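Summary (system call name followed by its call count, in ascending order of count reading down each column):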

NtAccessCheck(>) 1 NtUserGetThreadDesktop(>) 1 NtSetInformationFile(>) 5 NtQueryVirtualMemory(>) 15
NtCallbackReturn(>) 1 NtUserOpenWindowStation(>) 1 NtUserBuildHwndList(>) 5 NtDeviceIoControlFile(>) 16
NtCreateProcessEx(>) 1 NtUserSystemParametersInfo(>) 1 NtWriteVirtualMemory(>) 5 NtRequestWaitReplyPort(>) 16
NtCreateSemaphore(>) 1 NtConnectPort(>) 2 NtContinue(>) 6 NtOpenSection(>) 24
NtCreateThread(>) 1 NtCreateIoCompletion(>) 2 NtOpenProcessToken(>) 6 NtQueryDirectoryFile(>) 24
NtDuplicateToken(>) 1 NtGdiCreateSolidBrush(>) 2 NtQueryDefaultUILanguage(>) 6 NtSetInformationProcess(>) 25
NtGdiCreateBitmap(>) 1 NtGdiHfontCreate(>) 2 NtUserGetProcessWindowStation(>) 6 NtOpenProcessTokenEx(>) 28
NtGdiCreatePatternBrushInternal(>) 1 NtQueryInformationJobObject(>) 2 NtWaitForSingleObject(>) 6 NtOpenThreadTokenEx(>) 28
NtGdiInit(>) 1 NtReleaseMutant(>) 2 NtFsControlFile(>) 7 NtCreateSection(>) 29
NtGdiQueryFontAssocInfo(>) 1 NtTerminateProcess(>) 2 NtOpenThreadToken(>) 7 NtQueryInformationToken(>) 37
NtGdiSelectBitmap(>) 1 NtUserCloseWindowStation(>) 2 NtQueryInformationFile(>) 7 NtOpenFile(>) 41
NtOpenEvent(>) 1 NtUserGetObjectInformation(>) 2 NtWaitForMultipleObjects(>) 7 NtQueryInformationProcess(>) 44
NtOpenKeyedEvent(>) 1 NtGdiCreateCompatibleDC(>) 3 NtEnumerateKey(>) 8 NtQueryDefaultLocale(>) 48
NtOpenMutant(>) 1 NtGdiDeleteObjectApp(>) 3 NtSetValueKey(>) 8 NtUnmapViewOfSection(>) 48
NtQueryDebugFilterState(>) 1 NtOpenDirectoryObject(>) 3 NtUserCallNoParam(>) 9 NtAllocateVirtualMemory(>) 51
NtQueryInstallUILanguage(>) 1 NtOpenSymbolicLinkObject(>) 3 NtUserFindExistingCursorIcon(>) 9 NtQueryAttributesFile(>) 54
NtQueryObject(>) 1 NtQuerySymbolicLinkObject(>) 3 NtUserGetWindowDC(>) 10 NtFlushInstructionCache(>) 65
NtQueryPerformanceCounter(>) 1 NtReadVirtualMemory(>) 3 NtCreateKey(>) 11 NtMapViewOfSection(>) 69
NtQuerySystemTime(>) 1 NtSetEvent(>) 3 NtFreeVirtualMemory(>) 11 NtQuerySystemInformation(>) 76
NtRegisterThreadTerminatePort(>) 1 NtSetInformationObject(>) 3 NtUserCallOneParam(>) 11 NtQueryValueKey(>) 105
NtResumeThread(>) 1 NtUserOpenDesktop(>) 3 NtWriteFile(>) 11 NtUserValidateHandleSecure(>) 132
NtSecureConnectPort(>) 1 NtCreateMutant(>) 4 NtQuerySection(>) 12 NtOpenKey(>) 153
NtTestAlert(>) 1 NtDuplicateObject(>) 4 NtSetInformationThread(>) 13 NtProtectVirtualMemory(>) 156
NtUserBuildNameList(>) 1 NtQueryVolumeInformationFile(>) 4 NtCreateEvent(>) 14 NtUserQueryWindow(>) 160
NtUserCloseDesktop(>) 1 NtGdiGetStockObject(>) 5 NtCreateFile(>) 14 NtClose(>) 240
NtUserGetGUIThreadInfo(>) 1 NtReadFile(>) 5 NtUserRegisterClassExWOW(>) 14

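Trace (each record: sequence number, caller id, system call with its input arguments, "..." followed by the values returned, then "==" and the NTSTATUS result, where 0x0 is success; in some records the argument list appears twice, nested, apparently an artifact of how the page was captured):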

00001 928 NtOpenFile (0x80100000, {24, 0, 0x240, 0, 0, (0x80100000, {24, 0, 0x240, 0, 0, "\SystemRoot\Prefetch\PACKED.EXE-09ED06A1.pf"}, 0, 32, ... ) }, 0, 32, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00002 928 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00003 928 NtOpenKeyedEvent (0x2000000, {24, 0, 0x0, 0, 0, (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0 00004 928 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00005 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0 00006 928 NtAllocateVirtualMemory (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0 00007 928 NtAllocateVirtualMemory (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0 00008 928 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00009 928 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0 00010 928 NtAllocateVirtualMemory (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0 00011 928 NtOpenDirectoryObject (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0 00012 928 NtOpenSymbolicLinkObject (0x1, {24, 8, 0x40, 0, 0, (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 
12, ) == 0x0 00013 928 NtQuerySymbolicLinkObject (12, ... (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0 00014 928 NtClose (12, ... ) == 0x0 00015 928 NtOpenFile (0x100020, {24, 0, 0x42, 0, 0, (0x100020, {24, 0, 0x42, 0, 0, "\??\C:\scripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0 00016 928 NtQueryVolumeInformationFile (12, 1243852, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00017 928 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243804, ... ) }, 1243804, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00018 928 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0 00019 928 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7c800000), 0x0, 1003520, ) == 0x0 00020 928 NtClose (16, ... ) == 0x0 00021 928 NtProtectVirtualMemory (-1, (0x7c801000), 1568, 4, ... (0x7c801000), 4096, 32, ) == 0x0 00022 928 NtProtectVirtualMemory (-1, (0x7c801000), 4096, 32, ... (0x7c801000), 4096, 4, ) == 0x0 00023 928 NtFlushInstructionCache (-1, 2088767488, 1568, ... ) == 0x0 00024 928 NtQueryInformationProcess (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0 00025 928 NtQuerySystemInformation (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0 00026 928 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00027 928 NtCreateSection (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0 00028 928 NtSecureConnectPort ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 
24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) == 0x0 00029 928 NtClose (16, ... ) == 0x0 00030 928 NtQueryObject (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0 00031 928 NtSetInformationObject (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0 00032 928 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00033 928 NtQueryVirtualMemory (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0 00034 928 NtAllocateVirtualMemory (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0 00035 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6\31\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 1972, 928, 57959, 0} "`\375\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ) ... {28, 56, reply, 0, 1972, 928, 57959, 0} (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6\31\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 1972, 928, 57959, 0} "`\375\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ) ) == 0x0 00036 928 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00037 928 NtAllocateVirtualMemory (-1, 1232896, 0, 4096, 4096, 260, ... 
1232896, 4096, ) == 0x0 00038 928 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0 00039 928 NtQueryValueKey (16, (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00040 928 NtClose (16, ... ) == 0x0 00041 928 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 16, ) }, ... 16, ) == 0x0 00042 928 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0 00043 928 NtClose (16, ... ) == 0x0 00044 928 NtQueryDefaultLocale (0, 2089305000, ... ) == 0x0 00045 928 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 16, ) }, ... 16, ) == 0x0 00046 928 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 249856, ) == 0x0 00047 928 NtClose (16, ... ) == 0x0 00048 928 NtOpenSection (0x5, {24, 0, 0x40, 0, 0, (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 16, ) }, ... 16, ) == 0x0 00049 928 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0 00050 928 NtQuerySection (16, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0 00051 928 NtClose (16, ... ) == 0x0 00052 928 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 16, ) }, ... 16, ) == 0x0 00053 928 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0 00054 928 NtClose (16, ... ) == 0x0 00055 928 NtQueryVirtualMemory (-1, 0x7ffd2000, Basic, 28, ... 
{BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 00056 928 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00057 928 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00058 928 NtAllocateVirtualMemory (-1, 2428928, 0, 8192, 4096, 4, ... 2428928, 8192, ) == 0x0 00059 928 NtRequestWaitReplyPort (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6\31\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" ... {24, 52, reply, 0, 1972, 928, 57960, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" ) ... {24, 52, reply, 0, 1972, 928, 57960, 0} (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6\31\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" ... {24, 52, reply, 0, 1972, 928, 57960, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" ) ) == 0x0 00060 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 1972, 928, 57961, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ) ... {28, 56, reply, 0, 1972, 928, 57961, 0} (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 1972, 928, 57961, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ) ) == 0x0 00061 928 NtProtectVirtualMemory (-1, (0x47c000), 155648, 4, ... (0x47c000), 155648, 128, ) == 0x0 00062 928 NtProtectVirtualMemory (-1, (0x47c000), 155648, 128, ... 
(0x47c000), 155648, 4, ) == 0x0 00063 928 NtFlushInstructionCache (-1, 4702208, 155648, ... ) == 0x0 00064 928 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2_32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00065 928 NtAllocateVirtualMemory (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0 00066 928 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.DLL"}, 1242572, ... ) }, 1242572, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00067 928 NtFsControlFile (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 00068 928 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.DLL"}, 1242572, ... ) }, 1242572, ... ) == 0x0 00069 928 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.DLL"}, 5, 96, ... 16, {status=0x0, info=1}, ) }, 5, 96, ... 16, {status=0x0, info=1}, ) == 0x0 00070 928 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 16, ... 28, ) == 0x0 00071 928 NtQuerySection (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00072 928 NtOpenProcessToken (-1, 0x8, ... 32, ) == 0x0 00073 928 NtQueryInformationToken (32, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0 00074 928 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00075 928 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 36, ) }, ... 36, ) == 0x0 00076 928 NtQueryValueKey (36, (36, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (36, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00077 928 NtClose (36, ... 
) == 0x0 00078 928 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00079 928 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 36, ) == 0x0 00080 928 NtQueryInformationToken (36, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00081 928 NtClose (36, ... ) == 0x0 00082 928 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00083 928 NtClose (32, ... ) == 0x0 00084 928 NtClose (16, ... ) == 0x0 00085 928 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 94208, ) == 0x0 00086 928 NtClose (28, ... ) == 0x0 00087 928 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 28, ) }, ... 28, ) == 0x0 00088 928 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 360448, ) == 0x0 00089 928 NtClose (28, ... ) == 0x0 00090 928 NtProtectVirtualMemory (-1, (0x77c11000), 632, 4, ... (0x77c11000), 4096, 32, ) == 0x0 00091 928 NtProtectVirtualMemory (-1, (0x77c11000), 4096, 32, ... (0x77c11000), 4096, 4, ) == 0x0 00092 928 NtFlushInstructionCache (-1, 2009141248, 632, ... ) == 0x0 00093 928 NtProtectVirtualMemory (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0 00094 928 NtProtectVirtualMemory (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0 00095 928 NtFlushInstructionCache (-1, 1907036160, 468, ... ) == 0x0 00096 928 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00097 928 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1241756, ... ) }, 1241756, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00098 928 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 1241756, ... ) }, 1241756, ... 
) == 0x0 00099 928 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0 00100 928 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 28, ... 16, ) == 0x0 00101 928 NtQuerySection (16, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00102 928 NtClose (28, ... ) == 0x0 00103 928 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0 00104 928 NtClose (16, ... ) == 0x0 00105 928 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 16, ) }, ... 16, ) == 0x0 00106 928 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 634880, ) == 0x0 00107 928 NtClose (16, ... ) == 0x0 00108 928 NtProtectVirtualMemory (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0 00109 928 NtProtectVirtualMemory (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0 00110 928 NtFlushInstructionCache (-1, 2010976256, 1700, ... ) == 0x0 00111 928 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 16, ) }, ... 16, ) == 0x0 00112 928 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e70000), 0x0, 593920, ) == 0x0 00113 928 NtClose (16, ... ) == 0x0 00114 928 NtProtectVirtualMemory (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0 00115 928 NtProtectVirtualMemory (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0 00116 928 NtFlushInstructionCache (-1, 2011631616, 868, ... ) == 0x0 00117 928 NtProtectVirtualMemory (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0 00118 928 NtProtectVirtualMemory (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0 00119 928 NtFlushInstructionCache (-1, 2011631616, 868, ... ) == 0x0 00120 928 NtProtectVirtualMemory (-1, (0x77e71000), 868, 4, ... 
(0x77e71000), 4096, 32, ) == 0x0 00121 928 NtProtectVirtualMemory (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0 00122 928 NtFlushInstructionCache (-1, 2011631616, 868, ... ) == 0x0 00123 928 NtProtectVirtualMemory (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0 00124 928 NtProtectVirtualMemory (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0 00125 928 NtFlushInstructionCache (-1, 2010976256, 1700, ... ) == 0x0 00126 928 NtProtectVirtualMemory (-1, (0x71aa1000), 352, 4, ... (0x71aa1000), 4096, 32, ) == 0x0 00127 928 NtProtectVirtualMemory (-1, (0x71aa1000), 4096, 32, ... (0x71aa1000), 4096, 4, ) == 0x0 00128 928 NtFlushInstructionCache (-1, 1906970624, 352, ... ) == 0x0 00129 928 NtProtectVirtualMemory (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0 00130 928 NtProtectVirtualMemory (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0 00131 928 NtFlushInstructionCache (-1, 1907036160, 468, ... ) == 0x0 00132 928 NtProtectVirtualMemory (-1, (0x47c000), 155648, 4, ... (0x47c000), 155648, 64, ) == 0x0 00133 928 NtProtectVirtualMemory (-1, (0x47c000), 155648, 64, ... (0x47c000), 155648, 4, ) == 0x0 00134 928 NtFlushInstructionCache (-1, 4702208, 155648, ... ) == 0x0 00135 928 NtQueryInformationProcess (-1, 37, 48, ... {process info, class 37, size 48}, 0x0, ) == 0x0 00136 928 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 5, 96, ... 16, {status=0x0, info=1}, ) }, 5, 96, ... 16, {status=0x0, info=1}, ) == 0x0 00137 928 NtReadFile (16, 0, 0, 0, 4, {167932, 0}, 0, ... {status=0x0, info=4}, (16, 0, 0, 0, 4, {167932, 0}, 0, ... {status=0x0, info=4}, "\300 \0\0", ) , ) == 0x0 00138 928 NtReadFile (16, 0, 0, 0, 8, {8380, 0}, 0, ... {status=0x0, info=8}, (16, 0, 0, 0, 8, {8380, 0}, 0, ... {status=0x0, info=8}, "\320J\233Dhs5\223", ) , ) == 0x0 00139 928 NtReadFile (16, 0, 0, 0, 8, {159540, 0}, 0, ... 
{status=0x0, info=8}, (16, 0, 0, 0, 8, {159540, 0}, 0, ... {status=0x0, info=8}, "\362;\213\12\257\312\207\325", ) , ) == 0x0 00140 928 NtClose (16, ... ) == 0x0 00141 928 NtSetInformationProcess (-1, 34, {process info, class 34, size 4}, 4, ... ) == 0x0 00142 928 NtOpenProcessToken (-1, 0x8, ... 16, ) == 0x0 00143 928 NtQueryInformationToken (16, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00144 928 NtClose (16, ... ) == 0x0 00145 928 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0 00146 928 NtQueryValueKey (16, (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00147 928 NtClose (16, ... ) == 0x0 00148 928 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msvcrt.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00149 928 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00150 928 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 3276800, 65536, ) == 0x0 00151 928 NtAllocateVirtualMemory (-1, 3276800, 0, 4096, 4096, 4, ... 3276800, 4096, ) == 0x0 00152 928 NtAllocateVirtualMemory (-1, 3280896, 0, 8192, 4096, 4, ... 3280896, 8192, ) == 0x0 00153 928 NtAllocateVirtualMemory (-1, 3289088, 0, 4096, 4096, 4, ... 3289088, 4096, ) == 0x0 00154 928 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 16, ) }, ... 
16, ) == 0x0 00155 928 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x330000), 0x0, 12288, ) == 0x0 00156 928 NtClose (16, ... ) == 0x0 00157 928 NtAllocateVirtualMemory (-1, 3293184, 0, 4096, 4096, 4, ... 3293184, 4096, ) == 0x0 00158 928 NtQueryVirtualMemory (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0 00159 928 NtQueryInformationProcess (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0 00160 928 NtQueryInformationProcess (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0 00161 928 NtQueryVirtualMemory (-1, 0x0, Basic, 28, ... {BaseAddress=0x0,AllocationBase=0x0,AllocationProtect=0x0,RegionSize=0x10000,State=0x10000,Protect=0x1,Type=0x0,}, 28, ) == 0x0 00162 928 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00163 928 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADVAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00164 928 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0 00165 928 NtQueryValueKey (16, (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00166 928 NtQueryValueKey (16, (16, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSUserEnabled", Partial, 548, ... 
TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00167 928 NtClose (16, ... ) == 0x0 00168 928 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 16, ) }, ... 16, ) == 0x0 00169 928 NtQueryValueKey (16, (16, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00170 928 NtClose (16, ... ) == 0x0 00171 928 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 16, ) }, ... 16, ) == 0x0 00172 928 NtSetInformationObject (16, Handle, {Inherit=0,ProtectFromClose=1,}, 2011431168, ... ) == 0x0 00173 928 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00174 928 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00175 928 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2_32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00176 928 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00177 928 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00178 928 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00179 928 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00180 928 NtTestAlert (... ) == 0x0 00181 928 NtContinue (1244464, 1, ... 00182 928 NtSetInformationThread (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x47c17a,}, 4, ... ) == 0x0 00183 928 NtAllocateVirtualMemory (-1, 0, 0, 4096, 4096, 64, ... 3407872, 4096, ) == 0x0 00184 928 NtAllocateVirtualMemory (-1, 0, 0, 15980, 4096, 4, ... 3473408, 16384, ) == 0x0 00185 928 NtFreeVirtualMemory (-1, (0x350000), 0, 32768, ... (0x350000), 16384, ) == 0x0 00186 928 NtFreeVirtualMemory (-1, (0x340000), 0, 32768, ... (0x340000), 4096, ) == 0x0 00187 928 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 28, ) }, ... 28, ) == 0x0 00188 928 NtQueryValueKey (28, (28, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00189 928 NtClose (28, ... ) == 0x0 00190 928 NtAllocateVirtualMemory (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0 00191 928 NtProtectVirtualMemory (-1, (0x40e860), -1662053999, -238816909, ... ) == STATUS_INVALID_PAGE_PROTECTION 00192 928 NtProtectVirtualMemory (-1, (0x3fff02), -1920137235, -2091057152, ... ) == STATUS_INVALID_PAGE_PROTECTION 00193 928 NtProtectVirtualMemory (-1, (0x141c600), 148100, 251738496, ... ) == STATUS_INVALID_PAGE_PROTECTION 00194 928 NtProtectVirtualMemory (-1, (0xfed68589), -362, -2060728949, ... ) == STATUS_INVALID_PAGE_PROTECTION 00195 928 NtProtectVirtualMemory (-1, (0xff4ab58d), -314, -2063466497, ... ) == STATUS_INVALID_PAGE_PROTECTION 00196 928 NtProtectVirtualMemory (-1, (0x500068), 1080710741, 100794367, ... 
) == STATUS_INVALID_PAGE_PROTECTION 00197 928 NtProtectVirtualMemory (-1, (0xff6e95ff), 6946816, 268462080, ... ) == STATUS_INVALID_PAGE_PROTECTION 00198 928 NtProtectVirtualMemory (-1, (0x85c90000), 57246735, -1064960001, ... ) == STATUS_INVALID_PAGE_PROTECTION 00199 928 NtProtectVirtualMemory (-1, (0x67f95b00), 232, -322, ... ) == STATUS_INVALID_PAGE_PROTECTION 00200 928 NtProtectVirtualMemory (-1, (0x4002b0), -397192999, 50331651, ... ) == STATUS_INVALID_PAGE_PROTECTION 00201 928 NtProtectVirtualMemory (-1, (0x3ffe86), -1123811957, 915103070, ... ) == STATUS_INVALID_PAGE_PROTECTION 00202 928 NtProtectVirtualMemory (-1, (0xf904c7), -2096466688, 1065607051, ... ) == STATUS_INVALID_PAGE_PROTECTION 00203 928 NtProtectVirtualMemory (-1, (0x3b430000), 112918, -352321536, ... ) == STATUS_INVALID_PAGE_PROTECTION 00204 928 NtProtectVirtualMemory (-1, (0x33cb1301), 880017467, -2096839805, ... ) == STATUS_INVALID_PAGE_PROTECTION 00205 928 NtProtectVirtualMemory (-1, (0x3fff32), -1241558191, 1459911427, ... ) == STATUS_INVALID_PAGE_PROTECTION 00206 928 NtProtectVirtualMemory (-1, (0x85cbcf8b), -695468033, -13715969, ... ) == STATUS_INVALID_PAGE_PROTECTION 00207 928 NtProtectVirtualMemory (-1, (0x5c10ff00), 371205, -322, ... ) == STATUS_INVALID_PAGE_PROTECTION 00208 928 NtProtectVirtualMemory (-1, (0xc82b08c3), -2096794624, -108830887, ... ) == STATUS_INVALID_PAGE_PROTECTION 00209 928 NtProtectVirtualMemory (-1, (0x3ebeb5), -16750080, 8388712, ... ) == STATUS_INVALID_PAGE_PROTECTION 00210 928 NtProtectVirtualMemory (-1, (0x3ec6b5), -1912602625, 848691199, ... ) == STATUS_INVALID_PAGE_PROTECTION 00211 928 NtProtectVirtualMemory (-1, (0x843e8b36), -1961863539, 139365375, ... ) == STATUS_INVALID_PAGE_PROTECTION 00212 928 NtProtectVirtualMemory (-1, (0x77413ce8), 742852490, 1064567033, ... ) == STATUS_INVALID_PAGE_PROTECTION 00213 928 NtProtectVirtualMemory (-1, (0x385a8a14), 1946157434, -2146989065, ... 
) == STATUS_INVALID_PAGE_PROTECTION 00214 928 NtProtectVirtualMemory (-1, (0xc10108e8), -1050278817, -1964411617, ... ) == STATUS_INVALID_PAGE_PROTECTION 00215 928 NtProtectVirtualMemory (-1, (0xc101c486), 73370122, -339442160, ... ) == STATUS_INVALID_PAGE_PROTECTION 00216 928 NtAllocateVirtualMemory (-1, 0, 0, 118784, 4096, 4, ... 3407872, 118784, ) == 0x0 00217 928 NtAllocateVirtualMemory (-1, 0, 0, 118784, 4096, 4, ... 3538944, 118784, ) == 0x0 00218 928 NtFreeVirtualMemory (-1, (0x340000), 0, 32768, ... (0x340000), 118784, ) == 0x0 00219 928 NtAllocateVirtualMemory (-1, 0, 0, 1350, 4096, 4, ... 3407872, 4096, ) == 0x0 00220 928 NtFreeVirtualMemory (-1, (0x340000), 0, 32768, ... (0x340000), 4096, ) == 0x0 00221 928 NtAllocateVirtualMemory (-1, 0, 0, 79872, 4096, 4, ... 3407872, 81920, ) == 0x0 00222 928 NtFreeVirtualMemory (-1, (0x340000), 0, 32768, ... (0x340000), 81920, ) == 0x0 00223 928 NtAllocateVirtualMemory (-1, 0, 0, 2048, 4096, 4, ... 3407872, 4096, ) == 0x0 00224 928 NtFreeVirtualMemory (-1, (0x340000), 0, 32768, ... (0x340000), 4096, ) == 0x0 00225 928 NtAllocateVirtualMemory (-1, 0, 0, 2560, 4096, 4, ... 3407872, 4096, ) == 0x0 00226 928 NtFreeVirtualMemory (-1, (0x340000), 0, 32768, ... (0x340000), 4096, ) == 0x0 00227 928 NtAllocateVirtualMemory (-1, 0, 0, 5120, 4096, 4, ... 3407872, 8192, ) == 0x0 00228 928 NtFreeVirtualMemory (-1, (0x340000), 0, 32768, ... (0x340000), 8192, ) == 0x0 00229 928 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "user32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00230 928 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7e410000), 0x0, 589824, ) == 0x0 00231 928 NtClose (28, ... ) == 0x0 00232 928 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00233 928 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f10000), 0x0, 290816, ) == 0x0 00234 928 NtClose (28, ... 
) == 0x0 00235 928 NtProtectVirtualMemory (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0 00236 928 NtProtectVirtualMemory (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0 00237 928 NtFlushInstructionCache (-1, 2012286976, 508, ... ) == 0x0 00238 928 NtProtectVirtualMemory (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0 00239 928 NtProtectVirtualMemory (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0 00240 928 NtFlushInstructionCache (-1, 2012286976, 508, ... ) == 0x0 00241 928 NtProtectVirtualMemory (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0 00242 928 NtProtectVirtualMemory (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0 00243 928 NtFlushInstructionCache (-1, 2012286976, 508, ... ) == 0x0 00244 928 NtProtectVirtualMemory (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0 00245 928 NtProtectVirtualMemory (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0 00246 928 NtFlushInstructionCache (-1, 2118193152, 1252, ... ) == 0x0 00247 928 NtProtectVirtualMemory (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0 00248 928 NtProtectVirtualMemory (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0 00249 928 NtFlushInstructionCache (-1, 2118193152, 1252, ... ) == 0x0 00250 928 NtProtectVirtualMemory (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0 00251 928 NtProtectVirtualMemory (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0 00252 928 NtFlushInstructionCache (-1, 2118193152, 1252, ... ) == 0x0 00253 928 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00254 928 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\user32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00255 928 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00256 928 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2089900645, 7274606, 2090320576, 1241608} (24, {28, 56, new_msg, 0, 2089900645, 7274606, 2090320576, 1241608} "\210\6\31\1\0\0\0\0\344\0\23\0\4\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 1972, 928, 57969, 0} "\320G\26\0\0\0\0\0\0\0\0\0\4\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" ) ... {28, 56, reply, 0, 1972, 928, 57969, 0} (24, {28, 56, new_msg, 0, 2089900645, 7274606, 2090320576, 1241608} "\210\6\31\1\0\0\0\0\344\0\23\0\4\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 1972, 928, 57969, 0} "\320G\26\0\0\0\0\0\0\0\0\0\4\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" ) ) == 0x0 00257 928 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239000, ... ) }, 1239000, ... ) == 0x0 00258 928 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0 00259 928 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 28, ... 32, ) == 0x0 00260 928 NtClose (28, ... ) == 0x0 00261 928 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x340000), 0x0, 110592, ) == 0x0 00262 928 NtClose (32, ... ) == 0x0 00263 928 NtUnmapViewOfSection (-1, 0x340000, ... 
) == 0x0 00264 928 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1238908, ... ) }, 1238908, ... ) == 0x0 00265 928 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 32, {status=0x0, info=1}, ) }, 5, 96, ... 32, {status=0x0, info=1}, ) == 0x0 00266 928 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 32, ... 28, ) == 0x0 00267 928 NtClose (32, ... ) == 0x0 00268 928 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x340000), 0x0, 110592, ) == 0x0 00269 928 NtClose (28, ... ) == 0x0 00270 928 NtUnmapViewOfSection (-1, 0x340000, ... ) == 0x0 00271 928 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239216, ... ) }, 1239216, ... ) == 0x0 00272 928 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0 00273 928 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 28, ... 32, ) == 0x0 00274 928 NtQuerySection (32, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00275 928 NtClose (28, ... ) == 0x0 00276 928 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76390000), 0x0, 118784, ) == 0x0 00277 928 NtClose (32, ... ) == 0x0 00278 928 NtProtectVirtualMemory (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0 00279 928 NtProtectVirtualMemory (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0 00280 928 NtFlushInstructionCache (-1, 1983451136, 696, ... ) == 0x0 00281 928 NtProtectVirtualMemory (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0 00282 928 NtProtectVirtualMemory (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0 00283 928 NtFlushInstructionCache (-1, 1983451136, 696, ... ) == 0x0 00284 928 NtProtectVirtualMemory (-1, (0x76391000), 696, 4, ... 
(0x76391000), 4096, 32, ) == 0x0 00285 928 NtProtectVirtualMemory (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0 00286 928 NtFlushInstructionCache (-1, 1983451136, 696, ... ) == 0x0 00287 928 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMM32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00288 928 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00289 928 NtAllocateVirtualMemory (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0 00290 928 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1236132, ... ) }, 1236132, ... ) == 0x0 00291 928 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239536, ... ) }, 1239536, ... ) == 0x0 00292 928 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00293 928 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize"}, ... 32, ) }, ... 32, ) == 0x0 00294 928 NtQueryValueKey (32, (32, "DisableMetaFiles", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00295 928 NtClose (32, ... ) == 0x0 00296 928 NtMapViewOfSection (-2147482584, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x580000), 0x0, 1060864, ) == 0x0 00297 928 NtClose (-2147482584, ... ) == 0x0 00298 928 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 
32, ) == 0x0 00299 928 NtOpenThreadTokenEx (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN 00300 928 NtOpenProcessTokenEx (-1, 0x8, 512, ... -2147482584, ) == 0x0 00301 928 NtQueryInformationToken (-2147482584, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL 00302 928 NtQueryInformationToken (-2147482584, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00303 928 NtClose (-2147482584, ... ) == 0x0 00304 928 NtAllocateVirtualMemory (-1, 0, 0, 32, 4096, 4, ... 3407872, 4096, ) == 0x0 00305 928 NtFreeVirtualMemory (-1, (0x340000), 4096, 32768, ... (0x340000), 4096, ) == 0x0 00306 928 NtDuplicateObject (-1, 28, -1, 0x0, 0, 2, ... 40, ) == 0x0 00307 928 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482584, ) }, ... -2147482584, ) == 0x0 00308 928 NtQueryValueKey (-2147482584, (-2147482584, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00309 928 NtClose (-2147482584, ... ) == 0x0 00310 928 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482584, ) }, ... -2147482584, ) == 0x0 00311 928 NtQueryValueKey (-2147482584, (-2147482584, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00312 928 NtClose (-2147482584, ... ) == 0x0 00313 928 NtQueryDefaultLocale (0, -106645172, ... ) == 0x0 00314 928 NtGdiQueryFontAssocInfo (0, ... ) == 0x0 00315 928 NtUserCallNoParam (24, ... ) == 0x0 00316 928 NtGdiCreateCompatibleDC (0, ... 00317 928 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 3407872, 4096, ) == 0x0 00316 928 NtGdiCreateCompatibleDC ... ) == 0xee0105b0 00318 928 NtGdiGetStockObject (0, ... ) == 0x1900010 00319 928 NtGdiGetStockObject (4, ... ) == 0x1900011 00320 928 NtGdiCreateBitmap (8, 8, 1, 1, 2118200212, ... 
) == 0x76050581 00321 928 NtGdiCreateSolidBrush (0, 0, ... 00322 928 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 3473408, 4096, ) == 0x0 00321 928 NtGdiCreateSolidBrush ... ) == 0xa51003d2 00323 928 NtGdiGetStockObject (13, ... ) == 0x18a0021 00324 928 NtGdiCreateCompatibleDC (0, ... ) == 0x5201039b 00325 928 NtGdiSelectBitmap (1375798171, 1980040577, ... ) == 0x185000f 00326 928 NtUserGetThreadDesktop (928, 0, ... ) == 0x24 00327 928 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 44, ) }, ... 44, ) == 0x0 00328 928 NtQueryValueKey (44, (44, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (44, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 00329 928 NtClose (44, ... ) == 0x0 00330 928 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10011 00331 928 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 673, 128, 0, ... ) == 0x816dc017 00332 928 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10011 00333 928 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 674, 128, 0, ... ) == 0x816dc01c 00334 928 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10011 00335 928 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 675, 128, 0, ... ) == 0x816dc01e 00336 928 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10011 00337 928 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 676, 128, 0, ... ) == 0x816d8002 00338 928 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10013 00339 928 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 677, 128, 0, ... ) == 0x816dc018 00340 928 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... 
) == 0x10011 00341 928 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 678, 128, 0, ... ) == 0x816dc01a 00342 928 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10011 00343 928 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 679, 128, 0, ... ) == 0x816dc01d 00344 928 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10011 00345 928 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 681, 128, 0, ... ) == 0x816dc026 00346 928 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10011 00347 928 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 680, 128, 0, ... ) == 0x816dc019 00348 928 NtUserRegisterClassExWOW (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x816dc020 00349 928 NtUserRegisterClassExWOW (1240932, 1241028, 1241012, 1241000, 0, 130, 0, ... ) == 0x816dc022 00350 928 NtUserRegisterClassExWOW (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x816dc023 00351 928 NtUserRegisterClassExWOW (1240932, 1241028, 1241012, 1241000, 0, 130, 0, ... ) == 0x816dc024 00352 928 NtUserRegisterClassExWOW (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x816dc025 00353 928 NtCallbackReturn (0, 0, 0, ... 00354 928 NtGdiInit (... ) == 0x1 00355 928 NtGdiGetStockObject (18, ... ) == 0x290001c 00356 928 NtGdiGetStockObject (19, ... ) == 0x1b00019 00357 928 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ole32.dll"}, ... 44, ) }, ... 44, ) == 0x0 00358 928 NtMapViewOfSection (44, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x774e0000), 0x0, 1298432, ) == 0x0 00359 928 NtClose (44, ... ) == 0x0 00360 928 NtProtectVirtualMemory (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0 00361 928 NtProtectVirtualMemory (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0 00362 928 NtFlushInstructionCache (-1, 2001604608, 2352, ... ) == 0x0 00363 928 NtProtectVirtualMemory (-1, (0x774e1000), 2352, 4, ... 
(0x774e1000), 4096, 32, ) == 0x0 00364 928 NtProtectVirtualMemory (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0 00365 928 NtFlushInstructionCache (-1, 2001604608, 2352, ... ) == 0x0 00366 928 NtProtectVirtualMemory (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0 00367 928 NtProtectVirtualMemory (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0 00368 928 NtFlushInstructionCache (-1, 2001604608, 2352, ... ) == 0x0 00369 928 NtProtectVirtualMemory (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0 00370 928 NtProtectVirtualMemory (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0 00371 928 NtFlushInstructionCache (-1, 2001604608, 2352, ... ) == 0x0 00372 928 NtProtectVirtualMemory (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0 00373 928 NtProtectVirtualMemory (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0 00374 928 NtFlushInstructionCache (-1, 2001604608, 2352, ... ) == 0x0 00375 928 NtProtectVirtualMemory (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0 00376 928 NtProtectVirtualMemory (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0 00377 928 NtFlushInstructionCache (-1, 2001604608, 2352, ... ) == 0x0 00378 928 NtProtectVirtualMemory (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0 00379 928 NtProtectVirtualMemory (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0 00380 928 NtFlushInstructionCache (-1, 2001604608, 2352, ... ) == 0x0 00381 928 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ole32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00382 928 NtAllocateVirtualMemory (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0 00383 928 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... 
44, {status=0x0, info=0}, ) }, 7, 16, ... 44, {status=0x0, info=0}, ) == 0x0 00384 928 NtDeviceIoControlFile (44, 0, 0x0, 0x0, 0x390008, (44, 0, 0x0, 0x0, 0x390008, "\273@\316\241\22\207\27\260s\254\35\22\251\272\223\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 00385 928 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 00386 928 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 00387 928 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 00388 928 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 00389 928 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 00390 928 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 00391 928 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 00392 928 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482584, 2, ) }, 0, 0x0, 0, ... -2147482584, 2, ) == 0x0 00393 928 NtSetValueKey (-2147482584, (-2147482584, "Seed", 0, 3, "\207\334#\0\270y*\353\21\256c\17\1\224$\355+@J\236\372\305\265\\367\3\237\334!*\246\310M\316\232\204\210P\272s\206\204\265\244'C:\366\201\367\220\232\277\267\333\370\377\314!\277\377\21\245\277x\251\236\247\375\355ApoEf\234\6\200O\345", 80, ... 
) , 0, 3, (-2147482584, "Seed", 0, 3, "\207\334#\0\270y*\353\21\256c\17\1\224$\355+@J\236\372\305\265\\367\3\237\334!*\246\310M\316\232\204\210P\272s\206\204\265\244'C:\366\201\367\220\232\277\267\333\370\377\314!\277\377\21\245\277x\251\236\247\375\355ApoEf\234\6\200O\345", 80, ... ) , 80, ... ) == 0x0 00394 928 NtClose (-2147482584, ... ) == 0x0 00384 928 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "o\327;\344e\263[\231\12;;J\233\304+\372\211&\221S\2033\374\32\3\2271.?\204\370\4\312\347\376\247\212\5\36\363\6\3348\6\10\211\231\325\w?vC\230,\266\324`\5\222{\31\2036\200\276\352f\250^\302d}\242\240W\2\2351\2661\206<\353\301\265\7\367\342\201\266\342\232\326E\357\201I\20-\342u6\10.\327\333\260R}'\240\30!\327F'\226;\11N\364S\222!\234\244P\35\211\326K\276E\266\210\365H\246 \341\231E\275\270d\334\337\24\266TK\13\316\331=y'\220$\354\10m\3707\17\217$n\22\272+'m\370JZ\21\222l\343\0 \213\33\274\370\246o\3\214\221\6\36=\214,\3oV\347X\360\326+\214\16\332\207\2623\324\312?:#,\215\212\374vct\215\351{\231F~*K\223\373\232\240\272>\243\373\335\33\35\213\352\273\362\305\203LO\255b\203\230{/", ) , ) == 0x0 00395 928 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00396 928 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00397 928 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 48, ) }, ... 48, ) == 0x0 00398 928 NtQueryValueKey (48, (48, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (48, "CriticalSectionTimeout", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0 00399 928 NtClose (48, ... ) == 0x0 00400 928 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Ole"}, ... 48, ) }, ... 48, ) == 0x0 00401 928 NtQueryValueKey (48, (48, "RWLockResourceTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00402 928 NtClose (48, ... ) == 0x0 00403 928 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00404 928 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00405 928 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00406 928 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00407 928 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 48, ) }, ... 48, ) == 0x0 00408 928 NtQueryValueKey (48, (48, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00409 928 NtQueryValueKey (48, (48, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00410 928 NtQueryValueKey (48, (48, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00411 928 NtClose (48, ... 
) == 0x0 00412 928 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 48, ) }, ... 48, ) == 0x0 00413 928 NtQueryValueKey (48, (48, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00414 928 NtQueryValueKey (48, (48, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00415 928 NtClose (48, ... ) == 0x0 00416 928 NtOpenDirectoryObject (0x2000f, {24, 0, 0x40, 0, 0, (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 48, ) }, ... 48, ) == 0x0 00417 928 NtOpenEvent (0x1f0003, {24, 48, 0x0, 0, 0, (0x1f0003, {24, 48, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00418 928 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00419 928 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 52, ) == 0x0 00420 928 NtQueryInformationToken (52, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00421 928 NtClose (52, ... ) == 0x0 00422 928 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 52, ) }, ... 52, ) == 0x0 00423 928 NtSetInformationObject (52, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0 00424 928 NtOpenKey (0xf003f, {24, 52, 0x40, 0, 0, (0xf003f, {24, 52, 0x40, 0, 0, "Software\Borland\Locales"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00425 928 NtOpenKey (0xf003f, {24, 52, 0x40, 0, 0, (0xf003f, {24, 52, 0x40, 0, 0, "Software\Borland\Delphi\Locales"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00426 928 NtOpenProcessToken (-1, 0x8, ... 56, ) == 0x0 00427 928 NtQueryInformationToken (56, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00428 928 NtClose (56, ... ) == 0x0 00429 928 NtUserCallOneParam (0, 41, ... 
) == 0x4 00430 928 NtAllocateVirtualMemory (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0 00431 928 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 1, ... 10027008, 1048576, ) == 0x0 00432 928 NtAllocateVirtualMemory (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0 00433 928 NtAllocateVirtualMemory (-1, 10027008, 0, 16384, 4096, 4, ... 10027008, 16384, ) == 0x0 00434 928 NtUserCallNoParam (29, ... 00435 928 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1242268, ... ) }, 1242268, ... ) == 0x0 00436 928 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 56, {status=0x0, info=1}, ) }, 5, 96, ... 56, {status=0x0, info=1}, ) == 0x0 00437 928 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 56, ... 60, ) == 0x0 00438 928 NtClose (56, ... ) == 0x0 00439 928 NtMapViewOfSection (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x380000), 0x0, 221184, ) == 0x0 00440 928 NtClose (60, ... ) == 0x0 00441 928 NtUnmapViewOfSection (-1, 0x380000, ... ) == 0x0 00442 928 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1242576, ... ) }, 1242576, ... ) == 0x0 00443 928 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 60, {status=0x0, info=1}, ) }, 5, 96, ... 60, {status=0x0, info=1}, ) == 0x0 00444 928 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 60, ... 56, ) == 0x0 00445 928 NtQuerySection (56, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00446 928 NtClose (60, ... ) == 0x0 00447 928 NtMapViewOfSection (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5ad70000), 0x0, 229376, ) == 0x0 00448 928 NtClose (56, ... ) == 0x0 00449 928 NtProtectVirtualMemory (-1, (0x5ad71000), 1300, 4, ... (0x5ad71000), 4096, 32, ) == 0x0 00450 928 NtProtectVirtualMemory (-1, (0x5ad71000), 4096, 32, ... 
(0x5ad71000), 4096, 4, ) == 0x0 00451 928 NtFlushInstructionCache (-1, 1524043776, 1300, ... ) == 0x0 00452 928 NtProtectVirtualMemory (-1, (0x5ad71000), 1300, 4, ... (0x5ad71000), 4096, 32, ) == 0x0 00453 928 NtProtectVirtualMemory (-1, (0x5ad71000), 4096, 32, ... (0x5ad71000), 4096, 4, ) == 0x0 00454 928 NtFlushInstructionCache (-1, 1524043776, 1300, ... ) == 0x0 00455 928 NtProtectVirtualMemory (-1, (0x5ad71000), 1300, 4, ... (0x5ad71000), 4096, 32, ) == 0x0 00456 928 NtProtectVirtualMemory (-1, (0x5ad71000), 4096, 32, ... (0x5ad71000), 4096, 4, ) == 0x0 00457 928 NtFlushInstructionCache (-1, 1524043776, 1300, ... ) == 0x0 00458 928 NtProtectVirtualMemory (-1, (0x5ad71000), 1300, 4, ... (0x5ad71000), 4096, 32, ) == 0x0 00459 928 NtProtectVirtualMemory (-1, (0x5ad71000), 4096, 32, ... (0x5ad71000), 4096, 4, ) == 0x0 00460 928 NtFlushInstructionCache (-1, 1524043776, 1300, ... ) == 0x0 00461 928 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uxtheme.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00462 928 NtUserGetWindowDC (0, ... ) == 0x1010051 00463 928 NtUserCallOneParam (16842833, 57, ... ) == 0x1 00464 928 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00465 928 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 56, ) == 0x0 00466 928 NtQueryInformationToken (56, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00467 928 NtClose (56, ... ) == 0x0 00468 928 NtOpenKey (0x2001f, {24, 0, 0x640, 0, 0, (0x2001f, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 56, ) }, ... 56, ) == 0x0 00469 928 NtOpenKey (0x1, {24, 56, 0x40, 0, 0, (0x1, {24, 56, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\ThemeManager"}, ... 60, ) }, ... 60, ) == 0x0 00470 928 NtQueryValueKey (60, (60, "Compositing", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00471 928 NtClose (60, ... ) == 0x0 00472 928 NtClose (56, ... ) == 0x0 00473 928 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00474 928 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 56, ) == 0x0 00475 928 NtQueryInformationToken (56, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00476 928 NtClose (56, ... ) == 0x0 00477 928 NtOpenKey (0x20019, {24, 0, 0x640, 0, 0, (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 56, ) }, ... 56, ) == 0x0 00478 928 NtOpenKey (0x1, {24, 56, 0x40, 0, 0, (0x1, {24, 56, 0x40, 0, 0, "Control Panel\Desktop"}, ... 60, ) }, ... 60, ) == 0x0 00479 928 NtQueryValueKey (60, (60, "LameButtonText", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00480 928 NtClose (60, ... ) == 0x0 00481 928 NtClose (56, ... ) == 0x0 00482 928 NtUserGetProcessWindowStation (... ) == 0x1c 00483 928 NtUserGetObjectInformation (28, 2, 1244364, 64, 1244360, ... ) == 0x1 00484 928 NtUserGetGUIThreadInfo (928, 1244384, ... ) == 0x1 00485 928 NtConnectPort ( ("\ThemeApiPort", {12, 2, 1, 1}, 0x0, 0x0, 1244228, 64, ... 56, 0x0, 0x0, 0x0, 64, ) , {12, 2, 1, 1}, 0x0, 0x0, 1244228, 64, ... 56, 0x0, 0x0, 0x0, 64, ) == 0x0 00486 928 NtRequestWaitReplyPort (56, {32, 56, new_msg, 0, 0, 0, 0, 0} (56, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 1972, 928, 57971, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {32, 56, reply, 0, 1972, 928, 57971, 0} (56, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... 
{32, 56, reply, 0, 1972, 928, 57971, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 00487 928 NtRequestWaitReplyPort (56, {32, 56, new_msg, 0, 0, 0, 0, 0} (56, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 1972, 928, 57972, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {32, 56, reply, 0, 1972, 928, 57972, 0} (56, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 1972, 928, 57972, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 00488 928 NtUserCallNoParam (29, ... 00489 928 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1241624, ... ) }, 1241624, ... ) == 0x0 00488 928 NtUserCallNoParam ... ) == 0x0 00490 928 NtUserSystemParametersInfo (41, 0, 1524240760, 0, ... ) == 0x1 00491 928 NtGdiHfontCreate (1243752, 356, 0, 0, 1340336, ... ) == 0x330a04e1 00492 928 NtGdiHfontCreate (1243752, 356, 0, 0, 1340328, ... ) == 0x520a0634 00493 928 NtRequestWaitReplyPort (56, {32, 56, new_msg, 0, 0, 0, 0, 0} (56, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 1972, 928, 57973, 0} "\0\0\0\0\0\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {32, 56, reply, 0, 1972, 928, 57973, 0} (56, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 1972, 928, 57973, 0} "\0\0\0\0\0\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 00494 928 NtMapViewOfSection (60, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x380000), {0, 0}, 327680, ) == 0x0 00495 928 NtUserGetWindowDC (0, ... ) == 0x1010051 00496 928 NtUserCallOneParam (16842833, 57, ... ) == 0x1 00497 928 NtUserGetWindowDC (0, ... 
) == 0x1010051 00498 928 NtUserCallOneParam (16842833, 57, ... ) == 0x1 00499 928 NtUserGetWindowDC (0, ... ) == 0x1010051 00500 928 NtUserCallOneParam (16842833, 57, ... ) == 0x1 00501 928 NtUserGetWindowDC (0, ... ) == 0x1010051 00502 928 NtUserCallOneParam (16842833, 57, ... ) == 0x1 00503 928 NtUserGetWindowDC (0, ... ) == 0x1010051 00504 928 NtUserCallOneParam (16842833, 57, ... ) == 0x1 00505 928 NtUserGetWindowDC (0, ... ) == 0x1010051 00506 928 NtUserCallOneParam (16842833, 57, ... ) == 0x1 00507 928 NtUserGetWindowDC (0, ... ) == 0x1010051 00508 928 NtUserCallOneParam (16842833, 57, ... ) == 0x1 00509 928 NtUserGetWindowDC (0, ... ) == 0x1010051 00510 928 NtUserCallOneParam (16842833, 57, ... ) == 0x1 00511 928 NtAllocateVirtualMemory (-1, 3297280, 0, 4096, 4096, 4, ... 3297280, 4096, ) == 0x0 00512 928 NtUserGetWindowDC (0, ... ) == 0x1010051 00513 928 NtGdiCreatePatternBrushInternal (59048383, 0, 0, ... ) == 0x72100798 00514 928 NtUserCallOneParam (16842833, 57, ... ) == 0x1 00515 928 NtUserCallNoParam (29, ... 00516 928 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1241064, ... ) }, 1241064, ... ) == 0x0 00515 928 NtUserCallNoParam ... ) == 0x0 00517 928 NtUserCallNoParam (29, ... 00518 928 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1241060, ... ) }, 1241060, ... ) == 0x0 00517 928 NtUserCallNoParam ... ) == 0x0 00434 928 NtUserCallNoParam ... ) == 0x1 00519 928 NtQueryVirtualMemory (-1, 0x373313, Basic, 28, ... {BaseAddress=0x373000,AllocationBase=0x360000,AllocationProtect=0x4,RegionSize=0xa000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 00520 928 NtQueryInformationProcess (-1, 34, 4, ... {process info, class 34, size 4}, 0x0, ) == 0x0 00521 928 NtContinue (1244356, 0, ... 00522 928 NtQueryVirtualMemory (-1, 0x372d5c, Basic, 28, ... 
{BaseAddress=0x372000,AllocationBase=0x360000,AllocationProtect=0x4,RegionSize=0xb000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 00523 928 NtQueryInformationProcess (-1, 34, 4, ... {process info, class 34, size 4}, 0x0, ) == 0x0 00524 928 NtContinue (1244032, 0, ... 00525 928 NtQueryVirtualMemory (-1, 0x372dc0, Basic, 28, ... {BaseAddress=0x372000,AllocationBase=0x360000,AllocationProtect=0x4,RegionSize=0xb000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 00526 928 NtQueryInformationProcess (-1, 34, 4, ... {process info, class 34, size 4}, 0x0, ) == 0x0 00527 928 NtContinue (1244032, 0, ... 00528 928 NtQueryVirtualMemory (-1, 0x370d71, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x360000,AllocationProtect=0x4,RegionSize=0xd000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 00529 928 NtQueryInformationProcess (-1, 34, 4, ... {process info, class 34, size 4}, 0x0, ) == 0x0 00530 928 NtQueryVirtualMemory (-1, 0x373132, Basic, 28, ... {BaseAddress=0x373000,AllocationBase=0x360000,AllocationProtect=0x4,RegionSize=0xa000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 00531 928 NtQueryInformationProcess (-1, 34, 4, ... {process info, class 34, size 4}, 0x0, ) == 0x0 00532 928 NtQueryVirtualMemory (-1, 0x7c816fe0, Basic, 28, ... {BaseAddress=0x7c816000,AllocationBase=0x7c800000,AllocationProtect=0x80,RegionSize=0x6e000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0 00533 928 NtQueryInformationProcess (-1, DebugPort, 4, ... {process info, class 7, size 4}, 0x0, ) == 0x0 00534 928 NtQueryInformationProcess (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0 00535 928 NtQueryVirtualMemory (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0 00536 928 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... 
{process info, class 12, size 4}, 0x0, ) == 0x0 00537 928 NtQueryInformationJobObject (0, BasicLimit, 48, ... ) == STATUS_ACCESS_DENIED 00538 928 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AeDebug"}, ... 64, ) }, ... 64, ) == 0x0 00539 928 NtQueryValueKey (64, (64, "Auto", Partial, 526, ... TitleIdx=0, Type=1, Data="0\0\0\0"}, 16, ) , Partial, 526, ... TitleIdx=0, Type=1, Data= (64, "Auto", Partial, 526, ... TitleIdx=0, Type=1, Data="0\0\0\0"}, 16, ) }, 16, ) == 0x0 00540 928 NtQueryValueKey (64, (64, "Debugger", Partial, 526, ... TitleIdx=0, Type=1, Data=""\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0V\0i\0s\0u\0a\0l\0 \0S\0t\0u\0d\0i\0o\0\\0C\0o\0m\0m\0o\0n\0\\0M\0S\0D\0e\0v\09\08\0\\0B\0i\0n\0\\0m\0s\0d\0e\0v\0.\0e\0x\0e\0"\0 \0-\0p\0 \0%\0l\0d\0 \0-\0e\0 \0%\0l\0d\0\0\0"}, 184, ) , Partial, 526, ... TitleIdx=0, Type=1, Data=" (64, "Debugger", Partial, 526, ... TitleIdx=0, Type=1, Data=""\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0V\0i\0s\0u\0a\0l\0 \0S\0t\0u\0d\0i\0o\0\\0C\0o\0m\0m\0o\0n\0\\0M\0S\0D\0e\0v\09\08\0\\0B\0i\0n\0\\0m\0s\0d\0e\0v\0.\0e\0x\0e\0"\0 \0-\0p\0 \0%\0l\0d\0 \0-\0e\0 \0%\0l\0d\0\0\0"}, 184, ) \0 \0-\0p\0 \0%\0l\0d\0 \0-\0e\0 \0%\0l\0d\0\0\0"}, 184, ) == 0x0 00541 928 NtClose (64, ... ) == 0x0 00542 928 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\faultrep.dll"}, 1239712, ... ) }, 1239712, ... ) == 0x0 00543 928 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\faultrep.dll"}, 5, 96, ... 64, {status=0x0, info=1}, ) }, 5, 96, ... 64, {status=0x0, info=1}, ) == 0x0 00544 928 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 64, ... 68, ) == 0x0 00545 928 NtClose (64, ... ) == 0x0 00546 928 NtMapViewOfSection (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... 
(0x3d0000), 0x0, 81920, ) == 0x0 00547 928 NtClose (68, ... ) == 0x0 00548 928 NtUnmapViewOfSection (-1, 0x3d0000, ... ) == 0x0 00549 928 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\faultrep.dll"}, 1240020, ... ) }, 1240020, ... ) == 0x0 00550 928 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\faultrep.dll"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0 00551 928 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 68, ... 64, ) == 0x0 00552 928 NtQuerySection (64, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00553 928 NtClose (68, ... ) == 0x0 00554 928 NtMapViewOfSection (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x69450000), 0x0, 90112, ) == 0x0 00555 928 NtClose (64, ... ) == 0x0 00556 928 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "VERSION.dll"}, ... 64, ) }, ... 64, ) == 0x0 00557 928 NtMapViewOfSection (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c00000), 0x0, 32768, ) == 0x0 00558 928 NtClose (64, ... ) == 0x0 00559 928 NtProtectVirtualMemory (-1, (0x77c01000), 304, 4, ... (0x77c01000), 4096, 32, ) == 0x0 00560 928 NtProtectVirtualMemory (-1, (0x77c01000), 4096, 32, ... (0x77c01000), 4096, 4, ) == 0x0 00561 928 NtFlushInstructionCache (-1, 2009075712, 304, ... ) == 0x0 00562 928 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "USERENV.dll"}, ... 64, ) }, ... 64, ) == 0x0 00563 928 NtMapViewOfSection (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x769c0000), 0x0, 733184, ) == 0x0 00564 928 NtClose (64, ... ) == 0x0 00565 928 NtProtectVirtualMemory (-1, (0x769c1000), 1244, 4, ... (0x769c1000), 4096, 32, ) == 0x0 00566 928 NtProtectVirtualMemory (-1, (0x769c1000), 4096, 32, ... (0x769c1000), 4096, 4, ) == 0x0 00567 928 NtFlushInstructionCache (-1, 1989939200, 1244, ... ) == 0x0 00568 928 NtProtectVirtualMemory (-1, (0x769c1000), 1244, 4, ... 
(0x769c1000), 4096, 32, ) == 0x0 00569 928 NtProtectVirtualMemory (-1, (0x769c1000), 4096, 32, ... (0x769c1000), 4096, 4, ) == 0x0 00570 928 NtFlushInstructionCache (-1, 1989939200, 1244, ... ) == 0x0 00571 928 NtProtectVirtualMemory (-1, (0x769c1000), 1244, 4, ... (0x769c1000), 4096, 32, ) == 0x0 00572 928 NtProtectVirtualMemory (-1, (0x769c1000), 4096, 32, ... (0x769c1000), 4096, 4, ) == 0x0 00573 928 NtFlushInstructionCache (-1, 1989939200, 1244, ... ) == 0x0 00574 928 NtProtectVirtualMemory (-1, (0x769c1000), 1244, 4, ... (0x769c1000), 4096, 32, ) == 0x0 00575 928 NtProtectVirtualMemory (-1, (0x769c1000), 4096, 32, ... (0x769c1000), 4096, 4, ) == 0x0 00576 928 NtFlushInstructionCache (-1, 1989939200, 1244, ... ) == 0x0 00577 928 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WINSTA.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00578 928 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WINSTA.dll"}, 1239196, ... ) }, 1239196, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00579 928 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WINSTA.dll"}, 1239196, ... ) }, 1239196, ... ) == 0x0 00580 928 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WINSTA.dll"}, 5, 96, ... 64, {status=0x0, info=1}, ) }, 5, 96, ... 64, {status=0x0, info=1}, ) == 0x0 00581 928 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 64, ... 68, ) == 0x0 00582 928 NtQuerySection (68, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00583 928 NtClose (64, ... ) == 0x0 00584 928 NtMapViewOfSection (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76360000), 0x0, 65536, ) == 0x0 00585 928 NtClose (68, ... ) == 0x0 00586 928 NtProtectVirtualMemory (-1, (0x76361000), 212, 4, ... (0x76361000), 4096, 32, ) == 0x0 00587 928 NtProtectVirtualMemory (-1, (0x76361000), 4096, 32, ... 
(0x76361000), 4096, 4, ) == 0x0 00588 928 NtFlushInstructionCache (-1, 1983254528, 212, ... ) == 0x0 00589 928 NtProtectVirtualMemory (-1, (0x76361000), 212, 4, ... (0x76361000), 4096, 32, ) == 0x0 00590 928 NtProtectVirtualMemory (-1, (0x76361000), 4096, 32, ... (0x76361000), 4096, 4, ) == 0x0 00591 928 NtFlushInstructionCache (-1, 1983254528, 212, ... ) == 0x0 00592 928 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "NETAPI32.dll"}, ... 68, ) }, ... 68, ) == 0x0 00593 928 NtMapViewOfSection (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5b860000), 0x0, 344064, ) == 0x0 00594 928 NtClose (68, ... ) == 0x0 00595 928 NtProtectVirtualMemory (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0 00596 928 NtProtectVirtualMemory (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0 00597 928 NtFlushInstructionCache (-1, 1535512576, 1168, ... ) == 0x0 00598 928 NtProtectVirtualMemory (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0 00599 928 NtProtectVirtualMemory (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0 00600 928 NtFlushInstructionCache (-1, 1535512576, 1168, ... ) == 0x0 00601 928 NtProtectVirtualMemory (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0 00602 928 NtProtectVirtualMemory (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0 00603 928 NtFlushInstructionCache (-1, 1535512576, 1168, ... ) == 0x0 00604 928 NtProtectVirtualMemory (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0 00605 928 NtProtectVirtualMemory (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0 00606 928 NtFlushInstructionCache (-1, 1535512576, 1168, ... ) == 0x0 00607 928 NtProtectVirtualMemory (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0 00608 928 NtProtectVirtualMemory (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0 00609 928 NtFlushInstructionCache (-1, 1535512576, 1168, ... 
) == 0x0 00610 928 NtProtectVirtualMemory (-1, (0x76361000), 212, 4, ... (0x76361000), 4096, 32, ) == 0x0 00611 928 NtProtectVirtualMemory (-1, (0x76361000), 4096, 32, ... (0x76361000), 4096, 4, ) == 0x0 00612 928 NtFlushInstructionCache (-1, 1983254528, 212, ... ) == 0x0 00613 928 NtProtectVirtualMemory (-1, (0x76361000), 212, 4, ... (0x76361000), 4096, 32, ) == 0x0 00614 928 NtProtectVirtualMemory (-1, (0x76361000), 4096, 32, ... (0x76361000), 4096, 4, ) == 0x0 00615 928 NtFlushInstructionCache (-1, 1983254528, 212, ... ) == 0x0 00616 928 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WTSAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00617 928 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WTSAPI32.dll"}, 1239196, ... ) }, 1239196, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00618 928 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WTSAPI32.dll"}, 1239196, ... ) }, 1239196, ... ) == 0x0 00619 928 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WTSAPI32.dll"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0 00620 928 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 68, ... 64, ) == 0x0 00621 928 NtQuerySection (64, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00622 928 NtClose (68, ... ) == 0x0 00623 928 NtMapViewOfSection (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f50000), 0x0, 32768, ) == 0x0 00624 928 NtClose (64, ... ) == 0x0 00625 928 NtProtectVirtualMemory (-1, (0x76f51000), 332, 4, ... (0x76f51000), 4096, 32, ) == 0x0 00626 928 NtProtectVirtualMemory (-1, (0x76f51000), 4096, 32, ... (0x76f51000), 4096, 4, ) == 0x0 00627 928 NtFlushInstructionCache (-1, 1995771904, 332, ... ) == 0x0 00628 928 NtProtectVirtualMemory (-1, (0x76f51000), 332, 4, ... (0x76f51000), 4096, 32, ) == 0x0 00629 928 NtProtectVirtualMemory (-1, (0x76f51000), 4096, 32, ... 
(0x76f51000), 4096, 4, ) == 0x0 00630 928 NtFlushInstructionCache (-1, 1995771904, 332, ... ) == 0x0 00631 928 NtProtectVirtualMemory (-1, (0x76f51000), 332, 4, ... (0x76f51000), 4096, 32, ) == 0x0 00632 928 NtProtectVirtualMemory (-1, (0x76f51000), 4096, 32, ... (0x76f51000), 4096, 4, ) == 0x0 00633 928 NtFlushInstructionCache (-1, 1995771904, 332, ... ) == 0x0 00634 928 NtProtectVirtualMemory (-1, (0x76f51000), 332, 4, ... (0x76f51000), 4096, 32, ) == 0x0 00635 928 NtProtectVirtualMemory (-1, (0x76f51000), 4096, 32, ... (0x76f51000), 4096, 4, ) == 0x0 00636 928 NtFlushInstructionCache (-1, 1995771904, 332, ... ) == 0x0 00637 928 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SETUPAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00638 928 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\SETUPAPI.dll"}, 1239196, ... ) }, 1239196, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00639 928 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SETUPAPI.dll"}, 1239196, ... ) }, 1239196, ... ) == 0x0 00640 928 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SETUPAPI.dll"}, 5, 96, ... 64, {status=0x0, info=1}, ) }, 5, 96, ... 64, {status=0x0, info=1}, ) == 0x0 00641 928 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 64, ... 68, ) == 0x0 00642 928 NtQuerySection (68, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00643 928 NtClose (64, ... ) == 0x0 00644 928 NtMapViewOfSection (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77920000), 0x0, 995328, ) == 0x0 00645 928 NtClose (68, ... ) == 0x0 00646 928 NtProtectVirtualMemory (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0 00647 928 NtProtectVirtualMemory (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0 00648 928 NtFlushInstructionCache (-1, 2006061056, 1368, ... ) == 0x0 00649 928 NtProtectVirtualMemory (-1, (0x77921000), 1368, 4, ... 
(0x77921000), 4096, 32, ) == 0x0 00650 928 NtProtectVirtualMemory (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0 00651 928 NtFlushInstructionCache (-1, 2006061056, 1368, ... ) == 0x0 00652 928 NtProtectVirtualMemory (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0 00653 928 NtProtectVirtualMemory (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0 00654 928 NtFlushInstructionCache (-1, 2006061056, 1368, ... ) == 0x0 00655 928 NtProtectVirtualMemory (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0 00656 928 NtProtectVirtualMemory (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0 00657 928 NtFlushInstructionCache (-1, 2006061056, 1368, ... ) == 0x0 00658 928 NtProtectVirtualMemory (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0 00659 928 NtProtectVirtualMemory (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0 00660 928 NtFlushInstructionCache (-1, 2006061056, 1368, ... ) == 0x0 00661 928 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 68, ) }, ... 68, ) == 0x0 00662 928 NtMapViewOfSection (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f60000), 0x0, 483328, ) == 0x0 00663 928 NtClose (68, ... ) == 0x0 00664 928 NtProtectVirtualMemory (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0 00665 928 NtProtectVirtualMemory (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0 00666 928 NtFlushInstructionCache (-1, 2012614656, 2076, ... ) == 0x0 00667 928 NtProtectVirtualMemory (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0 00668 928 NtProtectVirtualMemory (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0 00669 928 NtFlushInstructionCache (-1, 2012614656, 2076, ... ) == 0x0 00670 928 NtProtectVirtualMemory (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0 00671 928 NtProtectVirtualMemory (-1, (0x77f61000), 4096, 32, ... 
(0x77f61000), 4096, 4, ) == 0x0 00672 928 NtFlushInstructionCache (-1, 2012614656, 2076, ... ) == 0x0 00673 928 NtProtectVirtualMemory (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0 00674 928 NtProtectVirtualMemory (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0 00675 928 NtFlushInstructionCache (-1, 2012614656, 2076, ... ) == 0x0 00676 928 NtProtectVirtualMemory (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0 00677 928 NtProtectVirtualMemory (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0 00678 928 NtFlushInstructionCache (-1, 2012614656, 2076, ... ) == 0x0 00679 928 NtProtectVirtualMemory (-1, (0x69451000), 736, 4, ... (0x69451000), 4096, 32, ) == 0x0 00680 928 NtProtectVirtualMemory (-1, (0x69451000), 4096, 32, ... (0x69451000), 4096, 4, ) == 0x0 00681 928 NtFlushInstructionCache (-1, 1766133760, 736, ... ) == 0x0 00682 928 NtProtectVirtualMemory (-1, (0x69451000), 736, 4, ... (0x69451000), 4096, 32, ) == 0x0 00683 928 NtProtectVirtualMemory (-1, (0x69451000), 4096, 32, ... (0x69451000), 4096, 4, ) == 0x0 00684 928 NtFlushInstructionCache (-1, 1766133760, 736, ... ) == 0x0 00685 928 NtProtectVirtualMemory (-1, (0x69451000), 736, 4, ... (0x69451000), 4096, 32, ) == 0x0 00686 928 NtProtectVirtualMemory (-1, (0x69451000), 4096, 32, ... (0x69451000), 4096, 4, ) == 0x0 00687 928 NtFlushInstructionCache (-1, 1766133760, 736, ... ) == 0x0 00688 928 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VERSION.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00689 928 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USERENV.dll"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00690 928 NtOpenKey (0x2000000, {24, 16, 0x40, 0, 0, (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 68, ) }, ... 68, ) == 0x0 00691 928 NtQueryValueKey (68, (68, "UserEnvDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00692 928 NtClose (68, ... ) == 0x0 00693 928 NtOpenKey (0x2000000, {24, 16, 0x40, 0, 0, (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 68, ) }, ... 68, ) == 0x0 00694 928 NtQueryValueKey (68, (68, "ChkAccDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00695 928 NtClose (68, ... ) == 0x0 00696 928 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Control\ProductOptions"}, ... 68, ) }, ... 68, ) == 0x0 00697 928 NtQueryValueKey (68, (68, "ProductType", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0i\0n\0N\0T\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (68, "ProductType", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0i\0n\0N\0T\0\0\0"}, 24, ) }, 24, ) == 0x0 00698 928 NtClose (68, ... ) == 0x0 00699 928 NtCreateEvent (0x1f0003, {24, 48, 0x80, 1237788, 0, (0x1f0003, {24, 48, 0x80, 1237788, 0, "Global\userenv: User Profile setup event"}, 0, 1, ... 68, ) }, 0, 1, ... 68, ) == STATUS_OBJECT_NAME_EXISTS 00700 928 NtQueryDefaultUILanguage (2090319928, ... 00701 928 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00702 928 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482584, ) == 0x0 00703 928 NtQueryInformationToken (-2147482584, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00704 928 NtClose (-2147482584, ... ) == 0x0 00705 928 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482584, ) }, ... 
-2147482584, ) == 0x0 00706 928 NtOpenKey (0x80000000, {24, -2147482584, 0x240, 0, 0, (0x80000000, {24, -2147482584, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00707 928 NtOpenKey (0x80000000, {24, -2147482584, 0x640, 0, 0, (0x80000000, {24, -2147482584, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481332, ) }, ... -2147481332, ) == 0x0 00708 928 NtQueryValueKey (-2147481332, (-2147481332, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00709 928 NtClose (-2147481332, ... ) == 0x0 00710 928 NtClose (-2147482584, ... ) == 0x0 00700 928 NtQueryDefaultUILanguage ... ) == 0x0 00711 928 NtQueryInstallUILanguage (2090319930, ... ) == 0x0 00712 928 NtQueryDefaultLocale (1, 1237540, ... ) == 0x0 00713 928 NtQueryDefaultLocale (1, 1237540, ... ) == 0x0 00714 928 NtQueryDefaultLocale (1, 1237540, ... ) == 0x0 00715 928 NtQueryDefaultLocale (1, 1237540, ... ) == 0x0 00716 928 NtQueryDefaultLocale (1, 1237540, ... ) == 0x0 00717 928 NtQueryDefaultLocale (1, 1237540, ... ) == 0x0 00718 928 NtQueryDefaultLocale (1, 1237540, ... ) == 0x0 00719 928 NtQueryDefaultLocale (1, 1237540, ... ) == 0x0 00720 928 NtQueryDefaultLocale (1, 1237540, ... ) == 0x0 00721 928 NtQueryDefaultLocale (1, 1237540, ... ) == 0x0 00722 928 NtQueryDefaultLocale (1, 1237540, ... ) == 0x0 00723 928 NtQueryDefaultLocale (1, 1237540, ... ) == 0x0 00724 928 NtQueryDefaultLocale (1, 1237540, ... ) == 0x0 00725 928 NtQueryDefaultLocale (1, 1237540, ... ) == 0x0 00726 928 NtQueryDefaultLocale (1, 1237540, ... ) == 0x0 00727 928 NtQueryDefaultLocale (1, 1237540, ... ) == 0x0 00728 928 NtQueryDefaultLocale (1, 1237540, ... ) == 0x0 00729 928 NtQueryDefaultLocale (1, 1237540, ... ) == 0x0 00730 928 NtQueryDefaultLocale (1, 1237540, ... ) == 0x0 00731 928 NtQueryDefaultLocale (1, 1237540, ... ) == 0x0 00732 928 NtQueryDefaultLocale (1, 1237540, ... 
) == 0x0 00733 928 NtQueryDefaultLocale (1, 1237540, ... ) == 0x0 00734 928 NtQueryDefaultLocale (1, 1237540, ... ) == 0x0 00735 928 NtQueryDefaultLocale (1, 1237540, ... ) == 0x0 00736 928 NtQueryDefaultLocale (1, 1237540, ... ) == 0x0 00737 928 NtQueryDefaultLocale (1, 1237540, ... ) == 0x0 00738 928 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00739 928 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 64, ) == 0x0 00740 928 NtQueryInformationToken (64, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00741 928 NtClose (64, ... ) == 0x0 00742 928 NtOpenKey (0x20019, {24, 0, 0x640, 0, 0, (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 64, ) }, ... 64, ) == 0x0 00743 928 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, ... 72, ) }, ... 72, ) == 0x0 00744 928 NtQueryValueKey (72, (72, "Personal", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 66, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (72, "Personal", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 66, ) }, 66, ) == 0x0 00745 928 NtQueryDefaultLocale (1, 1237540, ... ) == 0x0 00746 928 NtQueryValueKey (72, (72, "Local Settings", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 70, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (72, "Local Settings", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 70, ) }, 70, ) == 0x0 00747 928 NtQueryDefaultLocale (1, 1237540, ... ) == 0x0 00748 928 NtQueryDefaultLocale (1, 1237540, ... ) == 0x0 00749 928 NtQueryDefaultLocale (1, 1237540, ... 
) == 0x0 00750 928 NtQueryDefaultLocale (1, 1237540, ... ) == 0x0 00751 928 NtClose (72, ... ) == 0x0 00752 928 NtClose (64, ... ) == 0x0 00753 928 NtOpenKey (0x2000000, {24, 16, 0x40, 0, 0, (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 64, ) }, ... 64, ) == 0x0 00754 928 NtQueryValueKey (64, (64, "RsopDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00755 928 NtClose (64, ... ) == 0x0 00756 928 NtOpenKey (0x2000000, {24, 16, 0x40, 0, 0, (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 64, ) }, ... 64, ) == 0x0 00757 928 NtQueryValueKey (64, (64, "UserEnvDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00758 928 NtQueryValueKey (64, (64, "RsopLogging", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00759 928 NtClose (64, ... ) == 0x0 00760 928 NtOpenKey (0x2000000, {24, 16, 0x40, 0, 0, (0x2000000, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\System"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00761 928 NtOpenKey (0x2000000, {24, 16, 0x40, 0, 0, (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 64, ) }, ... 64, ) == 0x0 00762 928 NtQueryValueKey (64, (64, "UserEnvDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00763 928 NtClose (64, ... ) == 0x0 00764 928 NtOpenKey (0x2000000, {24, 16, 0x40, 0, 0, (0x2000000, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\System"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00765 928 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NETAPI32.dll"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00766 928 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WINSTA.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00767 928 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WTSAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00768 928 NtQueryPerformanceCounter (... {934898769, 10}, {3579545, 0}, ) == 0x0 00769 928 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUPAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00770 928 NtQueryDefaultLocale (1, 1239916, ... ) == 0x0 00771 928 NtQueryInformationProcess (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0 00772 928 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "System\Setup"}, ... 64, ) }, ... 64, ) == 0x0 00773 928 NtQueryValueKey (64, (64, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (64, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00774 928 NtClose (64, ... ) == 0x0 00775 928 NtUserGetProcessWindowStation (... ) == 0x1c 00776 928 NtUserGetObjectInformation (28, 1, 1239512, 12, 1239524, ... ) == 0x1 00777 928 NtOpenKey (0xf003f, {24, 16, 0x40, 0, 0, (0xf003f, {24, 16, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\MiniNT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00778 928 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "System\WPA\PnP"}, ... 64, ) }, ... 64, ) == 0x0 00779 928 NtQueryValueKey (64, (64, "seed", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\240d\351\211"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (64, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\240d\351\211"}, 16, ) }, 16, ) == 0x0 00780 928 NtClose (64, ... ) == 0x0 00781 928 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "SYSTEM\Setup"}, ... 64, ) }, ... 64, ) == 0x0 00782 928 NtQueryValueKey (64, (64, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (64, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0 00783 928 NtQueryValueKey (64, (64, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (64, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0 00784 928 NtClose (64, ... ) == 0x0 00785 928 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "SYSTEM\Setup"}, ... 64, ) }, ... 64, ) == 0x0 00786 928 NtQueryValueKey (64, (64, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (64, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0 00787 928 NtQueryValueKey (64, (64, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (64, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0 00788 928 NtClose (64, ... ) == 0x0 00789 928 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 
64, ) }, ... 64, ) == 0x0 00790 928 NtQueryValueKey (64, (64, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (64, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 00791 928 NtQueryValueKey (64, (64, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (64, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 00792 928 NtClose (64, ... ) == 0x0 00793 928 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 64, ) }, ... 64, ) == 0x0 00794 928 NtQueryValueKey (64, (64, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (64, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 00795 928 NtQueryValueKey (64, (64, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (64, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 00796 928 NtClose (64, ... ) == 0x0 00797 928 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 64, ) }, ... 64, ) == 0x0 00798 928 NtQueryValueKey (64, (64, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (64, "ServicePackCachePath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) }, 102, ) == 0x0 00799 928 NtQueryValueKey (64, (64, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (64, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) }, 102, ) == 0x0 00800 928 NtClose (64, ... ) == 0x0 00801 928 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 64, ) }, ... 64, ) == 0x0 00802 928 NtQueryValueKey (64, (64, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (64, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0 00803 928 NtQueryValueKey (64, (64, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (64, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0 00804 928 NtClose (64, ... ) == 0x0 00805 928 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 64, ) }, ... 64, ) == 0x0 00806 928 NtQueryValueKey (64, (64, "DevicePath", Partial, 144, ... 
) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00807 928 NtQueryValueKey (64, (64, "DevicePath", Partial, 346, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0c\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0r\0i\0c\0h\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0c\0e\0r\0c\0s\0r\06\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\03\02\00\0r\0a\0i\0d\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0i\0a\0s\0t\0o\0r\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0n\0v\0r\0a\0i\0d\0\0\0"}, 346, ) , Partial, 346, ... TitleIdx=0, Type=2, Data= (64, "DevicePath", Partial, 346, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0c\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0r\0i\0c\0h\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0c\0e\0r\0c\0s\0r\06\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\03\02\00\0r\0a\0i\0d\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0i\0a\0s\0t\0o\0r\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0n\0v\0r\0a\0i\0d\0\0\0"}, 346, ) }, 346, ) == 0x0 00808 928 NtAllocateVirtualMemory (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0 00809 928 NtClose (64, ... ) == 0x0 00810 928 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 64, ) == 0x0 00811 928 NtCreateMutant (0x1f0001, 0x0, 0, ... 72, ) == 0x0 00812 928 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 76, ) == 0x0 00813 928 NtCreateMutant (0x1f0001, 0x0, 0, ... 80, ) == 0x0 00814 928 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 84, ) == 0x0 00815 928 NtCreateMutant (0x1f0001, 0x0, 0, ... 88, ) == 0x0 00816 928 NtOpenKey (0x1, {24, 16, 0x40, 0, 0, (0x1, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 92, ) }, ... 
92, ) == 0x0 00817 928 NtQueryValueKey (92, (92, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (92, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00818 928 NtQueryValueKey (92, (92, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (92, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00819 928 NtQueryValueKey (92, (92, "LogPath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00820 928 NtOpenKey (0x1, {24, 92, 0x40, 0, 0, (0x1, {24, 92, 0x40, 0, 0, "AppLogLevels"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00821 928 NtClose (92, ... ) == 0x0 00822 928 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 1239428, ... ) }, 1239428, ... ) == 0x0 00823 928 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName"}, ... 92, ) }, ... 92, ) == 0x0 00824 928 NtQueryValueKey (92, (92, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (92, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Data= (92, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) }, 60, ) == 0x0 00825 928 NtClose (92, ... ) == 0x0 00826 928 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 92, ) }, ... 92, ) == 0x0 00827 928 NtQueryValueKey (92, (92, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) , Full, 128, ... 
TitleIdx=0, Type=1, Name= (92, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) , Data= (92, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) }, 52, ) == 0x0 00828 928 NtClose (92, ... ) == 0x0 00829 928 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\System\DNSclient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00830 928 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 92, ) }, ... 92, ) == 0x0 00831 928 NtQueryValueKey (92, (92, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (92, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Data= (92, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) }, 34, ) == 0x0 00832 928 NtClose (92, ... ) == 0x0 00833 928 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHLWAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00834 928 NtOpenKey (0x2000000, {24, 16, 0x40, 0, 0, (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00835 928 NtCreateSemaphore (0x1f0003, {24, 48, 0x80, 1343256, 0, (0x1f0003, {24, 48, 0x80, 1343256, 0, "shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}"}, 0, 2147483647, ... 92, ) }, 0, 2147483647, ... 92, ) == STATUS_OBJECT_NAME_EXISTS 00836 928 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\faultrep.dll"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00837 928 NtOpenKey (0x20119, {24, 16, 0x40, 0, 0, (0x20119, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\PCHealth\ErrorReporting"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00838 928 NtCreateKey (0x20119, {24, 16, 0x40, 0, 0, (0x20119, {24, 16, 0x40, 0, 0, "Software\Microsoft\PCHealth\ErrorReporting"}, 0, 0x0, 0, ... 96, 2, ) }, 0, 0x0, 0, ... 96, 2, ) == 0x0 00839 928 NtOpenKey (0x10000, {24, 96, 0x40, 0, 0, (0x10000, {24, 96, 0x40, 0, 0, "DW"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00840 928 NtQueryValueKey (96, (96, "DoReport", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "DoReport", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00841 928 NtQueryValueKey (96, (96, "ShowUI", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "ShowUI", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00842 928 NtQueryValueKey (96, (96, "AllOrNone", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "AllOrNone", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00843 928 NtQueryValueKey (96, (96, "IncludeMicrosoftApps", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "IncludeMicrosoftApps", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00844 928 NtQueryValueKey (96, (96, "IncludeWindowsApps", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "IncludeWindowsApps", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00845 928 NtQueryValueKey (96, (96, "DoTextLog", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00846 928 NtQueryValueKey (96, (96, "IncludeKernelFaults", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "IncludeKernelFaults", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00847 928 NtQueryValueKey (96, (96, "IncludeShutdownErrs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00848 928 NtQueryValueKey (96, (96, "NumberOfFaultPipes", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00849 928 NtQueryValueKey (96, (96, "NumberOfHangPipes", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00850 928 NtQueryValueKey (96, (96, "MaxUserQueueSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00851 928 NtQueryValueKey (96, (96, "ForceQueueMode", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00852 928 NtCreateKey (0x20119, {24, 96, 0x40, 0, 0, (0x20119, {24, 96, 0x40, 0, 0, "ExclusionList"}, 0, 0x0, 0, ... 100, 2, ) }, 0, 0x0, 0, ... 100, 2, ) == 0x0 00853 928 NtCreateKey (0x20119, {24, 96, 0x40, 0, 0, (0x20119, {24, 96, 0x40, 0, 0, "InclusionList"}, 0, 0x0, 0, ... 104, 2, ) }, 0, 0x0, 0, ... 104, 2, ) == 0x0 00854 928 NtClose (96, ... ) == 0x0 00855 928 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "System\Setup"}, ... 96, ) }, ... 96, ) == 0x0 00856 928 NtQueryValueKey (96, (96, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00857 928 NtClose (96, ... ) == 0x0 00858 928 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 00859 928 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... 
) == 0x0 00860 928 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1236956, ... ) }, 1236956, ... ) == 0x0 00861 928 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\"}, 3, 16417, ... 96, {status=0x0, info=1}, ) }, 3, 16417, ... 96, {status=0x0, info=1}, ) == 0x0 00862 928 NtQueryDirectoryFile (96, 0, 0, 0, 1236384, 616, BothDirectory, 1, (96, 0, 0, 0, 1236384, 616, BothDirectory, 1, "work", 0, ... {status=0x0, info=104}, ) , 0, ... {status=0x0, info=104}, ) == 0x0 00863 928 NtClose (96, ... ) == 0x0 00864 928 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work\"}, 3, 16417, ... 96, {status=0x0, info=1}, ) }, 3, 16417, ... 96, {status=0x0, info=1}, ) == 0x0 00865 928 NtQueryDirectoryFile (96, 0, 0, 0, 1236384, 616, BothDirectory, 1, (96, 0, 0, 0, 1236384, 616, BothDirectory, 1, "packed.exe", 0, ... {status=0x0, info=120}, ) , 0, ... {status=0x0, info=120}, ) == 0x0 00866 928 NtClose (96, ... ) == 0x0 00867 928 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 00868 928 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 00869 928 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 00870 928 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 00871 928 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1235604, ... ) }, 1235604, ... ) == 0x0 00872 928 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1234376, ... ) }, 1234376, ... ) == 0x0 00873 928 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 00874 928 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... 
) == 0x0 00875 928 NtQueryValueKey (100, (100, "packed.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00876 928 NtOpenThreadToken (-2, 0x2000c, 1, ... ) == STATUS_NO_TOKEN 00877 928 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 00878 928 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00879 928 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00880 928 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 96, ) }, ... 96, ) == 0x0 00881 928 NtQueryValueKey (96, (96, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00882 928 NtClose (96, ... ) == 0x0 00883 928 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00884 928 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 96, ) == 0x0 00885 928 NtAllocateVirtualMemory (-1, 1347584, 0, 4096, 4096, 4, ... 1347584, 4096, ) == 0x0 00886 928 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 108, ) == 0x0 00887 928 NtQuerySystemTime (... {-1523161488, 29918852}, ) == 0x0 00888 928 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 112, ) == 0x0 00889 928 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00890 928 NtQuerySystemInformation (Performance, 312, ... 
{system info, class 2, size 312}, 0x0, ) == 0x0 00891 928 NtQueryInformationProcess (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0 00892 928 NtQueryInformationProcess (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0 00893 928 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 116, ) == 0x0 00894 928 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 120, ) == 0x0 00895 928 NtDeviceIoControlFile (44, 0, 0x0, 0x0, 0x390008, (44, 0, 0x0, 0x0, 0x390008, "\273@\316\241\22\207\27T\2654\250\314*\271?\23\350\6\372Q\246\224-\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 00896 928 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 00897 928 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 00898 928 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 00899 928 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 00900 928 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 00901 928 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 00902 928 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 00903 928 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482584, 2, ) }, 0, 0x0, 0, ... 
-2147482584, 2, ) == 0x0 00904 928 NtSetValueKey (-2147482584, (-2147482584, "Seed", 0, 3, "[\337\12\3434C\264(\275\221\23&\255C\207\243\231\15\31\202P\207\1\216\320\15\273\3665\117d}\251_\210\212|\20\22Iu\353\236t\362\307\345\331\264\323\346\204\251{|\304\232\216\277dU\266\362\227b\342\325<\335=\246\252\240\236n\310t\266\34", 80, ... ) , 0, 3, (-2147482584, "Seed", 0, 3, "[\337\12\3434C\264(\275\221\23&\255C\207\243\231\15\31\202P\207\1\216\320\15\273\3665\117d}\251_\210\212|\20\22Iu\353\236t\362\307\345\331\264\323\346\204\251{|\304\232\216\277dU\266\362\227b\342\325<\335=\246\252\240\236n\310t\266\34", 80, ... ) , 80, ... ) == 0x0 00905 928 NtClose (-2147482584, ... ) == 0x0 00895 928 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "f\242\321/\35U#\230\0\210uD\315\15@=\313\204>\254\357\350\230\266\3015a\270g\327KBgq\10fP\273\270\10\250\330\363\12\304\317v\322\320Nc\217G)a\246V'\221\23\11\332\376\324\237$\277S\361\222B\66\351\237\323\331v\272\34Y\325w\305\14\330\314$[\17\272b\231'\22\23\3663\6\252\270\247\345\275!\344\26\21\312(0\337\273m\226\245q84*\256$\242"/\236JP4\332i\2660\374\36~\325{Y \366qnY\233Q\370\335\325\225\335!.\237\257l\2765G\273\328\334\327>\304\34\201\226\315N\257\36\230Q\225\31\332\212\307\3560\327h_\354vU\216\212\16\177\363op4\375\226\35\4\336\244\364z\377\3354\367d\27\336\220\220\263\375\230*9\323\377\217}wR\334\234\34\334\273<\272e\3242\263\247\2565~\34\22RZ\372\343-\13\11\213j\235\37r\356\35\267", ) /\236JP4\332i\2660\374\36~\325{Y \366qnY\233Q\370\335\325\225\335!.\237\257l\2765G\273\328\334\327>\304\34\201\226\315N\257\36\230Q\225\31\332\212\307\3560\327h_\354vU\216\212\16\177\363op4\375\226\35\4\336\244\364z\377\3354\367d\27\336\220\220\263\375\230*9\323\377\217}wR\334\234\34\334\273<\272e\3242\263\247\2565~\34\22RZ\372\343-\13\11\213j\235\37r\356\35\267", ) == 0x0 00906 928 NtDeviceIoControlFile (44, 0, 0x0, 0x0, 0x390008, (44, 0, 0x0, 0x0, 0x390008, 
"\273@\316\241\22\207\27T\2654\250\314*\271\333\325p\2634I\266\21\255\350\6\372Q\246\224-\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 00907 928 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 00908 928 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 00909 928 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 00910 928 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 00911 928 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 00912 928 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 00913 928 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 00914 928 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482584, 2, ) }, 0, 0x0, 0, ... -2147482584, 2, ) == 0x0 00915 928 NtSetValueKey (-2147482584, (-2147482584, "Seed", 0, 3, "\247>\5X\355\306l\306_\350g\211\23E\263\30\314\270\200\206\361,U\263\202\245\3112\277\307\253\254\221\235\377wn\251\207*f\246\321\370\265\37$\243L\371\312^D\201\2wGc}\270\247\11\26\13\247j\343l8\347\363\330\6\354\234.tvs\10", 80, ... 
) , 0, 3, (-2147482584, "Seed", 0, 3, "\247>\5X\355\306l\306_\350g\211\23E\263\30\314\270\200\206\361,U\263\202\245\3112\277\307\253\254\221\235\377wn\251\207*f\246\321\370\265\37$\243L\371\312^D\201\2wGc}\270\247\11\26\13\247j\343l8\347\363\330\6\354\234.tvs\10", 80, ... ) , 80, ... ) == 0x0 00916 928 NtClose (-2147482584, ... ) == 0x0 00906 928 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "\266\31\230\233\327\231W\362{'\14 *\240\207\350\263\23\323\302!)|\324\177\321\300n\346\256\263\231\244\30\340\6\355\30s76,\15\15\207\242\250\376\236\3167\2\226\240\307\337\320\200\302g\272\16,o\336\321->M\270[\14\275)\320\340\317\276!DBj\221a\353\244\256-\26\274\224r\3167\272\306\311;T\311eN\321`\357\376P"\23\272\301\212Ze\365\236]\363\3302t\16\357\275{\333,k\250\327\205\374\334Y\3\4\344\236\305Y\356\350\352\351\362\227\266\324\371\337\34`~\2103c\11\346\333\241\215\340\217\37\213\354T&\220\240p'j\251\374\12\24\235\351\7X\2244\236u\154\234\237Q\204\213\223#w0e\315n\211@0\332\202[\224\262\227\27ti\271a\37\241\351\201x\204Bf\364>\233H\307+\200\236\373\230`\205\22\327\314\333\R\313g\336\274\240WC\354\313&I\326\32#\233", ) \23\272\301\212Ze\365\236]\363\3302t\16\357\275{\333,k\250\327\205\374\334Y\3\4\344\236\305Y\356\350\352\351\362\227\266\324\371\337\34`~\2103c\11\346\333\241\215\340\217\37\213\354T&\220\240p'j\251\374\12\24\235\351\7X\2244\236u\154\234\237Q\204\213\223#w0e\315n\211@0\332\202[\224\262\227\27ti\271a\37\241\351\201x\204Bf\364>\233H\307+\200\236\373\230`\205\22\327\314\333\R\313g\336\274\240WC\354\313&I\326\32#\233", ) == 0x0 00917 928 NtDeviceIoControlFile (44, 0, 0x0, 0x0, 0x390008, (44, 0, 0x0, 0x0, 0x390008, 
"\273@\316\241\22\207\27T\2654\250\314*\271\333\325p\2634I\266\365kp\2634I\266\21\255\350\6\372Q\246\224-\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 00918 928 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 00919 928 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 00920 928 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 00921 928 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 00922 928 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 00923 928 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 00924 928 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 00925 928 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482584, 2, ) }, 0, 0x0, 0, ... -2147482584, 2, ) == 0x0 00926 928 NtSetValueKey (-2147482584, (-2147482584, "Seed", 0, 3, "\21P\345\5\344h\376\332?\212]\314\244G\371Se\204\37\321{\306\15\214!\16\341\264J \37\265\302\202\34\226Zz\267$c\370\227\361Pc\3675\206\231\360n"\365\15{-\340D2\370\360i\265\351\177\376\252\6f\26\215\232\243wf\30q\273\314", 80, ... 
) , 0, 3, (-2147482584, "Seed", 0, 3, "\21P\345\5\344h\376\332?\212]\314\244G\371Se\204\37\321{\306\15\214!\16\341\264J \37\265\302\202\34\226Zz\267$c\370\227\361Pc\3675\206\231\360n"\365\15{-\340D2\370\360i\265\351\177\376\252\6f\26\215\232\243wf\30q\273\314", 80, ... ) \365\15{-\340D2\370\360i\265\351\177\376\252\6f\26\215\232\243wf\30q\273\314", 80, ... ) == 0x0 00927 928 NtClose (-2147482584, ... ) == 0x0 00917 928 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "\264\3067\316\34\213\263(\264n\3339o\177\375\250\304V\376@w\211@\245\250\20i6\325X\275x\177\25\32]\320'\211\254\2541HP\342Q\362\247\3213\240\254\271\326\272\33\265\257oC\376QL\377\355\240&\274\224\320\177A\326\352e\276Z\201>\332|q\128\215\364Vz}\177\223,\25\336\241\343\216\20\217*&\35-vG\213y3S\247\342\242\36\306\373\331t3\242p\244\364\301\361\332\347\207\303@\14\264VZv\264<\277\233As\2150\37|\242l\344\227+.\255/-h\223j\15n\354\252sj\366\316\275\374Z\301\31Ct\203E,\211\332\3672\303=\14\335\336\3632r\341\337T7ZO\222\30b\245\225\246V\214\5H\242^\367p, ) , ) == 0x0 00928 928 NtDeviceIoControlFile (44, 0, 0x0, 0x0, 0x390008, (44, 0, 0x0, 0x0, 0x390008, "\273@\316\241\22\207\27T\2654\250\314*\271\333\325p\2634I\266\365kp\2634I\266\365kp\2634I\266\21\255\350\6\372Q\246\224-\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 00929 928 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 00930 928 NtQuerySystemInformation (ProcessorTimes, 48, ... 
{system info, class 8, size 48}, 48, ) == 0x0 00931 928 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 00932 928 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 00933 928 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 00934 928 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 00935 928 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 00936 928 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482584, 2, ) }, 0, 0x0, 0, ... -2147482584, 2, ) == 0x0 00937 928 NtSetValueKey (-2147482584, (-2147482584, "Seed", 0, 3, "Ju\371\37\354\337\247`\345\312\300-\0P3\273\1\342|\324\321\370\343A\317r)\331\11\376\204\341zD\217%\255\336\314\266>\334\372\200\331\346\\263"\34\5\250X2\215\332"\206\242\213\240ke\332k$\247*>2\216\7{\377\366\327Uq\376`", 80, ... ) , 0, 3, (-2147482584, "Seed", 0, 3, "Ju\371\37\354\337\247`\345\312\300-\0P3\273\1\342|\324\321\370\343A\317r)\331\11\376\204\341zD\217%\255\336\314\266>\334\372\200\331\346\\263"\34\5\250X2\215\332"\206\242\213\240ke\332k$\247*>2\216\7{\377\366\327Uq\376`", 80, ... ) \34\5\250X2\215\332 (-2147482584, "Seed", 0, 3, "Ju\371\37\354\337\247`\345\312\300-\0P3\273\1\342|\324\321\370\343A\317r)\331\11\376\204\341zD\217%\255\336\314\266>\334\372\200\331\346\\263"\34\5\250X2\215\332"\206\242\213\240ke\332k$\247*>2\216\7{\377\366\327Uq\376`", 80, ... ) , 80, ... ) == 0x0 00938 928 NtClose (-2147482584, ... ) == 0x0 00928 928 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "\345V\13Z!,\3132V\206\236\354\3/s;\4\317\277\325\4i\255\310\200\5j\224\322x\333\6\237\306r\274\251\321b\234[\266g\330.\235\322\266sn{\323A\211v\300l\212\211/L\366\365y\223$\311)*\252\342\274\246Y\24\6\253m\250&k%\245\362/\323k\202\314\355\352x\313>[\273e\3307h\371O\245\232\263\2403Uj\223\227\341\225\13\217\322xO^B;\376\6\325\337}\306\347wA\20c\207\363@\304\334I\276\203\247:\4\11\317\310\223\346\335\1\27\313$\277\332-\345\363\323;\7\214\263\211)!\343\235 o]\1\324Cj\347\225\322^\332]\234\373\21\4\314=\351\234\351\362_\220\365O\220-\340\360\272L\243\215=\255t\256\254\272(E\277\226\202\26q\337\226\205$X\251-\31E%H\362)|\274\321\17\35+\303\300s\33C\15\307\257Y\307>d\237\260hL\222\257t", ) , ) == 0x0 00939 928 NtDeviceIoControlFile (44, 0, 0x0, 0x0, 0x390008, (44, 0, 0x0, 0x0, 0x390008, "\273@\316\241\22\207\27T\2654\250\314*\271\333\325p\2634I\266\365kp\2634I\266\365kp\2634I\266\365kp\2634I\266\21\255\350\6\372Q\246\224-\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 00940 928 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 00941 928 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 00942 928 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 00943 928 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 00944 928 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 00945 928 NtQuerySystemInformation (ProcessorStatistics, 3016, ... 
{system info, class 23, size 0}, 0, ) == 0x0 00946 928 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 00947 928 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482584, 2, ) }, 0, 0x0, 0, ... -2147482584, 2, ) == 0x0 00948 928 NtSetValueKey (-2147482584, (-2147482584, "Seed", 0, 3, "\16\203\33\377Gi\364y\333\263\177\360\306\13\333>\25\250\27\316\235\6\303\237\274\23n\324!\301l'j\310\21\274\371u\203\203\364\344\322Sx\343g\257\316\344|\311;\365{\235\34aU\273C\262\272^\3155\214\303\267\321\377\305\0vX\2[k0g", 80, ... ) , 0, 3, (-2147482584, "Seed", 0, 3, "\16\203\33\377Gi\364y\333\263\177\360\306\13\333>\25\250\27\316\235\6\303\237\274\23n\324!\301l'j\310\21\274\371u\203\203\364\344\322Sx\343g\257\316\344|\311;\365{\235\34aU\273C\262\272^\3155\214\303\267\321\377\305\0vX\2[k0g", 80, ... ) , 80, ... ) == 0x0 00949 928 NtClose (-2147482584, ... ) == 0x0 00939 928 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "\302'\363n>\301\320u\304]\215;b\227\177\24Oa4\314\245\370\235\275\261\341\217\364'=vu\254\371y9\33\331\357j\213\312\254F\242\311B)\260\265\223\31\361>\30>E0\245u\364\26\275\233D`\263t\3012[\7.\374\216\205.U\13\334\7\27\333\323\37\273\32\366\3641\210\223g\360\30\277\35\352\366;G\375\331&\34\345#Z\23*C?\14\225\330\254\302\255\223Q\307\307 \311\247%\246\272w\252\264\25\337\211\0\2072\350m#\252\303-\255\241\250r\254P\20?\241\234%\3\236c\235\353h\247'\2431\257d1\0\323\216\230M\252F\32s\267\16\240\246\330\300G\206\12\255&\345LIy\332I\342\331\37\212\266\304\256\5\58\336\177\241>\236.\262nN/\237\32c\212A\316\357h\3443xx\16\270\373L\246\273\366\25\310\233\374m\232\226f\225JV~\231\335\327x&\352\266\35j\364\247", ) , ) == 0x0 00950 928 NtDeviceIoControlFile (44, 0, 0x0, 0x0, 0x390008, (44, 0, 0x0, 0x0, 0x390008, "\273@\316\241\22\207\27T\2654\250\314*\271\333\325p\2634I\266\365kp\2634I\266\365kp\2634I\266\365kp\2634I\266\365kp\2634I\266\21\255\350\6\372Q\246\224-\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 00951 928 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 00952 928 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 00953 928 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 00954 928 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 00955 928 NtQuerySystemInformation (Lookaside, 32, ... 
{system info, class 45, size 32}, 32, ) == 0x0 00956 928 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 00957 928 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 00958 928 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482584, 2, ) }, 0, 0x0, 0, ... -2147482584, 2, ) == 0x0 00959 928 NtSetValueKey (-2147482584, (-2147482584, "Seed", 0, 3, "\13\334+LNme\314\333\300\352\340\33-K[I\250\237\336\13\226\317\336\373\6]%3\340ERa\362\367\274I)W\241\260\22\242\250@q"\324\241V\337\342\3340F\304\276\14\364\373\3?ou\4\253\276;\273&8\312\225\212\206\335\241\272^\337", 80, ... ) , 0, 3, (-2147482584, "Seed", 0, 3, "\13\334+LNme\314\333\300\352\340\33-K[I\250\237\336\13\226\317\336\373\6]%3\340ERa\362\367\274I)W\241\260\22\242\250@q"\324\241V\337\342\3340F\304\276\14\364\373\3?ou\4\253\276;\273&8\312\225\212\206\335\241\272^\337", 80, ... ) \324\241V\337\342\3340F\304\276\14\364\373\3?ou\4\253\276;\273&8\312\225\212\206\335\241\272^\337", 80, ... ) == 0x0 00960 928 NtClose (-2147482584, ... ) == 0x0 00950 928 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "W\213\254\2`i\326\260\250\354\370\361\3J\3137/\366 S\375.\"ReU\226\322\321\210\27\341\212\241\266\2\354\205\320\212`\362\33\355\274{\332\230\304\211\330vp\352dwvn\372\210\245\271E>3\362a\30\2\2\266[\231\310\366\245\13i\267\35r\326\313F\224\335\3754\212\254Og5$\232'\1\265\234\352\37\275icr\79\222"\202-\247q\245\263\233\222\374`:A\303g\363z\370/\350\357f\263/\260P\347z\301\22\305Vy\205AB\330\273A\332\363\305\276\206\177_\215y\237\336\3"|\257\224\273w\341r\222\245\343'i7\30\364\17\306\376U\7\301\335b\271\360:[\215\317\255H\332^^\362V\206\236L\336\234D\346\326\361P\322\251\262\264\345\363\215\21\312\215\361{A9m\272\312\260\215\7\337\330\213\232\35{\5\34\326\377\217Z\324\261_+\344\2125\245Zw\274\10m&\326t", ) ReU\226\322\321\210\27\341\212\241\266\2\354\205\320\212`\362\33\355\274{\332\230\304\211\330vp\352dwvn\372\210\245\271E>3\362a\30\2\2\266[\231\310\366\245\13i\267\35r\326\313F\224\335\3754\212\254Og5$\232'\1\265\234\352\37\275icr\79\222 ... {status=0x0, info=256}, "W\213\254\2`i\326\260\250\354\370\361\3J\3137/\366 S\375.\"ReU\226\322\321\210\27\341\212\241\266\2\354\205\320\212`\362\33\355\274{\332\230\304\211\330vp\352dwvn\372\210\245\271E>3\362a\30\2\2\266[\231\310\366\245\13i\267\35r\326\313F\224\335\3754\212\254Og5$\232'\1\265\234\352\37\275icr\79\222"\202-\247q\245\263\233\222\374`:A\303g\363z\370/\350\357f\263/\260P\347z\301\22\305Vy\205AB\330\273A\332\363\305\276\206\177_\215y\237\336\3"|\257\224\273w\341r\222\245\343'i7\30\364\17\306\376U\7\301\335b\271\360:[\215\317\255H\332^^\362V\206\236L\336\234D\346\326\361P\322\251\262\264\345\363\215\21\312\215\361{A9m\272\312\260\215\7\337\330\213\232\35{\5\34\326\377\217Z\324\261_+\344\2125\245Zw\274\10m&\326t", ) |\257\224\273w\341r\222\245\343'i7\30\364\17\306\376U\7\301\335b\271\360:[\215\317\255H\332^^\362V\206\236L\336\234D\346\326\361P\322\251\262\264\345\363\215\21\312\215\361{A9m\272\312\260\215\7\337\330\213\232\35{\5\34\326\377\217Z\324\261_+\344\2125\245Zw\274\10m&\326t", ) == 
0x0 00961 928 NtDeviceIoControlFile (44, 0, 0x0, 0x0, 0x390008, (44, 0, 0x0, 0x0, 0x390008, "\273@\316\241\22\207\27T\2654\250\314*\271\333\325p\2634I\266\365kp\2634I\266\365kp\2634I\266\365kp\2634I\266\365kp\2634I\266\365kp\2634I\266\21\255\350\6\372Q\246\224-\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 00962 928 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 00963 928 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 00964 928 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 00965 928 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 00966 928 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 00967 928 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 00968 928 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 00969 928 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482584, 2, ) }, 0, 0x0, 0, ... -2147482584, 2, ) == 0x0 00970 928 NtSetValueKey (-2147482584, (-2147482584, "Seed", 0, 3, "yY]\32\302\250\271=\3411Y\35KK\233\227$eTJg\35@\36%\232N\1\35#Fq7\275\220\233\203\11\211rPD\265J\240\334\227\34\377f}K9q\223\240\213\23*\13,\12F\242\222\252\7Ia\355\3208\15u\29V\230N\321", 80, ... 
) , 0, 3, (-2147482584, "Seed", 0, 3, "yY]\32\302\250\271=\3411Y\35KK\233\227$eTJg\35@\36%\232N\1\35#Fq7\275\220\233\203\11\211rPD\265J\240\334\227\34\377f}K9q\223\240\213\23*\13,\12F\242\222\252\7Ia\355\3208\15u\29V\230N\321", 80, ... ) , 80, ... ) == 0x0 00971 928 NtClose (-2147482584, ... ) == 0x0 00961 928 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "4\360\27\323\243\267\335\373\177\30\376\310V\330|.\363}U\20*[\231\2124P5\345\325\360\323\235\233pd\237\340\33\23{~\324\210\314\2746\202Swo\12x)\242\317\324\212\265\203xD\310\310\16\360E*\244\27\6\2\6\270Hf\333\376{\311\260\232\277J\307u\334\204\234I\314\22\262c\32`\30t{\2136G\333#W^(\27\13\20\233n\241G\312tR\216\270\340\232}\255T|\205\177\260\242rHA\300\377jv\270@ bC\316\234}N\365\21L^\323F\\235t\331\3046\17", ) , ) == 0x0 00972 928 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 124, ) == 0x0 00973 928 NtConnectPort ( ("\RPC Control\IcaApi", {12, 2, 1, 0}, 0x0, 0x0, 1234748, 188, ... 128, 0x0, 0x0, 0x0, 188, ) , {12, 2, 1, 0}, 0x0, 0x0, 1234748, 188, ... 128, 0x0, 0x0, 0x0, 188, ) == 0x0 00974 928 NtRequestWaitReplyPort (128, {200, 224, new_msg, 0, 1350664, 12, 2, 1310721} (128, {200, 224, new_msg, 0, 1350664, 12, 2, 1310721} "\0\0\0\0\274\0\0\0x\1\24\0`\247\244\\261\353\317\21\206\21\0\240$T \355\1\0\0\0\1\0\0\08\232\24\0\4\0\0\0x\1\24\0\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\24\0\2\0\0\0\357O\30\242hBY\303\270\233\24\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0\220\233\24\0\251&w\375x\1\24\0\260\233\24\0h\1\24\0\0\0\0\0\0\0\0\0\260\233\24\0P\0\0\0\270\233\24\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\274\325\22\0\372\31\221|P\335\22\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ... 
{200, 224, reply, 0, 1972, 928, 57975, 0} "\7\0\0\0\274\0\0\0x\1\24\0`\247\244\\261\353\317\21\206\21\0\240$T \355\1\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0x\1\24\0\377\377\377\377\5\0\0\0x\1\24\0\0\0\0\0\0\0\24\0\2\0\0\0\357O\30\242hBY\303\270\233\24\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0\220\233\24\0\251&w\375x\1\24\0\260\233\24\0h\1\24\0\0\0\0\0\0\0\0\0\260\233\24\0P\0\0\0\270\233\24\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\274\325\22\0\372\31\221|P\335\22\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ) ... {200, 224, reply, 0, 1972, 928, 57975, 0} (128, {200, 224, new_msg, 0, 1350664, 12, 2, 1310721} "\0\0\0\0\274\0\0\0x\1\24\0`\247\244\\261\353\317\21\206\21\0\240$T \355\1\0\0\0\1\0\0\08\232\24\0\4\0\0\0x\1\24\0\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\24\0\2\0\0\0\357O\30\242hBY\303\270\233\24\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0\220\233\24\0\251&w\375x\1\24\0\260\233\24\0h\1\24\0\0\0\0\0\0\0\0\0\260\233\24\0P\0\0\0\270\233\24\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\274\325\22\0\372\31\221|P\335\22\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ... {200, 224, reply, 0, 1972, 928, 57975, 0} "\7\0\0\0\274\0\0\0x\1\24\0`\247\244\\261\353\317\21\206\21\0\240$T \355\1\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0x\1\24\0\377\377\377\377\5\0\0\0x\1\24\0\0\0\0\0\0\0\24\0\2\0\0\0\357O\30\242hBY\303\270\233\24\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0\220\233\24\0\251&w\375x\1\24\0\260\233\24\0h\1\24\0\0\0\0\0\0\0\0\0\260\233\24\0P\0\0\0\270\233\24\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\274\325\22\0\372\31\221|P\335\22\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ) ) == 0x0 00975 928 NtRequestWaitReplyPort (128, {32, 56, new_msg, 0, 0, 0, 0, 0} (128, {32, 56, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\3\0\0`\247\244\\261\353\317\21\206\21\0\240$T \355\377\377\377\377\0\0\0\0" ... 
{124, 148, reply, 0, 1972, 928, 57976, 0} "\2\356Q\200\1\0\0\0\30b\202\201\0\260\375\177\220k\364\367\370\37`\300lk\364\367X\353Q\200\0\0\0\0\0\0\0\0)%\25E?>\A\250\245\22\360\331E\16S\1\300\375\177(l\364\367\253\362Q\200\324k\364\367\300\250U\200aFT\200\0\0\0\0h\242\250\201\0;\251\201\1`\202\201\0\0\0\0\0\376?\300\344\243n\371\20W\271\201\2\0\0\0\240V\271\201\240V\271\201" ) ... {124, 148, reply, 0, 1972, 928, 57976, 0} (128, {32, 56, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\3\0\0`\247\244\\261\353\317\21\206\21\0\240$T \355\377\377\377\377\0\0\0\0" ... {124, 148, reply, 0, 1972, 928, 57976, 0} "\2\356Q\200\1\0\0\0\30b\202\201\0\260\375\177\220k\364\367\370\37`\300lk\364\367X\353Q\200\0\0\0\0\0\0\0\0)%\25E?>\A\250\245\22\360\331E\16S\1\300\375\177(l\364\367\253\362Q\200\324k\364\367\300\250U\200aFT\200\0\0\0\0h\242\250\201\0;\251\201\1`\202\201\0\0\0\0\0\376?\300\344\243n\371\20W\271\201\2\0\0\0\240V\271\201\240V\271\201" ) ) == 0x0 00976 928 NtAllocateVirtualMemory (-1, 1351680, 0, 4096, 4096, 4, ... 1351680, 4096, ) == 0x0 00977 928 NtRequestWaitReplyPort (128, {44, 68, new_msg, 56, 1972, 928, 57976, 0} (128, {44, 68, new_msg, 56, 1972, 928, 57976, 0} "\1\356\0\0B\2\5\0\30b\202\201\0\260\375\177\220k\364\367\370\37`\300\377\377\377\377X\353Q\200\1\0\0\0\210\236\24\0\10\5\0\0" ... {40, 64, reply, 0, 1972, 928, 57977, 0} "\2\31\221|\4\0\221|\200\300\227|p\31\221|\250$\12\0\330\0\0\0d\365\11\0\0\300\372\177\14\5\0\0\320\371\15\0" ) ... {40, 64, reply, 0, 1972, 928, 57977, 0} (128, {44, 68, new_msg, 56, 1972, 928, 57976, 0} "\1\356\0\0B\2\5\0\30b\202\201\0\260\375\177\220k\364\367\370\37`\300\377\377\377\377X\353Q\200\1\0\0\0\210\236\24\0\10\5\0\0" ... 
{40, 64, reply, 0, 1972, 928, 57977, 0} "\2\31\221|\4\0\221|\200\300\227|p\31\221|\250$\12\0\330\0\0\0d\365\11\0\0\300\372\177\14\5\0\0\320\371\15\0" ) ) == 0x0 00978 928 NtRequestWaitReplyPort (128, {64, 88, new_msg, 56, 1351024, 1235324, 1351296, 0} (128, {64, 88, new_msg, 56, 1351024, 1235324, 1351296, 0} "\10\0\0\0@\0\1\10\2\0\0t\330\22\0\210\236\24\0\220\335\22\0\30\356\220|p\5\221|\1\0\0\0\210\236\24\0\14\5\0\0\14\5\0\0\320\371\15\0\0\0\0\0\0\0\0\0\273f\347w" ... {64, 88, reply, 56, 1972, 928, 57978, 0} "\10\0\0\0@\0\1\10\2\0\0t\330\22\0\210\236\24\0\220\335\22\0\30\356\220|p\5\221|\1\0\0\0\210\236\24\0\14\5\0\0\14\5\0\0\320\371\15\0\0\0\0\0\0\0\0\0\273f\347w" ) ... {64, 88, reply, 56, 1972, 928, 57978, 0} (128, {64, 88, new_msg, 56, 1351024, 1235324, 1351296, 0} "\10\0\0\0@\0\1\10\2\0\0t\330\22\0\210\236\24\0\220\335\22\0\30\356\220|p\5\221|\1\0\0\0\210\236\24\0\14\5\0\0\14\5\0\0\320\371\15\0\0\0\0\0\0\0\0\0\273f\347w" ... {64, 88, reply, 56, 1972, 928, 57978, 0} "\10\0\0\0@\0\1\10\2\0\0t\330\22\0\210\236\24\0\220\335\22\0\30\356\220|p\5\221|\1\0\0\0\210\236\24\0\14\5\0\0\14\5\0\0\320\371\15\0\0\0\0\0\0\0\0\0\273f\347w" ) ) == 0x0 00979 928 NtRequestWaitReplyPort (128, {44, 68, new_msg, 56, 1972, 928, 57977, 0} (128, {44, 68, new_msg, 56, 1972, 928, 57977, 0} "\1\31\0\0B\2\5\0\200\300\227|p\31\221|\250$\12\0\330\0\0\0\377\377\377\377\0\300\372\177\1\0\0\0\210\236\24\0\10\5\0\0" ... {40, 64, reply, 0, 1972, 928, 57979, 0} "\2\356Q\200\4\0\0\0\30b\202\201\0\260\375\177\220k\364\367\370\37`\300lk\364\367X\353Q\200\14\5\0\0\320\371\15\0" ) ... {40, 64, reply, 0, 1972, 928, 57979, 0} (128, {44, 68, new_msg, 56, 1972, 928, 57977, 0} "\1\31\0\0B\2\5\0\200\300\227|p\31\221|\250$\12\0\330\0\0\0\377\377\377\377\0\300\372\177\1\0\0\0\210\236\24\0\10\5\0\0" ... 
{40, 64, reply, 0, 1972, 928, 57979, 0} "\2\356Q\200\4\0\0\0\30b\202\201\0\260\375\177\220k\364\367\370\37`\300lk\364\367X\353Q\200\14\5\0\0\320\371\15\0" ) ) == 0x0 00980 928 NtRequestWaitReplyPort (128, {64, 88, new_msg, 56, 1351024, 1235324, 1351296, 0} (128, {64, 88, new_msg, 56, 1351024, 1235324, 1351296, 0} "\10\0\0\0@\0\1\10\2\0\0t\330\22\0\210\236\24\0\220\335\22\0\30\356\220|p\5\221|\1\0\0\0\210\236\24\0\14\5\0\0\14\5\0\0\320\371\15\0\0\0\0\0\0\0\0\0\273f\347w" ... {64, 88, reply, 56, 1972, 928, 57980, 0} "\10\0\0\0@\0\1\10\2\0\0t\330\22\0\210\236\24\0\220\335\22\0\30\356\220|p\5\221|\1\0\0\0\210\236\24\0\14\5\0\0\14\5\0\0\320\371\15\0\0\0\0\0\0\0\0\0\273f\347w" ) ... {64, 88, reply, 56, 1972, 928, 57980, 0} (128, {64, 88, new_msg, 56, 1351024, 1235324, 1351296, 0} "\10\0\0\0@\0\1\10\2\0\0t\330\22\0\210\236\24\0\220\335\22\0\30\356\220|p\5\221|\1\0\0\0\210\236\24\0\14\5\0\0\14\5\0\0\320\371\15\0\0\0\0\0\0\0\0\0\273f\347w" ... {64, 88, reply, 56, 1972, 928, 57980, 0} "\10\0\0\0@\0\1\10\2\0\0t\330\22\0\210\236\24\0\220\335\22\0\30\356\220|p\5\221|\1\0\0\0\210\236\24\0\14\5\0\0\14\5\0\0\320\371\15\0\0\0\0\0\0\0\0\0\273f\347w" ) ) == 0x0 00981 928 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 132, ) }, ... 132, ) == 0x0 00982 928 NtOpenKey (0x20019, {24, 132, 0x40, 0, 0, (0x20019, {24, 132, 0x40, 0, 0, "ActiveComputerName"}, ... 136, ) }, ... 136, ) == 0x0 00983 928 NtQueryValueKey (136, (136, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (136, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Data= (136, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) }, 60, ) == 0x0 00984 928 NtClose (136, ... 
) == 0x0 00985 928 NtClose (132, ... ) == 0x0 00986 928 NtCreateIoCompletion (0x1f0003, 0x0, 0, ... 132, ) == 0x0 00987 928 NtCreateIoCompletion (0x1f0003, 0x0, -1, ... 136, ) == 0x0 00988 928 NtDuplicateObject (-1, 132, -1, 0x0, 0, 2, ... 140, ) == 0x0 00989 928 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 00990 928 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 144, ) == 0x0 00991 928 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 00992 928 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 00993 928 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1234784, (0xc0100080, {24, 0, 0x40, 0, 1234784, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 148, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 148, {status=0x0, info=1}, ) == 0x0 00994 928 NtSetInformationFile (148, 1234840, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 00995 928 NtSetInformationFile (148, 1234828, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 00996 928 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 00997 928 NtWriteFile (148, 117, 0, 0, (148, 117, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 00998 928 NtReadFile (148, 117, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (148, 117, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20,+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 00999 928 NtFsControlFile (148, 117, 0x0, 0x0, 0x11c017, (148, 117, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\336\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... 
{status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20,+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68}, (148, 117, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\336\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20,+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 01000 928 NtFsControlFile (148, 117, 0x0, 0x0, 0x11c017, (148, 117, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\214\0\0\0\2\0\0\0t\0\0\0\0\0D\0\0\0\0\0\24\316\274T\274\235tH\233\354\372\234W@\301\22\1\0\0\0\1\0\0\0,\0.\0\334\340\22\0\27\0\0\0\0\0\0\0\26\0\0\0V\0I\0R\0T\0U\0A\0L\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 140, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\24\316\274T\274\235tH\233\354\372\234W@\301\22\0\0\0\0", ) , 140, 1024, ... {status=0x103, info=48}, (148, 117, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\214\0\0\0\2\0\0\0t\0\0\0\0\0D\0\0\0\0\0\24\316\274T\274\235tH\233\354\372\234W@\301\22\1\0\0\0\1\0\0\0,\0.\0\334\340\22\0\27\0\0\0\0\0\0\0\26\0\0\0V\0I\0R\0T\0U\0A\0L\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 140, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\24\316\274T\274\235tH\233\354\372\234W@\301\22\0\0\0\0", ) , ) == 0x103 01001 928 NtFsControlFile (148, 117, 0x0, 0x0, 0x11c017, (148, 117, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\24\316\274T\274\235tH\233\354\372\234W@\301\22", 44, 1024, ... 
{status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\250\251\24\0\1\0\0\0\264\251\24\0 \0\0\0\1\0\0\0\16\0\20\0\300\251\24\0\320\251\24\0\10\0\0\0\0\0\0\0\7\0\0\0V\0I\0R\0T\0U\0A\0L\0\0\5\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\1\0\0\0\20\252\24\0\1\0\0\0\1\0\0\0 \252\24\0\0\0\0\0\0\0\0\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\353\3\0\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=180}, (148, 117, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\24\316\274T\274\235tH\233\354\372\234W@\301\22", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\250\251\24\0\1\0\0\0\264\251\24\0 \0\0\0\1\0\0\0\16\0\20\0\300\251\24\0\320\251\24\0\10\0\0\0\0\0\0\0\7\0\0\0V\0I\0R\0T\0U\0A\0L\0\0\5\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\1\0\0\0\20\252\24\0\1\0\0\0\1\0\0\0 \252\24\0\0\0\0\0\0\0\0\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\353\3\0\0\1\0\0\0\0\0\0\0", ) , ) == 0x103 01002 928 NtClose (144, ... ) == 0x0 01003 928 NtClose (148, ... ) == 0x0 01004 928 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01005 928 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 148, ) == 0x0 01006 928 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01007 928 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01008 928 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1234756, (0xc0100080, {24, 0, 0x40, 0, 1234756, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 144, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 144, {status=0x0, info=1}, ) == 0x0 01009 928 NtSetInformationFile (144, 1234812, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 01010 928 NtSetInformationFile (144, 1234800, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 01011 928 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... 
) == 0x0 01012 928 NtWriteFile (144, 117, 0, 0, (144, 117, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 01013 928 NtReadFile (144, 117, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (144, 117, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20-+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 01014 928 NtFsControlFile (144, 117, 0x0, 0x0, 0x11c017, (144, 117, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\14\336\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20-+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68}, (144, 117, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\14\336\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20-+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 01015 928 NtFsControlFile (144, 117, 0x0, 0x0, 0x11c017, (144, 117, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\214\0\0\0\2\0\0\0t\0\0\0\0\0D\0\0\0\0\0\2169\4V\276h{J\225\236o\243\366\340=\216\1\0\0\0\1\0\0\0,\0.\0\334\340\22\0\27\0\0\0\0\0\0\0\26\0\0\0V\0I\0R\0T\0U\0A\0L\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 140, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\2169\4V\276h{J\225\236o\243\366\340=\216\0\0\0\0", ) , 140, 1024, ... 
{status=0x103, info=48}, (144, 117, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\214\0\0\0\2\0\0\0t\0\0\0\0\0D\0\0\0\0\0\2169\4V\276h{J\225\236o\243\366\340=\216\1\0\0\0\1\0\0\0,\0.\0\334\340\22\0\27\0\0\0\0\0\0\0\26\0\0\0V\0I\0R\0T\0U\0A\0L\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 140, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\2169\4V\276h{J\225\236o\243\366\340=\216\0\0\0\0", ) , ) == 0x103 01016 928 NtFsControlFile (144, 117, 0x0, 0x0, 0x11c017, (144, 117, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\2169\4V\276h{J\225\236o\243\366\340=\216", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\250\251\24\0\1\0\0\0\264\251\24\0 \0\0\0\1\0\0\0\16\0\20\0\300\251\24\0\320\251\24\0\10\0\0\0\0\0\0\0\7\0\0\0V\0I\0R\0T\0U\0A\0L\0\0\5\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\1\0\0\0\20\252\24\0\1\0\0\0\1\0\0\0 \252\24\0\0\0\0\0\0\0\0\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\353\3\0\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=180}, (144, 117, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\2169\4V\276h{J\225\236o\243\366\340=\216", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\250\251\24\0\1\0\0\0\264\251\24\0 \0\0\0\1\0\0\0\16\0\20\0\300\251\24\0\320\251\24\0\10\0\0\0\0\0\0\0\7\0\0\0V\0I\0R\0T\0U\0A\0L\0\0\5\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\1\0\0\0\20\252\24\0\1\0\0\0\1\0\0\0 \252\24\0\0\0\0\0\0\0\0\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\353\3\0\0\1\0\0\0\0\0\0\0", ) , ) == 0x103 01017 928 NtClose (148, ... ) == 0x0 01018 928 NtClose (144, ... ) == 0x0 01019 928 NtOpenProcessToken (-1, 0x20008, ... 144, ) == 0x0 01020 928 NtQueryInformationToken (144, User, 0, ... 
) == STATUS_BUFFER_TOO_SMALL 01021 928 NtQueryInformationToken (144, User, 36, ... {token info, class 1, size 36}, 36, ) == 0x0 01022 928 NtOpenDirectoryObject (0x2, {24, 0, 0x40, 0, 0, (0x2, {24, 0, 0x40, 0, 0, "\Windows\WindowStations"}, ... 148, ) }, ... 148, ) == 0x0 01023 928 NtUserOpenWindowStation ({24, 148, 0x40, 0, 0, ({24, 148, 0x40, 0, 0, "winsta0"}, 0x37f, ... ) }, 0x37f, ... ) == 0x98 01024 928 NtClose (148, ... ) == 0x0 01025 928 NtUserCloseWindowStation (152, ... 01026 928 NtClose (152, ... ) == 0x0 01025 928 NtUserCloseWindowStation ... ) == 0x1 01027 928 NtClose (144, ... ) == 0x0 01028 928 NtCreateEvent (0x1f0003, {24, 0, 0x2, 0, 0, 0x0}, 1, 0, ... 144, ) == 0x0 01029 928 NtCreateEvent (0x1f0003, {24, 0, 0x2, 0, 0, 0x0}, 1, 0, ... 152, ) == 0x0 01030 928 NtCreateMutant (0x1f0001, {24, 0, 0x2, 0, 0, 0x0}, 0, ... 148, ) == 0x0 01031 928 NtDuplicateObject (-1, -1, -1, 0x1f0fff, 2, 0, ... 156, ) == 0x0 01032 928 NtCreateSection (0xf0007, {24, 0, 0x2, 0, 0, 0x0}, {7248, 0}, 4, 134217728, 0, ... 160, ) == 0x0 01033 928 NtMapViewOfSection (160, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3d0000), {0, 0}, 8192, ) == 0x0 01034 928 NtQueryDefaultUILanguage (1235448, ... 01035 928 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01036 928 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482584, ) == 0x0 01037 928 NtQueryInformationToken (-2147482584, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01038 928 NtClose (-2147482584, ... ) == 0x0 01039 928 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482584, ) }, ... -2147482584, ) == 0x0 01040 928 NtOpenKey (0x80000000, {24, -2147482584, 0x240, 0, 0, (0x80000000, {24, -2147482584, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01041 928 NtOpenKey (0x80000000, {24, -2147482584, 0x640, 0, 0, (0x80000000, {24, -2147482584, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481332, ) }, ... -2147481332, ) == 0x0 01042 928 NtQueryValueKey (-2147481332, (-2147481332, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01043 928 NtClose (-2147481332, ... ) == 0x0 01044 928 NtClose (-2147482584, ... ) == 0x0 01034 928 NtQueryDefaultUILanguage ... ) == 0x0 01045 928 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01046 928 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01047 928 NtAllocateVirtualMemory (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0 01048 928 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1233692, ... ) }, 1233692, ... ) == 0x0 01049 928 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1232464, ... ) }, 1232464, ... ) == 0x0 01050 928 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01051 928 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01052 928 NtCreateFile (0x10100080, {24, 0, 0x40, 0, 1234800, (0x10100080, {24, 0, 0x40, 0, 1234800, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\145c_appcompat.txt"}, 0x0, 128, 0, 2, 96, 0, 0, ... }, 0x0, 128, 0, 2, 96, 0, 0, ... 01053 928 NtQueryDirectoryFile (-2147482584, 0, 0, 0, -519819264, 4096, Names, 1, (-2147482584, 0, 0, 0, -519819264, 4096, Names, 1, "DOCUME~1", 1, ... {status=0x0, info=56}, ) , 1, ... {status=0x0, info=56}, ) == 0x0 01054 928 NtClose (-2147482584, ... ) == 0x0 01055 928 NtQueryDirectoryFile (-2147482584, 0, 0, 0, -519819264, 4096, Names, 1, (-2147482584, 0, 0, 0, -519819264, 4096, Names, 1, "MARTIM~1", 1, ... 
{status=0x0, info=40}, ) , 1, ... {status=0x0, info=40}, ) == 0x0 01056 928 NtClose (-2147482584, ... ) == 0x0 01057 928 NtQueryDirectoryFile (-2147482584, 0, 0, 0, -519819264, 4096, Names, 1, (-2147482584, 0, 0, 0, -519819264, 4096, Names, 1, "LOCALS~1", 1, ... {status=0x0, info=40}, ) , 1, ... {status=0x0, info=40}, ) == 0x0 01058 928 NtClose (-2147482584, ... ) == 0x0 01052 928 NtCreateFile ... 164, {status=0x0, info=2}, ) == 0x0 01059 928 NtClose (164, ... ) == 0x0 01060 928 NtCreateSection (0xf001f, 0x0, {4194304, 0}, 4, 67108864, 0, ... 164, ) == 0x0 01061 928 NtMapViewOfSection (164, -1, (0x0), 0, 0, 0x0, 4194304, 2, 0, 4, ... (0xa90000), 0x0, 4194304, ) == 0x0 01062 928 NtAllocateVirtualMemory (-1, 11075584, 0, 1, 4096, 4, ... 11075584, 4096, ) == 0x0 01063 928 NtAllocateVirtualMemory (-1, 11079680, 0, 1968, 4096, 4, ... 11079680, 4096, ) == 0x0 01064 928 NtCreateSection (0xf0007, 0x0, {22396, 0}, 4, 134217728, 0, ... 168, ) == 0x0 01065 928 NtMapViewOfSection (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0 01066 928 NtUnmapViewOfSection (-1, 0x3e0000, ... ) == 0x0 01067 928 NtMapViewOfSection (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0 01068 928 NtClose (164, ... ) == 0x0 01069 928 NtUnmapViewOfSection (-1, 0xa90000, ... ) == 0x0 01070 928 NtUnmapViewOfSection (-1, 0x3e0000, ... ) == 0x0 01071 928 NtMapViewOfSection (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0 01072 928 NtUnmapViewOfSection (-1, 0x3e0000, ... ) == 0x0 01073 928 NtMapViewOfSection (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0 01074 928 NtUnmapViewOfSection (-1, 0x3e0000, ... ) == 0x0 01075 928 NtMapViewOfSection (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0 01076 928 NtUnmapViewOfSection (-1, 0x3e0000, ... ) == 0x0 01077 928 NtMapViewOfSection (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... 
(0x3e0000), {0, 0}, 24576, ) == 0x0 01078 928 NtUnmapViewOfSection (-1, 0x3e0000, ... ) == 0x0 01079 928 NtMapViewOfSection (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0 01080 928 NtUnmapViewOfSection (-1, 0x3e0000, ... ) == 0x0 01081 928 NtMapViewOfSection (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0 01082 928 NtUnmapViewOfSection (-1, 0x3e0000, ... ) == 0x0 01083 928 NtMapViewOfSection (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0 01084 928 NtUnmapViewOfSection (-1, 0x3e0000, ... ) == 0x0 01085 928 NtMapViewOfSection (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0 01086 928 NtUnmapViewOfSection (-1, 0x3e0000, ... ) == 0x0 01087 928 NtMapViewOfSection (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0 01088 928 NtUnmapViewOfSection (-1, 0x3e0000, ... ) == 0x0 01089 928 NtMapViewOfSection (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0 01090 928 NtUnmapViewOfSection (-1, 0x3e0000, ... ) == 0x0 01091 928 NtMapViewOfSection (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0 01092 928 NtUnmapViewOfSection (-1, 0x3e0000, ... ) == 0x0 01093 928 NtMapViewOfSection (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0 01094 928 NtUnmapViewOfSection (-1, 0x3e0000, ... ) == 0x0 01095 928 NtMapViewOfSection (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0 01096 928 NtUnmapViewOfSection (-1, 0x3e0000, ... ) == 0x0 01097 928 NtMapViewOfSection (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0 01098 928 NtUnmapViewOfSection (-1, 0x3e0000, ... ) == 0x0 01099 928 NtMapViewOfSection (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0 01100 928 NtUnmapViewOfSection (-1, 0x3e0000, ... 
) == 0x0 01101 928 NtMapViewOfSection (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0 01102 928 NtUnmapViewOfSection (-1, 0x3e0000, ... ) == 0x0 01103 928 NtMapViewOfSection (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0 01104 928 NtUnmapViewOfSection (-1, 0x3e0000, ... ) == 0x0 01105 928 NtMapViewOfSection (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0 01106 928 NtUnmapViewOfSection (-1, 0x3e0000, ... ) == 0x0 01107 928 NtMapViewOfSection (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0 01108 928 NtUnmapViewOfSection (-1, 0x3e0000, ... ) == 0x0 01109 928 NtMapViewOfSection (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0 01110 928 NtUnmapViewOfSection (-1, 0x3e0000, ... ) == 0x0 01111 928 NtMapViewOfSection (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0 01112 928 NtUnmapViewOfSection (-1, 0x3e0000, ... ) == 0x0 01113 928 NtMapViewOfSection (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0 01114 928 NtUnmapViewOfSection (-1, 0x3e0000, ... ) == 0x0 01115 928 NtClose (168, ... ) == 0x0 01116 928 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 01117 928 NtOpenFile (0x100080, {24, 0, 0x40, 0, 0, (0x100080, {24, 0, 0x40, 0, 0, "\??\u:"}, 3, 96, ... 168, {status=0x0, info=1}, ) }, 3, 96, ... 168, {status=0x0, info=1}, ) == 0x0 01118 928 NtOpenSymbolicLinkObject (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\??\u:"}, ... 164, ) }, ... 164, ) == 0x0 01119 928 NtQuerySymbolicLinkObject (164, ... (164, ... "\Device\WinDfs\U:0000000000009f43", 66, ) , 66, ) == 0x0 01120 928 NtClose (164, ... ) == 0x0 01121 928 NtQueryVolumeInformationFile (168, 1234016, 8, Device, ... {status=0x0, info=8}, ) == 0x0 01122 928 NtClose (168, ... 
) == 0x0 01123 928 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\apphelp.dll"}, 1232812, ... ) }, 1232812, ... ) == 0x0 01124 928 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\apphelp.dll"}, 5, 96, ... 168, {status=0x0, info=1}, ) }, 5, 96, ... 168, {status=0x0, info=1}, ) == 0x0 01125 928 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 168, ... 164, ) == 0x0 01126 928 NtClose (168, ... ) == 0x0 01127 928 NtMapViewOfSection (164, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x3e0000), 0x0, 126976, ) == 0x0 01128 928 NtClose (164, ... ) == 0x0 01129 928 NtUnmapViewOfSection (-1, 0x3e0000, ... ) == 0x0 01130 928 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\apphelp.dll"}, 1233120, ... ) }, 1233120, ... ) == 0x0 01131 928 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\apphelp.dll"}, 5, 96, ... 164, {status=0x0, info=1}, ) }, 5, 96, ... 164, {status=0x0, info=1}, ) == 0x0 01132 928 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 164, ... 168, ) == 0x0 01133 928 NtQuerySection (168, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01134 928 NtClose (164, ... ) == 0x0 01135 928 NtMapViewOfSection (168, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77b40000), 0x0, 139264, ) == 0x0 01136 928 NtClose (168, ... ) == 0x0 01137 928 NtProtectVirtualMemory (-1, (0x77b41000), 524, 4, ... (0x77b41000), 4096, 32, ) == 0x0 01138 928 NtProtectVirtualMemory (-1, (0x77b41000), 4096, 32, ... (0x77b41000), 4096, 4, ) == 0x0 01139 928 NtFlushInstructionCache (-1, 2008289280, 524, ... ) == 0x0 01140 928 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\apphelp.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01141 928 NtAllocateVirtualMemory (-1, 1355776, 0, 12288, 4096, 4, ... 
1355776, 12288, ) == 0x0 01142 928 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1234508, ... ) }, 1234508, ... ) == 0x0 01143 928 NtCreateFile (0x40100080, {24, 0, 0x40, 0, 1234516, (0x40100080, {24, 0, 0x40, 0, 1234516, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\145c_appcompat.txt"}, 0x0, 128, 0, 5, 96, 0, 0, ... }, 0x0, 128, 0, 5, 96, 0, 0, ... 01144 928 NtClose (-2147482584, ... ) == 0x0 01145 928 NtQueryDirectoryFile (-2147482584, 0, 0, 0, -519819264, 4096, Names, 1, (-2147482584, 0, 0, 0, -519819264, 4096, Names, 1, "DOCUME~1", 1, ... {status=0x0, info=56}, ) , 1, ... {status=0x0, info=56}, ) == 0x0 01146 928 NtClose (-2147482584, ... ) == 0x0 01147 928 NtQueryDirectoryFile (-2147482584, 0, 0, 0, -519819264, 4096, Names, 1, (-2147482584, 0, 0, 0, -519819264, 4096, Names, 1, "MARTIM~1", 1, ... {status=0x0, info=40}, ) , 1, ... {status=0x0, info=40}, ) == 0x0 01148 928 NtClose (-2147482584, ... ) == 0x0 01149 928 NtQueryDirectoryFile (-2147482584, 0, 0, 0, -519819264, 4096, Names, 1, (-2147482584, 0, 0, 0, -519819264, 4096, Names, 1, "LOCALS~1", 1, ... {status=0x0, info=40}, ) , 1, ... {status=0x0, info=40}, ) == 0x0 01150 928 NtClose (-2147482584, ... ) == 0x0 01143 928 NtCreateFile ... 168, {status=0x0, info=3}, ) == 0x0 01151 928 NtAllocateVirtualMemory (-1, 1368064, 0, 12288, 4096, 4, ... 1368064, 12288, ) == 0x0 01152 928 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work\"}, 3, 16417, ... 164, {status=0x0, info=1}, ) }, 3, 16417, ... 164, {status=0x0, info=1}, ) == 0x0 01153 928 NtQueryDirectoryFile (164, 0, 0, 0, 1233220, 616, BothDirectory, 1, (164, 0, 0, 0, 1233220, 616, BothDirectory, 1, "packed.exe", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0 01154 928 NtWriteFile (168, 0, 0, 0, (168, 0, 0, 0, "\377\376", 2, 0x0, 0, ... {status=0x0, info=2}, ) , 2, 0x0, 0, ... 
{status=0x0, info=2}, ) == 0x0 01155 928 NtWriteFile (168, 0, 0, 0, (168, 0, 0, 0, "<\0?\0x\0m\0l\0 \0v\0e\0r\0s\0i\0o\0n\0=\0"\01\0.\00\0"\0 \0e\0n\0c\0o\0d\0i\0n\0g\0=\0"\0U\0T\0F\0-\01\06\0"\0?\0>\0\15\0\12\0<\0D\0A\0T\0A\0B\0A\0S\0E\0>\0\15\0\12\0", 106, 0x0, 0, ... {status=0x0, info=106}, ) \01\0.\00\0 (168, 0, 0, 0, "<\0?\0x\0m\0l\0 \0v\0e\0r\0s\0i\0o\0n\0=\0"\01\0.\00\0"\0 \0e\0n\0c\0o\0d\0i\0n\0g\0=\0"\0U\0T\0F\0-\01\06\0"\0?\0>\0\15\0\12\0<\0D\0A\0T\0A\0B\0A\0S\0E\0>\0\15\0\12\0", 106, 0x0, 0, ... {status=0x0, info=106}, ) \0U\0T\0F\0-\01\06\0 (168, 0, 0, 0, "<\0?\0x\0m\0l\0 \0v\0e\0r\0s\0i\0o\0n\0=\0"\01\0.\00\0"\0 \0e\0n\0c\0o\0d\0i\0n\0g\0=\0"\0U\0T\0F\0-\01\06\0"\0?\0>\0\15\0\12\0<\0D\0A\0T\0A\0B\0A\0S\0E\0>\0\15\0\12\0", 106, 0x0, 0, ... {status=0x0, info=106}, ) , 106, 0x0, 0, ... {status=0x0, info=106}, ) == 0x0 01156 928 NtWriteFile (168, 0, 0, 0, (168, 0, 0, 0, "<\0E\0X\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0F\0I\0L\0T\0E\0R\0=\0"\0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0"\0>\0\15\0\12\0", 122, 0x0, 0, ... {status=0x0, info=122}, ) \0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0 (168, 0, 0, 0, "<\0E\0X\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0F\0I\0L\0T\0E\0R\0=\0"\0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0"\0>\0\15\0\12\0", 122, 0x0, 0, ... {status=0x0, info=122}, ) \0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0 (168, 0, 0, 0, "<\0E\0X\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0F\0I\0L\0T\0E\0R\0=\0"\0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0"\0>\0\15\0\12\0", 122, 0x0, 0, ... {status=0x0, info=122}, ) , 122, 0x0, 0, ... {status=0x0, info=122}, ) == 0x0 01157 928 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1233600, ... ) }, 1233600, ... 
) == 0x0 01158 928 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work"}, 3, 16417, ... 172, {status=0x0, info=1}, ) == 0x0 01159 928 NtQueryDirectoryFile (172, 0, 0, 0, 1233212, 592, Directory, 1, "packed.exe", 0, ... {status=0x0, info=84}, ) == 0x0 01160 928 NtClose (172, ... ) == 0x0 01161 928 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01162 928 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01163 928 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1232132, ... ) == 0x0 01164 928 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1230904, ... ) == 0x0 01165 928 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01166 928 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01167 928 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 0x0, 128, 1, 1, 96, 0, 0, ... 172, {status=0x0, info=1}, ) == 0x0 01168 928 NtQueryInformationFile (172, 1233688, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01169 928 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 172, ... 176, ) == 0x0 01170 928 NtMapViewOfSection (176, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xa90000), 0x0, 167936, ) == 0x0 01171 928 NtUnmapViewOfSection (-1, 0xa90000, ... ) == 0x0 01172 928 NtClose (176, ... ) == 0x0 01173 928 NtClose (172, ... 
) == 0x0 01174 928 NtWriteFile (168, 0, 0, 0, (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\01\06\07\09\03\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\01\03\08\07\07\0E\01\06\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\02\09\04\0A\06\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... \0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0 (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\01\06\07\09\03\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\01\03\08\07\07\0E\01\06\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\02\09\04\0A\06\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... 
\01\06\07\09\03\06\0 (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\01\06\07\09\03\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\01\03\08\07\07\0E\01\06\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\02\09\04\0A\06\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... \00\0x\01\03\08\07\07\0E\01\06\0 (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\01\06\07\09\03\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\01\03\08\07\07\0E\01\06\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\02\09\04\0A\06\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... 
\0W\0I\0N\03\02\0 (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\01\06\07\09\03\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\01\03\08\07\07\0E\01\06\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\02\09\04\0A\06\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... \00\0x\02\09\04\0A\06\0 (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\01\06\07\09\03\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\01\03\08\07\07\0E\01\06\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\02\09\04\0A\06\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... 
\00\0x\00\0 (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\01\06\07\09\03\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\01\03\08\07\07\0E\01\06\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\02\09\04\0A\06\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... \01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0 (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\01\06\07\09\03\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\01\03\08\07\07\0E\01\06\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\02\09\04\0A\06\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... 
\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0 (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\01\06\07\09\03\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\01\03\08\07\07\0E\01\06\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\02\09\04\0A\06\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... , 418, 0x0, 0, ... 01175 928 NtContinue (-106648108, 0, ... 01174 928 NtWriteFile ... {status=0x0, info=418}, ) == 0x0 01176 928 NtQueryDirectoryFile (164, 0, 0, 0, 1371248, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES 01177 928 NtClose (164, ... ) == 0x0 01178 928 NtWriteFile (168, 0, 0, 0, (168, 0, 0, 0, "<\0/\0E\0X\0E\0>\0\15\0\12\0", 16, 0x0, 0, ... {status=0x0, info=16}, ) , 16, 0x0, 0, ... {status=0x0, info=16}, ) == 0x0 01179 928 NtClose (168, ... ) == 0x0 01180 928 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\kernel32.dll"}, 1234508, ... ) }, 1234508, ... ) == 0x0 01181 928 NtCreateFile (0x40100080, {24, 0, 0x40, 0, 1234516, (0x40100080, {24, 0, 0x40, 0, 1234516, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\145c_appcompat.txt"}, 0x0, 128, 0, 3, 96, 0, 0, ... 168, {status=0x0, info=1}, ) }, 0x0, 128, 0, 3, 96, 0, 0, ... 168, {status=0x0, info=1}, ) == 0x0 01182 928 NtQueryInformationFile (168, 1234540, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01183 928 NtSetInformationFile (168, 1234572, 8, Position, ... {status=0x0, info=0}, ) == 0x0 01184 928 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\"}, 3, 16417, ... 
164, {status=0x0, info=1}, ) }, 3, 16417, ... 164, {status=0x0, info=1}, ) == 0x0 01185 928 NtQueryDirectoryFile (164, 0, 0, 0, 1233220, 616, BothDirectory, 1, (164, 0, 0, 0, 1233220, 616, BothDirectory, 1, "kernel32.dll", 0, ... {status=0x0, info=118}, ) , 0, ... {status=0x0, info=118}, ) == 0x0 01186 928 NtWriteFile (168, 0, 0, 0, (168, 0, 0, 0, "<\0E\0X\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0F\0I\0L\0T\0E\0R\0=\0"\0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0"\0>\0\15\0\12\0", 126, 0x0, 0, ... {status=0x0, info=126}, ) \0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0 (168, 0, 0, 0, "<\0E\0X\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0F\0I\0L\0T\0E\0R\0=\0"\0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0"\0>\0\15\0\12\0", 126, 0x0, 0, ... {status=0x0, info=126}, ) \0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0 (168, 0, 0, 0, "<\0E\0X\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0F\0I\0L\0T\0E\0R\0=\0"\0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0"\0>\0\15\0\12\0", 126, 0x0, 0, ... {status=0x0, info=126}, ) , 126, 0x0, 0, ... {status=0x0, info=126}, ) == 0x0 01187 928 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\kernel32.dll"}, 1233572, ... ) }, 1233572, ... ) == 0x0 01188 928 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32"}, 3, 16417, ... 172, {status=0x0, info=1}, ) }, 3, 16417, ... 172, {status=0x0, info=1}, ) == 0x0 01189 928 NtQueryDirectoryFile (172, 0, 0, 0, 1233212, 592, Directory, 1, (172, 0, 0, 0, 1233212, 592, Directory, 1, "kernel32.dll", 0, ... {status=0x0, info=88}, ) , 0, ... {status=0x0, info=88}, ) == 0x0 01190 928 NtClose (172, ... ) == 0x0 01191 928 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... 
{process info, class 12, size 4}, 0x0, ) == 0x0 01192 928 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01193 928 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\kernel32.dll"}, 1232132, ... ) == 0x0 01194 928 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\kernel32.dll"}, 1230904, ... ) == 0x0 01195 928 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01196 928 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01197 928 NtQueryDefaultLocale (1, 1233092, ... ) == 0x0 01198 928 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01199 928 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01200 928 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\kernel32.dll"}, 1232124, ... ) == 0x0 01201 928 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\kernel32.dll"}, 1230896, ... ) == 0x0 01202 928 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01203 928 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01204 928 NtQueryDefaultLocale (1, 1233084, ... ) == 0x0 01205 928 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\kernel32.dll"}, 0x0, 128, 1, 1, 96, 0, 0, ... 172, {status=0x0, info=1}, ) == 0x0 01206 928 NtQueryInformationFile (172, 1233688, 24, Standard, ... 
{status=0x0, info=24}, ) == 0x0 01207 928 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 172, ... 176, ) == 0x0 01208 928 NtMapViewOfSection (176, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xa90000), 0x0, 987136, ) == 0x0 01209 928 NtUnmapViewOfSection (-1, 0xa90000, ... ) == 0x0 01210 928 NtClose (176, ... ) == 0x0 01211 928 NtClose (172, ... ) == 0x0 01212 928 NtQueryDefaultUILanguage (1233044, ... 01213 928 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01214 928 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482584, ) == 0x0 01215 928 NtQueryInformationToken (-2147482584, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01216 928 NtClose (-2147482584, ... ) == 0x0 01217 928 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482584, ) == 0x0 01218 928 NtOpenKey (0x80000000, {24, -2147482584, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01219 928 NtOpenKey (0x80000000, {24, -2147482584, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481332, ) == 0x0 01220 928 NtQueryValueKey (-2147481332, "MultiUILanguageId", Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01221 928 NtClose (-2147481332, ... ) == 0x0 01222 928 NtClose (-2147482584, ... ) == 0x0 01212 928 NtQueryDefaultUILanguage ... 
) == 0x0 01223 928 NtWriteFile (168, 0, 0, 0, (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\08\04\05\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0F\00\0B\03\03\01\0F\06\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) \0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0 (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\08\04\05\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0F\00\0B\03\03\01\0F\06\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... 
{status=0x0, info=1666}, ) \09\08\04\05\07\06\0 (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\08\04\05\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0F\00\0B\03\03\01\0F\06\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) \00\0x\0F\00\0B\03\03\01\0F\06\0 (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\08\04\05\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0F\00\0B\03\03\01\0F\06\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... 
{status=0x0, info=1666}, ) \05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0 (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\08\04\05\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0F\00\0B\03\03\01\0F\06\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) \05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0 (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\08\04\05\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0F\00\0B\03\03\01\0F\06\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... 
{status=0x0, info=1666}, ) \05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0 (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\08\04\05\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0F\00\0B\03\03\01\0F\06\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) \0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0 (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\08\04\05\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0F\00\0B\03\03\01\0F\06\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) \0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) == 0x0 01224 928 NtQueryDirectoryFile (164, 0, 0, 0, 1362544, 4096, BothDirectory, 0, 0x0, 0, ... 
) == STATUS_NO_MORE_FILES 01225 928 NtClose (164, ... ) == 0x0 01226 928 NtWriteFile (168, 0, 0, 0, (168, 0, 0, 0, "<\0/\0E\0X\0E\0>\0\15\0\12\0<\0/\0D\0A\0T\0A\0B\0A\0S\0E\0>\0\15\0\12\0", 42, 0x0, 0, ... {status=0x0, info=42}, ) , 42, 0x0, 0, ... {status=0x0, info=42}, ) == 0x0 01227 928 NtClose (168, ... ) == 0x0 01228 928 NtUnmapViewOfSection (-1, 0x77b40000, ... ) == 0x0 01229 928 NtQueryInformationJobObject (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED 01230 928 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1231780, ... ) }, 1231780, ... ) == 0x0 01231 928 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1232516, ... ) }, 1232516, ... ) == 0x0 01232 928 NtOpenFile (0x1000a1, {24, 0, 0x40, 0, 0, (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 5, 96, ... 168, {status=0x0, info=1}, ) }, 5, 96, ... 168, {status=0x0, info=1}, ) == 0x0 01233 928 NtCreateSection (0xf001f, 0x0, 0x0, 16, 16777216, 168, ... 164, ) == 0x0 01234 928 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01235 928 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 172, ) }, ... 172, ) == 0x0 01236 928 NtQueryValueKey (172, (172, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01237 928 NtClose (172, ... ) == 0x0 01238 928 NtQueryVolumeInformationFile (168, 1231792, 8, Device, ... {status=0x0, info=8}, ) == 0x0 01239 928 NtOpenMutant (0x120001, {24, 48, 0x0, 0, 0, (0x120001, {24, 48, 0x0, 0, 0, "ShimCacheMutex"}, ... 172, ) }, ... 172, ) == 0x0 01240 928 NtWaitForSingleObject (172, 0, {-1000000, -1}, ... 
) == 0x0 01241 928 NtOpenSection (0x2, {24, 48, 0x0, 0, 0, "ShimSharedMemory"}, ... 176, ) == 0x0 01242 928 NtMapViewOfSection (176, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 57344, ) == 0x0 01243 928 NtReleaseMutant (172, ... 0x0, ) == 0x0 01244 928 NtAllocateVirtualMemory (-1, 1220608, 0, 4096, 4096, 260, ... 1220608, 4096, ) == 0x0 01245 928 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1229724, ... ) == 0x0 01246 928 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 180, {status=0x0, info=1}, ) == 0x0 01247 928 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 180, ... 184, ) == 0x0 01248 928 NtClose (180, ... ) == 0x0 01249 928 NtMapViewOfSection (184, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa90000), 0x0, 126976, ) == 0x0 01250 928 NtClose (184, ... ) == 0x0 01251 928 NtUnmapViewOfSection (-1, 0xa90000, ... ) == 0x0 01252 928 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1230032, ... ) == 0x0 01253 928 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 184, {status=0x0, info=1}, ) == 0x0 01254 928 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 184, ... 180, ) == 0x0 01255 928 NtQuerySection (180, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01256 928 NtClose (184, ... ) == 0x0 01257 928 NtMapViewOfSection (180, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77b40000), 0x0, 139264, ) == 0x0 01258 928 NtClose (180, ... ) == 0x0 01259 928 NtProtectVirtualMemory (-1, (0x77b41000), 524, 4, ... (0x77b41000), 4096, 32, ) == 0x0 01260 928 NtProtectVirtualMemory (-1, (0x77b41000), 4096, 32, ... 
(0x77b41000), 4096, 4, ) == 0x0 01261 928 NtFlushInstructionCache (-1, 2008289280, 524, ... ) == 0x0 01262 928 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Apphelp.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01263 928 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 0, (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 180, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 180, {status=0x0, info=1}, ) == 0x0 01264 928 NtQueryInformationFile (180, 1230048, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01265 928 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 180, ... 184, ) == 0x0 01266 928 NtMapViewOfSection (184, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xa90000), 0x0, 1191936, ) == 0x0 01267 928 NtQueryInformationFile (180, 1230148, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01268 928 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 0, (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01269 928 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 01270 928 NtQueryInformationProcess (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0 01271 928 NtOpenKey (0x101, {24, 0, 0x40, 0, 0, (0x101, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\WPA\TabletPC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01272 928 NtOpenKey (0x101, {24, 0, 0x40, 0, 0, (0x101, {24, 0, 0x40, 0, 0, "\Registry\Machine\SYSTEM\WPA\MediaCenter"}, ... 188, ) }, ... 188, ) == 0x0 01273 928 NtQueryValueKey (188, (188, "Installed", Partial, 256, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 256, ... TitleIdx=0, Type=4, Data= (188, "Installed", Partial, 256, ... 
TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01274 928 NtClose (188, ... ) == 0x0 01275 928 NtCreateFile (0x120116, {24, 0, 0x40, 0, 0, (0x120116, {24, 0, 0x40, 0, 0, "\Device\NamedPipe\ShimViewer"}, 0x0, 128, 0, 1, 0, 0, 0, ... ) }, 0x0, 128, 0, 1, 0, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01276 928 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\"}, 3, 16417, ... 188, {status=0x0, info=1}, ) }, 3, 16417, ... 188, {status=0x0, info=1}, ) == 0x0 01277 928 NtQueryDirectoryFile (188, 0, 0, 0, 1227744, 616, BothDirectory, 1, (188, 0, 0, 0, 1227744, 616, BothDirectory, 1, "dwwin.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0 01278 928 NtClose (188, ... ) == 0x0 01279 928 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01280 928 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01281 928 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1228120, ... ) }, 1228120, ... ) == 0x0 01282 928 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 188, {status=0x0, info=1}, ) }, 3, 16417, ... 188, {status=0x0, info=1}, ) == 0x0 01283 928 NtQueryDirectoryFile (188, 0, 0, 0, 1227548, 616, BothDirectory, 1, (188, 0, 0, 0, 1227548, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0 01284 928 NtClose (188, ... ) == 0x0 01285 928 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 188, {status=0x0, info=1}, ) }, 3, 16417, ... 188, {status=0x0, info=1}, ) == 0x0 01286 928 NtQueryDirectoryFile (188, 0, 0, 0, 1227548, 616, BothDirectory, 1, (188, 0, 0, 0, 1227548, 616, BothDirectory, 1, "system32", 0, ... {status=0x0, info=110}, ) , 0, ... 
{status=0x0, info=110}, ) == 0x0 01287 928 NtClose (188, ... ) == 0x0 01288 928 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\"}, 3, 16417, ... 188, {status=0x0, info=1}, ) }, 3, 16417, ... 188, {status=0x0, info=1}, ) == 0x0 01289 928 NtQueryDirectoryFile (188, 0, 0, 0, 1227548, 616, BothDirectory, 1, (188, 0, 0, 0, 1227548, 616, BothDirectory, 1, "dwwin.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0 01290 928 NtClose (188, ... ) == 0x0 01291 928 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01292 928 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01293 928 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 01294 928 NtOpenKey (0x80000100, {24, 0, 0x40, 0, 0, (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01295 928 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01296 928 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 188, ) == 0x0 01297 928 NtQueryInformationToken (188, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01298 928 NtClose (188, ... ) == 0x0 01299 928 NtOpenKey (0x80000100, {24, 0, 0x40, 0, 0, (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01300 928 NtOpenKey (0x80000100, {24, 0, 0x40, 0, 0, (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\dwwin.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01301 928 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1228952, ... 
) }, 1228952, ... ) == 0x0 01302 928 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01303 928 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01304 928 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1227820, ... ) }, 1227820, ... ) == 0x0 01305 928 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 5, 96, ... 188, {status=0x0, info=1}, ) }, 5, 96, ... 188, {status=0x0, info=1}, ) == 0x0 01306 928 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 188, ... 192, ) == 0x0 01307 928 NtClose (188, ... ) == 0x0 01308 928 NtMapViewOfSection (192, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xbc0000), 0x0, 180224, ) == 0x0 01309 928 NtClose (192, ... ) == 0x0 01310 928 NtUnmapViewOfSection (-1, 0xbc0000, ... ) == 0x0 01311 928 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1227416, ... ) }, 1227416, ... ) == 0x0 01312 928 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1228160, (0x80100080, {24, 0, 0x40, 0, 1228160, "\??\C:\WINDOWS\system32\dwwin.exe"}, 0x0, 0, 5, 1, 96, 0, 0, ... 192, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 192, {status=0x0, info=1}, ) == 0x0 01313 928 NtCreateSection (0xf0005, 0x0, 0x0, 2, 134217728, 192, ... 188, ) == 0x0 01314 928 NtClose (192, ... ) == 0x0 01315 928 NtMapViewOfSection (188, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xbc0000), {0, 0}, 180224, ) == 0x0 01316 928 NtClose (188, ... ) == 0x0 01317 928 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01318 928 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01319 928 NtQueryDefaultLocale (1, 1228780, ... ) == 0x0 01320 928 NtQueryVirtualMemory (-1, 0xbc0000, Basic, 28, ... 
{BaseAddress=0xbc0000,AllocationBase=0xbc0000,AllocationProtect=0x2,RegionSize=0x2c000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 01321 928 NtQueryVirtualMemory (-1, 0xbc0000, Basic, 28, ... {BaseAddress=0xbc0000,AllocationBase=0xbc0000,AllocationProtect=0x2,RegionSize=0x2c000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 01322 928 NtUnmapViewOfSection (-1, 0xbc0000, ... ) == 0x0 01323 928 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01324 928 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01325 928 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1227812, ... ) }, 1227812, ... ) == 0x0 01326 928 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 5, 96, ... 188, {status=0x0, info=1}, ) }, 5, 96, ... 188, {status=0x0, info=1}, ) == 0x0 01327 928 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 188, ... 192, ) == 0x0 01328 928 NtClose (188, ... ) == 0x0 01329 928 NtMapViewOfSection (192, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xbc0000), 0x0, 180224, ) == 0x0 01330 928 NtClose (192, ... ) == 0x0 01331 928 NtUnmapViewOfSection (-1, 0xbc0000, ... ) == 0x0 01332 928 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1227408, ... ) }, 1227408, ... ) == 0x0 01333 928 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1228152, (0x80100080, {24, 0, 0x40, 0, 1228152, "\??\C:\WINDOWS\system32\dwwin.exe"}, 0x0, 0, 5, 1, 96, 0, 0, ... 192, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 192, {status=0x0, info=1}, ) == 0x0 01334 928 NtCreateSection (0xf0005, 0x0, 0x0, 2, 134217728, 192, ... 188, ) == 0x0 01335 928 NtClose (192, ... ) == 0x0 01336 928 NtMapViewOfSection (188, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xbc0000), {0, 0}, 180224, ) == 0x0 01337 928 NtClose (188, ... 
) == 0x0 01338 928 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01339 928 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01340 928 NtQueryDefaultLocale (1, 1228772, ... ) == 0x0 01341 928 NtQueryVirtualMemory (-1, 0xbc0000, Basic, 28, ... {BaseAddress=0xbc0000,AllocationBase=0xbc0000,AllocationProtect=0x2,RegionSize=0x2c000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 01342 928 NtUnmapViewOfSection (-1, 0xbc0000, ... ) == 0x0 01343 928 NtOpenKey (0x80000100, {24, 0, 0x40, 0, 0, (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01344 928 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01345 928 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 188, ) == 0x0 01346 928 NtQueryInformationToken (188, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01347 928 NtClose (188, ... ) == 0x0 01348 928 NtOpenKey (0x80000100, {24, 0, 0x40, 0, 0, (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01349 928 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01350 928 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01351 928 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1229372, ... ) }, 1229372, ... ) == 0x0 01352 928 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 188, {status=0x0, info=1}, ) }, 3, 16417, ... 
188, {status=0x0, info=1}, ) == 0x0 01353 928 NtQueryDirectoryFile (188, 0, 0, 0, 1228800, 616, BothDirectory, 1, (188, 0, 0, 0, 1228800, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0 01354 928 NtClose (188, ... ) == 0x0 01355 928 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 188, {status=0x0, info=1}, ) }, 3, 16417, ... 188, {status=0x0, info=1}, ) == 0x0 01356 928 NtQueryDirectoryFile (188, 0, 0, 0, 1228800, 616, BothDirectory, 1, (188, 0, 0, 0, 1228800, 616, BothDirectory, 1, "system32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0 01357 928 NtClose (188, ... ) == 0x0 01358 928 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\"}, 3, 16417, ... 188, {status=0x0, info=1}, ) }, 3, 16417, ... 188, {status=0x0, info=1}, ) == 0x0 01359 928 NtQueryDirectoryFile (188, 0, 0, 0, 1228800, 616, BothDirectory, 1, (188, 0, 0, 0, 1228800, 616, BothDirectory, 1, "dwwin.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0 01360 928 NtClose (188, ... ) == 0x0 01361 928 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01362 928 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01363 928 NtWaitForSingleObject (172, 0, {-1000000, -1}, ... ) == 0x0 01364 928 NtReleaseMutant (172, ... 0x0, ) == 0x0 01365 928 NtUnmapViewOfSection (-1, 0xa90000, ... ) == 0x0 01366 928 NtClose (184, ... ) == 0x0 01367 928 NtClose (180, ... ) == 0x0 01368 928 NtOpenThreadToken (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN 01369 928 NtOpenProcessToken (-1, 0xa, ... 180, ) == 0x0 01370 928 NtQueryInformationToken (180, User, 136, ... 
{token info, class 1, size 36}, 36, ) == 0x0 01371 928 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01372 928 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 184, ) }, ... 184, ) == 0x0 01373 928 NtQueryValueKey (184, (184, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (184, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01374 928 NtQueryValueKey (184, (184, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (184, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01375 928 NtClose (184, ... ) == 0x0 01376 928 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\LevelObjects"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01377 928 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 184, ) }, ... 184, ) == 0x0 01378 928 NtQueryValueKey (184, (184, "Levels", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01379 928 NtClose (184, ... ) == 0x0 01380 928 NtQueryDefaultLocale (1, 1231220, ... ) == 0x0 01381 928 NtQueryDefaultLocale (1, 1231220, ... ) == 0x0 01382 928 NtQueryDefaultLocale (1, 1231220, ... ) == 0x0 01383 928 NtQueryDefaultLocale (1, 1231220, ... ) == 0x0 01384 928 NtQueryDefaultLocale (1, 1231220, ... ) == 0x0 01385 928 NtQueryDefaultLocale (1, 1231220, ... ) == 0x0 01386 928 NtQueryDefaultLocale (1, 1231220, ... ) == 0x0 01387 928 NtQueryDefaultLocale (1, 1231220, ... 
) == 0x0 01388 928 NtQueryDefaultLocale (1, 1231220, ... ) == 0x0 01389 928 NtQueryDefaultLocale (1, 1231220, ... ) == 0x0 01390 928 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... 184, ) }, ... 184, ) == 0x0 01391 928 NtEnumerateKey (184, 0, Basic, 280, ... {LastWrite={0x3a5edea,0x1c74da9}, TitleIdx=0, Name= (184, 0, Basic, 280, ... {LastWrite={0x3a5edea,0x1c74da9}, TitleIdx=0, Name="{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, 92, ) }, 92, ) == 0x0 01392 928 NtOpenKey (0x20019, {24, 184, 0x40, 0, 0, (0x20019, {24, 184, 0x40, 0, 0, "{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, ... 188, ) }, ... 188, ) == 0x0 01393 928 NtQueryValueKey (188, (188, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) , Partial, 280, ... TitleIdx=0, Type=2, Data= (188, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) }, 202, ) == 0x0 01394 928 NtQueryValueKey (188, (188, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (188, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01395 928 NtClose (188, ... ) == 0x0 01396 928 NtEnumerateKey (184, 1, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES 01397 928 NtClose (184, ... 
) == 0x0 01398 928 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... 184, ) }, ... 184, ) == 0x0 01399 928 NtEnumerateKey (184, 0, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (184, 0, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{349d35ab-37b5-462f-9b89-edd5fbde1328}"}, 92, ) }, 92, ) == 0x0 01400 928 NtOpenKey (0x20019, {24, 184, 0x40, 0, 0, (0x20019, {24, 184, 0x40, 0, 0, "{349d35ab-37b5-462f-9b89-edd5fbde1328}"}, ... 188, ) }, ... 188, ) == 0x0 01401 928 NtQueryValueKey (188, (188, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="^\2530O\225zI\211j\0l\341\25@\25"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (188, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="^\2530O\225zI\211j\0l\341\25@\25"}, 28, ) }, 28, ) == 0x0 01402 928 NtQueryValueKey (188, (188, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (188, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0 01403 928 NtQueryValueKey (188, (188, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\13\3\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (188, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\13\3\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0 01404 928 NtQueryValueKey (188, (188, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (188, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01405 928 NtClose (188, ... ) == 0x0 01406 928 NtEnumerateKey (184, 1, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (184, 1, Basic, 280, ... 
{LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}"}, 92, ) }, 92, ) == 0x0 01407 928 NtOpenKey (0x20019, {24, 184, 0x40, 0, 0, (0x20019, {24, 184, 0x40, 0, 0, "{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}"}, ... 188, ) }, ... 188, ) == 0x0 01408 928 NtQueryValueKey (188, (188, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="g\260\324\2134:?\323\274\351\334dg\4\363\224"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (188, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="g\260\324\2134:?\323\274\351\334dg\4\363\224"}, 28, ) }, 28, ) == 0x0 01409 928 NtQueryValueKey (188, (188, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (188, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0 01410 928 NtQueryValueKey (188, (188, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\5\2\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (188, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\5\2\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0 01411 928 NtQueryValueKey (188, (188, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (188, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01412 928 NtClose (188, ... ) == 0x0 01413 928 NtEnumerateKey (184, 2, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (184, 2, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}"}, 92, ) }, 92, ) == 0x0 01414 928 NtOpenKey (0x20019, {24, 184, 0x40, 0, 0, (0x20019, {24, 184, 0x40, 0, 0, "{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}"}, ... 188, ) }, ... 188, ) == 0x0 01415 928 NtQueryValueKey (188, (188, "ItemData", Partial, 280, ... 
TitleIdx=0, Type=3, Data="2x\2\334\376\370\310\223\334\212\260\6\335\204}\35"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (188, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="2x\2\334\376\370\310\223\334\212\260\6\335\204}\35"}, 28, ) }, 28, ) == 0x0 01416 928 NtQueryValueKey (188, (188, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (188, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0 01417 928 NtQueryValueKey (188, (188, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\226\3\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (188, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\226\3\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0 01418 928 NtQueryValueKey (188, (188, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (188, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01419 928 NtClose (188, ... ) == 0x0 01420 928 NtEnumerateKey (184, 3, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (184, 3, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{94e3e076-8f53-42a5-8411-085bcc18a68d}"}, 92, ) }, 92, ) == 0x0 01421 928 NtOpenKey (0x20019, {24, 184, 0x40, 0, 0, (0x20019, {24, 184, 0x40, 0, 0, "{94e3e076-8f53-42a5-8411-085bcc18a68d}"}, ... 188, ) }, ... 188, ) == 0x0 01422 928 NtQueryValueKey (188, (188, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="\275\232*\333B\353\330V\16%\16M\370\26/g"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (188, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="\275\232*\333B\353\330V\16%\16M\370\26/g"}, 28, ) }, 28, ) == 0x0 01423 928 NtQueryValueKey (188, (188, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... 
TitleIdx=0, Type=4, Data= (188, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0 01424 928 NtQueryValueKey (188, (188, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\345\0\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (188, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\345\0\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0 01425 928 NtQueryValueKey (188, (188, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (188, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01426 928 NtClose (188, ... ) == 0x0 01427 928 NtEnumerateKey (184, 4, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (184, 4, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}"}, 92, ) }, 92, ) == 0x0 01428 928 NtOpenKey (0x20019, {24, 184, 0x40, 0, 0, (0x20019, {24, 184, 0x40, 0, 0, "{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}"}, ... 188, ) }, ... 188, ) == 0x0 01429 928 NtQueryValueKey (188, (188, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="8k\10_\204\354\366i\323k\225j"\300\36\200"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (188, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="8k\10_\204\354\366i\323k\225j"\300\36\200"}, 28, ) \300\36\200"}, 28, ) == 0x0 01430 928 NtQueryValueKey (188, (188, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (188, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0 01431 928 NtQueryValueKey (188, (188, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="r\1\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (188, "ItemSize", Partial, 280, ... 
TitleIdx=0, Type=11, Data="r\1\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0 01432 928 NtQueryValueKey (188, (188, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (188, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01433 928 NtClose (188, ... ) == 0x0 01434 928 NtEnumerateKey (184, 5, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES 01435 928 NtClose (184, ... ) == 0x0 01436 928 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01437 928 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01438 928 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01439 928 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01440 928 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01441 928 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01442 928 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01443 928 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01444 928 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01445 928 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01446 928 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01447 928 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01448 928 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01449 928 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01450 928 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 184, ) == 0x0 01451 928 NtQueryInformationToken (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01452 928 NtClose (184, ... ) == 0x0 01453 928 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01454 928 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... 
) == STATUS_NO_TOKEN 01455 928 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 184, ) == 0x0 01456 928 NtQueryInformationToken (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01457 928 NtClose (184, ... ) == 0x0 01458 928 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01459 928 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01460 928 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 184, ) == 0x0 01461 928 NtQueryInformationToken (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01462 928 NtClose (184, ... ) == 0x0 01463 928 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01464 928 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01465 928 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 184, ) == 0x0 01466 928 NtQueryInformationToken (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01467 928 NtClose (184, ... ) == 0x0 01468 928 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01469 928 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01470 928 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 184, ) == 0x0 01471 928 NtQueryInformationToken (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01472 928 NtClose (184, ... 
) == 0x0 01473 928 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01474 928 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01475 928 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 184, ) == 0x0 01476 928 NtQueryInformationToken (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01477 928 NtClose (184, ... ) == 0x0 01478 928 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01479 928 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01480 928 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 184, ) == 0x0 01481 928 NtQueryInformationToken (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01482 928 NtClose (184, ... ) == 0x0 01483 928 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01484 928 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01485 928 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 184, ) == 0x0 01486 928 NtQueryInformationToken (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01487 928 NtClose (184, ... ) == 0x0 01488 928 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01489 928 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... 
) == STATUS_NO_TOKEN 01490 928 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 184, ) == 0x0 01491 928 NtQueryInformationToken (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01492 928 NtClose (184, ... ) == 0x0 01493 928 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01494 928 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01495 928 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 184, ) == 0x0 01496 928 NtQueryInformationToken (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01497 928 NtClose (184, ... ) == 0x0 01498 928 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01499 928 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01500 928 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 184, ) == 0x0 01501 928 NtQueryInformationToken (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01502 928 NtClose (184, ... ) == 0x0 01503 928 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01504 928 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01505 928 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 184, ) == 0x0 01506 928 NtQueryInformationToken (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01507 928 NtClose (184, ... 
) == 0x0 01508 928 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01509 928 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01510 928 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 184, ) == 0x0 01511 928 NtQueryInformationToken (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01512 928 NtClose (184, ... ) == 0x0 01513 928 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01514 928 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01515 928 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 184, ) == 0x0 01516 928 NtQueryInformationToken (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01517 928 NtClose (184, ... ) == 0x0 01518 928 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01519 928 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01520 928 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 184, ) == 0x0 01521 928 NtQueryInformationToken (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01522 928 NtClose (184, ... ) == 0x0 01523 928 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01524 928 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 184, ) }, ... 184, ) == 0x0 01525 928 NtQueryValueKey (184, (184, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (184, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Data= (184, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) }, 48, ) == 0x0 01526 928 NtClose (184, ... ) == 0x0 01527 928 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01528 928 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 184, ) == 0x0 01529 928 NtQueryInformationToken (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01530 928 NtClose (184, ... ) == 0x0 01531 928 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01532 928 NtOpenThreadToken (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN 01533 928 NtOpenProcessToken (-1, 0xa, ... 184, ) == 0x0 01534 928 NtDuplicateToken (184, 0xc, {24, 0, 0x0, 0, 1231652, 0x0}, 0, 2, ... 188, ) == 0x0 01535 928 NtClose (184, ... ) == 0x0 01536 928 NtAccessCheck (1379984, 188, 0x1, 1231728, 1231780, 56, 1231760, ... (0x1), ) == 0x0 01537 928 NtClose (188, ... ) == 0x0 01538 928 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 188, ) }, ... 188, ) == 0x0 01539 928 NtQueryValueKey (188, (188, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (188, "PolicyScope", Partial, 80, ... 
TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01540 928 NtClose (188, ... ) == 0x0 01541 928 NtOpenSymbolicLinkObject (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 188, ) }, ... 188, ) == 0x0 01542 928 NtQuerySymbolicLinkObject (188, ... (188, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0 01543 928 NtClose (188, ... ) == 0x0 01544 928 NtQueryVolumeInformationFile (168, 1229484, 8, Device, ... {status=0x0, info=8}, ) == 0x0 01545 928 NtQueryInformationFile (168, 1229600, 528, Name, ... {status=0x0, info=58}, ) == 0x0 01546 928 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01547 928 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01548 928 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1228772, ... ) }, 1228772, ... ) == 0x0 01549 928 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 188, {status=0x0, info=1}, ) }, 3, 16417, ... 188, {status=0x0, info=1}, ) == 0x0 01550 928 NtQueryDirectoryFile (188, 0, 0, 0, 1228200, 616, BothDirectory, 1, (188, 0, 0, 0, 1228200, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0 01551 928 NtClose (188, ... ) == 0x0 01552 928 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 188, {status=0x0, info=1}, ) }, 3, 16417, ... 188, {status=0x0, info=1}, ) == 0x0 01553 928 NtQueryDirectoryFile (188, 0, 0, 0, 1228200, 616, BothDirectory, 1, (188, 0, 0, 0, 1228200, 616, BothDirectory, 1, "system32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0 01554 928 NtClose (188, ... ) == 0x0 01555 928 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\"}, 3, 16417, ... 
188, {status=0x0, info=1}, ) }, 3, 16417, ... 188, {status=0x0, info=1}, ) == 0x0 01556 928 NtQueryDirectoryFile (188, 0, 0, 0, 1228200, 616, BothDirectory, 1, (188, 0, 0, 0, 1228200, 616, BothDirectory, 1, "dwwin.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0 01557 928 NtClose (188, ... ) == 0x0 01558 928 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01559 928 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01560 928 NtQueryInformationFile (168, 1231640, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01561 928 NtCreateSection (0xf0005, 0x0, {180224, 0}, 2, 134217728, 168, ... 188, ) == 0x0 01562 928 NtMapViewOfSection (188, -1, (0x0), 0, 0, {0, 0}, 180224, 1, 0, 2, ... (0xa90000), {0, 0}, 180224, ) == 0x0 01563 928 NtClose (188, ... ) == 0x0 01564 928 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01565 928 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 188, ) == 0x0 01566 928 NtQueryInformationToken (188, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01567 928 NtClose (188, ... ) == 0x0 01568 928 NtOpenKey (0x20019, {24, 0, 0x640, 0, 0, (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 188, ) }, ... 188, ) == 0x0 01569 928 NtOpenKey (0x20019, {24, 188, 0x40, 0, 0, (0x20019, {24, 188, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 184, ) }, ... 184, ) == 0x0 01570 928 NtClose (188, ... ) == 0x0 01571 928 NtQueryValueKey (184, (184, "Cache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01572 928 NtQueryValueKey (184, (184, "Cache", Partial, 174, ... 
TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 174, ) , Partial, 174, ... TitleIdx=0, Type=1, Data= (184, "Cache", Partial, 174, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 174, ) }, 174, ) == 0x0 01573 928 NtClose (184, ... ) == 0x0 01574 928 NtUnmapViewOfSection (-1, 0xa90000, ... ) == 0x0 01575 928 NtAllocateVirtualMemory (-1, 0, 0, 4096, 8192, 4, ... 4128768, 4096, ) == 0x0 01576 928 NtAllocateVirtualMemory (-1, 4128768, 0, 4096, 4096, 4, ... 4128768, 4096, ) == 0x0 01577 928 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 184, ) }, ... 184, ) == 0x0 01578 928 NtQueryValueKey (184, (184, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01579 928 NtClose (184, ... ) == 0x0 01580 928 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01581 928 NtQueryInformationToken (180, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0 01582 928 NtQueryInformationToken (180, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0 01583 928 NtClose (180, ... ) == 0x0 01584 928 NtQuerySection (164, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01585 928 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwwin.exe"}, ... 
) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01586 928 NtQuerySystemInformation (71, 4, ... {system info, class 71, size 4}, 0x0, ) == 0x0 01587 928 NtCreateProcessEx (1233564, 2035711, 0, -1, 4, 164, 0, 0, 0, ... ) == 0x0 01588 928 NtSetInformationProcess (180, PriorityClass, {process info, class 18, size 2}, 512, ... ) == 0x0 01589 928 NtSetInformationProcess (180, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01590 928 NtQueryInformationProcess (180, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=860,ParentPid=1972,}, 0x0, ) == 0x0 01591 928 NtReadVirtualMemory (180, 0x7ffdf008, 4, ... (180, 0x7ffdf008, 4, ... "\0\0\00", 0x0, ) , 0x0, ) == 0x0 01592 928 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01593 928 NtReadVirtualMemory (180, 0x30000000, 4096, ... (180, 0x30000000, 4096, ... 
"MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0$\206\244\23`\347\312@`\347\312@`\347\312@9\304\331@b\347\312@`\347\313@d\347\312@\210\370\301@a\347\312@\343\373\304@j\347\312@\210\370\300@I\347\312@6\370\331@h\347\312@\272\304\326@i\347\312@\220\370\301@p\347\312@`\347\312@H\346\312@Rich`\347\312@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0N\23\216?\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\24\0\220\2\0\0\240\0\0\0\0\0\0\232t\0\0\0\20\0\0\0\320\3\0\0\0\00\0\20\0\0\0\20\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0@\3\0\0\20\0\0\237*\3\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\327\211\2\0z\1\0\0\00\3\0\244\12\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Z\236\2\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\2\0\0\370\0\0\0\0\20\0\0\270\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\222\216\2\0", 4096, ) , 4096, ) == 0x0 01594 928 NtReadVirtualMemory (180, 0x30033000, 256, ... (180, 0x30033000, 256, ... "\0\0\0\0J\23\216?\0\0\0\0\0\0\3\0\5\0\0\0(\0\0\200\13\0\0\0@\0\0\200\20\0\0\0X\0\0\200\0\0\0\0J\23\216?\0\0\0\0\0\0\1\0e\0\0\0p\0\0\200\0\0\0\0J\23\216?\0\0\0\0\0\0\1\0\1\0\0\0\210\0\0\200\0\0\0\0J\23\216?\0\0\0\0\0\0\1\0\1\0\0\0\240\0\0\200\0\0\0\0J\23\216?\0\0\0\0\0\0\1\0\11\4\0\0\270\0\0\0\0\0\0\0J\23\216?\0\0\0\0\0\0\1\0\11\4\0\0\310\0\0\0\0\0\0\0J\23\216?\0\0\0\0\0\0\1\0\11\4\0\0\330\0\0\0\3600\3\0\26\3\0\0\0\0\0\0\0\0\0\0\104\3\0\254\1\0\0\0\0\0\0\0\0\0\0\2645\3\0\360\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\300\0\310\200\0\0\0\0\14\0\0\0\0\0f\1", 256, ) , 256, ) == 0x0 01595 928 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01596 928 NtQueryInformationProcess (180, Basic, 24, ... 
{ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=860,ParentPid=1972,}, 0x0, ) == 0x0 01597 928 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32"}, 1232516, ... ) }, 1232516, ... ) == 0x0 01598 928 NtAllocateVirtualMemory (-1, 0, 0, 2428, 4096, 4, ... 11075584, 4096, ) == 0x0 01599 928 NtAllocateVirtualMemory (180, 0, 0, 6432, 4096, 4, ... 65536, 8192, ) == 0x0 01600 928 NtWriteVirtualMemory (180, 0x10000, (180, 0x10000, "=\0A\0:\0=\0A\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0s\0c\0r\0i\0p\0t\0s\0\0\0=\0U\0:\0=\0U\0:\0\\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0A\0T\0L\0_\0I\0N\0C\0_\0P\0A\0T\0H\0=\0C\0:\0\\0W\0I\0N\0D\0D\0K\0\\03\07\09\00\0~\01\0.\01\08\03\0\\0i\0n\0c\0\0\0A\0T\0L\0_\0I\0N\0C\0_\0R\0O\0O\0T\0=\0C\0:\0\\0W\0I\0N\0D\0D\0K\0\\03\07\09\00\0~\01\0.\01\08\03\0\\0i\0n\0c\0\0\0A\0T\0L\0_\0L\0I\0B\0_\0P\0A\0T\0H\0=\0C\0:\0\\0W\0I\0N\0D\0D\0K\0\\03\07\0", 6432, ... 0x0, ) , 6432, ... 0x0, ) == 0x0 01601 928 NtAllocateVirtualMemory (180, 0, 0, 2428, 4096, 4, ... 
131072, 4096, ) == 0x0 01602 928 NtWriteVirtualMemory (180, 0x20000, (180, 0x20000, "\0\20\0\0|\11\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\0\0\0\0\0\13\0\0\0&\0\10\2\220\2\0\0\16\0\0\0\364\3\366\3\230\4\0\0:\0<\0\220\10\0\0N\0P\0\314\10\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0:\0<\0\34\11\0\0\36\0 \0X\11\0\0\0\0\2\0x\11\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 2428, ... 0x0, ) , 2428, ... 0x0, ) == 0x0 01603 928 NtWriteVirtualMemory (180, 0x7ffdf010, (180, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0 01604 928 NtAllocateVirtualMemory (180, 0, 0, 388, 4096, 4, ... 
196608, 4096, ) == 0x0 01605 928 NtWriteVirtualMemory (180, 0x30000, (180, 0x30000, "S\0h\0i\0m\0E\0n\0g\0.\0d\0l\0l\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\1\0\0\253\355\15\254\210\255\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\21\21\21\21\21\21\21\21\21\21\21\21\21\21\21\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 388, ... 0x0, ) , 388, ... 0x0, ) == 0x0 01606 928 NtWriteVirtualMemory (180, 0x7ffdf1e8, (180, 0x7ffdf1e8, "\0\0\3\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0 01607 928 NtFreeVirtualMemory (-1, (0xa90000), 0, 32768, ... (0xa90000), 4096, ) == 0x0 01608 928 NtAllocateVirtualMemory (180, 0, 0, 1048576, 8192, 4, ... 262144, 1048576, ) == 0x0 01609 928 NtAllocateVirtualMemory (180, 1302528, 0, 8192, 4096, 4, ... 1302528, 8192, ) == 0x0 01610 928 NtProtectVirtualMemory (180, (0x13e000), 4096, 260, ... (0x13e000), 4096, 4, ) == 0x0 01611 928 NtCreateThread (0x1f03ff, 0x0, 180, 1233572, 1233236, 1, ... 
184, {860, 484}, ) == 0x0 01612 928 NtRequestWaitReplyPort (24, {168, 196, new_msg, 0, 0, 2147340288, 2008285840, 0} (24, {168, 196, new_msg, 0, 0, 2147340288, 2008285840, 0} "\0\0\0\0\0\0\1\0\0\0\0\0x\2\264w\267\0\0\0\270\0\0\0\\3\0\0\344\1\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\214\326\22\0x\1\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\24\0\10 \0\0" ... {168, 196, reply, 0, 1972, 928, 57983, 0} "\0\0\0\0\0\0\1\0\0\0\0\0x\2\264w\264\0\0\0\270\0\0\0\\3\0\0\344\1\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\214\326\22\0x\1\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\24\0\10 \0\0" ) ... {168, 196, reply, 0, 1972, 928, 57983, 0} (24, {168, 196, new_msg, 0, 0, 2147340288, 2008285840, 0} "\0\0\0\0\0\0\1\0\0\0\0\0x\2\264w\267\0\0\0\270\0\0\0\\3\0\0\344\1\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\214\326\22\0x\1\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\24\0\10 \0\0" ... {168, 196, reply, 0, 1972, 928, 57983, 0} "\0\0\0\0\0\0\1\0\0\0\0\0x\2\264w\264\0\0\0\270\0\0\0\\3\0\0\344\1\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\214\326\22\0x\1\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\24\0\10 \0\0" ) ) == 0x0 01613 928 NtResumeThread (184, ... 1, ) == 0x0 01614 928 NtClose (168, ... ) == 0x0 01615 928 NtClose (164, ... ) == 0x0 01616 928 NtClose (184, ... 
) == 0x0 01617 928 NtWaitForMultipleObjects (2, (152, 180, ), 1, 0, {1294967296, -1}, ... ) == 0x0 01618 928 NtWaitForSingleObject (144, 0, {0, 0}, ... ) == 0x102 01619 928 NtWaitForMultipleObjects (2, (152, 180, ), 1, 0, {1294967296, -1}, ... ) == 0x0 01620 928 NtWaitForSingleObject (144, 0, {0, 0}, ... ) == 0x102 01621 928 NtWaitForMultipleObjects (2, (152, 180, ), 1, 0, {1294967296, -1}, ... ) == 0x0 01622 928 NtWaitForSingleObject (144, 0, {0, 0}, ... ) == 0x102 01623 928 NtWaitForMultipleObjects (2, (152, 180, ), 1, 0, {1294967296, -1}, ... ) == 0x0 01624 928 NtWaitForSingleObject (144, 0, {0, 0}, ... ) == 0x0 01625 928 NtClose (180, ... ) == 0x0 01626 928 NtUnmapViewOfSection (-1, 0x3d0000, ... ) == 0x0 01627 928 NtClose (160, ... ) == 0x0 01628 928 NtClose (144, ... ) == 0x0 01629 928 NtClose (152, ... ) == 0x0 01630 928 NtClose (148, ... ) == 0x0 01631 928 NtClose (156, ... ) == 0x0 01632 928 NtClose (100, ... ) == 0x0 01633 928 NtClose (104, ... ) == 0x0 01634 928 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x7,}, 4, ... ) == 0x0 01635 928 NtWaitForMultipleObjects (2, (64, 72, ), 1, 0, 0x0, ... ) == 0x1 01636 928 NtClose (72, ... ) == 0x0 01637 928 NtSetEvent (64, ... 0x0, ) == 0x0 01638 928 NtClose (64, ... ) == 0x0 01639 928 NtWaitForMultipleObjects (2, (76, 80, ), 1, 0, 0x0, ... ) == 0x1 01640 928 NtClose (80, ... ) == 0x0 01641 928 NtSetEvent (76, ... 0x0, ) == 0x0 01642 928 NtClose (76, ... ) == 0x0 01643 928 NtWaitForMultipleObjects (2, (84, 88, ), 1, 0, 0x0, ... ) == 0x1 01644 928 NtClose (88, ... ) == 0x0 01645 928 NtSetEvent (84, ... 0x0, ) == 0x0 01646 928 NtClose (84, ... 
) == 0x0 01647 928 NtRequestWaitReplyPort (128, {88, 112, new_msg, 0, 1972, 928, 57979, 0} (128, {88, 112, new_msg, 0, 1972, 928, 57979, 0} "\1\356\0\0A\2<\0\30b\202\201\0\260\375\177\220k\364\367\370\37`\300\377\377\377\377X\353Q\200\0\0\0\0)%\25E?>\A\250\245\22\360\331E\16S\331E\16S\1\300\375\177(l\364\367\253\362Q\200\324k\364\367\300\250U\200aFT\200\0\0\0\0h\242\250\201" ... {124, 148, reply, 0, 1972, 928, 58107, 0} "\2\376\255\201\1\0\0\0\200Y\274\201V\347\340\341\264\311\275\201:\332R\200X;\350\371\324\376\255\201\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\210\300\310\0\0\0\3\1\0\0\3\1\0\0\10A\210\300\0@\250\300\220\276u\201\264;\350\371R\250S\200\304;\350\371\4\0\0\0\0\0\0\0\220\276u\201<(\255\201\7\0\0\0\304\277u\201]\0\0\0" ) ... {124, 148, reply, 0, 1972, 928, 58107, 0} (128, {88, 112, new_msg, 0, 1972, 928, 57979, 0} "\1\356\0\0A\2<\0\30b\202\201\0\260\375\177\220k\364\367\370\37`\300\377\377\377\377X\353Q\200\0\0\0\0)%\25E?>\A\250\245\22\360\331E\16S\331E\16S\1\300\375\177(l\364\367\253\362Q\200\324k\364\367\300\250U\200aFT\200\0\0\0\0h\242\250\201" ... {124, 148, reply, 0, 1972, 928, 58107, 0} "\2\376\255\201\1\0\0\0\200Y\274\201V\347\340\341\264\311\275\201:\332R\200X;\350\371\324\376\255\201\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\210\300\310\0\0\0\3\1\0\0\3\1\0\0\10A\210\300\0@\250\300\220\276u\201\264;\350\371R\250S\200\304;\350\371\4\0\0\0\0\0\0\0\220\276u\201<(\255\201\7\0\0\0\304\277u\201]\0\0\0" ) ) == 0x0 01648 928 NtClose (124, ... ) == 0x0 01649 928 NtClose (128, ... ) == 0x0 01650 928 NtClose (68, ... ) == 0x0 01651 928 NtUnmapViewOfSection (-1, 0x69450000, ... ) == 0x0 01652 928 NtUnmapViewOfSection (-1, 0x77920000, ... ) == 0x0 01653 928 NtUnmapViewOfSection (-1, 0x76f50000, ... ) == 0x0 01654 928 NtUnmapViewOfSection (-1, 0x76360000, ... ) == 0x0 01655 928 NtUnmapViewOfSection (-1, 0x5b860000, ... ) == 0x0 01656 928 NtUnmapViewOfSection (-1, 0x769c0000, ... ) == 0x0 01657 928 NtContinue (1242900, 0, ... 
01658 928 NtTerminateProcess (0, -1073741682, ... ) == 0x0 01659 928 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x8,}, 4, ... ) == 0x0 01660 928 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x9,}, 4, ... ) == 0x0 01661 928 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0xa,}, 4, ... ) == 0x0 01662 928 NtClose (92, ... ) == 0x0 01663 928 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x6,}, 4, ... ) == 0x0 01664 928 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x5,}, 4, ... ) == 0x0 01665 928 NtUnmapViewOfSection (-1, 0x380000, ... ) == 0x0 01666 928 NtClose (60, ... ) == 0x0 01667 928 NtGdiDeleteObjectApp (1913653144, ... ) == 0x1 01668 928 NtUserGetProcessWindowStation (... ) == 0x1c 01669 928 NtUserBuildNameList (28, 522, 1379448, 1244228, ... ) == 0x0 01670 928 NtUserGetProcessWindowStation (... ) == 0x1c 01671 928 NtUserOpenDesktop ({24, 28, 0x40, 0, 0, ({24, 28, 0x40, 0, 0, "Default"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x3c 01672 928 NtUserBuildHwndList (60, 0, 0, 0, 64, ... (0x5009e, 0x400fa, 0x10074, 0x10080, 0x10070, 0x10084, 0x30048, 0x10072, 0x20052, 0x5009c, 0x10090, 0x500a2, 0x100d0, 0x200b0, 0x100cc, 0xa0102, 0x70104, 0x70100, 0x20118, 0x3014c, 0x1011c, 0x100e6, 0x100d6, 0x100d2, 0x100ca, 0x100c8, 0x100ba, 0x100ae, 0x100ac, 0x300a6, 0x10078, 0x30062, 0x50036, 0x5005c, 0x100be, 0x400fe, 0x10092, 0x10086, 0x40034, 0x50050, 0x1013c, 0x10120, 0x100c2, 0x100bc, 0x2014e, 0x100d8, 0x100b6, 0x100b8, 0x100b4, 0x100c0, 0x1009a, 0x5005e, 0x1, ), 53, ) == 0x0 01673 928 NtUserValidateHandleSecure (327838, ... ) == 0x1 01674 928 NtUserQueryWindow (327838, 0, ... ) == 0x6b8 01675 928 NtUserQueryWindow (327838, 1, ... ) == 0x6d4 01676 928 NtUserValidateHandleSecure (327838, ... ) == 0x1 01677 928 NtUserValidateHandleSecure (262394, ... ) == 0x1 01678 928 NtUserQueryWindow (262394, 0, ... ) == 0x6b8 01679 928 NtUserQueryWindow (262394, 1, ... ) == 0x6d4 01680 928 NtUserValidateHandleSecure (262394, ... 
) == 0x1 01681 928 NtUserBuildHwndList (0, 262394, 1, 0, 64, ... (0x80064, 0x60068, 0x6006c, 0x50094, 0x50096, 0x60066, 0x7006a, 0x90058, 0x6006e, 0x5008a, 0x50088, 0x500a0, 0x1, ), 13, ) == 0x0 01682 928 NtUserValidateHandleSecure (524388, ... ) == 0x1 01683 928 NtUserQueryWindow (524388, 0, ... ) == 0x6b8 01684 928 NtUserQueryWindow (524388, 1, ... ) == 0x6d4 01685 928 NtUserValidateHandleSecure (393320, ... ) == 0x1 01686 928 NtUserQueryWindow (393320, 0, ... ) == 0x6b8 01687 928 NtUserQueryWindow (393320, 1, ... ) == 0x6d4 01688 928 NtUserValidateHandleSecure (393324, ... ) == 0x1 01689 928 NtUserQueryWindow (393324, 0, ... ) == 0x6b8 01690 928 NtUserQueryWindow (393324, 1, ... ) == 0x6d4 01691 928 NtUserValidateHandleSecure (327828, ... ) == 0x1 01692 928 NtUserQueryWindow (327828, 0, ... ) == 0x6b8 01693 928 NtUserQueryWindow (327828, 1, ... ) == 0x6d4 01694 928 NtUserValidateHandleSecure (327830, ... ) == 0x1 01695 928 NtUserQueryWindow (327830, 0, ... ) == 0x6b8 01696 928 NtUserQueryWindow (327830, 1, ... ) == 0x6d4 01697 928 NtUserValidateHandleSecure (393318, ... ) == 0x1 01698 928 NtUserQueryWindow (393318, 0, ... ) == 0x6b8 01699 928 NtUserQueryWindow (393318, 1, ... ) == 0x6d4 01700 928 NtUserValidateHandleSecure (458858, ... ) == 0x1 01701 928 NtUserQueryWindow (458858, 0, ... ) == 0x6b8 01702 928 NtUserQueryWindow (458858, 1, ... ) == 0x6d4 01703 928 NtUserValidateHandleSecure (589912, ... ) == 0x1 01704 928 NtUserQueryWindow (589912, 0, ... ) == 0x6b8 01705 928 NtUserQueryWindow (589912, 1, ... ) == 0x6d4 01706 928 NtUserValidateHandleSecure (393326, ... ) == 0x1 01707 928 NtUserQueryWindow (393326, 0, ... ) == 0x6b8 01708 928 NtUserQueryWindow (393326, 1, ... ) == 0x6d4 01709 928 NtUserValidateHandleSecure (327818, ... ) == 0x1 01710 928 NtUserQueryWindow (327818, 0, ... ) == 0x6b8 01711 928 NtUserQueryWindow (327818, 1, ... ) == 0x6d4 01712 928 NtUserValidateHandleSecure (327816, ... ) == 0x1 01713 928 NtUserQueryWindow (327816, 0, ... 
) == 0x6b8 01714 928 NtUserQueryWindow (327816, 1, ... ) == 0x6d4 01715 928 NtUserValidateHandleSecure (327840, ... ) == 0x1 01716 928 NtUserQueryWindow (327840, 0, ... ) == 0x6b8 01717 928 NtUserQueryWindow (327840, 1, ... ) == 0x6d4 01718 928 NtUserValidateHandleSecure (65652, ... ) == 0x1 01719 928 NtUserQueryWindow (65652, 0, ... ) == 0x6b8 01720 928 NtUserQueryWindow (65652, 1, ... ) == 0x6d4 01721 928 NtUserValidateHandleSecure (65652, ... ) == 0x1 01722 928 NtUserValidateHandleSecure (65664, ... ) == 0x1 01723 928 NtUserQueryWindow (65664, 0, ... ) == 0x6b8 01724 928 NtUserQueryWindow (65664, 1, ... ) == 0x6d4 01725 928 NtUserValidateHandleSecure (65664, ... ) == 0x1 01726 928 NtUserValidateHandleSecure (65648, ... ) == 0x1 01727 928 NtUserQueryWindow (65648, 0, ... ) == 0x6b8 01728 928 NtUserQueryWindow (65648, 1, ... ) == 0x6d4 01729 928 NtUserValidateHandleSecure (65648, ... ) == 0x1 01730 928 NtUserValidateHandleSecure (65668, ... ) == 0x1 01731 928 NtUserQueryWindow (65668, 0, ... ) == 0x6b8 01732 928 NtUserQueryWindow (65668, 1, ... ) == 0x6d4 01733 928 NtUserValidateHandleSecure (65668, ... ) == 0x1 01734 928 NtUserValidateHandleSecure (196680, ... ) == 0x1 01735 928 NtUserQueryWindow (196680, 0, ... ) == 0x6b8 01736 928 NtUserQueryWindow (196680, 1, ... ) == 0x6d4 01737 928 NtUserValidateHandleSecure (196680, ... ) == 0x1 01738 928 NtUserValidateHandleSecure (65650, ... ) == 0x1 01739 928 NtUserQueryWindow (65650, 0, ... ) == 0x6b8 01740 928 NtUserQueryWindow (65650, 1, ... ) == 0x6d4 01741 928 NtUserValidateHandleSecure (65650, ... ) == 0x1 01742 928 NtUserValidateHandleSecure (131154, ... ) == 0x1 01743 928 NtUserQueryWindow (131154, 0, ... ) == 0x6b8 01744 928 NtUserQueryWindow (131154, 1, ... ) == 0x6d4 01745 928 NtUserValidateHandleSecure (131154, ... ) == 0x1 01746 928 NtUserBuildHwndList (0, 131154, 1, 0, 64, ... 
(0x3003e, 0x3003c, 0x30040, 0x30042, 0x30044, 0x30046, 0x10076, 0x10082, 0x1007a, 0x1007e, 0x1, ), 11, ) == 0x0 01747 928 NtUserValidateHandleSecure (196670, ... ) == 0x1 01748 928 NtUserQueryWindow (196670, 0, ... ) == 0x6b8 01749 928 NtUserQueryWindow (196670, 1, ... ) == 0x6d4 01750 928 NtUserValidateHandleSecure (196668, ... ) == 0x1 01751 928 NtUserQueryWindow (196668, 0, ... ) == 0x6b8 01752 928 NtUserQueryWindow (196668, 1, ... ) == 0x6d4 01753 928 NtUserValidateHandleSecure (196672, ... ) == 0x1 01754 928 NtUserQueryWindow (196672, 0, ... ) == 0x6b8 01755 928 NtUserQueryWindow (196672, 1, ... ) == 0x6d4 01756 928 NtUserValidateHandleSecure (196674, ... ) == 0x1 01757 928 NtUserQueryWindow (196674, 0, ... ) == 0x6b8 01758 928 NtUserQueryWindow (196674, 1, ... ) == 0x6d4 01759 928 NtUserValidateHandleSecure (196676, ... ) == 0x1 01760 928 NtUserQueryWindow (196676, 0, ... ) == 0x6b8 01761 928 NtUserQueryWindow (196676, 1, ... ) == 0x6d4 01762 928 NtUserValidateHandleSecure (196678, ... ) == 0x1 01763 928 NtUserQueryWindow (196678, 0, ... ) == 0x6b8 01764 928 NtUserQueryWindow (196678, 1, ... ) == 0x6d4 01765 928 NtUserValidateHandleSecure (65654, ... ) == 0x1 01766 928 NtUserQueryWindow (65654, 0, ... ) == 0x6b8 01767 928 NtUserQueryWindow (65654, 1, ... ) == 0x6d4 01768 928 NtUserValidateHandleSecure (65666, ... ) == 0x1 01769 928 NtUserQueryWindow (65666, 0, ... ) == 0x6b8 01770 928 NtUserQueryWindow (65666, 1, ... ) == 0x6d4 01771 928 NtUserValidateHandleSecure (65658, ... ) == 0x1 01772 928 NtUserQueryWindow (65658, 0, ... ) == 0x6b8 01773 928 NtUserQueryWindow (65658, 1, ... ) == 0x6d4 01774 928 NtUserValidateHandleSecure (65662, ... ) == 0x1 01775 928 NtUserQueryWindow (65662, 0, ... ) == 0x6b8 01776 928 NtUserQueryWindow (65662, 1, ... ) == 0x6d4 01777 928 NtUserValidateHandleSecure (327836, ... ) == 0x1 01778 928 NtUserQueryWindow (327836, 0, ... ) == 0x6b8 01779 928 NtUserQueryWindow (327836, 1, ... 
) == 0x6d4 01780 928 NtUserValidateHandleSecure (327836, ... ) == 0x1 01781 928 NtUserValidateHandleSecure (65680, ... ) == 0x1 01782 928 NtUserQueryWindow (65680, 0, ... ) == 0x6b8 01783 928 NtUserQueryWindow (65680, 1, ... ) == 0x6bc 01784 928 NtUserValidateHandleSecure (65680, ... ) == 0x1 01785 928 NtUserValidateHandleSecure (327842, ... ) == 0x1 01786 928 NtUserQueryWindow (327842, 0, ... ) == 0x6b8 01787 928 NtUserQueryWindow (327842, 1, ... ) == 0x6d4 01788 928 NtUserValidateHandleSecure (327842, ... ) == 0x1 01789 928 NtUserValidateHandleSecure (65744, ... ) == 0x1 01790 928 NtUserQueryWindow (65744, 0, ... ) == 0x19c 01791 928 NtUserQueryWindow (65744, 1, ... ) == 0x1a0 01792 928 NtUserValidateHandleSecure (65744, ... ) == 0x1 01793 928 NtUserValidateHandleSecure (131248, ... ) == 0x1 01794 928 NtUserQueryWindow (131248, 0, ... ) == 0xa0 01795 928 NtUserQueryWindow (131248, 1, ... ) == 0xe4 01796 928 NtUserValidateHandleSecure (131248, ... ) == 0x1 01797 928 NtUserValidateHandleSecure (65740, ... ) == 0x1 01798 928 NtUserQueryWindow (65740, 0, ... ) == 0x19c 01799 928 NtUserQueryWindow (65740, 1, ... ) == 0x1a0 01800 928 NtUserValidateHandleSecure (65740, ... ) == 0x1 01801 928 NtUserValidateHandleSecure (655618, ... ) == 0x1 01802 928 NtUserQueryWindow (655618, 0, ... ) == 0x35c 01803 928 NtUserQueryWindow (655618, 1, ... ) == 0x1e4 01804 928 NtUserValidateHandleSecure (655618, ... ) == 0x1 01805 928 NtUserValidateHandleSecure (459012, ... ) == 0x1 01806 928 NtUserQueryWindow (459012, 0, ... ) == 0x49c 01807 928 NtUserQueryWindow (459012, 1, ... ) == 0x180 01808 928 NtUserValidateHandleSecure (459012, ... ) == 0x1 01809 928 NtUserValidateHandleSecure (459008, ... ) == 0x1 01810 928 NtUserQueryWindow (459008, 0, ... ) == 0x5e8 01811 928 NtUserQueryWindow (459008, 1, ... ) == 0x1dc 01812 928 NtUserValidateHandleSecure (459008, ... ) == 0x1 01813 928 NtUserValidateHandleSecure (131352, ... ) == 0x1 01814 928 NtUserQueryWindow (131352, 0, ... 
) == 0x6ac 01815 928 NtUserQueryWindow (131352, 1, ... ) == 0x7f4 01816 928 NtUserValidateHandleSecure (131352, ... ) == 0x1 01817 928 NtUserValidateHandleSecure (196940, ... ) == 0x1 01818 928 NtUserQueryWindow (196940, 0, ... ) == 0x4b4 01819 928 NtUserQueryWindow (196940, 1, ... ) == 0x474 01820 928 NtUserValidateHandleSecure (196940, ... ) == 0x1 01821 928 NtUserValidateHandleSecure (65820, ... ) == 0x1 01822 928 NtUserQueryWindow (65820, 0, ... ) == 0x22c 01823 928 NtUserQueryWindow (65820, 1, ... ) == 0x220 01824 928 NtUserValidateHandleSecure (65820, ... ) == 0x1 01825 928 NtUserValidateHandleSecure (65766, ... ) == 0x1 01826 928 NtUserQueryWindow (65766, 0, ... ) == 0x6b8 01827 928 NtUserQueryWindow (65766, 1, ... ) == 0x13c 01828 928 NtUserValidateHandleSecure (65766, ... ) == 0x1 01829 928 NtUserValidateHandleSecure (65750, ... ) == 0x1 01830 928 NtUserQueryWindow (65750, 0, ... ) == 0x6b8 01831 928 NtUserQueryWindow (65750, 1, ... ) == 0x13c 01832 928 NtUserValidateHandleSecure (65750, ... ) == 0x1 01833 928 NtUserBuildHwndList (0, 65750, 1, 0, 64, ... (0x100da, 0x100dc, 0x100de, 0x100e0, 0x1, ), 5, ) == 0x0 01834 928 NtUserValidateHandleSecure (65754, ... ) == 0x1 01835 928 NtUserQueryWindow (65754, 0, ... ) == 0x6b8 01836 928 NtUserQueryWindow (65754, 1, ... ) == 0x13c 01837 928 NtUserValidateHandleSecure (65756, ... ) == 0x1 01838 928 NtUserQueryWindow (65756, 0, ... ) == 0x6b8 01839 928 NtUserQueryWindow (65756, 1, ... ) == 0x13c 01840 928 NtUserValidateHandleSecure (65758, ... ) == 0x1 01841 928 NtUserQueryWindow (65758, 0, ... ) == 0x6b8 01842 928 NtUserQueryWindow (65758, 1, ... ) == 0x13c 01843 928 NtUserValidateHandleSecure (65760, ... ) == 0x1 01844 928 NtUserQueryWindow (65760, 0, ... ) == 0x6b8 01845 928 NtUserQueryWindow (65760, 1, ... ) == 0x13c 01846 928 NtUserValidateHandleSecure (65746, ... ) == 0x1 01847 928 NtUserQueryWindow (65746, 0, ... ) == 0x6b8 01848 928 NtUserQueryWindow (65746, 1, ... 
) == 0x6d4 01849 928 NtUserValidateHandleSecure (65746, ... ) == 0x1 01850 928 NtUserValidateHandleSecure (65738, ... ) == 0x1 01851 928 NtUserQueryWindow (65738, 0, ... ) == 0x19c 01852 928 NtUserQueryWindow (65738, 1, ... ) == 0x1a0 01853 928 NtUserValidateHandleSecure (65738, ... ) == 0x1 01854 928 NtUserValidateHandleSecure (65736, ... ) == 0x1 01855 928 NtUserQueryWindow (65736, 0, ... ) == 0xa0 01856 928 NtUserQueryWindow (65736, 1, ... ) == 0xe4 01857 928 NtUserValidateHandleSecure (65736, ... ) == 0x1 01858 928 NtUserValidateHandleSecure (65722, ... ) == 0x1 01859 928 NtUserQueryWindow (65722, 0, ... ) == 0x104 01860 928 NtUserQueryWindow (65722, 1, ... ) == 0x108 01861 928 NtUserValidateHandleSecure (65722, ... ) == 0x1 01862 928 NtUserValidateHandleSecure (65710, ... ) == 0x1 01863 928 NtUserQueryWindow (65710, 0, ... ) == 0x104 01864 928 NtUserQueryWindow (65710, 1, ... ) == 0x108 01865 928 NtUserValidateHandleSecure (65710, ... ) == 0x1 01866 928 NtUserValidateHandleSecure (65708, ... ) == 0x1 01867 928 NtUserQueryWindow (65708, 0, ... ) == 0x120 01868 928 NtUserQueryWindow (65708, 1, ... ) == 0x124 01869 928 NtUserValidateHandleSecure (65708, ... ) == 0x1 01870 928 NtUserValidateHandleSecure (196774, ... ) == 0x1 01871 928 NtUserQueryWindow (196774, 0, ... ) == 0xc4 01872 928 NtUserQueryWindow (196774, 1, ... ) == 0xc8 01873 928 NtUserValidateHandleSecure (196774, ... ) == 0x1 01874 928 NtUserValidateHandleSecure (65656, ... ) == 0x1 01875 928 NtUserQueryWindow (65656, 0, ... ) == 0x6b8 01876 928 NtUserQueryWindow (65656, 1, ... ) == 0x6ec 01877 928 NtUserValidateHandleSecure (65656, ... ) == 0x1 01878 928 NtUserValidateHandleSecure (196706, ... ) == 0x1 01879 928 NtUserQueryWindow (196706, 0, ... ) == 0x6b8 01880 928 NtUserQueryWindow (196706, 1, ... ) == 0x6bc 01881 928 NtUserValidateHandleSecure (196706, ... ) == 0x1 01882 928 NtUserValidateHandleSecure (327734, ... ) == 0x1 01883 928 NtUserQueryWindow (327734, 0, ... 
) == 0x6b8 01884 928 NtUserQueryWindow (327734, 1, ... ) == 0x6bc 01885 928 NtUserValidateHandleSecure (327734, ... ) == 0x1 01886 928 NtUserValidateHandleSecure (327772, ... ) == 0x1 01887 928 NtUserQueryWindow (327772, 0, ... ) == 0x6b8 01888 928 NtUserQueryWindow (327772, 1, ... ) == 0x6bc 01889 928 NtUserValidateHandleSecure (327772, ... ) == 0x1 01890 928 NtUserValidateHandleSecure (65726, ... ) == 0x1 01891 928 NtUserQueryWindow (65726, 0, ... ) == 0x19c 01892 928 NtUserQueryWindow (65726, 1, ... ) == 0x1a0 01893 928 NtUserValidateHandleSecure (65726, ... ) == 0x1 01894 928 NtUserValidateHandleSecure (262398, ... ) == 0x1 01895 928 NtUserQueryWindow (262398, 0, ... ) == 0x6b8 01896 928 NtUserQueryWindow (262398, 1, ... ) == 0x6d4 01897 928 NtUserValidateHandleSecure (262398, ... ) == 0x1 01898 928 NtUserValidateHandleSecure (65682, ... ) == 0x1 01899 928 NtUserQueryWindow (65682, 0, ... ) == 0x6b8 01900 928 NtUserQueryWindow (65682, 1, ... ) == 0x6bc 01901 928 NtUserValidateHandleSecure (65682, ... ) == 0x1 01902 928 NtUserValidateHandleSecure (65670, ... ) == 0x1 01903 928 NtUserQueryWindow (65670, 0, ... ) == 0x6b8 01904 928 NtUserQueryWindow (65670, 1, ... ) == 0x6bc 01905 928 NtUserValidateHandleSecure (65670, ... ) == 0x1 01906 928 NtUserBuildHwndList (0, 65670, 1, 0, 64, ... (0x1008c, 0x1008e, 0x1, ), 3, ) == 0x0 01907 928 NtUserValidateHandleSecure (65676, ... ) == 0x1 01908 928 NtUserQueryWindow (65676, 0, ... ) == 0x6b8 01909 928 NtUserQueryWindow (65676, 1, ... ) == 0x6bc 01910 928 NtUserValidateHandleSecure (65678, ... ) == 0x1 01911 928 NtUserQueryWindow (65678, 0, ... ) == 0x6b8 01912 928 NtUserQueryWindow (65678, 1, ... ) == 0x6bc 01913 928 NtUserValidateHandleSecure (262196, ... ) == 0x1 01914 928 NtUserQueryWindow (262196, 0, ... ) == 0x6b8 01915 928 NtUserQueryWindow (262196, 1, ... ) == 0x6d4 01916 928 NtUserValidateHandleSecure (262196, ... ) == 0x1 01917 928 NtUserValidateHandleSecure (327760, ... 
) == 0x1 01918 928 NtUserQueryWindow (327760, 0, ... ) == 0x6b8 01919 928 NtUserQueryWindow (327760, 1, ... ) == 0x6d4 01920 928 NtUserValidateHandleSecure (327760, ... ) == 0x1 01921 928 NtUserValidateHandleSecure (65852, ... ) == 0x1 01922 928 NtUserQueryWindow (65852, 0, ... ) == 0x22c 01923 928 NtUserQueryWindow (65852, 1, ... ) == 0x220 01924 928 NtUserValidateHandleSecure (65852, ... ) == 0x1 01925 928 NtUserValidateHandleSecure (65824, ... ) == 0x1 01926 928 NtUserQueryWindow (65824, 0, ... ) == 0x22c 01927 928 NtUserQueryWindow (65824, 1, ... ) == 0x220 01928 928 NtUserValidateHandleSecure (65824, ... ) == 0x1 01929 928 NtUserValidateHandleSecure (65730, ... ) == 0x1 01930 928 NtUserQueryWindow (65730, 0, ... ) == 0xa0 01931 928 NtUserQueryWindow (65730, 1, ... ) == 0xe4 01932 928 NtUserValidateHandleSecure (65730, ... ) == 0x1 01933 928 NtUserValidateHandleSecure (65724, ... ) == 0x1 01934 928 NtUserQueryWindow (65724, 0, ... ) == 0xa0 01935 928 NtUserQueryWindow (65724, 1, ... ) == 0xe4 01936 928 NtUserValidateHandleSecure (65724, ... ) == 0x1 01937 928 NtUserValidateHandleSecure (131406, ... ) == 0x1 01938 928 NtUserQueryWindow (131406, 0, ... ) == 0x4b4 01939 928 NtUserQueryWindow (131406, 1, ... ) == 0x474 01940 928 NtUserValidateHandleSecure (131406, ... ) == 0x1 01941 928 NtUserValidateHandleSecure (65752, ... ) == 0x1 01942 928 NtUserQueryWindow (65752, 0, ... ) == 0x6b8 01943 928 NtUserQueryWindow (65752, 1, ... ) == 0x13c 01944 928 NtUserValidateHandleSecure (65752, ... ) == 0x1 01945 928 NtUserValidateHandleSecure (65718, ... ) == 0x1 01946 928 NtUserQueryWindow (65718, 0, ... ) == 0x104 01947 928 NtUserQueryWindow (65718, 1, ... ) == 0x108 01948 928 NtUserValidateHandleSecure (65718, ... ) == 0x1 01949 928 NtUserValidateHandleSecure (65720, ... ) == 0x1 01950 928 NtUserQueryWindow (65720, 0, ... ) == 0x120 01951 928 NtUserQueryWindow (65720, 1, ... ) == 0x124 01952 928 NtUserValidateHandleSecure (65720, ... 
) == 0x1 01953 928 NtUserValidateHandleSecure (65716, ... ) == 0x1 01954 928 NtUserQueryWindow (65716, 0, ... ) == 0xc4 01955 928 NtUserQueryWindow (65716, 1, ... ) == 0xc8 01956 928 NtUserValidateHandleSecure (65716, ... ) == 0x1 01957 928 NtUserValidateHandleSecure (65728, ... ) == 0x1 01958 928 NtUserQueryWindow (65728, 0, ... ) == 0x19c 01959 928 NtUserQueryWindow (65728, 1, ... ) == 0x1a0 01960 928 NtUserValidateHandleSecure (65728, ... ) == 0x1 01961 928 NtUserValidateHandleSecure (65690, ... ) == 0x1 01962 928 NtUserQueryWindow (65690, 0, ... ) == 0x6b8 01963 928 NtUserQueryWindow (65690, 1, ... ) == 0x6bc 01964 928 NtUserValidateHandleSecure (65690, ... ) == 0x1 01965 928 NtUserValidateHandleSecure (327774, ... ) == 0x1 01966 928 NtUserQueryWindow (327774, 0, ... ) == 0x6b8 01967 928 NtUserQueryWindow (327774, 1, ... ) == 0x6bc 01968 928 NtUserValidateHandleSecure (327774, ... ) == 0x1 01969 928 NtUserCloseDesktop (60, ... ) == 0x1 01970 928 NtUserGetProcessWindowStation (... ) == 0x1c 01971 928 NtUserOpenDesktop ({24, 28, 0x40, 0, 0, ({24, 28, 0x40, 0, 0, "Disconnect"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0 01972 928 NtUserGetProcessWindowStation (... ) == 0x1c 01973 928 NtUserOpenDesktop ({24, 28, 0x40, 0, 0, ({24, 28, 0x40, 0, 0, "Winlogon"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0 01974 928 NtGdiDeleteObjectApp (856294625, ... ) == 0x1 01975 928 NtGdiDeleteObjectApp (1376388660, ... ) == 0x1 01976 928 NtClose (56, ... ) == 0x0 01977 928 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x4,}, 4, ... ) == 0x0 01978 928 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize"}, ... 56, ) }, ... 56, ) == 0x0 01979 928 NtQueryValueKey (56, (56, "DisableMetaFiles", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01980 928 NtClose (56, ... ) == 0x0 01981 928 NtClose (44, ... 
) == 0x0 01982 928 NtFreeVirtualMemory (-1, (0x3f0000), 4096, 32768, ... (0x3f0000), 4096, ) == 0x0 01983 928 NtQueryInformationProcess (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0 01984 928 NtQueryInformationProcess (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0 01985 928 NtQueryVirtualMemory (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0 01986 928 NtRequestWaitReplyPort (24, {20, 48, new_msg, 0, 1177968, 2011678370, 1178092, 1177980} (24, {20, 48, new_msg, 0, 1177968, 2011678370, 1178092, 1177980} "\0\0\0\0\3\0\1\0\214\371\21\0\320\220\347w\216\0\0\300" ... {20, 48, reply, 0, 1972, 928, 58110, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\320\220\347w\216\0\0\300" ) ... {20, 48, reply, 0, 1972, 928, 58110, 0} (24, {20, 48, new_msg, 0, 1177968, 2011678370, 1178092, 1177980} "\0\0\0\0\3\0\1\0\214\371\21\0\320\220\347w\216\0\0\300" ... {20, 48, reply, 0, 1972, 928, 58110, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\320\220\347w\216\0\0\300" ) ) == 0x0 01987 928 NtTerminateProcess (-1, -1073741682, ...