Summary (number of calls per system service, in ascending order):

NtAddAtom(>) 1 NtUserCallNoParam(>) 1 NtDuplicateObject(>) 3 NtQueryDefaultLocale(>) 13
NtAdjustPrivilegesToken(>) 1 NtUserCallOneParam(>) 1 NtGdiCreateCompatibleDC(>) 3 NtOpenFile(>) 15
NtCallbackReturn(>) 1 NtUserGetDC(>) 1 NtQuerySection(>) 3 NtQuerySystemInformation(>) 16
NtContinue(>) 1 NtUserGetThreadDesktop(>) 1 NtSetInformationObject(>) 3 NtFlushInstructionCache(>) 19
NtCreateProcessEx(>) 1 NtWaitForSingleObject(>) 1 NtUserRegisterWindowMessage(>) 3 NtOpenProcess(>) 19
NtDelayExecution(>) 1 NtWriteFile(>) 1 NtFsControlFile(>) 4 NtOpenProcessTokenEx(>) 24
NtDuplicateToken(>) 1 NtAccessCheck(>) 2 NtOpenThreadToken(>) 4 NtOpenThreadTokenEx(>) 24
NtEnumerateValueKey(>) 1 NtCreateIoCompletion(>) 2 NtReadFile(>) 4 NtQueryInformationToken(>) 30
NtGdiCreateBitmap(>) 1 NtCreateThread(>) 2 NtReadVirtualMemory(>) 4 NtAllocateVirtualMemory(>) 33
NtGdiInit(>) 1 NtEnumerateKey(>) 2 NtGdiGetStockObject(>) 5 NtUnmapViewOfSection(>) 34
NtGdiQueryFontAssocInfo(>) 1 NtGdiCreateSolidBrush(>) 2 NtFreeVirtualMemory(>) 6 NtOpenSection(>) 38
NtGdiSelectBitmap(>) 1 NtOpenDirectoryObject(>) 2 NtOpenProcessToken(>) 6 NtQueryValueKey(>) 39
NtGetContextThread(>) 1 NtOpenMutant(>) 2 NtQueryDefaultUILanguage(>) 6 NtUserUnregisterClass(>) 45
NtOpenEvent(>) 1 NtOpenSymbolicLinkObject(>) 2 NtQueryInformationFile(>) 6 NtUserFindExistingCursorIcon(>) 48
NtOpenKeyedEvent(>) 1 NtQueryDirectoryFile(>) 2 NtSetInformationFile(>) 6 NtUserRegisterClassExWOW(>) 63
NtQueryInformationJobObject(>) 1 NtQueryInstallUILanguage(>) 2 NtCreateEvent(>) 7 NtWriteVirtualMemory(>) 66
NtQueryObject(>) 1 NtQuerySymbolicLinkObject(>) 2 NtQueryAttributesFile(>) 7 NtMapViewOfSection(>) 69
NtQuerySystemTime(>) 1 NtQueryVirtualMemory(>) 2 NtQueryInformationProcess(>) 7 NtUserGetClassInfo(>) 82
NtRegisterThreadTerminatePort(>) 1 NtQueryVolumeInformationFile(>) 2 NtRequestWaitReplyPort(>) 8 NtOpenKey(>) 94
NtReleaseMutant(>) 1 NtResumeThread(>) 2 NtSetInformationThread(>) 8 NtProtectVirtualMemory(>) 100
NtSecureConnectPort(>) 1 NtSetInformationProcess(>) 2 NtQueryDebugFilterState(>) 9 NtClose(>) 149
NtSetContextThread(>) 1 NtTerminateProcess(>) 2 NtCreateSection(>) 10
NtTestAlert(>) 1 NtCreateFile(>) 3

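Trace (one entry per call: sequence number, thread ID, service name, arguments, then "==" and the returned status or value):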

00001 532 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00002 532 NtOpenKeyedEvent (0x2000000, {24, 0, 0x0, 0, 0, (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0 00003 532 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00004 532 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0 00005 532 NtAllocateVirtualMemory (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0 00006 532 NtAllocateVirtualMemory (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0 00007 532 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00008 532 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0 00009 532 NtAllocateVirtualMemory (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0 00010 532 NtOpenDirectoryObject (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0 00011 532 NtOpenSymbolicLinkObject (0x1, {24, 8, 0x40, 0, 0, (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0 00012 532 NtQuerySymbolicLinkObject (12, ... (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0 00013 532 NtClose (12, ... 
) == 0x0 00014 532 NtOpenFile (0x100020, {24, 0, 0x42, 0, 0, (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0 00015 532 NtQueryVolumeInformationFile (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00016 532 NtFsControlFile (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER 00017 532 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00018 532 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0 00019 532 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0 00020 532 NtClose (16, ... ) == 0x0 00021 532 NtQuerySystemInformation (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0 00022 532 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00023 532 NtCreateSection (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0 00024 532 NtSecureConnectPort ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18481152}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18481152}, {0, 0, 0}, 200, 44, ) == 0x0 00025 532 NtClose (16, ... ) == 0x0 00026 532 NtQueryObject (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0 00027 532 NtSetInformationObject (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0 00028 532 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00029 532 NtQueryVirtualMemory (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0 00030 532 NtAllocateVirtualMemory (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0 00031 532 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 0, 0, 0, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" ... {28, 56, reply, 0, 520, 532, 1527, 0} "X\257\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" ) ... {28, 56, reply, 0, 520, 532, 1527, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" ... {28, 56, reply, 0, 520, 532, 1527, 0} "X\257\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" ) ) == 0x0 00032 532 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00033 532 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0 00034 532 NtQueryValueKey (16, (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00035 532 NtClose (16, ... ) == 0x0 00036 532 NtOpenMutant (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0 00037 532 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 28, ) == 0x0 00038 532 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... 
(0x260000), 0x0, 90112, ) == 0x0 00039 532 NtClose (28, ... ) == 0x0 00040 532 NtQueryDefaultLocale (0, 2012046252, ... ) == 0x0 00041 532 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0 00042 532 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 212992, ) == 0x0 00043 532 NtClose (28, ... ) == 0x0 00044 532 NtOpenSection (0x5, {24, 0, 0x40, 0, 0, (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0 00045 532 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0 00046 532 NtQuerySection (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0 00047 532 NtClose (28, ... ) == 0x0 00048 532 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0 00049 532 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0 00050 532 NtClose (28, ... ) == 0x0 00051 532 NtQueryVirtualMemory (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 00052 532 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00053 532 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00054 532 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" ... {28, 56, reply, 0, 520, 532, 1531, 0} "\230\243\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" ) ... 
{28, 56, reply, 0, 520, 532, 1531, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" ... {28, 56, reply, 0, 520, 532, 1531, 0} "\230\243\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" ) ) == 0x0 00055 532 NtProtectVirtualMemory (-1, (0x407000), 1514, 4, ... (0x407000), 4096, 8, ) == 0x0 00056 532 NtProtectVirtualMemory (-1, (0x407000), 4096, 8, ... (0x407000), 4096, 4, ) == 0x0 00057 532 NtFlushInstructionCache (-1, 4222976, 1514, ... ) == 0x0 00058 532 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "user32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00059 532 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0 00060 532 NtClose (28, ... ) == 0x0 00061 532 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00062 532 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0 00063 532 NtClose (28, ... ) == 0x0 00064 532 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00065 532 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0 00066 532 NtClose (28, ... ) == 0x0 00067 532 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0 00068 532 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0 00069 532 NtClose (28, ... ) == 0x0 00070 532 NtProtectVirtualMemory (-1, (0x407000), 1514, 4, ... (0x407000), 4096, 4, ) == 0x0 00071 532 NtProtectVirtualMemory (-1, (0x407000), 4096, 4, ... (0x407000), 4096, 4, ) == 0x0 00072 532 NtFlushInstructionCache (-1, 4222976, 1514, ... ) == 0x0 00073 532 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "oleaut32.dll"}, ... 28, ) }, ... 
28, ) == 0x0 00074 532 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0 00075 532 NtClose (28, ... ) == 0x0 00076 532 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "MSVCRT.DLL"}, ... 28, ) }, ... 28, ) == 0x0 00077 532 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0 00078 532 NtClose (28, ... ) == 0x0 00079 532 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "OLE32.DLL"}, ... 28, ) }, ... 28, ) == 0x0 00080 532 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0 00081 532 NtClose (28, ... ) == 0x0 00082 532 NtProtectVirtualMemory (-1, (0x407000), 1514, 4, ... (0x407000), 4096, 4, ) == 0x0 00083 532 NtProtectVirtualMemory (-1, (0x407000), 4096, 4, ... (0x407000), 4096, 4, ) == 0x0 00084 532 NtFlushInstructionCache (-1, 4222976, 1514, ... ) == 0x0 00085 532 NtProtectVirtualMemory (-1, (0x407000), 1514, 4, ... (0x407000), 4096, 4, ) == 0x0 00086 532 NtProtectVirtualMemory (-1, (0x407000), 4096, 4, ... (0x407000), 4096, 4, ) == 0x0 00087 532 NtFlushInstructionCache (-1, 4222976, 1514, ... ) == 0x0 00088 532 NtProtectVirtualMemory (-1, (0x407000), 1514, 4, ... (0x407000), 4096, 4, ) == 0x0 00089 532 NtProtectVirtualMemory (-1, (0x407000), 4096, 4, ... (0x407000), 4096, 4, ) == 0x0 00090 532 NtFlushInstructionCache (-1, 4222976, 1514, ... ) == 0x0 00091 532 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "shell32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00092 532 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 8339456, ) == 0x0 00093 532 NtClose (28, ... ) == 0x0 00094 532 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 28, ) }, ... 28, ) == 0x0 00095 532 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x772d0000), 0x0, 405504, ) == 0x0 00096 532 NtClose (28, ... 
) == 0x0 00097 532 NtProtectVirtualMemory (-1, (0x407000), 1514, 4, ... (0x407000), 4096, 4, ) == 0x0 00098 532 NtProtectVirtualMemory (-1, (0x407000), 4096, 4, ... (0x407000), 4096, 4, ) == 0x0 00099 532 NtFlushInstructionCache (-1, 4222976, 1514, ... ) == 0x0 00100 532 NtProtectVirtualMemory (-1, (0x407000), 1514, 4, ... (0x407000), 4096, 4, ) == 0x0 00101 532 NtProtectVirtualMemory (-1, (0x407000), 4096, 4, ... (0x407000), 4096, 4, ) == 0x0 00102 532 NtFlushInstructionCache (-1, 4222976, 1514, ... ) == 0x0 00103 532 NtOpenProcessToken (-1, 0x8, ... 28, ) == 0x0 00104 532 NtQueryInformationToken (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00105 532 NtClose (28, ... ) == 0x0 00106 532 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0 00107 532 NtQueryValueKey (28, (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00108 532 NtClose (28, ... ) == 0x0 00109 532 NtAllocateVirtualMemory (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0 00110 532 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0 00111 532 NtQueryValueKey (28, (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00112 532 NtQueryValueKey (28, (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... 
TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00113 532 NtClose (28, ... ) == 0x0 00114 532 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0 00115 532 NtQueryValueKey (28, (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00116 532 NtClose (28, ... ) == 0x0 00117 532 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0 00118 532 NtSetInformationObject (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0 00119 532 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00120 532 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00121 532 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566} (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566} "\210\6\32\1\0\0\0\0\314\4\23\0Ck\314\235\3\0\0\0\234\6\32\1$\1\0\0" ... {28, 56, reply, 0, 520, 532, 1561, 0} "XQ\26\0\0\0\0\0\0\0\0\0Ck\314\235\3\0\0\0\234\6\32\1$\1\0\0" ) ... {28, 56, reply, 0, 520, 532, 1561, 0} (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566} "\210\6\32\1\0\0\0\0\314\4\23\0Ck\314\235\3\0\0\0\234\6\32\1$\1\0\0" ... {28, 56, reply, 0, 520, 532, 1561, 0} "XQ\26\0\0\0\0\0\0\0\0\0Ck\314\235\3\0\0\0\234\6\32\1$\1\0\0" ) ) == 0x0 00122 532 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00123 532 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x430000), 0x0, 1060864, ) == 0x0 00124 532 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 36, ) == 0x0 00125 532 NtOpenThreadTokenEx (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN 00126 532 NtOpenProcessTokenEx (-1, 0x8, 512, ... -2147482020, ) == 0x0 00127 532 NtQueryInformationToken (-2147482020, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL 00128 532 NtQueryInformationToken (-2147482020, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00129 532 NtClose (-2147482020, ... ) == 0x0 00130 532 NtAllocateVirtualMemory (-1, 0, 0, 32, 4096, 4, ... 4128768, 4096, ) == 0x0 00131 532 NtFreeVirtualMemory (-1, (0x3f0000), 4096, 32768, ... (0x3f0000), 4096, ) == 0x0 00132 532 NtDuplicateObject (-1, 40, -1, 0x0, 0, 2, ... 48, ) == 0x0 00133 532 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00134 532 NtQueryValueKey (-2147482020, (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00135 532 NtClose (-2147482020, ... ) == 0x0 00136 532 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00137 532 NtQueryValueKey (-2147482020, (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00138 532 NtClose (-2147482020, ... ) == 0x0 00139 532 NtQueryDefaultLocale (0, -135230964, ... ) == 0x0 00140 532 NtGdiQueryFontAssocInfo (0, ... ) == 0x0 00141 532 NtUserCallNoParam (24, ... ) == 0x0 00142 532 NtGdiCreateCompatibleDC (0, ... 00143 532 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 4128768, 4096, ) == 0x0 00142 532 NtGdiCreateCompatibleDC ... 
) == 0xf010451 00144 532 NtGdiGetStockObject (0, ... ) == 0x1900010 00145 532 NtGdiGetStockObject (4, ... ) == 0x1900011 00146 532 NtGdiCreateBitmap (8, 8, 1, 1, 2010393708, ... ) == 0xb050458 00147 532 NtGdiCreateSolidBrush (0, 0, ... 00148 532 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 8650752, 4096, ) == 0x0 00147 532 NtGdiCreateSolidBrush ... ) == 0x810045b 00149 532 NtGdiGetStockObject (13, ... ) == 0x18a0021 00150 532 NtGdiCreateCompatibleDC (0, ... ) == 0x601045c 00151 532 NtGdiSelectBitmap (100729948, 184878168, ... ) == 0x185000f 00152 532 NtUserGetThreadDesktop (532, 0, ... ) == 0x2c 00153 532 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 52, ) }, ... 52, ) == 0x0 00154 532 NtQueryValueKey (52, (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 00155 532 NtClose (52, ... ) == 0x0 00156 532 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00157 532 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 673, 128, 0, ... ) == 0x810cc017 00158 532 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00159 532 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 674, 128, 0, ... ) == 0x810cc01c 00160 532 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00161 532 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 675, 128, 0, ... ) == 0x810cc01e 00162 532 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00163 532 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 676, 128, 0, ... ) == 0x810c8002 00164 532 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... 
) == 0x10013 00165 532 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 677, 128, 0, ... ) == 0x810cc018 00166 532 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00167 532 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 678, 128, 0, ... ) == 0x810cc01a 00168 532 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00169 532 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 679, 128, 0, ... ) == 0x810cc01d 00170 532 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00171 532 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 681, 128, 0, ... ) == 0x810cc026 00172 532 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00173 532 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 680, 128, 0, ... ) == 0x810cc019 00174 532 NtUserRegisterClassExWOW (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810cc020 00175 532 NtUserRegisterClassExWOW (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810cc022 00176 532 NtUserRegisterClassExWOW (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810cc023 00177 532 NtUserRegisterClassExWOW (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810cc024 00178 532 NtUserRegisterClassExWOW (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... 00179 532 NtAllocateVirtualMemory (-1, 5615616, 0, 4096, 4096, 32, ... 5615616, 4096, ) == 0x0 00178 532 NtUserRegisterClassExWOW ... ) == 0x810cc025 00180 532 NtCallbackReturn (0, 0, 0, ... 00181 532 NtGdiInit (... ) == 0x1 00182 532 NtGdiGetStockObject (18, ... ) == 0x290001c 00183 532 NtGdiGetStockObject (19, ... ) == 0x1b00019 00184 532 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00185 532 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 8716288, 65536, ) == 0x0 00186 532 NtAllocateVirtualMemory (-1, 8716288, 0, 4096, 4096, 4, ... 8716288, 4096, ) == 0x0 00187 532 NtAllocateVirtualMemory (-1, 8720384, 0, 8192, 4096, 4, ... 8720384, 8192, ) == 0x0 00188 532 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 52, ) }, ... 52, ) == 0x0 00189 532 NtMapViewOfSection (52, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x860000), 0x0, 12288, ) == 0x0 00190 532 NtClose (52, ... ) == 0x0 00191 532 NtAllocateVirtualMemory (-1, 8728576, 0, 4096, 4096, 4, ... 8728576, 4096, ) == 0x0 00192 532 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00193 532 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00194 532 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 52, ) }, ... 52, ) == 0x0 00195 532 NtQueryValueKey (52, (52, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (52, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0 00196 532 NtClose (52, ... ) == 0x0 00197 532 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00198 532 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00199 532 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00200 532 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00201 532 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 52, ) }, ... 52, ) == 0x0 00202 532 NtQueryValueKey (52, (52, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00203 532 NtQueryValueKey (52, (52, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00204 532 NtQueryValueKey (52, (52, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00205 532 NtClose (52, ... ) == 0x0 00206 532 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 52, ) }, ... 52, ) == 0x0 00207 532 NtQueryValueKey (52, (52, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00208 532 NtQueryValueKey (52, (52, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00209 532 NtClose (52, ... 
) == 0x0 00210 532 NtOpenDirectoryObject (0x2000f, {24, 0, 0x40, 0, 0, (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 52, ) }, ... 52, ) == 0x0 00211 532 NtOpenEvent (0x1f0003, {24, 52, 0x0, 0, 0, (0x1f0003, {24, 52, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00212 532 NtUserRegisterWindowMessage ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b 00213 532 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00214 532 NtAllocateVirtualMemory (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0 00215 532 NtOpenKey (0x9, {24, 28, 0x40, 0, 0, (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00216 532 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 56, ) }, ... 56, ) == 0x0 00217 532 NtQueryValueKey (56, (56, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00218 532 NtClose (56, ... ) == 0x0 00219 532 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00220 532 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00221 532 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 56, ) }, ... 56, ) == 0x0 00222 532 NtQueryValueKey (56, (56, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (56, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00223 532 NtClose (56, ... ) == 0x0 00224 532 NtQueryDefaultUILanguage (1241756, ... 
00225 532 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00226 532 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482020, ) == 0x0 00227 532 NtQueryInformationToken (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00228 532 NtClose (-2147482020, ... ) == 0x0 00229 532 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00230 532 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00231 532 NtOpenKey (0x80000000, {24, -2147482020, 0x640, 0, 0, (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 00232 532 NtQueryValueKey (-2147482032, (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00233 532 NtClose (-2147482032, ... ) == 0x0 00234 532 NtClose (-2147482020, ... ) == 0x0 00224 532 NtQueryDefaultUILanguage ... ) == 0x0 00235 532 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00236 532 NtQueryInstallUILanguage (2012047340, ... ) == 0x0 00237 532 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\shell32.dll"}, 1, 96, ... 56, {status=0x0, info=1}, ) }, 1, 96, ... 56, {status=0x0, info=1}, ) == 0x0 00238 532 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 56, ... 60, ) == 0x0 00239 532 NtMapViewOfSection (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x870000), 0x0, 8323072, ) == 0x0 00240 532 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\shell32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00241 532 NtQueryDefaultUILanguage (2013024600, ... 00242 532 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00243 532 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482020, ) == 0x0 00244 532 NtQueryInformationToken (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00245 532 NtClose (-2147482020, ... ) == 0x0 00246 532 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00247 532 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00248 532 NtOpenKey (0x80000000, {24, -2147482020, 0x640, 0, 0, (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 00249 532 NtQueryValueKey (-2147482032, (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00250 532 NtClose (-2147482032, ... ) == 0x0 00251 532 NtClose (-2147482020, ... ) == 0x0 00241 532 NtQueryDefaultUILanguage ... ) == 0x0 00252 532 NtQueryInstallUILanguage (2013024602, ... ) == 0x0 00253 532 NtQueryDefaultLocale (1, 1239792, ... ) == 0x0 00254 532 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\shell32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00255 532 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1240648, 1, 96, 0} (24, {128, 156, new_msg, 0, 1240648, 1, 96, 0} "\210\6\32\1\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\18\0\0\0\377\377\377\377\0\0\0\0\20\311\276\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0H\365\22\0\0\0\0\0" ... 
{128, 156, reply, 0, 520, 532, 1562, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\18\0\0\0\377\377\377\377\0\0\0\0\20\311\276\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0H\365\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 520, 532, 1562, 0} (24, {128, 156, new_msg, 0, 1240648, 1, 96, 0} "\210\6\32\1\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\18\0\0\0\377\377\377\377\0\0\0\0\20\311\276\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0H\365\22\0\0\0\0\0" ... {128, 156, reply, 0, 520, 532, 1562, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\18\0\0\0\377\377\377\377\0\0\0\0\20\311\276\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0H\365\22\0\0\0\0\0" ) ) == 0x0 00256 532 NtClose (56, ... ) == 0x0 00257 532 NtClose (60, ... ) == 0x0 00258 532 NtUnmapViewOfSection (-1, 0x870000, ... ) == 0x0 00259 532 NtUnmapViewOfSection (-1, 0x12f548, ... ) == STATUS_NOT_MAPPED_VIEW 00260 532 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00261 532 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00262 532 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00263 532 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00264 532 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1238876, ... ) }, 1238876, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00265 532 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00266 532 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00267 532 NtQueryDebugFilterState (53, 2, ... 
) == 0x0 00268 532 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1239468, ... ) }, 1239468, ... ) == 0x0 00269 532 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 60, {status=0x0, info=1}, ) }, 3, 33, ... 60, {status=0x0, info=1}, ) == 0x0 00270 532 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00271 532 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 56, {status=0x0, info=1}, ) }, 5, 96, ... 56, {status=0x0, info=1}, ) == 0x0 00272 532 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 56, ... 64, ) == 0x0 00273 532 NtClose (56, ... ) == 0x0 00274 532 NtMapViewOfSection (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x870000), 0x0, 921600, ) == 0x0 00275 532 NtClose (64, ... ) == 0x0 00276 532 NtUnmapViewOfSection (-1, 0x870000, ... ) == 0x0 00277 532 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 64, {status=0x0, info=1}, ) }, 5, 96, ... 64, {status=0x0, info=1}, ) == 0x0 00278 532 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 64, ... 56, ) == 0x0 00279 532 NtQuerySection (56, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00280 532 NtOpenProcessToken (-1, 0x8, ... 68, ) == 0x0 00281 532 NtQueryInformationToken (68, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0 00282 532 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00283 532 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 72, ) }, ... 72, ) == 0x0 00284 532 NtQueryValueKey (72, (72, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (72, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00285 532 NtClose (72, ... ) == 0x0 00286 532 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00287 532 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 72, ) == 0x0 00288 532 NtQueryInformationToken (72, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00289 532 NtClose (72, ... ) == 0x0 00290 532 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00291 532 NtClose (68, ... ) == 0x0 00292 532 NtClose (64, ... ) == 0x0 00293 532 NtMapViewOfSection (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0 00294 532 NtClose (56, ... ) == 0x0 00295 532 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00296 532 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00297 532 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00298 532 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00299 532 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00300 532 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00301 532 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00302 532 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... 
(0x71951000), 4096, 4, ) == 0x0 00303 532 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00304 532 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00305 532 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00306 532 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00307 532 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00308 532 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00309 532 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00310 532 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00311 532 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00312 532 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00313 532 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00314 532 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00315 532 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00316 532 NtAddAtom ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1240652, ... ) , 42, 1240652, ... ) == 0x0 00317 532 NtQueryDefaultUILanguage (1239368, ... 00318 532 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00319 532 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482020, ) == 0x0 00320 532 NtQueryInformationToken (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00321 532 NtClose (-2147482020, ... ) == 0x0 00322 532 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... 
-2147482020, ) == 0x0 00323 532 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00324 532 NtOpenKey (0x80000000, {24, -2147482020, 0x640, 0, 0, (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 00325 532 NtQueryValueKey (-2147482032, (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00326 532 NtClose (-2147482032, ... ) == 0x0 00327 532 NtClose (-2147482020, ... ) == 0x0 00317 532 NtQueryDefaultUILanguage ... ) == 0x0 00328 532 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00329 532 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1238220, ... ) }, 1238220, ... ) == 0x0 00330 532 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 56, {status=0x0, info=1}, ) }, 5, 96, ... 56, {status=0x0, info=1}, ) == 0x0 00331 532 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 56, ... 64, ) == 0x0 00332 532 NtClose (56, ... ) == 0x0 00333 532 NtMapViewOfSection (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x870000), 0x0, 4096, ) == 0x0 00334 532 NtClose (64, ... ) == 0x0 00335 532 NtUnmapViewOfSection (-1, 0x870000, ... ) == 0x0 00336 532 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1237860, ... ) }, 1237860, ... ) == 0x0 00337 532 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1238560, (0x80100080, {24, 0, 0x40, 0, 1238560, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 64, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 
64, {status=0x0, info=1}, ) == 0x0 00338 532 NtCreateSection (0xf0005, 0x0, 0x0, 2, 134217728, 64, ... 56, ) == 0x0 00339 532 NtClose (64, ... ) == 0x0 00340 532 NtMapViewOfSection (56, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x870000), {0, 0}, 4096, ) == 0x0 00341 532 NtClose (56, ... ) == 0x0 00342 532 NtUnmapViewOfSection (-1, 0x870000, ... ) == 0x0 00343 532 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 56, {status=0x0, info=1}, ) }, 1, 96, ... 56, {status=0x0, info=1}, ) == 0x0 00344 532 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 56, ... 64, ) == 0x0 00345 532 NtMapViewOfSection (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x870000), 0x0, 4096, ) == 0x0 00346 532 NtQueryInformationFile (56, 1238180, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0 00347 532 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00348 532 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1238260, 1, 96, 0} (24, {128, 156, new_msg, 0, 1238260, 1, 96, 0} "\210\6\32\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\32\18\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\32\1\0\0\0\0\0\0\0\0\364\353\22\0\0\0\0\0" ... {128, 156, reply, 0, 520, 532, 1563, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\32\18\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\32\1\0\0\0\0\0\0\0\0\364\353\22\0\0\0\0\0" ) ... 
{128, 156, reply, 0, 520, 532, 1563, 0} (24, {128, 156, new_msg, 0, 1238260, 1, 96, 0} "\210\6\32\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\32\18\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\32\1\0\0\0\0\0\0\0\0\364\353\22\0\0\0\0\0" ... {128, 156, reply, 0, 520, 532, 1563, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\32\18\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\32\1\0\0\0\0\0\0\0\0\364\353\22\0\0\0\0\0" ) ) == 0x0 00349 532 NtClose (56, ... ) == 0x0 00350 532 NtClose (64, ... ) == 0x0 00351 532 NtUnmapViewOfSection (-1, 0x870000, ... ) == 0x0 00352 532 NtUnmapViewOfSection (-1, 0x12ebf4, ... ) == STATUS_NOT_MAPPED_VIEW 00353 532 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00354 532 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 00355 532 NtUserSystemParametersInfo (104, 0, 1906151468, 0, ... ) == 0x1 00356 532 NtUserGetDC (0, ... ) == 0x1010050 00357 532 NtUserCallOneParam (16842832, 56, ... ) == 0x1 00358 532 NtUserSystemParametersInfo (38, 4, 1906153440, 0, ... ) == 0x1 00359 532 NtUserSystemParametersInfo (66, 12, 1240672, 0, ... ) == 0x1 00360 532 NtOpenProcessToken (-1, 0x8, ... 64, ) == 0x0 00361 532 NtAccessCheck (1326824, 64, 0x1, 1240076, 1240020, 56, 1240104, ... ) == STATUS_NO_IMPERSONATION_TOKEN 00362 532 NtClose (64, ... ) == 0x0 00363 532 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00364 532 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 64, ) == 0x0 00365 532 NtQueryInformationToken (64, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00366 532 NtClose (64, ... 
) == 0x0 00367 532 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 64, ) }, ... 64, ) == 0x0 00368 532 NtSetInformationObject (64, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0 00369 532 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "Control Panel\Desktop"}, ... 56, ) }, ... 56, ) == 0x0 00370 532 NtQueryValueKey (56, (56, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00371 532 NtClose (56, ... ) == 0x0 00372 532 NtUserSystemParametersInfo (41, 500, 1240172, 0, ... ) == 0x1 00373 532 NtAllocateVirtualMemory (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0 00374 532 NtOpenKey (0x1, {24, 64, 0x40, 0, 0, (0x1, {24, 64, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 56, ) }, ... 56, ) == 0x0 00375 532 NtQueryValueKey (56, (56, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00376 532 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 68, ) }, ... 68, ) == 0x0 00377 532 NtQueryValueKey (68, (68, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00378 532 NtClose (68, ... ) == 0x0 00379 532 NtClose (56, ... ) == 0x0 00380 532 NtUserSystemParametersInfo (102, 0, 1906153328, 0, ... ) == 0x1 00381 532 NtUserSystemParametersInfo (4130, 0, 1240696, 0, ... ) == 0x1 00382 532 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 56, ) }, ... 56, ) == 0x0 00383 532 NtEnumerateValueKey (56, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 00384 532 NtClose (56, ... ) == 0x0 00385 532 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... 
) == 0x10011 00386 532 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc03b 00387 532 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc03d 00388 532 NtUserFindExistingCursorIcon (1239976, 1239992, 1240560, ... ) == 0x10011 00389 532 NtUserRegisterClassExWOW (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810cc03f 00390 532 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00391 532 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc041 00392 532 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00393 532 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc043 00394 532 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc045 00395 532 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00396 532 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc047 00397 532 NtUserFindExistingCursorIcon (1239976, 1239992, 1240560, ... ) == 0x10011 00398 532 NtUserRegisterClassExWOW (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810cc049 00399 532 NtUserGetClassInfo (1905590272, 1240592, 1240544, 1240620, 0, ... ) == 0xc049 00400 532 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00401 532 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc04b 00402 532 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00403 532 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc04d 00404 532 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00405 532 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc04f 00406 532 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... 
) == 0x810cc051 00407 532 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00408 532 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc053 00409 532 NtUserFindExistingCursorIcon (1239976, 1239992, 1240560, ... ) == 0x10011 00410 532 NtUserRegisterClassExWOW (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810cc055 00411 532 NtUserRegisterClassExWOW (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810cc057 00412 532 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00413 532 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc059 00414 532 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10013 00415 532 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc05b 00416 532 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00417 532 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc05d 00418 532 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00419 532 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc05f 00420 532 NtUserFindExistingCursorIcon (1239976, 1239992, 1240560, ... ) == 0x10011 00421 532 NtUserRegisterClassExWOW (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810cc017 00422 532 NtUserFindExistingCursorIcon (1239976, 1239992, 1240560, ... ) == 0x10011 00423 532 NtUserRegisterClassExWOW (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810cc019 00424 532 NtUserFindExistingCursorIcon (1239976, 1239992, 1240560, ... ) == 0x10013 00425 532 NtUserRegisterClassExWOW (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810cc018 00426 532 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00427 532 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... 
) == 0x810cc01a 00428 532 NtUserFindExistingCursorIcon (1239976, 1239992, 1240560, ... ) == 0x10011 00429 532 NtUserRegisterClassExWOW (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810cc01c 00430 532 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00431 532 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc01e 00432 532 NtUserFindExistingCursorIcon (1239976, 1239992, 1240560, ... ) == 0x10011 00433 532 NtUserRegisterClassExWOW (1240488, 1240568, 1240552, 1240584, 0, 384, 0, ... ) == 0x810cc01b 00434 532 NtUserFindExistingCursorIcon (1239972, 1239988, 1240556, ... ) == 0x10011 00435 532 NtUserRegisterClassExWOW (1240484, 1240564, 1240548, 1240580, 0, 384, 0, ... ) == 0x810cc068 00436 532 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00437 532 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... 00438 532 NtAllocateVirtualMemory (-1, 5619712, 0, 4096, 4096, 32, ... 5619712, 4096, ) == 0x0 00437 532 NtUserRegisterClassExWOW ... ) == 0x810cc06a 00439 532 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "comctl32.dll"}, ... 56, ) }, ... 56, ) == 0x0 00440 532 NtMapViewOfSection (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0 00441 532 NtClose (56, ... ) == 0x0 00442 532 NtOpenProcess (0x400, {24, 0, 0x0, 0, 0, 0x0}, {520, 0}, ... 56, ) == 0x0 00443 532 NtQueryInformationProcess (56, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0 00444 532 NtClose (56, ... ) == 0x0 00445 532 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 00446 532 NtUserSystemParametersInfo (104, 0, 2000318720, 0, ... ) == 0x1 00447 532 NtUserSystemParametersInfo (38, 4, 2000318708, 0, ... ) == 0x1 00448 532 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "Control Panel\Desktop"}, ... 56, ) }, ... 56, ) == 0x0 00449 532 NtQueryValueKey (56, (56, "SmoothScroll", Partial, 144, ... 
) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00450 532 NtClose (56, ... ) == 0x0 00451 532 NtUserSystemParametersInfo (41, 500, 1241332, 0, ... ) == 0x1 00452 532 NtUserSystemParametersInfo (102, 0, 2000318732, 0, ... ) == 0x1 00453 532 NtUserGetClassInfo (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0 00454 532 NtUserFindExistingCursorIcon (1241124, 1241140, 1241708, ... ) == 0x10011 00455 532 NtUserRegisterClassExWOW (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810cc03b 00456 532 NtUserGetClassInfo (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0 00457 532 NtUserRegisterClassExWOW (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810cc03d 00458 532 NtUserGetClassInfo (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0 00459 532 NtUserFindExistingCursorIcon (1241124, 1241140, 1241708, ... ) == 0x10011 00460 532 NtUserRegisterClassExWOW (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810cc03f 00461 532 NtUserGetClassInfo (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0 00462 532 NtUserFindExistingCursorIcon (1241124, 1241140, 1241708, ... ) == 0x10011 00463 532 NtUserRegisterClassExWOW (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810cc041 00464 532 NtUserGetClassInfo (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0 00465 532 NtUserFindExistingCursorIcon (1241124, 1241140, 1241708, ... ) == 0x10011 00466 532 NtUserRegisterClassExWOW (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810cc043 00467 532 NtUserGetClassInfo (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0 00468 532 NtUserRegisterClassExWOW (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810cc045 00469 532 NtUserGetClassInfo (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0 00470 532 NtUserFindExistingCursorIcon (1241124, 1241140, 1241708, ... ) == 0x10011 00471 532 NtUserRegisterClassExWOW (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... 
) == 0x810cc047 00472 532 NtUserGetClassInfo (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0 00473 532 NtUserFindExistingCursorIcon (1241120, 1241136, 1241704, ... ) == 0x10011 00474 532 NtUserRegisterClassExWOW (1241572, 1241652, 1241636, 1241668, 0, 384, 0, ... ) == 0x810cc049 00475 532 NtUserGetClassInfo (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0 00476 532 NtUserFindExistingCursorIcon (1241124, 1241140, 1241708, ... ) == 0x10011 00477 532 NtUserRegisterClassExWOW (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810cc04b 00478 532 NtUserGetClassInfo (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0 00479 532 NtUserFindExistingCursorIcon (1241124, 1241140, 1241708, ... ) == 0x10011 00480 532 NtUserRegisterClassExWOW (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810cc04d 00481 532 NtUserGetClassInfo (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0 00482 532 NtUserFindExistingCursorIcon (1241124, 1241140, 1241708, ... ) == 0x10011 00483 532 NtUserRegisterClassExWOW (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810cc04f 00484 532 NtUserGetClassInfo (1999896576, 1241744, 1241696, 1241772, 0, ... ) == 0x0 00485 532 NtUserRegisterClassExWOW (1241580, 1241660, 1241644, 1241676, 0, 384, 0, ... ) == 0x810cc051 00486 532 NtUserGetClassInfo (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0 00487 532 NtUserFindExistingCursorIcon (1241124, 1241140, 1241708, ... ) == 0x10011 00488 532 NtUserRegisterClassExWOW (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810cc053 00489 532 NtUserGetClassInfo (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0 00490 532 NtUserFindExistingCursorIcon (1241124, 1241140, 1241708, ... ) == 0x10011 00491 532 NtUserRegisterClassExWOW (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810cc055 00492 532 NtUserRegisterClassExWOW (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... 
) == 0x810cc057 00493 532 NtUserGetClassInfo (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0 00494 532 NtUserFindExistingCursorIcon (1241124, 1241140, 1241708, ... ) == 0x10011 00495 532 NtUserRegisterClassExWOW (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810cc059 00496 532 NtUserGetClassInfo (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0 00497 532 NtUserFindExistingCursorIcon (1241124, 1241140, 1241708, ... ) == 0x10013 00498 532 NtUserRegisterClassExWOW (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810cc05b 00499 532 NtUserGetClassInfo (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0 00500 532 NtUserFindExistingCursorIcon (1241124, 1241140, 1241708, ... ) == 0x10011 00501 532 NtUserRegisterClassExWOW (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810cc05d 00502 532 NtUserGetClassInfo (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0 00503 532 NtUserFindExistingCursorIcon (1241124, 1241140, 1241708, ... ) == 0x10011 00504 532 NtUserRegisterClassExWOW (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810cc05f 00505 532 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc03b 00506 532 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc03d 00507 532 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc03f 00508 532 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc041 00509 532 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc043 00510 532 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc045 00511 532 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc047 00512 532 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc049 00513 532 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc04b 00514 532 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... 
) == 0xc04d 00515 532 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc04f 00516 532 NtUserGetClassInfo (1999896576, 1243496, 1243448, 1243524, 0, ... ) == 0xc051 00517 532 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc053 00518 532 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc055 00519 532 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc059 00520 532 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc05b 00521 532 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc05d 00522 532 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc05f 00523 532 NtTestAlert (... ) == 0x0 00524 532 NtContinue (1244464, 1, ... 00525 532 NtSetInformationThread (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x429400,}, 4, ... ) == 0x0 00526 532 NtCreateEvent (0x1f0003, {24, 52, 0x80, 1245092, 0, (0x1f0003, {24, 52, 0x80, 1245092, 0, "VT_3"}, 1, 0, ... 56, ) }, 1, 0, ... 56, ) == 0x0 00527 532 NtCreateSection (0xf0007, {24, 52, 0x80, 1245092, 0, (0xf0007, {24, 52, 0x80, 1245092, 0, "W32_Virtu"}, {22585, 0}, 4, 134217728, 0, ... 68, ) }, {22585, 0}, 4, 134217728, 0, ... 68, ) == 0x0 00528 532 NtMapViewOfSection (68, -1, (0x0), 0, 22585, 0x0, 22585, 2, 0, 4, ... (0x870000), 0x0, 24576, ) == 0x0 00529 532 NtOpenProcessToken (-1, 0x20, ... 72, ) == 0x0 00530 532 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00531 532 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00532 532 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 76, ) }, ... 76, ) == 0x0 00533 532 NtQueryValueKey (76, (76, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00534 532 NtClose (76, ... ) == 0x0 00535 532 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00536 532 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 76, ) == 0x0 00537 532 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 80, ) == 0x0 00538 532 NtQuerySystemTime (... {-472146290, 29889239}, ) == 0x0 00539 532 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 84, ) == 0x0 00540 532 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00541 532 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0 00542 532 NtQueryInformationProcess (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0 00543 532 NtQueryInformationProcess (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0 00544 532 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 88, ) == 0x0 00545 532 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 92, ) == 0x0 00546 532 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 96, ) }, ... 96, ) == 0x0 00547 532 NtOpenKey (0x20019, {24, 96, 0x40, 0, 0, (0x20019, {24, 96, 0x40, 0, 0, "ActiveComputerName"}, ... 100, ) }, ... 100, ) == 0x0 00548 532 NtQueryValueKey (100, (100, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... 
TitleIdx=0, Type=1, Name= (100, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (100, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0 00549 532 NtClose (100, ... ) == 0x0 00550 532 NtClose (96, ... ) == 0x0 00551 532 NtCreateIoCompletion (0x1f0003, 0x0, 0, ... 96, ) == 0x0 00552 532 NtCreateIoCompletion (0x1f0003, 0x0, -1, ... 100, ) == 0x0 00553 532 NtDuplicateObject (-1, 96, -1, 0x0, 0, 2, ... 104, ) == 0x0 00554 532 NtAllocateVirtualMemory (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0 00555 532 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 00556 532 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 108, ) == 0x0 00557 532 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 00558 532 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 00559 532 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1243268, (0xc0100080, {24, 0, 0x40, 0, 1243268, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 112, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 112, {status=0x0, info=1}, ) == 0x0 00560 532 NtSetInformationFile (112, 1243324, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 00561 532 NtSetInformationFile (112, 1243316, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 00562 532 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 00563 532 NtWriteFile (112, 89, 0, 0, (112, 89, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 00564 532 NtReadFile (112, 89, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (112, 89, 0, 0, 1024, {0, 0}, 0, ... 
{status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\365\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 00565 532 NtFsControlFile (112, 89, 0x0, 0x0, 0x11c017, (112, 89, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0<\377\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\365\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68}, (112, 89, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0<\377\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\365\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 00566 532 NtFsControlFile (112, 89, 0x0, 0x0, 0x11c017, (112, 89, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\2\0\0\0H\0\0\0\0\0\37\0\0\0\0\0!Z\251\34\313~\334\21\261\310\0\14)\371\246\305 \0"\0\250D\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 96, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0!Z\251\34\313~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) \0\250D\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0 (112, 89, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\2\0\0\0H\0\0\0\0\0\37\0\0\0\0\0!Z\251\34\313~\334\21\261\310\0\14)\371\246\305 \0"\0\250D\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 96, 1024, ... 
{status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0!Z\251\34\313~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) \5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0!Z\251\34\313~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) == 0x103 00567 532 NtFsControlFile (112, 89, 0x0, 0x0, 0x11c017, (112, 89, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0!Z\251\34\313~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=36}, (112, 89, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0!Z\251\34\313~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103 00568 532 NtClose (108, ... ) == 0x0 00569 532 NtClose (112, ... ) == 0x0 00570 532 NtAdjustPrivilegesToken (72, 0, 1245096, 0, 0, 0, ... ) == 0x0 00571 532 NtClose (72, ... ) == 0x0 00572 532 NtAllocateVirtualMemory (-1, 0, 0, 65536, 4096, 4, ... 8978432, 65536, ) == 0x0 00573 532 NtQuerySystemInformation (ProcessesAndThreads, 65536, ... {system info, class 5, size 500}, 0x0, ) == 0x0 00574 532 NtCreateSection (0xf0007, 0x0, {12284, 0}, 4, 134217728, 0, ... 72, ) == 0x0 00575 532 NtMapViewOfSection (72, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x8a0000), {0, 0}, 12288, ) == 0x0 00576 532 NtUnmapViewOfSection (-1, 0x8a0000, ... ) == 0x0 00577 532 NtMapViewOfSection (72, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x8a0000), {0, 0}, 12288, ) == 0x0 00578 532 NtFreeVirtualMemory (-1, (0x890000), 0, 32768, ... (0x890000), 65536, ) == 0x0 00579 532 NtUnmapViewOfSection (-1, 0x8a0000, ... ) == 0x0 00580 532 NtMapViewOfSection (72, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x890000), {0, 0}, 12288, ) == 0x0 00581 532 NtUnmapViewOfSection (-1, 0x890000, ... 
) == 0x0 00582 532 NtMapViewOfSection (72, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x890000), {0, 0}, 12288, ) == 0x0 00583 532 NtUnmapViewOfSection (-1, 0x890000, ... ) == 0x0 00584 532 NtMapViewOfSection (72, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x890000), {0, 0}, 12288, ) == 0x0 00585 532 NtUnmapViewOfSection (-1, 0x890000, ... ) == 0x0 00586 532 NtMapViewOfSection (72, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x890000), {0, 0}, 12288, ) == 0x0 00587 532 NtUnmapViewOfSection (-1, 0x890000, ... ) == 0x0 00588 532 NtMapViewOfSection (72, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x890000), {0, 0}, 12288, ) == 0x0 00589 532 NtUnmapViewOfSection (-1, 0x890000, ... ) == 0x0 00590 532 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {616, 0}, ... 112, ) == 0x0 00591 532 NtOpenSection (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 108, ) == 0x0 00592 532 NtMapViewOfSection (108, 112, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ff90000), 0x0, 24576, ) == 0x0 00593 532 NtClose (108, ... ) == 0x0 00594 532 NtProtectVirtualMemory (112, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00595 532 NtWriteVirtualMemory (112, 0x77f7e603, "\350q-\1\10", 5, ... 0x0, ) == 0x0 00596 532 NtProtectVirtualMemory (112, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00597 532 NtWriteVirtualMemory (112, 0x77f7e6a3, "\350\36-\1\10", 5, ... 0x0, ) == 0x0 00598 532 NtProtectVirtualMemory (112, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00599 532 NtWriteVirtualMemory (112, 0x77f7e6b3, "\350\33-\1\10", 5, ... 0x0, ) == 0x0 00600 532 NtAllocateVirtualMemory (112, 0, 0, 1048576, 8192, 4, ... 22020096, 1048576, ) == 0x0 00601 532 NtAllocateVirtualMemory (112, 23048192, 0, 20480, 4096, 4, ... 23048192, 20480, ) == 0x0 00602 532 NtProtectVirtualMemory (112, (0x15fb000), 4096, 260, ... 
(0x15fb000), 4096, 4, ) == 0x0 00603 532 NtCreateThread (0x1f03ff, 0x0, 112, 1244008, 1244724, 1, ... 108, {616, 900}, ) == 0x0 00604 532 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1244852, 2012750850, 2012697848, -1} "\0\0\0\0\1\0\1\0\0\0\24\0\0\0\0\0l\0\0\0h\2\0\0\204\3\0\0" ... {28, 56, reply, 0, 520, 532, 1564, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0l\0\0\0h\2\0\0\204\3\0\0" ) == 0x0 00605 532 NtResumeThread (108, ... 1, ) == 0x0 00606 532 NtClose (112, ... ) == 0x0 00607 532 NtMapViewOfSection (72, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x890000), {0, 0}, 12288, ) == 0x0 00608 532 NtUnmapViewOfSection (-1, 0x890000, ... ) == 0x0 00609 532 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {660, 0}, ... 112, ) == 0x0 00610 532 NtOpenSection (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 116, ) == 0x0 00611 532 NtMapViewOfSection (116, 112, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ff90000), 0x0, 24576, ) == 0x0 00612 532 NtClose (116, ... ) == 0x0 00613 532 NtProtectVirtualMemory (112, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00614 532 NtWriteVirtualMemory (112, 0x77f7e603, "\350q-\1\10", 5, ... 0x0, ) == 0x0 00615 532 NtProtectVirtualMemory (112, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00616 532 NtWriteVirtualMemory (112, 0x77f7e6a3, "\350\36-\1\10", 5, ... 0x0, ) == 0x0 00617 532 NtProtectVirtualMemory (112, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00618 532 NtWriteVirtualMemory (112, 0x77f7e6b3, "\350\33-\1\10", 5, ... 
0x0, ) == 0x0 00619 532 NtClose (112, ... ) == 0x0 00620 532 NtMapViewOfSection (72, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x890000), {0, 0}, 12288, ) == 0x0 00621 532 NtUnmapViewOfSection (-1, 0x890000, ... ) == 0x0 00622 532 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {672, 0}, ... 112, ) == 0x0 00623 532 NtOpenSection (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 116, ) == 0x0 00624 532 NtMapViewOfSection (116, 112, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ff90000), 0x0, 24576, ) == 0x0 00625 532 NtClose (116, ... ) == 0x0 00626 532 NtProtectVirtualMemory (112, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00627 532 NtWriteVirtualMemory (112, 0x77f7e603, "\350q-\1\10", 5, ... 0x0, ) == 0x0 00628 532 NtProtectVirtualMemory (112, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00629 532 NtWriteVirtualMemory (112, 0x77f7e6a3, "\350\36-\1\10", 5, ... 0x0, ) == 0x0 00630 532 NtProtectVirtualMemory (112, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00631 532 NtWriteVirtualMemory (112, 0x77f7e6b3, "\350\33-\1\10", 5, ... 0x0, ) == 0x0 00632 532 NtClose (112, ... ) == 0x0 00633 532 NtMapViewOfSection (72, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x890000), {0, 0}, 12288, ) == 0x0 00634 532 NtUnmapViewOfSection (-1, 0x890000, ... ) == 0x0 00635 532 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {856, 0}, ... 112, ) == 0x0 00636 532 NtOpenSection (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 116, ) == 0x0 00637 532 NtMapViewOfSection (116, 112, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0 00638 532 NtClose (116, ... ) == 0x0 00639 532 NtProtectVirtualMemory (112, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00640 532 NtWriteVirtualMemory (112, 0x77f7e603, "\350q-\2\10", 5, ... 
0x0, ) == 0x0 00641 532 NtProtectVirtualMemory (112, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00642 532 NtWriteVirtualMemory (112, 0x77f7e6a3, "\350\36-\2\10", 5, ... 0x0, ) == 0x0 00643 532 NtProtectVirtualMemory (112, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00644 532 NtWriteVirtualMemory (112, 0x77f7e6b3, "\350\33-\2\10", 5, ... 0x0, ) == 0x0 00645 532 NtClose (112, ... ) == 0x0 00646 532 NtMapViewOfSection (72, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x890000), {0, 0}, 12288, ) == 0x0 00647 532 NtUnmapViewOfSection (-1, 0x890000, ... ) == 0x0 00648 532 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {976, 0}, ... 112, ) == 0x0 00649 532 NtOpenSection (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 116, ) == 0x0 00650 532 NtMapViewOfSection (116, 112, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ff70000), 0x0, 24576, ) == 0x0 00651 532 NtClose (116, ... ) == 0x0 00652 532 NtProtectVirtualMemory (112, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00653 532 NtWriteVirtualMemory (112, 0x77f7e603, "\350q-\377\7", 5, ... 0x0, ) == 0x0 00654 532 NtProtectVirtualMemory (112, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00655 532 NtWriteVirtualMemory (112, 0x77f7e6a3, "\350\36-\377\7", 5, ... 0x0, ) == 0x0 00656 532 NtProtectVirtualMemory (112, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00657 532 NtWriteVirtualMemory (112, 0x77f7e6b3, "\350\33-\377\7", 5, ... 0x0, ) == 0x0 00658 532 NtClose (112, ... ) == 0x0 00659 532 NtMapViewOfSection (72, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x890000), {0, 0}, 12288, ) == 0x0 00660 532 NtUnmapViewOfSection (-1, 0x890000, ... ) == 0x0 00661 532 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1060, 0}, ... 
112, ) == 0x0 00662 532 NtOpenSection (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 116, ) == 0x0 00663 532 NtMapViewOfSection (116, 112, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0 00664 532 NtClose (116, ... ) == 0x0 00665 532 NtProtectVirtualMemory (112, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00666 532 NtWriteVirtualMemory (112, 0x77f7e603, "\350q-\2\10", 5, ... 0x0, ) == 0x0 00667 532 NtProtectVirtualMemory (112, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00668 532 NtWriteVirtualMemory (112, 0x77f7e6a3, "\350\36-\2\10", 5, ... 0x0, ) == 0x0 00669 532 NtProtectVirtualMemory (112, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00670 532 NtWriteVirtualMemory (112, 0x77f7e6b3, "\350\33-\2\10", 5, ... 0x0, ) == 0x0 00671 532 NtClose (112, ... ) == 0x0 00672 532 NtMapViewOfSection (72, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x890000), {0, 0}, 12288, ) == 0x0 00673 532 NtUnmapViewOfSection (-1, 0x890000, ... ) == 0x0 00674 532 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1080, 0}, ... 112, ) == 0x0 00675 532 NtOpenSection (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 116, ) == 0x0 00676 532 NtMapViewOfSection (116, 112, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0 00677 532 NtClose (116, ... ) == 0x0 00678 532 NtProtectVirtualMemory (112, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00679 532 NtWriteVirtualMemory (112, 0x77f7e603, "\350q-\2\10", 5, ... 0x0, ) == 0x0 00680 532 NtProtectVirtualMemory (112, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00681 532 NtWriteVirtualMemory (112, 0x77f7e6a3, "\350\36-\2\10", 5, ... 
0x0, ) == 0x0 00682 532 NtProtectVirtualMemory (112, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00683 532 NtWriteVirtualMemory (112, 0x77f7e6b3, "\350\33-\2\10", 5, ... 0x0, ) == 0x0 00684 532 NtClose (112, ... ) == 0x0 00685 532 NtMapViewOfSection (72, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x890000), {0, 0}, 12288, ) == 0x0 00686 532 NtUnmapViewOfSection (-1, 0x890000, ... ) == 0x0 00687 532 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1400, 0}, ... 112, ) == 0x0 00688 532 NtOpenSection (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 116, ) == 0x0 00689 532 NtMapViewOfSection (116, 112, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0 00690 532 NtClose (116, ... ) == 0x0 00691 532 NtProtectVirtualMemory (112, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00692 532 NtWriteVirtualMemory (112, 0x77f7e603, "\350q-\2\10", 5, ... 0x0, ) == 0x0 00693 532 NtProtectVirtualMemory (112, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00694 532 NtWriteVirtualMemory (112, 0x77f7e6a3, "\350\36-\2\10", 5, ... 0x0, ) == 0x0 00695 532 NtProtectVirtualMemory (112, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00696 532 NtWriteVirtualMemory (112, 0x77f7e6b3, "\350\33-\2\10", 5, ... 0x0, ) == 0x0 00697 532 NtClose (112, ... ) == 0x0 00698 532 NtMapViewOfSection (72, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x890000), {0, 0}, 12288, ) == 0x0 00699 532 NtUnmapViewOfSection (-1, 0x890000, ... ) == 0x0 00700 532 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1644, 0}, ... 112, ) == 0x0 00701 532 NtOpenSection (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 116, ) == 0x0 00702 532 NtMapViewOfSection (116, 112, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... 
(0x7ffa0000), 0x0, 24576, ) == 0x0 00703 532 NtClose (116, ... ) == 0x0 00704 532 NtProtectVirtualMemory (112, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00705 532 NtWriteVirtualMemory (112, 0x77f7e603, "\350q-\2\10", 5, ... 0x0, ) == 0x0 00706 532 NtProtectVirtualMemory (112, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00707 532 NtWriteVirtualMemory (112, 0x77f7e6a3, "\350\36-\2\10", 5, ... 0x0, ) == 0x0 00708 532 NtProtectVirtualMemory (112, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00709 532 NtWriteVirtualMemory (112, 0x77f7e6b3, "\350\33-\2\10", 5, ... 0x0, ) == 0x0 00710 532 NtClose (112, ... ) == 0x0 00711 532 NtMapViewOfSection (72, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x890000), {0, 0}, 12288, ) == 0x0 00712 532 NtUnmapViewOfSection (-1, 0x890000, ... ) == 0x0 00713 532 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1796, 0}, ... 112, ) == 0x0 00714 532 NtOpenSection (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 116, ) == 0x0 00715 532 NtMapViewOfSection (116, 112, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0 00716 532 NtClose (116, ... ) == 0x0 00717 532 NtProtectVirtualMemory (112, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00718 532 NtWriteVirtualMemory (112, 0x77f7e603, "\350q-\2\10", 5, ... 0x0, ) == 0x0 00719 532 NtProtectVirtualMemory (112, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00720 532 NtWriteVirtualMemory (112, 0x77f7e6a3, "\350\36-\2\10", 5, ... 0x0, ) == 0x0 00721 532 NtProtectVirtualMemory (112, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00722 532 NtWriteVirtualMemory (112, 0x77f7e6b3, "\350\33-\2\10", 5, ... 0x0, ) == 0x0 00723 532 NtClose (112, ... 
) == 0x0 00724 532 NtMapViewOfSection (72, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x890000), {0, 0}, 12288, ) == 0x0 00725 532 NtUnmapViewOfSection (-1, 0x890000, ... ) == 0x0 00726 532 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1856, 0}, ... 112, ) == 0x0 00727 532 NtOpenSection (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 116, ) == 0x0 00728 532 NtMapViewOfSection (116, 112, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0 00729 532 NtClose (116, ... ) == 0x0 00730 532 NtProtectVirtualMemory (112, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00731 532 NtWriteVirtualMemory (112, 0x77f7e603, "\350q-\2\10", 5, ... 0x0, ) == 0x0 00732 532 NtProtectVirtualMemory (112, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00733 532 NtWriteVirtualMemory (112, 0x77f7e6a3, "\350\36-\2\10", 5, ... 0x0, ) == 0x0 00734 532 NtProtectVirtualMemory (112, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00735 532 NtWriteVirtualMemory (112, 0x77f7e6b3, "\350\33-\2\10", 5, ... 0x0, ) == 0x0 00736 532 NtClose (112, ... ) == 0x0 00737 532 NtMapViewOfSection (72, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x890000), {0, 0}, 12288, ) == 0x0 00738 532 NtUnmapViewOfSection (-1, 0x890000, ... ) == 0x0 00739 532 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1992, 0}, ... 112, ) == 0x0 00740 532 NtOpenSection (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 116, ) == 0x0 00741 532 NtMapViewOfSection (116, 112, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0 00742 532 NtClose (116, ... ) == 0x0 00743 532 NtProtectVirtualMemory (112, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00744 532 NtWriteVirtualMemory (112, 0x77f7e603, "\350q-\2\10", 5, ... 
0x0, ) == 0x0 00745 532 NtProtectVirtualMemory (112, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00746 532 NtWriteVirtualMemory (112, 0x77f7e6a3, "\350\36-\2\10", 5, ... 0x0, ) == 0x0 00747 532 NtProtectVirtualMemory (112, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00748 532 NtWriteVirtualMemory (112, 0x77f7e6b3, "\350\33-\2\10", 5, ... 0x0, ) == 0x0 00749 532 NtClose (112, ... ) == 0x0 00750 532 NtMapViewOfSection (72, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x890000), {0, 0}, 12288, ) == 0x0 00751 532 NtUnmapViewOfSection (-1, 0x890000, ... ) == 0x0 00752 532 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {2000, 0}, ... 112, ) == 0x0 00753 532 NtOpenSection (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 116, ) == 0x0 00754 532 NtMapViewOfSection (116, 112, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0 00755 532 NtClose (116, ... ) == 0x0 00756 532 NtProtectVirtualMemory (112, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00757 532 NtWriteVirtualMemory (112, 0x77f7e603, "\350q-\2\10", 5, ... 0x0, ) == 0x0 00758 532 NtProtectVirtualMemory (112, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00759 532 NtWriteVirtualMemory (112, 0x77f7e6a3, "\350\36-\2\10", 5, ... 0x0, ) == 0x0 00760 532 NtProtectVirtualMemory (112, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00761 532 NtWriteVirtualMemory (112, 0x77f7e6b3, "\350\33-\2\10", 5, ... 0x0, ) == 0x0 00762 532 NtClose (112, ... ) == 0x0 00763 532 NtMapViewOfSection (72, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x890000), {0, 0}, 12288, ) == 0x0 00764 532 NtUnmapViewOfSection (-1, 0x890000, ... ) == 0x0 00765 532 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {2008, 0}, ... 
112, ) == 0x0 00766 532 NtOpenSection (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 116, ) == 0x0 00767 532 NtMapViewOfSection (116, 112, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0 00768 532 NtClose (116, ... ) == 0x0 00769 532 NtProtectVirtualMemory (112, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00770 532 NtWriteVirtualMemory (112, 0x77f7e603, "\350q-\2\10", 5, ... 0x0, ) == 0x0 00771 532 NtProtectVirtualMemory (112, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00772 532 NtWriteVirtualMemory (112, 0x77f7e6a3, "\350\36-\2\10", 5, ... 0x0, ) == 0x0 00773 532 NtProtectVirtualMemory (112, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00774 532 NtWriteVirtualMemory (112, 0x77f7e6b3, "\350\33-\2\10", 5, ... 0x0, ) == 0x0 00775 532 NtClose (112, ... ) == 0x0 00776 532 NtMapViewOfSection (72, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x890000), {0, 0}, 12288, ) == 0x0 00777 532 NtUnmapViewOfSection (-1, 0x890000, ... ) == 0x0 00778 532 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {2020, 0}, ... 112, ) == 0x0 00779 532 NtOpenSection (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 116, ) == 0x0 00780 532 NtMapViewOfSection (116, 112, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0 00781 532 NtClose (116, ... ) == 0x0 00782 532 NtProtectVirtualMemory (112, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00783 532 NtWriteVirtualMemory (112, 0x77f7e603, "\350q-\2\10", 5, ... 0x0, ) == 0x0 00784 532 NtProtectVirtualMemory (112, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00785 532 NtWriteVirtualMemory (112, 0x77f7e6a3, "\350\36-\2\10", 5, ... 
0x0, ) == 0x0 00786 532 NtProtectVirtualMemory (112, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00787 532 NtWriteVirtualMemory (112, 0x77f7e6b3, "\350\33-\2\10", 5, ... 0x0, ) == 0x0 00788 532 NtClose (112, ... ) == 0x0 00789 532 NtMapViewOfSection (72, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x890000), {0, 0}, 12288, ) == 0x0 00790 532 NtUnmapViewOfSection (-1, 0x890000, ... ) == 0x0 00791 532 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {212, 0}, ... 112, ) == 0x0 00792 532 NtOpenSection (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 116, ) == 0x0 00793 532 NtMapViewOfSection (116, 112, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0 00794 532 NtClose (116, ... ) == 0x0 00795 532 NtProtectVirtualMemory (112, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00796 532 NtWriteVirtualMemory (112, 0x77f7e603, "\350q-\2\10", 5, ... 0x0, ) == 0x0 00797 532 NtProtectVirtualMemory (112, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00798 532 NtWriteVirtualMemory (112, 0x77f7e6a3, "\350\36-\2\10", 5, ... 0x0, ) == 0x0 00799 532 NtProtectVirtualMemory (112, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00800 532 NtWriteVirtualMemory (112, 0x77f7e6b3, "\350\33-\2\10", 5, ... 0x0, ) == 0x0 00801 532 NtClose (112, ... ) == 0x0 00802 532 NtMapViewOfSection (72, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x890000), {0, 0}, 12288, ) == 0x0 00803 532 NtUnmapViewOfSection (-1, 0x890000, ... ) == 0x0 00804 532 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {380, 0}, ... 112, ) == 0x0 00805 532 NtOpenSection (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 116, ) == 0x0 00806 532 NtMapViewOfSection (116, 112, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... 
(0x7ffa0000), 0x0, 24576, ) == 0x0 00807 532 NtClose (116, ... ) == 0x0 00808 532 NtProtectVirtualMemory (112, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00809 532 NtWriteVirtualMemory (112, 0x77f7e603, "\350q-\2\10", 5, ... 0x0, ) == 0x0 00810 532 NtProtectVirtualMemory (112, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00811 532 NtWriteVirtualMemory (112, 0x77f7e6a3, "\350\36-\2\10", 5, ... 0x0, ) == 0x0 00812 532 NtProtectVirtualMemory (112, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00813 532 NtWriteVirtualMemory (112, 0x77f7e6b3, "\350\33-\2\10", 5, ... 0x0, ) == 0x0 00814 532 NtClose (112, ... ) == 0x0 00815 532 NtMapViewOfSection (72, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x890000), {0, 0}, 12288, ) == 0x0 00816 532 NtUnmapViewOfSection (-1, 0x890000, ... ) == 0x0 00817 532 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {520, 0}, ... 112, ) == 0x0 00818 532 NtOpenSection (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 116, ) == 0x0 00819 532 NtMapViewOfSection (116, 112, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0 00820 532 NtClose (116, ... ) == 0x0 00821 532 NtProtectVirtualMemory (112, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00822 532 NtWriteVirtualMemory (112, 0x77f7e603, "\350q-\2\10", 5, ... 0x0, ) == 0x0 00823 532 NtProtectVirtualMemory (112, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00824 532 NtWriteVirtualMemory (112, 0x77f7e6a3, "\350\36-\2\10", 5, ... 0x0, ) == 0x0 00825 532 NtProtectVirtualMemory (112, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00826 532 NtWriteVirtualMemory (112, 0x77f7e6b3, "\350\33-\2\10", 5, ... 0x0, ) == 0x0 00827 532 NtClose (112, ... 
) == 0x0 00828 532 NtMapViewOfSection (72, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x890000), {0, 0}, 12288, ) == 0x0 00829 532 NtUnmapViewOfSection (-1, 0x890000, ... ) == 0x0 00830 532 NtClose (72, ... ) == 0x0 00831 532 NtClose (56, ... ) == 0x0 00832 532 NtAllocateVirtualMemory (-1, 1339392, 0, 122880, 4096, 4, ... 1339392, 122880, ) == 0x0 00833 532 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\U:\WORK\PACKED.EXE"}, 1244212, ... ) }, 1244212, ... ) == 0x0 00834 532 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\U:\WORK\PACKED.EXE"}, 7, 2113568, ... 56, {status=0x0, info=1}, ) }, 7, 2113568, ... 56, {status=0x0, info=1}, ) == 0x0 00835 532 NtSetInformationFile (56, 1244188, 40, Basic, ... ) == STATUS_ACCESS_DENIED 00836 532 NtClose (56, ... ) == 0x0 00837 532 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1244456, (0x80100080, {24, 0, 0x40, 0, 1244456, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 96, 0, 0, ... 56, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 96, 0, 0, ... 56, {status=0x0, info=1}, ) == 0x0 00838 532 NtSetInformationFile (56, 1244548, 8, Position, ... {status=0x0, info=0}, ) == 0x0 00839 532 NtReadFile (56, 0, 0, 0, 64, 0x0, 0, ... {status=0x0, info=64}, (56, 0, 0, 0, 64, 0x0, 0, ... {status=0x0, info=64}, "MZP\0\2\0\0\0\4\0\17\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\32\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0", ) , ) == 0x0 00840 532 NtSetInformationFile (56, 1244548, 8, Position, ... {status=0x0, info=0}, ) == 0x0 00841 532 NtReadFile (56, 0, 0, 0, 248, 0x0, 0, ... {status=0x0, info=248}, (56, 0, 0, 0, 248, 0x0, 0, ... 
{status=0x0, info=248}, "PE\0\0L\1\10\0\31^B*\0\0\0\0\0\0\0\0\340\0\216\201\13\1\2\31\0:\0\0\0\362\1\0\0\0\0\0\0\224\2\0\0\20\0\0\0P\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\0\3\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0@\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0p\0\0\352\5\0\0\0\260\0\0<\342\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\240\0\0\364\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\220\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 00842 532 NtQueryInformationFile (56, 1244548, 8, Position, ... {status=0x0, info=8}, ) == 0x0 00843 532 NtSetInformationFile (56, 1244548, 8, Position, ... {status=0x0, info=0}, ) == 0x0 00844 532 NtReadFile (56, 0, 0, 0, 40, 0x0, 0, ... {status=0x0, info=40}, (56, 0, 0, 0, 40, 0x0, 0, ... {status=0x0, info=40}, ".rsrc\0\0\0\0D\2\0\0\260\0\0\0\372\1\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\0\0\360", ) , ) == 0x0 00845 532 NtQueryInformationFile (56, 1244508, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00846 532 NtClose (56, ... ) == 0x0 00847 532 NtAllocateVirtualMemory (-1, 1462272, 0, 122880, 4096, 4, ... 1462272, 122880, ) == 0x0 00848 532 NtFreeVirtualMemory (-1, (0x147000), 118784, 16384, ... (0x147000), 118784, ) == 0x0 00849 532 NtAllocateVirtualMemory (-1, 1585152, 0, 122880, 4096, 4, ... 1585152, 122880, ) == 0x0 00850 532 NtQueryInformationJobObject (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED 00851 532 NtOpenFile (0x1000a1, {24, 0, 0x40, 0, 0, (0x1000a1, {24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 5, 96, ... 56, {status=0x0, info=1}, ) }, 5, 96, ... 56, {status=0x0, info=1}, ) == 0x0 00852 532 NtCreateSection (0xf001f, 0x0, 0x0, 16, 16777216, 56, ... 72, ) == 0x0 00853 532 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00854 532 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 112, ) == 0x0 00855 532 NtQueryValueKey (112, "DisableAppCompat", Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00856 532 NtClose (112, ... ) == 0x0 00857 532 NtQueryVolumeInformationFile (56, 1240988, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00858 532 NtOpenMutant (0x120001, {24, 52, 0x0, 0, 0, "ShimCacheMutex"}, ... 112, ) == 0x0 00859 532 NtWaitForSingleObject (112, 0, {-1000000, -1}, ... ) == 0x0 00860 532 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, "ShimSharedMemory"}, ... 116, ) == 0x0 00861 532 NtMapViewOfSection (116, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x890000), {0, 0}, 57344, ) == 0x0 00862 532 NtQueryInformationFile (56, 1240952, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 00863 532 NtQueryInformationFile (56, 1240992, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00864 532 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00865 532 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 120, ) == 0x0 00866 532 NtQueryInformationToken (120, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00867 532 NtClose (120, ... ) == 0x0 00868 532 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00869 532 NtReleaseMutant (112, ... 0x0, ) == 0x0 00870 532 NtQuerySection (72, Image, 48, ... 
{section info, class 1, size 48}, 0x0, ) == 0x0 00871 532 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00872 532 NtOpenThreadToken (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN 00873 532 NtOpenProcessToken (-1, 0xa, ... 120, ) == 0x0 00874 532 NtQueryInformationToken (120, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0 00875 532 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00876 532 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 124, ) }, ... 124, ) == 0x0 00877 532 NtQueryValueKey (124, (124, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (124, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00878 532 NtQueryValueKey (124, (124, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (124, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00879 532 NtClose (124, ... ) == 0x0 00880 532 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 124, ) }, ... 124, ) == 0x0 00881 532 NtQueryValueKey (124, (124, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL 00882 532 NtQueryValueKey (124, (124, "ExecutableTypes", Partial, 260, ... 
TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (124, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0 00883 532 NtClose (124, ... ) == 0x0 00884 532 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\LevelObjects"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00885 532 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 124, ) }, ... 124, ) == 0x0 00886 532 NtQueryValueKey (124, (124, "Levels", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00887 532 NtClose (124, ... ) == 0x0 00888 532 NtQueryDefaultLocale (1, 1240360, ... ) == 0x0 00889 532 NtQueryDefaultLocale (1, 1240360, ... ) == 0x0 00890 532 NtQueryDefaultLocale (1, 1240360, ... ) == 0x0 00891 532 NtQueryDefaultLocale (1, 1240360, ... ) == 0x0 00892 532 NtQueryDefaultLocale (1, 1240360, ... ) == 0x0 00893 532 NtQueryDefaultLocale (1, 1240360, ... ) == 0x0 00894 532 NtQueryDefaultLocale (1, 1240360, ... 
) == 0x0 00895 532 NtQueryDefaultLocale (1, 1240360, ... ) == 0x0 00896 532 NtQueryDefaultLocale (1, 1240360, ... ) == 0x0 00897 532 NtQueryDefaultLocale (1, 1240360, ... ) == 0x0 00898 532 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... 124, ) }, ... 124, ) == 0x0 00899 532 NtEnumerateKey (124, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name= (124, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name="{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, 92, ) }, 92, ) == 0x0 00900 532 NtOpenKey (0x20019, {24, 124, 0x40, 0, 0, (0x20019, {24, 124, 0x40, 0, 0, "{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, ... 128, ) }, ... 128, ) == 0x0 00901 532 NtQueryValueKey (128, (128, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) , Partial, 280, ... TitleIdx=0, Type=2, Data= (128, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) }, 202, ) == 0x0 00902 532 NtQueryValueKey (128, (128, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (128, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00903 532 NtClose (128, ... ) == 0x0 00904 532 NtEnumerateKey (124, 1, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES 00905 532 NtClose (124, ... 
) == 0x0
00906 532 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
00907 532 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
00908 532 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
00909 532 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
00910 532 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
00911 532 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
00912 532 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
00913 532 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
00914 532 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ...
) == STATUS_OBJECT_NAME_NOT_FOUND
00915 532 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
00916 532 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
00917 532 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
00918 532 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
00919 532 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
00920 532 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
00921 532 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 124, ) == 0x0
00922 532 NtQueryInformationToken (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
00923 532 NtClose (124, ... ) == 0x0
00924 532 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
00925 532 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
00926 532 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 124, ) == 0x0
00927 532 NtQueryInformationToken (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
00928 532 NtClose (124, ...
) == 0x0
00929 532 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
00930 532 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
00931 532 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 124, ) == 0x0
00932 532 NtQueryInformationToken (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
00933 532 NtClose (124, ... ) == 0x0
00934 532 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
00935 532 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
00936 532 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 124, ) == 0x0
00937 532 NtQueryInformationToken (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
00938 532 NtClose (124, ... ) == 0x0
00939 532 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
00940 532 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
00941 532 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 124, ) == 0x0
00942 532 NtQueryInformationToken (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
00943 532 NtClose (124, ... ) == 0x0
00944 532 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
00945 532 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ...
) == STATUS_NO_TOKEN
00946 532 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 124, ) == 0x0
00947 532 NtQueryInformationToken (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
00948 532 NtClose (124, ... ) == 0x0
00949 532 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
00950 532 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
00951 532 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 124, ) == 0x0
00952 532 NtQueryInformationToken (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
00953 532 NtClose (124, ... ) == 0x0
00954 532 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
00955 532 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
00956 532 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 124, ) == 0x0
00957 532 NtQueryInformationToken (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
00958 532 NtClose (124, ... ) == 0x0
00959 532 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
00960 532 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
00961 532 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 124, ) == 0x0
00962 532 NtQueryInformationToken (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
00963 532 NtClose (124, ...
) == 0x0
00964 532 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
00965 532 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
00966 532 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 124, ) == 0x0
00967 532 NtQueryInformationToken (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
00968 532 NtClose (124, ... ) == 0x0
00969 532 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
00970 532 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
00971 532 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 124, ) == 0x0
00972 532 NtQueryInformationToken (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
00973 532 NtClose (124, ... ) == 0x0
00974 532 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
00975 532 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
00976 532 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 124, ) == 0x0
00977 532 NtQueryInformationToken (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
00978 532 NtClose (124, ... ) == 0x0
00979 532 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
00980 532 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ...
) == STATUS_NO_TOKEN 00981 532 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 124, ) == 0x0 00982 532 NtQueryInformationToken (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00983 532 NtClose (124, ... ) == 0x0 00984 532 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00985 532 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00986 532 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 124, ) == 0x0 00987 532 NtQueryInformationToken (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00988 532 NtClose (124, ... ) == 0x0 00989 532 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00990 532 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00991 532 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 124, ) == 0x0 00992 532 NtQueryInformationToken (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00993 532 NtClose (124, ... ) == 0x0 00994 532 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00995 532 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 124, ) }, ... 124, ) == 0x0 00996 532 NtQueryValueKey (124, (124, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (124, "DefaultLevel", Full, 524, ... 
TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Data= (124, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) }, 48, ) == 0x0 00997 532 NtClose (124, ... ) == 0x0 00998 532 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00999 532 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 124, ) == 0x0 01000 532 NtQueryInformationToken (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01001 532 NtClose (124, ... ) == 0x0 01002 532 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01003 532 NtOpenThreadToken (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN 01004 532 NtOpenProcessToken (-1, 0xa, ... 124, ) == 0x0 01005 532 NtDuplicateToken (124, 0xc, {24, 0, 0x0, 0, 1240880, 0x0}, 0, 2, ... 128, ) == 0x0 01006 532 NtClose (124, ... ) == 0x0 01007 532 NtAccessCheck (1701888, 128, 0x1, 1241008, 1240952, 56, 1241036, ... (0x1), ) == 0x0 01008 532 NtClose (128, ... ) == 0x0 01009 532 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 128, ) }, ... 128, ) == 0x0 01010 532 NtQueryValueKey (128, (128, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (128, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01011 532 NtClose (128, ... ) == 0x0 01012 532 NtOpenSymbolicLinkObject (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\??\U:"}, ... 128, ) }, ... 128, ) == 0x0 01013 532 NtQuerySymbolicLinkObject (128, ... (128, ... "\Device\WinDfs\U:00000000000091f3", 66, ) , 66, ) == 0x0 01014 532 NtClose (128, ... ) == 0x0 01015 532 NtQueryInformationFile (56, 1239340, 528, Name, ... 
{status=0x0, info=72}, ) == 0x0 01016 532 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01017 532 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01018 532 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\UNC\missouri\binaries\work\packed.exe"}, 1238020, ... ) }, 1238020, ... ) == 0x0 01019 532 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\UNC\missouri\binaries\"}, 3, 16417, ... 128, {status=0x0, info=1}, ) }, 3, 16417, ... 128, {status=0x0, info=1}, ) == 0x0 01020 532 NtQueryDirectoryFile (128, 0, 0, 0, 1237380, 616, BothDirectory, 1, (128, 0, 0, 0, 1237380, 616, BothDirectory, 1, "work", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0 01021 532 NtClose (128, ... ) == 0x0 01022 532 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\UNC\missouri\binaries\work\"}, 3, 16417, ... 128, {status=0x0, info=1}, ) }, 3, 16417, ... 128, {status=0x0, info=1}, ) == 0x0 01023 532 NtQueryDirectoryFile (128, 0, 0, 0, 1237380, 616, BothDirectory, 1, (128, 0, 0, 0, 1237380, 616, BothDirectory, 1, "packed.exe", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0 01024 532 NtClose (128, ... ) == 0x0 01025 532 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01026 532 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01027 532 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01028 532 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 128, ) == 0x0 01029 532 NtQueryInformationToken (128, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01030 532 NtClose (128, ... 
) == 0x0 01031 532 NtOpenKey (0x20019, {24, 0, 0x640, 0, 0, (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 128, ) }, ... 128, ) == 0x0 01032 532 NtOpenKey (0x20019, {24, 128, 0x40, 0, 0, (0x20019, {24, 128, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 124, ) }, ... 124, ) == 0x0 01033 532 NtClose (128, ... ) == 0x0 01034 532 NtQueryValueKey (124, (124, "Cache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01035 532 NtQueryValueKey (124, (124, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=1, Data= (124, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) }, 162, ) == 0x0 01036 532 NtClose (124, ... ) == 0x0 01037 532 NtAllocateVirtualMemory (-1, 0, 0, 4096, 8192, 4, ... 9043968, 4096, ) == 0x0 01038 532 NtAllocateVirtualMemory (-1, 9043968, 0, 4096, 4096, 4, ... 9043968, 4096, ) == 0x0 01039 532 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 124, ) }, ... 124, ) == 0x0 01040 532 NtQueryValueKey (124, (124, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01041 532 NtClose (124, ... ) == 0x0 01042 532 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01043 532 NtQueryInformationToken (120, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0 01044 532 NtQueryInformationToken (120, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0 01045 532 NtClose (120, ... ) == 0x0 01046 532 NtCreateProcessEx (1243616, 2035711, 0, -1, 0, 72, 0, 0, 0, ... ) == 0x0 01047 532 NtOpenSection (0x6, {24, 52, 0x0, 0, 0, (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 124, ) }, ... 124, ) == 0x0 01048 532 NtMapViewOfSection (124, 120, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0 01049 532 NtClose (124, ... ) == 0x0 01050 532 NtProtectVirtualMemory (120, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 01051 532 NtWriteVirtualMemory (120, 0x77f7e603, (120, 0x77f7e603, "\350q-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 01052 532 NtProtectVirtualMemory (120, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 01053 532 NtWriteVirtualMemory (120, 0x77f7e6a3, (120, 0x77f7e6a3, "\350\36-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 01054 532 NtProtectVirtualMemory (120, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 01055 532 NtWriteVirtualMemory (120, 0x77f7e6b3, (120, 0x77f7e6b3, "\350\33-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 01056 532 NtQueryInformationProcess (120, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=924,ParentPid=520,}, 0x0, ) == 0x0 01057 532 NtReadVirtualMemory (120, 0x7ffdf008, 4, ... (120, 0x7ffdf008, 4, ... "\0\0@\0", 0x0, ) , 0x0, ) == 0x0 01058 532 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01059 532 NtReadVirtualMemory (120, 0x400000, 4096, ... (120, 0x400000, 4096, ... 
"MZP\0\2\0\0\0\4\0\17\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\32\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\272\20\0\16\37\264\11\315!\270\1L\315!\220\220This program must be run under Win32\15\12$7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\10\0\31^B*\0\0\0\0\0\0\0\0\340\0\216\201\13\1\2\31\0:\0\0\0\362\1\0\0\0\0\0\0\224\2\0\0\20\0\0\0P\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\0\3\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0@\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0p\0\0\352\5\0\0\0\260\0\0<\342\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\240\0\0\364\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\220\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 4096, ) , 4096, ) == 0x0 01060 532 NtReadVirtualMemory (120, 0x40b000, 256, ... (120, 0x40b000, 256, ... "\0\0\0\0\0\0\0\0\4\0\0\0\0\0\3\0\3\0\0\0(\0\0\200\12\0\0\0H\0\0\200\16\0\0\0x\0\0\200\0\0\0\0\0\0\0\0\4\0\0\0\0\0\2\0\1\0\0\0\220\0\0\200\2\0\0\0\250\0\0\200\0\0\0\0\0\0\0\0\4\0\0\0\4\0\0\0\250\1\0\200\300\0\0\200\266\1\0\200\330\0\0\200\304\1\0\200\360\0\0\200\334\1\0\200\10\1\0\200\0\0\0\0\0\0\0\0\4\0\0\0\1\0\0\0\344\1\0\200 \1\0\200\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\35\4\0\08\1\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\35\4\0\0H\1\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\0\0\0\0X\1\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\0\0\0\0h\1\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0", 256, ) , 256, ) == 0x0 01061 532 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01062 532 NtQueryInformationProcess (120, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=924,ParentPid=520,}, 0x0, ) == 0x0 01063 532 NtAllocateVirtualMemory (-1, 0, 0, 1568, 4096, 4, ... 
9109504, 4096, ) == 0x0 01064 532 NtAllocateVirtualMemory (120, 0, 0, 1910, 4096, 4, ... 65536, 4096, ) == 0x0 01065 532 NtWriteVirtualMemory (120, 0x10000, (120, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0 01066 532 NtAllocateVirtualMemory (120, 0, 0, 1568, 4096, 4, ... 
131072, 4096, ) == 0x0 01067 532 NtWriteVirtualMemory (120, 0x20000, (120, 0x20000, "\0\20\0\0 \6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\0\0\0\0\0\13\0\0\0$\0\10\2\220\2\0\0\0\0\0\0\344\0\346\0\230\4\0\0$\0&\0\200\5\0\0(\0*\0\250\5\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\324\5\0\0\36\0 \0\374\5\0\0\0\0\2\0\34\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1568, ... 0x0, ) , 1568, ... 0x0, ) == 0x0 01068 532 NtWriteVirtualMemory (120, 0x7ffdf010, (120, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0 01069 532 NtWriteVirtualMemory (120, 0x7ffdf1e8, (120, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0 01070 532 NtFreeVirtualMemory (-1, (0x8b0000), 0, 32768, ... (0x8b0000), 4096, ) == 0x0 01071 532 NtAllocateVirtualMemory (120, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0 01072 532 NtAllocateVirtualMemory (120, 1224704, 0, 20480, 4096, 4, ... 1224704, 20480, ) == 0x0 01073 532 NtProtectVirtualMemory (120, (0x12b000), 4096, 260, ... (0x12b000), 4096, 4, ) == 0x0 01074 532 NtCreateThread (0x1f03ff, 0x0, 120, 1241880, 1242600, 1, ... 
124, {924, 928}, ) == 0x0 01075 532 NtRequestWaitReplyPort (24, {168, 196, new_msg, 0, 1312680, 1310720, 1328296, 1243700} (24, {168, 196, new_msg, 0, 1312680, 1310720, 1328296, 1243700} "\0\0\0\0\0\0\1\0\2$\370w U\367w{\0\0\0|\0\0\0\234\3\0\0\240\3\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 520, 532, 1577, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367wx\0\0\0|\0\0\0\234\3\0\0\240\3\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {168, 196, reply, 0, 520, 532, 1577, 0} (24, {168, 196, new_msg, 0, 1312680, 1310720, 1328296, 1243700} "\0\0\0\0\0\0\1\0\2$\370w U\367w{\0\0\0|\0\0\0\234\3\0\0\240\3\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 520, 532, 1577, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367wx\0\0\0|\0\0\0\234\3\0\0\240\3\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 01076 532 NtClose (56, ... ) == 0x0 01077 532 NtClose (72, ... ) == 0x0 01078 532 NtGetContextThread (124, 1244644, ... ) == 0x0 01079 532 NtReadVirtualMemory (120, 0x7ffdf008, 4, ... (120, 0x7ffdf008, 4, ... 
"\0\0@\0", 4, ) , 4, ) == 0x0 01080 532 NtUnmapViewOfSection (120, 0x400000, ... ) == 0x0 01081 532 NtAllocateVirtualMemory (120, 4194304, 0, 131072, 12288, 4, ... 4194304, 131072, ) == 0x0 01082 532 NtProtectVirtualMemory (120, (0x400000), 1024, 64, ... (0x400000), 4096, 4, ) == 0x0 01083 532 NtProtectVirtualMemory (120, (0x400000), 4096, 4, ... (0x400000), 4096, 64, ) == 0x0 01084 532 NtWriteVirtualMemory (120, 0x400000, (120, 0x400000, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\343^ \16\247?N]\247?N]\247?N]\371\35E]\245?N]\334#B]\244?N]$7\23]\253?N]$#@]\241?N]\310 J]\244?N]\310 E]\246?N]\247?O]\2?N]\221\31X]\230?N]Rich\247?N]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0\31\212PF\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0`\1\0\0\202\0\0\0\0\0\0\361g\1\0\0\20\0\0\0p\1\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\0\2\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\310s\1\0\240\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0p\1\0p\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\347_\1\0", 1024, ... 1024, ) , 1024, ... 1024, ) == 0x0 01085 532 NtFlushInstructionCache (120, 4194304, 1024, ... ) == 0x0 01086 532 NtProtectVirtualMemory (120, (0x401000), 90112, 64, ... (0x401000), 90112, 4, ) == 0x0 01087 532 NtProtectVirtualMemory (120, (0x401000), 90112, 4, ... 
(0x401000), 90112, 64, ) == 0x0 01088 532 NtWriteVirtualMemory (120, 0x401000, (120, 0x401000, "U\213\354\201\354h\2\0\0\203e\370\0\203e\374\0\353\7\213E\374@\211E\374\213E\374\203<\205\0\200A\0\0\17\204\26\1\0\0\213E\374\3774\205\0\200A\0\215\205\240\375\377\377P\350\371Z\1\0YY\215\205\240\375\377\377P\350\254\365\0\0Y\215\205\360\376\377\377Pj\3j\0\215\205\240\375\377\377P\377u\10\377\25\10pA\0\203\245\340\375\377\377\0\353\15\213\205\340\375\377\377@\211\205\340\375\377\377\307\205\344\375\377\377\4\1\0\0\307\205\334\375\377\377\4\1\0\0\215\205\334\375\377\377P\215\205\364\376\377\377P\215\205\354\376\377\377Pj\0\215\205\344\375\377\377P\215\205\350\375\377\377P\377\265\340\375\377\377\377\265\360\376\377\377\377\25\0pA\0\211\205\234\375\377\377\203\275\234\375\377\377\0t\2\353S\203\275\354\376\377\377\1uE\377u\14\377\265\334\375\377\377\215\205\364\376\377\377P\350\317i\0\0\203\304\14\211\205\230\375\377\377\203\275\230\375\377\377\0t\36\215\205\350\375\377\377P\377\265\360\376\377\377\377\25\4pA\0\205\300u\7\213E\370@\211E\370\351D\377\377\377\377\265\360\376\377\377\377\25(pA\0\351\322\376\377\377\213E\370\311\303U\213\354\201\354\14\1\0\0h\200\0\0\0\377u\10\377\25\250pA\0\205\300u\5\351\334\0\0\0\377u\10\377\25\254pA\0\377u\10h\1\0\0\200\350\204\376\377\377YY\211E\374\377u\10h\2\0\0\200\350r\376\377\377YY\213M\374\3\310\211M\374\203}\374\0\17\205\240\0\0\0h\4\1\0\0\377u\10\215\205\370\376\377\377P\350\240h\0\0\203\304\14\215\205\370\376\377\377P\350{Y\1\0Y\211\205\364\376\377\377\353\15\213\205\364\376\377\377H\211\205\364\376\377\377\203\275\364\376\377\377\0t8\213E\10\3\205\364\376\377\377\17\276@\377\203\370\", 90112, ... 90112, ) , 90112, ... 90112, ) == 0x0 01089 532 NtFlushInstructionCache (120, 4198400, 90112, ... ) == 0x0 01090 532 NtProtectVirtualMemory (120, (0x401000), 90087, 64, ... (0x401000), 90112, 4, ) == 0x0 01091 532 NtProtectVirtualMemory (120, (0x417000), 4096, 64, ... 
(0x417000), 4096, 4, ) == 0x0 01092 532 NtProtectVirtualMemory (120, (0x417000), 4096, 4, ... (0x417000), 4096, 64, ) == 0x0 01093 532 NtWriteVirtualMemory (120, 0x417000, (120, 0x417000, "\22}\1\0\0}\1\0"}\1\02}\1\0F}\1\0X}\1\0j}\1\0z}\1\0\220}\1\0\242}\1\0\362|\1\0\0\0\0\0\266z\1\0\244z\1\0\214z\1\0\200z\1\0hz\1\0Zz\1\0Lz\1\0>z\1\0(z\1\0\30z\1\0\6z\1\0\370y\1\0\354y\1\0\334y\1\0\320y\1\0\302y\1\0\264y\1\0\240y\1\0\306z\1\0|y\1\0ly\1\0Vy\1\0Jy\1\0 y\1\0\12y\1\0\374x\1\0\350x\1\0\340x\1\0\314x\1\0\276x\1\0\250x\1\0\232x\1\02~\1\0\312{\1\0\332{\1\0\354{\1\0\374{\1\0\332z\1\0\360z\1\0\6{\1\0\26{\1\0&{\1\0B{\1\0\{\1\0l{\1\0~{\1\04y\1\0\232{\1\0\216y\1\0`|\1\0P|\1\0D|\1\08|\1\0\36|\1\0\22|\1\0\262{\1\0\0\0\0\0\360}\1\0\370}\1\0\4~\1\0\32~\1\0bx\1\0Xx\1\0\330v\1\0Px\1\0Hx\1\0:x\1\00x\1\0&x\1\0\34x\1\0\22x\1\0\2x\1\0\362w\1\0\346w\1\0\324w\1\0\300w\1\0\270w\1\0\260w\1\0\250w\1\0\236w\1\0\224w\1\0\210w\1\0~w\1\0tw\1\0lw\1\0dw\1\0\w\1\0Tw\1\0Jw\1\0@w\1\08w\1\0.w\1\0$w\1\0\34w\1\0\22w\1\0\10w\1\0\376v\1\0\366v\1\0\354v\1\0\342v\1\0\344}\1\0\0\0\0\0\310\0\0\200\0\0\0\0\310}\1\0\0\0\0\0\234|\1\0\320|\1\0~|\1\0\212|\1\0\262|\1\0\300|\1\0\0\0\0\0", 4096, ... 
4096, ) }\1\02}\1\0F}\1\0X}\1\0j}\1\0z}\1\0\220}\1\0\242}\1\0\362|\1\0\0\0\0\0\266z\1\0\244z\1\0\214z\1\0\200z\1\0hz\1\0Zz\1\0Lz\1\0>z\1\0(z\1\0\30z\1\0\6z\1\0\370y\1\0\354y\1\0\334y\1\0\320y\1\0\302y\1\0\264y\1\0\240y\1\0\306z\1\0|y\1\0ly\1\0Vy\1\0Jy\1\0 y\1\0\12y\1\0\374x\1\0\350x\1\0\340x\1\0\314x\1\0\276x\1\0\250x\1\0\232x\1\02~\1\0\312{\1\0\332{\1\0\354{\1\0\374{\1\0\332z\1\0\360z\1\0\6{\1\0\26{\1\0&{\1\0B{\1\0\{\1\0l{\1\0~{\1\04y\1\0\232{\1\0\216y\1\0`|\1\0P|\1\0D|\1\08|\1\0\36|\1\0\22|\1\0\262{\1\0\0\0\0\0\360}\1\0\370}\1\0\4~\1\0\32~\1\0bx\1\0Xx\1\0\330v\1\0Px\1\0Hx\1\0:x\1\00x\1\0&x\1\0\34x\1\0\22x\1\0\2x\1\0\362w\1\0\346w\1\0\324w\1\0\300w\1\0\270w\1\0\260w\1\0\250w\1\0\236w\1\0\224w\1\0\210w\1\0~w\1\0tw\1\0lw\1\0dw\1\0\w\1\0Tw\1\0Jw\1\0@w\1\08w\1\0.w\1\0$w\1\0\34w\1\0\22w\1\0\10w\1\0\376v\1\0\366v\1\0\354v\1\0\342v\1\0\344}\1\0\0\0\0\0\310\0\0\200\0\0\0\0\310}\1\0\0\0\0\0\234|\1\0\320|\1\0~|\1\0\212|\1\0\262|\1\0\300|\1\0\0\0\0\0", 4096, ... 4096, ) == 0x0 01094 532 NtFlushInstructionCache (120, 4288512, 4096, ... ) == 0x0 01095 532 NtProtectVirtualMemory (120, (0x417000), 3660, 2, ... (0x417000), 4096, 4, ) == 0x0 01096 532 NtProtectVirtualMemory (120, (0x418000), 24576, 64, ... (0x418000), 24576, 4, ) == 0x0 01097 532 NtProtectVirtualMemory (120, (0x418000), 24576, 4, ... 
(0x418000), 24576, 64, ) == 0x0 01098 532 NtWriteVirtualMemory (120, 0x418000, (120, 0x418000, "\230\200A\0\\200A\0@\200A\0\24\200A\0\0\0\0\0\214\245\274\305\306\301\316\341\240\376\232\253\243\355\203\357\261\210\235\376\357\337\367\326\211\317\207\240\271\353\257\354\203\260\234\360\0\0\0\0\0\0\0\0\214\223\211\345\364\355\340\307\211\301\201\255\277\366\263\357\271\210\263\336\317\311\0\0\0\0\0\0\214\223\211\345\364\355\340\307\211\301\201\255\277\366\263\357\271\210\263\306\352\342\366\315\242\377\264\215\270\353\262\345\261\210\271\364\361\377\373\315\273\320\272\273\243\312\245\362\251\225\214\364\360\0\0\0\0\0\0\0\214\223\211\345\364\355\340\307\211\301\201\255\277\366\263\357\271\210\263\306\352\342\366\315\242\377\264\215\270\353\262\345\261\210\271\364\361\377\373\315\273\320\272\273\243\0\0\0\0\0\0\0\304\2%u\3\2 bot(s) found with string \304\2%s\3\2.\0No bots found with string \304\2%s\3\2.\0found string \304\2%s\3\2 in %s (\304\2%i\3\2)\0\0-\304\2%u\3\2- Listing bots with string \304\2%s\3\2:\0\0\0%s bots with string \304\2%s\3\2\0\0\0\0Killing\0Listing\0\3\3\0\0Cmd.exe process has terminated.\0Could not read data from process.\0\0\0cmd.exe\0", 24576, ... 24576, ) , 24576, ... 24576, ) == 0x0 01099 532 NtFlushInstructionCache (120, 4292608, 24576, ... ) == 0x0 01100 532 NtProtectVirtualMemory (120, (0x418000), 29096, 4, ... (0x418000), 32768, 4, ) == 0x0 01101 532 NtProtectVirtualMemory (120, (0x7ffdf008), 4, 64, ... (0x7ffdf000), 4096, 64, ) == 0x0 01102 532 NtProtectVirtualMemory (120, (0x7ffdf000), 4096, 64, ... (0x7ffdf000), 4096, 64, ) == 0x0 01103 532 NtWriteVirtualMemory (120, 0x7ffdf008, (120, 0x7ffdf008, "\0\0@\0", 4, ... 4, ) , 4, ... 4, ) == 0x0 01104 532 NtFlushInstructionCache (120, 2147348488, 4, ... ) == 0x0 01105 532 NtSetContextThread (124, 1244644, ... ) == 0x0 01106 532 NtResumeThread (124, ... 1, ) == 0x0 01107 532 NtDelayExecution (0, {-40000000, -1}, ... ) == 0x0 01108 532 NtFreeVirtualMemory (-1, (0x165000), 114688, 16384, ... 
(0x165000), 114688, ) == 0x0 01109 532 NtTerminateProcess (0, 0, ... ) == 0x0 01110 532 NtUserGetClassInfo (1999896576, 1244456, 1244408, 1244484, 0, ... ) == 0xc03b 01111 532 NtUserUnregisterClass (1244460, 1999896576, 1244448, ... ) == 0x1 01112 532 NtUserGetClassInfo (1999896576, 1244456, 1244408, 1244484, 0, ... ) == 0xc03d 01113 532 NtUserUnregisterClass (1244460, 1999896576, 1244448, ... ) == 0x1 01114 532 NtUserGetClassInfo (1999896576, 1244456, 1244408, 1244484, 0, ... ) == 0xc03f 01115 532 NtUserUnregisterClass (1244460, 1999896576, 1244448, ... ) == 0x1 01116 532 NtUserGetClassInfo (1999896576, 1244456, 1244408, 1244484, 0, ... ) == 0xc041 01117 532 NtUserUnregisterClass (1244460, 1999896576, 1244448, ... ) == 0x1 01118 532 NtUserGetClassInfo (1999896576, 1244456, 1244408, 1244484, 0, ... ) == 0xc043 01119 532 NtUserUnregisterClass (1244460, 1999896576, 1244448, ... ) == 0x1 01120 532 NtUserGetClassInfo (1999896576, 1244456, 1244408, 1244484, 0, ... ) == 0xc045 01121 532 NtUserUnregisterClass (1244460, 1999896576, 1244448, ... ) == 0x1 01122 532 NtUserGetClassInfo (1999896576, 1244456, 1244408, 1244484, 0, ... ) == 0xc047 01123 532 NtUserUnregisterClass (1244460, 1999896576, 1244448, ... ) == 0x1 01124 532 NtUserGetClassInfo (1999896576, 1244456, 1244408, 1244484, 0, ... ) == 0xc049 01125 532 NtUserUnregisterClass (1244460, 1999896576, 1244448, ... ) == 0x1 01126 532 NtUserGetClassInfo (1999896576, 1244456, 1244408, 1244484, 0, ... ) == 0xc04b 01127 532 NtUserUnregisterClass (1244460, 1999896576, 1244448, ... ) == 0x1 01128 532 NtUserGetClassInfo (1999896576, 1244456, 1244408, 1244484, 0, ... ) == 0xc04d 01129 532 NtUserUnregisterClass (1244460, 1999896576, 1244448, ... ) == 0x1 01130 532 NtUserGetClassInfo (1999896576, 1244456, 1244408, 1244484, 0, ... ) == 0xc04f 01131 532 NtUserUnregisterClass (1244460, 1999896576, 1244448, ... ) == 0x1 01132 532 NtUserGetClassInfo (1999896576, 1244456, 1244408, 1244484, 0, ... 
) == 0xc051 01133 532 NtUserUnregisterClass (1244460, 1999896576, 1244448, ... ) == 0x1 01134 532 NtUserGetClassInfo (1999896576, 1244456, 1244408, 1244484, 0, ... ) == 0xc053 01135 532 NtUserUnregisterClass (1244460, 1999896576, 1244448, ... ) == 0x1 01136 532 NtUserGetClassInfo (1999896576, 1244456, 1244408, 1244484, 0, ... ) == 0xc057 01137 532 NtUserUnregisterClass (1244460, 1999896576, 1244448, ... ) == 0x1 01138 532 NtUserGetClassInfo (1999896576, 1244456, 1244408, 1244484, 0, ... ) == 0xc059 01139 532 NtUserUnregisterClass (1244460, 1999896576, 1244448, ... ) == 0x1 01140 532 NtUserGetClassInfo (1999896576, 1244456, 1244408, 1244484, 0, ... ) == 0xc05b 01141 532 NtUserUnregisterClass (1244460, 1999896576, 1244448, ... ) == 0x1 01142 532 NtUserGetClassInfo (1999896576, 1244456, 1244408, 1244484, 0, ... ) == 0xc05d 01143 532 NtUserUnregisterClass (1244460, 1999896576, 1244448, ... ) == 0x1 01144 532 NtUserGetClassInfo (1999896576, 1244456, 1244408, 1244484, 0, ... ) == 0xc05f 01145 532 NtUserUnregisterClass (1244460, 1999896576, 1244448, ... ) == 0x1 01146 532 NtUserGetClassInfo (1905590272, 1244456, 1244408, 1244484, 0, ... ) == 0xc03b 01147 532 NtUserUnregisterClass (1244460, 1905590272, 1244448, ... ) == 0x1 01148 532 NtUserGetClassInfo (1905590272, 1244456, 1244408, 1244484, 0, ... ) == 0xc03d 01149 532 NtUserUnregisterClass (1244460, 1905590272, 1244448, ... ) == 0x1 01150 532 NtUserGetClassInfo (1905590272, 1244456, 1244408, 1244484, 0, ... ) == 0xc03f 01151 532 NtUserUnregisterClass (1244460, 1905590272, 1244448, ... ) == 0x1 01152 532 NtUserGetClassInfo (1905590272, 1244456, 1244408, 1244484, 0, ... ) == 0xc041 01153 532 NtUserUnregisterClass (1244460, 1905590272, 1244448, ... ) == 0x1 01154 532 NtUserGetClassInfo (1905590272, 1244456, 1244408, 1244484, 0, ... ) == 0xc043 01155 532 NtUserUnregisterClass (1244460, 1905590272, 1244448, ... ) == 0x1 01156 532 NtUserGetClassInfo (1905590272, 1244456, 1244408, 1244484, 0, ... 
) == 0xc045 01157 532 NtUserUnregisterClass (1244460, 1905590272, 1244448, ... ) == 0x1 01158 532 NtUserGetClassInfo (1905590272, 1244456, 1244408, 1244484, 0, ... ) == 0xc047 01159 532 NtUserUnregisterClass (1244460, 1905590272, 1244448, ... ) == 0x1 01160 532 NtUserGetClassInfo (1905590272, 1244456, 1244408, 1244484, 0, ... ) == 0xc049 01161 532 NtUserUnregisterClass (1244460, 1905590272, 1244448, ... ) == 0x1 01162 532 NtUserGetClassInfo (1905590272, 1244456, 1244408, 1244484, 0, ... ) == 0xc04b 01163 532 NtUserUnregisterClass (1244460, 1905590272, 1244448, ... ) == 0x1 01164 532 NtUserGetClassInfo (1905590272, 1244456, 1244408, 1244484, 0, ... ) == 0xc04d 01165 532 NtUserUnregisterClass (1244460, 1905590272, 1244448, ... ) == 0x1 01166 532 NtUserGetClassInfo (1905590272, 1244456, 1244408, 1244484, 0, ... ) == 0xc04f 01167 532 NtUserUnregisterClass (1244460, 1905590272, 1244448, ... ) == 0x1 01168 532 NtUserGetClassInfo (1905590272, 1244456, 1244408, 1244484, 0, ... ) == 0xc051 01169 532 NtUserUnregisterClass (1244460, 1905590272, 1244448, ... ) == 0x1 01170 532 NtUserGetClassInfo (1905590272, 1244456, 1244408, 1244484, 0, ... ) == 0xc053 01171 532 NtUserUnregisterClass (1244460, 1905590272, 1244448, ... ) == 0x1 01172 532 NtUserGetClassInfo (1905590272, 1244456, 1244408, 1244484, 0, ... ) == 0xc057 01173 532 NtUserUnregisterClass (1244460, 1905590272, 1244448, ... ) == 0x1 01174 532 NtUserGetClassInfo (1905590272, 1244456, 1244408, 1244484, 0, ... ) == 0xc059 01175 532 NtUserUnregisterClass (1244460, 1905590272, 1244448, ... ) == 0x1 01176 532 NtUserGetClassInfo (1905590272, 1244456, 1244408, 1244484, 0, ... ) == 0xc05b 01177 532 NtUserUnregisterClass (1244460, 1905590272, 1244448, ... ) == 0x1 01178 532 NtUserGetClassInfo (1905590272, 1244456, 1244408, 1244484, 0, ... ) == 0xc05d 01179 532 NtUserUnregisterClass (1244460, 1905590272, 1244448, ... ) == 0x1 01180 532 NtUserGetClassInfo (1905590272, 1244456, 1244408, 1244484, 0, ... 
) == 0xc05f 01181 532 NtUserUnregisterClass (1244460, 1905590272, 1244448, ... ) == 0x1 01182 532 NtUserGetClassInfo (1905590272, 1244456, 1244408, 1244484, 0, ... ) == 0xc017 01183 532 NtUserUnregisterClass (1244460, 1905590272, 1244448, ... ) == 0x1 01184 532 NtUserGetClassInfo (1905590272, 1244456, 1244408, 1244484, 0, ... ) == 0xc019 01185 532 NtUserUnregisterClass (1244460, 1905590272, 1244448, ... ) == 0x1 01186 532 NtUserGetClassInfo (1905590272, 1244456, 1244408, 1244484, 0, ... ) == 0xc018 01187 532 NtUserUnregisterClass (1244460, 1905590272, 1244448, ... ) == 0x1 01188 532 NtUserGetClassInfo (1905590272, 1244456, 1244408, 1244484, 0, ... ) == 0xc01a 01189 532 NtUserUnregisterClass (1244460, 1905590272, 1244448, ... ) == 0x1 01190 532 NtUserGetClassInfo (1905590272, 1244456, 1244408, 1244484, 0, ... ) == 0xc01c 01191 532 NtUserUnregisterClass (1244460, 1905590272, 1244448, ... ) == 0x1 01192 532 NtUserGetClassInfo (1905590272, 1244456, 1244408, 1244484, 0, ... ) == 0xc01e 01193 532 NtUserUnregisterClass (1244460, 1905590272, 1244448, ... ) == 0x1 01194 532 NtUserGetClassInfo (1905590272, 1244456, 1244408, 1244484, 0, ... ) == 0xc01b 01195 532 NtUserUnregisterClass (1244460, 1905590272, 1244448, ... ) == 0x1 01196 532 NtUserGetClassInfo (1905590272, 1244456, 1244408, 1244484, 0, ... ) == 0xc068 01197 532 NtUserUnregisterClass (1244460, 1905590272, 1244448, ... ) == 0x1 01198 532 NtUserGetClassInfo (1905590272, 1244456, 1244408, 1244484, 0, ... ) == 0xc06a 01199 532 NtUserUnregisterClass (1244460, 1905590272, 1244448, ... ) == 0x1 01200 532 NtUnmapViewOfSection (-1, 0x880000, ... ) == 0x0 01201 532 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x5,}, 4, ... ) == 0x0 01202 532 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x2,}, 4, ... ) == 0x0 01203 532 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x3,}, 4, ... ) == 0x0 01204 532 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x4,}, 4, ... 
) == 0x0 01205 532 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x1,}, 4, ... ) == 0x0 01206 532 NtFreeVirtualMemory (-1, (0x8a0000), 4096, 32768, ... (0x8a0000), 4096, ) == 0x0 01207 532 NtRequestWaitReplyPort (24, {20, 48, new_msg, 0, 1336024, 2012550769, 1312632, 2012550797} (24, {20, 48, new_msg, 0, 1336024, 2012550769, 1312632, 2012550797} "\0\0\0\0\3\0\1\0\340b\24\0\370d@\0\0\0\0\0" ... {20, 48, reply, 0, 520, 532, 8690, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\370d@\0\0\0\0\0" ) ... {20, 48, reply, 0, 520, 532, 8690, 0} (24, {20, 48, new_msg, 0, 1336024, 2012550769, 1312632, 2012550797} "\0\0\0\0\3\0\1\0\340b\24\0\370d@\0\0\0\0\0" ... {20, 48, reply, 0, 520, 532, 8690, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\370d@\0\0\0\0\0" ) ) == 0x0 01208 532 NtTerminateProcess (-1, 0, ... 01209 532 NtClose (44, ... ) == 0x0