Summary:





NtAddAtom(>)  1 
NtAccessCheck(>)  2 
NtFreeVirtualMemory(>)  5 
NtSetInformationProcess(>)  26 


NtCallbackReturn(>)  1 
NtCreateIoCompletion(>)  2 
NtGdiGetStockObject(>)  5 
NtCreateFile(>)  27 


NtConnectPort(>)  1 
NtEnumerateKey(>)  2 
NtOpenSymbolicLinkObject(>)  5 
NtQuerySystemInformation(>)  29 


NtCreateMutant(>)  1 
NtGdiCreateSolidBrush(>)  2 
NtQuerySymbolicLinkObject(>)  5 
NtOpenProcessTokenEx(>)  30 


NtDuplicateToken(>)  1 
NtOpenEvent(>)  2 
NtDuplicateObject(>)  6 
NtOpenThreadTokenEx(>)  30 


NtEnumerateValueKey(>)  1 
NtQueryInstallUILanguage(>)  2 
NtSetInformationThread(>)  6 
NtCreateSection(>)  34 


NtGdiCreateBitmap(>)  1 
NtRaiseException(>)  2 
NtFsControlFile(>)  7 
NtQueryDirectoryFile(>)  34 


NtGdiInit(>)  1 
NtReadFile(>)  2 
NtWaitForSingleObject(>)  7 
NtReadVirtualMemory(>)  34 


NtGdiQueryFontAssocInfo(>)  1 
NtUserCloseWindowStation(>)  2 
NtOpenProcess(>)  8 
NtOpenSection(>)  35 


NtGdiSelectBitmap(>)  1 
NtCreateProcessEx(>)  3 
NtOpenProcessToken(>)  8 
NtUserGetClassInfo(>)  37 


NtNotifyChangeKey(>)  1 
NtCreateSemaphore(>)  3 
NtOpenThreadToken(>)  9 
NtQueryInformationToken(>)  42 


NtOpenKeyedEvent(>)  1 
NtCreateThread(>)  3 
NtContinue(>)  10 
NtQueryInformationProcess(>)  43 


NtQueryKey(>)  1 
NtGdiCreateCompatibleDC(>)  3 
NtQueryVolumeInformationFile(>)  10 
NtQueryDefaultLocale(>)  48 


NtQueryObject(>)  1 
NtOpenDirectoryObject(>)  3 
NtUserSystemParametersInfo(>)  10 
NtUserFindExistingCursorIcon(>)  48 


NtQueryPerformanceCounter(>)  1 
NtOpenMutant(>)  3 
NtFlushInstructionCache(>)  11 
NtProtectVirtualMemory(>)  49 


NtQuerySystemTime(>)  1 
NtResumeThread(>)  3 
NtQueryDefaultUILanguage(>)  12 
NtUnmapViewOfSection(>)  55 


NtRegisterThreadTerminatePort(>)  1 
NtSetInformationObject(>)  3 
NtQuerySection(>)  13 
NtUserRegisterClassExWOW(>)  63 


NtSecureConnectPort(>)  1 
NtQueryInformationJobObject(>)  4 
NtSetInformationFile(>)  15 
NtAllocateVirtualMemory(>)  65 


NtSetSecurityObject(>)  1 
NtQueryVirtualMemory(>)  4 
NtWriteFile(>)  15 
NtOpenFile(>)  65 


NtTestAlert(>)  1 
NtReleaseMutant(>)  4 
NtQueryDebugFilterState(>)  18 
NtQueryAttributesFile(>)  66 


NtUserCallNoParam(>)  1 
NtUserBuildHwndList(>)  4 
NtCreateEvent(>)  19 
NtQueryValueKey(>)  75 


NtUserCallOneParam(>)  1 
NtUserFindWindowEx(>)  4 
NtRequestWaitReplyPort(>)  19 
NtMapViewOfSection(>)  89 


NtUserGetDC(>)  1 
NtUserWaitForInputIdle(>)  4 
NtUserRegisterWindowMessage(>)  19 
NtOpenKey(>)  140 


NtUserGetThreadDesktop(>)  1 
NtWaitForMultipleObjects(>)  4 
NtWriteVirtualMemory(>)  20 
NtUserQueryWindow(>)  156 


NtUserOpenWindowStation(>)  1 
NtCreateKey(>)  5 
NtQueryInformationFile(>)  26 
NtClose(>)  268 





Trace:

 00001   444   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002   444   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00003   444   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00004   444   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1376256, 1048576, ) == 0x0
 00005   444   NtAllocateVirtualMemory  (-1, 1376256, 0, 4096, 4096, 4, ... 1376256, 4096, ) == 0x0
 00006   444   NtAllocateVirtualMemory  (-1, 1380352, 0, 8192, 4096, 4, ... 1380352, 8192, ) == 0x0
 00007   444   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00008   444   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2424832, 65536, ) == 0x0
 00009   444   NtAllocateVirtualMemory  (-1, 2424832, 0, 24576, 4096, 4, ... 2424832, 24576, ) == 0x0
 00010   444   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00011   444   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00012   444   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00013   444   NtClose  (12, ... ) == 0x0
 00014   444   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00015   444   NtQueryVolumeInformationFile  (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00016   444   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER
 00017   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018   444   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019   444   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0
 00020   444   NtClose  (16, ... ) == 0x0
 00021   444   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00022   444   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00023   444   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00024   444   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1385272, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2490368, 18481152}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1385272, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2490368, 18481152}, {0, 0, 0}, 200, 44, ) == 0x0
 00025   444   NtClose  (16, ... ) == 0x0
 00026   444   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00027   444   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00028   444   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00029   444   NtQueryVirtualMemory  (-1, 0x260000, Basic, 28, ... {BaseAddress=0x260000,AllocationBase=0x260000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00030   444   NtAllocateVirtualMemory  (-1, 2490368, 0, 4096, 4096, 4, ... 2490368, 4096, ) == 0x0
 00031   444   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" ... {28, 56, reply, 0, 436, 444, 1513, 0} "\20\311\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" )  ... {28, 56, reply, 0, 436, 444, 1513, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" ... {28, 56, reply, 0, 436, 444, 1513, 0} "\20\311\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" )  ) == 0x0
 00032   444   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00033   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00034   444   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00035   444   NtClose  (16, ... ) == 0x0
 00036   444   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00037   444   NtOpenMutant  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0
 00038   444   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 28, ) == 0x0
 00039   444   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x270000), 0x0, 90112, ) == 0x0
 00040   444   NtClose  (28, ... ) == 0x0
 00041   444   NtQueryDefaultLocale  (0, 2012046252, ... ) == 0x0
 00042   444   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0
 00043   444   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x290000), 0x0, 212992, ) == 0x0
 00044   444   NtClose  (28, ... ) == 0x0
 00045   444   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0
 00046   444   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2d0000), 0x0, 266240, ) == 0x0
 00047   444   NtQuerySection  (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00048   444   NtClose  (28, ... ) == 0x0
 00049   444   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0
 00050   444   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x320000), 0x0, 24576, ) == 0x0
 00051   444   NtClose  (28, ... ) == 0x0
 00052   444   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00053   444   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00054   444   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00055   444   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" ... {28, 56, reply, 0, 436, 444, 1522, 0} "(\261\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" )  ... {28, 56, reply, 0, 436, 444, 1522, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" ... {28, 56, reply, 0, 436, 444, 1522, 0} "(\261\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" )  ) == 0x0
 00056   444   NtProtectVirtualMemory  (-1, (0x45d000), 204800, 4, ... (0x45d000), 204800, 128, ) == 0x0
 00057   444   NtProtectVirtualMemory  (-1, (0x45d000), 204800, 128, ... (0x45d000), 204800, 4, ) == 0x0
 00058   444   NtFlushInstructionCache  (-1, 4575232, 204800, ... ) == 0x0
 00059   444   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "user32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00060   444   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0
 00061   444   NtClose  (28, ... ) == 0x0
 00062   444   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00063   444   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0
 00064   444   NtClose  (28, ... ) == 0x0
 00065   444   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00066   444   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0
 00067   444   NtClose  (28, ... ) == 0x0
 00068   444   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00069   444   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0
 00070   444   NtClose  (28, ... ) == 0x0
 00071   444   NtProtectVirtualMemory  (-1, (0x45d000), 204800, 4, ... (0x45d000), 204800, 64, ) == 0x0
 00072   444   NtProtectVirtualMemory  (-1, (0x45d000), 204800, 64, ... (0x45d000), 204800, 4, ) == 0x0
 00073   444   NtFlushInstructionCache  (-1, 4575232, 204800, ... ) == 0x0
 00074   444   NtOpenProcessToken  (-1, 0x8, ... 28, ) == 0x0
 00075   444   NtQueryInformationToken  (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00076   444   NtClose  (28, ... ) == 0x0
 00077   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00078   444   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00079   444   NtClose  (28, ... ) == 0x0
 00080   444   NtAllocateVirtualMemory  (-1, 1388544, 0, 4096, 4096, 4, ... 1388544, 4096, ) == 0x0
 00081   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00082   444   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00083   444   NtQueryValueKey  (28,  (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00084   444   NtClose  (28, ... ) == 0x0
 00085   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0
 00086   444   NtQueryValueKey  (28,  (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00087   444   NtClose  (28, ... ) == 0x0
 00088   444   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0
 00089   444   NtSetInformationObject  (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0
 00090   444   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00091   444   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00092   444   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0}  (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0} "\210\6\32\1\0\0\0\0\314\4\23\0!\215\30\34\3\0\0\0\234\6\32\1$\1\0\0" ... {28, 56, reply, 0, 436, 444, 1544, 0} "XQ\26\0\0\0\0\0\0\0\0\0!\215\30\34\3\0\0\0\234\6\32\1$\1\0\0" )  ... {28, 56, reply, 0, 436, 444, 1544, 0}  (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0} "\210\6\32\1\0\0\0\0\314\4\23\0!\215\30\34\3\0\0\0\234\6\32\1$\1\0\0" ... {28, 56, reply, 0, 436, 444, 1544, 0} "XQ\26\0\0\0\0\0\0\0\0\0!\215\30\34\3\0\0\0\234\6\32\1$\1\0\0" )  ) == 0x0
 00093   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00094   444   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x4d0000), 0x0, 1060864, ) == 0x0
 00095   444   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 36, ) == 0x0
 00096   444   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00097   444   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482020, ) == 0x0
 00098   444   NtQueryInformationToken  (-2147482020, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00099   444   NtQueryInformationToken  (-2147482020, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00100   444   NtClose  (-2147482020, ... ) == 0x0
 00101   444   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 6160384, 4096, ) == 0x0
 00102   444   NtFreeVirtualMemory  (-1, (0x5e0000), 4096, 32768, ... (0x5e0000), 4096, ) == 0x0
 00103   444   NtDuplicateObject  (-1, 40, -1, 0x0, 0, 2, ... 48, ) == 0x0
 00104   444   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00105   444   NtQueryValueKey  (-2147482020,  (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00106   444   NtClose  (-2147482020, ... ) == 0x0
 00107   444   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00108   444   NtQueryValueKey  (-2147482020,  (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00109   444   NtClose  (-2147482020, ... ) == 0x0
 00110   444   NtQueryDefaultLocale  (0, -135067124, ... ) == 0x0
 00111   444   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00112   444   NtUserCallNoParam  (24, ... ) == 0x0
 00113   444   NtGdiCreateCompatibleDC  (0, ...
 00114   444   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 6160384, 4096, ) == 0x0
 00113   444   NtGdiCreateCompatibleDC  ... ) == 0xf010448
 00115   444   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00116   444   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00117   444   NtGdiCreateBitmap  (8, 8, 1, 1, 2010393708, ... ) == 0xb05044f
 00118   444   NtGdiCreateSolidBrush  (0, 0, ...
 00119   444   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 9371648, 4096, ) == 0x0
 00118   444   NtGdiCreateSolidBrush  ... ) == 0x8100452
 00120   444   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00121   444   NtGdiCreateCompatibleDC  (0, ... ) == 0x7010453
 00122   444   NtGdiSelectBitmap  (117507155, 184878159, ... ) == 0x185000f
 00123   444   NtUserGetThreadDesktop  (444, 0, ... ) == 0x2c
 00124   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 52, ) }, ... 52, ) == 0x0
 00125   444   NtQueryValueKey  (52,  (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00126   444   NtClose  (52, ... ) == 0x0
 00127   444   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00128   444   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 673, 128, 0, ... ) == 0x810dc017
 00129   444   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00130   444   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 674, 128, 0, ... ) == 0x810dc01c
 00131   444   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00132   444   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 675, 128, 0, ... ) == 0x810dc01e
 00133   444   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00134   444   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 676, 128, 0, ... ) == 0x810d8002
 00135   444   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10013
 00136   444   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 677, 128, 0, ... ) == 0x810dc018
 00137   444   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00138   444   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 678, 128, 0, ... ) == 0x810dc01a
 00139   444   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00140   444   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 679, 128, 0, ... ) == 0x810dc01d
 00141   444   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00142   444   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 681, 128, 0, ... ) == 0x810dc026
 00143   444   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00144   444   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 680, 128, 0, ... ) == 0x810dc019
 00145   444   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc020
 00146   444   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810dc022
 00147   444   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc023
 00148   444   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ...
 00149   444   NtAllocateVirtualMemory  (-1, 6336512, 0, 4096, 4096, 32, ... 6336512, 4096, ) == 0x0
 00148   444   NtUserRegisterClassExWOW  ... ) == 0x810dc024
 00150   444   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc025
 00151   444   NtCallbackReturn  (0, 0, 0, ...
 00152   444   NtGdiInit  (... ) == 0x1
 00153   444   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00154   444   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00155   444   NtAllocateVirtualMemory  (-1, 0, 0, 17506, 4096, 4, ... 9437184, 20480, ) == 0x0
 00156   444   NtFreeVirtualMemory  (-1, (0x900000), 0, 32768, ... (0x900000), 20480, ) == 0x0
 00157   444   NtQueryVirtualMemory  (-1, 0x401000, Basic, 52, ... {BaseAddress=0x401000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0x23000,State=0x1000,Protect=0x80,Type=0x1000000,}, 28, ) == 0x0
 00158   444   NtQueryVirtualMemory  (-1, 0x45754c, Basic, 28, ... {BaseAddress=0x457000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0x6000,State=0x1000,Protect=0x4,Type=0x1000000,}, 28, ) == 0x0
 00159   444   NtAllocateVirtualMemory  (-1, 1392640, 0, 4096, 4096, 4, ... 1392640, 4096, ) == 0x0
 00160   444   NtProtectVirtualMemory  (-1, (0x4001f0), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00161   444   NtProtectVirtualMemory  (-1, (0x4001f0), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00162   444   NtProtectVirtualMemory  (-1, (0x400218), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00163   444   NtProtectVirtualMemory  (-1, (0x400218), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00164   444   NtProtectVirtualMemory  (-1, (0x400240), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00165   444   NtProtectVirtualMemory  (-1, (0x400240), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00166   444   NtProtectVirtualMemory  (-1, (0x400268), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00167   444   NtProtectVirtualMemory  (-1, (0x400268), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00168   444   NtProtectVirtualMemory  (-1, (0x400290), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00169   444   NtProtectVirtualMemory  (-1, (0x400290), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00170   444   NtProtectVirtualMemory  (-1, (0x4002b8), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00171   444   NtProtectVirtualMemory  (-1, (0x4002b8), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00172   444   NtProtectVirtualMemory  (-1, (0x4002e0), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00173   444   NtProtectVirtualMemory  (-1, (0x4002e0), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00174   444   NtProtectVirtualMemory  (-1, (0x400308), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00175   444   NtProtectVirtualMemory  (-1, (0x400308), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00176   444   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00177   444   NtUserFindWindowEx  (0, 0,  (0, 0, "WispWindowClass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00178   444   NtUserBuildHwndList  (0, 0, 0, 0, 64, ... (0x3004c, 0x100d8, 0x100a6, 0x100a4, 0x60036, 0x20064, 0x20062, 0x10080, 0x10074, 0x10068, 0x3004a, 0x10066, 0x3003c, 0x1009c, 0x1008c, 0x1007c, 0x10026, 0x100d4, 0x100d0, 0x100be, 0x100bc, 0x100ba, 0x100b8, 0x100b6, 0x100b4, 0x100b0, 0x100ae, 0x2005e, 0x100aa, 0x100cc, 0x100c2, 0x100c0, 0x100a8, 0x1006c, 0x50050, 0x40054, 0x5004e, 0x1007e, 0x10076, 0x1, ), 40, ) == 0x0
 00179   444   NtUserQueryWindow  (196684, 0, ... ) == 0x70c
 00180   444   NtUserQueryWindow  (196684, 1, ... ) == 0x738
 00181   444   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {1804, 0}, ... 52, ) == 0x0
 00182   444   NtReadVirtualMemory  (52, 0x400000, 64, ...  (52, 0x400000, 64, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 64, ) , 64, ) == 0x0
 00183   444   NtReadVirtualMemory  (52, 0x4b1c86, 4, ...
 00184   444   NtContinue  (-135070564, 0, ...
 00183   444   NtReadVirtualMemory  ... ) == STATUS_PARTIAL_COPY
 00185   444   NtReadVirtualMemory  (52, 0x4c91a0, 256, ...
 00186   444   NtContinue  (-135070564, 0, ...
 00185   444   NtReadVirtualMemory  ... ) == STATUS_PARTIAL_COPY
 00187   444   NtClose  (52, ... ) == 0x0
 00188   444   NtUserQueryWindow  (65752, 0, ... ) == 0x70c
 00189   444   NtUserQueryWindow  (65752, 1, ... ) == 0x738
 00190   444   NtUserQueryWindow  (65702, 0, ... ) == 0x7d0
 00191   444   NtUserQueryWindow  (65702, 1, ... ) == 0x7d4
 00192   444   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {2000, 0}, ... 52, ) == 0x0
 00193   444   NtReadVirtualMemory  (52, 0x400000, 64, ...  (52, 0x400000, 64, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \1\0\0", 64, ) , 64, ) == 0x0
 00194   444   NtReadVirtualMemory  (52, 0x4b1c86, 4, ...  (52, 0x4b1c86, 4, ... "\0\0\0\0", 4, ) , 4, ) == 0x0
 00195   444   NtReadVirtualMemory  (52, 0x4c91a0, 256, ...  (52, 0x4c91a0, 256, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, ) , 256, ) == 0x0
 00196   444   NtClose  (52, ... ) == 0x0
 00197   444   NtUserQueryWindow  (65700, 0, ... ) == 0x7d0
 00198   444   NtUserQueryWindow  (65700, 1, ... ) == 0x7d4
 00199   444   NtUserQueryWindow  (393270, 0, ... ) == 0x7d0
 00200   444   NtUserQueryWindow  (393270, 1, ... ) == 0x7d4
 00201   444   NtUserQueryWindow  (131172, 0, ... ) == 0x7d0
 00202   444   NtUserQueryWindow  (131172, 1, ... ) == 0x7d4
 00203   444   NtUserQueryWindow  (131170, 0, ... ) == 0x70c
 00204   444   NtUserQueryWindow  (131170, 1, ... ) == 0x738
 00205   444   NtUserQueryWindow  (65664, 0, ... ) == 0x70c
 00206   444   NtUserQueryWindow  (65664, 1, ... ) == 0x738
 00207   444   NtUserQueryWindow  (65652, 0, ... ) == 0x70c
 00208   444   NtUserQueryWindow  (65652, 1, ... ) == 0x738
 00209   444   NtUserQueryWindow  (65640, 0, ... ) == 0x70c
 00210   444   NtUserQueryWindow  (65640, 1, ... ) == 0x738
 00211   444   NtUserQueryWindow  (196682, 0, ... ) == 0x70c
 00212   444   NtUserQueryWindow  (196682, 1, ... ) == 0x738
 00213   444   NtUserQueryWindow  (65638, 0, ... ) == 0x70c
 00214   444   NtUserQueryWindow  (65638, 1, ... ) == 0x738
 00215   444   NtUserQueryWindow  (196668, 0, ... ) == 0x70c
 00216   444   NtUserQueryWindow  (196668, 1, ... ) == 0x738
 00217   444   NtUserQueryWindow  (65692, 0, ... ) == 0x70c
 00218   444   NtUserQueryWindow  (65692, 1, ... ) == 0x738
 00219   444   NtUserQueryWindow  (65676, 0, ... ) == 0x70c
 00220   444   NtUserQueryWindow  (65676, 1, ... ) == 0x738
 00221   444   NtUserQueryWindow  (65660, 0, ... ) == 0x70c
 00222   444   NtUserQueryWindow  (65660, 1, ... ) == 0x710
 00223   444   NtUserQueryWindow  (65574, 0, ... ) == 0x268
 00224   444   NtUserQueryWindow  (65574, 1, ... ) == 0x2c4
 00225   444   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {616, 0}, ... 52, ) == 0x0
 00226   444   NtReadVirtualMemory  (52, 0x400000, 64, ...  (52, 0x400000, 64, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 64, ) , 64, ) == 0x0
 00227   444   NtReadVirtualMemory  (52, 0x4b1c86, 4, ...  (52, 0x4b1c86, 4, ... "\0\0\0\0", 4, ) , 4, ) == 0x0
 00228   444   NtReadVirtualMemory  (52, 0x4c91a0, 256, ...  (52, 0x4c91a0, 256, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, ) , 256, ) == 0x0
 00229   444   NtClose  (52, ... ) == 0x0
 00230   444   NtUserQueryWindow  (65748, 0, ... ) == 0xf4
 00231   444   NtUserQueryWindow  (65748, 1, ... ) == 0xf8
 00232   444   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {244, 0}, ... 52, ) == 0x0
 00233   444   NtReadVirtualMemory  (52, 0x400000, 64, ...  (52, 0x400000, 64, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 64, ) , 64, ) == 0x0
 00234   444   NtReadVirtualMemory  (52, 0x4b1c86, 4, ...
 00235   444   NtContinue  (-135070564, 0, ...
 00234   444   NtReadVirtualMemory  ... ) == STATUS_PARTIAL_COPY
 00236   444   NtReadVirtualMemory  (52, 0x4c91a0, 256, ...
 00237   444   NtContinue  (-135070564, 0, ...
 00236   444   NtReadVirtualMemory  ... ) == STATUS_PARTIAL_COPY
 00238   444   NtClose  (52, ... ) == 0x0
 00239   444   NtUserQueryWindow  (65744, 0, ... ) == 0xf4
 00240   444   NtUserQueryWindow  (65744, 1, ... ) == 0xf8
 00241   444   NtUserQueryWindow  (65726, 0, ... ) == 0x7dc
 00242   444   NtUserQueryWindow  (65726, 1, ... ) == 0x7e0
 00243   444   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {2012, 0}, ... 52, ) == 0x0
 00244   444   NtReadVirtualMemory  (52, 0x400000, 64, ...  (52, 0x400000, 64, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\0", 64, ) , 64, ) == 0x0
 00245   444   NtReadVirtualMemory  (52, 0x4b1c86, 4, ...  (52, 0x4b1c86, 4, ... "\377\0\377\377", 4, ) , 4, ) == 0x0
 00246   444   NtReadVirtualMemory  (52, 0x4c91a0, 256, ...  (52, 0x4c91a0, 256, ... "\210fvx\210x\206wfvGe$\306d\21\26\210ls\210\210\250g\207\210hhx\207xhvwdfF|d\21\27\210\206hx\250\252\206\210\207v\207\210x\207\207gfv4F\306G\21\21\210\206\207\210\212\250\250h\210\207x\210\210wvwgFD$d!\21\21x\250g\210\212\252\250\206\210\207w\210\207\207wvvgBGd\21\21\21\210\212\203\210\250\252\212\210x\210w\210\210xwgcd%F\1\21\21\21\27\212\250\210\212\252\252\210f\210\207x\210\207w7fR@`\21\21\21\21\21\210\2508\212\252\250\250\210gw\21088vvu$$!\21\21\21\21\21\30\210\210\210\212\252\210\206vgw\210\203wsb`\7\21\21\21\21\21\21\21\210\203\210\210\210\210\207vvwwwsf4\7\21\21\21\21\21\21\21\21\30\210\210\210\210\210wGwvwww5\2\21\21\21\21\21\21", 256, ) , 256, ) == 0x0
 00247   444   NtClose  (52, ... ) == 0x0
 00248   444   NtUserQueryWindow  (65724, 0, ... ) == 0x7dc
 00249   444   NtUserQueryWindow  (65724, 1, ... ) == 0x7e0
 00250   444   NtUserQueryWindow  (65722, 0, ... ) == 0x7dc
 00251   444   NtUserQueryWindow  (65722, 1, ... ) == 0x7e0
 00252   444   NtUserQueryWindow  (65720, 0, ... ) == 0x7dc
 00253   444   NtUserQueryWindow  (65720, 1, ... ) == 0x7e0
 00254   444   NtUserQueryWindow  (65718, 0, ... ) == 0x7dc
 00255   444   NtUserQueryWindow  (65718, 1, ... ) == 0x7e0
 00256   444   NtUserQueryWindow  (65716, 0, ... ) == 0x7dc
 00257   444   NtUserQueryWindow  (65716, 1, ... ) == 0x7e0
 00258   444   NtUserQueryWindow  (65712, 0, ... ) == 0x7dc
 00259   444   NtUserQueryWindow  (65712, 1, ... ) == 0x7e0
 00260   444   NtUserQueryWindow  (65710, 0, ... ) == 0x7dc
 00261   444   NtUserQueryWindow  (65710, 1, ... ) == 0x7e0
 00262   444   NtUserQueryWindow  (131166, 0, ... ) == 0x7c8
 00263   444   NtUserQueryWindow  (131166, 1, ... ) == 0x7cc
 00264   444   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {1992, 0}, ... 52, ) == 0x0
 00265   444   NtReadVirtualMemory  (52, 0x400000, 64, ...  (52, 0x400000, 64, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0", 64, ) , 64, ) == 0x0
 00266   444   NtReadVirtualMemory  (52, 0x4b1c86, 4, ...
 00267   444   NtContinue  (-135070564, 0, ...
 00266   444   NtReadVirtualMemory  ... ) == STATUS_PARTIAL_COPY
 00268   444   NtReadVirtualMemory  (52, 0x4c91a0, 256, ...
 00269   444   NtContinue  (-135070564, 0, ...
 00268   444   NtReadVirtualMemory  ... ) == STATUS_PARTIAL_COPY
 00270   444   NtClose  (52, ... ) == 0x0
 00271   444   NtUserQueryWindow  (65706, 0, ... ) == 0x7e8
 00272   444   NtUserQueryWindow  (65706, 1, ... ) == 0x7ec
 00273   444   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {2024, 0}, ... 52, ) == 0x0
 00274   444   NtReadVirtualMemory  (52, 0x400000, 64, ...  (52, 0x400000, 64, ... "\301\0\0\0\0\1\0\0\377\356\377\356\11\0\0\0\11\0\0\0\0\376\0\0\0\0\20\0\0 \0\0\0\2\0\0\0 \0\0q\0\0\0\377\357\375\177\0\0\10\6\0\0\0\0\0\0\0\0\0\0\0\0", 64, ) , 64, ) == 0x0
 00275   444   NtReadVirtualMemory  (52, 0x4b1c86, 4, ...  (52, 0x4b1c86, 4, ... "\0\0\0\0", 4, ) , 4, ) == 0x0
 00276   444   NtReadVirtualMemory  (52, 0x4c91a0, 256, ...  (52, 0x4c91a0, 256, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, ) , 256, ) == 0x0
 00277   444   NtClose  (52, ... ) == 0x0
 00278   444   NtUserQueryWindow  (65740, 0, ... ) == 0x70c
 00279   444   NtUserQueryWindow  (65740, 1, ... ) == 0x104
 00280   444   NtUserQueryWindow  (65730, 0, ... ) == 0x70c
 00281   444   NtUserQueryWindow  (65730, 1, ... ) == 0x104
 00282   444   NtUserQueryWindow  (65728, 0, ... ) == 0x70c
 00283   444   NtUserQueryWindow  (65728, 1, ... ) == 0x738
 00284   444   NtUserQueryWindow  (65704, 0, ... ) == 0x7d0
 00285   444   NtUserQueryWindow  (65704, 1, ... ) == 0x7d4
 00286   444   NtUserQueryWindow  (65644, 0, ... ) == 0x70c
 00287   444   NtUserQueryWindow  (65644, 1, ... ) == 0x79c
 00288   444   NtUserQueryWindow  (327760, 0, ... ) == 0x70c
 00289   444   NtUserQueryWindow  (327760, 1, ... ) == 0x710
 00290   444   NtUserQueryWindow  (262228, 0, ... ) == 0x70c
 00291   444   NtUserQueryWindow  (262228, 1, ... ) == 0x710
 00292   444   NtUserQueryWindow  (327758, 0, ... ) == 0x70c
 00293   444   NtUserQueryWindow  (327758, 1, ... ) == 0x710
 00294   444   NtUserQueryWindow  (65662, 0, ... ) == 0x70c
 00295   444   NtUserQueryWindow  (65662, 1, ... ) == 0x710
 00296   444   NtUserQueryWindow  (65654, 0, ... ) == 0x70c
 00297   444   NtUserQueryWindow  (65654, 1, ... ) == 0x710
 00298   444   NtRaiseException  (1242696, 1241956, 1, ...
 00299   444   NtContinue  (1240752, 0, ...
 00300   444   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 52, ) }, ... 52, ) == 0x0
 00301   444   NtOpenMutant  (0x120001, {24, 52, 0x2, 0, 0,  (0x120001, {24, 52, 0x2, 0, 0, "DBWinMutex"}, ... 56, ) }, ... 56, ) == 0x0
 00302   444   NtWaitForSingleObject  (56, 0, 0x0, ... ) == 0x0
 00303   444   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00304   444   NtReleaseMutant  (56, ... 0x0, ) == 0x0
 00305   444   NtDuplicateObject  (-1, 3101, -1, 0x0, 0, 2, ... ) == STATUS_INVALID_HANDLE
 00306   444   NtClose  (0, ... ) == STATUS_INVALID_HANDLE
 00307   444   NtClose  (0, ... ) == STATUS_INVALID_HANDLE
 00308   444   NtUserBuildHwndList  (0, 0, 0, 0, 64, ... (0x3004c, 0x100d8, 0x100a6, 0x100a4, 0x60036, 0x20064, 0x20062, 0x10080, 0x10074, 0x10068, 0x3004a, 0x10066, 0x3003c, 0x1009c, 0x1008c, 0x1007c, 0x10026, 0x100d4, 0x100d0, 0x100be, 0x100bc, 0x100ba, 0x100b8, 0x100b6, 0x100b4, 0x100b0, 0x100ae, 0x2005e, 0x100aa, 0x100cc, 0x100c2, 0x100c0, 0x100a8, 0x1006c, 0x50050, 0x40054, 0x5004e, 0x1007e, 0x10076, 0x1, ), 40, ) == 0x0
 00309   444   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00310   444   NtUserFindWindowEx  (0, 0,  (0, 0, "WispWindowClass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00311   444   NtUserBuildHwndList  (0, 0, 0, 0, 64, ... (0x3004c, 0x100d8, 0x100a6, 0x100a4, 0x60036, 0x20064, 0x20062, 0x10080, 0x10074, 0x10068, 0x3004a, 0x10066, 0x3003c, 0x1009c, 0x1008c, 0x1007c, 0x10026, 0x100d4, 0x100d0, 0x100be, 0x100bc, 0x100ba, 0x100b8, 0x100b6, 0x100b4, 0x100b0, 0x100ae, 0x2005e, 0x100aa, 0x100cc, 0x100c2, 0x100c0, 0x100a8, 0x1006c, 0x50050, 0x40054, 0x5004e, 0x1007e, 0x10076, 0x1, ), 40, ) == 0x0
 00312   444   NtUserQueryWindow  (196684, 0, ... ) == 0x70c
 00313   444   NtUserQueryWindow  (196684, 1, ... ) == 0x738
 00314   444   NtUserQueryWindow  (65752, 0, ... ) == 0x70c
 00315   444   NtUserQueryWindow  (65752, 1, ... ) == 0x738
 00316   444   NtUserQueryWindow  (65702, 0, ... ) == 0x7d0
 00317   444   NtUserQueryWindow  (65702, 1, ... ) == 0x7d4
 00318   444   NtUserQueryWindow  (65700, 0, ... ) == 0x7d0
 00319   444   NtUserQueryWindow  (65700, 1, ... ) == 0x7d4
 00320   444   NtUserQueryWindow  (393270, 0, ... ) == 0x7d0
 00321   444   NtUserQueryWindow  (393270, 1, ... ) == 0x7d4
 00322   444   NtUserQueryWindow  (131172, 0, ... ) == 0x7d0
 00323   444   NtUserQueryWindow  (131172, 1, ... ) == 0x7d4
 00324   444   NtUserQueryWindow  (131170, 0, ... ) == 0x70c
 00325   444   NtUserQueryWindow  (131170, 1, ... ) == 0x738
 00326   444   NtUserQueryWindow  (65664, 0, ... ) == 0x70c
 00327   444   NtUserQueryWindow  (65664, 1, ... ) == 0x738
 00328   444   NtUserQueryWindow  (65652, 0, ... ) == 0x70c
 00329   444   NtUserQueryWindow  (65652, 1, ... ) == 0x738
 00330   444   NtUserQueryWindow  (65640, 0, ... ) == 0x70c
 00331   444   NtUserQueryWindow  (65640, 1, ... ) == 0x738
 00332   444   NtUserQueryWindow  (196682, 0, ... ) == 0x70c
 00333   444   NtUserQueryWindow  (196682, 1, ... ) == 0x738
 00334   444   NtUserQueryWindow  (65638, 0, ... ) == 0x70c
 00335   444   NtUserQueryWindow  (65638, 1, ... ) == 0x738
 00336   444   NtUserQueryWindow  (196668, 0, ... ) == 0x70c
 00337   444   NtUserQueryWindow  (196668, 1, ... ) == 0x738
 00338   444   NtUserQueryWindow  (65692, 0, ... ) == 0x70c
 00339   444   NtUserQueryWindow  (65692, 1, ... ) == 0x738
 00340   444   NtUserQueryWindow  (65676, 0, ... ) == 0x70c
 00341   444   NtUserQueryWindow  (65676, 1, ... ) == 0x738
 00342   444   NtUserQueryWindow  (65660, 0, ... ) == 0x70c
 00343   444   NtUserQueryWindow  (65660, 1, ... ) == 0x710
 00344   444   NtUserQueryWindow  (65574, 0, ... ) == 0x268
 00345   444   NtUserQueryWindow  (65574, 1, ... ) == 0x2c4
 00346   444   NtUserQueryWindow  (65748, 0, ... ) == 0xf4
 00347   444   NtUserQueryWindow  (65748, 1, ... ) == 0xf8
 00348   444   NtUserQueryWindow  (65744, 0, ... ) == 0xf4
 00349   444   NtUserQueryWindow  (65744, 1, ... ) == 0xf8
 00350   444   NtUserQueryWindow  (65726, 0, ... ) == 0x7dc
 00351   444   NtUserQueryWindow  (65726, 1, ... ) == 0x7e0
 00352   444   NtUserQueryWindow  (65724, 0, ... ) == 0x7dc
 00353   444   NtUserQueryWindow  (65724, 1, ... ) == 0x7e0
 00354   444   NtUserQueryWindow  (65722, 0, ... ) == 0x7dc
 00355   444   NtUserQueryWindow  (65722, 1, ... ) == 0x7e0
 00356   444   NtUserQueryWindow  (65720, 0, ... ) == 0x7dc
 00357   444   NtUserQueryWindow  (65720, 1, ... ) == 0x7e0
 00358   444   NtUserQueryWindow  (65718, 0, ... ) == 0x7dc
 00359   444   NtUserQueryWindow  (65718, 1, ... ) == 0x7e0
 00360   444   NtUserQueryWindow  (65716, 0, ... ) == 0x7dc
 00361   444   NtUserQueryWindow  (65716, 1, ... ) == 0x7e0
 00362   444   NtUserQueryWindow  (65712, 0, ... ) == 0x7dc
 00363   444   NtUserQueryWindow  (65712, 1, ... ) == 0x7e0
 00364   444   NtUserQueryWindow  (65710, 0, ... ) == 0x7dc
 00365   444   NtUserQueryWindow  (65710, 1, ... ) == 0x7e0
 00366   444   NtUserQueryWindow  (131166, 0, ... ) == 0x7c8
 00367   444   NtUserQueryWindow  (131166, 1, ... ) == 0x7cc
 00368   444   NtUserQueryWindow  (65706, 0, ... ) == 0x7e8
 00369   444   NtUserQueryWindow  (65706, 1, ... ) == 0x7ec
 00370   444   NtUserQueryWindow  (65740, 0, ... ) == 0x70c
 00371   444   NtUserQueryWindow  (65740, 1, ... ) == 0x104
 00372   444   NtUserQueryWindow  (65730, 0, ... ) == 0x70c
 00373   444   NtUserQueryWindow  (65730, 1, ... ) == 0x104
 00374   444   NtUserQueryWindow  (65728, 0, ... ) == 0x70c
 00375   444   NtUserQueryWindow  (65728, 1, ... ) == 0x738
 00376   444   NtUserQueryWindow  (65704, 0, ... ) == 0x7d0
 00377   444   NtUserQueryWindow  (65704, 1, ... ) == 0x7d4
 00378   444   NtUserQueryWindow  (65644, 0, ... ) == 0x70c
 00379   444   NtUserQueryWindow  (65644, 1, ... ) == 0x79c
 00380   444   NtUserQueryWindow  (327760, 0, ... ) == 0x70c
 00381   444   NtUserQueryWindow  (327760, 1, ... ) == 0x710
 00382   444   NtUserQueryWindow  (262228, 0, ... ) == 0x70c
 00383   444   NtUserQueryWindow  (262228, 1, ... ) == 0x710
 00384   444   NtUserQueryWindow  (327758, 0, ... ) == 0x70c
 00385   444   NtUserQueryWindow  (327758, 1, ... ) == 0x710
 00386   444   NtUserQueryWindow  (65662, 0, ... ) == 0x70c
 00387   444   NtUserQueryWindow  (65662, 1, ... ) == 0x710
 00388   444   NtUserQueryWindow  (65654, 0, ... ) == 0x70c
 00389   444   NtUserQueryWindow  (65654, 1, ... ) == 0x710
 00390   444   NtRaiseException  (1242640, 1241900, 1, ...
 00391   444   NtContinue  (1240696, 0, ...
 00392   444   NtWaitForSingleObject  (56, 0, 0x0, ... ) == 0x0
 00393   444   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00394   444   NtReleaseMutant  (56, ... 0x0, ) == 0x0
 00395   444   NtDuplicateObject  (-1, 3380, -1, 0x0, 0, 2, ... ) == STATUS_INVALID_HANDLE
 00396   444   NtClose  (0, ... ) == STATUS_INVALID_HANDLE
 00397   444   NtClose  (0, ... ) == STATUS_INVALID_HANDLE
 00398   444   NtUserBuildHwndList  (0, 0, 0, 0, 64, ... (0x3004c, 0x100d8, 0x100a6, 0x100a4, 0x60036, 0x20064, 0x20062, 0x10080, 0x10074, 0x10068, 0x3004a, 0x10066, 0x3003c, 0x1009c, 0x1008c, 0x1007c, 0x10026, 0x100d4, 0x100d0, 0x100be, 0x100bc, 0x100ba, 0x100b8, 0x100b6, 0x100b4, 0x100b0, 0x100ae, 0x2005e, 0x100aa, 0x100cc, 0x100c2, 0x100c0, 0x100a8, 0x1006c, 0x50050, 0x40054, 0x5004e, 0x1007e, 0x10076, 0x1, ), 40, ) == 0x0
 00399   444   NtSetSecurityObject  (-1, 4, {1, 0, 0x4, 0, 0, 0, 1242476}, ... ) == 0x0
 00400   444   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 60, ) }, ... 60, ) == 0x0
 00401   444   NtQueryValueKey  (60,  (60, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00402   444   NtClose  (60, ... ) == 0x0
 00403   444   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MPR.dll"}, ... 60, ) }, ... 60, ) == 0x0
 00404   444   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71b20000), 0x0, 69632, ) == 0x0
 00405   444   NtClose  (60, ... ) == 0x0
 00406   444   NtCreateSemaphore  (0x1f0003, 0x0, 1, 1, ... 60, ) == 0x0
 00407   444   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 64, ) == 0x0
 00408   444   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "system\CurrentControlSet\control\NetworkProvider\HwOrder"}, ... 68, ) }, ... 68, ) == 0x0
 00409   444   NtNotifyChangeKey  (68, 64, 0, 0, 2011390432, 4, 0, 0, 0, 1, ... ) == 0x103
 00410   444   NtQueryInformationProcess  (-1, 28, 4, ... {process info, class 28, size 4}, 0x0, ) == 0x0
 00411   444   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 72, ) == 0x0
 00412   444   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 76, ) == 0x0
 00413   444   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ODBC32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00414   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\ODBC32.dll"}, 1241484, ... ) }, 1241484, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00415   444   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "ODBC32.dll"}, 1241484, ... ) }, 1241484, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00416   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ODBC32.dll"}, 1241484, ... ) }, 1241484, ... ) == 0x0
 00417   444   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ODBC32.dll"}, 5, 96, ... 80, {status=0x0, info=1}, ) }, 5, 96, ... 80, {status=0x0, info=1}, ) == 0x0
 00418   444   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 80, ... 84, ) == 0x0
 00419   444   NtQuerySection  (84, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00420   444   NtOpenProcessToken  (-1, 0x8, ... 88, ) == 0x0
 00421   444   NtQueryInformationToken  (88, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00422   444   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00423   444   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 92, ) }, ... 92, ) == 0x0
 00424   444   NtQueryValueKey  (92,  (92, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (92, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00425   444   NtClose  (92, ... ) == 0x0
 00426   444   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00427   444   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 92, ) == 0x0
 00428   444   NtQueryInformationToken  (92, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00429   444   NtClose  (92, ... ) == 0x0
 00430   444   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00431   444   NtClose  (88, ... ) == 0x0
 00432   444   NtClose  (80, ... ) == 0x0
 00433   444   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x1f7b0000), 0x0, 200704, ) == 0x0
 00434   444   NtClose  (84, ... ) == 0x0
 00435   444   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "COMCTL32.dll"}, ... 84, ) }, ... 84, ) == 0x0
 00436   444   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0
 00437   444   NtClose  (84, ... ) == 0x0
 00438   444   NtProtectVirtualMemory  (-1, (0x1f7b1000), 724, 4, ... (0x1f7b1000), 4096, 32, ) == 0x0
 00439   444   NtProtectVirtualMemory  (-1, (0x1f7b1000), 4096, 32, ... (0x1f7b1000), 4096, 4, ) == 0x0
 00440   444   NtFlushInstructionCache  (-1, 528158720, 724, ... ) == 0x0
 00441   444   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "comdlg32.dll"}, ... 84, ) }, ... 84, ) == 0x0
 00442   444   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x763b0000), 0x0, 282624, ) == 0x0
 00443   444   NtClose  (84, ... ) == 0x0
 00444   444   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 84, ) }, ... 84, ) == 0x0
 00445   444   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x772d0000), 0x0, 405504, ) == 0x0
 00446   444   NtClose  (84, ... ) == 0x0
 00447   444   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 84, ) }, ... 84, ) == 0x0
 00448   444   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0
 00449   444   NtClose  (84, ... ) == 0x0
 00450   444   NtProtectVirtualMemory  (-1, (0x763b1000), 1536, 4, ... (0x763b1000), 4096, 32, ) == 0x0
 00451   444   NtProtectVirtualMemory  (-1, (0x763b1000), 4096, 32, ... (0x763b1000), 4096, 4, ) == 0x0
 00452   444   NtFlushInstructionCache  (-1, 1983582208, 1536, ... ) == 0x0
 00453   444   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHELL32.dll"}, ... 84, ) }, ... 84, ) == 0x0
 00454   444   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 8339456, ) == 0x0
 00455   444   NtClose  (84, ... ) == 0x0
 00456   444   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {436, 0}, ... 84, ) == 0x0
 00457   444   NtQueryInformationProcess  (84, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 00458   444   NtClose  (84, ... ) == 0x0
 00459   444   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00460   444   NtUserSystemParametersInfo  (104, 0, 2000318720, 0, ... ) == 0x1
 00461   444   NtUserSystemParametersInfo  (38, 4, 2000318708, 0, ... ) == 0x1
 00462   444   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00463   444   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 84, ) == 0x0
 00464   444   NtQueryInformationToken  (84, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00465   444   NtClose  (84, ... ) == 0x0
 00466   444   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 84, ) }, ... 84, ) == 0x0
 00467   444   NtSetInformationObject  (84, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 00468   444   NtOpenKey  (0x20019, {24, 84, 0x40, 0, 0,  (0x20019, {24, 84, 0x40, 0, 0, "Control Panel\Desktop"}, ... 80, ) }, ... 80, ) == 0x0
 00469   444   NtQueryValueKey  (80,  (80, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00470   444   NtClose  (80, ... ) == 0x0
 00471   444   NtUserSystemParametersInfo  (41, 500, 1241216, 0, ... ) == 0x1
 00472   444   NtUserSystemParametersInfo  (102, 0, 2000318732, 0, ... ) == 0x1
 00473   444   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00474   444   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00475   444   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc03b
 00476   444   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00477   444   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc03d
 00478   444   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00479   444   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00480   444   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc03f
 00481   444   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00482   444   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00483   444   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc041
 00484   444   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00485   444   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00486   444   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc043
 00487   444   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00488   444   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc045
 00489   444   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00490   444   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00491   444   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc047
 00492   444   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00493   444   NtUserFindExistingCursorIcon  (1241004, 1241020, 1241588, ... ) == 0x10011
 00494   444   NtUserRegisterClassExWOW  (1241456, 1241536, 1241520, 1241552, 0, 384, 0, ... ) == 0x810dc049
 00495   444   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00496   444   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00497   444   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc04b
 00498   444   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00499   444   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00500   444   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc04d
 00501   444   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00502   444   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00503   444   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc04f
 00504   444   NtUserGetClassInfo  (1999896576, 1241628, 1241580, 1241656, 0, ... ) == 0x0
 00505   444   NtUserRegisterClassExWOW  (1241464, 1241544, 1241528, 1241560, 0, 384, 0, ... ) == 0x810dc051
 00506   444   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00507   444   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00508   444   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc053
 00509   444   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00510   444   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00511   444   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc055
 00512   444   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc057
 00513   444   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00514   444   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00515   444   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc059
 00516   444   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00517   444   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10013
 00518   444   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc05b
 00519   444   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00520   444   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00521   444   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc05d
 00522   444   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00523   444   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00524   444   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc05f
 00525   444   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00526   444   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 9437184, 65536, ) == 0x0
 00527   444   NtAllocateVirtualMemory  (-1, 9437184, 0, 4096, 4096, 4, ... 9437184, 4096, ) == 0x0
 00528   444   NtAllocateVirtualMemory  (-1, 9441280, 0, 8192, 4096, 4, ... 9441280, 8192, ) == 0x0
 00529   444   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 80, ) }, ... 80, ) == 0x0
 00530   444   NtMapViewOfSection  (80, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x910000), 0x0, 12288, ) == 0x0
 00531   444   NtClose  (80, ... ) == 0x0
 00532   444   NtAllocateVirtualMemory  (-1, 9449472, 0, 4096, 4096, 4, ... 9449472, 4096, ) == 0x0
 00533   444   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00534   444   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 80, ) }, ... 80, ) == 0x0
 00535   444   NtQueryValueKey  (80,  (80, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00536   444   NtClose  (80, ... ) == 0x0
 00537   444   NtQueryDefaultUILanguage  (1239840, ...
 00538   444   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00539   444   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 00540   444   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00541   444   NtClose  (-2147482020, ... ) == 0x0
 00542   444   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00543   444   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00544   444   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00545   444   NtQueryValueKey  (-2147482032,  (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00546   444   NtClose  (-2147482032, ... ) == 0x0
 00547   444   NtClose  (-2147482020, ... ) == 0x0
 00537   444   NtQueryDefaultUILanguage  ... ) == 0x0
 00548   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00549   444   NtQueryInstallUILanguage  (2012047340, ... ) == 0x0
 00550   444   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1, 96, ... 80, {status=0x0, info=1}, ) }, 1, 96, ... 80, {status=0x0, info=1}, ) == 0x0
 00551   444   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 80, ... 88, ) == 0x0
 00552   444   NtMapViewOfSection  (88, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x920000), 0x0, 8323072, ) == 0x0
 00553   444   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00554   444   NtQueryDefaultUILanguage  (2013024600, ...
 00555   444   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00556   444   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 00557   444   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00558   444   NtClose  (-2147482020, ... ) == 0x0
 00559   444   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00560   444   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00561   444   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00562   444   NtQueryValueKey  (-2147482032,  (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00563   444   NtClose  (-2147482032, ... ) == 0x0
 00564   444   NtClose  (-2147482020, ... ) == 0x0
 00554   444   NtQueryDefaultUILanguage  ... ) == 0x0
 00565   444   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00566   444   NtQueryInstallUILanguage  (2013024602, ... ) == 0x0
 00567   444   NtQueryDefaultLocale  (1, 1237876, ... ) == 0x0
 00568   444   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00569   444   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1238732, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1238732, 1, 96, 0} "\210\6\32\1\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1P\0\0\0\377\377\377\377\0\0\0\0\20\311\311\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\314\355\22\0\0\0\0\0" ... {128, 156, reply, 0, 436, 444, 1555, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1P\0\0\0\377\377\377\377\0\0\0\0\20\311\311\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\314\355\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 436, 444, 1555, 0}  (24, {128, 156, new_msg, 0, 1238732, 1, 96, 0} "\210\6\32\1\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1P\0\0\0\377\377\377\377\0\0\0\0\20\311\311\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\314\355\22\0\0\0\0\0" ... {128, 156, reply, 0, 436, 444, 1555, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1P\0\0\0\377\377\377\377\0\0\0\0\20\311\311\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\314\355\22\0\0\0\0\0" )  ) == 0x0
 00570   444   NtClose  (80, ... ) == 0x0
 00571   444   NtClose  (88, ... ) == 0x0
 00572   444   NtUnmapViewOfSection  (-1, 0x920000, ... ) == 0x0
 00573   444   NtUnmapViewOfSection  (-1, 0x12edcc, ... ) == STATUS_NOT_MAPPED_VIEW
 00574   444   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00575   444   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00576   444   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00577   444   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00578   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1236960, ... ) }, 1236960, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00579   444   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00580   444   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00581   444   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00582   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1237552, ... ) }, 1237552, ... ) == 0x0
 00583   444   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 88, {status=0x0, info=1}, ) }, 3, 33, ... 88, {status=0x0, info=1}, ) == 0x0
 00584   444   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00585   444   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 80, {status=0x0, info=1}, ) }, 5, 96, ... 80, {status=0x0, info=1}, ) == 0x0
 00586   444   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 80, ... 92, ) == 0x0
 00587   444   NtClose  (80, ... ) == 0x0
 00588   444   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x920000), 0x0, 921600, ) == 0x0
 00589   444   NtClose  (92, ... ) == 0x0
 00590   444   NtUnmapViewOfSection  (-1, 0x920000, ... ) == 0x0
 00591   444   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 92, {status=0x0, info=1}, ) }, 5, 96, ... 92, {status=0x0, info=1}, ) == 0x0
 00592   444   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 92, ... 80, ) == 0x0
 00593   444   NtQuerySection  (80, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00594   444   NtClose  (92, ... ) == 0x0
 00595   444   NtMapViewOfSection  (80, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0
 00596   444   NtClose  (80, ... ) == 0x0
 00597   444   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00598   444   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00599   444   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00600   444   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00601   444   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00602   444   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00603   444   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00604   444   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00605   444   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00606   444   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00607   444   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00608   444   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00609   444   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00610   444   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00611   444   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00612   444   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00613   444   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00614   444   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00615   444   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00616   444   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00617   444   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00618   444   NtAddAtom  ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1238736, ... ) , 42, 1238736, ... ) == 0x0
 00619   444   NtQueryDefaultUILanguage  (1237452, ...
 00620   444   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00621   444   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 00622   444   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00623   444   NtClose  (-2147482020, ... ) == 0x0
 00624   444   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00625   444   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00626   444   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00627   444   NtQueryValueKey  (-2147482032,  (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00628   444   NtClose  (-2147482032, ... ) == 0x0
 00629   444   NtClose  (-2147482020, ... ) == 0x0
 00619   444   NtQueryDefaultUILanguage  ... ) == 0x0
 00630   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00631   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1236304, ... ) }, 1236304, ... ) == 0x0
 00632   444   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 80, {status=0x0, info=1}, ) }, 5, 96, ... 80, {status=0x0, info=1}, ) == 0x0
 00633   444   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 80, ... 92, ) == 0x0
 00634   444   NtClose  (80, ... ) == 0x0
 00635   444   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x920000), 0x0, 4096, ) == 0x0
 00636   444   NtClose  (92, ... ) == 0x0
 00637   444   NtUnmapViewOfSection  (-1, 0x920000, ... ) == 0x0
 00638   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1235944, ... ) }, 1235944, ... ) == 0x0
 00639   444   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1236644,  (0x80100080, {24, 0, 0x40, 0, 1236644, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 92, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 92, {status=0x0, info=1}, ) == 0x0
 00640   444   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 92, ... 80, ) == 0x0
 00641   444   NtClose  (92, ... ) == 0x0
 00642   444   NtMapViewOfSection  (80, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x920000), {0, 0}, 4096, ) == 0x0
 00643   444   NtClose  (80, ... ) == 0x0
 00644   444   NtUnmapViewOfSection  (-1, 0x920000, ... ) == 0x0
 00645   444   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 80, {status=0x0, info=1}, ) }, 1, 96, ... 80, {status=0x0, info=1}, ) == 0x0
 00646   444   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 80, ... 92, ) == 0x0
 00647   444   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x920000), 0x0, 4096, ) == 0x0
 00648   444   NtQueryInformationFile  (80, 1236264, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0
 00649   444   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00650   444   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1236344, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1236344, 1, 96, 0} "\210\6\32\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\32\1P\0\0\0\\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\32\1\0\0\0\0\0\0\0\0x\344\22\0\0\0\0\0" ... {128, 156, reply, 0, 436, 444, 1556, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\32\1P\0\0\0\\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\32\1\0\0\0\0\0\0\0\0x\344\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 436, 444, 1556, 0}  (24, {128, 156, new_msg, 0, 1236344, 1, 96, 0} "\210\6\32\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\32\1P\0\0\0\\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\32\1\0\0\0\0\0\0\0\0x\344\22\0\0\0\0\0" ... {128, 156, reply, 0, 436, 444, 1556, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\32\1P\0\0\0\\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\32\1\0\0\0\0\0\0\0\0x\344\22\0\0\0\0\0" )  ) == 0x0
 00651   444   NtClose  (80, ... ) == 0x0
 00652   444   NtClose  (92, ... ) == 0x0
 00653   444   NtUnmapViewOfSection  (-1, 0x920000, ... ) == 0x0
 00654   444   NtUnmapViewOfSection  (-1, 0x12e478, ... ) == STATUS_NOT_MAPPED_VIEW
 00655   444   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00656   444   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00657   444   NtUserSystemParametersInfo  (104, 0, 1906151468, 0, ... ) == 0x1
 00658   444   NtUserGetDC  (0, ... ) == 0x1010050
 00659   444   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 00660   444   NtUserSystemParametersInfo  (38, 4, 1906153440, 0, ... ) == 0x1
 00661   444   NtUserSystemParametersInfo  (66, 12, 1238756, 0, ... ) == 0x1
 00662   444   NtOpenProcessToken  (-1, 0x8, ... 92, ) == 0x0
 00663   444   NtAccessCheck  (1393640, 92, 0x1, 1238160, 1238104, 56, 1238188, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 00664   444   NtClose  (92, ... ) == 0x0
 00665   444   NtOpenKey  (0x20019, {24, 84, 0x40, 0, 0,  (0x20019, {24, 84, 0x40, 0, 0, "Control Panel\Desktop"}, ... 92, ) }, ... 92, ) == 0x0
 00666   444   NtQueryValueKey  (92,  (92, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00667   444   NtClose  (92, ... ) == 0x0
 00668   444   NtUserSystemParametersInfo  (41, 500, 1238256, 0, ... ) == 0x1
 00669   444   NtAllocateVirtualMemory  (-1, 1396736, 0, 4096, 4096, 4, ... 1396736, 4096, ) == 0x0
 00670   444   NtOpenKey  (0x1, {24, 84, 0x40, 0, 0,  (0x1, {24, 84, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 92, ) }, ... 92, ) == 0x0
 00671   444   NtQueryValueKey  (92,  (92, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00672   444   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 80, ) }, ... 80, ) == 0x0
 00673   444   NtQueryValueKey  (80,  (80, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00674   444   NtClose  (80, ... ) == 0x0
 00675   444   NtClose  (92, ... ) == 0x0
 00676   444   NtUserSystemParametersInfo  (102, 0, 1906153328, 0, ... ) == 0x1
 00677   444   NtUserSystemParametersInfo  (4130, 0, 1238780, 0, ... ) == 0x1
 00678   444   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 92, ) }, ... 92, ) == 0x0
 00679   444   NtEnumerateValueKey  (92, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 00680   444   NtClose  (92, ... ) == 0x0
 00681   444   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00682   444   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc03b
 00683   444   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc03d
 00684   444   NtUserFindExistingCursorIcon  (1238060, 1238076, 1238644, ... ) == 0x10011
 00685   444   NtUserRegisterClassExWOW  (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810dc03f
 00686   444   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00687   444   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc041
 00688   444   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00689   444   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc043
 00690   444   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc045
 00691   444   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00692   444   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc047
 00693   444   NtUserFindExistingCursorIcon  (1238060, 1238076, 1238644, ... ) == 0x10011
 00694   444   NtUserRegisterClassExWOW  (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ...
 00695   444   NtAllocateVirtualMemory  (-1, 6340608, 0, 4096, 4096, 32, ... 6340608, 4096, ) == 0x0
 00694   444   NtUserRegisterClassExWOW  ... ) == 0x810dc049
 00696   444   NtUserGetClassInfo  (1905590272, 1238676, 1238628, 1238704, 0, ... ) == 0xc049
 00697   444   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00698   444   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc04b
 00699   444   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00700   444   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc04d
 00701   444   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00702   444   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc04f
 00703   444   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc051
 00704   444   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00705   444   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc053
 00706   444   NtUserFindExistingCursorIcon  (1238060, 1238076, 1238644, ... ) == 0x10011
 00707   444   NtUserRegisterClassExWOW  (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810dc055
 00708   444   NtUserRegisterClassExWOW  (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810dc057
 00709   444   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00710   444   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc059
 00711   444   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10013
 00712   444   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc05b
 00713   444   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00714   444   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc05d
 00715   444   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00716   444   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc05f
 00717   444   NtUserFindExistingCursorIcon  (1238060, 1238076, 1238644, ... ) == 0x10011
 00718   444   NtUserRegisterClassExWOW  (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810dc017
 00719   444   NtUserFindExistingCursorIcon  (1238060, 1238076, 1238644, ... ) == 0x10011
 00720   444   NtUserRegisterClassExWOW  (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810dc019
 00721   444   NtUserFindExistingCursorIcon  (1238060, 1238076, 1238644, ... ) == 0x10013
 00722   444   NtUserRegisterClassExWOW  (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810dc018
 00723   444   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00724   444   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc01a
 00725   444   NtUserFindExistingCursorIcon  (1238060, 1238076, 1238644, ... ) == 0x10011
 00726   444   NtUserRegisterClassExWOW  (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810dc01c
 00727   444   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00728   444   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc01e
 00729   444   NtUserFindExistingCursorIcon  (1238060, 1238076, 1238644, ... ) == 0x10011
 00730   444   NtUserRegisterClassExWOW  (1238572, 1238652, 1238636, 1238668, 0, 384, 0, ... ) == 0x810dc01b
 00731   444   NtUserFindExistingCursorIcon  (1238056, 1238072, 1238640, ... ) == 0x10011
 00732   444   NtUserRegisterClassExWOW  (1238568, 1238648, 1238632, 1238664, 0, 384, 0, ... ) == 0x810dc068
 00733   444   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00734   444   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc06a
 00735   444   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc03b
 00736   444   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc03d
 00737   444   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc03f
 00738   444   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc041
 00739   444   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc043
 00740   444   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc045
 00741   444   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc047
 00742   444   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc049
 00743   444   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc04b
 00744   444   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc04d
 00745   444   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc04f
 00746   444   NtUserGetClassInfo  (1999896576, 1241580, 1241532, 1241608, 0, ... ) == 0xc051
 00747   444   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc053
 00748   444   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc055
 00749   444   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc059
 00750   444   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc05b
 00751   444   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc05d
 00752   444   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc05f
 00753   444   NtUserRegisterWindowMessage  ( ("WOWLFChange", ... ) , ... ) == 0xc06b
 00754   444   NtUserRegisterWindowMessage  ( ("WOWDirChange", ... ) , ... ) == 0xc06c
 00755   444   NtUserRegisterWindowMessage  ( ("WOWCHOOSEFONT_GETLOGFONT", ... ) , ... ) == 0xc06d
 00756   444   NtUserRegisterWindowMessage  ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06e
 00757   444   NtUserRegisterWindowMessage  ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc06f
 00758   444   NtUserRegisterWindowMessage  ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc070
 00759   444   NtUserRegisterWindowMessage  ( ("commdlg_ColorOK", ... ) , ... ) == 0xc071
 00760   444   NtUserRegisterWindowMessage  ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc072
 00761   444   NtUserRegisterWindowMessage  ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06e
 00762   444   NtUserRegisterWindowMessage  ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc06f
 00763   444   NtUserRegisterWindowMessage  ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc070
 00764   444   NtUserRegisterWindowMessage  ( ("commdlg_ColorOK", ... ) , ... ) == 0xc071
 00765   444   NtUserRegisterWindowMessage  ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc072
 00766   444   NtUserRegisterWindowMessage  ( ("Shell IDList Array", ... ) , ... ) == 0xc073
 00767   444   NtUserRegisterWindowMessage  ( ("commdlg_help", ... ) , ... ) == 0xc074
 00768   444   NtUserRegisterWindowMessage  ( ("commdlg_help", ... ) , ... ) == 0xc074
 00769   444   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\MDAC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00770   444   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00771   444   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00772   444   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00773   444   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 9699328, 262144, ) == 0x0
 00774   444   NtAllocateVirtualMemory  (-1, 9699328, 0, 4096, 4096, 4, ... 9699328, 4096, ) == 0x0
 00775   444   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00776   444   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 9961472, 262144, ) == 0x0
 00777   444   NtAllocateVirtualMemory  (-1, 9961472, 0, 4096, 4096, 4, ... 9961472, 4096, ) == 0x0
 00778   444   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00779   444   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 10223616, 262144, ) == 0x0
 00780   444   NtAllocateVirtualMemory  (-1, 10223616, 0, 4096, 4096, 4, ... 10223616, 4096, ) == 0x0
 00781   444   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00782   444   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 10485760, 262144, ) == 0x0
 00783   444   NtAllocateVirtualMemory  (-1, 10485760, 0, 4096, 4096, 4, ... 10485760, 4096, ) == 0x0
 00784   444   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00785   444   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00786   444   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00787   444   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00788   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 1237456, ... ) }, 1237456, ... ) == 0x0
 00789   444   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 5, 96, ... 92, {status=0x0, info=1}, ) }, 5, 96, ... 92, {status=0x0, info=1}, ) == 0x0
 00790   444   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 92, ... 80, ) == 0x0
 00791   444   NtClose  (92, ... ) == 0x0
 00792   444   NtMapViewOfSection  (80, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa40000), 0x0, 90112, ) == 0x0
 00793   444   NtClose  (80, ... ) == 0x0
 00794   444   NtUnmapViewOfSection  (-1, 0xa40000, ... ) == 0x0
 00795   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 1237772, ... ) }, 1237772, ... ) == 0x0
 00796   444   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 5, 96, ... 80, {status=0x0, info=1}, ) }, 5, 96, ... 80, {status=0x0, info=1}, ) == 0x0
 00797   444   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 80, ... 92, ) == 0x0
 00798   444   NtQuerySection  (92, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00799   444   NtClose  (80, ... ) == 0x0
 00800   444   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x1f850000), 0x0, 90112, ) == 0x0
 00801   444   NtClose  (92, ... ) == 0x0
 00802   444   NtQueryDefaultLocale  (1, 1239460, ... ) == 0x0
 00803   444   NtAllocateVirtualMemory  (-1, 9703424, 0, 4096, 4096, 4, ... 9703424, 4096, ) == 0x0
 00804   444   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE"}, ... 92, ) }, ... 92, ) == 0x0
 00805   444   NtClose  (92, ... ) == 0x0
 00806   444   NtOpenKey  (0x20019, {24, 84, 0x40, 0, 0,  (0x20019, {24, 84, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00807   444   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00808   444   NtOpenKey  (0x20019, {24, 84, 0x40, 0, 0,  (0x20019, {24, 84, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00809   444   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00810   444   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WININET.dll"}, ... 92, ) }, ... 92, ) == 0x0
 00811   444   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76200000), 0x0, 618496, ) == 0x0
 00812   444   NtClose  (92, ... ) == 0x0
 00813   444   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "CRYPT32.dll"}, ... 92, ) }, ... 92, ) == 0x0
 00814   444   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762c0000), 0x0, 565248, ) == 0x0
 00815   444   NtClose  (92, ... ) == 0x0
 00816   444   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSASN1.dll"}, ... 92, ) }, ... 92, ) == 0x0
 00817   444   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762a0000), 0x0, 61440, ) == 0x0
 00818   444   NtClose  (92, ... ) == 0x0
 00819   444   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLEAUT32.dll"}, ... 92, ) }, ... 92, ) == 0x0
 00820   444   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0
 00821   444   NtClose  (92, ... ) == 0x0
 00822   444   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLE32.DLL"}, ... 92, ) }, ... 92, ) == 0x0
 00823   444   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0
 00824   444   NtClose  (92, ... ) == 0x0
 00825   444   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\crypt32\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00826   444   NtAllocateVirtualMemory  (-1, 1400832, 0, 4096, 4096, 4, ... 1400832, 4096, ) == 0x0
 00827   444   NtAllocateVirtualMemory  (-1, 1404928, 0, 4096, 4096, 4, ... 1404928, 4096, ) == 0x0
 00828   444   NtAllocateVirtualMemory  (-1, 1409024, 0, 4096, 4096, 4, ... 1409024, 4096, ) == 0x0
 00829   444   NtCreateEvent  (0x1f0003, {24, 52, 0x80, 1241616, 0,  (0x1f0003, {24, 52, 0x80, 1241616, 0, "Global\crypt32LogoffEvent"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED
 00830   444   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\crypt32LogoffEvent"}, ... 92, ) }, ... 92, ) == 0x0
 00831   444   NtAllocateVirtualMemory  (-1, 1413120, 0, 4096, 4096, 4, ... 1413120, 4096, ) == 0x0
 00832   444   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00833   444   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00834   444   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 80, ) }, ... 80, ) == 0x0
 00835   444   NtQueryValueKey  (80,  (80, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0
 00836   444   NtClose  (80, ... ) == 0x0
 00837   444   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00838   444   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00839   444   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00840   444   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00841   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 80, ) }, ... 80, ) == 0x0
 00842   444   NtQueryValueKey  (80,  (80, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00843   444   NtQueryValueKey  (80,  (80, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00844   444   NtQueryValueKey  (80,  (80, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00845   444   NtClose  (80, ... ) == 0x0
 00846   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 80, ) }, ... 80, ) == 0x0
 00847   444   NtQueryValueKey  (80,  (80, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00848   444   NtQueryValueKey  (80,  (80, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00849   444   NtClose  (80, ... ) == 0x0
 00850   444   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00851   444   NtUserRegisterWindowMessage  ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b
 00852   444   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00853   444   NtOpenKey  (0x9, {24, 28, 0x40, 0, 0,  (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00854   444   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00855   444   NtAllocateVirtualMemory  (-1, 1417216, 0, 8192, 4096, 4, ... 1417216, 8192, ) == 0x0
 00856   444   NtCreateKey  (0xf003f, {24, 84, 0x40, 0, 0,  (0xf003f, {24, 84, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History"}, 0, 0x0, 0, ... 80, 2, ) }, 0, 0x0, 0, ... 80, 2, ) == 0x0
 00857   444   NtQueryDefaultUILanguage  (1239852, ...
 00858   444   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00859   444   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 00860   444   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00861   444   NtClose  (-2147482020, ... ) == 0x0
 00862   444   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00863   444   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00864   444   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00865   444   NtQueryValueKey  (-2147482032,  (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00866   444   NtClose  (-2147482032, ... ) == 0x0
 00867   444   NtClose  (-2147482020, ... ) == 0x0
 00857   444   NtQueryDefaultUILanguage  ... ) == 0x0
 00868   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00869   444   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll"}, 1, 96, ... 96, {status=0x0, info=1}, ) }, 1, 96, ... 96, {status=0x0, info=1}, ) == 0x0
 00870   444   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 96, ... 100, ) == 0x0
 00871   444   NtMapViewOfSection  (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xa40000), 0x0, 593920, ) == 0x0
 00872   444   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00873   444   NtQueryDefaultLocale  (1, 1237888, ... ) == 0x0
 00874   444   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00875   444   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1238744, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1238744, 1, 96, 0} "\210\6\32\1\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1`\0\0\0\377\377\377\377\0\0\0\0P\275\253\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\330\355\22\0\0\0\0\0" ... {128, 156, reply, 0, 436, 444, 1557, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1`\0\0\0\377\377\377\377\0\0\0\0P\275\253\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\330\355\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 436, 444, 1557, 0}  (24, {128, 156, new_msg, 0, 1238744, 1, 96, 0} "\210\6\32\1\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1`\0\0\0\377\377\377\377\0\0\0\0P\275\253\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\330\355\22\0\0\0\0\0" ... {128, 156, reply, 0, 436, 444, 1557, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1`\0\0\0\377\377\377\377\0\0\0\0P\275\253\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\330\355\22\0\0\0\0\0" )  ) == 0x0
 00876   444   NtClose  (96, ... ) == 0x0
 00877   444   NtClose  (100, ... ) == 0x0
 00878   444   NtUnmapViewOfSection  (-1, 0xa40000, ... ) == 0x0
 00879   444   NtUnmapViewOfSection  (-1, 0x12edd8, ... ) == STATUS_NOT_MAPPED_VIEW
 00880   444   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00881   444   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00882   444   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00883   444   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00884   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1236428, ... ) }, 1236428, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00885   444   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00886   444   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00887   444   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00888   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1237020, ... ) }, 1237020, ... ) == 0x0
 00889   444   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 100, {status=0x0, info=1}, ) }, 3, 33, ... 100, {status=0x0, info=1}, ) == 0x0
 00890   444   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00891   444   NtCreateKey  (0x2001f, {24, 84, 0x40, 0, 0,  (0x2001f, {24, 84, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 96, 2, ) }, 0, 0x0, 0, ... 96, 2, ) == 0x0
 00892   444   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00893   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1241484, ... ) }, 1241484, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00894   444   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2_32.dll"}, 1241484, ... ) }, 1241484, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00895   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 1241484, ... ) }, 1241484, ... ) == 0x0
 00896   444   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0
 00897   444   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 104, ... 108, ) == 0x0
 00898   444   NtQuerySection  (108, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00899   444   NtClose  (104, ... ) == 0x0
 00900   444   NtMapViewOfSection  (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 86016, ) == 0x0
 00901   444   NtClose  (108, ... ) == 0x0
 00902   444   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00903   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1240680, ... ) }, 1240680, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00904   444   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2HELP.dll"}, 1240680, ... ) }, 1240680, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00905   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 1240680, ... ) }, 1240680, ... ) == 0x0
 00906   444   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 5, 96, ... 108, {status=0x0, info=1}, ) }, 5, 96, ... 108, {status=0x0, info=1}, ) == 0x0
 00907   444   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 108, ... 104, ) == 0x0
 00908   444   NtQuerySection  (104, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00909   444   NtClose  (108, ... ) == 0x0
 00910   444   NtMapViewOfSection  (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00911   444   NtClose  (104, ... ) == 0x0
 00912   444   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00913   444   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00914   444   NtTestAlert  (... ) == 0x0
 00915   444   NtContinue  (1244464, 1, ...
 00916   444   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x4b9000,}, 4, ... ) == 0x0
 00917   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp"}, 1243656, ... ) }, 1243656, ... ) == 0x0
 00918   444   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 1376256, 1422392, 0, 1243996}  (24, {20, 48, new_msg, 0, 1376256, 1422392, 0, 1243996} "\0\0\0\0\2\0\1\0\23\0\0\0\10\6\25\0\215\26\365w" ... {20, 48, reply, 0, 436, 444, 1558, 0} "\0\0\0\0\2\0\1\0\1\0\0\0\10\6\25\0\1\0\0\0" )  ... {20, 48, reply, 0, 436, 444, 1558, 0}  (24, {20, 48, new_msg, 0, 1376256, 1422392, 0, 1243996} "\0\0\0\0\2\0\1\0\23\0\0\0\10\6\25\0\215\26\365w" ... {20, 48, reply, 0, 436, 444, 1558, 0} "\0\0\0\0\2\0\1\0\1\0\0\0\10\6\25\0\1\0\0\0" )  ) == 0x0
 00919   444   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1243664,  (0x80100080, {24, 0, 0x40, 0, 1243664, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~1.tmp"}, 0x0, 128, 0, 2, 96, 0, 0, ... }, 0x0, 128, 0, 2, 96, 0, 0, ...
 00920   444   NtQueryDirectoryFile  (-2147482020, 0, 0, 0, -519798784, 4096, Names, 1,  (-2147482020, 0, 0, 0, -519798784, 4096, Names, 1, "~1.tmp", 1, ... {status=0x0, info=24}, ) , 1, ... {status=0x0, info=24}, ) == 0x0
 00921   444   NtClose  (-2147482020, ... ) == 0x0
 00919   444   NtCreateFile  ... 104, {status=0x0, info=2}, ) == 0x0
 00922   444   NtClose  (104, ... ) == 0x0
 00923   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~1.tmp.exe"}, 1242912, ... ) }, 1242912, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00924   444   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1243644,  (0xc0100080, {24, 0, 0x40, 0, 1243644, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~1.tmp.exe"}, 0x0, 0, 3, 5, 96, 0, 0, ... }, 0x0, 0, 3, 5, 96, 0, 0, ...
 00925   444   NtClose  (-2147482020, ... ) == 0x0
 00926   444   NtQueryDirectoryFile  (-2147482020, 0, 0, 0, -519798784, 4096, Names, 1,  (-2147482020, 0, 0, 0, -519798784, 4096, Names, 1, "~1.tmp.exe", 1, ... ) , 1, ... ) == STATUS_NO_SUCH_FILE
 00927   444   NtClose  (-2147482020, ... ) == 0x0
 00924   444   NtCreateFile  ... 104, {status=0x0, info=2}, ) == 0x0
 00928   444   NtQueryVolumeInformationFile  (104, 1243804, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00929   444   NtQueryInformationFile  (104, 1243696, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00930   444   NtWriteFile  (104, 0, 0, 0,  (104, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\201\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\310\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\7\361\203\330C\220\355\213C\220\355\213C\220\355\213\300\230\260\213@\220\355\213C\220\354\213B\220\355\213C\220\355\213B\220\355\213F\234\267\213B\220\355\213RichC\220\355\213\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0\206\23\36C\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\12\0\0\0\0\0\246\0\0\0L\0\0\0\24\1\0\0\20\0\0\0\20\0\0\0\0\200\11\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\360\1\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\10`\0\0(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\0\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.bss\0\0\0\0\34J\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0\300.rdata\0\0T\0\0\0", 58880, 0x0, 0, ... {status=0x0, info=58880}, ) , 58880, 0x0, 0, ... {status=0x0, info=58880}, ) == 0x0
 00931   444   NtClose  (104, ... ) == 0x0
 00932   444   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 00933   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~1.tmp.exe"}, 1240368, ... ) }, 1240368, ... ) == 0x0
 00934   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~1.tmp.exe"}, 1241060, ... ) }, 1241060, ... ) == 0x0
 00935   444   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~1.tmp.exe"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0
 00936   444   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 104, ... 108, ) == 0x0
 00937   444   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00938   444   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 112, ) }, ... 112, ) == 0x0
 00939   444   NtQueryValueKey  (112,  (112, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00940   444   NtClose  (112, ... ) == 0x0
 00941   444   NtQueryVolumeInformationFile  (104, 1240368, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00942   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1238352, ... ) }, 1238352, ... ) == 0x0
 00943   444   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 112, {status=0x0, info=1}, ) }, 5, 96, ... 112, {status=0x0, info=1}, ) == 0x0
 00944   444   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 112, ... 116, ) == 0x0
 00945   444   NtClose  (112, ... ) == 0x0
 00946   444   NtMapViewOfSection  (116, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa40000), 0x0, 106496, ) == 0x0
 00947   444   NtClose  (116, ... ) == 0x0
 00948   444   NtUnmapViewOfSection  (-1, 0xa40000, ... ) == 0x0
 00949   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1238668, ... ) }, 1238668, ... ) == 0x0
 00950   444   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 116, {status=0x0, info=1}, ) }, 5, 96, ... 116, {status=0x0, info=1}, ) == 0x0
 00951   444   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 116, ... 112, ) == 0x0
 00952   444   NtQuerySection  (112, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00953   444   NtClose  (116, ... ) == 0x0
 00954   444   NtMapViewOfSection  (112, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f40000), 0x0, 118784, ) == 0x0
 00955   444   NtClose  (112, ... ) == 0x0
 00956   444   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 112, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 112, {status=0x0, info=1}, ) == 0x0
 00957   444   NtQueryInformationFile  (112, 1238956, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00958   444   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 112, ... 116, ) == 0x0
 00959   444   NtMapViewOfSection  (116, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xa40000), 0x0, 1028096, ) == 0x0
 00960   444   NtQueryInformationFile  (112, 1239052, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00961   444   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00962   444   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00963   444   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 00964   444   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\"}, 3, 16417, ... 120, {status=0x0, info=1}, ) }, 3, 16417, ... 120, {status=0x0, info=1}, ) == 0x0
 00965   444   NtQueryDirectoryFile  (120, 0, 0, 0, 1236616, 616, BothDirectory, 1,  (120, 0, 0, 0, 1236616, 616, BothDirectory, 1, "~1.tmp.exe", 0, ... {status=0x0, info=114}, ) , 0, ... {status=0x0, info=114}, ) == 0x0
 00966   444   NtClose  (120, ... ) == 0x0
 00967   444   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00968   444   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00969   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~1.tmp.exe"}, 1236004, ... ) }, 1236004, ... ) == 0x0
 00970   444   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 120, {status=0x0, info=1}, ) }, 3, 16417, ... 120, {status=0x0, info=1}, ) == 0x0
 00971   444   NtQueryDirectoryFile  (120, 0, 0, 0, 1235364, 616, BothDirectory, 1,  (120, 0, 0, 0, 1235364, 616, BothDirectory, 1, "DOCUME~1", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0
 00972   444   NtClose  (120, ... ) == 0x0
 00973   444   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\"}, 3, 16417, ... 120, {status=0x0, info=1}, ) }, 3, 16417, ... 120, {status=0x0, info=1}, ) == 0x0
 00974   444   NtQueryDirectoryFile  (120, 0, 0, 0, 1235364, 616, BothDirectory, 1,  (120, 0, 0, 0, 1235364, 616, BothDirectory, 1, "SRI-user", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 00975   444   NtClose  (120, ... ) == 0x0
 00976   444   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\"}, 3, 16417, ... 120, {status=0x0, info=1}, ) }, 3, 16417, ... 120, {status=0x0, info=1}, ) == 0x0
 00977   444   NtQueryDirectoryFile  (120, 0, 0, 0, 1235364, 616, BothDirectory, 1,  (120, 0, 0, 0, 1235364, 616, BothDirectory, 1, "LOCALS~1", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0
 00978   444   NtClose  (120, ... ) == 0x0
 00979   444   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\"}, 3, 16417, ... 120, {status=0x0, info=1}, ) }, 3, 16417, ... 120, {status=0x0, info=1}, ) == 0x0
 00980   444   NtQueryDirectoryFile  (120, 0, 0, 0, 1235364, 616, BothDirectory, 1,  (120, 0, 0, 0, 1235364, 616, BothDirectory, 1, "Temp", 0, ... {status=0x0, info=102}, ) , 0, ... {status=0x0, info=102}, ) == 0x0
 00981   444   NtClose  (120, ... ) == 0x0
 00982   444   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00983   444   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00984   444   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 00985   444   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00986   444   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 120, ) == 0x0
 00987   444   NtQueryInformationToken  (120, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00988   444   NtClose  (120, ... ) == 0x0
 00989   444   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00990   444   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\~1.tmp.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00991   444   NtUnmapViewOfSection  (-1, 0xa40000, ... ) == 0x0
 00992   444   NtClose  (116, ... ) == 0x0
 00993   444   NtClose  (112, ... ) == 0x0
 00994   444   NtQuerySection  (108, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00995   444   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\~1.tmp.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00996   444   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 00997   444   NtOpenProcessToken  (-1, 0xa, ... 112, ) == 0x0
 00998   444   NtQueryInformationToken  (112, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00999   444   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01000   444   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 116, ) }, ... 116, ) == 0x0
 01001   444   NtQueryValueKey  (116,  (116, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (116, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01002   444   NtQueryValueKey  (116,  (116, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (116, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01003   444   NtClose  (116, ... ) == 0x0
 01004   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 116, ) }, ... 116, ) == 0x0
 01005   444   NtQueryValueKey  (116,  (116, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 01006   444   NtAllocateVirtualMemory  (-1, 1425408, 0, 4096, 4096, 4, ... 1425408, 4096, ) == 0x0
 01007   444   NtQueryValueKey  (116,  (116, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (116, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0
 01008   444   NtClose  (116, ... ) == 0x0
 01009   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\LevelObjects"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01010   444   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 116, ) }, ... 116, ) == 0x0
 01011   444   NtQueryValueKey  (116,  (116, "Levels", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01012   444   NtClose  (116, ... ) == 0x0
 01013   444   NtQueryDefaultLocale  (1, 1239740, ... ) == 0x0
 01014   444   NtQueryDefaultLocale  (1, 1239740, ... ) == 0x0
 01015   444   NtQueryDefaultLocale  (1, 1239740, ... ) == 0x0
 01016   444   NtQueryDefaultLocale  (1, 1239740, ... ) == 0x0
 01017   444   NtQueryDefaultLocale  (1, 1239740, ... ) == 0x0
 01018   444   NtQueryDefaultLocale  (1, 1239740, ... ) == 0x0
 01019   444   NtQueryDefaultLocale  (1, 1239740, ... ) == 0x0
 01020   444   NtQueryDefaultLocale  (1, 1239740, ... ) == 0x0
 01021   444   NtQueryDefaultLocale  (1, 1239740, ... ) == 0x0
 01022   444   NtQueryDefaultLocale  (1, 1239740, ... ) == 0x0
 01023   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... 116, ) }, ... 116, ) == 0x0
 01024   444   NtEnumerateKey  (116, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name= (116, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name="{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, 92, ) }, 92, ) == 0x0
 01025   444   NtOpenKey  (0x20019, {24, 116, 0x40, 0, 0,  (0x20019, {24, 116, 0x40, 0, 0, "{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, ... 120, ) }, ... 120, ) == 0x0
 01026   444   NtQueryValueKey  (120,  (120, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) , Partial, 280, ... TitleIdx=0, Type=2, Data= (120, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) }, 202, ) == 0x0
 01027   444   NtQueryValueKey  (120,  (120, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (120, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01028   444   NtClose  (120, ... ) == 0x0
 01029   444   NtEnumerateKey  (116, 1, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES
 01030   444   NtClose  (116, ... ) == 0x0
 01031   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01032   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01033   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01034   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01035   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01036   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01037   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01038   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01039   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01040   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01041   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01042   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01043   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01044   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01045   444   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01046   444   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 116, ) == 0x0
 01047   444   NtQueryInformationToken  (116, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01048   444   NtClose  (116, ... ) == 0x0
 01049   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01050   444   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01051   444   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 116, ) == 0x0
 01052   444   NtQueryInformationToken  (116, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01053   444   NtClose  (116, ... ) == 0x0
 01054   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01055   444   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01056   444   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 116, ) == 0x0
 01057   444   NtQueryInformationToken  (116, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01058   444   NtClose  (116, ... ) == 0x0
 01059   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01060   444   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01061   444   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 116, ) == 0x0
 01062   444   NtQueryInformationToken  (116, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01063   444   NtClose  (116, ... ) == 0x0
 01064   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01065   444   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01066   444   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 116, ) == 0x0
 01067   444   NtQueryInformationToken  (116, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01068   444   NtClose  (116, ... ) == 0x0
 01069   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01070   444   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01071   444   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 116, ) == 0x0
 01072   444   NtQueryInformationToken  (116, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01073   444   NtClose  (116, ... ) == 0x0
 01074   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01075   444   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01076   444   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 116, ) == 0x0
 01077   444   NtQueryInformationToken  (116, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01078   444   NtClose  (116, ... ) == 0x0
 01079   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01080   444   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01081   444   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 116, ) == 0x0
 01082   444   NtQueryInformationToken  (116, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01083   444   NtClose  (116, ... ) == 0x0
 01084   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01085   444   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01086   444   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 116, ) == 0x0
 01087   444   NtQueryInformationToken  (116, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01088   444   NtClose  (116, ... ) == 0x0
 01089   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01090   444   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01091   444   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 116, ) == 0x0
 01092   444   NtQueryInformationToken  (116, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01093   444   NtClose  (116, ... ) == 0x0
 01094   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01095   444   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01096   444   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 116, ) == 0x0
 01097   444   NtQueryInformationToken  (116, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01098   444   NtClose  (116, ... ) == 0x0
 01099   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01100   444   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01101   444   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 116, ) == 0x0
 01102   444   NtQueryInformationToken  (116, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01103   444   NtClose  (116, ... ) == 0x0
 01104   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01105   444   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01106   444   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 116, ) == 0x0
 01107   444   NtQueryInformationToken  (116, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01108   444   NtClose  (116, ... ) == 0x0
 01109   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01110   444   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01111   444   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 116, ) == 0x0
 01112   444   NtQueryInformationToken  (116, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01113   444   NtClose  (116, ... ) == 0x0
 01114   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01115   444   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01116   444   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 116, ) == 0x0
 01117   444   NtQueryInformationToken  (116, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01118   444   NtClose  (116, ... ) == 0x0
 01119   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01120   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 116, ) }, ... 116, ) == 0x0
 01121   444   NtQueryValueKey  (116,  (116, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (116, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Data= (116, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) }, 48, ) == 0x0
 01122   444   NtClose  (116, ... ) == 0x0
 01123   444   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01124   444   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 116, ) == 0x0
 01125   444   NtQueryInformationToken  (116, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01126   444   NtClose  (116, ... ) == 0x0
 01127   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01128   444   NtOpenThreadToken  (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN
 01129   444   NtOpenProcessToken  (-1, 0xa, ... 116, ) == 0x0
 01130   444   NtDuplicateToken  (116, 0xc, {24, 0, 0x0, 0, 1240260, 0x0}, 0, 2, ... 120, ) == 0x0
 01131   444   NtClose  (116, ... ) == 0x0
 01132   444   NtAccessCheck  (1428392, 120, 0x1, 1240388, 1240332, 56, 1240416, ... (0x1), ) == 0x0
 01133   444   NtClose  (120, ... ) == 0x0
 01134   444   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 120, ) }, ... 120, ) == 0x0
 01135   444   NtQueryValueKey  (120,  (120, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (120, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01136   444   NtClose  (120, ... ) == 0x0
 01137   444   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 120, ) }, ... 120, ) == 0x0
 01138   444   NtQuerySymbolicLinkObject  (120, ...  (120, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0
 01139   444   NtClose  (120, ... ) == 0x0
 01140   444   NtQueryInformationFile  (104, 1238720, 528, Name, ... {status=0x0, info=130}, ) == 0x0
 01141   444   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01142   444   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01143   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temp\~1.tmp.exe"}, 1237400, ... ) }, 1237400, ... ) == 0x0
 01144   444   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\"}, 3, 16417, ... 120, {status=0x0, info=1}, ) }, 3, 16417, ... 120, {status=0x0, info=1}, ) == 0x0
 01145   444   NtQueryDirectoryFile  (120, 0, 0, 0, 1236760, 616, BothDirectory, 1,  (120, 0, 0, 0, 1236760, 616, BothDirectory, 1, "SRI-user", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01146   444   NtClose  (120, ... ) == 0x0
 01147   444   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\"}, 3, 16417, ... 120, {status=0x0, info=1}, ) }, 3, 16417, ... 120, {status=0x0, info=1}, ) == 0x0
 01148   444   NtQueryDirectoryFile  (120, 0, 0, 0, 1236760, 616, BothDirectory, 1,  (120, 0, 0, 0, 1236760, 616, BothDirectory, 1, "Temp", 0, ... {status=0x0, info=102}, ) , 0, ... {status=0x0, info=102}, ) == 0x0
 01149   444   NtClose  (120, ... ) == 0x0
 01150   444   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01151   444   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01152   444   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01153   444   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 120, ) == 0x0
 01154   444   NtQueryInformationToken  (120, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01155   444   NtClose  (120, ... ) == 0x0
 01156   444   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 120, ) }, ... 120, ) == 0x0
 01157   444   NtOpenKey  (0x20019, {24, 120, 0x40, 0, 0,  (0x20019, {24, 120, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 116, ) }, ... 116, ) == 0x0
 01158   444   NtClose  (120, ... ) == 0x0
 01159   444   NtQueryValueKey  (116,  (116, "Cache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01160   444   NtQueryValueKey  (116,  (116, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=1, Data= (116, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) }, 162, ) == 0x0
 01161   444   NtClose  (116, ... ) == 0x0
 01162   444   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 8192, 4, ... 10747904, 4096, ) == 0x0
 01163   444   NtAllocateVirtualMemory  (-1, 10747904, 0, 4096, 4096, 4, ... 10747904, 4096, ) == 0x0
 01164   444   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 116, ) }, ... 116, ) == 0x0
 01165   444   NtQueryValueKey  (116,  (116, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01166   444   NtClose  (116, ... ) == 0x0
 01167   444   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01168   444   NtQueryInformationToken  (112, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0
 01169   444   NtQueryInformationToken  (112, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0
 01170   444   NtClose  (112, ... ) == 0x0
 01171   444   NtCreateProcessEx  (1242996, 2035711, 0, -1, 0, 108, 0, 0, 0, ... ) == 0x0
 01172   444   NtQueryInformationProcess  (112, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=716,ParentPid=436,}, 0x0, ) == 0x0
 01173   444   NtReadVirtualMemory  (112, 0x7ffdf008, 4, ...  (112, 0x7ffdf008, 4, ... "\0\0\200\11", 0x0, ) , 0x0, ) == 0x0
 01174   444   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~1.tmp.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01175   444   NtAllocateVirtualMemory  (-1, 1429504, 0, 8192, 4096, 4, ... 1429504, 8192, ) == 0x0
 01176   444   NtReadVirtualMemory  (112, 0x9800000, 4096, ...  (112, 0x9800000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\201\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\310\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\7\361\203\330C\220\355\213C\220\355\213C\220\355\213\300\230\260\213@\220\355\213C\220\354\213B\220\355\213C\220\355\213B\220\355\213F\234\267\213B\220\355\213RichC\220\355\213\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0\206\23\36C\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\12\0\0\0\0\0\246\0\0\0L\0\0\0\24\1\0\0\20\0\0\0\20\0\0\0\0\200\11\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\360\1\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\10`\0\0(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\0\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.bss\0\0\0\0\34J\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0\300.rdata\0\0T\0\0\0", 4096, ) , 4096, ) == 0x0
 01177   444   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01178   444   NtQueryInformationProcess  (112, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=716,ParentPid=436,}, 0x0, ) == 0x0
 01179   444   NtAllocateVirtualMemory  (-1, 0, 0, 1772, 4096, 4, ... 10813440, 4096, ) == 0x0
 01180   444   NtAllocateVirtualMemory  (112, 0, 0, 1910, 4096, 4, ... 65536, 4096, ) == 0x0
 01181   444   NtWriteVirtualMemory  (112, 0x10000,  (112, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0
 01182   444   NtAllocateVirtualMemory  (112, 0, 0, 1772, 4096, 4, ... 131072, 4096, ) == 0x0
 01183   444   NtWriteVirtualMemory  (112, 0x20000,  (112, 0x20000, "\0\20\0\0\354\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\0\0\0\0\0\13\0\0\0$\0\10\2\220\2\0\0\0\0\0\0\32\1\34\1\230\4\0\0Z\0\\0\264\5\0\0Z\0\\0\20\6\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0Z\0\\0l\6\0\0\36\0 \0\310\6\0\0\0\0\2\0\350\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1772, ... 0x0, ) , 1772, ... 0x0, ) == 0x0
 01184   444   NtWriteVirtualMemory  (112, 0x7ffdf010,  (112, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 01185   444   NtWriteVirtualMemory  (112, 0x7ffdf1e8,  (112, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 01186   444   NtFreeVirtualMemory  (-1, (0xa50000), 0, 32768, ... (0xa50000), 4096, ) == 0x0
 01187   444   NtAllocateVirtualMemory  (112, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0
 01188   444   NtAllocateVirtualMemory  (112, 1236992, 0, 8192, 4096, 4, ... 1236992, 8192, ) == 0x0
 01189   444   NtProtectVirtualMemory  (112, (0x12e000), 4096, 260, ... (0x12e000), 4096, 4, ) == 0x0
 01190   444   NtCreateThread  (0x1f03ff, 0x0, 112, 1241260, 1241980, 1, ... 116, {716, 836}, ) == 0x0
 01191   444   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 1378552, 1376256, 1422400, 1243080}  (24, {168, 196, new_msg, 0, 1378552, 1376256, 1422400, 1243080} "\0\0\0\0\0\0\1\0\2$\370w U\367ws\0\0\0t\0\0\0\314\2\0\0D\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 436, 444, 1559, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367wp\0\0\0t\0\0\0\314\2\0\0D\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {168, 196, reply, 0, 436, 444, 1559, 0}  (24, {168, 196, new_msg, 0, 1378552, 1376256, 1422400, 1243080} "\0\0\0\0\0\0\1\0\2$\370w U\367ws\0\0\0t\0\0\0\314\2\0\0D\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 436, 444, 1559, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367wp\0\0\0t\0\0\0\314\2\0\0D\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 01192   444   NtResumeThread  (116, ... 1, ) == 0x0
 01193   444   NtClose  (104, ... ) == 0x0
 01194   444   NtClose  (108, ... ) == 0x0
 01195   444   NtQueryInformationProcess  (112, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=716,ParentPid=436,}, 0x0, ) == 0x0
 01196   444   NtUserWaitForInputIdle  (716, 30000, 0, ...
 01197   444   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 108, ) == 0x0
 01198   444   NtClose  (108, ... ) == 0x0
 01196   444   NtUserWaitForInputIdle  ... ) == 0x102
 01199   444   NtClose  (112, ... ) == 0x0
 01200   444   NtClose  (116, ... ) == 0x0
 01201   444   NtCreateEvent  (0x1f0003, {24, 52, 0x80, 1245092, 0,  (0x1f0003, {24, 52, 0x80, 1245092, 0, "VT_3"}, 1, 0, ... 116, ) }, 1, 0, ... 116, ) == STATUS_OBJECT_NAME_EXISTS
 01202   444   NtClose  (116, ... ) == 0x0
 01203   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp"}, 1243656, ... ) }, 1243656, ... ) == 0x0
 01204   444   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 1376256, 1429432, 0, 1243996}  (24, {20, 48, new_msg, 0, 1376256, 1429432, 0, 1243996} "\0\0\0\0\2\0\1\0\203 \365w\10\6\25\0\215\26\365w" ... {20, 48, reply, 0, 436, 444, 2243, 0} "\0\0\0\0\2\0\1\0\3\0\0\0\10\6\25\0\3\0\0\0" )  ... {20, 48, reply, 0, 436, 444, 2243, 0}  (24, {20, 48, new_msg, 0, 1376256, 1429432, 0, 1243996} "\0\0\0\0\2\0\1\0\203 \365w\10\6\25\0\215\26\365w" ... {20, 48, reply, 0, 436, 444, 2243, 0} "\0\0\0\0\2\0\1\0\3\0\0\0\10\6\25\0\3\0\0\0" )  ) == 0x0
 01205   444   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1243664,  (0x80100080, {24, 0, 0x40, 0, 1243664, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~3.tmp"}, 0x0, 128, 0, 2, 96, 0, 0, ... }, 0x0, 128, 0, 2, 96, 0, 0, ...
 01206   444   NtQueryDirectoryFile  (-2147482028, 0, 0, 0, -519880704, 4096, Names, 1,  (-2147482028, 0, 0, 0, -519880704, 4096, Names, 1, "~3.tmp", 1, ... {status=0x0, info=24}, ) , 1, ... {status=0x0, info=24}, ) == 0x0
 01207   444   NtClose  (-2147482028, ... ) == 0x0
 01205   444   NtCreateFile  ... 116, {status=0x0, info=2}, ) == 0x0
 01208   444   NtClose  (116, ... ) == 0x0
 01209   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~3.tmp.exe"}, 1242912, ... ) }, 1242912, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01210   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-USER\LOCALS~1\TEMP\~3.TMP.EXE"}, 1243400, ... ) }, 1243400, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01211   444   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1243644,  (0xc0100080, {24, 0, 0x40, 0, 1243644, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~3.tmp.exe"}, 0x0, 0, 3, 5, 96, 0, 0, ... }, 0x0, 0, 3, 5, 96, 0, 0, ...
 01212   444   NtClose  (-2147482028, ... ) == 0x0
 01213   444   NtQueryDirectoryFile  (-2147482028, 0, 0, 0, -519880704, 4096, Names, 1,  (-2147482028, 0, 0, 0, -519880704, 4096, Names, 1, "~3.tmp.exe", 1, ... ) , 1, ... ) == STATUS_NO_SUCH_FILE
 01214   444   NtClose  (-2147482028, ... ) == 0x0
 01211   444   NtCreateFile  ... 116, {status=0x0, info=2}, ) == 0x0
 01215   444   NtQueryVolumeInformationFile  (116, 1243804, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01216   444   NtQueryInformationFile  (116, 1243696, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01217   444   NtWriteFile  (116, 0, 0, 0,  (116, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\201\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\310\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\7\361\203\330C\220\355\213C\220\355\213C\220\355\213\300\230\260\213@\220\355\213C\220\354\213B\220\355\213C\220\355\213B\220\355\213F\234\267\213B\220\355\213RichC\220\355\213\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0\206\23\36C\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\12\0\0\0\0\0\246\0\0\0L\0\0\0\24\1\0\0\20\0\0\0\20\0\0\0\0\200\11\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\360\1\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\10`\0\0(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\0\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.bss\0\0\0\0\34J\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0\300.rdata\0\0T\0\0\0", 58880, 0x0, 0, ... {status=0x0, info=58880}, ) , 58880, 0x0, 0, ... {status=0x0, info=58880}, ) == 0x0
 01218   444   NtClose  (116, ... ) == 0x0
 01219   444   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 01220   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~3.tmp.exe"}, 1240368, ... ) }, 1240368, ... ) == 0x0
 01221   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~3.tmp.exe"}, 1241060, ... ) }, 1241060, ... ) == 0x0
 01222   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-USER\LOCALS~1\TEMP\~3.TMP.EXE"}, 1240980, ... ) }, 1240980, ... ) == 0x0
 01223   444   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-USER\LOCALS~1\TEMP\~3.TMP.EXE"}, 7, 2113568, ... 116, {status=0x0, info=1}, ) }, 7, 2113568, ... 116, {status=0x0, info=1}, ) == 0x0
 01224   444   NtSetInformationFile  (116, 1240956, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01225   444   NtClose  (116, ... ) == 0x0
 01226   444   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1240960,  (0xc0100080, {24, 0, 0x40, 0, 1240960, "\??\C:\DOCUME~1\SRI-USER\LOCALS~1\TEMP\~3.TMP.EXE"}, 0x0, 0, 1, 1, 96, 0, 0, ... 116, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 96, 0, 0, ... 116, {status=0x0, info=1}, ) == 0x0
 01227   444   NtQueryInformationFile  (116, 1241012, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01228   444   NtQueryInformationFile  (116, 1241012, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01229   444   NtCreateSection  (0xf0007, 0x0, {58880, 0}, 4, 134217728, 116, ... 112, ) == 0x0
 01230   444   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa50000), {0, 0}, 61440, ) == 0x0
 01231   444   NtUnmapViewOfSection  (-1, 0xa50000, ... ) == 0x0
 01232   444   NtClose  (112, ... ) == 0x0
 01233   444   NtSetInformationFile  (116, 1241016, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01234   444   NtClose  (116, ... ) == 0x0
 01235   444   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-USER\LOCALS~1\TEMP\~3.TMP.EXE"}, 7, 2113568, ... 116, {status=0x0, info=1}, ) }, 7, 2113568, ... 116, {status=0x0, info=1}, ) == 0x0
 01236   444   NtSetInformationFile  (116, 1240960, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01237   444   NtClose  (116, ... ) == 0x0
 01238   444   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~3.tmp.exe"}, 5, 96, ... 116, {status=0x0, info=1}, ) }, 5, 96, ... 116, {status=0x0, info=1}, ) == 0x0
 01239   444   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 116, ... 112, ) == 0x0
 01240   444   NtQueryVolumeInformationFile  (116, 1240368, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01241   444   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 108, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 108, {status=0x0, info=1}, ) == 0x0
 01242   444   NtQueryInformationFile  (108, 1238956, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01243   444   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 108, ... 104, ) == 0x0
 01244   444   NtMapViewOfSection  (104, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xa50000), 0x0, 1028096, ) == 0x0
 01245   444   NtQueryInformationFile  (108, 1239052, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01246   444   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01247   444   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\"}, 3, 16417, ... 120, {status=0x0, info=1}, ) }, 3, 16417, ... 120, {status=0x0, info=1}, ) == 0x0
 01248   444   NtQueryDirectoryFile  (120, 0, 0, 0, 1236616, 616, BothDirectory, 1,  (120, 0, 0, 0, 1236616, 616, BothDirectory, 1, "~3.tmp.exe", 0, ... {status=0x0, info=114}, ) , 0, ... {status=0x0, info=114}, ) == 0x0
 01249   444   NtClose  (120, ... ) == 0x0
 01250   444   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01251   444   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01252   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~3.tmp.exe"}, 1236004, ... ) }, 1236004, ... ) == 0x0
 01253   444   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 120, {status=0x0, info=1}, ) }, 3, 16417, ... 120, {status=0x0, info=1}, ) == 0x0
 01254   444   NtQueryDirectoryFile  (120, 0, 0, 0, 1235364, 616, BothDirectory, 1,  (120, 0, 0, 0, 1235364, 616, BothDirectory, 1, "DOCUME~1", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0
 01255   444   NtClose  (120, ... ) == 0x0
 01256   444   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\"}, 3, 16417, ... 120, {status=0x0, info=1}, ) }, 3, 16417, ... 120, {status=0x0, info=1}, ) == 0x0
 01257   444   NtQueryDirectoryFile  (120, 0, 0, 0, 1235364, 616, BothDirectory, 1,  (120, 0, 0, 0, 1235364, 616, BothDirectory, 1, "SRI-user", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01258   444   NtClose  (120, ... ) == 0x0
 01259   444   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\"}, 3, 16417, ... 120, {status=0x0, info=1}, ) }, 3, 16417, ... 120, {status=0x0, info=1}, ) == 0x0
 01260   444   NtQueryDirectoryFile  (120, 0, 0, 0, 1235364, 616, BothDirectory, 1,  (120, 0, 0, 0, 1235364, 616, BothDirectory, 1, "LOCALS~1", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0
 01261   444   NtClose  (120, ... ) == 0x0
 01262   444   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\"}, 3, 16417, ... 120, {status=0x0, info=1}, ) }, 3, 16417, ... 120, {status=0x0, info=1}, ) == 0x0
 01263   444   NtQueryDirectoryFile  (120, 0, 0, 0, 1235364, 616, BothDirectory, 1,  (120, 0, 0, 0, 1235364, 616, BothDirectory, 1, "Temp", 0, ... {status=0x0, info=102}, ) , 0, ... {status=0x0, info=102}, ) == 0x0
 01264   444   NtClose  (120, ... ) == 0x0
 01265   444   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01266   444   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01267   444   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01268   444   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01269   444   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 120, ) == 0x0
 01270   444   NtQueryInformationToken  (120, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01271   444   NtClose  (120, ... ) == 0x0
 01272   444   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01273   444   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\~3.tmp.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01274   444   NtUnmapViewOfSection  (-1, 0xa50000, ... ) == 0x0
 01275   444   NtClose  (104, ... ) == 0x0
 01276   444   NtClose  (108, ... ) == 0x0
 01277   444   NtQuerySection  (112, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01278   444   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\~3.tmp.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01279   444   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 01280   444   NtOpenProcessToken  (-1, 0xa, ... 108, ) == 0x0
 01281   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 104, ) }, ... 104, ) == 0x0
 01282   444   NtQueryValueKey  (104,  (104, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 01283   444   NtQueryValueKey  (104,  (104, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (104, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0
 01284   444   NtClose  (104, ... ) == 0x0
 01285   444   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 104, ) }, ... 104, ) == 0x0
 01286   444   NtQuerySymbolicLinkObject  (104, ...  (104, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0
 01287   444   NtClose  (104, ... ) == 0x0
 01288   444   NtQueryInformationFile  (116, 1238720, 528, Name, ... {status=0x0, info=130}, ) == 0x0
 01289   444   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01290   444   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01291   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temp\~3.tmp.exe"}, 1237400, ... ) }, 1237400, ... ) == 0x0
 01292   444   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\"}, 3, 16417, ... 104, {status=0x0, info=1}, ) }, 3, 16417, ... 104, {status=0x0, info=1}, ) == 0x0
 01293   444   NtQueryDirectoryFile  (104, 0, 0, 0, 1236760, 616, BothDirectory, 1,  (104, 0, 0, 0, 1236760, 616, BothDirectory, 1, "SRI-user", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01294   444   NtClose  (104, ... ) == 0x0
 01295   444   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\"}, 3, 16417, ... 104, {status=0x0, info=1}, ) }, 3, 16417, ... 104, {status=0x0, info=1}, ) == 0x0
 01296   444   NtQueryDirectoryFile  (104, 0, 0, 0, 1236760, 616, BothDirectory, 1,  (104, 0, 0, 0, 1236760, 616, BothDirectory, 1, "Temp", 0, ... {status=0x0, info=102}, ) , 0, ... {status=0x0, info=102}, ) == 0x0
 01297   444   NtClose  (104, ... ) == 0x0
 01298   444   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01299   444   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01300   444   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 104, ) }, ... 104, ) == 0x0
 01301   444   NtQueryValueKey  (104,  (104, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01302   444   NtClose  (104, ... ) == 0x0
 01303   444   NtQueryInformationToken  (108, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0
 01304   444   NtQueryInformationToken  (108, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0
 01305   444   NtClose  (108, ... ) == 0x0
 01306   444   NtCreateProcessEx  (1242996, 2035711, 0, -1, 0, 112, 0, 0, 0, ... ) == 0x0
 01307   444   NtOpenSection  (0xe, {24, 52, 0x0, 0, 0,  (0xe, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 104, ) }, ... 104, ) == 0x0
 01308   444   NtMapViewOfSection  (104, 108, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 01309   444   NtClose  (104, ... ) == 0x0
 01310   444   NtProtectVirtualMemory  (108, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0
 01311   444   NtWriteVirtualMemory  (108, 0x77f7e603,  (108, 0x77f7e603, "\350\214=\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01312   444   NtProtectVirtualMemory  (108, (0x77f7eaf3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01313   444   NtWriteVirtualMemory  (108, 0x77f7eaf3,  (108, 0x77f7eaf3, "\350\3518\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01314   444   NtProtectVirtualMemory  (108, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01315   444   NtWriteVirtualMemory  (108, 0x77f7e6a3,  (108, 0x77f7e6a3, "\350@=\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01316   444   NtProtectVirtualMemory  (108, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01317   444   NtWriteVirtualMemory  (108, 0x77f7e6b3,  (108, 0x77f7e6b3, "\350==\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01318   444   NtQueryInformationProcess  (108, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=1328,ParentPid=436,}, 0x0, ) == 0x0
 01319   444   NtReadVirtualMemory  (108, 0x7ffdf008, 4, ...  (108, 0x7ffdf008, 4, ... "\0\0\200\11", 0x0, ) , 0x0, ) == 0x0
 01320   444   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~3.tmp.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01321   444   NtReadVirtualMemory  (108, 0x9800000, 4096, ...  (108, 0x9800000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\201\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\310\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\7\361\203\330C\220\355\213C\220\355\213C\220\355\213\300\230\260\213@\220\355\213C\220\354\213B\220\355\213C\220\355\213B\220\355\213F\234\267\213B\220\355\213RichC\220\355\213\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0\206\23\36C\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\12\0\0\0\0\0\246\0\0\0L\0\0\0\24\1\0\0\20\0\0\0\20\0\0\0\0\200\11\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\360\1\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\10`\0\0(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\0\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.bss\0\0\0\0\34J\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0\300.rdata\0\0T\0\0\0", 4096, ) , 4096, ) == 0x0
 01322   444   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01323   444   NtQueryInformationProcess  (108, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=1328,ParentPid=436,}, 0x0, ) == 0x0
 01324   444   NtAllocateVirtualMemory  (-1, 0, 0, 1772, 4096, 4, ... 10813440, 4096, ) == 0x0
 01325   444   NtAllocateVirtualMemory  (108, 0, 0, 1910, 4096, 4, ... 65536, 4096, ) == 0x0
 01326   444   NtWriteVirtualMemory  (108, 0x10000,  (108, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0
 01327   444   NtAllocateVirtualMemory  (108, 0, 0, 1772, 4096, 4, ... 131072, 4096, ) == 0x0
 01328   444   NtWriteVirtualMemory  (108, 0x20000,  (108, 0x20000, "\0\20\0\0\354\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\0\0\0\0\0\13\0\0\0$\0\10\2\220\2\0\0\0\0\0\0\32\1\34\1\230\4\0\0Z\0\\0\264\5\0\0Z\0\\0\20\6\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0Z\0\\0l\6\0\0\36\0 \0\310\6\0\0\0\0\2\0\350\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1772, ... 0x0, ) , 1772, ... 0x0, ) == 0x0
 01329   444   NtWriteVirtualMemory  (108, 0x7ffdf010,  (108, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 01330   444   NtWriteVirtualMemory  (108, 0x7ffdf1e8,  (108, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 01331   444   NtFreeVirtualMemory  (-1, (0xa50000), 0, 32768, ... (0xa50000), 4096, ) == 0x0
 01332   444   NtAllocateVirtualMemory  (108, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0
 01333   444   NtAllocateVirtualMemory  (108, 1236992, 0, 8192, 4096, 4, ... 1236992, 8192, ) == 0x0
 01334   444   NtProtectVirtualMemory  (108, (0x12e000), 4096, 260, ... (0x12e000), 4096, 4, ) == 0x0
 01335   444   NtCreateThread  (0x1f03ff, 0x0, 108, 1241260, 1241980, 1, ... 104, {1328, 1740}, ) == 0x0
 01336   444   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 1378552, 1376256, 1422400, 1243080}  (24, {168, 196, new_msg, 0, 1378552, 1376256, 1422400, 1243080} "\0\0\0\0\0\0\1\0\2$\370w U\367wo\0\0\0h\0\0\00\5\0\0\314\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\350\370\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 436, 444, 2244, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367wl\0\0\0h\0\0\00\5\0\0\314\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\350\370\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {168, 196, reply, 0, 436, 444, 2244, 0}  (24, {168, 196, new_msg, 0, 1378552, 1376256, 1422400, 1243080} "\0\0\0\0\0\0\1\0\2$\370w U\367wo\0\0\0h\0\0\00\5\0\0\314\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\350\370\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 436, 444, 2244, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367wl\0\0\0h\0\0\00\5\0\0\314\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\350\370\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 01337   444   NtResumeThread  (104, ... 1, ) == 0x0
 01338   444   NtClose  (116, ... ) == 0x0
 01339   444   NtClose  (112, ... ) == 0x0
 01340   444   NtQueryInformationProcess  (108, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=1328,ParentPid=436,}, 0x0, ) == 0x0
 01341   444   NtUserWaitForInputIdle  (1328, 30000, 0, ...
 01342   444   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 112, ) == 0x0
 01343   444   NtClose  (112, ... ) == 0x0
 01341   444   NtUserWaitForInputIdle  ... ) == 0x102
 01344   444   NtClose  (108, ... ) == 0x0
 01345   444   NtClose  (104, ... ) == 0x0
 01346   444   NtContinue  (1244272, 0, ...
 01347   444   NtCreateEvent  (0x1f0003, {24, 52, 0x80, 1245092, 0,  (0x1f0003, {24, 52, 0x80, 1245092, 0, "VT_3"}, 1, 0, ... 104, ) }, 1, 0, ... 104, ) == STATUS_OBJECT_NAME_EXISTS
 01348   444   NtClose  (104, ... ) == 0x0
 01349   444   NtCreateEvent  (0x1f0003, {24, 52, 0x80, 1245092, 0,  (0x1f0003, {24, 52, 0x80, 1245092, 0, "VT_3"}, 1, 0, ... 104, ) }, 1, 0, ... 104, ) == STATUS_OBJECT_NAME_EXISTS
 01350   444   NtClose  (104, ... ) == 0x0
 01351   444   NtCreateEvent  (0x1f0003, {24, 52, 0x80, 1245092, 0,  (0x1f0003, {24, 52, 0x80, 1245092, 0, "VT_3"}, 1, 0, ... 104, ) }, 1, 0, ... 104, ) == STATUS_OBJECT_NAME_EXISTS
 01352   444   NtClose  (104, ... ) == 0x0
 01353   444   NtQueryPerformanceCounter  (... {325423919, 0}, {3579545, 0}, ) == 0x0
 01354   444   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01355   444   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 10813440, 65536, ) == 0x0
 01356   444   NtAllocateVirtualMemory  (-1, 10813440, 0, 4096, 4096, 4, ... 10813440, 4096, ) == 0x0
 01357   444   NtAllocateVirtualMemory  (-1, 10817536, 0, 8192, 4096, 4, ... 10817536, 8192, ) == 0x0
 01358   444   NtAllocateVirtualMemory  (-1, 10825728, 0, 4096, 4096, 4, ... 10825728, 4096, ) == 0x0
 01359   444   NtQueryInformationProcess  (-1, DebugPort, 4, ... {process info, class 7, size 4}, 0x0, ) == 0x0
 01360   444   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01361   444   NtQueryInformationJobObject  (0, BasicLimit, 48, ... ) == STATUS_ACCESS_DENIED
 01362   444   NtOpenKey  (0x80000000, {24, 0, 0xc0, 0, 0,  (0x80000000, {24, 0, 0xc0, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AeDebug"}, ... 104, ) }, ... 104, ) == 0x0
 01363   444   NtQueryValueKey  (104,  (104, "Debugger", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_BUFFER_OVERFLOW
 01364   444   NtQueryValueKey  (104,  (104, "Debugger", Partial, 64, ... TitleIdx=0, Type=1, Data="d\0r\0w\0t\0s\0n\03\02\0 \0-\0p\0 \0%\0l\0d\0 \0-\0e\0 \0%\0l\0d\0 \0-\0g\0\0\0"}, 64, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (104, "Debugger", Partial, 64, ... TitleIdx=0, Type=1, Data="d\0r\0w\0t\0s\0n\03\02\0 \0-\0p\0 \0%\0l\0d\0 \0-\0e\0 \0%\0l\0d\0 \0-\0g\0\0\0"}, 64, ) }, 64, ) == 0x0
 01365   444   NtQueryKey  (104, Basic, 24, ... ) == STATUS_BUFFER_OVERFLOW
 01366   444   NtQueryValueKey  (104,  (104, "Auto", Partial, 16, ... TitleIdx=0, Type=1, Data="1\0\0\0"}, 16, ) , Partial, 16, ... TitleIdx=0, Type=1, Data= (104, "Auto", Partial, 16, ... TitleIdx=0, Type=1, Data="1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01367   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\faultrep.dll"}, 1240220, ... ) }, 1240220, ... ) == 0x0
 01368   444   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\faultrep.dll"}, 5, 96, ... 108, {status=0x0, info=1}, ) }, 5, 96, ... 108, {status=0x0, info=1}, ) == 0x0
 01369   444   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 108, ... 112, ) == 0x0
 01370   444   NtClose  (108, ... ) == 0x0
 01371   444   NtMapViewOfSection  (112, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa60000), 0x0, 65536, ) == 0x0
 01372   444   NtClose  (112, ... ) == 0x0
 01373   444   NtUnmapViewOfSection  (-1, 0xa60000, ... ) == 0x0
 01374   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\faultrep.dll"}, 1240536, ... ) }, 1240536, ... ) == 0x0
 01375   444   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\faultrep.dll"}, 5, 96, ... 112, {status=0x0, info=1}, ) }, 5, 96, ... 112, {status=0x0, info=1}, ) == 0x0
 01376   444   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 112, ... 108, ) == 0x0
 01377   444   NtQuerySection  (108, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01378   444   NtClose  (112, ... ) == 0x0
 01379   444   NtMapViewOfSection  (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x69450000), 0x0, 73728, ) == 0x0
 01380   444   NtClose  (108, ... ) == 0x0
 01381   444   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "VERSION.dll"}, ... 108, ) }, ... 108, ) == 0x0
 01382   444   NtMapViewOfSection  (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c00000), 0x0, 28672, ) == 0x0
 01383   444   NtClose  (108, ... ) == 0x0
 01384   444   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "USERENV.dll"}, ... 108, ) }, ... 108, ) == 0x0
 01385   444   NtMapViewOfSection  (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75a70000), 0x0, 667648, ) == 0x0
 01386   444   NtClose  (108, ... ) == 0x0
 01387   444   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WINSTA.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01388   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WINSTA.dll"}, 1239724, ... ) }, 1239724, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01389   444   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WINSTA.dll"}, 1239724, ... ) }, 1239724, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01390   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINSTA.dll"}, 1239724, ... ) }, 1239724, ... ) == 0x0
 01391   444   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINSTA.dll"}, 5, 96, ... 108, {status=0x0, info=1}, ) }, 5, 96, ... 108, {status=0x0, info=1}, ) == 0x0
 01392   444   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 108, ... 112, ) == 0x0
 01393   444   NtQuerySection  (112, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01394   444   NtClose  (108, ... ) == 0x0
 01395   444   NtMapViewOfSection  (112, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76360000), 0x0, 61440, ) == 0x0
 01396   444   NtClose  (112, ... ) == 0x0
 01397   444   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WTSAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01398   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WTSAPI32.dll"}, 1239724, ... ) }, 1239724, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01399   444   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WTSAPI32.dll"}, 1239724, ... ) }, 1239724, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01400   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WTSAPI32.dll"}, 1239724, ... ) }, 1239724, ... ) == 0x0
 01401   444   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WTSAPI32.dll"}, 5, 96, ... 112, {status=0x0, info=1}, ) }, 5, 96, ... 112, {status=0x0, info=1}, ) == 0x0
 01402   444   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 112, ... 108, ) == 0x0
 01403   444   NtQuerySection  (108, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01404   444   NtClose  (112, ... ) == 0x0
 01405   444   NtMapViewOfSection  (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f50000), 0x0, 32768, ) == 0x0
 01406   444   NtClose  (108, ... ) == 0x0
 01407   444   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 108, ) }, ... 108, ) == 0x0
 01408   444   NtQueryValueKey  (108,  (108, "UserEnvDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01409   444   NtClose  (108, ... ) == 0x0
 01410   444   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 108, ) }, ... 108, ) == 0x0
 01411   444   NtQueryValueKey  (108,  (108, "ChkAccDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01412   444   NtClose  (108, ... ) == 0x0
 01413   444   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Control\ProductOptions"}, ... 108, ) }, ... 108, ) == 0x0
 01414   444   NtQueryValueKey  (108,  (108, "ProductType", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0i\0n\0N\0T\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "ProductType", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0i\0n\0N\0T\0\0\0"}, 24, ) }, 24, ) == 0x0
 01415   444   NtClose  (108, ... ) == 0x0
 01416   444   NtCreateEvent  (0x1f0003, {24, 52, 0x80, 1240152, 0,  (0x1f0003, {24, 52, 0x80, 1240152, 0, "Global\userenv:  User Profile setup event"}, 0, 1, ... 108, ) }, 0, 1, ... 108, ) == STATUS_OBJECT_NAME_EXISTS
 01417   444   NtQueryDefaultLocale  (1, 1237988, ... ) == 0x0
 01418   444   NtQueryDefaultLocale  (1, 1237988, ... ) == 0x0
 01419   444   NtQueryDefaultLocale  (1, 1237988, ... ) == 0x0
 01420   444   NtQueryDefaultLocale  (1, 1237988, ... ) == 0x0
 01421   444   NtQueryDefaultLocale  (1, 1237988, ... ) == 0x0
 01422   444   NtQueryDefaultLocale  (1, 1237988, ... ) == 0x0
 01423   444   NtQueryDefaultLocale  (1, 1237988, ... ) == 0x0
 01424   444   NtQueryDefaultLocale  (1, 1237988, ... ) == 0x0
 01425   444   NtQueryDefaultLocale  (1, 1237988, ... ) == 0x0
 01426   444   NtQueryDefaultLocale  (1, 1237988, ... ) == 0x0
 01427   444   NtQueryDefaultLocale  (1, 1237988, ... ) == 0x0
 01428   444   NtQueryDefaultLocale  (1, 1237988, ... ) == 0x0
 01429   444   NtQueryDefaultLocale  (1, 1237988, ... ) == 0x0
 01430   444   NtQueryDefaultLocale  (1, 1237988, ... ) == 0x0
 01431   444   NtQueryDefaultLocale  (1, 1237988, ... ) == 0x0
 01432   444   NtQueryDefaultLocale  (1, 1237988, ... ) == 0x0
 01433   444   NtQueryDefaultLocale  (1, 1237988, ... ) == 0x0
 01434   444   NtQueryDefaultLocale  (1, 1237988, ... ) == 0x0
 01435   444   NtQueryDefaultLocale  (1, 1237988, ... ) == 0x0
 01436   444   NtQueryDefaultLocale  (1, 1237988, ... ) == 0x0
 01437   444   NtQueryDefaultLocale  (1, 1237988, ... ) == 0x0
 01438   444   NtQueryDefaultLocale  (1, 1237988, ... ) == 0x0
 01439   444   NtQueryDefaultLocale  (1, 1237988, ... ) == 0x0
 01440   444   NtQueryDefaultLocale  (1, 1237988, ... ) == 0x0
 01441   444   NtQueryDefaultLocale  (1, 1237988, ... ) == 0x0
 01442   444   NtQueryDefaultLocale  (1, 1237988, ... ) == 0x0
 01443   444   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01444   444   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 112, ) == 0x0
 01445   444   NtQueryInformationToken  (112, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01446   444   NtClose  (112, ... ) == 0x0
 01447   444   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 112, ) }, ... 112, ) == 0x0
 01448   444   NtOpenKey  (0x20019, {24, 112, 0x40, 0, 0,  (0x20019, {24, 112, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, ... 116, ) }, ... 116, ) == 0x0
 01449   444   NtQueryValueKey  (116,  (116, "Personal", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 66, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (116, "Personal", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 66, ) }, 66, ) == 0x0
 01450   444   NtQueryDefaultLocale  (1, 1237988, ... ) == 0x0
 01451   444   NtQueryValueKey  (116,  (116, "Local Settings", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 70, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (116, "Local Settings", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 70, ) }, 70, ) == 0x0
 01452   444   NtQueryDefaultLocale  (1, 1237988, ... ) == 0x0
 01453   444   NtQueryDefaultLocale  (1, 1237988, ... ) == 0x0
 01454   444   NtQueryDefaultLocale  (1, 1237988, ... ) == 0x0
 01455   444   NtQueryDefaultLocale  (1, 1237988, ... ) == 0x0
 01456   444   NtClose  (116, ... ) == 0x0
 01457   444   NtClose  (112, ... ) == 0x0
 01458   444   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 112, ) }, ... 112, ) == 0x0
 01459   444   NtQueryValueKey  (112,  (112, "RsopDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01460   444   NtClose  (112, ... ) == 0x0
 01461   444   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 112, ) }, ... 112, ) == 0x0
 01462   444   NtQueryValueKey  (112,  (112, "UserEnvDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01463   444   NtQueryValueKey  (112,  (112, "RsopLogging", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01464   444   NtClose  (112, ... ) == 0x0
 01465   444   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\System"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01466   444   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 112, ) }, ... 112, ) == 0x0
 01467   444   NtQueryValueKey  (112,  (112, "UserEnvDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01468   444   NtClose  (112, ... ) == 0x0
 01469   444   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\System"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01470   444   NtOpenKey  (0x20119, {24, 28, 0x40, 0, 0,  (0x20119, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\PCHealth\ErrorReporting"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01471   444   NtCreateKey  (0x20119, {24, 28, 0x40, 0, 0,  (0x20119, {24, 28, 0x40, 0, 0, "Software\Microsoft\PCHealth\ErrorReporting"}, 0, 0x0, 0, ... 112, 2, ) }, 0, 0x0, 0, ... 112, 2, ) == 0x0
 01472   444   NtOpenKey  (0x10000, {24, 112, 0x40, 0, 0,  (0x10000, {24, 112, 0x40, 0, 0, "DW"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01473   444   NtQueryValueKey  (112,  (112, "DoReport", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (112, "DoReport", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01474   444   NtQueryValueKey  (112,  (112, "ShowUI", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (112, "ShowUI", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01475   444   NtQueryValueKey  (112,  (112, "AllOrNone", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (112, "AllOrNone", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01476   444   NtQueryValueKey  (112,  (112, "IncludeMicrosoftApps", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (112, "IncludeMicrosoftApps", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01477   444   NtQueryValueKey  (112,  (112, "IncludeWindowsApps", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (112, "IncludeWindowsApps", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01478   444   NtQueryValueKey  (112,  (112, "DoTextLog", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01479   444   NtQueryValueKey  (112,  (112, "IncludeKernelFaults", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (112, "IncludeKernelFaults", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01480   444   NtQueryValueKey  (112,  (112, "IncludeShutdownErrs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01481   444   NtQueryValueKey  (112,  (112, "NumberOfFaultPipes", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01482   444   NtQueryValueKey  (112,  (112, "NumberOfHangPipes", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01483   444   NtQueryValueKey  (112,  (112, "MaxUserQueueSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01484   444   NtQueryValueKey  (112,  (112, "ForceQueueMode", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01485   444   NtQueryValueKey  (112,  (112, "UseInternalServer", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01486   444   NtCreateKey  (0x20119, {24, 112, 0x40, 0, 0,  (0x20119, {24, 112, 0x40, 0, 0, "ExclusionList"}, 0, 0x0, 0, ... 116, 2, ) }, 0, 0x0, 0, ... 116, 2, ) == 0x0
 01487   444   NtCreateKey  (0x20119, {24, 112, 0x40, 0, 0,  (0x20119, {24, 112, 0x40, 0, 0, "InclusionList"}, 0, 0x0, 0, ... 120, 2, ) }, 0, 0x0, 0, ... 120, 2, ) == 0x0
 01488   444   NtClose  (112, ... ) == 0x0
 01489   444   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\Setup"}, ... 112, ) }, ... 112, ) == 0x0
 01490   444   NtQueryValueKey  (112,  (112, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (112, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01491   444   NtClose  (112, ... ) == 0x0
 01492   444   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01493   444   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01494   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1236200, ... ) }, 1236200, ... ) == 0x0
 01495   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1235012, ... ) }, 1235012, ... ) == 0x0
 01496   444   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01497   444   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01498   444   NtQueryValueKey  (116,  (116, "packed.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01499   444   NtOpenThreadToken  (-2, 0x2000c, 1, ... ) == STATUS_NO_TOKEN
 01500   444   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01501   444   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01502   444   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01503   444   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 112, ) }, ... 112, ) == 0x0
 01504   444   NtQueryValueKey  (112,  (112, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01505   444   NtClose  (112, ... ) == 0x0
 01506   444   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01507   444   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 112, ) == 0x0
 01508   444   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 124, ) == 0x0
 01509   444   NtQuerySystemTime  (... {1152291784, 29873146}, ) == 0x0
 01510   444   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 128, ) == 0x0
 01511   444   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01512   444   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0
 01513   444   NtQueryInformationProcess  (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0
 01514   444   NtQueryInformationProcess  (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0
 01515   444   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 132, ) == 0x0
 01516   444   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 136, ) == 0x0
 01517   444   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 140, ) == 0x0
 01518   444   NtAllocateVirtualMemory  (-1, 1437696, 0, 4096, 4096, 4, ... 1437696, 4096, ) == 0x0
 01519   444   NtConnectPort  ( ("\RPC Control\IcaApi", {12, 2, 1, 0}, 0x0, 0x0, 1235416, 112, ... 144, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 0}, 0x0, 0x0, 1235416, 112, ... 144, 0x0, 0x0, 0x0, 112, ) == 0x0
 01520   444   NtRequestWaitReplyPort  (144, {128, 152, new_msg, 0, 120748, 1376256, 1235180, 2012750850}  (144, {128, 152, new_msg, 0, 120748, 1376256, 1235180, 2012750850} "\0\337\22\0\2$\370w\370T\367w`\247\244\\261\353\317\21\206\21\0\240$T \355\1\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w \360\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\20\334\22\04\334\22\0\210\1\25\0\370\357\25\0\4\0\0\0\360\357\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0l\0l\0\0\0\0\0\2\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 436, 444, 2578, 0} "\7\337\22\0\2$\370w\370T\367w`\247\244\\261\353\317\21\206\21\0\240$T \355\1\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\20\334\22\04\334\22\0\210\1\25\0\370\357\25\0\4\0\0\0\360\357\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0l\0l\0\0\0\0\0\2\0\0\0\5\0\0\0" )  ... {128, 152, reply, 0, 436, 444, 2578, 0}  (144, {128, 152, new_msg, 0, 120748, 1376256, 1235180, 2012750850} "\0\337\22\0\2$\370w\370T\367w`\247\244\\261\353\317\21\206\21\0\240$T \355\1\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w \360\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\20\334\22\04\334\22\0\210\1\25\0\370\357\25\0\4\0\0\0\360\357\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0l\0l\0\0\0\0\0\2\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 436, 444, 2578, 0} "\7\337\22\0\2$\370w\370T\367w`\247\244\\261\353\317\21\206\21\0\240$T \355\1\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\20\334\22\04\334\22\0\210\1\25\0\370\357\25\0\4\0\0\0\360\357\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0l\0l\0\0\0\0\0\2\0\0\0\5\0\0\0" )  ) == 0x0
 01521   444   NtRequestWaitReplyPort  (144, {32, 56, new_msg, 0, 0, 0, 0, 0}  (144, {32, 56, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\3\0\0`\247\244\\261\353\317\21\206\21\0\240$T \355\377\377\377\377\0\0\0\0" ... {124, 148, reply, 0, 436, 444, 2579, 0} "\2nEx\1\0\0\0\350\377\377\3777\0-\01\0-\02\00\00\01\0\0\0\10\0\0\0\0\0\0\0\0\0H\275X\202\355?\334\21\261\310\0\14)\371\246\305\1\0\0\0\1\0\0\0ProviderName\0\0\0\0\330\377\377\377vk\16\0\10\0\0\0\300\353\0\0\3\0\0\0\1\0\0\0DriverDateData\0\0\360\377\377\377" )  ... {124, 148, reply, 0, 436, 444, 2579, 0}  (144, {32, 56, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\3\0\0`\247\244\\261\353\317\21\206\21\0\240$T \355\377\377\377\377\0\0\0\0" ... {124, 148, reply, 0, 436, 444, 2579, 0} "\2nEx\1\0\0\0\350\377\377\3777\0-\01\0-\02\00\00\01\0\0\0\10\0\0\0\0\0\0\0\0\0H\275X\202\355?\334\21\261\310\0\14)\371\246\305\1\0\0\0\1\0\0\0ProviderName\0\0\0\0\330\377\377\377vk\16\0\10\0\0\0\300\353\0\0\3\0\0\0\1\0\0\0DriverDateData\0\0\360\377\377\377" )  ) == 0x0
 01522   444   NtRequestWaitReplyPort  (144, {44, 68, new_msg, 56, 436, 444, 2579, 0}  (144, {44, 68, new_msg, 56, 436, 444, 2579, 0} "\1n\0\0B\2\5\0\350\377\377\3777\0-\01\0-\02\00\0\377\377\377\377\0\0\10\0\1\0\0\0\220\362\25\0\10\5\0\0" ... {40, 64, reply, 0, 436, 444, 2580, 0} "\2\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\14\5\0\0\300\335\14\0" )  ... {40, 64, reply, 0, 436, 444, 2580, 0}  (144, {44, 68, new_msg, 56, 436, 444, 2579, 0} "\1n\0\0B\2\5\0\350\377\377\3777\0-\01\0-\02\00\0\377\377\377\377\0\0\10\0\1\0\0\0\220\362\25\0\10\5\0\0" ... {40, 64, reply, 0, 436, 444, 2580, 0} "\2\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\14\5\0\0\300\335\14\0" )  ) == 0x0
 01523   444   NtRequestWaitReplyPort  (144, {64, 88, new_msg, 56, 0, 1438344, 1376632, 0}  (144, {64, 88, new_msg, 56, 0, 1438344, 1376632, 0} "\10\1\0\0@\0\0\0\210\361\25\0\340\333\22\0H\334\22\0\242\0\1\1\0\0\25\0\344\332\22\0\1\0\0\0\220\362\25\0\14\5\0\0\14\5\0\0\300\335\14\0\0\0\0\0\0\0\0\0\0\0\25\0" ... {64, 88, reply, 56, 436, 444, 2581, 0} "\10\1\0\0@\0\0\0\210\361\25\0\340\333\22\0H\334\22\0\242\0\1\1\0\0\25\0\344\332\22\0\1\0\0\0\220\362\25\0\14\5\0\0\14\5\0\0\300\335\14\0\0\0\0\0\0\0\0\0\0\0\25\0" )  ... {64, 88, reply, 56, 436, 444, 2581, 0}  (144, {64, 88, new_msg, 56, 0, 1438344, 1376632, 0} "\10\1\0\0@\0\0\0\210\361\25\0\340\333\22\0H\334\22\0\242\0\1\1\0\0\25\0\344\332\22\0\1\0\0\0\220\362\25\0\14\5\0\0\14\5\0\0\300\335\14\0\0\0\0\0\0\0\0\0\0\0\25\0" ... {64, 88, reply, 56, 436, 444, 2581, 0} "\10\1\0\0@\0\0\0\210\361\25\0\340\333\22\0H\334\22\0\242\0\1\1\0\0\25\0\344\332\22\0\1\0\0\0\220\362\25\0\14\5\0\0\14\5\0\0\300\335\14\0\0\0\0\0\0\0\0\0\0\0\25\0" )  ) == 0x0
 01524   444   NtRequestWaitReplyPort  (144, {44, 68, new_msg, 56, 436, 444, 2580, 0}  (144, {44, 68, new_msg, 56, 436, 444, 2580, 0} "\1\0\0\0B\2\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\1\0\0\0`\367\25\0\10\5\0\0" ... {40, 64, reply, 0, 436, 444, 2582, 0} "\2nEx\4\0\0\0\350\377\377\3777\0-\01\0-\02\00\00\01\0\0\0\10\0\14\5\0\0\300\335\14\0" )  ... {40, 64, reply, 0, 436, 444, 2582, 0}  (144, {44, 68, new_msg, 56, 436, 444, 2580, 0} "\1\0\0\0B\2\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\1\0\0\0`\367\25\0\10\5\0\0" ... {40, 64, reply, 0, 436, 444, 2582, 0} "\2nEx\4\0\0\0\350\377\377\3777\0-\01\0-\02\00\00\01\0\0\0\10\0\14\5\0\0\300\335\14\0" )  ) == 0x0
 01525   444   NtRequestWaitReplyPort  (144, {64, 88, new_msg, 56, 0, 1439576, 1376632, 0}  (144, {64, 88, new_msg, 56, 0, 1439576, 1376632, 0} "\10\1\0\0@\0\0\0\210\361\25\0\340\333\22\0H\334\22\0\242\0\1\1\0\0\25\0\344\332\22\0\1\0\0\0`\367\25\0\14\5\0\0\14\5\0\0\300\335\14\0\0\0\0\0\0\0\0\0\0\0\25\0" ... {64, 88, reply, 56, 436, 444, 2583, 0} "\10\1\0\0@\0\0\0\210\361\25\0\340\333\22\0H\334\22\0\242\0\1\1\0\0\25\0\344\332\22\0\1\0\0\0`\367\25\0\14\5\0\0\14\5\0\0\300\335\14\0\0\0\0\0\0\0\0\0\0\0\25\0" )  ... {64, 88, reply, 56, 436, 444, 2583, 0}  (144, {64, 88, new_msg, 56, 0, 1439576, 1376632, 0} "\10\1\0\0@\0\0\0\210\361\25\0\340\333\22\0H\334\22\0\242\0\1\1\0\0\25\0\344\332\22\0\1\0\0\0`\367\25\0\14\5\0\0\14\5\0\0\300\335\14\0\0\0\0\0\0\0\0\0\0\0\25\0" ... {64, 88, reply, 56, 436, 444, 2583, 0} "\10\1\0\0@\0\0\0\210\361\25\0\340\333\22\0H\334\22\0\242\0\1\1\0\0\25\0\344\332\22\0\1\0\0\0`\367\25\0\14\5\0\0\14\5\0\0\300\335\14\0\0\0\0\0\0\0\0\0\0\0\25\0" )  ) == 0x0
 01526   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 148, ) }, ... 148, ) == 0x0
 01527   444   NtOpenKey  (0x20019, {24, 148, 0x40, 0, 0,  (0x20019, {24, 148, 0x40, 0, 0, "ActiveComputerName"}, ... 152, ) }, ... 152, ) == 0x0
 01528   444   NtQueryValueKey  (152,  (152, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (152, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (152, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0
 01529   444   NtClose  (152, ... ) == 0x0
 01530   444   NtClose  (148, ... ) == 0x0
 01531   444   NtCreateIoCompletion  (0x1f0003, 0x0, 0, ... 148, ) == 0x0
 01532   444   NtCreateIoCompletion  (0x1f0003, 0x0, -1, ... 152, ) == 0x0
 01533   444   NtDuplicateObject  (-1, 148, -1, 0x0, 0, 2, ... 156, ) == 0x0
 01534   444   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01535   444   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 160, ) == 0x0
 01536   444   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01537   444   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01538   444   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1235372,  (0xc0100080, {24, 0, 0x40, 0, 1235372, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 164, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 164, {status=0x0, info=1}, ) == 0x0
 01539   444   NtSetInformationFile  (164, 1235428, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01540   444   NtSetInformationFile  (164, 1235420, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01541   444   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01542   444   NtWriteFile  (164, 133, 0, 0,  (164, 133, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01543   444   NtReadFile  (164, 133, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (164, 133, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20x\32\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01544   444   NtFsControlFile  (164, 133, 0x0, 0x0, 0x11c017,  (164, 133, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0d\340\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20x\32\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (164, 133, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0d\340\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20x\32\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01545   444   NtFsControlFile  (164, 133, 0x0, 0x0, 0x11c017,  (164, 133, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\200\0\0\0\2\0\0\0h\0\0\0\0\0D\0\0\0\0\0Z\344X\202\355?\334\21\261\310\0\14)\371\246\305\1\0\0\0\1\0\0\0 \0"\0\4\343\22\0\21\0\0\0\0\0\0\0\20\0\0\0M\0Y\0W\0O\0R\0L\0D\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 128, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0Z\344X\202\355?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) \0\4\343\22\0\21\0\0\0\0\0\0\0\20\0\0\0M\0Y\0W\0O\0R\0L\0D\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 (164, 133, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\200\0\0\0\2\0\0\0h\0\0\0\0\0D\0\0\0\0\0Z\344X\202\355?\334\21\261\310\0\14)\371\246\305\1\0\0\0\1\0\0\0 \0"\0\4\343\22\0\21\0\0\0\0\0\0\0\20\0\0\0M\0Y\0W\0O\0R\0L\0D\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 128, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0Z\344X\202\355?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) \5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0Z\344X\202\355?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) == 0x103
 01546   444   NtFsControlFile  (164, 133, 0x0, 0x0, 0x11c017,  (164, 133, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0Z\344X\202\355?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0@\264\25\0\1\0\0\0L\264\25\0 \0\0\0\1\0\0\0\16\0\20\0X\264\25\0h\264\25\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\20\341\25\0\1\0\0\0\1\0\0\0 \341\25\0\0\0\0\0\0\0\0\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=180},  (164, 133, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0Z\344X\202\355?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0@\264\25\0\1\0\0\0L\264\25\0 \0\0\0\1\0\0\0\16\0\20\0X\264\25\0h\264\25\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\20\341\25\0\1\0\0\0\1\0\0\0 \341\25\0\0\0\0\0\0\0\0\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\1\0\0\0\0\0\0\0", ) , ) == 0x103
 01547   444   NtClose  (160, ... ) == 0x0
 01548   444   NtClose  (164, ... ) == 0x0
 01549   444   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01550   444   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 164, ) == 0x0
 01551   444   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01552   444   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01553   444   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1235344,  (0xc0100080, {24, 0, 0x40, 0, 1235344, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 160, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 160, {status=0x0, info=1}, ) == 0x0
 01554   444   NtSetInformationFile  (160, 1235400, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01555   444   NtSetInformationFile  (160, 1235392, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01556   444   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01557   444   NtWriteFile  (160, 133, 0, 0,  (160, 133, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01558   444   NtReadFile  (160, 133, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (160, 133, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20y\32\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01559   444   NtFsControlFile  (160, 133, 0x0, 0x0, 0x11c017,  (160, 133, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0H\340\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20y\32\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (160, 133, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0H\340\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20y\32\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01560   444   NtFsControlFile  (160, 133, 0x0, 0x0, 0x11c017,  (160, 133, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\200\0\0\0\2\0\0\0h\0\0\0\0\0D\0\0\0\0\0[\344X\202\355?\334\21\261\310\0\14)\371\246\305\1\0\0\0\1\0\0\0 \0"\0\4\343\22\0\21\0\0\0\0\0\0\0\20\0\0\0M\0Y\0W\0O\0R\0L\0D\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 128, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0[\344X\202\355?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) \0\4\343\22\0\21\0\0\0\0\0\0\0\20\0\0\0M\0Y\0W\0O\0R\0L\0D\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 (160, 133, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\200\0\0\0\2\0\0\0h\0\0\0\0\0D\0\0\0\0\0[\344X\202\355?\334\21\261\310\0\14)\371\246\305\1\0\0\0\1\0\0\0 \0"\0\4\343\22\0\21\0\0\0\0\0\0\0\20\0\0\0M\0Y\0W\0O\0R\0L\0D\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 128, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0[\344X\202\355?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) \5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0[\344X\202\355?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) == 0x103
 01561   444   NtFsControlFile  (160, 133, 0x0, 0x0, 0x11c017,  (160, 133, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0[\344X\202\355?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0@\264\25\0\1\0\0\0L\264\25\0 \0\0\0\1\0\0\0\16\0\20\0X\264\25\0h\264\25\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\20\341\25\0\1\0\0\0\1\0\0\0 \341\25\0\0\0\0\0\0\0\0\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=180},  (160, 133, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0[\344X\202\355?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0@\264\25\0\1\0\0\0L\264\25\0 \0\0\0\1\0\0\0\16\0\20\0X\264\25\0h\264\25\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\20\341\25\0\1\0\0\0\1\0\0\0 \341\25\0\0\0\0\0\0\0\0\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\1\0\0\0\0\0\0\0", ) , ) == 0x103
 01562   444   NtClose  (164, ... ) == 0x0
 01563   444   NtClose  (160, ... ) == 0x0
 01564   444   NtOpenProcessToken  (-1, 0x20008, ... 160, ) == 0x0
 01565   444   NtQueryInformationToken  (160, User, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 01566   444   NtQueryInformationToken  (160, User, 36, ... {token info, class 1, size 36}, 36, ) == 0x0
 01567   444   NtOpenDirectoryObject  (0x2, {24, 0, 0x40, 0, 0,  (0x2, {24, 0, 0x40, 0, 0, "\Windows\WindowStations"}, ... 164, ) }, ... 164, ) == 0x0
 01568   444   NtUserOpenWindowStation  ({24, 164, 0x40, 0, 0,  ({24, 164, 0x40, 0, 0, "winsta0"}, 0x37f, ... ) }, 0x37f, ... ) == 0xa8
 01569   444   NtClose  (164, ... ) == 0x0
 01570   444   NtUserCloseWindowStation  (168, ...
 01571   444   NtClose  (168, ... ) == 0x0
 01570   444   NtUserCloseWindowStation  ... ) == 0x1
 01572   444   NtClose  (160, ... ) == 0x0
 01573   444   NtCreateEvent  (0x1f0003, {24, 0, 0x2, 0, 0, 0x0}, 1, 0, ... 160, ) == 0x0
 01574   444   NtCreateEvent  (0x1f0003, {24, 0, 0x2, 0, 0, 0x0}, 1, 0, ... 168, ) == 0x0
 01575   444   NtCreateMutant  (0x1f0001, {24, 0, 0x2, 0, 0, 0x0}, 0, ... 164, ) == 0x0
 01576   444   NtDuplicateObject  (-1, -1, -1, 0x1f0fff, 2, 0, ... 172, ) == 0x0
 01577   444   NtCreateSection  (0xf0007, {24, 0, 0x2, 0, 0, 0x0}, {7248, 0}, 4, 134217728, 0, ... 176, ) == 0x0
 01578   444   NtMapViewOfSection  (176, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa60000), {0, 0}, 8192, ) == 0x0
 01579   444   NtQueryDefaultUILanguage  (1236544, ...
 01580   444   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01581   444   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482028, ) == 0x0
 01582   444   NtQueryInformationToken  (-2147482028, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01583   444   NtClose  (-2147482028, ... ) == 0x0
 01584   444   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482028, ) }, ... -2147482028, ) == 0x0
 01585   444   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01586   444   NtOpenKey  (0x80000000, {24, -2147482028, 0x640, 0, 0,  (0x80000000, {24, -2147482028, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482024, ) }, ... -2147482024, ) == 0x0
 01587   444   NtQueryValueKey  (-2147482024,  (-2147482024, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01588   444   NtClose  (-2147482024, ... ) == 0x0
 01589   444   NtClose  (-2147482028, ... ) == 0x0
 01579   444   NtQueryDefaultUILanguage  ... ) == 0x0
 01590   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01591   444   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01592   444   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01593   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1234824, ... ) }, 1234824, ... ) == 0x0
 01594   444   NtAllocateVirtualMemory  (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0
 01595   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1233636, ... ) }, 1233636, ... ) == 0x0
 01596   444   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01597   444   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01598   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp"}, 1236052, ... ) }, 1236052, ... ) == 0x0
 01599   444   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 2012563070, 1440720, 2012568802, 0}  (24, {20, 48, new_msg, 0, 2012563070, 1440720, 2012568802, 0} "\0\0\0\0\2\0\1\0\0\0\0\0D\0\0\0\24\336\22\0" ... {20, 48, reply, 0, 436, 444, 2584, 0} "\0\0\0\0\2\0\1\0\5\0\0\0D\0\0\0\5\0\0\0" )  ... {20, 48, reply, 0, 436, 444, 2584, 0}  (24, {20, 48, new_msg, 0, 2012563070, 1440720, 2012568802, 0} "\0\0\0\0\2\0\1\0\0\0\0\0D\0\0\0\24\336\22\0" ... {20, 48, reply, 0, 436, 444, 2584, 0} "\0\0\0\0\2\0\1\0\5\0\0\0D\0\0\0\5\0\0\0" )  ) == 0x0
 01600   444   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1236060,  (0x80100080, {24, 0, 0x40, 0, 1236060, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\WER5.tmp"}, 0x0, 128, 0, 2, 96, 0, 0, ... ) }, 0x0, 128, 0, 2, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_COLLISION
 01601   444   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 436, 444, 2584, 0}  (24, {20, 48, new_msg, 0, 436, 444, 2584, 0} "\0\0\0\0\2\0\1\0\5\0\0\0D\0\0\0\5\0\0\0" ... {20, 48, reply, 0, 436, 444, 2585, 0} "\0\0\0\0\2\0\1\0\6\0\0\0D\0\0\0\6\0\0\0" )  ... {20, 48, reply, 0, 436, 444, 2585, 0}  (24, {20, 48, new_msg, 0, 436, 444, 2584, 0} "\0\0\0\0\2\0\1\0\5\0\0\0D\0\0\0\5\0\0\0" ... {20, 48, reply, 0, 436, 444, 2585, 0} "\0\0\0\0\2\0\1\0\6\0\0\0D\0\0\0\6\0\0\0" )  ) == 0x0
 01602   444   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1236060,  (0x80100080, {24, 0, 0x40, 0, 1236060, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\WER6.tmp"}, 0x0, 128, 0, 2, 96, 0, 0, ... 180, {status=0x0, info=2}, ) }, 0x0, 128, 0, 2, 96, 0, 0, ... 180, {status=0x0, info=2}, ) == 0x0
 01603   444   NtClose  (180, ... ) == 0x0
 01604   444   NtCreateFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\WER6.tmp.dir00"}, 0x0, 128, 3, 2, 16417, 0, 0, ... 180, {status=0x0, info=2}, ) }, 0x0, 128, 3, 2, 16417, 0, 0, ... 180, {status=0x0, info=2}, ) == 0x0
 01605   444   NtClose  (180, ... ) == 0x0
 01606   444   NtCreateSection  (0xf001f, 0x0, {4194304, 0}, 4, 67108864, 0, ... 180, ) == 0x0
 01607   444   NtMapViewOfSection  (180, -1, (0x0), 0, 0, 0x0, 4194304, 2, 0, 4, ... (0xa70000), 0x0, 4194304, ) == 0x0
 01608   444   NtAllocateVirtualMemory  (-1, 10944512, 0, 1, 4096, 4, ... 10944512, 4096, ) == 0x0
 01609   444   NtAllocateVirtualMemory  (-1, 10948608, 0, 4240, 4096, 4, ... 10948608, 8192, ) == 0x0
 01610   444   NtCreateSection  (0xf0007, 0x0, {30908, 0}, 4, 134217728, 0, ... 184, ) == 0x0
 01611   444   NtMapViewOfSection  (184, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xe70000), {0, 0}, 32768, ) == 0x0
 01612   444   NtUnmapViewOfSection  (-1, 0xe70000, ... ) == 0x0
 01613   444   NtMapViewOfSection  (184, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xe70000), {0, 0}, 32768, ) == 0x0
 01614   444   NtClose  (180, ... ) == 0x0
 01615   444   NtUnmapViewOfSection  (-1, 0xa70000, ... ) == 0x0
 01616   444   NtUnmapViewOfSection  (-1, 0xe70000, ... ) == 0x0
 01617   444   NtMapViewOfSection  (184, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa70000), {0, 0}, 32768, ) == 0x0
 01618   444   NtUnmapViewOfSection  (-1, 0xa70000, ... ) == 0x0
 01619   444   NtMapViewOfSection  (184, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa70000), {0, 0}, 32768, ) == 0x0
 01620   444   NtUnmapViewOfSection  (-1, 0xa70000, ... ) == 0x0
 01621   444   NtMapViewOfSection  (184, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa70000), {0, 0}, 32768, ) == 0x0
 01622   444   NtUnmapViewOfSection  (-1, 0xa70000, ... ) == 0x0
 01623   444   NtMapViewOfSection  (184, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa70000), {0, 0}, 32768, ) == 0x0
 01624   444   NtUnmapViewOfSection  (-1, 0xa70000, ... ) == 0x0
 01625   444   NtMapViewOfSection  (184, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa70000), {0, 0}, 32768, ) == 0x0
 01626   444   NtUnmapViewOfSection  (-1, 0xa70000, ... ) == 0x0
 01627   444   NtMapViewOfSection  (184, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa70000), {0, 0}, 32768, ) == 0x0
 01628   444   NtUnmapViewOfSection  (-1, 0xa70000, ... ) == 0x0
 01629   444   NtMapViewOfSection  (184, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa70000), {0, 0}, 32768, ) == 0x0
 01630   444   NtUnmapViewOfSection  (-1, 0xa70000, ... ) == 0x0
 01631   444   NtMapViewOfSection  (184, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa70000), {0, 0}, 32768, ) == 0x0
 01632   444   NtUnmapViewOfSection  (-1, 0xa70000, ... ) == 0x0
 01633   444   NtMapViewOfSection  (184, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa70000), {0, 0}, 32768, ) == 0x0
 01634   444   NtUnmapViewOfSection  (-1, 0xa70000, ... ) == 0x0
 01635   444   NtMapViewOfSection  (184, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa70000), {0, 0}, 32768, ) == 0x0
 01636   444   NtUnmapViewOfSection  (-1, 0xa70000, ... ) == 0x0
 01637   444   NtMapViewOfSection  (184, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa70000), {0, 0}, 32768, ) == 0x0
 01638   444   NtUnmapViewOfSection  (-1, 0xa70000, ... ) == 0x0
 01639   444   NtMapViewOfSection  (184, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa70000), {0, 0}, 32768, ) == 0x0
 01640   444   NtUnmapViewOfSection  (-1, 0xa70000, ... ) == 0x0
 01641   444   NtMapViewOfSection  (184, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa70000), {0, 0}, 32768, ) == 0x0
 01642   444   NtUnmapViewOfSection  (-1, 0xa70000, ... ) == 0x0
 01643   444   NtMapViewOfSection  (184, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa70000), {0, 0}, 32768, ) == 0x0
 01644   444   NtUnmapViewOfSection  (-1, 0xa70000, ... ) == 0x0
 01645   444   NtMapViewOfSection  (184, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa70000), {0, 0}, 32768, ) == 0x0
 01646   444   NtUnmapViewOfSection  (-1, 0xa70000, ... ) == 0x0
 01647   444   NtMapViewOfSection  (184, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa70000), {0, 0}, 32768, ) == 0x0
 01648   444   NtUnmapViewOfSection  (-1, 0xa70000, ... ) == 0x0
 01649   444   NtMapViewOfSection  (184, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa70000), {0, 0}, 32768, ) == 0x0
 01650   444   NtUnmapViewOfSection  (-1, 0xa70000, ... ) == 0x0
 01651   444   NtMapViewOfSection  (184, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa70000), {0, 0}, 32768, ) == 0x0
 01652   444   NtUnmapViewOfSection  (-1, 0xa70000, ... ) == 0x0
 01653   444   NtMapViewOfSection  (184, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa70000), {0, 0}, 32768, ) == 0x0
 01654   444   NtUnmapViewOfSection  (-1, 0xa70000, ... ) == 0x0
 01655   444   NtMapViewOfSection  (184, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa70000), {0, 0}, 32768, ) == 0x0
 01656   444   NtUnmapViewOfSection  (-1, 0xa70000, ... ) == 0x0
 01657   444   NtMapViewOfSection  (184, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa70000), {0, 0}, 32768, ) == 0x0
 01658   444   NtUnmapViewOfSection  (-1, 0xa70000, ... ) == 0x0
 01659   444   NtMapViewOfSection  (184, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa70000), {0, 0}, 32768, ) == 0x0
 01660   444   NtUnmapViewOfSection  (-1, 0xa70000, ... ) == 0x0
 01661   444   NtMapViewOfSection  (184, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa70000), {0, 0}, 32768, ) == 0x0
 01662   444   NtUnmapViewOfSection  (-1, 0xa70000, ... ) == 0x0
 01663   444   NtMapViewOfSection  (184, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa70000), {0, 0}, 32768, ) == 0x0
 01664   444   NtUnmapViewOfSection  (-1, 0xa70000, ... ) == 0x0
 01665   444   NtMapViewOfSection  (184, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa70000), {0, 0}, 32768, ) == 0x0
 01666   444   NtUnmapViewOfSection  (-1, 0xa70000, ... ) == 0x0
 01667   444   NtMapViewOfSection  (184, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa70000), {0, 0}, 32768, ) == 0x0
 01668   444   NtUnmapViewOfSection  (-1, 0xa70000, ... ) == 0x0
 01669   444   NtMapViewOfSection  (184, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa70000), {0, 0}, 32768, ) == 0x0
 01670   444   NtUnmapViewOfSection  (-1, 0xa70000, ... ) == 0x0
 01671   444   NtMapViewOfSection  (184, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa70000), {0, 0}, 32768, ) == 0x0
 01672   444   NtUnmapViewOfSection  (-1, 0xa70000, ... ) == 0x0
 01673   444   NtMapViewOfSection  (184, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa70000), {0, 0}, 32768, ) == 0x0
 01674   444   NtUnmapViewOfSection  (-1, 0xa70000, ... ) == 0x0
 01675   444   NtMapViewOfSection  (184, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa70000), {0, 0}, 32768, ) == 0x0
 01676   444   NtUnmapViewOfSection  (-1, 0xa70000, ... ) == 0x0
 01677   444   NtClose  (184, ... ) == 0x0
 01678   444   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01679   444   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\u:"}, 3, 96, ... 184, {status=0x0, info=1}, ) }, 3, 96, ... 184, {status=0x0, info=1}, ) == 0x0
 01680   444   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\u:"}, ... 180, ) }, ... 180, ) == 0x0
 01681   444   NtQuerySymbolicLinkObject  (180, ...  (180, ... "\Device\WinDfs\U:00000000000091ea", 66, ) , 66, ) == 0x0
 01682   444   NtClose  (180, ... ) == 0x0
 01683   444   NtQueryVolumeInformationFile  (184, 1236160, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01684   444   NtClose  (184, ... ) == 0x0
 01685   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\apphelp.dll"}, 1234020, ... ) }, 1234020, ... ) == 0x0
 01686   444   NtAllocateVirtualMemory  (-1, 1441792, 0, 12288, 4096, 4, ... 1441792, 12288, ) == 0x0
 01687   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1235596, ... ) }, 1235596, ... ) == 0x0
 01688   444   NtCreateFile  (0x40100080, {24, 0, 0x40, 0, 1235604,  (0x40100080, {24, 0, 0x40, 0, 1235604, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\WER6.tmp.dir00\appcompat.txt"}, 0x0, 128, 0, 5, 96, 0, 0, ... }, 0x0, 128, 0, 5, 96, 0, 0, ...
 01689   444   NtClose  (-2147482028, ... ) == 0x0
 01688   444   NtCreateFile  ... 184, {status=0x0, info=2}, ) == 0x0
 01690   444   NtAllocateVirtualMemory  (-1, 1454080, 0, 12288, 4096, 4, ... 1454080, 12288, ) == 0x0
 01691   444   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work\"}, 3, 16417, ... 180, {status=0x0, info=1}, ) }, 3, 16417, ... 180, {status=0x0, info=1}, ) == 0x0
 01692   444   NtQueryDirectoryFile  (180, 0, 0, 0, 1234196, 616, BothDirectory, 1,  (180, 0, 0, 0, 1234196, 616, BothDirectory, 1, "packed.exe", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0
 01693   444   NtWriteFile  (184, 0, 0, 0,  (184, 0, 0, 0, "\377\376", 2, 0x0, 0, ... {status=0x0, info=2}, ) , 2, 0x0, 0, ... {status=0x0, info=2}, ) == 0x0
 01694   444   NtWriteFile  (184, 0, 0, 0,  (184, 0, 0, 0, "<\0?\0x\0m\0l\0 \0v\0e\0r\0s\0i\0o\0n\0=\0"\01\0.\00\0"\0 \0e\0n\0c\0o\0d\0i\0n\0g\0=\0"\0U\0T\0F\0-\01\06\0"\0?\0>\0\15\0\12\0<\0D\0A\0T\0A\0B\0A\0S\0E\0>\0\15\0\12\0", 106, 0x0, 0, ... {status=0x0, info=106}, ) \01\0.\00\0 (184, 0, 0, 0, "<\0?\0x\0m\0l\0 \0v\0e\0r\0s\0i\0o\0n\0=\0"\01\0.\00\0"\0 \0e\0n\0c\0o\0d\0i\0n\0g\0=\0"\0U\0T\0F\0-\01\06\0"\0?\0>\0\15\0\12\0<\0D\0A\0T\0A\0B\0A\0S\0E\0>\0\15\0\12\0", 106, 0x0, 0, ... {status=0x0, info=106}, ) \0U\0T\0F\0-\01\06\0 (184, 0, 0, 0, "<\0?\0x\0m\0l\0 \0v\0e\0r\0s\0i\0o\0n\0=\0"\01\0.\00\0"\0 \0e\0n\0c\0o\0d\0i\0n\0g\0=\0"\0U\0T\0F\0-\01\06\0"\0?\0>\0\15\0\12\0<\0D\0A\0T\0A\0B\0A\0S\0E\0>\0\15\0\12\0", 106, 0x0, 0, ... {status=0x0, info=106}, ) , 106, 0x0, 0, ... {status=0x0, info=106}, ) == 0x0
 01695   444   NtWriteFile  (184, 0, 0, 0,  (184, 0, 0, 0, "<\0E\0X\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0F\0I\0L\0T\0E\0R\0=\0"\0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0"\0>\0\15\0\12\0", 122, 0x0, 0, ... {status=0x0, info=122}, ) \0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0 (184, 0, 0, 0, "<\0E\0X\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0F\0I\0L\0T\0E\0R\0=\0"\0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0"\0>\0\15\0\12\0", 122, 0x0, 0, ... {status=0x0, info=122}, ) \0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0 (184, 0, 0, 0, "<\0E\0X\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0F\0I\0L\0T\0E\0R\0=\0"\0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0"\0>\0\15\0\12\0", 122, 0x0, 0, ... {status=0x0, info=122}, ) , 122, 0x0, 0, ... {status=0x0, info=122}, ) == 0x0
 01696   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1234652, ... ) }, 1234652, ... ) == 0x0
 01697   444   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work"}, 3, 16417, ... 188, {status=0x0, info=1}, ) }, 3, 16417, ... 188, {status=0x0, info=1}, ) == 0x0
 01698   444   NtQueryDirectoryFile  (188, 0, 0, 0, 1234212, 592, Directory, 1,  (188, 0, 0, 0, 1234212, 592, Directory, 1, "packed.exe", 0, ... {status=0x0, info=84}, ) , 0, ... {status=0x0, info=84}, ) == 0x0
 01699   444   NtClose  (188, ... ) == 0x0
 01700   444   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01701   444   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01702   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1233576, ... ) }, 1233576, ... ) == 0x0
 01703   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1232388, ... ) }, 1232388, ... ) == 0x0
 01704   444   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01705   444   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01706   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\U:\WORK\PACKED.EXE"}, 1234524, ... ) }, 1234524, ... ) == 0x0
 01707   444   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\U:\WORK\PACKED.EXE"}, 7, 2113568, ... 188, {status=0x0, info=1}, ) }, 7, 2113568, ... 188, {status=0x0, info=1}, ) == 0x0
 01708   444   NtSetInformationFile  (188, 1234500, 40, Basic, ... ) == STATUS_ACCESS_DENIED
 01709   444   NtClose  (188, ... ) == 0x0
 01710   444   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 0x0, 128, 1, 1, 96, 0, 0, ... 188, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 188, {status=0x0, info=1}, ) == 0x0
 01711   444   NtQueryInformationFile  (188, 1234740, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01712   444   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 188, ... 192, ) == 0x0
 01713   444   NtMapViewOfSection  (192, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xa70000), 0x0, 446464, ) == 0x0
 01714   444   NtUnmapViewOfSection  (-1, 0xa70000, ... ) == 0x0
 01715   444   NtClose  (192, ... ) == 0x0
 01716   444   NtClose  (188, ... ) == 0x0
 01717   444   NtWriteFile  (184, 0, 0, 0,  (184, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\04\04\03\03\09\02\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\04\07\08\09\0F\0C\0C\03\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\02\0/\02\06\0/\02\00\00\07\0 \00\05\0:\05\00\0:\02\05\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\02\0/\02\06\0/\02\00\00\07\0 \00\05\0:\05\00\0:\02\05\0"\0 \0/\0>\0\15\0\12\0", 410, 0x0, 0, ... {status=0x0, info=410}, ) \0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0 (184, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\04\04\03\03\09\02\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\04\07\08\09\0F\0C\0C\03\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\02\0/\02\06\0/\02\00\00\07\0 \00\05\0:\05\00\0:\02\05\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\02\0/\02\06\0/\02\00\00\07\0 \00\05\0:\05\00\0:\02\05\0"\0 \0/\0>\0\15\0\12\0", 410, 0x0, 0, ... {status=0x0, info=410}, ) \04\04\03\03\09\02\0 (184, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\04\04\03\03\09\02\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\04\07\08\09\0F\0C\0C\03\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\02\0/\02\06\0/\02\00\00\07\0 \00\05\0:\05\00\0:\02\05\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\02\0/\02\06\0/\02\00\00\07\0 \00\05\0:\05\00\0:\02\05\0"\0 \0/\0>\0\15\0\12\0", 410, 0x0, 0, ... {status=0x0, info=410}, ) \00\0x\04\07\08\09\0F\0C\0C\03\0 (184, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\04\04\03\03\09\02\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\04\07\08\09\0F\0C\0C\03\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\02\0/\02\06\0/\02\00\00\07\0 \00\05\0:\05\00\0:\02\05\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\02\0/\02\06\0/\02\00\00\07\0 \00\05\0:\05\00\0:\02\05\0"\0 \0/\0>\0\15\0\12\0", 410, 0x0, 0, ... {status=0x0, info=410}, ) \0W\0I\0N\03\02\0 (184, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\04\04\03\03\09\02\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\04\07\08\09\0F\0C\0C\03\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\02\0/\02\06\0/\02\00\00\07\0 \00\05\0:\05\00\0:\02\05\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\02\0/\02\06\0/\02\00\00\07\0 \00\05\0:\05\00\0:\02\05\0"\0 \0/\0>\0\15\0\12\0", 410, 0x0, 0, ... {status=0x0, info=410}, ) \00\0x\00\0 (184, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\04\04\03\03\09\02\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\04\07\08\09\0F\0C\0C\03\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\02\0/\02\06\0/\02\00\00\07\0 \00\05\0:\05\00\0:\02\05\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\02\0/\02\06\0/\02\00\00\07\0 \00\05\0:\05\00\0:\02\05\0"\0 \0/\0>\0\15\0\12\0", 410, 0x0, 0, ... {status=0x0, info=410}, ) \00\0x\00\0 (184, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\04\04\03\03\09\02\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\04\07\08\09\0F\0C\0C\03\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\02\0/\02\06\0/\02\00\00\07\0 \00\05\0:\05\00\0:\02\05\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\02\0/\02\06\0/\02\00\00\07\0 \00\05\0:\05\00\0:\02\05\0"\0 \0/\0>\0\15\0\12\0", 410, 0x0, 0, ... {status=0x0, info=410}, ) \00\02\0/\02\06\0/\02\00\00\07\0 \00\05\0:\05\00\0:\02\05\0 (184, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\04\04\03\03\09\02\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\04\07\08\09\0F\0C\0C\03\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\02\0/\02\06\0/\02\00\00\07\0 \00\05\0:\05\00\0:\02\05\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\02\0/\02\06\0/\02\00\00\07\0 \00\05\0:\05\00\0:\02\05\0"\0 \0/\0>\0\15\0\12\0", 410, 0x0, 0, ... {status=0x0, info=410}, ) \00\02\0/\02\06\0/\02\00\00\07\0 \00\05\0:\05\00\0:\02\05\0 (184, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\04\04\03\03\09\02\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\04\07\08\09\0F\0C\0C\03\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\02\0/\02\06\0/\02\00\00\07\0 \00\05\0:\05\00\0:\02\05\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\02\0/\02\06\0/\02\00\00\07\0 \00\05\0:\05\00\0:\02\05\0"\0 \0/\0>\0\15\0\12\0", 410, 0x0, 0, ... {status=0x0, info=410}, ) , 410, 0x0, 0, ... {status=0x0, info=410}, ) == 0x0
 01718   444   NtQueryDirectoryFile  (180, 0, 0, 0, 1458208, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES
 01719   444   NtClose  (180, ... ) == 0x0
 01720   444   NtWriteFile  (184, 0, 0, 0,  (184, 0, 0, 0, "<\0/\0E\0X\0E\0>\0\15\0\12\0", 16, 0x0, 0, ... {status=0x0, info=16}, ) , 16, 0x0, 0, ... {status=0x0, info=16}, ) == 0x0
 01721   444   NtClose  (184, ... ) == 0x0
 01722   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\kernel32.dll"}, 1235596, ... ) }, 1235596, ... ) == 0x0
 01723   444   NtCreateFile  (0x40100080, {24, 0, 0x40, 0, 1235604,  (0x40100080, {24, 0, 0x40, 0, 1235604, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\WER6.tmp.dir00\appcompat.txt"}, 0x0, 128, 0, 3, 96, 0, 0, ... 184, {status=0x0, info=1}, ) }, 0x0, 128, 0, 3, 96, 0, 0, ... 184, {status=0x0, info=1}, ) == 0x0
 01724   444   NtQueryInformationFile  (184, 1235628, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01725   444   NtSetInformationFile  (184, 1235660, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01726   444   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 180, {status=0x0, info=1}, ) }, 3, 16417, ... 180, {status=0x0, info=1}, ) == 0x0
 01727   444   NtQueryDirectoryFile  (180, 0, 0, 0, 1234196, 616, BothDirectory, 1,  (180, 0, 0, 0, 1234196, 616, BothDirectory, 1, "kernel32.dll", 0, ... {status=0x0, info=118}, ) , 0, ... {status=0x0, info=118}, ) == 0x0
 01728   444   NtWriteFile  (184, 0, 0, 0,  (184, 0, 0, 0, "<\0E\0X\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0F\0I\0L\0T\0E\0R\0=\0"\0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0"\0>\0\15\0\12\0", 126, 0x0, 0, ... {status=0x0, info=126}, ) \0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0 (184, 0, 0, 0, "<\0E\0X\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0F\0I\0L\0T\0E\0R\0=\0"\0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0"\0>\0\15\0\12\0", 126, 0x0, 0, ... {status=0x0, info=126}, ) \0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0 (184, 0, 0, 0, "<\0E\0X\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0F\0I\0L\0T\0E\0R\0=\0"\0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0"\0>\0\15\0\12\0", 126, 0x0, 0, ... {status=0x0, info=126}, ) , 126, 0x0, 0, ... {status=0x0, info=126}, ) == 0x0
 01729   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\kernel32.dll"}, 1234624, ... ) }, 1234624, ... ) == 0x0
 01730   444   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32"}, 3, 16417, ... 188, {status=0x0, info=1}, ) }, 3, 16417, ... 188, {status=0x0, info=1}, ) == 0x0
 01731   444   NtQueryDirectoryFile  (188, 0, 0, 0, 1234212, 592, Directory, 1,  (188, 0, 0, 0, 1234212, 592, Directory, 1, "kernel32.dll", 0, ... {status=0x0, info=88}, ) , 0, ... {status=0x0, info=88}, ) == 0x0
 01732   444   NtClose  (188, ... ) == 0x0
 01733   444   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01734   444   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01735   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\kernel32.dll"}, 1233576, ... ) }, 1233576, ... ) == 0x0
 01736   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\kernel32.dll"}, 1232388, ... ) }, 1232388, ... ) == 0x0
 01737   444   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01738   444   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01739   444   NtQueryDefaultLocale  (1, 1234440, ... ) == 0x0
 01740   444   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01741   444   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01742   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\kernel32.dll"}, 1233568, ... ) }, 1233568, ... ) == 0x0
 01743   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\kernel32.dll"}, 1232380, ... ) }, 1232380, ... ) == 0x0
 01744   444   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01745   444   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01746   444   NtQueryDefaultLocale  (1, 1234432, ... ) == 0x0
 01747   444   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\kernel32.dll"}, 0x0, 128, 1, 1, 96, 0, 0, ... 188, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 188, {status=0x0, info=1}, ) == 0x0
 01748   444   NtQueryInformationFile  (188, 1234740, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01749   444   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 188, ... 192, ) == 0x0
 01750   444   NtMapViewOfSection  (192, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xa70000), 0x0, 929792, ) == 0x0
 01751   444   NtUnmapViewOfSection  (-1, 0xa70000, ... ) == 0x0
 01752   444   NtClose  (192, ... ) == 0x0
 01753   444   NtClose  (188, ... ) == 0x0
 01754   444   NtQueryDefaultUILanguage  (1234104, ...
 01755   444   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01756   444   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482028, ) == 0x0
 01757   444   NtQueryInformationToken  (-2147482028, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01758   444   NtClose  (-2147482028, ... ) == 0x0
 01759   444   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482028, ) }, ... -2147482028, ) == 0x0
 01760   444   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01761   444   NtOpenKey  (0x80000000, {24, -2147482028, 0x640, 0, 0,  (0x80000000, {24, -2147482028, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482024, ) }, ... -2147482024, ) == 0x0
 01762   444   NtQueryValueKey  (-2147482024,  (-2147482024, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01763   444   NtClose  (-2147482024, ... ) == 0x0
 01764   444   NtClose  (-2147482028, ... ) == 0x0
 01754   444   NtQueryDefaultUILanguage  ... ) == 0x0
 01765   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01766   444   NtWriteFile  (184, 0, 0, 0,  (184, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\02\06\07\02\00\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\06\02\06\02\0E\0E\0A\05\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\00\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\00\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\00\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0C\0o\0r\0p\0o\0r\0a\0t\0i\0", 1622, 0x0, 0, ... {status=0x0, info=1622}, ) \0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0 (184, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\02\06\07\02\00\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\06\02\06\02\0E\0E\0A\05\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\00\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\00\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\00\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0C\0o\0r\0p\0o\0r\0a\0t\0i\0", 1622, 0x0, 0, ... {status=0x0, info=1622}, ) \09\02\06\07\02\00\0 (184, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\02\06\07\02\00\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\06\02\06\02\0E\0E\0A\05\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\00\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\00\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\00\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0C\0o\0r\0p\0o\0r\0a\0t\0i\0", 1622, 0x0, 0, ... {status=0x0, info=1622}, ) \00\0x\06\02\06\02\0E\0E\0A\05\0 (184, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\02\06\07\02\00\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\06\02\06\02\0E\0E\0A\05\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\00\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\00\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\00\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0C\0o\0r\0p\0o\0r\0a\0t\0i\0", 1622, 0x0, 0, ... {status=0x0, info=1622}, ) \05\0.\01\0.\02\06\00\00\0.\00\0 (184, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\02\06\07\02\00\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\06\02\06\02\0E\0E\0A\05\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\00\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\00\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\00\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0C\0o\0r\0p\0o\0r\0a\0t\0i\0", 1622, 0x0, 0, ... {status=0x0, info=1622}, ) \05\0.\01\0.\02\06\00\00\0.\00\0 (184, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\02\06\07\02\00\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\06\02\06\02\0E\0E\0A\05\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\00\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\00\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\00\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0C\0o\0r\0p\0o\0r\0a\0t\0i\0", 1622, 0x0, 0, ... {status=0x0, info=1622}, ) \05\0.\01\0.\02\06\00\00\0.\00\0 (184, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\02\06\07\02\00\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\06\02\06\02\0E\0E\0A\05\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\00\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\00\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\00\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0C\0o\0r\0p\0o\0r\0a\0t\0i\0", 1622, 0x0, 0, ... {status=0x0, info=1622}, ) \0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0 (184, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\02\06\07\02\00\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\06\02\06\02\0E\0E\0A\05\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\00\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\00\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\00\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0C\0o\0r\0p\0o\0r\0a\0t\0i\0", 1622, 0x0, 0, ... {status=0x0, info=1622}, ) \0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0C\0o\0r\0p\0o\0r\0a\0t\0i\0", 1622, 0x0, 0, ... {status=0x0, info=1622}, ) == 0x0
 01767   444   NtQueryDirectoryFile  (180, 0, 0, 0, 1460776, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES
 01768   444   NtClose  (180, ... ) == 0x0
 01769   444   NtWriteFile  (184, 0, 0, 0,  (184, 0, 0, 0, "<\0/\0E\0X\0E\0>\0\15\0\12\0<\0/\0D\0A\0T\0A\0B\0A\0S\0E\0>\0\15\0\12\0", 42, 0x0, 0, ... {status=0x0, info=42}, ) , 42, 0x0, 0, ... {status=0x0, info=42}, ) == 0x0
 01770   444   NtClose  (184, ... ) == 0x0
 01771   444   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 01772   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\dwwin.exe"}, 1233012, ... ) }, 1233012, ... ) == 0x0
 01773   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\dwwin.exe"}, 1233704, ... ) }, 1233704, ... ) == 0x0
 01774   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM32\DWWIN.EXE"}, 1233624, ... ) }, 1233624, ... ) == 0x0
 01775   444   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM32\DWWIN.EXE"}, 7, 2113568, ... 184, {status=0x0, info=1}, ) }, 7, 2113568, ... 184, {status=0x0, info=1}, ) == 0x0
 01776   444   NtSetInformationFile  (184, 1233600, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01777   444   NtClose  (184, ... ) == 0x0
 01778   444   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1233604,  (0xc0100080, {24, 0, 0x40, 0, 1233604, "\??\C:\WINDOWS\SYSTEM32\DWWIN.EXE"}, 0x0, 0, 1, 1, 96, 0, 0, ... 184, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 96, 0, 0, ... 184, {status=0x0, info=1}, ) == 0x0
 01779   444   NtQueryInformationFile  (184, 1233656, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01780   444   NtQueryInformationFile  (184, 1233656, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01781   444   NtCreateSection  (0xf0007, 0x0, {162128, 0}, 4, 134217728, 184, ...
 01782   444   NtQueryVolumeInformationFile  (-2147482028, -135068612, 32, FullSize, ... {status=0x0, info=32}, ) == 0x0
 01783   444   NtQueryInformationFile  (-2147482028, -135068332, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01784   444   NtQueryInformationFile  (-2147482028, -135068380, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01785   444   NtQueryInformationFile  (-2147482028, -519618560, 4096, Stream, ... ) == STATUS_INVALID_PARAMETER
 01786   444   NtQueryInformationFile  (-2147482028, -135068688, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01787   444   NtQueryInformationFile  (-2147482024, -135068728, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01788   444   NtSetInformationFile  (-2147482024, -135068648, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01789   444   NtCreateSection  (0x5, 0x0, {162128, 0}, 2, 134217728, -2147482028, ... 180, ) == 0x0
 01790   444   NtMapViewOfSection  (180, -1, (0x0), 0, 0, {0, 0}, 65536, 2, 0, 2, ... (0xa70000), {0, 0}, 65536, ) == 0x0
 01791   444   NtWriteFile  (-2147482024, 0, 0, 0,  (-2147482024, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\350\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\270\277\220\252\374\336\376\371\374\336\376\371\374\336\376\371\24\301\365\371\375\336\376\371\177\302\360\371\365\336\376\371\24\301\364\371\325\336\376\371\252\301\355\371\364\336\376\371\202\374\342\371\373\336\376\371\14\301\365\371\354\336\376\371\374\336\376\371\343\337\376\371Rich\374\336\376\371\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0_\245\35;\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\24\00\2\0\0\220\0\0\0\0\0\0jr\0\0\0\20\0\0\0p\3\0\0\0\00\0\20\0\0\0\20\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\320\2\0\0\20\0\0\15"\3\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\31%\2\0:\1\0\0\0\300\2\0\200\12\0\0\0\0\0\0\0\0\0\0\0`\2\0P\31\0\0\0\0\0\0\0\0\0\0Z8\2\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0\204\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\222(\2\0\0\20\0\0\00\2\0", 65536, {0, 0}, 0, ... {status=0x0, info=65536}, ) \3\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\31%\2\0:\1\0\0\0\300\2\0\200\12\0\0\0\0\0\0\0\0\0\0\0`\2\0P\31\0\0\0\0\0\0\0\0\0\0Z8\2\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0\204\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\222(\2\0\0\20\0\0\00\2\0", 65536, {0, 0}, 0, ... {status=0x0, info=65536}, ) == 0x0
 01792   444   NtUnmapViewOfSection  (-1, 0xa70000, ... ) == 0x0
 01793   444   NtMapViewOfSection  (180, -1, (0x0), 0, 0, {65536, 0}, 65536, 2, 0, 2, ... (0xa70000), {65536, 0}, 65536, ) == 0x0
 01794   444   NtWriteFile  (-2147482024, 0, 0, 0,  (-2147482024, 0, 0, 0, "\0\0HHtDHt \203\350\3\17\205V\2\0\0\270`\30\00P\211E\374\350T\365\0\0\213M\14\215D\10\26\353n\270h\30\00P\211E\374\350=\365\0\0\213M\24\213U\14\3\320\215LI\6\3\312\211M\14\353P\213u\243\300;\367v\17\213M\30\200<\10\0u\1G@;\306r\361Oh@\30\00\211}\370\307E\374L\30\00\350\375\364\0\0\3\307\3E\14\215D0\3\353\25\270\24\30\00P\211E\374\350\344\364\0\0\213M\14\215D\10\16\211E\14\213}\34\213u \213\7\3E\14;\6|*\273\0\200\0\0\213\6\3\303P\213E$\3770\350_\340\0\0\205\300t\22\213M$\1\36\211\1\213\17\3M\14\213\6;\310}\333\213E$\213\37\3\30\213E\10\203\370\5wk\203\370\4sT\205\300t6\17\206w\1\0\0\203\370\2v\16\203\370\3\17\204\205\0\0\0\351d\1\0\0\377u\30\377u\374\377u\20h8\377\00S\377\25\14\23\00\203\304\24\351#\1\0\0\377u\374\377u\20h\\377\00S\377\25\14\23\00\203\304\20\351\11\1\0\0\213E\30\3770\377u\374\377u\20h(\377\00\353\305\203\350\7\17\204\230\0\0\0Ht+\203\350\3\17\205\6\1\0\0\213E\30\213\0P@P\377u\374\377u\20hh\377\00S\377\25\14\23\00\203\304\30\351\300\0\0\0\377u\374\377u\20h\34\377\00S\377\25\14\23\00\203\304\20S\350\325\363\0\03\366\3\3309u\24v\37\215{\1\213E\30W\306\3 \212\4\6P\350\216\346\377\377\203\303\3\203\307\3F;u\24r\344\277$\377\00\203\311\3773\300\362\256\367\321+\371\213\301\213\367\213\373\301\351\2\363\245\213\310\203\341\3\363\244\213}\34\353V\377u\374\2135\14", 65536, {65536, 0}, 0, ... {status=0x0, info=65536}, ) , 65536, {65536, 0}, 0, ... {status=0x0, info=65536}, ) == 0x0
 01795   444   NtUnmapViewOfSection  (-1, 0xa70000, ... ) == 0x0
 01796   444   NtMapViewOfSection  (180, -1, (0x0), 0, 0, {131072, 0}, 31056, 2, 0, 2, ... (0xa70000), {131072, 0}, 32768, ) == 0x0
 01797   444   NtWriteFile  (-2147482024, 0, 0, 0,  (-2147482024, 0, 0, 0, "Fw\11%\377\0\0\0\203\3507\303\203\310\377\303S\213\331UV\212\3W\213\352P3\377\213\363\350\265\16\0\0\205\300t\16\212N\1FQ\350\247\16\0\0\205\300u\362\200>0u\11\200~\1xu\3\203\306\2\212\16\350\214\377\377\377\205\300|!\201\377\377\377\377\17r\7u#\203\370\17w\36\212N\1\301\347\4\3\370F\350k\377\377\377\205\300}\337\211}\0\213\306_^+\303][\303_^]3\300[\303S\213\$\34U\213l$\30V\213t$\20W\213|$$\205\366t\20\203\376\1t\13V\377\25\314\21\00\205\300t6\213D$\34\213L$\30SWUPQV\377\25\214\20\00\205\300\17\217\262\2\0\0u\30\377\25\24\21\00\203\350z_\367\330\33\300^\367\320#\303][\302\30\0\205\355}\21\213l$\34U\350\205\364\377\377@\211D$\24\353\12\213\305\213l$\34\211D$\24\201\376\351\375\0\0u\24S\215T$\30WRU\350\227\2\0\0_^][\302\30\0\205\333\17\204U\2\0\0;\303|\2\213\303\201\376\27'\0\0\17\207\33\1\0\0\17\204\16\1\0\0\201\376\346\4\0\0\17\207\263\0\0\0\17\204\243\0\0\0\201\376\342\4\0\0wkt_\203\356\2\17\204\342\0\0\0\203\356(t\26\201\356@\3\0\0\17\205\20\1\0\0\271P\36\00\351\10\1\0\0\205\377\17\204\365\1\0\0\205\300\17\204\355\1\0\0\2150\212M\0\200\371 \33\3223\333\200\342\20\203\307\2\201\302\360\0\0\0E\212\372N\212\331f\211_\376u\336_^][\302\30\0\271P\37\00\351\303\0\0\0\201\356\343\4\0\0t\36Nt\21N\17\205\257\0\0\0\271P"\00\351\247\0\0\0\271P!\00\351\235\0\0\0\271P \00\351\223\0\0\0\271P#", 31232, {131072, 0}, 0, ... {status=0x0, info=31232}, ) \00\351\247\0\0\0\271P!\00\351\235\0\0\0\271P \00\351\223\0\0\0\271P#", 31232, {131072, 0}, 0, ... {status=0x0, info=31232}, ) == 0x0
 01798   444   NtUnmapViewOfSection  (-1, 0xa70000, ... ) == 0x0
 01799   444   NtSetInformationFile  (-2147482024, -135068804, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01800   444   NtClose  (180, ... ) == 0x0
 01801   444   NtQueryVolumeInformationFile  (-2147482028, -135068500, 116, Attribute, ... {status=0x0, info=22}, ) == 0x0
 01802   444   NtSetInformationFile  (-2147482024, -135068380, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01803   444   NtClose  (-2147482024, ... ) == 0x0
 01804   444   NtClose  (-2147482028, ... ) == 0x0
 01781   444   NtCreateSection  ... 180, ) == 0x0
 01805   444   NtMapViewOfSection  (180, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa70000), {0, 0}, 163840, ) == 0x0
 01806   444   NtUnmapViewOfSection  (-1, 0xa70000, ... ) == 0x0
 01807   444   NtClose  (180, ... ) == 0x0
 01808   444   NtSetInformationFile  (184, 1233660, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01809   444   NtClose  (184, ... ) == 0x0
 01810   444   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM32\DWWIN.EXE"}, 7, 2113568, ... 184, {status=0x0, info=1}, ) }, 7, 2113568, ... 184, {status=0x0, info=1}, ) == 0x0
 01811   444   NtSetInformationFile  (184, 1233604, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01812   444   NtClose  (184, ... ) == 0x0
 01813   444   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\dwwin.exe"}, 5, 96, ... 184, {status=0x0, info=1}, ) }, 5, 96, ... 184, {status=0x0, info=1}, ) == 0x0
 01814   444   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 184, ... 180, ) == 0x0
 01815   444   NtQueryVolumeInformationFile  (184, 1233012, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01816   444   NtOpenMutant  (0x120001, {24, 52, 0x0, 0, 0,  (0x120001, {24, 52, 0x0, 0, 0, "ShimCacheMutex"}, ... 188, ) }, ... 188, ) == 0x0
 01817   444   NtWaitForSingleObject  (188, 0, {-1000000, -1}, ... ) == 0x0
 01818   444   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "ShimSharedMemory"}, ... 192, ) }, ... 192, ) == 0x0
 01819   444   NtMapViewOfSection  (192, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa70000), {0, 0}, 57344, ) == 0x0
 01820   444   NtReleaseMutant  (188, ... 0x0, ) == 0x0
 01821   444   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 196, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 196, {status=0x0, info=1}, ) == 0x0
 01822   444   NtQueryInformationFile  (196, 1231600, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01823   444   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 196, ... 200, ) == 0x0
 01824   444   NtMapViewOfSection  (200, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xa80000), 0x0, 1028096, ) == 0x0
 01825   444   NtQueryInformationFile  (196, 1231696, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01826   444   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01827   444   NtAllocateVirtualMemory  (-1, 1220608, 0, 4096, 4096, 260, ... 1220608, 4096, ) == 0x0
 01828   444   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 204, {status=0x0, info=1}, ) }, 3, 16417, ... 204, {status=0x0, info=1}, ) == 0x0
 01829   444   NtQueryDirectoryFile  (204, 0, 0, 0, 1229260, 616, BothDirectory, 1,  (204, 0, 0, 0, 1229260, 616, BothDirectory, 1, "dwwin.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 01830   444   NtClose  (204, ... ) == 0x0
 01831   444   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01832   444   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01833   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\dwwin.exe"}, 1228648, ... ) }, 1228648, ... ) == 0x0
 01834   444   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 204, {status=0x0, info=1}, ) }, 3, 16417, ... 204, {status=0x0, info=1}, ) == 0x0
 01835   444   NtQueryDirectoryFile  (204, 0, 0, 0, 1228008, 616, BothDirectory, 1,  (204, 0, 0, 0, 1228008, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01836   444   NtClose  (204, ... ) == 0x0
 01837   444   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 204, {status=0x0, info=1}, ) }, 3, 16417, ... 204, {status=0x0, info=1}, ) == 0x0
 01838   444   NtQueryDirectoryFile  (204, 0, 0, 0, 1228008, 616, BothDirectory, 1,  (204, 0, 0, 0, 1228008, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01839   444   NtClose  (204, ... ) == 0x0
 01840   444   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 204, {status=0x0, info=1}, ) }, 3, 16417, ... 204, {status=0x0, info=1}, ) == 0x0
 01841   444   NtQueryDirectoryFile  (204, 0, 0, 0, 1228008, 616, BothDirectory, 1,  (204, 0, 0, 0, 1228008, 616, BothDirectory, 1, "dwwin.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 01842   444   NtClose  (204, ... ) == 0x0
 01843   444   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01844   444   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01845   444   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01846   444   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01847   444   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 204, ) == 0x0
 01848   444   NtQueryInformationToken  (204, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01849   444   NtClose  (204, ... ) == 0x0
 01850   444   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01851   444   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\dwwin.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01852   444   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01853   444   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01854   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\dwwin.exe"}, 1230928, ... ) }, 1230928, ... ) == 0x0
 01855   444   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 204, {status=0x0, info=1}, ) }, 3, 16417, ... 204, {status=0x0, info=1}, ) == 0x0
 01856   444   NtQueryDirectoryFile  (204, 0, 0, 0, 1230288, 616, BothDirectory, 1,  (204, 0, 0, 0, 1230288, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01857   444   NtClose  (204, ... ) == 0x0
 01858   444   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 204, {status=0x0, info=1}, ) }, 3, 16417, ... 204, {status=0x0, info=1}, ) == 0x0
 01859   444   NtQueryDirectoryFile  (204, 0, 0, 0, 1230288, 616, BothDirectory, 1,  (204, 0, 0, 0, 1230288, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01860   444   NtClose  (204, ... ) == 0x0
 01861   444   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 204, {status=0x0, info=1}, ) }, 3, 16417, ... 204, {status=0x0, info=1}, ) == 0x0
 01862   444   NtQueryDirectoryFile  (204, 0, 0, 0, 1230288, 616, BothDirectory, 1,  (204, 0, 0, 0, 1230288, 616, BothDirectory, 1, "dwwin.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 01863   444   NtClose  (204, ... ) == 0x0
 01864   444   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01865   444   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01866   444   NtWaitForSingleObject  (188, 0, {-1000000, -1}, ... ) == 0x0
 01867   444   NtQueryVolumeInformationFile  (184, 1231572, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01868   444   NtQueryInformationFile  (184, 1231552, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01869   444   NtQueryInformationFile  (184, 1231592, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01870   444   NtReleaseMutant  (188, ... 0x0, ) == 0x0
 01871   444   NtUnmapViewOfSection  (-1, 0xa80000, ... ) == 0x0
 01872   444   NtClose  (200, ... ) == 0x0
 01873   444   NtClose  (196, ... ) == 0x0
 01874   444   NtQuerySection  (180, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01875   444   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwwin.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01876   444   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 01877   444   NtOpenProcessToken  (-1, 0xa, ... 196, ) == 0x0
 01878   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 200, ) }, ... 200, ) == 0x0
 01879   444   NtQueryValueKey  (200,  (200, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 01880   444   NtQueryValueKey  (200,  (200, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (200, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0
 01881   444   NtClose  (200, ... ) == 0x0
 01882   444   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 200, ) }, ... 200, ) == 0x0
 01883   444   NtQuerySymbolicLinkObject  (200, ...  (200, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0
 01884   444   NtClose  (200, ... ) == 0x0
 01885   444   NtQueryInformationFile  (184, 1231364, 528, Name, ... {status=0x0, info=58}, ) == 0x0
 01886   444   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01887   444   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01888   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\dwwin.exe"}, 1230044, ... ) }, 1230044, ... ) == 0x0
 01889   444   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 200, {status=0x0, info=1}, ) }, 3, 16417, ... 200, {status=0x0, info=1}, ) == 0x0
 01890   444   NtQueryDirectoryFile  (200, 0, 0, 0, 1229404, 616, BothDirectory, 1,  (200, 0, 0, 0, 1229404, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01891   444   NtClose  (200, ... ) == 0x0
 01892   444   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 200, {status=0x0, info=1}, ) }, 3, 16417, ... 200, {status=0x0, info=1}, ) == 0x0
 01893   444   NtQueryDirectoryFile  (200, 0, 0, 0, 1229404, 616, BothDirectory, 1,  (200, 0, 0, 0, 1229404, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01894   444   NtClose  (200, ... ) == 0x0
 01895   444   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 200, {status=0x0, info=1}, ) }, 3, 16417, ... 200, {status=0x0, info=1}, ) == 0x0
 01896   444   NtQueryDirectoryFile  (200, 0, 0, 0, 1229404, 616, BothDirectory, 1,  (200, 0, 0, 0, 1229404, 616, BothDirectory, 1, "dwwin.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 01897   444   NtClose  (200, ... ) == 0x0
 01898   444   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01899   444   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01900   444   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 200, ) }, ... 200, ) == 0x0
 01901   444   NtQueryValueKey  (200,  (200, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01902   444   NtClose  (200, ... ) == 0x0
 01903   444   NtQueryInformationToken  (196, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0
 01904   444   NtQueryInformationToken  (196, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0
 01905   444   NtClose  (196, ... ) == 0x0
 01906   444   NtCreateProcessEx  (1235640, 2035711, 0, -1, 4, 180, 0, 0, 0, ... ) == 0x0
 01907   444   NtOpenSection  (0xe, {24, 52, 0x0, 0, 0,  (0xe, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 200, ) }, ... 200, ) == 0x0
 01908   444   NtMapViewOfSection  (200, 196, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 01909   444   NtClose  (200, ... ) == 0x0
 01910   444   NtProtectVirtualMemory  (196, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0
 01911   444   NtWriteVirtualMemory  (196, 0x77f7e603,  (196, 0x77f7e603, "\350\214=\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01912   444   NtProtectVirtualMemory  (196, (0x77f7eaf3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01913   444   NtWriteVirtualMemory  (196, 0x77f7eaf3,  (196, 0x77f7eaf3, "\350\3518\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01914   444   NtProtectVirtualMemory  (196, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01915   444   NtWriteVirtualMemory  (196, 0x77f7e6a3,  (196, 0x77f7e6a3, "\350@=\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01916   444   NtProtectVirtualMemory  (196, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01917   444   NtWriteVirtualMemory  (196, 0x77f7e6b3,  (196, 0x77f7e6b3, "\350==\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01918   444   NtSetInformationProcess  (196, PriorityClass, {process info, class 18, size 2}, 512, ... ) == 0x0
 01919   444   NtSetInformationProcess  (196, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01920   444   NtQueryInformationProcess  (196, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=112,ParentPid=436,}, 0x0, ) == 0x0
 01921   444   NtReadVirtualMemory  (196, 0x7ffdf008, 4, ...  (196, 0x7ffdf008, 4, ... "\0\0\00", 0x0, ) , 0x0, ) == 0x0
 01922   444   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\dwwin.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01923   444   NtReadVirtualMemory  (196, 0x30000000, 4096, ...  (196, 0x30000000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\350\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\270\277\220\252\374\336\376\371\374\336\376\371\374\336\376\371\24\301\365\371\375\336\376\371\177\302\360\371\365\336\376\371\24\301\364\371\325\336\376\371\252\301\355\371\364\336\376\371\202\374\342\371\373\336\376\371\14\301\365\371\354\336\376\371\374\336\376\371\343\337\376\371Rich\374\336\376\371\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0_\245\35;\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\24\00\2\0\0\220\0\0\0\0\0\0jr\0\0\0\20\0\0\0p\3\0\0\0\00\0\20\0\0\0\20\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\320\2\0\0\20\0\0\15"\3\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\31%\2\0:\1\0\0\0\300\2\0\200\12\0\0\0\0\0\0\0\0\0\0\0`\2\0P\31\0\0\0\0\0\0\0\0\0\0Z8\2\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0\204\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\222(\2\0\0\20\0\0\00\2\0", 4096, ) \3\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\31%\2\0:\1\0\0\0\300\2\0\200\12\0\0\0\0\0\0\0\0\0\0\0`\2\0P\31\0\0\0\0\0\0\0\0\0\0Z8\2\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0\204\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\222(\2\0\0\20\0\0\00\2\0", 4096, ) == 0x0
 01924   444   NtReadVirtualMemory  (196, 0x3002c000, 256, ...  (196, 0x3002c000, 256, ... "\0\0\0\0Z\245\35;\0\0\0\0\0\0\3\0\5\0\0\0(\0\0\200\13\0\0\0@\0\0\200\20\0\0\0X\0\0\200\0\0\0\0Z\245\35;\0\0\0\0\0\0\1\0e\0\0\0p\0\0\200\0\0\0\0Z\245\35;\0\0\0\0\0\0\1\0\1\0\0\0\210\0\0\200\0\0\0\0Z\245\35;\0\0\0\0\0\0\1\0\1\0\0\0\240\0\0\200\0\0\0\0Z\245\35;\0\0\0\0\0\0\1\0\11\4\0\0\270\0\0\0\0\0\0\0Z\245\35;\0\0\0\0\0\0\1\0\11\4\0\0\310\0\0\0\0\0\0\0Z\245\35;\0\0\0\0\0\0\1\0\11\4\0\0\330\0\0\0\360\300\2\0\26\3\0\0\0\0\0\0\0\0\0\0\10\304\2\0\210\1\0\0\0\0\0\0\0\0\0\0\220\305\2\0\360\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\300\0\310\200\0\0\0\0\14\0\0\0\0\0f\1", 256, ) , 256, ) == 0x0
 01925   444   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01926   444   NtQueryInformationProcess  (196, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=112,ParentPid=436,}, 0x0, ) == 0x0
 01927   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32"}, 1233704, ... ) }, 1233704, ... ) == 0x0
 01928   444   NtAllocateVirtualMemory  (-1, 0, 0, 1668, 4096, 4, ... 11010048, 4096, ) == 0x0
 01929   444   NtAllocateVirtualMemory  (196, 0, 0, 1910, 4096, 4, ... 65536, 4096, ) == 0x0
 01930   444   NtWriteVirtualMemory  (196, 0x10000,  (196, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0
 01931   444   NtAllocateVirtualMemory  (196, 0, 0, 1668, 4096, 4, ... 131072, 4096, ) == 0x0
 01932   444   NtWriteVirtualMemory  (196, 0x20000,  (196, 0x20000, "\0\20\0\0\204\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\0\0\0\0\0\13\0\0\0&\0\10\2\220\2\0\0\16\0\0\0\374\0\376\0\230\4\0\0:\0<\0\230\5\0\0N\0P\0\324\5\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0:\0<\0$\6\0\0\36\0 \0`\6\0\0\0\0\2\0\200\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1668, ... 0x0, ) , 1668, ... 0x0, ) == 0x0
 01933   444   NtWriteVirtualMemory  (196, 0x7ffdf010,  (196, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 01934   444   NtWriteVirtualMemory  (196, 0x7ffdf1e8,  (196, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 01935   444   NtFreeVirtualMemory  (-1, (0xa80000), 0, 32768, ... (0xa80000), 4096, ) == 0x0
 01936   444   NtAllocateVirtualMemory  (196, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0
 01937   444   NtAllocateVirtualMemory  (196, 1236992, 0, 8192, 4096, 4, ... 1236992, 8192, ) == 0x0
 01938   444   NtProtectVirtualMemory  (196, (0x12e000), 4096, 260, ... (0x12e000), 4096, 4, ) == 0x0
 01939   444   NtCreateThread  (0x1f03ff, 0x0, 196, 1233904, 1234624, 1, ... 200, {112, 120}, ) == 0x0
 01940   444   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 6684672, 909586793, 100, 0}  (24, {168, 196, new_msg, 0, 6684672, 909586793, 100, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\307\0\0\0\310\0\0\0p\0\0\0x\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 436, 444, 2586, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\304\0\0\0\310\0\0\0p\0\0\0x\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {168, 196, reply, 0, 436, 444, 2586, 0}  (24, {168, 196, new_msg, 0, 6684672, 909586793, 100, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\307\0\0\0\310\0\0\0p\0\0\0x\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 436, 444, 2586, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\304\0\0\0\310\0\0\0p\0\0\0x\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 01941   444   NtResumeThread  (200, ... 1, ) == 0x0
 01942   444   NtClose  (184, ... ) == 0x0
 01943   444   NtClose  (180, ... ) == 0x0
 01944   444   NtClose  (200, ... ) == 0x0
 01945   444   NtWaitForMultipleObjects  (2, (168, 196, ), 1, 0, {-1200000000, -1}, ... ) == 0x0
 01946   444   NtWaitForSingleObject  (160, 0, {0, 0}, ... ) == 0x102
 01947   444   NtWaitForMultipleObjects  (2, (168, 196, ), 1, 0, {-1200000000, -1}, ... ) == 0x0
 01948   444   NtWaitForSingleObject  (160, 0, {0, 0}, ... ) == 0x102
 01949   444   NtWaitForMultipleObjects  (2, (168, 196, ), 1, 0, {-1200000000, -1}, ... ) == 0x0
 01950   444   NtWaitForSingleObject  (160, 0, {0, 0}, ... ) == 0x102
 01951   444   NtWaitForMultipleObjects  (2, (168, 196, ), 1, 0, {-1200000000, -1}, ...