Summary (number of times each NT system call appears in the complete trace, grouped in ascending order of count; these totals cover the whole run, while the Trace section below is cut off mid-entry at call 00287, so several calls listed here — e.g. NtCreateProcessEx, NtResumeThread, NtWriteVirtualMemory, NtDuplicateToken — occur only in the part of the trace that is not shown):

NtAccessCheck(>) 1 NtResumeThread(>) 1 NtCreateSemaphore(>) 3 NtQueryInformationProcess(>) 7
NtCallbackReturn(>) 1 NtSecureConnectPort(>) 1 NtFlushInstructionCache(>) 3 NtFsControlFile(>) 8
NtContinue(>) 1 NtTestAlert(>) 1 NtFreeVirtualMemory(>) 3 NtProtectVirtualMemory(>) 8
NtCreateProcessEx(>) 1 NtUnmapViewOfSection(>) 1 NtGdiCreateCompatibleDC(>) 3 NtUserFindExistingCursorIcon(>) 9
NtDuplicateToken(>) 1 NtUserCallNoParam(>) 1 NtSetInformationProcess(>) 3 NtOpenFile(>) 10
NtGdiCreateBitmap(>) 1 NtUserGetThreadDesktop(>) 1 NtSetInformationThread(>) 3 NtQueryInformationFile(>) 10
NtGdiInit(>) 1 NtCreateIoCompletion(>) 2 NtDuplicateObject(>) 4 NtQueryDefaultLocale(>) 12
NtGdiQueryFontAssocInfo(>) 1 NtCreateThread(>) 2 NtOpenProcessToken(>) 4 NtQuerySystemInformation(>) 13
NtGdiSelectBitmap(>) 1 NtEnumerateKey(>) 2 NtOpenThreadToken(>) 4 NtUserRegisterClassExWOW(>) 15
NtNotifyChangeKey(>) 1 NtGdiCreateSolidBrush(>) 2 NtQueryVolumeInformationFile(>) 4 NtQueryAttributesFile(>) 17
NtOpenEvent(>) 1 NtOpenDirectoryObject(>) 2 NtReadVirtualMemory(>) 4 NtMapViewOfSection(>) 18
NtOpenKeyedEvent(>) 1 NtOpenMutant(>) 2 NtSetInformationFile(>) 4 NtOpenSection(>) 18
NtQueryDebugFilterState(>) 1 NtOpenSymbolicLinkObject(>) 2 NtCreateFile(>) 5 NtOpenProcessTokenEx(>) 21
NtQueryInformationJobObject(>) 1 NtQueryDefaultUILanguage(>) 2 NtGdiGetStockObject(>) 5 NtOpenThreadTokenEx(>) 21
NtQueryInstallUILanguage(>) 1 NtQueryDirectoryFile(>) 2 NtQuerySection(>) 5 NtQueryInformationToken(>) 27
NtQueryObject(>) 1 NtQuerySymbolicLinkObject(>) 2 NtCreateSection(>) 6 NtQueryValueKey(>) 27
NtQuerySystemTime(>) 1 NtQueryVirtualMemory(>) 2 NtRequestWaitReplyPort(>) 6 NtAllocateVirtualMemory(>) 31
NtReadFile(>) 1 NtSetInformationObject(>) 2 NtWaitForSingleObject(>) 6 NtOpenKey(>) 73
NtRegisterThreadTerminatePort(>) 1 NtTerminateProcess(>) 2 NtWriteVirtualMemory(>) 6 NtClose(>) 84
NtReleaseMutant(>) 1 NtWriteFile(>) 2 NtCreateEvent(>) 7

Trace (one entry per system call: sequence number, the constant 392 — apparently the calling thread ID, since it is passed to NtUserGetThreadDesktop at 00126 and appears as the second ClientId field, after 388, in the LPC replies at 00031/00055/00095 — then the call name, its arguments, and after "==" the NTSTATUS; entries are run together on long lines. Points a reviewer should check in this portion: 00056–00058 flip 0x406000 (15954 bytes) from protection 0x80 to 0x4 and back, then flush the instruction cache, which is consistent with in-place unpacking; 00233 finds \??\C:\WINDOWS\System32\rpcsvc.exe absent, 00234 opens the traced program's own image \??\u:\work\packed.exe for read, 00242 creates rpcsvc.exe (info=2, i.e. FILE_CREATED) and 00251 writes 16896 bytes to it beginning with an MZ/PE header that contains the string "MEW" — so the process drops a copy of (part of) itself into System32; 00225 reads ServiceCurrent = 7, 00232 is denied access to \??\pipe\net\NtControlPipe7, and 00257–00258 open and wait on Global\SvcctrlStartEvent_A3752DX, which together look like service-control-manager interaction whose outcome is outside the visible trace):

00001 392 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00002 392 NtOpenKeyedEvent (0x2000000, {24, 0, 0x0, 0, 0, (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0 00003 392 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00004 392 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0 00005 392 NtAllocateVirtualMemory (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0 00006 392 NtAllocateVirtualMemory (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0 00007 392 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00008 392 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0 00009 392 NtAllocateVirtualMemory (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0 00010 392 NtOpenDirectoryObject (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0 00011 392 NtOpenSymbolicLinkObject (0x1, {24, 8, 0x40, 0, 0, (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0 00012 392 NtQuerySymbolicLinkObject (12, ... (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0 00013 392 NtClose (12, ... 
) == 0x0 00014 392 NtOpenFile (0x100020, {24, 0, 0x42, 0, 0, (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0 00015 392 NtQueryVolumeInformationFile (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00016 392 NtFsControlFile (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER 00017 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00018 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0 00019 392 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0 00020 392 NtClose (16, ... ) == 0x0 00021 392 NtQuerySystemInformation (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0 00022 392 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00023 392 NtCreateSection (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0 00024 392 NtSecureConnectPort ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18743296}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18743296}, {0, 0, 0}, 200, 44, ) == 0x0 00025 392 NtClose (16, ... ) == 0x0 00026 392 NtQueryObject (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0 00027 392 NtSetInformationObject (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0 00028 392 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00029 392 NtQueryVirtualMemory (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0 00030 392 NtAllocateVirtualMemory (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0 00031 392 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 0, 0, 0, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\36\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\36\1\4\0\0\0" ... {28, 56, reply, 0, 388, 392, 1514, 0} " z\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\36\1\4\0\0\0" ) ... {28, 56, reply, 0, 388, 392, 1514, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\36\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\36\1\4\0\0\0" ... {28, 56, reply, 0, 388, 392, 1514, 0} " z\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\36\1\4\0\0\0" ) ) == 0x0 00032 392 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00033 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0 00034 392 NtQueryValueKey (16, (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00035 392 NtClose (16, ... ) == 0x0 00036 392 NtAllocateVirtualMemory (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0 00037 392 NtOpenMutant (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0 00038 392 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 
28, ) == 0x0 00039 392 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0 00040 392 NtClose (28, ... ) == 0x0 00041 392 NtQueryDefaultLocale (0, 2012046252, ... ) == 0x0 00042 392 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0 00043 392 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 212992, ) == 0x0 00044 392 NtClose (28, ... ) == 0x0 00045 392 NtOpenSection (0x5, {24, 0, 0x40, 0, 0, (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0 00046 392 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0 00047 392 NtQuerySection (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0 00048 392 NtClose (28, ... ) == 0x0 00049 392 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0 00050 392 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0 00051 392 NtClose (28, ... ) == 0x0 00052 392 NtQueryVirtualMemory (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 00053 392 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00054 392 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00055 392 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\36\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\36\18\6\0\0" ... 
{28, 56, reply, 0, 388, 392, 1519, 0} "H\322\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\36\18\6\0\0" ) ... {28, 56, reply, 0, 388, 392, 1519, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\36\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\36\18\6\0\0" ... {28, 56, reply, 0, 388, 392, 1519, 0} "H\322\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\36\18\6\0\0" ) ) == 0x0 00056 392 NtProtectVirtualMemory (-1, (0x406000), 15954, 4, ... (0x406000), 16384, 128, ) == 0x0 00057 392 NtProtectVirtualMemory (-1, (0x406000), 16384, 128, ... (0x406000), 16384, 4, ) == 0x0 00058 392 NtFlushInstructionCache (-1, 4218880, 15954, ... ) == 0x0 00059 392 NtOpenProcessToken (-1, 0x8, ... 28, ) == 0x0 00060 392 NtQueryInformationToken (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00061 392 NtClose (28, ... ) == 0x0 00062 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0 00063 392 NtQueryValueKey (28, (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00064 392 NtClose (28, ... ) == 0x0 00065 392 NtTestAlert (... ) == 0x0 00066 392 NtContinue (1244464, 1, ... 00067 392 NtSetInformationThread (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x40802c,}, 4, ... ) == 0x0 00068 392 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 28, ) }, ... 28, ) == 0x0 00069 392 NtQueryValueKey (28, (28, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00070 392 NtClose (28, ... ) == 0x0 00071 392 NtAllocateVirtualMemory (-1, 1323008, 0, 4096, 4096, 4, ... 
1323008, 4096, ) == 0x0 00072 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "USER32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00073 392 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0 00074 392 NtClose (28, ... ) == 0x0 00075 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00076 392 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0 00077 392 NtClose (28, ... ) == 0x0 00078 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00079 392 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0 00080 392 NtClose (28, ... ) == 0x0 00081 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0 00082 392 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0 00083 392 NtClose (28, ... ) == 0x0 00084 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0 00085 392 NtQueryValueKey (28, (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00086 392 NtQueryValueKey (28, (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00087 392 NtClose (28, ... ) == 0x0 00088 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 
28, ) == 0x0 00089 392 NtQueryValueKey (28, (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00090 392 NtClose (28, ... ) == 0x0 00091 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0 00092 392 NtSetInformationObject (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0 00093 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00094 392 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00095 392 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0} (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0} "\210\6\36\1\0\0\0\0\314\4\23\0\374\207\16\366\3\0\0\0\234\6\36\1$\1\0\0" ... {28, 56, reply, 0, 388, 392, 1548, 0} "XQ\26\0\0\0\0\0\0\0\0\0\374\207\16\366\3\0\0\0\234\6\36\1$\1\0\0" ) ... {28, 56, reply, 0, 388, 392, 1548, 0} (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0} "\210\6\36\1\0\0\0\0\314\4\23\0\374\207\16\366\3\0\0\0\234\6\36\1$\1\0\0" ... {28, 56, reply, 0, 388, 392, 1548, 0} "XQ\26\0\0\0\0\0\0\0\0\0\374\207\16\366\3\0\0\0\234\6\36\1$\1\0\0" ) ) == 0x0 00096 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00097 392 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x410000), 0x0, 1060864, ) == 0x0 00098 392 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 36, ) == 0x0 00099 392 NtOpenThreadTokenEx (-2, 0x8, 1, 512, ... 
) == STATUS_NO_TOKEN 00100 392 NtOpenProcessTokenEx (-1, 0x8, 512, ... -2147482036, ) == 0x0 00101 392 NtQueryInformationToken (-2147482036, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL 00102 392 NtQueryInformationToken (-2147482036, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00103 392 NtClose (-2147482036, ... ) == 0x0 00104 392 NtAllocateVirtualMemory (-1, 0, 0, 32, 4096, 4, ... 4128768, 4096, ) == 0x0 00105 392 NtFreeVirtualMemory (-1, (0x3f0000), 4096, 32768, ... (0x3f0000), 4096, ) == 0x0 00106 392 NtDuplicateObject (-1, 40, -1, 0x0, 0, 2, ... 48, ) == 0x0 00107 392 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 00108 392 NtQueryValueKey (-2147482032, (-2147482032, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00109 392 NtClose (-2147482032, ... ) == 0x0 00110 392 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 00111 392 NtQueryValueKey (-2147482032, (-2147482032, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00112 392 NtClose (-2147482032, ... ) == 0x0 00113 392 NtQueryDefaultLocale (0, -130774516, ... ) == 0x0 00114 392 NtGdiQueryFontAssocInfo (0, ... ) == 0x0 00115 392 NtUserCallNoParam (24, ... ) == 0x0 00116 392 NtGdiCreateCompatibleDC (0, ... 00117 392 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 4128768, 4096, ) == 0x0 00116 392 NtGdiCreateCompatibleDC ... ) == 0x8010427 00118 392 NtGdiGetStockObject (0, ... ) == 0x1900010 00119 392 NtGdiGetStockObject (4, ... ) == 0x1900011 00120 392 NtGdiCreateBitmap (8, 8, 1, 1, 2010393708, ... ) == 0x9050429 00121 392 NtGdiCreateSolidBrush (0, 0, ... 
00122 392 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 8519680, 4096, ) == 0x0 00121 392 NtGdiCreateSolidBrush ... ) == 0xb100440 00123 392 NtGdiGetStockObject (13, ... ) == 0x18a0021 00124 392 NtGdiCreateCompatibleDC (0, ... ) == 0x38010439 00125 392 NtGdiSelectBitmap (939590713, 151323689, ... ) == 0x185000f 00126 392 NtUserGetThreadDesktop (392, 0, ... ) == 0x2c 00127 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 52, ) }, ... 52, ) == 0x0 00128 392 NtQueryValueKey (52, (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 00129 392 NtClose (52, ... ) == 0x0 00130 392 NtUserFindExistingCursorIcon (1240896, 1240912, 1241480, ... ) == 0x10011 00131 392 NtUserRegisterClassExWOW (1241416, 1241496, 1241480, 1241512, 673, 128, 0, ... ) == 0x810ec017 00132 392 NtUserFindExistingCursorIcon (1240896, 1240912, 1241480, ... ) == 0x10011 00133 392 NtUserRegisterClassExWOW (1241416, 1241496, 1241480, 1241512, 674, 128, 0, ... ) == 0x810ec01c 00134 392 NtUserFindExistingCursorIcon (1240896, 1240912, 1241480, ... ) == 0x10011 00135 392 NtUserRegisterClassExWOW (1241416, 1241496, 1241480, 1241512, 675, 128, 0, ... ) == 0x810ec01e 00136 392 NtUserFindExistingCursorIcon (1240896, 1240912, 1241480, ... ) == 0x10011 00137 392 NtUserRegisterClassExWOW (1241416, 1241496, 1241480, 1241512, 676, 128, 0, ... ) == 0x810e8002 00138 392 NtUserFindExistingCursorIcon (1240896, 1240912, 1241480, ... ) == 0x10013 00139 392 NtUserRegisterClassExWOW (1241416, 1241496, 1241480, 1241512, 677, 128, 0, ... ) == 0x810ec018 00140 392 NtUserFindExistingCursorIcon (1240896, 1240912, 1241480, ... ) == 0x10011 00141 392 NtUserRegisterClassExWOW (1241416, 1241496, 1241480, 1241512, 678, 128, 0, ... 
) == 0x810ec01a 00142 392 NtUserFindExistingCursorIcon (1240896, 1240912, 1241480, ... ) == 0x10011 00143 392 NtUserRegisterClassExWOW (1241416, 1241496, 1241480, 1241512, 679, 128, 0, ... ) == 0x810ec01d 00144 392 NtUserFindExistingCursorIcon (1240896, 1240912, 1241480, ... ) == 0x10011 00145 392 NtUserRegisterClassExWOW (1241416, 1241496, 1241480, 1241512, 681, 128, 0, ... ) == 0x810ec026 00146 392 NtUserFindExistingCursorIcon (1240896, 1240912, 1241480, ... ) == 0x10011 00147 392 NtUserRegisterClassExWOW (1241416, 1241496, 1241480, 1241512, 680, 128, 0, ... ) == 0x810ec019 00148 392 NtUserRegisterClassExWOW (1241368, 1241448, 1241432, 1241464, 0, 128, 0, ... ) == 0x810ec020 00149 392 NtUserRegisterClassExWOW (1241368, 1241444, 1241460, 1241432, 0, 130, 0, ... ) == 0x810ec022 00150 392 NtUserRegisterClassExWOW (1241368, 1241448, 1241432, 1241464, 0, 128, 0, ... ) == 0x810ec023 00151 392 NtUserRegisterClassExWOW (1241368, 1241444, 1241460, 1241432, 0, 130, 0, ... ) == 0x810ec024 00152 392 NtUserRegisterClassExWOW (1241368, 1241448, 1241432, 1241464, 0, 128, 0, ... 00153 392 NtAllocateVirtualMemory (-1, 5484544, 0, 4096, 4096, 32, ... 5484544, 4096, ) == 0x0 00152 392 NtUserRegisterClassExWOW ... ) == 0x810ec025 00154 392 NtCallbackReturn (0, 0, 0, ... 00155 392 NtGdiInit (... ) == 0x1 00156 392 NtGdiGetStockObject (18, ... ) == 0x290001c 00157 392 NtGdiGetStockObject (19, ... ) == 0x1b00019 00158 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00159 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1243092, ... ) }, 1243092, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00160 392 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WS2_32.dll"}, 1243092, ... ) }, 1243092, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00161 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 1243092, ... ) }, 1243092, ... ) == 0x0 00162 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0 00163 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 52, ... 56, ) == 0x0 00164 392 NtQuerySection (56, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00165 392 NtOpenProcessToken (-1, 0x8, ... 60, ) == 0x0 00166 392 NtQueryInformationToken (60, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0 00167 392 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00168 392 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 64, ) }, ... 64, ) == 0x0 00169 392 NtQueryValueKey (64, (64, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (64, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00170 392 NtClose (64, ... ) == 0x0 00171 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00172 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 64, ) == 0x0 00173 392 NtQueryInformationToken (64, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00174 392 NtClose (64, ... ) == 0x0 00175 392 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00176 392 NtClose (60, ... ) == 0x0 00177 392 NtClose (52, ... 
) == 0x0 00178 392 NtMapViewOfSection (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 86016, ) == 0x0 00179 392 NtClose (56, ... ) == 0x0 00180 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 56, ) }, ... 56, ) == 0x0 00181 392 NtMapViewOfSection (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0 00182 392 NtClose (56, ... ) == 0x0 00183 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00184 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1242288, ... ) }, 1242288, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00185 392 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WS2HELP.dll"}, 1242288, ... ) }, 1242288, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00186 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 1242288, ... ) }, 1242288, ... ) == 0x0 00187 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 5, 96, ... 56, {status=0x0, info=1}, ) }, 5, 96, ... 56, {status=0x0, info=1}, ) == 0x0 00188 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 56, ... 52, ) == 0x0 00189 392 NtQuerySection (52, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00190 392 NtClose (56, ... ) == 0x0 00191 392 NtMapViewOfSection (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0 00192 392 NtClose (52, ... ) == 0x0 00193 392 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00194 392 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 
8585216, 65536, ) == 0x0 00195 392 NtAllocateVirtualMemory (-1, 8585216, 0, 4096, 4096, 4, ... 8585216, 4096, ) == 0x0 00196 392 NtAllocateVirtualMemory (-1, 8589312, 0, 8192, 4096, 4, ... 8589312, 8192, ) == 0x0 00197 392 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 52, ) }, ... 52, ) == 0x0 00198 392 NtMapViewOfSection (52, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x840000), 0x0, 12288, ) == 0x0 00199 392 NtClose (52, ... ) == 0x0 00200 392 NtAllocateVirtualMemory (-1, 8597504, 0, 4096, 4096, 4, ... 8597504, 4096, ) == 0x0 00201 392 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00202 392 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00203 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "MSWSOCK.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00204 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\MSWSOCK.dll"}, 1243092, ... ) }, 1243092, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00205 392 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "MSWSOCK.dll"}, 1243092, ... ) }, 1243092, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00206 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\MSWSOCK.dll"}, 1243092, ... ) }, 1243092, ... ) == 0x0 00207 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\MSWSOCK.dll"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0 00208 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 52, ... 56, ) == 0x0 00209 392 NtQuerySection (56, Image, 48, ... 
{section info, class 1, size 48}, 0x0, ) == 0x0 00210 392 NtClose (52, ... ) == 0x0 00211 392 NtMapViewOfSection (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a50000), 0x0, 241664, ) == 0x0 00212 392 NtClose (56, ... ) == 0x0 00213 392 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00214 392 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00215 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "MPR.dll"}, ... 56, ) }, ... 56, ) == 0x0 00216 392 NtMapViewOfSection (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71b20000), 0x0, 69632, ) == 0x0 00217 392 NtClose (56, ... ) == 0x0 00218 392 NtCreateSemaphore (0x1f0003, 0x0, 1, 1, ... 56, ) == 0x0 00219 392 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 52, ) == 0x0 00220 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "system\CurrentControlSet\control\NetworkProvider\HwOrder"}, ... 60, ) }, ... 60, ) == 0x0 00221 392 NtNotifyChangeKey (60, 52, 0, 0, 2011390432, 4, 0, 0, 0, 1, ... ) == 0x103 00222 392 NtQueryInformationProcess (-1, 28, 4, ... {process info, class 28, size 4}, 0x0, ) == 0x0 00223 392 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 64, ) == 0x0 00224 392 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 68, ) == 0x0 00225 392 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Control\ServiceCurrent"}, ... 72, ) }, ... 72, ) == 0x0 00226 392 NtQueryValueKey (72, " (72, "", Partial, 144, ... TitleIdx=0, Type=4, Data="\7\0\0\0"}, 16, ) \7\0\0\0"}, 16, ) == 0x0 00227 392 NtClose (72, ... ) == 0x0 00228 392 NtAllocateVirtualMemory (-1, 1327104, 0, 4096, 4096, 4, ... 
1327104, 4096, ) == 0x0 00229 392 NtOpenFile (0x100080, {24, 0, 0x40, 0, 0, (0x100080, {24, 0, 0x40, 0, 0, "\DosDevices\pipe\"}, 3, 32, ... 72, {status=0x0, info=1}, ) }, 3, 32, ... 72, {status=0x0, info=1}, ) == 0x0 00230 392 NtFsControlFile (72, 0, 0x0, 0x0, 0x110018, (72, 0, 0x0, 0x0, 0x110018, "\200.\17\367\377\377\377\377$\0\0\0\1\0n\0e\0t\0\\0N\0t\0C\0o\0n\0t\0r\0o\0l\0P\0i\0p\0e\07\0", 50, 0, ... ) , 50, 0, ... ) == STATUS_IO_TIMEOUT 00231 392 NtClose (72, ... ) == 0x0 00232 392 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1244356, (0xc0100080, {24, 0, 0x40, 0, 1244356, "\??\pipe\net\NtControlPipe7"}, 0x0, 128, 3, 1, 96, 0, 0, ... ) }, 0x0, 128, 3, 1, 96, 0, 0, ... ) == STATUS_ACCESS_DENIED 00233 392 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rpcsvc.exe"}, 7, 2113568, ... ) }, 7, 2113568, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00234 392 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1243920, (0x80100080, {24, 0, 0x40, 0, 1243920, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 72, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 72, {status=0x0, info=1}, ) == 0x0 00235 392 NtQueryInformationFile (72, 1244856, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0 00236 392 NtQueryInformationFile (72, 1244828, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00237 392 NtQueryInformationFile (72, 1244780, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 00238 392 NtAllocateVirtualMemory (-1, 1331200, 0, 8192, 4096, 4, ... 1331200, 8192, ) == 0x0 00239 392 NtQueryInformationFile (72, 1327280, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0 00240 392 NtQueryInformationFile (72, 1243324, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 00241 392 NtQueryInformationFile (72, 1243168, 4, Ea, ... {status=0x0, info=4}, ) == 0x0 00242 392 NtCreateFile (0x40110080, {24, 0, 0x40, 0, 1243176, (0x40110080, {24, 0, 0x40, 0, 1243176, "\??\C:\WINDOWS\System32\rpcsvc.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... 
}, 0x0, 32, 0, 5, 100, 0, 0, ... 00243 392 NtClose (-2147482040, ... ) == 0x0 00242 392 NtCreateFile ... 76, {status=0x0, info=2}, ) == 0x0 00244 392 NtQueryVolumeInformationFile (76, 1242548, 536, Attribute, ... {status=0x0, info=22}, ) == 0x0 00245 392 NtQueryInformationFile (76, 1242508, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 00246 392 NtQueryVolumeInformationFile (72, 1242548, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0 00247 392 NtSetInformationFile (76, 1242336, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 00248 392 NtCreateSection (0xf001f, 0x0, 0x0, 2, 134217728, 72, ... 80, ) == 0x0 00249 392 NtMapViewOfSection (80, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x850000), {0, 0}, 20480, ) == 0x0 00250 392 NtClose (80, ... ) == 0x0 00251 392 NtWriteFile (76, 0, 0, 0, (76, 0, 0, 0, "MZ\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\2\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\17\1\13\1\0\0\0\2\0\0\0\0\0\0\0\0V\0,\200\0\0\0\20\0\0\14\0\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0R\236\0\0\0\2\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\01\200\0\0\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0MEW\0F\22\322\303\0P\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\300\2\322u\333\212\26\353\324R>\0\0\0`\0\0\0@\0\0\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\340\276\34`@\0\213\336\255\255P\255\227\262\200\244\266\200\377\23s\3713\311\377\23s\263\300\377\23s!\266\200A\260\20\377\23\22\300s\372u>\252\353\340\350v^\0\0\2\366\203\331\1u\16\377S\374\353&\254\321\350t/\23\311\353\32\221H\301\340\10\254\377S\374=\0}\0\0s\12\200\374\5s\6\203\370\177w\2AA\225\213\305\266\0V\213\367+\360\363\244^\353\233\255\205\300u\220\255\226\255\227V\254<\0u\373\377S\360\225V\255\17\310@Yt\354y\7\254<\0u\373\221@PU\377S\364\253", 16896, 0x0, 0, ... 
{status=0x0, info=16896}, ) , 16896, 0x0, 0, ... {status=0x0, info=16896}, ) == 0x0 00252 392 NtUnmapViewOfSection (-1, 0x850000, ... ) == 0x0 00253 392 NtSetInformationFile (76, 1244780, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 00254 392 NtClose (72, ... ) == 0x0 00255 392 NtClose (76, ... ) == 0x0 00256 392 NtOpenDirectoryObject (0x2000f, {24, 0, 0x40, 0, 0, (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 76, ) }, ... 76, ) == 0x0 00257 392 NtOpenEvent (0x100000, {24, 76, 0x0, 0, 0, (0x100000, {24, 76, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 72, ) }, ... 72, ) == 0x0 00258 392 NtWaitForSingleObject (72, 0, {-1800000000, -1}, ... ) == 0x0 00259 392 NtClose (72, ... ) == 0x0 00260 392 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00261 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00262 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 72, ) }, ... 72, ) == 0x0 00263 392 NtQueryValueKey (72, (72, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00264 392 NtClose (72, ... ) == 0x0 00265 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00266 392 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 72, ) == 0x0 00267 392 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 80, ) == 0x0 00268 392 NtQuerySystemTime (... {604274374, 29889231}, ) == 0x0 00269 392 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 
84, ) == 0x0 00270 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00271 392 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0 00272 392 NtQueryInformationProcess (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0 00273 392 NtQueryInformationProcess (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0 00274 392 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 88, ) == 0x0 00275 392 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 92, ) == 0x0 00276 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 96, ) }, ... 96, ) == 0x0 00277 392 NtOpenKey (0x20019, {24, 96, 0x40, 0, 0, (0x20019, {24, 96, 0x40, 0, 0, "ActiveComputerName"}, ... 100, ) }, ... 100, ) == 0x0 00278 392 NtQueryValueKey (100, (100, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (100, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (100, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0 00279 392 NtClose (100, ... ) == 0x0 00280 392 NtClose (96, ... ) == 0x0 00281 392 NtCreateIoCompletion (0x1f0003, 0x0, 0, ... 96, ) == 0x0 00282 392 NtCreateIoCompletion (0x1f0003, 0x0, -1, ... 100, ) == 0x0 00283 392 NtDuplicateObject (-1, 96, -1, 0x0, 0, 2, ... 104, ) == 0x0 00284 392 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 00285 392 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 108, ) == 0x0 00286 392 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 00287 392 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... 
) == 0x0 00288 392 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1243124, (0xc0100080, {24, 0, 0x40, 0, 1243124, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 112, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 112, {status=0x0, info=1}, ) == 0x0 00289 392 NtSetInformationFile (112, 1243180, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 00290 392 NtSetInformationFile (112, 1243172, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 00291 392 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 00292 392 NtWriteFile (112, 89, 0, 0, (112, 89, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 00293 392 NtReadFile (112, 89, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (112, 89, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\360 \0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 00294 392 NtFsControlFile (112, 89, 0x0, 0x0, 0x11c017, (112, 89, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\33\0\0\0\0\0\0\0\0\0\22\0\0\0", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\360 \0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... {status=0x103, info=68}, (112, 89, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\33\0\0\0\0\0\0\0\0\0\22\0\0\0", 36, 1024, ... 
{status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\360 \0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 00295 392 NtFsControlFile (112, 89, 0x0, 0x0, 0x11c017, (112, 89, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0D\0\0\0\2\0\0\0,\0\0\0\0\0\34\0\0\0\0\0n\304\366[\302~\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0rpcsvc\0\0\20\0\0\0", 68, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0n\304\366[\302~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 68, 1024, ... {status=0x103, info=48}, (112, 89, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0D\0\0\0\2\0\0\0,\0\0\0\0\0\34\0\0\0\0\0n\304\366[\302~\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0rpcsvc\0\0\20\0\0\0", 68, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0n\304\366[\302~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 00296 392 NtFsControlFile (112, 89, 0x0, 0x0, 0x11c017, (112, 89, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\334\0\0\0\3\0\0\0\304\0\0\0\0\0\30\0\0\0\0\0n\304\366[\302~\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0rpcsvc\0`\370\34@\01\0\0\0\0\0\0\01\0\0\0Windows Remote Procedure Call Monitoring Service\0\0\0\0\22\0\4\0\20\1\0\0\2\0\0\0\0\0\0\0\37\0\0\0\0\0\0\0\37\0\0\0C:\WINDOWS\System32\rpcsvc.exe\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 220, 1024, ... {status=0x103, info=48}, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 220, 1024, ... 
{status=0x103, info=48}, (112, 89, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\334\0\0\0\3\0\0\0\304\0\0\0\0\0\30\0\0\0\0\0n\304\366[\302~\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0rpcsvc\0`\370\34@\01\0\0\0\0\0\0\01\0\0\0Windows Remote Procedure Call Monitoring Service\0\0\0\0\22\0\4\0\20\1\0\0\2\0\0\0\0\0\0\0\37\0\0\0\0\0\0\0\37\0\0\0C:\WINDOWS\System32\rpcsvc.exe\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 220, 1024, ... {status=0x103, info=48}, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103 00297 392 NtWaitForSingleObject (89, 0, 0x0, ... ) == 0x0 00298 392 NtFsControlFile (112, 89, 0x0, 0x0, 0x11c017, (112, 89, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0X\0\0\0\4\0\0\0@\0\0\0\0\0$\0\0\0\0\0o\304\366[\302~\334\21\261\310\0\14)\371\246\305\2\0\0\0\2\0\0\0\210\377\22\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\377\22\0\1\0\0\0\1\0\0\0\0\0\0\0", 88, 1024, ... {status=0x103, info=52}, "\5\0\2\3\20\0\0\04\0\0\0\3\0\0\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0o\304\366[\302~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 88, 1024, ... {status=0x103, info=52}, (112, 89, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0X\0\0\0\4\0\0\0@\0\0\0\0\0$\0\0\0\0\0o\304\366[\302~\334\21\261\310\0\14)\371\246\305\2\0\0\0\2\0\0\0\210\377\22\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\377\22\0\1\0\0\0\1\0\0\0\0\0\0\0", 88, 1024, ... {status=0x103, info=52}, "\5\0\2\3\20\0\0\04\0\0\0\3\0\0\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0o\304\366[\302~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 00299 392 NtWaitForSingleObject (89, 0, 0x0, ... ) == 0x0 00300 392 NtFsControlFile (112, 89, 0x0, 0x0, 0x11c017, (112, 89, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0H\1\0\0\5\0\0\00\1\0\0\0\0$\0\0\0\0\0o\304\366[\302~\334\21\261\310\0\14)\371\246\305\1\0\0\0\1\0\0\0\244\377\22\0\210\376\22\0\0\1\0\0\0\0\0\0\0\1\0\0Provides reliability and uptime monitoring for components that use the RPC subsystem. 
If this service is stopped, RPC communication between clients and servers on the network will be impaired. If this service is disabled, any services that explicitly depe\0", 328, 1024, ... {status=0x103, info=28}, "\5\0\0\3\20\0\0\0\334\0\0\0\3\0\0\0\304\0\0\0\0\0\30\0\0\0\0\0", ) , 328, 1024, ... {status=0x103, info=28}, (112, 89, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0H\1\0\0\5\0\0\00\1\0\0\0\0$\0\0\0\0\0o\304\366[\302~\334\21\261\310\0\14)\371\246\305\1\0\0\0\1\0\0\0\244\377\22\0\210\376\22\0\0\1\0\0\0\0\0\0\0\1\0\0Provides reliability and uptime monitoring for components that use the RPC subsystem. If this service is stopped, RPC communication between clients and servers on the network will be impaired. If this service is disabled, any services that explicitly depe\0", 328, 1024, ... {status=0x103, info=28}, "\5\0\0\3\20\0\0\0\334\0\0\0\3\0\0\0\304\0\0\0\0\0\30\0\0\0\0\0", ) , ) == 0x103 00301 392 NtWaitForSingleObject (89, 0, 0x0, ... ) == 0x0 00302 392 NtFsControlFile (112, 89, 0x0, 0x0, 0x11c017, (112, 89, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\04\0\0\0\6\0\0\0\34\0\0\0\0\0\37\0\0\0\0\0o\304\366[\302~\334\21\261\310\0\14)\371\246\305\0\0\0\0\0\0\0\0", 52, 1024, ... {status=0x103, info=28}, "\5\0\2\3\20\0\0\0\34\0\0\0\5\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0", ) , 52, 1024, ... {status=0x103, info=28}, (112, 89, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\04\0\0\0\6\0\0\0\34\0\0\0\0\0\37\0\0\0\0\0o\304\366[\302~\334\21\261\310\0\14)\371\246\305\0\0\0\0\0\0\0\0", 52, 1024, ... {status=0x103, info=28}, "\5\0\2\3\20\0\0\0\34\0\0\0\5\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103 00303 392 NtWaitForSingleObject (89, 0, 0x0, ... ) == 0x0 00304 392 NtQueryInformationJobObject (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED 00305 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\explorer.exe"}, 1241436, ... ) }, 1241436, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00306 392 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "explorer.exe"}, 1241436, ... ) }, 1241436, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00307 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\explorer.exe"}, 1241436, ... ) }, 1241436, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00308 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\explorer.exe"}, 1241436, ... ) }, 1241436, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00309 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\explorer.exe"}, 1241436, ... ) }, 1241436, ... ) == 0x0 00310 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\explorer.exe"}, 1242152, ... ) }, 1242152, ... ) == 0x0 00311 392 NtOpenFile (0x1000a1, {24, 0, 0x40, 0, 0, (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\explorer.exe"}, 5, 96, ... 116, {status=0x0, info=1}, ) }, 5, 96, ... 116, {status=0x0, info=1}, ) == 0x0 00312 392 NtCreateSection (0xf001f, 0x0, 0x0, 16, 16777216, 116, ... 120, ) == 0x0 00313 392 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00314 392 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 124, ) }, ... 124, ) == 0x0 00315 392 NtQueryValueKey (124, (124, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00316 392 NtClose (124, ... ) == 0x0 00317 392 NtQueryVolumeInformationFile (116, 1241460, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00318 392 NtOpenMutant (0x120001, {24, 76, 0x0, 0, 0, (0x120001, {24, 76, 0x0, 0, 0, "ShimCacheMutex"}, ... 124, ) }, ... 124, ) == 0x0 00319 392 NtWaitForSingleObject (124, 0, {-1000000, -1}, ... 
) == 0x0 00320 392 NtOpenSection (0x2, {24, 76, 0x0, 0, 0, (0x2, {24, 76, 0x0, 0, 0, "ShimSharedMemory"}, ... 128, ) }, ... 128, ) == 0x0 00321 392 NtMapViewOfSection (128, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x850000), {0, 0}, 57344, ) == 0x0 00322 392 NtQueryInformationFile (116, 1241424, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 00323 392 NtQueryInformationFile (116, 1241464, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00324 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00325 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 132, ) == 0x0 00326 392 NtQueryInformationToken (132, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00327 392 NtClose (132, ... ) == 0x0 00328 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00329 392 NtReleaseMutant (124, ... 0x0, ) == 0x0 00330 392 NtQuerySection (120, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00331 392 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00332 392 NtOpenThreadToken (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN 00333 392 NtOpenProcessToken (-1, 0xa, ... 132, ) == 0x0 00334 392 NtQueryInformationToken (132, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0 00335 392 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00336 392 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 136, ) }, ... 
136, ) == 0x0 00337 392 NtQueryValueKey (136, (136, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (136, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00338 392 NtQueryValueKey (136, (136, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (136, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00339 392 NtClose (136, ... ) == 0x0 00340 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 136, ) }, ... 136, ) == 0x0 00341 392 NtQueryValueKey (136, (136, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL 00342 392 NtQueryValueKey (136, (136, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (136, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0 00343 392 NtClose (136, ... 
) == 0x0 00344 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\LevelObjects"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00345 392 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 136, ) }, ... 136, ) == 0x0 00346 392 NtQueryValueKey (136, (136, "Levels", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00347 392 NtClose (136, ... ) == 0x0 00348 392 NtQueryDefaultUILanguage (2013024600, ... 00349 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00350 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147481964, ) == 0x0 00351 392 NtQueryInformationToken (-2147481964, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00352 392 NtClose (-2147481964, ... ) == 0x0 00353 392 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147481960, ) }, ... -2147481960, ) == 0x0 00354 392 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00355 392 NtOpenKey (0x80000000, {24, -2147481960, 0x640, 0, 0, (0x80000000, {24, -2147481960, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481956, ) }, ... -2147481956, ) == 0x0 00356 392 NtQueryValueKey (-2147481956, (-2147481956, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00357 392 NtClose (-2147481956, ... ) == 0x0 00358 392 NtClose (-2147481960, ... ) == 0x0 00348 392 NtQueryDefaultUILanguage ... ) == 0x0 00359 392 NtQueryInstallUILanguage (2013024602, ... ) == 0x0 00360 392 NtQueryDefaultLocale (1, 1240832, ... ) == 0x0 00361 392 NtQueryDefaultLocale (1, 1240832, ... 
) == 0x0 00362 392 NtQueryDefaultLocale (1, 1240832, ... ) == 0x0 00363 392 NtQueryDefaultLocale (1, 1240832, ... ) == 0x0 00364 392 NtAllocateVirtualMemory (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0 00365 392 NtQueryDefaultLocale (1, 1240832, ... ) == 0x0 00366 392 NtQueryDefaultLocale (1, 1240832, ... ) == 0x0 00367 392 NtQueryDefaultLocale (1, 1240832, ... ) == 0x0 00368 392 NtQueryDefaultLocale (1, 1240832, ... ) == 0x0 00369 392 NtQueryDefaultLocale (1, 1240832, ... ) == 0x0 00370 392 NtQueryDefaultLocale (1, 1240832, ... ) == 0x0 00371 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... 136, ) }, ... 136, ) == 0x0 00372 392 NtEnumerateKey (136, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name= (136, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name="{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, 92, ) }, 92, ) == 0x0 00373 392 NtOpenKey (0x20019, {24, 136, 0x40, 0, 0, (0x20019, {24, 136, 0x40, 0, 0, "{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, ... 140, ) }, ... 140, ) == 0x0 00374 392 NtQueryValueKey (140, (140, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) , Partial, 280, ... TitleIdx=0, Type=2, Data= (140, "ItemData", Partial, 280, ... 
TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) }, 202, ) == 0x0 00375 392 NtQueryValueKey (140, (140, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (140, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00376 392 NtClose (140, ... ) == 0x0 00377 392 NtEnumerateKey (136, 1, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES 00378 392 NtClose (136, ... ) == 0x0 00379 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00380 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00381 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00382 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00383 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00384 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00385 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00386 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00387 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00388 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00389 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00390 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00391 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00392 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00393 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00394 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 136, ) == 0x0 00395 392 NtQueryInformationToken (136, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00396 392 NtClose (136, ... ) == 0x0 00397 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00398 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00399 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 136, ) == 0x0 00400 392 NtQueryInformationToken (136, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00401 392 NtClose (136, ... ) == 0x0 00402 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00403 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00404 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 136, ) == 0x0 00405 392 NtQueryInformationToken (136, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00406 392 NtClose (136, ... ) == 0x0 00407 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00408 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00409 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 136, ) == 0x0 00410 392 NtQueryInformationToken (136, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00411 392 NtClose (136, ... 
) == 0x0 00412 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00413 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00414 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 136, ) == 0x0 00415 392 NtQueryInformationToken (136, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00416 392 NtClose (136, ... ) == 0x0 00417 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00418 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00419 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 136, ) == 0x0 00420 392 NtQueryInformationToken (136, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00421 392 NtClose (136, ... ) == 0x0 00422 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00423 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00424 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 136, ) == 0x0 00425 392 NtQueryInformationToken (136, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00426 392 NtClose (136, ... ) == 0x0 00427 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00428 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... 
) == STATUS_NO_TOKEN 00429 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 136, ) == 0x0 00430 392 NtQueryInformationToken (136, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00431 392 NtClose (136, ... ) == 0x0 00432 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00433 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00434 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 136, ) == 0x0 00435 392 NtQueryInformationToken (136, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00436 392 NtClose (136, ... ) == 0x0 00437 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00438 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00439 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 136, ) == 0x0 00440 392 NtQueryInformationToken (136, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00441 392 NtClose (136, ... ) == 0x0 00442 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00443 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00444 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 136, ) == 0x0 00445 392 NtQueryInformationToken (136, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00446 392 NtClose (136, ... 
) == 0x0 00447 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00448 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00449 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 136, ) == 0x0 00450 392 NtQueryInformationToken (136, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00451 392 NtClose (136, ... ) == 0x0 00452 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00453 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00454 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 136, ) == 0x0 00455 392 NtQueryInformationToken (136, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00456 392 NtClose (136, ... ) == 0x0 00457 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00458 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00459 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 136, ) == 0x0 00460 392 NtQueryInformationToken (136, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00461 392 NtClose (136, ... ) == 0x0 00462 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00463 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... 
) == STATUS_NO_TOKEN 00464 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 136, ) == 0x0 00465 392 NtQueryInformationToken (136, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00466 392 NtClose (136, ... ) == 0x0 00467 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00468 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 136, ) }, ... 136, ) == 0x0 00469 392 NtQueryValueKey (136, (136, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (136, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Data= (136, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) }, 48, ) == 0x0 00470 392 NtClose (136, ... ) == 0x0 00471 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00472 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 136, ) == 0x0 00473 392 NtQueryInformationToken (136, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00474 392 NtClose (136, ... ) == 0x0 00475 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00476 392 NtOpenThreadToken (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN 00477 392 NtOpenProcessToken (-1, 0xa, ... 136, ) == 0x0 00478 392 NtDuplicateToken (136, 0xc, {24, 0, 0x0, 0, 1241352, 0x0}, 0, 2, ... 140, ) == 0x0 00479 392 NtClose (136, ... ) == 0x0 00480 392 NtAccessCheck (1341488, 140, 0x1, 1241480, 1241424, 56, 1241508, ... 
(0x1), ) == 0x0 00481 392 NtClose (140, ... ) == 0x0 00482 392 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 140, ) }, ... 140, ) == 0x0 00483 392 NtQueryValueKey (140, (140, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (140, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00484 392 NtClose (140, ... ) == 0x0 00485 392 NtOpenSymbolicLinkObject (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 140, ) }, ... 140, ) == 0x0 00486 392 NtQuerySymbolicLinkObject (140, ... (140, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0 00487 392 NtClose (140, ... ) == 0x0 00488 392 NtQueryInformationFile (116, 1239812, 528, Name, ... {status=0x0, info=46}, ) == 0x0 00489 392 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 00490 392 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 00491 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\EXPLORER.EXE"}, 1238492, ... ) }, 1238492, ... ) == 0x0 00492 392 NtAllocateVirtualMemory (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0 00493 392 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 140, {status=0x0, info=1}, ) }, 3, 16417, ... 140, {status=0x0, info=1}, ) == 0x0 00494 392 NtQueryDirectoryFile (140, 0, 0, 0, 1237852, 616, BothDirectory, 1, (140, 0, 0, 0, 1237852, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0 00495 392 NtClose (140, ... ) == 0x0 00496 392 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 140, {status=0x0, info=1}, ) }, 3, 16417, ... 
140, {status=0x0, info=1}, ) == 0x0 00497 392 NtQueryDirectoryFile (140, 0, 0, 0, 1237852, 616, BothDirectory, 1, (140, 0, 0, 0, 1237852, 616, BothDirectory, 1, "EXPLORER.EXE", 0, ... {status=0x0, info=118}, ) , 0, ... {status=0x0, info=118}, ) == 0x0 00498 392 NtClose (140, ... ) == 0x0 00499 392 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 00500 392 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 00501 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00502 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 140, ) == 0x0 00503 392 NtQueryInformationToken (140, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00504 392 NtClose (140, ... ) == 0x0 00505 392 NtOpenKey (0x20019, {24, 0, 0x640, 0, 0, (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 140, ) }, ... 140, ) == 0x0 00506 392 NtOpenKey (0x20019, {24, 140, 0x40, 0, 0, (0x20019, {24, 140, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 136, ) }, ... 136, ) == 0x0 00507 392 NtClose (140, ... ) == 0x0 00508 392 NtQueryValueKey (136, (136, "Cache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00509 392 NtQueryValueKey (136, (136, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=1, Data= (136, "Cache", Partial, 162, ... 
TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) }, 162, ) == 0x0 00510 392 NtClose (136, ... ) == 0x0 00511 392 NtAllocateVirtualMemory (-1, 0, 0, 4096, 8192, 4, ... 8781824, 4096, ) == 0x0 00512 392 NtAllocateVirtualMemory (-1, 8781824, 0, 4096, 4096, 4, ... 8781824, 4096, ) == 0x0 00513 392 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 136, ) }, ... 136, ) == 0x0 00514 392 NtQueryValueKey (136, (136, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00515 392 NtClose (136, ... ) == 0x0 00516 392 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00517 392 NtQueryInformationToken (132, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0 00518 392 NtQueryInformationToken (132, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0 00519 392 NtClose (132, ... ) == 0x0 00520 392 NtCreateProcessEx (1244088, 2035711, 0, -1, 0, 120, 0, 0, 0, ... ) == 0x0 00521 392 NtSetInformationProcess (132, PriorityClass, {process info, class 18, size 2}, 83886336, ... ) == 0x0 00522 392 NtQueryInformationProcess (132, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=4,Pid=892,ParentPid=388,}, 0x0, ) == 0x0 00523 392 NtReadVirtualMemory (132, 0x7ffdf008, 4, ... (132, 0x7ffdf008, 4, ... "\0\0\0\1", 0x0, ) , 0x0, ) == 0x0 00524 392 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\explorer.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00525 392 NtAllocateVirtualMemory (-1, 1343488, 0, 8192, 4096, 4, ... 1343488, 8192, ) == 0x0 00526 392 NtReadVirtualMemory (132, 0x1000000, 4096, ... (132, 0x1000000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\335\261\350\231\320sc\231\320sc\231\320sc\252\362Vc\233\320scc\3633c\235\320sc\231\320rc\37\322scc\363jc\200\320sc\16\3636c\230\320scC\363nc\277\320scC\363oc\201\320scc\363Nc\230\320scRich\231\320sc\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\4\0n\340};\0\0\0\0\0\0\0\0\340\0\16\1\13\1\7\0\0\314\3\0\0x\13\0\0\0\0\0\22,\1\0\0\20\0\0\0\300\3\0\0\0\0\1\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\12\0\0\0\0\0\0p\17\0\0\4\0\0\225)\20\0\2\0\0\200\0\0\4\0\0\340\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\200\261\3\0\30\1\0\0\0\0\4\0p"\13\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\17\0\2004\0\0\210\333\3\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\210\2\0\0\20\1\0\0\0\20\0\0P\11\0\0\20\256\3\0\300\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\300\313\3\0", 4096, ) \13\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\17\0\2004\0\0\210\333\3\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\210\2\0\0\20\1\0\0\0\20\0\0P\11\0\0\20\256\3\0\300\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\300\313\3\0", 4096, ) == 0x0 00527 392 NtReadVirtualMemory (132, 0x1040000, 256, ... (132, 0x1040000, 256, ... 
"\0\0\0\0\0\0\0\0\0\0\0\0\0\0\12\0\2\0\0\0`\0\0\200\3\0\0\0p\1\0\200\4\0\0\0\10\5\0\200\5\0\0\0@\5\0\200\6\0\0\0\210\5\0\200\11\0\0\0H\6\0\200\16\0\0\0`\6\0\200\20\0\0\0\0\7\0\200\30\0\0\0\30\7\0\200\360\0\0\00\7\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\217\0\0\0H\7\0\200\221\0\0\0`\7\0\200\222\0\0\0x\7\0\200\223\0\0\0\220\7\0\200\224\0\0\0\250\7\0\200\225\0\0\0\300\7\0\200\226\0\0\0\330\7\0\200\227\0\0\0\360\7\0\200\230\0\0\0\10\10\0\200\231\0\0\0 \10\0\200\236\0\0\08\10\0\200\242\0\0\0P\10\0\200\243\0\0\0h\10\0\200\244\0\0\0\200\10\0\200\245\0\0\0\230\10\0\200\246\0\0\0\260\10\0\200\247\0\0\0\310\10\0\200\252\0\0\0\340\10\0\200", 256, ) , 256, ) == 0x0 00528 392 NtReadVirtualMemory (132, 0x1040718, 24, ... (132, 0x1040718, 24, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0{\0\0\0\360\31\0\200", 24, ) , 24, ) == 0x0 00529 392 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00530 392 NtQueryInformationProcess (132, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=4,Pid=892,ParentPid=388,}, 0x0, ) == 0x0 00531 392 NtAllocateVirtualMemory (-1, 0, 0, 1572, 4096, 4, ... 8847360, 4096, ) == 0x0 00532 392 NtAllocateVirtualMemory (132, 0, 0, 1910, 4096, 4, ... 
65536, 4096, ) == 0x0 00533 392 NtWriteVirtualMemory (132, 0x10000, (132, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0 00534 392 NtAllocateVirtualMemory (132, 0, 0, 1572, 4096, 4, ... 131072, 4096, ) == 0x0 00535 392 NtWriteVirtualMemory (132, 0x20000, (132, 0x20000, "\0\20\0\0$\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\0\0\0\0\0\13\0\0\0$\0\10\2\220\2\0\0\0\0\0\0\352\0\354\0\230\4\0\0.\00\0\204\5\0\0\30\0\32\0\264\5\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\201\0\0\0\0\0\0\0.\00\0\320\5\0\0\36\0 \0\0\6\0\0\0\0\2\0 
\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1572, ... 0x0, ) , 1572, ... 0x0, ) == 0x0 00536 392 NtWriteVirtualMemory (132, 0x7ffdf010, (132, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0 00537 392 NtWriteVirtualMemory (132, 0x7ffdf1e8, (132, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0 00538 392 NtFreeVirtualMemory (-1, (0x870000), 0, 32768, ... (0x870000), 4096, ) == 0x0 00539 392 NtAllocateVirtualMemory (132, 0, 0, 262144, 8192, 4, ... 196608, 262144, ) == 0x0 00540 392 NtAllocateVirtualMemory (132, 397312, 0, 61440, 4096, 4, ... 397312, 61440, ) == 0x0 00541 392 NtProtectVirtualMemory (132, (0x61000), 4096, 260, ... (0x61000), 4096, 4, ) == 0x0 00542 392 NtCreateThread (0x1f03ff, 0x0, 132, 1242352, 1243072, 1, ... 136, {892, 908}, ) == 0x0 00543 392 NtRequestWaitReplyPort (24, {168, 196, new_msg, 0, 1312632, 1310720, 0, 1244172} (24, {168, 196, new_msg, 0, 1312632, 1310720, 0, 1244172} "\0\0\0\0\0\0\1\0\2$\370w\0d\24\0\206\0\0\0\210\0\0\0|\3\0\0\214\3\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\250 \24\0\270\374\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0N\0D\0O\0" ... 
{168, 196, reply, 0, 388, 392, 1590, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\0d\24\0\204\0\0\0\210\0\0\0|\3\0\0\214\3\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\250 \24\0\270\374\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0N\0D\0O\0" ) ... {168, 196, reply, 0, 388, 392, 1590, 0} (24, {168, 196, new_msg, 0, 1312632, 1310720, 0, 1244172} "\0\0\0\0\0\0\1\0\2$\370w\0d\24\0\206\0\0\0\210\0\0\0|\3\0\0\214\3\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\250 \24\0\270\374\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0N\0D\0O\0" ... {168, 196, reply, 0, 388, 392, 1590, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\0d\24\0\204\0\0\0\210\0\0\0|\3\0\0\214\3\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\250 \24\0\270\374\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0N\0D\0O\0" ) ) == 0x0 00544 392 NtClose (116, ... ) == 0x0 00545 392 NtClose (120, ... ) == 0x0 00546 392 NtDuplicateObject (-1, -1, 132, 0x0, 0, 2, ... 4, ) == 0x0 00547 392 NtAllocateVirtualMemory (132, 0, 0, 312, 4096, 4, ... 524288, 4096, ) == 0x0 00548 392 NtProtectVirtualMemory (132, (0x80000), 52, 64, ... (0x80000), 4096, 4, ) == 0x0 00549 392 NtProtectVirtualMemory (132, (0x80000), 4096, 4, ... (0x80000), 4096, 64, ) == 0x0 00550 392 NtWriteVirtualMemory (132, 0x80000, (132, 0x80000, "\353-h\377\377\377\377h\4\0\0\0\270[\235\347w\377\320h\4\0\0\0\270cy\347w\377\320\270(6\347w\377\320j\0\270\265\\347w\377\320\350\316\377\377\377", 52, ... 52, ) , 52, ... 52, ) == 0x0 00551 392 NtFlushInstructionCache (132, 524288, 52, ... 
) == 0x0 00552 392 NtProtectVirtualMemory (132, (0x80034), 260, 64, ... (0x80000), 4096, 4, ) == 0x0 00553 392 NtProtectVirtualMemory (132, (0x80000), 4096, 4, ... (0x80000), 4096, 64, ) == 0x0 00554 392 NtWriteVirtualMemory (132, 0x80034, (132, 0x80034, "u:\work\packed.exe\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 260, ... 260, ) , 260, ... 260, ) == 0x0 00555 392 NtFlushInstructionCache (132, 524340, 260, ... ) == 0x0 00556 392 NtAllocateVirtualMemory (132, 0, 0, 1048576, 8192, 4, ... 589824, 1048576, ) == 0x0 00557 392 NtAllocateVirtualMemory (132, 1630208, 0, 8192, 4096, 4, ... 1630208, 8192, ) == 0x0 00558 392 NtProtectVirtualMemory (132, (0x18e000), 4096, 260, ... (0x18e000), 4096, 4, ) == 0x0 00559 392 NtCreateThread (0x1f03ff, 0x0, 132, 1244288, 1245004, 1, ... 120, {892, 912}, ) == 0x0 00560 392 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 0, 0, 14626370, 2011115058} (24, {28, 56, new_msg, 0, 0, 0, 14626370, 2011115058} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0x\0\0\0|\3\0\0\220\3\0\0" ... {28, 56, reply, 0, 388, 392, 1591, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0x\0\0\0|\3\0\0\220\3\0\0" ) ... {28, 56, reply, 0, 388, 392, 1591, 0} (24, {28, 56, new_msg, 0, 0, 0, 14626370, 2011115058} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0x\0\0\0|\3\0\0\220\3\0\0" ... {28, 56, reply, 0, 388, 392, 1591, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0x\0\0\0|\3\0\0\220\3\0\0" ) ) == 0x0 00561 392 NtResumeThread (120, ... 1, ) == 0x0 00562 392 NtTerminateProcess (0, 0, ... ) == 0x0 00563 392 NtFreeVirtualMemory (-1, (0x860000), 4096, 32768, ... 
(0x860000), 4096, ) == 0x0 00564 392 NtRequestWaitReplyPort (24, {20, 48, new_msg, 0, 1713399662, 1663070831, 1, 68} (24, {20, 48, new_msg, 0, 1713399662, 1663070831, 1, 68} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 388, 392, 1592, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {20, 48, reply, 0, 388, 392, 1592, 0} (24, {20, 48, new_msg, 0, 1713399662, 1663070831, 1, 68} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 388, 392, 1592, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 00565 392 NtTerminateProcess (-1, 0, ... 00566 392 NtClose (44, ... ) == 0x0