Summary:


NtAddAtom(>)  1 
NtUserGetThreadDesktop(>)  1 
NtUserFindWindowEx(>)  4 
NtUserRegisterWindowMessage(>)  19 

NtAdjustPrivilegesToken(>)  1 
NtAccessCheck(>)  2 
NtWaitForSingleObject(>)  4 
NtCreateSection(>)  20 

NtCallbackReturn(>)  1 
NtCreateIoCompletion(>)  2 
NtDuplicateObject(>)  5 
NtOpenProcessTokenEx(>)  25 

NtCreateProcessEx(>)  1 
NtCreateKey(>)  2 
NtGdiGetStockObject(>)  5 
NtOpenThreadTokenEx(>)  25 

NtDuplicateToken(>)  1 
NtCreateThread(>)  2 
NtSetInformationFile(>)  5 
NtOpenProcess(>)  26 

NtEnumerateValueKey(>)  1 
NtEnumerateKey(>)  2 
NtWriteFile(>)  5 
NtQueryAttributesFile(>)  27 

NtGdiCreateBitmap(>)  1 
NtGdiCreateSolidBrush(>)  2 
NtFreeVirtualMemory(>)  6 
NtQuerySystemInformation(>)  30 

NtGdiInit(>)  1 
NtOpenDirectoryObject(>)  2 
NtOpenProcessToken(>)  6 
NtQueryInformationToken(>)  31 

NtGdiQueryFontAssocInfo(>)  1 
NtOpenEvent(>)  2 
NtQueryVolumeInformationFile(>)  6 
NtReadVirtualMemory(>)  33 

NtGdiSelectBitmap(>)  1 
NtOpenSymbolicLinkObject(>)  2 
NtCreateFile(>)  7 
NtOpenFile(>)  35 

NtNotifyChangeKey(>)  1 
NtQueryInstallUILanguage(>)  2 
NtSetInformationProcess(>)  7 
NtQueryValueKey(>)  40 

NtOpenKeyedEvent(>)  1 
NtQuerySymbolicLinkObject(>)  2 
NtQueryDefaultUILanguage(>)  8 
NtUnmapViewOfSection(>)  40 

NtQueryInformationJobObject(>)  1 
NtRaiseException(>)  2 
NtQuerySection(>)  8 
NtUserUnregisterClass(>)  45 

NtQueryObject(>)  1 
NtResumeThread(>)  2 
NtSetInformationThread(>)  8 
NtOpenSection(>)  48 

NtQueryPerformanceCounter(>)  1 
NtTerminateProcess(>)  2 
NtCreateEvent(>)  9 
NtUserFindExistingCursorIcon(>)  48 

NtQuerySystemTime(>)  1 
NtCreateSemaphore(>)  3 
NtRequestWaitReplyPort(>)  9 
NtAllocateVirtualMemory(>)  56 

NtReadFile(>)  1 
NtGdiCreateCompatibleDC(>)  3 
NtContinue(>)  10 
NtWriteVirtualMemory(>)  61 

NtRegisterThreadTerminatePort(>)  1 
NtOpenMutant(>)  3 
NtQueryDirectoryFile(>)  10 
NtUserRegisterClassExWOW(>)  63 

NtSecureConnectPort(>)  1 
NtSetInformationObject(>)  3 
NtUserSystemParametersInfo(>)  10 
NtUserGetClassInfo(>)  82 

NtSetSecurityObject(>)  1 
NtFsControlFile(>)  4 
NtFlushInstructionCache(>)  11 
NtMapViewOfSection(>)  84 

NtTestAlert(>)  1 
NtOpenThreadToken(>)  4 
NtQueryInformationFile(>)  13 
NtProtectVirtualMemory(>)  99 

NtUserCallNoParam(>)  1 
NtQueryVirtualMemory(>)  4 
NtQueryInformationProcess(>)  14 
NtOpenKey(>)  108 

NtUserCallOneParam(>)  1 
NtReleaseMutant(>)  4 
NtQueryDebugFilterState(>)  15 
NtUserQueryWindow(>)  156 

NtUserGetDC(>)  1 
NtUserBuildHwndList(>)  4 
NtQueryDefaultLocale(>)  15 
NtClose(>)  201 


Trace:
 00001   476   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002   476   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00003   476   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00004   476   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1376256, 1048576, ) == 0x0
 00005   476   NtAllocateVirtualMemory  (-1, 1376256, 0, 4096, 4096, 4, ... 1376256, 4096, ) == 0x0
 00006   476   NtAllocateVirtualMemory  (-1, 1380352, 0, 8192, 4096, 4, ... 1380352, 8192, ) == 0x0
 00007   476   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00008   476   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2424832, 65536, ) == 0x0
 00009   476   NtAllocateVirtualMemory  (-1, 2424832, 0, 24576, 4096, 4, ... 2424832, 24576, ) == 0x0
 00010   476   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00011   476   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00012   476   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00013   476   NtClose  (12, ... ) == 0x0
 00014   476   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00015   476   NtQueryVolumeInformationFile  (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00016   476   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER
 00017   476   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018   476   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019   476   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0
 00020   476   NtClose  (16, ... ) == 0x0
 00021   476   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00022   476   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00023   476   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00024   476   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1385272, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2490368, 18481152}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1385272, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2490368, 18481152}, {0, 0, 0}, 200, 44, ) == 0x0
 00025   476   NtClose  (16, ... ) == 0x0
 00026   476   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00027   476   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00028   476   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00029   476   NtQueryVirtualMemory  (-1, 0x260000, Basic, 28, ... {BaseAddress=0x260000,AllocationBase=0x260000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00030   476   NtAllocateVirtualMemory  (-1, 2490368, 0, 4096, 4096, 4, ... 2490368, 4096, ) == 0x0
 00031   476   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" ... {28, 56, reply, 0, 464, 476, 1527, 0} "\320\3\30\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" )  ... {28, 56, reply, 0, 464, 476, 1527, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" ... {28, 56, reply, 0, 464, 476, 1527, 0} "\320\3\30\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" )  ) == 0x0
 00032   476   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00033   476   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00034   476   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00035   476   NtClose  (16, ... ) == 0x0
 00036   476   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00037   476   NtOpenMutant  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0
 00038   476   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 28, ) == 0x0
 00039   476   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x270000), 0x0, 90112, ) == 0x0
 00040   476   NtClose  (28, ... ) == 0x0
 00041   476   NtQueryDefaultLocale  (0, 2012046252, ... ) == 0x0
 00042   476   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0
 00043   476   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x290000), 0x0, 212992, ) == 0x0
 00044   476   NtClose  (28, ... ) == 0x0
 00045   476   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0
 00046   476   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2d0000), 0x0, 266240, ) == 0x0
 00047   476   NtQuerySection  (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00048   476   NtClose  (28, ... ) == 0x0
 00049   476   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0
 00050   476   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x320000), 0x0, 24576, ) == 0x0
 00051   476   NtClose  (28, ... ) == 0x0
 00052   476   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00053   476   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00054   476   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00055   476   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" ... {28, 56, reply, 0, 464, 476, 1548, 0} "\260.\27\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" )  ... {28, 56, reply, 0, 464, 476, 1548, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" ... {28, 56, reply, 0, 464, 476, 1548, 0} "\260.\27\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" )  ) == 0x0
 00056   476   NtProtectVirtualMemory  (-1, (0x45d000), 204800, 4, ... (0x45d000), 204800, 128, ) == 0x0
 00057   476   NtProtectVirtualMemory  (-1, (0x45d000), 204800, 128, ... (0x45d000), 204800, 4, ) == 0x0
 00058   476   NtFlushInstructionCache  (-1, 4575232, 204800, ... ) == 0x0
 00059   476   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "user32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00060   476   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0
 00061   476   NtClose  (28, ... ) == 0x0
 00062   476   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00063   476   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0
 00064   476   NtClose  (28, ... ) == 0x0
 00065   476   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00066   476   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0
 00067   476   NtClose  (28, ... ) == 0x0
 00068   476   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00069   476   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0
 00070   476   NtClose  (28, ... ) == 0x0
 00071   476   NtProtectVirtualMemory  (-1, (0x45d000), 204800, 4, ... (0x45d000), 204800, 64, ) == 0x0
 00072   476   NtProtectVirtualMemory  (-1, (0x45d000), 204800, 64, ... (0x45d000), 204800, 4, ) == 0x0
 00073   476   NtFlushInstructionCache  (-1, 4575232, 204800, ... ) == 0x0
 00074   476   NtOpenProcessToken  (-1, 0x8, ... 28, ) == 0x0
 00075   476   NtQueryInformationToken  (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00076   476   NtClose  (28, ... ) == 0x0
 00077   476   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00078   476   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00079   476   NtClose  (28, ... ) == 0x0
 00080   476   NtAllocateVirtualMemory  (-1, 1388544, 0, 4096, 4096, 4, ... 1388544, 4096, ) == 0x0
 00081   476   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00082   476   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00083   476   NtQueryValueKey  (28,  (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00084   476   NtClose  (28, ... ) == 0x0
 00085   476   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0
 00086   476   NtQueryValueKey  (28,  (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00087   476   NtClose  (28, ... ) == 0x0
 00088   476   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0
 00089   476   NtSetInformationObject  (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0
 00090   476   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00091   476   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00092   476   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0}  (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0} "\210\6\32\1\0\0\0\0\314\4\23\0!\215\30\34\3\0\0\0\234\6\32\1$\1\0\0" ... {28, 56, reply, 0, 464, 476, 1559, 0} "XQ\26\0\0\0\0\0\0\0\0\0!\215\30\34\3\0\0\0\234\6\32\1$\1\0\0" )  ... {28, 56, reply, 0, 464, 476, 1559, 0}  (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0} "\210\6\32\1\0\0\0\0\314\4\23\0!\215\30\34\3\0\0\0\234\6\32\1$\1\0\0" ... {28, 56, reply, 0, 464, 476, 1559, 0} "XQ\26\0\0\0\0\0\0\0\0\0!\215\30\34\3\0\0\0\234\6\32\1$\1\0\0" )  ) == 0x0
 00093   476   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00094   476   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x4a0000), 0x0, 1060864, ) == 0x0
 00095   476   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 36, ) == 0x0
 00096   476   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00097   476   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482020, ) == 0x0
 00098   476   NtQueryInformationToken  (-2147482020, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00099   476   NtQueryInformationToken  (-2147482020, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00100   476   NtClose  (-2147482020, ... ) == 0x0
 00101   476   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 5963776, 4096, ) == 0x0
 00102   476   NtFreeVirtualMemory  (-1, (0x5b0000), 4096, 32768, ... (0x5b0000), 4096, ) == 0x0
 00103   476   NtDuplicateObject  (-1, 40, -1, 0x0, 0, 2, ... 48, ) == 0x0
 00104   476   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00105   476   NtQueryValueKey  (-2147482020,  (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00106   476   NtClose  (-2147482020, ... ) == 0x0
 00107   476   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00108   476   NtQueryValueKey  (-2147482020,  (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00109   476   NtClose  (-2147482020, ... ) == 0x0
 00110   476   NtQueryDefaultLocale  (0, -136246772, ... ) == 0x0
 00111   476   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00112   476   NtUserCallNoParam  (24, ... ) == 0x0
 00113   476   NtGdiCreateCompatibleDC  (0, ...
 00114   476   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 5963776, 4096, ) == 0x0
 00113   476   NtGdiCreateCompatibleDC  ... ) == 0xf010448
 00115   476   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00116   476   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00117   476   NtGdiCreateBitmap  (8, 8, 1, 1, 2010393708, ... ) == 0xb05044f
 00118   476   NtGdiCreateSolidBrush  (0, 0, ...
 00119   476   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 9175040, 4096, ) == 0x0
 00118   476   NtGdiCreateSolidBrush  ... ) == 0x8100452
 00120   476   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00121   476   NtGdiCreateCompatibleDC  (0, ... ) == 0x6010453
 00122   476   NtGdiSelectBitmap  (100729939, 184878159, ... ) == 0x185000f
 00123   476   NtUserGetThreadDesktop  (476, 0, ... ) == 0x2c
 00124   476   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 52, ) }, ... 52, ) == 0x0
 00125   476   NtQueryValueKey  (52,  (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00126   476   NtClose  (52, ... ) == 0x0
 00127   476   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00128   476   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 673, 128, 0, ... ) == 0x810cc017
 00129   476   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00130   476   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 674, 128, 0, ... ) == 0x810cc01c
 00131   476   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00132   476   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 675, 128, 0, ... ) == 0x810cc01e
 00133   476   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00134   476   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 676, 128, 0, ... ) == 0x810c8002
 00135   476   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10013
 00136   476   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 677, 128, 0, ... ) == 0x810cc018
 00137   476   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00138   476   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 678, 128, 0, ... ) == 0x810cc01a
 00139   476   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00140   476   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 679, 128, 0, ... ) == 0x810cc01d
 00141   476   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00142   476   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 681, 128, 0, ... ) == 0x810cc026
 00143   476   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00144   476   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 680, 128, 0, ... ) == 0x810cc019
 00145   476   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810cc020
 00146   476   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810cc022
 00147   476   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ...
 00148   476   NtAllocateVirtualMemory  (-1, 6139904, 0, 4096, 4096, 32, ... 6139904, 4096, ) == 0x0
 00147   476   NtUserRegisterClassExWOW  ... ) == 0x810cc023
 00149   476   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810cc024
 00150   476   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810cc025
 00151   476   NtCallbackReturn  (0, 0, 0, ...
 00152   476   NtGdiInit  (... ) == 0x1
 00153   476   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00154   476   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00155   476   NtAllocateVirtualMemory  (-1, 0, 0, 17506, 4096, 4, ... 9240576, 20480, ) == 0x0
 00156   476   NtFreeVirtualMemory  (-1, (0x8d0000), 0, 32768, ... (0x8d0000), 20480, ) == 0x0
 00157   476   NtQueryVirtualMemory  (-1, 0x401000, Basic, 52, ... {BaseAddress=0x401000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0x23000,State=0x1000,Protect=0x80,Type=0x1000000,}, 28, ) == 0x0
 00158   476   NtQueryVirtualMemory  (-1, 0x45754c, Basic, 28, ... {BaseAddress=0x457000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0x6000,State=0x1000,Protect=0x4,Type=0x1000000,}, 28, ) == 0x0
 00159   476   NtAllocateVirtualMemory  (-1, 1392640, 0, 4096, 4096, 4, ... 1392640, 4096, ) == 0x0
 00160   476   NtProtectVirtualMemory  (-1, (0x4001f0), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00161   476   NtProtectVirtualMemory  (-1, (0x4001f0), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00162   476   NtProtectVirtualMemory  (-1, (0x400218), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00163   476   NtProtectVirtualMemory  (-1, (0x400218), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00164   476   NtProtectVirtualMemory  (-1, (0x400240), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00165   476   NtProtectVirtualMemory  (-1, (0x400240), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00166   476   NtProtectVirtualMemory  (-1, (0x400268), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00167   476   NtProtectVirtualMemory  (-1, (0x400268), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00168   476   NtProtectVirtualMemory  (-1, (0x400290), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00169   476   NtProtectVirtualMemory  (-1, (0x400290), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00170   476   NtProtectVirtualMemory  (-1, (0x4002b8), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00171   476   NtProtectVirtualMemory  (-1, (0x4002b8), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00172   476   NtProtectVirtualMemory  (-1, (0x4002e0), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00173   476   NtProtectVirtualMemory  (-1, (0x4002e0), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00174   476   NtProtectVirtualMemory  (-1, (0x400308), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00175   476   NtProtectVirtualMemory  (-1, (0x400308), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00176   476   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00177   476   NtUserFindWindowEx  (0, 0,  (0, 0, "WispWindowClass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00178   476   NtUserBuildHwndList  (0, 0, 0, 0, 64, ... (0x3004c, 0x100dc, 0x100aa, 0x100a8, 0x100a6, 0x20060, 0x100a0, 0x1007e, 0x10074, 0x10068, 0x3004a, 0x10066, 0x3003c, 0x10098, 0x1008c, 0x1007c, 0x10026, 0x100d8, 0x100d0, 0x100be, 0x100bc, 0x100ba, 0x100b8, 0x100b6, 0x100b4, 0x100b0, 0x100ae, 0x20064, 0x100cc, 0x100c2, 0x100c0, 0x100ac, 0x20062, 0x1006c, 0x50050, 0x40054, 0x5004e, 0x10082, 0x10076, 0x1, ), 40, ) == 0x0
 00179   476   NtUserQueryWindow  (196684, 0, ... ) == 0x768
 00180   476   NtUserQueryWindow  (196684, 1, ... ) == 0x77c
 00181   476   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {1896, 0}, ... 52, ) == 0x0
 00182   476   NtReadVirtualMemory  (52, 0x400000, 64, ...  (52, 0x400000, 64, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 64, ) , 64, ) == 0x0
 00183   476   NtReadVirtualMemory  (52, 0x4b1c86, 4, ...
 00184   476   NtContinue  (-136250212, 0, ...
 00183   476   NtReadVirtualMemory  ... ) == STATUS_PARTIAL_COPY
 00185   476   NtReadVirtualMemory  (52, 0x4c91a0, 256, ...
 00186   476   NtContinue  (-136250212, 0, ...
 00185   476   NtReadVirtualMemory  ... ) == STATUS_PARTIAL_COPY
 00187   476   NtClose  (52, ... ) == 0x0
 00188   476   NtUserQueryWindow  (65756, 0, ... ) == 0x768
 00189   476   NtUserQueryWindow  (65756, 1, ... ) == 0x77c
 00190   476   NtUserQueryWindow  (65706, 0, ... ) == 0x7d8
 00191   476   NtUserQueryWindow  (65706, 1, ... ) == 0x7dc
 00192   476   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {2008, 0}, ... 52, ) == 0x0
 00193   476   NtReadVirtualMemory  (52, 0x400000, 64, ...  (52, 0x400000, 64, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \1\0\0", 64, ) , 64, ) == 0x0
 00194   476   NtReadVirtualMemory  (52, 0x4b1c86, 4, ...  (52, 0x4b1c86, 4, ... "\0\0\0\0", 4, ) , 4, ) == 0x0
 00195   476   NtReadVirtualMemory  (52, 0x4c91a0, 256, ...  (52, 0x4c91a0, 256, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, ) , 256, ) == 0x0
 00196   476   NtClose  (52, ... ) == 0x0
 00197   476   NtUserQueryWindow  (65704, 0, ... ) == 0x7d8
 00198   476   NtUserQueryWindow  (65704, 1, ... ) == 0x7dc
 00199   476   NtUserQueryWindow  (65702, 0, ... ) == 0x7d8
 00200   476   NtUserQueryWindow  (65702, 1, ... ) == 0x7dc
 00201   476   NtUserQueryWindow  (131168, 0, ... ) == 0x7d8
 00202   476   NtUserQueryWindow  (131168, 1, ... ) == 0x7dc
 00203   476   NtUserQueryWindow  (65696, 0, ... ) == 0x768
 00204   476   NtUserQueryWindow  (65696, 1, ... ) == 0x77c
 00205   476   NtUserQueryWindow  (65662, 0, ... ) == 0x768
 00206   476   NtUserQueryWindow  (65662, 1, ... ) == 0x77c
 00207   476   NtUserQueryWindow  (65652, 0, ... ) == 0x768
 00208   476   NtUserQueryWindow  (65652, 1, ... ) == 0x77c
 00209   476   NtUserQueryWindow  (65640, 0, ... ) == 0x768
 00210   476   NtUserQueryWindow  (65640, 1, ... ) == 0x77c
 00211   476   NtUserQueryWindow  (196682, 0, ... ) == 0x768
 00212   476   NtUserQueryWindow  (196682, 1, ... ) == 0x77c
 00213   476   NtUserQueryWindow  (65638, 0, ... ) == 0x768
 00214   476   NtUserQueryWindow  (65638, 1, ... ) == 0x77c
 00215   476   NtUserQueryWindow  (196668, 0, ... ) == 0x768
 00216   476   NtUserQueryWindow  (196668, 1, ... ) == 0x77c
 00217   476   NtUserQueryWindow  (65688, 0, ... ) == 0x768
 00218   476   NtUserQueryWindow  (65688, 1, ... ) == 0x77c
 00219   476   NtUserQueryWindow  (65676, 0, ... ) == 0x768
 00220   476   NtUserQueryWindow  (65676, 1, ... ) == 0x77c
 00221   476   NtUserQueryWindow  (65660, 0, ... ) == 0x768
 00222   476   NtUserQueryWindow  (65660, 1, ... ) == 0x76c
 00223   476   NtUserQueryWindow  (65574, 0, ... ) == 0x268
 00224   476   NtUserQueryWindow  (65574, 1, ... ) == 0x2c0
 00225   476   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {616, 0}, ... 52, ) == 0x0
 00226   476   NtReadVirtualMemory  (52, 0x400000, 64, ...  (52, 0x400000, 64, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 64, ) , 64, ) == 0x0
 00227   476   NtReadVirtualMemory  (52, 0x4b1c86, 4, ...  (52, 0x4b1c86, 4, ... "\0\0\0\0", 4, ) , 4, ) == 0x0
 00228   476   NtReadVirtualMemory  (52, 0x4c91a0, 256, ...  (52, 0x4c91a0, 256, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, ) , 256, ) == 0x0
 00229   476   NtClose  (52, ... ) == 0x0
 00230   476   NtUserQueryWindow  (65752, 0, ... ) == 0x104
 00231   476   NtUserQueryWindow  (65752, 1, ... ) == 0x108
 00232   476   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {260, 0}, ... 52, ) == 0x0
 00233   476   NtReadVirtualMemory  (52, 0x400000, 64, ...  (52, 0x400000, 64, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 64, ) , 64, ) == 0x0
 00234   476   NtReadVirtualMemory  (52, 0x4b1c86, 4, ...
 00235   476   NtContinue  (-136250212, 0, ...
 00234   476   NtReadVirtualMemory  ... ) == STATUS_PARTIAL_COPY
 00236   476   NtReadVirtualMemory  (52, 0x4c91a0, 256, ...
 00237   476   NtContinue  (-136250212, 0, ...
 00236   476   NtReadVirtualMemory  ... ) == STATUS_PARTIAL_COPY
 00238   476   NtClose  (52, ... ) == 0x0
 00239   476   NtUserQueryWindow  (65744, 0, ... ) == 0x104
 00240   476   NtUserQueryWindow  (65744, 1, ... ) == 0x108
 00241   476   NtUserQueryWindow  (65726, 0, ... ) == 0x7e0
 00242   476   NtUserQueryWindow  (65726, 1, ... ) == 0x7e4
 00243   476   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {2016, 0}, ... 52, ) == 0x0
 00244   476   NtReadVirtualMemory  (52, 0x400000, 64, ...  (52, 0x400000, 64, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\0", 64, ) , 64, ) == 0x0
 00245   476   NtReadVirtualMemory  (52, 0x4b1c86, 4, ...  (52, 0x4b1c86, 4, ... "\377\0\377\377", 4, ) , 4, ) == 0x0
 00246   476   NtReadVirtualMemory  (52, 0x4c91a0, 256, ...  (52, 0x4c91a0, 256, ... "\210fvx\210x\206wfvGe$\306d\21\26\210ls\210\210\250g\207\210hhx\207xhvwdfF|d\21\27\210\206hx\250\252\206\210\207v\207\210x\207\207gfv4F\306G\21\21\210\206\207\210\212\250\250h\210\207x\210\210wvwgFD$d!\21\21x\250g\210\212\252\250\206\210\207w\210\207\207wvvgBGd\21\21\21\210\212\203\210\250\252\212\210x\210w\210\210xwgcd%F\1\21\21\21\27\212\250\210\212\252\252\210f\210\207x\210\207w7fR@`\21\21\21\21\21\210\2508\212\252\250\250\210gw\21088vvu$$!\21\21\21\21\21\30\210\210\210\212\252\210\206vgw\210\203wsb`\7\21\21\21\21\21\21\21\210\203\210\210\210\210\207vvwwwsf4\7\21\21\21\21\21\21\21\21\30\210\210\210\210\210wGwvwww5\2\21\21\21\21\21\21", 256, ) , 256, ) == 0x0
 00247   476   NtClose  (52, ... ) == 0x0
 00248   476   NtUserQueryWindow  (65724, 0, ... ) == 0x7e0
 00249   476   NtUserQueryWindow  (65724, 1, ... ) == 0x7e4
 00250   476   NtUserQueryWindow  (65722, 0, ... ) == 0x7e0
 00251   476   NtUserQueryWindow  (65722, 1, ... ) == 0x7e4
 00252   476   NtUserQueryWindow  (65720, 0, ... ) == 0x7e0
 00253   476   NtUserQueryWindow  (65720, 1, ... ) == 0x7e4
 00254   476   NtUserQueryWindow  (65718, 0, ... ) == 0x7e0
 00255   476   NtUserQueryWindow  (65718, 1, ... ) == 0x7e4
 00256   476   NtUserQueryWindow  (65716, 0, ... ) == 0x7e0
 00257   476   NtUserQueryWindow  (65716, 1, ... ) == 0x7e4
 00258   476   NtUserQueryWindow  (65712, 0, ... ) == 0x7e0
 00259   476   NtUserQueryWindow  (65712, 1, ... ) == 0x7e4
 00260   476   NtUserQueryWindow  (65710, 0, ... ) == 0x7e0
 00261   476   NtUserQueryWindow  (65710, 1, ... ) == 0x7e4
 00262   476   NtUserQueryWindow  (131172, 0, ... ) == 0x7ec
 00263   476   NtUserQueryWindow  (131172, 1, ... ) == 0x7f0
 00264   476   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {2028, 0}, ... 52, ) == 0x0
 00265   476   NtReadVirtualMemory  (52, 0x400000, 64, ...  (52, 0x400000, 64, ... "\301\0\0\0\0\1\0\0\377\356\377\356\11\0\0\0\11\0\0\0\0\376\0\0\0\0\20\0\0 \0\0\0\2\0\0\0 \0\0q\0\0\0\377\357\375\177\0\0\10\6\0\0\0\0\0\0\0\0\0\0\0\0", 64, ) , 64, ) == 0x0
 00266   476   NtReadVirtualMemory  (52, 0x4b1c86, 4, ...  (52, 0x4b1c86, 4, ... "\0\0\0\0", 4, ) , 4, ) == 0x0
 00267   476   NtReadVirtualMemory  (52, 0x4c91a0, 256, ...  (52, 0x4c91a0, 256, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, ) , 256, ) == 0x0
 00268   476   NtClose  (52, ... ) == 0x0
 00269   476   NtUserQueryWindow  (65740, 0, ... ) == 0x768
 00270   476   NtUserQueryWindow  (65740, 1, ... ) == 0x114
 00271   476   NtUserQueryWindow  (65730, 0, ... ) == 0x768
 00272   476   NtUserQueryWindow  (65730, 1, ... ) == 0x114
 00273   476   NtUserQueryWindow  (65728, 0, ... ) == 0x768
 00274   476   NtUserQueryWindow  (65728, 1, ... ) == 0x77c
 00275   476   NtUserQueryWindow  (65708, 0, ... ) == 0x7d8
 00276   476   NtUserQueryWindow  (65708, 1, ... ) == 0x7dc
 00277   476   NtUserQueryWindow  (131170, 0, ... ) == 0x7d0
 00278   476   NtUserQueryWindow  (131170, 1, ... ) == 0x7d4
 00279   476   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {2000, 0}, ... 52, ) == 0x0
 00280   476   NtReadVirtualMemory  (52, 0x400000, 64, ...  (52, 0x400000, 64, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0", 64, ) , 64, ) == 0x0
 00281   476   NtReadVirtualMemory  (52, 0x4b1c86, 4, ...
 00282   476   NtContinue  (-136250212, 0, ...
 00281   476   NtReadVirtualMemory  ... ) == STATUS_PARTIAL_COPY
 00283   476   NtReadVirtualMemory  (52, 0x4c91a0, 256, ...
 00284   476   NtContinue  (-136250212, 0, ...
 00283   476   NtReadVirtualMemory  ... ) == STATUS_PARTIAL_COPY
 00285   476   NtClose  (52, ... ) == 0x0
 00286   476   NtUserQueryWindow  (65644, 0, ... ) == 0x768
 00287   476   NtUserQueryWindow  (65644, 1, ... ) == 0x7a8
 00288   476   NtUserQueryWindow  (327760, 0, ... ) == 0x768
 00289   476   NtUserQueryWindow  (327760, 1, ... ) == 0x76c
 00290   476   NtUserQueryWindow  (262228, 0, ... ) == 0x768
 00291   476   NtUserQueryWindow  (262228, 1, ... ) == 0x76c
 00292   476   NtUserQueryWindow  (327758, 0, ... ) == 0x768
 00293   476   NtUserQueryWindow  (327758, 1, ... ) == 0x76c
 00294   476   NtUserQueryWindow  (65666, 0, ... ) == 0x768
 00295   476   NtUserQueryWindow  (65666, 1, ... ) == 0x76c
 00296   476   NtUserQueryWindow  (65654, 0, ... ) == 0x768
 00297   476   NtUserQueryWindow  (65654, 1, ... ) == 0x76c
 00298   476   NtRaiseException  (1242696, 1241956, 1, ...
 00299   476   NtContinue  (1240752, 0, ...
 00300   476   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 52, ) }, ... 52, ) == 0x0
 00301   476   NtOpenMutant  (0x120001, {24, 52, 0x2, 0, 0,  (0x120001, {24, 52, 0x2, 0, 0, "DBWinMutex"}, ... 56, ) }, ... 56, ) == 0x0
 00302   476   NtWaitForSingleObject  (56, 0, 0x0, ... ) == 0x0
 00303   476   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00304   476   NtReleaseMutant  (56, ... 0x0, ) == 0x0
 00305   476   NtDuplicateObject  (-1, 3101, -1, 0x0, 0, 2, ... ) == STATUS_INVALID_HANDLE
 00306   476   NtClose  (0, ... ) == STATUS_INVALID_HANDLE
 00307   476   NtClose  (0, ... ) == STATUS_INVALID_HANDLE
 00308   476   NtUserBuildHwndList  (0, 0, 0, 0, 64, ... (0x3004c, 0x100dc, 0x100aa, 0x100a8, 0x100a6, 0x20060, 0x100a0, 0x1007e, 0x10074, 0x10068, 0x3004a, 0x10066, 0x3003c, 0x10098, 0x1008c, 0x1007c, 0x10026, 0x100d8, 0x100d0, 0x100be, 0x100bc, 0x100ba, 0x100b8, 0x100b6, 0x100b4, 0x100b0, 0x100ae, 0x20064, 0x100cc, 0x100c2, 0x100c0, 0x100ac, 0x20062, 0x1006c, 0x50050, 0x40054, 0x5004e, 0x10082, 0x10076, 0x1, ), 40, ) == 0x0
 00309   476   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00310   476   NtUserFindWindowEx  (0, 0,  (0, 0, "WispWindowClass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00311   476   NtUserBuildHwndList  (0, 0, 0, 0, 64, ... (0x3004c, 0x100dc, 0x100aa, 0x100a8, 0x100a6, 0x20060, 0x100a0, 0x1007e, 0x10074, 0x10068, 0x3004a, 0x10066, 0x3003c, 0x10098, 0x1008c, 0x1007c, 0x10026, 0x100d8, 0x100d0, 0x100be, 0x100bc, 0x100ba, 0x100b8, 0x100b6, 0x100b4, 0x100b0, 0x100ae, 0x20064, 0x100cc, 0x100c2, 0x100c0, 0x100ac, 0x20062, 0x1006c, 0x50050, 0x40054, 0x5004e, 0x10082, 0x10076, 0x1, ), 40, ) == 0x0
 00312   476   NtUserQueryWindow  (196684, 0, ... ) == 0x768
 00313   476   NtUserQueryWindow  (196684, 1, ... ) == 0x77c
 00314   476   NtUserQueryWindow  (65756, 0, ... ) == 0x768
 00315   476   NtUserQueryWindow  (65756, 1, ... ) == 0x77c
 00316   476   NtUserQueryWindow  (65706, 0, ... ) == 0x7d8
 00317   476   NtUserQueryWindow  (65706, 1, ... ) == 0x7dc
 00318   476   NtUserQueryWindow  (65704, 0, ... ) == 0x7d8
 00319   476   NtUserQueryWindow  (65704, 1, ... ) == 0x7dc
 00320   476   NtUserQueryWindow  (65702, 0, ... ) == 0x7d8
 00321   476   NtUserQueryWindow  (65702, 1, ... ) == 0x7dc
 00322   476   NtUserQueryWindow  (131168, 0, ... ) == 0x7d8
 00323   476   NtUserQueryWindow  (131168, 1, ... ) == 0x7dc
 00324   476   NtUserQueryWindow  (65696, 0, ... ) == 0x768
 00325   476   NtUserQueryWindow  (65696, 1, ... ) == 0x77c
 00326   476   NtUserQueryWindow  (65662, 0, ... ) == 0x768
 00327   476   NtUserQueryWindow  (65662, 1, ... ) == 0x77c
 00328   476   NtUserQueryWindow  (65652, 0, ... ) == 0x768
 00329   476   NtUserQueryWindow  (65652, 1, ... ) == 0x77c
 00330   476   NtUserQueryWindow  (65640, 0, ... ) == 0x768
 00331   476   NtUserQueryWindow  (65640, 1, ... ) == 0x77c
 00332   476   NtUserQueryWindow  (196682, 0, ... ) == 0x768
 00333   476   NtUserQueryWindow  (196682, 1, ... ) == 0x77c
 00334   476   NtUserQueryWindow  (65638, 0, ... ) == 0x768
 00335   476   NtUserQueryWindow  (65638, 1, ... ) == 0x77c
 00336   476   NtUserQueryWindow  (196668, 0, ... ) == 0x768
 00337   476   NtUserQueryWindow  (196668, 1, ... ) == 0x77c
 00338   476   NtUserQueryWindow  (65688, 0, ... ) == 0x768
 00339   476   NtUserQueryWindow  (65688, 1, ... ) == 0x77c
 00340   476   NtUserQueryWindow  (65676, 0, ... ) == 0x768
 00341   476   NtUserQueryWindow  (65676, 1, ... ) == 0x77c
 00342   476   NtUserQueryWindow  (65660, 0, ... ) == 0x768
 00343   476   NtUserQueryWindow  (65660, 1, ... ) == 0x76c
 00344   476   NtUserQueryWindow  (65574, 0, ... ) == 0x268
 00345   476   NtUserQueryWindow  (65574, 1, ... ) == 0x2c0
 00346   476   NtUserQueryWindow  (65752, 0, ... ) == 0x104
 00347   476   NtUserQueryWindow  (65752, 1, ... ) == 0x108
 00348   476   NtUserQueryWindow  (65744, 0, ... ) == 0x104
 00349   476   NtUserQueryWindow  (65744, 1, ... ) == 0x108
 00350   476   NtUserQueryWindow  (65726, 0, ... ) == 0x7e0
 00351   476   NtUserQueryWindow  (65726, 1, ... ) == 0x7e4
 00352   476   NtUserQueryWindow  (65724, 0, ... ) == 0x7e0
 00353   476   NtUserQueryWindow  (65724, 1, ... ) == 0x7e4
 00354   476   NtUserQueryWindow  (65722, 0, ... ) == 0x7e0
 00355   476   NtUserQueryWindow  (65722, 1, ... ) == 0x7e4
 00356   476   NtUserQueryWindow  (65720, 0, ... ) == 0x7e0
 00357   476   NtUserQueryWindow  (65720, 1, ... ) == 0x7e4
 00358   476   NtUserQueryWindow  (65718, 0, ... ) == 0x7e0
 00359   476   NtUserQueryWindow  (65718, 1, ... ) == 0x7e4
 00360   476   NtUserQueryWindow  (65716, 0, ... ) == 0x7e0
 00361   476   NtUserQueryWindow  (65716, 1, ... ) == 0x7e4
 00362   476   NtUserQueryWindow  (65712, 0, ... ) == 0x7e0
 00363   476   NtUserQueryWindow  (65712, 1, ... ) == 0x7e4
 00364   476   NtUserQueryWindow  (65710, 0, ... ) == 0x7e0
 00365   476   NtUserQueryWindow  (65710, 1, ... ) == 0x7e4
 00366   476   NtUserQueryWindow  (131172, 0, ... ) == 0x7ec
 00367   476   NtUserQueryWindow  (131172, 1, ... ) == 0x7f0
 00368   476   NtUserQueryWindow  (65740, 0, ... ) == 0x768
 00369   476   NtUserQueryWindow  (65740, 1, ... ) == 0x114
 00370   476   NtUserQueryWindow  (65730, 0, ... ) == 0x768
 00371   476   NtUserQueryWindow  (65730, 1, ... ) == 0x114
 00372   476   NtUserQueryWindow  (65728, 0, ... ) == 0x768
 00373   476   NtUserQueryWindow  (65728, 1, ... ) == 0x77c
 00374   476   NtUserQueryWindow  (65708, 0, ... ) == 0x7d8
 00375   476   NtUserQueryWindow  (65708, 1, ... ) == 0x7dc
 00376   476   NtUserQueryWindow  (131170, 0, ... ) == 0x7d0
 00377   476   NtUserQueryWindow  (131170, 1, ... ) == 0x7d4
 00378   476   NtUserQueryWindow  (65644, 0, ... ) == 0x768
 00379   476   NtUserQueryWindow  (65644, 1, ... ) == 0x7a8
 00380   476   NtUserQueryWindow  (327760, 0, ... ) == 0x768
 00381   476   NtUserQueryWindow  (327760, 1, ... ) == 0x76c
 00382   476   NtUserQueryWindow  (262228, 0, ... ) == 0x768
 00383   476   NtUserQueryWindow  (262228, 1, ... ) == 0x76c
 00384   476   NtUserQueryWindow  (327758, 0, ... ) == 0x768
 00385   476   NtUserQueryWindow  (327758, 1, ... ) == 0x76c
 00386   476   NtUserQueryWindow  (65666, 0, ... ) == 0x768
 00387   476   NtUserQueryWindow  (65666, 1, ... ) == 0x76c
 00388   476   NtUserQueryWindow  (65654, 0, ... ) == 0x768
 00389   476   NtUserQueryWindow  (65654, 1, ... ) == 0x76c
 00390   476   NtRaiseException  (1242640, 1241900, 1, ...
 00391   476   NtContinue  (1240696, 0, ...
 00392   476   NtWaitForSingleObject  (56, 0, 0x0, ... ) == 0x0
 00393   476   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00394   476   NtReleaseMutant  (56, ... 0x0, ) == 0x0
 00395   476   NtDuplicateObject  (-1, 3380, -1, 0x0, 0, 2, ... ) == STATUS_INVALID_HANDLE
 00396   476   NtClose  (0, ... ) == STATUS_INVALID_HANDLE
 00397   476   NtClose  (0, ... ) == STATUS_INVALID_HANDLE
 00398   476   NtUserBuildHwndList  (0, 0, 0, 0, 64, ... (0x3004c, 0x100dc, 0x100aa, 0x100a8, 0x100a6, 0x20060, 0x100a0, 0x1007e, 0x10074, 0x10068, 0x3004a, 0x10066, 0x3003c, 0x10098, 0x1008c, 0x1007c, 0x10026, 0x100d8, 0x100d0, 0x100be, 0x100bc, 0x100ba, 0x100b8, 0x100b6, 0x100b4, 0x100b0, 0x100ae, 0x20064, 0x100cc, 0x100c2, 0x100c0, 0x100ac, 0x20062, 0x1006c, 0x50050, 0x40054, 0x5004e, 0x10082, 0x10076, 0x1, ), 40, ) == 0x0
 00399   476   NtSetSecurityObject  (-1, 4, {1, 0, 0x4, 0, 0, 0, 1242476}, ... ) == 0x0
 00400   476   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 60, ) }, ... 60, ) == 0x0
 00401   476   NtQueryValueKey  (60,  (60, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00402   476   NtClose  (60, ... ) == 0x0
 00403   476   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MPR.dll"}, ... 60, ) }, ... 60, ) == 0x0
 00404   476   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71b20000), 0x0, 69632, ) == 0x0
 00405   476   NtClose  (60, ... ) == 0x0
 00406   476   NtCreateSemaphore  (0x1f0003, 0x0, 1, 1, ... 60, ) == 0x0
 00407   476   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 64, ) == 0x0
 00408   476   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "system\CurrentControlSet\control\NetworkProvider\HwOrder"}, ... 68, ) }, ... 68, ) == 0x0
 00409   476   NtNotifyChangeKey  (68, 64, 0, 0, 2011390432, 4, 0, 0, 0, 1, ... ) == 0x103
 00410   476   NtQueryInformationProcess  (-1, 28, 4, ... {process info, class 28, size 4}, 0x0, ) == 0x0
 00411   476   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 72, ) == 0x0
 00412   476   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 76, ) == 0x0
 00413   476   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ODBC32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00414   476   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\ODBC32.dll"}, 1241484, ... ) }, 1241484, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00415   476   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "ODBC32.dll"}, 1241484, ... ) }, 1241484, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00416   476   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ODBC32.dll"}, 1241484, ... ) }, 1241484, ... ) == 0x0
 00417   476   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ODBC32.dll"}, 5, 96, ... 80, {status=0x0, info=1}, ) }, 5, 96, ... 80, {status=0x0, info=1}, ) == 0x0
 00418   476   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 80, ... 84, ) == 0x0
 00419   476   NtQuerySection  (84, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00420   476   NtOpenProcessToken  (-1, 0x8, ... 88, ) == 0x0
 00421   476   NtQueryInformationToken  (88, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00422   476   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00423   476   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 92, ) }, ... 92, ) == 0x0
 00424   476   NtQueryValueKey  (92,  (92, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (92, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00425   476   NtClose  (92, ... ) == 0x0
 00426   476   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00427   476   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 92, ) == 0x0
 00428   476   NtQueryInformationToken  (92, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00429   476   NtClose  (92, ... ) == 0x0
 00430   476   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00431   476   NtClose  (88, ... ) == 0x0
 00432   476   NtClose  (80, ... ) == 0x0
 00433   476   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x1f7b0000), 0x0, 200704, ) == 0x0
 00434   476   NtClose  (84, ... ) == 0x0
 00435   476   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "COMCTL32.dll"}, ... 84, ) }, ... 84, ) == 0x0
 00436   476   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0
 00437   476   NtClose  (84, ... ) == 0x0
 00438   476   NtProtectVirtualMemory  (-1, (0x1f7b1000), 724, 4, ... (0x1f7b1000), 4096, 32, ) == 0x0
 00439   476   NtProtectVirtualMemory  (-1, (0x1f7b1000), 4096, 32, ... (0x1f7b1000), 4096, 4, ) == 0x0
 00440   476   NtFlushInstructionCache  (-1, 528158720, 724, ... ) == 0x0
 00441   476   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "comdlg32.dll"}, ... 84, ) }, ... 84, ) == 0x0
 00442   476   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x763b0000), 0x0, 282624, ) == 0x0
 00443   476   NtClose  (84, ... ) == 0x0
 00444   476   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 84, ) }, ... 84, ) == 0x0
 00445   476   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x772d0000), 0x0, 405504, ) == 0x0
 00446   476   NtClose  (84, ... ) == 0x0
 00447   476   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 84, ) }, ... 84, ) == 0x0
 00448   476   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0
 00449   476   NtClose  (84, ... ) == 0x0
 00450   476   NtProtectVirtualMemory  (-1, (0x763b1000), 1536, 4, ... (0x763b1000), 4096, 32, ) == 0x0
 00451   476   NtProtectVirtualMemory  (-1, (0x763b1000), 4096, 32, ... (0x763b1000), 4096, 4, ) == 0x0
 00452   476   NtFlushInstructionCache  (-1, 1983582208, 1536, ... ) == 0x0
 00453   476   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHELL32.dll"}, ... 84, ) }, ... 84, ) == 0x0
 00454   476   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 8339456, ) == 0x0
 00455   476   NtClose  (84, ... ) == 0x0
 00456   476   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {464, 0}, ... 84, ) == 0x0
 00457   476   NtQueryInformationProcess  (84, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 00458   476   NtClose  (84, ... ) == 0x0
 00459   476   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00460   476   NtUserSystemParametersInfo  (104, 0, 2000318720, 0, ... ) == 0x1
 00461   476   NtUserSystemParametersInfo  (38, 4, 2000318708, 0, ... ) == 0x1
 00462   476   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00463   476   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 84, ) == 0x0
 00464   476   NtQueryInformationToken  (84, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00465   476   NtClose  (84, ... ) == 0x0
 00466   476   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 84, ) }, ... 84, ) == 0x0
 00467   476   NtSetInformationObject  (84, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 00468   476   NtOpenKey  (0x20019, {24, 84, 0x40, 0, 0,  (0x20019, {24, 84, 0x40, 0, 0, "Control Panel\Desktop"}, ... 80, ) }, ... 80, ) == 0x0
 00469   476   NtQueryValueKey  (80,  (80, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00470   476   NtClose  (80, ... ) == 0x0
 00471   476   NtUserSystemParametersInfo  (41, 500, 1241216, 0, ... ) == 0x1
 00472   476   NtUserSystemParametersInfo  (102, 0, 2000318732, 0, ... ) == 0x1
 00473   476   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00474   476   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00475   476   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810cc03b
 00476   476   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00477   476   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810cc03d
 00478   476   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00479   476   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00480   476   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810cc03f
 00481   476   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00482   476   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00483   476   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810cc041
 00484   476   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00485   476   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00486   476   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810cc043
 00487   476   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00488   476   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810cc045
 00489   476   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00490   476   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00491   476   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810cc047
 00492   476   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00493   476   NtUserFindExistingCursorIcon  (1241004, 1241020, 1241588, ... ) == 0x10011
 00494   476   NtUserRegisterClassExWOW  (1241456, 1241536, 1241520, 1241552, 0, 384, 0, ... ) == 0x810cc049
 00495   476   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00496   476   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00497   476   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810cc04b
 00498   476   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00499   476   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00500   476   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810cc04d
 00501   476   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00502   476   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00503   476   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810cc04f
 00504   476   NtUserGetClassInfo  (1999896576, 1241628, 1241580, 1241656, 0, ... ) == 0x0
 00505   476   NtUserRegisterClassExWOW  (1241464, 1241544, 1241528, 1241560, 0, 384, 0, ... ) == 0x810cc051
 00506   476   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00507   476   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00508   476   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810cc053
 00509   476   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00510   476   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00511   476   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810cc055
 00512   476   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810cc057
 00513   476   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00514   476   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00515   476   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810cc059
 00516   476   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00517   476   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10013
 00518   476   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810cc05b
 00519   476   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00520   476   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00521   476   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810cc05d
 00522   476   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00523   476   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00524   476   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810cc05f
 00525   476   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00526   476   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 9240576, 65536, ) == 0x0
 00527   476   NtAllocateVirtualMemory  (-1, 9240576, 0, 4096, 4096, 4, ... 9240576, 4096, ) == 0x0
 00528   476   NtAllocateVirtualMemory  (-1, 9244672, 0, 8192, 4096, 4, ... 9244672, 8192, ) == 0x0
 00529   476   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 80, ) }, ... 80, ) == 0x0
 00530   476   NtMapViewOfSection  (80, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x8e0000), 0x0, 12288, ) == 0x0
 00531   476   NtClose  (80, ... ) == 0x0
 00532   476   NtAllocateVirtualMemory  (-1, 9252864, 0, 4096, 4096, 4, ... 9252864, 4096, ) == 0x0
 00533   476   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00534   476   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 80, ) }, ... 80, ) == 0x0
 00535   476   NtQueryValueKey  (80,  (80, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00536   476   NtClose  (80, ... ) == 0x0
 00537   476   NtQueryDefaultUILanguage  (1239840, ...
 00538   476   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00539   476   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 00540   476   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00541   476   NtClose  (-2147482020, ... ) == 0x0
 00542   476   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00543   476   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00544   476   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00545   476   NtQueryValueKey  (-2147482032,  (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00546   476   NtClose  (-2147482032, ... ) == 0x0
 00547   476   NtClose  (-2147482020, ... ) == 0x0
 00537   476   NtQueryDefaultUILanguage  ... ) == 0x0
 00548   476   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00549   476   NtQueryInstallUILanguage  (2012047340, ... ) == 0x0
 00550   476   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1, 96, ... 80, {status=0x0, info=1}, ) }, 1, 96, ... 80, {status=0x0, info=1}, ) == 0x0
 00551   476   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 80, ... 88, ) == 0x0
 00552   476   NtMapViewOfSection  (88, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x8f0000), 0x0, 8323072, ) == 0x0
 00553   476   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00554   476   NtQueryDefaultUILanguage  (2013024600, ...
 00555   476   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00556   476   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 00557   476   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00558   476   NtClose  (-2147482020, ... ) == 0x0
 00559   476   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00560   476   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00561   476   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00562   476   NtQueryValueKey  (-2147482032,  (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00563   476   NtClose  (-2147482032, ... ) == 0x0
 00564   476   NtClose  (-2147482020, ... ) == 0x0
 00554   476   NtQueryDefaultUILanguage  ... ) == 0x0
 00565   476   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00566   476   NtQueryInstallUILanguage  (2013024602, ... ) == 0x0
 00567   476   NtQueryDefaultLocale  (1, 1237876, ... ) == 0x0
 00568   476   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00569   476   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1238732, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1238732, 1, 96, 0} "\210\6\32\1\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1P\0\0\0\377\377\377\377\0\0\0\0\20\311\306\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\314\355\22\0\0\0\0\0" ... {128, 156, reply, 0, 464, 476, 1570, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1P\0\0\0\377\377\377\377\0\0\0\0\20\311\306\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\314\355\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 464, 476, 1570, 0}  (24, {128, 156, new_msg, 0, 1238732, 1, 96, 0} "\210\6\32\1\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1P\0\0\0\377\377\377\377\0\0\0\0\20\311\306\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\314\355\22\0\0\0\0\0" ... {128, 156, reply, 0, 464, 476, 1570, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1P\0\0\0\377\377\377\377\0\0\0\0\20\311\306\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\314\355\22\0\0\0\0\0" )  ) == 0x0
 00570   476   NtClose  (80, ... ) == 0x0
 00571   476   NtClose  (88, ... ) == 0x0
 00572   476   NtUnmapViewOfSection  (-1, 0x8f0000, ... ) == 0x0
 00573   476   NtUnmapViewOfSection  (-1, 0x12edcc, ... ) == STATUS_NOT_MAPPED_VIEW
 00574   476   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00575   476   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00576   476   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00577   476   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00578   476   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1236960, ... ) }, 1236960, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00579   476   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00580   476   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00581   476   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00582   476   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1237552, ... ) }, 1237552, ... ) == 0x0
 00583   476   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 88, {status=0x0, info=1}, ) }, 3, 33, ... 88, {status=0x0, info=1}, ) == 0x0
 00584   476   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00585   476   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 80, {status=0x0, info=1}, ) }, 5, 96, ... 80, {status=0x0, info=1}, ) == 0x0
 00586   476   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 80, ... 92, ) == 0x0
 00587   476   NtClose  (80, ... ) == 0x0
 00588   476   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x8f0000), 0x0, 921600, ) == 0x0
 00589   476   NtClose  (92, ... ) == 0x0
 00590   476   NtUnmapViewOfSection  (-1, 0x8f0000, ... ) == 0x0
 00591   476   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 92, {status=0x0, info=1}, ) }, 5, 96, ... 92, {status=0x0, info=1}, ) == 0x0
 00592   476   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 92, ... 80, ) == 0x0
 00593   476   NtQuerySection  (80, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00594   476   NtClose  (92, ... ) == 0x0
 00595   476   NtMapViewOfSection  (80, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0
 00596   476   NtClose  (80, ... ) == 0x0
 00597   476   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00598   476   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00599   476   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00600   476   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00601   476   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00602   476   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00603   476   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00604   476   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00605   476   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00606   476   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00607   476   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00608   476   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00609   476   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00610   476   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00611   476   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00612   476   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00613   476   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00614   476   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00615   476   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00616   476   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00617   476   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00618   476   NtAddAtom  ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1238736, ... ) , 42, 1238736, ... ) == 0x0
 00619   476   NtQueryDefaultUILanguage  (1237452, ...
 00620   476   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00621   476   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 00622   476   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00623   476   NtClose  (-2147482020, ... ) == 0x0
 00624   476   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00625   476   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00626   476   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00627   476   NtQueryValueKey  (-2147482032,  (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00628   476   NtClose  (-2147482032, ... ) == 0x0
 00629   476   NtClose  (-2147482020, ... ) == 0x0
 00619   476   NtQueryDefaultUILanguage  ... ) == 0x0
 00630   476   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00631   476   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1236304, ... ) }, 1236304, ... ) == 0x0
 00632   476   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 80, {status=0x0, info=1}, ) }, 5, 96, ... 80, {status=0x0, info=1}, ) == 0x0
 00633   476   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 80, ... 92, ) == 0x0
 00634   476   NtClose  (80, ... ) == 0x0
 00635   476   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x8f0000), 0x0, 4096, ) == 0x0
 00636   476   NtClose  (92, ... ) == 0x0
 00637   476   NtUnmapViewOfSection  (-1, 0x8f0000, ... ) == 0x0
 00638   476   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1235944, ... ) }, 1235944, ... ) == 0x0
 00639   476   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1236644,  (0x80100080, {24, 0, 0x40, 0, 1236644, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 92, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 92, {status=0x0, info=1}, ) == 0x0
 00640   476   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 92, ... 80, ) == 0x0
 00641   476   NtClose  (92, ... ) == 0x0
 00642   476   NtMapViewOfSection  (80, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x8f0000), {0, 0}, 4096, ) == 0x0
 00643   476   NtClose  (80, ... ) == 0x0
 00644   476   NtUnmapViewOfSection  (-1, 0x8f0000, ... ) == 0x0
 00645   476   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 80, {status=0x0, info=1}, ) }, 1, 96, ... 80, {status=0x0, info=1}, ) == 0x0
 00646   476   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 80, ... 92, ) == 0x0
 00647   476   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x8f0000), 0x0, 4096, ) == 0x0
 00648   476   NtQueryInformationFile  (80, 1236264, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0
 00649   476   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00650   476   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1236344, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1236344, 1, 96, 0} "\210\6\32\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\32\1P\0\0\0\\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\32\1\0\0\0\0\0\0\0\0x\344\22\0\0\0\0\0" ... {128, 156, reply, 0, 464, 476, 1571, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\32\1P\0\0\0\\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\32\1\0\0\0\0\0\0\0\0x\344\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 464, 476, 1571, 0}  (24, {128, 156, new_msg, 0, 1236344, 1, 96, 0} "\210\6\32\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\32\1P\0\0\0\\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\32\1\0\0\0\0\0\0\0\0x\344\22\0\0\0\0\0" ... {128, 156, reply, 0, 464, 476, 1571, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\32\1P\0\0\0\\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\32\1\0\0\0\0\0\0\0\0x\344\22\0\0\0\0\0" )  ) == 0x0
 00651   476   NtClose  (80, ... ) == 0x0
 00652   476   NtClose  (92, ... ) == 0x0
 00653   476   NtUnmapViewOfSection  (-1, 0x8f0000, ... ) == 0x0
 00654   476   NtUnmapViewOfSection  (-1, 0x12e478, ... ) == STATUS_NOT_MAPPED_VIEW
 00655   476   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00656   476   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00657   476   NtUserSystemParametersInfo  (104, 0, 1906151468, 0, ... ) == 0x1
 00658   476   NtUserGetDC  (0, ... ) == 0x1010052
 00659   476   NtUserCallOneParam  (16842834, 56, ... ) == 0x1
 00660   476   NtUserSystemParametersInfo  (38, 4, 1906153440, 0, ... ) == 0x1
 00661   476   NtUserSystemParametersInfo  (66, 12, 1238756, 0, ... ) == 0x1
 00662   476   NtOpenProcessToken  (-1, 0x8, ... 92, ) == 0x0
 00663   476   NtAccessCheck  (1393640, 92, 0x1, 1238160, 1238104, 56, 1238188, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 00664   476   NtClose  (92, ... ) == 0x0
 00665   476   NtOpenKey  (0x20019, {24, 84, 0x40, 0, 0,  (0x20019, {24, 84, 0x40, 0, 0, "Control Panel\Desktop"}, ... 92, ) }, ... 92, ) == 0x0
 00666   476   NtQueryValueKey  (92,  (92, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00667   476   NtClose  (92, ... ) == 0x0
 00668   476   NtUserSystemParametersInfo  (41, 500, 1238256, 0, ... ) == 0x1
 00669   476   NtAllocateVirtualMemory  (-1, 1396736, 0, 4096, 4096, 4, ... 1396736, 4096, ) == 0x0
 00670   476   NtOpenKey  (0x1, {24, 84, 0x40, 0, 0,  (0x1, {24, 84, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 92, ) }, ... 92, ) == 0x0
 00671   476   NtQueryValueKey  (92,  (92, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00672   476   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 80, ) }, ... 80, ) == 0x0
 00673   476   NtQueryValueKey  (80,  (80, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00674   476   NtClose  (80, ... ) == 0x0
 00675   476   NtClose  (92, ... ) == 0x0
 00676   476   NtUserSystemParametersInfo  (102, 0, 1906153328, 0, ... ) == 0x1
 00677   476   NtUserSystemParametersInfo  (4130, 0, 1238780, 0, ... ) == 0x1
 00678   476   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 92, ) }, ... 92, ) == 0x0
 00679   476   NtEnumerateValueKey  (92, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 00680   476   NtClose  (92, ... ) == 0x0
 00681   476   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00682   476   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810cc03b
 00683   476   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810cc03d
 00684   476   NtUserFindExistingCursorIcon  (1238060, 1238076, 1238644, ... ) == 0x10011
 00685   476   NtUserRegisterClassExWOW  (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810cc03f
 00686   476   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00687   476   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810cc041
 00688   476   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00689   476   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810cc043
 00690   476   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810cc045
 00691   476   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00692   476   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810cc047
 00693   476   NtUserFindExistingCursorIcon  (1238060, 1238076, 1238644, ... ) == 0x10011
 00694   476   NtUserRegisterClassExWOW  (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ...
 00695   476   NtAllocateVirtualMemory  (-1, 6144000, 0, 4096, 4096, 32, ... 6144000, 4096, ) == 0x0
 00694   476   NtUserRegisterClassExWOW  ... ) == 0x810cc049
 00696   476   NtUserGetClassInfo  (1905590272, 1238676, 1238628, 1238704, 0, ... ) == 0xc049
 00697   476   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00698   476   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810cc04b
 00699   476   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00700   476   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810cc04d
 00701   476   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00702   476   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810cc04f
 00703   476   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810cc051
 00704   476   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00705   476   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810cc053
 00706   476   NtUserFindExistingCursorIcon  (1238060, 1238076, 1238644, ... ) == 0x10011
 00707   476   NtUserRegisterClassExWOW  (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810cc055
 00708   476   NtUserRegisterClassExWOW  (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810cc057
 00709   476   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00710   476   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810cc059
 00711   476   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10013
 00712   476   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810cc05b
 00713   476   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00714   476   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810cc05d
 00715   476   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00716   476   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810cc05f
 00717   476   NtUserFindExistingCursorIcon  (1238060, 1238076, 1238644, ... ) == 0x10011
 00718   476   NtUserRegisterClassExWOW  (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810cc017
 00719   476   NtUserFindExistingCursorIcon  (1238060, 1238076, 1238644, ... ) == 0x10011
 00720   476   NtUserRegisterClassExWOW  (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810cc019
 00721   476   NtUserFindExistingCursorIcon  (1238060, 1238076, 1238644, ... ) == 0x10013
 00722   476   NtUserRegisterClassExWOW  (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810cc018
 00723   476   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00724   476   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810cc01a
 00725   476   NtUserFindExistingCursorIcon  (1238060, 1238076, 1238644, ... ) == 0x10011
 00726   476   NtUserRegisterClassExWOW  (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810cc01c
 00727   476   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00728   476   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810cc01e
 00729   476   NtUserFindExistingCursorIcon  (1238060, 1238076, 1238644, ... ) == 0x10011
 00730   476   NtUserRegisterClassExWOW  (1238572, 1238652, 1238636, 1238668, 0, 384, 0, ... ) == 0x810cc01b
 00731   476   NtUserFindExistingCursorIcon  (1238056, 1238072, 1238640, ... ) == 0x10011
 00732   476   NtUserRegisterClassExWOW  (1238568, 1238648, 1238632, 1238664, 0, 384, 0, ... ) == 0x810cc068
 00733   476   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00734   476   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810cc06a
 00735   476   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc03b
 00736   476   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc03d
 00737   476   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc03f
 00738   476   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc041
 00739   476   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc043
 00740   476   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc045
 00741   476   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc047
 00742   476   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc049
 00743   476   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc04b
 00744   476   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc04d
 00745   476   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc04f
 00746   476   NtUserGetClassInfo  (1999896576, 1241580, 1241532, 1241608, 0, ... ) == 0xc051
 00747   476   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc053
 00748   476   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc055
 00749   476   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc059
 00750   476   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc05b
 00751   476   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc05d
 00752   476   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc05f
 00753   476   NtUserRegisterWindowMessage  ( ("WOWLFChange", ... ) , ... ) == 0xc06b
 00754   476   NtUserRegisterWindowMessage  ( ("WOWDirChange", ... ) , ... ) == 0xc06c
 00755   476   NtUserRegisterWindowMessage  ( ("WOWCHOOSEFONT_GETLOGFONT", ... ) , ... ) == 0xc06d
 00756   476   NtUserRegisterWindowMessage  ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06e
 00757   476   NtUserRegisterWindowMessage  ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc06f
 00758   476   NtUserRegisterWindowMessage  ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc070
 00759   476   NtUserRegisterWindowMessage  ( ("commdlg_ColorOK", ... ) , ... ) == 0xc071
 00760   476   NtUserRegisterWindowMessage  ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc072
 00761   476   NtUserRegisterWindowMessage  ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06e
 00762   476   NtUserRegisterWindowMessage  ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc06f
 00763   476   NtUserRegisterWindowMessage  ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc070
 00764   476   NtUserRegisterWindowMessage  ( ("commdlg_ColorOK", ... ) , ... ) == 0xc071
 00765   476   NtUserRegisterWindowMessage  ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc072
 00766   476   NtUserRegisterWindowMessage  ( ("Shell IDList Array", ... ) , ... ) == 0xc073
 00767   476   NtUserRegisterWindowMessage  ( ("commdlg_help", ... ) , ... ) == 0xc074
 00768   476   NtUserRegisterWindowMessage  ( ("commdlg_help", ... ) , ... ) == 0xc074
 00769   476   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\MDAC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00770   476   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00771   476   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00772   476   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00773   476   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 9502720, 262144, ) == 0x0
 00774   476   NtAllocateVirtualMemory  (-1, 9502720, 0, 4096, 4096, 4, ... 9502720, 4096, ) == 0x0
 00775   476   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00776   476   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 9764864, 262144, ) == 0x0
 00777   476   NtAllocateVirtualMemory  (-1, 9764864, 0, 4096, 4096, 4, ... 9764864, 4096, ) == 0x0
 00778   476   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00779   476   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 10027008, 262144, ) == 0x0
 00780   476   NtAllocateVirtualMemory  (-1, 10027008, 0, 4096, 4096, 4, ... 10027008, 4096, ) == 0x0
 00781   476   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00782   476   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 10289152, 262144, ) == 0x0
 00783   476   NtAllocateVirtualMemory  (-1, 10289152, 0, 4096, 4096, 4, ... 10289152, 4096, ) == 0x0
 00784   476   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00785   476   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00786   476   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00787   476   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00788   476   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 1237456, ... ) }, 1237456, ... ) == 0x0
 00789   476   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 5, 96, ... 92, {status=0x0, info=1}, ) }, 5, 96, ... 92, {status=0x0, info=1}, ) == 0x0
 00790   476   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 92, ... 80, ) == 0x0
 00791   476   NtClose  (92, ... ) == 0x0
 00792   476   NtMapViewOfSection  (80, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa10000), 0x0, 90112, ) == 0x0
 00793   476   NtClose  (80, ... ) == 0x0
 00794   476   NtUnmapViewOfSection  (-1, 0xa10000, ... ) == 0x0
 00795   476   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 1237772, ... ) }, 1237772, ... ) == 0x0
 00796   476   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 5, 96, ... 80, {status=0x0, info=1}, ) }, 5, 96, ... 80, {status=0x0, info=1}, ) == 0x0
 00797   476   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 80, ... 92, ) == 0x0
 00798   476   NtQuerySection  (92, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00799   476   NtClose  (80, ... ) == 0x0
 00800   476   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x1f850000), 0x0, 90112, ) == 0x0
 00801   476   NtClose  (92, ... ) == 0x0
 00802   476   NtQueryDefaultLocale  (1, 1239460, ... ) == 0x0
 00803   476   NtAllocateVirtualMemory  (-1, 9506816, 0, 4096, 4096, 4, ... 9506816, 4096, ) == 0x0
 00804   476   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE"}, ... 92, ) }, ... 92, ) == 0x0
 00805   476   NtClose  (92, ... ) == 0x0
 00806   476   NtOpenKey  (0x20019, {24, 84, 0x40, 0, 0,  (0x20019, {24, 84, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00807   476   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00808   476   NtOpenKey  (0x20019, {24, 84, 0x40, 0, 0,  (0x20019, {24, 84, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00809   476   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00810   476   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WININET.dll"}, ... 92, ) }, ... 92, ) == 0x0
 00811   476   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76200000), 0x0, 618496, ) == 0x0
 00812   476   NtClose  (92, ... ) == 0x0
 00813   476   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "CRYPT32.dll"}, ... 92, ) }, ... 92, ) == 0x0
 00814   476   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762c0000), 0x0, 565248, ) == 0x0
 00815   476   NtClose  (92, ... ) == 0x0
 00816   476   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSASN1.dll"}, ... 92, ) }, ... 92, ) == 0x0
 00817   476   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762a0000), 0x0, 61440, ) == 0x0
 00818   476   NtClose  (92, ... ) == 0x0
 00819   476   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLEAUT32.dll"}, ... 92, ) }, ... 92, ) == 0x0
 00820   476   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0
 00821   476   NtClose  (92, ... ) == 0x0
 00822   476   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLE32.DLL"}, ... 92, ) }, ... 92, ) == 0x0
 00823   476   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0
 00824   476   NtClose  (92, ... ) == 0x0
 00825   476   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\crypt32\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00826   476   NtAllocateVirtualMemory  (-1, 1400832, 0, 4096, 4096, 4, ... 1400832, 4096, ) == 0x0
 00827   476   NtAllocateVirtualMemory  (-1, 1404928, 0, 4096, 4096, 4, ... 1404928, 4096, ) == 0x0
 00828   476   NtAllocateVirtualMemory  (-1, 1409024, 0, 4096, 4096, 4, ... 1409024, 4096, ) == 0x0
 00829   476   NtCreateEvent  (0x1f0003, {24, 52, 0x80, 1241616, 0,  (0x1f0003, {24, 52, 0x80, 1241616, 0, "Global\crypt32LogoffEvent"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED
 00830   476   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\crypt32LogoffEvent"}, ... 92, ) }, ... 92, ) == 0x0
 00831   476   NtAllocateVirtualMemory  (-1, 1413120, 0, 4096, 4096, 4, ... 1413120, 4096, ) == 0x0
 00832   476   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00833   476   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00834   476   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 80, ) }, ... 80, ) == 0x0
 00835   476   NtQueryValueKey  (80,  (80, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0
 00836   476   NtClose  (80, ... ) == 0x0
 00837   476   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00838   476   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00839   476   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00840   476   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00841   476   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 80, ) }, ... 80, ) == 0x0
 00842   476   NtQueryValueKey  (80,  (80, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00843   476   NtQueryValueKey  (80,  (80, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00844   476   NtQueryValueKey  (80,  (80, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00845   476   NtClose  (80, ... ) == 0x0
 00846   476   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 80, ) }, ... 80, ) == 0x0
 00847   476   NtQueryValueKey  (80,  (80, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00848   476   NtQueryValueKey  (80,  (80, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00849   476   NtClose  (80, ... ) == 0x0
 00850   476   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00851   476   NtUserRegisterWindowMessage  ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b
 00852   476   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00853   476   NtOpenKey  (0x9, {24, 28, 0x40, 0, 0,  (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00854   476   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00855   476   NtAllocateVirtualMemory  (-1, 1417216, 0, 8192, 4096, 4, ... 1417216, 8192, ) == 0x0
 00856   476   NtCreateKey  (0xf003f, {24, 84, 0x40, 0, 0,  (0xf003f, {24, 84, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History"}, 0, 0x0, 0, ... 80, 2, ) }, 0, 0x0, 0, ... 80, 2, ) == 0x0
 00857   476   NtQueryDefaultUILanguage  (1239852, ...
 00858   476   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00859   476   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 00860   476   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00861   476   NtClose  (-2147482020, ... ) == 0x0
 00862   476   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00863   476   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00864   476   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00865   476   NtQueryValueKey  (-2147482032,  (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00866   476   NtClose  (-2147482032, ... ) == 0x0
 00867   476   NtClose  (-2147482020, ... ) == 0x0
 00857   476   NtQueryDefaultUILanguage  ... ) == 0x0
 00868   476   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00869   476   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll"}, 1, 96, ... 96, {status=0x0, info=1}, ) }, 1, 96, ... 96, {status=0x0, info=1}, ) == 0x0
 00870   476   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 96, ... 100, ) == 0x0
 00871   476   NtMapViewOfSection  (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xa10000), 0x0, 593920, ) == 0x0
 00872   476   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00873   476   NtQueryDefaultLocale  (1, 1237888, ... ) == 0x0
 00874   476   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00875   476   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1238744, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1238744, 1, 96, 0} "\210\6\32\1\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1`\0\0\0\377\377\377\377\0\0\0\0P\275\250\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\330\355\22\0\0\0\0\0" ... {128, 156, reply, 0, 464, 476, 1572, 0} " S\26\0\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1`\0\0\0\377\377\377\377\0\0\0\0P\275\250\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\330\355\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 464, 476, 1572, 0}  (24, {128, 156, new_msg, 0, 1238744, 1, 96, 0} "\210\6\32\1\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1`\0\0\0\377\377\377\377\0\0\0\0P\275\250\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\330\355\22\0\0\0\0\0" ... {128, 156, reply, 0, 464, 476, 1572, 0} " S\26\0\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1`\0\0\0\377\377\377\377\0\0\0\0P\275\250\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\330\355\22\0\0\0\0\0" )  ) == 0x0
 00876   476   NtClose  (96, ... ) == 0x0
 00877   476   NtClose  (100, ... ) == 0x0
 00878   476   NtUnmapViewOfSection  (-1, 0xa10000, ... ) == 0x0
 00879   476   NtUnmapViewOfSection  (-1, 0x12edd8, ... ) == STATUS_NOT_MAPPED_VIEW
 00880   476   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00881   476   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00882   476   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00883   476   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00884   476   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1236428, ... ) }, 1236428, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00885   476   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00886   476   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00887   476   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00888   476   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1237020, ... ) }, 1237020, ... ) == 0x0
 00889   476   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 100, {status=0x0, info=1}, ) }, 3, 33, ... 100, {status=0x0, info=1}, ) == 0x0
 00890   476   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00891   476   NtCreateKey  (0x2001f, {24, 84, 0x40, 0, 0,  (0x2001f, {24, 84, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 96, 2, ) }, 0, 0x0, 0, ... 96, 2, ) == 0x0
 00892   476   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00893   476   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1241484, ... ) }, 1241484, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00894   476   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2_32.dll"}, 1241484, ... ) }, 1241484, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00895   476   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 1241484, ... ) }, 1241484, ... ) == 0x0
 00896   476   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0
 00897   476   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 104, ... 108, ) == 0x0
 00898   476   NtQuerySection  (108, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00899   476   NtClose  (104, ... ) == 0x0
 00900   476   NtMapViewOfSection  (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 86016, ) == 0x0
 00901   476   NtClose  (108, ... ) == 0x0
 00902   476   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00903   476   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1240680, ... ) }, 1240680, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00904   476   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2HELP.dll"}, 1240680, ... ) }, 1240680, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00905   476   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 1240680, ... ) }, 1240680, ... ) == 0x0
 00906   476   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 5, 96, ... 108, {status=0x0, info=1}, ) }, 5, 96, ... 108, {status=0x0, info=1}, ) == 0x0
 00907   476   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 108, ... 104, ) == 0x0
 00908   476   NtQuerySection  (104, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00909   476   NtClose  (108, ... ) == 0x0
 00910   476   NtMapViewOfSection  (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00911   476   NtClose  (104, ... ) == 0x0
 00912   476   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00913   476   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00914   476   NtTestAlert  (... ) == 0x0
 00915   476   NtContinue  (1244464, 1, ...
 00916   476   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x490000,}, 4, ... ) == 0x0
 00917   476   NtCreateEvent  (0x1f0003, {24, 52, 0x80, 1245092, 0,  (0x1f0003, {24, 52, 0x80, 1245092, 0, "VT_3"}, 1, 0, ... 104, ) }, 1, 0, ... 104, ) == 0x0
 00918   476   NtCreateSection  (0xf0007, {24, 52, 0x80, 1245092, 0,  (0xf0007, {24, 52, 0x80, 1245092, 0, "W32_Virtu"}, {22589, 0}, 4, 134217728, 0, ... 108, ) }, {22589, 0}, 4, 134217728, 0, ... 108, ) == 0x0
 00919   476   NtMapViewOfSection  (108, -1, (0x0), 0, 22589, 0x0, 22589, 2, 0, 4, ... (0xa10000), 0x0, 24576, ) == 0x0
 00920   476   NtOpenProcessToken  (-1, 0x20, ... 112, ) == 0x0
 00921   476   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00922   476   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00923   476   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 116, ) }, ... 116, ) == 0x0
 00924   476   NtQueryValueKey  (116,  (116, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00925   476   NtClose  (116, ... ) == 0x0
 00926   476   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00927   476   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 116, ) == 0x0
 00928   476   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 120, ) == 0x0
 00929   476   NtQuerySystemTime  (... {-744635000, 29873124}, ) == 0x0
 00930   476   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 124, ) == 0x0
 00931   476   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00932   476   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0
 00933   476   NtQueryInformationProcess  (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0
 00934   476   NtQueryInformationProcess  (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0
 00935   476   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 128, ) == 0x0
 00936   476   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 132, ) == 0x0
 00937   476   NtAllocateVirtualMemory  (-1, 1425408, 0, 4096, 4096, 4, ... 1425408, 4096, ) == 0x0
 00938   476   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 136, ) }, ... 136, ) == 0x0
 00939   476   NtOpenKey  (0x20019, {24, 136, 0x40, 0, 0,  (0x20019, {24, 136, 0x40, 0, 0, "ActiveComputerName"}, ... 140, ) }, ... 140, ) == 0x0
 00940   476   NtQueryValueKey  (140,  (140, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (140, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (140, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0
 00941   476   NtClose  (140, ... ) == 0x0
 00942   476   NtClose  (136, ... ) == 0x0
 00943   476   NtCreateIoCompletion  (0x1f0003, 0x0, 0, ... 136, ) == 0x0
 00944   476   NtCreateIoCompletion  (0x1f0003, 0x0, -1, ... 140, ) == 0x0
 00945   476   NtDuplicateObject  (-1, 136, -1, 0x0, 0, 2, ... 144, ) == 0x0
 00946   476   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 00947   476   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 148, ) == 0x0
 00948   476   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 00949   476   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 00950   476   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1243268,  (0xc0100080, {24, 0, 0x40, 0, 1243268, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 152, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 152, {status=0x0, info=1}, ) == 0x0
 00951   476   NtSetInformationFile  (152, 1243324, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 00952   476   NtSetInformationFile  (152, 1243316, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 00953   476   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 00954   476   NtWriteFile  (152, 129, 0, 0,  (152, 129, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 00955   476   NtAllocateVirtualMemory  (-1, 1429504, 0, 4096, 4096, 4, ... 1429504, 4096, ) == 0x0
 00956   476   NtReadFile  (152, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (152, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20O\36\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 00957   476   NtFsControlFile  (152, 129, 0x0, 0x0, 0x11c017,  (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0<\377\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20O\36\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0<\377\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20O\36\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 00958   476   NtFsControlFile  (152, 129, 0x0, 0x0, 0x11c017,  (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\2\0\0\0H\0\0\0\0\0\37\0\0\0\0\0)$\315\14\330?\334\21\261\310\0\14)\371\246\305 \0"\0(\262\25\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 96, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0)$\315\14\330?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) \0(\262\25\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0 (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\2\0\0\0H\0\0\0\0\0\37\0\0\0\0\0)$\315\14\330?\334\21\261\310\0\14)\371\246\305 \0"\0(\262\25\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 96, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0)$\315\14\330?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) \5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0)$\315\14\330?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) == 0x103
 00959   476   NtFsControlFile  (152, 129, 0x0, 0x0, 0x11c017,  (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0)$\315\14\330?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=36},  (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0)$\315\14\330?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 00960   476   NtClose  (148, ... ) == 0x0
 00961   476   NtClose  (152, ... ) == 0x0
 00962   476   NtAdjustPrivilegesToken  (112, 0, 1245096, 0, 0, 0, ... ) == 0x0
 00963   476   NtClose  (112, ... ) == 0x0
 00964   476   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 4096, 4, ... 10616832, 65536, ) == 0x0
 00965   476   NtQuerySystemInformation  (ProcessesAndThreads, 65536, ... {system info, class 5, size 500}, 0x0, ) == 0x0
 00966   476   NtCreateSection  (0xf0007, 0x0, {12284, 0}, 4, 134217728, 0, ... 112, ) == 0x0
 00967   476   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa30000), {0, 0}, 12288, ) == 0x0
 00968   476   NtUnmapViewOfSection  (-1, 0xa30000, ... ) == 0x0
 00969   476   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa30000), {0, 0}, 12288, ) == 0x0
 00970   476   NtFreeVirtualMemory  (-1, (0xa20000), 0, 32768, ... (0xa20000), 65536, ) == 0x0
 00971   476   NtUnmapViewOfSection  (-1, 0xa30000, ... ) == 0x0
 00972   476   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0
 00973   476   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 00974   476   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0
 00975   476   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 00976   476   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0
 00977   476   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 00978   476   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0
 00979   476   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 00980   476   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0
 00981   476   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 00982   476   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {616, 0}, ... 152, ) == 0x0
 00983   476   NtOpenSection  (0x6, {24, 52, 0x0, 0, 0,  (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 148, ) }, ... 148, ) == 0x0
 00984   476   NtMapViewOfSection  (148, 152, (0x0), 0, 22589, 0x0, 22589, 2, 1048576, 4, ... (0x7ff90000), 0x0, 24576, ) == 0x0
 00985   476   NtClose  (148, ... ) == 0x0
 00986   476   NtProtectVirtualMemory  (152, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0
 00987   476   NtWriteVirtualMemory  (152, 0x77f7e603,  (152, 0x77f7e603, "\350u-\1\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00988   476   NtProtectVirtualMemory  (152, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 00989   476   NtWriteVirtualMemory  (152, 0x77f7e6a3,  (152, 0x77f7e6a3, "\350"-\1\10", 5, ... 0x0, ) -\1\10", 5, ... 0x0, ) == 0x0
 00990   476   NtProtectVirtualMemory  (152, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 00991   476   NtWriteVirtualMemory  (152, 0x77f7e6b3,  (152, 0x77f7e6b3, "\350\37-\1\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00992   476   NtAllocateVirtualMemory  (152, 0, 0, 1048576, 8192, 4, ... 22544384, 1048576, ) == 0x0
 00993   476   NtAllocateVirtualMemory  (152, 23584768, 0, 8192, 4096, 4, ... 23584768, 8192, ) == 0x0
 00994   476   NtProtectVirtualMemory  (152, (0x167e000), 4096, 260, ... (0x167e000), 4096, 4, ) == 0x0
 00995   476   NtCreateThread  (0x1f03ff, 0x0, 152, 1244008, 1244724, 1, ... 148, {616, 860}, ) == 0x0
 00996   476   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1244852, 2012750850, 2012697848, -1}  (24, {28, 56, new_msg, 0, 1244852, 2012750850, 2012697848, -1} "\0\0\0\0\1\0\1\0\0\0\25\0\0\0\0\0\224\0\0\0h\2\0\0\\3\0\0" ... {28, 56, reply, 0, 464, 476, 1573, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\224\0\0\0h\2\0\0\\3\0\0" )  ... {28, 56, reply, 0, 464, 476, 1573, 0}  (24, {28, 56, new_msg, 0, 1244852, 2012750850, 2012697848, -1} "\0\0\0\0\1\0\1\0\0\0\25\0\0\0\0\0\224\0\0\0h\2\0\0\\3\0\0" ... {28, 56, reply, 0, 464, 476, 1573, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\224\0\0\0h\2\0\0\\3\0\0" )  ) == 0x0
 00997   476   NtResumeThread  (148, ... 1, ) == 0x0
 00998   476   NtClose  (152, ... ) == 0x0
 00999   476   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0
 01000   476   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 01001   476   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {660, 0}, ... 152, ) == 0x0
 01002   476   NtOpenSection  (0x6, {24, 52, 0x0, 0, 0,  (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 156, ) }, ... 156, ) == 0x0
 01003   476   NtMapViewOfSection  (156, 152, (0x0), 0, 22589, 0x0, 22589, 2, 1048576, 4, ... (0x7ff90000), 0x0, 24576, ) == 0x0
 01004   476   NtClose  (156, ... ) == 0x0
 01005   476   NtProtectVirtualMemory  (152, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0
 01006   476   NtWriteVirtualMemory  (152, 0x77f7e603,  (152, 0x77f7e603, "\350u-\1\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01007   476   NtProtectVirtualMemory  (152, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01008   476   NtWriteVirtualMemory  (152, 0x77f7e6a3,  (152, 0x77f7e6a3, "\350"-\1\10", 5, ... 0x0, ) -\1\10", 5, ... 0x0, ) == 0x0
 01009   476   NtProtectVirtualMemory  (152, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01010   476   NtWriteVirtualMemory  (152, 0x77f7e6b3,  (152, 0x77f7e6b3, "\350\37-\1\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01011   476   NtClose  (152, ... ) == 0x0
 01012   476   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0
 01013   476   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 01014   476   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {672, 0}, ... 152, ) == 0x0
 01015   476   NtOpenSection  (0x6, {24, 52, 0x0, 0, 0,  (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 156, ) }, ... 156, ) == 0x0
 01016   476   NtMapViewOfSection  (156, 152, (0x0), 0, 22589, 0x0, 22589, 2, 1048576, 4, ... (0x7ff90000), 0x0, 24576, ) == 0x0
 01017   476   NtClose  (156, ... ) == 0x0
 01018   476   NtProtectVirtualMemory  (152, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0
 01019   476   NtWriteVirtualMemory  (152, 0x77f7e603,  (152, 0x77f7e603, "\350u-\1\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01020   476   NtProtectVirtualMemory  (152, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01021   476   NtWriteVirtualMemory  (152, 0x77f7e6a3,  (152, 0x77f7e6a3, "\350"-\1\10", 5, ... 0x0, ) -\1\10", 5, ... 0x0, ) == 0x0
 01022   476   NtProtectVirtualMemory  (152, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01023   476   NtWriteVirtualMemory  (152, 0x77f7e6b3,  (152, 0x77f7e6b3, "\350\37-\1\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01024   476   NtClose  (152, ... ) == 0x0
 01025   476   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0
 01026   476   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 01027   476   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {844, 0}, ... 152, ) == 0x0
 01028   476   NtOpenSection  (0x6, {24, 52, 0x0, 0, 0,  (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 156, ) }, ... 156, ) == 0x0
 01029   476   NtMapViewOfSection  (156, 152, (0x0), 0, 22589, 0x0, 22589, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0
 01030   476   NtClose  (156, ... ) == 0x0
 01031   476   NtProtectVirtualMemory  (152, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0
 01032   476   NtWriteVirtualMemory  (152, 0x77f7e603,  (152, 0x77f7e603, "\350u-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01033   476   NtProtectVirtualMemory  (152, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01034   476   NtWriteVirtualMemory  (152, 0x77f7e6a3,  (152, 0x77f7e6a3, "\350"-\2\10", 5, ... 0x0, ) -\2\10", 5, ... 0x0, ) == 0x0
 01035   476   NtProtectVirtualMemory  (152, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01036   476   NtWriteVirtualMemory  (152, 0x77f7e6b3,  (152, 0x77f7e6b3, "\350\37-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01037   476   NtClose  (152, ... ) == 0x0
 01038   476   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0
 01039   476   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 01040   476   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {964, 0}, ... 152, ) == 0x0
 01041   476   NtOpenSection  (0x6, {24, 52, 0x0, 0, 0,  (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 156, ) }, ... 156, ) == 0x0
 01042   476   NtMapViewOfSection  (156, 152, (0x0), 0, 22589, 0x0, 22589, 2, 1048576, 4, ... (0x7ff70000), 0x0, 24576, ) == 0x0
 01043   476   NtClose  (156, ... ) == 0x0
 01044   476   NtProtectVirtualMemory  (152, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0
 01045   476   NtWriteVirtualMemory  (152, 0x77f7e603,  (152, 0x77f7e603, "\350u-\377\7", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01046   476   NtProtectVirtualMemory  (152, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01047   476   NtWriteVirtualMemory  (152, 0x77f7e6a3,  (152, 0x77f7e6a3, "\350"-\377\7", 5, ... 0x0, ) -\377\7", 5, ... 0x0, ) == 0x0
 01048   476   NtProtectVirtualMemory  (152, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01049   476   NtWriteVirtualMemory  (152, 0x77f7e6b3,  (152, 0x77f7e6b3, "\350\37-\377\7", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01050   476   NtClose  (152, ... ) == 0x0
 01051   476   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0
 01052   476   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 01053   476   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1044, 0}, ... 152, ) == 0x0
 01054   476   NtOpenSection  (0x6, {24, 52, 0x0, 0, 0,  (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 156, ) }, ... 156, ) == 0x0
 01055   476   NtMapViewOfSection  (156, 152, (0x0), 0, 22589, 0x0, 22589, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0
 01056   476   NtClose  (156, ... ) == 0x0
 01057   476   NtProtectVirtualMemory  (152, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0
 01058   476   NtWriteVirtualMemory  (152, 0x77f7e603,  (152, 0x77f7e603, "\350u-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01059   476   NtProtectVirtualMemory  (152, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01060   476   NtWriteVirtualMemory  (152, 0x77f7e6a3,  (152, 0x77f7e6a3, "\350"-\2\10", 5, ... 0x0, ) -\2\10", 5, ... 0x0, ) == 0x0
 01061   476   NtProtectVirtualMemory  (152, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01062   476   NtWriteVirtualMemory  (152, 0x77f7e6b3,  (152, 0x77f7e6b3, "\350\37-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01063   476   NtClose  (152, ... ) == 0x0
 01064   476   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0
 01065   476   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 01066   476   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1064, 0}, ... 152, ) == 0x0
 01067   476   NtOpenSection  (0x6, {24, 52, 0x0, 0, 0,  (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 156, ) }, ... 156, ) == 0x0
 01068   476   NtMapViewOfSection  (156, 152, (0x0), 0, 22589, 0x0, 22589, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0
 01069   476   NtClose  (156, ... ) == 0x0
 01070   476   NtProtectVirtualMemory  (152, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0
 01071   476   NtWriteVirtualMemory  (152, 0x77f7e603,  (152, 0x77f7e603, "\350u-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01072   476   NtProtectVirtualMemory  (152, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01073   476   NtWriteVirtualMemory  (152, 0x77f7e6a3,  (152, 0x77f7e6a3, "\350"-\2\10", 5, ... 0x0, ) -\2\10", 5, ... 0x0, ) == 0x0
 01074   476   NtProtectVirtualMemory  (152, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01075   476   NtWriteVirtualMemory  (152, 0x77f7e6b3,  (152, 0x77f7e6b3, "\350\37-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01076   476   NtClose  (152, ... ) == 0x0
 01077   476   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0
 01078   476   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 01079   476   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1392, 0}, ... 152, ) == 0x0
 01080   476   NtOpenSection  (0x6, {24, 52, 0x0, 0, 0,  (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 156, ) }, ... 156, ) == 0x0
 01081   476   NtMapViewOfSection  (156, 152, (0x0), 0, 22589, 0x0, 22589, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0
 01082   476   NtClose  (156, ... ) == 0x0
 01083   476   NtProtectVirtualMemory  (152, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0
 01084   476   NtWriteVirtualMemory  (152, 0x77f7e603,  (152, 0x77f7e603, "\350u-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01085   476   NtProtectVirtualMemory  (152, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01086   476   NtWriteVirtualMemory  (152, 0x77f7e6a3,  (152, 0x77f7e6a3, "\350"-\2\10", 5, ... 0x0, ) -\2\10", 5, ... 0x0, ) == 0x0
 01087   476   NtProtectVirtualMemory  (152, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01088   476   NtWriteVirtualMemory  (152, 0x77f7e6b3,  (152, 0x77f7e6b3, "\350\37-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01089   476   NtClose  (152, ... ) == 0x0
 01090   476   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0
 01091   476   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 01092   476   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1632, 0}, ... 152, ) == 0x0
 01093   476   NtOpenSection  (0x6, {24, 52, 0x0, 0, 0,  (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 156, ) }, ... 156, ) == 0x0
 01094   476   NtMapViewOfSection  (156, 152, (0x0), 0, 22589, 0x0, 22589, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0
 01095   476   NtClose  (156, ... ) == 0x0
 01096   476   NtProtectVirtualMemory  (152, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0
 01097   476   NtWriteVirtualMemory  (152, 0x77f7e603,  (152, 0x77f7e603, "\350u-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01098   476   NtProtectVirtualMemory  (152, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01099   476   NtWriteVirtualMemory  (152, 0x77f7e6a3,  (152, 0x77f7e6a3, "\350"-\2\10", 5, ... 0x0, ) -\2\10", 5, ... 0x0, ) == 0x0
 01100   476   NtProtectVirtualMemory  (152, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01101   476   NtWriteVirtualMemory  (152, 0x77f7e6b3,  (152, 0x77f7e6b3, "\350\37-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01102   476   NtClose  (152, ... ) == 0x0
 01103   476   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0
 01104   476   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 01105   476   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1844, 0}, ... 152, ) == 0x0
 01106   476   NtOpenSection  (0x6, {24, 52, 0x0, 0, 0,  (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 156, ) }, ... 156, ) == 0x0
 01107   476   NtMapViewOfSection  (156, 152, (0x0), 0, 22589, 0x0, 22589, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0
 01108   476   NtClose  (156, ... ) == 0x0
 01109   476   NtProtectVirtualMemory  (152, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0
 01110   476   NtWriteVirtualMemory  (152, 0x77f7e603,  (152, 0x77f7e603, "\350u-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01111   476   NtProtectVirtualMemory  (152, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01112   476   NtWriteVirtualMemory  (152, 0x77f7e6a3,  (152, 0x77f7e6a3, "\350"-\2\10", 5, ... 0x0, ) -\2\10", 5, ... 0x0, ) == 0x0
 01113   476   NtProtectVirtualMemory  (152, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01114   476   NtWriteVirtualMemory  (152, 0x77f7e6b3,  (152, 0x77f7e6b3, "\350\37-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01115   476   NtClose  (152, ... ) == 0x0
 01116   476   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0
 01117   476   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 01118   476   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1896, 0}, ... 152, ) == 0x0
 01119   476   NtOpenSection  (0x6, {24, 52, 0x0, 0, 0,  (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 156, ) }, ... 156, ) == 0x0
 01120   476   NtMapViewOfSection  (156, 152, (0x0), 0, 22589, 0x0, 22589, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0
 01121   476   NtClose  (156, ... ) == 0x0
 01122   476   NtProtectVirtualMemory  (152, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0
 01123   476   NtWriteVirtualMemory  (152, 0x77f7e603,  (152, 0x77f7e603, "\350u-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01124   476   NtProtectVirtualMemory  (152, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01125   476   NtWriteVirtualMemory  (152, 0x77f7e6a3,  (152, 0x77f7e6a3, "\350"-\2\10", 5, ... 0x0, ) -\2\10", 5, ... 0x0, ) == 0x0
 01126   476   NtProtectVirtualMemory  (152, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01127   476   NtWriteVirtualMemory  (152, 0x77f7e6b3,  (152, 0x77f7e6b3, "\350\37-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01128   476   NtClose  (152, ... ) == 0x0
 01129   476   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0
 01130   476   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 01131   476   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {2000, 0}, ... 152, ) == 0x0
 01132   476   NtOpenSection  (0x6, {24, 52, 0x0, 0, 0,  (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 156, ) }, ... 156, ) == 0x0
 01133   476   NtMapViewOfSection  (156, 152, (0x0), 0, 22589, 0x0, 22589, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0
 01134   476   NtClose  (156, ... ) == 0x0
 01135   476   NtProtectVirtualMemory  (152, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0
 01136   476   NtWriteVirtualMemory  (152, 0x77f7e603,  (152, 0x77f7e603, "\350u-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01137   476   NtProtectVirtualMemory  (152, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01138   476   NtWriteVirtualMemory  (152, 0x77f7e6a3,  (152, 0x77f7e6a3, "\350"-\2\10", 5, ... 0x0, ) -\2\10", 5, ... 0x0, ) == 0x0
 01139   476   NtProtectVirtualMemory  (152, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01140   476   NtWriteVirtualMemory  (152, 0x77f7e6b3,  (152, 0x77f7e6b3, "\350\37-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01141   476   NtClose  (152, ... ) == 0x0
 01142   476   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0
 01143   476   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 01144   476   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {2008, 0}, ... 152, ) == 0x0
 01145   476   NtOpenSection  (0x6, {24, 52, 0x0, 0, 0,  (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 156, ) }, ... 156, ) == 0x0
 01146   476   NtMapViewOfSection  (156, 152, (0x0), 0, 22589, 0x0, 22589, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0
 01147   476   NtClose  (156, ... ) == 0x0
 01148   476   NtProtectVirtualMemory  (152, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0
 01149   476   NtWriteVirtualMemory  (152, 0x77f7e603,  (152, 0x77f7e603, "\350u-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01150   476   NtProtectVirtualMemory  (152, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01151   476   NtWriteVirtualMemory  (152, 0x77f7e6a3,  (152, 0x77f7e6a3, "\350"-\2\10", 5, ... 0x0, ) -\2\10", 5, ... 0x0, ) == 0x0
 01152   476   NtProtectVirtualMemory  (152, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01153   476   NtWriteVirtualMemory  (152, 0x77f7e6b3,  (152, 0x77f7e6b3, "\350\37-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01154   476   NtClose  (152, ... ) == 0x0
 01155   476   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0
 01156   476   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 01157   476   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {2016, 0}, ... 152, ) == 0x0
 01158   476   NtOpenSection  (0x6, {24, 52, 0x0, 0, 0,  (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 156, ) }, ... 156, ) == 0x0
 01159   476   NtMapViewOfSection  (156, 152, (0x0), 0, 22589, 0x0, 22589, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0
 01160   476   NtClose  (156, ... ) == 0x0
 01161   476   NtProtectVirtualMemory  (152, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0
 01162   476   NtWriteVirtualMemory  (152, 0x77f7e603,  (152, 0x77f7e603, "\350u-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01163   476   NtProtectVirtualMemory  (152, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01164   476   NtWriteVirtualMemory  (152, 0x77f7e6a3,  (152, 0x77f7e6a3, "\350"-\2\10", 5, ... 0x0, ) -\2\10", 5, ... 0x0, ) == 0x0
 01165   476   NtProtectVirtualMemory  (152, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01166   476   NtWriteVirtualMemory  (152, 0x77f7e6b3,  (152, 0x77f7e6b3, "\350\37-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01167   476   NtClose  (152, ... ) == 0x0
 01168   476   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0
 01169   476   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 01170   476   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {2028, 0}, ... 152, ) == 0x0
 01171   476   NtOpenSection  (0x6, {24, 52, 0x0, 0, 0,  (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 156, ) }, ... 156, ) == 0x0
 01172   476   NtMapViewOfSection  (156, 152, (0x0), 0, 22589, 0x0, 22589, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0
 01173   476   NtClose  (156, ... ) == 0x0
 01174   476   NtProtectVirtualMemory  (152, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0
 01175   476   NtWriteVirtualMemory  (152, 0x77f7e603,  (152, 0x77f7e603, "\350u-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01176   476   NtProtectVirtualMemory  (152, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01177   476   NtWriteVirtualMemory  (152, 0x77f7e6a3,  (152, 0x77f7e6a3, "\350"-\2\10", 5, ... 0x0, ) -\2\10", 5, ... 0x0, ) == 0x0
 01178   476   NtProtectVirtualMemory  (152, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01179   476   NtWriteVirtualMemory  (152, 0x77f7e6b3,  (152, 0x77f7e6b3, "\350\37-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01180   476   NtClose  (152, ... ) == 0x0
 01181   476   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0
 01182   476   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 01183   476   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {188, 0}, ... 152, ) == 0x0
 01184   476   NtOpenSection  (0x6, {24, 52, 0x0, 0, 0,  (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 156, ) }, ... 156, ) == 0x0
 01185   476   NtMapViewOfSection  (156, 152, (0x0), 0, 22589, 0x0, 22589, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0
 01186   476   NtClose  (156, ... ) == 0x0
 01187   476   NtProtectVirtualMemory  (152, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0
 01188   476   NtWriteVirtualMemory  (152, 0x77f7e603,  (152, 0x77f7e603, "\350u-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01189   476   NtProtectVirtualMemory  (152, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01190   476   NtWriteVirtualMemory  (152, 0x77f7e6a3,  (152, 0x77f7e6a3, "\350"-\2\10", 5, ... 0x0, ) -\2\10", 5, ... 0x0, ) == 0x0
 01191   476   NtProtectVirtualMemory  (152, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01192   476   NtWriteVirtualMemory  (152, 0x77f7e6b3,  (152, 0x77f7e6b3, "\350\37-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01193   476   NtClose  (152, ... ) == 0x0
 01194   476   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0
 01195   476   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 01196   476   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {260, 0}, ... 152, ) == 0x0
 01197   476   NtOpenSection  (0x6, {24, 52, 0x0, 0, 0,  (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 156, ) }, ... 156, ) == 0x0
 01198   476   NtMapViewOfSection  (156, 152, (0x0), 0, 22589, 0x0, 22589, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0
 01199   476   NtClose  (156, ... ) == 0x0
 01200   476   NtProtectVirtualMemory  (152, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0
 01201   476   NtWriteVirtualMemory  (152, 0x77f7e603,  (152, 0x77f7e603, "\350u-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01202   476   NtProtectVirtualMemory  (152, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01203   476   NtWriteVirtualMemory  (152, 0x77f7e6a3,  (152, 0x77f7e6a3, "\350"-\2\10", 5, ... 0x0, ) -\2\10", 5, ... 0x0, ) == 0x0
 01204   476   NtProtectVirtualMemory  (152, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01205   476   NtWriteVirtualMemory  (152, 0x77f7e6b3,  (152, 0x77f7e6b3, "\350\37-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01206   476   NtClose  (152, ... ) == 0x0
 01207   476   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0
 01208   476   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 01209   476   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {464, 0}, ... 152, ) == 0x0
 01210   476   NtOpenSection  (0x6, {24, 52, 0x0, 0, 0,  (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 156, ) }, ... 156, ) == 0x0
 01211   476   NtMapViewOfSection  (156, 152, (0x0), 0, 22589, 0x0, 22589, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0
 01212   476   NtClose  (156, ... ) == 0x0
 01213   476   NtProtectVirtualMemory  (152, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0
 01214   476   NtWriteVirtualMemory  (152, 0x77f7e603,  (152, 0x77f7e603, "\350u-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01215   476   NtProtectVirtualMemory  (152, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01216   476   NtWriteVirtualMemory  (152, 0x77f7e6a3,  (152, 0x77f7e6a3, "\350"-\2\10", 5, ... 0x0, ) -\2\10", 5, ... 0x0, ) == 0x0
 01217   476   NtProtectVirtualMemory  (152, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01218   476   NtWriteVirtualMemory  (152, 0x77f7e6b3,  (152, 0x77f7e6b3, "\350\37-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01219   476   NtClose  (152, ... ) == 0x0
 01220   476   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0
 01221   476   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 01222   476   NtClose  (112, ... ) == 0x0
 01223   476   NtClose  (104, ... ) == 0x0
 01224   476   NtQueryPerformanceCounter  (... {111963672, 0}, {3579545, 0}, ) == 0x0
 01225   476   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01226   476   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 10616832, 65536, ) == 0x0
 01227   476   NtAllocateVirtualMemory  (-1, 10616832, 0, 4096, 4096, 4, ... 10616832, 4096, ) == 0x0
 01228   476   NtAllocateVirtualMemory  (-1, 10620928, 0, 8192, 4096, 4, ... 10620928, 8192, ) == 0x0
 01229   476   NtAllocateVirtualMemory  (-1, 10629120, 0, 4096, 4096, 4, ... 10629120, 4096, ) == 0x0
 01230   476   NtAllocateVirtualMemory  (-1, 10633216, 0, 4096, 4096, 4, ... 10633216, 4096, ) == 0x0
 01231   476   NtAllocateVirtualMemory  (-1, 0, 0, 6, 12288, 64, ... 10682368, 4096, ) == 0x0
 01232   476   NtProtectVirtualMemory  (-1, (0xa30000), 6, 64, ...
 01233   476   NtContinue  (-136249556, 0, ...
 01232   476   NtProtectVirtualMemory  ... ) == STATUS_ACCESS_VIOLATION
 01234   476   NtFreeVirtualMemory  (-1, (0xa30000), 0, 32768, ... (0xa30000), 4096, ) == 0x0
 01235   476   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\U:\WORK\PACKED.EXE"}, 1241688, ... ) }, 1241688, ... ) == 0x0
 01236   476   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\U:\WORK\PACKED.EXE"}, 7, 2113568, ... 104, {status=0x0, info=1}, ) }, 7, 2113568, ... 104, {status=0x0, info=1}, ) == 0x0
 01237   476   NtSetInformationFile  (104, 1241664, 40, Basic, ... ) == STATUS_ACCESS_DENIED
 01238   476   NtClose  (104, ... ) == 0x0
 01239   476   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1241932,  (0x80100080, {24, 0, 0x40, 0, 1241932, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 104, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 104, {status=0x0, info=1}, ) == 0x0
 01240   476   NtQueryInformationFile  (104, 1242868, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0
 01241   476   NtQueryInformationFile  (104, 1242840, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01242   476   NtQueryInformationFile  (104, 1242792, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01243   476   NtAllocateVirtualMemory  (-1, 1433600, 0, 8192, 4096, 4, ... 1433600, 8192, ) == 0x0
 01244   476   NtQueryInformationFile  (104, 1431152, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0
 01245   476   NtQueryInformationFile  (104, 1241336, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01246   476   NtQueryInformationFile  (104, 1241180, 4, Ea, ... {status=0x0, info=4}, ) == 0x0
 01247   476   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM32\EUPSVC.EXE"}, 1240072, ... ) }, 1240072, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01248   476   NtCreateFile  (0x40110080, {24, 0, 0x40, 0, 1241188,  (0x40110080, {24, 0, 0x40, 0, 1241188, "\??\C:\WINDOWS\System32\eupsvc.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ...
 01249   476   NtClose  (-2147482020, ... ) == 0x0
 01248   476   NtCreateFile  ... 112, {status=0x0, info=2}, ) == 0x0
 01250   476   NtQueryVolumeInformationFile  (112, 1240560, 536, Attribute, ... {status=0x0, info=22}, ) == 0x0
 01251   476   NtQueryInformationFile  (112, 1240520, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01252   476   NtQueryVolumeInformationFile  (104, 1240560, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 01253   476   NtQueryVolumeInformationFile  (104, 1240244, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01254   476   NtSetInformationFile  (112, 1240348, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01255   476   NtCreateSection  (0xf001f, 0x0, 0x0, 2, 134217728, 104, ... 152, ) == 0x0
 01256   476   NtMapViewOfSection  (152, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xa30000), {0, 0}, 221184, ) == 0x0
 01257   476   NtClose  (152, ... ) == 0x0
 01258   476   NtWriteFile  (112, 0, 0, 0,  (112, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0    \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\370\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0V^\2517\22?\307d\22?\307d\22?\307d5\371\272d\11?\307d5\371\252d\234?\307d5\371\251d ?\307d\2217\232d\20?\307d\3210\232d\35?\307d\22?\306d\277?\307d5\371\265d\16?\307d5\371\277d\23?\307dRich\22?\307d\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0o\241\3\243"\202\300O\253\236\215\371S\364\26\360PE\0\0L\1\10\0!u\342E\0\0\0\0\0\0\0\0\340\0\3\1\13\1\10\0\0\320\1\0\0\260\0\0\0\0\0\0\0\0\11\0\0\320\5\0\0\340\1\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0`\11\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\320\5\0\20\1\0\0\0\220\3\0\260\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\321\5\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.tex", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) \202\300O\253\236\215\371S\364\26\360PE\0\0L\1\10\0!u\342E\0\0\0\0\0\0\0\0\340\0\3\1\13\1\10\0\0\320\1\0\0\260\0\0\0\0\0\0\0\0\11\0\0\320\5\0\0\340\1\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0`\11\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\320\5\0\20\1\0\0\0\220\3\0\260\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\321\5\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.tex", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 01259   476   NtWriteFile  (112, 0, 0, 0,  (112, 0, 0, 0, "\240\326\243_\3413\226\361\305d\223d\313?f\366\201\319\22\271\10\230\316Up}1T\356e\148\236@k\316\31f\346\324Z1-\354j\15\202\357K\321\352.uj\264r!\27I\355"\236\202I\0\4B\27\223\2005c\X\3]\235J\4[\12\216QY\200\211(\21\355RN\17AD\270%\255\21o\247\230\240\221\210$w\11\366H\6$\22\1=\31\371\240\230\202D\3046\356\0\344ru\377\207Kb\310\324)N\256\42D\314\267\265\276\251`\277AEM\16\270u\25\314U\3474\360Q\200\277\324\227\327\200\264(\1\7K\352"s\323\331\212\356jl5\225\223"b\253\301T\13\201\324\245\311\0\243%2\327\352\241\250\210\301m\272\330\325\270MY\26\37l\264\221\267\273\350\243\256\342\347\264\20z\273{\355\227BO\352Z\37\273\353"D\261\300q\341\11\247}G\353\26\365\236\324\336\2\334\316\344BE\216Z\231\20\312\363#\12\304\\304V\5\336W\374\212\325\250*\226\361U\210\331J\367*\365\3\266t\235\211\222@\301JF\21\316~=\275\306W.\252\30\5.\356I\367{\10\374\373^\214J\254'\351F|*\376\232\304.\256\7fCKB\267h\221\326\31\25,F.\355(+\343\334\35\14\204#\257k\223E24\210\223\5\364Y(?4i\3665]\227@\236\250v\214M::vS\355\367c\253\2031s\31\21\361\245*\356\311\316E\234\5\206)\316i)\316%a\203\326#\311x9A\247\374\12\274hs\201\245\4$W@\312h#"Xe\28R3\373\303;\212N\233\232\324!%i\271U\7\13\243][\370``\365\1\223\32V\21)\244\352\207C\305\200\342xc\220:`\232T\2302?\14\243\315\2kW\245\300\330\314\367\273\3001\225", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) \236\202I\0\4B\27\223\2005c\X\3]\235J\4[\12\216QY\200\211(\21\355RN\17AD\270%\255\21o\247\230\240\221\210$w\11\366H\6$\22\1=\31\371\240\230\202D\3046\356\0\344ru\377\207Kb\310\324)N\256\42D\314\267\265\276\251`\277AEM\16\270u\25\314U\3474\360Q\200\277\324\227\327\200\264(\1\7K\352 (112, 0, 0, 0, "\240\326\243_\3413\226\361\305d\223d\313?f\366\201\319\22\271\10\230\316Up}1T\356e\148\236@k\316\31f\346\324Z1-\354j\15\202\357K\321\352.uj\264r!\27I\355"\236\202I\0\4B\27\223\2005c\X\3]\235J\4[\12\216QY\200\211(\21\355RN\17AD\270%\255\21o\247\230\240\221\210$w\11\366H\6$\22\1=\31\371\240\230\202D\3046\356\0\344ru\377\207Kb\310\324)N\256\42D\314\267\265\276\251`\277AEM\16\270u\25\314U\3474\360Q\200\277\324\227\327\200\264(\1\7K\352"s\323\331\212\356jl5\225\223"b\253\301T\13\201\324\245\311\0\243%2\327\352\241\250\210\301m\272\330\325\270MY\26\37l\264\221\267\273\350\243\256\342\347\264\20z\273{\355\227BO\352Z\37\273\353"D\261\300q\341\11\247}G\353\26\365\236\324\336\2\334\316\344BE\216Z\231\20\312\363#\12\304\\304V\5\336W\374\212\325\250*\226\361U\210\331J\367*\365\3\266t\235\211\222@\301JF\21\316~=\275\306W.\252\30\5.\356I\367{\10\374\373^\214J\254'\351F|*\376\232\304.\256\7fCKB\267h\221\326\31\25,F.\355(+\343\334\35\14\204#\257k\223E24\210\223\5\364Y(?4i\3665]\227@\236\250v\214M::vS\355\367c\253\2031s\31\21\361\245*\356\311\316E\234\5\206)\316i)\316%a\203\326#\311x9A\247\374\12\274hs\201\245\4$W@\312h#"Xe\28R3\373\303;\212N\233\232\324!%i\271U\7\13\243][\370``\365\1\223\32V\21)\244\352\207C\305\200\342xc\220:`\232T\2302?\14\243\315\2kW\245\300\330\314\367\273\3001\225", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) b\253\301T\13\201\324\245\311\0\243%2\327\352\241\250\210\301m\272\330\325\270MY\26\37l\264\221\267\273\350\243\256\342\347\264\20z\273{\355\227BO\352Z\37\273\353 (112, 0, 0, 0, "\240\326\243_\3413\226\361\305d\223d\313?f\366\201\319\22\271\10\230\316Up}1T\356e\148\236@k\316\31f\346\324Z1-\354j\15\202\357K\321\352.uj\264r!\27I\355"\236\202I\0\4B\27\223\2005c\X\3]\235J\4[\12\216QY\200\211(\21\355RN\17AD\270%\255\21o\247\230\240\221\210$w\11\366H\6$\22\1=\31\371\240\230\202D\3046\356\0\344ru\377\207Kb\310\324)N\256\42D\314\267\265\276\251`\277AEM\16\270u\25\314U\3474\360Q\200\277\324\227\327\200\264(\1\7K\352"s\323\331\212\356jl5\225\223"b\253\301T\13\201\324\245\311\0\243%2\327\352\241\250\210\301m\272\330\325\270MY\26\37l\264\221\267\273\350\243\256\342\347\264\20z\273{\355\227BO\352Z\37\273\353"D\261\300q\341\11\247}G\353\26\365\236\324\336\2\334\316\344BE\216Z\231\20\312\363#\12\304\\304V\5\336W\374\212\325\250*\226\361U\210\331J\367*\365\3\266t\235\211\222@\301JF\21\316~=\275\306W.\252\30\5.\356I\367{\10\374\373^\214J\254'\351F|*\376\232\304.\256\7fCKB\267h\221\326\31\25,F.\355(+\343\334\35\14\204#\257k\223E24\210\223\5\364Y(?4i\3665]\227@\236\250v\214M::vS\355\367c\253\2031s\31\21\361\245*\356\311\316E\234\5\206)\316i)\316%a\203\326#\311x9A\247\374\12\274hs\201\245\4$W@\312h#"Xe\28R3\373\303;\212N\233\232\324!%i\271U\7\13\243][\370``\365\1\223\32V\21)\244\352\207C\305\200\342xc\220:`\232T\2302?\14\243\315\2kW\245\300\330\314\367\273\3001\225", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) Xe\28R3\373\303;\212N\233\232\324!%i\271U\7\13\243][\370``\365\1\223\32V\21)\244\352\207C\305\200\342xc\220:`\232T\2302?\14\243\315\2kW\245\300\330\314\367\273\3001\225", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 01260   476   NtWriteFile  (112, 0, 0, 0,  (112, 0, 0, 0, "\353`m\263\222\16Zi\373\3759\377Al:\306\233\30\21!g\226\254j\14Q\312\366P)6\252\361\374wR\276\216\30\3\6\310\255\6\303'tiZ\357L\17{\272\303\341\201\245\20\361\323yf&\17\6\11\261\207\300\303\321\17\30\367u@\301\324\371\356-\253.S\255\244"O2\34\22\255\274;T\237\363\354\11g\5\17\260Q\25e\345\233k\272O\313\202dw\355\277N\371:\373\346N\324R\352\11\21\36\225H\31\253\326g_\31-w\264'\304\336\245r\330\\277\3C&\3\341(\372\275\244\2113&y\366\12\331\11H\22E\331P\320\324\374\304\375b\232b\354\253nU\230\266\32U\372\330\266FP\207^b,\256\27G\325Hz|\264\315\216S\247\2c\263\34\267\10\320G\205\237\323\37\36\367\235\253\322\211\226\263\325#%\272\325\252V\357T\336Hw[9x\37\374\26G\207\35\253\7\225[<~\257\20221a\375\233\300<\374^\337\352\231D\225m\25\21s\225\244\340\3\206\15\302\331\13\257`\221\352\355=;\377}\104\363L\224\1181\243\346u\317\346\204\350\33=\276,z\263\203\227\353\342\361\340G\263\345\274\6\253c\230\262n\2260V-?\370\242\371\376=\235\355+\232\306\315\353\27\235[^\17\245\322\4K\271B\252\314\343E{0q\206\325\212\352\314\16\342\244\27\241\324U_[oL\327\332\320h\264\22\311\206\255\312\301\2774\364\300\242\310\34J\277.\261k\13g\353\251\32\307\234\7XX\301e7\227\26\322\360\226R\200\242\12m\363\331r\336+\202\30\341]\263\254\273l\21\27\343\210\24\255\245EV\4\305\310_\247\322\237|\326fT\213\251\255\267\2\255\13Uev(\374\375\37\226\275M\300]\310\215\316\303\7\202H\343p3\45\367\247}\377\26Fb\255", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) O2\34\22\255\274;T\237\363\354\11g\5\17\260Q\25e\345\233k\272O\313\202dw\355\277N\371:\373\346N\324R\352\11\21\36\225H\31\253\326g_\31-w\264'\304\336\245r\330\\277\3C&\3\341(\372\275\244\2113&y\366\12\331\11H\22E\331P\320\324\374\304\375b\232b\354\253nU\230\266\32U\372\330\266FP\207^b,\256\27G\325Hz|\264\315\216S\247\2c\263\34\267\10\320G\205\237\323\37\36\367\235\253\322\211\226\263\325#%\272\325\252V\357T\336Hw[9x\37\374\26G\207\35\253\7\225[<~\257\20221a\375\233\300<\374^\337\352\231D\225m\25\21s\225\244\340\3\206\15\302\331\13\257`\221\352\355=;\377}\104\363L\224\1181\243\346u\317\346\204\350\33=\276,z\263\203\227\353\342\361\340G\263\345\274\6\253c\230\262n\2260V-?\370\242\371\376=\235\355+\232\306\315\353\27\235[^\17\245\322\4K\271B\252\314\343E{0q\206\325\212\352\314\16\342\244\27\241\324U_[oL\327\332\320h\264\22\311\206\255\312\301\2774\364\300\242\310\34J\277.\261k\13g\353\251\32\307\234\7XX\301e7\227\26\322\360\226R\200\242\12m\363\331r\336+\202\30\341]\263\254\273l\21\27\343\210\24\255\245EV\4\305\310_\247\322\237|\326fT\213\251\255\267\2\255\13Uev(\374\375\37\226\275M\300]\310\215\316\303\7\202H\343p3\45\367\247}\377\26Fb\255", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 01261   476   NtWriteFile  (112, 0, 0, 0,  (112, 0, 0, 0, "\25\313\36\270\214\226\21B\304\243`\371\275\66-:\177\243\35\264OQ\207\273\321\2559\243/O\202\300\216\234\3505\315D*\27+\220\360\354\201\205G\337\266\240\331\221\303\273\333\242\5w\247\254\25_\376\332\12\240\26\4!\212e\22e\344\276/Y\341\235] \362\240!YK\343F\36\370\36\13\255\270\361\316\245\210#\16\3\332\215\371fC\263\243\253\262\220\323]\21\37\12\277o\222\252\231\316T\354\207U\205\334\25-r\251\274\373%\22\251\66\313\2534g}S\177\17\271\232\360~\313E\234U\305\2515z\252\226\376g\211\15\203\364\316\275\314\310\237Iz\227+\233\317\270f\21\310?\266\367\213\251\24\34\365\321\307\370;\31?\334+\232\231~\30\0i\231c\303\36\325\253\361[\276\205lp\264O\224<\365\353\200B@\247\4\360\225\366B\212H9\336\252\242Ui\265\330\331\364\371\305a\3663\347\213[\315\250\343m\321\273$\203\210\350\27\234\271"\16\3774\312\215^\26\275{Yv}\366\322Tc\321'\221&2\275\244\352\343\12%\245\323\274\231\320\237,\270{\333a2m\331G\352\243\261\320\262~_\376A~wS-\366X*\275d?_\241S\37J\321\311fITQF\341Zm\320\320\312\23\30QfoQ%\236\24\241\202T\334t\264\211\376\320\300\25jt\331\365\2\245\15\276s\26\307\\331\267m`n5\272J\312\360\201\317\324(\375f]\355\33\256\13#\6\320\5D\6\247%\200\376\210oe\30+\368\243\2454\2137\327e\371\27\336\201\314\331$\3N]\177\341\227\3270\5\236\355\352\344\306\366\303t0\370\230i->LX\4\263\345 \364/\10\342\325\363X\33\277\357\260\357>G\344\344\244D)\373\23\23?\321^\205\16\337\372\240C\342\276", 35328, 0x0, 0, ... {status=0x0, info=35328}, ) \16\3774\312\215^\26\275{Yv}\366\322Tc\321'\221&2\275\244\352\343\12%\245\323\274\231\320\237,\270{\333a2m\331G\352\243\261\320\262~_\376A~wS-\366X*\275d?_\241S\37J\321\311fITQF\341Zm\320\320\312\23\30QfoQ%\236\24\241\202T\334t\264\211\376\320\300\25jt\331\365\2\245\15\276s\26\307\\331\267m`n5\272J\312\360\201\317\324(\375f]\355\33\256\13#\6\320\5D\6\247%\200\376\210oe\30+\368\243\2454\2137\327e\371\27\336\201\314\331$\3N]\177\341\227\3270\5\236\355\352\344\306\366\303t0\370\230i->LX\4\263\345 \364/\10\342\325\363X\33\277\357\260\357>G\344\344\244D)\373\23\23?\321^\205\16\337\372\240C\342\276", 35328, 0x0, 0, ... {status=0x0, info=35328}, ) == 0x0
 01262   476   NtUnmapViewOfSection  (-1, 0xa30000, ... ) == 0x0
 01263   476   NtSetInformationFile  (112, 1242792, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01264   476   NtClose  (104, ... ) == 0x0
 01265   476   NtClose  (112, ... ) == 0x0
 01266   476   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 01267   476   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\eupsvc.exe"}, 1239084, ... ) }, 1239084, ... ) == 0x0
 01268   476   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\eupsvc.exe"}, 1239776, ... ) }, 1239776, ... ) == 0x0
 01269   476   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\eupsvc.exe"}, 5, 96, ... 112, {status=0x0, info=1}, ) }, 5, 96, ... 112, {status=0x0, info=1}, ) == 0x0
 01270   476   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 112, ... 104, ) == 0x0
 01271   476   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01272   476   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 152, ) }, ... 152, ) == 0x0
 01273   476   NtQueryValueKey  (152,  (152, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01274   476   NtClose  (152, ... ) == 0x0
 01275   476   NtQueryVolumeInformationFile  (112, 1239084, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01276   476   NtOpenMutant  (0x120001, {24, 52, 0x0, 0, 0,  (0x120001, {24, 52, 0x0, 0, 0, "ShimCacheMutex"}, ... 152, ) }, ... 152, ) == 0x0
 01277   476   NtWaitForSingleObject  (152, 0, {-1000000, -1}, ... ) == 0x0
 01278   476   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "ShimSharedMemory"}, ... 156, ) }, ... 156, ) == 0x0
 01279   476   NtMapViewOfSection  (156, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa30000), {0, 0}, 57344, ) == 0x0
 01280   476   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 01281   476   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1237068, ... ) }, 1237068, ... ) == 0x0
 01282   476   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 160, {status=0x0, info=1}, ) }, 5, 96, ... 160, {status=0x0, info=1}, ) == 0x0
 01283   476   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 160, ... 164, ) == 0x0
 01284   476   NtClose  (160, ... ) == 0x0
 01285   476   NtMapViewOfSection  (164, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa40000), 0x0, 106496, ) == 0x0
 01286   476   NtClose  (164, ... ) == 0x0
 01287   476   NtUnmapViewOfSection  (-1, 0xa40000, ... ) == 0x0
 01288   476   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1237384, ... ) }, 1237384, ... ) == 0x0
 01289   476   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 164, {status=0x0, info=1}, ) }, 5, 96, ... 164, {status=0x0, info=1}, ) == 0x0
 01290   476   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 164, ... 160, ) == 0x0
 01291   476   NtQuerySection  (160, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01292   476   NtClose  (164, ... ) == 0x0
 01293   476   NtMapViewOfSection  (160, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f40000), 0x0, 118784, ) == 0x0
 01294   476   NtClose  (160, ... ) == 0x0
 01295   476   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 160, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 160, {status=0x0, info=1}, ) == 0x0
 01296   476   NtQueryInformationFile  (160, 1237672, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01297   476   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 160, ... 164, ) == 0x0
 01298   476   NtMapViewOfSection  (164, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xa40000), 0x0, 1028096, ) == 0x0
 01299   476   NtQueryInformationFile  (160, 1237768, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01300   476   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01301   476   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01302   476   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 01303   476   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 168, {status=0x0, info=1}, ) }, 3, 16417, ... 168, {status=0x0, info=1}, ) == 0x0
 01304   476   NtQueryDirectoryFile  (168, 0, 0, 0, 1235332, 616, BothDirectory, 1,  (168, 0, 0, 0, 1235332, 616, BothDirectory, 1, "eupsvc.exe", 0, ... {status=0x0, info=114}, ) , 0, ... {status=0x0, info=114}, ) == 0x0
 01305   476   NtClose  (168, ... ) == 0x0
 01306   476   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01307   476   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01308   476   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\eupsvc.exe"}, 1234720, ... ) }, 1234720, ... ) == 0x0
 01309   476   NtAllocateVirtualMemory  (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0
 01310   476   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 168, {status=0x0, info=1}, ) }, 3, 16417, ... 168, {status=0x0, info=1}, ) == 0x0
 01311   476   NtQueryDirectoryFile  (168, 0, 0, 0, 1234080, 616, BothDirectory, 1,  (168, 0, 0, 0, 1234080, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01312   476   NtClose  (168, ... ) == 0x0
 01313   476   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 168, {status=0x0, info=1}, ) }, 3, 16417, ... 168, {status=0x0, info=1}, ) == 0x0
 01314   476   NtQueryDirectoryFile  (168, 0, 0, 0, 1234080, 616, BothDirectory, 1,  (168, 0, 0, 0, 1234080, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01315   476   NtClose  (168, ... ) == 0x0
 01316   476   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 168, {status=0x0, info=1}, ) }, 3, 16417, ... 168, {status=0x0, info=1}, ) == 0x0
 01317   476   NtQueryDirectoryFile  (168, 0, 0, 0, 1234080, 616, BothDirectory, 1,  (168, 0, 0, 0, 1234080, 616, BothDirectory, 1, "eupsvc.exe", 0, ... {status=0x0, info=114}, ) , 0, ... {status=0x0, info=114}, ) == 0x0
 01318   476   NtClose  (168, ... ) == 0x0
 01319   476   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01320   476   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01321   476   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01322   476   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01323   476   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 168, ) == 0x0
 01324   476   NtQueryInformationToken  (168, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01325   476   NtClose  (168, ... ) == 0x0
 01326   476   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01327   476   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\eupsvc.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01328   476   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01329   476   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01330   476   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\eupsvc.exe"}, 1237000, ... ) }, 1237000, ... ) == 0x0
 01331   476   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 168, {status=0x0, info=1}, ) }, 3, 16417, ... 168, {status=0x0, info=1}, ) == 0x0
 01332   476   NtQueryDirectoryFile  (168, 0, 0, 0, 1236360, 616, BothDirectory, 1,  (168, 0, 0, 0, 1236360, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01333   476   NtClose  (168, ... ) == 0x0
 01334   476   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 168, {status=0x0, info=1}, ) }, 3, 16417, ... 168, {status=0x0, info=1}, ) == 0x0
 01335   476   NtQueryDirectoryFile  (168, 0, 0, 0, 1236360, 616, BothDirectory, 1,  (168, 0, 0, 0, 1236360, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01336   476   NtClose  (168, ... ) == 0x0
 01337   476   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 168, {status=0x0, info=1}, ) }, 3, 16417, ... 168, {status=0x0, info=1}, ) == 0x0
 01338   476   NtQueryDirectoryFile  (168, 0, 0, 0, 1236360, 616, BothDirectory, 1,  (168, 0, 0, 0, 1236360, 616, BothDirectory, 1, "eupsvc.exe", 0, ... {status=0x0, info=114}, ) , 0, ... {status=0x0, info=114}, ) == 0x0
 01339   476   NtClose  (168, ... ) == 0x0
 01340   476   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01341   476   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01342   476   NtWaitForSingleObject  (152, 0, {-1000000, -1}, ... ) == 0x0
 01343   476   NtQueryVolumeInformationFile  (112, 1237644, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01344   476   NtQueryInformationFile  (112, 1237624, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01345   476   NtQueryInformationFile  (112, 1237664, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01346   476   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 01347   476   NtUnmapViewOfSection  (-1, 0xa40000, ... ) == 0x0
 01348   476   NtClose  (164, ... ) == 0x0
 01349   476   NtClose  (160, ... ) == 0x0
 01350   476   NtQuerySection  (104, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01351   476   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\eupsvc.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01352   476   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 01353   476   NtOpenProcessToken  (-1, 0xa, ... 160, ) == 0x0
 01354   476   NtQueryInformationToken  (160, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 01355   476   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01356   476   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 164, ) }, ... 164, ) == 0x0
 01357   476   NtQueryValueKey  (164,  (164, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (164, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01358   476   NtQueryValueKey  (164,  (164, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (164, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01359   476   NtClose  (164, ... ) == 0x0
 01360   476   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 164, ) }, ... 164, ) == 0x0
 01361   476   NtQueryValueKey  (164,  (164, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 01362   476   NtQueryValueKey  (164,  (164, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (164, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0
 01363   476   NtClose  (164, ... ) == 0x0
 01364   476   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\LevelObjects"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01365   476   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 164, ) }, ... 164, ) == 0x0
 01366   476   NtQueryValueKey  (164,  (164, "Levels", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01367   476   NtClose  (164, ... ) == 0x0
 01368   476   NtQueryDefaultLocale  (1, 1238456, ... ) == 0x0
 01369   476   NtQueryDefaultLocale  (1, 1238456, ... ) == 0x0
 01370   476   NtQueryDefaultLocale  (1, 1238456, ... ) == 0x0
 01371   476   NtQueryDefaultLocale  (1, 1238456, ... ) == 0x0
 01372   476   NtQueryDefaultLocale  (1, 1238456, ... ) == 0x0
 01373   476   NtQueryDefaultLocale  (1, 1238456, ... ) == 0x0
 01374   476   NtQueryDefaultLocale  (1, 1238456, ... ) == 0x0
 01375   476   NtQueryDefaultLocale  (1, 1238456, ... ) == 0x0
 01376   476   NtQueryDefaultLocale  (1, 1238456, ... ) == 0x0
 01377   476   NtQueryDefaultLocale  (1, 1238456, ... ) == 0x0
 01378   476   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... 164, ) }, ... 164, ) == 0x0
 01379   476   NtEnumerateKey  (164, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name= (164, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name="{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, 92, ) }, 92, ) == 0x0
 01380   476   NtOpenKey  (0x20019, {24, 164, 0x40, 0, 0,  (0x20019, {24, 164, 0x40, 0, 0, "{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, ... 168, ) }, ... 168, ) == 0x0
 01381   476   NtQueryValueKey  (168,  (168, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) , Partial, 280, ... TitleIdx=0, Type=2, Data= (168, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) }, 202, ) == 0x0
 01382   476   NtQueryValueKey  (168,  (168, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (168, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01383   476   NtClose  (168, ... ) == 0x0
 01384   476   NtEnumerateKey  (164, 1, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES
 01385   476   NtClose  (164, ... ) == 0x0
 01386   476   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01387   476   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01388   476   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01389   476   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01390   476   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01391   476   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01392   476   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01393   476   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01394   476   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01395   476   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01396   476   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01397   476   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01398   476   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01399   476   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01400   476   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01401   476   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 164, ) == 0x0
 01402   476   NtQueryInformationToken  (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01403   476   NtClose  (164, ... ) == 0x0
 01404   476   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01405   476   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01406   476   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 164, ) == 0x0
 01407   476   NtQueryInformationToken  (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01408   476   NtClose  (164, ... ) == 0x0
 01409   476   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01410   476   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01411   476   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 164, ) == 0x0
 01412   476   NtQueryInformationToken  (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01413   476   NtClose  (164, ... ) == 0x0
 01414   476   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01415   476   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01416   476   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 164, ) == 0x0
 01417   476   NtQueryInformationToken  (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01418   476   NtClose  (164, ... ) == 0x0
 01419   476   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01420   476   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01421   476   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 164, ) == 0x0
 01422   476   NtQueryInformationToken  (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01423   476   NtClose  (164, ... ) == 0x0
 01424   476   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01425   476   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01426   476   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 164, ) == 0x0
 01427   476   NtQueryInformationToken  (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01428   476   NtClose  (164, ... ) == 0x0
 01429   476   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01430   476   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01431   476   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 164, ) == 0x0
 01432   476   NtQueryInformationToken  (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01433   476   NtClose  (164, ... ) == 0x0
 01434   476   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01435   476   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01436   476   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 164, ) == 0x0
 01437   476   NtQueryInformationToken  (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01438   476   NtClose  (164, ... ) == 0x0
 01439   476   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01440   476   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01441   476   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 164, ) == 0x0
 01442   476   NtQueryInformationToken  (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01443   476   NtClose  (164, ... ) == 0x0
 01444   476   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01445   476   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01446   476   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 164, ) == 0x0
 01447   476   NtQueryInformationToken  (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01448   476   NtClose  (164, ... ) == 0x0
 01449   476   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01450   476   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01451   476   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 164, ) == 0x0
 01452   476   NtQueryInformationToken  (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01453   476   NtClose  (164, ... ) == 0x0
 01454   476   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01455   476   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01456   476   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 164, ) == 0x0
 01457   476   NtQueryInformationToken  (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01458   476   NtClose  (164, ... ) == 0x0
 01459   476   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01460   476   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01461   476   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 164, ) == 0x0
 01462   476   NtQueryInformationToken  (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01463   476   NtClose  (164, ... ) == 0x0
 01464   476   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01465   476   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01466   476   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 164, ) == 0x0
 01467   476   NtQueryInformationToken  (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01468   476   NtClose  (164, ... ) == 0x0
 01469   476   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01470   476   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01471   476   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 164, ) == 0x0
 01472   476   NtQueryInformationToken  (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01473   476   NtClose  (164, ... ) == 0x0
 01474   476   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01475   476   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 164, ) }, ... 164, ) == 0x0
 01476   476   NtQueryValueKey  (164,  (164, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (164, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Data= (164, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) }, 48, ) == 0x0
 01477   476   NtClose  (164, ... ) == 0x0
 01478   476   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01479   476   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 164, ) == 0x0
 01480   476   NtQueryInformationToken  (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01481   476   NtClose  (164, ... ) == 0x0
 01482   476   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01483   476   NtOpenThreadToken  (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN
 01484   476   NtOpenProcessToken  (-1, 0xa, ... 164, ) == 0x0
 01485   476   NtDuplicateToken  (164, 0xc, {24, 0, 0x0, 0, 1238976, 0x0}, 0, 2, ... 168, ) == 0x0
 01486   476   NtClose  (164, ... ) == 0x0
 01487   476   NtAccessCheck  (1438096, 168, 0x1, 1239104, 1239048, 56, 1239132, ... (0x1), ) == 0x0
 01488   476   NtClose  (168, ... ) == 0x0
 01489   476   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 168, ) }, ... 168, ) == 0x0
 01490   476   NtQueryValueKey  (168,  (168, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (168, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01491   476   NtClose  (168, ... ) == 0x0
 01492   476   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 168, ) }, ... 168, ) == 0x0
 01493   476   NtQuerySymbolicLinkObject  (168, ...  (168, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0
 01494   476   NtClose  (168, ... ) == 0x0
 01495   476   NtQueryInformationFile  (112, 1237436, 528, Name, ... {status=0x0, info=60}, ) == 0x0
 01496   476   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01497   476   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01498   476   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\eupsvc.exe"}, 1236116, ... ) }, 1236116, ... ) == 0x0
 01499   476   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 168, {status=0x0, info=1}, ) }, 3, 16417, ... 168, {status=0x0, info=1}, ) == 0x0
 01500   476   NtQueryDirectoryFile  (168, 0, 0, 0, 1235476, 616, BothDirectory, 1,  (168, 0, 0, 0, 1235476, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01501   476   NtClose  (168, ... ) == 0x0
 01502   476   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 168, {status=0x0, info=1}, ) }, 3, 16417, ... 168, {status=0x0, info=1}, ) == 0x0
 01503   476   NtQueryDirectoryFile  (168, 0, 0, 0, 1235476, 616, BothDirectory, 1,  (168, 0, 0, 0, 1235476, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01504   476   NtClose  (168, ... ) == 0x0
 01505   476   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 168, {status=0x0, info=1}, ) }, 3, 16417, ... 168, {status=0x0, info=1}, ) == 0x0
 01506   476   NtQueryDirectoryFile  (168, 0, 0, 0, 1235476, 616, BothDirectory, 1,  (168, 0, 0, 0, 1235476, 616, BothDirectory, 1, "eupsvc.exe", 0, ... {status=0x0, info=114}, ) , 0, ... {status=0x0, info=114}, ) == 0x0
 01507   476   NtClose  (168, ... ) == 0x0
 01508   476   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01509   476   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01510   476   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01511   476   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 168, ) == 0x0
 01512   476   NtQueryInformationToken  (168, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01513   476   NtClose  (168, ... ) == 0x0
 01514   476   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 168, ) }, ... 168, ) == 0x0
 01515   476   NtOpenKey  (0x20019, {24, 168, 0x40, 0, 0,  (0x20019, {24, 168, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 164, ) }, ... 164, ) == 0x0
 01516   476   NtClose  (168, ... ) == 0x0
 01517   476   NtQueryValueKey  (164,  (164, "Cache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01518   476   NtQueryValueKey  (164,  (164, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=1, Data= (164, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) }, 162, ) == 0x0
 01519   476   NtClose  (164, ... ) == 0x0
 01520   476   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 8192, 4, ... 10747904, 4096, ) == 0x0
 01521   476   NtAllocateVirtualMemory  (-1, 10747904, 0, 4096, 4096, 4, ... 10747904, 4096, ) == 0x0
 01522   476   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 164, ) }, ... 164, ) == 0x0
 01523   476   NtQueryValueKey  (164,  (164, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01524   476   NtClose  (164, ... ) == 0x0
 01525   476   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01526   476   NtQueryInformationToken  (160, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0
 01527   476   NtQueryInformationToken  (160, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0
 01528   476   NtClose  (160, ... ) == 0x0
 01529   476   NtCreateProcessEx  (1241712, 2035711, 0, -1, 0, 104, 0, 0, 0, ... ) == 0x0
 01530   476   NtOpenSection  (0x6, {24, 52, 0x0, 0, 0,  (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 164, ) }, ... 164, ) == 0x0
 01531   476   NtMapViewOfSection  (164, 160, (0x0), 0, 22589, 0x0, 22589, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0
 01532   476   NtClose  (164, ... ) == 0x0
 01533   476   NtProtectVirtualMemory  (160, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0
 01534   476   NtWriteVirtualMemory  (160, 0x77f7e603,  (160, 0x77f7e603, "\350u-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01535   476   NtProtectVirtualMemory  (160, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01536   476   NtWriteVirtualMemory  (160, 0x77f7e6a3,  (160, 0x77f7e6a3, "\350"-\2\10", 5, ... 0x0, ) -\2\10", 5, ... 0x0, ) == 0x0
 01537   476   NtProtectVirtualMemory  (160, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01538   476   NtWriteVirtualMemory  (160, 0x77f7e6b3,  (160, 0x77f7e6b3, "\350\37-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01539   476   NtSetInformationProcess  (160, PriorityClass, {process info, class 18, size 2}, 512, ... ) == 0x0
 01540   476   NtQueryInformationProcess  (160, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=888,ParentPid=464,}, 0x0, ) == 0x0
 01541   476   NtReadVirtualMemory  (160, 0x7ffdf008, 4, ...  (160, 0x7ffdf008, 4, ... "\0\0@\0", 0x0, ) , 0x0, ) == 0x0
 01542   476   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\eupsvc.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01543   476   NtAllocateVirtualMemory  (-1, 1441792, 0, 8192, 4096, 4, ... 1441792, 8192, ) == 0x0
 01544   476   NtReadVirtualMemory  (160, 0x400000, 4096, ...  (160, 0x400000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0    \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\370\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0V^\2517\22?\307d\22?\307d\22?\307d5\371\272d\11?\307d5\371\252d\234?\307d5\371\251d ?\307d\2217\232d\20?\307d\3210\232d\35?\307d\22?\306d\277?\307d5\371\265d\16?\307d5\371\277d\23?\307dRich\22?\307d\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0o\241\3\243"\202\300O\253\236\215\371S\364\26\360PE\0\0L\1\10\0!u\342E\0\0\0\0\0\0\0\0\340\0\3\1\13\1\10\0\0\320\1\0\0\260\0\0\0\0\0\0\0\0\11\0\0\320\5\0\0\340\1\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0`\11\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\320\5\0\20\1\0\0\0\220\3\0\260\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\321\5\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.tex", 4096, ) \202\300O\253\236\215\371S\364\26\360PE\0\0L\1\10\0!u\342E\0\0\0\0\0\0\0\0\340\0\3\1\13\1\10\0\0\320\1\0\0\260\0\0\0\0\0\0\0\0\11\0\0\320\5\0\0\340\1\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0`\11\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\320\5\0\20\1\0\0\0\220\3\0\260\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\321\5\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.tex", 4096, ) == 0x0
 01545   476   NtReadVirtualMemory  (160, 0x439000, 256, ...  (160, 0x439000, 256, ... "\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\30\0\0\0\30\0\0\200\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\1\0\0\00\0\0\200\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\11\4\0\0H\0\0\0X\220\3\0V\0\0\0\344\4\0\0\0\0\0\0\15\12PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING", 256, ) urn:schemas-microsoft-com:asm.v1 (160, 0x439000, 256, ... "\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\30\0\0\0\30\0\0\200\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\1\0\0\00\0\0\200\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\11\4\0\0H\0\0\0X\220\3\0V\0\0\0\344\4\0\0\0\0\0\0\15\12PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING", 256, ) 1.0 (160, 0x439000, 256, ... "\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\30\0\0\0\30\0\0\200\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\1\0\0\00\0\0\200\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\11\4\0\0H\0\0\0X\220\3\0V\0\0\0\344\4\0\0\0\0\0\0\15\12PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING", 256, ) , 256, ) == 0x0
 01546   476   NtReadVirtualMemory  (160, 0x439018, 24, ...  (160, 0x439018, 24, ... "\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\1\0\0\00\0\0\200", 24, ) , 24, ) == 0x0
 01547   476   NtReadVirtualMemory  (160, 0x439030, 24, ...  (160, 0x439030, 24, ... "\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\11\4\0\0H\0\0\0", 24, ) , 24, ) == 0x0
 01548   476   NtReadVirtualMemory  (160, 0x439048, 16, ...  (160, 0x439048, 16, ... "X\220\3\0V\0\0\0\344\4\0\0\0\0\0\0", 16, ) , 16, ) == 0x0
 01549   476   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\eupsvc.exe.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01550   476   NtQueryInformationProcess  (160, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=888,ParentPid=464,}, 0x0, ) == 0x0
 01551   476   NtAllocateVirtualMemory  (-1, 0, 0, 1716, 4096, 4, ... 10813440, 4096, ) == 0x0
 01552   476   NtAllocateVirtualMemory  (160, 0, 0, 1910, 4096, 4, ... 65536, 4096, ) == 0x0
 01553   476   NtWriteVirtualMemory  (160, 0x10000,  (160, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0
 01554   476   NtAllocateVirtualMemory  (160, 0, 0, 1716, 4096, 4, ... 131072, 4096, ) == 0x0
 01555   476   NtWriteVirtualMemory  (160, 0x20000,  (160, 0x20000, "\0\20\0\0\264\6\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0\10\2\220\2\0\0\0\0\0\0\374\0\376\0\230\4\0\0<\0>\0\230\5\0\0v\0x\0\330\5\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0<\0>\0P\6\0\0\36\0 \0\220\6\0\0\0\0\2\0\260\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1716, ... 0x0, ) , 1716, ... 0x0, ) == 0x0
 01556   476   NtWriteVirtualMemory  (160, 0x7ffdf010,  (160, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 01557   476   NtWriteVirtualMemory  (160, 0x7ffdf1e8,  (160, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 01558   476   NtFreeVirtualMemory  (-1, (0xa50000), 0, 32768, ... (0xa50000), 4096, ) == 0x0
 01559   476   NtAllocateVirtualMemory  (160, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0
 01560   476   NtAllocateVirtualMemory  (160, 1236992, 0, 8192, 4096, 4, ... 1236992, 8192, ) == 0x0
 01561   476   NtProtectVirtualMemory  (160, (0x12e000), 4096, 260, ... (0x12e000), 4096, 4, ) == 0x0
 01562   476   NtCreateThread  (0x1f03ff, 0x0, 160, 1239976, 1240696, 1, ... 164, {888, 892}, ) == 0x0
 01563   476   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 1378696, 1376256, 1396744, 1241796}  (24, {168, 196, new_msg, 0, 1378696, 1376256, 1396744, 1241796} "\210\6\32\1\0\0\1\0\2$\370w U\367w\243\0\0\0\244\0\0\0x\3\0\0|\3\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\215\26\365w\0\0\0\0\1\0\0\0\0\0\0\0\1\1\1\0<\0@\0\244\6\32\1p\0\0\0\240\0\0\0\0\0\0\0X\220C\0\0\0\0\0V\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0@\0\344\6\32\1\0\360\375\177\0\0\0\0\0\0\242\0\220\36\242\0" ... {168, 196, reply, 0, 464, 476, 1587, 0} "\320\231\26\0\0\0\1\0\0\0\0\0 U\367w\240\0\0\0\244\0\0\0x\3\0\0|\3\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\215\26\365w\0\0\0\0\1\0\0\0\0\0\0\0\1\1\1\0<\0@\0\244\6\32\1p\0\0\0\240\0\0\0\0\0\0\0X\220C\0\0\0\0\0V\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0@\0\344\6\32\1\0\360\375\177\0\0\0\0\0\0\242\0\220\36\242\0" )  ... {168, 196, reply, 0, 464, 476, 1587, 0}  (24, {168, 196, new_msg, 0, 1378696, 1376256, 1396744, 1241796} "\210\6\32\1\0\0\1\0\2$\370w U\367w\243\0\0\0\244\0\0\0x\3\0\0|\3\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\215\26\365w\0\0\0\0\1\0\0\0\0\0\0\0\1\1\1\0<\0@\0\244\6\32\1p\0\0\0\240\0\0\0\0\0\0\0X\220C\0\0\0\0\0V\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0@\0\344\6\32\1\0\360\375\177\0\0\0\0\0\0\242\0\220\36\242\0" ... {168, 196, reply, 0, 464, 476, 1587, 0} "\320\231\26\0\0\0\1\0\0\0\0\0 U\367w\240\0\0\0\244\0\0\0x\3\0\0|\3\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\215\26\365w\0\0\0\0\1\0\0\0\0\0\0\0\1\1\1\0<\0@\0\244\6\32\1p\0\0\0\240\0\0\0\0\0\0\0X\220C\0\0\0\0\0V\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0@\0\344\6\32\1\0\360\375\177\0\0\0\0\0\0\242\0\220\36\242\0" )  ) == 0x0
 01564   476   NtResumeThread  (164, ... 1, ) == 0x0
 01565   476   NtClose  (112, ... ) == 0x0
 01566   476   NtClose  (104, ... ) == 0x0
 01567   476   NtTerminateProcess  (0, 0, ... ) == 0x0
 01568   476   NtClose  (96, ... ) == 0x0
 01569   476   NtUnmapViewOfSection  (-1, 0x8f0000, ... ) == 0x0
 01570   476   NtClose  (100, ... ) == 0x0
 01571   476   NtClose  (80, ... ) == 0x0
 01572   476   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xa,}, 4, ... ) == 0x0
 01573   476   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc03b
 01574   476   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01575   476   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc03d
 01576   476   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01577   476   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc03f
 01578   476   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01579   476   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc041
 01580   476   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01581   476   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc043
 01582   476   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01583   476   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc045
 01584   476   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01585   476   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc047
 01586   476   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01587   476   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc049
 01588   476   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01589   476   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc04b
 01590   476   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01591   476   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc04d
 01592   476   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01593   476   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc04f
 01594   476   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01595   476   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc051
 01596   476   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01597   476   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc053
 01598   476   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01599   476   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc057
 01600   476   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01601   476   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc059
 01602   476   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01603   476   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc05b
 01604   476   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01605   476   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc05d
 01606   476   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01607   476   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc05f
 01608   476   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01609   476   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc017
 01610   476   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01611   476   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc019
 01612   476   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01613   476   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc018
 01614   476   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01615   476   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc01a
 01616   476   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01617   476   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc01c
 01618   476   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01619   476   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc01e
 01620   476   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01621   476   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc01b
 01622   476   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01623   476   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc068
 01624   476   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01625   476   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc06a
 01626   476   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01627   476   NtUnmapViewOfSection  (-1, 0x900000, ... ) == 0x0
 01628   476   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x4,}, 4, ... ) == 0x0
 01629   476   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x1,}, 4, ... ) == 0x0
 01630   476   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x2,}, 4, ... ) == 0x0
 01631   476   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x3,}, 4, ... ) == 0x0
 01632   476   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc03b
 01633   476   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01634   476   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc03d
 01635   476   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01636   476   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc03f
 01637   476   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01638   476   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc041
 01639   476   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01640   476   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc043
 01641   476   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01642   476   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc045
 01643   476   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01644   476   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc047
 01645   476   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01646   476   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc049
 01647   476   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01648   476   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc04b
 01649   476   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01650   476   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc04d
 01651   476   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01652   476   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc04f
 01653   476   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01654   476   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc051
 01655   476   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01656   476   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc053
 01657   476   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01658   476   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc057
 01659   476   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01660   476   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc059
 01661   476   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01662   476   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc05b
 01663   476   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01664   476   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc05d
 01665   476   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01666   476   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc05f
 01667   476   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01668   476   NtFreeVirtualMemory  (-1, (0xa40000), 4096, 32768, ... (0xa40000), 4096, ) == 0x0
 01669   476   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, -1, 4199054, 4310954, 4421244}  (24, {20, 48, new_msg, 0, -1, 4199054, 4310954, 4421244} "\0\0\0\0\3\0\1\0\320vC\0C:\W\0\0\0\0" ... {20, 48, reply, 0, 464, 476, 1595, 0} "\0\0\0\0\3\0\1\0\0\0\0\0C:\W\0\0\0\0" )  ... {20, 48, reply, 0, 464, 476, 1595, 0}  (24, {20, 48, new_msg, 0, -1, 4199054, 4310954, 4421244} "\0\0\0\0\3\0\1\0\320vC\0C:\W\0\0\0\0" ... {20, 48, reply, 0, 464, 476, 1595, 0} "\0\0\0\0\3\0\1\0\0\0\0\0C:\W\0\0\0\0" )  ) == 0x0
 01670   476   NtTerminateProcess  (-1, 0, ...
 01671   476   NtClose  (44, ... ) == 0x0
NtAddAtom(>)	1	NtUserGetThreadDesktop(>)	1	NtUserFindWindowEx(>)	4	NtUserRegisterWindowMessage(>)	19
NtAdjustPrivilegesToken(>)	1	NtAccessCheck(>)	2	NtWaitForSingleObject(>)	4	NtCreateSection(>)	20
NtCallbackReturn(>)	1	NtCreateIoCompletion(>)	2	NtDuplicateObject(>)	5	NtOpenProcessTokenEx(>)	25
NtCreateProcessEx(>)	1	NtCreateKey(>)	2	NtGdiGetStockObject(>)	5	NtOpenThreadTokenEx(>)	25
NtDuplicateToken(>)	1	NtCreateThread(>)	2	NtSetInformationFile(>)	5	NtOpenProcess(>)	26
NtEnumerateValueKey(>)	1	NtEnumerateKey(>)	2	NtWriteFile(>)	5	NtQueryAttributesFile(>)	27
NtGdiCreateBitmap(>)	1	NtGdiCreateSolidBrush(>)	2	NtFreeVirtualMemory(>)	6	NtQuerySystemInformation(>)	30
NtGdiInit(>)	1	NtOpenDirectoryObject(>)	2	NtOpenProcessToken(>)	6	NtQueryInformationToken(>)	31
NtGdiQueryFontAssocInfo(>)	1	NtOpenEvent(>)	2	NtQueryVolumeInformationFile(>)	6	NtReadVirtualMemory(>)	33
NtGdiSelectBitmap(>)	1	NtOpenSymbolicLinkObject(>)	2	NtCreateFile(>)	7	NtOpenFile(>)	35
NtNotifyChangeKey(>)	1	NtQueryInstallUILanguage(>)	2	NtSetInformationProcess(>)	7	NtQueryValueKey(>)	40
NtOpenKeyedEvent(>)	1	NtQuerySymbolicLinkObject(>)	2	NtQueryDefaultUILanguage(>)	8	NtUnmapViewOfSection(>)	40
NtQueryInformationJobObject(>)	1	NtRaiseException(>)	2	NtQuerySection(>)	8	NtUserUnregisterClass(>)	45
NtQueryObject(>)	1	NtResumeThread(>)	2	NtSetInformationThread(>)	8	NtOpenSection(>)	48
NtQueryPerformanceCounter(>)	1	NtTerminateProcess(>)	2	NtCreateEvent(>)	9	NtUserFindExistingCursorIcon(>)	48
NtQuerySystemTime(>)	1	NtCreateSemaphore(>)	3	NtRequestWaitReplyPort(>)	9	NtAllocateVirtualMemory(>)	56
NtReadFile(>)	1	NtGdiCreateCompatibleDC(>)	3	NtContinue(>)	10	NtWriteVirtualMemory(>)	61
NtRegisterThreadTerminatePort(>)	1	NtOpenMutant(>)	3	NtQueryDirectoryFile(>)	10	NtUserRegisterClassExWOW(>)	63
NtSecureConnectPort(>)	1	NtSetInformationObject(>)	3	NtUserSystemParametersInfo(>)	10	NtUserGetClassInfo(>)	82
NtSetSecurityObject(>)	1	NtFsControlFile(>)	4	NtFlushInstructionCache(>)	11	NtMapViewOfSection(>)	84
NtTestAlert(>)	1	NtOpenThreadToken(>)	4	NtQueryInformationFile(>)	13	NtProtectVirtualMemory(>)	99
NtUserCallNoParam(>)	1	NtQueryVirtualMemory(>)	4	NtQueryInformationProcess(>)	14	NtOpenKey(>)	108
NtUserCallOneParam(>)	1	NtReleaseMutant(>)	4	NtQueryDebugFilterState(>)	15	NtUserQueryWindow(>)	156
NtUserGetDC(>)	1	NtUserBuildHwndList(>)	4	NtQueryDefaultLocale(>)	15	NtClose(>)	201