Summary:


NtAccessCheck(>)  1 
NtUserGetThreadDesktop(>)  1 
NtSetInformationFile(>)  5 
NtQueryVirtualMemory(>)  15 

NtCallbackReturn(>)  1 
NtUserOpenWindowStation(>)  1 
NtUserBuildHwndList(>)  5 
NtDeviceIoControlFile(>)  16 

NtCreateProcessEx(>)  1 
NtUserSystemParametersInfo(>)  1 
NtWaitForSingleObject(>)  5 
NtRequestWaitReplyPort(>)  16 

NtCreateSemaphore(>)  1 
NtConnectPort(>)  2 
NtWriteVirtualMemory(>)  5 
NtOpenSection(>)  24 

NtCreateThread(>)  1 
NtCreateIoCompletion(>)  2 
NtContinue(>)  6 
NtQueryDirectoryFile(>)  24 

NtDuplicateToken(>)  1 
NtGdiCreateSolidBrush(>)  2 
NtOpenProcessToken(>)  6 
NtSetInformationProcess(>)  25 

NtGdiCreateBitmap(>)  1 
NtGdiHfontCreate(>)  2 
NtQueryDefaultUILanguage(>)  6 
NtOpenProcessTokenEx(>)  28 

NtGdiCreatePatternBrushInternal(>)  1 
NtQueryInformationJobObject(>)  2 
NtUserGetProcessWindowStation(>)  6 
NtOpenThreadTokenEx(>)  28 

NtGdiInit(>)  1 
NtReleaseMutant(>)  2 
NtWaitForMultipleObjects(>)  6 
NtCreateSection(>)  29 

NtGdiQueryFontAssocInfo(>)  1 
NtTerminateProcess(>)  2 
NtFsControlFile(>)  7 
NtQueryInformationToken(>)  37 

NtGdiSelectBitmap(>)  1 
NtUserCloseWindowStation(>)  2 
NtOpenThreadToken(>)  7 
NtOpenFile(>)  41 

NtOpenEvent(>)  1 
NtUserGetObjectInformation(>)  2 
NtQueryInformationFile(>)  7 
NtQueryInformationProcess(>)  44 

NtOpenKeyedEvent(>)  1 
NtGdiCreateCompatibleDC(>)  3 
NtEnumerateKey(>)  8 
NtQueryDefaultLocale(>)  48 

NtOpenMutant(>)  1 
NtGdiDeleteObjectApp(>)  3 
NtSetValueKey(>)  8 
NtUnmapViewOfSection(>)  48 

NtQueryDebugFilterState(>)  1 
NtOpenDirectoryObject(>)  3 
NtUserCallNoParam(>)  9 
NtAllocateVirtualMemory(>)  51 

NtQueryInstallUILanguage(>)  1 
NtOpenSymbolicLinkObject(>)  3 
NtUserFindExistingCursorIcon(>)  9 
NtQueryAttributesFile(>)  54 

NtQueryObject(>)  1 
NtQuerySymbolicLinkObject(>)  3 
NtUserGetWindowDC(>)  10 
NtFlushInstructionCache(>)  65 

NtQueryPerformanceCounter(>)  1 
NtReadVirtualMemory(>)  3 
NtCreateKey(>)  11 
NtMapViewOfSection(>)  69 

NtQuerySystemTime(>)  1 
NtSetEvent(>)  3 
NtFreeVirtualMemory(>)  11 
NtQuerySystemInformation(>)  76 

NtRegisterThreadTerminatePort(>)  1 
NtSetInformationObject(>)  3 
NtUserCallOneParam(>)  11 
NtQueryValueKey(>)  105 

NtResumeThread(>)  1 
NtUserOpenDesktop(>)  3 
NtWriteFile(>)  11 
NtUserValidateHandleSecure(>)  130 

NtSecureConnectPort(>)  1 
NtCreateMutant(>)  4 
NtQuerySection(>)  12 
NtOpenKey(>)  153 

NtTestAlert(>)  1 
NtDuplicateObject(>)  4 
NtSetInformationThread(>)  13 
NtProtectVirtualMemory(>)  156 

NtUserBuildNameList(>)  1 
NtQueryVolumeInformationFile(>)  4 
NtCreateEvent(>)  14 
NtUserQueryWindow(>)  158 

NtUserCloseDesktop(>)  1 
NtGdiGetStockObject(>)  5 
NtCreateFile(>)  14 
NtClose(>)  240 

NtUserGetGUIThreadInfo(>)  1 
NtReadFile(>)  5 
NtUserRegisterClassExWOW(>)  14 

Trace:
 00001  1756   NtOpenFile  (0x80100000, {24, 0, 0x240, 0, 0,  (0x80100000, {24, 0, 0x240, 0, 0, "\SystemRoot\Prefetch\PACKED.EXE-09ED06A1.pf"}, 0, 32, ... ) }, 0, 32, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002  1756   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00003  1756   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00004  1756   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00005  1756   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0
 00006  1756   NtAllocateVirtualMemory  (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0
 00007  1756   NtAllocateVirtualMemory  (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0
 00008  1756   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00009  1756   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0
 00010  1756   NtAllocateVirtualMemory  (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0
 00011  1756   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00012  1756   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00013  1756   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00014  1756   NtClose  (12, ... ) == 0x0
 00015  1756   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\C:\scripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00016  1756   NtQueryVolumeInformationFile  (12, 1243852, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00017  1756   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243804, ... ) }, 1243804, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018  1756   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019  1756   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7c800000), 0x0, 1003520, ) == 0x0
 00020  1756   NtClose  (16, ... ) == 0x0
 00021  1756   NtProtectVirtualMemory  (-1, (0x7c801000), 1568, 4, ... (0x7c801000), 4096, 32, ) == 0x0
 00022  1756   NtProtectVirtualMemory  (-1, (0x7c801000), 4096, 32, ... (0x7c801000), 4096, 4, ) == 0x0
 00023  1756   NtFlushInstructionCache  (-1, 2088767488, 1568, ... ) == 0x0
 00024  1756   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00025  1756   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00026  1756   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00027  1756   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00028  1756   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) == 0x0
 00029  1756   NtClose  (16, ... ) == 0x0
 00030  1756   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00031  1756   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00032  1756   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00033  1756   NtQueryVirtualMemory  (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00034  1756   NtAllocateVirtualMemory  (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0
 00035  1756   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184}  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6\31\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 1580, 1756, 57953, 0} "`\375\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ... {28, 56, reply, 0, 1580, 1756, 57953, 0}  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6\31\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 1580, 1756, 57953, 0} "`\375\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ) == 0x0
 00036  1756   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00037  1756   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00038  1756   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00039  1756   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00040  1756   NtClose  (16, ... ) == 0x0
 00041  1756   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 16, ) }, ... 16, ) == 0x0
 00042  1756   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0
 00043  1756   NtClose  (16, ... ) == 0x0
 00044  1756   NtQueryDefaultLocale  (0, 2089305000, ... ) == 0x0
 00045  1756   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 16, ) }, ... 16, ) == 0x0
 00046  1756   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 249856, ) == 0x0
 00047  1756   NtClose  (16, ... ) == 0x0
 00048  1756   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 16, ) }, ... 16, ) == 0x0
 00049  1756   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0
 00050  1756   NtQuerySection  (16, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00051  1756   NtClose  (16, ... ) == 0x0
 00052  1756   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 16, ) }, ... 16, ) == 0x0
 00053  1756   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0
 00054  1756   NtClose  (16, ... ) == 0x0
 00055  1756   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00056  1756   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00057  1756   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00058  1756   NtAllocateVirtualMemory  (-1, 2428928, 0, 8192, 4096, 4, ... 2428928, 8192, ) == 0x0
 00059  1756   NtRequestWaitReplyPort  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776}  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6\31\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" ... {24, 52, reply, 0, 1580, 1756, 57954, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" )  ... {24, 52, reply, 0, 1580, 1756, 57954, 0}  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6\31\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" ... {24, 52, reply, 0, 1580, 1756, 57954, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" )  ) == 0x0
 00060  1756   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0}  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 1580, 1756, 57955, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ... {28, 56, reply, 0, 1580, 1756, 57955, 0}  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 1580, 1756, 57955, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ) == 0x0
 00061  1756   NtProtectVirtualMemory  (-1, (0x47c000), 155648, 4, ... (0x47c000), 155648, 128, ) == 0x0
 00062  1756   NtProtectVirtualMemory  (-1, (0x47c000), 155648, 128, ... (0x47c000), 155648, 4, ) == 0x0
 00063  1756   NtFlushInstructionCache  (-1, 4702208, 155648, ... ) == 0x0
 00064  1756   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2_32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00065  1756   NtAllocateVirtualMemory  (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0
 00066  1756   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.DLL"}, 1242572, ... ) }, 1242572, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00067  1756   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 00068  1756   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.DLL"}, 1242572, ... ) }, 1242572, ... ) == 0x0
 00069  1756   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.DLL"}, 5, 96, ... 16, {status=0x0, info=1}, ) }, 5, 96, ... 16, {status=0x0, info=1}, ) == 0x0
 00070  1756   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 16, ... 28, ) == 0x0
 00071  1756   NtQuerySection  (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00072  1756   NtOpenProcessToken  (-1, 0x8, ... 32, ) == 0x0
 00073  1756   NtQueryInformationToken  (32, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00074  1756   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00075  1756   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 36, ) }, ... 36, ) == 0x0
 00076  1756   NtQueryValueKey  (36,  (36, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (36, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00077  1756   NtClose  (36, ... ) == 0x0
 00078  1756   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00079  1756   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 36, ) == 0x0
 00080  1756   NtQueryInformationToken  (36, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00081  1756   NtClose  (36, ... ) == 0x0
 00082  1756   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00083  1756   NtClose  (32, ... ) == 0x0
 00084  1756   NtClose  (16, ... ) == 0x0
 00085  1756   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 94208, ) == 0x0
 00086  1756   NtClose  (28, ... ) == 0x0
 00087  1756   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00088  1756   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 360448, ) == 0x0
 00089  1756   NtClose  (28, ... ) == 0x0
 00090  1756   NtProtectVirtualMemory  (-1, (0x77c11000), 632, 4, ... (0x77c11000), 4096, 32, ) == 0x0
 00091  1756   NtProtectVirtualMemory  (-1, (0x77c11000), 4096, 32, ... (0x77c11000), 4096, 4, ) == 0x0
 00092  1756   NtFlushInstructionCache  (-1, 2009141248, 632, ... ) == 0x0
 00093  1756   NtProtectVirtualMemory  (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0
 00094  1756   NtProtectVirtualMemory  (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0
 00095  1756   NtFlushInstructionCache  (-1, 1907036160, 468, ... ) == 0x0
 00096  1756   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00097  1756   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1241756, ... ) }, 1241756, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00098  1756   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 1241756, ... ) }, 1241756, ... ) == 0x0
 00099  1756   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00100  1756   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 28, ... 16, ) == 0x0
 00101  1756   NtQuerySection  (16, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00102  1756   NtClose  (28, ... ) == 0x0
 00103  1756   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00104  1756   NtClose  (16, ... ) == 0x0
 00105  1756   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00106  1756   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 634880, ) == 0x0
 00107  1756   NtClose  (16, ... ) == 0x0
 00108  1756   NtProtectVirtualMemory  (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0
 00109  1756   NtProtectVirtualMemory  (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0
 00110  1756   NtFlushInstructionCache  (-1, 2010976256, 1700, ... ) == 0x0
 00111  1756   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00112  1756   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e70000), 0x0, 593920, ) == 0x0
 00113  1756   NtClose  (16, ... ) == 0x0
 00114  1756   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00115  1756   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00116  1756   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00117  1756   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00118  1756   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00119  1756   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00120  1756   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00121  1756   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00122  1756   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00123  1756   NtProtectVirtualMemory  (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0
 00124  1756   NtProtectVirtualMemory  (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0
 00125  1756   NtFlushInstructionCache  (-1, 2010976256, 1700, ... ) == 0x0
 00126  1756   NtProtectVirtualMemory  (-1, (0x71aa1000), 352, 4, ... (0x71aa1000), 4096, 32, ) == 0x0
 00127  1756   NtProtectVirtualMemory  (-1, (0x71aa1000), 4096, 32, ... (0x71aa1000), 4096, 4, ) == 0x0
 00128  1756   NtFlushInstructionCache  (-1, 1906970624, 352, ... ) == 0x0
 00129  1756   NtProtectVirtualMemory  (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0
 00130  1756   NtProtectVirtualMemory  (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0
 00131  1756   NtFlushInstructionCache  (-1, 1907036160, 468, ... ) == 0x0
 00132  1756   NtProtectVirtualMemory  (-1, (0x47c000), 155648, 4, ... (0x47c000), 155648, 64, ) == 0x0
 00133  1756   NtProtectVirtualMemory  (-1, (0x47c000), 155648, 64, ... (0x47c000), 155648, 4, ) == 0x0
 00134  1756   NtFlushInstructionCache  (-1, 4702208, 155648, ... ) == 0x0
 00135  1756   NtQueryInformationProcess  (-1, 37, 48, ... {process info, class 37, size 48}, 0x0, ) == 0x0
 00136  1756   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 5, 96, ... 16, {status=0x0, info=1}, ) }, 5, 96, ... 16, {status=0x0, info=1}, ) == 0x0
 00137  1756   NtReadFile  (16, 0, 0, 0, 4, {175700, 0}, 0, ... {status=0x0, info=4},  (16, 0, 0, 0, 4, {175700, 0}, 0, ... {status=0x0, info=4}, "\300 \0\0", ) , ) == 0x0
 00138  1756   NtReadFile  (16, 0, 0, 0, 8, {8380, 0}, 0, ... {status=0x0, info=8},  (16, 0, 0, 0, 8, {8380, 0}, 0, ... {status=0x0, info=8}, "\320J\233Dhs5\223", ) , ) == 0x0
 00139  1756   NtReadFile  (16, 0, 0, 0, 8, {167308, 0}, 0, ... {status=0x0, info=8},  (16, 0, 0, 0, 8, {167308, 0}, 0, ... {status=0x0, info=8}, "\3323\237\251)\350\374\25", ) , ) == 0x0
 00140  1756   NtClose  (16, ... ) == 0x0
 00141  1756   NtSetInformationProcess  (-1, 34, {process info, class 34, size 4}, 4, ... ) == 0x0
 00142  1756   NtOpenProcessToken  (-1, 0x8, ... 16, ) == 0x0
 00143  1756   NtQueryInformationToken  (16, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00144  1756   NtClose  (16, ... ) == 0x0
 00145  1756   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00146  1756   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00147  1756   NtClose  (16, ... ) == 0x0
 00148  1756   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msvcrt.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00149  1756   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00150  1756   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3276800, 65536, ) == 0x0
 00151  1756   NtAllocateVirtualMemory  (-1, 3276800, 0, 4096, 4096, 4, ... 3276800, 4096, ) == 0x0
 00152  1756   NtAllocateVirtualMemory  (-1, 3280896, 0, 8192, 4096, 4, ... 3280896, 8192, ) == 0x0
 00153  1756   NtAllocateVirtualMemory  (-1, 3289088, 0, 4096, 4096, 4, ... 3289088, 4096, ) == 0x0
 00154  1756   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 16, ) }, ... 16, ) == 0x0
 00155  1756   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x330000), 0x0, 12288, ) == 0x0
 00156  1756   NtClose  (16, ... ) == 0x0
 00157  1756   NtAllocateVirtualMemory  (-1, 3293184, 0, 4096, 4096, 4, ... 3293184, 4096, ) == 0x0
 00158  1756   NtQueryVirtualMemory  (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 00159  1756   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00160  1756   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00161  1756   NtQueryVirtualMemory  (-1, 0x0, Basic, 28, ... {BaseAddress=0x0,AllocationBase=0x0,AllocationProtect=0x0,RegionSize=0x10000,State=0x10000,Protect=0x1,Type=0x0,}, 28, ) == 0x0
 00162  1756   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00163  1756   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADVAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00164  1756   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00165  1756   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00166  1756   NtQueryValueKey  (16,  (16, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00167  1756   NtClose  (16, ... ) == 0x0
 00168  1756   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 16, ) }, ... 16, ) == 0x0
 00169  1756   NtQueryValueKey  (16,  (16, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00170  1756   NtClose  (16, ... ) == 0x0
 00171  1756   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 16, ) }, ... 16, ) == 0x0
 00172  1756   NtSetInformationObject  (16, Handle, {Inherit=0,ProtectFromClose=1,}, 2011431168, ... ) == 0x0
 00173  1756   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00174  1756   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00175  1756   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2_32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00176  1756   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00177  1756   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00178  1756   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00179  1756   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00180  1756   NtTestAlert  (... ) == 0x0
 00181  1756   NtContinue  (1244464, 1, ...
 00182  1756   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x47c17a,}, 4, ... ) == 0x0
 00183  1756   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 4096, 64, ... 3407872, 4096, ) == 0x0
 00184  1756   NtAllocateVirtualMemory  (-1, 0, 0, 15980, 4096, 4, ... 3473408, 16384, ) == 0x0
 00185  1756   NtFreeVirtualMemory  (-1, (0x350000), 0, 32768, ... (0x350000), 16384, ) == 0x0
 00186  1756   NtFreeVirtualMemory  (-1, (0x340000), 0, 32768, ... (0x340000), 4096, ) == 0x0
 00187  1756   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 28, ) }, ... 28, ) == 0x0
 00188  1756   NtQueryValueKey  (28,  (28, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00189  1756   NtClose  (28, ... ) == 0x0
 00190  1756   NtAllocateVirtualMemory  (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0
 00191  1756   NtProtectVirtualMemory  (-1, (0x40e860), -1662053999, -238816909, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00192  1756   NtProtectVirtualMemory  (-1, (0x3fff02), -1920137235, -2091057152, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00193  1756   NtProtectVirtualMemory  (-1, (0x141c600), 148100, 251738496, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00194  1756   NtProtectVirtualMemory  (-1, (0xfed68589), -362, -2060728949, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00195  1756   NtProtectVirtualMemory  (-1, (0xff4ab58d), -314, -2063466497, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00196  1756   NtProtectVirtualMemory  (-1, (0x500068), 1080710741, 100794367, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00197  1756   NtProtectVirtualMemory  (-1, (0xff6e95ff), 6946816, 268462080, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00198  1756   NtProtectVirtualMemory  (-1, (0x85c90000), 57246735, -1064960001, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00199  1756   NtProtectVirtualMemory  (-1, (0x67f95b00), 232, -322, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00200  1756   NtProtectVirtualMemory  (-1, (0x4002b0), -397192999, 50331651, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00201  1756   NtProtectVirtualMemory  (-1, (0x3ffe86), -1123811957, 915103070, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00202  1756   NtProtectVirtualMemory  (-1, (0xf904c7), -2096466688, 1065607051, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00203  1756   NtProtectVirtualMemory  (-1, (0x3b430000), 112918, -352321536, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00204  1756   NtProtectVirtualMemory  (-1, (0x33cb1301), 880017467, -2096839805, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00205  1756   NtProtectVirtualMemory  (-1, (0x3fff32), -1241558191, 1459911427, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00206  1756   NtProtectVirtualMemory  (-1, (0x85cbcf8b), -695468033, -13715969, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00207  1756   NtProtectVirtualMemory  (-1, (0x5c10ff00), 371205, -322, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00208  1756   NtProtectVirtualMemory  (-1, (0xc82b08c3), -2096794624, -108830887, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00209  1756   NtProtectVirtualMemory  (-1, (0x3ebeb5), -16750080, 8388712, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00210  1756   NtProtectVirtualMemory  (-1, (0x3ec6b5), -1912602625, 848691199, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00211  1756   NtProtectVirtualMemory  (-1, (0x843e8b36), -1961863539, 139365375, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00212  1756   NtProtectVirtualMemory  (-1, (0x77413ce8), 742852490, 1064567033, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00213  1756   NtProtectVirtualMemory  (-1, (0x385a8a14), 1946157434, -2146989065, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00214  1756   NtProtectVirtualMemory  (-1, (0xc10108e8), -1050278817, -1964411617, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00215  1756   NtProtectVirtualMemory  (-1, (0xc101c486), 73370122, -339442160, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00216  1756   NtAllocateVirtualMemory  (-1, 0, 0, 118784, 4096, 4, ... 3407872, 118784, ) == 0x0
 00217  1756   NtAllocateVirtualMemory  (-1, 0, 0, 118784, 4096, 4, ... 3538944, 118784, ) == 0x0
 00218  1756   NtFreeVirtualMemory  (-1, (0x340000), 0, 32768, ... (0x340000), 118784, ) == 0x0
 00219  1756   NtAllocateVirtualMemory  (-1, 0, 0, 1350, 4096, 4, ... 3407872, 4096, ) == 0x0
 00220  1756   NtFreeVirtualMemory  (-1, (0x340000), 0, 32768, ... (0x340000), 4096, ) == 0x0
 00221  1756   NtAllocateVirtualMemory  (-1, 0, 0, 79872, 4096, 4, ... 3407872, 81920, ) == 0x0
 00222  1756   NtFreeVirtualMemory  (-1, (0x340000), 0, 32768, ... (0x340000), 81920, ) == 0x0
 00223  1756   NtAllocateVirtualMemory  (-1, 0, 0, 2048, 4096, 4, ... 3407872, 4096, ) == 0x0
 00224  1756   NtFreeVirtualMemory  (-1, (0x340000), 0, 32768, ... (0x340000), 4096, ) == 0x0
 00225  1756   NtAllocateVirtualMemory  (-1, 0, 0, 2560, 4096, 4, ... 3407872, 4096, ) == 0x0
 00226  1756   NtFreeVirtualMemory  (-1, (0x340000), 0, 32768, ... (0x340000), 4096, ) == 0x0
 00227  1756   NtAllocateVirtualMemory  (-1, 0, 0, 5120, 4096, 4, ... 3407872, 8192, ) == 0x0
 00228  1756   NtFreeVirtualMemory  (-1, (0x340000), 0, 32768, ... (0x340000), 8192, ) == 0x0
 00229  1756   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "user32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00230  1756   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7e410000), 0x0, 589824, ) == 0x0
 00231  1756   NtClose  (28, ... ) == 0x0
 00232  1756   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00233  1756   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f10000), 0x0, 290816, ) == 0x0
 00234  1756   NtClose  (28, ... ) == 0x0
 00235  1756   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00236  1756   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00237  1756   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00238  1756   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00239  1756   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00240  1756   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00241  1756   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00242  1756   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00243  1756   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00244  1756   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00245  1756   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00246  1756   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00247  1756   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00248  1756   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00249  1756   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00250  1756   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00251  1756   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00252  1756   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00253  1756   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00254  1756   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\user32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00255  1756   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00256  1756   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2089900645, 7274606, 2090320576, 1241608}  (24, {28, 56, new_msg, 0, 2089900645, 7274606, 2090320576, 1241608} "\210\6\31\1\0\0\0\0\344\0\23\0\4\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 1580, 1756, 57965, 0} "\320G\26\0\0\0\0\0\0\0\0\0\4\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" )  ... {28, 56, reply, 0, 1580, 1756, 57965, 0}  (24, {28, 56, new_msg, 0, 2089900645, 7274606, 2090320576, 1241608} "\210\6\31\1\0\0\0\0\344\0\23\0\4\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 1580, 1756, 57965, 0} "\320G\26\0\0\0\0\0\0\0\0\0\4\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" )  ) == 0x0
 00257  1756   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239000, ... ) }, 1239000, ... ) == 0x0
 00258  1756   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00259  1756   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 28, ... 32, ) == 0x0
 00260  1756   NtClose  (28, ... ) == 0x0
 00261  1756   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x340000), 0x0, 110592, ) == 0x0
 00262  1756   NtClose  (32, ... ) == 0x0
 00263  1756   NtUnmapViewOfSection  (-1, 0x340000, ... ) == 0x0
 00264  1756   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1238908, ... ) }, 1238908, ... ) == 0x0
 00265  1756   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 32, {status=0x0, info=1}, ) }, 5, 96, ... 32, {status=0x0, info=1}, ) == 0x0
 00266  1756   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 32, ... 28, ) == 0x0
 00267  1756   NtClose  (32, ... ) == 0x0
 00268  1756   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x340000), 0x0, 110592, ) == 0x0
 00269  1756   NtClose  (28, ... ) == 0x0
 00270  1756   NtUnmapViewOfSection  (-1, 0x340000, ... ) == 0x0
 00271  1756   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239216, ... ) }, 1239216, ... ) == 0x0
 00272  1756   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00273  1756   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 28, ... 32, ) == 0x0
 00274  1756   NtQuerySection  (32, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00275  1756   NtClose  (28, ... ) == 0x0
 00276  1756   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76390000), 0x0, 118784, ) == 0x0
 00277  1756   NtClose  (32, ... ) == 0x0
 00278  1756   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00279  1756   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00280  1756   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00281  1756   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00282  1756   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00283  1756   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00284  1756   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00285  1756   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00286  1756   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00287  1756   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMM32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00288  1756   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00289  1756   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00290  1756   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1236132, ... ) }, 1236132, ... ) == 0x0
 00291  1756   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239536, ... ) }, 1239536, ... ) == 0x0
 00292  1756   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00293  1756   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize"}, ... 32, ) }, ... 32, ) == 0x0
 00294  1756   NtQueryValueKey  (32,  (32, "DisableMetaFiles", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00295  1756   NtClose  (32, ... ) == 0x0
 00296  1756   NtMapViewOfSection  (-2147482580, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x580000), 0x0, 1060864, ) == 0x0
 00297  1756   NtClose  (-2147482580, ... ) == 0x0
 00298  1756   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 32, ) == 0x0
 00299  1756   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00300  1756   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482580, ) == 0x0
 00301  1756   NtQueryInformationToken  (-2147482580, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00302  1756   NtQueryInformationToken  (-2147482580, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00303  1756   NtClose  (-2147482580, ... ) == 0x0
 00304  1756   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 3407872, 4096, ) == 0x0
 00305  1756   NtFreeVirtualMemory  (-1, (0x340000), 4096, 32768, ... (0x340000), 4096, ) == 0x0
 00306  1756   NtDuplicateObject  (-1, 28, -1, 0x0, 0, 2, ... 40, ) == 0x0
 00307  1756   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482580, ) }, ... -2147482580, ) == 0x0
 00308  1756   NtQueryValueKey  (-2147482580,  (-2147482580, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00309  1756   NtClose  (-2147482580, ... ) == 0x0
 00310  1756   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482580, ) }, ... -2147482580, ) == 0x0
 00311  1756   NtQueryValueKey  (-2147482580,  (-2147482580, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00312  1756   NtClose  (-2147482580, ... ) == 0x0
 00313  1756   NtQueryDefaultLocale  (0, -106645172, ... ) == 0x0
 00314  1756   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00315  1756   NtUserCallNoParam  (24, ... ) == 0x0
 00316  1756   NtGdiCreateCompatibleDC  (0, ...
 00317  1756   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 3407872, 4096, ) == 0x0
 00316  1756   NtGdiCreateCompatibleDC  ... ) == 0xee0105b0
 00318  1756   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00319  1756   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00320  1756   NtGdiCreateBitmap  (8, 8, 1, 1, 2118200212, ... ) == 0x76050581
 00321  1756   NtGdiCreateSolidBrush  (0, 0, ...
 00322  1756   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 3473408, 4096, ) == 0x0
 00321  1756   NtGdiCreateSolidBrush  ... ) == 0xa51003d2
 00323  1756   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00324  1756   NtGdiCreateCompatibleDC  (0, ... ) == 0x5201039b
 00325  1756   NtGdiSelectBitmap  (1375798171, 1980040577, ... ) == 0x185000f
 00326  1756   NtUserGetThreadDesktop  (1756, 0, ... ) == 0x24
 00327  1756   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 44, ) }, ... 44, ) == 0x0
 00328  1756   NtQueryValueKey  (44,  (44, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (44, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00329  1756   NtClose  (44, ... ) == 0x0
 00330  1756   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00331  1756   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 673, 128, 0, ... ) == 0x81aec017
 00332  1756   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00333  1756   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 674, 128, 0, ... ) == 0x81aec01c
 00334  1756   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00335  1756   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 675, 128, 0, ... ) == 0x81aec01e
 00336  1756   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00337  1756   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 676, 128, 0, ... ) == 0x81ae8002
 00338  1756   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10013
 00339  1756   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 677, 128, 0, ... ) == 0x81aec018
 00340  1756   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00341  1756   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 678, 128, 0, ... ) == 0x81aec01a
 00342  1756   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00343  1756   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 679, 128, 0, ... ) == 0x81aec01d
 00344  1756   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00345  1756   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 681, 128, 0, ... ) == 0x81aec026
 00346  1756   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00347  1756   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 680, 128, 0, ... ) == 0x81aec019
 00348  1756   NtUserRegisterClassExWOW  (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x81aec020
 00349  1756   NtUserRegisterClassExWOW  (1240932, 1241028, 1241012, 1241000, 0, 130, 0, ... ) == 0x81aec022
 00350  1756   NtUserRegisterClassExWOW  (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x81aec023
 00351  1756   NtUserRegisterClassExWOW  (1240932, 1241028, 1241012, 1241000, 0, 130, 0, ... ) == 0x81aec024
 00352  1756   NtUserRegisterClassExWOW  (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x81aec025
 00353  1756   NtCallbackReturn  (0, 0, 0, ...
 00354  1756   NtGdiInit  (... ) == 0x1
 00355  1756   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00356  1756   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00357  1756   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ole32.dll"}, ... 44, ) }, ... 44, ) == 0x0
 00358  1756   NtMapViewOfSection  (44, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x774e0000), 0x0, 1298432, ) == 0x0
 00359  1756   NtClose  (44, ... ) == 0x0
 00360  1756   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00361  1756   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00362  1756   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00363  1756   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00364  1756   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00365  1756   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00366  1756   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00367  1756   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00368  1756   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00369  1756   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00370  1756   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00371  1756   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00372  1756   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00373  1756   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00374  1756   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00375  1756   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00376  1756   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00377  1756   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00378  1756   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00379  1756   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00380  1756   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00381  1756   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ole32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00382  1756   NtAllocateVirtualMemory  (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0
 00383  1756   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... 44, {status=0x0, info=0}, ) }, 7, 16, ... 44, {status=0x0, info=0}, ) == 0x0
 00384  1756   NtDeviceIoControlFile  (44, 0, 0x0, 0x0, 0x390008,  (44, 0, 0x0, 0x0, 0x390008, "\31U\235\236{.\307\321\0\336D\352\237+\205 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00385  1756   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00386  1756   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00387  1756   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00388  1756   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00389  1756   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00390  1756   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00391  1756   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00392  1756   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482580, 2, ) }, 0, 0x0, 0, ... -2147482580, 2, ) == 0x0
 00393  1756   NtSetValueKey  (-2147482580,  (-2147482580, "Seed", 0, 3, "\343\14Y\36\23|\262BEf\214\301:\3034\333\264,\354\352\35\32(g\277\354^\345\264"\340?\362\345+\265\2\366\305\240\203\225j\214V\241\371\205\313\32_\354\20\353Bua\237\370M\305\17=\10F\324`\204\263\262\227\312P\261\345\356\254\364", 80, ... ) , 0, 3,  (-2147482580, "Seed", 0, 3, "\343\14Y\36\23|\262BEf\214\301:\3034\333\264,\354\352\35\32(g\277\354^\345\264"\340?\362\345+\265\2\366\305\240\203\225j\214V\241\371\205\313\32_\354\20\353Bua\237\370M\305\17=\10F\324`\204\263\262\227\312P\261\345\356\254\364", 80, ... ) \340?\362\345+\265\2\366\305\240\203\225j\214V\241\371\205\313\32_\354\20\353Bua\237\370M\305\17=\10F\324`\204\263\262\227\312P\261\345\356\254\364", 80, ... ) == 0x0
 00394  1756   NtClose  (-2147482580, ... ) == 0x0
 00384  1756   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "kUa\2l\340\356R\245\217bs\221'\244\33\0X8\277{\207\202uE\225\343\346\12\34?\351`M1\210\233\261O\240\32\270\21ko\1\6\372\330\210\241\21\226\253q\346i\262\243\346S\314\333F\7d\310(\217\367g\270~\0\33\350i\207K\223\276\334Y\355\177^\212c\2432M\350\257:\36g\304v\330\363\2475v\262\321\301\250\313\337\222\267i\224u\206\300 \277\301\327\334\313\3611\213\15ht\211\221\35\332T\274\14\206R\252\371\3470\265f\235\6\211\\36\267\221_\241\257\327S\332\275x\2061\241\213_\27E/%\377\351\256\203\307'\25\204\3224&\224\36T\1}C\202!\310\307\323\367yEI\260\230`B\271\325\243\363\262Lp\377\1n\204\224z\212\242\230\262N\237m\334 \20\352N?\277\321\223\367\202E8:\16\214HbV\316\2411s$\261Q(\17~%cpU\317\207\277\307\250\352", ) , ) == 0x0
 00395  1756   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00396  1756   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00397  1756   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 48, ) }, ... 48, ) == 0x0
 00398  1756   NtQueryValueKey  (48,  (48, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (48, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0
 00399  1756   NtClose  (48, ... ) == 0x0
 00400  1756   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Ole"}, ... 48, ) }, ... 48, ) == 0x0
 00401  1756   NtQueryValueKey  (48,  (48, "RWLockResourceTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00402  1756   NtClose  (48, ... ) == 0x0
 00403  1756   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00404  1756   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00405  1756   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00406  1756   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00407  1756   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 48, ) }, ... 48, ) == 0x0
 00408  1756   NtQueryValueKey  (48,  (48, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00409  1756   NtQueryValueKey  (48,  (48, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00410  1756   NtQueryValueKey  (48,  (48, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00411  1756   NtClose  (48, ... ) == 0x0
 00412  1756   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 48, ) }, ... 48, ) == 0x0
 00413  1756   NtQueryValueKey  (48,  (48, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00414  1756   NtQueryValueKey  (48,  (48, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00415  1756   NtClose  (48, ... ) == 0x0
 00416  1756   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 48, ) }, ... 48, ) == 0x0
 00417  1756   NtOpenEvent  (0x1f0003, {24, 48, 0x0, 0, 0,  (0x1f0003, {24, 48, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00418  1756   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00419  1756   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 52, ) == 0x0
 00420  1756   NtQueryInformationToken  (52, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00421  1756   NtClose  (52, ... ) == 0x0
 00422  1756   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 52, ) }, ... 52, ) == 0x0
 00423  1756   NtSetInformationObject  (52, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 00424  1756   NtOpenKey  (0xf003f, {24, 52, 0x40, 0, 0,  (0xf003f, {24, 52, 0x40, 0, 0, "Software\Borland\Locales"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00425  1756   NtOpenKey  (0xf003f, {24, 52, 0x40, 0, 0,  (0xf003f, {24, 52, 0x40, 0, 0, "Software\Borland\Delphi\Locales"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00426  1756   NtOpenProcessToken  (-1, 0x8, ... 56, ) == 0x0
 00427  1756   NtQueryInformationToken  (56, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00428  1756   NtClose  (56, ... ) == 0x0
 00429  1756   NtUserCallOneParam  (0, 41, ... ) == 0x4
 00430  1756   NtAllocateVirtualMemory  (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0
 00431  1756   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 1, ... 10027008, 1048576, ) == 0x0
 00432  1756   NtAllocateVirtualMemory  (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0
 00433  1756   NtAllocateVirtualMemory  (-1, 10027008, 0, 16384, 4096, 4, ... 10027008, 16384, ) == 0x0
 00434  1756   NtUserCallNoParam  (29, ...
 00435  1756   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1242268, ... ) }, 1242268, ... ) == 0x0
 00436  1756   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 56, {status=0x0, info=1}, ) }, 5, 96, ... 56, {status=0x0, info=1}, ) == 0x0
 00437  1756   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 56, ... 60, ) == 0x0
 00438  1756   NtClose  (56, ... ) == 0x0
 00439  1756   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x380000), 0x0, 221184, ) == 0x0
 00440  1756   NtClose  (60, ... ) == 0x0
 00441  1756   NtUnmapViewOfSection  (-1, 0x380000, ... ) == 0x0
 00442  1756   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1242576, ... ) }, 1242576, ... ) == 0x0
 00443  1756   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 60, {status=0x0, info=1}, ) }, 5, 96, ... 60, {status=0x0, info=1}, ) == 0x0
 00444  1756   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 60, ... 56, ) == 0x0
 00445  1756   NtQuerySection  (56, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00446  1756   NtClose  (60, ... ) == 0x0
 00447  1756   NtMapViewOfSection  (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5ad70000), 0x0, 229376, ) == 0x0
 00448  1756   NtClose  (56, ... ) == 0x0
 00449  1756   NtProtectVirtualMemory  (-1, (0x5ad71000), 1300, 4, ... (0x5ad71000), 4096, 32, ) == 0x0
 00450  1756   NtProtectVirtualMemory  (-1, (0x5ad71000), 4096, 32, ... (0x5ad71000), 4096, 4, ) == 0x0
 00451  1756   NtFlushInstructionCache  (-1, 1524043776, 1300, ... ) == 0x0
 00452  1756   NtProtectVirtualMemory  (-1, (0x5ad71000), 1300, 4, ... (0x5ad71000), 4096, 32, ) == 0x0
 00453  1756   NtProtectVirtualMemory  (-1, (0x5ad71000), 4096, 32, ... (0x5ad71000), 4096, 4, ) == 0x0
 00454  1756   NtFlushInstructionCache  (-1, 1524043776, 1300, ... ) == 0x0
 00455  1756   NtProtectVirtualMemory  (-1, (0x5ad71000), 1300, 4, ... (0x5ad71000), 4096, 32, ) == 0x0
 00456  1756   NtProtectVirtualMemory  (-1, (0x5ad71000), 4096, 32, ... (0x5ad71000), 4096, 4, ) == 0x0
 00457  1756   NtFlushInstructionCache  (-1, 1524043776, 1300, ... ) == 0x0
 00458  1756   NtProtectVirtualMemory  (-1, (0x5ad71000), 1300, 4, ... (0x5ad71000), 4096, 32, ) == 0x0
 00459  1756   NtProtectVirtualMemory  (-1, (0x5ad71000), 4096, 32, ... (0x5ad71000), 4096, 4, ) == 0x0
 00460  1756   NtFlushInstructionCache  (-1, 1524043776, 1300, ... ) == 0x0
 00461  1756   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uxtheme.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00462  1756   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00463  1756   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00464  1756   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00465  1756   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 56, ) == 0x0
 00466  1756   NtQueryInformationToken  (56, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00467  1756   NtClose  (56, ... ) == 0x0
 00468  1756   NtOpenKey  (0x2001f, {24, 0, 0x640, 0, 0,  (0x2001f, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 56, ) }, ... 56, ) == 0x0
 00469  1756   NtOpenKey  (0x1, {24, 56, 0x40, 0, 0,  (0x1, {24, 56, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\ThemeManager"}, ... 60, ) }, ... 60, ) == 0x0
 00470  1756   NtQueryValueKey  (60,  (60, "Compositing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00471  1756   NtClose  (60, ... ) == 0x0
 00472  1756   NtClose  (56, ... ) == 0x0
 00473  1756   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00474  1756   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 56, ) == 0x0
 00475  1756   NtQueryInformationToken  (56, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00476  1756   NtClose  (56, ... ) == 0x0
 00477  1756   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 56, ) }, ... 56, ) == 0x0
 00478  1756   NtOpenKey  (0x1, {24, 56, 0x40, 0, 0,  (0x1, {24, 56, 0x40, 0, 0, "Control Panel\Desktop"}, ... 60, ) }, ... 60, ) == 0x0
 00479  1756   NtQueryValueKey  (60,  (60, "LameButtonText", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00480  1756   NtClose  (60, ... ) == 0x0
 00481  1756   NtClose  (56, ... ) == 0x0
 00482  1756   NtUserGetProcessWindowStation  (... ) == 0x1c
 00483  1756   NtUserGetObjectInformation  (28, 2, 1244364, 64, 1244360, ... ) == 0x1
 00484  1756   NtUserGetGUIThreadInfo  (1756, 1244384, ... ) == 0x1
 00485  1756   NtConnectPort  ( ("\ThemeApiPort", {12, 2, 1, 1}, 0x0, 0x0, 1244228, 64, ... 56, 0x0, 0x0, 0x0, 64, ) , {12, 2, 1, 1}, 0x0, 0x0, 1244228, 64, ... 56, 0x0, 0x0, 0x0, 64, ) == 0x0
 00486  1756   NtRequestWaitReplyPort  (56, {32, 56, new_msg, 0, 0, 0, 0, 0}  (56, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 1580, 1756, 57967, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 1580, 1756, 57967, 0}  (56, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 1580, 1756, 57967, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 00487  1756   NtRequestWaitReplyPort  (56, {32, 56, new_msg, 0, 0, 0, 0, 0}  (56, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 1580, 1756, 57968, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 1580, 1756, 57968, 0}  (56, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 1580, 1756, 57968, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 00488  1756   NtUserCallNoParam  (29, ...
 00489  1756   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1241624, ... ) }, 1241624, ... ) == 0x0
 00488  1756   NtUserCallNoParam  ... ) == 0x0
 00490  1756   NtUserSystemParametersInfo  (41, 0, 1524240760, 0, ... ) == 0x1
 00491  1756   NtGdiHfontCreate  (1243752, 356, 0, 0, 1340336, ... ) == 0x330a04e1
 00492  1756   NtGdiHfontCreate  (1243752, 356, 0, 0, 1340328, ... ) == 0x520a0634
 00493  1756   NtRequestWaitReplyPort  (56, {32, 56, new_msg, 0, 0, 0, 0, 0}  (56, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 1580, 1756, 57969, 0} "\0\0\0\0\0\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 1580, 1756, 57969, 0}  (56, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 1580, 1756, 57969, 0} "\0\0\0\0\0\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 00494  1756   NtMapViewOfSection  (60, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x380000), {0, 0}, 327680, ) == 0x0
 00495  1756   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00496  1756   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00497  1756   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00498  1756   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00499  1756   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00500  1756   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00501  1756   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00502  1756   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00503  1756   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00504  1756   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00505  1756   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00506  1756   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00507  1756   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00508  1756   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00509  1756   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00510  1756   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00511  1756   NtAllocateVirtualMemory  (-1, 3297280, 0, 4096, 4096, 4, ... 3297280, 4096, ) == 0x0
 00512  1756   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00513  1756   NtGdiCreatePatternBrushInternal  (59048383, 0, 0, ... ) == 0x72100798
 00514  1756   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00515  1756   NtUserCallNoParam  (29, ...
 00516  1756   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1241064, ... ) }, 1241064, ... ) == 0x0
 00515  1756   NtUserCallNoParam  ... ) == 0x0
 00517  1756   NtUserCallNoParam  (29, ...
 00518  1756   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1241060, ... ) }, 1241060, ... ) == 0x0
 00517  1756   NtUserCallNoParam  ... ) == 0x0
 00434  1756   NtUserCallNoParam  ... ) == 0x1
 00519  1756   NtQueryVirtualMemory  (-1, 0x373313, Basic, 28, ... {BaseAddress=0x373000,AllocationBase=0x360000,AllocationProtect=0x4,RegionSize=0xa000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00520  1756   NtQueryInformationProcess  (-1, 34, 4, ... {process info, class 34, size 4}, 0x0, ) == 0x0
 00521  1756   NtContinue  (1244356, 0, ...
 00522  1756   NtQueryVirtualMemory  (-1, 0x372d5c, Basic, 28, ... {BaseAddress=0x372000,AllocationBase=0x360000,AllocationProtect=0x4,RegionSize=0xb000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00523  1756   NtQueryInformationProcess  (-1, 34, 4, ... {process info, class 34, size 4}, 0x0, ) == 0x0
 00524  1756   NtContinue  (1244032, 0, ...
 00525  1756   NtQueryVirtualMemory  (-1, 0x372dc0, Basic, 28, ... {BaseAddress=0x372000,AllocationBase=0x360000,AllocationProtect=0x4,RegionSize=0xb000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00526  1756   NtQueryInformationProcess  (-1, 34, 4, ... {process info, class 34, size 4}, 0x0, ) == 0x0
 00527  1756   NtContinue  (1244032, 0, ...
 00528  1756   NtQueryVirtualMemory  (-1, 0x370d71, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x360000,AllocationProtect=0x4,RegionSize=0xd000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00529  1756   NtQueryInformationProcess  (-1, 34, 4, ... {process info, class 34, size 4}, 0x0, ) == 0x0
 00530  1756   NtQueryVirtualMemory  (-1, 0x373132, Basic, 28, ... {BaseAddress=0x373000,AllocationBase=0x360000,AllocationProtect=0x4,RegionSize=0xa000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00531  1756   NtQueryInformationProcess  (-1, 34, 4, ... {process info, class 34, size 4}, 0x0, ) == 0x0
 00532  1756   NtQueryVirtualMemory  (-1, 0x7c816fe0, Basic, 28, ... {BaseAddress=0x7c816000,AllocationBase=0x7c800000,AllocationProtect=0x80,RegionSize=0x6e000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 00533  1756   NtQueryInformationProcess  (-1, DebugPort, 4, ... {process info, class 7, size 4}, 0x0, ) == 0x0
 00534  1756   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00535  1756   NtQueryVirtualMemory  (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 00536  1756   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00537  1756   NtQueryInformationJobObject  (0, BasicLimit, 48, ... ) == STATUS_ACCESS_DENIED
 00538  1756   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AeDebug"}, ... 64, ) }, ... 64, ) == 0x0
 00539  1756   NtQueryValueKey  (64,  (64, "Auto", Partial, 526, ... TitleIdx=0, Type=1, Data="0\0\0\0"}, 16, ) , Partial, 526, ... TitleIdx=0, Type=1, Data= (64, "Auto", Partial, 526, ... TitleIdx=0, Type=1, Data="0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00540  1756   NtQueryValueKey  (64,  (64, "Debugger", Partial, 526, ... TitleIdx=0, Type=1, Data=""\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0V\0i\0s\0u\0a\0l\0 \0S\0t\0u\0d\0i\0o\0\\0C\0o\0m\0m\0o\0n\0\\0M\0S\0D\0e\0v\09\08\0\\0B\0i\0n\0\\0m\0s\0d\0e\0v\0.\0e\0x\0e\0"\0 \0-\0p\0 \0%\0l\0d\0 \0-\0e\0 \0%\0l\0d\0\0\0"}, 184, ) , Partial, 526, ... TitleIdx=0, Type=1, Data=" (64, "Debugger", Partial, 526, ... TitleIdx=0, Type=1, Data=""\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0V\0i\0s\0u\0a\0l\0 \0S\0t\0u\0d\0i\0o\0\\0C\0o\0m\0m\0o\0n\0\\0M\0S\0D\0e\0v\09\08\0\\0B\0i\0n\0\\0m\0s\0d\0e\0v\0.\0e\0x\0e\0"\0 \0-\0p\0 \0%\0l\0d\0 \0-\0e\0 \0%\0l\0d\0\0\0"}, 184, ) \0 \0-\0p\0 \0%\0l\0d\0 \0-\0e\0 \0%\0l\0d\0\0\0"}, 184, ) == 0x0
 00541  1756   NtClose  (64, ... ) == 0x0
 00542  1756   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\faultrep.dll"}, 1239712, ... ) }, 1239712, ... ) == 0x0
 00543  1756   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\faultrep.dll"}, 5, 96, ... 64, {status=0x0, info=1}, ) }, 5, 96, ... 64, {status=0x0, info=1}, ) == 0x0
 00544  1756   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 64, ... 68, ) == 0x0
 00545  1756   NtClose  (64, ... ) == 0x0
 00546  1756   NtMapViewOfSection  (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x3d0000), 0x0, 81920, ) == 0x0
 00547  1756   NtClose  (68, ... ) == 0x0
 00548  1756   NtUnmapViewOfSection  (-1, 0x3d0000, ... ) == 0x0
 00549  1756   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\faultrep.dll"}, 1240020, ... ) }, 1240020, ... ) == 0x0
 00550  1756   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\faultrep.dll"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00551  1756   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 68, ... 64, ) == 0x0
 00552  1756   NtQuerySection  (64, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00553  1756   NtClose  (68, ... ) == 0x0
 00554  1756   NtMapViewOfSection  (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x69450000), 0x0, 90112, ) == 0x0
 00555  1756   NtClose  (64, ... ) == 0x0
 00556  1756   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "VERSION.dll"}, ... 64, ) }, ... 64, ) == 0x0
 00557  1756   NtMapViewOfSection  (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c00000), 0x0, 32768, ) == 0x0
 00558  1756   NtClose  (64, ... ) == 0x0
 00559  1756   NtProtectVirtualMemory  (-1, (0x77c01000), 304, 4, ... (0x77c01000), 4096, 32, ) == 0x0
 00560  1756   NtProtectVirtualMemory  (-1, (0x77c01000), 4096, 32, ... (0x77c01000), 4096, 4, ) == 0x0
 00561  1756   NtFlushInstructionCache  (-1, 2009075712, 304, ... ) == 0x0
 00562  1756   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "USERENV.dll"}, ... 64, ) }, ... 64, ) == 0x0
 00563  1756   NtMapViewOfSection  (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x769c0000), 0x0, 733184, ) == 0x0
 00564  1756   NtClose  (64, ... ) == 0x0
 00565  1756   NtProtectVirtualMemory  (-1, (0x769c1000), 1244, 4, ... (0x769c1000), 4096, 32, ) == 0x0
 00566  1756   NtProtectVirtualMemory  (-1, (0x769c1000), 4096, 32, ... (0x769c1000), 4096, 4, ) == 0x0
 00567  1756   NtFlushInstructionCache  (-1, 1989939200, 1244, ... ) == 0x0
 00568  1756   NtProtectVirtualMemory  (-1, (0x769c1000), 1244, 4, ... (0x769c1000), 4096, 32, ) == 0x0
 00569  1756   NtProtectVirtualMemory  (-1, (0x769c1000), 4096, 32, ... (0x769c1000), 4096, 4, ) == 0x0
 00570  1756   NtFlushInstructionCache  (-1, 1989939200, 1244, ... ) == 0x0
 00571  1756   NtProtectVirtualMemory  (-1, (0x769c1000), 1244, 4, ... (0x769c1000), 4096, 32, ) == 0x0
 00572  1756   NtProtectVirtualMemory  (-1, (0x769c1000), 4096, 32, ... (0x769c1000), 4096, 4, ) == 0x0
 00573  1756   NtFlushInstructionCache  (-1, 1989939200, 1244, ... ) == 0x0
 00574  1756   NtProtectVirtualMemory  (-1, (0x769c1000), 1244, 4, ... (0x769c1000), 4096, 32, ) == 0x0
 00575  1756   NtProtectVirtualMemory  (-1, (0x769c1000), 4096, 32, ... (0x769c1000), 4096, 4, ) == 0x0
 00576  1756   NtFlushInstructionCache  (-1, 1989939200, 1244, ... ) == 0x0
 00577  1756   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WINSTA.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00578  1756   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WINSTA.dll"}, 1239196, ... ) }, 1239196, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00579  1756   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WINSTA.dll"}, 1239196, ... ) }, 1239196, ... ) == 0x0
 00580  1756   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WINSTA.dll"}, 5, 96, ... 64, {status=0x0, info=1}, ) }, 5, 96, ... 64, {status=0x0, info=1}, ) == 0x0
 00581  1756   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 64, ... 68, ) == 0x0
 00582  1756   NtQuerySection  (68, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00583  1756   NtClose  (64, ... ) == 0x0
 00584  1756   NtMapViewOfSection  (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76360000), 0x0, 65536, ) == 0x0
 00585  1756   NtClose  (68, ... ) == 0x0
 00586  1756   NtProtectVirtualMemory  (-1, (0x76361000), 212, 4, ... (0x76361000), 4096, 32, ) == 0x0
 00587  1756   NtProtectVirtualMemory  (-1, (0x76361000), 4096, 32, ... (0x76361000), 4096, 4, ) == 0x0
 00588  1756   NtFlushInstructionCache  (-1, 1983254528, 212, ... ) == 0x0
 00589  1756   NtProtectVirtualMemory  (-1, (0x76361000), 212, 4, ... (0x76361000), 4096, 32, ) == 0x0
 00590  1756   NtProtectVirtualMemory  (-1, (0x76361000), 4096, 32, ... (0x76361000), 4096, 4, ) == 0x0
 00591  1756   NtFlushInstructionCache  (-1, 1983254528, 212, ... ) == 0x0
 00592  1756   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "NETAPI32.dll"}, ... 68, ) }, ... 68, ) == 0x0
 00593  1756   NtMapViewOfSection  (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5b860000), 0x0, 344064, ) == 0x0
 00594  1756   NtClose  (68, ... ) == 0x0
 00595  1756   NtProtectVirtualMemory  (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0
 00596  1756   NtProtectVirtualMemory  (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0
 00597  1756   NtFlushInstructionCache  (-1, 1535512576, 1168, ... ) == 0x0
 00598  1756   NtProtectVirtualMemory  (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0
 00599  1756   NtProtectVirtualMemory  (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0
 00600  1756   NtFlushInstructionCache  (-1, 1535512576, 1168, ... ) == 0x0
 00601  1756   NtProtectVirtualMemory  (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0
 00602  1756   NtProtectVirtualMemory  (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0
 00603  1756   NtFlushInstructionCache  (-1, 1535512576, 1168, ... ) == 0x0
 00604  1756   NtProtectVirtualMemory  (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0
 00605  1756   NtProtectVirtualMemory  (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0
 00606  1756   NtFlushInstructionCache  (-1, 1535512576, 1168, ... ) == 0x0
 00607  1756   NtProtectVirtualMemory  (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0
 00608  1756   NtProtectVirtualMemory  (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0
 00609  1756   NtFlushInstructionCache  (-1, 1535512576, 1168, ... ) == 0x0
 00610  1756   NtProtectVirtualMemory  (-1, (0x76361000), 212, 4, ... (0x76361000), 4096, 32, ) == 0x0
 00611  1756   NtProtectVirtualMemory  (-1, (0x76361000), 4096, 32, ... (0x76361000), 4096, 4, ) == 0x0
 00612  1756   NtFlushInstructionCache  (-1, 1983254528, 212, ... ) == 0x0
 00613  1756   NtProtectVirtualMemory  (-1, (0x76361000), 212, 4, ... (0x76361000), 4096, 32, ) == 0x0
 00614  1756   NtProtectVirtualMemory  (-1, (0x76361000), 4096, 32, ... (0x76361000), 4096, 4, ) == 0x0
 00615  1756   NtFlushInstructionCache  (-1, 1983254528, 212, ... ) == 0x0
 00616  1756   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WTSAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00617  1756   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WTSAPI32.dll"}, 1239196, ... ) }, 1239196, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00618  1756   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WTSAPI32.dll"}, 1239196, ... ) }, 1239196, ... ) == 0x0
 00619  1756   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WTSAPI32.dll"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00620  1756   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 68, ... 64, ) == 0x0
 00621  1756   NtQuerySection  (64, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00622  1756   NtClose  (68, ... ) == 0x0
 00623  1756   NtMapViewOfSection  (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f50000), 0x0, 32768, ) == 0x0
 00624  1756   NtClose  (64, ... ) == 0x0
 00625  1756   NtProtectVirtualMemory  (-1, (0x76f51000), 332, 4, ... (0x76f51000), 4096, 32, ) == 0x0
 00626  1756   NtProtectVirtualMemory  (-1, (0x76f51000), 4096, 32, ... (0x76f51000), 4096, 4, ) == 0x0
 00627  1756   NtFlushInstructionCache  (-1, 1995771904, 332, ... ) == 0x0
 00628  1756   NtProtectVirtualMemory  (-1, (0x76f51000), 332, 4, ... (0x76f51000), 4096, 32, ) == 0x0
 00629  1756   NtProtectVirtualMemory  (-1, (0x76f51000), 4096, 32, ... (0x76f51000), 4096, 4, ) == 0x0
 00630  1756   NtFlushInstructionCache  (-1, 1995771904, 332, ... ) == 0x0
 00631  1756   NtProtectVirtualMemory  (-1, (0x76f51000), 332, 4, ... (0x76f51000), 4096, 32, ) == 0x0
 00632  1756   NtProtectVirtualMemory  (-1, (0x76f51000), 4096, 32, ... (0x76f51000), 4096, 4, ) == 0x0
 00633  1756   NtFlushInstructionCache  (-1, 1995771904, 332, ... ) == 0x0
 00634  1756   NtProtectVirtualMemory  (-1, (0x76f51000), 332, 4, ... (0x76f51000), 4096, 32, ) == 0x0
 00635  1756   NtProtectVirtualMemory  (-1, (0x76f51000), 4096, 32, ... (0x76f51000), 4096, 4, ) == 0x0
 00636  1756   NtFlushInstructionCache  (-1, 1995771904, 332, ... ) == 0x0
 00637  1756   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SETUPAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00638  1756   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\SETUPAPI.dll"}, 1239196, ... ) }, 1239196, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00639  1756   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SETUPAPI.dll"}, 1239196, ... ) }, 1239196, ... ) == 0x0
 00640  1756   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SETUPAPI.dll"}, 5, 96, ... 64, {status=0x0, info=1}, ) }, 5, 96, ... 64, {status=0x0, info=1}, ) == 0x0
 00641  1756   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 64, ... 68, ) == 0x0
 00642  1756   NtQuerySection  (68, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00643  1756   NtClose  (64, ... ) == 0x0
 00644  1756   NtMapViewOfSection  (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77920000), 0x0, 995328, ) == 0x0
 00645  1756   NtClose  (68, ... ) == 0x0
 00646  1756   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 00647  1756   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 00648  1756   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 00649  1756   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 00650  1756   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 00651  1756   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 00652  1756   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 00653  1756   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 00654  1756   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 00655  1756   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 00656  1756   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 00657  1756   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 00658  1756   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 00659  1756   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 00660  1756   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 00661  1756   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 68, ) }, ... 68, ) == 0x0
 00662  1756   NtMapViewOfSection  (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f60000), 0x0, 483328, ) == 0x0
 00663  1756   NtClose  (68, ... ) == 0x0
 00664  1756   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 00665  1756   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 00666  1756   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 00667  1756   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 00668  1756   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 00669  1756   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 00670  1756   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 00671  1756   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 00672  1756   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 00673  1756   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 00674  1756   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 00675  1756   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 00676  1756   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 00677  1756   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 00678  1756   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 00679  1756   NtProtectVirtualMemory  (-1, (0x69451000), 736, 4, ... (0x69451000), 4096, 32, ) == 0x0
 00680  1756   NtProtectVirtualMemory  (-1, (0x69451000), 4096, 32, ... (0x69451000), 4096, 4, ) == 0x0
 00681  1756   NtFlushInstructionCache  (-1, 1766133760, 736, ... ) == 0x0
 00682  1756   NtProtectVirtualMemory  (-1, (0x69451000), 736, 4, ... (0x69451000), 4096, 32, ) == 0x0
 00683  1756   NtProtectVirtualMemory  (-1, (0x69451000), 4096, 32, ... (0x69451000), 4096, 4, ) == 0x0
 00684  1756   NtFlushInstructionCache  (-1, 1766133760, 736, ... ) == 0x0
 00685  1756   NtProtectVirtualMemory  (-1, (0x69451000), 736, 4, ... (0x69451000), 4096, 32, ) == 0x0
 00686  1756   NtProtectVirtualMemory  (-1, (0x69451000), 4096, 32, ... (0x69451000), 4096, 4, ) == 0x0
 00687  1756   NtFlushInstructionCache  (-1, 1766133760, 736, ... ) == 0x0
 00688  1756   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VERSION.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00689  1756   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USERENV.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00690  1756   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 68, ) }, ... 68, ) == 0x0
 00691  1756   NtQueryValueKey  (68,  (68, "UserEnvDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00692  1756   NtClose  (68, ... ) == 0x0
 00693  1756   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 68, ) }, ... 68, ) == 0x0
 00694  1756   NtQueryValueKey  (68,  (68, "ChkAccDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00695  1756   NtClose  (68, ... ) == 0x0
 00696  1756   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Control\ProductOptions"}, ... 68, ) }, ... 68, ) == 0x0
 00697  1756   NtQueryValueKey  (68,  (68, "ProductType", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0i\0n\0N\0T\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (68, "ProductType", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0i\0n\0N\0T\0\0\0"}, 24, ) }, 24, ) == 0x0
 00698  1756   NtClose  (68, ... ) == 0x0
 00699  1756   NtCreateEvent  (0x1f0003, {24, 48, 0x80, 1237788, 0,  (0x1f0003, {24, 48, 0x80, 1237788, 0, "Global\userenv:  User Profile setup event"}, 0, 1, ... 68, ) }, 0, 1, ... 68, ) == STATUS_OBJECT_NAME_EXISTS
 00700  1756   NtQueryDefaultUILanguage  (2090319928, ...
 00701  1756   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00702  1756   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482580, ) == 0x0
 00703  1756   NtQueryInformationToken  (-2147482580, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00704  1756   NtClose  (-2147482580, ... ) == 0x0
 00705  1756   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482580, ) }, ... -2147482580, ) == 0x0
 00706  1756   NtOpenKey  (0x80000000, {24, -2147482580, 0x240, 0, 0,  (0x80000000, {24, -2147482580, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00707  1756   NtOpenKey  (0x80000000, {24, -2147482580, 0x640, 0, 0,  (0x80000000, {24, -2147482580, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481364, ) }, ... -2147481364, ) == 0x0
 00708  1756   NtQueryValueKey  (-2147481364,  (-2147481364, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00709  1756   NtClose  (-2147481364, ... ) == 0x0
 00710  1756   NtClose  (-2147482580, ... ) == 0x0
 00700  1756   NtQueryDefaultUILanguage  ... ) == 0x0
 00711  1756   NtQueryInstallUILanguage  (2090319930, ... ) == 0x0
 00712  1756   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00713  1756   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00714  1756   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00715  1756   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00716  1756   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00717  1756   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00718  1756   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00719  1756   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00720  1756   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00721  1756   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00722  1756   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00723  1756   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00724  1756   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00725  1756   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00726  1756   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00727  1756   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00728  1756   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00729  1756   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00730  1756   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00731  1756   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00732  1756   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00733  1756   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00734  1756   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00735  1756   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00736  1756   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00737  1756   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00738  1756   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00739  1756   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 64, ) == 0x0
 00740  1756   NtQueryInformationToken  (64, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00741  1756   NtClose  (64, ... ) == 0x0
 00742  1756   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 64, ) }, ... 64, ) == 0x0
 00743  1756   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, ... 72, ) }, ... 72, ) == 0x0
 00744  1756   NtQueryValueKey  (72,  (72, "Personal", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 66, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (72, "Personal", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 66, ) }, 66, ) == 0x0
 00745  1756   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00746  1756   NtQueryValueKey  (72,  (72, "Local Settings", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 70, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (72, "Local Settings", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 70, ) }, 70, ) == 0x0
 00747  1756   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00748  1756   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00749  1756   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00750  1756   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00751  1756   NtClose  (72, ... ) == 0x0
 00752  1756   NtClose  (64, ... ) == 0x0
 00753  1756   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 64, ) }, ... 64, ) == 0x0
 00754  1756   NtQueryValueKey  (64,  (64, "RsopDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00755  1756   NtClose  (64, ... ) == 0x0
 00756  1756   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 64, ) }, ... 64, ) == 0x0
 00757  1756   NtQueryValueKey  (64,  (64, "UserEnvDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00758  1756   NtQueryValueKey  (64,  (64, "RsopLogging", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00759  1756   NtClose  (64, ... ) == 0x0
 00760  1756   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\System"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00761  1756   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 64, ) }, ... 64, ) == 0x0
 00762  1756   NtQueryValueKey  (64,  (64, "UserEnvDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00763  1756   NtClose  (64, ... ) == 0x0
 00764  1756   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\System"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00765  1756   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NETAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00766  1756   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WINSTA.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00767  1756   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WTSAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00768  1756   NtQueryPerformanceCounter  (... {925766862, 10}, {3579545, 0}, ) == 0x0
 00769  1756   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUPAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00770  1756   NtQueryDefaultLocale  (1, 1239916, ... ) == 0x0
 00771  1756   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 00772  1756   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "System\Setup"}, ... 64, ) }, ... 64, ) == 0x0
 00773  1756   NtQueryValueKey  (64,  (64, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (64, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00774  1756   NtClose  (64, ... ) == 0x0
 00775  1756   NtUserGetProcessWindowStation  (... ) == 0x1c
 00776  1756   NtUserGetObjectInformation  (28, 1, 1239512, 12, 1239524, ... ) == 0x1
 00777  1756   NtOpenKey  (0xf003f, {24, 16, 0x40, 0, 0,  (0xf003f, {24, 16, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\MiniNT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00778  1756   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "System\WPA\PnP"}, ... 64, ) }, ... 64, ) == 0x0
 00779  1756   NtQueryValueKey  (64,  (64, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\240d\351\211"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (64, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\240d\351\211"}, 16, ) }, 16, ) == 0x0
 00780  1756   NtClose  (64, ... ) == 0x0
 00781  1756   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "SYSTEM\Setup"}, ... 64, ) }, ... 64, ) == 0x0
 00782  1756   NtQueryValueKey  (64,  (64, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (64, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0
 00783  1756   NtQueryValueKey  (64,  (64, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (64, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0
 00784  1756   NtClose  (64, ... ) == 0x0
 00785  1756   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "SYSTEM\Setup"}, ... 64, ) }, ... 64, ) == 0x0
 00786  1756   NtQueryValueKey  (64,  (64, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (64, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0
 00787  1756   NtQueryValueKey  (64,  (64, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (64, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0
 00788  1756   NtClose  (64, ... ) == 0x0
 00789  1756   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 64, ) }, ... 64, ) == 0x0
 00790  1756   NtQueryValueKey  (64,  (64, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (64, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 00791  1756   NtQueryValueKey  (64,  (64, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (64, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 00792  1756   NtClose  (64, ... ) == 0x0
 00793  1756   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 64, ) }, ... 64, ) == 0x0
 00794  1756   NtQueryValueKey  (64,  (64, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (64, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 00795  1756   NtQueryValueKey  (64,  (64, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (64, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 00796  1756   NtClose  (64, ... ) == 0x0
 00797  1756   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 64, ) }, ... 64, ) == 0x0
 00798  1756   NtQueryValueKey  (64,  (64, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (64, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) }, 102, ) == 0x0
 00799  1756   NtQueryValueKey  (64,  (64, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (64, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) }, 102, ) == 0x0
 00800  1756   NtClose  (64, ... ) == 0x0
 00801  1756   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 64, ) }, ... 64, ) == 0x0
 00802  1756   NtQueryValueKey  (64,  (64, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (64, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0
 00803  1756   NtQueryValueKey  (64,  (64, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (64, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0
 00804  1756   NtClose  (64, ... ) == 0x0
 00805  1756   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 64, ) }, ... 64, ) == 0x0
 00806  1756   NtQueryValueKey  (64,  (64, "DevicePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00807  1756   NtQueryValueKey  (64,  (64, "DevicePath", Partial, 346, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0c\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0r\0i\0c\0h\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0c\0e\0r\0c\0s\0r\06\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\03\02\00\0r\0a\0i\0d\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0i\0a\0s\0t\0o\0r\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0n\0v\0r\0a\0i\0d\0\0\0"}, 346, ) , Partial, 346, ... TitleIdx=0, Type=2, Data= (64, "DevicePath", Partial, 346, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0c\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0r\0i\0c\0h\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0c\0e\0r\0c\0s\0r\06\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\03\02\00\0r\0a\0i\0d\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0i\0a\0s\0t\0o\0r\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0n\0v\0r\0a\0i\0d\0\0\0"}, 346, ) }, 346, ) == 0x0
 00808  1756   NtAllocateVirtualMemory  (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0
 00809  1756   NtClose  (64, ... ) == 0x0
 00810  1756   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 64, ) == 0x0
 00811  1756   NtCreateMutant  (0x1f0001, 0x0, 0, ... 72, ) == 0x0
 00812  1756   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 76, ) == 0x0
 00813  1756   NtCreateMutant  (0x1f0001, 0x0, 0, ... 80, ) == 0x0
 00814  1756   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 84, ) == 0x0
 00815  1756   NtCreateMutant  (0x1f0001, 0x0, 0, ... 88, ) == 0x0
 00816  1756   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 92, ) }, ... 92, ) == 0x0
 00817  1756   NtQueryValueKey  (92,  (92, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (92, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00818  1756   NtQueryValueKey  (92,  (92, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (92, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00819  1756   NtQueryValueKey  (92,  (92, "LogPath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00820  1756   NtOpenKey  (0x1, {24, 92, 0x40, 0, 0,  (0x1, {24, 92, 0x40, 0, 0, "AppLogLevels"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00821  1756   NtClose  (92, ... ) == 0x0
 00822  1756   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 1239428, ... ) }, 1239428, ... ) == 0x0
 00823  1756   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName"}, ... 92, ) }, ... 92, ) == 0x0
 00824  1756   NtQueryValueKey  (92,  (92, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (92, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Data= (92, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) }, 60, ) == 0x0
 00825  1756   NtClose  (92, ... ) == 0x0
 00826  1756   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 92, ) }, ... 92, ) == 0x0
 00827  1756   NtQueryValueKey  (92,  (92, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (92, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) , Data= (92, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) }, 52, ) == 0x0
 00828  1756   NtClose  (92, ... ) == 0x0
 00829  1756   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\System\DNSclient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00830  1756   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 92, ) }, ... 92, ) == 0x0
 00831  1756   NtQueryValueKey  (92,  (92, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (92, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Data= (92, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) }, 34, ) == 0x0
 00832  1756   NtClose  (92, ... ) == 0x0
 00833  1756   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHLWAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00834  1756   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00835  1756   NtCreateSemaphore  (0x1f0003, {24, 48, 0x80, 1343256, 0,  (0x1f0003, {24, 48, 0x80, 1343256, 0, "shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}"}, 0, 2147483647, ... 92, ) }, 0, 2147483647, ... 92, ) == STATUS_OBJECT_NAME_EXISTS
 00836  1756   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\faultrep.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00837  1756   NtOpenKey  (0x20119, {24, 16, 0x40, 0, 0,  (0x20119, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\PCHealth\ErrorReporting"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00838  1756   NtCreateKey  (0x20119, {24, 16, 0x40, 0, 0,  (0x20119, {24, 16, 0x40, 0, 0, "Software\Microsoft\PCHealth\ErrorReporting"}, 0, 0x0, 0, ... 96, 2, ) }, 0, 0x0, 0, ... 96, 2, ) == 0x0
 00839  1756   NtOpenKey  (0x10000, {24, 96, 0x40, 0, 0,  (0x10000, {24, 96, 0x40, 0, 0, "DW"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00840  1756   NtQueryValueKey  (96,  (96, "DoReport", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "DoReport", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00841  1756   NtQueryValueKey  (96,  (96, "ShowUI", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "ShowUI", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00842  1756   NtQueryValueKey  (96,  (96, "AllOrNone", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "AllOrNone", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00843  1756   NtQueryValueKey  (96,  (96, "IncludeMicrosoftApps", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "IncludeMicrosoftApps", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00844  1756   NtQueryValueKey  (96,  (96, "IncludeWindowsApps", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "IncludeWindowsApps", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00845  1756   NtQueryValueKey  (96,  (96, "DoTextLog", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00846  1756   NtQueryValueKey  (96,  (96, "IncludeKernelFaults", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "IncludeKernelFaults", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00847  1756   NtQueryValueKey  (96,  (96, "IncludeShutdownErrs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00848  1756   NtQueryValueKey  (96,  (96, "NumberOfFaultPipes", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00849  1756   NtQueryValueKey  (96,  (96, "NumberOfHangPipes", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00850  1756   NtQueryValueKey  (96,  (96, "MaxUserQueueSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00851  1756   NtQueryValueKey  (96,  (96, "ForceQueueMode", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00852  1756   NtCreateKey  (0x20119, {24, 96, 0x40, 0, 0,  (0x20119, {24, 96, 0x40, 0, 0, "ExclusionList"}, 0, 0x0, 0, ... 100, 2, ) }, 0, 0x0, 0, ... 100, 2, ) == 0x0
 00853  1756   NtCreateKey  (0x20119, {24, 96, 0x40, 0, 0,  (0x20119, {24, 96, 0x40, 0, 0, "InclusionList"}, 0, 0x0, 0, ... 104, 2, ) }, 0, 0x0, 0, ... 104, 2, ) == 0x0
 00854  1756   NtClose  (96, ... ) == 0x0
 00855  1756   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "System\Setup"}, ... 96, ) }, ... 96, ) == 0x0
 00856  1756   NtQueryValueKey  (96,  (96, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00857  1756   NtClose  (96, ... ) == 0x0
 00858  1756   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00859  1756   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00860  1756   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1236956, ... ) }, 1236956, ... ) == 0x0
 00861  1756   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\"}, 3, 16417, ... 96, {status=0x0, info=1}, ) }, 3, 16417, ... 96, {status=0x0, info=1}, ) == 0x0
 00862  1756   NtQueryDirectoryFile  (96, 0, 0, 0, 1236384, 616, BothDirectory, 1,  (96, 0, 0, 0, 1236384, 616, BothDirectory, 1, "work", 0, ... {status=0x0, info=104}, ) , 0, ... {status=0x0, info=104}, ) == 0x0
 00863  1756   NtClose  (96, ... ) == 0x0
 00864  1756   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work\"}, 3, 16417, ... 96, {status=0x0, info=1}, ) }, 3, 16417, ... 96, {status=0x0, info=1}, ) == 0x0
 00865  1756   NtQueryDirectoryFile  (96, 0, 0, 0, 1236384, 616, BothDirectory, 1,  (96, 0, 0, 0, 1236384, 616, BothDirectory, 1, "packed.exe", 0, ... {status=0x0, info=120}, ) , 0, ... {status=0x0, info=120}, ) == 0x0
 00866  1756   NtClose  (96, ... ) == 0x0
 00867  1756   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00868  1756   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00869  1756   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00870  1756   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00871  1756   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1235604, ... ) }, 1235604, ... ) == 0x0
 00872  1756   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1234376, ... ) }, 1234376, ... ) == 0x0
 00873  1756   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00874  1756   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00875  1756   NtQueryValueKey  (100,  (100, "packed.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00876  1756   NtOpenThreadToken  (-2, 0x2000c, 1, ... ) == STATUS_NO_TOKEN
 00877  1756   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 00878  1756   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00879  1756   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00880  1756   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 96, ) }, ... 96, ) == 0x0
 00881  1756   NtQueryValueKey  (96,  (96, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00882  1756   NtClose  (96, ... ) == 0x0
 00883  1756   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00884  1756   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 96, ) == 0x0
 00885  1756   NtAllocateVirtualMemory  (-1, 1347584, 0, 4096, 4096, 4, ... 1347584, 4096, ) == 0x0
 00886  1756   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 108, ) == 0x0
 00887  1756   NtQuerySystemTime  (... {1663793308, 29918852}, ) == 0x0
 00888  1756   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 112, ) == 0x0
 00889  1756   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00890  1756   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0
 00891  1756   NtQueryInformationProcess  (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0
 00892  1756   NtQueryInformationProcess  (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0
 00893  1756   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 116, ) == 0x0
 00894  1756   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 120, ) == 0x0
 00895  1756   NtDeviceIoControlFile  (44, 0, 0x0, 0x0, 0x390008,  (44, 0, 0x0, 0x0, 0x390008, "\31U\235\236{.\307\3162\357PJo\227\327O\202\342\274\334\350\342w\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00896  1756   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00897  1756   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00898  1756   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00899  1756   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00900  1756   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00901  1756   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00902  1756   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00903  1756   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482580, 2, ) }, 0, 0x0, 0, ... -2147482580, 2, ) == 0x0
 00904  1756   NtSetValueKey  (-2147482580,  (-2147482580, "Seed", 0, 3, "\252\325*\2350\305}'B&7\203\351\353@\355\357\302\275\324H\23\234X\342\342>\201\353\231\26\203\327b\3550\260\277\210\35\251$\363\366\243\250\307\347\307, 80, ... ) , 0, 3,  (-2147482580, "Seed", 0, 3, "\252\325*\2350\305}'B&7\203\351\353@\355\357\302\275\324H\23\234X\342\342>\201\353\231\26\203\327b\3550\260\277\210\35\251$\363\366\243\250\307\347\307, 80, ... ) , 80, ... ) == 0x0
 00905  1756   NtClose  (-2147482580, ... ) == 0x0
 00895  1756   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\214\324\365\11\361\13\202\00\376(\213\267\17\365;\327vPdP6\336\263k\360\261\330\351*\252\250\263\255\30\234H\364L\223\377z\33\365\372\341>\244\321C\370\221Y&\370]\235)\307\263l\234\210\355L\200\247\366\34y.)\372J\317\236\326D\214(\234\277\12\2\233\3\270>\31\31\344\341\376\320/\307\372Z)\323\365\257\242\206\300\20\376o$\317J\204\301Q\220\356\247W\304\312\274iu\363\216\266\260\334\317\372\273\3546\230\212N`\2016\20\216\257\317V\232\35\16sIpY\347\313\354\371\356\227\327\267h#\315R\332\267~C0\241p\203mQr\102s\367iBq\214%=\377\227\303\11%\207O\337U\14$\31TZ)G\333\177\16\224\317\25}\233Ah)\27n\377\15\322\364I}\217!P\0\7\316\221B\361y\0vL\345\33U\5\177\257e\7\304\322[\262~b\233\327\256\220\266R(3*", ) , ) == 0x0
 00906  1756   NtDeviceIoControlFile  (44, 0, 0x0, 0x0, 0x390008,  (44, 0, 0x0, 0x0, 0x390008, "\31U\235\236{.\307\3162\357PJo\227\310}\263\366\34,T\260\30\202\342\274\334\350\342w\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00907  1756   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00908  1756   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00909  1756   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00910  1756   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00911  1756   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00912  1756   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00913  1756   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00914  1756   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482580, 2, ) }, 0, 0x0, 0, ... -2147482580, 2, ) == 0x0
 00915  1756   NtSetValueKey  (-2147482580,  (-2147482580, "Seed", 0, 3, "\322\235\12\242\15\207}\254t\326#\231\212\210\200\244\230\324e\302fV2\202\226m7\231<\223\317$\240\2444=\262\320A\261M)4\246\205G\16\350\367h\373\225\362\257\273\302R\330__\220\23\265\246\0&\10~\307`\34\247\272v\367B[C\13", 80, ... ) , 0, 3,  (-2147482580, "Seed", 0, 3, "\322\235\12\242\15\207}\254t\326#\231\212\210\200\244\230\324e\302fV2\202\226m7\231<\223\317$\240\2444=\262\320A\261M)4\246\205G\16\350\367h\373\225\362\257\273\302R\330__\220\23\265\246\0&\10~\307`\34\247\272v\367B[C\13", 80, ... ) , 80, ... ) == 0x0
 00916  1756   NtClose  (-2147482580, ... ) == 0x0
 00906  1756   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\202\324\312!\6#\177\0\321\3319\267\336\261u\277\222PB\366uF1\205\332\275\275L\310u\254u\23\251_\271\\217d=\307N\337\26\32\306\223\17\33\373\255\357\312gA>\2144\347LD.\325=A\205\14\315T\26\325K\212#\241w\131\207?i\343\354\206.\365x\322\3528ew\304\254\261y'\344\267#2\261\316#^\347\333\254T\23`\3621tV%\355A8\1\360\301/3\14P\201\371%~\271\5\252\14\226!\253cC\366\300L\334:\215\267\310h\23\342\344\340V,/\21\331\255\252\223dv\276pK\240J\16\247o\257\337\203\202\360\4&2L\224\241\313i\360\251}\223UG0\264v\341\335Y\4Z\251\6\2640\322x\252+\201\20\366I\216\265v\351\332>\2435wn\347\264x\236/\353UH\26\260\37\263hzXR\360U\235'&\277\307\326\263O}d'\303\3176Ms", ) , ) == 0x0
 00917  1756   NtDeviceIoControlFile  (44, 0, 0x0, 0x0, 0x390008,  (44, 0, 0x0, 0x0, 0x390008, "\31U\235\236{.\307\3162\357PJo\227\310}\263\366\34,T\257*\263\366\34,T\260\30\202\342\274\334\350\342w\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00918  1756   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00919  1756   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00920  1756   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00921  1756   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00922  1756   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00923  1756   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00924  1756   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00925  1756   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482580, 2, ) }, 0, 0x0, 0, ... -2147482580, 2, ) == 0x0
 00926  1756   NtSetValueKey  (-2147482580,  (-2147482580, "Seed", 0, 3, "\316\212~38Q%\216M\351\333\345\307\10\24\35\331\242i\245\224\332QW9#\316\314\271U\333\273Ef\214_\0f\24\30z\264\36\205\256\333\32 \306\4\364\320\302\332\352\307\377\355\361U\200k\2\246"Gu\271RU\307\267\342h\314\O\32\377\355", 80, ... ) , 0, 3,  (-2147482580, "Seed", 0, 3, "\316\212~38Q%\216M\351\333\345\307\10\24\35\331\242i\245\224\332QW9#\316\314\271U\333\273Ef\214_\0f\24\30z\264\36\205\256\333\32 \306\4\364\320\302\332\352\307\377\355\361U\200k\2\246"Gu\271RU\307\267\342h\314\O\32\377\355", 80, ... ) Gu\271RU\307\267\342h\314\O\32\377\355", 80, ... ) == 0x0
 00927  1756   NtClose  (-2147482580, ... ) == 0x0
 00917  1756   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\233\202\345i6\313\202Rul\276r\247\355\3321\202\366\200\253\343N\4\177\274\365\323p\340\310I\327\250\245=\374\246U\354>\272\263z\350\254\3329\344\364~\3628zy\216\311\312\254\205\324\233v\364\212y\275 3\314\312\314&\276\204\225\240\205\2X\362,?h\346\3716\307\360\24\271\234\204\323r\307\256J\247\223>\23\315\227#P\307\30)\270"\207\313\31M\235\36\231\220e\31([1\203H\327\7\243;=c/,z\221\36\360\7?N$\200~ )]\304\23?#D\327207\313\31M\235\36\231\220e\31([1\203H\327\7\243;=c/,z\221\36\360\7?N$\200~ )]\304\23?#D\327267&K(W^\331\5n\232\273\332\315q\200\237\316\35\12\24O\365\21559[7\27\226\334\324D\255{\343i[\207\357\365\273\217\234\13\310+\20.\326\373\223\327\335\256:\333y\301]#\214\305\23\332\334Q]\224W\244%\34|a\264\321\241\355I\344\4$\260\322\2407\202\307\251T\1A\264\315W`\200\252^\3438V", ) == 0x0
 00928  1756   NtDeviceIoControlFile  (44, 0, 0x0, 0x0, 0x390008,  (44, 0, 0x0, 0x0, 0x390008, "\31U\235\236{.\307\3162\357PJo\227\310}\263\366\34,T\257*\263\366\34,T\257*\263\366\34,T\260\30\202\342\274\334\350\342w\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00929  1756   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00930  1756   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00931  1756   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00932  1756   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00933  1756   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00934  1756   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00935  1756   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00936  1756   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482580, 2, ) }, 0, 0x0, 0, ... -2147482580, 2, ) == 0x0
 00937  1756   NtSetValueKey  (-2147482580,  (-2147482580, "Seed", 0, 3, "\262\375\336\276\2271 s\364\202]_\33\32\231\370\332\3575c\241w\36\355\347\340:}rW\373\342\217\31\206\346Lk\24\23\242-\332Uh tYr\354\326)}\177b\275\37\23\264\343v\341i\23\345|\214\34$M\253\344\362=\305$\303^\35$", 80, ... ) , 0, 3,  (-2147482580, "Seed", 0, 3, "\262\375\336\276\2271 s\364\202]_\33\32\231\370\332\3575c\241w\36\355\347\340:}rW\373\342\217\31\206\346Lk\24\23\242-\332Uh tYr\354\326)}\177b\275\37\23\264\343v\341i\23\345|\214\34$M\253\344\362=\305$\303^\35$", 80, ... ) , 80, ... ) == 0x0
 00938  1756   NtClose  (-2147482580, ... ) == 0x0
 00928  1756   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\370"\300\220d\233\301\264v\326\312j\224\375b\37\323\245\227\206\34\203\246\240\370qA]\210\264\324\331\207\257;\33q2\211\361\325T\376I\2\262cc\264{\201\203\16\225\25l\326\275\354@\245\305L\346\344\360\314\31\200\211;u\2\14\26P\262\203\347\4I\232\20\264t/\216\224Vi\203\6\26\11\317\15\361`\270^\231"pfkb\354<\342/\236p\356\231\10p4\360\355\272\34\224\247\240l\317\223IBX\363~s\351\340\311\202M\376\230\307\23\356\317\206\32\6\224\13DF\224\26\256y\312\213|7@\245\345:\373L&\345C\275\265L3\317\217\234\261\250\213\236\255\233G8\325g\273s\244sOg\235\347re?\360\237/%\310\36\305\235)\31'0\3\334\244Ib\332\242\375\254y,[h\313(!\33\264\256\321\367!\227i\344'\275\376\377p", ) \300\220d\233\301\264v\326\312j\224\375b\37\323\245\227\206\34\203\246\240\370qA]\210\264\324\331\207\257;\33q2\211\361\325T\376I\2\262cc\264{\201\203\16\225\25l\326\275\354@\245\305L\346\344\360\314\31\200\211;u\2\14\26P\262\203\347\4I\232\20\264t/\216\224Vi\203\6\26\11\317\15\361`\270^\231 ... {status=0x0, info=256}, "\370"\300\220d\233\301\264v\326\312j\224\375b\37\323\245\227\206\34\203\246\240\370qA]\210\264\324\331\207\257;\33q2\211\361\325T\376I\2\262cc\264{\201\203\16\225\25l\326\275\354@\245\305L\346\344\360\314\31\200\211;u\2\14\26P\262\203\347\4I\232\20\264t/\216\224Vi\203\6\26\11\317\15\361`\270^\231"pfkb\354<\342/\236p\356\231\10p4\360\355\272\34\224\247\240l\317\223IBX\363~s\351\340\311\202M\376\230\307\23\356\317\206\32\6\224\13DF\224\26\256y\312\213|7@\245\345:\373L&\345C\275\265L3\317\217\234\261\250\213\236\255\233G8\325g\273s\244sOg\235\347re?\360\237/%\310\36\305\235)\31'0\3\334\244Ib\332\242\375\254y,[h\313(!\33\264\256\321\367!\227i\344'\275\376\377p", ) , ) == 0x0
 00939  1756   NtDeviceIoControlFile  (44, 0, 0x0, 0x0, 0x390008,  (44, 0, 0x0, 0x0, 0x390008, "\31U\235\236{.\307\3162\357PJo\227\310}\263\366\34,T\257*\263\366\34,T\257*\263\366\34,T\257*\263\366\34,T\260\30\202\342\274\334\350\342w\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00940  1756   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00941  1756   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00942  1756   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00943  1756   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00944  1756   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00945  1756   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00946  1756   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00947  1756   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482580, 2, ) }, 0, 0x0, 0, ... -2147482580, 2, ) == 0x0
 00948  1756   NtSetValueKey  (-2147482580,  (-2147482580, "Seed", 0, 3, "\31\331\253&\231\267*gZ>u\2B.\264\365\16\17\23\343\333\14p[T\17j\5\223\311k\205p.\334\274\277C\332\245\30\2673\331\336\32P\331\204\375\205\306\245\23'\325L\0\251\26\251\264\5}f\237AST\362\207\313\320\364W\373\344\24\35", 80, ... ) , 0, 3,  (-2147482580, "Seed", 0, 3, "\31\331\253&\231\267*gZ>u\2B.\264\365\16\17\23\343\333\14p[T\17j\5\223\311k\205p.\334\274\277C\332\245\30\2673\331\336\32P\331\204\375\205\306\245\23'\325L\0\251\26\251\264\5}f\237AST\362\207\313\320\364W\373\344\24\35", 80, ... ) , 80, ... ) == 0x0
 00949  1756   NtClose  (-2147482580, ... ) == 0x0
 00939  1756   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\275\21H\22,\272\277\323r\12W\346\333\26\364\316\11\4\2270\32\201\275`F\221\206\266\372B(nP\16\355\1479\20\253\206\216\202]\37\377f%\220\230G\245\201gT\353\324\24\30\7Fl|z-\34\314$\255N>\204\0\11\275\371\267\340u\2560\24\364\322\35=~\211]\25\246qh\332\177\14AN\215\363\314\201\347\244\330\7M7bW\210\226\351[}B4\316\303\227\337\322\374\2156\210\23S\273C\20i\237\202\340\27\272\276\376,\306|\220C}*/"@}\364VZ\362\366\21\305j\2637\274\2602z\324\2437\322\267#ef\323\345\201\241\222\33\20j\27\365LN\306\264\261\375BI\2423\364k>\301\231wl\303\253\177v\277\303M\263\335\311_\373\337*\221]\345\36\243\3\301\322\337\327#\363\214m\15Ir\33L\31\321\3\275\227V7\362\33\213\2E\2742\344\364\211\350V\376\201\362~", ) @}\364VZ\362\366\21\305j\2637\274\2602z\324\2437\322\267#ef\323\345\201\241\222\33\20j\27\365LN\306\264\261\375BI\2423\364k>\301\231wl\303\253\177v\277\303M\263\335\311_\373\337*\221]\345\36\243\3\301\322\337\327#\363\214m\15Ir\33L\31\321\3\275\227V7\362\33\213\2E\2742\344\364\211\350V\376\201\362~", ) == 0x0
 00950  1756   NtDeviceIoControlFile  (44, 0, 0x0, 0x0, 0x390008,  (44, 0, 0x0, 0x0, 0x390008, "\31U\235\236{.\307\3162\357PJo\227\310}\263\366\34,T\257*\263\366\34,T\257*\263\366\34,T\257*\263\366\34,T\257*\263\366\34,T\260\30\202\342\274\334\350\342w\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00951  1756   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00952  1756   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00953  1756   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00954  1756   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00955  1756   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00956  1756   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00957  1756   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00958  1756   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482580, 2, ) }, 0, 0x0, 0, ... -2147482580, 2, ) == 0x0
 00959  1756   NtSetValueKey  (-2147482580,  (-2147482580, "Seed", 0, 3, "\316\2\204\36\247\331:\22\226\36\26\325*\232\276\243\223\361\3\347O\27\370(\23\303\244\36\200\333\274\177\340\205\331\300\16\233>\332\340\247I\256ee\230=\204A\261YJ\3624\246\325\204\33\217Lhn\252lM\301\227\330\34a8\222+ A\363uq\257", 80, ... ) , 0, 3,  (-2147482580, "Seed", 0, 3, "\316\2\204\36\247\331:\22\226\36\26\325*\232\276\243\223\361\3\347O\27\370(\23\303\244\36\200\333\274\177\340\205\331\300\16\233>\332\340\247I\256ee\230=\204A\261YJ\3624\246\325\204\33\217Lhn\252lM\301\227\330\34a8\222+ A\363uq\257", 80, ... ) , 80, ... ) == 0x0
 00960  1756   NtClose  (-2147482580, ... ) == 0x0
 00950  1756   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\263F\2539p\311[\345K\204\353\316:]\337y\227\21\27\14\32\374\320\376f\317r?v\261K\261\215\303\234v\316)p\27\323\325\363\24\26:\317Y\220\201w\366b9Z\3571'\234\225\336\356\323\15\236*\250\340 +qk\3408\21[\334\220\231\202\201iL"\350W\253r\230\15\314vp\312\316c\265^\16\365X\277U\230\306\3309\37\365\254\206\27\25\310\372\320D\363\242\362\337\331\244\227zyY\33zzz\260k\10\324Q\222S\260\35\363\326\222\6\251T\237 \213\267-W\322+\306\233M\147k\233r|\236c}\3320\314\2412\300~\332A\376Fp\33g\304\347\256#nq S,\366\326\327\366h3\215B\23Q\13\202\27\207/\302\347\<\205U\12S\17\225\6\217M\336F\17\345$n\226\241\6:\346\276\263\374\27\12\20(5\204\250d\252A\16\17\35S`>f\300\3639+\313]\231\250", ) \350W\253r\230\15\314vp\312\316c\265^\16\365X\277U\230\306\3309\37\365\254\206\27\25\310\372\320D\363\242\362\337\331\244\227zyY\33zzz\260k\10\324Q\222S\260\35\363\326\222\6\251T\237 \213\267-W\322+\306\233M\147k\233r|\236c}\3320\314\2412\300~\332A\376Fp\33g\304\347\256#nq S,\366\326\327\366h3\215B\23Q\13\202\27\207/\302\347\<\205U\12S\17\225\6\217M\336F\17\345$n\226\241\6:\346\276\263\374\27\12\20(5\204\250d\252A\16\17\35S`>f\300\3639+\313]\231\250", ) == 0x0
 00961  1756   NtDeviceIoControlFile  (44, 0, 0x0, 0x0, 0x390008,  (44, 0, 0x0, 0x0, 0x390008, "\31U\235\236{.\307\3162\357PJo\227\310}\263\366\34,T\257*\263\366\34,T\257*\263\366\34,T\257*\263\366\34,T\257*\263\366\34,T\257*\263\366\34,T\260\30\202\342\274\334\350\342w\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00962  1756   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00963  1756   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00964  1756   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00965  1756   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00966  1756   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00967  1756   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00968  1756   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00969  1756   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482580, 2, ) }, 0, 0x0, 0, ... -2147482580, 2, ) == 0x0
 00970  1756   NtSetValueKey  (-2147482580,  (-2147482580, "Seed", 0, 3, "t\220%\336G\273\224\22\14\30\31\371!z\0NL\255\32\31\204xE%cvcpe%\261\267\214H\237\376H\\233\352A=\256o4\315j#\206\342\205;W\227\253\0\270\316\277\143S\206\335\333\24ED\203\251\333\244\367\347\351\273\16\30cO", 80, ... ) , 0, 3,  (-2147482580, "Seed", 0, 3, "t\220%\336G\273\224\22\14\30\31\371!z\0NL\255\32\31\204xE%cvcpe%\261\267\214H\237\376H\\233\352A=\256o4\315j#\206\342\205;W\227\253\0\270\316\277\143S\206\335\333\24ED\203\251\333\244\367\347\351\273\16\30cO", 80, ... ) , 80, ... ) == 0x0
 00971  1756   NtClose  (-2147482580, ... ) == 0x0
 00961  1756   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\321\2236\326\11\226\333@\216b\251 b\11\214\316\257\220\213\241"5V\326\267[\342t"\361}\354\316-\213\343\22\233\202\336\354!_\373\350\0<\237G\254\322L\213\3501\201\352\342\354\245(j=\314"@'\2731\21\32\6\264U\243nJ\300\373vN\7%?\337-v?J\213\262T\344D\334\347\375x\351\224\277\226\242-$W\302\233\242\311FY3\23h\257\306\364u\303\260\332\16\245\7\372j\200\234x\272\201i\243w\31sA;,\335'\235N\301 \333\276\216\225F"\33v\202\220\257_\273\204 \232m\345[\11\205\344\25P\217M\10\241\271\227\202\200\216g\262\355\233\320I\271\350\255*\252{=\211K\324\32\313\337f\246\10~]\342\305Z\221A\342'[\307\251\364RMX9#\350\370v\233\233\225.\6\213\366\212{\15\302\341\324\275\333\313\342\341\376\13\341\273\14\275WA3\264X\12%\0\3718", ) 5V\326\267[\342t ... {status=0x0, info=256}, "\321\2236\326\11\226\333@\216b\251 b\11\214\316\257\220\213\241"5V\326\267[\342t"\361}\354\316-\213\343\22\233\202\336\354!_\373\350\0<\237G\254\322L\213\3501\201\352\342\354\245(j=\314"@'\2731\21\32\6\264U\243nJ\300\373vN\7%?\337-v?J\213\262T\344D\334\347\375x\351\224\277\226\242-$W\302\233\242\311FY3\23h\257\306\364u\303\260\332\16\245\7\372j\200\234x\272\201i\243w\31sA;,\335'\235N\301 \333\276\216\225F"\33v\202\220\257_\273\204 \232m\345[\11\205\344\25P\217M\10\241\271\227\202\200\216g\262\355\233\320I\271\350\255*\252{=\211K\324\32\313\337f\246\10~]\342\305Z\221A\342'[\307\251\364RMX9#\350\370v\233\233\225.\6\213\366\212{\15\302\341\324\275\333\313\342\341\376\13\341\273\14\275WA3\264X\12%\0\3718", ) @'\2731\21\32\6\264U\243nJ\300\373vN\7%?\337-v?J\213\262T\344D\334\347\375x\351\224\277\226\242-$W\302\233\242\311FY3\23h\257\306\364u\303\260\332\16\245\7\372j\200\234x\272\201i\243w\31sA;,\335'\235N\301 \333\276\216\225F ... {status=0x0, info=256}, "\321\2236\326\11\226\333@\216b\251 b\11\214\316\257\220\213\241"5V\326\267[\342t"\361}\354\316-\213\343\22\233\202\336\354!_\373\350\0<\237G\254\322L\213\3501\201\352\342\354\245(j=\314"@'\2731\21\32\6\264U\243nJ\300\373vN\7%?\337-v?J\213\262T\344D\334\347\375x\351\224\277\226\242-$W\302\233\242\311FY3\23h\257\306\364u\303\260\332\16\245\7\372j\200\234x\272\201i\243w\31sA;,\335'\235N\301 \333\276\216\225F"\33v\202\220\257_\273\204 \232m\345[\11\205\344\25P\217M\10\241\271\227\202\200\216g\262\355\233\320I\271\350\255*\252{=\211K\324\32\313\337f\246\10~]\342\305Z\221A\342'[\307\251\364RMX9#\350\370v\233\233\225.\6\213\366\212{\15\302\341\324\275\333\313\342\341\376\13\341\273\14\275WA3\264X\12%\0\3718", ) , ) == 0x0
 00972  1756   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 124, ) == 0x0
 00973  1756   NtConnectPort  ( ("\RPC Control\IcaApi", {12, 2, 1, 0}, 0x0, 0x0, 1234748, 188, ... 128, 0x0, 0x0, 0x0, 188, ) , {12, 2, 1, 0}, 0x0, 0x0, 1234748, 188, ... 128, 0x0, 0x0, 0x0, 188, ) == 0x0
 00974  1756   NtRequestWaitReplyPort  (128, {200, 224, new_msg, 0, 1350664, 12, 2, 1310721}  (128, {200, 224, new_msg, 0, 1350664, 12, 2, 1310721} "\0\0\0\0\274\0\0\0x\1\24\0`\247\244\\261\353\317\21\206\21\0\240$T \355\1\0\0\0\1\0\0\08\232\24\0\4\0\0\0x\1\24\0\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\24\0\2\0\0\0\362;\212E{\310$\2\270\233\24\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0\220\233\24\02JWWx\1\24\0\260\233\24\0h\1\24\0\0\0\0\0\0\0\0\0\260\233\24\0P\0\0\0\270\233\24\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\274\325\22\0\372\31\221|P\335\22\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ... {200, 224, reply, 0, 1580, 1756, 57971, 0} "\7\0\0\0\274\0\0\0x\1\24\0`\247\244\\261\353\317\21\206\21\0\240$T \355\1\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0x\1\24\0\377\377\377\377\5\0\0\0x\1\24\0\0\0\0\0\0\0\24\0\2\0\0\0\362;\212E{\310$\2\270\233\24\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0\220\233\24\02JWWx\1\24\0\260\233\24\0h\1\24\0\0\0\0\0\0\0\0\0\260\233\24\0P\0\0\0\270\233\24\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\274\325\22\0\372\31\221|P\335\22\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" )  ... {200, 224, reply, 0, 1580, 1756, 57971, 0}  (128, {200, 224, new_msg, 0, 1350664, 12, 2, 1310721} "\0\0\0\0\274\0\0\0x\1\24\0`\247\244\\261\353\317\21\206\21\0\240$T \355\1\0\0\0\1\0\0\08\232\24\0\4\0\0\0x\1\24\0\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\24\0\2\0\0\0\362;\212E{\310$\2\270\233\24\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0\220\233\24\02JWWx\1\24\0\260\233\24\0h\1\24\0\0\0\0\0\0\0\0\0\260\233\24\0P\0\0\0\270\233\24\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\274\325\22\0\372\31\221|P\335\22\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ... {200, 224, reply, 0, 1580, 1756, 57971, 0} "\7\0\0\0\274\0\0\0x\1\24\0`\247\244\\261\353\317\21\206\21\0\240$T \355\1\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0x\1\24\0\377\377\377\377\5\0\0\0x\1\24\0\0\0\0\0\0\0\24\0\2\0\0\0\362;\212E{\310$\2\270\233\24\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0\220\233\24\02JWWx\1\24\0\260\233\24\0h\1\24\0\0\0\0\0\0\0\0\0\260\233\24\0P\0\0\0\270\233\24\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\274\325\22\0\372\31\221|P\335\22\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" )  ) == 0x0
 00975  1756   NtRequestWaitReplyPort  (128, {32, 56, new_msg, 0, 0, 0, 0, 0}  (128, {32, 56, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\3\0\0`\247\244\\261\353\317\21\206\21\0\240$T \355\377\377\377\377\0\0\0\0" ... {124, 148, reply, 0, 1580, 1756, 57972, 0} "\2\31\221|\1\0\221|\200\300\227|p\31\221|\250$\12\0\330\0\0\0d\365\11\0\0\300\372\177\0\0\0\0\0\0\0\0)%\25E?>\A\250\245\22\360\331E\16S\1\0\0\0\0\0\0\0\4\0\0\0\1\365\11\0\1\0\0\0d\365\11\0\0\0\0\0\0\0\0\0\1\0\0\0\10\376\257\0\0\0\0\0\334\377\257\0\30\356\220|p\5\221|\377\377\377\377m\5\221|\344f\347w" )  ... {124, 148, reply, 0, 1580, 1756, 57972, 0}  (128, {32, 56, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\3\0\0`\247\244\\261\353\317\21\206\21\0\240$T \355\377\377\377\377\0\0\0\0" ... {124, 148, reply, 0, 1580, 1756, 57972, 0} "\2\31\221|\1\0\221|\200\300\227|p\31\221|\250$\12\0\330\0\0\0d\365\11\0\0\300\372\177\0\0\0\0\0\0\0\0)%\25E?>\A\250\245\22\360\331E\16S\1\0\0\0\0\0\0\0\4\0\0\0\1\365\11\0\1\0\0\0d\365\11\0\0\0\0\0\0\0\0\0\1\0\0\0\10\376\257\0\0\0\0\0\334\377\257\0\30\356\220|p\5\221|\377\377\377\377m\5\221|\344f\347w" )  ) == 0x0
 00976  1756   NtAllocateVirtualMemory  (-1, 1351680, 0, 4096, 4096, 4, ... 1351680, 4096, ) == 0x0
 00977  1756   NtRequestWaitReplyPort  (128, {44, 68, new_msg, 56, 1580, 1756, 57972, 0}  (128, {44, 68, new_msg, 56, 1580, 1756, 57972, 0} "\1\31\0\0B\2\5\0\200\300\227|p\31\221|\250$\12\0\330\0\0\0\377\377\377\377\0\300\372\177\1\0\0\0\210\236\24\0\10\5\0\0" ... {40, 64, reply, 0, 1580, 1756, 57973, 0} "\2\356Q\200\4\0\0\0\30b\202\201\0\260\375\177\220k\364\367\370\37`\300lk\364\367X\353Q\200\14\5\0\0\320\371\15\0" )  ... {40, 64, reply, 0, 1580, 1756, 57973, 0}  (128, {44, 68, new_msg, 56, 1580, 1756, 57972, 0} "\1\31\0\0B\2\5\0\200\300\227|p\31\221|\250$\12\0\330\0\0\0\377\377\377\377\0\300\372\177\1\0\0\0\210\236\24\0\10\5\0\0" ... {40, 64, reply, 0, 1580, 1756, 57973, 0} "\2\356Q\200\4\0\0\0\30b\202\201\0\260\375\177\220k\364\367\370\37`\300lk\364\367X\353Q\200\14\5\0\0\320\371\15\0" )  ) == 0x0
 00978  1756   NtRequestWaitReplyPort  (128, {64, 88, new_msg, 56, 1351024, 1235324, 1351296, 0}  (128, {64, 88, new_msg, 56, 1351024, 1235324, 1351296, 0} "\10\0\0\0@\0\1\10\2\0\0t\330\22\0\210\236\24\0\220\335\22\0\30\356\220|p\5\221|\1\0\0\0\210\236\24\0\14\5\0\0\14\5\0\0\320\371\15\0\0\0\0\0\0\0\0\0\273f\347w" ... {64, 88, reply, 56, 1580, 1756, 57974, 0} "\10\0\0\0@\0\1\10\2\0\0t\330\22\0\210\236\24\0\220\335\22\0\30\356\220|p\5\221|\1\0\0\0\210\236\24\0\14\5\0\0\14\5\0\0\320\371\15\0\0\0\0\0\0\0\0\0\273f\347w" )  ... {64, 88, reply, 56, 1580, 1756, 57974, 0}  (128, {64, 88, new_msg, 56, 1351024, 1235324, 1351296, 0} "\10\0\0\0@\0\1\10\2\0\0t\330\22\0\210\236\24\0\220\335\22\0\30\356\220|p\5\221|\1\0\0\0\210\236\24\0\14\5\0\0\14\5\0\0\320\371\15\0\0\0\0\0\0\0\0\0\273f\347w" ... {64, 88, reply, 56, 1580, 1756, 57974, 0} "\10\0\0\0@\0\1\10\2\0\0t\330\22\0\210\236\24\0\220\335\22\0\30\356\220|p\5\221|\1\0\0\0\210\236\24\0\14\5\0\0\14\5\0\0\320\371\15\0\0\0\0\0\0\0\0\0\273f\347w" )  ) == 0x0
 00979  1756   NtRequestWaitReplyPort  (128, {44, 68, new_msg, 56, 1580, 1756, 57973, 0}  (128, {44, 68, new_msg, 56, 1580, 1756, 57973, 0} "\1\356\0\0B\2\5\0\30b\202\201\0\260\375\177\220k\364\367\370\37`\300\377\377\377\377X\353Q\200\1\0\0\0\210\236\24\0\10\5\0\0" ... {40, 64, reply, 0, 1580, 1756, 57975, 0} "\2\31\221|\4\0\221|\200\300\227|p\31\221|\250$\12\0\330\0\0\0d\365\11\0\0\300\372\177\14\5\0\0\320\371\15\0" )  ... {40, 64, reply, 0, 1580, 1756, 57975, 0}  (128, {44, 68, new_msg, 56, 1580, 1756, 57973, 0} "\1\356\0\0B\2\5\0\30b\202\201\0\260\375\177\220k\364\367\370\37`\300\377\377\377\377X\353Q\200\1\0\0\0\210\236\24\0\10\5\0\0" ... {40, 64, reply, 0, 1580, 1756, 57975, 0} "\2\31\221|\4\0\221|\200\300\227|p\31\221|\250$\12\0\330\0\0\0d\365\11\0\0\300\372\177\14\5\0\0\320\371\15\0" )  ) == 0x0
 00980  1756   NtRequestWaitReplyPort  (128, {64, 88, new_msg, 56, 1351024, 1235324, 1351296, 0}  (128, {64, 88, new_msg, 56, 1351024, 1235324, 1351296, 0} "\10\0\0\0@\0\1\10\2\0\0t\330\22\0\210\236\24\0\220\335\22\0\30\356\220|p\5\221|\1\0\0\0\210\236\24\0\14\5\0\0\14\5\0\0\320\371\15\0\0\0\0\0\0\0\0\0\273f\347w" ... {64, 88, reply, 56, 1580, 1756, 57976, 0} "\10\0\0\0@\0\1\10\2\0\0t\330\22\0\210\236\24\0\220\335\22\0\30\356\220|p\5\221|\1\0\0\0\210\236\24\0\14\5\0\0\14\5\0\0\320\371\15\0\0\0\0\0\0\0\0\0\273f\347w" )  ... {64, 88, reply, 56, 1580, 1756, 57976, 0}  (128, {64, 88, new_msg, 56, 1351024, 1235324, 1351296, 0} "\10\0\0\0@\0\1\10\2\0\0t\330\22\0\210\236\24\0\220\335\22\0\30\356\220|p\5\221|\1\0\0\0\210\236\24\0\14\5\0\0\14\5\0\0\320\371\15\0\0\0\0\0\0\0\0\0\273f\347w" ... {64, 88, reply, 56, 1580, 1756, 57976, 0} "\10\0\0\0@\0\1\10\2\0\0t\330\22\0\210\236\24\0\220\335\22\0\30\356\220|p\5\221|\1\0\0\0\210\236\24\0\14\5\0\0\14\5\0\0\320\371\15\0\0\0\0\0\0\0\0\0\273f\347w" )  ) == 0x0
 00981  1756   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 132, ) }, ... 132, ) == 0x0
 00982  1756   NtOpenKey  (0x20019, {24, 132, 0x40, 0, 0,  (0x20019, {24, 132, 0x40, 0, 0, "ActiveComputerName"}, ... 136, ) }, ... 136, ) == 0x0
 00983  1756   NtQueryValueKey  (136,  (136, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (136, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Data= (136, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) }, 60, ) == 0x0
 00984  1756   NtClose  (136, ... ) == 0x0
 00985  1756   NtClose  (132, ... ) == 0x0
 00986  1756   NtCreateIoCompletion  (0x1f0003, 0x0, 0, ... 132, ) == 0x0
 00987  1756   NtCreateIoCompletion  (0x1f0003, 0x0, -1, ... 136, ) == 0x0
 00988  1756   NtDuplicateObject  (-1, 132, -1, 0x0, 0, 2, ... 140, ) == 0x0
 00989  1756   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 00990  1756   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 144, ) == 0x0
 00991  1756   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 00992  1756   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 00993  1756   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1234784,  (0xc0100080, {24, 0, 0x40, 0, 1234784, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 148, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 148, {status=0x0, info=1}, ) == 0x0
 00994  1756   NtSetInformationFile  (148, 1234840, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 00995  1756   NtSetInformationFile  (148, 1234828, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 00996  1756   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 00997  1756   NtWriteFile  (148, 117, 0, 0,  (148, 117, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 00998  1756   NtReadFile  (148, 117, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (148, 117, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20,+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 00999  1756   NtFsControlFile  (148, 117, 0x0, 0x0, 0x11c017,  (148, 117, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\336\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20,+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (148, 117, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\336\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20,+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01000  1756   NtFsControlFile  (148, 117, 0x0, 0x0, 0x11c017,  (148, 117, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\214\0\0\0\2\0\0\0t\0\0\0\0\0D\0\0\0\0\0\24\316\274T\274\235tH\233\354\372\234W@\301\22\1\0\0\0\1\0\0\0,\0.\0\334\340\22\0\27\0\0\0\0\0\0\0\26\0\0\0V\0I\0R\0T\0U\0A\0L\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 140, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\24\316\274T\274\235tH\233\354\372\234W@\301\22\0\0\0\0", ) , 140, 1024, ... {status=0x103, info=48},  (148, 117, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\214\0\0\0\2\0\0\0t\0\0\0\0\0D\0\0\0\0\0\24\316\274T\274\235tH\233\354\372\234W@\301\22\1\0\0\0\1\0\0\0,\0.\0\334\340\22\0\27\0\0\0\0\0\0\0\26\0\0\0V\0I\0R\0T\0U\0A\0L\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 140, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\24\316\274T\274\235tH\233\354\372\234W@\301\22\0\0\0\0", ) , ) == 0x103
 01001  1756   NtFsControlFile  (148, 117, 0x0, 0x0, 0x11c017,  (148, 117, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\24\316\274T\274\235tH\233\354\372\234W@\301\22", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\250\251\24\0\1\0\0\0\264\251\24\0 \0\0\0\1\0\0\0\16\0\20\0\300\251\24\0\320\251\24\0\10\0\0\0\0\0\0\0\7\0\0\0V\0I\0R\0T\0U\0A\0L\0\0\5\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\1\0\0\0\20\252\24\0\1\0\0\0\1\0\0\0 \252\24\0\0\0\0\0\0\0\0\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\353\3\0\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=180},  (148, 117, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\24\316\274T\274\235tH\233\354\372\234W@\301\22", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\250\251\24\0\1\0\0\0\264\251\24\0 \0\0\0\1\0\0\0\16\0\20\0\300\251\24\0\320\251\24\0\10\0\0\0\0\0\0\0\7\0\0\0V\0I\0R\0T\0U\0A\0L\0\0\5\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\1\0\0\0\20\252\24\0\1\0\0\0\1\0\0\0 \252\24\0\0\0\0\0\0\0\0\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\353\3\0\0\1\0\0\0\0\0\0\0", ) , ) == 0x103
 01002  1756   NtClose  (144, ... ) == 0x0
 01003  1756   NtClose  (148, ... ) == 0x0
 01004  1756   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01005  1756   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 148, ) == 0x0
 01006  1756   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01007  1756   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01008  1756   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1234756,  (0xc0100080, {24, 0, 0x40, 0, 1234756, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 144, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 144, {status=0x0, info=1}, ) == 0x0
 01009  1756   NtSetInformationFile  (144, 1234812, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01010  1756   NtSetInformationFile  (144, 1234800, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01011  1756   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01012  1756   NtWriteFile  (144, 117, 0, 0,  (144, 117, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01013  1756   NtReadFile  (144, 117, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (144, 117, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20-+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01014  1756   NtFsControlFile  (144, 117, 0x0, 0x0, 0x11c017,  (144, 117, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\14\336\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20-+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (144, 117, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\14\336\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20-+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01015  1756   NtFsControlFile  (144, 117, 0x0, 0x0, 0x11c017,  (144, 117, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\214\0\0\0\2\0\0\0t\0\0\0\0\0D\0\0\0\0\0\2169\4V\276h{J\225\236o\243\366\340=\216\1\0\0\0\1\0\0\0,\0.\0\334\340\22\0\27\0\0\0\0\0\0\0\26\0\0\0V\0I\0R\0T\0U\0A\0L\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 140, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\2169\4V\276h{J\225\236o\243\366\340=\216\0\0\0\0", ) , 140, 1024, ... {status=0x103, info=48},  (144, 117, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\214\0\0\0\2\0\0\0t\0\0\0\0\0D\0\0\0\0\0\2169\4V\276h{J\225\236o\243\366\340=\216\1\0\0\0\1\0\0\0,\0.\0\334\340\22\0\27\0\0\0\0\0\0\0\26\0\0\0V\0I\0R\0T\0U\0A\0L\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 140, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\2169\4V\276h{J\225\236o\243\366\340=\216\0\0\0\0", ) , ) == 0x103
 01016  1756   NtFsControlFile  (144, 117, 0x0, 0x0, 0x11c017,  (144, 117, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\2169\4V\276h{J\225\236o\243\366\340=\216", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\250\251\24\0\1\0\0\0\264\251\24\0 \0\0\0\1\0\0\0\16\0\20\0\300\251\24\0\320\251\24\0\10\0\0\0\0\0\0\0\7\0\0\0V\0I\0R\0T\0U\0A\0L\0\0\5\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\1\0\0\0\20\252\24\0\1\0\0\0\1\0\0\0 \252\24\0\0\0\0\0\0\0\0\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\353\3\0\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=180},  (144, 117, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\2169\4V\276h{J\225\236o\243\366\340=\216", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\250\251\24\0\1\0\0\0\264\251\24\0 \0\0\0\1\0\0\0\16\0\20\0\300\251\24\0\320\251\24\0\10\0\0\0\0\0\0\0\7\0\0\0V\0I\0R\0T\0U\0A\0L\0\0\5\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\1\0\0\0\20\252\24\0\1\0\0\0\1\0\0\0 \252\24\0\0\0\0\0\0\0\0\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\353\3\0\0\1\0\0\0\0\0\0\0", ) , ) == 0x103
 01017  1756   NtClose  (148, ... ) == 0x0
 01018  1756   NtClose  (144, ... ) == 0x0
 01019  1756   NtOpenProcessToken  (-1, 0x20008, ... 144, ) == 0x0
 01020  1756   NtQueryInformationToken  (144, User, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 01021  1756   NtQueryInformationToken  (144, User, 36, ... {token info, class 1, size 36}, 36, ) == 0x0
 01022  1756   NtOpenDirectoryObject  (0x2, {24, 0, 0x40, 0, 0,  (0x2, {24, 0, 0x40, 0, 0, "\Windows\WindowStations"}, ... 148, ) }, ... 148, ) == 0x0
 01023  1756   NtUserOpenWindowStation  ({24, 148, 0x40, 0, 0,  ({24, 148, 0x40, 0, 0, "winsta0"}, 0x37f, ... ) }, 0x37f, ... ) == 0x98
 01024  1756   NtClose  (148, ... ) == 0x0
 01025  1756   NtUserCloseWindowStation  (152, ...
 01026  1756   NtClose  (152, ... ) == 0x0
 01025  1756   NtUserCloseWindowStation  ... ) == 0x1
 01027  1756   NtClose  (144, ... ) == 0x0
 01028  1756   NtCreateEvent  (0x1f0003, {24, 0, 0x2, 0, 0, 0x0}, 1, 0, ... 144, ) == 0x0
 01029  1756   NtCreateEvent  (0x1f0003, {24, 0, 0x2, 0, 0, 0x0}, 1, 0, ... 152, ) == 0x0
 01030  1756   NtCreateMutant  (0x1f0001, {24, 0, 0x2, 0, 0, 0x0}, 0, ... 148, ) == 0x0
 01031  1756   NtDuplicateObject  (-1, -1, -1, 0x1f0fff, 2, 0, ... 156, ) == 0x0
 01032  1756   NtCreateSection  (0xf0007, {24, 0, 0x2, 0, 0, 0x0}, {7248, 0}, 4, 134217728, 0, ... 160, ) == 0x0
 01033  1756   NtMapViewOfSection  (160, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3d0000), {0, 0}, 8192, ) == 0x0
 01034  1756   NtQueryDefaultUILanguage  (1235448, ...
 01035  1756   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01036  1756   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482580, ) == 0x0
 01037  1756   NtQueryInformationToken  (-2147482580, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01038  1756   NtClose  (-2147482580, ... ) == 0x0
 01039  1756   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482580, ) }, ... -2147482580, ) == 0x0
 01040  1756   NtOpenKey  (0x80000000, {24, -2147482580, 0x240, 0, 0,  (0x80000000, {24, -2147482580, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01041  1756   NtOpenKey  (0x80000000, {24, -2147482580, 0x640, 0, 0,  (0x80000000, {24, -2147482580, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481364, ) }, ... -2147481364, ) == 0x0
 01042  1756   NtQueryValueKey  (-2147481364,  (-2147481364, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01043  1756   NtClose  (-2147481364, ... ) == 0x0
 01044  1756   NtClose  (-2147482580, ... ) == 0x0
 01034  1756   NtQueryDefaultUILanguage  ... ) == 0x0
 01045  1756   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01046  1756   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01047  1756   NtAllocateVirtualMemory  (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0
 01048  1756   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1233692, ... ) }, 1233692, ... ) == 0x0
 01049  1756   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1232464, ... ) }, 1232464, ... ) == 0x0
 01050  1756   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01051  1756   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01052  1756   NtCreateFile  (0x10100080, {24, 0, 0x40, 0, 1234800,  (0x10100080, {24, 0, 0x40, 0, 1234800, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\c28_appcompat.txt"}, 0x0, 128, 0, 2, 96, 0, 0, ... }, 0x0, 128, 0, 2, 96, 0, 0, ...
 01053  1756   NtQueryDirectoryFile  (-2147482580, 0, 0, 0, -519819264, 4096, Names, 1,  (-2147482580, 0, 0, 0, -519819264, 4096, Names, 1, "DOCUME~1", 1, ... {status=0x0, info=56}, ) , 1, ... {status=0x0, info=56}, ) == 0x0
 01054  1756   NtClose  (-2147482580, ... ) == 0x0
 01055  1756   NtQueryDirectoryFile  (-2147482580, 0, 0, 0, -519819264, 4096, Names, 1,  (-2147482580, 0, 0, 0, -519819264, 4096, Names, 1, "MARTIM~1", 1, ... {status=0x0, info=40}, ) , 1, ... {status=0x0, info=40}, ) == 0x0
 01056  1756   NtClose  (-2147482580, ... ) == 0x0
 01057  1756   NtQueryDirectoryFile  (-2147482580, 0, 0, 0, -519819264, 4096, Names, 1,  (-2147482580, 0, 0, 0, -519819264, 4096, Names, 1, "LOCALS~1", 1, ... {status=0x0, info=40}, ) , 1, ... {status=0x0, info=40}, ) == 0x0
 01058  1756   NtClose  (-2147482580, ... ) == 0x0
 01052  1756   NtCreateFile  ... 164, {status=0x0, info=2}, ) == 0x0
 01059  1756   NtClose  (164, ... ) == 0x0
 01060  1756   NtCreateSection  (0xf001f, 0x0, {4194304, 0}, 4, 67108864, 0, ... 164, ) == 0x0
 01061  1756   NtMapViewOfSection  (164, -1, (0x0), 0, 0, 0x0, 4194304, 2, 0, 4, ... (0xa90000), 0x0, 4194304, ) == 0x0
 01062  1756   NtAllocateVirtualMemory  (-1, 11075584, 0, 1, 4096, 4, ... 11075584, 4096, ) == 0x0
 01063  1756   NtAllocateVirtualMemory  (-1, 11079680, 0, 1968, 4096, 4, ... 11079680, 4096, ) == 0x0
 01064  1756   NtCreateSection  (0xf0007, 0x0, {22396, 0}, 4, 134217728, 0, ... 168, ) == 0x0
 01065  1756   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01066  1756   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01067  1756   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01068  1756   NtClose  (164, ... ) == 0x0
 01069  1756   NtUnmapViewOfSection  (-1, 0xa90000, ... ) == 0x0
 01070  1756   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01071  1756   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01072  1756   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01073  1756   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01074  1756   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01075  1756   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01076  1756   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01077  1756   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01078  1756   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01079  1756   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01080  1756   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01081  1756   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01082  1756   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01083  1756   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01084  1756   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01085  1756   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01086  1756   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01087  1756   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01088  1756   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01089  1756   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01090  1756   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01091  1756   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01092  1756   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01093  1756   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01094  1756   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01095  1756   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01096  1756   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01097  1756   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01098  1756   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01099  1756   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01100  1756   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01101  1756   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01102  1756   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01103  1756   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01104  1756   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01105  1756   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01106  1756   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01107  1756   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01108  1756   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01109  1756   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01110  1756   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01111  1756   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01112  1756   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01113  1756   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01114  1756   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01115  1756   NtClose  (168, ... ) == 0x0
 01116  1756   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01117  1756   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\u:"}, 3, 96, ... 168, {status=0x0, info=1}, ) }, 3, 96, ... 168, {status=0x0, info=1}, ) == 0x0
 01118  1756   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\u:"}, ... 164, ) }, ... 164, ) == 0x0
 01119  1756   NtQuerySymbolicLinkObject  (164, ...  (164, ... "\Device\WinDfs\U:0000000000009f43", 66, ) , 66, ) == 0x0
 01120  1756   NtClose  (164, ... ) == 0x0
 01121  1756   NtQueryVolumeInformationFile  (168, 1234016, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01122  1756   NtClose  (168, ... ) == 0x0
 01123  1756   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\apphelp.dll"}, 1232812, ... ) }, 1232812, ... ) == 0x0
 01124  1756   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\apphelp.dll"}, 5, 96, ... 168, {status=0x0, info=1}, ) }, 5, 96, ... 168, {status=0x0, info=1}, ) == 0x0
 01125  1756   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 168, ... 164, ) == 0x0
 01126  1756   NtClose  (168, ... ) == 0x0
 01127  1756   NtMapViewOfSection  (164, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x3e0000), 0x0, 126976, ) == 0x0
 01128  1756   NtClose  (164, ... ) == 0x0
 01129  1756   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01130  1756   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\apphelp.dll"}, 1233120, ... ) }, 1233120, ... ) == 0x0
 01131  1756   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\apphelp.dll"}, 5, 96, ... 164, {status=0x0, info=1}, ) }, 5, 96, ... 164, {status=0x0, info=1}, ) == 0x0
 01132  1756   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 164, ... 168, ) == 0x0
 01133  1756   NtQuerySection  (168, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01134  1756   NtClose  (164, ... ) == 0x0
 01135  1756   NtMapViewOfSection  (168, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77b40000), 0x0, 139264, ) == 0x0
 01136  1756   NtClose  (168, ... ) == 0x0
 01137  1756   NtProtectVirtualMemory  (-1, (0x77b41000), 524, 4, ... (0x77b41000), 4096, 32, ) == 0x0
 01138  1756   NtProtectVirtualMemory  (-1, (0x77b41000), 4096, 32, ... (0x77b41000), 4096, 4, ) == 0x0
 01139  1756   NtFlushInstructionCache  (-1, 2008289280, 524, ... ) == 0x0
 01140  1756   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\apphelp.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01141  1756   NtAllocateVirtualMemory  (-1, 1355776, 0, 12288, 4096, 4, ... 1355776, 12288, ) == 0x0
 01142  1756   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1234508, ... ) }, 1234508, ... ) == 0x0
 01143  1756   NtCreateFile  (0x40100080, {24, 0, 0x40, 0, 1234516,  (0x40100080, {24, 0, 0x40, 0, 1234516, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\c28_appcompat.txt"}, 0x0, 128, 0, 5, 96, 0, 0, ... }, 0x0, 128, 0, 5, 96, 0, 0, ...
 01144  1756   NtClose  (-2147482580, ... ) == 0x0
 01145  1756   NtQueryDirectoryFile  (-2147482580, 0, 0, 0, -519819264, 4096, Names, 1,  (-2147482580, 0, 0, 0, -519819264, 4096, Names, 1, "DOCUME~1", 1, ... {status=0x0, info=56}, ) , 1, ... {status=0x0, info=56}, ) == 0x0
 01146  1756   NtClose  (-2147482580, ... ) == 0x0
 01147  1756   NtQueryDirectoryFile  (-2147482580, 0, 0, 0, -519819264, 4096, Names, 1,  (-2147482580, 0, 0, 0, -519819264, 4096, Names, 1, "MARTIM~1", 1, ... {status=0x0, info=40}, ) , 1, ... {status=0x0, info=40}, ) == 0x0
 01148  1756   NtClose  (-2147482580, ... ) == 0x0
 01149  1756   NtQueryDirectoryFile  (-2147482580, 0, 0, 0, -519819264, 4096, Names, 1,  (-2147482580, 0, 0, 0, -519819264, 4096, Names, 1, "LOCALS~1", 1, ... {status=0x0, info=40}, ) , 1, ... {status=0x0, info=40}, ) == 0x0
 01150  1756   NtClose  (-2147482580, ... ) == 0x0
 01143  1756   NtCreateFile  ... 168, {status=0x0, info=3}, ) == 0x0
 01151  1756   NtAllocateVirtualMemory  (-1, 1368064, 0, 12288, 4096, 4, ... 1368064, 12288, ) == 0x0
 01152  1756   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work\"}, 3, 16417, ... 164, {status=0x0, info=1}, ) }, 3, 16417, ... 164, {status=0x0, info=1}, ) == 0x0
 01153  1756   NtQueryDirectoryFile  (164, 0, 0, 0, 1233220, 616, BothDirectory, 1,  (164, 0, 0, 0, 1233220, 616, BothDirectory, 1, "packed.exe", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0
 01154  1756   NtWriteFile  (168, 0, 0, 0,  (168, 0, 0, 0, "\377\376", 2, 0x0, 0, ... {status=0x0, info=2}, ) , 2, 0x0, 0, ... {status=0x0, info=2}, ) == 0x0
 01155  1756   NtWriteFile  (168, 0, 0, 0,  (168, 0, 0, 0, "<\0?\0x\0m\0l\0 \0v\0e\0r\0s\0i\0o\0n\0=\0"\01\0.\00\0"\0 \0e\0n\0c\0o\0d\0i\0n\0g\0=\0"\0U\0T\0F\0-\01\06\0"\0?\0>\0\15\0\12\0<\0D\0A\0T\0A\0B\0A\0S\0E\0>\0\15\0\12\0", 106, 0x0, 0, ... {status=0x0, info=106}, ) \01\0.\00\0 (168, 0, 0, 0, "<\0?\0x\0m\0l\0 \0v\0e\0r\0s\0i\0o\0n\0=\0"\01\0.\00\0"\0 \0e\0n\0c\0o\0d\0i\0n\0g\0=\0"\0U\0T\0F\0-\01\06\0"\0?\0>\0\15\0\12\0<\0D\0A\0T\0A\0B\0A\0S\0E\0>\0\15\0\12\0", 106, 0x0, 0, ... {status=0x0, info=106}, ) \0U\0T\0F\0-\01\06\0 (168, 0, 0, 0, "<\0?\0x\0m\0l\0 \0v\0e\0r\0s\0i\0o\0n\0=\0"\01\0.\00\0"\0 \0e\0n\0c\0o\0d\0i\0n\0g\0=\0"\0U\0T\0F\0-\01\06\0"\0?\0>\0\15\0\12\0<\0D\0A\0T\0A\0B\0A\0S\0E\0>\0\15\0\12\0", 106, 0x0, 0, ... {status=0x0, info=106}, ) , 106, 0x0, 0, ... {status=0x0, info=106}, ) == 0x0
 01156  1756   NtWriteFile  (168, 0, 0, 0,  (168, 0, 0, 0, "<\0E\0X\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0F\0I\0L\0T\0E\0R\0=\0"\0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0"\0>\0\15\0\12\0", 122, 0x0, 0, ... {status=0x0, info=122}, ) \0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0 (168, 0, 0, 0, "<\0E\0X\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0F\0I\0L\0T\0E\0R\0=\0"\0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0"\0>\0\15\0\12\0", 122, 0x0, 0, ... {status=0x0, info=122}, ) \0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0 (168, 0, 0, 0, "<\0E\0X\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0F\0I\0L\0T\0E\0R\0=\0"\0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0"\0>\0\15\0\12\0", 122, 0x0, 0, ... {status=0x0, info=122}, ) , 122, 0x0, 0, ... {status=0x0, info=122}, ) == 0x0
 01157  1756   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1233600, ... ) }, 1233600, ... ) == 0x0
 01158  1756   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work"}, 3, 16417, ... 172, {status=0x0, info=1}, ) }, 3, 16417, ... 172, {status=0x0, info=1}, ) == 0x0
 01159  1756   NtQueryDirectoryFile  (172, 0, 0, 0, 1233212, 592, Directory, 1,  (172, 0, 0, 0, 1233212, 592, Directory, 1, "packed.exe", 0, ... {status=0x0, info=84}, ) , 0, ... {status=0x0, info=84}, ) == 0x0
 01160  1756   NtClose  (172, ... ) == 0x0
 01161  1756   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01162  1756   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01163  1756   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1232132, ... ) }, 1232132, ... ) == 0x0
 01164  1756   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1230904, ... ) }, 1230904, ... ) == 0x0
 01165  1756   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01166  1756   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01167  1756   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 0x0, 128, 1, 1, 96, 0, 0, ... 172, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 172, {status=0x0, info=1}, ) == 0x0
 01168  1756   NtQueryInformationFile  (172, 1233688, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01169  1756   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 172, ... 176, ) == 0x0
 01170  1756   NtMapViewOfSection  (176, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xa90000), 0x0, 176128, ) == 0x0
 01171  1756   NtUnmapViewOfSection  (-1, 0xa90000, ... ) == 0x0
 01172  1756   NtClose  (176, ... ) == 0x0
 01173  1756   NtClose  (172, ... ) == 0x0
 01174  1756   NtWriteFile  (168, 0, 0, 0,  (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\01\07\05\07\00\04\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\01\03\08\07\07\0E\01\06\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\02\09\04\0A\06\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... \0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0 (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\01\07\05\07\00\04\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\01\03\08\07\07\0E\01\06\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\02\09\04\0A\06\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... \01\07\05\07\00\04\0 (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\01\07\05\07\00\04\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\01\03\08\07\07\0E\01\06\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\02\09\04\0A\06\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... \00\0x\01\03\08\07\07\0E\01\06\0 (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\01\07\05\07\00\04\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\01\03\08\07\07\0E\01\06\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\02\09\04\0A\06\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... \0W\0I\0N\03\02\0 (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\01\07\05\07\00\04\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\01\03\08\07\07\0E\01\06\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\02\09\04\0A\06\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... \00\0x\02\09\04\0A\06\0 (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\01\07\05\07\00\04\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\01\03\08\07\07\0E\01\06\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\02\09\04\0A\06\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... \00\0x\00\0 (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\01\07\05\07\00\04\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\01\03\08\07\07\0E\01\06\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\02\09\04\0A\06\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... \01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0 (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\01\07\05\07\00\04\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\01\03\08\07\07\0E\01\06\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\02\09\04\0A\06\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... \01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0 (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\01\07\05\07\00\04\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\01\03\08\07\07\0E\01\06\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\02\09\04\0A\06\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... , 418, 0x0, 0, ...
 01175  1756   NtContinue  (-106648108, 0, ...
 01174  1756   NtWriteFile  ... {status=0x0, info=418}, ) == 0x0
 01176  1756   NtQueryDirectoryFile  (164, 0, 0, 0, 1371248, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES
 01177  1756   NtClose  (164, ... ) == 0x0
 01178  1756   NtWriteFile  (168, 0, 0, 0,  (168, 0, 0, 0, "<\0/\0E\0X\0E\0>\0\15\0\12\0", 16, 0x0, 0, ... {status=0x0, info=16}, ) , 16, 0x0, 0, ... {status=0x0, info=16}, ) == 0x0
 01179  1756   NtClose  (168, ... ) == 0x0
 01180  1756   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\kernel32.dll"}, 1234508, ... ) }, 1234508, ... ) == 0x0
 01181  1756   NtCreateFile  (0x40100080, {24, 0, 0x40, 0, 1234516,  (0x40100080, {24, 0, 0x40, 0, 1234516, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\c28_appcompat.txt"}, 0x0, 128, 0, 3, 96, 0, 0, ... 168, {status=0x0, info=1}, ) }, 0x0, 128, 0, 3, 96, 0, 0, ... 168, {status=0x0, info=1}, ) == 0x0
 01182  1756   NtQueryInformationFile  (168, 1234540, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01183  1756   NtSetInformationFile  (168, 1234572, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01184  1756   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\"}, 3, 16417, ... 164, {status=0x0, info=1}, ) }, 3, 16417, ... 164, {status=0x0, info=1}, ) == 0x0
 01185  1756   NtQueryDirectoryFile  (164, 0, 0, 0, 1233220, 616, BothDirectory, 1,  (164, 0, 0, 0, 1233220, 616, BothDirectory, 1, "kernel32.dll", 0, ... {status=0x0, info=118}, ) , 0, ... {status=0x0, info=118}, ) == 0x0
 01186  1756   NtWriteFile  (168, 0, 0, 0,  (168, 0, 0, 0, "<\0E\0X\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0F\0I\0L\0T\0E\0R\0=\0"\0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0"\0>\0\15\0\12\0", 126, 0x0, 0, ... {status=0x0, info=126}, ) \0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0 (168, 0, 0, 0, "<\0E\0X\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0F\0I\0L\0T\0E\0R\0=\0"\0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0"\0>\0\15\0\12\0", 126, 0x0, 0, ... {status=0x0, info=126}, ) \0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0 (168, 0, 0, 0, "<\0E\0X\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0F\0I\0L\0T\0E\0R\0=\0"\0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0"\0>\0\15\0\12\0", 126, 0x0, 0, ... {status=0x0, info=126}, ) , 126, 0x0, 0, ... {status=0x0, info=126}, ) == 0x0
 01187  1756   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\kernel32.dll"}, 1233572, ... ) }, 1233572, ... ) == 0x0
 01188  1756   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32"}, 3, 16417, ... 172, {status=0x0, info=1}, ) }, 3, 16417, ... 172, {status=0x0, info=1}, ) == 0x0
 01189  1756   NtQueryDirectoryFile  (172, 0, 0, 0, 1233212, 592, Directory, 1,  (172, 0, 0, 0, 1233212, 592, Directory, 1, "kernel32.dll", 0, ... {status=0x0, info=88}, ) , 0, ... {status=0x0, info=88}, ) == 0x0
 01190  1756   NtClose  (172, ... ) == 0x0
 01191  1756   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01192  1756   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01193  1756   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\kernel32.dll"}, 1232132, ... ) }, 1232132, ... ) == 0x0
 01194  1756   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\kernel32.dll"}, 1230904, ... ) }, 1230904, ... ) == 0x0
 01195  1756   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01196  1756   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01197  1756   NtQueryDefaultLocale  (1, 1233092, ... ) == 0x0
 01198  1756   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01199  1756   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01200  1756   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\kernel32.dll"}, 1232124, ... ) }, 1232124, ... ) == 0x0
 01201  1756   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\kernel32.dll"}, 1230896, ... ) }, 1230896, ... ) == 0x0
 01202  1756   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01203  1756   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01204  1756   NtQueryDefaultLocale  (1, 1233084, ... ) == 0x0
 01205  1756   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\kernel32.dll"}, 0x0, 128, 1, 1, 96, 0, 0, ... 172, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 172, {status=0x0, info=1}, ) == 0x0
 01206  1756   NtQueryInformationFile  (172, 1233688, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01207  1756   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 172, ... 176, ) == 0x0
 01208  1756   NtMapViewOfSection  (176, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xa90000), 0x0, 987136, ) == 0x0
 01209  1756   NtUnmapViewOfSection  (-1, 0xa90000, ... ) == 0x0
 01210  1756   NtClose  (176, ... ) == 0x0
 01211  1756   NtClose  (172, ... ) == 0x0
 01212  1756   NtQueryDefaultUILanguage  (1233044, ...
 01213  1756   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01214  1756   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482580, ) == 0x0
 01215  1756   NtQueryInformationToken  (-2147482580, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01216  1756   NtClose  (-2147482580, ... ) == 0x0
 01217  1756   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482580, ) }, ... -2147482580, ) == 0x0
 01218  1756   NtOpenKey  (0x80000000, {24, -2147482580, 0x240, 0, 0,  (0x80000000, {24, -2147482580, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01219  1756   NtOpenKey  (0x80000000, {24, -2147482580, 0x640, 0, 0,  (0x80000000, {24, -2147482580, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481364, ) }, ... -2147481364, ) == 0x0
 01220  1756   NtQueryValueKey  (-2147481364,  (-2147481364, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01221  1756   NtClose  (-2147481364, ... ) == 0x0
 01222  1756   NtClose  (-2147482580, ... ) == 0x0
 01212  1756   NtQueryDefaultUILanguage  ... ) == 0x0
 01223  1756   NtWriteFile  (168, 0, 0, 0,  (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\08\04\05\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0F\00\0B\03\03\01\0F\06\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) \0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0 (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\08\04\05\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0F\00\0B\03\03\01\0F\06\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) \09\08\04\05\07\06\0 (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\08\04\05\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0F\00\0B\03\03\01\0F\06\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) \00\0x\0F\00\0B\03\03\01\0F\06\0 (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\08\04\05\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0F\00\0B\03\03\01\0F\06\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) \05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0 (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\08\04\05\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0F\00\0B\03\03\01\0F\06\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) \05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0 (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\08\04\05\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0F\00\0B\03\03\01\0F\06\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) \05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0 (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\08\04\05\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0F\00\0B\03\03\01\0F\06\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) \0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0 (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\08\04\05\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0F\00\0B\03\03\01\0F\06\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) \0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) == 0x0
 01224  1756   NtQueryDirectoryFile  (164, 0, 0, 0, 1362544, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES
 01225  1756   NtClose  (164, ... ) == 0x0
 01226  1756   NtWriteFile  (168, 0, 0, 0,  (168, 0, 0, 0, "<\0/\0E\0X\0E\0>\0\15\0\12\0<\0/\0D\0A\0T\0A\0B\0A\0S\0E\0>\0\15\0\12\0", 42, 0x0, 0, ... {status=0x0, info=42}, ) , 42, 0x0, 0, ... {status=0x0, info=42}, ) == 0x0
 01227  1756   NtClose  (168, ... ) == 0x0
 01228  1756   NtUnmapViewOfSection  (-1, 0x77b40000, ... ) == 0x0
 01229  1756   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 01230  1756   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1231780, ... ) }, 1231780, ... ) == 0x0
 01231  1756   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1232516, ... ) }, 1232516, ... ) == 0x0
 01232  1756   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 5, 96, ... 168, {status=0x0, info=1}, ) }, 5, 96, ... 168, {status=0x0, info=1}, ) == 0x0
 01233  1756   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 168, ... 164, ) == 0x0
 01234  1756   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01235  1756   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 172, ) }, ... 172, ) == 0x0
 01236  1756   NtQueryValueKey  (172,  (172, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01237  1756   NtClose  (172, ... ) == 0x0
 01238  1756   NtQueryVolumeInformationFile  (168, 1231792, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01239  1756   NtOpenMutant  (0x120001, {24, 48, 0x0, 0, 0,  (0x120001, {24, 48, 0x0, 0, 0, "ShimCacheMutex"}, ... 172, ) }, ... 172, ) == 0x0
 01240  1756   NtWaitForSingleObject  (172, 0, {-1000000, -1}, ... ) == 0x0
 01241  1756   NtOpenSection  (0x2, {24, 48, 0x0, 0, 0,  (0x2, {24, 48, 0x0, 0, 0, "ShimSharedMemory"}, ... 176, ) }, ... 176, ) == 0x0
 01242  1756   NtMapViewOfSection  (176, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 57344, ) == 0x0
 01243  1756   NtReleaseMutant  (172, ... 0x0, ) == 0x0
 01244  1756   NtAllocateVirtualMemory  (-1, 1220608, 0, 4096, 4096, 260, ... 1220608, 4096, ) == 0x0
 01245  1756   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1229724, ... ) }, 1229724, ... ) == 0x0
 01246  1756   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 180, {status=0x0, info=1}, ) }, 5, 96, ... 180, {status=0x0, info=1}, ) == 0x0
 01247  1756   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 180, ... 184, ) == 0x0
 01248  1756   NtClose  (180, ... ) == 0x0
 01249  1756   NtMapViewOfSection  (184, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa90000), 0x0, 126976, ) == 0x0
 01250  1756   NtClose  (184, ... ) == 0x0
 01251  1756   NtUnmapViewOfSection  (-1, 0xa90000, ... ) == 0x0
 01252  1756   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1230032, ... ) }, 1230032, ... ) == 0x0
 01253  1756   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 184, {status=0x0, info=1}, ) }, 5, 96, ... 184, {status=0x0, info=1}, ) == 0x0
 01254  1756   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 184, ... 180, ) == 0x0
 01255  1756   NtQuerySection  (180, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01256  1756   NtClose  (184, ... ) == 0x0
 01257  1756   NtMapViewOfSection  (180, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77b40000), 0x0, 139264, ) == 0x0
 01258  1756   NtClose  (180, ... ) == 0x0
 01259  1756   NtProtectVirtualMemory  (-1, (0x77b41000), 524, 4, ... (0x77b41000), 4096, 32, ) == 0x0
 01260  1756   NtProtectVirtualMemory  (-1, (0x77b41000), 4096, 32, ... (0x77b41000), 4096, 4, ) == 0x0
 01261  1756   NtFlushInstructionCache  (-1, 2008289280, 524, ... ) == 0x0
 01262  1756   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Apphelp.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01263  1756   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 180, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 180, {status=0x0, info=1}, ) == 0x0
 01264  1756   NtQueryInformationFile  (180, 1230048, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01265  1756   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 180, ... 184, ) == 0x0
 01266  1756   NtMapViewOfSection  (184, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xa90000), 0x0, 1191936, ) == 0x0
 01267  1756   NtQueryInformationFile  (180, 1230148, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01268  1756   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01269  1756   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01270  1756   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 01271  1756   NtOpenKey  (0x101, {24, 0, 0x40, 0, 0,  (0x101, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\WPA\TabletPC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01272  1756   NtOpenKey  (0x101, {24, 0, 0x40, 0, 0,  (0x101, {24, 0, 0x40, 0, 0, "\Registry\Machine\SYSTEM\WPA\MediaCenter"}, ... 188, ) }, ... 188, ) == 0x0
 01273  1756   NtQueryValueKey  (188,  (188, "Installed", Partial, 256, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 256, ... TitleIdx=0, Type=4, Data= (188, "Installed", Partial, 256, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01274  1756   NtClose  (188, ... ) == 0x0
 01275  1756   NtCreateFile  (0x120116, {24, 0, 0x40, 0, 0,  (0x120116, {24, 0, 0x40, 0, 0, "\Device\NamedPipe\ShimViewer"}, 0x0, 128, 0, 1, 0, 0, 0, ... ) }, 0x0, 128, 0, 1, 0, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01276  1756   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\"}, 3, 16417, ... 188, {status=0x0, info=1}, ) }, 3, 16417, ... 188, {status=0x0, info=1}, ) == 0x0
 01277  1756   NtQueryDirectoryFile  (188, 0, 0, 0, 1227744, 616, BothDirectory, 1,  (188, 0, 0, 0, 1227744, 616, BothDirectory, 1, "dwwin.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 01278  1756   NtClose  (188, ... ) == 0x0
 01279  1756   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01280  1756   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01281  1756   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1228120, ... ) }, 1228120, ... ) == 0x0
 01282  1756   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 188, {status=0x0, info=1}, ) }, 3, 16417, ... 188, {status=0x0, info=1}, ) == 0x0
 01283  1756   NtQueryDirectoryFile  (188, 0, 0, 0, 1227548, 616, BothDirectory, 1,  (188, 0, 0, 0, 1227548, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01284  1756   NtClose  (188, ... ) == 0x0
 01285  1756   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 188, {status=0x0, info=1}, ) }, 3, 16417, ... 188, {status=0x0, info=1}, ) == 0x0
 01286  1756   NtQueryDirectoryFile  (188, 0, 0, 0, 1227548, 616, BothDirectory, 1,  (188, 0, 0, 0, 1227548, 616, BothDirectory, 1, "system32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01287  1756   NtClose  (188, ... ) == 0x0
 01288  1756   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\"}, 3, 16417, ... 188, {status=0x0, info=1}, ) }, 3, 16417, ... 188, {status=0x0, info=1}, ) == 0x0
 01289  1756   NtQueryDirectoryFile  (188, 0, 0, 0, 1227548, 616, BothDirectory, 1,  (188, 0, 0, 0, 1227548, 616, BothDirectory, 1, "dwwin.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 01290  1756   NtClose  (188, ... ) == 0x0
 01291  1756   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01292  1756   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01293  1756   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01294  1756   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01295  1756   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01296  1756   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 188, ) == 0x0
 01297  1756   NtQueryInformationToken  (188, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01298  1756   NtClose  (188, ... ) == 0x0
 01299  1756   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01300  1756   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\dwwin.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01301  1756   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1228952, ... ) }, 1228952, ... ) == 0x0
 01302  1756   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01303  1756   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01304  1756   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1227820, ... ) }, 1227820, ... ) == 0x0
 01305  1756   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 5, 96, ... 188, {status=0x0, info=1}, ) }, 5, 96, ... 188, {status=0x0, info=1}, ) == 0x0
 01306  1756   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 188, ... 192, ) == 0x0
 01307  1756   NtClose  (188, ... ) == 0x0
 01308  1756   NtMapViewOfSection  (192, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xbc0000), 0x0, 180224, ) == 0x0
 01309  1756   NtClose  (192, ... ) == 0x0
 01310  1756   NtUnmapViewOfSection  (-1, 0xbc0000, ... ) == 0x0
 01311  1756   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1227416, ... ) }, 1227416, ... ) == 0x0
 01312  1756   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1228160,  (0x80100080, {24, 0, 0x40, 0, 1228160, "\??\C:\WINDOWS\system32\dwwin.exe"}, 0x0, 0, 5, 1, 96, 0, 0, ... 192, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 192, {status=0x0, info=1}, ) == 0x0
 01313  1756   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 192, ... 188, ) == 0x0
 01314  1756   NtClose  (192, ... ) == 0x0
 01315  1756   NtMapViewOfSection  (188, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xbc0000), {0, 0}, 180224, ) == 0x0
 01316  1756   NtClose  (188, ... ) == 0x0
 01317  1756   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01318  1756   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01319  1756   NtQueryDefaultLocale  (1, 1228780, ... ) == 0x0
 01320  1756   NtQueryVirtualMemory  (-1, 0xbc0000, Basic, 28, ... {BaseAddress=0xbc0000,AllocationBase=0xbc0000,AllocationProtect=0x2,RegionSize=0x2c000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01321  1756   NtQueryVirtualMemory  (-1, 0xbc0000, Basic, 28, ... {BaseAddress=0xbc0000,AllocationBase=0xbc0000,AllocationProtect=0x2,RegionSize=0x2c000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01322  1756   NtUnmapViewOfSection  (-1, 0xbc0000, ... ) == 0x0
 01323  1756   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01324  1756   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01325  1756   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1227812, ... ) }, 1227812, ... ) == 0x0
 01326  1756   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 5, 96, ... 188, {status=0x0, info=1}, ) }, 5, 96, ... 188, {status=0x0, info=1}, ) == 0x0
 01327  1756   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 188, ... 192, ) == 0x0
 01328  1756   NtClose  (188, ... ) == 0x0
 01329  1756   NtMapViewOfSection  (192, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xbc0000), 0x0, 180224, ) == 0x0
 01330  1756   NtClose  (192, ... ) == 0x0
 01331  1756   NtUnmapViewOfSection  (-1, 0xbc0000, ... ) == 0x0
 01332  1756   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1227408, ... ) }, 1227408, ... ) == 0x0
 01333  1756   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1228152,  (0x80100080, {24, 0, 0x40, 0, 1228152, "\??\C:\WINDOWS\system32\dwwin.exe"}, 0x0, 0, 5, 1, 96, 0, 0, ... 192, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 192, {status=0x0, info=1}, ) == 0x0
 01334  1756   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 192, ... 188, ) == 0x0
 01335  1756   NtClose  (192, ... ) == 0x0
 01336  1756   NtMapViewOfSection  (188, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xbc0000), {0, 0}, 180224, ) == 0x0
 01337  1756   NtClose  (188, ... ) == 0x0
 01338  1756   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01339  1756   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01340  1756   NtQueryDefaultLocale  (1, 1228772, ... ) == 0x0
 01341  1756   NtQueryVirtualMemory  (-1, 0xbc0000, Basic, 28, ... {BaseAddress=0xbc0000,AllocationBase=0xbc0000,AllocationProtect=0x2,RegionSize=0x2c000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01342  1756   NtUnmapViewOfSection  (-1, 0xbc0000, ... ) == 0x0
 01343  1756   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01344  1756   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01345  1756   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 188, ) == 0x0
 01346  1756   NtQueryInformationToken  (188, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01347  1756   NtClose  (188, ... ) == 0x0
 01348  1756   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01349  1756   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01350  1756   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01351  1756   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1229372, ... ) }, 1229372, ... ) == 0x0
 01352  1756   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 188, {status=0x0, info=1}, ) }, 3, 16417, ... 188, {status=0x0, info=1}, ) == 0x0
 01353  1756   NtQueryDirectoryFile  (188, 0, 0, 0, 1228800, 616, BothDirectory, 1,  (188, 0, 0, 0, 1228800, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01354  1756   NtClose  (188, ... ) == 0x0
 01355  1756   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 188, {status=0x0, info=1}, ) }, 3, 16417, ... 188, {status=0x0, info=1}, ) == 0x0
 01356  1756   NtQueryDirectoryFile  (188, 0, 0, 0, 1228800, 616, BothDirectory, 1,  (188, 0, 0, 0, 1228800, 616, BothDirectory, 1, "system32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01357  1756   NtClose  (188, ... ) == 0x0
 01358  1756   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\"}, 3, 16417, ... 188, {status=0x0, info=1}, ) }, 3, 16417, ... 188, {status=0x0, info=1}, ) == 0x0
 01359  1756   NtQueryDirectoryFile  (188, 0, 0, 0, 1228800, 616, BothDirectory, 1,  (188, 0, 0, 0, 1228800, 616, BothDirectory, 1, "dwwin.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 01360  1756   NtClose  (188, ... ) == 0x0
 01361  1756   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01362  1756   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01363  1756   NtWaitForSingleObject  (172, 0, {-1000000, -1}, ... ) == 0x0
 01364  1756   NtReleaseMutant  (172, ... 0x0, ) == 0x0
 01365  1756   NtUnmapViewOfSection  (-1, 0xa90000, ... ) == 0x0
 01366  1756   NtClose  (184, ... ) == 0x0
 01367  1756   NtClose  (180, ... ) == 0x0
 01368  1756   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 01369  1756   NtOpenProcessToken  (-1, 0xa, ... 180, ) == 0x0
 01370  1756   NtQueryInformationToken  (180, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 01371  1756   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01372  1756   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 184, ) }, ... 184, ) == 0x0
 01373  1756   NtQueryValueKey  (184,  (184, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (184, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01374  1756   NtQueryValueKey  (184,  (184, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (184, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01375  1756   NtClose  (184, ... ) == 0x0
 01376  1756   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\LevelObjects"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01377  1756   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 184, ) }, ... 184, ) == 0x0
 01378  1756   NtQueryValueKey  (184,  (184, "Levels", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01379  1756   NtClose  (184, ... ) == 0x0
 01380  1756   NtQueryDefaultLocale  (1, 1231220, ... ) == 0x0
 01381  1756   NtQueryDefaultLocale  (1, 1231220, ... ) == 0x0
 01382  1756   NtQueryDefaultLocale  (1, 1231220, ... ) == 0x0
 01383  1756   NtQueryDefaultLocale  (1, 1231220, ... ) == 0x0
 01384  1756   NtQueryDefaultLocale  (1, 1231220, ... ) == 0x0
 01385  1756   NtQueryDefaultLocale  (1, 1231220, ... ) == 0x0
 01386  1756   NtQueryDefaultLocale  (1, 1231220, ... ) == 0x0
 01387  1756   NtQueryDefaultLocale  (1, 1231220, ... ) == 0x0
 01388  1756   NtQueryDefaultLocale  (1, 1231220, ... ) == 0x0
 01389  1756   NtQueryDefaultLocale  (1, 1231220, ... ) == 0x0
 01390  1756   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... 184, ) }, ... 184, ) == 0x0
 01391  1756   NtEnumerateKey  (184, 0, Basic, 280, ... {LastWrite={0x3a5edea,0x1c74da9}, TitleIdx=0, Name= (184, 0, Basic, 280, ... {LastWrite={0x3a5edea,0x1c74da9}, TitleIdx=0, Name="{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, 92, ) }, 92, ) == 0x0
 01392  1756   NtOpenKey  (0x20019, {24, 184, 0x40, 0, 0,  (0x20019, {24, 184, 0x40, 0, 0, "{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, ... 188, ) }, ... 188, ) == 0x0
 01393  1756   NtQueryValueKey  (188,  (188, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) , Partial, 280, ... TitleIdx=0, Type=2, Data= (188, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) }, 202, ) == 0x0
 01394  1756   NtQueryValueKey  (188,  (188, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (188, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01395  1756   NtClose  (188, ... ) == 0x0
 01396  1756   NtEnumerateKey  (184, 1, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES
 01397  1756   NtClose  (184, ... ) == 0x0
 01398  1756   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... 184, ) }, ... 184, ) == 0x0
 01399  1756   NtEnumerateKey  (184, 0, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (184, 0, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{349d35ab-37b5-462f-9b89-edd5fbde1328}"}, 92, ) }, 92, ) == 0x0
 01400  1756   NtOpenKey  (0x20019, {24, 184, 0x40, 0, 0,  (0x20019, {24, 184, 0x40, 0, 0, "{349d35ab-37b5-462f-9b89-edd5fbde1328}"}, ... 188, ) }, ... 188, ) == 0x0
 01401  1756   NtQueryValueKey  (188,  (188, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="^\2530O\225zI\211j\0l\341\25@\25"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (188, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="^\2530O\225zI\211j\0l\341\25@\25"}, 28, ) }, 28, ) == 0x0
 01402  1756   NtQueryValueKey  (188,  (188, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (188, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0
 01403  1756   NtQueryValueKey  (188,  (188, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\13\3\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (188, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\13\3\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 01404  1756   NtQueryValueKey  (188,  (188, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (188, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01405  1756   NtClose  (188, ... ) == 0x0
 01406  1756   NtEnumerateKey  (184, 1, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (184, 1, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}"}, 92, ) }, 92, ) == 0x0
 01407  1756   NtOpenKey  (0x20019, {24, 184, 0x40, 0, 0,  (0x20019, {24, 184, 0x40, 0, 0, "{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}"}, ... 188, ) }, ... 188, ) == 0x0
 01408  1756   NtQueryValueKey  (188,  (188, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="g\260\324\2134:?\323\274\351\334dg\4\363\224"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (188, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="g\260\324\2134:?\323\274\351\334dg\4\363\224"}, 28, ) }, 28, ) == 0x0
 01409  1756   NtQueryValueKey  (188,  (188, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (188, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0
 01410  1756   NtQueryValueKey  (188,  (188, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\5\2\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (188, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\5\2\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 01411  1756   NtQueryValueKey  (188,  (188, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (188, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01412  1756   NtClose  (188, ... ) == 0x0
 01413  1756   NtEnumerateKey  (184, 2, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (184, 2, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}"}, 92, ) }, 92, ) == 0x0
 01414  1756   NtOpenKey  (0x20019, {24, 184, 0x40, 0, 0,  (0x20019, {24, 184, 0x40, 0, 0, "{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}"}, ... 188, ) }, ... 188, ) == 0x0
 01415  1756   NtQueryValueKey  (188,  (188, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="2x\2\334\376\370\310\223\334\212\260\6\335\204}\35"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (188, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="2x\2\334\376\370\310\223\334\212\260\6\335\204}\35"}, 28, ) }, 28, ) == 0x0
 01416  1756   NtQueryValueKey  (188,  (188, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (188, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0
 01417  1756   NtQueryValueKey  (188,  (188, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\226\3\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (188, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\226\3\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 01418  1756   NtQueryValueKey  (188,  (188, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (188, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01419  1756   NtClose  (188, ... ) == 0x0
 01420  1756   NtEnumerateKey  (184, 3, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (184, 3, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{94e3e076-8f53-42a5-8411-085bcc18a68d}"}, 92, ) }, 92, ) == 0x0
 01421  1756   NtOpenKey  (0x20019, {24, 184, 0x40, 0, 0,  (0x20019, {24, 184, 0x40, 0, 0, "{94e3e076-8f53-42a5-8411-085bcc18a68d}"}, ... 188, ) }, ... 188, ) == 0x0
 01422  1756   NtQueryValueKey  (188,  (188, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="\275\232*\333B\353\330V\16%\16M\370\26/g"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (188, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="\275\232*\333B\353\330V\16%\16M\370\26/g"}, 28, ) }, 28, ) == 0x0
 01423  1756   NtQueryValueKey  (188,  (188, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (188, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0
 01424  1756   NtQueryValueKey  (188,  (188, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\345\0\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (188, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\345\0\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 01425  1756   NtQueryValueKey  (188,  (188, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (188, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01426  1756   NtClose  (188, ... ) == 0x0
 01427  1756   NtEnumerateKey  (184, 4, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (184, 4, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}"}, 92, ) }, 92, ) == 0x0
 01428  1756   NtOpenKey  (0x20019, {24, 184, 0x40, 0, 0,  (0x20019, {24, 184, 0x40, 0, 0, "{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}"}, ... 188, ) }, ... 188, ) == 0x0
 01429  1756   NtQueryValueKey  (188,  (188, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="8k\10_\204\354\366i\323k\225j"\300\36\200"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (188, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="8k\10_\204\354\366i\323k\225j"\300\36\200"}, 28, ) \300\36\200"}, 28, ) == 0x0
 01430  1756   NtQueryValueKey  (188,  (188, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (188, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0
 01431  1756   NtQueryValueKey  (188,  (188, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="r\1\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (188, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="r\1\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 01432  1756   NtQueryValueKey  (188,  (188, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (188, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01433  1756   NtClose  (188, ... ) == 0x0
 01434  1756   NtEnumerateKey  (184, 5, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES
 01435  1756   NtClose  (184, ... ) == 0x0
 01436  1756   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01437  1756   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01438  1756   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01439  1756   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01440  1756   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01441  1756   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01442  1756   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01443  1756   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01444  1756   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01445  1756   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01446  1756   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01447  1756   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01448  1756   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01449  1756   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01450  1756   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 184, ) == 0x0
 01451  1756   NtQueryInformationToken  (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01452  1756   NtClose  (184, ... ) == 0x0
 01453  1756   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01454  1756   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01455  1756   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 184, ) == 0x0
 01456  1756   NtQueryInformationToken  (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01457  1756   NtClose  (184, ... ) == 0x0
 01458  1756   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01459  1756   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01460  1756   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 184, ) == 0x0
 01461  1756   NtQueryInformationToken  (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01462  1756   NtClose  (184, ... ) == 0x0
 01463  1756   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01464  1756   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01465  1756   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 184, ) == 0x0
 01466  1756   NtQueryInformationToken  (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01467  1756   NtClose  (184, ... ) == 0x0
 01468  1756   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01469  1756   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01470  1756   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 184, ) == 0x0
 01471  1756   NtQueryInformationToken  (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01472  1756   NtClose  (184, ... ) == 0x0
 01473  1756   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01474  1756   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01475  1756   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 184, ) == 0x0
 01476  1756   NtQueryInformationToken  (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01477  1756   NtClose  (184, ... ) == 0x0
 01478  1756   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01479  1756   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01480  1756   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 184, ) == 0x0
 01481  1756   NtQueryInformationToken  (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01482  1756   NtClose  (184, ... ) == 0x0
 01483  1756   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01484  1756   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01485  1756   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 184, ) == 0x0
 01486  1756   NtQueryInformationToken  (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01487  1756   NtClose  (184, ... ) == 0x0
 01488  1756   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01489  1756   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01490  1756   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 184, ) == 0x0
 01491  1756   NtQueryInformationToken  (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01492  1756   NtClose  (184, ... ) == 0x0
 01493  1756   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01494  1756   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01495  1756   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 184, ) == 0x0
 01496  1756   NtQueryInformationToken  (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01497  1756   NtClose  (184, ... ) == 0x0
 01498  1756   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01499  1756   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01500  1756   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 184, ) == 0x0
 01501  1756   NtQueryInformationToken  (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01502  1756   NtClose  (184, ... ) == 0x0
 01503  1756   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01504  1756   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01505  1756   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 184, ) == 0x0
 01506  1756   NtQueryInformationToken  (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01507  1756   NtClose  (184, ... ) == 0x0
 01508  1756   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01509  1756   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01510  1756   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 184, ) == 0x0
 01511  1756   NtQueryInformationToken  (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01512  1756   NtClose  (184, ... ) == 0x0
 01513  1756   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01514  1756   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01515  1756   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 184, ) == 0x0
 01516  1756   NtQueryInformationToken  (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01517  1756   NtClose  (184, ... ) == 0x0
 01518  1756   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01519  1756   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01520  1756   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 184, ) == 0x0
 01521  1756   NtQueryInformationToken  (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01522  1756   NtClose  (184, ... ) == 0x0
 01523  1756   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01524  1756   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 184, ) }, ... 184, ) == 0x0
 01525  1756   NtQueryValueKey  (184,  (184, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (184, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Data= (184, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) }, 48, ) == 0x0
 01526  1756   NtClose  (184, ... ) == 0x0
 01527  1756   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01528  1756   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 184, ) == 0x0
 01529  1756   NtQueryInformationToken  (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01530  1756   NtClose  (184, ... ) == 0x0
 01531  1756   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01532  1756   NtOpenThreadToken  (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN
 01533  1756   NtOpenProcessToken  (-1, 0xa, ... 184, ) == 0x0
 01534  1756   NtDuplicateToken  (184, 0xc, {24, 0, 0x0, 0, 1231652, 0x0}, 0, 2, ... 188, ) == 0x0
 01535  1756   NtClose  (184, ... ) == 0x0
 01536  1756   NtAccessCheck  (1379984, 188, 0x1, 1231728, 1231780, 56, 1231760, ... (0x1), ) == 0x0
 01537  1756   NtClose  (188, ... ) == 0x0
 01538  1756   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 188, ) }, ... 188, ) == 0x0
 01539  1756   NtQueryValueKey  (188,  (188, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (188, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01540  1756   NtClose  (188, ... ) == 0x0
 01541  1756   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 188, ) }, ... 188, ) == 0x0
 01542  1756   NtQuerySymbolicLinkObject  (188, ...  (188, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0
 01543  1756   NtClose  (188, ... ) == 0x0
 01544  1756   NtQueryVolumeInformationFile  (168, 1229484, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01545  1756   NtQueryInformationFile  (168, 1229600, 528, Name, ... {status=0x0, info=58}, ) == 0x0
 01546  1756   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01547  1756   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01548  1756   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1228772, ... ) }, 1228772, ... ) == 0x0
 01549  1756   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 188, {status=0x0, info=1}, ) }, 3, 16417, ... 188, {status=0x0, info=1}, ) == 0x0
 01550  1756   NtQueryDirectoryFile  (188, 0, 0, 0, 1228200, 616, BothDirectory, 1,  (188, 0, 0, 0, 1228200, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01551  1756   NtClose  (188, ... ) == 0x0
 01552  1756   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 188, {status=0x0, info=1}, ) }, 3, 16417, ... 188, {status=0x0, info=1}, ) == 0x0
 01553  1756   NtQueryDirectoryFile  (188, 0, 0, 0, 1228200, 616, BothDirectory, 1,  (188, 0, 0, 0, 1228200, 616, BothDirectory, 1, "system32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01554  1756   NtClose  (188, ... ) == 0x0
 01555  1756   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\"}, 3, 16417, ... 188, {status=0x0, info=1}, ) }, 3, 16417, ... 188, {status=0x0, info=1}, ) == 0x0
 01556  1756   NtQueryDirectoryFile  (188, 0, 0, 0, 1228200, 616, BothDirectory, 1,  (188, 0, 0, 0, 1228200, 616, BothDirectory, 1, "dwwin.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 01557  1756   NtClose  (188, ... ) == 0x0
 01558  1756   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01559  1756   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01560  1756   NtQueryInformationFile  (168, 1231640, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01561  1756   NtCreateSection  (0xf0005, 0x0, {180224, 0}, 2, 134217728, 168, ... 188, ) == 0x0
 01562  1756   NtMapViewOfSection  (188, -1, (0x0), 0, 0, {0, 0}, 180224, 1, 0, 2, ... (0xa90000), {0, 0}, 180224, ) == 0x0
 01563  1756   NtClose  (188, ... ) == 0x0
 01564  1756   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01565  1756   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 188, ) == 0x0
 01566  1756   NtQueryInformationToken  (188, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01567  1756   NtClose  (188, ... ) == 0x0
 01568  1756   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 188, ) }, ... 188, ) == 0x0
 01569  1756   NtOpenKey  (0x20019, {24, 188, 0x40, 0, 0,  (0x20019, {24, 188, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 184, ) }, ... 184, ) == 0x0
 01570  1756   NtClose  (188, ... ) == 0x0
 01571  1756   NtQueryValueKey  (184,  (184, "Cache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01572  1756   NtQueryValueKey  (184,  (184, "Cache", Partial, 174, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 174, ) , Partial, 174, ... TitleIdx=0, Type=1, Data= (184, "Cache", Partial, 174, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 174, ) }, 174, ) == 0x0
 01573  1756   NtClose  (184, ... ) == 0x0
 01574  1756   NtUnmapViewOfSection  (-1, 0xa90000, ... ) == 0x0
 01575  1756   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 8192, 4, ... 4128768, 4096, ) == 0x0
 01576  1756   NtAllocateVirtualMemory  (-1, 4128768, 0, 4096, 4096, 4, ... 4128768, 4096, ) == 0x0
 01577  1756   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 184, ) }, ... 184, ) == 0x0
 01578  1756   NtQueryValueKey  (184,  (184, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01579  1756   NtClose  (184, ... ) == 0x0
 01580  1756   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01581  1756   NtQueryInformationToken  (180, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0
 01582  1756   NtQueryInformationToken  (180, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0
 01583  1756   NtClose  (180, ... ) == 0x0
 01584  1756   NtQuerySection  (164, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01585  1756   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwwin.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01586  1756   NtQuerySystemInformation  (71, 4, ... {system info, class 71, size 4}, 0x0, ) == 0x0
 01587  1756   NtCreateProcessEx  (1233564, 2035711, 0, -1, 4, 164, 0, 0, 0, ... ) == 0x0
 01588  1756   NtSetInformationProcess  (180, PriorityClass, {process info, class 18, size 2}, 512, ... ) == 0x0
 01589  1756   NtSetInformationProcess  (180, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01590  1756   NtQueryInformationProcess  (180, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffd6000,AffinityMask=0x1,BasePriority=8,Pid=1556,ParentPid=1580,}, 0x0, ) == 0x0
 01591  1756   NtReadVirtualMemory  (180, 0x7ffd6008, 4, ...  (180, 0x7ffd6008, 4, ... "\0\0\00", 0x0, ) , 0x0, ) == 0x0
 01592  1756   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01593  1756   NtReadVirtualMemory  (180, 0x30000000, 4096, ...  (180, 0x30000000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0$\206\244\23`\347\312@`\347\312@`\347\312@9\304\331@b\347\312@`\347\313@d\347\312@\210\370\301@a\347\312@\343\373\304@j\347\312@\210\370\300@I\347\312@6\370\331@h\347\312@\272\304\326@i\347\312@\220\370\301@p\347\312@`\347\312@H\346\312@Rich`\347\312@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0N\23\216?\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\24\0\220\2\0\0\240\0\0\0\0\0\0\232t\0\0\0\20\0\0\0\320\3\0\0\0\00\0\20\0\0\0\20\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0@\3\0\0\20\0\0\237*\3\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\327\211\2\0z\1\0\0\00\3\0\244\12\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Z\236\2\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\2\0\0\370\0\0\0\0\20\0\0\270\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\222\216\2\0", 4096, ) , 4096, ) == 0x0
 01594  1756   NtReadVirtualMemory  (180, 0x30033000, 256, ...  (180, 0x30033000, 256, ... "\0\0\0\0J\23\216?\0\0\0\0\0\0\3\0\5\0\0\0(\0\0\200\13\0\0\0@\0\0\200\20\0\0\0X\0\0\200\0\0\0\0J\23\216?\0\0\0\0\0\0\1\0e\0\0\0p\0\0\200\0\0\0\0J\23\216?\0\0\0\0\0\0\1\0\1\0\0\0\210\0\0\200\0\0\0\0J\23\216?\0\0\0\0\0\0\1\0\1\0\0\0\240\0\0\200\0\0\0\0J\23\216?\0\0\0\0\0\0\1\0\11\4\0\0\270\0\0\0\0\0\0\0J\23\216?\0\0\0\0\0\0\1\0\11\4\0\0\310\0\0\0\0\0\0\0J\23\216?\0\0\0\0\0\0\1\0\11\4\0\0\330\0\0\0\3600\3\0\26\3\0\0\0\0\0\0\0\0\0\0\104\3\0\254\1\0\0\0\0\0\0\0\0\0\0\2645\3\0\360\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\300\0\310\200\0\0\0\0\14\0\0\0\0\0f\1", 256, ) , 256, ) == 0x0
 01595  1756   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01596  1756   NtQueryInformationProcess  (180, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffd6000,AffinityMask=0x1,BasePriority=8,Pid=1556,ParentPid=1580,}, 0x0, ) == 0x0
 01597  1756   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32"}, 1232516, ... ) }, 1232516, ... ) == 0x0
 01598  1756   NtAllocateVirtualMemory  (-1, 0, 0, 2428, 4096, 4, ... 11075584, 4096, ) == 0x0
 01599  1756   NtAllocateVirtualMemory  (180, 0, 0, 6432, 4096, 4, ... 65536, 8192, ) == 0x0
 01600  1756   NtWriteVirtualMemory  (180, 0x10000,  (180, 0x10000, "=\0A\0:\0=\0A\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0s\0c\0r\0i\0p\0t\0s\0\0\0=\0U\0:\0=\0U\0:\0\\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0A\0T\0L\0_\0I\0N\0C\0_\0P\0A\0T\0H\0=\0C\0:\0\\0W\0I\0N\0D\0D\0K\0\\03\07\09\00\0~\01\0.\01\08\03\0\\0i\0n\0c\0\0\0A\0T\0L\0_\0I\0N\0C\0_\0R\0O\0O\0T\0=\0C\0:\0\\0W\0I\0N\0D\0D\0K\0\\03\07\09\00\0~\01\0.\01\08\03\0\\0i\0n\0c\0\0\0A\0T\0L\0_\0L\0I\0B\0_\0P\0A\0T\0H\0=\0C\0:\0\\0W\0I\0N\0D\0D\0K\0\\03\07\0", 6432, ... 0x0, ) , 6432, ... 0x0, ) == 0x0
 01601  1756   NtAllocateVirtualMemory  (180, 0, 0, 2428, 4096, 4, ... 131072, 4096, ) == 0x0
 01602  1756   NtWriteVirtualMemory  (180, 0x20000,  (180, 0x20000, "\0\20\0\0|\11\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\0\0\0\0\0\13\0\0\0&\0\10\2\220\2\0\0\16\0\0\0\364\3\366\3\230\4\0\0:\0<\0\220\10\0\0N\0P\0\314\10\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0:\0<\0\34\11\0\0\36\0 \0X\11\0\0\0\0\2\0x\11\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 2428, ... 0x0, ) , 2428, ... 0x0, ) == 0x0
 01603  1756   NtWriteVirtualMemory  (180, 0x7ffd6010,  (180, 0x7ffd6010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 01604  1756   NtAllocateVirtualMemory  (180, 0, 0, 388, 4096, 4, ... 196608, 4096, ) == 0x0
 01605  1756   NtWriteVirtualMemory  (180, 0x30000,  (180, 0x30000, "S\0h\0i\0m\0E\0n\0g\0.\0d\0l\0l\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\1\0\0\253\355\15\254\210\255\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\21\21\21\21\21\21\21\21\21\21\21\21\21\21\21\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 388, ... 0x0, ) , 388, ... 0x0, ) == 0x0
 01606  1756   NtWriteVirtualMemory  (180, 0x7ffd61e8,  (180, 0x7ffd61e8, "\0\0\3\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 01607  1756   NtFreeVirtualMemory  (-1, (0xa90000), 0, 32768, ... (0xa90000), 4096, ) == 0x0
 01608  1756   NtAllocateVirtualMemory  (180, 0, 0, 1048576, 8192, 4, ... 262144, 1048576, ) == 0x0
 01609  1756   NtAllocateVirtualMemory  (180, 1302528, 0, 8192, 4096, 4, ... 1302528, 8192, ) == 0x0
 01610  1756   NtProtectVirtualMemory  (180, (0x13e000), 4096, 260, ... (0x13e000), 4096, 4, ) == 0x0
 01611  1756   NtCreateThread  (0x1f03ff, 0x0, 180, 1233572, 1233236, 1, ... 184, {1556, 460}, ) == 0x0
 01612  1756   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 0, 2147344384, 2008285840, 0}  (24, {168, 196, new_msg, 0, 0, 2147344384, 2008285840, 0} "\0\0\0\0\0\0\1\0\0\0\0\0x\2\264w\267\0\0\0\270\0\0\0\24\6\0\0\314\1\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\214\326\22\0x\1\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\375\177\0\0\0\0\0\0\24\0\10 \0\0" ... {168, 196, reply, 0, 1580, 1756, 57977, 0} "\0\0\0\0\0\0\1\0\0\0\0\0x\2\264w\264\0\0\0\270\0\0\0\24\6\0\0\314\1\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\214\326\22\0x\1\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\375\177\0\0\0\0\0\0\24\0\10 \0\0" )  ... {168, 196, reply, 0, 1580, 1756, 57977, 0}  (24, {168, 196, new_msg, 0, 0, 2147344384, 2008285840, 0} "\0\0\0\0\0\0\1\0\0\0\0\0x\2\264w\267\0\0\0\270\0\0\0\24\6\0\0\314\1\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\214\326\22\0x\1\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\375\177\0\0\0\0\0\0\24\0\10 \0\0" ... {168, 196, reply, 0, 1580, 1756, 57977, 0} "\0\0\0\0\0\0\1\0\0\0\0\0x\2\264w\264\0\0\0\270\0\0\0\24\6\0\0\314\1\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\214\326\22\0x\1\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\375\177\0\0\0\0\0\0\24\0\10 \0\0" )  ) == 0x0
 01613  1756   NtResumeThread  (184, ... 1, ) == 0x0
 01614  1756   NtClose  (168, ... ) == 0x0
 01615  1756   NtClose  (164, ... ) == 0x0
 01616  1756   NtClose  (184, ... ) == 0x0
 01617  1756   NtWaitForMultipleObjects  (2, (152, 180, ), 1, 0, {1294967296, -1}, ... ) == 0x0
 01618  1756   NtWaitForSingleObject  (144, 0, {0, 0}, ... ) == 0x102
 01619  1756   NtWaitForMultipleObjects  (2, (152, 180, ), 1, 0, {1294967296, -1}, ... ) == 0x0
 01620  1756   NtWaitForSingleObject  (144, 0, {0, 0}, ... ) == 0x102
 01621  1756   NtWaitForMultipleObjects  (2, (152, 180, ), 1, 0, {1294967296, -1}, ... ) == 0x0
 01622  1756   NtWaitForSingleObject  (144, 0, {0, 0}, ... ) == 0x0
 01623  1756   NtClose  (180, ... ) == 0x0
 01624  1756   NtUnmapViewOfSection  (-1, 0x3d0000, ... ) == 0x0
 01625  1756   NtClose  (160, ... ) == 0x0
 01626  1756   NtClose  (144, ... ) == 0x0
 01627  1756   NtClose  (152, ... ) == 0x0
 01628  1756   NtClose  (148, ... ) == 0x0
 01629  1756   NtClose  (156, ... ) == 0x0
 01630  1756   NtClose  (100, ... ) == 0x0
 01631  1756   NtClose  (104, ... ) == 0x0
 01632  1756   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x7,}, 4, ... ) == 0x0
 01633  1756   NtWaitForMultipleObjects  (2, (64, 72, ), 1, 0, 0x0, ... ) == 0x1
 01634  1756   NtClose  (72, ... ) == 0x0
 01635  1756   NtSetEvent  (64, ... 0x0, ) == 0x0
 01636  1756   NtClose  (64, ... ) == 0x0
 01637  1756   NtWaitForMultipleObjects  (2, (76, 80, ), 1, 0, 0x0, ... ) == 0x1
 01638  1756   NtClose  (80, ... ) == 0x0
 01639  1756   NtSetEvent  (76, ... 0x0, ) == 0x0
 01640  1756   NtClose  (76, ... ) == 0x0
 01641  1756   NtWaitForMultipleObjects  (2, (84, 88, ), 1, 0, 0x0, ... ) == 0x1
 01642  1756   NtClose  (88, ... ) == 0x0
 01643  1756   NtSetEvent  (84, ... 0x0, ) == 0x0
 01644  1756   NtClose  (84, ... ) == 0x0
 01645  1756   NtRequestWaitReplyPort  (128, {88, 112, new_msg, 0, 1580, 1756, 57975, 0}  (128, {88, 112, new_msg, 0, 1580, 1756, 57975, 0} "\1\31\0\0A\2<\0\200\300\227|p\31\221|\250$\12\0\330\0\0\0\377\377\377\377\0\300\372\177\0\0\0\0)%\25E?>\A\250\245\22\360\331E\16S\331E\16S\1\0\0\0\0\0\0\0\4\0\0\0\1\365\11\0\1\0\0\0d\365\11\0\0\0\0\0\0\0\0\0" ... {124, 148, reply, 0, 1580, 1756, 58122, 0} "\2\376\255\201\1\0\0\0\200Y\274\201V\347\340\341\264\311\275\201:\332R\200X;\350\371\324\376\255\201\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\210\300\310\0\0\0\3\1\0\0\3\1\0\0\10A\210\300\0@\250\300\220\276u\201\264;\350\371R\250S\200\304;\350\371\4\0\0\0\0\0\0\0\220\276u\201<(\255\201\7\0\0\0\304\277u\201]\0\0\0" )  ... {124, 148, reply, 0, 1580, 1756, 58122, 0}  (128, {88, 112, new_msg, 0, 1580, 1756, 57975, 0} "\1\31\0\0A\2<\0\200\300\227|p\31\221|\250$\12\0\330\0\0\0\377\377\377\377\0\300\372\177\0\0\0\0)%\25E?>\A\250\245\22\360\331E\16S\331E\16S\1\0\0\0\0\0\0\0\4\0\0\0\1\365\11\0\1\0\0\0d\365\11\0\0\0\0\0\0\0\0\0" ... {124, 148, reply, 0, 1580, 1756, 58122, 0} "\2\376\255\201\1\0\0\0\200Y\274\201V\347\340\341\264\311\275\201:\332R\200X;\350\371\324\376\255\201\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\210\300\310\0\0\0\3\1\0\0\3\1\0\0\10A\210\300\0@\250\300\220\276u\201\264;\350\371R\250S\200\304;\350\371\4\0\0\0\0\0\0\0\220\276u\201<(\255\201\7\0\0\0\304\277u\201]\0\0\0" )  ) == 0x0
 01646  1756   NtClose  (124, ... ) == 0x0
 01647  1756   NtClose  (128, ... ) == 0x0
 01648  1756   NtClose  (68, ... ) == 0x0
 01649  1756   NtUnmapViewOfSection  (-1, 0x69450000, ... ) == 0x0
 01650  1756   NtUnmapViewOfSection  (-1, 0x77920000, ... ) == 0x0
 01651  1756   NtUnmapViewOfSection  (-1, 0x76f50000, ... ) == 0x0
 01652  1756   NtUnmapViewOfSection  (-1, 0x76360000, ... ) == 0x0
 01653  1756   NtUnmapViewOfSection  (-1, 0x5b860000, ... ) == 0x0
 01654  1756   NtUnmapViewOfSection  (-1, 0x769c0000, ... ) == 0x0
 01655  1756   NtContinue  (1242900, 0, ...
 01656  1756   NtTerminateProcess  (0, -1073741682, ... ) == 0x0
 01657  1756   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x8,}, 4, ... ) == 0x0
 01658  1756   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x9,}, 4, ... ) == 0x0
 01659  1756   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xa,}, 4, ... ) == 0x0
 01660  1756   NtClose  (92, ... ) == 0x0
 01661  1756   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x6,}, 4, ... ) == 0x0
 01662  1756   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x5,}, 4, ... ) == 0x0
 01663  1756   NtUnmapViewOfSection  (-1, 0x380000, ... ) == 0x0
 01664  1756   NtClose  (60, ... ) == 0x0
 01665  1756   NtGdiDeleteObjectApp  (1913653144, ... ) == 0x1
 01666  1756   NtUserGetProcessWindowStation  (... ) == 0x1c
 01667  1756   NtUserBuildNameList  (28, 522, 1379448, 1244228, ... ) == 0x0
 01668  1756   NtUserGetProcessWindowStation  (... ) == 0x1c
 01669  1756   NtUserOpenDesktop  ({24, 28, 0x40, 0, 0,  ({24, 28, 0x40, 0, 0, "Default"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x3c
 01670  1756   NtUserBuildHwndList  (60, 0, 0, 0, 64, ... (0x5009e, 0x400fa, 0x10074, 0x10080, 0x10070, 0x10084, 0x30048, 0x10072, 0x20052, 0x5009c, 0x10090, 0x500a2, 0x100d0, 0x200b0, 0x100cc, 0x70104, 0x70100, 0x20118, 0x3014c, 0x1011c, 0x100e6, 0x100d6, 0x100d2, 0x100ca, 0x100c8, 0x100ba, 0x100ae, 0x100ac, 0x300a6, 0x10078, 0x30062, 0x50036, 0x5005c, 0x100be, 0x400fe, 0x10092, 0x10086, 0x40034, 0x50050, 0x1013c, 0x10120, 0x100c2, 0x100bc, 0x2014e, 0x100d8, 0x100b6, 0x100b8, 0x100b4, 0x100c0, 0x1009a, 0x5005e, 0x1, ), 52, ) == 0x0
 01671  1756   NtUserValidateHandleSecure  (327838, ... ) == 0x1
 01672  1756   NtUserQueryWindow  (327838, 0, ... ) == 0x6b8
 01673  1756   NtUserQueryWindow  (327838, 1, ... ) == 0x6d4
 01674  1756   NtUserValidateHandleSecure  (327838, ... ) == 0x1
 01675  1756   NtUserValidateHandleSecure  (262394, ... ) == 0x1
 01676  1756   NtUserQueryWindow  (262394, 0, ... ) == 0x6b8
 01677  1756   NtUserQueryWindow  (262394, 1, ... ) == 0x6d4
 01678  1756   NtUserValidateHandleSecure  (262394, ... ) == 0x1
 01679  1756   NtUserBuildHwndList  (0, 262394, 1, 0, 64, ... (0x80064, 0x60068, 0x6006c, 0x50094, 0x50096, 0x60066, 0x7006a, 0x90058, 0x6006e, 0x5008a, 0x50088, 0x500a0, 0x1, ), 13, ) == 0x0
 01680  1756   NtUserValidateHandleSecure  (524388, ... ) == 0x1
 01681  1756   NtUserQueryWindow  (524388, 0, ... ) == 0x6b8
 01682  1756   NtUserQueryWindow  (524388, 1, ... ) == 0x6d4
 01683  1756   NtUserValidateHandleSecure  (393320, ... ) == 0x1
 01684  1756   NtUserQueryWindow  (393320, 0, ... ) == 0x6b8
 01685  1756   NtUserQueryWindow  (393320, 1, ... ) == 0x6d4
 01686  1756   NtUserValidateHandleSecure  (393324, ... ) == 0x1
 01687  1756   NtUserQueryWindow  (393324, 0, ... ) == 0x6b8
 01688  1756   NtUserQueryWindow  (393324, 1, ... ) == 0x6d4
 01689  1756   NtUserValidateHandleSecure  (327828, ... ) == 0x1
 01690  1756   NtUserQueryWindow  (327828, 0, ... ) == 0x6b8
 01691  1756   NtUserQueryWindow  (327828, 1, ... ) == 0x6d4
 01692  1756   NtUserValidateHandleSecure  (327830, ... ) == 0x1
 01693  1756   NtUserQueryWindow  (327830, 0, ... ) == 0x6b8
 01694  1756   NtUserQueryWindow  (327830, 1, ... ) == 0x6d4
 01695  1756   NtUserValidateHandleSecure  (393318, ... ) == 0x1
 01696  1756   NtUserQueryWindow  (393318, 0, ... ) == 0x6b8
 01697  1756   NtUserQueryWindow  (393318, 1, ... ) == 0x6d4
 01698  1756   NtUserValidateHandleSecure  (458858, ... ) == 0x1
 01699  1756   NtUserQueryWindow  (458858, 0, ... ) == 0x6b8
 01700  1756   NtUserQueryWindow  (458858, 1, ... ) == 0x6d4
 01701  1756   NtUserValidateHandleSecure  (589912, ... ) == 0x1
 01702  1756   NtUserQueryWindow  (589912, 0, ... ) == 0x6b8
 01703  1756   NtUserQueryWindow  (589912, 1, ... ) == 0x6d4
 01704  1756   NtUserValidateHandleSecure  (393326, ... ) == 0x1
 01705  1756   NtUserQueryWindow  (393326, 0, ... ) == 0x6b8
 01706  1756   NtUserQueryWindow  (393326, 1, ... ) == 0x6d4
 01707  1756   NtUserValidateHandleSecure  (327818, ... ) == 0x1
 01708  1756   NtUserQueryWindow  (327818, 0, ... ) == 0x6b8
 01709  1756   NtUserQueryWindow  (327818, 1, ... ) == 0x6d4
 01710  1756   NtUserValidateHandleSecure  (327816, ... ) == 0x1
 01711  1756   NtUserQueryWindow  (327816, 0, ... ) == 0x6b8
 01712  1756   NtUserQueryWindow  (327816, 1, ... ) == 0x6d4
 01713  1756   NtUserValidateHandleSecure  (327840, ... ) == 0x1
 01714  1756   NtUserQueryWindow  (327840, 0, ... ) == 0x6b8
 01715  1756   NtUserQueryWindow  (327840, 1, ... ) == 0x6d4
 01716  1756   NtUserValidateHandleSecure  (65652, ... ) == 0x1
 01717  1756   NtUserQueryWindow  (65652, 0, ... ) == 0x6b8
 01718  1756   NtUserQueryWindow  (65652, 1, ... ) == 0x6d4
 01719  1756   NtUserValidateHandleSecure  (65652, ... ) == 0x1
 01720  1756   NtUserValidateHandleSecure  (65664, ... ) == 0x1
 01721  1756   NtUserQueryWindow  (65664, 0, ... ) == 0x6b8
 01722  1756   NtUserQueryWindow  (65664, 1, ... ) == 0x6d4
 01723  1756   NtUserValidateHandleSecure  (65664, ... ) == 0x1
 01724  1756   NtUserValidateHandleSecure  (65648, ... ) == 0x1
 01725  1756   NtUserQueryWindow  (65648, 0, ... ) == 0x6b8
 01726  1756   NtUserQueryWindow  (65648, 1, ... ) == 0x6d4
 01727  1756   NtUserValidateHandleSecure  (65648, ... ) == 0x1
 01728  1756   NtUserValidateHandleSecure  (65668, ... ) == 0x1
 01729  1756   NtUserQueryWindow  (65668, 0, ... ) == 0x6b8
 01730  1756   NtUserQueryWindow  (65668, 1, ... ) == 0x6d4
 01731  1756   NtUserValidateHandleSecure  (65668, ... ) == 0x1
 01732  1756   NtUserValidateHandleSecure  (196680, ... ) == 0x1
 01733  1756   NtUserQueryWindow  (196680, 0, ... ) == 0x6b8
 01734  1756   NtUserQueryWindow  (196680, 1, ... ) == 0x6d4
 01735  1756   NtUserValidateHandleSecure  (196680, ... ) == 0x1
 01736  1756   NtUserValidateHandleSecure  (65650, ... ) == 0x1
 01737  1756   NtUserQueryWindow  (65650, 0, ... ) == 0x6b8
 01738  1756   NtUserQueryWindow  (65650, 1, ... ) == 0x6d4
 01739  1756   NtUserValidateHandleSecure  (65650, ... ) == 0x1
 01740  1756   NtUserValidateHandleSecure  (131154, ... ) == 0x1
 01741  1756   NtUserQueryWindow  (131154, 0, ... ) == 0x6b8
 01742  1756   NtUserQueryWindow  (131154, 1, ... ) == 0x6d4
 01743  1756   NtUserValidateHandleSecure  (131154, ... ) == 0x1
 01744  1756   NtUserBuildHwndList  (0, 131154, 1, 0, 64, ... (0x3003e, 0x3003c, 0x30040, 0x30042, 0x30044, 0x30046, 0x10076, 0x10082, 0x1007a, 0x1007e, 0x1, ), 11, ) == 0x0
 01745  1756   NtUserValidateHandleSecure  (196670, ... ) == 0x1
 01746  1756   NtUserQueryWindow  (196670, 0, ... ) == 0x6b8
 01747  1756   NtUserQueryWindow  (196670, 1, ... ) == 0x6d4
 01748  1756   NtUserValidateHandleSecure  (196668, ... ) == 0x1
 01749  1756   NtUserQueryWindow  (196668, 0, ... ) == 0x6b8
 01750  1756   NtUserQueryWindow  (196668, 1, ... ) == 0x6d4
 01751  1756   NtUserValidateHandleSecure  (196672, ... ) == 0x1
 01752  1756   NtUserQueryWindow  (196672, 0, ... ) == 0x6b8
 01753  1756   NtUserQueryWindow  (196672, 1, ... ) == 0x6d4
 01754  1756   NtUserValidateHandleSecure  (196674, ... ) == 0x1
 01755  1756   NtUserQueryWindow  (196674, 0, ... ) == 0x6b8
 01756  1756   NtUserQueryWindow  (196674, 1, ... ) == 0x6d4
 01757  1756   NtUserValidateHandleSecure  (196676, ... ) == 0x1
 01758  1756   NtUserQueryWindow  (196676, 0, ... ) == 0x6b8
 01759  1756   NtUserQueryWindow  (196676, 1, ... ) == 0x6d4
 01760  1756   NtUserValidateHandleSecure  (196678, ... ) == 0x1
 01761  1756   NtUserQueryWindow  (196678, 0, ... ) == 0x6b8
 01762  1756   NtUserQueryWindow  (196678, 1, ... ) == 0x6d4
 01763  1756   NtUserValidateHandleSecure  (65654, ... ) == 0x1
 01764  1756   NtUserQueryWindow  (65654, 0, ... ) == 0x6b8
 01765  1756   NtUserQueryWindow  (65654, 1, ... ) == 0x6d4
 01766  1756   NtUserValidateHandleSecure  (65666, ... ) == 0x1
 01767  1756   NtUserQueryWindow  (65666, 0, ... ) == 0x6b8
 01768  1756   NtUserQueryWindow  (65666, 1, ... ) == 0x6d4
 01769  1756   NtUserValidateHandleSecure  (65658, ... ) == 0x1
 01770  1756   NtUserQueryWindow  (65658, 0, ... ) == 0x6b8
 01771  1756   NtUserQueryWindow  (65658, 1, ... ) == 0x6d4
 01772  1756   NtUserValidateHandleSecure  (65662, ... ) == 0x1
 01773  1756   NtUserQueryWindow  (65662, 0, ... ) == 0x6b8
 01774  1756   NtUserQueryWindow  (65662, 1, ... ) == 0x6d4
 01775  1756   NtUserValidateHandleSecure  (327836, ... ) == 0x1
 01776  1756   NtUserQueryWindow  (327836, 0, ... ) == 0x6b8
 01777  1756   NtUserQueryWindow  (327836, 1, ... ) == 0x6d4
 01778  1756   NtUserValidateHandleSecure  (327836, ... ) == 0x1
 01779  1756   NtUserValidateHandleSecure  (65680, ... ) == 0x1
 01780  1756   NtUserQueryWindow  (65680, 0, ... ) == 0x6b8
 01781  1756   NtUserQueryWindow  (65680, 1, ... ) == 0x6bc
 01782  1756   NtUserValidateHandleSecure  (65680, ... ) == 0x1
 01783  1756   NtUserValidateHandleSecure  (327842, ... ) == 0x1
 01784  1756   NtUserQueryWindow  (327842, 0, ... ) == 0x6b8
 01785  1756   NtUserQueryWindow  (327842, 1, ... ) == 0x6d4
 01786  1756   NtUserValidateHandleSecure  (327842, ... ) == 0x1
 01787  1756   NtUserValidateHandleSecure  (65744, ... ) == 0x1
 01788  1756   NtUserQueryWindow  (65744, 0, ... ) == 0x19c
 01789  1756   NtUserQueryWindow  (65744, 1, ... ) == 0x1a0
 01790  1756   NtUserValidateHandleSecure  (65744, ... ) == 0x1
 01791  1756   NtUserValidateHandleSecure  (131248, ... ) == 0x1
 01792  1756   NtUserQueryWindow  (131248, 0, ... ) == 0xa0
 01793  1756   NtUserQueryWindow  (131248, 1, ... ) == 0xe4
 01794  1756   NtUserValidateHandleSecure  (131248, ... ) == 0x1
 01795  1756   NtUserValidateHandleSecure  (65740, ... ) == 0x1
 01796  1756   NtUserQueryWindow  (65740, 0, ... ) == 0x19c
 01797  1756   NtUserQueryWindow  (65740, 1, ... ) == 0x1a0
 01798  1756   NtUserValidateHandleSecure  (65740, ... ) == 0x1
 01799  1756   NtUserValidateHandleSecure  (459012, ... ) == 0x1
 01800  1756   NtUserQueryWindow  (459012, 0, ... ) == 0x49c
 01801  1756   NtUserQueryWindow  (459012, 1, ... ) == 0x180
 01802  1756   NtUserValidateHandleSecure  (459012, ... ) == 0x1
 01803  1756   NtUserValidateHandleSecure  (459008, ... ) == 0x1
 01804  1756   NtUserQueryWindow  (459008, 0, ... ) == 0x5e8
 01805  1756   NtUserQueryWindow  (459008, 1, ... ) == 0x1dc
 01806  1756   NtUserValidateHandleSecure  (459008, ... ) == 0x1
 01807  1756   NtUserValidateHandleSecure  (131352, ... ) == 0x1
 01808  1756   NtUserQueryWindow  (131352, 0, ... ) == 0x6ac
 01809  1756   NtUserQueryWindow  (131352, 1, ... ) == 0x7f4
 01810  1756   NtUserValidateHandleSecure  (131352, ... ) == 0x1
 01811  1756   NtUserValidateHandleSecure  (196940, ... ) == 0x1
 01812  1756   NtUserQueryWindow  (196940, 0, ... ) == 0x4b4
 01813  1756   NtUserQueryWindow  (196940, 1, ... ) == 0x474
 01814  1756   NtUserValidateHandleSecure  (196940, ... ) == 0x1
 01815  1756   NtUserValidateHandleSecure  (65820, ... ) == 0x1
 01816  1756   NtUserQueryWindow  (65820, 0, ... ) == 0x22c
 01817  1756   NtUserQueryWindow  (65820, 1, ... ) == 0x220
 01818  1756   NtUserValidateHandleSecure  (65820, ... ) == 0x1
 01819  1756   NtUserValidateHandleSecure  (65766, ... ) == 0x1
 01820  1756   NtUserQueryWindow  (65766, 0, ... ) == 0x6b8
 01821  1756   NtUserQueryWindow  (65766, 1, ... ) == 0x13c
 01822  1756   NtUserValidateHandleSecure  (65766, ... ) == 0x1
 01823  1756   NtUserValidateHandleSecure  (65750, ... ) == 0x1
 01824  1756   NtUserQueryWindow  (65750, 0, ... ) == 0x6b8
 01825  1756   NtUserQueryWindow  (65750, 1, ... ) == 0x13c
 01826  1756   NtUserValidateHandleSecure  (65750, ... ) == 0x1
 01827  1756   NtUserBuildHwndList  (0, 65750, 1, 0, 64, ... (0x100da, 0x100dc, 0x100de, 0x100e0, 0x1, ), 5, ) == 0x0
 01828  1756   NtUserValidateHandleSecure  (65754, ... ) == 0x1
 01829  1756   NtUserQueryWindow  (65754, 0, ... ) == 0x6b8
 01830  1756   NtUserQueryWindow  (65754, 1, ... ) == 0x13c
 01831  1756   NtUserValidateHandleSecure  (65756, ... ) == 0x1
 01832  1756   NtUserQueryWindow  (65756, 0, ... ) == 0x6b8
 01833  1756   NtUserQueryWindow  (65756, 1, ... ) == 0x13c
 01834  1756   NtUserValidateHandleSecure  (65758, ... ) == 0x1
 01835  1756   NtUserQueryWindow  (65758, 0, ... ) == 0x6b8
 01836  1756   NtUserQueryWindow  (65758, 1, ... ) == 0x13c
 01837  1756   NtUserValidateHandleSecure  (65760, ... ) == 0x1
 01838  1756   NtUserQueryWindow  (65760, 0, ... ) == 0x6b8
 01839  1756   NtUserQueryWindow  (65760, 1, ... ) == 0x13c
 01840  1756   NtUserValidateHandleSecure  (65746, ... ) == 0x1
 01841  1756   NtUserQueryWindow  (65746, 0, ... ) == 0x6b8
 01842  1756   NtUserQueryWindow  (65746, 1, ... ) == 0x6d4
 01843  1756   NtUserValidateHandleSecure  (65746, ... ) == 0x1
 01844  1756   NtUserValidateHandleSecure  (65738, ... ) == 0x1
 01845  1756   NtUserQueryWindow  (65738, 0, ... ) == 0x19c
 01846  1756   NtUserQueryWindow  (65738, 1, ... ) == 0x1a0
 01847  1756   NtUserValidateHandleSecure  (65738, ... ) == 0x1
 01848  1756   NtUserValidateHandleSecure  (65736, ... ) == 0x1
 01849  1756   NtUserQueryWindow  (65736, 0, ... ) == 0xa0
 01850  1756   NtUserQueryWindow  (65736, 1, ... ) == 0xe4
 01851  1756   NtUserValidateHandleSecure  (65736, ... ) == 0x1
 01852  1756   NtUserValidateHandleSecure  (65722, ... ) == 0x1
 01853  1756   NtUserQueryWindow  (65722, 0, ... ) == 0x104
 01854  1756   NtUserQueryWindow  (65722, 1, ... ) == 0x108
 01855  1756   NtUserValidateHandleSecure  (65722, ... ) == 0x1
 01856  1756   NtUserValidateHandleSecure  (65710, ... ) == 0x1
 01857  1756   NtUserQueryWindow  (65710, 0, ... ) == 0x104
 01858  1756   NtUserQueryWindow  (65710, 1, ... ) == 0x108
 01859  1756   NtUserValidateHandleSecure  (65710, ... ) == 0x1
 01860  1756   NtUserValidateHandleSecure  (65708, ... ) == 0x1
 01861  1756   NtUserQueryWindow  (65708, 0, ... ) == 0x120
 01862  1756   NtUserQueryWindow  (65708, 1, ... ) == 0x124
 01863  1756   NtUserValidateHandleSecure  (65708, ... ) == 0x1
 01864  1756   NtUserValidateHandleSecure  (196774, ... ) == 0x1
 01865  1756   NtUserQueryWindow  (196774, 0, ... ) == 0xc4
 01866  1756   NtUserQueryWindow  (196774, 1, ... ) == 0xc8
 01867  1756   NtUserValidateHandleSecure  (196774, ... ) == 0x1
 01868  1756   NtUserValidateHandleSecure  (65656, ... ) == 0x1
 01869  1756   NtUserQueryWindow  (65656, 0, ... ) == 0x6b8
 01870  1756   NtUserQueryWindow  (65656, 1, ... ) == 0x6ec
 01871  1756   NtUserValidateHandleSecure  (65656, ... ) == 0x1
 01872  1756   NtUserValidateHandleSecure  (196706, ... ) == 0x1
 01873  1756   NtUserQueryWindow  (196706, 0, ... ) == 0x6b8
 01874  1756   NtUserQueryWindow  (196706, 1, ... ) == 0x6bc
 01875  1756   NtUserValidateHandleSecure  (196706, ... ) == 0x1
 01876  1756   NtUserValidateHandleSecure  (327734, ... ) == 0x1
 01877  1756   NtUserQueryWindow  (327734, 0, ... ) == 0x6b8
 01878  1756   NtUserQueryWindow  (327734, 1, ... ) == 0x6bc
 01879  1756   NtUserValidateHandleSecure  (327734, ... ) == 0x1
 01880  1756   NtUserValidateHandleSecure  (327772, ... ) == 0x1
 01881  1756   NtUserQueryWindow  (327772, 0, ... ) == 0x6b8
 01882  1756   NtUserQueryWindow  (327772, 1, ... ) == 0x6bc
 01883  1756   NtUserValidateHandleSecure  (327772, ... ) == 0x1
 01884  1756   NtUserValidateHandleSecure  (65726, ... ) == 0x1
 01885  1756   NtUserQueryWindow  (65726, 0, ... ) == 0x19c
 01886  1756   NtUserQueryWindow  (65726, 1, ... ) == 0x1a0
 01887  1756   NtUserValidateHandleSecure  (65726, ... ) == 0x1
 01888  1756   NtUserValidateHandleSecure  (262398, ... ) == 0x1
 01889  1756   NtUserQueryWindow  (262398, 0, ... ) == 0x6b8
 01890  1756   NtUserQueryWindow  (262398, 1, ... ) == 0x6d4
 01891  1756   NtUserValidateHandleSecure  (262398, ... ) == 0x1
 01892  1756   NtUserValidateHandleSecure  (65682, ... ) == 0x1
 01893  1756   NtUserQueryWindow  (65682, 0, ... ) == 0x6b8
 01894  1756   NtUserQueryWindow  (65682, 1, ... ) == 0x6bc
 01895  1756   NtUserValidateHandleSecure  (65682, ... ) == 0x1
 01896  1756   NtUserValidateHandleSecure  (65670, ... ) == 0x1
 01897  1756   NtUserQueryWindow  (65670, 0, ... ) == 0x6b8
 01898  1756   NtUserQueryWindow  (65670, 1, ... ) == 0x6bc
 01899  1756   NtUserValidateHandleSecure  (65670, ... ) == 0x1
 01900  1756   NtUserBuildHwndList  (0, 65670, 1, 0, 64, ... (0x1008c, 0x1008e, 0x1, ), 3, ) == 0x0
 01901  1756   NtUserValidateHandleSecure  (65676, ... ) == 0x1
 01902  1756   NtUserQueryWindow  (65676, 0, ... ) == 0x6b8
 01903  1756   NtUserQueryWindow  (65676, 1, ... ) == 0x6bc
 01904  1756   NtUserValidateHandleSecure  (65678, ... ) == 0x1
 01905  1756   NtUserQueryWindow  (65678, 0, ... ) == 0x6b8
 01906  1756   NtUserQueryWindow  (65678, 1, ... ) == 0x6bc
 01907  1756   NtUserValidateHandleSecure  (262196, ... ) == 0x1
 01908  1756   NtUserQueryWindow  (262196, 0, ... ) == 0x6b8
 01909  1756   NtUserQueryWindow  (262196, 1, ... ) == 0x6d4
 01910  1756   NtUserValidateHandleSecure  (262196, ... ) == 0x1
 01911  1756   NtUserValidateHandleSecure  (327760, ... ) == 0x1
 01912  1756   NtUserQueryWindow  (327760, 0, ... ) == 0x6b8
 01913  1756   NtUserQueryWindow  (327760, 1, ... ) == 0x6d4
 01914  1756   NtUserValidateHandleSecure  (327760, ... ) == 0x1
 01915  1756   NtUserValidateHandleSecure  (65852, ... ) == 0x1
 01916  1756   NtUserQueryWindow  (65852, 0, ... ) == 0x22c
 01917  1756   NtUserQueryWindow  (65852, 1, ... ) == 0x220
 01918  1756   NtUserValidateHandleSecure  (65852, ... ) == 0x1
 01919  1756   NtUserValidateHandleSecure  (65824, ... ) == 0x1
 01920  1756   NtUserQueryWindow  (65824, 0, ... ) == 0x22c
 01921  1756   NtUserQueryWindow  (65824, 1, ... ) == 0x220
 01922  1756   NtUserValidateHandleSecure  (65824, ... ) == 0x1
 01923  1756   NtUserValidateHandleSecure  (65730, ... ) == 0x1
 01924  1756   NtUserQueryWindow  (65730, 0, ... ) == 0xa0
 01925  1756   NtUserQueryWindow  (65730, 1, ... ) == 0xe4
 01926  1756   NtUserValidateHandleSecure  (65730, ... ) == 0x1
 01927  1756   NtUserValidateHandleSecure  (65724, ... ) == 0x1
 01928  1756   NtUserQueryWindow  (65724, 0, ... ) == 0xa0
 01929  1756   NtUserQueryWindow  (65724, 1, ... ) == 0xe4
 01930  1756   NtUserValidateHandleSecure  (65724, ... ) == 0x1
 01931  1756   NtUserValidateHandleSecure  (131406, ... ) == 0x1
 01932  1756   NtUserQueryWindow  (131406, 0, ... ) == 0x4b4
 01933  1756   NtUserQueryWindow  (131406, 1, ... ) == 0x474
 01934  1756   NtUserValidateHandleSecure  (131406, ... ) == 0x1
 01935  1756   NtUserValidateHandleSecure  (65752, ... ) == 0x1
 01936  1756   NtUserQueryWindow  (65752, 0, ... ) == 0x6b8
 01937  1756   NtUserQueryWindow  (65752, 1, ... ) == 0x13c
 01938  1756   NtUserValidateHandleSecure  (65752, ... ) == 0x1
 01939  1756   NtUserValidateHandleSecure  (65718, ... ) == 0x1
 01940  1756   NtUserQueryWindow  (65718, 0, ... ) == 0x104
 01941  1756   NtUserQueryWindow  (65718, 1, ... ) == 0x108
 01942  1756   NtUserValidateHandleSecure  (65718, ... ) == 0x1
 01943  1756   NtUserValidateHandleSecure  (65720, ... ) == 0x1
 01944  1756   NtUserQueryWindow  (65720, 0, ... ) == 0x120
 01945  1756   NtUserQueryWindow  (65720, 1, ... ) == 0x124
 01946  1756   NtUserValidateHandleSecure  (65720, ... ) == 0x1
 01947  1756   NtUserValidateHandleSecure  (65716, ... ) == 0x1
 01948  1756   NtUserQueryWindow  (65716, 0, ... ) == 0xc4
 01949  1756   NtUserQueryWindow  (65716, 1, ... ) == 0xc8
 01950  1756   NtUserValidateHandleSecure  (65716, ... ) == 0x1
 01951  1756   NtUserValidateHandleSecure  (65728, ... ) == 0x1
 01952  1756   NtUserQueryWindow  (65728, 0, ... ) == 0x19c
 01953  1756   NtUserQueryWindow  (65728, 1, ... ) == 0x1a0
 01954  1756   NtUserValidateHandleSecure  (65728, ... ) == 0x1
 01955  1756   NtUserValidateHandleSecure  (65690, ... ) == 0x1
 01956  1756   NtUserQueryWindow  (65690, 0, ... ) == 0x6b8
 01957  1756   NtUserQueryWindow  (65690, 1, ... ) == 0x6bc
 01958  1756   NtUserValidateHandleSecure  (65690, ... ) == 0x1
 01959  1756   NtUserValidateHandleSecure  (327774, ... ) == 0x1
 01960  1756   NtUserQueryWindow  (327774, 0, ... ) == 0x6b8
 01961  1756   NtUserQueryWindow  (327774, 1, ... ) == 0x6bc
 01962  1756   NtUserValidateHandleSecure  (327774, ... ) == 0x1
 01963  1756   NtUserCloseDesktop  (60, ... ) == 0x1
 01964  1756   NtUserGetProcessWindowStation  (... ) == 0x1c
 01965  1756   NtUserOpenDesktop  ({24, 28, 0x40, 0, 0,  ({24, 28, 0x40, 0, 0, "Disconnect"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0
 01966  1756   NtUserGetProcessWindowStation  (... ) == 0x1c
 01967  1756   NtUserOpenDesktop  ({24, 28, 0x40, 0, 0,  ({24, 28, 0x40, 0, 0, "Winlogon"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0
 01968  1756   NtGdiDeleteObjectApp  (856294625, ... ) == 0x1
 01969  1756   NtGdiDeleteObjectApp  (1376388660, ... ) == 0x1
 01970  1756   NtClose  (56, ... ) == 0x0
 01971  1756   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x4,}, 4, ... ) == 0x0
 01972  1756   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize"}, ... 56, ) }, ... 56, ) == 0x0
 01973  1756   NtQueryValueKey  (56,  (56, "DisableMetaFiles", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01974  1756   NtClose  (56, ... ) == 0x0
 01975  1756   NtClose  (44, ... ) == 0x0
 01976  1756   NtFreeVirtualMemory  (-1, (0x3f0000), 4096, 32768, ... (0x3f0000), 4096, ) == 0x0
 01977  1756   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 01978  1756   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 01979  1756   NtQueryVirtualMemory  (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 01980  1756   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 1177968, 2011678370, 1178092, 1177980}  (24, {20, 48, new_msg, 0, 1177968, 2011678370, 1178092, 1177980} "\0\0\0\0\3\0\1\0\214\371\21\0\320\220\347w\216\0\0\300" ... {20, 48, reply, 0, 1580, 1756, 58125, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\320\220\347w\216\0\0\300" )  ... {20, 48, reply, 0, 1580, 1756, 58125, 0}  (24, {20, 48, new_msg, 0, 1177968, 2011678370, 1178092, 1177980} "\0\0\0\0\3\0\1\0\214\371\21\0\320\220\347w\216\0\0\300" ... {20, 48, reply, 0, 1580, 1756, 58125, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\320\220\347w\216\0\0\300" )  ) == 0x0
 01981  1756   NtTerminateProcess  (-1, -1073741682, ...
NtAccessCheck(>)	1	NtUserGetThreadDesktop(>)	1	NtSetInformationFile(>)	5	NtQueryVirtualMemory(>)	15
NtCallbackReturn(>)	1	NtUserOpenWindowStation(>)	1	NtUserBuildHwndList(>)	5	NtDeviceIoControlFile(>)	16
NtCreateProcessEx(>)	1	NtUserSystemParametersInfo(>)	1	NtWaitForSingleObject(>)	5	NtRequestWaitReplyPort(>)	16
NtCreateSemaphore(>)	1	NtConnectPort(>)	2	NtWriteVirtualMemory(>)	5	NtOpenSection(>)	24
NtCreateThread(>)	1	NtCreateIoCompletion(>)	2	NtContinue(>)	6	NtQueryDirectoryFile(>)	24
NtDuplicateToken(>)	1	NtGdiCreateSolidBrush(>)	2	NtOpenProcessToken(>)	6	NtSetInformationProcess(>)	25
NtGdiCreateBitmap(>)	1	NtGdiHfontCreate(>)	2	NtQueryDefaultUILanguage(>)	6	NtOpenProcessTokenEx(>)	28
NtGdiCreatePatternBrushInternal(>)	1	NtQueryInformationJobObject(>)	2	NtUserGetProcessWindowStation(>)	6	NtOpenThreadTokenEx(>)	28
NtGdiInit(>)	1	NtReleaseMutant(>)	2	NtWaitForMultipleObjects(>)	6	NtCreateSection(>)	29
NtGdiQueryFontAssocInfo(>)	1	NtTerminateProcess(>)	2	NtFsControlFile(>)	7	NtQueryInformationToken(>)	37
NtGdiSelectBitmap(>)	1	NtUserCloseWindowStation(>)	2	NtOpenThreadToken(>)	7	NtOpenFile(>)	41
NtOpenEvent(>)	1	NtUserGetObjectInformation(>)	2	NtQueryInformationFile(>)	7	NtQueryInformationProcess(>)	44
NtOpenKeyedEvent(>)	1	NtGdiCreateCompatibleDC(>)	3	NtEnumerateKey(>)	8	NtQueryDefaultLocale(>)	48
NtOpenMutant(>)	1	NtGdiDeleteObjectApp(>)	3	NtSetValueKey(>)	8	NtUnmapViewOfSection(>)	48
NtQueryDebugFilterState(>)	1	NtOpenDirectoryObject(>)	3	NtUserCallNoParam(>)	9	NtAllocateVirtualMemory(>)	51
NtQueryInstallUILanguage(>)	1	NtOpenSymbolicLinkObject(>)	3	NtUserFindExistingCursorIcon(>)	9	NtQueryAttributesFile(>)	54
NtQueryObject(>)	1	NtQuerySymbolicLinkObject(>)	3	NtUserGetWindowDC(>)	10	NtFlushInstructionCache(>)	65
NtQueryPerformanceCounter(>)	1	NtReadVirtualMemory(>)	3	NtCreateKey(>)	11	NtMapViewOfSection(>)	69
NtQuerySystemTime(>)	1	NtSetEvent(>)	3	NtFreeVirtualMemory(>)	11	NtQuerySystemInformation(>)	76
NtRegisterThreadTerminatePort(>)	1	NtSetInformationObject(>)	3	NtUserCallOneParam(>)	11	NtQueryValueKey(>)	105
NtResumeThread(>)	1	NtUserOpenDesktop(>)	3	NtWriteFile(>)	11	NtUserValidateHandleSecure(>)	130
NtSecureConnectPort(>)	1	NtCreateMutant(>)	4	NtQuerySection(>)	12	NtOpenKey(>)	153
NtTestAlert(>)	1	NtDuplicateObject(>)	4	NtSetInformationThread(>)	13	NtProtectVirtualMemory(>)	156
NtUserBuildNameList(>)	1	NtQueryVolumeInformationFile(>)	4	NtCreateEvent(>)	14	NtUserQueryWindow(>)	158
NtUserCloseDesktop(>)	1	NtGdiGetStockObject(>)	5	NtCreateFile(>)	14	NtClose(>)	240
NtUserGetGUIThreadInfo(>)	1	NtReadFile(>)	5	NtUserRegisterClassExWOW(>)	14