E\20jP\211E\264\3502`\0\0\213\370\205\377\211}\314u\5j\10^\353WW\350j\373\377\377\205\300u\7\276 \0\11\200\353@\215\205x\376\377\377P\350\252\373\377\377\205\300u.P\377u\24\215\205x\376\377\377j\2\377u\14P\350\343\376\377\377\205\300u\25P\377u\24\215\205x\376\377\377j\1\377u\14P\350\312\376\377\377\213\360W\350\337\372\377\377_\213\306^\311\302\20\0U\213\354\203\354(\213E\10S\213X\4V\213p\10W\213}\14+x\14\213@\20\271\0\0\375\17+\371\301\377\2\3\361\213\26\3\331\215\204\270\0\0\375\17\213\10\205\311x\10\215\201\2\0\375\17\353\3\17\267\0\205\322\211E\374u^S\377\25l\21\375\17\213\370\205\377\211}\10t\j\0WV\377\25H\21\375\17\213\360\205\366u+j\10Y\215}\334\363\253\213E\10\211E\360\241\304\364\376\17\205\300\307E\330$\0\0\0\211]\344t\24\215M\330Qj\5\377\320\353\12W\377\25x\21\375\17\211u\10\203}\10\0t\21\213U\10\377u\374R\377\25p\21\375\17\205\300u\11\377u\374S\350\370\236", ) , ) == 0x0
 01029   408   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "3\3073\367\301\306\22\213\3763\360\201\346\17\0\360\3773\3763\306\301\307\14\213\3673\370\201\347\360\360\360\3603\3673\307\301\310\4\211\2\211r\4]_^[\302\20\0\213Ex3\333\213U|3\3063\326%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\375\213\2518N\375\173\375\212\316\301\350\20\213\2538M\375\173\375\212\334\301\352\20\213\2518O\375\173\375\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\373\213\2318S\375\173\373\213\2308P\375\173\373\213\2328Q\375\173\373\213Ep3\333\213Ut3\3073\327%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\365\213\2518N\375\173\365\212\316\301\350\20\213\2538M\375\173\365\212\334\301\352\20\213\2518O\375\173\365\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\363\213\2318S\375\173\363\213\2308P\375\173\363\213\2328Q\375\173\363\213Eh3\333\213Ul3\3063\326%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\375\213\2518N\375\173\375\212\316\301\350\20\213\2538M\375\173\375\212\334\301\352\20\213\2518O\375\173\375\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\373\213\2318S\375\173\373\213\2308P\375\173\373\213\2328Q\375\173\373\213E`3\333\213Ud3\3073\327%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\365\213\2518N\375\173\365\212\316\301\350\20\213\2538M\375\173\365\212\334\301\352\20\213\2518O\375\173\365\213l$\34", ) , ) == 0x0
 01030   408   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10\213l$\34\211t$ \213\302\213\361\203\340?\203\346?f\213DE\0f\213tu\0+\370+\326\213\303\213\367\203\340?\203\346?f\213DE\0f\213tu\0+\310+\336\213t$ f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320", ) , ) == 0x0
 01031   408   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\301\356\30\212\236\3207\375\17\17\266\362\210X\3\212\236\3207\375\17\210X\4\17\266\315\212\211\3207\375\17\210H\5\213L$\34\301\351\20\17\266\311\212\211\3207\375\17\210H\6\213L$\30\301\351\30\212\211\3207\375\17\210H\7\213L$\30\211T$\24\17\266\361\212\236\3207\375\17\210X\10\17\266\326\212\222\3207\375\17\210P\11\17\266T$\22\212\222\3207\375\17\210P\12\17\266T$\37\212\222\3207\375\17\213\30\210P\13\17\266T$\34\212\222\3207\375\17\213p\4\210P\14\17\266\315\212\221\3207\375\17\17\266L$\26\210P\15\212\221\3207\375\17\17\266L$\23\210P\16\212\221\3207\375\17\210P\17\213\173\331\211\30\213W\43\362\213P\10\211p\4\213O\103\321\211P\10\213W\14\213H\14_^3\312]\211H\14[\203\304\20\302\20\0\213D$\20\213T$\4\203\370\1\213D$\14\213\10Qu\22\203\300\4P\213D$\20RP\350\275\370\377\377\302\20\0\5\364\0\0\0P\213D$\20RP\350I\374\377\377\302\20\0\220\220\220\220\220\220\213D$\10S\213\$\20VW\213|$\20S\215w\4VP\211\37\350\224\365\377\377\215\207\364\0\0\0S\213\370\271<\0\0\0P\363\245\350n\367\377\377_^[\302\14\0\220\220\220\220\220\220\220\220S3\3223\311V\213D$\24\213t$\14W\213\370\213\$\24U\212\216\0\1\0\0\213\353\212\226\1\1\0\0\205\333\17\204\17\1\0\0\301\353\2\203\340\3\205\333\17\204\326\0\0\0\205\300\17\205\316\0\0\0\213\307\215<\237\211|$\34\203\350\4\213\353\213x\4A3\300\201\341\377\0\0\0\212\4\16\3\320\201\342\377\0\0\0\212\34\26\210\34\16A\210\4\26\2\303\212\4\63\370\201\341\377\0\0\03\300\212\4\16\3\320\201\342\377", ) , ) == 0x0
 01032   408   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\215\4k\215\4\205\14\0\0\0=\0\2\0\0v$Pj\0\377\25<\21\375\17\205\300\211D$,u\15_^][\201\304$\2\0\0\302\24\0\211D$ \353\10\215L$4\211L$ \213T$ \215\14\255\0\0\0\0\215<\21\211|$\30\203\307\4\215\49\215P\4\211T$(\213\321\301\351\2\363\245\213\312\203\341\3\363\244\213\264$8\2\0\0\213|$(\307\0\0\0\0\0\211D$0\215\4\235\0\0\0\0\213\310\213\321\301\351\2\363\245\213\312\203\341\3\363\244\213t$(+\335\307\40\0\0\0\0\211\$\34\17\2108\1\0\0\215\4\235\0\0\0\0\215\140\211L$$\213L$\30\203\301\4+\301\3\306\3\335\215\14\236\211D$\20\211L$\24\353\7\213L$\24\215I\0\203\375\1\213\264$<\2\0\0v\6\213D\256\370\353\23\300\213T\256\374P\213A\374\213\11RPQ\350\352\375\377\377\205\300u\5\270\1\0\0\0\213\$ UVPS\350T\26\0\0\213T$\30\211\2\205\355\213\375|\35\213t$$\213D$\30+\363\213\14\6\213\20;\321wbr\10O\203\350\4\205\377}\355\213|$$\215E\1PSWW\350\177\371\377\377\205\355\213\365|\34\213D$0\220\213L$\20\213\14\1\213\20;\312w\12rFN\203\350\4\205\366}\351\213\$\34\213t$\24\213D$\20\271\4\0\0\0C\3\361\3\371\3\301\211\$\34\211t$\24\211D$\20\353\35\215E\1P\213D$\34\203\300\4PSS\350$\371\377\377\351m\377\377\377\271\4\0\0\0\213D$\34\213\$\24\213T$\20H+\331+\371+\321\205\300\211D$\34\211\$\24\211|$$\211T$\20\17\215\364\376\377\377\213t$(\213\234$@\2\0\0\215\24\255\0\0\0\0\213", ) , ) == 0x0
 01033   408   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "L$$\215\14\301\211T$,\213T$t\211L$\24\215\14\201\211U\0\213D$pPU\211L$ \213L$lVQ\350\337\373\377\377\205\300u\33S\377\25|\21\375\17_^]3\300[\203\304P\302\24\0\353\6\215\233\0\0\0\0\213T$p\213D$dRUWP\350\257\373\377\377\205\300t\320\213L$\20QWV\350/\355\377\377\205\300t\333\213T$\20RWV\350\37\355\377\377\203\370\1t,\213D$\203\311\205\300v"3\300\213\24\206\211T$d\213\24\207\211\24\206\213T$dA\211\24\207\213T$\20\17\267\301;\302r\340\213D$\20\213L$ PWVQ\350-\355\377\377\213T$\20Rj\1S\350\240\352\377\377\213D$\20\213L$\30PSWQ\350\363\351\377\377\213T$\20\213D$\24RSVP\350\342\351\377\377\213L$\20\213T$\30\213D$\24QRPS\350\351\354\377\377\213L$\20\213D$$\215\24\11\213L$\34RSUPQP\350_\366\377\377\205\300\17\204\14\377\377\377\213D$\20\213L$\34P\215\24\0\213D$\30R\213T$0PQRS\350\11\361\377\377\213D$\20\213L$\30\213T$\34P\3\300P\213D$4QRPS\350\354\360\377\377\213L$\20\213T$0\213D$$QWVRPS\350\5\366\377\377\205\300S\17\204\262\376\377\377\213L$\24\213t$$\213|$8\3\311\363\245\213L$\24\213D$t\215\24\315\0\0\0\0\213L$l\211Q\4\3\300\213\320\211A\10\307\1RSA1\301\352\3J\211Q\14\213u\0\211q\20\213L$p\211A\10\211Q\14\213E\0\211A\20\377\25|\21\375\17\270\1\0\0\0_^][\203\304P\302\24\0\220\220\220\220\220\220\220\213D$\4\2018RS", ) 3\300\213\24\206\211T$d\213\24\207\211\24\206\213T$dA\211\24\207\213T$\20\17\267\301;\302r\340\213D$\20\213L$ PWVQ\350-\355\377\377\213T$\20Rj\1S\350\240\352\377\377\213D$\20\213L$\30PSWQ\350\363\351\377\377\213T$\20\213D$\24RSVP\350\342\351\377\377\213L$\20\213T$\30\213D$\24QRPS\350\351\354\377\377\213L$\20\213D$$\215\24\11\213L$\34RSUPQP\350_\366\377\377\205\300\17\204\14\377\377\377\213D$\20\213L$\34P\215\24\0\213D$\30R\213T$0PQRS\350\11\361\377\377\213D$\20\213L$\30\213T$\34P\3\300P\213D$4QRPS\350\354\360\377\377\213L$\20\213T$0\213D$$QWVRPS\350\5\366\377\377\205\300S\17\204\262\376\377\377\213L$\24\213t$$\213|$8\3\311\363\245\213L$\24\213D$t\215\24\315\0\0\0\0\213L$l\211Q\4\3\300\213\320\211A\10\307\1RSA1\301\352\3J\211Q\14\213u\0\211q\20\213L$p\211A\10\211Q\14\213E\0\211A\20\377\25|\21\375\17\270\1\0\0\0_^][\203\304P\302\24\0\220\220\220\220\220\220\220\213D$\4\2018RS", ) == 0x0
 01034   408   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\337\377\377\205\300\17\204\262\0\0\0\213\224$P\1\0\0VSRWU\350\260\373\377\377\205\300\17\204\231\0\0\0\213D$\20VUPW\350\237\332\377\377\205\300t\33\215\244$\0\0\0\0\213\214$D\1\0\0VQWW\350@\332\377\377\205\300t\354\213\224$T\1\0\0\213\234$<\1\0\0VRWS\350\205\335\377\377\213D$\34VHP\213\204$L\1\0\0WPS\350\337\336\377\377\205\300t<\213\214$H\1\0\0VQWS\350[\335\377\377\213L$ \215<)\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213D$\34PUSS\350\327\331\377\377\307D$\24\1\0\0\0\213L$$\213|$\20\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213D$\30\205\300][t\7P\377\25|\21\375\17\213D$\14_^\201\304(\1\0\0\302 \0\220\220\220\220\220\220\220\377t$\4j\10\377\254\21\375\17P\377\258\21\375\17\302\4\0\377t$\10\377t$\10j\10\377\254\21\375\17P\377\250\21\375\17\302\10\0\203|$\4\0t\23\377t$\4j\10\377\254\21\375\17P\377\25\324\20\375\17\302\4\0U\213\354Q\203e\374\0V\215E\374Pj\1\377u\10\377\25\320\20\375\17P\377\25@\20\375\17\205\300u+\2135\234\21\375\17\377\326=\360\3\0\0u&\215E\374P\377u\10\377\25\314\20\375\17P\377\25D\20\375\17\205\300u\4\377\326\353\12\213E\14\213M\374\211\103\300^\311\302\10\0U\213\354SV\2135\340\362\376\17Wj\123\333_\353$\377\25\234\21\375\17\213\310\201\351\265\6\0\0t:\203\351\6u:\203\373\5s)W\377\25\240\21\375\17\3\377C\377u \377u\34\377u\30\377u\24\377u\20\377u\14\377u\10\377\326", ) , ) == 0x0
 01035   408   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\374\215\4@\215\4\3058\0\0\09\1s\12jz\211\1X\351\275\0\0\0SW\213=\260\21\375\17j\1ht]\375\17\377u\14\377\327\213\330\212\6\203\304\14\204\300u88F\1u3\17\266F\2\17\266N\3\301\340\10\3\301\17\266N\4\301\340\10\3\301\17\266N\5\301\340\10\3\301P\213E\14\215\4Xhl]\375\17P\377\327\203\304\14\353.\17\266N\5Q\17\266N\4Q\17\266N\3Q\17\266N\2Q\17\266N\1\17\266\300QP\213E\14\215\4Xh(]\375\17P\377\327\203\304 3\366\3\3309u\374v%V\377u\10\377\25\20\20\375\17\3770\213E\14\215\4Xh\30]\375\17P\377\327\203\304\14\3\330F;u\374r\333\213E\20C\211\30_3\300[^\311\302\14\0U\213\354Q\213E\20\203 \0\203e\374\0V\215E\374Pj\10\350T\360\377\377\205\300t\4\213\360\353b\213u\14S\213\35\34\20\375\17W\213}\10V\3776\3777j\1\377u\374\377\323\205\300u@\377\25\234\21\375\17\203\370zt\4\213\360\3533\3776\350\313\357\377\377\205\300\211\7u\5j\10^\353!\213M\203\300V@\211\1\3776\3777P\377u\374\377\323\205\300u\10\377\25\234\21\375\17\353\3133\366_[\203}\374\0t\11\377u\374\377\25\340\20\375\17\213\306^\311\302\14\0U\213\354\201\354\14\1\0\0\203e\374\0V\215\205\364\376\377\377\211E\370W\215E\374P\215E\364P\215E\370P\307E\364\0\1\0\0\3506\377\377\377\205\300\213u\370u\15\377u\14\377u\10\3776\350\3\375\377\377\203}\374\0\213\370t\12\205\366t\6V\350a\357\377\377\213\307_^\311\302\10\0U\213\354\201\354\14\1\0\0\203e\374\0V\215\205\364\376\377\377\211E\370W\215E\374P\215E\364P\215", ) , ) == 0x0
 01036   408   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\2S\377\326\213\370;\373u\12\377\25\234\21\375\17\213\360\353p\215D?\2P\350\336\340\377\377;\303\211Elu\5j\10^\353MWPj\377\377u|j\2S\377\326\205\300u\10\377\25\234\21\375\17\353/\377ul\377ux\350\23\370\377\377\205\300t$\215E\314P\377u|\350-\346\377\377;\303u\20\215E\314P\377ux\350\363\367\377\377;\303t\4\213\360\353\23\3669]lt\10\377ul\350\250\340\377\377_\213\306^[\203\305p\311\302\10\0U\215l$\224\201\354\254\0\0\0\203Md\377VW\215EhP\215E`P3\377W\377u|\211}h\377ut\211}`3\366\350\300\361\377\377;\307uG\377ux\377uh\350\363\376\377\377\205\300t?9}|t=\377uh\350M\340\377\377\215EhP\215E`PFV\377u|\211}h\377ut\350\210\361\377\377;\307u\17\377ux\377uh\350\273\376\377\377;\307t\12\213\360\351\204\0\0\03\366FSj(Y3\300\215}\300\363\253\215EdP\215E\300P\377ux\377uh\350e\365\377\377\213\35\340\20\375\17\3537\377ud\377\323\203Md\377\215E\300P\377uh\350\21\367\377\377\205\300u4j(Y\215}\300\363\253\215EdP\215E\300P\377ux3\366\377uhF\350&\365\377\377\205\300t\305\367\336\33\366\201\346\352\377\366\177\201\306\26\0\11\200\353\2\213\360\203}d\377t\5\377ud\377\323[\203}h\0t\10\377uh\350\211\337\377\377_\213\306^\203\305l\311\302\14\0U\213\354Q\203M\374\377VW\215E\374P\377u\14\377u\20h\0\0\0\200\377u\10\350\1\364\377\3773\366;\306t\17\203\370\2u"\277\26\0\11\200\351\307\0\0\0V\377u\374\377\25\364\20\375\17\203\370\377\211E\20", ) \277\26\0\11\200\351\307\0\0\0V\377u\374\377\25\364\20\375\17\203\370\377\211E\20", ) == 0x0
 01037   408   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\300^_\311\302\4\0\377\25\234\21\375\17\353\362U\213\354\203\354 V\213u\10\215E\350P\215E\364PV\377\25\10\20\375\17\205\300u\13\377\25\234\21\375\17\351\252\0\0\0SV\377\25\300\20\375\17P\211E\10\350\264\320\377\377\205\300\213]\14\211\3u\10j\10X\351\207\0\0\0\366E\365\200\17\204\203\0\0\0\213M\10W\213\370\213\301\301\351\2\363\245\213\310\203\341\3\363\244_\215E\344P\215E\374P\215E\360P\3773\377\25\274\20\375\17\205\300tf3\3669u\360t\219u\374t\14\377u\374\350\344\376\377\377;\306u8\215E\340P\215E\370P\215E\354P\3773\377\25\270\20\375\17\205\300t69u\354t\219u\370t\14\377u\370\350\266\376\377\377;\306u\12\213E\20\213M\10\211\103\300[^\311\302\14\0\215M\10QPV\377\25\264\20\375\17\205\300u\202\377\25\234\21\375\17\353\342U\213\354\203\354\20VW\215E\30P\215E\3743\377P\377u\30\211}\374\211}\364\211}\370\211}\360\350\353\376\377\377;\307u\30\215E\370P\215E\360PW\377u\20\377u\14\350C\341\377\377;\307t\4\213\360\353\177\213u\370SV\350\246\20\0\0\377u\10\213\330\321\343\350\232\20\0\0\321\340Y\211E\30Y\215D\30\2P\350\221\317\377\377;\307\211E\364u\5j\10^\353K\213\313\213\321\301\351\2\377u\374\213\370\363\245\377u\24\213\312\203\341\3\363\244\213M\30\213u\10\203\301\2\213\321\301\351\2\215<\3\363\245\213\312\203\341\3P\363\244\377\25\4\20\375\17\205\300u\12\377\25\234\21\375\17\213\360\353\23\3663\377[9}\374t\10\377u\374\350\\317\377\3779}\370t\10\377u\370\350O\317\377\3779}\364t\10\377u\364\350B\317\377\377_\213\306^\311\302\24\0U\213", ) , ) == 0x0
 01038   408   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\311\302\30\0\213D$\4\353\11;L$\10t\13\203\300X\213\10\205\311u\3613\300\302\10\0\377t$\10\377t$\10\350\331\377\377\377\213L$\14\205\311t\2\211\13\311\205\300\17\225\301\213\301\302\14\0\213D$\20\205\300u\21\377t$\10\377t$\10\350\256\377\377\377\205\300t\23\213L$\149H\10w\129H\14r\53\300@\353\23\300\302\20\0\213T$\20\213D$\14\203"\0\205\300u\21\377t$\10\377t$\10\350v\377\377\377\205\300t\10\213@\4\211\23\300@\302\20\0\270\370\362\376\17\351\0\0\0\0QRPh\334\277\376\17\350\203`\377\377ZY\377\340\270\364\362\376\17\351\345\377\377\377\270\374\362\376\17\351\333\377\377\377\270\354\362\376\17\351\0\0\0\0QRPh\374\277\376\17\350T`\377\377ZY\377\340\377%\354\362\376\17\314\377%D\21\375\17\314\314\314\314\314\314\314\314SV\213D$\30\13\300u\30\213L$\24\213D$\203\322\367\361\213\330\213D$\14\367\361\213\323\353A\213\310\213\$\24\213T$\20\213D$\14\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\360\367d$\30\213\310\213D$\24\367\346\3\321r\16;T$\20w\10r\7;D$\14v\1N3\322\213\306^[\302\20\0\314\314\314\314\314\314\314\314S\213D$\24\13\300u\30\213L$\20\213D$\143\322\367\361\213D$\10\367\361\213\3023\322\353P\213\310\213\$\20\213T$\14\213D$\10\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\310\367d$\24\221\367d$\20\3\321r\16;T$\14w\10r\16;D$\10v\10+D$\20\33T$\24+D$\10\33T$\14\367\332\367\330\203\332\0[\302\20\0\314\377%\334\21\375\17\377%\330\21\375\17\377%\300\21\375\17", ) \0\205\300u\21\377t$\10\377t$\10\350v\377\377\377\205\300t\10\213@\4\211\23\300@\302\20\0\270\370\362\376\17\351\0\0\0\0QRPh\334\277\376\17\350\203`\377\377ZY\377\340\270\364\362\376\17\351\345\377\377\377\270\374\362\376\17\351\333\377\377\377\270\354\362\376\17\351\0\0\0\0QRPh\374\277\376\17\350T`\377\377ZY\377\340\377%\354\362\376\17\314\377%D\21\375\17\314\314\314\314\314\314\314\314SV\213D$\30\13\300u\30\213L$\24\213D$\203\322\367\361\213\330\213D$\14\367\361\213\323\353A\213\310\213\$\24\213T$\20\213D$\14\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\360\367d$\30\213\310\213D$\24\367\346\3\321r\16;T$\20w\10r\7;D$\14v\1N3\322\213\306^[\302\20\0\314\314\314\314\314\314\314\314S\213D$\24\13\300u\30\213L$\20\213D$\143\322\367\361\213D$\10\367\361\213\3023\322\353P\213\310\213\$\20\213T$\14\213D$\10\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\310\367d$\24\221\367d$\20\3\321r\16;T$\14w\10r\16;D$\10v\10+D$\20\33T$\24+D$\10\33T$\14\367\332\367\330\203\332\0[\302\20\0\314\377%\334\21\375\17\377%\330\21\375\17\377%\300\21\375\17", ) == 0x0
 01039   408   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\343\316\1\0\365\316\1\0\7\317\1\0\0\0\1\0\2\0\3\0\4\0\5\0\6\0\7\0\10\0\11\0\12\0\13\0\14\0\15\0\16\0\17\0\20\0\21\0\22\0\23\0\24\0\25\0\26\0\27\0\30\0\31\0\32\0RSAENH.dll\0CPAcquireContext\0CPCreateHash\0CPDecrypt\0CPDeriveKey\0CPDestroyHash\0CPDestroyKey\0CPDuplicateHash\0CPDuplicateKey\0CPEncrypt\0CPExportKey\0CPGenKey\0CPGenRandom\0CPGetHashParam\0CPGetKeyParam\0CPGetProvParam\0CPGetUserKey\0CPHashData\0CPHashSessionKey\0CPImportKey\0CPReleaseContext\0CPSetHashParam\0CPSetKeyParam\0CPSetProvParam\0CPSignHash\0CPVerifySignature\0DllRegisterServer\0DllUnregisterServer\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01040   408   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2f\0\0\200\0\0\0(\0\0\0\200\0\0\0\0\0\0\0\4\0\0\0RC2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0RSA Data Security's RC2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1h\0\0\200\0\0\0(\0\0\0\200\0\0\0\0\0\0\0\4\0\0\0RC4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0RSA Data Security's RC4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1f\0\08\0\0\08\0\0\08\0\0\0\0\0\0\0\4\0\0\0DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\37\0\0\0Data Encryption Standard (DES)\0\0\0\0\0\0\0\0\0\0\11f\0\0p\0\0\0p\0\0\0p\0\0\0\0\0\0\0\15\0\0\03DES TWO KEY\0\0\0\0\0\0\0\0\23\0\0\0Two Key Triple DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3f\0\0\250\0\0\0\250\0\0\0\250\0\0\0\0\0\0\0\5\0\0\03DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\25\0\0\0Three Key Triple DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\200\0\0\240\0\0\0", ) , ) == 0x0
 01041   408   NtReadFile  (112, 0, 0, 0, 2916, 0x0, 0, ... {status=0x0, info=2916},  (112, 0, 0, 0, 2916, 0x0, 0, ... {status=0x0, info=2916}, "\0\0\0\0\5L\0\0(\0\0\0(\0\0\0\300\0\0\0\2\0\0\0\14\0\0\0SSL2 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0SSL2 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1L\0\0\200\1\0\0\200\1\0\0\200\1\0\0\4\0\0\0\14\0\0\0SSL3 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0SSL3 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\6L\0\0\200\1\0\0\200\1\0\0\200\1\0\0\10\0\0\0\14\0\0\0TLS1 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0TLS1 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\20\0\0\0SCH MASTER HASH\0\0\0\0\0\25\0\0\0SChannel Master Hash\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\14\0\0\0SCH MAC KEY\0\0\0\0\0\0\0\0\0\21\0\0\0SChannel MAC Key\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\7L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\14\0\0\0SCH ENC KEY\0\0\0\0\0\0\0\0\0\30\0\0\0SChannel", ) , ) == 0x0
 01042   408   NtQueryInformationFile  (112, 1237600, 8, Position, ... {status=0x0, info=8}, ) == 0x0
 01043   408   NtSetInformationFile  (112, 1237600, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01044   408   NtQueryInformationFile  (112, 1237600, 8, Position, ... {status=0x0, info=8}, ) == 0x0
 01045   408   NtSetInformationFile  (112, 1237600, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01046   408   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\07\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0o\0p\0e\0n\0 \0s\0i\0g\0n\0a\0t\0u\0r\0e\0 \0f\0i\0l\0e\0?\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0g\0e\0t\0 \0t\0h\0e\0 \0s\0i\0z\0e\0 \0o\0f\0 \0R\0s\0a\0b\0a\0s\0e\0.\0s\0i\0g\03\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0a\0l\0l\0o\0c\0a\0t\0e\0 \0m\0e\0m\0o\0r\0y\04\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0R\0e\0a\0d\0 \0R\0s\0a\0b\0a\0s\0e\0.\0s\0i\0g\05\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0", ) , ) == 0x0
 01047   408   NtReadFile  (112, 0, 0, 0, 1192, 0x0, 0, ... {status=0x0, info=1192},  (112, 0, 0, 0, 1192, 0x0, 0, ... {status=0x0, info=1192}, "\31\16>W>q>\251>\276>\217?\0\0\0\220\1\0|\0\0\0 0)0J0T0\2120\2360\3070\3460\253182a2\2342\2432\2532\3112\3642\273\2353\2433_4m4\2704\3054\3664+595Q5^5\2045\2165\2505*646\3606\107F7\258 8=8P8d:m:\263<\275<\10=H=`=\220=\210>>?L?q?~?\217?\233?\354?\373?\0\0\0\240\1\0\210\0\0\0\120!0D0}0\2371\3711#2\3512\6333\2043\2353\3333\104V4d4\3264\3514'575v5\2265\3316\3666\67\377e7o7\2117\3457\3677*8\2248\3338!:\177:\251:\270;\276;\325;\344;\356;%<-B>L>\0?\12?\341?\374?\0\260\1\0\10\1\0\0\3240\3500\201\331?1I1\2571\2731\3021\3661'2\2732\3052V3h3n3z3\2273\2563\2643\3253\3663\27484Y4z4\2334\2744\3354\3764\375@5a5\2025\2435\3045\3455\26\376<6Y6o6\1776\2136\2276\2356\2436\2516\2576\2656\2736\3016\3076\3156\3236\3316\3376\3456\3536\3616\3676\3756\37\117\177\257\337"7-7>7I7\2527\38\238&858z8\2538\3428\3608\49\219$939E9c9+:\201:\313:\200;\216;\227;", ) 7-7>7I7\2527\38\238&858z8\2538\3428\3608\49\219$939E9c9+:\201:\313:\200;\216;\227;", ) == 0x0
 01048   408   NtUnmapViewOfSection  (-1, 0x8e0000, ... ) == 0x0
 01049   408   NtClose  (104, ... ) == 0x0
 01050   408   NtClose  (112, ... ) == 0x0
 01051   408   NtOpenKey  (0x20119, {24, 28, 0x40, 0, 0,  (0x20119, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography"}, ... 112, ) }, ... 112, ) == 0x0
 01052   408   NtQueryValueKey  (112,  (112, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 01053   408   NtQueryValueKey  (112,  (112, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 01054   408   NtQueryValueKey  (112,  (112, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 01055   408   NtQueryValueKey  (112,  (112, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 01056   408   NtClose  (112, ... ) == 0x0
 01057   408   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Offload"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01058   408   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 01059   408   NtOpenProcessToken  (-1, 0x8, ... 112, ) == 0x0
 01060   408   NtQueryInformationToken  (112, User, 1024, ... {token info, class 1, size 36}, 36, ) == 0x0
 01061   408   NtClose  (112, ... ) == 0x0
 01062   408   NtAllocateVirtualMemory  (-1, 1380352, 0, 4096, 4096, 4, ... 1380352, 4096, ) == 0x0
 01063   408   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... 112, {status=0x0, info=0}, ) }, 7, 16, ... 112, {status=0x0, info=0}, ) == 0x0
 01064   408   NtDeviceIoControlFile  (112, 0, 0x0, 0x0, 0x390008,  (112, 0, 0x0, 0x0, 0x390008, "lP!\304\34g\377\276\243\272>\7z\366\213\240\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01065   408   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01066   408   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01067   408   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01068   408   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01069   408   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01070   408   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01071   408   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01072   408   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482068, 2, ) }, 0, 0x0, 0, ... -2147482068, 2, ) == 0x0
 01073   408   NtSetValueKey  (-2147482068,  (-2147482068, "Seed", 0, 3, "\227<\274\362\251\247\362\350\255\2052E\3676\324\272\35V\274a{|\35\20\351\245\274X\334\370N=\301z\2001\353[\217\304Q(\272\204\37@\360U\33\33\263\322\177u\343\264G\247\236!\315\311\261\254\345\303<\352\353K\343e\233X\316\352\0*\3Y", 80, ... ) , 0, 3,  (-2147482068, "Seed", 0, 3, "\227<\274\362\251\247\362\350\255\2052E\3676\324\272\35V\274a{|\35\20\351\245\274X\334\370N=\301z\2001\353[\217\304Q(\272\204\37@\360U\33\33\263\322\177u\343\264G\247\236!\315\311\261\254\345\303<\352\353K\343e\233X\316\352\0*\3Y", 80, ... ) , 80, ... ) == 0x0
 01074   408   NtClose  (-2147482068, ... ) == 0x0
 01064   408   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "l\326\20\336c\225-\344\263\200\322\322L\10'g\334\240\326\222\37\15v\255(\300\21B\341?\260\321U\377!\33S\2753\3272\31I\232\222\265\312\355\200*\204\356\254\2317zZ\313O\34\332\26\3U\20\346E\251\336a\351{8L\311\215\264\311\213\32\7\227G\200g\226\233\315UZ\225\327i\276\340\13U\304\33\37\271F\346\26k\224\366d\320H\273M\342\253\271\7\350\243\313\331~\\271\335\25\245\360\347b(\337\247\26\313\37\6;\216Y\257\331\16\367)\222'\7?\23\343\331NL\313\310\5\215\344!^\217\270 \314{\376\370\11^TK\312\214\347\257[\216[\302\32389\254\2\323\246\204\34\326\322\351,\226Xy\211\212\264\241\361\3504\337)\357\277{+k\31\22\375\365;\264\341\345\236"(px\15i5\230}\220Q\340#_\360\305n\331\302\227\267\352\342\345O\4mz\20784\342MO\2\311\247", ) (px\15i5\230}\220Q\340#_\360\305n\331\302\227\267\352\342\345O\4mz\20784\342MO\2\311\247", ) == 0x0
 01075   408   NtClose  (108, ... ) == 0x0
 01076   408   NtDeviceIoControlFile  (112, 0, 0x0, 0x0, 0x390008,  (112, 0, 0x0, 0x0, 0x390008, "lP!\304\34g\377a\201l\350\250kS\351.\35D\344\366\352\275\304\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01077   408   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01078   408   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01079   408   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01080   408   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01081   408   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01082   408   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01083   408   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01084   408   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482068, 2, ) }, 0, 0x0, 0, ... -2147482068, 2, ) == 0x0
 01085   408   NtSetValueKey  (-2147482068,  (-2147482068, "Seed", 0, 3, "\225\335\202vMA\341G\304\204>\234|T\262\246\367\221\345\230O;\243\332\354+\247\353~\213Y\201S\5\327\231\210;\16\274[\24\251\270\217x\34\301\21\365\264\304\356\324~\220W\232\31\203G)\235t\203*\314A\213\351_\26m\37\10\335\306\26t\254", 80, ... ) , 0, 3,  (-2147482068, "Seed", 0, 3, "\225\335\202vMA\341G\304\204>\234|T\262\246\367\221\345\230O;\243\332\354+\247\353~\213Y\201S\5\327\231\210;\16\274[\24\251\270\217x\34\301\21\365\264\304\356\324~\220W\232\31\203G)\235t\203*\314A\213\351_\26m\37\10\335\306\26t\254", 80, ... ) , 80, ... ) == 0x0
 01086   408   NtClose  (-2147482068, ... ) == 0x0
 01076   408   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "~}\252\32i\254\337\220\13\325\342X\337:?g\356\33-\2404q\343\356^\260\24Y\254\311C>\3255\233|\361\271\327\234\366\307\17\17%\207\324l2\353\2519\352\375\202\371\14a\215}\14\11h\243\353\325@\227\217S\241\202\7{\20kw\23f\216\267\242$\374\217\1S\237\252\235\257\231\2708\3547v\27\303\177\214\304VW\346\353\33\217p\5gb\376%\210\205\34,\273\366\200\204\206\361WG\212z\213\312\6\4\227\340m\270(\250@\252\325\372\210MW\355\12\300|\321\27\272[\33\317\7vuj;\20\344\311\322\217\355\16A\314\14Y\265g\354\374x\332\301\223\35 |%\302J\205\347\200\2711fo\12p-\274\207\245\307`\323\312"\314\25*9\351\3a\17@,\23O\2756*U\221L\225\347\15\254\260\317\332\10\352j,\371\205\212%\260\343\364\310\357oPB\300\305\202\325\350\270\352\264Z@f", ) \314\25*9\351\3a\17@,\23O\2756*U\221L\225\347\15\254\260\317\332\10\352j,\371\205\212%\260\343\364\310\357oPB\300\305\202\325\350\270\352\264Z@f", ) == 0x0
 01087   408   NtDeviceIoControlFile  (112, 0, 0x0, 0x0, 0x390008,  (112, 0, 0x0, 0x0, 0x390008, "lP!\304\34g\377a\201l\350\250kS6\14\313\222K\347O\337J\35D\344\366\352\275\304\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01088   408   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01089   408   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01090   408   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01091   408   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01092   408   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01093   408   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01094   408   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01095   408   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482068, 2, ) }, 0, 0x0, 0, ... -2147482068, 2, ) == 0x0
 01096   408   NtSetValueKey  (-2147482068,  (-2147482068, "Seed", 0, 3, "\255=\307\23\201\200\241xD\10M\4\346\34\306\357\351\262\253\33\271[!y\177J\22OY\2&\247\2p\314\270^>AP\306}\250\36\4B\343\3[\212NL\201\216\211V1\322J\5pA\334gP\\231\362\353\345\17A\310\23\373\300}\303\264", 80, ... ) , 0, 3,  (-2147482068, "Seed", 0, 3, "\255=\307\23\201\200\241xD\10M\4\346\34\306\357\351\262\253\33\271[!y\177J\22OY\2&\247\2p\314\270^>AP\306}\250\36\4B\343\3[\212NL\201\216\211V1\322J\5pA\334gP\\231\362\353\345\17A\310\23\373\300}\303\264", 80, ... ) , 80, ... ) == 0x0
 01097   408   NtClose  (-2147482068, ... ) == 0x0
 01087   408   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\241\30\274-\11\213\177\4\35\313}\337\265\352\310\253N3\33\364\271\3706\245B2\11;\325p\310\260z\311'\323\343\233\14\221'\311m\241\351\233(\34FFqI\10%\204\34`[L[\336\340\13\364~\257\256J]\205\202\30m\336"\204V\24\3[\2479\247_\340\267z\353=\15\227\325\221\207m\235\213o}\23\36Z\376\225\214\237\303\311jD\250\246L_\264k\224\342\0\267\205\254\24{\360j\256*\22\226\343\2653\254bv\246\371\303\257\332\367\203\247\332g),\267\217\25!\257\20P\243\260?\331\321g\361\265\26\2419\10+\206-TG\333\200_r"lrO\21\316\345a"\261\202q\11\240\225\240@\340Q\240\337\7T\334\234\272"\15s-\246\312\231]$q\320\275\262\314\264Y\220S\10\235\257$\214\374\336\361$\202\13\360\312\224\373\221q\235\3302\301\221\312(\342W\211\23\261\26\343\212\303\245\212\312", ) \204V\24\3[\2479\247_\340\267z\353=\15\227\325\221\207m\235\213o}\23\36Z\376\225\214\237\303\311jD\250\246L_\264k\224\342\0\267\205\254\24{\360j\256*\22\226\343\2653\254bv\246\371\303\257\332\367\203\247\332g),\267\217\25!\257\20P\243\260?\331\321g\361\265\26\2419\10+\206-TG\333\200_r ... {status=0x0, info=256}, "\241\30\274-\11\213\177\4\35\313}\337\265\352\310\253N3\33\364\271\3706\245B2\11;\325p\310\260z\311'\323\343\233\14\221'\311m\241\351\233(\34FFqI\10%\204\34`[L[\336\340\13\364~\257\256J]\205\202\30m\336"\204V\24\3[\2479\247_\340\267z\353=\15\227\325\221\207m\235\213o}\23\36Z\376\225\214\237\303\311jD\250\246L_\264k\224\342\0\267\205\254\24{\360j\256*\22\226\343\2653\254bv\246\371\303\257\332\367\203\247\332g),\267\217\25!\257\20P\243\260?\331\321g\361\265\26\2419\10+\206-TG\333\200_r"lrO\21\316\345a"\261\202q\11\240\225\240@\340Q\240\337\7T\334\234\272"\15s-\246\312\231]$q\320\275\262\314\264Y\220S\10\235\257$\214\374\336\361$\202\13\360\312\224\373\221q\235\3302\301\221\312(\342W\211\23\261\26\343\212\303\245\212\312", ) \261\202q\11\240\225\240@\340Q\240\337\7T\334\234\272 ... {status=0x0, info=256}, "\241\30\274-\11\213\177\4\35\313}\337\265\352\310\253N3\33\364\271\3706\245B2\11;\325p\310\260z\311'\323\343\233\14\221'\311m\241\351\233(\34FFqI\10%\204\34`[L[\336\340\13\364~\257\256J]\205\202\30m\336"\204V\24\3[\2479\247_\340\267z\353=\15\227\325\221\207m\235\213o}\23\36Z\376\225\214\237\303\311jD\250\246L_\264k\224\342\0\267\205\254\24{\360j\256*\22\226\343\2653\254bv\246\371\303\257\332\367\203\247\332g),\267\217\25!\257\20P\243\260?\331\321g\361\265\26\2419\10+\206-TG\333\200_r"lrO\21\316\345a"\261\202q\11\240\225\240@\340Q\240\337\7T\334\234\272"\15s-\246\312\231]$q\320\275\262\314\264Y\220S\10\235\257$\214\374\336\361$\202\13\360\312\224\373\221q\235\3302\301\221\312(\342W\211\23\261\26\343\212\303\245\212\312", ) , ) == 0x0
 01098   408   NtDeviceIoControlFile  (112, 0, 0x0, 0x0, 0x390008,  (112, 0, 0x0, 0x0, 0x390008, "lP!\304\34g\377a\201l\350\250kS6\14\313\222K\347O\0h\313\222K\347O\337J\35D\344\366\352\275\304\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01099   408   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01100   408   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01101   408   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01102   408   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01103   408   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01104   408   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01105   408   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01106   408   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482068, 2, ) }, 0, 0x0, 0, ... -2147482068, 2, ) == 0x0
 01107   408   NtSetValueKey  (-2147482068,  (-2147482068, "Seed", 0, 3, "6\14\7\337\223H\364\310\341<\363<\325n\332\364T\23\332Z\215\246?\351\314\224r?\377\366\232\1M`\327\221\15\237f\31h\241\344\30\355\260o\306\325\273i\300\354\275\13(\341\34\331\354\312\12\20,8\220\20\346mZ"\306\10\7\211:\251\33(\262", 80, ... ) , 0, 3,  (-2147482068, "Seed", 0, 3, "6\14\7\337\223H\364\310\341<\363<\325n\332\364T\23\332Z\215\246?\351\314\224r?\377\366\232\1M`\327\221\15\237f\31h\241\344\30\355\260o\306\325\273i\300\354\275\13(\341\34\331\354\312\12\20,8\220\20\346mZ"\306\10\7\211:\251\33(\262", 80, ... ) \306\10\7\211:\251\33(\262", 80, ... ) == 0x0
 01108   408   NtClose  (-2147482068, ... ) == 0x0
 01098   408   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\352\326\25\217\200@\307\15\345\26\320G\246,\326\332\266\24\222&\342\226wR\311\331(\350\323\206\271$\224\350P\336\351\364X\333u\215\30p\24\333z\255E\300\211\306\2327wHy\342 \335\250i\212a>p\340\346\250\375\241&\315o$T2\216\26]\264\333*\347$/\364\17\305\375\355+\363[\334\373\332H\30>\325y\16\310\345me\7g\326k\205b\245O\3dl\335\30\376\244\344;W^\3338\3@\251\336\277\210\363 \7\240?%\217Cjf\374\361B,\342\26O\3\221\322$\5+\367`\12=\273\322\240)\346\334\210\246]\374a)\254o\302-\252B\241\37\323`\354\252N]\17o\207\10\251\240\253\323v\213R\234%\'\366r\240\37d\253\317d\306\2141.\240H\373\310\243\316\5*<\265\23\244\331\351M\316\0\215vl\355V\246Q\17\320\342\317uB\352\315\231\360\245\232\321\330\26\212\215\27", ) , ) == 0x0
 01109   408   NtDeviceIoControlFile  (112, 0, 0x0, 0x0, 0x390008,  (112, 0, 0x0, 0x0, 0x390008, "lP!\304\34g\377a\201l\350\250kS6\14\313\222K\347O\0h\313\222K\347O\0h\313\222K\347O\337J\35D\344\366\352\275\304\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01110   408   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01111   408   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01112   408   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01113   408   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01114   408   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01115   408   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01116   408   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01117   408   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482068, 2, ) }, 0, 0x0, 0, ... -2147482068, 2, ) == 0x0
 01118   408   NtSetValueKey  (-2147482068,  (-2147482068, "Seed", 0, 3, ",\10\361"\32\0\237`\271\331\251E\356l\235I\246\353\316\366#>\371sjSp\230-\340\333\15=\367\267\22Z\265\333}\340\25;:\256\335\244\341\233\305\313\245\314\202Bzf)\277\273l\344\31\327\322\212\24\260kE\34\225\340K=\312X\363C", 80, ... ) , 0, 3,  (-2147482068, "Seed", 0, 3, ",\10\361"\32\0\237`\271\331\251E\356l\235I\246\353\316\366#>\371sjSp\230-\340\333\15=\367\267\22Z\265\333}\340\25;:\256\335\244\341\233\305\313\245\314\202Bzf)\277\273l\344\31\327\322\212\24\260kE\34\225\340K=\312X\363C", 80, ... ) \32\0\237`\271\331\251E\356l\235I\246\353\316\366#>\371sjSp\230-\340\333\15=\367\267\22Z\265\333}\340\25;:\256\335\244\341\233\305\313\245\314\202Bzf)\277\273l\344\31\327\322\212\24\260kE\34\225\340K=\312X\363C", 80, ... ) == 0x0
 01119   408   NtClose  (-2147482068, ... ) == 0x0
 01109   408   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "*-\226\335d:}K\2)\322\35\222\312\16\2531\354\373\11\26@/\211\312\223U\247 \377\25|\343\370\300\256.:\274?\211R\17\0]zD\20\310/\260u\26%i\343\310\320\323\361F\362\304X\346c\23\307\316Mw\362\334\332\16&\373\243N*\231\347\275\224\30A\261\204:F\17r\227\310\270\317\215a\364~\304Wv\274xo\343\303\221\270\363N\306%F5\334\31\37\20#\367\37\26\221\316\245/ |\323\354Q\321,1\22or'"\216:\14\214n<\266\300Z\363\36\275\326\330\372D\362\13\214aL\255\240\375\236\325\311|L\214\2251\252\305\221t\223\364\214\203 }\333\25<\177\370=\4Vf\255\265\324(\277\16d\316I\23\255\250__xT6\345V\205\253qWs\232\223\200X\252\320\3611r\374\254\305\265m\232\211\253mn\320\342R\236\260!u>\351@\353\236=216:\14\214n<\266\300Z\363\36\275\326\330\372D\362\13\214aL\255\240\375\236\325\311|L\214\2251\252\305\221t\223\364\214\203 }\333\25<\177\370=\4Vf\255\265\324(\277\16d\316I\23\255\250__xT6\345V\205\253qWs\232\223\200X\252\320\3611r\374\254\305\265m\232\211\253mn\320\342R\236\260!u>\351@\353\236=271\1\255\12KF", ) == 0x0
 01120   408   NtDeviceIoControlFile  (112, 0, 0x0, 0x0, 0x390008,  (112, 0, 0x0, 0x0, 0x390008, "lP!\304\34g\377a\201l\350\250kS6\14\313\222K\347O\0h\313\222K\347O\0h\313\222K\347O\0h\313\222K\347O\337J\35D\344\366\352\275\304\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01121   408   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01122   408   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01123   408   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01124   408   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01125   408   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01126   408   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01127   408   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01128   408   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482068, 2, ) }, 0, 0x0, 0, ... -2147482068, 2, ) == 0x0
 01129   408   NtSetValueKey  (-2147482068,  (-2147482068, "Seed", 0, 3, "\246j5\277\11\202\5%>!\27\347K\232\361\332s\26R\272\242\267\233]\311\276\225\350\211!\277\271M;\325\275\351\206\17\3119\210\223\2\31\364\277\344B%\226sy\262\352\334, 80, ... ) , 0, 3,  (-2147482068, "Seed", 0, 3, "\246j5\277\11\202\5%>!\27\347K\232\361\332s\26R\272\242\267\233]\311\276\225\350\211!\277\271M;\325\275\351\206\17\3119\210\223\2\31\364\277\344B%\226sy\262\352\334, 80, ... ) , 80, ... ) == 0x0
 01130   408   NtClose  (-2147482068, ... ) == 0x0
 01120   408   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\260\341\341@\25\277;1\233\307 \303\13\212=\36\264\300h\22\347\326r\33\362\372F\300\266\345\263\227\246\314\216\37W\221hK\7O\257m\377\252\311\250\330Ck\247\332\275\300if\247E\10\262\15\331j\242<\15\202\214%G\202\301'\355\3756\374\360\215\2531\306%\377PE\214\\261\300)B0\265;\302\257\244\330=T\256\337\31x\25s\2\276\347\264Y\245\334u\325\230=\337\252\69\201\33+R\330\236\16]\322\271\333\365\227\230BxF}\30\375h)\275C\212\256\306X\376y5\312\27\323\363\331\2534\34\361\301OO\3007X#\343\204\211\245\272\12\371OP\257\317\351\316\270\330\234\216\247\321z\35\30\254n\2603\343H\325\272,\237\22\354\158\244\241\1\211\335FIm\247DXG.V+e\255\247e\354\333\327H\315*\377\333\370{k;\352\371$n\222\26XGa\230\320\256\307\265\3125\14\372\237", ) , ) == 0x0
 01131   408   NtDeviceIoControlFile  (112, 0, 0x0, 0x0, 0x390008,  (112, 0, 0x0, 0x0, 0x390008, "lP!\304\34g\377a\201l\350\250kS6\14\313\222K\347O\0h\313\222K\347O\0h\313\222K\347O\0h\313\222K\347O\0h\313\222K\347O\337J\35D\344\366\352\275\304\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01132   408   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01133   408   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01134   408   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01135   408   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01136   408   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01137   408   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01138   408   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01139   408   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482068, 2, ) }, 0, 0x0, 0, ... -2147482068, 2, ) == 0x0
 01140   408   NtSetValueKey  (-2147482068,  (-2147482068, "Seed", 0, 3, "\336\375x\2F\353Bw>um\27\5\204\322\201\25\206<\326\373*\206\353\237\237\237\\277\363\340\314\365\350\14{^\263\272\246\5\304\250F\375\22\316I$\364\276g\263F\210\213\221\251\352\233+\317\247\226o\216\325\326\2072\353\224\263\333\252\344LF\340", 80, ... ) , 0, 3,  (-2147482068, "Seed", 0, 3, "\336\375x\2F\353Bw>um\27\5\204\322\201\25\206<\326\373*\206\353\237\237\237\\277\363\340\314\365\350\14{^\263\272\246\5\304\250F\375\22\316I$\364\276g\263F\210\213\221\251\352\233+\317\247\226o\216\325\326\2072\353\224\263\333\252\344LF\340", 80, ... ) , 80, ... ) == 0x0
 01141   408   NtClose  (-2147482068, ... ) == 0x0
 01131   408   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\314\222U\350l\32\264\335p`l\352l\201\12\277\267\255f\326\345\346\266\321\215m'\205j\367!\360\321\301]\264\374$$\250\355\3607\215\37\271\247\322B\266\227&KW\340\235\235\266\330-/4\264\270\22\12G\227\346\340\\314 \3406\262<,\343\257-\362iT\327SR\353j\37\3565\12\221w\372\270R\275.\371v\37\373'\2353\276\341\22 \32,\255\20L\311@9S\2\216\223B\211\376O\353\1\35bo\277}i\6\360\35\231w\227\260]W&\345\255\250\25\57Dm\206\356\311\4\374:H\233\325\1\251\374\33X\211\2'\22\0Q{\266\331\14Ux\274\212\340~j3Z\363T\245\321\205}"l\376\14\336\204\213\343,\213L\15{\202.\20\230\243yx\302\16\@v\365%~\340K0\341\270\357\2\222\216\346\330\351.", ) \374:H\233\325\1\251\374\33X\211\2'\22\0Q{\266\331\14Ux\274\212\340~j3Z\363T\245\321\205} ... {status=0x0, info=256}, "\314\222U\350l\32\264\335p`l\352l\201\12\277\267\255f\326\345\346\266\321\215m'\205j\367!\360\321\301]\264\374$$\250\355\3607\215\37\271\247\322B\266\227&KW\340\235\235\266\330-/4\264\270\22\12G\227\346\340\\314 \3406\262<,\343\257-\362iT\327SR\353j\37\3565\12\221w\372\270R\275.\371v\37\373'\2353\276\341\22 \32,\255\20L\311@9S\2\216\223B\211\376O\353\1\35bo\277}i\6\360\35\231w\227\260]W&\345\255\250\25\57Dm\206\356\311\4\374:H\233\325\1\251\374\33X\211\2'\22\0Q{\266\331\14Ux\274\212\340~j3Z\363T\245\321\205}"l\376\14\336\204\213\343,\213L\15{\202.\20\230\243yx\302\16\@v\365%~\340K0\341\270\357\2\222\216\346\330\351.", ) , ) == 0x0
 01142   408   NtDeviceIoControlFile  (112, 0, 0x0, 0x0, 0x390008,  (112, 0, 0x0, 0x0, 0x390008, "lP!\304\34g\377a\201l\350\250kS6\14\313\222K\347O\0h\313\222K\347O\0h\313\222K\347O\0h\313\222K\347O\0h\313\222K\347O\0h\313\222K\347O\337J\35D\344\366\352\275\304\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01143   408   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01144   408   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01145   408   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01146   408   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01147   408   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01148   408   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01149   408   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01150   408   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482068, 2, ) }, 0, 0x0, 0, ... -2147482068, 2, ) == 0x0
 01151   408   NtSetValueKey  (-2147482068,  (-2147482068, "Seed", 0, 3, "\330\273\372x\224\200\322\353\31?\4\331\215a\373lS\243}(|\347=/{\261\312\175\33p\4\271\371\236`\36\206Q\322d=\315\361D\214hO*\262r\311\217\372;\34\264W\270\233>P"\24x\311\2\31\254\332d9\201\302/\6\213?\0", 80, ... ) , 0, 3,  (-2147482068, "Seed", 0, 3, "\330\273\372x\224\200\322\353\31?\4\331\215a\373lS\243}(|\347=/{\261\312\175\33p\4\271\371\236`\36\206Q\322d=\315\361D\214hO*\262r\311\217\372;\34\264W\270\233>P"\24x\311\2\31\254\332d9\201\302/\6\213?\0", 80, ... ) \24x\311\2\31\254\332d9\201\302/\6\213?\0", 80, ... ) == 0x0
 01152   408   NtClose  (-2147482068, ... ) == 0x0
 01142   408   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\335\320\263s|\311\37\7\3369*\300\370\225\324G3\333\327Z\363'\272C\314F\252"\233\307i\15H\235Z\313F\363\214M\17\3661L\32&\316\327U\0\234\323\250J_\330WKT\3\201\223\257\275\227\353\226\245\15\275^bN0\200\217&\2\34J\367\263\12\367\243D\267\200{\322\226\340\313\252)F\366z[\3467Y\3377\303R\335\334_\2419\365\306\361D\251\302\367\317\14;@\13P\366\24Qo\363s`3\210\271\321N\330\333\252\304\366uf\255\26\0\321\\14\254[\250y\371\210\36\0\266\264\27}\205\341\201\370\314\256\311\252\225#\375\241x\353\214GBd2\326\306.\26\251\211\261E\262#+n\200\17u\2512L\216t\310wf\263\247\340\361J\236^\300\222\311|\33\211jr\274\300i\325\254\240~\222\6\243\250\273\236\334\261,\336J\237\260=\343+\201Z\34v\14l\307\3f\247\274H\210\330\331", ) \233\307i\15H\235Z\313F\363\214M\17\3661L\32&\316\327U\0\234\323\250J_\330WKT\3\201\223\257\275\227\353\226\245\15\275^bN0\200\217&\2\34J\367\263\12\367\243D\267\200{\322\226\340\313\252)F\366z[\3467Y\3377\303R\335\334_\2419\365\306\361D\251\302\367\317\14;@\13P\366\24Qo\363s`3\210\271\321N\330\333\252\304\366uf\255\26\0\321\\14\254[\250y\371\210\36\0\266\264\27}\205\341\201\370\314\256\311\252\225#\375\241x\353\214GBd2\326\306.\26\251\211\261E\262#+n\200\17u\2512L\216t\310wf\263\247\340\361J\236^\300\222\311|\33\211jr\274\300i\325\254\240~\222\6\243\250\273\236\334\261,\336J\237\260=\343+\201Z\34v\14l\307\3f\247\274H\210\330\331", ) == 0x0
 01153   408   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\u:\work\"}, 3, 33, ... 108, {status=0x0, info=1}, ) }, 3, 33, ... 108, {status=0x0, info=1}, ) == 0x0
 01154   408   NtQueryVolumeInformationFile  (108, 1238968, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01155   408   NtClose  (12, ... ) == 0x0
 01156   408   NtOpenFile  (0x10080, {24, 0, 0x40, 0, 0,  (0x10080, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\lssas.exe"}, 7, 2113600, ... ) }, 7, 2113600, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01157   408   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238188,  (0x80100080, {24, 0, 0x40, 0, 1238188, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 12, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 12, {status=0x0, info=1}, ) == 0x0
 01158   408   NtQueryInformationFile  (12, 1239124, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0
 01159   408   NtQueryInformationFile  (12, 1239096, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01160   408   NtQueryInformationFile  (12, 1239048, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01161   408   NtAllocateVirtualMemory  (-1, 1384448, 0, 8192, 4096, 4, ... 1384448, 8192, ) == 0x0
 01162   408   NtQueryInformationFile  (12, 1382552, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0
 01163   408   NtQueryInformationFile  (12, 1237592, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01164   408   NtQueryInformationFile  (12, 1237436, 4, Ea, ... {status=0x0, info=4}, ) == 0x0
 01165   408   NtCreateFile  (0x40110080, {24, 0, 0x40, 0, 1237444,  (0x40110080, {24, 0, 0x40, 0, 1237444, "\??\C:\WINDOWS\System32\lssas.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ...
 01166   408   NtClose  (-2147482068, ... ) == 0x0
 01165   408   NtCreateFile  ... 104, {status=0x0, info=2}, ) == 0x0
 01167   408   NtQueryVolumeInformationFile  (104, 1236816, 536, Attribute, ... {status=0x0, info=22}, ) == 0x0
 01168   408   NtQueryInformationFile  (104, 1236776, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01169   408   NtQueryVolumeInformationFile  (12, 1236816, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 01170   408   NtSetInformationFile  (104, 1236604, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01171   408   NtCreateSection  (0xf001f, 0x0, 0x0, 2, 134217728, 12, ... 116, ) == 0x0
 01172   408   NtMapViewOfSection  (116, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x8e0000), {0, 0}, 53248, ) == 0x0
 01173   408   NtClose  (116, ... ) == 0x0
 01174   408   NtWriteFile  (104, 0, 0, 0,  (104, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0PE\0\0L\1\3\0a}\307F\0\0\0\0\0\0\0\0\340\0\17\1\13\1\0\0\0\0\0\00\30\0\0\0\0\0\09\212\3\0\0\200\3\0\14\0\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\254\230\3\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\300\226\3\0,\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\08\230\3\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.data\0\0\0\0\260\2\0\0\20\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\300.pdata\0\0,\262\0\0\0\300\2\0,\262\0\0\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\300.ex_cod\0\254\30\0\0\0\200\3\0\250\30\0\0\0\266\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\340\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 52904, 0x0, 0, ... {status=0x0, info=52904}, ) , 52904, 0x0, 0, ... {status=0x0, info=52904}, ) == 0x0
 01175   408   NtUnmapViewOfSection  (-1, 0x8e0000, ... ) == 0x0
 01176   408   NtSetInformationFile  (104, 1239048, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01177   408   NtClose  (12, ... ) == 0x0
 01178   408   NtClose  (104, ... ) == 0x0
 01179   408   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\lssas.exe"}, 7, 2113568, ... 104, {status=0x0, info=1}, ) }, 7, 2113568, ... 104, {status=0x0, info=1}, ) == 0x0
 01180   408   NtSetInformationFile  (104, 1239248, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01181   408   NtClose  (104, ... ) == 0x0
 01182   408   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\lssas.exe"}, 7, 2113568, ... 104, {status=0x0, info=1}, ) }, 7, 2113568, ... 104, {status=0x0, info=1}, ) == 0x0
 01183   408   NtSetInformationFile  (104, 1239248, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01184   408   NtClose  (104, ... ) == 0x0
 01185   408   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238952,  (0x80100080, {24, 0, 0x40, 0, 1238952, "\??\C:\WINDOWS\explorer.exe"}, 0x0, 128, 1, 1, 96, 0, 0, ... 104, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 104, {status=0x0, info=1}, ) == 0x0
 01186   408   NtQueryInformationFile  (104, 1239004, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01187   408   NtClose  (104, ... ) == 0x0
 01188   408   NtCreateFile  (0x40100080, {24, 0, 0x40, 0, 1238952,  (0x40100080, {24, 0, 0x40, 0, 1238952, "\??\C:\WINDOWS\System32\lssas.exe"}, 0x0, 128, 2, 1, 96, 0, 0, ... 104, {status=0x0, info=1}, ) }, 0x0, 128, 2, 1, 96, 0, 0, ... 104, {status=0x0, info=1}, ) == 0x0
 01189   408   NtSetInformationFile  (104, 1239004, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01190   408   NtClose  (104, ... ) == 0x0
 01191   408   NtOpenFile  (0x10080, {24, 108, 0x40, 0, 0,  (0x10080, {24, 108, 0x40, 0, 0, "kpyijvsq.bat"}, 7, 2113600, ... ) }, 7, 2113600, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01192   408   NtCreateFile  (0x40100080, {24, 108, 0x40, 0, 1239200,  (0x40100080, {24, 108, 0x40, 0, 1239200, "kpyijvsq.bat"}, 0x0, 0, 0, 5, 96, 0, 0, ... 104, {status=0x0, info=2}, ) }, 0x0, 0, 0, 5, 96, 0, 0, ... 104, {status=0x0, info=2}, ) == 0x0
 01193   408   NtWriteFile  (104, 0, 0, 0,  (104, 0, 0, 0, "@echo off\15\12:deleteagain\15\12del /A:H /F packed.exe\15\12del /F packed.exe\15\12if exist packed.exe goto deleteagain\15\12del kpyijvsq.bat\15\12", 124, 0x0, 0, ... {status=0x0, info=124}, ) , 124, 0x0, 0, ... {status=0x0, info=124}, ) == 0x0
 01194   408   NtClose  (104, ... ) == 0x0
 01195   408   NtOpenKey  (0x9, {24, 28, 0x40, 0, 0,  (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01196   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1232540, ... ) }, 1232540, ... ) == 0x0
 01197   408   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0
 01198   408   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 104, ... 12, ) == 0x0
 01199   408   NtClose  (104, ... ) == 0x0
 01200   408   NtMapViewOfSection  (12, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x8e0000), 0x0, 262144, ) == 0x0
 01201   408   NtClose  (12, ... ) == 0x0
 01202   408   NtUnmapViewOfSection  (-1, 0x8e0000, ... ) == 0x0
 01203   408   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01204   408   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01205   408   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01206   408   NtAllocateVirtualMemory  (-1, 1392640, 0, 16384, 4096, 4, ... 1392640, 16384, ) == 0x0
 01207   408   NtUserRegisterClassExWOW  (1234624, 1234704, 1234688, 1234720, 0, 384, 0, ... ) == 0x8123c038
 01208   408   NtUserGetAtomName  (49208, 1233388, ... ) == 0x15
 01209   408   NtUserCreateWindowEx  (0, 49208, 49208,  (0, 49208, 49208, "OleMainThreadWndName", -2013265920, -2147483648, -2147483648, -2147483648, -2147483648, -3, 0, 1998258176, 0, 1073742848, 0, ... , -2013265920, -2147483648, -2147483648, -2147483648, -2147483648, -3, 0, 1998258176, 0, 1073742848, 0, ...
 01210   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1230912, ... ) }, 1230912, ... ) == 0x0
 01211   408   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 12, {status=0x0, info=1}, ) }, 5, 96, ... 12, {status=0x0, info=1}, ) == 0x0
 01212   408   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 12, ... 104, ) == 0x0
 01213   408   NtClose  (12, ... ) == 0x0
 01214   408   NtMapViewOfSection  (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x8e0000), 0x0, 204800, ) == 0x0
 01215   408   NtClose  (104, ... ) == 0x0
 01216   408   NtUnmapViewOfSection  (-1, 0x8e0000, ... ) == 0x0
 01217   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1231228, ... ) }, 1231228, ... ) == 0x0
 01218   408   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0
 01219   408   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 104, ... 12, ) == 0x0
 01220   408   NtQuerySection  (12, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01221   408   NtClose  (104, ... ) == 0x0
 01222   408   NtMapViewOfSection  (12, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5ad70000), 0x0, 212992, ) == 0x0
 01223   408   NtClose  (12, ... ) == 0x0
 01224   408   NtUserGetWindowDC  (0, ... ) == 0x1010052
 01225   408   NtUserCallOneParam  (16842834, 56, ... ) == 0x1
 01226   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01227   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 12, ) == 0x0
 01228   408   NtQueryInformationToken  (12, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01229   408   NtClose  (12, ... ) == 0x0
 01230   408   NtAllocateVirtualMemory  (-1, 1220608, 0, 4096, 4096, 260, ... 1220608, 4096, ) == 0x0
 01231   408   NtOpenKey  (0x2001f, {24, 0, 0x640, 0, 0,  (0x2001f, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 12, ) }, ... 12, ) == 0x0
 01232   408   NtOpenKey  (0x1, {24, 12, 0x40, 0, 0,  (0x1, {24, 12, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\ThemeManager"}, ... 104, ) }, ... 104, ) == 0x0
 01233   408   NtQueryValueKey  (104,  (104, "Compositing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01234   408   NtClose  (104, ... ) == 0x0
 01235   408   NtClose  (12, ... ) == 0x0
 01236   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01237   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 12, ) == 0x0
 01238   408   NtQueryInformationToken  (12, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01239   408   NtClose  (12, ... ) == 0x0
 01240   408   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 12, ) }, ... 12, ) == 0x0
 01241   408   NtOpenKey  (0x1, {24, 12, 0x40, 0, 0,  (0x1, {24, 12, 0x40, 0, 0, "Control Panel\Desktop"}, ... 104, ) }, ... 104, ) == 0x0
 01242   408   NtQueryValueKey  (104,  (104, "LameButtonText", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01243   408   NtClose  (104, ... ) == 0x0
 01244   408   NtClose  (12, ... ) == 0x0
 01245   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\UxTheme.dll"}, 1230728, ... ) }, 1230728, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01246   408   NtQueryAttributesFile  ({24, 108, 0x40, 0, 0,  ({24, 108, 0x40, 0, 0, "UxTheme.dll"}, 1230728, ... ) }, 1230728, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01247   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\UxTheme.dll"}, 1230728, ... ) }, 1230728, ... ) == 0x0
 01248   408   NtUserGetProcessWindowStation  (... ) == 0x28
 01249   408   NtUserGetObjectInformation  (40, 2, 0, 0, 1233024, ... ) == 0x0
 01250   408   NtUserGetObjectInformation  (40, 2, 1346872, 16, 1233024, ... ) == 0x1
 01251   408   NtUserGetGUIThreadInfo  (408, 1232980, ... ) == 0x1
 01252   408   NtConnectPort  ( ("\ThemeApiPort", {12, 2, 1, 1}, 0x0, 0x0, 1232800, 64, ... 12, 0x0, 0x0, 0x0, 64, ) , {12, 2, 1, 1}, 0x0, 0x0, 1232800, 64, ... 12, 0x0, 0x0, 0x0, 64, ) == 0x0
 01253   408   NtRequestWaitReplyPort  (12, {32, 56, new_msg, 0, 0, 0, 0, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 404, 408, 1573, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 404, 408, 1573, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 404, 408, 1573, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 01254   408   NtRequestWaitReplyPort  (12, {32, 56, new_msg, 0, 0, 0, 0, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 404, 408, 1574, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 404, 408, 1574, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 404, 408, 1574, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 01255   408   NtUserCallNoParam  (29, ...
 01256   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1230272, ... ) }, 1230272, ... ) == 0x0
 01255   408   NtUserCallNoParam  ... ) == 0x0
 01257   408   NtUserSystemParametersInfo  (41, 0, 1524225160, 0, ... ) == 0x1
 01258   408   NtGdiHfontCreate  (1232352, 356, 0, 0, 1355952, ... ) == 0x1d0a0435
 01259   408   NtGdiHfontCreate  (1232352, 356, 0, 0, 1355944, ... ) == 0x180a043d
 01260   408   NtRequestWaitReplyPort  (12, {32, 56, new_msg, 0, 0, 0, 0, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 404, 408, 1575, 0} "\0\0\0\0\0\0\0\0h\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 404, 408, 1575, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 404, 408, 1575, 0} "\0\0\0\0\0\0\0\0h\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 01261   408   NtMapViewOfSection  (104, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x8e0000), {0, 0}, 331776, ) == 0x0
 01262   408   NtUserGetWindowDC  (0, ... ) == 0x1010052
 01263   408   NtUserCallOneParam  (16842834, 56, ... ) == 0x1
 01264   408   NtUserGetWindowDC  (0, ... ) == 0x1010052
 01265   408   NtContinue  (1230888, 0, ...
 01266   408   NtTerminateProcess  (0, 0, ... ) == 0x0
 01267   408   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xa,}, 4, ... ) == 0x0
 01268   408   NtUserGetProcessWindowStation  (... ) == 0x28
 01269   408   NtUserBuildNameList  (40, 256, 1331608, 1239640, ... ) == 0x0
 01270   408   NtUserGetProcessWindowStation  (... ) == 0x28
 01271   408   NtUserOpenDesktop  ({24, 40, 0x40, 0, 0,  ({24, 40, 0x40, 0, 0, "Default"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x74
 01272   408   NtUserBuildHwndList  (116, 0, 0, 0, 64, ... (0x100aa, 0x100a8, 0x8002a, 0x20064, 0x100a0, 0x10080, 0x10074, 0x10068, 0x30044, 0x10066, 0x30046, 0x30036, 0x10098, 0x1008a, 0x1007c, 0x10026, 0x100d2, 0x100be, 0x100bc, 0x100ba, 0x100b8, 0x100b6, 0x100b4, 0x100b0, 0x100ae, 0x2005c, 0x100d0, 0x100c6, 0x200b2, 0x100ac, 0x100a6, 0x1006c, 0x5004a, 0x4004e, 0x50048, 0x1007e, 0x10076, 0x1, ), 38, ) == 0x0
 01273   408   NtUserQueryWindow  (65706, 0, ... ) == 0x78
 01274   408   NtUserQueryWindow  (65706, 1, ... ) == 0x7c
 01275   408   NtUserQueryWindow  (65704, 0, ... ) == 0x78
 01276   408   NtUserQueryWindow  (65704, 1, ... ) == 0x7c
 01277   408   NtUserQueryWindow  (524330, 0, ... ) == 0x78
 01278   408   NtUserQueryWindow  (524330, 1, ... ) == 0x7c
 01279   408   NtUserQueryWindow  (131172, 0, ... ) == 0x78
 01280   408   NtUserQueryWindow  (131172, 1, ... ) == 0x7c
 01281   408   NtUserQueryWindow  (65696, 0, ... ) == 0x790
 01282   408   NtUserQueryWindow  (65696, 1, ... ) == 0x7a0
 01283   408   NtUserQueryWindow  (65664, 0, ... ) == 0x790
 01284   408   NtUserQueryWindow  (65664, 1, ... ) == 0x7a0
 01285   408   NtUserBuildHwndList  (0, 65664, 1, 0, 64, ... (0x10082, 0x10084, 0x10086, 0x10088, 0x1008e, 0x10090, 0x10092, 0x10094, 0x10096, 0x1009a, 0x1009c, 0x1009e, 0x1, ), 13, ) == 0x0
 01286   408   NtUserQueryWindow  (65666, 0, ... ) == 0x790
 01287   408   NtUserQueryWindow  (65666, 1, ... ) == 0x7a0
 01288   408   NtUserQueryWindow  (65668, 0, ... ) == 0x790
 01289   408   NtUserQueryWindow  (65668, 1, ... ) == 0x7a0
 01290   408   NtUserQueryWindow  (65670, 0, ... ) == 0x790
 01291   408   NtUserQueryWindow  (65670, 1, ... ) == 0x7a0
 01292   408   NtUserQueryWindow  (65672, 0, ... ) == 0x790
 01293   408   NtUserQueryWindow  (65672, 1, ... ) == 0x7a0
 01294   408   NtUserQueryWindow  (65678, 0, ... ) == 0x790
 01295   408   NtUserQueryWindow  (65678, 1, ... ) == 0x7a0
 01296   408   NtUserQueryWindow  (65680, 0, ... ) == 0x790
 01297   408   NtUserQueryWindow  (65680, 1, ... ) == 0x7a0
 01298   408   NtUserQueryWindow  (65682, 0, ... ) == 0x790
 01299   408   NtUserQueryWindow  (65682, 1, ... ) == 0x7a0
 01300   408   NtUserQueryWindow  (65684, 0, ... ) == 0x790
 01301   408   NtUserQueryWindow  (65684, 1, ... ) == 0x7a0
 01302   408   NtUserQueryWindow  (65686, 0, ... ) == 0x790
 01303   408   NtUserQueryWindow  (65686, 1, ... ) == 0x7a0
 01304   408   NtUserQueryWindow  (65690, 0, ... ) == 0x790
 01305   408   NtUserQueryWindow  (65690, 1, ... ) == 0x7a0
 01306   408   NtUserQueryWindow  (65692, 0, ... ) == 0x790
 01307   408   NtUserQueryWindow  (65692, 1, ... ) == 0x7a0
 01308   408   NtUserQueryWindow  (65694, 0, ... ) == 0x790
 01309   408   NtUserQueryWindow  (65694, 1, ... ) == 0x7a0
 01310   408   NtUserQueryWindow  (65652, 0, ... ) == 0x790
 01311   408   NtUserQueryWindow  (65652, 1, ... ) == 0x7a0
 01312   408   NtUserQueryWindow  (65640, 0, ... ) == 0x790
 01313   408   NtUserQueryWindow  (65640, 1, ... ) == 0x7a0
 01314   408   NtUserQueryWindow  (196676, 0, ... ) == 0x790
 01315   408   NtUserQueryWindow  (196676, 1, ... ) == 0x7a0
 01316   408   NtUserQueryWindow  (65638, 0, ... ) == 0x790
 01317   408   NtUserQueryWindow  (65638, 1, ... ) == 0x7a0
 01318   408   NtUserQueryWindow  (196678, 0, ... ) == 0x790
 01319   408   NtUserQueryWindow  (196678, 1, ... ) == 0x7a0
 01320   408   NtUserQueryWindow  (196662, 0, ... ) == 0x790
 01321   408   NtUserQueryWindow  (196662, 1, ... ) == 0x7a0
 01322   408   NtUserBuildHwndList  (0, 196662, 1, 0, 64, ... (0x30038, 0x3003c, 0x3003a, 0x3003e, 0x30040, 0x30042, 0x1006a, 0x1006e, 0x10072, 0x1, ), 10, ) == 0x0
 01323   408   NtUserQueryWindow  (196664, 0, ... ) == 0x790
 01324   408   NtUserQueryWindow  (196664, 1, ... ) == 0x7a0
 01325   408   NtUserQueryWindow  (196668, 0, ... ) == 0x790
 01326   408   NtUserQueryWindow  (196668, 1, ... ) == 0x7a0
 01327   408   NtUserQueryWindow  (196666, 0, ... ) == 0x790
 01328   408   NtUserQueryWindow  (196666, 1, ... ) == 0x7a0
 01329   408   NtUserQueryWindow  (196670, 0, ... ) == 0x790
 01330   408   NtUserQueryWindow  (196670, 1, ... ) == 0x7a0
 01331   408   NtUserQueryWindow  (196672, 0, ... ) == 0x790
 01332   408   NtUserQueryWindow  (196672, 1, ... ) == 0x7a0
 01333   408   NtUserQueryWindow  (196674, 0, ... ) == 0x790
 01334   408   NtUserQueryWindow  (196674, 1, ... ) == 0x7a0
 01335   408   NtUserQueryWindow  (65642, 0, ... ) == 0x790
 01336   408   NtUserQueryWindow  (65642, 1, ... ) == 0x7a0
 01337   408   NtUserQueryWindow  (65646, 0, ... ) == 0x790
 01338   408   NtUserQueryWindow  (65646, 1, ... ) == 0x7a0
 01339   408   NtUserQueryWindow  (65650, 0, ... ) == 0x790
 01340   408   NtUserQueryWindow  (65650, 1, ... ) == 0x7a0
 01341   408   NtUserQueryWindow  (65688, 0, ... ) == 0x790
 01342   408   NtUserQueryWindow  (65688, 1, ... ) == 0x7a0
 01343   408   NtUserQueryWindow  (65674, 0, ... ) == 0x790
 01344   408   NtUserQueryWindow  (65674, 1, ... ) == 0x7a0
 01345   408   NtUserQueryWindow  (65660, 0, ... ) == 0x790
 01346   408   NtUserQueryWindow  (65660, 1, ... ) == 0x794
 01347   408   NtUserQueryWindow  (65574, 0, ... ) == 0x268
 01348   408   NtUserQueryWindow  (65574, 1, ... ) == 0x2c4
 01349   408   NtUserQueryWindow  (65746, 0, ... ) == 0x2e8
 01350   408   NtUserQueryWindow  (65746, 1, ... ) == 0x134
 01351   408   NtUserQueryWindow  (65726, 0, ... ) == 0x70
 01352   408   NtUserQueryWindow  (65726, 1, ... ) == 0x90
 01353   408   NtUserQueryWindow  (65724, 0, ... ) == 0x70
 01354   408   NtUserQueryWindow  (65724, 1, ... ) == 0x90
 01355   408   NtUserQueryWindow  (65722, 0, ... ) == 0x70
 01356   408   NtUserQueryWindow  (65722, 1, ... ) == 0x90
 01357   408   NtUserQueryWindow  (65720, 0, ... ) == 0x70
 01358   408   NtUserQueryWindow  (65720, 1, ... ) == 0x90
 01359   408   NtUserQueryWindow  (65718, 0, ... ) == 0x70
 01360   408   NtUserQueryWindow  (65718, 1, ... ) == 0x90
 01361   408   NtUserQueryWindow  (65716, 0, ... ) == 0x70
 01362   408   NtUserQueryWindow  (65716, 1, ... ) == 0x90
 01363   408   NtUserQueryWindow  (65712, 0, ... ) == 0x70
 01364   408   NtUserQueryWindow  (65712, 1, ... ) == 0x90
 01365   408   NtUserQueryWindow  (65710, 0, ... ) == 0x70
 01366   408   NtUserQueryWindow  (65710, 1, ... ) == 0x90
 01367   408   NtUserQueryWindow  (131164, 0, ... ) == 0xa0
 01368   408   NtUserQueryWindow  (131164, 1, ... ) == 0xa8
 01369   408   NtUserQueryWindow  (65744, 0, ... ) == 0x790
 01370   408   NtUserQueryWindow  (65744, 1, ... ) == 0x2a4
 01371   408   NtUserQueryWindow  (65734, 0, ... ) == 0x790
 01372   408   NtUserQueryWindow  (65734, 1, ... ) == 0x2a4
 01373   408   NtUserBuildHwndList  (0, 65734, 1, 0, 64, ... (0x100c8, 0x100ca, 0x100cc, 0x100ce, 0x1, ), 5, ) == 0x0
 01374   408   NtUserQueryWindow  (65736, 0, ... ) == 0x790
 01375   408   NtUserQueryWindow  (65736, 1, ... ) == 0x2a4
 01376   408   NtUserQueryWindow  (65738, 0, ... ) == 0x790
 01377   408   NtUserQueryWindow  (65738, 1, ... ) == 0x2a4
 01378   408   NtUserQueryWindow  (65740, 0, ... ) == 0x790
 01379   408   NtUserQueryWindow  (65740, 1, ... ) == 0x2a4
 01380   408   NtUserQueryWindow  (65742, 0, ... ) == 0x790
 01381   408   NtUserQueryWindow  (65742, 1, ... ) == 0x2a4
 01382   408   NtUserQueryWindow  (131250, 0, ... ) == 0x790
 01383   408   NtUserQueryWindow  (131250, 1, ... ) == 0x7a0
 01384   408   NtUserQueryWindow  (65708, 0, ... ) == 0x78
 01385   408   NtUserQueryWindow  (65708, 1, ... ) == 0x7c
 01386   408   NtUserQueryWindow  (65702, 0, ... ) == 0x7ec
 01387   408   NtUserQueryWindow  (65702, 1, ... ) == 0x7f0
 01388   408   NtUserQueryWindow  (65644, 0, ... ) == 0x790
 01389   408   NtUserQueryWindow  (65644, 1, ... ) == 0x7c0
 01390   408   NtUserQueryWindow  (327754, 0, ... ) == 0x790
 01391   408   NtUserQueryWindow  (327754, 1, ... ) == 0x794
 01392   408   NtUserQueryWindow  (262222, 0, ... ) == 0x790
 01393   408   NtUserQueryWindow  (262222, 1, ... ) == 0x794
 01394   408   NtUserQueryWindow  (327752, 0, ... ) == 0x790
 01395   408   NtUserQueryWindow  (327752, 1, ... ) == 0x794
 01396   408   NtUserQueryWindow  (65662, 0, ... ) == 0x790
 01397   408   NtUserQueryWindow  (65662, 1, ... ) == 0x794
 01398   408   NtUserQueryWindow  (65654, 0, ... ) == 0x790
 01399   408   NtUserQueryWindow  (65654, 1, ... ) == 0x794
 01400   408   NtUserBuildHwndList  (0, 65654, 1, 0, 64, ... (0x10078, 0x1007a, 0x1, ), 3, ) == 0x0
 01401   408   NtUserQueryWindow  (65656, 0, ... ) == 0x790
 01402   408   NtUserQueryWindow  (65656, 1, ... ) == 0x794
 01403   408   NtUserQueryWindow  (65658, 0, ... ) == 0x790
 01404   408   NtUserQueryWindow  (65658, 1, ... ) == 0x794
 01405   408   NtUserCloseDesktop  (116, ...
 01406   408   NtClose  (116, ... ) == 0x0
 01405   408   NtUserCloseDesktop  ... ) == 0x1
 01407   408   NtUserGetProcessWindowStation  (... ) == 0x28
 01408   408   NtUserOpenDesktop  ({24, 40, 0x40, 0, 0,  ({24, 40, 0x40, 0, 0, "Disconnect"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0
 01409   408   NtUserGetProcessWindowStation  (... ) == 0x28
 01410   408   NtUserOpenDesktop  ({24, 40, 0x40, 0, 0,  ({24, 40, 0x40, 0, 0, "Winlogon"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0
 01411   408   NtGdiDeleteObjectApp  (487195701, ... ) == 0x1
 01412   408   NtGdiDeleteObjectApp  (403309629, ... ) == 0x1
 01413   408   NtUnmapViewOfSection  (-1, 0x8e0000, ... ) == 0x0
 01414   408   NtClose  (104, ... ) == 0x0
 01415   408   NtClose  (12, ... ) == 0x0
 01416   408   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x9,}, 4, ... ) == 0x0
 01417   408   NtClose  (96, ... ) == 0x0
 01418   408   NtUnmapViewOfSection  (-1, 0x880000, ... ) == 0x0
 01419   408   NtClose  (100, ... ) == 0x0
 01420   408   NtClose  (92, ... ) == 0x0
 01421   408   NtFreeVirtualMemory  (-1, (0x8a0000), 0, 32768, ... (0x8a0000), 262144, ) == 0x0
 01422   408   NtUserUnregisterClass  (1239600, 1991376896, 1239588, ... ) == 0x0
 01423   408   NtUserGetClassInfo  (1999896576, 1239688, 1239640, 1239716, 0, ... ) == 0xc03b
 01424   408   NtUserUnregisterClass  (1239692, 1999896576, 1239680, ... ) == 0x1
 01425   408   NtUserGetClassInfo  (1999896576, 1239688, 1239640, 1239716, 0, ... ) == 0xc03d
 01426   408   NtUserUnregisterClass  (1239692, 1999896576, 1239680, ... ) == 0x1
 01427   408   NtUserGetClassInfo  (1999896576, 1239688, 1239640, 1239716, 0, ... ) == 0xc03f
 01428   408   NtUserUnregisterClass  (1239692, 1999896576, 1239680, ... ) == 0x1
 01429   408   NtUserGetClassInfo  (1999896576, 1239688, 1239640, 1239716, 0, ... ) == 0xc041
 01430   408   NtUserUnregisterClass  (1239692, 1999896576, 1239680, ... ) == 0x1
 01431   408   NtUserGetClassInfo  (1999896576, 1239688, 1239640, 1239716, 0, ... ) == 0xc043
 01432   408   NtUserUnregisterClass  (1239692, 1999896576, 1239680, ... ) == 0x1
 01433   408   NtUserGetClassInfo  (1999896576, 1239688, 1239640, 1239716, 0, ... ) == 0xc045
 01434   408   NtUserUnregisterClass  (1239692, 1999896576, 1239680, ... ) == 0x1
 01435   408   NtUserGetClassInfo  (1999896576, 1239688, 1239640, 1239716, 0, ... ) == 0xc047
 01436   408   NtUserUnregisterClass  (1239692, 1999896576, 1239680, ... ) == 0x1
 01437   408   NtUserGetClassInfo  (1999896576, 1239688, 1239640, 1239716, 0, ... ) == 0xc049
 01438   408   NtUserUnregisterClass  (1239692, 1999896576, 1239680, ... ) == 0x1
 01439   408   NtUserGetClassInfo  (1999896576, 1239688, 1239640, 1239716, 0, ... ) == 0xc04b
 01440   408   NtUserUnregisterClass  (1239692, 1999896576, 1239680, ... ) == 0x1
 01441   408   NtUserGetClassInfo  (1999896576, 1239688, 1239640, 1239716, 0, ... ) == 0xc04d
 01442   408   NtUserUnregisterClass  (1239692, 1999896576, 1239680, ... ) == 0x1
 01443   408   NtUserGetClassInfo  (1999896576, 1239688, 1239640, 1239716, 0, ... ) == 0xc04f
 01444   408   NtUserUnregisterClass  (1239692, 1999896576, 1239680, ... ) == 0x1
 01445   408   NtUserGetClassInfo  (1999896576, 1239688, 1239640, 1239716, 0, ... ) == 0xc051
 01446   408   NtUserUnregisterClass  (1239692, 1999896576, 1239680, ... ) == 0x1
 01447   408   NtUserGetClassInfo  (1999896576, 1239688, 1239640, 1239716, 0, ... ) == 0xc053
 01448   408   NtUserUnregisterClass  (1239692, 1999896576, 1239680, ... ) == 0x1
 01449   408   NtUserGetClassInfo  (1999896576, 1239688, 1239640, 1239716, 0, ... ) == 0xc057
 01450   408   NtUserUnregisterClass  (1239692, 1999896576, 1239680, ... ) == 0x1
 01451   408   NtUserGetClassInfo  (1999896576, 1239688, 1239640, 1239716, 0, ... ) == 0xc059
 01452   408   NtUserUnregisterClass  (1239692, 1999896576, 1239680, ... ) == 0x1
 01453   408   NtUserGetClassInfo  (1999896576, 1239688, 1239640, 1239716, 0, ... ) == 0xc05b
 01454   408   NtUserUnregisterClass  (1239692, 1999896576, 1239680, ... ) == 0x1
 01455   408   NtUserGetClassInfo  (1999896576, 1239688, 1239640, 1239716, 0, ... ) == 0xc05d
 01456   408   NtUserUnregisterClass  (1239692, 1999896576, 1239680, ... ) == 0x1
 01457   408   NtUserGetClassInfo  (1999896576, 1239688, 1239640, 1239716, 0, ... ) == 0xc05f
 01458   408   NtUserUnregisterClass  (1239692, 1999896576, 1239680, ... ) == 0x1
 01459   408   NtUserGetClassInfo  (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc03b
 01460   408   NtUserUnregisterClass  (1239692, 1905590272, 1239680, ... ) == 0x1
 01461   408   NtUserGetClassInfo  (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc03d
 01462   408   NtUserUnregisterClass  (1239692, 1905590272, 1239680, ... ) == 0x1
 01463   408   NtUserGetClassInfo  (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc03f
 01464   408   NtUserUnregisterClass  (1239692, 1905590272, 1239680, ... ) == 0x1
 01465   408   NtUserGetClassInfo  (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc041
 01466   408   NtUserUnregisterClass  (1239692, 1905590272, 1239680, ... ) == 0x1
 01467   408   NtUserGetClassInfo  (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc043
 01468   408   NtUserUnregisterClass  (1239692, 1905590272, 1239680, ... ) == 0x1
 01469   408   NtUserGetClassInfo  (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc045
 01470   408   NtUserUnregisterClass  (1239692, 1905590272, 1239680, ... ) == 0x1
 01471   408   NtUserGetClassInfo  (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc047
 01472   408   NtUserUnregisterClass  (1239692, 1905590272, 1239680, ... ) == 0x1
 01473   408   NtUserGetClassInfo  (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc049
 01474   408   NtUserUnregisterClass  (1239692, 1905590272, 1239680, ... ) == 0x1
 01475   408   NtUserGetClassInfo  (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc04b
 01476   408   NtUserUnregisterClass  (1239692, 1905590272, 1239680, ... ) == 0x1
 01477   408   NtUserGetClassInfo  (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc04d
 01478   408   NtUserUnregisterClass  (1239692, 1905590272, 1239680, ... ) == 0x1
 01479   408   NtUserGetClassInfo  (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc04f
 01480   408   NtUserUnregisterClass  (1239692, 1905590272, 1239680, ... ) == 0x1
 01481   408   NtUserGetClassInfo  (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc051
 01482   408   NtUserUnregisterClass  (1239692, 1905590272, 1239680, ... ) == 0x1
 01483   408   NtUserGetClassInfo  (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc053
 01484   408   NtUserUnregisterClass  (1239692, 1905590272, 1239680, ... ) == 0x1
 01485   408   NtUserGetClassInfo  (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc057
 01486   408   NtUserUnregisterClass  (1239692, 1905590272, 1239680, ... ) == 0x1
 01487   408   NtUserGetClassInfo  (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc059
 01488   408   NtUserUnregisterClass  (1239692, 1905590272, 1239680, ... ) == 0x1
 01489   408   NtUserGetClassInfo  (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc05b
 01490   408   NtUserUnregisterClass  (1239692, 1905590272, 1239680, ... ) == 0x1
 01491   408   NtUserGetClassInfo  (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc05d
 01492   408   NtUserUnregisterClass  (1239692, 1905590272, 1239680, ... ) == 0x1
 01493   408   NtUserGetClassInfo  (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc05f
 01494   408   NtUserUnregisterClass  (1239692, 1905590272, 1239680, ... ) == 0x1
 01495   408   NtUserGetClassInfo  (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc017
 01496   408   NtUserUnregisterClass  (1239692, 1905590272, 1239680, ... ) == 0x1
 01497   408   NtUserGetClassInfo  (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc019
 01498   408   NtUserUnregisterClass  (1239692, 1905590272, 1239680, ... ) == 0x1
 01499   408   NtUserGetClassInfo  (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc018
 01500   408   NtUserUnregisterClass  (1239692, 1905590272, 1239680, ... ) == 0x1
 01501   408   NtUserGetClassInfo  (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc01a
 01502   408   NtUserUnregisterClass  (1239692, 1905590272, 1239680, ... ) == 0x1
 01503   408   NtUserGetClassInfo  (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc01c
 01504   408   NtUserUnregisterClass  (1239692, 1905590272, 1239680, ... ) == 0x1
 01505   408   NtUserGetClassInfo  (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc01e
 01506   408   NtUserUnregisterClass  (1239692, 1905590272, 1239680, ... ) == 0x1
 01507   408   NtUserGetClassInfo  (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc01b
 01508   408   NtUserUnregisterClass  (1239692, 1905590272, 1239680, ... ) == 0x1
 01509   408   NtUserGetClassInfo  (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc068
 01510   408   NtUserUnregisterClass  (1239692, 1905590272, 1239680, ... ) == 0x1
 01511   408   NtUserGetClassInfo  (1905590272, 1239688, 1239640, 1239716, 0, ... ) == 0xc06a
 01512   408   NtUserUnregisterClass  (1239692, 1905590272, 1239680, ... ) == 0x1
 01513   408   NtUnmapViewOfSection  (-1, 0x890000, ... ) == 0x0
 01514   408   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x6,}, 4, ... ) == 0x0
 01515   408   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x5,}, 4, ... ) == 0x0
 01516   408   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x2,}, 4, ... ) == 0x0
 01517   408   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x3,}, 4, ... ) == 0x0
 01518   408   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x4,}, 4, ... ) == 0x0
 01519   408   NtClose  (112, ... ) == 0x0
 01520   408   NtFreeVirtualMemory  (-1, (0x0), 0, 32768, ... ) == STATUS_MEMORY_NOT_ALLOCATED
 01521   408   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 1398559575, 1702130553, 1546793837, 1634956140}  (24, {20, 48, new_msg, 0, 1398559575, 1702130553, 1546793837, 1634956140} "\0\0\0\0\3\0\1\0$\354\22\0\342\363@\0\0\0\0\0" ... {20, 48, reply, 0, 404, 408, 1577, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\342\363@\0\0\0\0\0" )  ... {20, 48, reply, 0, 404, 408, 1577, 0}  (24, {20, 48, new_msg, 0, 1398559575, 1702130553, 1546793837, 1634956140} "\0\0\0\0\3\0\1\0$\354\22\0\342\363@\0\0\0\0\0" ... {20, 48, reply, 0, 404, 408, 1577, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\342\363@\0\0\0\0\0" )  ) == 0x0
 01522   408   NtTerminateProcess  (-1, 0, ...
 01523   408   NtClose  (44, ... ) == 0x0
NtAccessCheck(>)	1	NtSetInformationProcess(>)	1	NtUserCallNoParam(>)	3	NtQueryDebugFilterState(>)	15
NtAddAtom(>)	1	NtTestAlert(>)	1	NtUserCallOneParam(>)	3	NtDeviceIoControlFile(>)	16
NtCallbackReturn(>)	1	NtUserBuildNameList(>)	1	NtUserGetWindowDC(>)	3	NtQueryInformationFile(>)	17
NtConnectPort(>)	1	NtUserCreateWindowEx(>)	1	NtUserOpenDesktop(>)	3	NtFlushInstructionCache(>)	18
NtCreateMutant(>)	1	NtUserGetAtomName(>)	1	NtUserRegisterWindowMessage(>)	3	NtUnmapViewOfSection(>)	19
NtDelayExecution(>)	1	NtUserGetDC(>)	1	NtOpenProcessToken(>)	4	NtCreateSection(>)	23
NtDuplicateObject(>)	1	NtUserGetGUIThreadInfo(>)	1	NtGdiGetStockObject(>)	5	NtOpenSection(>)	28
NtEnumerateValueKey(>)	1	NtUserGetThreadDesktop(>)	1	NtUserBuildHwndList(>)	5	NtQueryDefaultLocale(>)	29
NtFsControlFile(>)	1	NtGdiCreateSolidBrush(>)	2	NtUserGetProcessWindowStation(>)	5	NtOpenFile(>)	32
NtGdiCreateBitmap(>)	1	NtGdiDeleteObjectApp(>)	2	NtQueryVolumeInformationFile(>)	6	NtQueryAttributesFile(>)	38
NtGdiInit(>)	1	NtGdiHfontCreate(>)	2	NtQueryDefaultUILanguage(>)	8	NtQueryValueKey(>)	40
NtGdiQueryFontAssocInfo(>)	1	NtOpenDirectoryObject(>)	2	NtQueryVirtualMemory(>)	8	NtMapViewOfSection(>)	44
NtGdiSelectBitmap(>)	1	NtOpenEvent(>)	2	NtSetInformationThread(>)	8	NtAllocateVirtualMemory(>)	45
NtNotifyChangeKey(>)	1	NtQueryInstallUILanguage(>)	2	NtSetValueKey(>)	8	NtUserUnregisterClass(>)	46
NtOpenKeyedEvent(>)	1	NtTerminateProcess(>)	2	NtCreateFile(>)	10	NtUserFindExistingCursorIcon(>)	48
NtOpenMutant(>)	1	NtUserCloseDesktop(>)	2	NtCreateKey(>)	10	NtOpenKey(>)	59
NtOpenProcess(>)	1	NtUserGetObjectInformation(>)	2	NtOpenProcessTokenEx(>)	10	NtUserRegisterClassExWOW(>)	64
NtOpenSymbolicLinkObject(>)	1	NtWriteFile(>)	2	NtOpenThreadTokenEx(>)	10	NtReadFile(>)	68
NtOpenThreadToken(>)	1	NtContinue(>)	3	NtQuerySection(>)	10	NtQuerySystemInformation(>)	78
NtQueryFullAttributesFile(>)	1	NtCreateEvent(>)	3	NtRequestWaitReplyPort(>)	10	NtUserGetClassInfo(>)	82
NtQueryObject(>)	1	NtCreateSemaphore(>)	3	NtSetInformationFile(>)	10	NtUserQueryWindow(>)	128
NtQuerySymbolicLinkObject(>)	1	NtGdiCreateCompatibleDC(>)	3	NtUserSystemParametersInfo(>)	11	NtClose(>)	140
NtRegisterThreadTerminatePort(>)	1	NtQueryInformationProcess(>)	3	NtFreeVirtualMemory(>)	13	NtProtectVirtualMemory(>)	215
NtSecureConnectPort(>)	1	NtSetInformationObject(>)	3	NtQueryInformationToken(>)	14