Summary:


NtAddAtom(>)  1 
NtUserGetObjectInformation(>)  1 
NtContinue(>)  4 
NtSetInformationFile(>)  24 

NtAdjustPrivilegesToken(>)  1 
NtUserGetThreadDesktop(>)  1 
NtCreateSemaphore(>)  4 
NtDeviceIoControlFile(>)  26 

NtCallbackReturn(>)  1 
NtCreateIoCompletion(>)  2 
NtDuplicateObject(>)  4 
NtCreateSection(>)  30 

NtConnectPort(>)  1 
NtCreateThread(>)  2 
NtFsControlFile(>)  4 
NtOpenProcess(>)  30 

NtCreateMutant(>)  1 
NtGdiCreateSolidBrush(>)  2 
NtOpenThreadToken(>)  4 
NtQueryDefaultLocale(>)  30 

NtDuplicateToken(>)  1 
NtGdiDeleteObjectApp(>)  2 
NtSetEvent(>)  4 
NtQueryVirtualMemory(>)  36 

NtEnumerateValueKey(>)  1 
NtGdiHfontCreate(>)  2 
NtGdiGetStockObject(>)  5 
NtOpenFile(>)  44 

NtGdiCreateBitmap(>)  1 
NtOpenDirectoryObject(>)  2 
NtUserBuildHwndList(>)  5 
NtUserUnregisterClass(>)  47 

NtGdiInit(>)  1 
NtRegisterThreadTerminatePort(>)  2 
NtUserGetProcessWindowStation(>)  5 
NtUserGetAtomName(>)  48 

NtGdiQueryFontAssocInfo(>)  1 
NtResumeThread(>)  2 
NtQueryVolumeInformationFile(>)  6 
NtQueryValueKey(>)  49 

NtGdiSelectBitmap(>)  1 
NtSetEventBoostPriority(>)  2 
NtFreeVirtualMemory(>)  8 
NtAllocateVirtualMemory(>)  50 

NtNotifyChangeKey(>)  1 
NtSetInformationProcess(>)  2 
NtOpenProcessToken(>)  8 
NtUserFindExistingCursorIcon(>)  50 

NtOpenEvent(>)  1 
NtTestAlert(>)  2 
NtSetValueKey(>)  8 
NtUnmapViewOfSection(>)  58 

NtOpenKeyedEvent(>)  1 
NtWaitForSingleObject(>)  2 
NtCreateKey(>)  9 
NtOpenSection(>)  59 

NtOpenSymbolicLinkObject(>)  1 
NtDelayExecution(>)  3 
NtQueryDefaultUILanguage(>)  10 
NtQueryAttributesFile(>)  61 

NtQueryFullAttributesFile(>)  1 
NtGdiCreateCompatibleDC(>)  3 
NtQuerySection(>)  10 
NtUserRegisterClassExWOW(>)  62 

NtQueryInformationThread(>)  1 
NtQueryPerformanceCounter(>)  3 
NtQueryInformationProcess(>)  11 
NtReadFile(>)  79 

NtQueryInstallUILanguage(>)  1 
NtSetInformationObject(>)  3 
NtSetInformationThread(>)  11 
NtQuerySystemInformation(>)  81 

NtQueryObject(>)  1 
NtTerminateProcess(>)  3 
NtUserSystemParametersInfo(>)  12 
NtOpenKey(>)  97 

NtQuerySymbolicLinkObject(>)  1 
NtUserCallNoParam(>)  3 
NtOpenProcessTokenEx(>)  13 
NtFlushInstructionCache(>)  103 

NtQuerySystemTime(>)  1 
NtUserCallOneParam(>)  3 
NtOpenThreadTokenEx(>)  13 
NtWriteVirtualMemory(>)  116 

NtSecureConnectPort(>)  1 
NtUserGetWindowDC(>)  3 
NtRequestWaitReplyPort(>)  14 
NtMapViewOfSection(>)  117 

NtUserBuildNameList(>)  1 
NtUserOpenDesktop(>)  3 
NtCreateEvent(>)  15 
NtUserValidateHandleSecure(>)  130 

NtUserCloseDesktop(>)  1 
NtUserRegisterWindowMessage(>)  3 
NtQueryDebugFilterState(>)  16 
NtUserQueryWindow(>)  160 

NtUserCreateWindowEx(>)  1 
NtWaitForMultipleObjects(>)  3 
NtQueryInformationToken(>)  17 
NtClose(>)  245 

NtUserGetDC(>)  1 
NtWriteFile(>)  3 
NtCreateFile(>)  19 
NtProtectVirtualMemory(>)  334 

NtUserGetGUIThreadInfo(>)  1 
NtAccessCheck(>)  4 
NtQueryInformationFile(>)  24 

Trace:
 00001   464   NtOpenFile  (0x80100000, {24, 0, 0x240, 0, 0,  (0x80100000, {24, 0, 0x240, 0, 0, "\SystemRoot\Prefetch\PACKED.EXE-09ED06A1.pf"}, 0, 32, ... ) }, 0, 32, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002   464   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00003   464   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00004   464   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00005   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0
 00006   464   NtAllocateVirtualMemory  (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0
 00007   464   NtAllocateVirtualMemory  (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0
 00008   464   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00009   464   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0
 00010   464   NtAllocateVirtualMemory  (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0
 00011   464   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00012   464   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00013   464   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00014   464   NtClose  (12, ... ) == 0x0
 00015   464   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\C:\scripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00016   464   NtQueryVolumeInformationFile  (12, 1243852, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00017   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243804, ... ) }, 1243804, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018   464   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019   464   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7c800000), 0x0, 1003520, ) == 0x0
 00020   464   NtClose  (16, ... ) == 0x0
 00021   464   NtProtectVirtualMemory  (-1, (0x7c801000), 1568, 4, ... (0x7c801000), 4096, 32, ) == 0x0
 00022   464   NtProtectVirtualMemory  (-1, (0x7c801000), 4096, 32, ... (0x7c801000), 4096, 4, ) == 0x0
 00023   464   NtFlushInstructionCache  (-1, 2088767488, 1568, ... ) == 0x0
 00024   464   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00025   464   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00026   464   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00027   464   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00028   464   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) == 0x0
 00029   464   NtClose  (16, ... ) == 0x0
 00030   464   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00031   464   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00032   464   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00033   464   NtQueryVirtualMemory  (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00034   464   NtAllocateVirtualMemory  (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0
 00035   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184}  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6\31\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 1036, 464, 57928, 0} "`\375\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ... {28, 56, reply, 0, 1036, 464, 57928, 0}  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6\31\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 1036, 464, 57928, 0} "`\375\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ) == 0x0
 00036   464   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00037   464   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00038   464   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00039   464   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00040   464   NtClose  (16, ... ) == 0x0
 00041   464   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 16, ) }, ... 16, ) == 0x0
 00042   464   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0
 00043   464   NtClose  (16, ... ) == 0x0
 00044   464   NtQueryDefaultLocale  (0, 2089305000, ... ) == 0x0
 00045   464   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 16, ) }, ... 16, ) == 0x0
 00046   464   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 249856, ) == 0x0
 00047   464   NtClose  (16, ... ) == 0x0
 00048   464   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 16, ) }, ... 16, ) == 0x0
 00049   464   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0
 00050   464   NtQuerySection  (16, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00051   464   NtClose  (16, ... ) == 0x0
 00052   464   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 16, ) }, ... 16, ) == 0x0
 00053   464   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0
 00054   464   NtClose  (16, ... ) == 0x0
 00055   464   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00056   464   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00057   464   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00058   464   NtAllocateVirtualMemory  (-1, 2428928, 0, 8192, 4096, 4, ... 2428928, 8192, ) == 0x0
 00059   464   NtRequestWaitReplyPort  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776}  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6\31\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" ... {24, 52, reply, 0, 1036, 464, 57929, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" )  ... {24, 52, reply, 0, 1036, 464, 57929, 0}  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6\31\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" ... {24, 52, reply, 0, 1036, 464, 57929, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" )  ) == 0x0
 00060   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0}  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 1036, 464, 57930, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ... {28, 56, reply, 0, 1036, 464, 57930, 0}  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 1036, 464, 57930, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ) == 0x0
 00061   464   NtProtectVirtualMemory  (-1, (0x422000), 78437, 4, ... (0x422000), 81920, 128, ) == 0x0
 00062   464   NtProtectVirtualMemory  (-1, (0x422000), 81920, 128, ... (0x422000), 81920, 8, ) == 0x0
 00063   464   NtFlushInstructionCache  (-1, 4333568, 78437, ... ) == 0x0
 00064   464   NtQueryInformationProcess  (-1, 37, 48, ... {process info, class 37, size 48}, 0x0, ) == 0x0
 00065   464   NtSetInformationProcess  (-1, 34, {process info, class 34, size 4}, 4, ... ) == 0x0
 00066   464   NtOpenProcessToken  (-1, 0x8, ... 16, ) == 0x0
 00067   464   NtQueryInformationToken  (16, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00068   464   NtClose  (16, ... ) == 0x0
 00069   464   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00070   464   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00071   464   NtClose  (16, ... ) == 0x0
 00072   464   NtTestAlert  (... ) == 0x0
 00073   464   NtContinue  (1244464, 1, ...
 00074   464   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x42e265,}, 4, ... ) == 0x0
 00075   464   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 16, ) }, ... 16, ) == 0x0
 00076   464   NtQueryValueKey  (16,  (16, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00077   464   NtClose  (16, ... ) == 0x0
 00078   464   NtAllocateVirtualMemory  (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0
 00079   464   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, ".dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00080   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\.dll"}, 1242936, ... ) }, 1242936, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00081   464   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 00082   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\.dll"}, 1242936, ... ) }, 1242936, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00083   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\.dll"}, 1242936, ... ) }, 1242936, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00084   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\.dll"}, 1242936, ... ) }, 1242936, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00085   464   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, ".dll"}, 1242936, ... ) }, 1242936, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00086   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDDK\3790~1.183\bin\x86\.dll"}, 1242936, ... ) }, 1242936, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00087   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDDK\3790~1.183\bin\.dll"}, 1242936, ... ) }, 1242936, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00088   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDDK\3790~1.183\bin\x86\drvfast\scripts\.dll"}, 1242936, ... ) }, 1242936, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00089   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Perl\site\bin\.dll"}, 1242936, ... ) }, 1242936, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00090   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Perl\bin\.dll"}, 1242936, ... ) }, 1242936, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00091   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\.dll"}, 1242936, ... ) }, 1242936, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00092   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\.dll"}, 1242936, ... ) }, 1242936, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00093   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Wbem\.dll"}, 1242936, ... ) }, 1242936, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00094   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\kktools\.dll"}, 1242936, ... ) }, 1242936, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00095   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\Microsoft Visual Studio\Common\Tools\WinNT\.dll"}, 1242936, ... ) }, 1242936, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00096   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\Microsoft Visual Studio\Common\MSDev98\Bin\.dll"}, 1242936, ... ) }, 1242936, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00097   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\Microsoft Visual Studio\Common\Tools\.dll"}, 1242936, ... ) }, 1242936, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00098   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\Microsoft Visual Studio\VC98\bin\.dll"}, 1242936, ... ) }, 1242936, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00099   464   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 16, ) }, ... 16, ) == 0x0
 00100   464   NtCreateEvent  (0x1f0003, {24, 16, 0x80, 1245092, 0,  (0x1f0003, {24, 16, 0x80, 1245092, 0, "VT_3"}, 1, 0, ... 28, ) }, 1, 0, ... 28, ) == 0x0
 00101   464   NtCreateSection  (0xe, {24, 0, 0x40, 1245092, 0,  (0xe, {24, 0, 0x40, 1245092, 0, "\BaseNamedObjects\W32_Virtu"}, {27086, 0}, 64, 134217728, 0, ... 32, ) }, {27086, 0}, 64, 134217728, 0, ... 32, ) == 0x0
 00102   464   NtMapViewOfSection  (32, -1, (0x0), 0, 27086, 0x0, 27086, 2, 0, 64, ... (0x320000), 0x0, 28672, ) == 0x0
 00103   464   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.DLL"}, ... 36, ) }, ... 36, ) == 0x0
 00104   464   NtMapViewOfSection  (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 634880, ) == 0x0
 00105   464   NtClose  (36, ... ) == 0x0
 00106   464   NtProtectVirtualMemory  (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0
 00107   464   NtProtectVirtualMemory  (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0
 00108   464   NtFlushInstructionCache  (-1, 2010976256, 1700, ... ) == 0x0
 00109   464   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 36, ) }, ... 36, ) == 0x0
 00110   464   NtMapViewOfSection  (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e70000), 0x0, 593920, ) == 0x0
 00111   464   NtClose  (36, ... ) == 0x0
 00112   464   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00113   464   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00114   464   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00115   464   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00116   464   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00117   464   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00118   464   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00119   464   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00120   464   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00121   464   NtProtectVirtualMemory  (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0
 00122   464   NtProtectVirtualMemory  (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0
 00123   464   NtFlushInstructionCache  (-1, 2010976256, 1700, ... ) == 0x0
 00124   464   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00125   464   NtAllocateVirtualMemory  (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0
 00126   464   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADVAPI32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00127   464   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 36, ) }, ... 36, ) == 0x0
 00128   464   NtQueryValueKey  (36,  (36, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (36, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00129   464   NtQueryValueKey  (36,  (36, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (36, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00130   464   NtClose  (36, ... ) == 0x0
 00131   464   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 36, ) }, ... 36, ) == 0x0
 00132   464   NtQueryValueKey  (36,  (36, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00133   464   NtClose  (36, ... ) == 0x0
 00134   464   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 36, ) }, ... 36, ) == 0x0
 00135   464   NtSetInformationObject  (36, Handle, {Inherit=0,ProtectFromClose=1,}, 2011431168, ... ) == 0x0
 00136   464   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00137   464   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00138   464   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00139   464   NtOpenProcessToken  (-1, 0x20, ... 40, ) == 0x0
 00140   464   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00141   464   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00142   464   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 44, ) }, ... 44, ) == 0x0
 00143   464   NtQueryValueKey  (44,  (44, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00144   464   NtClose  (44, ... ) == 0x0
 00145   464   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00146   464   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 44, ) == 0x0
 00147   464   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 48, ) == 0x0
 00148   464   NtQuerySystemTime  (... {-618754578, 29915142}, ) == 0x0
 00149   464   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 52, ) == 0x0
 00150   464   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00151   464   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0
 00152   464   NtQueryInformationProcess  (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0
 00153   464   NtQueryInformationProcess  (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0
 00154   464   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 56, ) == 0x0
 00155   464   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 60, ) == 0x0
 00156   464   NtAllocateVirtualMemory  (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0
 00157   464   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 64, ) }, ... 64, ) == 0x0
 00158   464   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "ActiveComputerName"}, ... 68, ) }, ... 68, ) == 0x0
 00159   464   NtQueryValueKey  (68,  (68, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (68, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Data= (68, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) }, 60, ) == 0x0
 00160   464   NtClose  (68, ... ) == 0x0
 00161   464   NtClose  (64, ... ) == 0x0
 00162   464   NtCreateIoCompletion  (0x1f0003, 0x0, 0, ... 64, ) == 0x0
 00163   464   NtCreateIoCompletion  (0x1f0003, 0x0, -1, ... 68, ) == 0x0
 00164   464   NtDuplicateObject  (-1, 64, -1, 0x0, 0, 2, ... 72, ) == 0x0
 00165   464   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 00166   464   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 76, ) == 0x0
 00167   464   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 00168   464   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 00169   464   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1243252,  (0xc0100080, {24, 0, 0x40, 0, 1243252, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 80, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 80, {status=0x0, info=1}, ) == 0x0
 00170   464   NtSetInformationFile  (80, 1243308, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 00171   464   NtSetInformationFile  (80, 1243296, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 00172   464   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 00173   464   NtWriteFile  (80, 57, 0, 0,  (80, 57, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 00174   464   NtAllocateVirtualMemory  (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0
 00175   464   NtReadFile  (80, 57, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (80, 57, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20++\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 00176   464   NtFsControlFile  (80, 57, 0x0, 0x0, 0x11c017,  (80, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0<\377\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20++\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (80, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0<\377\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20++\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 00177   464   NtFsControlFile  (80, 57, 0x0, 0x0, 0x11c017,  (80, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\2\0\0\0H\0\0\0\0\0\37\0\0\0\0\0\266\275.l\215\373FC\227[\347p\214Nse \0"\0PD\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 96, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\266\275.l\215\373FC\227[\347p\214Nse\0\0\0\0", ) \0PD\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0 (80, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\2\0\0\0H\0\0\0\0\0\37\0\0\0\0\0\266\275.l\215\373FC\227[\347p\214Nse \0"\0PD\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 96, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\266\275.l\215\373FC\227[\347p\214Nse\0\0\0\0", ) \5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\266\275.l\215\373FC\227[\347p\214Nse\0\0\0\0", ) == 0x103
 00178   464   NtFsControlFile  (80, 57, 0x0, 0x0, 0x11c017,  (80, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\266\275.l\215\373FC\227[\347p\214Nse", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=36},  (80, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\266\275.l\215\373FC\227[\347p\214Nse", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 00179   464   NtClose  (76, ... ) == 0x0
 00180   464   NtClose  (80, ... ) == 0x0
 00181   464   NtAdjustPrivilegesToken  (40, 0, 1245096, 0, 0, 0, ... ) == 0x0
 00182   464   NtClose  (40, ... ) == 0x0
 00183   464   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 4096, 4, ... 3342336, 65536, ) == 0x0
 00184   464   NtQuerySystemInformation  (ProcessesAndThreads, 65536, ... {system info, class 5, size 500}, 0x0, ) == 0x0
 00185   464   NtCreateSection  (0xf0007, 0x0, {18400, 0}, 4, 134217728, 0, ... 40, ) == 0x0
 00186   464   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x340000), {0, 0}, 20480, ) == 0x0
 00187   464   NtUnmapViewOfSection  (-1, 0x340000, ... ) == 0x0
 00188   464   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x340000), {0, 0}, 20480, ) == 0x0
 00189   464   NtFreeVirtualMemory  (-1, (0x330000), 0, 32768, ... (0x330000), 65536, ) == 0x0
 00190   464   NtUnmapViewOfSection  (-1, 0x340000, ... ) == 0x0
 00191   464   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00192   464   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00193   464   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00194   464   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00195   464   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00196   464   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00197   464   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00198   464   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00199   464   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00200   464   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00201   464   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {580, 0}, ... 80, ) == 0x0
 00202   464   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 76, ) }, ... 76, ) == 0x0
 00203   464   NtMapViewOfSection  (76, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ff90000), 0x0, 28672, ) == 0x0
 00204   464   NtClose  (76, ... ) == 0x0
 00205   464   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00206   464   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00207   464   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00208   464   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00209   464   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00210   464   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Lh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00211   464   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00212   464   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Lh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00213   464   NtAllocateVirtualMemory  (80, 0, 0, 1048576, 8192, 4, ... 27852800, 1048576, ) == 0x0
 00214   464   NtAllocateVirtualMemory  (80, 28893184, 0, 8192, 4096, 4, ... 28893184, 8192, ) == 0x0
 00215   464   NtProtectVirtualMemory  (80, (0x1b8e000), 4096, 260, ... (0x1b8e000), 4096, 4, ) == 0x0
 00216   464   NtCreateThread  (0x1f03ff, 0x0, 80, 1243840, 1243784, 1, ... 76, {580, 860}, ) == 0x0
 00217   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0L\0\0\0D\2\0\0\\3\0\0" ... {28, 56, reply, 0, 1036, 464, 57931, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0L\0\0\0D\2\0\0\\3\0\0" )  ... {28, 56, reply, 0, 1036, 464, 57931, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0L\0\0\0D\2\0\0\\3\0\0" ... {28, 56, reply, 0, 1036, 464, 57931, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0L\0\0\0D\2\0\0\\3\0\0" )  ) == 0x0
 00218   464   NtResumeThread  (76, ... 1, ) == 0x0
 00219   464   NtDelayExecution  (0, {-100000, -1}, ... ) == 0x0
 00220   464   NtDelayExecution  (0, {-100000, -1}, ... ) == 0x0
 00221   464   NtClose  (80, ... ) == 0x0
 00222   464   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00223   464   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00224   464   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {640, 0}, ... 80, ) == 0x0
 00225   464   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00226   464   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ff90000), 0x0, 28672, ) == 0x0
 00227   464   NtClose  (84, ... ) == 0x0
 00228   464   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00229   464   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00230   464   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00231   464   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00232   464   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00233   464   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Lh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00234   464   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00235   464   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Lh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00236   464   NtClose  (80, ... ) == 0x0
 00237   464   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00238   464   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00239   464   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {652, 0}, ... 80, ) == 0x0
 00240   464   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00241   464   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ff90000), 0x0, 28672, ) == 0x0
 00242   464   NtClose  (84, ... ) == 0x0
 00243   464   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00244   464   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00245   464   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00246   464   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00247   464   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00248   464   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Lh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00249   464   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00250   464   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Lh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00251   464   NtClose  (80, ... ) == 0x0
 00252   464   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00253   464   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00254   464   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {816, 0}, ... 80, ) == 0x0
 00255   464   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00256   464   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00257   464   NtClose  (84, ... ) == 0x0
 00258   464   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00259   464   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00260   464   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00261   464   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00262   464   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00263   464   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00264   464   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00265   464   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00266   464   NtClose  (80, ... ) == 0x0
 00267   464   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00268   464   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00269   464   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {904, 0}, ... 80, ) == 0x0
 00270   464   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00271   464   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00272   464   NtClose  (84, ... ) == 0x0
 00273   464   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00274   464   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00275   464   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00276   464   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00277   464   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00278   464   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00279   464   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00280   464   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00281   464   NtClose  (80, ... ) == 0x0
 00282   464   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00283   464   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00284   464   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1000, 0}, ... 80, ) == 0x0
 00285   464   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00286   464   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ff50000), 0x0, 28672, ) == 0x0
 00287   464   NtClose  (84, ... ) == 0x0
 00288   464   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00289   464   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Md\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00290   464   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00291   464   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fd\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00292   464   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00293   464   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Ld\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00294   464   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00295   464   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Ld\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00296   464   NtClose  (80, ... ) == 0x0
 00297   464   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00298   464   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00299   464   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1044, 0}, ... 80, ) == 0x0
 00300   464   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00301   464   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00302   464   NtClose  (84, ... ) == 0x0
 00303   464   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00304   464   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00305   464   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00306   464   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00307   464   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00308   464   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00309   464   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00310   464   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00311   464   NtClose  (80, ... ) == 0x0
 00312   464   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00313   464   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00314   464   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1196, 0}, ... 80, ) == 0x0
 00315   464   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00316   464   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00317   464   NtClose  (84, ... ) == 0x0
 00318   464   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00319   464   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00320   464   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00321   464   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00322   464   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00323   464   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00324   464   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00325   464   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00326   464   NtClose  (80, ... ) == 0x0
 00327   464   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00328   464   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00329   464   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1468, 0}, ... 80, ) == 0x0
 00330   464   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00331   464   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00332   464   NtClose  (84, ... ) == 0x0
 00333   464   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00334   464   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00335   464   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00336   464   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00337   464   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00338   464   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00339   464   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00340   464   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00341   464   NtClose  (80, ... ) == 0x0
 00342   464   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00343   464   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00344   464   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1720, 0}, ... 80, ) == 0x0
 00345   464   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00346   464   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00347   464   NtClose  (84, ... ) == 0x0
 00348   464   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00349   464   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00350   464   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00351   464   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00352   464   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00353   464   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00354   464   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00355   464   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00356   464   NtClose  (80, ... ) == 0x0
 00357   464   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00358   464   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00359   464   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1888, 0}, ... 80, ) == 0x0
 00360   464   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00361   464   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00362   464   NtClose  (84, ... ) == 0x0
 00363   464   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00364   464   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00365   464   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00366   464   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00367   464   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00368   464   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00369   464   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00370   464   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00371   464   NtClose  (80, ... ) == 0x0
 00372   464   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00373   464   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00374   464   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {2024, 0}, ... 80, ) == 0x0
 00375   464   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00376   464   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00377   464   NtClose  (84, ... ) == 0x0
 00378   464   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00379   464   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00380   464   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00381   464   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00382   464   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00383   464   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00384   464   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00385   464   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00386   464   NtClose  (80, ... ) == 0x0
 00387   464   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00388   464   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00389   464   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {180, 0}, ... 80, ) == 0x0
 00390   464   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00391   464   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00392   464   NtClose  (84, ... ) == 0x0
 00393   464   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00394   464   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00395   464   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00396   464   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00397   464   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00398   464   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00399   464   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00400   464   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00401   464   NtClose  (80, ... ) == 0x0
 00402   464   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00403   464   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00404   464   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {196, 0}, ... 80, ) == 0x0
 00405   464   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00406   464   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00407   464   NtClose  (84, ... ) == 0x0
 00408   464   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00409   464   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00410   464   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00411   464   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00412   464   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00413   464   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00414   464   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00415   464   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00416   464   NtClose  (80, ... ) == 0x0
 00417   464   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00418   464   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00419   464   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {160, 0}, ... 80, ) == 0x0
 00420   464   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00421   464   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00422   464   NtClose  (84, ... ) == 0x0
 00423   464   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00424   464   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00425   464   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00426   464   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00427   464   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00428   464   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00429   464   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00430   464   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00431   464   NtClose  (80, ... ) == 0x0
 00432   464   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00433   464   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00434   464   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {260, 0}, ... 80, ) == 0x0
 00435   464   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00436   464   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00437   464   NtClose  (84, ... ) == 0x0
 00438   464   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00439   464   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00440   464   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00441   464   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00442   464   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00443   464   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00444   464   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00445   464   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00446   464   NtClose  (80, ... ) == 0x0
 00447   464   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00448   464   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00449   464   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {288, 0}, ... 80, ) == 0x0
 00450   464   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00451   464   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00452   464   NtClose  (84, ... ) == 0x0
 00453   464   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00454   464   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00455   464   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00456   464   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00457   464   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00458   464   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00459   464   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00460   464   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00461   464   NtClose  (80, ... ) == 0x0
 00462   464   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00463   464   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00464   464   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {412, 0}, ... 80, ) == 0x0
 00465   464   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00466   464   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00467   464   NtClose  (84, ... ) == 0x0
 00468   464   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00469   464   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00470   464   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00471   464   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00472   464   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00473   464   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00474   464   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00475   464   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00476   464   NtClose  (80, ... ) == 0x0
 00477   464   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00478   464   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00479   464   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1408, 0}, ... 80, ) == 0x0
 00480   464   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00481   464   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00482   464   NtClose  (84, ... ) == 0x0
 00483   464   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00484   464   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00485   464   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00486   464   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00487   464   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00488   464   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00489   464   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00490   464   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00491   464   NtClose  (80, ... ) == 0x0
 00492   464   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00493   464   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00494   464   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {556, 0}, ... 80, ) == 0x0
 00495   464   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00496   464   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00497   464   NtClose  (84, ... ) == 0x0
 00498   464   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00499   464   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00500   464   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00501   464   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00502   464   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00503   464   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00504   464   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00505   464   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00506   464   NtClose  (80, ... ) == 0x0
 00507   464   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00508   464   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00509   464   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1204, 0}, ... 80, ) == 0x0
 00510   464   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00511   464   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00512   464   NtClose  (84, ... ) == 0x0
 00513   464   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00514   464   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00515   464   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00516   464   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00517   464   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00518   464   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00519   464   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00520   464   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00521   464   NtClose  (80, ... ) == 0x0
 00522   464   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00523   464   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00524   464   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1452, 0}, ... 80, ) == 0x0
 00525   464   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00526   464   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00527   464   NtClose  (84, ... ) == 0x0
 00528   464   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00529   464   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00530   464   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00531   464   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00532   464   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00533   464   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00534   464   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00535   464   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00536   464   NtClose  (80, ... ) == 0x0
 00537   464   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00538   464   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00539   464   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1708, 0}, ... 80, ) == 0x0
 00540   464   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00541   464   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00542   464   NtClose  (84, ... ) == 0x0
 00543   464   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00544   464   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00545   464   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00546   464   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00547   464   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00548   464   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00549   464   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00550   464   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00551   464   NtClose  (80, ... ) == 0x0
 00552   464   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00553   464   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00554   464   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1180, 0}, ... 80, ) == 0x0
 00555   464   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00556   464   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00557   464   NtClose  (84, ... ) == 0x0
 00558   464   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00559   464   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00560   464   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00561   464   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00562   464   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00563   464   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00564   464   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00565   464   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00566   464   NtClose  (80, ... ) == 0x0
 00567   464   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00568   464   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00569   464   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1512, 0}, ... 80, ) == 0x0
 00570   464   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00571   464   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00572   464   NtClose  (84, ... ) == 0x0
 00573   464   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00574   464   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00575   464   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00576   464   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00577   464   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00578   464   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00579   464   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00580   464   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00581   464   NtClose  (80, ... ) == 0x0
 00582   464   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00583   464   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00584   464   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1028, 0}, ... 80, ) == 0x0
 00585   464   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00586   464   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00587   464   NtClose  (84, ... ) == 0x0
 00588   464   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00589   464   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00590   464   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00591   464   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00592   464   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00593   464   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00594   464   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00595   464   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00596   464   NtClose  (80, ... ) == 0x0
 00597   464   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00598   464   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00599   464   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1228, 0}, ... 80, ) == 0x0
 00600   464   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00601   464   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00602   464   NtClose  (84, ... ) == 0x0
 00603   464   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00604   464   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00605   464   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00606   464   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00607   464   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00608   464   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00609   464   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00610   464   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00611   464   NtClose  (80, ... ) == 0x0
 00612   464   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00613   464   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00614   464   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {928, 0}, ... 80, ) == 0x0
 00615   464   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00616   464   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00617   464   NtClose  (84, ... ) == 0x0
 00618   464   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00619   464   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00620   464   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00621   464   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00622   464   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00623   464   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00624   464   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00625   464   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00626   464   NtClose  (80, ... ) == 0x0
 00627   464   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00628   464   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00629   464   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1036, 0}, ... 80, ) == 0x0
 00630   464   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00631   464   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00632   464   NtClose  (84, ... ) == 0x0
 00633   464   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00634   464   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00635   464   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00636   464   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00637   464   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00638   464   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00639   464   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00640   464   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00641   464   NtClose  (80, ... ) == 0x0
 00642   464   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00643   464   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00644   464   NtClose  (40, ... ) == 0x0
 00645   464   NtClose  (28, ... ) == 0x0
 00646   464   NtProtectVirtualMemory  (-1, (0x400000), 512, 64, ... (0x400000), 4096, 2, ) == 0x0
 00647   464   NtProtectVirtualMemory  (-1, (0x401000), 135168, 64, ... (0x401000), 135168, 32, ) == 0x0
 00648   464   NtAllocateVirtualMemory  (-1, 0, 0, 181, 4096, 64, ... 3342336, 4096, ) == 0x0
 00649   464   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSVCRT.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00650   464   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 360448, ) == 0x0
 00651   464   NtClose  (28, ... ) == 0x0
 00652   464   NtProtectVirtualMemory  (-1, (0x77c11000), 632, 4, ... (0x77c11000), 4096, 32, ) == 0x0
 00653   464   NtProtectVirtualMemory  (-1, (0x77c11000), 4096, 32, ... (0x77c11000), 4096, 4, ) == 0x0
 00654   464   NtFlushInstructionCache  (-1, 2009141248, 632, ... ) == 0x0
 00655   464   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSVCRT.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00656   464   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00657   464   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3407872, 65536, ) == 0x0
 00658   464   NtAllocateVirtualMemory  (-1, 3407872, 0, 4096, 4096, 4, ... 3407872, 4096, ) == 0x0
 00659   464   NtAllocateVirtualMemory  (-1, 3411968, 0, 8192, 4096, 4, ... 3411968, 8192, ) == 0x0
 00660   464   NtAllocateVirtualMemory  (-1, 3420160, 0, 4096, 4096, 4, ... 3420160, 4096, ) == 0x0
 00661   464   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 28, ) }, ... 28, ) == 0x0
 00662   464   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x350000), 0x0, 12288, ) == 0x0
 00663   464   NtClose  (28, ... ) == 0x0
 00664   464   NtAllocateVirtualMemory  (-1, 3424256, 0, 4096, 4096, 4, ... 3424256, 4096, ) == 0x0
 00665   464   NtQueryVirtualMemory  (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 00666   464   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00667   464   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00668   464   NtQueryVirtualMemory  (-1, 0x0, Basic, 28, ... {BaseAddress=0x0,AllocationBase=0x0,AllocationProtect=0x0,RegionSize=0x10000,State=0x10000,Protect=0x1,Type=0x0,}, 28, ) == 0x0
 00669   464   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00670   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1242996, ... ) }, 1242996, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00671   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.dll"}, 1242996, ... ) }, 1242996, ... ) == 0x0
 00672   464   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.dll"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00673   464   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 28, ... 40, ) == 0x0
 00674   464   NtQuerySection  (40, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00675   464   NtOpenProcessToken  (-1, 0x8, ... 80, ) == 0x0
 00676   464   NtQueryInformationToken  (80, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00677   464   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00678   464   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 84, ) }, ... 84, ) == 0x0
 00679   464   NtQueryValueKey  (84,  (84, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (84, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00680   464   NtClose  (84, ... ) == 0x0
 00681   464   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00682   464   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 84, ) == 0x0
 00683   464   NtQueryInformationToken  (84, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00684   464   NtClose  (84, ... ) == 0x0
 00685   464   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00686   464   NtClose  (80, ... ) == 0x0
 00687   464   NtClose  (28, ... ) == 0x0
 00688   464   NtMapViewOfSection  (40, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 94208, ) == 0x0
 00689   464   NtClose  (40, ... ) == 0x0
 00690   464   NtProtectVirtualMemory  (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0
 00691   464   NtProtectVirtualMemory  (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0
 00692   464   NtFlushInstructionCache  (-1, 1907036160, 468, ... ) == 0x0
 00693   464   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00694   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1242180, ... ) }, 1242180, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00695   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 1242180, ... ) }, 1242180, ... ) == 0x0
 00696   464   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 5, 96, ... 40, {status=0x0, info=1}, ) }, 5, 96, ... 40, {status=0x0, info=1}, ) == 0x0
 00697   464   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 40, ... 28, ) == 0x0
 00698   464   NtQuerySection  (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00699   464   NtClose  (40, ... ) == 0x0
 00700   464   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00701   464   NtClose  (28, ... ) == 0x0
 00702   464   NtProtectVirtualMemory  (-1, (0x71aa1000), 352, 4, ... (0x71aa1000), 4096, 32, ) == 0x0
 00703   464   NtProtectVirtualMemory  (-1, (0x71aa1000), 4096, 32, ... (0x71aa1000), 4096, 4, ) == 0x0
 00704   464   NtFlushInstructionCache  (-1, 1906970624, 352, ... ) == 0x0
 00705   464   NtProtectVirtualMemory  (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0
 00706   464   NtProtectVirtualMemory  (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0
 00707   464   NtFlushInstructionCache  (-1, 1907036160, 468, ... ) == 0x0
 00708   464   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00709   464   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00710   464   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00711   464   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00712   464   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "USER32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00713   464   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7e410000), 0x0, 589824, ) == 0x0
 00714   464   NtClose  (28, ... ) == 0x0
 00715   464   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00716   464   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f10000), 0x0, 290816, ) == 0x0
 00717   464   NtClose  (28, ... ) == 0x0
 00718   464   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00719   464   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00720   464   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00721   464   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00722   464   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00723   464   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00724   464   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00725   464   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00726   464   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00727   464   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00728   464   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00729   464   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00730   464   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00731   464   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00732   464   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00733   464   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00734   464   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00735   464   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00736   464   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00737   464   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USER32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00738   464   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00739   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 1241664}  (24, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 1241664} "\210\6\31\1\0\0\0\0\270d\24\0h\1\24\0\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 1036, 464, 57990, 0} "\320G\26\0\0\0\0\0\0\0\0\0h\1\24\0\3\0\0\0\234\6\31\1$\1\0\0" )  ... {28, 56, reply, 0, 1036, 464, 57990, 0}  (24, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 1241664} "\210\6\31\1\0\0\0\0\270d\24\0h\1\24\0\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 1036, 464, 57990, 0} "\320G\26\0\0\0\0\0\0\0\0\0h\1\24\0\3\0\0\0\234\6\31\1$\1\0\0" )  ) == 0x0
 00740   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239056, ... ) }, 1239056, ... ) == 0x0
 00741   464   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00742   464   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 28, ... 40, ) == 0x0
 00743   464   NtClose  (28, ... ) == 0x0
 00744   464   NtMapViewOfSection  (40, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x360000), 0x0, 110592, ) == 0x0
 00745   464   NtClose  (40, ... ) == 0x0
 00746   464   NtUnmapViewOfSection  (-1, 0x360000, ... ) == 0x0
 00747   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1238964, ... ) }, 1238964, ... ) == 0x0
 00748   464   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 40, {status=0x0, info=1}, ) }, 5, 96, ... 40, {status=0x0, info=1}, ) == 0x0
 00749   464   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 40, ... 28, ) == 0x0
 00750   464   NtClose  (40, ... ) == 0x0
 00751   464   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x360000), 0x0, 110592, ) == 0x0
 00752   464   NtClose  (28, ... ) == 0x0
 00753   464   NtUnmapViewOfSection  (-1, 0x360000, ... ) == 0x0
 00754   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239272, ... ) }, 1239272, ... ) == 0x0
 00755   464   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00756   464   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 28, ... 40, ) == 0x0
 00757   464   NtQuerySection  (40, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00758   464   NtClose  (28, ... ) == 0x0
 00759   464   NtMapViewOfSection  (40, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76390000), 0x0, 118784, ) == 0x0
 00760   464   NtClose  (40, ... ) == 0x0
 00761   464   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00762   464   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00763   464   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00764   464   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00765   464   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00766   464   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00767   464   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00768   464   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00769   464   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00770   464   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMM32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00771   464   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00772   464   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00773   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1236188, ... ) }, 1236188, ... ) == 0x0
 00774   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239592, ... ) }, 1239592, ... ) == 0x0
 00775   464   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00776   464   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize"}, ... 40, ) }, ... 40, ) == 0x0
 00777   464   NtQueryValueKey  (40,  (40, "DisableMetaFiles", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00778   464   NtClose  (40, ... ) == 0x0
 00779   464   NtMapViewOfSection  (-2147482740, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x510000), 0x0, 1060864, ) == 0x0
 00780   464   NtClose  (-2147482740, ... ) == 0x0
 00781   464   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 40, ) == 0x0
 00782   464   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00783   464   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482740, ) == 0x0
 00784   464   NtQueryInformationToken  (-2147482740, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00785   464   NtQueryInformationToken  (-2147482740, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00786   464   NtClose  (-2147482740, ... ) == 0x0
 00787   464   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 3538944, 4096, ) == 0x0
 00788   464   NtFreeVirtualMemory  (-1, (0x360000), 4096, 32768, ... (0x360000), 4096, ) == 0x0
 00789   464   NtDuplicateObject  (-1, 28, -1, 0x0, 0, 2, ... 84, ) == 0x0
 00790   464   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0
 00791   464   NtQueryValueKey  (-2147482740,  (-2147482740, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00792   464   NtClose  (-2147482740, ... ) == 0x0
 00793   464   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0
 00794   464   NtQueryValueKey  (-2147482740,  (-2147482740, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00795   464   NtClose  (-2147482740, ... ) == 0x0
 00796   464   NtQueryDefaultLocale  (0, -142562996, ... ) == 0x0
 00797   464   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00798   464   NtUserCallNoParam  (24, ... ) == 0x0
 00799   464   NtGdiCreateCompatibleDC  (0, ...
 00800   464   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 3538944, 4096, ) == 0x0
 00799   464   NtGdiCreateCompatibleDC  ... ) == 0xee0105b0
 00801   464   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00802   464   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00803   464   NtGdiCreateBitmap  (8, 8, 1, 1, 2118200212, ... ) == 0x76050581
 00804   464   NtGdiCreateSolidBrush  (0, 0, ...
 00805   464   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 3604480, 4096, ) == 0x0
 00804   464   NtGdiCreateSolidBrush  ... ) == 0xa51003d2
 00806   464   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00807   464   NtGdiCreateCompatibleDC  (0, ... ) == 0x5201039b
 00808   464   NtGdiSelectBitmap  (1375798171, 1980040577, ... ) == 0x185000f
 00809   464   NtUserGetThreadDesktop  (464, 0, ... ) == 0x50
 00810   464   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 88, ) }, ... 88, ) == 0x0
 00811   464   NtQueryValueKey  (88,  (88, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (88, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00812   464   NtClose  (88, ... ) == 0x0
 00813   464   NtUserFindExistingCursorIcon  (1240768, 1240784, 1240832, ... ) == 0x10011
 00814   464   NtUserRegisterClassExWOW  (1240780, 1240848, 1240864, 1240880, 673, 128, 0, ... ) == 0x8173c017
 00815   464   NtUserFindExistingCursorIcon  (1240768, 1240784, 1240832, ... ) == 0x10011
 00816   464   NtUserRegisterClassExWOW  (1240780, 1240848, 1240864, 1240880, 674, 128, 0, ... ) == 0x8173c01c
 00817   464   NtUserFindExistingCursorIcon  (1240768, 1240784, 1240832, ... ) == 0x10011
 00818   464   NtUserRegisterClassExWOW  (1240780, 1240848, 1240864, 1240880, 675, 128, 0, ... ) == 0x8173c01e
 00819   464   NtUserFindExistingCursorIcon  (1240768, 1240784, 1240832, ... ) == 0x10011
 00820   464   NtUserRegisterClassExWOW  (1240780, 1240848, 1240864, 1240880, 676, 128, 0, ... ) == 0x81738002
 00821   464   NtUserFindExistingCursorIcon  (1240768, 1240784, 1240832, ... ) == 0x10013
 00822   464   NtUserRegisterClassExWOW  (1240780, 1240848, 1240864, 1240880, 677, 128, 0, ... ) == 0x8173c018
 00823   464   NtUserFindExistingCursorIcon  (1240768, 1240784, 1240832, ... ) == 0x10011
 00824   464   NtUserRegisterClassExWOW  (1240780, 1240848, 1240864, 1240880, 678, 128, 0, ... ) == 0x8173c01a
 00825   464   NtUserFindExistingCursorIcon  (1240768, 1240784, 1240832, ... ) == 0x10011
 00826   464   NtUserRegisterClassExWOW  (1240780, 1240848, 1240864, 1240880, 679, 128, 0, ... ) == 0x8173c01d
 00827   464   NtUserFindExistingCursorIcon  (1240768, 1240784, 1240832, ... ) == 0x10011
 00828   464   NtUserRegisterClassExWOW  (1240780, 1240848, 1240864, 1240880, 681, 128, 0, ... ) == 0x8173c026
 00829   464   NtUserFindExistingCursorIcon  (1240768, 1240784, 1240832, ... ) == 0x10011
 00830   464   NtUserRegisterClassExWOW  (1240780, 1240848, 1240864, 1240880, 680, 128, 0, ... ) == 0x8173c019
 00831   464   NtUserRegisterClassExWOW  (1240732, 1240800, 1240816, 1240832, 0, 128, 0, ... ) == 0x8173c020
 00832   464   NtUserRegisterClassExWOW  (1240988, 1241084, 1241068, 1241056, 0, 130, 0, ... ) == 0x8173c022
 00833   464   NtUserRegisterClassExWOW  (1240732, 1240800, 1240816, 1240832, 0, 128, 0, ... ) == 0x8173c023
 00834   464   NtUserRegisterClassExWOW  (1240988, 1241084, 1241068, 1241056, 0, 130, 0, ... ) == 0x8173c024
 00835   464   NtUserRegisterClassExWOW  (1240732, 1240800, 1240816, 1240832, 0, 128, 0, ... ) == 0x8173c025
 00836   464   NtCallbackReturn  (0, 0, 0, ...
 00837   464   NtGdiInit  (... ) == 0x1
 00838   464   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00839   464   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00840   464   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHELL32.dll"}, ... 88, ) }, ... 88, ) == 0x0
 00841   464   NtMapViewOfSection  (88, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7c9c0000), 0x0, 8482816, ) == 0x0
 00842   464   NtClose  (88, ... ) == 0x0
 00843   464   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 00844   464   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 00845   464   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 00846   464   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 00847   464   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 00848   464   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 00849   464   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 00850   464   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 00851   464   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 00852   464   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 00853   464   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 00854   464   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 00855   464   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 00856   464   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 00857   464   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 00858   464   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 00859   464   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 00860   464   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 00861   464   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 88, ) }, ... 88, ) == 0x0
 00862   464   NtMapViewOfSection  (88, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f60000), 0x0, 483328, ) == 0x0
 00863   464   NtClose  (88, ... ) == 0x0
 00864   464   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 00865   464   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 00866   464   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 00867   464   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 00868   464   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 00869   464   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 00870   464   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 00871   464   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 00872   464   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 00873   464   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 00874   464   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 00875   464   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 00876   464   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 00877   464   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 00878   464   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 00879   464   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 00880   464   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 00881   464   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 00882   464   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 00883   464   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 00884   464   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 00885   464   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHLWAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00886   464   NtOpenKey  (0x2000000, {24, 36, 0x40, 0, 0,  (0x2000000, {24, 36, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00887   464   NtCreateSemaphore  (0x1f0003, {24, 16, 0x80, 1339272, 0,  (0x1f0003, {24, 16, 0x80, 1339272, 0, "shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}"}, 0, 2147483647, ... 88, ) }, 0, 2147483647, ... 88, ) == STATUS_OBJECT_NAME_EXISTS
 00888   464   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHELL32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00889   464   NtOpenKey  (0x1, {24, 36, 0x40, 0, 0,  (0x1, {24, 36, 0x40, 0, 0, "SYSTEM\Setup"}, ... 92, ) }, ... 92, ) == 0x0
 00890   464   NtQueryValueKey  (92,  (92, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (92, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00891   464   NtClose  (92, ... ) == 0x0
 00892   464   NtQueryDefaultUILanguage  (1241328, ...
 00893   464   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00894   464   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482740, ) == 0x0
 00895   464   NtQueryInformationToken  (-2147482740, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00896   464   NtClose  (-2147482740, ... ) == 0x0
 00897   464   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0
 00898   464   NtOpenKey  (0x80000000, {24, -2147482740, 0x240, 0, 0,  (0x80000000, {24, -2147482740, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00899   464   NtOpenKey  (0x80000000, {24, -2147482740, 0x640, 0, 0,  (0x80000000, {24, -2147482740, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481328, ) }, ... -2147481328, ) == 0x0
 00900   464   NtQueryValueKey  (-2147481328,  (-2147481328, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00901   464   NtClose  (-2147481328, ... ) == 0x0
 00902   464   NtClose  (-2147482740, ... ) == 0x0
 00892   464   NtQueryDefaultUILanguage  ... ) == 0x0
 00903   464   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1, 96, ... 92, {status=0x0, info=1}, ) }, 1, 96, ... 92, {status=0x0, info=1}, ) == 0x0
 00904   464   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 92, ... 96, ) == 0x0
 00905   464   NtMapViewOfSection  (96, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x920000), 0x0, 8462336, ) == 0x0
 00906   464   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00907   464   NtQueryDefaultUILanguage  (2090319928, ...
 00908   464   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00909   464   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482740, ) == 0x0
 00910   464   NtQueryInformationToken  (-2147482740, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00911   464   NtClose  (-2147482740, ... ) == 0x0
 00912   464   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0
 00913   464   NtOpenKey  (0x80000000, {24, -2147482740, 0x240, 0, 0,  (0x80000000, {24, -2147482740, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00914   464   NtOpenKey  (0x80000000, {24, -2147482740, 0x640, 0, 0,  (0x80000000, {24, -2147482740, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481328, ) }, ... -2147481328, ) == 0x0
 00915   464   NtQueryValueKey  (-2147481328,  (-2147481328, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00916   464   NtClose  (-2147481328, ... ) == 0x0
 00917   464   NtClose  (-2147482740, ... ) == 0x0
 00907   464   NtQueryDefaultUILanguage  ... ) == 0x0
 00918   464   NtQueryInstallUILanguage  (2090319930, ... ) == 0x0
 00919   464   NtQueryDefaultLocale  (1, 1239424, ... ) == 0x0
 00920   464   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00921   464   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 2088850039, 1240460, 1179817, 1240184}  (24, {128, 156, new_msg, 0, 2088850039, 1240460, 1179817, 1240184} "\210\6\31\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\\0\0\0\377\377\377\377\0\0\0\0@ \265\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\200\361\22\0\0\0\0\0" ... {128, 156, reply, 0, 1036, 464, 57991, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\\0\0\0\377\377\377\377\0\0\0\0@ \265\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\200\361\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 1036, 464, 57991, 0}  (24, {128, 156, new_msg, 0, 2088850039, 1240460, 1179817, 1240184} "\210\6\31\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\\0\0\0\377\377\377\377\0\0\0\0@ \265\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\200\361\22\0\0\0\0\0" ... {128, 156, reply, 0, 1036, 464, 57991, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\\0\0\0\377\377\377\377\0\0\0\0@ \265\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\200\361\22\0\0\0\0\0" )  ) == 0x0
 00922   464   NtClose  (92, ... ) == 0x0
 00923   464   NtClose  (96, ... ) == 0x0
 00924   464   NtUnmapViewOfSection  (-1, 0x920000, ... ) == 0x0
 00925   464   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00926   464   NtAllocateVirtualMemory  (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0
 00927   464   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00928   464   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00929   464   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00930   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1238616, ... ) }, 1238616, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00931   464   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00932   464   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00933   464   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00934   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03"}, 1238680, ... ) }, 1238680, ... ) == 0x0
 00935   464   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03"}, 3, 33, ... 96, {status=0x0, info=1}, ) }, 3, 33, ... 96, {status=0x0, info=1}, ) == 0x0
 00936   464   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00937   464   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll"}, 5, 96, ... 92, {status=0x0, info=1}, ) }, 5, 96, ... 92, {status=0x0, info=1}, ) == 0x0
 00938   464   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 92, ... 100, ) == 0x0
 00939   464   NtClose  (92, ... ) == 0x0
 00940   464   NtMapViewOfSection  (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x920000), 0x0, 1056768, ) == 0x0
 00941   464   NtClose  (100, ... ) == 0x0
 00942   464   NtUnmapViewOfSection  (-1, 0x920000, ... ) == 0x0
 00943   464   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll"}, 5, 96, ... 100, {status=0x0, info=1}, ) }, 5, 96, ... 100, {status=0x0, info=1}, ) == 0x0
 00944   464   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 100, ... 92, ) == 0x0
 00945   464   NtQuerySection  (92, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00946   464   NtClose  (100, ... ) == 0x0
 00947   464   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 1060864, ) == 0x0
 00948   464   NtClose  (92, ... ) == 0x0
 00949   464   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 00950   464   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 00951   464   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 00952   464   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 00953   464   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 00954   464   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 00955   464   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 00956   464   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 00957   464   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 00958   464   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 00959   464   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 00960   464   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 00961   464   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 00962   464   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 00963   464   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 00964   464   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 00965   464   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 00966   464   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 00967   464   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 00968   464   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 00969   464   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 00970   464   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\comctl32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00971   464   NtAddAtom  ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1240160, ... ) , 42, 1240160, ... ) == 0x0
 00972   464   NtQueryDefaultUILanguage  (1238844, ...
 00973   464   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00974   464   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482740, ) == 0x0
 00975   464   NtQueryInformationToken  (-2147482740, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00976   464   NtClose  (-2147482740, ... ) == 0x0
 00977   464   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0
 00978   464   NtOpenKey  (0x80000000, {24, -2147482740, 0x240, 0, 0,  (0x80000000, {24, -2147482740, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00979   464   NtOpenKey  (0x80000000, {24, -2147482740, 0x640, 0, 0,  (0x80000000, {24, -2147482740, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481328, ) }, ... -2147481328, ) == 0x0
 00980   464   NtQueryValueKey  (-2147481328,  (-2147481328, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00981   464   NtClose  (-2147481328, ... ) == 0x0
 00982   464   NtClose  (-2147482740, ... ) == 0x0
 00972   464   NtQueryDefaultUILanguage  ... ) == 0x0
 00983   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1237684, ... ) }, 1237684, ... ) == 0x0
 00984   464   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 92, {status=0x0, info=1}, ) }, 5, 96, ... 92, {status=0x0, info=1}, ) == 0x0
 00985   464   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 92, ... 100, ) == 0x0
 00986   464   NtClose  (92, ... ) == 0x0
 00987   464   NtMapViewOfSection  (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x390000), 0x0, 4096, ) == 0x0
 00988   464   NtClose  (100, ... ) == 0x0
 00989   464   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 00990   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1237280, ... ) }, 1237280, ... ) == 0x0
 00991   464   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238024,  (0x80100080, {24, 0, 0x40, 0, 1238024, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 100, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 100, {status=0x0, info=1}, ) == 0x0
 00992   464   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 100, ... 92, ) == 0x0
 00993   464   NtClose  (100, ... ) == 0x0
 00994   464   NtMapViewOfSection  (92, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x390000), {0, 0}, 4096, ) == 0x0
 00995   464   NtClose  (92, ... ) == 0x0
 00996   464   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 00997   464   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 92, {status=0x0, info=1}, ) }, 1, 96, ... 92, {status=0x0, info=1}, ) == 0x0
 00998   464   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 92, ... 100, ) == 0x0
 00999   464   NtMapViewOfSection  (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x390000), 0x0, 4096, ) == 0x0
 01000   464   NtQueryInformationFile  (92, 1237676, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01001   464   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01002   464   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 2088850039, 1237976, 1179817, 1237700}  (24, {128, 156, new_msg, 0, 2088850039, 1237976, 1179817, 1237700} "\210\6\31\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1\\0\0\0d\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\314\347\22\0\0\0\0\0" ... {128, 156, reply, 0, 1036, 464, 57992, 0} "\260d\27\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1\\0\0\0d\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\314\347\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 1036, 464, 57992, 0}  (24, {128, 156, new_msg, 0, 2088850039, 1237976, 1179817, 1237700} "\210\6\31\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1\\0\0\0d\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\314\347\22\0\0\0\0\0" ... {128, 156, reply, 0, 1036, 464, 57992, 0} "\260d\27\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1\\0\0\0d\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\314\347\22\0\0\0\0\0" )  ) == 0x0
 01003   464   NtClose  (92, ... ) == 0x0
 01004   464   NtClose  (100, ... ) == 0x0
 01005   464   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 01006   464   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01007   464   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 01008   464   NtUserSystemParametersInfo  (104, 0, 2001084812, 0, ... ) == 0x1
 01009   464   NtUserGetDC  (0, ... ) == 0x1010051
 01010   464   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 01011   464   NtUserSystemParametersInfo  (38, 4, 2001086940, 0, ... ) == 0x1
 01012   464   NtUserSystemParametersInfo  (66, 12, 1239676, 0, ... ) == 0x1
 01013   464   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01014   464   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 100, ) == 0x0
 01015   464   NtQueryInformationToken  (100, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01016   464   NtClose  (100, ... ) == 0x0
 01017   464   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 100, ) }, ... 100, ) == 0x0
 01018   464   NtOpenProcessToken  (-1, 0x8, ... 92, ) == 0x0
 01019   464   NtAccessCheck  (1341904, 92, 0x1, 1239508, 1239560, 56, 1239540, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 01020   464   NtClose  (92, ... ) == 0x0
 01021   464   NtOpenKey  (0x20019, {24, 100, 0x40, 0, 0,  (0x20019, {24, 100, 0x40, 0, 0, "Control Panel\Desktop"}, ... 92, ) }, ... 92, ) == 0x0
 01022   464   NtQueryValueKey  (92,  (92, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01023   464   NtClose  (92, ... ) == 0x0
 01024   464   NtUserSystemParametersInfo  (41, 500, 1239704, 0, ... ) == 0x1
 01025   464   NtOpenProcessToken  (-1, 0x8, ... 92, ) == 0x0
 01026   464   NtAccessCheck  (1341904, 92, 0x1, 1239508, 1239560, 56, 1239540, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 01027   464   NtClose  (92, ... ) == 0x0
 01028   464   NtOpenKey  (0x20019, {24, 100, 0x40, 0, 0,  (0x20019, {24, 100, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 92, ) }, ... 92, ) == 0x0
 01029   464   NtQueryValueKey  (92,  (92, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01030   464   NtClose  (92, ... ) == 0x0
 01031   464   NtUserSystemParametersInfo  (27, 0, 2001085788, 0, ... ) == 0x1
 01032   464   NtUserSystemParametersInfo  (102, 0, 2001086828, 0, ... ) == 0x1
 01033   464   NtClose  (100, ... ) == 0x0
 01034   464   NtUserSystemParametersInfo  (4130, 0, 1240208, 0, ... ) == 0x1
 01035   464   NtOpenKey  (0x1, {24, 36, 0x40, 0, 0,  (0x1, {24, 36, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 100, ) }, ... 100, ) == 0x0
 01036   464   NtEnumerateValueKey  (100, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 01037   464   NtClose  (100, ... ) == 0x0
 01038   464   NtUserFindExistingCursorIcon  (1239456, 1239472, 1239520, ... ) == 0x10011
 01039   464   NtUserRegisterClassExWOW  (1239400, 1239468, 1239484, 1239500, 0, 384, 0, ... ) == 0x8173c03b
 01040   464   NtUserRegisterClassExWOW  (1239400, 1239468, 1239484, 1239500, 0, 384, 0, ... ) == 0x8173c03d
 01041   464   NtUserFindExistingCursorIcon  (1239456, 1239472, 1239520, ... ) == 0x10011
 01042   464   NtUserRegisterClassExWOW  (1239400, 1239468, 1239484, 1239500, 0, 384, 0, ... ) == 0x8173c03f
 01043   464   NtUserFindExistingCursorIcon  (1239456, 1239472, 1239520, ... ) == 0x10011
 01044   464   NtUserRegisterClassExWOW  (1239400, 1239468, 1239484, 1239500, 0, 384, 0, ... ) == 0x8173c041
 01045   464   NtUserFindExistingCursorIcon  (1239456, 1239472, 1239520, ... ) == 0x10011
 01046   464   NtUserRegisterClassExWOW  (1239400, 1239468, 1239484, 1239500, 0, 384, 0, ... ) == 0x8173c043
 01047   464   NtUserRegisterClassExWOW  (1239400, 1239468, 1239484, 1239500, 0, 384, 0, ... ) == 0x8173c045
 01048   464   NtUserFindExistingCursorIcon  (1239456, 1239472, 1239520, ... ) == 0x10011
 01049   464   NtUserRegisterClassExWOW  (1239400, 1239468, 1239484, 1239500, 0, 384, 0, ... ) == 0x8173c047
 01050   464   NtUserFindExistingCursorIcon  (1239456, 1239472, 1239520, ... ) == 0x10011
 01051   464   NtUserRegisterClassExWOW  (1239400, 1239468, 1239484, 1239500, 0, 384, 0, ... ) == 0x8173c049
 01052   464   NtUserFindExistingCursorIcon  (1239456, 1239472, 1239520, ... ) == 0x10011
 01053   464   NtUserRegisterClassExWOW  (1239400, 1239468, 1239484, 1239500, 0, 384, 0, ... ) == 0x8173c04b
 01054   464   NtUserFindExistingCursorIcon  (1239456, 1239472, 1239520, ... ) == 0x10011
 01055   464   NtUserRegisterClassExWOW  (1239400, 1239468, 1239484, 1239500, 0, 384, 0, ... ) == 0x8173c04d
 01056   464   NtUserFindExistingCursorIcon  (1239456, 1239472, 1239520, ... ) == 0x10011
 01057   464   NtUserRegisterClassExWOW  (1239400, 1239468, 1239484, 1239500, 0, 384, 0, ... ) == 0x8173c04f
 01058   464   NtUserRegisterClassExWOW  (1239400, 1239468, 1239484, 1239500, 0, 384, 0, ... ) == 0x8173c051
 01059   464   NtUserFindExistingCursorIcon  (1239456, 1239472, 1239520, ... ) == 0x10011
 01060   464   NtUserRegisterClassExWOW  (1239400, 1239468, 1239484, 1239500, 0, 384, 0, ... ) == 0x8173c053
 01061   464   NtUserFindExistingCursorIcon  (1239452, 1239468, 1239516, ... ) == 0x10011
 01062   464   NtUserRegisterClassExWOW  (1239396, 1239464, 1239480, 1239496, 0, 384, 0, ... ) == 0x8173c055
 01063   464   NtUserFindExistingCursorIcon  (1239452, 1239468, 1239516, ... ) == 0x10011
 01064   464   NtUserRegisterClassExWOW  (1239396, 1239464, 1239480, 1239496, 0, 384, 0, ... ) == 0x8173c057
 01065   464   NtUserFindExistingCursorIcon  (1239456, 1239472, 1239520, ... ) == 0x10011
 01066   464   NtUserRegisterClassExWOW  (1239400, 1239468, 1239484, 1239500, 0, 384, 0, ... ) == 0x8173c059
 01067   464   NtUserFindExistingCursorIcon  (1239456, 1239472, 1239520, ... ) == 0x10013
 01068   464   NtUserRegisterClassExWOW  (1239400, 1239468, 1239484, 1239500, 0, 384, 0, ... ) == 0x8173c05b
 01069   464   NtUserFindExistingCursorIcon  (1239456, 1239472, 1239520, ... ) == 0x10011
 01070   464   NtUserRegisterClassExWOW  (1239400, 1239468, 1239484, 1239500, 0, 384, 0, ... ) == 0x8173c05d
 01071   464   NtUserFindExistingCursorIcon  (1239456, 1239472, 1239520, ... ) == 0x10011
 01072   464   NtUserRegisterClassExWOW  (1239400, 1239468, 1239484, 1239500, 0, 384, 0, ... ) == 0x8173c05f
 01073   464   NtUserFindExistingCursorIcon  (1239456, 1239472, 1239520, ... ) == 0x10011
 01074   464   NtUserRegisterClassExWOW  (1239400, 1239468, 1239484, 1239500, 0, 384, 0, ... ) == 0x8173c017
 01075   464   NtUserFindExistingCursorIcon  (1239456, 1239472, 1239520, ... ) == 0x10011
 01076   464   NtUserRegisterClassExWOW  (1239400, 1239468, 1239484, 1239500, 0, 384, 0, ... ) == 0x8173c019
 01077   464   NtUserFindExistingCursorIcon  (1239456, 1239472, 1239520, ... ) == 0x10013
 01078   464   NtUserRegisterClassExWOW  (1239400, 1239468, 1239484, 1239500, 0, 384, 0, ... ) == 0x8173c018
 01079   464   NtUserFindExistingCursorIcon  (1239456, 1239472, 1239520, ... ) == 0x10011
 01080   464   NtUserRegisterClassExWOW  (1239400, 1239468, 1239484, 1239500, 0, 384, 0, ... ) == 0x8173c01a
 01081   464   NtUserFindExistingCursorIcon  (1239456, 1239472, 1239520, ... ) == 0x10011
 01082   464   NtUserRegisterClassExWOW  (1239400, 1239468, 1239484, 1239500, 0, 384, 0, ... ) == 0x8173c01c
 01083   464   NtUserFindExistingCursorIcon  (1239456, 1239472, 1239520, ... ) == 0x10011
 01084   464   NtUserRegisterClassExWOW  (1239400, 1239468, 1239484, 1239500, 0, 384, 0, ... ) == 0x8173c01e
 01085   464   NtUserFindExistingCursorIcon  (1239448, 1239464, 1239512, ... ) == 0x10011
 01086   464   NtUserRegisterClassExWOW  (1239448, 1239516, 1239532, 1239548, 0, 384, 0, ... ) == 0x8173c01b
 01087   464   NtUserFindExistingCursorIcon  (1239456, 1239472, 1239520, ... ) == 0x10011
 01088   464   NtUserRegisterClassExWOW  (1239400, 1239468, 1239484, 1239500, 0, 384, 0, ... ) == 0x8173c068
 01089   464   NtUserFindExistingCursorIcon  (1239456, 1239472, 1239520, ... ) == 0x10011
 01090   464   NtUserRegisterClassExWOW  (1239400, 1239468, 1239484, 1239500, 0, 384, 0, ... ) == 0x8173c06a
 01091   464   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "comctl32.dll"}, ... 100, ) }, ... 100, ) == 0x0
 01092   464   NtMapViewOfSection  (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5d090000), 0x0, 630784, ) == 0x0
 01093   464   NtClose  (100, ... ) == 0x0
 01094   464   NtProtectVirtualMemory  (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0
 01095   464   NtProtectVirtualMemory  (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0
 01096   464   NtFlushInstructionCache  (-1, 1560875008, 1656, ... ) == 0x0
 01097   464   NtProtectVirtualMemory  (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0
 01098   464   NtProtectVirtualMemory  (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0
 01099   464   NtFlushInstructionCache  (-1, 1560875008, 1656, ... ) == 0x0
 01100   464   NtProtectVirtualMemory  (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0
 01101   464   NtProtectVirtualMemory  (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0
 01102   464   NtFlushInstructionCache  (-1, 1560875008, 1656, ... ) == 0x0
 01103   464   NtProtectVirtualMemory  (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0
 01104   464   NtProtectVirtualMemory  (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0
 01105   464   NtFlushInstructionCache  (-1, 1560875008, 1656, ... ) == 0x0
 01106   464   NtProtectVirtualMemory  (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0
 01107   464   NtProtectVirtualMemory  (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0
 01108   464   NtFlushInstructionCache  (-1, 1560875008, 1656, ... ) == 0x0
 01109   464   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\comctl32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01110   464   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01111   464   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3735552, 65536, ) == 0x0
 01112   464   NtAllocateVirtualMemory  (-1, 3735552, 0, 4096, 4096, 4, ... 3735552, 4096, ) == 0x0
 01113   464   NtAllocateVirtualMemory  (-1, 3739648, 0, 8192, 4096, 4, ... 3739648, 8192, ) == 0x0
 01114   464   NtAllocateVirtualMemory  (-1, 3747840, 0, 4096, 4096, 4, ... 3747840, 4096, ) == 0x0
 01115   464   NtAllocateVirtualMemory  (-1, 3751936, 0, 4096, 4096, 4, ... 3751936, 4096, ) == 0x0
 01116   464   NtQueryDefaultUILanguage  (1239456, ...
 01117   464   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01118   464   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482740, ) == 0x0
 01119   464   NtQueryInformationToken  (-2147482740, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01120   464   NtClose  (-2147482740, ... ) == 0x0
 01121   464   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0
 01122   464   NtOpenKey  (0x80000000, {24, -2147482740, 0x240, 0, 0,  (0x80000000, {24, -2147482740, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01123   464   NtOpenKey  (0x80000000, {24, -2147482740, 0x640, 0, 0,  (0x80000000, {24, -2147482740, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481328, ) }, ... -2147481328, ) == 0x0
 01124   464   NtQueryValueKey  (-2147481328,  (-2147481328, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01125   464   NtClose  (-2147481328, ... ) == 0x0
 01126   464   NtClose  (-2147482740, ... ) == 0x0
 01116   464   NtQueryDefaultUILanguage  ... ) == 0x0
 01127   464   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\comctl32.dll"}, 1, 96, ... 100, {status=0x0, info=1}, ) }, 1, 96, ... 100, {status=0x0, info=1}, ) == 0x0
 01128   464   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 100, ... 92, ) == 0x0
 01129   464   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x920000), 0x0, 618496, ) == 0x0
 01130   464   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\comctl32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01131   464   NtQueryDefaultLocale  (1, 1237552, ... ) == 0x0
 01132   464   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\comctl32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01133   464   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 2088850039, 1238588, 1179817, 1238312}  (24, {128, 156, new_msg, 0, 2088850039, 1238588, 1179817, 1238312} "\210\6\31\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0@\0D\0\250\6\31\1d\0\0\0\377\377\377\377\0\0\0\0\340q\231\0\0\0\0\0k\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\354\6\31\1\0\0\0\0\0\0\0\00\352\22\0\0\0\0\0" ... {128, 156, reply, 0, 1036, 464, 57993, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0@\0D\0\250\6\31\1d\0\0\0\377\377\377\377\0\0\0\0\340q\231\0\0\0\0\0k\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\354\6\31\1\0\0\0\0\0\0\0\00\352\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 1036, 464, 57993, 0}  (24, {128, 156, new_msg, 0, 2088850039, 1238588, 1179817, 1238312} "\210\6\31\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0@\0D\0\250\6\31\1d\0\0\0\377\377\377\377\0\0\0\0\340q\231\0\0\0\0\0k\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\354\6\31\1\0\0\0\0\0\0\0\00\352\22\0\0\0\0\0" ... {128, 156, reply, 0, 1036, 464, 57993, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0@\0D\0\250\6\31\1d\0\0\0\377\377\377\377\0\0\0\0\340q\231\0\0\0\0\0k\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\354\6\31\1\0\0\0\0\0\0\0\00\352\22\0\0\0\0\0" )  ) == 0x0
 01134   464   NtClose  (100, ... ) == 0x0
 01135   464   NtClose  (92, ... ) == 0x0
 01136   464   NtUnmapViewOfSection  (-1, 0x920000, ... ) == 0x0
 01137   464   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01138   464   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {1036, 0}, ... 92, ) == 0x0
 01139   464   NtQueryInformationProcess  (92, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 01140   464   NtClose  (92, ... ) == 0x0
 01141   464   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 01142   464   NtUserSystemParametersInfo  (104, 0, 1561338260, 0, ... ) == 0x1
 01143   464   NtUserSystemParametersInfo  (38, 4, 1561337988, 0, ... ) == 0x1
 01144   464   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01145   464   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 92, ) == 0x0
 01146   464   NtQueryInformationToken  (92, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01147   464   NtClose  (92, ... ) == 0x0
 01148   464   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 92, ) }, ... 92, ) == 0x0
 01149   464   NtOpenProcessToken  (-1, 0x8, ... 100, ) == 0x0
 01150   464   NtAccessCheck  (1341904, 100, 0x1, 1240648, 1240700, 56, 1240680, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 01151   464   NtClose  (100, ... ) == 0x0
 01152   464   NtOpenKey  (0x20019, {24, 92, 0x40, 0, 0,  (0x20019, {24, 92, 0x40, 0, 0, "Control Panel\Desktop"}, ... 100, ) }, ... 100, ) == 0x0
 01153   464   NtQueryValueKey  (100,  (100, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01154   464   NtClose  (100, ... ) == 0x0
 01155   464   NtUserSystemParametersInfo  (41, 500, 1240828, 0, ... ) == 0x1
 01156   464   NtUserSystemParametersInfo  (102, 0, 1561338280, 0, ... ) == 0x1
 01157   464   NtClose  (92, ... ) == 0x0
 01158   464   NtUserFindExistingCursorIcon  (1240580, 1240596, 1240644, ... ) == 0x10011
 01159   464   NtUserRegisterClassExWOW  (1240524, 1240592, 1240608, 1240624, 0, 384, 0, ... ) == 0x8173c03b
 01160   464   NtUserRegisterClassExWOW  (1240524, 1240592, 1240608, 1240624, 0, 384, 0, ... ) == 0x8173c03d
 01161   464   NtUserFindExistingCursorIcon  (1240580, 1240596, 1240644, ... ) == 0x10011
 01162   464   NtUserRegisterClassExWOW  (1240524, 1240592, 1240608, 1240624, 0, 384, 0, ... ) == 0x8173c03f
 01163   464   NtUserFindExistingCursorIcon  (1240580, 1240596, 1240644, ... ) == 0x10011
 01164   464   NtUserRegisterClassExWOW  (1240524, 1240592, 1240608, 1240624, 0, 384, 0, ... ) == 0x8173c041
 01165   464   NtUserFindExistingCursorIcon  (1240580, 1240596, 1240644, ... ) == 0x10011
 01166   464   NtUserRegisterClassExWOW  (1240524, 1240592, 1240608, 1240624, 0, 384, 0, ... ) == 0x8173c043
 01167   464   NtUserRegisterClassExWOW  (1240524, 1240592, 1240608, 1240624, 0, 384, 0, ... ) == 0x8173c045
 01168   464   NtUserFindExistingCursorIcon  (1240580, 1240596, 1240644, ... ) == 0x10011
 01169   464   NtUserRegisterClassExWOW  (1240524, 1240592, 1240608, 1240624, 0, 384, 0, ... ) == 0x8173c047
 01170   464   NtUserFindExistingCursorIcon  (1240580, 1240596, 1240644, ... ) == 0x10011
 01171   464   NtUserRegisterClassExWOW  (1240524, 1240592, 1240608, 1240624, 0, 384, 0, ... ) == 0x8173c049
 01172   464   NtUserFindExistingCursorIcon  (1240580, 1240596, 1240644, ... ) == 0x10011
 01173   464   NtUserRegisterClassExWOW  (1240524, 1240592, 1240608, 1240624, 0, 384, 0, ... ) == 0x8173c04b
 01174   464   NtUserFindExistingCursorIcon  (1240580, 1240596, 1240644, ... ) == 0x10011
 01175   464   NtUserRegisterClassExWOW  (1240524, 1240592, 1240608, 1240624, 0, 384, 0, ... ) == 0x8173c04d
 01176   464   NtUserFindExistingCursorIcon  (1240580, 1240596, 1240644, ... ) == 0x10011
 01177   464   NtUserRegisterClassExWOW  (1240524, 1240592, 1240608, 1240624, 0, 384, 0, ... ) == 0x8173c04f
 01178   464   NtUserRegisterClassExWOW  (1240524, 1240592, 1240608, 1240624, 0, 384, 0, ... ) == 0x8173c051
 01179   464   NtUserFindExistingCursorIcon  (1240580, 1240596, 1240644, ... ) == 0x10011
 01180   464   NtUserRegisterClassExWOW  (1240524, 1240592, 1240608, 1240624, 0, 384, 0, ... ) == 0x8173c053
 01181   464   NtUserFindExistingCursorIcon  (1240576, 1240592, 1240640, ... ) == 0x10011
 01182   464   NtUserRegisterClassExWOW  (1240520, 1240588, 1240604, 1240620, 0, 384, 0, ... ) == 0x8173c055
 01183   464   NtUserFindExistingCursorIcon  (1240576, 1240592, 1240640, ... ) == 0x10011
 01184   464   NtUserRegisterClassExWOW  (1240520, 1240588, 1240604, 1240620, 0, 384, 0, ... ) == 0x8173c057
 01185   464   NtUserFindExistingCursorIcon  (1240580, 1240596, 1240644, ... ) == 0x10011
 01186   464   NtUserRegisterClassExWOW  (1240524, 1240592, 1240608, 1240624, 0, 384, 0, ... ) == 0x8173c059
 01187   464   NtUserFindExistingCursorIcon  (1240580, 1240596, 1240644, ... ) == 0x10013
 01188   464   NtUserRegisterClassExWOW  (1240524, 1240592, 1240608, 1240624, 0, 384, 0, ... ) == 0x8173c05b
 01189   464   NtUserFindExistingCursorIcon  (1240580, 1240596, 1240644, ... ) == 0x10011
 01190   464   NtUserRegisterClassExWOW  (1240524, 1240592, 1240608, 1240624, 0, 384, 0, ... ) == 0x8173c05d
 01191   464   NtUserFindExistingCursorIcon  (1240580, 1240596, 1240644, ... ) == 0x10011
 01192   464   NtUserRegisterClassExWOW  (1240524, 1240592, 1240608, 1240624, 0, 384, 0, ... ) == 0x8173c05f
 01193   464   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLEAUT32.dll"}, ... 92, ) }, ... 92, ) == 0x0
 01194   464   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0
 01195   464   NtClose  (92, ... ) == 0x0
 01196   464   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 01197   464   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 01198   464   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 01199   464   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 01200   464   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 01201   464   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 01202   464   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 01203   464   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 01204   464   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 01205   464   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 01206   464   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 01207   464   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 01208   464   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ole32.dll"}, ... 92, ) }, ... 92, ) == 0x0
 01209   464   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x774e0000), 0x0, 1298432, ) == 0x0
 01210   464   NtClose  (92, ... ) == 0x0
 01211   464   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 01212   464   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 01213   464   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 01214   464   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 01215   464   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 01216   464   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 01217   464   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 01218   464   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 01219   464   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 01220   464   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 01221   464   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 01222   464   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 01223   464   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 01224   464   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 01225   464   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 01226   464   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 01227   464   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 01228   464   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 01229   464   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 01230   464   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 01231   464   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 01232   464   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 01233   464   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 01234   464   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 01235   464   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 01236   464   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 01237   464   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 01238   464   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 01239   464   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 01240   464   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 01241   464   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ole32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01242   464   NtAllocateVirtualMemory  (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0
 01243   464   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... 92, {status=0x0, info=0}, ) }, 7, 16, ... 92, {status=0x0, info=0}, ) == 0x0
 01244   464   NtDeviceIoControlFile  (92, 0, 0x0, 0x0, 0x390008,  (92, 0, 0x0, 0x0, 0x390008, "\3\350\212\325\,\340d\275\302\37\0\301\210\277\263\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01245   464   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01246   464   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01247   464   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01248   464   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01249   464   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01250   464   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01251   464   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01252   464   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482740, 2, ) }, 0, 0x0, 0, ... -2147482740, 2, ) == 0x0
 01253   464   NtSetValueKey  (-2147482740,  (-2147482740, "Seed", 0, 3, "\277\202\15\255\139\37\32\373}{!\357\214\355\177L\316\237\251\256?\270w\23\253R\256\206O\377\355[ \12\30\244\257\345\323\237\240d\202A\301\316\277\16\357\243\373^\10\0\35\373o\367\251+W\3356m\316w\23\33\232\33\10.\261([)\232!\326", 80, ... ) , 0, 3,  (-2147482740, "Seed", 0, 3, "\277\202\15\255\139\37\32\373}{!\357\214\355\177L\316\237\251\256?\270w\23\253R\256\206O\377\355[ \12\30\244\257\345\323\237\240d\202A\301\316\277\16\357\243\373^\10\0\35\373o\367\251+W\3356m\316w\23\33\232\33\10.\261([)\232!\326", 80, ... ) , 80, ... ) == 0x0
 01254   464   NtClose  (-2147482740, ... ) == 0x0
 01244   464   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\\250Q\377\273o\367t\365\24A\307\327\203\11\2707Q\350\23V\273\256\221\24\206c\355:\3636\357hO\271\205(\334\354\30\346\364\213\334.\317\217(\353\203m`u*\357\23\3031\332;\361\324W\272~i\23Z<\362\202\233\222(G\3371i?\243\356\372\305t$Z\327\247M\357\213?=\26\221\250\300\11\311\363\11VR&\261\43\237\361\22\242Tg\355W\370\322O\344\233c\23\266{\332\276aGnr\344\320\363v\37\376\311\342,I\266\226Qid\20\7\344\232:\320}6{\360\300)\310\35X\277h\215\326\241\344q\4\226\260\324vm\336\324w\254\273O\316\247\250g\\340\327\242\304\272\30e\223\243\334\274\377\252\337\327\327@\27\364\177A\256\252\335\24*\227\203\27\261\24\22\34\310Q\3218\313\361\10.\333\341^^$:\376<{[%\275_0\266\235V\37\302W\202\353K\251\262\346\302\374\230\241\323", ) , ) == 0x0
 01255   464   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01256   464   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01257   464   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 100, ) }, ... 100, ) == 0x0
 01258   464   NtQueryValueKey  (100,  (100, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (100, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0
 01259   464   NtClose  (100, ... ) == 0x0
 01260   464   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software\Microsoft\Ole"}, ... 100, ) }, ... 100, ) == 0x0
 01261   464   NtQueryValueKey  (100,  (100, "RWLockResourceTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01262   464   NtClose  (100, ... ) == 0x0
 01263   464   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01264   464   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01265   464   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01266   464   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01267   464   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 100, ) }, ... 100, ) == 0x0
 01268   464   NtQueryValueKey  (100,  (100, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01269   464   NtQueryValueKey  (100,  (100, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01270   464   NtQueryValueKey  (100,  (100, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01271   464   NtClose  (100, ... ) == 0x0
 01272   464   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 100, ) }, ... 100, ) == 0x0
 01273   464   NtQueryValueKey  (100,  (100, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01274   464   NtQueryValueKey  (100,  (100, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01275   464   NtClose  (100, ... ) == 0x0
 01276   464   NtOpenEvent  (0x1f0003, {24, 16, 0x0, 0, 0,  (0x1f0003, {24, 16, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01277   464   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OLEAUT32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01278   464   NtUserRegisterWindowMessage  ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc077
 01279   464   NtOpenKey  (0x1, {24, 36, 0x40, 0, 0,  (0x1, {24, 36, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01280   464   NtOpenKey  (0x9, {24, 36, 0x40, 0, 0,  (0x9, {24, 36, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01281   464   NtOpenKey  (0x1, {24, 36, 0x40, 0, 0,  (0x1, {24, 36, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01282   464   NtFreeVirtualMemory  (-1, (0x330000), 181, 16384, ... (0x330000), 4096, ) == 0x0
 01283   464   NtFreeVirtualMemory  (-1, (0x330000), 0, 32768, ... (0x330000), 4096, ) == 0x0
 01284   464   NtQueryVirtualMemory  (-1, 0x420dbc, Basic, 28, ... {BaseAddress=0x420000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0x1000,State=0x1000,Protect=0x40,Type=0x1000000,}, 28, ) == 0x0
 01285   464   NtContinue  (1244400, 0, ...
 01286   464   NtAllocateVirtualMemory  (-1, 0, 0, 5728, 4096, 64, ... 3342336, 8192, ) == 0x0
 01287   464   NtAllocateVirtualMemory  (-1, 0, 0, 122072, 4096, 64, ... 3932160, 122880, ) == 0x0
 01288   464   NtAllocateVirtualMemory  (-1, 0, 0, 78688, 4096, 4, ... 4063232, 81920, ) == 0x0
 01289   464   NtFreeVirtualMemory  (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 81920, ) == 0x0
 01290   464   NtProtectVirtualMemory  (-1, (0x400000), 4096, 4, ... (0x400000), 4096, 128, ) == 0x0
 01291   464   NtProtectVirtualMemory  (-1, (0x400000), 4096, 128, ... (0x400000), 4096, 4, ) == 0x0
 01292   464   NtProtectVirtualMemory  (-1, (0x400000), 4096, 4, ... (0x400000), 4096, 64, ) == 0x0
 01293   464   NtProtectVirtualMemory  (-1, (0x400000), 4096, 64, ... (0x400000), 4096, 4, ) == 0x0
 01294   464   NtFreeVirtualMemory  (-1, (0x3c0000), 0, 32768, ... (0x3c0000), 122880, ) == 0x0
 01295   464   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01296   464   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01297   464   NtDelayExecution  (0, {-10000000, -1}, ... ) == 0x0
 01298   464   NtCreateMutant  (0x1f0001, {24, 16, 0x80, 0, 0,  (0x1f0001, {24, 16, 0x80, 0, 0, "2aacbfa20df37146c3b7fd4bb5120566c6c0"}, 0, ... 100, ) }, 0, ... 100, ) == 0x0
 01299   464   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "netapi32.dll"}, ... 104, ) }, ... 104, ) == 0x0
 01300   464   NtMapViewOfSection  (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5b860000), 0x0, 344064, ) == 0x0
 01301   464   NtClose  (104, ... ) == 0x0
 01302   464   NtProtectVirtualMemory  (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0
 01303   464   NtProtectVirtualMemory  (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0
 01304   464   NtFlushInstructionCache  (-1, 1535512576, 1168, ... ) == 0x0
 01305   464   NtProtectVirtualMemory  (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0
 01306   464   NtProtectVirtualMemory  (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0
 01307   464   NtFlushInstructionCache  (-1, 1535512576, 1168, ... ) == 0x0
 01308   464   NtProtectVirtualMemory  (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0
 01309   464   NtProtectVirtualMemory  (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0
 01310   464   NtFlushInstructionCache  (-1, 1535512576, 1168, ... ) == 0x0
 01311   464   NtProtectVirtualMemory  (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0
 01312   464   NtProtectVirtualMemory  (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0
 01313   464   NtFlushInstructionCache  (-1, 1535512576, 1168, ... ) == 0x0
 01314   464   NtProtectVirtualMemory  (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0
 01315   464   NtProtectVirtualMemory  (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0
 01316   464   NtFlushInstructionCache  (-1, 1535512576, 1168, ... ) == 0x0
 01317   464   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netapi32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01318   464   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "mpr.dll"}, ... 104, ) }, ... 104, ) == 0x0
 01319   464   NtMapViewOfSection  (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71b20000), 0x0, 73728, ) == 0x0
 01320   464   NtClose  (104, ... ) == 0x0
 01321   464   NtProtectVirtualMemory  (-1, (0x71b21000), 440, 4, ... (0x71b21000), 4096, 32, ) == 0x0
 01322   464   NtProtectVirtualMemory  (-1, (0x71b21000), 4096, 32, ... (0x71b21000), 4096, 4, ) == 0x0
 01323   464   NtFlushInstructionCache  (-1, 1907494912, 440, ... ) == 0x0
 01324   464   NtProtectVirtualMemory  (-1, (0x71b21000), 440, 4, ... (0x71b21000), 4096, 32, ) == 0x0
 01325   464   NtProtectVirtualMemory  (-1, (0x71b21000), 4096, 32, ... (0x71b21000), 4096, 4, ) == 0x0
 01326   464   NtFlushInstructionCache  (-1, 1907494912, 440, ... ) == 0x0
 01327   464   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mpr.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01328   464   NtCreateSemaphore  (0x1f0003, 0x0, 1, 1, ... 104, ) == 0x0
 01329   464   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 108, ) == 0x0
 01330   464   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "system\CurrentControlSet\control\NetworkProvider\HwOrder"}, ... 112, ) }, ... 112, ) == 0x0
 01331   464   NtNotifyChangeKey  (112, 108, 0, 0, 2011455960, 4, 0, 0, 0, 1, ... ) == 0x103
 01332   464   NtQueryInformationProcess  (-1, 28, 4, ... {process info, class 28, size 4}, 0x0, ) == 0x0
 01333   464   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 116, ) == 0x0
 01334   464   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 120, ) == 0x0
 01335   464   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "pstorec.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01336   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\pstorec.dll"}, 1238128, ... ) }, 1238128, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01337   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\pstorec.dll"}, 1238128, ... ) }, 1238128, ... ) == 0x0
 01338   464   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\pstorec.dll"}, 5, 96, ... 124, {status=0x0, info=1}, ) }, 5, 96, ... 124, {status=0x0, info=1}, ) == 0x0
 01339   464   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 124, ... 128, ) == 0x0
 01340   464   NtQuerySection  (128, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01341   464   NtClose  (124, ... ) == 0x0
 01342   464   NtMapViewOfSection  (128, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5e0c0000), 0x0, 53248, ) == 0x0
 01343   464   NtClose  (128, ... ) == 0x0
 01344   464   NtProtectVirtualMemory  (-1, (0x5e0c1000), 432, 4, ... (0x5e0c1000), 4096, 32, ) == 0x0
 01345   464   NtProtectVirtualMemory  (-1, (0x5e0c1000), 4096, 32, ... (0x5e0c1000), 4096, 4, ) == 0x0
 01346   464   NtFlushInstructionCache  (-1, 1577848832, 432, ... ) == 0x0
 01347   464   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ATL.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01348   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\ATL.DLL"}, 1237312, ... ) }, 1237312, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01349   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\ATL.DLL"}, 1237312, ... ) }, 1237312, ... ) == 0x0
 01350   464   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\ATL.DLL"}, 5, 96, ... 128, {status=0x0, info=1}, ) }, 5, 96, ... 128, {status=0x0, info=1}, ) == 0x0
 01351   464   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 128, ... 124, ) == 0x0
 01352   464   NtQuerySection  (124, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01353   464   NtClose  (128, ... ) == 0x0
 01354   464   NtMapViewOfSection  (124, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76b20000), 0x0, 69632, ) == 0x0
 01355   464   NtClose  (124, ... ) == 0x0
 01356   464   NtProtectVirtualMemory  (-1, (0x76b21000), 556, 4, ... (0x76b21000), 4096, 32, ) == 0x0
 01357   464   NtProtectVirtualMemory  (-1, (0x76b21000), 4096, 32, ... (0x76b21000), 4096, 4, ) == 0x0
 01358   464   NtFlushInstructionCache  (-1, 1991380992, 556, ... ) == 0x0
 01359   464   NtProtectVirtualMemory  (-1, (0x76b21000), 556, 4, ... (0x76b21000), 4096, 32, ) == 0x0
 01360   464   NtProtectVirtualMemory  (-1, (0x76b21000), 4096, 32, ... (0x76b21000), 4096, 4, ) == 0x0
 01361   464   NtFlushInstructionCache  (-1, 1991380992, 556, ... ) == 0x0
 01362   464   NtProtectVirtualMemory  (-1, (0x76b21000), 556, 4, ... (0x76b21000), 4096, 32, ) == 0x0
 01363   464   NtProtectVirtualMemory  (-1, (0x76b21000), 4096, 32, ... (0x76b21000), 4096, 4, ) == 0x0
 01364   464   NtFlushInstructionCache  (-1, 1991380992, 556, ... ) == 0x0
 01365   464   NtProtectVirtualMemory  (-1, (0x76b21000), 556, 4, ... (0x76b21000), 4096, 32, ) == 0x0
 01366   464   NtProtectVirtualMemory  (-1, (0x76b21000), 4096, 32, ... (0x76b21000), 4096, 4, ) == 0x0
 01367   464   NtFlushInstructionCache  (-1, 1991380992, 556, ... ) == 0x0
 01368   464   NtProtectVirtualMemory  (-1, (0x5e0c1000), 432, 4, ... (0x5e0c1000), 4096, 32, ) == 0x0
 01369   464   NtProtectVirtualMemory  (-1, (0x5e0c1000), 4096, 32, ... (0x5e0c1000), 4096, 4, ) == 0x0
 01370   464   NtFlushInstructionCache  (-1, 1577848832, 432, ... ) == 0x0
 01371   464   NtProtectVirtualMemory  (-1, (0x5e0c1000), 432, 4, ... (0x5e0c1000), 4096, 32, ) == 0x0
 01372   464   NtProtectVirtualMemory  (-1, (0x5e0c1000), 4096, 32, ... (0x5e0c1000), 4096, 4, ) == 0x0
 01373   464   NtFlushInstructionCache  (-1, 1577848832, 432, ... ) == 0x0
 01374   464   NtProtectVirtualMemory  (-1, (0x5e0c1000), 432, 4, ... (0x5e0c1000), 4096, 32, ) == 0x0
 01375   464   NtProtectVirtualMemory  (-1, (0x5e0c1000), 4096, 32, ... (0x5e0c1000), 4096, 4, ) == 0x0
 01376   464   NtFlushInstructionCache  (-1, 1577848832, 432, ... ) == 0x0
 01377   464   NtProtectVirtualMemory  (-1, (0x5e0c1000), 432, 4, ... (0x5e0c1000), 4096, 32, ) == 0x0
 01378   464   NtProtectVirtualMemory  (-1, (0x5e0c1000), 4096, 32, ... (0x5e0c1000), 4096, 4, ) == 0x0
 01379   464   NtFlushInstructionCache  (-1, 1577848832, 432, ... ) == 0x0
 01380   464   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ATL.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01381   464   NtQueryPerformanceCounter  (... {930902936, 10}, {3579545, 0}, ) == 0x0
 01382   464   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pstorec.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01383   464   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "wininet.dll"}, ... 124, ) }, ... 124, ) == 0x0
 01384   464   NtMapViewOfSection  (124, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x42c10000), 0x0, 847872, ) == 0x0
 01385   464   NtClose  (124, ... ) == 0x0
 01386   464   NtProtectVirtualMemory  (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0
 01387   464   NtProtectVirtualMemory  (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0
 01388   464   NtFlushInstructionCache  (-1, 1119948800, 1452, ... ) == 0x0
 01389   464   NtProtectVirtualMemory  (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0
 01390   464   NtProtectVirtualMemory  (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0
 01391   464   NtFlushInstructionCache  (-1, 1119948800, 1452, ... ) == 0x0
 01392   464   NtProtectVirtualMemory  (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0
 01393   464   NtProtectVirtualMemory  (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0
 01394   464   NtFlushInstructionCache  (-1, 1119948800, 1452, ... ) == 0x0
 01395   464   NtProtectVirtualMemory  (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0
 01396   464   NtProtectVirtualMemory  (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0
 01397   464   NtFlushInstructionCache  (-1, 1119948800, 1452, ... ) == 0x0
 01398   464   NtProtectVirtualMemory  (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0
 01399   464   NtProtectVirtualMemory  (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0
 01400   464   NtFlushInstructionCache  (-1, 1119948800, 1452, ... ) == 0x0
 01401   464   NtProtectVirtualMemory  (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0
 01402   464   NtProtectVirtualMemory  (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0
 01403   464   NtFlushInstructionCache  (-1, 1119948800, 1452, ... ) == 0x0
 01404   464   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "Normaliz.dll"}, ... 124, ) }, ... 124, ) == 0x0
 01405   464   NtMapViewOfSection  (124, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x3c0000), 0x0, 36864, ) == STATUS_IMAGE_NOT_AT_BASE
 01406   464   NtProtectVirtualMemory  (-1, (0x3c1000), 18944, 4, ... (0x3c1000), 20480, 32, ) == 0x0
 01407   464   NtProtectVirtualMemory  (-1, (0x3c7000), 1024, 4, ... (0x3c7000), 4096, 2, ) == 0x0
 01408   464   NtProtectVirtualMemory  (-1, (0x3c8000), 1536, 4, ... (0x3c8000), 4096, 2, ) == 0x0
 01409   464   NtMapViewOfSection  (124, -1, (0x3c0000), 0, 0, 0x0, 36864, 1, 0, 4, ... ) == STATUS_CONFLICTING_ADDRESSES
 01410   464   NtProtectVirtualMemory  (-1, (0x3c1000), 18944, 16, ... (0x3c1000), 20480, 4, ) == 0x0
 01411   464   NtProtectVirtualMemory  (-1, (0x3c7000), 1024, 2, ... (0x3c7000), 4096, 8, ) == 0x0
 01412   464   NtProtectVirtualMemory  (-1, (0x3c8000), 1536, 2, ... (0x3c8000), 4096, 8, ) == 0x0
 01413   464   NtFlushInstructionCache  (-1, 0, 0, ... ) == 0x0
 01414   464   NtClose  (124, ... ) == 0x0
 01415   464   NtProtectVirtualMemory  (-1, (0x3c1000), 160, 4, ... (0x3c1000), 4096, 16, ) == 0x0
 01416   464   NtProtectVirtualMemory  (-1, (0x3c1000), 4096, 16, ... (0x3c1000), 4096, 4, ) == 0x0
 01417   464   NtFlushInstructionCache  (-1, 3936256, 160, ... ) == 0x0
 01418   464   NtProtectVirtualMemory  (-1, (0x3c1000), 160, 4, ... (0x3c1000), 4096, 16, ) == 0x0
 01419   464   NtProtectVirtualMemory  (-1, (0x3c1000), 4096, 16, ... (0x3c1000), 4096, 4, ) == 0x0
 01420   464   NtFlushInstructionCache  (-1, 3936256, 160, ... ) == 0x0
 01421   464   NtProtectVirtualMemory  (-1, (0x3c1000), 160, 4, ... (0x3c1000), 4096, 16, ) == 0x0
 01422   464   NtProtectVirtualMemory  (-1, (0x3c1000), 4096, 16, ... (0x3c1000), 4096, 4, ) == 0x0
 01423   464   NtFlushInstructionCache  (-1, 3936256, 160, ... ) == 0x0
 01424   464   NtProtectVirtualMemory  (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0
 01425   464   NtProtectVirtualMemory  (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0
 01426   464   NtFlushInstructionCache  (-1, 1119948800, 1452, ... ) == 0x0
 01427   464   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "iertutil.dll"}, ... 124, ) }, ... 124, ) == 0x0
 01428   464   NtMapViewOfSection  (124, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x42990000), 0x0, 282624, ) == 0x0
 01429   464   NtClose  (124, ... ) == 0x0
 01430   464   NtProtectVirtualMemory  (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0
 01431   464   NtProtectVirtualMemory  (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0
 01432   464   NtFlushInstructionCache  (-1, 1117327360, 616, ... ) == 0x0
 01433   464   NtProtectVirtualMemory  (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0
 01434   464   NtProtectVirtualMemory  (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0
 01435   464   NtFlushInstructionCache  (-1, 1117327360, 616, ... ) == 0x0
 01436   464   NtProtectVirtualMemory  (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0
 01437   464   NtProtectVirtualMemory  (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0
 01438   464   NtFlushInstructionCache  (-1, 1117327360, 616, ... ) == 0x0
 01439   464   NtProtectVirtualMemory  (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0
 01440   464   NtProtectVirtualMemory  (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0
 01441   464   NtFlushInstructionCache  (-1, 1117327360, 616, ... ) == 0x0
 01442   464   NtProtectVirtualMemory  (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0
 01443   464   NtProtectVirtualMemory  (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0
 01444   464   NtFlushInstructionCache  (-1, 1117327360, 616, ... ) == 0x0
 01445   464   NtProtectVirtualMemory  (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0
 01446   464   NtProtectVirtualMemory  (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0
 01447   464   NtFlushInstructionCache  (-1, 1117327360, 616, ... ) == 0x0
 01448   464   NtProtectVirtualMemory  (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0
 01449   464   NtProtectVirtualMemory  (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0
 01450   464   NtFlushInstructionCache  (-1, 1119948800, 1452, ... ) == 0x0
 01451   464   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Normaliz.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01452   464   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iertutil.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01453   464   NtQueryPerformanceCounter  (... {930910766, 10}, {3579545, 0}, ) == 0x0
 01454   464   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wininet.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01455   464   NtQueryPerformanceCounter  (... {930911051, 10}, {3579545, 0}, ) == 0x0
 01456   464   NtAllocateVirtualMemory  (-1, 1347584, 0, 8192, 4096, 4, ... 1347584, 8192, ) == 0x0
 01457   464   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01458   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 9568256, 1048576, ) == 0x0
 01459   464   NtAllocateVirtualMemory  (-1, 9568256, 0, 4096, 4096, 4, ... 9568256, 4096, ) == 0x0
 01460   464   NtAllocateVirtualMemory  (-1, 9572352, 0, 8192, 4096, 4, ... 9572352, 8192, ) == 0x0
 01461   464   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 124, ) == 0x0
 01462   464   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1237568,  (0xc0100080, {24, 0, 0x40, 0, 1237568, "\??\WMIDataDevice"}, 0x0, 128, 0, 1, 64, 0, 0, ... 128, {status=0x0, info=0}, ) }, 0x0, 128, 0, 1, 64, 0, 0, ... 128, {status=0x0, info=0}, ) == 0x0
 01463   464   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 132, ) == 0x0
 01464   464   NtDeviceIoControlFile  (128, 132, 0x0, 0x12e2a0, 0x22414c,  (128, 132, 0x0, 0x12e2a0, 0x22414c, "\350\342\22\0\0\0\0\0\1\0\0\0\2\0\0\0\24\0\0\0\34\0\0\0P\0\0\0\0\0\0\0L\0\0\0\0\0\0\0\2\0\0\0U\4\376\14\272\223\15D\243\376U9s\320\267#\0\20\10\0\0\0\0\0\0\0\0\0U\4\376\14\272\223\15D\243\376U9s\320\267#\0\0\10\0\0\0\0\0\0\0\0\0\2\0\0\0", 104, 80, ... , 104, 80, ...
 01465   464   NtOpenKey  (0x82000000, {24, 0, 0x240, 0, 0,  (0x82000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\WMI\Security"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0
 01466   464   NtQueryValueKey  (-2147482740,  (-2147482740, "DF8480A1-7492-4F45-AB78-1084642581FB", Full, 130, ... ) , Full, 130, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01467   464   NtQueryValueKey  (-2147482740,  (-2147482740, "00000000-0000-0000-0000-000000000000", Full, 130, ... ) , Full, 130, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01468   464   NtClose  (-2147482740, ... ) == 0x0
 01469   464   NtClose  (908, ... ) == 0x0
 01464   464   NtDeviceIoControlFile  ... {status=0x0, info=80},  ... {status=0x0, info=80}, "\230\250\265\341\0\0\0\0U\4\376\14\272\223\15D\243\376U9s\320\267#\310<\373\341\250\266C\0\0\0\0\0\0\0\0\0\2\0\0\0U\4\376\14\272\223\15D\243\376U9s\320\267#\0\20\10\0\210\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01470   464   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1237784,  (0xc0100080, {24, 0, 0x40, 0, 1237784, "\??\WMIDataDevice"}, 0x0, 128, 0, 1, 64, 0, 0, ... 140, {status=0x0, info=0}, ) }, 0x0, 128, 0, 1, 64, 0, 0, ... 140, {status=0x0, info=0}, ) == 0x0
 01471   464   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 144, ) == 0x0
 01472   464   NtDuplicateObject  (-1, -1, -1, 0x0, 0, 2, ... 148, ) == 0x0
 01473   464   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 152, ) == 0x0
 01474   464   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 156, ) == 0x0
 01475   464   NtAllocateVirtualMemory  (-1, 9580544, 0, 8192, 4096, 4, ... 9580544, 8192, ) == 0x0
 01476   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 10616832, 1048576, ) == 0x0
 01477   464   NtAllocateVirtualMemory  (-1, 11657216, 0, 8192, 4096, 4, ... 11657216, 8192, ) == 0x0
 01478   464   NtProtectVirtualMemory  (-1, (0xb1e000), 4096, 260, ... (0xb1e000), 4096, 4, ) == 0x0
 01479   464   NtCreateThread  (0x1f03ff, 0x0, -1, 1236868, 1236812, 1, ... 160, {1036, 888}, ) == 0x0
 01480   464   NtQueryInformationThread  (160, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffde000,Pid=1036,Tid=888,}, 0x0, ) == 0x0
 01481   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 17, 1237636, 1319072, 9568632}  (24, {28, 56, new_msg, 0, 17, 1237636, 1319072, 9568632} "\0\0\0\0\1\0\1\0\200\0\0\0(\2\0\0\240\0\0\0\14\4\0\0x\3\0\0" ... {28, 56, reply, 0, 1036, 464, 57996, 0} "\0\0\0\0\1\0\1\0\0\0\0\0(\2\0\0\240\0\0\0\14\4\0\0x\3\0\0" )  ... {28, 56, reply, 0, 1036, 464, 57996, 0}  (24, {28, 56, new_msg, 0, 17, 1237636, 1319072, 9568632} "\0\0\0\0\1\0\1\0\200\0\0\0(\2\0\0\240\0\0\0\14\4\0\0x\3\0\0" ... {28, 56, reply, 0, 1036, 464, 57996, 0} "\0\0\0\0\1\0\1\0\0\0\0\0(\2\0\0\240\0\0\0\14\4\0\0x\3\0\0" )  ) == 0x0
 01482   464   NtResumeThread  (160, ... 1, ) == 0x0
 01483   464   NtClose  (160, ... ) == 0x0
 01484   888   NtCreateEvent  (0x100003, 0x0, 1, 0, ... 160, ) == 0x0
 01485   888   NtWaitForSingleObject  (160, 0, 0x0, ...
 01486   464   NtSetEvent  (144, ... 0x0, ) == 0x0
 01487   464   NtSetEvent  (124, ... 0x0, ) == 0x0
 01488   464   NtClose  (124, ... ) == 0x0
 01489   464   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 124, ) == 0x0
 01490   464   NtAllocateVirtualMemory  (-1, 9588736, 0, 4096, 4096, 4, ... 9588736, 4096, ) == 0x0
 01491   464   NtDeviceIoControlFile  (128, 132, 0x0, 0x12e2a0, 0x22414c,  (128, 132, 0x0, 0x12e2a0, 0x22414c, "\350\342\22\0\0\0\0\0\2\0\0\0\2\0\0\0\24\0\0\0\34\0\0\0P\0\0\0\0\0\0\0L\0\0\0\0\0\0\0\2\0\0\0\254\253\177yX{\226G\271$\325\21x\245\234\344\0\20\10\0\0\0\0\0\0\0\0\0\254\253\177yX{\226G\271$\325\21x\245\234\344\0\0\10\0\0\0\0\0\0\0\0\0\2\0\0\0", 104, 80, ... , 104, 80, ...
 01492   464   NtOpenKey  (0x82000000, {24, 0, 0x240, 0, 0,  (0x82000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\WMI\Security"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0
 01493   464   NtQueryValueKey  (-2147482740,  (-2147482740, "DF8480A1-7492-4F45-AB78-1084642581FB", Full, 130, ... ) , Full, 130, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01494   464   NtQueryValueKey  (-2147482740,  (-2147482740, "00000000-0000-0000-0000-000000000000", Full, 130, ... ) , Full, 130, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01495   464   NtClose  (-2147482740, ... ) == 0x0
 01496   464   NtClose  (908, ... ) == 0x0
 01491   464   NtDeviceIoControlFile  ... {status=0x0, info=80},  ... {status=0x0, info=80}, "\300;\266\341\0\0\0\0\254\253\177yX{\226G\271$\325\21x\245\234\344\260C\261\341gs\25\0\0\0\0\0\0\0\0\0\2\0\0\0\254\253\177yX{\226G\271$\325\21x\245\234\344\0\20\10\0\244\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01497   464   NtSetEvent  (144, ... 0x0, ) == 0x0
 01498   464   NtSetEvent  (124, ... 0x0, ) == 0x0
 01499   464   NtClose  (124, ... ) == 0x0
 01500   464   NtOpenThreadToken  (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN
 01501   464   NtOpenProcessToken  (-1, 0xa, ... 124, ) == 0x0
 01502   464   NtDuplicateToken  (124, 0xc, {24, 0, 0x0, 0, 1238052, 0x0}, 0, 2, ... 168, ) == 0x0
 01503   464   NtClose  (124, ... ) == 0x0
 01504   464   NtAccessCheck  (1341904, 168, 0x1, 1238128, 1238180, 56, 1238160, ... (0x1), ) == 0x0
 01505   464   NtClose  (168, ... ) == 0x0
 01506   464   NtQueryDefaultUILanguage  (1236932, ...
 01507   464   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01508   464   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482740, ) == 0x0
 01509   464   NtQueryInformationToken  (-2147482740, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01510   464   NtClose  (-2147482740, ... ) == 0x0
 01511   464   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0
 01512   464   NtOpenKey  (0x80000000, {24, -2147482740, 0x240, 0, 0,  (0x80000000, {24, -2147482740, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01513   464   NtOpenKey  (0x80000000, {24, -2147482740, 0x640, 0, 0,  (0x80000000, {24, -2147482740, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481328, ) }, ... -2147481328, ) == 0x0
 01514   464   NtQueryValueKey  (-2147481328,  (-2147481328, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01515   464   NtClose  (-2147481328, ... ) == 0x0
 01516   464   NtClose  (-2147482740, ... ) == 0x0
 01506   464   NtQueryDefaultUILanguage  ... ) == 0x0
 01517   464   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01518   464   NtAllocateVirtualMemory  (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0
 01519   464   NtQueryDefaultLocale  (1, 1235028, ... ) == 0x0
 01520   464   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01521   464   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 2088850039, 1236064, 1179817, 1235788}  (24, {128, 156, new_msg, 0, 2088850039, 1236064, 1179817, 1235788} "\210\6\31\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\0\0\0\0\377\377\377\377\0\0\0\0PR\313B\0\0\0\0\370\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0T\340\22\0\0\0\0\0" ... {128, 156, reply, 0, 1036, 464, 57997, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\0\0\0\0\377\377\377\377\0\0\0\0PR\313B\0\0\0\0\370\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0T\340\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 1036, 464, 57997, 0}  (24, {128, 156, new_msg, 0, 2088850039, 1236064, 1179817, 1235788} "\210\6\31\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\0\0\0\0\377\377\377\377\0\0\0\0PR\313B\0\0\0\0\370\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0T\340\22\0\0\0\0\0" ... {128, 156, reply, 0, 1036, 464, 57997, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\0\0\0\0\377\377\377\377\0\0\0\0PR\313B\0\0\0\0\370\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0T\340\22\0\0\0\0\0" )  ) == 0x0
 01522   464   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01523   464   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01524   464   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01525   464   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01526   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1234256, ... ) }, 1234256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01527   464   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01528   464   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01529   464   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01530   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03"}, 1234320, ... ) }, 1234320, ... ) == 0x0
 01531   464   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03"}, 3, 33, ... 168, {status=0x0, info=1}, ) }, 3, 33, ... 168, {status=0x0, info=1}, ) == 0x0
 01532   464   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01533   464   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01534   464   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 124, ) == 0x0
 01535   464   NtQueryInformationToken  (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01536   464   NtClose  (124, ... ) == 0x0
 01537   464   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 124, ) }, ... 124, ) == 0x0
 01538   464   NtSetInformationObject  (124, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 01539   464   NtCreateKey  (0x2001f, {24, 124, 0x40, 0, 0,  (0x2001f, {24, 124, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 172, 2, ) }, 0, 0x0, 0, ... 172, 2, ) == 0x0
 01540   464   NtSetEventBoostPriority  (160, ...
 01485   888   NtWaitForSingleObject  ... ) == 0x0
 01541   888   NtTestAlert  (... ) == 0x0
 01542   888   NtContinue  (11664688, 1, ...
 01543   888   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01544   888   NtDeviceIoControlFile  (140, 152, 0x0, 0x77e466a0, 0x228144,  (140, 152, 0x0, 0x77e466a0, 0x228144, "\2\0\0\0\1\0\0\0\\370\342w\0\0\0\0\224\0\0\0\0\0\0\0\244\0\0\0\0\0\0\0\210\0\0\0\0\0\0\0", 40, 4096, ... {status=0x103, info=0}, "", ) , 40, 4096, ... {status=0x103, info=0}, "", ) == 0x103
 01540   464   NtSetEventBoostPriority  ... ) == 0x0
 01545   464   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "psapi.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01546   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\psapi.dll"}, 1238148, ... }, 1238148, ...
 01547   888   NtWaitForMultipleObjects  (2, (144, 152, ), 1, 1, {1294967296, -1}, ... ) == 0x0
 01548   888   NtDeviceIoControlFile  (140, 156, 0x0, 0x77e46680, 0x228144,  (140, 156, 0x0, 0x77e46680, 0x228144, "\2\0\0\0\1\0\0\0\\370\342w\0\0\0\0\224\0\0\0\0\0\0\0\244\0\0\0\0\0\0\0\210\0\0\0\0\0\0\0", 40, 4096, ... {status=0x103, info=0}, "", ) , 40, 4096, ... {status=0x103, info=0}, "", ) == 0x103
 01549   888   NtWaitForMultipleObjects  (2, (144, 156, ), 1, 1, {1294967296, -1}, ...
 01546   464   NtQueryAttributesFile  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01550   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\psapi.dll"}, 1238148, ... ) }, 1238148, ... ) == 0x0
 01551   464   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\psapi.dll"}, 5, 96, ... 176, {status=0x0, info=1}, ) }, 5, 96, ... 176, {status=0x0, info=1}, ) == 0x0
 01552   464   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 176, ... 180, ) == 0x0
 01553   464   NtQuerySection  (180, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01554   464   NtClose  (176, ... ) == 0x0
 01555   464   NtMapViewOfSection  (180, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76bf0000), 0x0, 45056, ) == 0x0
 01556   464   NtClose  (180, ... ) == 0x0
 01557   464   NtProtectVirtualMemory  (-1, (0x76bf1000), 236, 4, ... (0x76bf1000), 4096, 32, ) == 0x0
 01558   464   NtProtectVirtualMemory  (-1, (0x76bf1000), 4096, 32, ... (0x76bf1000), 4096, 4, ) == 0x0
 01559   464   NtFlushInstructionCache  (-1, 1992232960, 236, ... ) == 0x0
 01560   464   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\psapi.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01561   464   NtAllocateVirtualMemory  (-1, 3428352, 0, 8192, 4096, 4, ... 3428352, 8192, ) == 0x0
 01562   464   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01563   464   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 180, ) == 0x0
 01564   464   NtQueryInformationToken  (180, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01565   464   NtClose  (180, ... ) == 0x0
 01566   464   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 180, ) }, ... 180, ) == 0x0
 01567   464   NtOpenKey  (0x20019, {24, 180, 0x40, 0, 0,  (0x20019, {24, 180, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Providers\Type 001"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01568   464   NtClose  (180, ... ) == 0x0
 01569   464   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 001"}, ... 180, ) }, ... 180, ) == 0x0
 01570   464   NtQueryValueKey  (180,  (180, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (180, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 01571   464   NtQueryValueKey  (180,  (180, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (180, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 01572   464   NtQueryValueKey  (180,  (180, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (180, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 01573   464   NtQueryValueKey  (180,  (180, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (180, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 01574   464   NtClose  (180, ... ) == 0x0
 01575   464   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider"}, ... 180, ) }, ... 180, ) == 0x0
 01576   464   NtQueryValueKey  (180,  (180, "Type", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (180, "Type", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01577   464   NtQueryValueKey  (180,  (180, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 34, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (180, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 34, ) }, 34, ) == 0x0
 01578   464   NtQueryValueKey  (180,  (180, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 34, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (180, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 34, ) }, 34, ) == 0x0
 01579   464   NtQueryValueKey  (180,  (180, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 34, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (180, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 34, ) }, 34, ) == 0x0
 01580   464   NtQueryValueKey  (180,  (180, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 34, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (180, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 34, ) }, 34, ) == 0x0
 01581   464   NtQuerySystemInformation  (KernelDebugger, 2, ... {system info, class 35, size 2}, -1, ) == 0x0
 01582   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\rsaenh.dll"}, 1238568, ... ) }, 1238568, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01583   464   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "rsaenh.dll"}, 1238568, ... ) }, 1238568, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01584   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rsaenh.dll"}, 1238568, ... ) }, 1238568, ... ) == 0x0
 01585   464   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1239076,  (0x80100080, {24, 0, 0x40, 0, 1239076, "\??\C:\WINDOWS\system32\rsaenh.dll"}, 0x0, 128, 1, 1, 96, 0, 0, ... 176, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 176, {status=0x0, info=1}, ) == 0x0
 01586   464   NtQueryInformationFile  (176, 1239056, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01587   464   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 176, ... 184, ) == 0x0
 01588   464   NtMapViewOfSection  (184, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xb20000), {0, 0}, 155648, ) == 0x0
 01589   464   NtClose  (184, ... ) == 0x0
 01590   464   NtClose  (176, ... ) == 0x0
 01591   464   NtUnmapViewOfSection  (-1, 0xb20000, ... ) == 0x0
 01592   464   NtQueryFullAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rsaenh.dll"}, 1239304, ... ) }, 1239304, ... ) == 0x0
 01593   464   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1239140,  (0x80100080, {24, 0, 0x40, 0, 1239140, "\??\C:\WINDOWS\system32\rsaenh.dll"}, 0x0, 128, 1, 1, 96, 0, 0, ... 176, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 176, {status=0x0, info=1}, ) == 0x0
 01594   464   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 176, ... 184, ) == 0x0
 01595   464   NtMapViewOfSection  (184, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xb20000), {0, 0}, 155648, ) == 0x0
 01596   464   NtQueryDefaultLocale  (1, 1239032, ... ) == 0x0
 01597   464   NtQueryVirtualMemory  (-1, 0xb20000, Basic, 28, ... {BaseAddress=0xb20000,AllocationBase=0xb20000,AllocationProtect=0x2,RegionSize=0x26000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01598   464   NtQueryVirtualMemory  (-1, 0xb20000, Basic, 28, ... {BaseAddress=0xb20000,AllocationBase=0xb20000,AllocationProtect=0x2,RegionSize=0x26000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01599   464   NtReadFile  (176, 0, 0, 0, 328, 0x0, 0, ... {status=0x0, info=328},  (176, 0, 0, 0, 328, 0x0, 0, ... {status=0x0, info=328}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\7\267\232\34C\326\364OC\326\364OC\326\364O\200\331\373OJ\326\364OC\326\365O\320\326\364O\200\331\251OH\326\364O\200\331\250OB\326\364O\200\331\252OB\326\364O\200\331\224OB\326\364O\200\331\253Oj\326\364O\200\331\256OB\326\364ORichC\326\364O\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\4\0(]\353@\0\0\0\0\0\0\0\0\340\0\16!\13\1\7\12\0\14\2\0\0F\0\0\0\0\0\0\3414\1\0\0\20\0\0\0 \2\0\0\0\375\17\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0\200\2\0\0\4\0\0", ) , ) == 0x0
 01600   464   NtQueryInformationFile  (176, 1239192, 8, Position, ... {status=0x0, info=8}, ) == 0x0
 01601   464   NtSetInformationFile  (176, 1239192, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01602   464   NtReadFile  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\3\0\0\10\0\0\4\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\200\30\2\0\273\2\0\08\14\2\0x\0\0\0\0P\2\0P\14\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\2\0\354\16\0\00\22\0\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200`\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\20\0\00\2\0\00\12\2\0\340\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0;\13\2\0\0\20\0\0\0\14\2\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0`.data\0\0\0\210%\0\0\0 \2\0\0$\0\0\0\20\2\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0\300.rsrc\0\0\0P\14\0\0\0P\2\0\0\16\0\0\04\2\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0@.reloc\0\0r\20\0\0\0`\2\0\0\22\0\0\0B\2\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0B\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01603   464   NtReadFile  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0 \0\0@ \0\200\0\0 \0@ \0\0@  \200\0  \0\0\0\0\200\0 \0\200@\0\0\200\0\0 \200@  \0\0\0 \0@ \0\200@\0 \200\0\0\0\0\0 \0\0@\0\0\0\0  \200@\0 \200@  \200\0\0 \200\0\0\0\200@ \0\0@\0\0\0\0  \0@  \0\0 \0\200@ \0\0\0\0\0\200\0 \0\200@  \0\0  \200@\0 \0\0\0\0\0\0 \0\200\0\0\0\200\0 \0\0@\0 \200\0\0 \0@\0 \0@  \200\0  \0@\0\0\0@  \200\0  \0\0\0 \0@ \0\200@\0\0\200\0\0 \200@  \0\0\0\0\0\0 \0\0@\0\0\200@ \0\200\0  \200\0\0 \200@ \0\0@\0\0\0@\0 \200\0@\0\0\0\2\0\0\0\2\0\1\4\0\0\1\4B\0\1\4@\0\0\0B\0\0\0\0\0\0\0\0\0\1\4\2\0\1\4\2\0\0\0@\0\1\4\0\0\0\0B\0\1\0@\0\1\4\2\0\0\4\2\0\1\0@\0\0\4@\0\0\4B\0\1\0\0\0\0\0\2\0\1\4\0\0\1\0B\0\0\4@\0\1\4B\0\0\0B\0\1\4\0\0\0\4B\0\0\4@\0\1\0\2\0\0\0\0\0\1\4B\0\0\0@\0\1\4@\0\1\4\2\0\0\0@\0\0\0\2\0\0\0\0\0\1\4@\0\1\4\2\0\1\4B\0\0\0B\0\0\0\0\0\0\0\2\0\0\4\0\0\1\4\0\0\0\0\2\0\1\0\0\0\0\4\2\0\1\0\2\0\1\0B\0\0\4\2\0\0\0@\0\0\4B\0\1\0\0\0\1\0B\0\1\4\0\0\0\4@\0\0\4B\0\1\4\0\0\1\0B\0\1\0@\0\1\4@\0\0\200\0\200 \0\0\202 ", ) , ) == 0x0
 01604   464   NtReadFile  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\250TT\374m\273\273\326,\26\26:\245\306cc\204\370||\231\356ww\215\366{{\15\377\362\362\275\326kk\261\336ooT\221\305\305P`00\3\2\1\1\251\316gg}V++\31\347\376\376b\265\327\327\346M\253\253\232\354vvE\217\312\312\235\37\202\202@\211\311\311\207\372}}\25\357\372\372\353\262YY\311\216GG\13\373\360\360\354A\255\255g\263\324\324\375_\242\242\352E\257\257\277#\234\234\367S\244\244\226\344rr[\233\300\300\302u\267\267\34\341\375\375\256=\223\223jL&&Zl66A~??\2\365\367\367O\203\314\314\h44\364Q\245\2454\321\345\345\10\371\361\361\223\342qqs\253\330\330Sb11?*\25\25\14\10\4\4R\225\307\307eF##^\235\303\303(0\30\30\2417\226\226\17\12\5\5\265/\232\232\11\16\7\76$\22\22\233\33\200\200=\337\342\342&\315\353\353iN''\315\177\262\262\237\352uu\33\22\11\11\236\35\203\203tX,,.4\32\32-6\33\33\262\334nn\356\264ZZ\373[\240\240\366\244RRMv;;a\267\326\326\316}\263\263{R))>\335\343\343q^//\227\23\204\204\365\246SSh\271\321\321\0\0\0\0,\301\355\355`@  \37\343\374\374\310y\261\261\355\266[[\276\324jjF\215\313\313\331g\276\276Kr99\336\224JJ\324\230LL\350\260XXJ\205\317\317k\273\320\320*\305\357\357\345O\252\252\26\355\373\373\305\206CC\327\232MMUf33\224\21\205\205\317\212EE\20\351\371\371\6\4\2\2\201\376\177\177\360\240PPDx<<\272%\237\237\343K\250\250\363\242QQ\376]\243\243\300\200@@\212\5\217\217\255?\222\222\274!\235\235Hp88\4\361\365\365\337c\274\274\301w\266\266", ) , ) == 0x0
 01605   464   NtReadFile  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\3252\266pHl\t\320\270WBPQ\364\247S~Ae\303\32\27\244\226:'^\313;\253k\361\37\235E\253\254\372X\223K\343\3U 0\372\366\255vm\221\210\314v%\365\2L\374O\345\327\327\305*\313\200&5D\217\265b\243I\336\261Zg%\272\33\230E\352\16\341]\376\300\2\303/u\22\201L\360\243\215F\227\306k\323\371\347\3\217_\225\25\222\234\353\277mz\332\225RY-\324\276\203\323Xt!)I\340iD\216\311\310ju\302\211x\364\216yk\231X>\335'\271q\266\276\341O\27\360\210\255f\311 \254\264}\316:\30c\337J\202\345\321`\227Q3EbS\177\340\261dw\204\273k\256\34\376\201\240\224\371\10+XpHh\31\217E\375\207\224\336l\267R{\370#\253s\323\342rK\2W\343\37\217*fU\253\7\262\353(\3/\265\302\232\206\305{\245\3237\10\3620(\207\262#\277\245\272\2\3j\\355\26\202+\212\317\34\222\247y\264\360\363\7\362\241Ni\342\315e\332\364\325\6\5\276\37\3214b\212\304\246\376\2354.S\240\242\363U2\5\212\341u\244\366\3539\13\203\354\252@`\357\6^q\237Q\275n\20\371>!\212=\226\335\6\256\335>\5FM\346\275\265\221T\215\5q\304]o\4\6\324\377`P\25$\31\230\373\227\326\275\351\314\211@Cwg\331\236\275\260\350B\210\7\211\2138\347\31[\333y\310\356G\241|\12\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*", ) , ) == 0x0
 01606   464   NtReadFile  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "<"\340C.9\367^ 0\372U\354\232\267\1\342\223\272\12\360\210\255\27\376\201\240\34\324\276\203-\332\267\216&\310\254\231;\306\245\2240\234\322\337Y\222\333\322R\200\300\305O\216\311\310D\244\366\353u\252\377\346~\270\344\361c\266\355\374h\14\12g\261\2\3j\272\20\30}\247\36\21p\2544.S\235:'^\226("@\35\236/KG\351d"I\340i)[\373~4U\362s?\177\315P\16q\304]\5c\337J\30m\326G\23\3271\334\312\3318\321\301\313#\306\334\305*\313\327\357\25\350\346\341\34\345\355\363\7\362\360\375\16\377\373\247y\264\222\251p\271\231\273k\256\204\265b\243\217\237]\200\276\221T\215\265\203O\232\250\215F\227\243\0\0\0\0\13\16\11\15\26\34\22\32\35\22\33\27,8$4'6-9:$6.1*?#XpHhS~AeNlZrEbS\177tHl\\177FeQbT~FiZwK\260\340\220\320\273\356\231\335\246\374\202\312\255\362\213\307\234\330\264\344\227\326\275\351\212\304\246\376\201\312\257\363\350\220\330\270\343\236\321\265\376\214\312\242\365\202\303\257\304\250\374\214\317\246\365\201\322\264\356\226\331\272\347\233{\333;\273p\3252\266m\307)\241f\311 \254W\343\37\217\\355\26\202A\377\15\225J\361\4\230#\253s\323(\245z\3365\267a\311>\271h\304\17\223W\347\4\235^\352\31\217E\375\22\201L\360\313;\253k\3005\242f\335'\271q\326)\260|\347\3\217_\354\15\206R\361\37\235E\372\21\224H\223K\343\3\230E\352\16", ) \340C.9\367^ 0\372U\354\232\267\1\342\223\272\12\360\210\255\27\376\201\240\34\324\276\203-\332\267\216&\310\254\231;\306\245\2240\234\322\337Y\222\333\322R\200\300\305O\216\311\310D\244\366\353u\252\377\346~\270\344\361c\266\355\374h\14\12g\261\2\3j\272\20\30}\247\36\21p\2544.S\235:'^\226(213&5D\200|B\17\351rK\2\342`P\25\377nY\30\364Df;\305Jo6\316Xt!\323V},\3307\241\14z9\250\1q+\263\26l%\272\33g\17\2058V\1\2145]\23\227 (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "<"\340C.9\367^ 0\372U\354\232\267\1\342\223\272\12\360\210\255\27\376\201\240\34\324\276\203-\332\267\216&\310\254\231;\306\245\2240\234\322\337Y\222\333\322R\200\300\305O\216\311\310D\244\366\353u\252\377\346~\270\344\361c\266\355\374h\14\12g\261\2\3j\272\20\30}\247\36\21p\2544.S\235:'^\226("@\35\236/KG\351d"I\340i)[\373~4U\362s?\177\315P\16q\304]\5c\337J\30m\326G\23\3271\334\312\3318\321\301\313#\306\334\305*\313\327\357\25\350\346\341\34\345\355\363\7\362\360\375\16\377\373\247y\264\222\251p\271\231\273k\256\204\265b\243\217\237]\200\276\221T\215\265\203O\232\250\215F\227\243\0\0\0\0\13\16\11\15\26\34\22\32\35\22\33\27,8$4'6-9:$6.1*?#XpHhS~AeNlZrEbS\177tHl\\177FeQbT~FiZwK\260\340\220\320\273\356\231\335\246\374\202\312\255\362\213\307\234\330\264\344\227\326\275\351\212\304\246\376\201\312\257\363\350\220\330\270\343\236\321\265\376\214\312\242\365\202\303\257\304\250\374\214\317\246\365\201\322\264\356\226\331\272\347\233{\333;\273p\3252\266m\307)\241f\311 \254W\343\37\217\\355\26\202A\377\15\225J\361\4\230#\253s\323(\245z\3365\267a\311>\271h\304\17\223W\347\4\235^\352\31\217E\375\22\201L\360\313;\253k\3005\242f\335'\271q\326)\260|\347\3\217_\354\15\206R\361\37\235E\372\21\224H\223K\343\3\230E\352\16", ) I\340i)[\373~4U\362s?\177\315P\16q\304]\5c\337J\30m\326G\23\3271\334\312\3318\321\301\313#\306\334\305*\313\327\357\25\350\346\341\34\345\355\363\7\362\360\375\16\377\373\247y\264\222\251p\271\231\273k\256\204\265b\243\217\237]\200\276\221T\215\265\203O\232\250\215F\227\243\0\0\0\0\13\16\11\15\26\34\22\32\35\22\33\27,8$4'6-9:$6.1*?#XpHhS~AeNlZrEbS\177tHl\\177FeQbT~FiZwK\260\340\220\320\273\356\231\335\246\374\202\312\255\362\213\307\234\330\264\344\227\326\275\351\212\304\246\376\201\312\257\363\350\220\330\270\343\236\321\265\376\214\312\242\365\202\303\257\304\250\374\214\317\246\365\201\322\264\356\226\331\272\347\233{\333;\273p\3252\266m\307)\241f\311 \254W\343\37\217\\355\26\202A\377\15\225J\361\4\230#\253s\323(\245z\3365\267a\311>\271h\304\17\223W\347\4\235^\352\31\217E\375\22\201L\360\313;\253k\3005\242f\335'\271q\326)\260|\347\3\217_\354\15\206R\361\37\235E\372\21\224H\223K\343\3\230E\352\16", ) == 0x0
 01607   464   NtReadFile  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "M\0a\0c\0h\0i\0n\0e\0K\0e\0y\0s\0\0\0-%lu\0\0\0\00x%02hx%02hx%02hx%02hx%02hx%02hx\0\0\0\0%lu\0S-%lu-\0\0-\0%\0l\0u\0\0\0\0\00\0x\0%\00\02\0h\0x\0%\00\02\0h\0x\0%\00\02\0h\0x\0%\00\02\0h\0x\0%\00\02\0h\0x\0%\00\02\0h\0x\0\0\0\0\0%\0l\0u\0\0\0S\0-\0%\0l\0u\0-\0\0\0\0\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0C\0r\0y\0p\0t\0o\0\\0R\0S\0A\0\\0\0\0\0\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0C\0r\0y\0p\0t\0o\0\\0D\0S\0S\0\\0\0\0\0\0SeRestorePrivilege\0\0SeBackupPrivilege\0\0\0.DEFAULT\0\0\0\0Software\Microsoft\Cryptography\UserKeys\0\0\0\0Software\Microsoft\Cryptography\MachineKeys\0Software\Microsoft\Cryptography\DSSUserKeys\0*\0\0\0SeSecurityPrivilege\0OffloadModEx", ) , ) == 0x0
 01608   464   NtReadFile  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "3\300@\213M\374_^\350\317\305\0\0\311\302\14\0\314\314\314\314\314\213\377U\213\354\213E\10\203x\4\14u\26\201}\14\1\200\0\0t\11\201}\14\2\200\0\0u\43\300\353\33\300@]\302\10\0\314\314\314\314\314\213\377U\213\354\213E\10-\1\200\0\0VW\17\204\211\0\0\0HtWHt9Ht\12\270\10\0\11\200\351\235\0\0\0jt_W\350\324G\1\0\213\360\205\366u\10j\10X\351\206\0\0\0V\350\311\310\0\0\203&\0\213E\14\2110\213E\20\2118\353ojl_W\350\250G\1\0\213\360\205\366t\324\203fh\0V\350}\310\0\0\353\331jd\350\217G\1\0\213\360\205\366t\273j\31Y3\300\213\376\363\253!F\34V\350\220\24\1\0\213E\20\307\0d\0\0\0\213E\14\2110\353%j8^V\350^G\1\0\213\320\205\322t\2123\300j\16Y\213\372\363\253!B4\213E\20\2110\213E\14\211\203\300_^]\302\14\0\314\314\314\314\314\213\377U\213\354S3\3339]\24VWt\12\277\11\0\11\200\351\243\0\0\0S\377u\10\350[\223\0\0;\303u\12\277\1\0\11\200\351\214\0\0\0\213u\14VP\350\306\376\377\377\205\300u\7\277\10\0\11\200\353wj8\350\351F\1\0\213\3303\322;\332\17\204\361\0\0\0j\163\300Y\213\373\363\253\213M\10\213\306-\2L\0\0\211s\4\211\13\17\204\254\1\0\0-\34\0\0\17\204F\1\0\0\203\350\3\17\204%\1\0\0H\17\204\366\0\0\0Ht\9U\20\17\205\250\1\0\0\215C\10P\215C\14PV\350\205\376\377\377\205\300u\13Sj\1\377u\30\3503\223\0\0\213\3703\300\205\377\17\224\300\213\360\205\366u\36\205\333t\23\213C\14\205\300t\6P\350\236F\1\0S\350\230F", ) , ) == 0x0
 01609   464   NtReadFile  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\253\253\2533\300@S\211s<\211s@\211C\\211C`\211sd\350P\377\377\377\213E\30;\306\213M\20\211K\14t"9u\34t\5\211C\20\353\30\213{\20\213\360\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213M\203\366\201\352\1f\0\0tuJtTJt3\203\352\6t\37\203\352\5t\21Jt\16Jt\13\211s`\211sx\351\200\0\0\0\307Cx\20\0\0\0\353w\203{\14\20uM9u u\31j\20\353\15\203{\14\30u>9u u\12j\30\377s\20\350T\17\1\0\307Cx\10\0\0\0\353J\213E\249\260\204\1\0\0u\11\307Cl(\0\0\0\353\343\213\301\301\340\3\211Cl\353\331j\10_9{\14t\23\277\11\0\11\200;\336t\6S\350\2607\1\0\213\307\353\309u u\11W\377s\20\350\4\17\1\0\211{x\213E$\211\303\300_^[]\302 \0\314\314\314\314\314\213\377U\213\354V\213u\10\213F\20\205\300t\6P\350r7\1\0\213F\30\205\300t\6P\350e7\1\0V\350_7\1\0^]\302\4\0\314\314\314\314\314\213\377U\213\354\213E\14\213M\30W3\3223\377-\0$\0\0\211\21t\31-\1B\0\0tlHtUHtF\203\350\6t5-\367=\0\0u\6\307\1\1\0\0\0\213E\20R\301\340\3P\377u\14\213E\10\3774\205HB\377\17\350\204\207\1\0\205\300t\33\377G\213\307_]\302\24\0\203}\20\20t\360\203}\20\16\353*\203}\20\30t\344\203}\20\25\353\369U\24u\331\213E\20R\301\340\3Ph\2f\0\0\353\267\203}\20\10t\304\203}\20\7u\301\353\274\314\314\314\314\314\213\377U\213\354\213E\14V3\366\205\300t \215M\14Q\377u\20\377p\14\377p\4", ) 9u\34t\5\211C\20\353\30\213{\20\213\360\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213M\203\366\201\352\1f\0\0tuJtTJt3\203\352\6t\37\203\352\5t\21Jt\16Jt\13\211s`\211sx\351\200\0\0\0\307Cx\20\0\0\0\353w\203{\14\20uM9u u\31j\20\353\15\203{\14\30u>9u u\12j\30\377s\20\350T\17\1\0\307Cx\10\0\0\0\353J\213E\249\260\204\1\0\0u\11\307Cl(\0\0\0\353\343\213\301\301\340\3\211Cl\353\331j\10_9{\14t\23\277\11\0\11\200;\336t\6S\350\2607\1\0\213\307\353\309u u\11W\377s\20\350\4\17\1\0\211{x\213E$\211\303\300_^[]\302 \0\314\314\314\314\314\213\377U\213\354V\213u\10\213F\20\205\300t\6P\350r7\1\0\213F\30\205\300t\6P\350e7\1\0V\350_7\1\0^]\302\4\0\314\314\314\314\314\213\377U\213\354\213E\14\213M\30W3\3223\377-\0$\0\0\211\21t\31-\1B\0\0tlHtUHtF\203\350\6t5-\367=\0\0u\6\307\1\1\0\0\0\213E\20R\301\340\3P\377u\14\213E\10\3774\205HB\377\17\350\204\207\1\0\205\300t\33\377G\213\307_]\302\24\0\203}\20\20t\360\203}\20\16\353*\203}\20\30t\344\203}\20\25\353\369U\24u\331\213E\20R\301\340\3Ph\2f\0\0\353\267\203}\20\10t\304\203}\20\7u\301\353\274\314\314\314\314\314\213\377U\213\354\213E\14V3\366\205\300t \215M\14Q\377u\20\377p\14\377p\4", ) == 0x0
 01610   464   NtReadFile  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\1\0\11\200\351\325\0\0\0\215E\10Pj\2V\377u\14\350\237t\0\0\205\300t;\215E\10Pj\3V\377u\14\350\214t\0\0\205\300t(\215E\10Pj\4V\377u\14\350yt\0\0\205\300t\25= \0\11\200\17\205\221\0\0\0\270\3\0\11\200\351\207\0\0\0\213E\20\203\370\12\17\207\313\1\0\0\17\204u\1\0\0H\17\204]\1\0\0H\17\204\342\0\0\0H\17\204\316\0\0\0H\17\204\213\0\0\0HtrH\17\205\317\2\0\0\213E\24\213\20\367\302\300\376\377\377t\7\270\11\0\11\200\353;\367\302\4\0\0\0\213E\10t\20\367@h\4\0\0\0u\7\270\5\0\11\200\353 \271\0\1\0\0\205\321t\5\205Hht\353\213Hh3\312\201\341\4\1\0\03\312\211Hh3\300_3\311\205\300\17\224\301\213\361\205\366u\7P\377\25\304\21\375\17\213\306^]\302\24\0\213E\24\213\0\205\300t\264\203\370@w\257\213M\10\211Ad\353\314\213U\10\213B\4=\0$\0\0\17\204,\377\377\377=\0\244\0\0\17\204!\377\377\377\213M\24\212\1<\1t\20<\2t\14<\4t\10<\3\17\205r\377\377\377\213\1\211B`\353\220\213E\24\2038\1t\210\351^\377\377\377\213M\10\213A\4=\2f\0\0t\13=\1h\0\0\17\205\334\376\377\377\213u\24\205\366u\10jWX\351^\377\377\377\213\207\204\1\0\0\205\300t\13\203\370\1t\6\203a@\0\353\7\307A@\13\0\0\0\213E\10\213H@\205\311t\24\215xD\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213E\10P\350\307\371\377\377\205\300\17\204\24\377\377\377\351\21\377\377\377\213E\10\213Hx\213u\24\215x\34\351g\1\0\0\213M\10\213A\4=\2f\0\0t\13=\1h\0\0\17\205W\376", ) , ) == 0x0
 01611   464   NtReadFile  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "j\10X\351\264\1\0\0\213E\309{\10\213H$\213\372u\25\213\361\301\351\2\2706666\363\253\213\316\203\341\3\363\252\353\21\213s\4\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213E\30\213@ \205\300t\11P\350C\30\1\0\213U\24\213E\30\211P \213C\20\205\300u\14\213E\30\307@,@\0\0\0\353\6\213M\30\211A,\213E\30\377p,\350\323\27\1\0\213\320\205\322\213E\30\211U\24u\24\377p \350\2\30\1\0\213E\30\203` \0\351h\377\377\377\203{\20\0\213H,\213\372u\25\213\361\301\351\2\270\\\\\363\253\213\316\203\341\3\363\252\353\21\213s\14\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213E\30\213@(\205\300t\11P\350\265\27\1\0\213U\24\213E\30\211P(\351\323\0\0\0\213E\30\213H\4\201\351\1\200\0\0\17\204\236\0\0\0I\17\204\217\0\0\0It\177ItnIt\37\203\351\3t\12\270\10\0\11\200\351\244\0\0\0\213x\14j\11\213u\24Y\363\245\351\200\0\0\0\213p\14\215M\374Qj\2\377u\10\377p\20\350{c\0\0;\307t\14= \0\11\200uu\203\300\343\353p9^$u\7\270\14\0\11\200\353d\213E\374\213Hx\213u\24\215x,\213\301\301\351\2\363\245\213\310\203\341\3\363\244\3534\213@\149\30t\326\215x\4j\5\353\233\213@\149Xht\307\215xX\353\22\213@\149X\34\353\6\213@\149X4t\262\213\370\213u\24\245\245\245\245\213E\30\11X0\203}\20\2u\6\213E\30\11X\243\300[3\311\205\300\17\224\301\213\361\205\366u\7P\377\25\304\21\375\17_\213\306^\311\302\24\0\314\314\314\314\314\213\377U\213\354\213E\10-\1\200\0\0SVW\17\204\324\0\0\0", ) , ) == 0x0
 01612   464   NtReadFile  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\304\215\226d\1\0\0\211U\300\215U\314R\215F8\215NXPQ\377u\300\211E\260\211M\264\350\5\35\0\0\205\300\17\205q\377\377\377;\337t3\201\373\11f\0\0t+\201\373\3f\0\0t#\201\373\1L\0\0u\11\306E\314\3\210E\315\353\34\201\373\6L\0\0u\24\306E\314\3\306E\315\1\353\12\366E\20\4\17\205\303\376\377\377\366E\20\1t\7\307E\274\1\0\0\0\215E\310Pj\0j\0\215E\314P\377u\10\377u\304\377u\274S\350\365\316\377\377\205\300\17\205\0\377\377\377\213]\20\203\343\4tA\213\266\204\1\0\0\205\366t\15\203\376\1t\10\213}\310!G@\353\14\213E\310\307@@\13\0\0\0\213\370\377w@\215GDP\377u\260\377u\264\377u\300\350L\34\0\0\205\300t\10\351\267\376\377\377\213}\310\213u\270Wj\2V\350\16T\0\0\205\300\17\205\240\376\377\377\203}\304\5u;\366E\20\20u5\205\333u1\213E\14=\1L\0\0t'=\6L\0\0t =\4L\0\0t\31=\5L\0\0t\22\3776\377u\10\350S\375\377\377\205\300\17\205_\376\377\3773\366[3\300\205\366\17\224\300\213\370\205\377u\249E\310t\10\377u\310\350\253\317\377\377V\377\25\304\21\375\17\213M\374\213\307_^\350n\204\0\0\311\302\20\0\314\314\314\314\314\213\377U\213\354\201\354<\1\0\0\241\244B\377\17S3\333f\367E\24\352\373V\213u\30\211E\374W\211\265\304\376\377\377\211\235\324\376\377\377\211\235\360\376\377\377\211\235\314\376\377\377\211\235\350\376\377\377\211\235\344\376\377\377\211\235\320\376\377\377t\12\276\11\0\11\200\351\271\3\0\0S\377u\10\350\274R\0\0\213\370;\373\211\275\324\376\377\377u\12\276\1\0\11\200\351\232\3\0\0\213]\14SW\350\216", ) , ) == 0x0
 01613   464   NtReadFile  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "M\14u\25\213\35\324D\377\17\213G@\213O(\307E\30\1\0\0\0\353\30:\301\17\205C\2\0\0\203e\30\0\213\35\330D\377\17\213GL\213O0\205\300\17\204+\2\0\0\213U\374;J\14\17\205\37\2\0\0\213z\20\213\3603\322\363\246t\5\33\322\203\332\377\205\322\17\205\7\2\0\0\215M\364QP\350U\302\377\3773\3669u\20t"V\215E\14P\215E\24Pj\10\377u\20\377u\10\350:\323\377\377\205\300\17\204\330\1\0\0\301m\24\39u\34\213M\24\213E\364\215D\1\10\213M u\7\211\1\351R\2\0\09\1s\14\211\1\276\352\0\0\0\351B\2\0\0\213}\344\366G\3\360u\24j\1\377u\30SW\350?\35\0\0;\306\17\205h\376\377\3779u\30t\13\213\207<\1\0\0\213\177H\353\11\213\2074\1\0\0\213\177T;\306\211E\30\17\204~\1\0\0;\376u\15\213E\374\366@\11@\17\204Y\1\0\0\215E\364PV\377u\30\350\307\301\377\377\205\300\17\204D\1\0\09u\360\213E\364\213M\24\215<\1u\27W\350\27\367\0\0\213\330;\336\211]\354u\21j\10^\351\266\1\0\0\213]\370\203\303\10\211]\354\215E\364PS\377u\30\350\204\301\377\377\205\300\17\204\1\1\0\09u\20t\36VW\215E\364PSVj\1V\377u\20\377u\10\350D\246\377\377;\306\17\205\270\375\377\377\203}\360\0\213M\364\215Y\10\17\205<\1\0\0\213}\34\213u\354\203\307\10\3516\1\0\0\212\6<\3t\10<\4\17\205\262\0\0\0\213E\374\213@\20\205\300\17\204\270\0\0\0\213X\10\213u\34\203\303\7\301\353\3\203\303\24\205\366\17\204\25\1\0\0\213M 9\31\17\202\12\1\0\0\213\10\213U\370\211J\10\213H\10\211J\14\213H\20\211", ) V\215E\14P\215E\24Pj\10\377u\20\377u\10\350:\323\377\377\205\300\17\204\330\1\0\0\301m\24\39u\34\213M\24\213E\364\215D\1\10\213M u\7\211\1\351R\2\0\09\1s\14\211\1\276\352\0\0\0\351B\2\0\0\213}\344\366G\3\360u\24j\1\377u\30SW\350?\35\0\0;\306\17\205h\376\377\3779u\30t\13\213\207<\1\0\0\213\177H\353\11\213\2074\1\0\0\213\177T;\306\211E\30\17\204~\1\0\0;\376u\15\213E\374\366@\11@\17\204Y\1\0\0\215E\364PV\377u\30\350\307\301\377\377\205\300\17\204D\1\0\09u\360\213E\364\213M\24\215<\1u\27W\350\27\367\0\0\213\330;\336\211]\354u\21j\10^\351\266\1\0\0\213]\370\203\303\10\211]\354\215E\364PS\377u\30\350\204\301\377\377\205\300\17\204\1\1\0\09u\20t\36VW\215E\364PSVj\1V\377u\20\377u\10\350D\246\377\377;\306\17\205\270\375\377\377\203}\360\0\213M\364\215Y\10\17\205<\1\0\0\213}\34\213u\354\203\307\10\3516\1\0\0\212\6<\3t\10<\4\17\205\262\0\0\0\213E\374\213@\20\205\300\17\204\270\0\0\0\213X\10\213u\34\203\303\7\301\353\3\203\303\24\205\366\17\204\25\1\0\0\213M 9\31\17\202\12\1\0\0\213\10\213U\370\211J\10\213H\10\211J\14\213H\20\211", ) == 0x0
 01614   464   NtReadFile  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\26\0\11\200\351\314\1\0\0\213^\10\203\303\7\301\353\3\205\377\17\204\245\1\0\0\213E\2749\30\17\202\232\1\0\0\215E\314PQ\377u\10\377u\14\350\2024\0\0\205\300\17\205b\1\0\0\213\313\213\321\301\351\2\363\253\213\312\203\341\3\363\252\213M\314\213A\4-\1\200\0\0t"Ht\37Ht\34Ht\31\203\350\4\17\205d\1\0\0\366A\24\1u\12\277\14\0\11\200\351Y\1\0\03\3779}\300t-W\377u\300\377\25\254\21\375\17\321\340P\377u\300\377u\14\377u\10\350,\250\377\377\205\300u\13\377\25\310\21\375\17\351\362\0\0\0\213M\314\366A0\1t\7\307E\264\1\0\0\0\213F\4W\211E\310\215E\310P\215E\330Pj\2\377u\14\377u\10\350r\322\377\377\205\300t\305\377v\4\350f\347\0\0;\307\211E\320tS\366E\30\4t#\213M\314\201y\4\4\200\0\0\17\205\316\0\0\0P\377u\264\215E\330\377u\310PS\350\342\375\377\377\353\33P\377u\30\215E\330\377u\310P\213E\314\377p\4V\350\313\374\377\377;\307uo\377v\4\350\23\347\0\0;\307\211E\324u\10j\10_\351\216\0\0\0W\377u\304\213}\254\377u\270W\350\266\14\0\0\205\300uD9E\304t\10\213\207<\1\0\0\353\6\213\2074\1\0\0\205\300u\7\277\15\0\11\200\353\\213N\4;H\4t\7\277\32\0\11\200\353M\213u\324V\377u\320P\377\267\200\1\0\0\350O\37\0\0\205\300t\4\213\370\3532\213}\260\213\313\213\301\301\351\2\363\245\213\310\213E\274\203\341\3\363\244\211\303\377\353\26\213E\274\367\337\33\377\211\30\201\347\352\0\0\0\353\5\277\10\0\11\2003\300\205\377\17\224\300\203}\324\0\213\360t\10\377u\324\350\242\346\0\0\203}\320\0t\10\377u", ) Ht\37Ht\34Ht\31\203\350\4\17\205d\1\0\0\366A\24\1u\12\277\14\0\11\200\351Y\1\0\03\3779}\300t-W\377u\300\377\25\254\21\375\17\321\340P\377u\300\377u\14\377u\10\350,\250\377\377\205\300u\13\377\25\310\21\375\17\351\362\0\0\0\213M\314\366A0\1t\7\307E\264\1\0\0\0\213F\4W\211E\310\215E\310P\215E\330Pj\2\377u\14\377u\10\350r\322\377\377\205\300t\305\377v\4\350f\347\0\0;\307\211E\320tS\366E\30\4t#\213M\314\201y\4\4\200\0\0\17\205\316\0\0\0P\377u\264\215E\330\377u\310PS\350\342\375\377\377\353\33P\377u\30\215E\330\377u\310P\213E\314\377p\4V\350\313\374\377\377;\307uo\377v\4\350\23\347\0\0;\307\211E\324u\10j\10_\351\216\0\0\0W\377u\304\213}\254\377u\270W\350\266\14\0\0\205\300uD9E\304t\10\213\207<\1\0\0\353\6\213\2074\1\0\0\205\300u\7\277\15\0\11\200\353\\213N\4;H\4t\7\277\32\0\11\200\353M\213u\324V\377u\320P\377\267\200\1\0\0\350O\37\0\0\205\300t\4\213\370\3532\213}\260\213\313\213\301\301\351\2\363\245\213\310\213E\274\203\341\3\363\244\211\303\377\353\26\213E\274\367\337\33\377\211\30\201\347\352\0\0\0\353\5\277\10\0\11\2003\300\205\377\17\224\300\203}\324\0\213\360t\10\377u\324\350\242\346\0\0\203}\320\0t\10\377u", ) == 0x0
 01615   464   NtReadFile  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\12\213U\334\211\2\203\301\354Q\203\300\24P\350\241\330\0\0\211E\304\205\300\17\205[\377\377\377\213u\334\213E\340\3770\3776\203}\20\1u\15j\1\377s\\377s(\377s@\353\13j\0\377s\\377s0\377sL\350F'\1\0\211E\344\205\300u\36\367E\310\10\0\0\0t\25\377u\20\377u\310\3775\310D\377\17S\350\263\372\377\377\211E\304\203M\374\377\353\36\307E\344\32\0\11\200\353\3613\300@\303\213e\350\307E\344W\0\0\0\203M\374\377\213]\10\203}\300\0t\15\201\303h\1\0\0S\377\25\270\21\375\17\213}\264\205\377t\34\213M\2603\300\213\321\301\351\2\363\253\213\312\203\341\3\363\252\377u\264\377\25\250\21\375\17\213E\344\350\361W\0\0\302\20\0\314\314\314\314\314\213\377U\213\354\203\354L\241\244B\377\17S3\333V\213u\10\211E\374\213E\14W\211u\314\211E\320\211]\334\211]\324\211]\340\307E\264\20\0\0\0\306E\354p\306E\355\362\306E\356\205\306E\357\36\306E\360N\210]\361\210]\362\210]\363\210]\364\210]\365\210]\366\210]\367\210]\370\210]\371\210]\372\210]\373\215x\1\212\10@:\313u\371+\307\203\300\6\211E\310\350\262\343\0\0\205\300\17\205\27\1\0\0h\320\23\375\17\377\25\230\21\375\17;\303\211E\334\17\204\1\1\0\0\213=\234\21\375\17h\274\23\375\17P\377\327h\244\23\375\17\377u\334\211E\304\377\327\367E\20 \0\0\0\211E\270\17\205\326\0\0\09]\304\17\204\315\0\0\0;\303\17\204\305\0\0\0\213E\310@P\350\220\326\0\0;\303\211E\324\17\204\240\0\0\0\213M\320\276\234\23\375\17\213\370\245f\245\244\213\361\212\21A:\323u\371+\316\213\370\213\321O\212O\1G:\313u\370\213\312\301\351\2\363\245j", ) , ) == 0x0
 01616   464   NtReadFile  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\2r\3\213p\14\203\371\3r\3\213P\30RV\377u\10\215E\24P\377u\20\377u\14\350\226\373\377\377\205\300u\22\367E\20\20\0\0\0u\7\213E\24\203`\10\03\3003\311\205\300\17\224\301\213\361\205\366u\7P\377\25\304\21\375\17\213\306^]\302\20\0\314\314\314\314\314\213\377U\213\3543\3223\3119U\14v\22\213E\10\3\301\210\20A;M\14\306\0\377\210\20r\356]\302\10\0\314\314\314\314\314\213\377U\213\354\203}\10\0V\213u\14t9\201>RSA1t\7\270\3\0\11\200\353A\213F\10j\0j\0\377u\24\203\300\7\301\350\3P\215F\24Pj\4\215F\20P\377u\20\377u\10\350\260\1\1\0\205\300u\25\377u\24\377u\20V\350\377\257\0\0\205\300u\5j\10X\353\23\300^]\302\20\0\314\314\314\314\314\213\377U\213\354\203\354\30\213E\14\213@\10SVW\215P\7j\10\301\352\3^\203\342\7\213\316+\312;\316t\2\3\316\203\300\17\301\350\4\321\351\3\301\215<\200\321\347\213\307\203\340\7t\6\213\316+\310\3\371\203\307\24;=xE\377\17\211}\374w6\241|E\377\17\3\307;\307r+\203\300\10P\350\311\30\1\0\205\300t\36\215G\10\203\300\3\203\340\374\350\343F\0\0\213\334\205\333t\12\307\3Stck\3\336u"\215G\10P\377\25\200E\377\17\213\330\205\333\17\204\355\0\0\0\307\3Heap\3\336\17\204\265\0\0\0\213u\14\213\317\213\301\301\351\2\213\373\363\245\213\310\213E\374\203\341\3\203\300\354\363\244P\215{\24W\350\36\307\0\0\213\360\205\366\17\205\203\0\0\09E\10tg\201;RSA2t\7\276\3\0\11\200\353o\213K\10\213E\14\213@\4\203\301\7\301\351\3@\321\350\215tC\24j\0\215Q\1\321\352\211", ) \215G\10P\377\25\200E\377\17\213\330\205\333\17\204\355\0\0\0\307\3Heap\3\336\17\204\265\0\0\0\213u\14\213\317\213\301\301\351\2\213\373\363\245\213\310\213E\374\203\341\3\203\300\354\363\244P\215{\24W\350\36\307\0\0\213\360\205\366\17\205\203\0\0\09E\10tg\201;RSA2t\7\276\3\0\11\200\353o\213K\10\213E\14\213@\4\203\301\7\301\351\3@\321\350\215tC\24j\0\215Q\1\321\352\211", ) == 0x0
 01617   464   NtReadFile  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\340\350\304\374\377\377\211E\334\205\300t\13\211E\344\211]\374\351W\1\0\0\203}\20\0u2\215~@\211}\244\215\236<\1\0\0\211]\240\215F(\211E\274\215\2068\1\0\0\211E\304\215FH\211E\270\307E\264\1\0\0\0\241\234D\377\17\353-\215~L\211}\244\215\2364\1\0\0\211]\240\215F0\211E\274\215\2060\1\0\0\211E\304\215FT\211E\270\203e\264\0\241\240D\377\17\211E\260\213\7\205\300t\15P\350\2\270\0\0\3773\350\373\267\0\0\203e\314\0\213E\320\213M\304\211\1\213E\300\213M\274\211\1\213E\324\211\3\213E\340\211\7\17\266E\14\203\340\1\213M\270\211\1\366F\3\360u\26\377u\264\377u\14\377u\260V\350N\332\377\377\211E\334\205\300uW\213}\24W\203}\20\0u\36j\2\377u\10\350\21\216\377\377\205\300u\10\377\25\310\21\375\17\3537\215E\330Pj\3\353\24j\1\377u\10\350\363\215\377\377\205\300t\342\215E\330Pj\4\377u\10\3777\350\230\3\0\0\211E\334\205\300t\23= \0\11\200u\3\203\300\343\211E\344\203M\374\377\3536\270\0@\0\0\205E\14t\15\213M\330\11A\10\213E\330\200Hi\1\203M\374\377\203e\344\0\353\253\300@\303\213e\350\307E\344W\0\0\0\203M\374\377\213u\2343\3779}\254t\15\201\306h\1\0\0V\377\25\270\21\375\179}\314t\329}\324t\10\377u\324\350\371\266\0\09}\340t\10\377u\340\350\354\266\0\0\213E\344\350\317\0\0\302\24\0\314\314\314\314\314\213\377U\213\354\203}\14\0\213E\10SVWt\16\213\260<\1\0\0\215H(\215x@\353\14\213\2604\1\0\0\215H0\215xL\213^\10\321\353\203\303?\301\353\5\215\34\335\24\0\0\0\213\301;\30\211", ) , ) == 0x0
 01618   464   NtReadFile  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\377u$\213\310\213E\374\377u \203\341\3\363\244\213M\34\213u\30\215<\20\213\321\301\351\2\363\245h\3\200\0\0\377u\370\213\312\203\341\3\363\244\213u\364\213}\10P\3\336SW\350?\376\377\377\205\300u\36\377u$\3\367\377u\14h\4\200\0\0\377u\370\377u\374SV\350!\376\377\377\205\300t\4\213\360\353\32\213u$\205\366v\21\213E \213M\14+\310\212\24\10\20@Nu\3673\366\203}\14\0t\10\377u\14\350\1\250\0\0\377u\374\350\371\247\0\0_\213\306^[\311\302 \0\314\314\314\314\314\213\377U\213\354\213E\10\213\200$\2\0\0\205\300t\6P\350\323\247\0\0]\302\4\0\314\314\314\314\314\213\377U\213\354\213E\10\213\200<\2\0\0\205\300t\6P\350\262\247\0\0]\302\4\0\314\314\314\314\314\213\377U\213\354Q\203e\374\0S\213]\14\213C\4=\1L\0\0t\37=\4L\0\0t\30=\6L\0\0t\21=\5L\0\0t\12\270\12\0\11\200\351_\2\0\0\203{\30\0VWu$\276h\3\0\0V\350\34\247\0\0\213\370\205\377\211{\30\17\204\342\1\0\0\271\332\0\0\03\300\363\253\211s\24\213E\20\213{\30j\24Y;\301\17\205:\1\0\0\213u\24\213F\14\211\207d\3\0\0\213\6\203\350\0\17\204\246\0\0\0H\17\205\335\1\0\0\213F\10\250\7\17\205\322\1\0\0\215M\374Qj\0\301\350\3P\377v\4\213E\10\377\260\204\1\0\0\350\234o\377\377\205\300u\12\270\11\0\11\200\351\316\1\0\0\213F\4-\1f\0\0t\37Ht\34Ht\31\203\350\6t\24-\370\1\0\0\17\205\211\1\0\0\203\247\\3\0\0\0\353\12\307\207\\3\0\0\10\0\0\0\201{\4\5L\0\0u\25\213F\10\301\350\3;C\14t\12\270\3", ) , ) == 0x0
 01619   464   NtReadFile  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\311\302\20\0\314\314\314\314\314\213\377U\213\354\203\354\30\213E\10S\213X\14\213E\20V3\3663\3119u\24W\211u\364t0\213M\14%\0\4\0\0\211E\360t\23\307E\370\254\26\375\17\307E\20\3\0\0\0\215\14I\353D\307E\370\250\26\375\17\307E\20\2\0\0\0\353+%\0\4\0\0\211E\360t\20\307E\370\240\26\375\17\307E\20\5\0\0\0\353\32\213M\14\307E\370\230\26\375\17\307E\20\4\0\0\0\213\203(\2\0\0\215\14\210\213E\20\17\257E\14\215\4@\3\2030\4\0\0\3\203 \2\0\0\3\203\34\1\0\0\215D\1\1P\211E\354\350\225\227\0\0\213\370;\376\211}\374u\10j\10^\351\323\1\0\0\213M\143\300@9u\24\210\17t';\316v#\211M\24\213M\20\213u\370\213\321\3\370\301\351\2\363\245\213\312\203\341\3\3\302\377M\24\363\244\213}\374u\340\213\2130\4\0\0\213\321\301\351\2\3\370\215\2630\3\0\0\363\245\213\312\203\341\3\363\244\213M\14\3\2030\4\0\0\205\311v$\211M\24\213U\374\213M\20\213u\370\215<\20\213\321\301\351\2\363\245\213\312\203\341\3\3\302\377M\24\363\244u\337\213\213 \2\0\0\213U\374\215<\20\213\321\301\351\2\215\263 \1\0\0\363\245\213\312\203\341\3\363\244\213M\14\3\203 \2\0\0\205\311v$\211M\24\213U\374\213M\20\213u\370\215<\20\213\321\301\351\2\363\245\213\312\203\341\3\3\302\377M\24\363\244u\337\203}\360\0uS\213\213(\2\0\0\213U\374\213\263$\2\0\0\215<\20\213\321\301\351\2\363\245\213\312\203\341\3\363\244\3\203(\2\0\0\203}\14\0v'\213M\14\211M\24\213U\374\213M\20\213u\370\215<\20\213\321\301\351\2\363\245\213\312\203\341\3\3\302\377M\24\363\244u\337\213\213", ) , ) == 0x0
 01620   464   NtReadFile  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "E\10P\245\215E\374Ph\364\26\375\17\245\377\263@\1\0\0\350,\246\377\377\205\300t\4\213\360\353nj\1\215E\364P\215E\370Ph\344\26\375\17\377\263@\1\0\0\350\12\246\377\377\205\300u\336\213u\374\205\366t \213\273X\1\0\0\203\307\10\245\245\245\245\213u\374\213\273X\1\0\0\203\306\20\203\307\30\245\245\245\245\213u\370\205\366t \213\273X\1\0\0\203\307(\245\245\245\245\213u\370\213\273X\1\0\0\203\306\20\203\3078\245\245\245\2453\366\203}\374\0t\10\377u\374\350\361\207\0\0\203}\370\0t\10\377u\370\350\343\207\0\0_\213\306^[\311\302\4\0\314\314\314\314\314\213\377U\213\354SV\213u\10W3\3333\3779\236X\1\0\0u\7\270\26\0\11\200\353T9]\14t(\377u\14\377\25\254\21\375\17\215|\0\2W\350\\207\0\0\213\330\205\333u\5j\10X\3531\377u\14S\377\25x\21\375\17\213\206X\1\0\0\213@H\205\300t\6P\350w\207\0\0\213\206X\1\0\0\211xL\213\206X\1\0\0\211XH3\300_^[]\302\10\0\314\314\314\314\314\213\377U\213\354SV\213u\10\205\366WtE\213\6\213M\14\213]\20\213}\24\211\1\213F\4\211\3\213\7\205\300t\6P\350*\207\0\0\3773\350\340\206\0\0\205\300\211\7u\5j\10X\353\27\213\13\213\370\213\301\301\351\2\203\306\10\363\245\213\310\203\341\3\363\2443\300_^[]\302\20\0\314\314\314\314\314\213\377U\213\354\203\354\24\213M\10\213\201X\1\0\0S3\3339] V\211]\374\213p\4\213E$W\211]\10\211\30t\7\307E\10\1\0\0\03\3009]\34\215}\354\253\253\253\253\307E\354\20\0\0\0t\329Y(\17\204\213\0\0\0\213\201X\1\0\0\215P\10\203\300\30\215", ) , ) == 0x0
 01621   464   NtReadFile  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\0\213\2338\36\375\173\373\213\2318\37\375\173\373\213\2308\34\375\173\373\213\2328\35\375\173\373\213E\103\333\213U\143\3073\327%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538\30\375\17\212\3323\365\213\2518\32\375\173\365\212\316\301\350\20\213\2538\31\375\173\365\212\334\301\352\20\213\2518\33\375\173\365\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338\36\375\173\363\213\2318\37\375\173\363\213\2308\34\375\173\363\213\2328\35\375\173\363\213E\203\333\213U\243\3063\326%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538\30\375\17\212\3323\375\213\2518\32\375\173\375\212\316\301\350\20\213\2538\31\375\173\375\212\334\301\352\20\213\2518\33\375\173\375\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338\36\375\173\373\213\2318\37\375\173\373\213\2308\34\375\173\373\213\2328\35\375\173\373\213E\303\333\213U\343\3073\327%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538\30\375\17\212\3323\365\213\2518\32\375\173\365\212\316\301\350\20\213\2538\31\375\173\365\212\334\301\352\20\213\2518\33\375\173\365\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338\36\375\173\363\213\2318\37\375\173\363\213\2308\34\375\173\363\213\2328\35\375\173\363\213E 3\333\213U$3\3063\326%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538\30\375\17\212\3323\375\213\2518\32\375\173\375\212\316\301\350\20\213\2538\31\375\173\375\212\334\301\352\20\213\2518\33\375\173\375\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338\36\375\17", ) , ) == 0x0
 01622   464   NtReadFile  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "D$ \205\300\17\204\31\7\0\0\213\307\367\320\213\357#\301#\352\3\330\213\6\3\335\3\330\301\350\20\213\357\3\3103\300f\321\303f\213\303#\350\203\360\377#\302\3\315\3\3103\300f\301\301\2f\213\301\213\350\203\360\377#\353#\307\3\320\213F\4\3\320\301\350\20\3\325\3\3703\300f\301\302\3f\213\302\213\350\203\360\377#\303#\351\3\370\3\375\203\306\10f\301\307\5\213\307\367\320\213\357#\301#\352\3\330\213\6\3\335\3\330\301\350\20\213\357\3\3103\300f\321\303f\213\303#\350\203\360\377#\302\3\315\3\3103\300f\301\301\2f\213\301\213\350\203\360\377#\353#\307\3\320\213F\4\3\320\301\350\20\3\325\3\3703\300f\301\302\3f\213\302\213\350\203\360\377#\303#\351\3\370\3\375\203\306\10f\301\307\5\213\307\367\320\213\357#\301#\352\3\330\213\6\3\335\3\330\301\350\20\213\357\3\3103\300f\321\303f\213\303#\350\203\360\377#\302\3\315\3\3103\300f\301\301\2f\213\301\213\350\203\360\377#\353#\307\3\320\213F\4\3\320\301\350\20\3\325\3\3703\300f\301\302\3f\213\302\213\350\203\360\377#\303#\351\3\370\3\375\203\306\10f\301\307\5\213\307\367\320\213\357#\301#\352\3\330\213\6\3\335\3\330\301\350\20\213\357\3\3103\300f\321\303f\213\303#\350\203\360\377#\302\3\315\3\3103\300f\301\301\2f\213\301\213\350\203\360\377#\353#\307\3\320\213F\4\3\320\301\350\20\3\325\3\3703\300f\301\302\3f\213\302\213\350\203\360\377#\303#\351\3\370\3\375\203\306\10f\301\307\5\213\307\367\320\213\357#\301#\352\3\330\213\6\3\335\3\330\301\350\20\213\357\3\3103\300f\321\303f\213\303#\350\203\360\377#\302\3\315\3\3103\300f\301\301\2f\213\301\213\350\203\360\377#\353#\307\3\320\213F\4\3\320", ) , ) == 0x0
 01623   464   NtReadFile  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\345]\302\14\0\314\314\314\314\314\314\314\314\314\314\314\314\314\314\314\213\377U\213\354\213M\14\203\371\1\17\216\346\0\0\0\213E\10V\203\300\26IW\215\233\0\0\0\0\17\266p\374\213<\265XR\375\17\17\266P\375\213\24\225XV\375\17\17\266p\3733\327\213<\265XN\375\17\17\266p\3723\3273\24\265XJ\375\17\211P\372\17\266p\377\213<\265XN\375\17\17\266P\1\213\24\225XV\375\17\17\26603\327\213<\265XR\375\17\17\266p\3763\3273\24\265XJ\375\17\211P\376\17\266p\4\213<\265XR\375\17\17\266P\5\213\24\225XV\375\17\17\266p\33\327\213<\265XN\375\17\17\266p\23\3273\24\265XJ\375\17\211P\2\17\266p\10\17\266P\11\213<\265XR\375\17\17\266p\7\213\24\225XV\375\173\327\213<\265XN\375\17\17\266p\63\3273\24\265XJ\375\17\211P\6\203\300\20I\17\205+\377\377\377_^]\302\10\0\314\314\314\314\314\213\377U\213\354\203\354\30SV\213u\10\213\16W\213}\20\213\27\213_\4\213~\103\312\213V\4\213v\143\323\213]\203{\10\241\244B\377\17\211}\364\213\373\213_\14\17\266}\3663\363\213\34\275X1\375\17\211u\370\301\356\30\2134\265X5\375\173\363\17\266\37634\275X-\375\17\17\266\371\213\34\275X)\375\17\17\266}\3723\363\211E\374\213E\14\2110\213\34\275X1\375\17\213\361\301\356\30\2134\265X5\375\173\363\213]\364\211U\360\17\266\37734\275X-\375\17\17\266\322\213<\225X)\375\17\17\266U\3633\367\211p\4\213<\225X5\375\17\211M\354\17\266u\3563<\265X1\375\17\213U\370\17\266\3663<\265X-\375\17\17\266\363\213\34\265X)\375\17\17\266u\3673\373", ) , ) == 0x0
 01624   464   NtReadFile  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "]\370\301\353\10\17\266\33334\235X-\375\17\17\266]\36434\235X)\375\17\17\266]\362\211p\10\17\266u\367\2134\265X5\375\1734\235X1\375\17\17\266\326\213\34\225X-\375\17\17\266U\3703\363\213\34\225X)\375\17\213U\3503\363\203\301@J\211p\14\211U\350\17\205\365\373\377\377\213\217\220\0\0\0\213\227\224\0\0\0\213\303P\4\213\267\230\0\0\03\3133p\10\213X\14\211u\364\213\267\234\0\0\03\363\211u\370\17\266\361\212\34\265Y)\375\17\210\30\17\266\366\212\34\265Y)\375\17\17\266u\366\210X\1\212\34\265Y)\375\17\213u\370\210X\2\211U\360\17\266\322\301\356\30\212\34\265Y)\375\17\210X\3\212\24\225Y)\375\17\210P\4\213U\364\17\266\366\212\34\265Y)\375\17\17\266u\372\210X\5\212\34\265Y)\375\17\210X\6\211M\354\17\266u\357\212\34\265Y)\375\17\210X\7\17\266\322\212\24\225Y)\375\17\210P\10\213U\370\17\266\366\212\34\265Y)\375\17\17\266u\356\210X\11\212\34\265Y)\375\17\17\266u\363\210X\12\212\34\265Y)\375\17\210X\13\213\30\213p\4\17\266\322\212\24\225Y)\375\17\210P\14\17\266\315\212\24\215Y)\375\17\17\266M\362\210P\15\212\24\215Y)\375\17\17\266M\367\210P\16\212\24\215Y)\375\17\210P\17\213\217\240\0\0\03\331\211\30\213\227\244\0\0\03\362\213P\10\211p\4\213\217\250\0\0\03\321\213H\14\211P\10\213\227\254\0\0\03\312_\211H\14\213M\374^[\350*\304\377\377\213\345]\302\14\0\314\314\314\314\314\314\314\314\314\314\314\314\213\377U\213\354\203\354\30\213U\24\213M\20\301\342\4S\213\34\12V\2154\12\213U\10\213\22W\213~\43\323\213]\103{\4\241\244B\377\17\211", ) , ) == 0x0
 01625   464   NtReadFile  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\375\17\17\266\326\213<\225X=\375\17\213U\3643\367\17\266\37234\275X9\375\17\17\266}\362\211p\10\17\266u\357\2134\265XE\375\1734\275XA\375\17\17\266\326\213<\225X=\375\17\17\266\3233\36734\225X9\375\17\213U\350\203\351@J\211p\14\211U\350\17\205G\374\377\377\213M\20\213q\24\213Q\20\213x\43\20\213X\103\367\213x\14\211u\360\213q\303\363\211u\364\213q\343\367\211u\370\17\266\362\212\236XI\375\17\17\266u\371\210\30\212\236XI\375\17\17\266u\366\210X\1\212\236XI\375\17\213u\360\210X\2\211U\354\301\356\30\212\236XI\375\17\17\266u\360\210X\3\212\236XI\375\17\210X\4\17\266\326\212\222XI\375\17\210P\5\213U\370\301\352\20\17\266\322\212\222XI\375\17\210P\6\213U\364\301\352\30\212\222XI\375\17\210P\7\213U\364\17\266\362\212\236XI\375\17\17\266u\361\210X\10\212\236XI\375\17\17\266u\356\210X\11\212\236XI\375\17\17\266u\373\210X\12\212\236XI\375\17\17\266u\370\210X\13\212\236XI\375\17\213x\4\17\266\326\210X\14\212\222XI\375\17\213\30\213p\10\210P\15\17\266U\362\212\222XI\375\17\210P\16\17\266U\357\212\222XI\375\17\210P\17\213\213\332\211\30\213Q\43\372\211x\4\213Q\103\362\213P\14\211p\10\213I\14_3\321\213M\374^\211P\14[\350H\264\377\377\213\345]\302\14\0\314\314\314\314\314\314\314\314\314\314\213\377U\213\354\203}\24\1\213M\20\213\1uD\203\301\4\203\370\16u\22\213E\10Q\213M\14PQ\350\332\342\377\377]\302\20\0\203\370\12u\22\213U\10\213E\14QRP\350S\351\377\377]\302\20\0\213U\14PQ\213M\10QR\350 \337\377\377", ) , ) == 0x0
 01626   464   NtReadFile  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\377v?SV\213u\10\212\142\17\266\301\213\330\301\353\4\17\266\233H(\375\17\203\340\17\17\266\200H(\375\17\3\330\201\343\1\0\0\200y\5K\203\313\376Cu\6\200\361\1\210\142B;\327r\310^[_]\302\10\0\314\314\314\314\314\314\314\314\314\314\314\314\314\213\377U\213\354V\213u\10W\213}\14WV\350\254\371\377\377\203\307\10W\215\206\200\0\0\0P\350\234\371\377\377\215\276\0\1\0\0\271 \0\0\0\363\245_^]\302\10\0\314\314\314\314\314\314\314\314\314\213\377U\213\354V\213u\14W\213}\10VW\350l\371\377\377\215F\10P\215\217\200\0\0\0Q\350\\371\377\377\203\306\20V\201\307\0\1\0\0W\350L\371\377\377_^]\302\10\0\314\314\314\314\314\314\213\377U\213\354\213E\24\215P\7\301\352\3\215\14\325\0\0\0\0+\310\270\377\0\0\0\323\370S\213]\20V\213u\14\213\313W\213}\10\210E\27\213\301\301\351\2\363\245\213\310\203\341\3\201\373\200\0\0\0\363\244}9\213M\10\277\1\0\0\0\276\200\0\0\0+\373\215D\31\377+\363\215\233\0\0\0\03\311\212\14\73\333\212\30\3\313\201\341\377\0\0\0\212\211 \27\375\17\210H\1@Nu\342\213u\10\17\266M\27\213\306+\302\17\266\270\200\0\0\0\5\200\0\0\0#\317\212\211 \27\375\17\210\10\271\177\0\0\0+\312x\37\215D1\1\215q\1\220\17\266L\2\377\17\26683\317\212\211 \27\375\17\210H\377HNu\351_^3\300[]\302\20\0\314\314\314\314\314\314\314\314\314\314\314\314\314\314\314\314\213L$\203\300\205\311v7W\213|$\14V\213t$\24SU\213\$\24+\376+\336\213\24>\213.\3\320\270\0\0\0\0\23\300\3\325\203\320\0\211\24\36\203\340\1\203\306\4Iu\341][^", ) , ) == 0x0
 01627   464   NtReadFile  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\213\313\215\4\23\213\321\301\351\2\213\360\363\245\213\312\203\341\3\363\244\213u\370\213}\10\213\313\301\351\2\363\245\213\312\213U\360\203\341\3\363\244\213}\374\2154\23\213\313\213\321\301\351\2\363\245\213\312\213U\364\203\341\3\363\244\213\313\213\370\213\301\301\351\2\213\362\363\245\213\310\203\341\3\363\244\213}\370\3\323\213\362\213\313\213\321\301\351\2\363\245\213\312\213U\370\351\317\376\377\377\213E\14\213L\3\374\277\0\0\0\200\205\317t\14\213M\30VQPP\350%\361\377\377\213E\20\205|\3\374t\14\213U\24VRPP\350\20\361\377\377\213E\350\205\300^t\7P\377\25\250\21\375\17_\270\1\0\0\0[\213\345]\302\30\0_3\300[\213\345]\302\30\0\314\314\314\314\314\314\314\314\314\314\213\377U\213\354\201\354\220\0\0\0S\213]\10\213\3W3\377=RSA1\211}\374t\12_3\300[\213\345]\302\14\0\213C\10\321\350V\213\360\301\356\5F\250\37t\1F\213K\20\270\1\0\0\0;\310\215\146u\21\213u\14\213}\20\363\245^_[\213\345]\302\14\0\215C\24QP\211E\370\213E\14P\211M\10\350\223\363\377\377\205\300}b\301\346\3\201\376\210\0\0\0v\24Vj\0\377\25\364\20\375\17\205\300\211E\374tG\213\320\353\6\215\225p\377\377\3773\300\213\316\301\351\2\213\372\363\253\213\316\203\341\3\363\252\213K\20\213E\10P\213E\20\211\12\213M\370QR\213U\14RP\350\355\20\0\0\213\370\213E\374\205\300t\7P\377\25\250\21\375\17^\213\307_[\213\345]\302\14\0\314\314\314\314\314\314\314\314\314\314\314\314\314\314\314\314\314\314\213\377U\213\354\203\354(V\213u\10\201>RSA2u\16\215E\330PV\350\22\6\0\0\205\300u\113\300^\213\345]\302\14\0\213N\10\321\351", ) , ) == 0x0
 01628   464   NtReadFile  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "u\325_^[]\302\14\0\314\314\314\314\314\314\314\314\314\314\314\213\377U\213\354Q\213E\20\205\300VW\17\204\374\0\0\0\213}\14\2154\205\0\0\0\0\213L>\374\205\311\17\204\346\0\0\0\215\14v\215T\301\4Rj\0\377\25\364\20\375\17\205\300\211E\374\17\204\313\0\0\0\215\140S\213]\10\211K\10\3\316\211K\14\3\316\211K\20\213\316\211C\4\213\367\213\370\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213u\20\213K\4\301\346\2\213D\16\374\277\0\0\0\200\205\307u\30\213C\4\213U\20RPPP\350\14\341\377\377\213C\4\205|\6\374t\350\213{\20\215N\4\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213C\20\213}\14\307D0\4\1\0\0\0\213u\20\213S\10\213C\20V\215N\2QRWP\350\351\345\377\377\205\300u\25\213M\374Q\377\25\250\21\375\17[_3\300^\213\345]\302\14\0\213S\10\213C\14VRWP\350\345\340\377\377\2113[_\270\1\0\0\0^\213\345]\302\14\0_3\300^\213\345]\302\14\0\314\314\314\314\314\314\314\213\377U\213\354\203\354\10\213E\10\213H\10\213P\14SV\213u\14W\2138\213@\4\211E\10\215\\276\3703\300;\336\211M\374\211U\370r'\220\213L\273\4;\310Ws\11\213U\374R+\301P\353\7\213U\370R+\310QS\350a\375\377\377\203\353\4;\336s\332\215\34\275\0\0\0\0\213\143;\310s!+\310\211\143\215\244$\0\0\0\0\213E\10WP\215F\4PP\350\1\340\377\377\205\300t\355\353&+\310\211\143\213M\10W\215F\4QP\350\10\343\377\377\205\300|\17\213U\10WR\215F\4PP\350\31\340\377\377\213E\10\213L3\374\213\243WP\213D\3\374PQR\350E", ) , ) == 0x0
 01629   464   NtReadFile  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\253\253\253\2533\300\203e\374\0\215}\364\253\2533\300\215}\354\253\253\215E\374\211E\370\215E\354Pj\0\215E\324Pj\0\215E\344Ph4]\375\17\215E\364P\307E\324\20\0\0\0\307E\364\4\0\0\0\307E\344\21\0\0\0\307E\350 ]\375\17\350\273\371\377\377\203}\360\0\213\370t\11\377u\360\377\25\250\21\375\17\213\307_\311\303\314\314\314\314\314\213\377U\213\354\203\354(3\300VW\215}\330\253\253\253\2533\300\215}\360\253\2533\300\215}\370\2533\3119M\14j\4\253Xt\2\213\310\211E\360\215E\10\211E\364\215E\370PQ\215E\330Pj\0\215E\350Ph4]\375\17\215E\360P\307E\330\20\0\0\0\307E\350\21\0\0\0\307E\354 ]\375\17\3508\371\377\377\205\300t\4\213\360\3533\377u\370\350b\367\377\377\205\300\213U\20\211\2u\5j\10^\353\35\213M\370\213E\24\213u\374\211\10\213:\213\301\301\351\2\363\245\213\310\203\341\3\363\2443\366\203}\374\0t\11\377u\374\377\25\250\21\375\17_\213\306^\311\302\20\0\314\314\314\314\314\213\377U\213\354\203\354(W3\300\215}\330\253\253\253\2533\300\215}\360\253\2533\300\215}\350\253\2533\300\215}\370\2533\3119M\10\253t\3j\4Y\213E\20\211E\360\213E\14j\0\211E\364\215E\350PQ\215E\330Pj\0\215E\370Pj\0\215E\360P\307E\330\20\0\0\0\307E\370\21\0\0\0\307E\374 ]\375\17\350\343\370\377\377\205\300\213M\354t\4\213\370\353\26\203}\350\4t\7\277\26\0\11\200\353\11\213\1\213U\24\211\23\377\205\311t\7Q\377\25\250\21\375\17\213\307_\311\302\20\0\314\314\314\314\314\213\377U\213\354\203\354 \241\244B\377\17S3\333VW\2135D\20\375\17\213}\10\211E\374", ) , ) == 0x0
 01630   464   NtReadFile  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\363\2443\300_^[\311\302\14\0\314\314\314\314\314\213\377U\213\354\203\3548\241\244B\377\17\213M S\213]\34V\2135 \21\375\17W3\377WS\377u\30\211E\374\213E\14W\377u\24\211E\320\377u\20\211M\314P\211}\330\211}\324\377\326\203\370\377\17\205\246\0\0\0\377\25\310\21\375\179}\10\17\204\223\0\0\0\211E\310\215E\330Pj\10\3508\351\377\377;\307uxj\103\300\366E\23\200Y\215}\334\363\253\215E\344\307E\334\1\0\0\0Pt\7hx^\375\17\353\5hd^\375\17j\0\377\25p\20\375\173\377;\307t=\215E\324P\215E\334P\377u\330\307E\354\2\0\0\0\377\25l\20\375\17\205\300t!9}\324t&W\201\313\0\0\0\2S\377u\30W\377u\24\377u\20\377u\320\377\326\203\370\377u\23\377\25\310\21\375\17\213\360\353\20\213u\310\353\13\213\360\353\26\213M\314\211\13\366\203}\330\0t\11\377u\330\377\25\370\20\375\17\213M\374_\213\306^[\350\273d\377\377\311\302\34\0\314\314\314\314\314\213\377U\213\354QQSV\213u\30\203\16\377Wj\33\3773\333\366E\17\200X\211}\374\211E\370t\4C\211E\370\366E\17@t\12j\4X3\333\211E\370\213\370\215E\374P\377u\24\377u\20\350&\376\377\377\205\300ufV\201\317\0\0\0\10W\377u\370S\377u\14\377u\374\377u\10\350\202\376\377\377\205\300t:3\366\203\370 t\5\203\370\5u2\203\376\30s-\377\266\364B\377\17\377\25\20\21\375\17\377u\30\203\306\4W\377u\370S\377u\14\377u\374\377u\10\350H\376\377\377\205\300u\3103\366\353\14\203\370\2\276\26\0\11\200t\2\213\360\203}\374\0t\10\377u\374\350\244\346\377\377_\213\306^[\311\302\24\0\314", ) , ) == 0x0
 01631   464   NtReadFile  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "6\377\327\205\300\17\204\316\0\0\09]\14u\109\235\234\375\377\377tL\215\205\244\375\377\377P\350\14\335\377\377;\303\17\205\277\0\0\09\235\244\375\377\377u\32\276 \0\11\200\353g\215\205\254\375\377\377P\3776\377\327\205\300\17\204\213\0\0\0\377\265\244\375\377\377\215\205\330\375\377\377P\350"\376\377\377\205\300t\327\377\265\224\375\377\377\215\205\330\375\377\377\377\265\230\375\377\377\377\265\250\375\377\377P\377u\14\350\345\373\377\377;\303\17\205k\377\377\3773\3669\235\244\375\377\377t\13\377\265\244\375\377\377\350\354\327\377\3779\235\250\375\377\377t\13\377\265\250\375\377\377\350\331\327\377\3779\235\240\375\377\377t\13\377\265\240\375\377\377\350\306\327\377\377\213M\374_\213\306^[\350\7U\377\377\311\302\30\0\377\25\310\21\375\17\203\370\22u\7\276\3\1\0\0\353\244\213\360\353\240\314\314\314\314\314\213\377U\213\354\201\354(\4\0\0\241\244B\377\17S\213]\14V\2135\24\21\375\17W3\322RR\211E\374\213E\10j\377\211\205\330\373\377\377\213E\30S\211\205\334\373\377\377j\23\300\271\5\1\0\0\215\275\350\373\377\377R\211\225\340\373\377\377\363\253\377\326\213\370\205\377u\15\377\25\310\21\375\17\213\360\351\251\0\0\0\215G\1=\12\2\0\0v(\215D?\2P\350\336\326\377\377\205\300\211\205\344\373\377\377u\10j\10^\351\203\0\0\0\307\205\340\373\377\377\1\0\0\0\353\14\215\205\350\373\377\377\211\205\344\373\377\377W\377\265\344\373\377\377j\377Sj\2j\0\377\326\205\300u\12\377\25\310\21\375\17\213\360\3530\377\265\334\373\377\377\377u\24\377u\20\377\265\344\373\377\377\377\265\330\373\377\377\377\25t\20\375\17\205\300t\14\203\370\2u\325\276\26\0\11\200\353\23\366\203\275\340\373\377\377\0t\24\203\275\344\373\377\377", ) \376\377\377\205\300t\327\377\265\224\375\377\377\215\205\330\375\377\377\377\265\230\375\377\377\377\265\250\375\377\377P\377u\14\350\345\373\377\377;\303\17\205k\377\377\3773\3669\235\244\375\377\377t\13\377\265\244\375\377\377\350\354\327\377\3779\235\250\375\377\377t\13\377\265\250\375\377\377\350\331\327\377\3779\235\240\375\377\377t\13\377\265\240\375\377\377\350\306\327\377\377\213M\374_\213\306^[\350\7U\377\377\311\302\30\0\377\25\310\21\375\17\203\370\22u\7\276\3\1\0\0\353\244\213\360\353\240\314\314\314\314\314\213\377U\213\354\201\354(\4\0\0\241\244B\377\17S\213]\14V\2135\24\21\375\17W3\322RR\211E\374\213E\10j\377\211\205\330\373\377\377\213E\30S\211\205\334\373\377\377j\23\300\271\5\1\0\0\215\275\350\373\377\377R\211\225\340\373\377\377\363\253\377\326\213\370\205\377u\15\377\25\310\21\375\17\213\360\351\251\0\0\0\215G\1=\12\2\0\0v(\215D?\2P\350\336\326\377\377\205\300\211\205\344\373\377\377u\10j\10^\351\203\0\0\0\307\205\340\373\377\377\1\0\0\0\353\14\215\205\350\373\377\377\211\205\344\373\377\377W\377\265\344\373\377\377j\377Sj\2j\0\377\326\205\300u\12\377\25\310\21\375\17\213\360\3530\377\265\334\373\377\377\377u\24\377u\20\377\265\344\373\377\377\377\265\330\373\377\377\377\25t\20\375\17\205\300t\14\203\370\2u\325\276\26\0\11\200\353\23\366\203\275\340\373\377\377\0t\24\203\275\344\373\377\377", ) == 0x0
 01632   464   NtReadFile  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\353U\215E\10P\215E\374PS\350\11\375\377\377\205\300t\4\213\360\3531\213}\30\205\377\213M\10\213E\34u\4\211\10\353\369\10\211\10s\7\276\352\0\0\0\353\23\213u\374\213\301\301\351\2\363\245\213\310\203\341\3\363\2443\366\203}\374\0t\10\377u\374\3507\310\377\377\205\333t\6S\350-\310\377\377[\203}\370\0t\10\377u\370\350\36\310\377\377\203}\364\0t\10\377u\364\350\20\310\377\377_\213\306^\311\302\30\0\314\314\314\314\314\213\377U\213\354V\213u\10\205\366t\24\213F\4\205\300t\7P\377\25\244\21\375\17V\350\342\307\377\377^]\302\4\0\314\314\314\314\314h4\1\0\0hx_\375\17\350\303G\377\377\241\244B\377\17\211E\344\213E\10\211\205\274\376\377\3773\333\211\235\330\376\377\377\211\235\304\376\377\377\211\235\300\376\377\377\211\235\324\376\377\377\211\235\314\376\377\377\211]\374\215\205\324\376\377\377Ph\31\0\2\0ShP_\375\17h\2\0\0\200\377\25\224\20\375\17\211\205\310\376\377\377;\303\17\205\341\0\0\0\307\205\320\376\377\377\5\1\0\0\215\205\320\376\377\377P\215\205\334\376\377\377PSS\277D_\375\17W\377\265\324\376\377\377\2135\300\20\375\17\377\326\211\205\310\376\377\377;\303tL=\352\0\0\0\17\205\236\0\0\0\377\265\320\376\377\377\350\331\306\377\377\211\205\330\376\377\377;\303\17\204\205\0\0\0\307\205\304\376\377\377\1\0\0\0\215\215\320\376\377\377QPSSWh\2\0\0\200\377\326\211\205\310\376\377\377;\303t\16\353]\215\205\334\376\377\377\211\205\330\376\377\377j\14_W\350\216\306\377\377\213\360\211\265\300\376\377\377;\363t<\211>SS\377\265\330\376\377\377\377\25H\21\375\17\211F\4;\303t%h4_\375\17P\377\25\234\21\375\17\211F\10;\303t\22\213", ) , ) == 0x0
 01633   464   NtReadFile  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\350\307E\334\10\0\0\0\377u\330\350~\270\377\377\203M\374\3773\3779}\340t\11\377u\340\377\25\304\20\375\17\213E\334\350\2278\377\377\303\314\314\314\314\314\213\377U\213\354\213M\20\205\311\213E\14V\213u\10u\10\213H$\211N\30\353\6\213P$\211Q$P\350\310\375\377\377\377N$^]\302\14\0\314\314\314\314\314\213\377U\213\354\213U\10\213B\30VW3\3663\3113\377\205\300t#S\205\311t\10\213X ;Y s\4\213\310\213\376\213\360\213@$\205\300u\347WQR\350\223\377\377\377[_^]\302\4\0\314\314\314\314\314\213\377U\213\354VW\377\25l\21\375\17\213U\10\213J,\213u\14\213\3703\300@\203\371\377t\27S\213\337+^ ;\331[v\14\377u\20VR\350R\377\377\3773\300\211~ _^]\302\14\0\314\314\314\314\314\213\377U\213\354QQ\213E\10S\213X\30W3\300\215}\370\253\253\213E\24\203 \0\215E\370P\350\235\266\377\377\205\300t\43\300\353}\205\333twV\213C\24;E\20uI\213s\20\213}\14\212\17\212\301:\16u\32\204\300t\22\212O\1\212\301:N\1u\14GGFF\204\300u\3423\300\353\5\33\300\203\330\377\205\300u\30j\10Y\215{\30\215u\3703\300\363\246t\5\33\300\203\330\377\205\300t\14\213E\24\211\30\213[$\205\333u\243\205\333^t\24\213E\24\3770S\377u\10\350\31\377\377\377\205\300u\23\333\213\303_[\311\302\20\0\314\314\314\314\314\213\377U\213\354QVW\213}\10\213w\30\203e\10\0\377\25l\21\375\17\211E\374+G\349G(w2\205\366t(S\213E\374+F 9G(s\21\377u\10\213^$VW\350M\376\377\377\213\363\353\6\211u\10\213v$\205\366u\332[", ) , ) == 0x0
 01634   464   NtReadFile  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "D\22\2\0\236\21\2\0\252\21\2\0\266\21\2\0\300\21\2\0\316\21\2\0\334\21\2\0\350\21\2\0\372\21\2\0\16\22\2\0"\22\2\00\22\2\0<\26\2\0\0\0\0\0r\21\2\0V\21\2\0B\21\2\0.\21\2\0\24\21\2\0\376\20\2\0\272\22\2\0\322\22\2\0\342\22\2\0\360\22\2\0\376\22\2\0\22\23\2\0\36\23\2\00\23\2\0>\23\2\0J\23\2\0R\23\2\0h\23\2\0x\23\2\0\216\23\2\0\234\23\2\0\260\23\2\0\274\23\2\0\312\23\2\0\330\23\2\0\352\23\2\0\372\23\2\0\20\24\2\0&\24\2\06\24\2\0H\24\2\0Z\24\2\0j\24\2\0z\24\2\0\206\24\2\0\220\24\2\0\242\24\2\0\350\20\2\0\330\20\2\0\276\20\2\0\240\20\2\0\224\20\2\0x\20\2\0b\20\2\0J\20\2\0:\20\2\0.\20\2\0"\20\2\0\6\20\2\0\366\17\2\0\344\17\2\0\330\17\2\0\312\17\2\0\276\17\2\0\262\17\2\0\240\17\2\0\210\17\2\0p\17\2\0d\17\2\0X\17\2\0H\17\2\08\17\2\0\0\0\0\0\216\25\2\0\202\25\2\0v\25\2\0\0\0\0\0\364\16\2\0\376\16\2\0\6\17\2\0\22\17\2\0\34\17\2\0\326\24\2\0\314\24\2\0\302\24\2\0\270\24\2\0\256\24\2\0\340\16\2\0\0\0\0\0\376\24\2\0\10\25\2\0\26\25\2\0&\25\2\0F\25\2\0X\25\2\0\346\24\2\0\0\0\0\0\355\0_except_handler3\0\0\372\1_strlwr\0\245\2free\0\0;\1_initterm\0\330\2malloc\0\0\266\0_adjust_fdiv\0\0msvcrt.dll\0\0h\1GetLas", ) \22\2\00\22\2\0<\26\2\0\0\0\0\0r\21\2\0V\21\2\0B\21\2\0.\21\2\0\24\21\2\0\376\20\2\0\272\22\2\0\322\22\2\0\342\22\2\0\360\22\2\0\376\22\2\0\22\23\2\0\36\23\2\00\23\2\0>\23\2\0J\23\2\0R\23\2\0h\23\2\0x\23\2\0\216\23\2\0\234\23\2\0\260\23\2\0\274\23\2\0\312\23\2\0\330\23\2\0\352\23\2\0\372\23\2\0\20\24\2\0&\24\2\06\24\2\0H\24\2\0Z\24\2\0j\24\2\0z\24\2\0\206\24\2\0\220\24\2\0\242\24\2\0\350\20\2\0\330\20\2\0\276\20\2\0\240\20\2\0\224\20\2\0x\20\2\0b\20\2\0J\20\2\0:\20\2\0.\20\2\0 (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "D\22\2\0\236\21\2\0\252\21\2\0\266\21\2\0\300\21\2\0\316\21\2\0\334\21\2\0\350\21\2\0\372\21\2\0\16\22\2\0"\22\2\00\22\2\0<\26\2\0\0\0\0\0r\21\2\0V\21\2\0B\21\2\0.\21\2\0\24\21\2\0\376\20\2\0\272\22\2\0\322\22\2\0\342\22\2\0\360\22\2\0\376\22\2\0\22\23\2\0\36\23\2\00\23\2\0>\23\2\0J\23\2\0R\23\2\0h\23\2\0x\23\2\0\216\23\2\0\234\23\2\0\260\23\2\0\274\23\2\0\312\23\2\0\330\23\2\0\352\23\2\0\372\23\2\0\20\24\2\0&\24\2\06\24\2\0H\24\2\0Z\24\2\0j\24\2\0z\24\2\0\206\24\2\0\220\24\2\0\242\24\2\0\350\20\2\0\330\20\2\0\276\20\2\0\240\20\2\0\224\20\2\0x\20\2\0b\20\2\0J\20\2\0:\20\2\0.\20\2\0"\20\2\0\6\20\2\0\366\17\2\0\344\17\2\0\330\17\2\0\312\17\2\0\276\17\2\0\262\17\2\0\240\17\2\0\210\17\2\0p\17\2\0d\17\2\0X\17\2\0H\17\2\08\17\2\0\0\0\0\0\216\25\2\0\202\25\2\0v\25\2\0\0\0\0\0\364\16\2\0\376\16\2\0\6\17\2\0\22\17\2\0\34\17\2\0\326\24\2\0\314\24\2\0\302\24\2\0\270\24\2\0\256\24\2\0\340\16\2\0\0\0\0\0\376\24\2\0\10\25\2\0\26\25\2\0&\25\2\0F\25\2\0X\25\2\0\346\24\2\0\0\0\0\0\355\0_except_handler3\0\0\372\1_strlwr\0\245\2free\0\0;\1_initterm\0\330\2malloc\0\0\266\0_adjust_fdiv\0\0msvcrt.dll\0\0h\1GetLas", ) , ) == 0x0
 01635   464   NtReadFile  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\225\13#\305r\230\235IzFN\341\346/\306c!\217f\334\233\314\342'\3'\205\360:\2\373@\0\0\0\0Qt\366\362#\354\241vUX\7q\277\177\12\36kHH\273\222\266*\261\7\244!\321\306\313_@\316\335\272\333\374\27\373\247\275\341\364c\330\236\211\342\335z\354\21\326\251\234\272\307^5\226\246o\177,\0\0\0\0\0\0\0\0RSA1H\0\0\0\0\2\0\0?\0\0\0\1\0\1\0\357L\154\317D\17\261s\254\324\233\276\314-\21*+\275!\4\216\254\255\325\374\322P\245\33C\25bg\217^\0\271%\33\342O\276\241P\241D;\27\330\221\365(\371\372\256\347\300\375\271\315vO\0\0\0\0\0\0\0\0\270/k\211\310\354\364\376\13\360m*\332?\303\350\226\202\205\353\256\1\24s\371\10E\300jm>i\200j\14a\212c\322\373\0\0\0\334\356L\371,\0\0\0\3618)\311\336\0\0\0\224Vx\220\253\315\357YE\232\371'\204t\312\325Xu\22\316\357w\223{\230\337\235\242\334{z\235\223\216\366|\1^\353\1#\4g\10\253\15\357Now is t\254\227M\331\2\23\210,G\334\360\23\177\245\3262\1#Eg\211\253\315\357Now is t?\244\16\212\230MH\25\345\307\315\336\207+\362|\1#Eg\211\253\315\357#Eg\211\253\315\357\1Eg\211\253\315\357\1#Now is t1O\203'\372z\11\250\363\300\377\2l\20\211\1#Eg\211\253\315\357#Eg\211\253\315\357\1Now is t\267\203Wy\356&\254\267\23K\230\370\356\263\366\7\0\1\2\3\4\5\6\7\10\11\12\13\14\15\16\17\0\1\2\3\4\5\6\7\10\11\12\13\14\15\16\17\12\224\13\265An\360E\361\303\224X\306S\352Z", ) , ) == 0x0
 01636   464   NtReadFile  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "age Authentication Code\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0\0\0\4\0\0\200\1\0\0\0@\0\00\0\0\0\11\0\0\0RSA_SIGN\0\0\0\0\0\0\0\0\0\0\0\0\16\0\0\0RSA Signature\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\244\0\0\0\4\0\0\200\1\0\0\0@\0\00\0\0\0\11\0\0\0RSA_KEYX\0\0\0\0\0\0\0\0\0\0\0\0\21\0\0\0RSA Key Exchange\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\11\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0HMAC\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\22\0\0\0Hugo's MAC (HMAC)\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2f\0\0\200\0\0\0(\0\0\0\200\0\0\0\0\0\0\0\4\0\0\0RC2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0RSA Data Security's RC2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1h\0\0\200\0\0\0(\0\0\0\200\0\0\0\0\0\0\0\4\0\0\0", ) , ) == 0x0
 01637   464   NtReadFile  (176, 0, 0, 0, 1924, 0x0, 0, ... {status=0x0, info=1924},  (176, 0, 0, 0, 1924, 0x0, 0, ... {status=0x0, info=1924}, " \1\0\0\0\0\0\0\14\0\0\0SSL3 SHAMD5\0\0\0\0\0\0\0\0\0\14\0\0\0SSL3 SHAMD5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0\0\0\4\0\0\200\1\0\0\0@\0\0 \0\0\0\11\0\0\0RSA_SIGN\0\0\0\0\0\0\0\0\0\0\0\0\16\0\0\0RSA Signature\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10$\377\17\200(\377\17\250-\377\17\09\377\17\340?\377\17\3202\377\17\20\244\37M\331o\320\21\214X\0\300O\331\22k\21\244\37M\331o\320\21\214X\0\300O\331\22k\22\244\37M\331o\320\21\214X\0\300O\331\22k0\214\7\212U7\320\21\240\275\0\252\0aBj\277D\377\377@\273\0\0\0\0\0\0\0\0\0\0\0\0\0\0\320[\375\17\324[\375\17\330[\375\17\334[\375\17\340[\375\17\350[\375\17\360[\375\17\370[\375\17\0\\375\17\14\\375\17\30\\375\17$\\375\170\\375\17@\\375\17P\\375\17`\\375\17\1\0\0\0\12\0\0\0d\0\0\0\364\1\0\0\350\3\0\0\210\23\0\0\0\0\0\0\355\11\377\17\10\12\377\17\0\0\0\0\357\6\377\17\0\0\0\0\333\6\377\17\300\6\377\17\345\6\377\17\0\0\0\0\22\12\377\17\0\0\0\0\310\11\377\17", ) , ) == 0x0
 01638   464   NtQueryInformationFile  (176, 1239192, 8, Position, ... {status=0x0, info=8}, ) == 0x0
 01639   464   NtSetInformationFile  (176, 1239192, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01640   464   NtReadFile  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\1\0\0H\1\0\0\217-l#\214\27<\361\0\07\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0o\0p\0e\0n\0 \0s\0i\0g\0n\0a\0t\0u\0r\0e\0 \0f\0i\0l\0e\0?\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0g\0e\0t\0 \0t\0h\0e\0 \0s\0i\0z\0e\0 \0o\0f\0 \0R\0s\0a\0b\0a\0s\0e\0.\0s\0i\0g\03\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0a\0l\0l\0o\0c\0a\0t\0e\0 \0m\0e\0m\0o\0r\0y\04\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0R\0e\0a\0d\0 \0R\0s\0a\0b\0a\0s\0e\0.\0s\0i\0g\05\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0", ) , ) == 0x0
 01641   464   NtReadFile  (176, 0, 0, 0, 2720, 0x0, 0, ... {status=0x0, info=2720},  (176, 0, 0, 0, 2720, 0x0, 0, ... {status=0x0, info=2720}, "\3047\3247\3427\3607\28\178\358+8\2208\3138\3258\3378\3518\09\79\279$9=9D9Q9\9n9u9\1779\2119\3129\3279\3479\3619\10:\17:\37:*:A:H:X:c:u:|:\206:\223:\316:\333:\353:\365:\14;\23;#;.;B;I;Y;d;v;};\207;\224;\317;\331;\351;\363;\7<\24<$\30>(>6>G>T>d>r>\200>\222>\237>\255>\273>;?]?j?t?~?\226?\247?\256?\275?\323?\332?\341?\360?\0p\1\0\324\1\0\0\20\110\230\370q0x0\2020\2140\2360\2570\2660\3050\3330\3420\3510\3700\121\211\331'1n1z1\2071\2311\2461\2621\3041\3231\3421\3571\3741\112\262%272D2\2732\3422\3512\3632\3752\303&3-373E3R3a3o3\2033\2123\2263\2403\3533\3623\3743\64\304&404?4R4Y4c4r4\2044\2134\2254\2374\3324\3474\3614\3734\165\255\375,5B5I5P5]5o5v5\2005\2125\3035\3125\3245\3365\3645\3735\106\276&616;6H6Z6a6k6u6\2546\2636\2756\3076\3316\3526\3616\07\237\327$737E7L7V7b7\2477\2637\3007\3227\3377\3537\3757\148\338(858", ) , ) == 0x0
 01642   464   NtUnmapViewOfSection  (-1, 0xb20000, ... ) == 0x0
 01643   464   NtClose  (184, ... ) == 0x0
 01644   464   NtClose  (176, ... ) == 0x0
 01645   464   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "rsaenh.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01646   464   NtAllocateVirtualMemory  (-1, 1355776, 0, 4096, 4096, 4, ... 1355776, 4096, ) == 0x0
 01647   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\rsaenh.dll"}, 1237944, ... ) }, 1237944, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01648   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rsaenh.dll"}, 1237944, ... ) }, 1237944, ... ) == 0x0
 01649   464   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rsaenh.dll"}, 5, 96, ... 176, {status=0x0, info=1}, ) }, 5, 96, ... 176, {status=0x0, info=1}, ) == 0x0
 01650   464   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 176, ... 184, ) == 0x0
 01651   464   NtQuerySection  (184, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01652   464   NtClose  (176, ... ) == 0x0
 01653   464   NtMapViewOfSection  (184, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0xffd0000), 0x0, 163840, ) == 0x0
 01654   464   NtClose  (184, ... ) == 0x0
 01655   464   NtProtectVirtualMemory  (-1, (0xffd1000), 560, 4, ... (0xffd1000), 4096, 32, ) == 0x0
 01656   464   NtProtectVirtualMemory  (-1, (0xffd1000), 4096, 32, ... (0xffd1000), 4096, 4, ) == 0x0
 01657   464   NtFlushInstructionCache  (-1, 268242944, 560, ... ) == 0x0
 01658   464   NtProtectVirtualMemory  (-1, (0xffd1000), 560, 4, ... (0xffd1000), 4096, 32, ) == 0x0
 01659   464   NtProtectVirtualMemory  (-1, (0xffd1000), 4096, 32, ... (0xffd1000), 4096, 4, ) == 0x0
 01660   464   NtFlushInstructionCache  (-1, 268242944, 560, ... ) == 0x0
 01661   464   NtProtectVirtualMemory  (-1, (0xffd1000), 560, 4, ... (0xffd1000), 4096, 32, ) == 0x0
 01662   464   NtProtectVirtualMemory  (-1, (0xffd1000), 4096, 32, ... (0xffd1000), 4096, 4, ) == 0x0
 01663   464   NtFlushInstructionCache  (-1, 268242944, 560, ... ) == 0x0
 01664   464   NtProtectVirtualMemory  (-1, (0xffd1000), 560, 4, ... (0xffd1000), 4096, 32, ) == 0x0
 01665   464   NtProtectVirtualMemory  (-1, (0xffd1000), 4096, 32, ... (0xffd1000), 4096, 4, ) == 0x0
 01666   464   NtFlushInstructionCache  (-1, 268242944, 560, ... ) == 0x0
 01667   464   NtProtectVirtualMemory  (-1, (0xffd1000), 560, 4, ... (0xffd1000), 4096, 32, ) == 0x0
 01668   464   NtProtectVirtualMemory  (-1, (0xffd1000), 4096, 32, ... (0xffd1000), 4096, 4, ) == 0x0
 01669   464   NtFlushInstructionCache  (-1, 268242944, 560, ... ) == 0x0
 01670   464   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rsaenh.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01671   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\crypt32.dll"}, 1236576, ... ) }, 1236576, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01672   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\crypt32.dll"}, 1236576, ... ) }, 1236576, ... ) == 0x0
 01673   464   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1237344,  (0x80100080, {24, 0, 0x40, 0, 1237344, "\??\C:\WINDOWS\system32\crypt32.dll"}, 0x0, 0, 5, 1, 96, 0, 0, ... 184, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 184, {status=0x0, info=1}, ) == 0x0
 01674   464   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 184, ... 176, ) == 0x0
 01675   464   NtClose  (184, ... ) == 0x0
 01676   464   NtMapViewOfSection  (176, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xb20000), {0, 0}, 598016, ) == 0x0
 01677   464   NtClose  (176, ... ) == 0x0
 01678   464   NtAllocateVirtualMemory  (-1, 1359872, 0, 20480, 4096, 4, ... 1359872, 20480, ) == 0x0
 01679   464   NtQueryDefaultLocale  (1, 1236828, ... ) == 0x0
 01680   464   NtQueryVirtualMemory  (-1, 0xb20000, Basic, 28, ... {BaseAddress=0xb20000,AllocationBase=0xb20000,AllocationProtect=0x2,RegionSize=0x92000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01681   464   NtQueryDefaultLocale  (1, 1236828, ... ) == 0x0
 01682   464   NtQueryVirtualMemory  (-1, 0xb20000, Basic, 28, ... {BaseAddress=0xb20000,AllocationBase=0xb20000,AllocationProtect=0x2,RegionSize=0x92000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01683   464   NtQueryDefaultLocale  (1, 1236828, ... ) == 0x0
 01684   464   NtQueryVirtualMemory  (-1, 0xb20000, Basic, 28, ... {BaseAddress=0xb20000,AllocationBase=0xb20000,AllocationProtect=0x2,RegionSize=0x92000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01685   464   NtQueryDefaultLocale  (1, 1236828, ... ) == 0x0
 01686   464   NtQueryVirtualMemory  (-1, 0xb20000, Basic, 28, ... {BaseAddress=0xb20000,AllocationBase=0xb20000,AllocationProtect=0x2,RegionSize=0x92000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01687   464   NtQueryDefaultLocale  (1, 1236828, ... ) == 0x0
 01688   464   NtQueryVirtualMemory  (-1, 0xb20000, Basic, 28, ... {BaseAddress=0xb20000,AllocationBase=0xb20000,AllocationProtect=0x2,RegionSize=0x92000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01689   464   NtQueryDefaultLocale  (1, 1236828, ... ) == 0x0
 01690   464   NtQueryVirtualMemory  (-1, 0xb20000, Basic, 28, ... {BaseAddress=0xb20000,AllocationBase=0xb20000,AllocationProtect=0x2,RegionSize=0x92000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01691   464   NtQueryDefaultLocale  (1, 1236828, ... ) == 0x0
 01692   464   NtQueryVirtualMemory  (-1, 0xb20000, Basic, 28, ... {BaseAddress=0xb20000,AllocationBase=0xb20000,AllocationProtect=0x2,RegionSize=0x92000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01693   464   NtQueryDefaultLocale  (1, 1236828, ... ) == 0x0
 01694   464   NtQueryVirtualMemory  (-1, 0xb20000, Basic, 28, ... {BaseAddress=0xb20000,AllocationBase=0xb20000,AllocationProtect=0x2,RegionSize=0x92000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01695   464   NtQueryDefaultLocale  (1, 1236828, ... ) == 0x0
 01696   464   NtQueryVirtualMemory  (-1, 0xb20000, Basic, 28, ... {BaseAddress=0xb20000,AllocationBase=0xb20000,AllocationProtect=0x2,RegionSize=0x92000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01697   464   NtQueryDefaultLocale  (1, 1236828, ... ) == 0x0
 01698   464   NtQueryVirtualMemory  (-1, 0xb20000, Basic, 28, ... {BaseAddress=0xb20000,AllocationBase=0xb20000,AllocationProtect=0x2,RegionSize=0x92000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01699   464   NtQueryDefaultLocale  (1, 1236828, ... ) == 0x0
 01700   464   NtQueryVirtualMemory  (-1, 0xb20000, Basic, 28, ... {BaseAddress=0xb20000,AllocationBase=0xb20000,AllocationProtect=0x2,RegionSize=0x92000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01701   464   NtQueryDefaultLocale  (1, 1236828, ... ) == 0x0
 01702   464   NtQueryVirtualMemory  (-1, 0xb20000, Basic, 28, ... {BaseAddress=0xb20000,AllocationBase=0xb20000,AllocationProtect=0x2,RegionSize=0x92000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01703   464   NtQueryDefaultLocale  (1, 1236828, ... ) == 0x0
 01704   464   NtQueryVirtualMemory  (-1, 0xb20000, Basic, 28, ... {BaseAddress=0xb20000,AllocationBase=0xb20000,AllocationProtect=0x2,RegionSize=0x92000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01705   464   NtQueryDefaultLocale  (1, 1236828, ... ) == 0x0
 01706   464   NtQueryVirtualMemory  (-1, 0xb20000, Basic, 28, ... {BaseAddress=0xb20000,AllocationBase=0xb20000,AllocationProtect=0x2,RegionSize=0x92000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01707   464   NtQueryDefaultLocale  (1, 1236828, ... ) == 0x0
 01708   464   NtQueryVirtualMemory  (-1, 0xb20000, Basic, 28, ... {BaseAddress=0xb20000,AllocationBase=0xb20000,AllocationProtect=0x2,RegionSize=0x92000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01709   464   NtQueryDefaultLocale  (1, 1236828, ... ) == 0x0
 01710   464   NtQueryVirtualMemory  (-1, 0xb20000, Basic, 28, ... {BaseAddress=0xb20000,AllocationBase=0xb20000,AllocationProtect=0x2,RegionSize=0x92000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01711   464   NtQueryDefaultLocale  (1, 1236828, ... ) == 0x0
 01712   464   NtQueryVirtualMemory  (-1, 0xb20000, Basic, 28, ... {BaseAddress=0xb20000,AllocationBase=0xb20000,AllocationProtect=0x2,RegionSize=0x92000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01713   464   NtQueryDefaultLocale  (1, 1236828, ... ) == 0x0
 01714   464   NtQueryVirtualMemory  (-1, 0xb20000, Basic, 28, ... {BaseAddress=0xb20000,AllocationBase=0xb20000,AllocationProtect=0x2,RegionSize=0x92000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01715   464   NtQueryDefaultLocale  (1, 1236828, ... ) == 0x0
 01716   464   NtQueryVirtualMemory  (-1, 0xb20000, Basic, 28, ... {BaseAddress=0xb20000,AllocationBase=0xb20000,AllocationProtect=0x2,RegionSize=0x92000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01717   464   NtQueryDefaultLocale  (1, 1236828, ... ) == 0x0
 01718   464   NtQueryVirtualMemory  (-1, 0xb20000, Basic, 28, ... {BaseAddress=0xb20000,AllocationBase=0xb20000,AllocationProtect=0x2,RegionSize=0x92000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01719   464   NtQueryDefaultLocale  (1, 1236828, ... ) == 0x0
 01720   464   NtQueryVirtualMemory  (-1, 0xb20000, Basic, 28, ... {BaseAddress=0xb20000,AllocationBase=0xb20000,AllocationProtect=0x2,RegionSize=0x92000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01721   464   NtQueryDefaultLocale  (1, 1236828, ... ) == 0x0
 01722   464   NtQueryVirtualMemory  (-1, 0xb20000, Basic, 28, ... {BaseAddress=0xb20000,AllocationBase=0xb20000,AllocationProtect=0x2,RegionSize=0x92000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01723   464   NtUnmapViewOfSection  (-1, 0xb20000, ... ) == 0x0
 01724   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rsaenh.dll"}, 1236804, ... ) }, 1236804, ... ) == 0x0
 01725   464   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1237580,  (0x80100080, {24, 0, 0x40, 0, 1237580, "\??\C:\WINDOWS\system32\rsaenh.dll"}, 0x0, 0, 3, 1, 96, 0, 0, ... 176, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 96, 0, 0, ... 176, {status=0x0, info=1}, ) == 0x0
 01726   464   NtQueryVolumeInformationFile  (176, 1237764, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01727   464   NtQueryInformationFile  (176, 1237632, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01728   464   NtQueryInformationFile  (176, 1237936, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01729   464   NtClose  (176, ... ) == 0x0
 01730   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rsaenh.dll"}, 1236284, ... ) }, 1236284, ... ) == 0x0
 01731   464   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1237060,  (0x80100080, {24, 0, 0x40, 0, 1237060, "\??\C:\WINDOWS\system32\rsaenh.dll"}, 0x0, 0, 3, 1, 96, 0, 0, ... 176, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 96, 0, 0, ... 176, {status=0x0, info=1}, ) == 0x0
 01732   464   NtQueryVolumeInformationFile  (176, 1237244, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01733   464   NtQueryInformationFile  (176, 1237112, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01734   464   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 176, ... 184, ) == 0x0
 01735   464   NtMapViewOfSection  (184, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xb20000), {0, 0}, 155648, ) == 0x0
 01736   464   NtQueryDefaultLocale  (1, 1237296, ... ) == 0x0
 01737   464   NtQueryVirtualMemory  (-1, 0xb20000, Basic, 28, ... {BaseAddress=0xb20000,AllocationBase=0xb20000,AllocationProtect=0x2,RegionSize=0x26000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01738   464   NtQueryVirtualMemory  (-1, 0xb20000, Basic, 28, ... {BaseAddress=0xb20000,AllocationBase=0xb20000,AllocationProtect=0x2,RegionSize=0x26000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01739   464   NtQueryDefaultLocale  (1, 1237296, ... ) == 0x0
 01740   464   NtQueryVirtualMemory  (-1, 0xb20000, Basic, 28, ... {BaseAddress=0xb20000,AllocationBase=0xb20000,AllocationProtect=0x2,RegionSize=0x26000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01741   464   NtQueryVirtualMemory  (-1, 0xb20000, Basic, 28, ... {BaseAddress=0xb20000,AllocationBase=0xb20000,AllocationProtect=0x2,RegionSize=0x26000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01742   464   NtReadFile  (176, 0, 0, 0, 328, 0x0, 0, ... {status=0x0, info=328},  (176, 0, 0, 0, 328, 0x0, 0, ... {status=0x0, info=328}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\7\267\232\34C\326\364OC\326\364OC\326\364O\200\331\373OJ\326\364OC\326\365O\320\326\364O\200\331\251OH\326\364O\200\331\250OB\326\364O\200\331\252OB\326\364O\200\331\224OB\326\364O\200\331\253Oj\326\364O\200\331\256OB\326\364ORichC\326\364O\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\4\0(]\353@\0\0\0\0\0\0\0\0\340\0\16!\13\1\7\12\0\14\2\0\0F\0\0\0\0\0\0\3414\1\0\0\20\0\0\0 \2\0\0\0\375\17\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0\200\2\0\0\4\0\0", ) , ) == 0x0
 01743   464   NtQueryInformationFile  (176, 1237460, 8, Position, ... {status=0x0, info=8}, ) == 0x0
 01744   464   NtSetInformationFile  (176, 1237460, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01745   464   NtReadFile  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\3\0\0\10\0\0\4\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\200\30\2\0\273\2\0\08\14\2\0x\0\0\0\0P\2\0P\14\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\2\0\354\16\0\00\22\0\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200`\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\20\0\00\2\0\00\12\2\0\340\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0;\13\2\0\0\20\0\0\0\14\2\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0`.data\0\0\0\210%\0\0\0 \2\0\0$\0\0\0\20\2\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0\300.rsrc\0\0\0P\14\0\0\0P\2\0\0\16\0\0\04\2\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0@.reloc\0\0r\20\0\0\0`\2\0\0\22\0\0\0B\2\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0B\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01746   464   NtReadFile  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0 \0\0@ \0\200\0\0 \0@ \0\0@  \200\0  \0\0\0\0\200\0 \0\200@\0\0\200\0\0 \200@  \0\0\0 \0@ \0\200@\0 \200\0\0\0\0\0 \0\0@\0\0\0\0  \200@\0 \200@  \200\0\0 \200\0\0\0\200@ \0\0@\0\0\0\0  \0@  \0\0 \0\200@ \0\0\0\0\0\200\0 \0\200@  \0\0  \200@\0 \0\0\0\0\0\0 \0\200\0\0\0\200\0 \0\0@\0 \200\0\0 \0@\0 \0@  \200\0  \0@\0\0\0@  \200\0  \0\0\0 \0@ \0\200@\0\0\200\0\0 \200@  \0\0\0\0\0\0 \0\0@\0\0\200@ \0\200\0  \200\0\0 \200@ \0\0@\0\0\0@\0 \200\0@\0\0\0\2\0\0\0\2\0\1\4\0\0\1\4B\0\1\4@\0\0\0B\0\0\0\0\0\0\0\0\0\1\4\2\0\1\4\2\0\0\0@\0\1\4\0\0\0\0B\0\1\0@\0\1\4\2\0\0\4\2\0\1\0@\0\0\4@\0\0\4B\0\1\0\0\0\0\0\2\0\1\4\0\0\1\0B\0\0\4@\0\1\4B\0\0\0B\0\1\4\0\0\0\4B\0\0\4@\0\1\0\2\0\0\0\0\0\1\4B\0\0\0@\0\1\4@\0\1\4\2\0\0\0@\0\0\0\2\0\0\0\0\0\1\4@\0\1\4\2\0\1\4B\0\0\0B\0\0\0\0\0\0\0\2\0\0\4\0\0\1\4\0\0\0\0\2\0\1\0\0\0\0\4\2\0\1\0\2\0\1\0B\0\0\4\2\0\0\0@\0\0\4B\0\1\0\0\0\1\0B\0\1\4\0\0\0\4@\0\0\4B\0\1\4\0\0\1\0B\0\1\0@\0\1\4@\0\0\200\0\200 \0\0\202 ", ) , ) == 0x0
 01747   464   NtReadFile  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\250TT\374m\273\273\326,\26\26:\245\306cc\204\370||\231\356ww\215\366{{\15\377\362\362\275\326kk\261\336ooT\221\305\305P`00\3\2\1\1\251\316gg}V++\31\347\376\376b\265\327\327\346M\253\253\232\354vvE\217\312\312\235\37\202\202@\211\311\311\207\372}}\25\357\372\372\353\262YY\311\216GG\13\373\360\360\354A\255\255g\263\324\324\375_\242\242\352E\257\257\277#\234\234\367S\244\244\226\344rr[\233\300\300\302u\267\267\34\341\375\375\256=\223\223jL&&Zl66A~??\2\365\367\367O\203\314\314\h44\364Q\245\2454\321\345\345\10\371\361\361\223\342qqs\253\330\330Sb11?*\25\25\14\10\4\4R\225\307\307eF##^\235\303\303(0\30\30\2417\226\226\17\12\5\5\265/\232\232\11\16\7\76$\22\22\233\33\200\200=\337\342\342&\315\353\353iN''\315\177\262\262\237\352uu\33\22\11\11\236\35\203\203tX,,.4\32\32-6\33\33\262\334nn\356\264ZZ\373[\240\240\366\244RRMv;;a\267\326\326\316}\263\263{R))>\335\343\343q^//\227\23\204\204\365\246SSh\271\321\321\0\0\0\0,\301\355\355`@  \37\343\374\374\310y\261\261\355\266[[\276\324jjF\215\313\313\331g\276\276Kr99\336\224JJ\324\230LL\350\260XXJ\205\317\317k\273\320\320*\305\357\357\345O\252\252\26\355\373\373\305\206CC\327\232MMUf33\224\21\205\205\317\212EE\20\351\371\371\6\4\2\2\201\376\177\177\360\240PPDx<<\272%\237\237\343K\250\250\363\242QQ\376]\243\243\300\200@@\212\5\217\217\255?\222\222\274!\235\235Hp88\4\361\365\365\337c\274\274\301w\266\266", ) , ) == 0x0
 01748   464   NtReadFile  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\3252\266pHl\t\320\270WBPQ\364\247S~Ae\303\32\27\244\226:'^\313;\253k\361\37\235E\253\254\372X\223K\343\3U 0\372\366\255vm\221\210\314v%\365\2L\374O\345\327\327\305*\313\200&5D\217\265b\243I\336\261Zg%\272\33\230E\352\16\341]\376\300\2\303/u\22\201L\360\243\215F\227\306k\323\371\347\3\217_\225\25\222\234\353\277mz\332\225RY-\324\276\203\323Xt!)I\340iD\216\311\310ju\302\211x\364\216yk\231X>\335'\271q\266\276\341O\27\360\210\255f\311 \254\264}\316:\30c\337J\202\345\321`\227Q3EbS\177\340\261dw\204\273k\256\34\376\201\240\224\371\10+XpHh\31\217E\375\207\224\336l\267R{\370#\253s\323\342rK\2W\343\37\217*fU\253\7\262\353(\3/\265\302\232\206\305{\245\3237\10\3620(\207\262#\277\245\272\2\3j\\355\26\202+\212\317\34\222\247y\264\360\363\7\362\241Ni\342\315e\332\364\325\6\5\276\37\3214b\212\304\246\376\2354.S\240\242\363U2\5\212\341u\244\366\3539\13\203\354\252@`\357\6^q\237Q\275n\20\371>!\212=\226\335\6\256\335>\5FM\346\275\265\221T\215\5q\304]o\4\6\324\377`P\25$\31\230\373\227\326\275\351\314\211@Cwg\331\236\275\260\350B\210\7\211\2138\347\31[\333y\310\356G\241|\12\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*", ) , ) == 0x0
 01749   464   NtReadFile  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "<"\340C.9\367^ 0\372U\354\232\267\1\342\223\272\12\360\210\255\27\376\201\240\34\324\276\203-\332\267\216&\310\254\231;\306\245\2240\234\322\337Y\222\333\322R\200\300\305O\216\311\310D\244\366\353u\252\377\346~\270\344\361c\266\355\374h\14\12g\261\2\3j\272\20\30}\247\36\21p\2544.S\235:'^\226("@\35\236/KG\351d"I\340i)[\373~4U\362s?\177\315P\16q\304]\5c\337J\30m\326G\23\3271\334\312\3318\321\301\313#\306\334\305*\313\327\357\25\350\346\341\34\345\355\363\7\362\360\375\16\377\373\247y\264\222\251p\271\231\273k\256\204\265b\243\217\237]\200\276\221T\215\265\203O\232\250\215F\227\243\0\0\0\0\13\16\11\15\26\34\22\32\35\22\33\27,8$4'6-9:$6.1*?#XpHhS~AeNlZrEbS\177tHl\\177FeQbT~FiZwK\260\340\220\320\273\356\231\335\246\374\202\312\255\362\213\307\234\330\264\344\227\326\275\351\212\304\246\376\201\312\257\363\350\220\330\270\343\236\321\265\376\214\312\242\365\202\303\257\304\250\374\214\317\246\365\201\322\264\356\226\331\272\347\233{\333;\273p\3252\266m\307)\241f\311 \254W\343\37\217\\355\26\202A\377\15\225J\361\4\230#\253s\323(\245z\3365\267a\311>\271h\304\17\223W\347\4\235^\352\31\217E\375\22\201L\360\313;\253k\3005\242f\335'\271q\326)\260|\347\3\217_\354\15\206R\361\37\235E\372\21\224H\223K\343\3\230E\352\16", ) \340C.9\367^ 0\372U\354\232\267\1\342\223\272\12\360\210\255\27\376\201\240\34\324\276\203-\332\267\216&\310\254\231;\306\245\2240\234\322\337Y\222\333\322R\200\300\305O\216\311\310D\244\366\353u\252\377\346~\270\344\361c\266\355\374h\14\12g\261\2\3j\272\20\30}\247\36\21p\2544.S\235:'^\226(213&5D\200|B\17\351rK\2\342`P\25\377nY\30\364Df;\305Jo6\316Xt!\323V},\3307\241\14z9\250\1q+\263\26l%\272\33g\17\2058V\1\2145]\23\227 (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "<"\340C.9\367^ 0\372U\354\232\267\1\342\223\272\12\360\210\255\27\376\201\240\34\324\276\203-\332\267\216&\310\254\231;\306\245\2240\234\322\337Y\222\333\322R\200\300\305O\216\311\310D\244\366\353u\252\377\346~\270\344\361c\266\355\374h\14\12g\261\2\3j\272\20\30}\247\36\21p\2544.S\235:'^\226("@\35\236/KG\351d"I\340i)[\373~4U\362s?\177\315P\16q\304]\5c\337J\30m\326G\23\3271\334\312\3318\321\301\313#\306\334\305*\313\327\357\25\350\346\341\34\345\355\363\7\362\360\375\16\377\373\247y\264\222\251p\271\231\273k\256\204\265b\243\217\237]\200\276\221T\215\265\203O\232\250\215F\227\243\0\0\0\0\13\16\11\15\26\34\22\32\35\22\33\27,8$4'6-9:$6.1*?#XpHhS~AeNlZrEbS\177tHl\\177FeQbT~FiZwK\260\340\220\320\273\356\231\335\246\374\202\312\255\362\213\307\234\330\264\344\227\326\275\351\212\304\246\376\201\312\257\363\350\220\330\270\343\236\321\265\376\214\312\242\365\202\303\257\304\250\374\214\317\246\365\201\322\264\356\226\331\272\347\233{\333;\273p\3252\266m\307)\241f\311 \254W\343\37\217\\355\26\202A\377\15\225J\361\4\230#\253s\323(\245z\3365\267a\311>\271h\304\17\223W\347\4\235^\352\31\217E\375\22\201L\360\313;\253k\3005\242f\335'\271q\326)\260|\347\3\217_\354\15\206R\361\37\235E\372\21\224H\223K\343\3\230E\352\16", ) I\340i)[\373~4U\362s?\177\315P\16q\304]\5c\337J\30m\326G\23\3271\334\312\3318\321\301\313#\306\334\305*\313\327\357\25\350\346\341\34\345\355\363\7\362\360\375\16\377\373\247y\264\222\251p\271\231\273k\256\204\265b\243\217\237]\200\276\221T\215\265\203O\232\250\215F\227\243\0\0\0\0\13\16\11\15\26\34\22\32\35\22\33\27,8$4'6-9:$6.1*?#XpHhS~AeNlZrEbS\177tHl\\177FeQbT~FiZwK\260\340\220\320\273\356\231\335\246\374\202\312\255\362\213\307\234\330\264\344\227\326\275\351\212\304\246\376\201\312\257\363\350\220\330\270\343\236\321\265\376\214\312\242\365\202\303\257\304\250\374\214\317\246\365\201\322\264\356\226\331\272\347\233{\333;\273p\3252\266m\307)\241f\311 \254W\343\37\217\\355\26\202A\377\15\225J\361\4\230#\253s\323(\245z\3365\267a\311>\271h\304\17\223W\347\4\235^\352\31\217E\375\22\201L\360\313;\253k\3005\242f\335'\271q\326)\260|\347\3\217_\354\15\206R\361\37\235E\372\21\224H\223K\343\3\230E\352\16", ) == 0x0
 01750   464   NtReadFile  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "M\0a\0c\0h\0i\0n\0e\0K\0e\0y\0s\0\0\0-%lu\0\0\0\00x%02hx%02hx%02hx%02hx%02hx%02hx\0\0\0\0%lu\0S-%lu-\0\0-\0%\0l\0u\0\0\0\0\00\0x\0%\00\02\0h\0x\0%\00\02\0h\0x\0%\00\02\0h\0x\0%\00\02\0h\0x\0%\00\02\0h\0x\0%\00\02\0h\0x\0\0\0\0\0%\0l\0u\0\0\0S\0-\0%\0l\0u\0-\0\0\0\0\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0C\0r\0y\0p\0t\0o\0\\0R\0S\0A\0\\0\0\0\0\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0C\0r\0y\0p\0t\0o\0\\0D\0S\0S\0\\0\0\0\0\0SeRestorePrivilege\0\0SeBackupPrivilege\0\0\0.DEFAULT\0\0\0\0Software\Microsoft\Cryptography\UserKeys\0\0\0\0Software\Microsoft\Cryptography\MachineKeys\0Software\Microsoft\Cryptography\DSSUserKeys\0*\0\0\0SeSecurityPrivilege\0OffloadModEx", ) , ) == 0x0
 01751   464   NtReadFile  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "3\300@\213M\374_^\350\317\305\0\0\311\302\14\0\314\314\314\314\314\213\377U\213\354\213E\10\203x\4\14u\26\201}\14\1\200\0\0t\11\201}\14\2\200\0\0u\43\300\353\33\300@]\302\10\0\314\314\314\314\314\213\377U\213\354\213E\10-\1\200\0\0VW\17\204\211\0\0\0HtWHt9Ht\12\270\10\0\11\200\351\235\0\0\0jt_W\350\324G\1\0\213\360\205\366u\10j\10X\351\206\0\0\0V\350\311\310\0\0\203&\0\213E\14\2110\213E\20\2118\353ojl_W\350\250G\1\0\213\360\205\366t\324\203fh\0V\350}\310\0\0\353\331jd\350\217G\1\0\213\360\205\366t\273j\31Y3\300\213\376\363\253!F\34V\350\220\24\1\0\213E\20\307\0d\0\0\0\213E\14\2110\353%j8^V\350^G\1\0\213\320\205\322t\2123\300j\16Y\213\372\363\253!B4\213E\20\2110\213E\14\211\203\300_^]\302\14\0\314\314\314\314\314\213\377U\213\354S3\3339]\24VWt\12\277\11\0\11\200\351\243\0\0\0S\377u\10\350[\223\0\0;\303u\12\277\1\0\11\200\351\214\0\0\0\213u\14VP\350\306\376\377\377\205\300u\7\277\10\0\11\200\353wj8\350\351F\1\0\213\3303\322;\332\17\204\361\0\0\0j\163\300Y\213\373\363\253\213M\10\213\306-\2L\0\0\211s\4\211\13\17\204\254\1\0\0-\34\0\0\17\204F\1\0\0\203\350\3\17\204%\1\0\0H\17\204\366\0\0\0Ht\9U\20\17\205\250\1\0\0\215C\10P\215C\14PV\350\205\376\377\377\205\300u\13Sj\1\377u\30\3503\223\0\0\213\3703\300\205\377\17\224\300\213\360\205\366u\36\205\333t\23\213C\14\205\300t\6P\350\236F\1\0S\350\230F", ) , ) == 0x0
 01752   464   NtReadFile  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\253\253\2533\300@S\211s<\211s@\211C\\211C`\211sd\350P\377\377\377\213E\30;\306\213M\20\211K\14t"9u\34t\5\211C\20\353\30\213{\20\213\360\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213M\203\366\201\352\1f\0\0tuJtTJt3\203\352\6t\37\203\352\5t\21Jt\16Jt\13\211s`\211sx\351\200\0\0\0\307Cx\20\0\0\0\353w\203{\14\20uM9u u\31j\20\353\15\203{\14\30u>9u u\12j\30\377s\20\350T\17\1\0\307Cx\10\0\0\0\353J\213E\249\260\204\1\0\0u\11\307Cl(\0\0\0\353\343\213\301\301\340\3\211Cl\353\331j\10_9{\14t\23\277\11\0\11\200;\336t\6S\350\2607\1\0\213\307\353\309u u\11W\377s\20\350\4\17\1\0\211{x\213E$\211\303\300_^[]\302 \0\314\314\314\314\314\213\377U\213\354V\213u\10\213F\20\205\300t\6P\350r7\1\0\213F\30\205\300t\6P\350e7\1\0V\350_7\1\0^]\302\4\0\314\314\314\314\314\213\377U\213\354\213E\14\213M\30W3\3223\377-\0$\0\0\211\21t\31-\1B\0\0tlHtUHtF\203\350\6t5-\367=\0\0u\6\307\1\1\0\0\0\213E\20R\301\340\3P\377u\14\213E\10\3774\205HB\377\17\350\204\207\1\0\205\300t\33\377G\213\307_]\302\24\0\203}\20\20t\360\203}\20\16\353*\203}\20\30t\344\203}\20\25\353\369U\24u\331\213E\20R\301\340\3Ph\2f\0\0\353\267\203}\20\10t\304\203}\20\7u\301\353\274\314\314\314\314\314\213\377U\213\354\213E\14V3\366\205\300t \215M\14Q\377u\20\377p\14\377p\4", ) 9u\34t\5\211C\20\353\30\213{\20\213\360\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213M\203\366\201\352\1f\0\0tuJtTJt3\203\352\6t\37\203\352\5t\21Jt\16Jt\13\211s`\211sx\351\200\0\0\0\307Cx\20\0\0\0\353w\203{\14\20uM9u u\31j\20\353\15\203{\14\30u>9u u\12j\30\377s\20\350T\17\1\0\307Cx\10\0\0\0\353J\213E\249\260\204\1\0\0u\11\307Cl(\0\0\0\353\343\213\301\301\340\3\211Cl\353\331j\10_9{\14t\23\277\11\0\11\200;\336t\6S\350\2607\1\0\213\307\353\309u u\11W\377s\20\350\4\17\1\0\211{x\213E$\211\303\300_^[]\302 \0\314\314\314\314\314\213\377U\213\354V\213u\10\213F\20\205\300t\6P\350r7\1\0\213F\30\205\300t\6P\350e7\1\0V\350_7\1\0^]\302\4\0\314\314\314\314\314\213\377U\213\354\213E\14\213M\30W3\3223\377-\0$\0\0\211\21t\31-\1B\0\0tlHtUHtF\203\350\6t5-\367=\0\0u\6\307\1\1\0\0\0\213E\20R\301\340\3P\377u\14\213E\10\3774\205HB\377\17\350\204\207\1\0\205\300t\33\377G\213\307_]\302\24\0\203}\20\20t\360\203}\20\16\353*\203}\20\30t\344\203}\20\25\353\369U\24u\331\213E\20R\301\340\3Ph\2f\0\0\353\267\203}\20\10t\304\203}\20\7u\301\353\274\314\314\314\314\314\213\377U\213\354\213E\14V3\366\205\300t \215M\14Q\377u\20\377p\14\377p\4", ) == 0x0
 01753   464   NtReadFile  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\1\0\11\200\351\325\0\0\0\215E\10Pj\2V\377u\14\350\237t\0\0\205\300t;\215E\10Pj\3V\377u\14\350\214t\0\0\205\300t(\215E\10Pj\4V\377u\14\350yt\0\0\205\300t\25= \0\11\200\17\205\221\0\0\0\270\3\0\11\200\351\207\0\0\0\213E\20\203\370\12\17\207\313\1\0\0\17\204u\1\0\0H\17\204]\1\0\0H\17\204\342\0\0\0H\17\204\316\0\0\0H\17\204\213\0\0\0HtrH\17\205\317\2\0\0\213E\24\213\20\367\302\300\376\377\377t\7\270\11\0\11\200\353;\367\302\4\0\0\0\213E\10t\20\367@h\4\0\0\0u\7\270\5\0\11\200\353 \271\0\1\0\0\205\321t\5\205Hht\353\213Hh3\312\201\341\4\1\0\03\312\211Hh3\300_3\311\205\300\17\224\301\213\361\205\366u\7P\377\25\304\21\375\17\213\306^]\302\24\0\213E\24\213\0\205\300t\264\203\370@w\257\213M\10\211Ad\353\314\213U\10\213B\4=\0$\0\0\17\204,\377\377\377=\0\244\0\0\17\204!\377\377\377\213M\24\212\1<\1t\20<\2t\14<\4t\10<\3\17\205r\377\377\377\213\1\211B`\353\220\213E\24\2038\1t\210\351^\377\377\377\213M\10\213A\4=\2f\0\0t\13=\1h\0\0\17\205\334\376\377\377\213u\24\205\366u\10jWX\351^\377\377\377\213\207\204\1\0\0\205\300t\13\203\370\1t\6\203a@\0\353\7\307A@\13\0\0\0\213E\10\213H@\205\311t\24\215xD\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213E\10P\350\307\371\377\377\205\300\17\204\24\377\377\377\351\21\377\377\377\213E\10\213Hx\213u\24\215x\34\351g\1\0\0\213M\10\213A\4=\2f\0\0t\13=\1h\0\0\17\205W\376", ) , ) == 0x0
 01754   464   NtReadFile  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "j\10X\351\264\1\0\0\213E\309{\10\213H$\213\372u\25\213\361\301\351\2\2706666\363\253\213\316\203\341\3\363\252\353\21\213s\4\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213E\30\213@ \205\300t\11P\350C\30\1\0\213U\24\213E\30\211P \213C\20\205\300u\14\213E\30\307@,@\0\0\0\353\6\213M\30\211A,\213E\30\377p,\350\323\27\1\0\213\320\205\322\213E\30\211U\24u\24\377p \350\2\30\1\0\213E\30\203` \0\351h\377\377\377\203{\20\0\213H,\213\372u\25\213\361\301\351\2\270\\\\\363\253\213\316\203\341\3\363\252\353\21\213s\14\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213E\30\213@(\205\300t\11P\350\265\27\1\0\213U\24\213E\30\211P(\351\323\0\0\0\213E\30\213H\4\201\351\1\200\0\0\17\204\236\0\0\0I\17\204\217\0\0\0It\177ItnIt\37\203\351\3t\12\270\10\0\11\200\351\244\0\0\0\213x\14j\11\213u\24Y\363\245\351\200\0\0\0\213p\14\215M\374Qj\2\377u\10\377p\20\350{c\0\0;\307t\14= \0\11\200uu\203\300\343\353p9^$u\7\270\14\0\11\200\353d\213E\374\213Hx\213u\24\215x,\213\301\301\351\2\363\245\213\310\203\341\3\363\244\3534\213@\149\30t\326\215x\4j\5\353\233\213@\149Xht\307\215xX\353\22\213@\149X\34\353\6\213@\149X4t\262\213\370\213u\24\245\245\245\245\213E\30\11X0\203}\20\2u\6\213E\30\11X\243\300[3\311\205\300\17\224\301\213\361\205\366u\7P\377\25\304\21\375\17_\213\306^\311\302\24\0\314\314\314\314\314\213\377U\213\354\213E\10-\1\200\0\0SVW\17\204\324\0\0\0", ) , ) == 0x0
 01755   464   NtReadFile  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\304\215\226d\1\0\0\211U\300\215U\314R\215F8\215NXPQ\377u\300\211E\260\211M\264\350\5\35\0\0\205\300\17\205q\377\377\377;\337t3\201\373\11f\0\0t+\201\373\3f\0\0t#\201\373\1L\0\0u\11\306E\314\3\210E\315\353\34\201\373\6L\0\0u\24\306E\314\3\306E\315\1\353\12\366E\20\4\17\205\303\376\377\377\366E\20\1t\7\307E\274\1\0\0\0\215E\310Pj\0j\0\215E\314P\377u\10\377u\304\377u\274S\350\365\316\377\377\205\300\17\205\0\377\377\377\213]\20\203\343\4tA\213\266\204\1\0\0\205\366t\15\203\376\1t\10\213}\310!G@\353\14\213E\310\307@@\13\0\0\0\213\370\377w@\215GDP\377u\260\377u\264\377u\300\350L\34\0\0\205\300t\10\351\267\376\377\377\213}\310\213u\270Wj\2V\350\16T\0\0\205\300\17\205\240\376\377\377\203}\304\5u;\366E\20\20u5\205\333u1\213E\14=\1L\0\0t'=\6L\0\0t =\4L\0\0t\31=\5L\0\0t\22\3776\377u\10\350S\375\377\377\205\300\17\205_\376\377\3773\366[3\300\205\366\17\224\300\213\370\205\377u\249E\310t\10\377u\310\350\253\317\377\377V\377\25\304\21\375\17\213M\374\213\307_^\350n\204\0\0\311\302\20\0\314\314\314\314\314\213\377U\213\354\201\354<\1\0\0\241\244B\377\17S3\333f\367E\24\352\373V\213u\30\211E\374W\211\265\304\376\377\377\211\235\324\376\377\377\211\235\360\376\377\377\211\235\314\376\377\377\211\235\350\376\377\377\211\235\344\376\377\377\211\235\320\376\377\377t\12\276\11\0\11\200\351\271\3\0\0S\377u\10\350\274R\0\0\213\370;\373\211\275\324\376\377\377u\12\276\1\0\11\200\351\232\3\0\0\213]\14SW\350\216", ) , ) == 0x0
 01756   464   NtReadFile  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "M\14u\25\213\35\324D\377\17\213G@\213O(\307E\30\1\0\0\0\353\30:\301\17\205C\2\0\0\203e\30\0\213\35\330D\377\17\213GL\213O0\205\300\17\204+\2\0\0\213U\374;J\14\17\205\37\2\0\0\213z\20\213\3603\322\363\246t\5\33\322\203\332\377\205\322\17\205\7\2\0\0\215M\364QP\350U\302\377\3773\3669u\20t"V\215E\14P\215E\24Pj\10\377u\20\377u\10\350:\323\377\377\205\300\17\204\330\1\0\0\301m\24\39u\34\213M\24\213E\364\215D\1\10\213M u\7\211\1\351R\2\0\09\1s\14\211\1\276\352\0\0\0\351B\2\0\0\213}\344\366G\3\360u\24j\1\377u\30SW\350?\35\0\0;\306\17\205h\376\377\3779u\30t\13\213\207<\1\0\0\213\177H\353\11\213\2074\1\0\0\213\177T;\306\211E\30\17\204~\1\0\0;\376u\15\213E\374\366@\11@\17\204Y\1\0\0\215E\364PV\377u\30\350\307\301\377\377\205\300\17\204D\1\0\09u\360\213E\364\213M\24\215<\1u\27W\350\27\367\0\0\213\330;\336\211]\354u\21j\10^\351\266\1\0\0\213]\370\203\303\10\211]\354\215E\364PS\377u\30\350\204\301\377\377\205\300\17\204\1\1\0\09u\20t\36VW\215E\364PSVj\1V\377u\20\377u\10\350D\246\377\377;\306\17\205\270\375\377\377\203}\360\0\213M\364\215Y\10\17\205<\1\0\0\213}\34\213u\354\203\307\10\3516\1\0\0\212\6<\3t\10<\4\17\205\262\0\0\0\213E\374\213@\20\205\300\17\204\270\0\0\0\213X\10\213u\34\203\303\7\301\353\3\203\303\24\205\366\17\204\25\1\0\0\213M 9\31\17\202\12\1\0\0\213\10\213U\370\211J\10\213H\10\211J\14\213H\20\211", ) V\215E\14P\215E\24Pj\10\377u\20\377u\10\350:\323\377\377\205\300\17\204\330\1\0\0\301m\24\39u\34\213M\24\213E\364\215D\1\10\213M u\7\211\1\351R\2\0\09\1s\14\211\1\276\352\0\0\0\351B\2\0\0\213}\344\366G\3\360u\24j\1\377u\30SW\350?\35\0\0;\306\17\205h\376\377\3779u\30t\13\213\207<\1\0\0\213\177H\353\11\213\2074\1\0\0\213\177T;\306\211E\30\17\204~\1\0\0;\376u\15\213E\374\366@\11@\17\204Y\1\0\0\215E\364PV\377u\30\350\307\301\377\377\205\300\17\204D\1\0\09u\360\213E\364\213M\24\215<\1u\27W\350\27\367\0\0\213\330;\336\211]\354u\21j\10^\351\266\1\0\0\213]\370\203\303\10\211]\354\215E\364PS\377u\30\350\204\301\377\377\205\300\17\204\1\1\0\09u\20t\36VW\215E\364PSVj\1V\377u\20\377u\10\350D\246\377\377;\306\17\205\270\375\377\377\203}\360\0\213M\364\215Y\10\17\205<\1\0\0\213}\34\213u\354\203\307\10\3516\1\0\0\212\6<\3t\10<\4\17\205\262\0\0\0\213E\374\213@\20\205\300\17\204\270\0\0\0\213X\10\213u\34\203\303\7\301\353\3\203\303\24\205\366\17\204\25\1\0\0\213M 9\31\17\202\12\1\0\0\213\10\213U\370\211J\10\213H\10\211J\14\213H\20\211", ) == 0x0
 01757   464   NtReadFile  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\26\0\11\200\351\314\1\0\0\213^\10\203\303\7\301\353\3\205\377\17\204\245\1\0\0\213E\2749\30\17\202\232\1\0\0\215E\314PQ\377u\10\377u\14\350\2024\0\0\205\300\17\205b\1\0\0\213\313\213\321\301\351\2\363\253\213\312\203\341\3\363\252\213M\314\213A\4-\1\200\0\0t"Ht\37Ht\34Ht\31\203\350\4\17\205d\1\0\0\366A\24\1u\12\277\14\0\11\200\351Y\1\0\03\3779}\300t-W\377u\300\377\25\254\21\375\17\321\340P\377u\300\377u\14\377u\10\350,\250\377\377\205\300u\13\377\25\310\21\375\17\351\362\0\0\0\213M\314\366A0\1t\7\307E\264\1\0\0\0\213F\4W\211E\310\215E\310P\215E\330Pj\2\377u\14\377u\10\350r\322\377\377\205\300t\305\377v\4\350f\347\0\0;\307\211E\320tS\366E\30\4t#\213M\314\201y\4\4\200\0\0\17\205\316\0\0\0P\377u\264\215E\330\377u\310PS\350\342\375\377\377\353\33P\377u\30\215E\330\377u\310P\213E\314\377p\4V\350\313\374\377\377;\307uo\377v\4\350\23\347\0\0;\307\211E\324u\10j\10_\351\216\0\0\0W\377u\304\213}\254\377u\270W\350\266\14\0\0\205\300uD9E\304t\10\213\207<\1\0\0\353\6\213\2074\1\0\0\205\300u\7\277\15\0\11\200\353\\213N\4;H\4t\7\277\32\0\11\200\353M\213u\324V\377u\320P\377\267\200\1\0\0\350O\37\0\0\205\300t\4\213\370\3532\213}\260\213\313\213\301\301\351\2\363\245\213\310\213E\274\203\341\3\363\244\211\303\377\353\26\213E\274\367\337\33\377\211\30\201\347\352\0\0\0\353\5\277\10\0\11\2003\300\205\377\17\224\300\203}\324\0\213\360t\10\377u\324\350\242\346\0\0\203}\320\0t\10\377u", ) Ht\37Ht\34Ht\31\203\350\4\17\205d\1\0\0\366A\24\1u\12\277\14\0\11\200\351Y\1\0\03\3779}\300t-W\377u\300\377\25\254\21\375\17\321\340P\377u\300\377u\14\377u\10\350,\250\377\377\205\300u\13\377\25\310\21\375\17\351\362\0\0\0\213M\314\366A0\1t\7\307E\264\1\0\0\0\213F\4W\211E\310\215E\310P\215E\330Pj\2\377u\14\377u\10\350r\322\377\377\205\300t\305\377v\4\350f\347\0\0;\307\211E\320tS\366E\30\4t#\213M\314\201y\4\4\200\0\0\17\205\316\0\0\0P\377u\264\215E\330\377u\310PS\350\342\375\377\377\353\33P\377u\30\215E\330\377u\310P\213E\314\377p\4V\350\313\374\377\377;\307uo\377v\4\350\23\347\0\0;\307\211E\324u\10j\10_\351\216\0\0\0W\377u\304\213}\254\377u\270W\350\266\14\0\0\205\300uD9E\304t\10\213\207<\1\0\0\353\6\213\2074\1\0\0\205\300u\7\277\15\0\11\200\353\\213N\4;H\4t\7\277\32\0\11\200\353M\213u\324V\377u\320P\377\267\200\1\0\0\350O\37\0\0\205\300t\4\213\370\3532\213}\260\213\313\213\301\301\351\2\363\245\213\310\213E\274\203\341\3\363\244\211\303\377\353\26\213E\274\367\337\33\377\211\30\201\347\352\0\0\0\353\5\277\10\0\11\2003\300\205\377\17\224\300\203}\324\0\213\360t\10\377u\324\350\242\346\0\0\203}\320\0t\10\377u", ) == 0x0
 01758   464   NtReadFile  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\12\213U\334\211\2\203\301\354Q\203\300\24P\350\241\330\0\0\211E\304\205\300\17\205[\377\377\377\213u\334\213E\340\3770\3776\203}\20\1u\15j\1\377s\\377s(\377s@\353\13j\0\377s\\377s0\377sL\350F'\1\0\211E\344\205\300u\36\367E\310\10\0\0\0t\25\377u\20\377u\310\3775\310D\377\17S\350\263\372\377\377\211E\304\203M\374\377\353\36\307E\344\32\0\11\200\353\3613\300@\303\213e\350\307E\344W\0\0\0\203M\374\377\213]\10\203}\300\0t\15\201\303h\1\0\0S\377\25\270\21\375\17\213}\264\205\377t\34\213M\2603\300\213\321\301\351\2\363\253\213\312\203\341\3\363\252\377u\264\377\25\250\21\375\17\213E\344\350\361W\0\0\302\20\0\314\314\314\314\314\213\377U\213\354\203\354L\241\244B\377\17S3\333V\213u\10\211E\374\213E\14W\211u\314\211E\320\211]\334\211]\324\211]\340\307E\264\20\0\0\0\306E\354p\306E\355\362\306E\356\205\306E\357\36\306E\360N\210]\361\210]\362\210]\363\210]\364\210]\365\210]\366\210]\367\210]\370\210]\371\210]\372\210]\373\215x\1\212\10@:\313u\371+\307\203\300\6\211E\310\350\262\343\0\0\205\300\17\205\27\1\0\0h\320\23\375\17\377\25\230\21\375\17;\303\211E\334\17\204\1\1\0\0\213=\234\21\375\17h\274\23\375\17P\377\327h\244\23\375\17\377u\334\211E\304\377\327\367E\20 \0\0\0\211E\270\17\205\326\0\0\09]\304\17\204\315\0\0\0;\303\17\204\305\0\0\0\213E\310@P\350\220\326\0\0;\303\211E\324\17\204\240\0\0\0\213M\320\276\234\23\375\17\213\370\245f\245\244\213\361\212\21A:\323u\371+\316\213\370\213\321O\212O\1G:\313u\370\213\312\301\351\2\363\245j", ) , ) == 0x0
 01759   464   NtReadFile  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\2r\3\213p\14\203\371\3r\3\213P\30RV\377u\10\215E\24P\377u\20\377u\14\350\226\373\377\377\205\300u\22\367E\20\20\0\0\0u\7\213E\24\203`\10\03\3003\311\205\300\17\224\301\213\361\205\366u\7P\377\25\304\21\375\17\213\306^]\302\20\0\314\314\314\314\314\213\377U\213\3543\3223\3119U\14v\22\213E\10\3\301\210\20A;M\14\306\0\377\210\20r\356]\302\10\0\314\314\314\314\314\213\377U\213\354\203}\10\0V\213u\14t9\201>RSA1t\7\270\3\0\11\200\353A\213F\10j\0j\0\377u\24\203\300\7\301\350\3P\215F\24Pj\4\215F\20P\377u\20\377u\10\350\260\1\1\0\205\300u\25\377u\24\377u\20V\350\377\257\0\0\205\300u\5j\10X\353\23\300^]\302\20\0\314\314\314\314\314\213\377U\213\354\203\354\30\213E\14\213@\10SVW\215P\7j\10\301\352\3^\203\342\7\213\316+\312;\316t\2\3\316\203\300\17\301\350\4\321\351\3\301\215<\200\321\347\213\307\203\340\7t\6\213\316+\310\3\371\203\307\24;=xE\377\17\211}\374w6\241|E\377\17\3\307;\307r+\203\300\10P\350\311\30\1\0\205\300t\36\215G\10\203\300\3\203\340\374\350\343F\0\0\213\334\205\333t\12\307\3Stck\3\336u"\215G\10P\377\25\200E\377\17\213\330\205\333\17\204\355\0\0\0\307\3Heap\3\336\17\204\265\0\0\0\213u\14\213\317\213\301\301\351\2\213\373\363\245\213\310\213E\374\203\341\3\203\300\354\363\244P\215{\24W\350\36\307\0\0\213\360\205\366\17\205\203\0\0\09E\10tg\201;RSA2t\7\276\3\0\11\200\353o\213K\10\213E\14\213@\4\203\301\7\301\351\3@\321\350\215tC\24j\0\215Q\1\321\352\211", ) \215G\10P\377\25\200E\377\17\213\330\205\333\17\204\355\0\0\0\307\3Heap\3\336\17\204\265\0\0\0\213u\14\213\317\213\301\301\351\2\213\373\363\245\213\310\213E\374\203\341\3\203\300\354\363\244P\215{\24W\350\36\307\0\0\213\360\205\366\17\205\203\0\0\09E\10tg\201;RSA2t\7\276\3\0\11\200\353o\213K\10\213E\14\213@\4\203\301\7\301\351\3@\321\350\215tC\24j\0\215Q\1\321\352\211", ) == 0x0
 01760   464   NtReadFile  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\340\350\304\374\377\377\211E\334\205\300t\13\211E\344\211]\374\351W\1\0\0\203}\20\0u2\215~@\211}\244\215\236<\1\0\0\211]\240\215F(\211E\274\215\2068\1\0\0\211E\304\215FH\211E\270\307E\264\1\0\0\0\241\234D\377\17\353-\215~L\211}\244\215\2364\1\0\0\211]\240\215F0\211E\274\215\2060\1\0\0\211E\304\215FT\211E\270\203e\264\0\241\240D\377\17\211E\260\213\7\205\300t\15P\350\2\270\0\0\3773\350\373\267\0\0\203e\314\0\213E\320\213M\304\211\1\213E\300\213M\274\211\1\213E\324\211\3\213E\340\211\7\17\266E\14\203\340\1\213M\270\211\1\366F\3\360u\26\377u\264\377u\14\377u\260V\350N\332\377\377\211E\334\205\300uW\213}\24W\203}\20\0u\36j\2\377u\10\350\21\216\377\377\205\300u\10\377\25\310\21\375\17\3537\215E\330Pj\3\353\24j\1\377u\10\350\363\215\377\377\205\300t\342\215E\330Pj\4\377u\10\3777\350\230\3\0\0\211E\334\205\300t\23= \0\11\200u\3\203\300\343\211E\344\203M\374\377\3536\270\0@\0\0\205E\14t\15\213M\330\11A\10\213E\330\200Hi\1\203M\374\377\203e\344\0\353\253\300@\303\213e\350\307E\344W\0\0\0\203M\374\377\213u\2343\3779}\254t\15\201\306h\1\0\0V\377\25\270\21\375\179}\314t\329}\324t\10\377u\324\350\371\266\0\09}\340t\10\377u\340\350\354\266\0\0\213E\344\350\317\0\0\302\24\0\314\314\314\314\314\213\377U\213\354\203}\14\0\213E\10SVWt\16\213\260<\1\0\0\215H(\215x@\353\14\213\2604\1\0\0\215H0\215xL\213^\10\321\353\203\303?\301\353\5\215\34\335\24\0\0\0\213\301;\30\211", ) , ) == 0x0
 01761   464   NtReadFile  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\377u$\213\310\213E\374\377u \203\341\3\363\244\213M\34\213u\30\215<\20\213\321\301\351\2\363\245h\3\200\0\0\377u\370\213\312\203\341\3\363\244\213u\364\213}\10P\3\336SW\350?\376\377\377\205\300u\36\377u$\3\367\377u\14h\4\200\0\0\377u\370\377u\374SV\350!\376\377\377\205\300t\4\213\360\353\32\213u$\205\366v\21\213E \213M\14+\310\212\24\10\20@Nu\3673\366\203}\14\0t\10\377u\14\350\1\250\0\0\377u\374\350\371\247\0\0_\213\306^[\311\302 \0\314\314\314\314\314\213\377U\213\354\213E\10\213\200$\2\0\0\205\300t\6P\350\323\247\0\0]\302\4\0\314\314\314\314\314\213\377U\213\354\213E\10\213\200<\2\0\0\205\300t\6P\350\262\247\0\0]\302\4\0\314\314\314\314\314\213\377U\213\354Q\203e\374\0S\213]\14\213C\4=\1L\0\0t\37=\4L\0\0t\30=\6L\0\0t\21=\5L\0\0t\12\270\12\0\11\200\351_\2\0\0\203{\30\0VWu$\276h\3\0\0V\350\34\247\0\0\213\370\205\377\211{\30\17\204\342\1\0\0\271\332\0\0\03\300\363\253\211s\24\213E\20\213{\30j\24Y;\301\17\205:\1\0\0\213u\24\213F\14\211\207d\3\0\0\213\6\203\350\0\17\204\246\0\0\0H\17\205\335\1\0\0\213F\10\250\7\17\205\322\1\0\0\215M\374Qj\0\301\350\3P\377v\4\213E\10\377\260\204\1\0\0\350\234o\377\377\205\300u\12\270\11\0\11\200\351\316\1\0\0\213F\4-\1f\0\0t\37Ht\34Ht\31\203\350\6t\24-\370\1\0\0\17\205\211\1\0\0\203\247\\3\0\0\0\353\12\307\207\\3\0\0\10\0\0\0\201{\4\5L\0\0u\25\213F\10\301\350\3;C\14t\12\270\3", ) , ) == 0x0
 01762   464   NtReadFile  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\311\302\20\0\314\314\314\314\314\213\377U\213\354\203\354\30\213E\10S\213X\14\213E\20V3\3663\3119u\24W\211u\364t0\213M\14%\0\4\0\0\211E\360t\23\307E\370\254\26\375\17\307E\20\3\0\0\0\215\14I\353D\307E\370\250\26\375\17\307E\20\2\0\0\0\353+%\0\4\0\0\211E\360t\20\307E\370\240\26\375\17\307E\20\5\0\0\0\353\32\213M\14\307E\370\230\26\375\17\307E\20\4\0\0\0\213\203(\2\0\0\215\14\210\213E\20\17\257E\14\215\4@\3\2030\4\0\0\3\203 \2\0\0\3\203\34\1\0\0\215D\1\1P\211E\354\350\225\227\0\0\213\370;\376\211}\374u\10j\10^\351\323\1\0\0\213M\143\300@9u\24\210\17t';\316v#\211M\24\213M\20\213u\370\213\321\3\370\301\351\2\363\245\213\312\203\341\3\3\302\377M\24\363\244\213}\374u\340\213\2130\4\0\0\213\321\301\351\2\3\370\215\2630\3\0\0\363\245\213\312\203\341\3\363\244\213M\14\3\2030\4\0\0\205\311v$\211M\24\213U\374\213M\20\213u\370\215<\20\213\321\301\351\2\363\245\213\312\203\341\3\3\302\377M\24\363\244u\337\213\213 \2\0\0\213U\374\215<\20\213\321\301\351\2\215\263 \1\0\0\363\245\213\312\203\341\3\363\244\213M\14\3\203 \2\0\0\205\311v$\211M\24\213U\374\213M\20\213u\370\215<\20\213\321\301\351\2\363\245\213\312\203\341\3\3\302\377M\24\363\244u\337\203}\360\0uS\213\213(\2\0\0\213U\374\213\263$\2\0\0\215<\20\213\321\301\351\2\363\245\213\312\203\341\3\363\244\3\203(\2\0\0\203}\14\0v'\213M\14\211M\24\213U\374\213M\20\213u\370\215<\20\213\321\301\351\2\363\245\213\312\203\341\3\3\302\377M\24\363\244u\337\213\213", ) , ) == 0x0
 01763   464   NtReadFile  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "E\10P\245\215E\374Ph\364\26\375\17\245\377\263@\1\0\0\350,\246\377\377\205\300t\4\213\360\353nj\1\215E\364P\215E\370Ph\344\26\375\17\377\263@\1\0\0\350\12\246\377\377\205\300u\336\213u\374\205\366t \213\273X\1\0\0\203\307\10\245\245\245\245\213u\374\213\273X\1\0\0\203\306\20\203\307\30\245\245\245\245\213u\370\205\366t \213\273X\1\0\0\203\307(\245\245\245\245\213u\370\213\273X\1\0\0\203\306\20\203\3078\245\245\245\2453\366\203}\374\0t\10\377u\374\350\361\207\0\0\203}\370\0t\10\377u\370\350\343\207\0\0_\213\306^[\311\302\4\0\314\314\314\314\314\213\377U\213\354SV\213u\10W3\3333\3779\236X\1\0\0u\7\270\26\0\11\200\353T9]\14t(\377u\14\377\25\254\21\375\17\215|\0\2W\350\\207\0\0\213\330\205\333u\5j\10X\3531\377u\14S\377\25x\21\375\17\213\206X\1\0\0\213@H\205\300t\6P\350w\207\0\0\213\206X\1\0\0\211xL\213\206X\1\0\0\211XH3\300_^[]\302\10\0\314\314\314\314\314\213\377U\213\354SV\213u\10\205\366WtE\213\6\213M\14\213]\20\213}\24\211\1\213F\4\211\3\213\7\205\300t\6P\350*\207\0\0\3773\350\340\206\0\0\205\300\211\7u\5j\10X\353\27\213\13\213\370\213\301\301\351\2\203\306\10\363\245\213\310\203\341\3\363\2443\300_^[]\302\20\0\314\314\314\314\314\213\377U\213\354\203\354\24\213M\10\213\201X\1\0\0S3\3339] V\211]\374\213p\4\213E$W\211]\10\211\30t\7\307E\10\1\0\0\03\3009]\34\215}\354\253\253\253\253\307E\354\20\0\0\0t\329Y(\17\204\213\0\0\0\213\201X\1\0\0\215P\10\203\300\30\215", ) , ) == 0x0
 01764   464   NtReadFile  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\0\213\2338\36\375\173\373\213\2318\37\375\173\373\213\2308\34\375\173\373\213\2328\35\375\173\373\213E\103\333\213U\143\3073\327%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538\30\375\17\212\3323\365\213\2518\32\375\173\365\212\316\301\350\20\213\2538\31\375\173\365\212\334\301\352\20\213\2518\33\375\173\365\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338\36\375\173\363\213\2318\37\375\173\363\213\2308\34\375\173\363\213\2328\35\375\173\363\213E\203\333\213U\243\3063\326%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538\30\375\17\212\3323\375\213\2518\32\375\173\375\212\316\301\350\20\213\2538\31\375\173\375\212\334\301\352\20\213\2518\33\375\173\375\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338\36\375\173\373\213\2318\37\375\173\373\213\2308\34\375\173\373\213\2328\35\375\173\373\213E\303\333\213U\343\3073\327%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538\30\375\17\212\3323\365\213\2518\32\375\173\365\212\316\301\350\20\213\2538\31\375\173\365\212\334\301\352\20\213\2518\33\375\173\365\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338\36\375\173\363\213\2318\37\375\173\363\213\2308\34\375\173\363\213\2328\35\375\173\363\213E 3\333\213U$3\3063\326%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538\30\375\17\212\3323\375\213\2518\32\375\173\375\212\316\301\350\20\213\2538\31\375\173\375\212\334\301\352\20\213\2518\33\375\173\375\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338\36\375\17", ) , ) == 0x0
 01765   464   NtReadFile  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "D$ \205\300\17\204\31\7\0\0\213\307\367\320\213\357#\301#\352\3\330\213\6\3\335\3\330\301\350\20\213\357\3\3103\300f\321\303f\213\303#\350\203\360\377#\302\3\315\3\3103\300f\301\301\2f\213\301\213\350\203\360\377#\353#\307\3\320\213F\4\3\320\301\350\20\3\325\3\3703\300f\301\302\3f\213\302\213\350\203\360\377#\303#\351\3\370\3\375\203\306\10f\301\307\5\213\307\367\320\213\357#\301#\352\3\330\213\6\3\335\3\330\301\350\20\213\357\3\3103\300f\321\303f\213\303#\350\203\360\377#\302\3\315\3\3103\300f\301\301\2f\213\301\213\350\203\360\377#\353#\307\3\320\213F\4\3\320\301\350\20\3\325\3\3703\300f\301\302\3f\213\302\213\350\203\360\377#\303#\351\3\370\3\375\203\306\10f\301\307\5\213\307\367\320\213\357#\301#\352\3\330\213\6\3\335\3\330\301\350\20\213\357\3\3103\300f\321\303f\213\303#\350\203\360\377#\302\3\315\3\3103\300f\301\301\2f\213\301\213\350\203\360\377#\353#\307\3\320\213F\4\3\320\301\350\20\3\325\3\3703\300f\301\302\3f\213\302\213\350\203\360\377#\303#\351\3\370\3\375\203\306\10f\301\307\5\213\307\367\320\213\357#\301#\352\3\330\213\6\3\335\3\330\301\350\20\213\357\3\3103\300f\321\303f\213\303#\350\203\360\377#\302\3\315\3\3103\300f\301\301\2f\213\301\213\350\203\360\377#\353#\307\3\320\213F\4\3\320\301\350\20\3\325\3\3703\300f\301\302\3f\213\302\213\350\203\360\377#\303#\351\3\370\3\375\203\306\10f\301\307\5\213\307\367\320\213\357#\301#\352\3\330\213\6\3\335\3\330\301\350\20\213\357\3\3103\300f\321\303f\213\303#\350\203\360\377#\302\3\315\3\3103\300f\301\301\2f\213\301\213\350\203\360\377#\353#\307\3\320\213F\4\3\320", ) , ) == 0x0
 01766   464   NtReadFile  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\345]\302\14\0\314\314\314\314\314\314\314\314\314\314\314\314\314\314\314\213\377U\213\354\213M\14\203\371\1\17\216\346\0\0\0\213E\10V\203\300\26IW\215\233\0\0\0\0\17\266p\374\213<\265XR\375\17\17\266P\375\213\24\225XV\375\17\17\266p\3733\327\213<\265XN\375\17\17\266p\3723\3273\24\265XJ\375\17\211P\372\17\266p\377\213<\265XN\375\17\17\266P\1\213\24\225XV\375\17\17\26603\327\213<\265XR\375\17\17\266p\3763\3273\24\265XJ\375\17\211P\376\17\266p\4\213<\265XR\375\17\17\266P\5\213\24\225XV\375\17\17\266p\33\327\213<\265XN\375\17\17\266p\23\3273\24\265XJ\375\17\211P\2\17\266p\10\17\266P\11\213<\265XR\375\17\17\266p\7\213\24\225XV\375\173\327\213<\265XN\375\17\17\266p\63\3273\24\265XJ\375\17\211P\6\203\300\20I\17\205+\377\377\377_^]\302\10\0\314\314\314\314\314\213\377U\213\354\203\354\30SV\213u\10\213\16W\213}\20\213\27\213_\4\213~\103\312\213V\4\213v\143\323\213]\203{\10\241\244B\377\17\211}\364\213\373\213_\14\17\266}\3663\363\213\34\275X1\375\17\211u\370\301\356\30\2134\265X5\375\173\363\17\266\37634\275X-\375\17\17\266\371\213\34\275X)\375\17\17\266}\3723\363\211E\374\213E\14\2110\213\34\275X1\375\17\213\361\301\356\30\2134\265X5\375\173\363\213]\364\211U\360\17\266\37734\275X-\375\17\17\266\322\213<\225X)\375\17\17\266U\3633\367\211p\4\213<\225X5\375\17\211M\354\17\266u\3563<\265X1\375\17\213U\370\17\266\3663<\265X-\375\17\17\266\363\213\34\265X)\375\17\17\266u\3673\373", ) , ) == 0x0
 01767   464   NtReadFile  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "]\370\301\353\10\17\266\33334\235X-\375\17\17\266]\36434\235X)\375\17\17\266]\362\211p\10\17\266u\367\2134\265X5\375\1734\235X1\375\17\17\266\326\213\34\225X-\375\17\17\266U\3703\363\213\34\225X)\375\17\213U\3503\363\203\301@J\211p\14\211U\350\17\205\365\373\377\377\213\217\220\0\0\0\213\227\224\0\0\0\213\303P\4\213\267\230\0\0\03\3133p\10\213X\14\211u\364\213\267\234\0\0\03\363\211u\370\17\266\361\212\34\265Y)\375\17\210\30\17\266\366\212\34\265Y)\375\17\17\266u\366\210X\1\212\34\265Y)\375\17\213u\370\210X\2\211U\360\17\266\322\301\356\30\212\34\265Y)\375\17\210X\3\212\24\225Y)\375\17\210P\4\213U\364\17\266\366\212\34\265Y)\375\17\17\266u\372\210X\5\212\34\265Y)\375\17\210X\6\211M\354\17\266u\357\212\34\265Y)\375\17\210X\7\17\266\322\212\24\225Y)\375\17\210P\10\213U\370\17\266\366\212\34\265Y)\375\17\17\266u\356\210X\11\212\34\265Y)\375\17\17\266u\363\210X\12\212\34\265Y)\375\17\210X\13\213\30\213p\4\17\266\322\212\24\225Y)\375\17\210P\14\17\266\315\212\24\215Y)\375\17\17\266M\362\210P\15\212\24\215Y)\375\17\17\266M\367\210P\16\212\24\215Y)\375\17\210P\17\213\217\240\0\0\03\331\211\30\213\227\244\0\0\03\362\213P\10\211p\4\213\217\250\0\0\03\321\213H\14\211P\10\213\227\254\0\0\03\312_\211H\14\213M\374^[\350*\304\377\377\213\345]\302\14\0\314\314\314\314\314\314\314\314\314\314\314\314\213\377U\213\354\203\354\30\213U\24\213M\20\301\342\4S\213\34\12V\2154\12\213U\10\213\22W\213~\43\323\213]\103{\4\241\244B\377\17\211", ) , ) == 0x0
 01768   464   NtReadFile  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\375\17\17\266\326\213<\225X=\375\17\213U\3643\367\17\266\37234\275X9\375\17\17\266}\362\211p\10\17\266u\357\2134\265XE\375\1734\275XA\375\17\17\266\326\213<\225X=\375\17\17\266\3233\36734\225X9\375\17\213U\350\203\351@J\211p\14\211U\350\17\205G\374\377\377\213M\20\213q\24\213Q\20\213x\43\20\213X\103\367\213x\14\211u\360\213q\303\363\211u\364\213q\343\367\211u\370\17\266\362\212\236XI\375\17\17\266u\371\210\30\212\236XI\375\17\17\266u\366\210X\1\212\236XI\375\17\213u\360\210X\2\211U\354\301\356\30\212\236XI\375\17\17\266u\360\210X\3\212\236XI\375\17\210X\4\17\266\326\212\222XI\375\17\210P\5\213U\370\301\352\20\17\266\322\212\222XI\375\17\210P\6\213U\364\301\352\30\212\222XI\375\17\210P\7\213U\364\17\266\362\212\236XI\375\17\17\266u\361\210X\10\212\236XI\375\17\17\266u\356\210X\11\212\236XI\375\17\17\266u\373\210X\12\212\236XI\375\17\17\266u\370\210X\13\212\236XI\375\17\213x\4\17\266\326\210X\14\212\222XI\375\17\213\30\213p\10\210P\15\17\266U\362\212\222XI\375\17\210P\16\17\266U\357\212\222XI\375\17\210P\17\213\213\332\211\30\213Q\43\372\211x\4\213Q\103\362\213P\14\211p\10\213I\14_3\321\213M\374^\211P\14[\350H\264\377\377\213\345]\302\14\0\314\314\314\314\314\314\314\314\314\314\213\377U\213\354\203}\24\1\213M\20\213\1uD\203\301\4\203\370\16u\22\213E\10Q\213M\14PQ\350\332\342\377\377]\302\20\0\203\370\12u\22\213U\10\213E\14QRP\350S\351\377\377]\302\20\0\213U\14PQ\213M\10QR\350 \337\377\377", ) , ) == 0x0
 01769   464   NtReadFile  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\377v?SV\213u\10\212\142\17\266\301\213\330\301\353\4\17\266\233H(\375\17\203\340\17\17\266\200H(\375\17\3\330\201\343\1\0\0\200y\5K\203\313\376Cu\6\200\361\1\210\142B;\327r\310^[_]\302\10\0\314\314\314\314\314\314\314\314\314\314\314\314\314\213\377U\213\354V\213u\10W\213}\14WV\350\254\371\377\377\203\307\10W\215\206\200\0\0\0P\350\234\371\377\377\215\276\0\1\0\0\271 \0\0\0\363\245_^]\302\10\0\314\314\314\314\314\314\314\314\314\213\377U\213\354V\213u\14W\213}\10VW\350l\371\377\377\215F\10P\215\217\200\0\0\0Q\350\\371\377\377\203\306\20V\201\307\0\1\0\0W\350L\371\377\377_^]\302\10\0\314\314\314\314\314\314\213\377U\213\354\213E\24\215P\7\301\352\3\215\14\325\0\0\0\0+\310\270\377\0\0\0\323\370S\213]\20V\213u\14\213\313W\213}\10\210E\27\213\301\301\351\2\363\245\213\310\203\341\3\201\373\200\0\0\0\363\244}9\213M\10\277\1\0\0\0\276\200\0\0\0+\373\215D\31\377+\363\215\233\0\0\0\03\311\212\14\73\333\212\30\3\313\201\341\377\0\0\0\212\211 \27\375\17\210H\1@Nu\342\213u\10\17\266M\27\213\306+\302\17\266\270\200\0\0\0\5\200\0\0\0#\317\212\211 \27\375\17\210\10\271\177\0\0\0+\312x\37\215D1\1\215q\1\220\17\266L\2\377\17\26683\317\212\211 \27\375\17\210H\377HNu\351_^3\300[]\302\20\0\314\314\314\314\314\314\314\314\314\314\314\314\314\314\314\314\213L$\203\300\205\311v7W\213|$\14V\213t$\24SU\213\$\24+\376+\336\213\24>\213.\3\320\270\0\0\0\0\23\300\3\325\203\320\0\211\24\36\203\340\1\203\306\4Iu\341][^", ) , ) == 0x0
 01770   464   NtReadFile  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\213\313\215\4\23\213\321\301\351\2\213\360\363\245\213\312\203\341\3\363\244\213u\370\213}\10\213\313\301\351\2\363\245\213\312\213U\360\203\341\3\363\244\213}\374\2154\23\213\313\213\321\301\351\2\363\245\213\312\213U\364\203\341\3\363\244\213\313\213\370\213\301\301\351\2\213\362\363\245\213\310\203\341\3\363\244\213}\370\3\323\213\362\213\313\213\321\301\351\2\363\245\213\312\213U\370\351\317\376\377\377\213E\14\213L\3\374\277\0\0\0\200\205\317t\14\213M\30VQPP\350%\361\377\377\213E\20\205|\3\374t\14\213U\24VRPP\350\20\361\377\377\213E\350\205\300^t\7P\377\25\250\21\375\17_\270\1\0\0\0[\213\345]\302\30\0_3\300[\213\345]\302\30\0\314\314\314\314\314\314\314\314\314\314\213\377U\213\354\201\354\220\0\0\0S\213]\10\213\3W3\377=RSA1\211}\374t\12_3\300[\213\345]\302\14\0\213C\10\321\350V\213\360\301\356\5F\250\37t\1F\213K\20\270\1\0\0\0;\310\215\146u\21\213u\14\213}\20\363\245^_[\213\345]\302\14\0\215C\24QP\211E\370\213E\14P\211M\10\350\223\363\377\377\205\300}b\301\346\3\201\376\210\0\0\0v\24Vj\0\377\25\364\20\375\17\205\300\211E\374tG\213\320\353\6\215\225p\377\377\3773\300\213\316\301\351\2\213\372\363\253\213\316\203\341\3\363\252\213K\20\213E\10P\213E\20\211\12\213M\370QR\213U\14RP\350\355\20\0\0\213\370\213E\374\205\300t\7P\377\25\250\21\375\17^\213\307_[\213\345]\302\14\0\314\314\314\314\314\314\314\314\314\314\314\314\314\314\314\314\314\314\213\377U\213\354\203\354(V\213u\10\201>RSA2u\16\215E\330PV\350\22\6\0\0\205\300u\113\300^\213\345]\302\14\0\213N\10\321\351", ) , ) == 0x0
 01771   464   NtReadFile  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "u\325_^[]\302\14\0\314\314\314\314\314\314\314\314\314\314\314\213\377U\213\354Q\213E\20\205\300VW\17\204\374\0\0\0\213}\14\2154\205\0\0\0\0\213L>\374\205\311\17\204\346\0\0\0\215\14v\215T\301\4Rj\0\377\25\364\20\375\17\205\300\211E\374\17\204\313\0\0\0\215\140S\213]\10\211K\10\3\316\211K\14\3\316\211K\20\213\316\211C\4\213\367\213\370\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213u\20\213K\4\301\346\2\213D\16\374\277\0\0\0\200\205\307u\30\213C\4\213U\20RPPP\350\14\341\377\377\213C\4\205|\6\374t\350\213{\20\215N\4\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213C\20\213}\14\307D0\4\1\0\0\0\213u\20\213S\10\213C\20V\215N\2QRWP\350\351\345\377\377\205\300u\25\213M\374Q\377\25\250\21\375\17[_3\300^\213\345]\302\14\0\213S\10\213C\14VRWP\350\345\340\377\377\2113[_\270\1\0\0\0^\213\345]\302\14\0_3\300^\213\345]\302\14\0\314\314\314\314\314\314\314\213\377U\213\354\203\354\10\213E\10\213H\10\213P\14SV\213u\14W\2138\213@\4\211E\10\215\\276\3703\300;\336\211M\374\211U\370r'\220\213L\273\4;\310Ws\11\213U\374R+\301P\353\7\213U\370R+\310QS\350a\375\377\377\203\353\4;\336s\332\215\34\275\0\0\0\0\213\143;\310s!+\310\211\143\215\244$\0\0\0\0\213E\10WP\215F\4PP\350\1\340\377\377\205\300t\355\353&+\310\211\143\213M\10W\215F\4QP\350\10\343\377\377\205\300|\17\213U\10WR\215F\4PP\350\31\340\377\377\213E\10\213L3\374\213\243WP\213D\3\374PQR\350E", ) , ) == 0x0
 01772   464   NtReadFile  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\253\253\253\2533\300\203e\374\0\215}\364\253\2533\300\215}\354\253\253\215E\374\211E\370\215E\354Pj\0\215E\324Pj\0\215E\344Ph4]\375\17\215E\364P\307E\324\20\0\0\0\307E\364\4\0\0\0\307E\344\21\0\0\0\307E\350 ]\375\17\350\273\371\377\377\203}\360\0\213\370t\11\377u\360\377\25\250\21\375\17\213\307_\311\303\314\314\314\314\314\213\377U\213\354\203\354(3\300VW\215}\330\253\253\253\2533\300\215}\360\253\2533\300\215}\370\2533\3119M\14j\4\253Xt\2\213\310\211E\360\215E\10\211E\364\215E\370PQ\215E\330Pj\0\215E\350Ph4]\375\17\215E\360P\307E\330\20\0\0\0\307E\350\21\0\0\0\307E\354 ]\375\17\3508\371\377\377\205\300t\4\213\360\3533\377u\370\350b\367\377\377\205\300\213U\20\211\2u\5j\10^\353\35\213M\370\213E\24\213u\374\211\10\213:\213\301\301\351\2\363\245\213\310\203\341\3\363\2443\366\203}\374\0t\11\377u\374\377\25\250\21\375\17_\213\306^\311\302\20\0\314\314\314\314\314\213\377U\213\354\203\354(W3\300\215}\330\253\253\253\2533\300\215}\360\253\2533\300\215}\350\253\2533\300\215}\370\2533\3119M\10\253t\3j\4Y\213E\20\211E\360\213E\14j\0\211E\364\215E\350PQ\215E\330Pj\0\215E\370Pj\0\215E\360P\307E\330\20\0\0\0\307E\370\21\0\0\0\307E\374 ]\375\17\350\343\370\377\377\205\300\213M\354t\4\213\370\353\26\203}\350\4t\7\277\26\0\11\200\353\11\213\1\213U\24\211\23\377\205\311t\7Q\377\25\250\21\375\17\213\307_\311\302\20\0\314\314\314\314\314\213\377U\213\354\203\354 \241\244B\377\17S3\333VW\2135D\20\375\17\213}\10\211E\374", ) , ) == 0x0
 01773   464   NtReadFile  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\363\2443\300_^[\311\302\14\0\314\314\314\314\314\213\377U\213\354\203\3548\241\244B\377\17\213M S\213]\34V\2135 \21\375\17W3\377WS\377u\30\211E\374\213E\14W\377u\24\211E\320\377u\20\211M\314P\211}\330\211}\324\377\326\203\370\377\17\205\246\0\0\0\377\25\310\21\375\179}\10\17\204\223\0\0\0\211E\310\215E\330Pj\10\3508\351\377\377;\307uxj\103\300\366E\23\200Y\215}\334\363\253\215E\344\307E\334\1\0\0\0Pt\7hx^\375\17\353\5hd^\375\17j\0\377\25p\20\375\173\377;\307t=\215E\324P\215E\334P\377u\330\307E\354\2\0\0\0\377\25l\20\375\17\205\300t!9}\324t&W\201\313\0\0\0\2S\377u\30W\377u\24\377u\20\377u\320\377\326\203\370\377u\23\377\25\310\21\375\17\213\360\353\20\213u\310\353\13\213\360\353\26\213M\314\211\13\366\203}\330\0t\11\377u\330\377\25\370\20\375\17\213M\374_\213\306^[\350\273d\377\377\311\302\34\0\314\314\314\314\314\213\377U\213\354QQSV\213u\30\203\16\377Wj\33\3773\333\366E\17\200X\211}\374\211E\370t\4C\211E\370\366E\17@t\12j\4X3\333\211E\370\213\370\215E\374P\377u\24\377u\20\350&\376\377\377\205\300ufV\201\317\0\0\0\10W\377u\370S\377u\14\377u\374\377u\10\350\202\376\377\377\205\300t:3\366\203\370 t\5\203\370\5u2\203\376\30s-\377\266\364B\377\17\377\25\20\21\375\17\377u\30\203\306\4W\377u\370S\377u\14\377u\374\377u\10\350H\376\377\377\205\300u\3103\366\353\14\203\370\2\276\26\0\11\200t\2\213\360\203}\374\0t\10\377u\374\350\244\346\377\377_\213\306^[\311\302\24\0\314", ) , ) == 0x0
 01774   464   NtReadFile  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "6\377\327\205\300\17\204\316\0\0\09]\14u\109\235\234\375\377\377tL\215\205\244\375\377\377P\350\14\335\377\377;\303\17\205\277\0\0\09\235\244\375\377\377u\32\276 \0\11\200\353g\215\205\254\375\377\377P\3776\377\327\205\300\17\204\213\0\0\0\377\265\244\375\377\377\215\205\330\375\377\377P\350"\376\377\377\205\300t\327\377\265\224\375\377\377\215\205\330\375\377\377\377\265\230\375\377\377\377\265\250\375\377\377P\377u\14\350\345\373\377\377;\303\17\205k\377\377\3773\3669\235\244\375\377\377t\13\377\265\244\375\377\377\350\354\327\377\3779\235\250\375\377\377t\13\377\265\250\375\377\377\350\331\327\377\3779\235\240\375\377\377t\13\377\265\240\375\377\377\350\306\327\377\377\213M\374_\213\306^[\350\7U\377\377\311\302\30\0\377\25\310\21\375\17\203\370\22u\7\276\3\1\0\0\353\244\213\360\353\240\314\314\314\314\314\213\377U\213\354\201\354(\4\0\0\241\244B\377\17S\213]\14V\2135\24\21\375\17W3\322RR\211E\374\213E\10j\377\211\205\330\373\377\377\213E\30S\211\205\334\373\377\377j\23\300\271\5\1\0\0\215\275\350\373\377\377R\211\225\340\373\377\377\363\253\377\326\213\370\205\377u\15\377\25\310\21\375\17\213\360\351\251\0\0\0\215G\1=\12\2\0\0v(\215D?\2P\350\336\326\377\377\205\300\211\205\344\373\377\377u\10j\10^\351\203\0\0\0\307\205\340\373\377\377\1\0\0\0\353\14\215\205\350\373\377\377\211\205\344\373\377\377W\377\265\344\373\377\377j\377Sj\2j\0\377\326\205\300u\12\377\25\310\21\375\17\213\360\3530\377\265\334\373\377\377\377u\24\377u\20\377\265\344\373\377\377\377\265\330\373\377\377\377\25t\20\375\17\205\300t\14\203\370\2u\325\276\26\0\11\200\353\23\366\203\275\340\373\377\377\0t\24\203\275\344\373\377\377", ) \376\377\377\205\300t\327\377\265\224\375\377\377\215\205\330\375\377\377\377\265\230\375\377\377\377\265\250\375\377\377P\377u\14\350\345\373\377\377;\303\17\205k\377\377\3773\3669\235\244\375\377\377t\13\377\265\244\375\377\377\350\354\327\377\3779\235\250\375\377\377t\13\377\265\250\375\377\377\350\331\327\377\3779\235\240\375\377\377t\13\377\265\240\375\377\377\350\306\327\377\377\213M\374_\213\306^[\350\7U\377\377\311\302\30\0\377\25\310\21\375\17\203\370\22u\7\276\3\1\0\0\353\244\213\360\353\240\314\314\314\314\314\213\377U\213\354\201\354(\4\0\0\241\244B\377\17S\213]\14V\2135\24\21\375\17W3\322RR\211E\374\213E\10j\377\211\205\330\373\377\377\213E\30S\211\205\334\373\377\377j\23\300\271\5\1\0\0\215\275\350\373\377\377R\211\225\340\373\377\377\363\253\377\326\213\370\205\377u\15\377\25\310\21\375\17\213\360\351\251\0\0\0\215G\1=\12\2\0\0v(\215D?\2P\350\336\326\377\377\205\300\211\205\344\373\377\377u\10j\10^\351\203\0\0\0\307\205\340\373\377\377\1\0\0\0\353\14\215\205\350\373\377\377\211\205\344\373\377\377W\377\265\344\373\377\377j\377Sj\2j\0\377\326\205\300u\12\377\25\310\21\375\17\213\360\3530\377\265\334\373\377\377\377u\24\377u\20\377\265\344\373\377\377\377\265\330\373\377\377\377\25t\20\375\17\205\300t\14\203\370\2u\325\276\26\0\11\200\353\23\366\203\275\340\373\377\377\0t\24\203\275\344\373\377\377", ) == 0x0
 01775   464   NtReadFile  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\353U\215E\10P\215E\374PS\350\11\375\377\377\205\300t\4\213\360\3531\213}\30\205\377\213M\10\213E\34u\4\211\10\353\369\10\211\10s\7\276\352\0\0\0\353\23\213u\374\213\301\301\351\2\363\245\213\310\203\341\3\363\2443\366\203}\374\0t\10\377u\374\3507\310\377\377\205\333t\6S\350-\310\377\377[\203}\370\0t\10\377u\370\350\36\310\377\377\203}\364\0t\10\377u\364\350\20\310\377\377_\213\306^\311\302\30\0\314\314\314\314\314\213\377U\213\354V\213u\10\205\366t\24\213F\4\205\300t\7P\377\25\244\21\375\17V\350\342\307\377\377^]\302\4\0\314\314\314\314\314h4\1\0\0hx_\375\17\350\303G\377\377\241\244B\377\17\211E\344\213E\10\211\205\274\376\377\3773\333\211\235\330\376\377\377\211\235\304\376\377\377\211\235\300\376\377\377\211\235\324\376\377\377\211\235\314\376\377\377\211]\374\215\205\324\376\377\377Ph\31\0\2\0ShP_\375\17h\2\0\0\200\377\25\224\20\375\17\211\205\310\376\377\377;\303\17\205\341\0\0\0\307\205\320\376\377\377\5\1\0\0\215\205\320\376\377\377P\215\205\334\376\377\377PSS\277D_\375\17W\377\265\324\376\377\377\2135\300\20\375\17\377\326\211\205\310\376\377\377;\303tL=\352\0\0\0\17\205\236\0\0\0\377\265\320\376\377\377\350\331\306\377\377\211\205\330\376\377\377;\303\17\204\205\0\0\0\307\205\304\376\377\377\1\0\0\0\215\215\320\376\377\377QPSSWh\2\0\0\200\377\326\211\205\310\376\377\377;\303t\16\353]\215\205\334\376\377\377\211\205\330\376\377\377j\14_W\350\216\306\377\377\213\360\211\265\300\376\377\377;\363t<\211>SS\377\265\330\376\377\377\377\25H\21\375\17\211F\4;\303t%h4_\375\17P\377\25\234\21\375\17\211F\10;\303t\22\213", ) , ) == 0x0
 01776   464   NtReadFile  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\350\307E\334\10\0\0\0\377u\330\350~\270\377\377\203M\374\3773\3779}\340t\11\377u\340\377\25\304\20\375\17\213E\334\350\2278\377\377\303\314\314\314\314\314\213\377U\213\354\213M\20\205\311\213E\14V\213u\10u\10\213H$\211N\30\353\6\213P$\211Q$P\350\310\375\377\377\377N$^]\302\14\0\314\314\314\314\314\213\377U\213\354\213U\10\213B\30VW3\3663\3113\377\205\300t#S\205\311t\10\213X ;Y s\4\213\310\213\376\213\360\213@$\205\300u\347WQR\350\223\377\377\377[_^]\302\4\0\314\314\314\314\314\213\377U\213\354VW\377\25l\21\375\17\213U\10\213J,\213u\14\213\3703\300@\203\371\377t\27S\213\337+^ ;\331[v\14\377u\20VR\350R\377\377\3773\300\211~ _^]\302\14\0\314\314\314\314\314\213\377U\213\354QQ\213E\10S\213X\30W3\300\215}\370\253\253\213E\24\203 \0\215E\370P\350\235\266\377\377\205\300t\43\300\353}\205\333twV\213C\24;E\20uI\213s\20\213}\14\212\17\212\301:\16u\32\204\300t\22\212O\1\212\301:N\1u\14GGFF\204\300u\3423\300\353\5\33\300\203\330\377\205\300u\30j\10Y\215{\30\215u\3703\300\363\246t\5\33\300\203\330\377\205\300t\14\213E\24\211\30\213[$\205\333u\243\205\333^t\24\213E\24\3770S\377u\10\350\31\377\377\377\205\300u\23\333\213\303_[\311\302\20\0\314\314\314\314\314\213\377U\213\354QVW\213}\10\213w\30\203e\10\0\377\25l\21\375\17\211E\374+G\349G(w2\205\366t(S\213E\374+F 9G(s\21\377u\10\213^$VW\350M\376\377\377\213\363\353\6\211u\10\213v$\205\366u\332[", ) , ) == 0x0
 01777   464   NtReadFile  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "D\22\2\0\236\21\2\0\252\21\2\0\266\21\2\0\300\21\2\0\316\21\2\0\334\21\2\0\350\21\2\0\372\21\2\0\16\22\2\0"\22\2\00\22\2\0<\26\2\0\0\0\0\0r\21\2\0V\21\2\0B\21\2\0.\21\2\0\24\21\2\0\376\20\2\0\272\22\2\0\322\22\2\0\342\22\2\0\360\22\2\0\376\22\2\0\22\23\2\0\36\23\2\00\23\2\0>\23\2\0J\23\2\0R\23\2\0h\23\2\0x\23\2\0\216\23\2\0\234\23\2\0\260\23\2\0\274\23\2\0\312\23\2\0\330\23\2\0\352\23\2\0\372\23\2\0\20\24\2\0&\24\2\06\24\2\0H\24\2\0Z\24\2\0j\24\2\0z\24\2\0\206\24\2\0\220\24\2\0\242\24\2\0\350\20\2\0\330\20\2\0\276\20\2\0\240\20\2\0\224\20\2\0x\20\2\0b\20\2\0J\20\2\0:\20\2\0.\20\2\0"\20\2\0\6\20\2\0\366\17\2\0\344\17\2\0\330\17\2\0\312\17\2\0\276\17\2\0\262\17\2\0\240\17\2\0\210\17\2\0p\17\2\0d\17\2\0X\17\2\0H\17\2\08\17\2\0\0\0\0\0\216\25\2\0\202\25\2\0v\25\2\0\0\0\0\0\364\16\2\0\376\16\2\0\6\17\2\0\22\17\2\0\34\17\2\0\326\24\2\0\314\24\2\0\302\24\2\0\270\24\2\0\256\24\2\0\340\16\2\0\0\0\0\0\376\24\2\0\10\25\2\0\26\25\2\0&\25\2\0F\25\2\0X\25\2\0\346\24\2\0\0\0\0\0\355\0_except_handler3\0\0\372\1_strlwr\0\245\2free\0\0;\1_initterm\0\330\2malloc\0\0\266\0_adjust_fdiv\0\0msvcrt.dll\0\0h\1GetLas", ) \22\2\00\22\2\0<\26\2\0\0\0\0\0r\21\2\0V\21\2\0B\21\2\0.\21\2\0\24\21\2\0\376\20\2\0\272\22\2\0\322\22\2\0\342\22\2\0\360\22\2\0\376\22\2\0\22\23\2\0\36\23\2\00\23\2\0>\23\2\0J\23\2\0R\23\2\0h\23\2\0x\23\2\0\216\23\2\0\234\23\2\0\260\23\2\0\274\23\2\0\312\23\2\0\330\23\2\0\352\23\2\0\372\23\2\0\20\24\2\0&\24\2\06\24\2\0H\24\2\0Z\24\2\0j\24\2\0z\24\2\0\206\24\2\0\220\24\2\0\242\24\2\0\350\20\2\0\330\20\2\0\276\20\2\0\240\20\2\0\224\20\2\0x\20\2\0b\20\2\0J\20\2\0:\20\2\0.\20\2\0 (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "D\22\2\0\236\21\2\0\252\21\2\0\266\21\2\0\300\21\2\0\316\21\2\0\334\21\2\0\350\21\2\0\372\21\2\0\16\22\2\0"\22\2\00\22\2\0<\26\2\0\0\0\0\0r\21\2\0V\21\2\0B\21\2\0.\21\2\0\24\21\2\0\376\20\2\0\272\22\2\0\322\22\2\0\342\22\2\0\360\22\2\0\376\22\2\0\22\23\2\0\36\23\2\00\23\2\0>\23\2\0J\23\2\0R\23\2\0h\23\2\0x\23\2\0\216\23\2\0\234\23\2\0\260\23\2\0\274\23\2\0\312\23\2\0\330\23\2\0\352\23\2\0\372\23\2\0\20\24\2\0&\24\2\06\24\2\0H\24\2\0Z\24\2\0j\24\2\0z\24\2\0\206\24\2\0\220\24\2\0\242\24\2\0\350\20\2\0\330\20\2\0\276\20\2\0\240\20\2\0\224\20\2\0x\20\2\0b\20\2\0J\20\2\0:\20\2\0.\20\2\0"\20\2\0\6\20\2\0\366\17\2\0\344\17\2\0\330\17\2\0\312\17\2\0\276\17\2\0\262\17\2\0\240\17\2\0\210\17\2\0p\17\2\0d\17\2\0X\17\2\0H\17\2\08\17\2\0\0\0\0\0\216\25\2\0\202\25\2\0v\25\2\0\0\0\0\0\364\16\2\0\376\16\2\0\6\17\2\0\22\17\2\0\34\17\2\0\326\24\2\0\314\24\2\0\302\24\2\0\270\24\2\0\256\24\2\0\340\16\2\0\0\0\0\0\376\24\2\0\10\25\2\0\26\25\2\0&\25\2\0F\25\2\0X\25\2\0\346\24\2\0\0\0\0\0\355\0_except_handler3\0\0\372\1_strlwr\0\245\2free\0\0;\1_initterm\0\330\2malloc\0\0\266\0_adjust_fdiv\0\0msvcrt.dll\0\0h\1GetLas", ) , ) == 0x0
 01778   464   NtReadFile  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\225\13#\305r\230\235IzFN\341\346/\306c!\217f\334\233\314\342'\3'\205\360:\2\373@\0\0\0\0Qt\366\362#\354\241vUX\7q\277\177\12\36kHH\273\222\266*\261\7\244!\321\306\313_@\316\335\272\333\374\27\373\247\275\341\364c\330\236\211\342\335z\354\21\326\251\234\272\307^5\226\246o\177,\0\0\0\0\0\0\0\0RSA1H\0\0\0\0\2\0\0?\0\0\0\1\0\1\0\357L\154\317D\17\261s\254\324\233\276\314-\21*+\275!\4\216\254\255\325\374\322P\245\33C\25bg\217^\0\271%\33\342O\276\241P\241D;\27\330\221\365(\371\372\256\347\300\375\271\315vO\0\0\0\0\0\0\0\0\270/k\211\310\354\364\376\13\360m*\332?\303\350\226\202\205\353\256\1\24s\371\10E\300jm>i\200j\14a\212c\322\373\0\0\0\334\356L\371,\0\0\0\3618)\311\336\0\0\0\224Vx\220\253\315\357YE\232\371'\204t\312\325Xu\22\316\357w\223{\230\337\235\242\334{z\235\223\216\366|\1^\353\1#\4g\10\253\15\357Now is t\254\227M\331\2\23\210,G\334\360\23\177\245\3262\1#Eg\211\253\315\357Now is t?\244\16\212\230MH\25\345\307\315\336\207+\362|\1#Eg\211\253\315\357#Eg\211\253\315\357\1Eg\211\253\315\357\1#Now is t1O\203'\372z\11\250\363\300\377\2l\20\211\1#Eg\211\253\315\357#Eg\211\253\315\357\1Now is t\267\203Wy\356&\254\267\23K\230\370\356\263\366\7\0\1\2\3\4\5\6\7\10\11\12\13\14\15\16\17\0\1\2\3\4\5\6\7\10\11\12\13\14\15\16\17\12\224\13\265An\360E\361\303\224X\306S\352Z", ) , ) == 0x0
 01779   464   NtReadFile  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "age Authentication Code\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0\0\0\4\0\0\200\1\0\0\0@\0\00\0\0\0\11\0\0\0RSA_SIGN\0\0\0\0\0\0\0\0\0\0\0\0\16\0\0\0RSA Signature\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\244\0\0\0\4\0\0\200\1\0\0\0@\0\00\0\0\0\11\0\0\0RSA_KEYX\0\0\0\0\0\0\0\0\0\0\0\0\21\0\0\0RSA Key Exchange\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\11\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0HMAC\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\22\0\0\0Hugo's MAC (HMAC)\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2f\0\0\200\0\0\0(\0\0\0\200\0\0\0\0\0\0\0\4\0\0\0RC2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0RSA Data Security's RC2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1h\0\0\200\0\0\0(\0\0\0\200\0\0\0\0\0\0\0\4\0\0\0", ) , ) == 0x0
 01780   464   NtReadFile  (176, 0, 0, 0, 1924, 0x0, 0, ... {status=0x0, info=1924},  (176, 0, 0, 0, 1924, 0x0, 0, ... {status=0x0, info=1924}, " \1\0\0\0\0\0\0\14\0\0\0SSL3 SHAMD5\0\0\0\0\0\0\0\0\0\14\0\0\0SSL3 SHAMD5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0\0\0\4\0\0\200\1\0\0\0@\0\0 \0\0\0\11\0\0\0RSA_SIGN\0\0\0\0\0\0\0\0\0\0\0\0\16\0\0\0RSA Signature\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10$\377\17\200(\377\17\250-\377\17\09\377\17\340?\377\17\3202\377\17\20\244\37M\331o\320\21\214X\0\300O\331\22k\21\244\37M\331o\320\21\214X\0\300O\331\22k\22\244\37M\331o\320\21\214X\0\300O\331\22k0\214\7\212U7\320\21\240\275\0\252\0aBj\277D\377\377@\273\0\0\0\0\0\0\0\0\0\0\0\0\0\0\320[\375\17\324[\375\17\330[\375\17\334[\375\17\340[\375\17\350[\375\17\360[\375\17\370[\375\17\0\\375\17\14\\375\17\30\\375\17$\\375\170\\375\17@\\375\17P\\375\17`\\375\17\1\0\0\0\12\0\0\0d\0\0\0\364\1\0\0\350\3\0\0\210\23\0\0\0\0\0\0\355\11\377\17\10\12\377\17\0\0\0\0\357\6\377\17\0\0\0\0\333\6\377\17\300\6\377\17\345\6\377\17\0\0\0\0\22\12\377\17\0\0\0\0\310\11\377\17", ) , ) == 0x0
 01781   464   NtQueryInformationFile  (176, 1237460, 8, Position, ... {status=0x0, info=8}, ) == 0x0
 01782   464   NtSetInformationFile  (176, 1237460, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01783   464   NtQueryInformationFile  (176, 1237460, 8, Position, ... {status=0x0, info=8}, ) == 0x0
 01784   464   NtSetInformationFile  (176, 1237460, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01785   464   NtReadFile  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (176, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\07\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0o\0p\0e\0n\0 \0s\0i\0g\0n\0a\0t\0u\0r\0e\0 \0f\0i\0l\0e\0?\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0g\0e\0t\0 \0t\0h\0e\0 \0s\0i\0z\0e\0 \0o\0f\0 \0R\0s\0a\0b\0a\0s\0e\0.\0s\0i\0g\03\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0a\0l\0l\0o\0c\0a\0t\0e\0 \0m\0e\0m\0o\0r\0y\04\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0R\0e\0a\0d\0 \0R\0s\0a\0b\0a\0s\0e\0.\0s\0i\0g\05\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0", ) , ) == 0x0
 01786   464   NtReadFile  (176, 0, 0, 0, 2704, 0x0, 0, ... {status=0x0, info=2704},  (176, 0, 0, 0, 2704, 0x0, 0, ... {status=0x0, info=2704}, "\2208\3138\3258\3378\3518\09\79\279$9=9D9Q9\9n9u9\1779\2119\3129\3279\3479\3619\10:\17:\37:*:A:H:X:c:u:|:\206:\223:\316:\333:\353:\365:\14;\23;#;.;B;I;Y;d;v;};\207;\224;\317;\331;\351;\363;\7<\24<$\30>(>6>G>T>d>r>\200>\222>\237>\255>\273>;?]?j?t?~?\226?\247?\256?\275?\323?\332?\341?\360?\0p\1\0\324\1\0\0\20\110\230\370q0x0\2020\2140\2360\2570\2660\3050\3330\3420\3510\3700\121\211\331'1n1z1\2071\2311\2461\2621\3041\3231\3421\3571\3741\112\262%272D2\2732\3422\3512\3632\3752\303&3-373E3R3a3o3\2033\2123\2263\2403\3533\3623\3743\64\304&404?4R4Y4c4r4\2044\2134\2254\2374\3324\3474\3614\3734\165\255\375,5B5I5P5]5o5v5\2005\2125\3035\3125\3245\3365\3645\3735\106\276&616;6H6Z6a6k6u6\2546\2636\2756\3076\3316\3526\3616\07\237\327$737E7L7V7b7\2477\2637\3007\3227\3377\3537\3757\148\338(858B8O8^8p8}8\3538\229\319", ) , ) == 0x0
 01787   464   NtUnmapViewOfSection  (-1, 0xb20000, ... ) == 0x0
 01788   464   NtClose  (184, ... ) == 0x0
 01789   464   NtClose  (176, ... ) == 0x0
 01790   464   NtOpenKey  (0x20119, {24, 36, 0x40, 0, 0,  (0x20119, {24, 36, 0x40, 0, 0, "Software\Policies\Microsoft\Cryptography"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01791   464   NtOpenKey  (0x20119, {24, 36, 0x40, 0, 0,  (0x20119, {24, 36, 0x40, 0, 0, "Software\Microsoft\Cryptography"}, ... 176, ) }, ... 176, ) == 0x0
 01792   464   NtQueryValueKey  (176,  (176, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="4\0c\0d\0d\07\03\08\06\0-\0b\03\06\01\0-\04\05\0a\0c\0-\09\02\0e\00\0-\0b\07\0f\0d\06\02\04\07\06\0d\0d\0c\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (176, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="4\0c\0d\0d\07\03\08\06\0-\0b\03\06\01\0-\04\05\0a\0c\0-\09\02\0e\00\0-\0b\07\0f\0d\06\02\04\07\06\0d\0d\0c\0\0\0"}, 86, ) }, 86, ) == 0x0
 01793   464   NtQueryValueKey  (176,  (176, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="4\0c\0d\0d\07\03\08\06\0-\0b\03\06\01\0-\04\05\0a\0c\0-\09\02\0e\00\0-\0b\07\0f\0d\06\02\04\07\06\0d\0d\0c\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (176, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="4\0c\0d\0d\07\03\08\06\0-\0b\03\06\01\0-\04\05\0a\0c\0-\09\02\0e\00\0-\0b\07\0f\0d\06\02\04\07\06\0d\0d\0c\0\0\0"}, 86, ) }, 86, ) == 0x0
 01794   464   NtQueryValueKey  (176,  (176, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="4\0c\0d\0d\07\03\08\06\0-\0b\03\06\01\0-\04\05\0a\0c\0-\09\02\0e\00\0-\0b\07\0f\0d\06\02\04\07\06\0d\0d\0c\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (176, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="4\0c\0d\0d\07\03\08\06\0-\0b\03\06\01\0-\04\05\0a\0c\0-\09\02\0e\00\0-\0b\07\0f\0d\06\02\04\07\06\0d\0d\0c\0\0\0"}, 86, ) }, 86, ) == 0x0
 01795   464   NtQueryValueKey  (176,  (176, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="4\0c\0d\0d\07\03\08\06\0-\0b\03\06\01\0-\04\05\0a\0c\0-\09\02\0e\00\0-\0b\07\0f\0d\06\02\04\07\06\0d\0d\0c\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (176, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="4\0c\0d\0d\07\03\08\06\0-\0b\03\06\01\0-\04\05\0a\0c\0-\09\02\0e\00\0-\0b\07\0f\0d\06\02\04\07\06\0d\0d\0c\0\0\0"}, 86, ) }, 86, ) == 0x0
 01796   464   NtClose  (176, ... ) == 0x0
 01797   464   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software\Microsoft\Cryptography\Offload"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01798   464   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 01799   464   NtOpenProcessToken  (-1, 0x8, ... 176, ) == 0x0
 01800   464   NtQueryInformationToken  (176, User, 1024, ... {token info, class 1, size 36}, 36, ) == 0x0
 01801   464   NtClose  (176, ... ) == 0x0
 01802   464   NtDeviceIoControlFile  (92, 0, 0x0, 0x0, 0x390008,  (92, 0, 0x0, 0x0, 0x390008, "\3\350\212\325\,\340\210\201\14\312\372]\3179f\221\373\12\202R\34I\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01803   464   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01804   464   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01805   464   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01806   464   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01807   464   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01808   464   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01809   464   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01810   464   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482740, 2, ) }, 0, 0x0, 0, ... -2147482740, 2, ) == 0x0
 01811   464   NtSetValueKey  (-2147482740,  (-2147482740, "Seed", 0, 3, "a\227\6"h\372\212\14\230\301Ru\10\323|s\3656\202\12vr\353\201\251~\11\343oG\356\24D\322\227\3340A\372U\242\3332.\250\321u\220g{F\266\320\303Q\36D\36&\1e!\211HG>J\27\306H;U\3365\337g9rK", 80, ... ) , 0, 3,  (-2147482740, "Seed", 0, 3, "a\227\6"h\372\212\14\230\301Ru\10\323|s\3656\202\12vr\353\201\251~\11\343oG\356\24D\322\227\3340A\372U\242\3332.\250\321u\220g{F\266\320\303Q\36D\36&\1e!\211HG>J\27\306H;U\3365\337g9rK", 80, ... ) h\372\212\14\230\301Ru\10\323|s\3656\202\12vr\353\201\251~\11\343oG\356\24D\322\227\3340A\372U\242\3332.\250\321u\220g{F\266\320\303Q\36D\36&\1e!\211HG>J\27\306H;U\3365\337g9rK", 80, ... ) == 0x0
 01812   464   NtClose  (-2147482740, ... ) == 0x0
 01802   464   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\3720\362\2\352\235a\2557]\367\274\4\364\10\250\230\223\334\247\243\10\322v\225/\25\252Ma\305\243\24\222\333\3320\360\375\262Im\320\205\26]\26_\23\12\321"\16\13\243\20m\217\220z\375y\37J\201\2539\265qE\300%JE\250{Z\33\5 9r\3672\\27'\251\2755\210\235\337\340\231\226n\376\270o\13\316\3327\2\265:\177~>\15\261\267\11l\227\344\344\310W\5\320\241JD\36\240\372\202\316+\337\202Ez)#x\207\23491\3CwgU\25Fb\324\272\352\30V\14\311z\335#bQ\267\22h\352\13\327\267\5I\327c\200\324Es\315\255{\234\233\351\4\203&\11\357\10h#\33\263\304\266;\256d\363'XO\214\365\356\221\353]-\255V\206V;\265\3074v=\22\260:\1\226\302\334\3009'\331w\343\330N\340"\360^\207 \24\301\212\211\255$\373\1\236x\210^\336\202\250", ) \16\13\243\20m\217\220z\375y\37J\201\2539\265qE\300%JE\250{Z\33\5 9r\3672\\27'\251\2755\210\235\337\340\231\226n\376\270o\13\316\3327\2\265:\177~>\15\261\267\11l\227\344\344\310W\5\320\241JD\36\240\372\202\316+\337\202Ez)#x\207\23491\3CwgU\25Fb\324\272\352\30V\14\311z\335#bQ\267\22h\352\13\327\267\5I\327c\200\324Es\315\255{\234\233\351\4\203&\11\357\10h#\33\263\304\266;\256d\363'XO\214\365\356\221\353]-\255V\206V;\265\3074v=\22\260:\1\226\302\334\3009'\331w\343\330N\340 ... {status=0x0, info=256}, "\3720\362\2\352\235a\2557]\367\274\4\364\10\250\230\223\334\247\243\10\322v\225/\25\252Ma\305\243\24\222\333\3320\360\375\262Im\320\205\26]\26_\23\12\321"\16\13\243\20m\217\220z\375y\37J\201\2539\265qE\300%JE\250{Z\33\5 9r\3672\\27'\251\2755\210\235\337\340\231\226n\376\270o\13\316\3327\2\265:\177~>\15\261\267\11l\227\344\344\310W\5\320\241JD\36\240\372\202\316+\337\202Ez)#x\207\23491\3CwgU\25Fb\324\272\352\30V\14\311z\335#bQ\267\22h\352\13\327\267\5I\327c\200\324Es\315\255{\234\233\351\4\203&\11\357\10h#\33\263\304\266;\256d\363'XO\214\365\356\221\353]-\255V\206V;\265\3074v=\22\260:\1\226\302\334\3009'\331w\343\330N\340"\360^\207 \24\301\212\211\255$\373\1\236x\210^\336\202\250", ) , ) == 0x0
 01813   464   NtDeviceIoControlFile  (92, 0, 0x0, 0x0, 0x390008,  (92, 0, 0x0, 0x0, 0x390008, "\3\350\212\325\,\340\210\201\14\312\372]\317\325Z_.\360\36\25\232\234\221\373\12\202R\34I\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01814   464   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01815   464   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01816   464   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01817   464   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01818   464   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01819   464   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01820   464   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01821   464   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482740, 2, ) }, 0, 0x0, 0, ... -2147482740, 2, ) == 0x0
 01822   464   NtSetValueKey  (-2147482740,  (-2147482740, "Seed", 0, 3, "\250\257\213\216\313\343G!\353\23Bw\374\246u2l\16\2647\3629\3215}7\11\34N\221;\234,\301\211\232\331\275\203\1\321\204\202\202\10\337n\35J\222\235\31\216\302Xq\325cB\233\34W}\304\255\212\346\15H\244\32\375\254\33\252Q\236\235\270\4", 80, ... ) , 0, 3,  (-2147482740, "Seed", 0, 3, "\250\257\213\216\313\343G!\353\23Bw\374\246u2l\16\2647\3629\3215}7\11\34N\221;\234,\301\211\232\331\275\203\1\321\204\202\202\10\337n\35J\222\235\31\216\302Xq\325cB\233\34W}\304\255\212\346\15H\244\32\375\254\33\252Q\236\235\270\4", 80, ... ) , 80, ... ) == 0x0
 01823   464   NtClose  (-2147482740, ... ) == 0x0
 01813   464   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\272\128\333J\7\253\6\16-\263\240\34\345.\224\220K\215c^\240Y\207\370a\375'#\275\231zqL* <\262D\362\331\361N\15'>\321\301$\333v\24W\271\35D\242\376U0\241O\373\12F/1\204&\210\236\207\305\254\16\252\313\227\215\260\324\325|\312\3\260\242\330\240\253W\16W\260\324\217\366L\3567\33\377\230\245\270|_-*\211z\270f\2435\1\300\36082t\33\275z\31\305\333\253\341\230h\275\200T\352$\326G\241U\232\53\306ra\371\26\213oo\1f\26w\205Q\220x\273\11\256e\344\277;\314@\26\221\2618o\3\266\34\0\33\234\365\11\274M\252z\13\1\330X\266/q\217\36\307F\264\255}\272\221\274\224\6\236q\270`\223M\4c\370F\270\306k\24\260\354}\214$\264g\242j\316\257\241\371ZS\226\3\200r\2544@\341\177\203\204^\340\2224_7\276\1\325\244\332\261", ) , ) == 0x0
 01824   464   NtDeviceIoControlFile  (92, 0, 0x0, 0x0, 0x390008,  (92, 0, 0x0, 0x0, 0x390008, "\3\350\212\325\,\340\210\201\14\312\372]\317\325Z_.\360\36\25v\240_.\360\36\25\232\234\221\373\12\202R\34I\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01825   464   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01826   464   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01827   464   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01828   464   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01829   464   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01830   464   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01831   464   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01832   464   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482740, 2, ) }, 0, 0x0, 0, ... -2147482740, 2, ) == 0x0
 01833   464   NtSetValueKey  (-2147482740,  (-2147482740, "Seed", 0, 3, "L\354\312\13\344\374\22H\7\5h\25V\363\227\25Y\334yq\17\231V\247\234\251\13\370:8\251\342\352\332\22\227'l\23\22/\274\207\377\3524z\314T\356\360#D\3219\310\340\267\332\243\224\330\12q\206\23\362\270#\323\203\4\353:T\203H\346\210\262", 80, ... ) , 0, 3,  (-2147482740, "Seed", 0, 3, "L\354\312\13\344\374\22H\7\5h\25V\363\227\25Y\334yq\17\231V\247\234\251\13\370:8\251\342\352\332\22\227'l\23\22/\274\207\377\3524z\314T\356\360#D\3219\310\340\267\332\243\224\330\12q\206\23\362\270#\323\203\4\353:T\203H\346\210\262", 80, ... ) , 80, ... ) == 0x0
 01834   464   NtClose  (-2147482740, ... ) == 0x0
 01824   464   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "7\23\0\\272$\2043xb\20oV\104\3\215)\337\315O\34Q\230\213K\327\27:\311|`\245\344a\276\300\3176\330SU{ve\367E^\210\15\1-N\36\217{\312\266\233\232\330QJ\347U&Z\23600uh\245#H\20\15\216\221)\12a\273A\265\211\355\201_\16\314\253\376\244~P\300\313Q\217\2474C\245.\353\2746\374%1\1\11\226\320\276\363\231(\3777\225\370J\36}>Y\314\215wN\223\274\277T}W\177Gd\376hCr\16i\302\300r\236\252\340.\276~\213\344\271\240\225\261\20\245\334\303\16;j\335\336\226\317\12\366\30\264\353\255\273[Mrm\26k\22\301\345\15;7\33\324\263\200<\232}\31 \366N\247\234\354{\355\264K\306i_8\221\347\10\12\240\2363bnb\241\216'\231\366D\21\23:\276\257\215i\36\6\263$ \24\317\256\204\275\12\2K\331J\342\305e\31", ) , ) == 0x0
 01835   464   NtDeviceIoControlFile  (92, 0, 0x0, 0x0, 0x390008,  (92, 0, 0x0, 0x0, 0x390008, "\3\350\212\325\,\340\210\201\14\312\372]\317\325Z_.\360\36\25v\240_.\360\36\25v\240_.\360\36\25\232\234\221\373\12\202R\34I\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01836   464   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01837   464   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01838   464   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01839   464   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01840   464   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01841   464   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01842   464   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01843   464   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482740, 2, ) }, 0, 0x0, 0, ... -2147482740, 2, ) == 0x0
 01844   464   NtSetValueKey  (-2147482740,  (-2147482740, "Seed", 0, 3, "\254Tt\336\256\312\345\234\334{\217I\241\2523g\4\34\3076\3779\201p\3117\357cR\353\320A5V\30\274\321:\223\2709n\224!8q\2604=\20p\317^\254|&\306\361a\254\5w[\354\313/\2001\335\327-\305Y^I1\275,\360A", 80, ... ) , 0, 3,  (-2147482740, "Seed", 0, 3, "\254Tt\336\256\312\345\234\334{\217I\241\2523g\4\34\3076\3779\201p\3117\357cR\353\320A5V\30\274\321:\223\2709n\224!8q\2604=\20p\317^\254|&\306\361a\254\5w[\354\313/\2001\335\327-\305Y^I1\275,\360A", 80, ... ) , 80, ... ) == 0x0
 01845   464   NtClose  (-2147482740, ... ) == 0x0
 01835   464   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\3015\357Y\325\365\332i\302\202\263-\375D\25\243vJe\224\350\212\7\237\201\370Gu\313: \304:\346\253U\203\216\273n\277\302\364M\201\221kd\325\7\207\333\243\200\325\15\3427@|\316\247,\256\303\255}\354\230B\233\262|\366j% \237\17c\263gA\316U\347pM\313I\324Y\245\244\246~\333r\274I\224\14lvgR\230\321O\2029\2T\336\246\276-l\211b\204\307\35\273\332\261hV,#\246\347\260\372\264\257\336\25\211\304)\236\346\253\37e\374\377io\204uz\210!z\267\31{l\326V\37\264f=\225\244?VX\223\313OHwS\2\303\20\336*\370\364\312\27\226\376\251\264\311_QK\214\202\255\341\13\314l\36\247<\257\5\356\5\335\266\354\232'\225*i)P/E\250\246\327a\302\2713 \210\252\370\236\226\227\310xm4<\3078\252\355;\366\367v\223u\314\377\244\351\22vG", ) , ) == 0x0
 01846   464   NtDeviceIoControlFile  (92, 0, 0x0, 0x0, 0x390008,  (92, 0, 0x0, 0x0, 0x390008, "\3\350\212\325\,\340\210\201\14\312\372]\317\325Z_.\360\36\25v\240_.\360\36\25v\240_.\360\36\25v\240_.\360\36\25\232\234\221\373\12\202R\34I\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01847   464   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01848   464   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01849   464   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01850   464   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01851   464   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01852   464   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01853   464   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01854   464   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482740, 2, ) }, 0, 0x0, 0, ... -2147482740, 2, ) == 0x0
 01855   464   NtSetValueKey  (-2147482740,  (-2147482740, "Seed", 0, 3, "\320\342\374\266\224[\343\362-0a\0\230\376p\212\5\306\313\300\242E\263\27\272\312\11\22\271\331\350\22\74\35\230{Q\320~\237ye\342f]\230L\33q\12\177\301\267\263*yj\3326/9(\307\200\2FD\236-p\355`\310\15\254\343\345\205\21", 80, ... ) , 0, 3,  (-2147482740, "Seed", 0, 3, "\320\342\374\266\224[\343\362-0a\0\230\376p\212\5\306\313\300\242E\263\27\272\312\11\22\271\331\350\22\74\35\230{Q\320~\237ye\342f]\230L\33q\12\177\301\267\263*yj\3326/9(\307\200\2FD\236-p\355`\310\15\254\343\345\205\21", 80, ... ) , 80, ... ) == 0x0
 01856   464   NtClose  (-2147482740, ... ) == 0x0
 01846   464   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\277D\302\234n*\235\265d\24\10\J\221\214\3673\2577~A\262_\13a7\3506\240\270\272\261\343\234\243\250=\237!h\367v\274\220\300}\361\274\265E\304\13X\37'v\374\11n&\2572\350B\242x_\332\242?\267\377\352\202\217?Z\350\325\351t\204~p\3030\242\264\253\360\205\355\277s\37\350\26k\347\256\1\331s\3511:\220\14H\213$?\345\220\10\15\204\332\241\262Ge\27z\252\3\10o\206\245\232H\30TNL\3530\231!\260\222)\356q\265\334@ .V`\212\204yo"\373(t\22\261a] \302\36\213P\355\326bm\351\313&o\11", ) \373(t\22\261a] \302\36\213P\355\326bm\351\313&o\11", ) == 0x0
 01857   464   NtDeviceIoControlFile  (92, 0, 0x0, 0x0, 0x390008,  (92, 0, 0x0, 0x0, 0x390008, "\3\350\212\325\,\340\210\201\14\312\372]\317\325Z_.\360\36\25v\240_.\360\36\25v\240_.\360\36\25v\240_.\360\36\25v\240_.\360\36\25\232\234\221\373\12\202R\34I\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01858   464   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01859   464   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01860   464   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01861   464   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01862   464   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01863   464   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01864   464   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01865   464   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482740, 2, ) }, 0, 0x0, 0, ... -2147482740, 2, ) == 0x0
 01866   464   NtSetValueKey  (-2147482740,  (-2147482740, "Seed", 0, 3, "69\253)\316\340:?g\312\13p\313\14\3157\234\231tBv8\320\313\10\204k\254\10{2\14\7qb2\253\271U\305B\25\332\231\242Q\213\345p!"8Q\324\263\202\271~\373zj\263\23\356\26zl8\371O\1\25B\325>o`\223\253", 80, ... ) , 0, 3,  (-2147482740, "Seed", 0, 3, "69\253)\316\340:?g\312\13p\313\14\3157\234\231tBv8\320\313\10\204k\254\10{2\14\7qb2\253\271U\305B\25\332\231\242Q\213\345p!"8Q\324\263\202\271~\373zj\263\23\356\26zl8\371O\1\25B\325>o`\223\253", 80, ... ) 8Q\324\263\202\271~\373zj\263\23\356\26zl8\371O\1\25B\325>o`\223\253", 80, ... ) == 0x0
 01867   464   NtClose  (-2147482740, ... ) == 0x0
 01857   464   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\230\350\362N\242?]\337f\246qH\326S\323\363G>\204\370\200\336$~xtM\12\21\267H\212\315\264\26J\200\227\226i\334h\253\277\200r\371\272\31A\214#\26\2_\313\374\371Gc\271\211\315\37U\341\343\33 \12m\341\376\316\7\226\270\363\306\216\243`\347qH\330xw\367\257\13S\33\224\366"\317\354\201I|&\220\35\25\12\270q\305\373\375\248\272nC\252\2268\265\372\36`?J\371rg{\23\256\7\357\14\13\203&\240\314}\300\231\354\315\10s\374\15\315\226\300\230hh\205\235\301q\305\17\366\305\346\216^\361\204\204G\356h\304\223\23\223Z\350\364\335\260=jJ\304\306>\30\220\275\350\35\250\215f\211\12\277\364\36\213\330=t\211F\221:r\2663[\0\263|\333\205EG\215\326\261\212*w\230\274\343\363\33\215p\276\215\340: \1"\210\1V\206\231\552\367FC\37y<\320#v", ) \317\354\201I|&\220\35\25\12\270q\305\373\375\248\272nC\252\2268\265\372\36`?J\371rg{\23\256\7\357\14\13\203&\240\314}\300\231\354\315\10s\374\15\315\226\300\230hh\205\235\301q\305\17\366\305\346\216^\361\204\204G\356h\304\223\23\223Z\350\364\335\260=jJ\304\306>\30\220\275\350\35\250\215f\211\12\277\364\36\213\330=t\211F\221:r\2663[\0\263|\333\205EG\215\326\261\212*w\230\274\343\363\33\215p\276\215\340: \1 ... {status=0x0, info=256}, "\230\350\362N\242?]\337f\246qH\326S\323\363G>\204\370\200\336$~xtM\12\21\267H\212\315\264\26J\200\227\226i\334h\253\277\200r\371\272\31A\214#\26\2_\313\374\371Gc\271\211\315\37U\341\343\33 \12m\341\376\316\7\226\270\363\306\216\243`\347qH\330xw\367\257\13S\33\224\366"\317\354\201I|&\220\35\25\12\270q\305\373\375\248\272nC\252\2268\265\372\36`?J\371rg{\23\256\7\357\14\13\203&\240\314}\300\231\354\315\10s\374\15\315\226\300\230hh\205\235\301q\305\17\366\305\346\216^\361\204\204G\356h\304\223\23\223Z\350\364\335\260=jJ\304\306>\30\220\275\350\35\250\215f\211\12\277\364\36\213\330=t\211F\221:r\2663[\0\263|\333\205EG\215\326\261\212*w\230\274\343\363\33\215p\276\215\340: \1"\210\1V\206\231\552\367FC\37y<\320#v", ) , ) == 0x0
 01868   464   NtDeviceIoControlFile  (92, 0, 0x0, 0x0, 0x390008,  (92, 0, 0x0, 0x0, 0x390008, "\3\350\212\325\,\340\210\201\14\312\372]\317\325Z_.\360\36\25v\240_.\360\36\25v\240_.\360\36\25v\240_.\360\36\25v\240_.\360\36\25v\240_.\360\36\25\232\234\221\373\12\202R\34I\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01869   464   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01870   464   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01871   464   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01872   464   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01873   464   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01874   464   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01875   464   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01876   464   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482740, 2, ) }, 0, 0x0, 0, ... -2147482740, 2, ) == 0x0
 01877   464   NtSetValueKey  (-2147482740,  (-2147482740, "Seed", 0, 3, "\332[\376\4\233m\245\372]t>$\7\260\15M\6k!u\244\364\16\310\215\27\222KSA\265p\246\12\251W\25`\320\354\354;\271d9\226\200\215\216\237r\356\354k\267W\347\273\12_\272\360\332_\353\271C\363\260\362\307\237\32\273\177z\215>'\204", 80, ... ) , 0, 3,  (-2147482740, "Seed", 0, 3, "\332[\376\4\233m\245\372]t>$\7\260\15M\6k!u\244\364\16\310\215\27\222KSA\265p\246\12\251W\25`\320\354\354;\271d9\226\200\215\216\237r\356\354k\267W\347\273\12_\272\360\332_\353\271C\363\260\362\307\237\32\273\177z\215>'\204", 80, ... ) , 80, ... ) == 0x0
 01878   464   NtClose  (-2147482740, ... ) == 0x0
 01868   464   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\1!\236\221N\345\13\246\237\347\255\344\312p\1\2427\263\207\267W\377\36T\345q\235\22\306\26\247\30D&\242~\0`\206\242\232\237\3117\3*\36\363\2300J/\367Dv\30\326\365\377s\303\245\216\2417e\247\340\360\204{\362\236\357\357\205\21\352\6/\17\327\265>\237a\325\177\35\313P\346\351w\6[\363\346\374\347`9\261\311$\370\225\234.\307\305yo\321]\235U;6\11\3370B\3474\240\261\2\248\235\355u\227\2301\357\377\302\264\34\3720\311_6\326 \240%\36\266\327\321j\353\223/I\330}\332i\206\230\245\226\274\321\232\0\374MQ\367h\203dk\244\225\316n\204cC\3534\12O\24\17#SQ\226O\215\215\273Y\301\4\235\260:\350MW\235\346m'\16\377\16\307i\353$_\273\230\211\213\216\266\371\244\210\246ZBo\3376\343\203\301\3524I\27\326\253\13nm~-\302?kUh", ) , ) == 0x0
 01879   464   NtClose  (180, ... ) == 0x0
 01880   464   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\u:\work\"}, 3, 33, ... 180, {status=0x0, info=1}, ) }, 3, 33, ... 180, {status=0x0, info=1}, ) == 0x0
 01881   464   NtQueryVolumeInformationFile  (180, 1238992, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01882   464   NtClose  (12, ... ) == 0x0
 01883   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM32\ALGS.EXE"}, 1239084, ... ) }, 1239084, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01884   464   NtOpenFile  (0x10080, {24, 0, 0x40, 0, 0,  (0x10080, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\algs.exe"}, 7, 2113600, ... ) }, 7, 2113600, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01885   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\U:\WORK\PACKED.EXE"}, 1237908, ... ) }, 1237908, ... ) == 0x0
 01886   464   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\U:\WORK\PACKED.EXE"}, 7, 2113568, ... 12, {status=0x0, info=1}, ) }, 7, 2113568, ... 12, {status=0x0, info=1}, ) == 0x0
 01887   464   NtSetInformationFile  (12, 1237884, 40, Basic, ... ) == STATUS_ACCESS_DENIED
 01888   464   NtClose  (12, ... ) == 0x0
 01889   464   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238156,  (0x80100080, {24, 0, 0x40, 0, 1238156, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 12, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 12, {status=0x0, info=1}, ) == 0x0
 01890   464   NtQueryInformationFile  (12, 1238592, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0
 01891   464   NtQueryInformationFile  (12, 1238508, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01892   464   NtQueryInformationFile  (12, 1238324, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01893   464   NtAllocateVirtualMemory  (-1, 1380352, 0, 8192, 4096, 4, ... 1380352, 8192, ) == 0x0
 01894   464   NtQueryInformationFile  (12, 1378712, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0
 01895   464   NtQueryInformationFile  (12, 1236772, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01896   464   NtQueryInformationFile  (12, 1237048, 4, Ea, ... {status=0x0, info=4}, ) == 0x0
 01897   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM32\ALGS.EXE"}, 1236244, ... ) }, 1236244, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01898   464   NtCreateFile  (0x40110080, {24, 0, 0x40, 0, 1236924,  (0x40110080, {24, 0, 0x40, 0, 1236924, "\??\C:\WINDOWS\system32\algs.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ...
 01899   464   NtClose  (-2147482740, ... ) == 0x0
 01898   464   NtCreateFile  ... 176, {status=0x0, info=2}, ) == 0x0
 01900   464   NtQueryVolumeInformationFile  (176, 1237076, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 01901   464   NtQueryInformationFile  (176, 1236660, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01902   464   NtQueryVolumeInformationFile  (12, 1237076, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 01903   464   NtSetInformationFile  (176, 1236976, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01904   464   NtCreateSection  (0xf001f, 0x0, 0x0, 2, 134217728, 12, ... 184, ) == 0x0
 01905   464   NtMapViewOfSection  (184, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x3e0000), {0, 0}, 61440, ) == 0x0
 01906   464   NtClose  (184, ... ) == 0x0
 01907   464   NtWriteFile  (176, 0, 0, 0,  (176, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0y\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\260\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0]e\375\310\31\4\223\233\31\4\223\233\31\4\223\233\227\33\200\233\21\4\223\233\345$\201\233\30\4\223\233Rich\31\4\223\233\0\0\0\0\0\0\0\0PE\0\0L\1\2\0<\360\337F\0\0\0\0\0\0\0\0\340\0\17\1\13\1\5\14\0\0\0\0\0\0\0\0\0\0\0\0e\342\2\0\0\0\0\0\0\0\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0eR\3\0\0\2\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\374\340\2\0(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.packed\0\0\20\2\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0`.RLPack\0e2\1\0\0 \2\0e\350\0\0\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 60005, 0x0, 0, ... {status=0x0, info=60005}, ) , 60005, 0x0, 0, ... {status=0x0, info=60005}, ) == 0x0
 01908   464   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01909   464   NtSetInformationFile  (176, 1238324, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01910   464   NtClose  (12, ... ) == 0x0
 01911   464   NtClose  (176, ... ) == 0x0
 01912   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM32\ALGS.EXE"}, 1239052, ... ) }, 1239052, ... ) == 0x0
 01913   464   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM32\ALGS.EXE"}, 7, 2113568, ... 176, {status=0x0, info=1}, ) }, 7, 2113568, ... 176, {status=0x0, info=1}, ) == 0x0
 01914   464   NtSetInformationFile  (176, 1239028, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01915   464   NtClose  (176, ... ) == 0x0
 01916   464   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1239036,  (0xc0100080, {24, 0, 0x40, 0, 1239036, "\??\C:\WINDOWS\SYSTEM32\ALGS.EXE"}, 0x0, 0, 1, 1, 96, 0, 0, ... 176, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 96, 0, 0, ... 176, {status=0x0, info=1}, ) == 0x0
 01917   464   NtQueryInformationFile  (176, 1239088, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01918   464   NtQueryInformationFile  (176, 1239088, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01919   464   NtCreateSection  (0xf0007, 0x0, {60005, 0}, 4, 134217728, 176, ... 12, ) == 0x0
 01920   464   NtMapViewOfSection  (12, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 61440, ) == 0x0
 01921   464   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01922   464   NtClose  (12, ... ) == 0x0
 01923   464   NtSetInformationFile  (176, 1239092, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01924   464   NtClose  (176, ... ) == 0x0
 01925   464   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM32\ALGS.EXE"}, 7, 2113568, ... 176, {status=0x0, info=1}, ) }, 7, 2113568, ... 176, {status=0x0, info=1}, ) == 0x0
 01926   464   NtSetInformationFile  (176, 1239032, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01927   464   NtClose  (176, ... ) == 0x0
 01928   464   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\algs.exe"}, 7, 2113568, ... 176, {status=0x0, info=1}, ) }, 7, 2113568, ... 176, {status=0x0, info=1}, ) == 0x0
 01929   464   NtSetInformationFile  (176, 1239244, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01930   464   NtClose  (176, ... ) == 0x0
 01931   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM32\ALGS.EXE"}, 1239052, ... ) }, 1239052, ... ) == 0x0
 01932   464   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM32\ALGS.EXE"}, 7, 2113568, ... 176, {status=0x0, info=1}, ) }, 7, 2113568, ... 176, {status=0x0, info=1}, ) == 0x0
 01933   464   NtSetInformationFile  (176, 1239028, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01934   464   NtClose  (176, ... ) == 0x0
 01935   464   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1239036,  (0xc0100080, {24, 0, 0x40, 0, 1239036, "\??\C:\WINDOWS\SYSTEM32\ALGS.EXE"}, 0x0, 0, 1, 1, 96, 0, 0, ... 176, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 96, 0, 0, ... 176, {status=0x0, info=1}, ) == 0x0
 01936   464   NtQueryInformationFile  (176, 1239088, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01937   464   NtQueryInformationFile  (176, 1239088, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01938   464   NtCreateSection  (0xf0007, 0x0, {60005, 0}, 4, 134217728, 176, ... 12, ) == 0x0
 01939   464   NtMapViewOfSection  (12, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 61440, ) == 0x0
 01940   464   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01941   464   NtClose  (12, ... ) == 0x0
 01942   464   NtSetInformationFile  (176, 1239092, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01943   464   NtClose  (176, ... ) == 0x0
 01944   464   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM32\ALGS.EXE"}, 7, 2113568, ... 176, {status=0x0, info=1}, ) }, 7, 2113568, ... 176, {status=0x0, info=1}, ) == 0x0
 01945   464   NtSetInformationFile  (176, 1239032, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01946   464   NtClose  (176, ... ) == 0x0
 01947   464   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\algs.exe"}, 7, 2113568, ... 176, {status=0x0, info=1}, ) }, 7, 2113568, ... 176, {status=0x0, info=1}, ) == 0x0
 01948   464   NtSetInformationFile  (176, 1239244, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01949   464   NtClose  (176, ... ) == 0x0
 01950   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\EXPLORER.EXE"}, 1238704, ... ) }, 1238704, ... ) == 0x0
 01951   464   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\EXPLORER.EXE"}, 7, 2113568, ... 176, {status=0x0, info=1}, ) }, 7, 2113568, ... 176, {status=0x0, info=1}, ) == 0x0
 01952   464   NtSetInformationFile  (176, 1238680, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01953   464   NtClose  (176, ... ) == 0x0
 01954   464   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1238688,  (0xc0100080, {24, 0, 0x40, 0, 1238688, "\??\C:\WINDOWS\EXPLORER.EXE"}, 0x0, 0, 1, 1, 96, 0, 0, ... ) }, 0x0, 0, 1, 1, 96, 0, 0, ... ) == STATUS_SHARING_VIOLATION
 01955   464   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\EXPLORER.EXE"}, 7, 2113568, ... 176, {status=0x0, info=1}, ) }, 7, 2113568, ... 176, {status=0x0, info=1}, ) == 0x0
 01956   464   NtSetInformationFile  (176, 1238680, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01957   464   NtClose  (176, ... ) == 0x0
 01958   464   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238952,  (0x80100080, {24, 0, 0x40, 0, 1238952, "\??\C:\WINDOWS\explorer.exe"}, 0x0, 128, 1, 1, 96, 0, 0, ... 176, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 176, {status=0x0, info=1}, ) == 0x0
 01959   464   NtQueryInformationFile  (176, 1239004, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01960   464   NtClose  (176, ... ) == 0x0
 01961   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM32\ALGS.EXE"}, 1238704, ... ) }, 1238704, ... ) == 0x0
 01962   464   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM32\ALGS.EXE"}, 7, 2113568, ... 176, {status=0x0, info=1}, ) }, 7, 2113568, ... 176, {status=0x0, info=1}, ) == 0x0
 01963   464   NtSetInformationFile  (176, 1238680, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01964   464   NtClose  (176, ... ) == 0x0
 01965   464   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1238688,  (0xc0100080, {24, 0, 0x40, 0, 1238688, "\??\C:\WINDOWS\SYSTEM32\ALGS.EXE"}, 0x0, 0, 1, 1, 96, 0, 0, ... 176, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 96, 0, 0, ... 176, {status=0x0, info=1}, ) == 0x0
 01966   464   NtQueryInformationFile  (176, 1238740, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01967   464   NtQueryInformationFile  (176, 1238740, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01968   464   NtCreateSection  (0xf0007, 0x0, {60005, 0}, 4, 134217728, 176, ... 12, ) == 0x0
 01969   464   NtMapViewOfSection  (12, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 61440, ) == 0x0
 01970   464   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01971   464   NtClose  (12, ... ) == 0x0
 01972   464   NtSetInformationFile  (176, 1238744, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01973   464   NtClose  (176, ... ) == 0x0
 01974   464   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM32\ALGS.EXE"}, 7, 2113568, ... 176, {status=0x0, info=1}, ) }, 7, 2113568, ... 176, {status=0x0, info=1}, ) == 0x0
 01975   464   NtSetInformationFile  (176, 1238684, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01976   464   NtClose  (176, ... ) == 0x0
 01977   464   NtCreateFile  (0x40100080, {24, 0, 0x40, 0, 1238952,  (0x40100080, {24, 0, 0x40, 0, 1238952, "\??\C:\WINDOWS\system32\algs.exe"}, 0x0, 128, 2, 1, 96, 0, 0, ... 176, {status=0x0, info=1}, ) }, 0x0, 128, 2, 1, 96, 0, 0, ... 176, {status=0x0, info=1}, ) == 0x0
 01978   464   NtSetInformationFile  (176, 1239004, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01979   464   NtClose  (176, ... ) == 0x0
 01980   464   NtOpenFile  (0x10080, {24, 180, 0x40, 0, 0,  (0x10080, {24, 180, 0x40, 0, 0, "gdhqe.bat"}, 7, 2113600, ... ) }, 7, 2113600, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01981   464   NtCreateFile  (0x40100080, {24, 180, 0x40, 0, 1239200,  (0x40100080, {24, 180, 0x40, 0, 1239200, "gdhqe.bat"}, 0x0, 0, 0, 5, 96, 0, 0, ... 176, {status=0x0, info=2}, ) }, 0x0, 0, 0, 5, 96, 0, 0, ... 176, {status=0x0, info=2}, ) == 0x0
 01982   464   NtWriteFile  (176, 0, 0, 0,  (176, 0, 0, 0, "@echo off\15\12:deleteagain\15\12del /A:H /F packed.exe\15\12del /F packed.exe\15\12if exist packed.exe goto deleteagain\15\12del gdhqe.bat\15\12", 121, 0x0, 0, ... {status=0x0, info=121}, ) , 121, 0x0, 0, ... {status=0x0, info=121}, ) == 0x0
 01983   464   NtClose  (176, ... ) == 0x0
 01984   464   NtOpenKey  (0x9, {24, 36, 0x40, 0, 0,  (0x9, {24, 36, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01985   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1232480, ... ) }, 1232480, ... ) == 0x0
 01986   464   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 176, {status=0x0, info=1}, ) }, 5, 96, ... 176, {status=0x0, info=1}, ) == 0x0
 01987   464   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 176, ... 12, ) == 0x0
 01988   464   NtClose  (176, ... ) == 0x0
 01989   464   NtMapViewOfSection  (12, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xb20000), 0x0, 401408, ) == 0x0
 01990   464   NtClose  (12, ... ) == 0x0
 01991   464   NtUnmapViewOfSection  (-1, 0xb20000, ... ) == 0x0
 01992   464   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01993   464   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01994   464   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01995   464   NtAllocateVirtualMemory  (-1, 1388544, 0, 16384, 4096, 4, ... 1388544, 16384, ) == 0x0
 01996   464   NtUserRegisterClassExWOW  (1234088, 1234156, 1234172, 1234188, 0, 384, 0, ... ) == 0x8173c038
 01997   464   NtUserGetAtomName  (49208, 1233416, ... ) == 0x15
 01998   464   NtUserCreateWindowEx  (0, 49208, 49208,  (0, 49208, 49208, "OleMainThreadWndName", -2013265920, -2147483648, -2147483648, -2147483648, -2147483648, -3, 0, 2001600512, 0, 1073742848, 0, ... , -2013265920, -2147483648, -2147483648, -2147483648, -2147483648, -3, 0, 2001600512, 0, 1073742848, 0, ...
 01999   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1230888, ... ) }, 1230888, ... ) == 0x0
 02000   464   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 12, {status=0x0, info=1}, ) }, 5, 96, ... 12, {status=0x0, info=1}, ) == 0x0
 02001   464   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 12, ... 176, ) == 0x0
 02002   464   NtClose  (12, ... ) == 0x0
 02003   464   NtMapViewOfSection  (176, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xb20000), 0x0, 221184, ) == 0x0
 02004   464   NtClose  (176, ... ) == 0x0
 02005   464   NtUnmapViewOfSection  (-1, 0xb20000, ... ) == 0x0
 02006   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1231196, ... ) }, 1231196, ... ) == 0x0
 02007   464   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 176, {status=0x0, info=1}, ) }, 5, 96, ... 176, {status=0x0, info=1}, ) == 0x0
 02008   464   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 176, ... 12, ) == 0x0
 02009   464   NtQuerySection  (12, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02010   464   NtClose  (176, ... ) == 0x0
 02011   464   NtMapViewOfSection  (12, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5ad70000), 0x0, 229376, ) == 0x0
 02012   464   NtClose  (12, ... ) == 0x0
 02013   464   NtProtectVirtualMemory  (-1, (0x5ad71000), 1300, 4, ... (0x5ad71000), 4096, 32, ) == 0x0
 02014   464   NtProtectVirtualMemory  (-1, (0x5ad71000), 4096, 32, ... (0x5ad71000), 4096, 4, ) == 0x0
 02015   464   NtFlushInstructionCache  (-1, 1524043776, 1300, ... ) == 0x0
 02016   464   NtProtectVirtualMemory  (-1, (0x5ad71000), 1300, 4, ... (0x5ad71000), 4096, 32, ) == 0x0
 02017   464   NtProtectVirtualMemory  (-1, (0x5ad71000), 4096, 32, ... (0x5ad71000), 4096, 4, ) == 0x0
 02018   464   NtFlushInstructionCache  (-1, 1524043776, 1300, ... ) == 0x0
 02019   464   NtProtectVirtualMemory  (-1, (0x5ad71000), 1300, 4, ... (0x5ad71000), 4096, 32, ) == 0x0
 02020   464   NtProtectVirtualMemory  (-1, (0x5ad71000), 4096, 32, ... (0x5ad71000), 4096, 4, ) == 0x0
 02021   464   NtFlushInstructionCache  (-1, 1524043776, 1300, ... ) == 0x0
 02022   464   NtProtectVirtualMemory  (-1, (0x5ad71000), 1300, 4, ... (0x5ad71000), 4096, 32, ) == 0x0
 02023   464   NtProtectVirtualMemory  (-1, (0x5ad71000), 4096, 32, ... (0x5ad71000), 4096, 4, ) == 0x0
 02024   464   NtFlushInstructionCache  (-1, 1524043776, 1300, ... ) == 0x0
 02025   464   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uxtheme.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02026   464   NtUserGetWindowDC  (0, ... ) == 0x1010052
 02027   464   NtUserCallOneParam  (16842834, 57, ... ) == 0x1
 02028   464   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02029   464   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 12, ) == 0x0
 02030   464   NtQueryInformationToken  (12, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02031   464   NtClose  (12, ... ) == 0x0
 02032   464   NtAllocateVirtualMemory  (-1, 1220608, 0, 4096, 4096, 260, ... 1220608, 4096, ) == 0x0
 02033   464   NtOpenKey  (0x2001f, {24, 0, 0x640, 0, 0,  (0x2001f, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 12, ) }, ... 12, ) == 0x0
 02034   464   NtOpenKey  (0x1, {24, 12, 0x40, 0, 0,  (0x1, {24, 12, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\ThemeManager"}, ... 176, ) }, ... 176, ) == 0x0
 02035   464   NtQueryValueKey  (176,  (176, "Compositing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02036   464   NtClose  (176, ... ) == 0x0
 02037   464   NtClose  (12, ... ) == 0x0
 02038   464   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02039   464   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 12, ) == 0x0
 02040   464   NtQueryInformationToken  (12, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02041   464   NtClose  (12, ... ) == 0x0
 02042   464   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 12, ) }, ... 12, ) == 0x0
 02043   464   NtOpenKey  (0x1, {24, 12, 0x40, 0, 0,  (0x1, {24, 12, 0x40, 0, 0, "Control Panel\Desktop"}, ... 176, ) }, ... 176, ) == 0x0
 02044   464   NtQueryValueKey  (176,  (176, "LameButtonText", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02045   464   NtClose  (176, ... ) == 0x0
 02046   464   NtClose  (12, ... ) == 0x0
 02047   464   NtUserGetProcessWindowStation  (... ) == 0x1c
 02048   464   NtUserGetObjectInformation  (28, 2, 1232984, 64, 1232980, ... ) == 0x1
 02049   464   NtUserGetGUIThreadInfo  (464, 1233004, ... ) == 0x1
 02050   464   NtConnectPort  ( ("\ThemeApiPort", {12, 2, 1, 1}, 0x0, 0x0, 1232848, 64, ... 12, 0x0, 0x0, 0x0, 64, ) , {12, 2, 1, 1}, 0x0, 0x0, 1232848, 64, ... 12, 0x0, 0x0, 0x0, 64, ) == 0x0
 02051   464   NtRequestWaitReplyPort  (12, {32, 56, new_msg, 0, 0, 0, 0, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 1036, 464, 58000, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 1036, 464, 58000, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 1036, 464, 58000, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 02052   464   NtRequestWaitReplyPort  (12, {32, 56, new_msg, 0, 0, 0, 0, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 1036, 464, 58001, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 1036, 464, 58001, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 1036, 464, 58001, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 02053   464   NtUserCallNoParam  (29, ...
 02054   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1230244, ... ) }, 1230244, ... ) == 0x0
 02053   464   NtUserCallNoParam  ... ) == 0x0
 02055   464   NtUserSystemParametersInfo  (41, 0, 1524240760, 0, ... ) == 0x1
 02056   464   NtGdiHfontCreate  (1232372, 356, 0, 0, 1341976, ... ) == 0x340a04e1
 02057   464   NtGdiHfontCreate  (1232372, 356, 0, 0, 1341968, ... ) == 0x520a0634
 02058   464   NtRequestWaitReplyPort  (12, {32, 56, new_msg, 0, 0, 0, 0, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 1036, 464, 58002, 0} "\0\0\0\0\0\0\0\0\260\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 1036, 464, 58002, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 1036, 464, 58002, 0} "\0\0\0\0\0\0\0\0\260\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 02059   464   NtMapViewOfSection  (176, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xb20000), {0, 0}, 327680, ) == 0x0
 02060   464   NtUserGetWindowDC  (0, ... ) == 0x1010052
 02061   464   NtUserCallOneParam  (16842834, 57, ... ) == 0x1
 02062   464   NtUserGetWindowDC  (0, ... ) == 0x1010052
 02063   464   NtQueryVirtualMemory  (-1, 0x416dba, Basic, 28, ... {BaseAddress=0x416000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0x9000,State=0x1000,Protect=0x40,Type=0x1000000,}, 28, ) == 0x0
 02064   464   NtQueryVirtualMemory  (-1, 0x417298, Basic, 28, ... {BaseAddress=0x417000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0x8000,State=0x1000,Protect=0x40,Type=0x1000000,}, 28, ) == 0x0
 02065   464   NtContinue  (1231080, 0, ...
 02066   464   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 02067   464   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 02068   464   NtQueryVirtualMemory  (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 02069   464   NtTerminateProcess  (0, 0, ...
 01549   888   NtWaitForMultipleObjects  ... ) == 0xc0
 02069   464   NtTerminateProcess  ... ) == 0x0
 02070   464   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xb,}, 4, ... ) == 0x0
 02071   464   NtUserGetProcessWindowStation  (... ) == 0x1c
 02072   464   NtUserBuildNameList  (28, 522, 1394976, 1239308, ... ) == 0x0
 02073   464   NtUserGetProcessWindowStation  (... ) == 0x1c
 02074   464   NtUserOpenDesktop  ({24, 28, 0x40, 0, 0,  ({24, 28, 0x40, 0, 0, "Default"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0xb8
 02075   464   NtUserBuildHwndList  (184, 0, 0, 0, 64, ... (0x5009e, 0x400fa, 0x10074, 0x10080, 0x10070, 0x10084, 0x30048, 0x10072, 0x20052, 0x5009c, 0x10090, 0x500a2, 0x100d0, 0x200b0, 0x100cc, 0x70104, 0x70100, 0x20118, 0x3014c, 0x1011c, 0x100e6, 0x100d6, 0x100d2, 0x100ca, 0x100c8, 0x100ba, 0x100ae, 0x100ac, 0x300a6, 0x10078, 0x30062, 0x50036, 0x5005c, 0x100be, 0x400fe, 0x10092, 0x10086, 0x40034, 0x50050, 0x1013c, 0x10120, 0x100c2, 0x100bc, 0x2014e, 0x100d8, 0x100b6, 0x100b8, 0x100b4, 0x100c0, 0x1009a, 0x5005e, 0x1, ), 52, ) == 0x0
 02076   464   NtUserValidateHandleSecure  (327838, ... ) == 0x1
 02077   464   NtUserQueryWindow  (327838, 0, ... ) == 0x6b8
 02078   464   NtUserQueryWindow  (327838, 1, ... ) == 0x6d4
 02079   464   NtUserValidateHandleSecure  (327838, ... ) == 0x1
 02080   464   NtUserValidateHandleSecure  (262394, ... ) == 0x1
 02081   464   NtUserQueryWindow  (262394, 0, ... ) == 0x6b8
 02082   464   NtUserQueryWindow  (262394, 1, ... ) == 0x6d4
 02083   464   NtUserValidateHandleSecure  (262394, ... ) == 0x1
 02084   464   NtUserBuildHwndList  (0, 262394, 1, 0, 64, ... (0x80064, 0x60068, 0x6006c, 0x50094, 0x50096, 0x60066, 0x7006a, 0x90058, 0x6006e, 0x5008a, 0x50088, 0x500a0, 0x1, ), 13, ) == 0x0
 02085   464   NtUserValidateHandleSecure  (524388, ... ) == 0x1
 02086   464   NtUserQueryWindow  (524388, 0, ... ) == 0x6b8
 02087   464   NtUserQueryWindow  (524388, 1, ... ) == 0x6d4
 02088   464   NtUserValidateHandleSecure  (393320, ... ) == 0x1
 02089   464   NtUserQueryWindow  (393320, 0, ... ) == 0x6b8
 02090   464   NtUserQueryWindow  (393320, 1, ... ) == 0x6d4
 02091   464   NtUserValidateHandleSecure  (393324, ... ) == 0x1
 02092   464   NtUserQueryWindow  (393324, 0, ... ) == 0x6b8
 02093   464   NtUserQueryWindow  (393324, 1, ... ) == 0x6d4
 02094   464   NtUserValidateHandleSecure  (327828, ... ) == 0x1
 02095   464   NtUserQueryWindow  (327828, 0, ... ) == 0x6b8
 02096   464   NtUserQueryWindow  (327828, 1, ... ) == 0x6d4
 02097   464   NtUserValidateHandleSecure  (327830, ... ) == 0x1
 02098   464   NtUserQueryWindow  (327830, 0, ... ) == 0x6b8
 02099   464   NtUserQueryWindow  (327830, 1, ... ) == 0x6d4
 02100   464   NtUserValidateHandleSecure  (393318, ... ) == 0x1
 02101   464   NtUserQueryWindow  (393318, 0, ... ) == 0x6b8
 02102   464   NtUserQueryWindow  (393318, 1, ... ) == 0x6d4
 02103   464   NtUserValidateHandleSecure  (458858, ... ) == 0x1
 02104   464   NtUserQueryWindow  (458858, 0, ... ) == 0x6b8
 02105   464   NtUserQueryWindow  (458858, 1, ... ) == 0x6d4
 02106   464   NtUserValidateHandleSecure  (589912, ... ) == 0x1
 02107   464   NtUserQueryWindow  (589912, 0, ... ) == 0x6b8
 02108   464   NtUserQueryWindow  (589912, 1, ... ) == 0x6d4
 02109   464   NtUserValidateHandleSecure  (393326, ... ) == 0x1
 02110   464   NtUserQueryWindow  (393326, 0, ... ) == 0x6b8
 02111   464   NtUserQueryWindow  (393326, 1, ... ) == 0x6d4
 02112   464   NtUserValidateHandleSecure  (327818, ... ) == 0x1
 02113   464   NtUserQueryWindow  (327818, 0, ... ) == 0x6b8
 02114   464   NtUserQueryWindow  (327818, 1, ... ) == 0x6d4
 02115   464   NtUserValidateHandleSecure  (327816, ... ) == 0x1
 02116   464   NtUserQueryWindow  (327816, 0, ... ) == 0x6b8
 02117   464   NtUserQueryWindow  (327816, 1, ... ) == 0x6d4
 02118   464   NtUserValidateHandleSecure  (327840, ... ) == 0x1
 02119   464   NtUserQueryWindow  (327840, 0, ... ) == 0x6b8
 02120   464   NtUserQueryWindow  (327840, 1, ... ) == 0x6d4
 02121   464   NtUserValidateHandleSecure  (65652, ... ) == 0x1
 02122   464   NtUserQueryWindow  (65652, 0, ... ) == 0x6b8
 02123   464   NtUserQueryWindow  (65652, 1, ... ) == 0x6d4
 02124   464   NtUserValidateHandleSecure  (65652, ... ) == 0x1
 02125   464   NtUserValidateHandleSecure  (65664, ... ) == 0x1
 02126   464   NtUserQueryWindow  (65664, 0, ... ) == 0x6b8
 02127   464   NtUserQueryWindow  (65664, 1, ... ) == 0x6d4
 02128   464   NtUserValidateHandleSecure  (65664, ... ) == 0x1
 02129   464   NtUserValidateHandleSecure  (65648, ... ) == 0x1
 02130   464   NtUserQueryWindow  (65648, 0, ... ) == 0x6b8
 02131   464   NtUserQueryWindow  (65648, 1, ... ) == 0x6d4
 02132   464   NtUserValidateHandleSecure  (65648, ... ) == 0x1
 02133   464   NtUserValidateHandleSecure  (65668, ... ) == 0x1
 02134   464   NtUserQueryWindow  (65668, 0, ... ) == 0x6b8
 02135   464   NtUserQueryWindow  (65668, 1, ... ) == 0x6d4
 02136   464   NtUserValidateHandleSecure  (65668, ... ) == 0x1
 02137   464   NtUserValidateHandleSecure  (196680, ... ) == 0x1
 02138   464   NtUserQueryWindow  (196680, 0, ... ) == 0x6b8
 02139   464   NtUserQueryWindow  (196680, 1, ... ) == 0x6d4
 02140   464   NtUserValidateHandleSecure  (196680, ... ) == 0x1
 02141   464   NtUserValidateHandleSecure  (65650, ... ) == 0x1
 02142   464   NtUserQueryWindow  (65650, 0, ... ) == 0x6b8
 02143   464   NtUserQueryWindow  (65650, 1, ... ) == 0x6d4
 02144   464   NtUserValidateHandleSecure  (65650, ... ) == 0x1
 02145   464   NtUserValidateHandleSecure  (131154, ... ) == 0x1
 02146   464   NtUserQueryWindow  (131154, 0, ... ) == 0x6b8
 02147   464   NtUserQueryWindow  (131154, 1, ... ) == 0x6d4
 02148   464   NtUserValidateHandleSecure  (131154, ... ) == 0x1
 02149   464   NtUserBuildHwndList  (0, 131154, 1, 0, 64, ... (0x3003e, 0x3003c, 0x30040, 0x30042, 0x30044, 0x30046, 0x10076, 0x10082, 0x1007a, 0x1007e, 0x1, ), 11, ) == 0x0
 02150   464   NtUserValidateHandleSecure  (196670, ... ) == 0x1
 02151   464   NtUserQueryWindow  (196670, 0, ... ) == 0x6b8
 02152   464   NtUserQueryWindow  (196670, 1, ... ) == 0x6d4
 02153   464   NtUserValidateHandleSecure  (196668, ... ) == 0x1
 02154   464   NtUserQueryWindow  (196668, 0, ... ) == 0x6b8
 02155   464   NtUserQueryWindow  (196668, 1, ... ) == 0x6d4
 02156   464   NtUserValidateHandleSecure  (196672, ... ) == 0x1
 02157   464   NtUserQueryWindow  (196672, 0, ... ) == 0x6b8
 02158   464   NtUserQueryWindow  (196672, 1, ... ) == 0x6d4
 02159   464   NtUserValidateHandleSecure  (196674, ... ) == 0x1
 02160   464   NtUserQueryWindow  (196674, 0, ... ) == 0x6b8
 02161   464   NtUserQueryWindow  (196674, 1, ... ) == 0x6d4
 02162   464   NtUserValidateHandleSecure  (196676, ... ) == 0x1
 02163   464   NtUserQueryWindow  (196676, 0, ... ) == 0x6b8
 02164   464   NtUserQueryWindow  (196676, 1, ... ) == 0x6d4
 02165   464   NtUserValidateHandleSecure  (196678, ... ) == 0x1
 02166   464   NtUserQueryWindow  (196678, 0, ... ) == 0x6b8
 02167   464   NtUserQueryWindow  (196678, 1, ... ) == 0x6d4
 02168   464   NtUserValidateHandleSecure  (65654, ... ) == 0x1
 02169   464   NtUserQueryWindow  (65654, 0, ... ) == 0x6b8
 02170   464   NtUserQueryWindow  (65654, 1, ... ) == 0x6d4
 02171   464   NtUserValidateHandleSecure  (65666, ... ) == 0x1
 02172   464   NtUserQueryWindow  (65666, 0, ... ) == 0x6b8
 02173   464   NtUserQueryWindow  (65666, 1, ... ) == 0x6d4
 02174   464   NtUserValidateHandleSecure  (65658, ... ) == 0x1
 02175   464   NtUserQueryWindow  (65658, 0, ... ) == 0x6b8
 02176   464   NtUserQueryWindow  (65658, 1, ... ) == 0x6d4
 02177   464   NtUserValidateHandleSecure  (65662, ... ) == 0x1
 02178   464   NtUserQueryWindow  (65662, 0, ... ) == 0x6b8
 02179   464   NtUserQueryWindow  (65662, 1, ... ) == 0x6d4
 02180   464   NtUserValidateHandleSecure  (327836, ... ) == 0x1
 02181   464   NtUserQueryWindow  (327836, 0, ... ) == 0x6b8
 02182   464   NtUserQueryWindow  (327836, 1, ... ) == 0x6d4
 02183   464   NtUserValidateHandleSecure  (327836, ... ) == 0x1
 02184   464   NtUserValidateHandleSecure  (65680, ... ) == 0x1
 02185   464   NtUserQueryWindow  (65680, 0, ... ) == 0x6b8
 02186   464   NtUserQueryWindow  (65680, 1, ... ) == 0x6bc
 02187   464   NtUserValidateHandleSecure  (65680, ... ) == 0x1
 02188   464   NtUserValidateHandleSecure  (327842, ... ) == 0x1
 02189   464   NtUserQueryWindow  (327842, 0, ... ) == 0x6b8
 02190   464   NtUserQueryWindow  (327842, 1, ... ) == 0x6d4
 02191   464   NtUserValidateHandleSecure  (327842, ... ) == 0x1
 02192   464   NtUserValidateHandleSecure  (65744, ... ) == 0x1
 02193   464   NtUserQueryWindow  (65744, 0, ... ) == 0x19c
 02194   464   NtUserQueryWindow  (65744, 1, ... ) == 0x1a0
 02195   464   NtUserValidateHandleSecure  (65744, ... ) == 0x1
 02196   464   NtUserValidateHandleSecure  (131248, ... ) == 0x1
 02197   464   NtUserQueryWindow  (131248, 0, ... ) == 0xa0
 02198   464   NtUserQueryWindow  (131248, 1, ... ) == 0xe4
 02199   464   NtUserValidateHandleSecure  (131248, ... ) == 0x1
 02200   464   NtUserValidateHandleSecure  (65740, ... ) == 0x1
 02201   464   NtUserQueryWindow  (65740, 0, ... ) == 0x19c
 02202   464   NtUserQueryWindow  (65740, 1, ... ) == 0x1a0
 02203   464   NtUserValidateHandleSecure  (65740, ... ) == 0x1
 02204   464   NtUserValidateHandleSecure  (459012, ... ) == 0x1
 02205   464   NtUserQueryWindow  (459012, 0, ... ) == 0x49c
 02206   464   NtUserQueryWindow  (459012, 1, ... ) == 0x180
 02207   464   NtUserValidateHandleSecure  (459012, ... ) == 0x1
 02208   464   NtUserValidateHandleSecure  (459008, ... ) == 0x1
 02209   464   NtUserQueryWindow  (459008, 0, ... ) == 0x5e8
 02210   464   NtUserQueryWindow  (459008, 1, ... ) == 0x1dc
 02211   464   NtUserValidateHandleSecure  (459008, ... ) == 0x1
 02212   464   NtUserValidateHandleSecure  (131352, ... ) == 0x1
 02213   464   NtUserQueryWindow  (131352, 0, ... ) == 0x6ac
 02214   464   NtUserQueryWindow  (131352, 1, ... ) == 0x7f4
 02215   464   NtUserValidateHandleSecure  (131352, ... ) == 0x1
 02216   464   NtUserValidateHandleSecure  (196940, ... ) == 0x1
 02217   464   NtUserQueryWindow  (196940, 0, ... ) == 0x4b4
 02218   464   NtUserQueryWindow  (196940, 1, ... ) == 0x474
 02219   464   NtUserValidateHandleSecure  (196940, ... ) == 0x1
 02220   464   NtUserValidateHandleSecure  (65820, ... ) == 0x1
 02221   464   NtUserQueryWindow  (65820, 0, ... ) == 0x22c
 02222   464   NtUserQueryWindow  (65820, 1, ... ) == 0x220
 02223   464   NtUserValidateHandleSecure  (65820, ... ) == 0x1
 02224   464   NtUserValidateHandleSecure  (65766, ... ) == 0x1
 02225   464   NtUserQueryWindow  (65766, 0, ... ) == 0x6b8
 02226   464   NtUserQueryWindow  (65766, 1, ... ) == 0x13c
 02227   464   NtUserValidateHandleSecure  (65766, ... ) == 0x1
 02228   464   NtUserValidateHandleSecure  (65750, ... ) == 0x1
 02229   464   NtUserQueryWindow  (65750, 0, ... ) == 0x6b8
 02230   464   NtUserQueryWindow  (65750, 1, ... ) == 0x13c
 02231   464   NtUserValidateHandleSecure  (65750, ... ) == 0x1
 02232   464   NtUserBuildHwndList  (0, 65750, 1, 0, 64, ... (0x100da, 0x100dc, 0x100de, 0x100e0, 0x1, ), 5, ) == 0x0
 02233   464   NtUserValidateHandleSecure  (65754, ... ) == 0x1
 02234   464   NtUserQueryWindow  (65754, 0, ... ) == 0x6b8
 02235   464   NtUserQueryWindow  (65754, 1, ... ) == 0x13c
 02236   464   NtUserValidateHandleSecure  (65756, ... ) == 0x1
 02237   464   NtUserQueryWindow  (65756, 0, ... ) == 0x6b8
 02238   464   NtUserQueryWindow  (65756, 1, ... ) == 0x13c
 02239   464   NtUserValidateHandleSecure  (65758, ... ) == 0x1
 02240   464   NtUserQueryWindow  (65758, 0, ... ) == 0x6b8
 02241   464   NtUserQueryWindow  (65758, 1, ... ) == 0x13c
 02242   464   NtUserValidateHandleSecure  (65760, ... ) == 0x1
 02243   464   NtUserQueryWindow  (65760, 0, ... ) == 0x6b8
 02244   464   NtUserQueryWindow  (65760, 1, ... ) == 0x13c
 02245   464   NtUserValidateHandleSecure  (65746, ... ) == 0x1
 02246   464   NtUserQueryWindow  (65746, 0, ... ) == 0x6b8
 02247   464   NtUserQueryWindow  (65746, 1, ... ) == 0x6d4
 02248   464   NtUserValidateHandleSecure  (65746, ... ) == 0x1
 02249   464   NtUserValidateHandleSecure  (65738, ... ) == 0x1
 02250   464   NtUserQueryWindow  (65738, 0, ... ) == 0x19c
 02251   464   NtUserQueryWindow  (65738, 1, ... ) == 0x1a0
 02252   464   NtUserValidateHandleSecure  (65738, ... ) == 0x1
 02253   464   NtUserValidateHandleSecure  (65736, ... ) == 0x1
 02254   464   NtUserQueryWindow  (65736, 0, ... ) == 0xa0
 02255   464   NtUserQueryWindow  (65736, 1, ... ) == 0xe4
 02256   464   NtUserValidateHandleSecure  (65736, ... ) == 0x1
 02257   464   NtUserValidateHandleSecure  (65722, ... ) == 0x1
 02258   464   NtUserQueryWindow  (65722, 0, ... ) == 0x104
 02259   464   NtUserQueryWindow  (65722, 1, ... ) == 0x108
 02260   464   NtUserValidateHandleSecure  (65722, ... ) == 0x1
 02261   464   NtUserValidateHandleSecure  (65710, ... ) == 0x1
 02262   464   NtUserQueryWindow  (65710, 0, ... ) == 0x104
 02263   464   NtUserQueryWindow  (65710, 1, ... ) == 0x108
 02264   464   NtUserValidateHandleSecure  (65710, ... ) == 0x1
 02265   464   NtUserValidateHandleSecure  (65708, ... ) == 0x1
 02266   464   NtUserQueryWindow  (65708, 0, ... ) == 0x120
 02267   464   NtUserQueryWindow  (65708, 1, ... ) == 0x124
 02268   464   NtUserValidateHandleSecure  (65708, ... ) == 0x1
 02269   464   NtUserValidateHandleSecure  (196774, ... ) == 0x1
 02270   464   NtUserQueryWindow  (196774, 0, ... ) == 0xc4
 02271   464   NtUserQueryWindow  (196774, 1, ... ) == 0xc8
 02272   464   NtUserValidateHandleSecure  (196774, ... ) == 0x1
 02273   464   NtUserValidateHandleSecure  (65656, ... ) == 0x1
 02274   464   NtUserQueryWindow  (65656, 0, ... ) == 0x6b8
 02275   464   NtUserQueryWindow  (65656, 1, ... ) == 0x6ec
 02276   464   NtUserValidateHandleSecure  (65656, ... ) == 0x1
 02277   464   NtUserValidateHandleSecure  (196706, ... ) == 0x1
 02278   464   NtUserQueryWindow  (196706, 0, ... ) == 0x6b8
 02279   464   NtUserQueryWindow  (196706, 1, ... ) == 0x6bc
 02280   464   NtUserValidateHandleSecure  (196706, ... ) == 0x1
 02281   464   NtUserValidateHandleSecure  (327734, ... ) == 0x1
 02282   464   NtUserQueryWindow  (327734, 0, ... ) == 0x6b8
 02283   464   NtUserQueryWindow  (327734, 1, ... ) == 0x6bc
 02284   464   NtUserValidateHandleSecure  (327734, ... ) == 0x1
 02285   464   NtUserValidateHandleSecure  (327772, ... ) == 0x1
 02286   464   NtUserQueryWindow  (327772, 0, ... ) == 0x6b8
 02287   464   NtUserQueryWindow  (327772, 1, ... ) == 0x6bc
 02288   464   NtUserValidateHandleSecure  (327772, ... ) == 0x1
 02289   464   NtUserValidateHandleSecure  (65726, ... ) == 0x1
 02290   464   NtUserQueryWindow  (65726, 0, ... ) == 0x19c
 02291   464   NtUserQueryWindow  (65726, 1, ... ) == 0x1a0
 02292   464   NtUserValidateHandleSecure  (65726, ... ) == 0x1
 02293   464   NtUserValidateHandleSecure  (262398, ... ) == 0x1
 02294   464   NtUserQueryWindow  (262398, 0, ... ) == 0x6b8
 02295   464   NtUserQueryWindow  (262398, 1, ... ) == 0x6d4
 02296   464   NtUserValidateHandleSecure  (262398, ... ) == 0x1
 02297   464   NtUserValidateHandleSecure  (65682, ... ) == 0x1
 02298   464   NtUserQueryWindow  (65682, 0, ... ) == 0x6b8
 02299   464   NtUserQueryWindow  (65682, 1, ... ) == 0x6bc
 02300   464   NtUserValidateHandleSecure  (65682, ... ) == 0x1
 02301   464   NtUserValidateHandleSecure  (65670, ... ) == 0x1
 02302   464   NtUserQueryWindow  (65670, 0, ... ) == 0x6b8
 02303   464   NtUserQueryWindow  (65670, 1, ... ) == 0x6bc
 02304   464   NtUserValidateHandleSecure  (65670, ... ) == 0x1
 02305   464   NtUserBuildHwndList  (0, 65670, 1, 0, 64, ... (0x1008c, 0x1008e, 0x1, ), 3, ) == 0x0
 02306   464   NtUserValidateHandleSecure  (65676, ... ) == 0x1
 02307   464   NtUserQueryWindow  (65676, 0, ... ) == 0x6b8
 02308   464   NtUserQueryWindow  (65676, 1, ... ) == 0x6bc
 02309   464   NtUserValidateHandleSecure  (65678, ... ) == 0x1
 02310   464   NtUserQueryWindow  (65678, 0, ... ) == 0x6b8
 02311   464   NtUserQueryWindow  (65678, 1, ... ) == 0x6bc
 02312   464   NtUserValidateHandleSecure  (262196, ... ) == 0x1
 02313   464   NtUserQueryWindow  (262196, 0, ... ) == 0x6b8
 02314   464   NtUserQueryWindow  (262196, 1, ... ) == 0x6d4
 02315   464   NtUserValidateHandleSecure  (262196, ... ) == 0x1
 02316   464   NtUserValidateHandleSecure  (327760, ... ) == 0x1
 02317   464   NtUserQueryWindow  (327760, 0, ... ) == 0x6b8
 02318   464   NtUserQueryWindow  (327760, 1, ... ) == 0x6d4
 02319   464   NtUserValidateHandleSecure  (327760, ... ) == 0x1
 02320   464   NtUserValidateHandleSecure  (65852, ... ) == 0x1
 02321   464   NtUserQueryWindow  (65852, 0, ... ) == 0x22c
 02322   464   NtUserQueryWindow  (65852, 1, ... ) == 0x220
 02323   464   NtUserValidateHandleSecure  (65852, ... ) == 0x1
 02324   464   NtUserValidateHandleSecure  (65824, ... ) == 0x1
 02325   464   NtUserQueryWindow  (65824, 0, ... ) == 0x22c
 02326   464   NtUserQueryWindow  (65824, 1, ... ) == 0x220
 02327   464   NtUserValidateHandleSecure  (65824, ... ) == 0x1
 02328   464   NtUserValidateHandleSecure  (65730, ... ) == 0x1
 02329   464   NtUserQueryWindow  (65730, 0, ... ) == 0xa0
 02330   464   NtUserQueryWindow  (65730, 1, ... ) == 0xe4
 02331   464   NtUserValidateHandleSecure  (65730, ... ) == 0x1
 02332   464   NtUserValidateHandleSecure  (65724, ... ) == 0x1
 02333   464   NtUserQueryWindow  (65724, 0, ... ) == 0xa0
 02334   464   NtUserQueryWindow  (65724, 1, ... ) == 0xe4
 02335   464   NtUserValidateHandleSecure  (65724, ... ) == 0x1
 02336   464   NtUserValidateHandleSecure  (131406, ... ) == 0x1
 02337   464   NtUserQueryWindow  (131406, 0, ... ) == 0x4b4
 02338   464   NtUserQueryWindow  (131406, 1, ... ) == 0x474
 02339   464   NtUserValidateHandleSecure  (131406, ... ) == 0x1
 02340   464   NtUserValidateHandleSecure  (65752, ... ) == 0x1
 02341   464   NtUserQueryWindow  (65752, 0, ... ) == 0x6b8
 02342   464   NtUserQueryWindow  (65752, 1, ... ) == 0x13c
 02343   464   NtUserValidateHandleSecure  (65752, ... ) == 0x1
 02344   464   NtUserValidateHandleSecure  (65718, ... ) == 0x1
 02345   464   NtUserQueryWindow  (65718, 0, ... ) == 0x104
 02346   464   NtUserQueryWindow  (65718, 1, ... ) == 0x108
 02347   464   NtUserValidateHandleSecure  (65718, ... ) == 0x1
 02348   464   NtUserValidateHandleSecure  (65720, ... ) == 0x1
 02349   464   NtUserQueryWindow  (65720, 0, ... ) == 0x120
 02350   464   NtUserQueryWindow  (65720, 1, ... ) == 0x124
 02351   464   NtUserValidateHandleSecure  (65720, ... ) == 0x1
 02352   464   NtUserValidateHandleSecure  (65716, ... ) == 0x1
 02353   464   NtUserQueryWindow  (65716, 0, ... ) == 0xc4
 02354   464   NtUserQueryWindow  (65716, 1, ... ) == 0xc8
 02355   464   NtUserValidateHandleSecure  (65716, ... ) == 0x1
 02356   464   NtUserValidateHandleSecure  (65728, ... ) == 0x1
 02357   464   NtUserQueryWindow  (65728, 0, ... ) == 0x19c
 02358   464   NtUserQueryWindow  (65728, 1, ... ) == 0x1a0
 02359   464   NtUserValidateHandleSecure  (65728, ... ) == 0x1
 02360   464   NtUserValidateHandleSecure  (65690, ... ) == 0x1
 02361   464   NtUserQueryWindow  (65690, 0, ... ) == 0x6b8
 02362   464   NtUserQueryWindow  (65690, 1, ... ) == 0x6bc
 02363   464   NtUserValidateHandleSecure  (65690, ... ) == 0x1
 02364   464   NtUserValidateHandleSecure  (327774, ... ) == 0x1
 02365   464   NtUserQueryWindow  (327774, 0, ... ) == 0x6b8
 02366   464   NtUserQueryWindow  (327774, 1, ... ) == 0x6bc
 02367   464   NtUserValidateHandleSecure  (327774, ... ) == 0x1
 02368   464   NtUserCloseDesktop  (184, ... ) == 0x1
 02369   464   NtUserGetProcessWindowStation  (... ) == 0x1c
 02370   464   NtUserOpenDesktop  ({24, 28, 0x40, 0, 0,  ({24, 28, 0x40, 0, 0, "Disconnect"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0
 02371   464   NtUserGetProcessWindowStation  (... ) == 0x1c
 02372   464   NtUserOpenDesktop  ({24, 28, 0x40, 0, 0,  ({24, 28, 0x40, 0, 0, "Winlogon"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0
 02373   464   NtGdiDeleteObjectApp  (873071841, ... ) == 0x1
 02374   464   NtGdiDeleteObjectApp  (1376388660, ... ) == 0x1
 02375   464   NtUnmapViewOfSection  (-1, 0xb20000, ... ) == 0x0
 02376   464   NtClose  (176, ... ) == 0x0
 02377   464   NtClose  (12, ... ) == 0x0
 02378   464   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xa,}, 4, ... ) == 0x0
 02379   464   NtUnmapViewOfSection  (-1, 0x3d0000, ... ) == 0x0
 02380   464   NtClose  (168, ... ) == 0x0
 02381   464   NtDeviceIoControlFile  (128, 132, 0x0, 0x12e93c, 0x22415c,  (128, 132, 0x0, 0x12e93c, 0x22415c, "U\4\376\14\272\223\15D\243\376U9s\320\267#\210\0\0\0\0\0\0\0\10 \222\0\306\205\337w", 32, 32, ... {status=0x0, info=32}, "U\4\376\14\272\223\15D\243\376U9s\320\267#\210\0\0\0\0\0\0\0\10 \222\0\306\205\337w", ) , 32, 32, ... {status=0x0, info=32},  (128, 132, 0x0, 0x12e93c, 0x22415c, "U\4\376\14\272\223\15D\243\376U9s\320\267#\210\0\0\0\0\0\0\0\10 \222\0\306\205\337w", 32, 32, ... {status=0x0, info=32}, "U\4\376\14\272\223\15D\243\376U9s\320\267#\210\0\0\0\0\0\0\0\10 \222\0\306\205\337w", ) , ) == 0x0
 02382   464   NtDeviceIoControlFile  (128, 132, 0x0, 0x12e904, 0x228168,  (128, 132, 0x0, 0x12e904, 0x228168, "\210\0\0\0\0\0\0\0", 8, 0, ... {status=0x0, info=0}, 0x0, ) , 8, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 02383   464   NtDeviceIoControlFile  (128, 132, 0x0, 0x12e93c, 0x22415c,  (128, 132, 0x0, 0x12e93c, 0x22415c, "\254\253\177yX{\226G\271$\325\21x\245\234\344\244\0\0\0\0\0\0\0\10 \222\0\306\205\337w", 32, 32, ... {status=0x0, info=32}, "\254\253\177yX{\226G\271$\325\21x\245\234\344\244\0\0\0\0\0\0\0\10 \222\0\306\205\337w", ) , 32, 32, ... {status=0x0, info=32},  (128, 132, 0x0, 0x12e93c, 0x22415c, "\254\253\177yX{\226G\271$\325\21x\245\234\344\244\0\0\0\0\0\0\0\10 \222\0\306\205\337w", 32, 32, ... {status=0x0, info=32}, "\254\253\177yX{\226G\271$\325\21x\245\234\344\244\0\0\0\0\0\0\0\10 \222\0\306\205\337w", ) , ) == 0x0
 02384   464   NtDeviceIoControlFile  (128, 132, 0x0, 0x12e904, 0x228168,  (128, 132, 0x0, 0x12e904, 0x228168, "\244\0\0\0\0\0\0\0", 8, 0, ... {status=0x0, info=0}, 0x0, ) , 8, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 02385   464   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x8,}, 4, ... ) == 0x0
 02386   464   NtUserGetAtomName  (49211, 1239032, ... ) == 0xf
 02387   464   NtUserUnregisterClass  (1239092, 1560870912, 1239080, ... ) == 0x1
 02388   464   NtUserGetAtomName  (49213, 1239032, ... ) == 0xd
 02389   464   NtUserUnregisterClass  (1239092, 1560870912, 1239080, ... ) == 0x1
 02390   464   NtUserGetAtomName  (49215, 1239032, ... ) == 0x10
 02391   464   NtUserUnregisterClass  (1239092, 1560870912, 1239080, ... ) == 0x1
 02392   464   NtUserGetAtomName  (49217, 1239032, ... ) == 0x12
 02393   464   NtUserUnregisterClass  (1239092, 1560870912, 1239080, ... ) == 0x1
 02394   464   NtUserGetAtomName  (49219, 1239032, ... ) == 0xd
 02395   464   NtUserUnregisterClass  (1239092, 1560870912, 1239080, ... ) == 0x1
 02396   464   NtUserGetAtomName  (49221, 1239032, ... ) == 0xb
 02397   464   NtUserUnregisterClass  (1239092, 1560870912, 1239080, ... ) == 0x1
 02398   464   NtUserGetAtomName  (49223, 1239032, ... ) == 0xf
 02399   464   NtUserUnregisterClass  (1239092, 1560870912, 1239080, ... ) == 0x1
 02400   464   NtUserGetAtomName  (49225, 1239032, ... ) == 0xd
 02401   464   NtUserUnregisterClass  (1239092, 1560870912, 1239080, ... ) == 0x1
 02402   464   NtUserGetAtomName  (49227, 1239032, ... ) == 0x11
 02403   464   NtUserUnregisterClass  (1239092, 1560870912, 1239080, ... ) == 0x1
 02404   464   NtUserGetAtomName  (49229, 1239032, ... ) == 0xf
 02405   464   NtUserUnregisterClass  (1239092, 1560870912, 1239080, ... ) == 0x1
 02406   464   NtUserGetAtomName  (49231, 1239032, ... ) == 0x11
 02407   464   NtUserUnregisterClass  (1239092, 1560870912, 1239080, ... ) == 0x1
 02408   464   NtUserGetAtomName  (49233, 1239032, ... ) == 0xf
 02409   464   NtUserUnregisterClass  (1239092, 1560870912, 1239080, ... ) == 0x1
 02410   464   NtUserGetAtomName  (49235, 1239032, ... ) == 0xc
 02411   464   NtUserUnregisterClass  (1239092, 1560870912, 1239080, ... ) == 0x1
 02412   464   NtUserGetAtomName  (49237, 1239024, ... ) == 0xd
 02413   464   NtUserUnregisterClass  (1239084, 1560870912, 1239072, ... ) == 0x1
 02414   464   NtUserGetAtomName  (49239, 1239024, ... ) == 0x11
 02415   464   NtUserUnregisterClass  (1239084, 1560870912, 1239072, ... ) == 0x1
 02416   464   NtUserGetAtomName  (49241, 1239032, ... ) == 0xc
 02417   464   NtUserUnregisterClass  (1239092, 1560870912, 1239080, ... ) == 0x1
 02418   464   NtUserGetAtomName  (49243, 1239032, ... ) == 0xe
 02419   464   NtUserUnregisterClass  (1239092, 1560870912, 1239080, ... ) == 0x1
 02420   464   NtUserGetAtomName  (49245, 1239032, ... ) == 0x8
 02421   464   NtUserUnregisterClass  (1239092, 1560870912, 1239080, ... ) == 0x1
 02422   464   NtUserGetAtomName  (49247, 1239032, ... ) == 0xd
 02423   464   NtUserUnregisterClass  (1239092, 1560870912, 1239080, ... ) == 0x1
 02424   464   NtUnmapViewOfSection  (-1, 0x3b0000, ... ) == 0x0
 02425   464   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x6,}, 4, ... ) == 0x0
 02426   464   NtFreeVirtualMemory  (-1, (0x390000), 0, 32768, ... (0x390000), 65536, ) == 0x0
 02427   464   NtUserGetAtomName  (49211, 1239064, ... ) == 0xf
 02428   464   NtUserUnregisterClass  (1239124, 2000486400, 1239112, ... ) == 0x1
 02429   464   NtUserGetAtomName  (49213, 1239064, ... ) == 0xd
 02430   464   NtUserUnregisterClass  (1239124, 2000486400, 1239112, ... ) == 0x1
 02431   464   NtUserGetAtomName  (49215, 1239064, ... ) == 0x10
 02432   464   NtUserUnregisterClass  (1239124, 2000486400, 1239112, ... ) == 0x1
 02433   464   NtUserGetAtomName  (49217, 1239064, ... ) == 0x12
 02434   464   NtUserUnregisterClass  (1239124, 2000486400, 1239112, ... ) == 0x1
 02435   464   NtUserGetAtomName  (49219, 1239064, ... ) == 0xd
 02436   464   NtUserUnregisterClass  (1239124, 2000486400, 1239112, ... ) == 0x1
 02437   464   NtUserGetAtomName  (49221, 1239064, ... ) == 0xb
 02438   464   NtUserUnregisterClass  (1239124, 2000486400, 1239112, ... ) == 0x1
 02439   464   NtUserGetAtomName  (49223, 1239064, ... ) == 0xf
 02440   464   NtUserUnregisterClass  (1239124, 2000486400, 1239112, ... ) == 0x1
 02441   464   NtUserGetAtomName  (49225, 1239064, ... ) == 0xd
 02442   464   NtUserUnregisterClass  (1239124, 2000486400, 1239112, ... ) == 0x1
 02443   464   NtUserGetAtomName  (49227, 1239064, ... ) == 0x11
 02444   464   NtUserUnregisterClass  (1239124, 2000486400, 1239112, ... ) == 0x1
 02445   464   NtUserGetAtomName  (49229, 1239064, ... ) == 0xf
 02446   464   NtUserUnregisterClass  (1239124, 2000486400, 1239112, ... ) == 0x1
 02447   464   NtUserGetAtomName  (49231, 1239064, ... ) == 0x11
 02448   464   NtUserUnregisterClass  (1239124, 2000486400, 1239112, ... ) == 0x1
 02449   464   NtUserGetAtomName  (49233, 1239064, ... ) == 0xf
 02450   464   NtUserUnregisterClass  (1239124, 2000486400, 1239112, ... ) == 0x1
 02451   464   NtUserGetAtomName  (49235, 1239064, ... ) == 0xc
 02452   464   NtUserUnregisterClass  (1239124, 2000486400, 1239112, ... ) == 0x1
 02453   464   NtUserGetAtomName  (49237, 1239056, ... ) == 0xd
 02454   464   NtUserUnregisterClass  (1239116, 2000486400, 1239104, ... ) == 0x1
 02455   464   NtUserGetAtomName  (49239, 1239056, ... ) == 0x11
 02456   464   NtUserUnregisterClass  (1239116, 2000486400, 1239104, ... ) == 0x1
 02457   464   NtUserGetAtomName  (49241, 1239064, ... ) == 0xc
 02458   464   NtUserUnregisterClass  (1239124, 2000486400, 1239112, ... ) == 0x1
 02459   464   NtUserGetAtomName  (49243, 1239064, ... ) == 0xe
 02460   464   NtUserUnregisterClass  (1239124, 2000486400, 1239112, ... ) == 0x1
 02461   464   NtUserGetAtomName  (49245, 1239064, ... ) == 0x8
 02462   464   NtUserUnregisterClass  (1239124, 2000486400, 1239112, ... ) == 0x1
 02463   464   NtUserGetAtomName  (49247, 1239064, ... ) == 0xd
 02464   464   NtUserUnregisterClass  (1239124, 2000486400, 1239112, ... ) == 0x1
 02465   464   NtUserGetAtomName  (49175, 1239064, ... ) == 0x6
 02466   464   NtUserUnregisterClass  (1239124, 2000486400, 1239112, ... ) == 0x1
 02467   464   NtUserGetAtomName  (49177, 1239064, ... ) == 0x6
 02468   464   NtUserUnregisterClass  (1239124, 2000486400, 1239112, ... ) == 0x1
 02469   464   NtUserGetAtomName  (49176, 1239064, ... ) == 0x4
 02470   464   NtUserUnregisterClass  (1239124, 2000486400, 1239112, ... ) == 0x1
 02471   464   NtUserGetAtomName  (49178, 1239064, ... ) == 0x7
 02472   464   NtUserUnregisterClass  (1239124, 2000486400, 1239112, ... ) == 0x1
 02473   464   NtUserGetAtomName  (49180, 1239064, ... ) == 0x8
 02474   464   NtUserUnregisterClass  (1239124, 2000486400, 1239112, ... ) == 0x1
 02475   464   NtUserGetAtomName  (49182, 1239064, ... ) == 0x9
 02476   464   NtUserUnregisterClass  (1239124, 2000486400, 1239112, ... ) == 0x1
 02477   464   NtUserGetAtomName  (49179, 1239056, ... ) == 0x9
 02478   464   NtUserUnregisterClass  (1239116, 2000486400, 1239104, ... ) == 0x1
 02479   464   NtUserGetAtomName  (49256, 1239064, ... ) == 0x7
 02480   464   NtUserUnregisterClass  (1239124, 2000486400, 1239112, ... ) == 0x1
 02481   464   NtUserGetAtomName  (49258, 1239064, ... ) == 0xd
 02482   464   NtUserUnregisterClass  (1239124, 2000486400, 1239112, ... ) == 0x1
 02483   464   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 02484   464   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x7,}, 4, ... ) == 0x0
 02485   464   NtUserQueryWindow  (65670, 0, ... ) == 0x6b8
 02486   464   NtUserQueryWindow  (65670, 1, ... ) == 0x6bc
 02487   464   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x3,}, 4, ... ) == 0x0
 02488   464   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x4,}, 4, ... ) == 0x0
 02489   464   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x5,}, 4, ... ) == 0x0
 02490   464   NtClose  (88, ... ) == 0x0
 02491   464   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize"}, ... 88, ) }, ... 88, ) == 0x0
 02492   464   NtQueryValueKey  (88,  (88, "DisableMetaFiles", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02493   464   NtClose  (88, ... ) == 0x0
 02494   464   NtClose  (92, ... ) == 0x0
 02495   464   NtClose  (128, ... ) == 0x0
 02496   464   NtFreeVirtualMemory  (-1, (0x0), 0, 32768, ... ) == STATUS_MEMORY_NOT_ALLOCATED
 02497   464   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 2089878865, 1465662019, 1329876553, 1935430487}  (24, {20, 48, new_msg, 0, 2089878865, 1465662019, 1329876553, 1935430487} "\0\0\0\0\3\0\1\0algs.exe\0\0\0\0" ... {20, 48, reply, 0, 1036, 464, 58005, 0} "\0\0\0\0\3\0\1\0\0\0\0\0.exe\0\0\0\0" )  ... {20, 48, reply, 0, 1036, 464, 58005, 0}  (24, {20, 48, new_msg, 0, 2089878865, 1465662019, 1329876553, 1935430487} "\0\0\0\0\3\0\1\0algs.exe\0\0\0\0" ... {20, 48, reply, 0, 1036, 464, 58005, 0} "\0\0\0\0\3\0\1\0\0\0\0\0.exe\0\0\0\0" )  ) == 0x0
 02498   464   NtTerminateProcess  (-1, 0, ...
NtAddAtom(>)	1	NtUserGetObjectInformation(>)	1	NtContinue(>)	4	NtSetInformationFile(>)	24
NtAdjustPrivilegesToken(>)	1	NtUserGetThreadDesktop(>)	1	NtCreateSemaphore(>)	4	NtDeviceIoControlFile(>)	26
NtCallbackReturn(>)	1	NtCreateIoCompletion(>)	2	NtDuplicateObject(>)	4	NtCreateSection(>)	30
NtConnectPort(>)	1	NtCreateThread(>)	2	NtFsControlFile(>)	4	NtOpenProcess(>)	30
NtCreateMutant(>)	1	NtGdiCreateSolidBrush(>)	2	NtOpenThreadToken(>)	4	NtQueryDefaultLocale(>)	30
NtDuplicateToken(>)	1	NtGdiDeleteObjectApp(>)	2	NtSetEvent(>)	4	NtQueryVirtualMemory(>)	36
NtEnumerateValueKey(>)	1	NtGdiHfontCreate(>)	2	NtGdiGetStockObject(>)	5	NtOpenFile(>)	44
NtGdiCreateBitmap(>)	1	NtOpenDirectoryObject(>)	2	NtUserBuildHwndList(>)	5	NtUserUnregisterClass(>)	47
NtGdiInit(>)	1	NtRegisterThreadTerminatePort(>)	2	NtUserGetProcessWindowStation(>)	5	NtUserGetAtomName(>)	48
NtGdiQueryFontAssocInfo(>)	1	NtResumeThread(>)	2	NtQueryVolumeInformationFile(>)	6	NtQueryValueKey(>)	49
NtGdiSelectBitmap(>)	1	NtSetEventBoostPriority(>)	2	NtFreeVirtualMemory(>)	8	NtAllocateVirtualMemory(>)	50
NtNotifyChangeKey(>)	1	NtSetInformationProcess(>)	2	NtOpenProcessToken(>)	8	NtUserFindExistingCursorIcon(>)	50
NtOpenEvent(>)	1	NtTestAlert(>)	2	NtSetValueKey(>)	8	NtUnmapViewOfSection(>)	58
NtOpenKeyedEvent(>)	1	NtWaitForSingleObject(>)	2	NtCreateKey(>)	9	NtOpenSection(>)	59
NtOpenSymbolicLinkObject(>)	1	NtDelayExecution(>)	3	NtQueryDefaultUILanguage(>)	10	NtQueryAttributesFile(>)	61
NtQueryFullAttributesFile(>)	1	NtGdiCreateCompatibleDC(>)	3	NtQuerySection(>)	10	NtUserRegisterClassExWOW(>)	62
NtQueryInformationThread(>)	1	NtQueryPerformanceCounter(>)	3	NtQueryInformationProcess(>)	11	NtReadFile(>)	79
NtQueryInstallUILanguage(>)	1	NtSetInformationObject(>)	3	NtSetInformationThread(>)	11	NtQuerySystemInformation(>)	81
NtQueryObject(>)	1	NtTerminateProcess(>)	3	NtUserSystemParametersInfo(>)	12	NtOpenKey(>)	97
NtQuerySymbolicLinkObject(>)	1	NtUserCallNoParam(>)	3	NtOpenProcessTokenEx(>)	13	NtFlushInstructionCache(>)	103
NtQuerySystemTime(>)	1	NtUserCallOneParam(>)	3	NtOpenThreadTokenEx(>)	13	NtWriteVirtualMemory(>)	116
NtSecureConnectPort(>)	1	NtUserGetWindowDC(>)	3	NtRequestWaitReplyPort(>)	14	NtMapViewOfSection(>)	117
NtUserBuildNameList(>)	1	NtUserOpenDesktop(>)	3	NtCreateEvent(>)	15	NtUserValidateHandleSecure(>)	130
NtUserCloseDesktop(>)	1	NtUserRegisterWindowMessage(>)	3	NtQueryDebugFilterState(>)	16	NtUserQueryWindow(>)	160
NtUserCreateWindowEx(>)	1	NtWaitForMultipleObjects(>)	3	NtQueryInformationToken(>)	17	NtClose(>)	245
NtUserGetDC(>)	1	NtWriteFile(>)	3	NtCreateFile(>)	19	NtProtectVirtualMemory(>)	334
NtUserGetGUIThreadInfo(>)	1	NtAccessCheck(>)	4	NtQueryInformationFile(>)	24