Summary:


NtAddAtom(>)  1 
NtAccessCheck(>)  2 
NtUserGetObjectInformation(>)  3 
NtQueryDebugFilterState(>)  15 

NtConnectPort(>)  1 
NtCallbackReturn(>)  2 
NtUserOpenDesktop(>)  3 
NtQueryDefaultLocale(>)  15 

NtCreateProcessEx(>)  1 
NtCreateThread(>)  2 
NtCreateKey(>)  4 
NtRequestWaitReplyPort(>)  15 

NtDuplicateToken(>)  1 
NtEnumerateKey(>)  2 
NtCreateSemaphore(>)  4 
NtUnmapViewOfSection(>)  16 

NtEnumerateValueKey(>)  1 
NtGdiCreateBitmap(>)  2 
NtGdiCreateCompatibleDC(>)  4 
NtQueryInformationFile(>)  17 

NtFsControlFile(>)  1 
NtGdiCreatePatternBrushInternal(>)  2 
NtQueryVirtualMemory(>)  4 
NtQueryDirectoryFile(>)  19 

NtGdiBitBlt(>)  1 
NtGdiCreateSolidBrush(>)  2 
NtReleaseMutant(>)  4 
NtUserGetWindowDC(>)  19 

NtGdiCreateCompatibleBitmap(>)  1 
NtGdiDoPalette(>)  2 
NtSetEventBoostPriority(>)  4 
NtUserRegisterWindowMessage(>)  19 

NtGdiCreateDIBitmapInternal(>)  1 
NtGdiGetDIBitsInternal(>)  2 
NtUserFindWindowEx(>)  4 
NtUserCallOneParam(>)  23 

NtGdiInit(>)  1 
NtGdiStretchDIBitsInternal(>)  2 
NtWriteVirtualMemory(>)  4 
NtCreateSection(>)  24 

NtGdiQueryFontAssocInfo(>)  1 
NtOpenDirectoryObject(>)  2 
NtGdiGetStockObject(>)  5 
NtOpenProcessTokenEx(>)  27 

NtNotifyChangeKey(>)  1 
NtOpenEvent(>)  2 
NtOpenProcessToken(>)  5 
NtOpenThreadTokenEx(>)  27 

NtOpenKeyedEvent(>)  1 
NtOpenSymbolicLinkObject(>)  2 
NtUserGetProcessWindowStation(>)  5 
NtReadVirtualMemory(>)  28 

NtQueryInformationJobObject(>)  1 
NtQueryInstallUILanguage(>)  2 
NtQueryVolumeInformationFile(>)  6 
NtQuerySystemInformation(>)  30 

NtQueryInformationThread(>)  1 
NtQuerySymbolicLinkObject(>)  2 
NtWriteFile(>)  6 
NtOpenSection(>)  34 

NtQueryObject(>)  1 
NtRaiseException(>)  2 
NtFreeVirtualMemory(>)  7 
NtQueryInformationToken(>)  34 

NtQueryPerformanceCounter(>)  1 
NtRegisterThreadTerminatePort(>)  2 
NtOpenProcess(>)  7 
NtQueryValueKey(>)  41 

NtReleaseSemaphore(>)  1 
NtResumeThread(>)  2 
NtSetInformationProcess(>)  7 
NtOpenFile(>)  45 

NtSecureConnectPort(>)  1 
NtSetInformationFile(>)  2 
NtUserCallNoParam(>)  7 
NtUserUnregisterClass(>)  45 

NtSetEvent(>)  1 
NtTestAlert(>)  2 
NtCreateEvent(>)  8 
NtMapViewOfSection(>)  46 

NtSetSecurityObject(>)  1 
NtUserCloseDesktop(>)  2 
NtCreateFile(>)  8 
NtProtectVirtualMemory(>)  50 

NtSetValueKey(>)  1 
NtUserCreateWindowEx(>)  2 
NtGdiDeleteObjectApp(>)  8 
NtQueryAttributesFile(>)  50 

NtUserBuildNameList(>)  1 
NtUserGetThreadDesktop(>)  2 
NtQueryDefaultUILanguage(>)  8 
NtUserFindExistingCursorIcon(>)  51 

NtUserGetAncestor(>)  1 
NtUserMessageCall(>)  2 
NtUserBuildHwndList(>)  8 
NtUserRegisterClassExWOW(>)  64 

NtUserGetClassName(>)  1 
NtCreateMutant(>)  3 
NtContinue(>)  9 
NtUserGetClassInfo(>)  82 

NtUserGetGUIThreadInfo(>)  1 
NtDelayExecution(>)  3 
NtGdiSelectBitmap(>)  9 
NtAllocateVirtualMemory(>)  83 

NtUserGetIconInfo(>)  1 
NtDuplicateObject(>)  3 
NtWaitForSingleObject(>)  9 
NtOpenKey(>)  106 

NtUserGetIconSize(>)  1 
NtGdiExtGetObjectW(>)  3 
NtSetInformationThread(>)  10 
NtClose(>)  181 

NtUserGetThreadState(>)  1 
NtGdiHfontCreate(>)  3 
NtFlushInstructionCache(>)  11 
NtOpenMutant(>)  201 

NtUserRemoveProp(>)  1 
NtOpenThreadToken(>)  3 
NtUserSystemParametersInfo(>)  11 
NtUserQueryWindow(>)  244 

NtUserSetCursorIconData(>)  1 
NtSetInformationObject(>)  3 
NtQueryInformationProcess(>)  12 

NtUserSetProp(>)  1 
NtTerminateProcess(>)  3 
NtQuerySection(>)  13 

NtUserSetWindowPos(>)  1 

Trace:
 00001   456   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002   456   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00003   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00004   456   NtAllocateVirtualMemory  (-1, 0, 0, 2097152, 8192, 4, ... 5046272, 2097152, ) == 0x0
 00005   456   NtAllocateVirtualMemory  (-1, 5046272, 0, 4096, 4096, 4, ... 5046272, 4096, ) == 0x0
 00006   456   NtAllocateVirtualMemory  (-1, 5050368, 0, 8192, 4096, 4, ... 5050368, 8192, ) == 0x0
 00007   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00008   456   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2424832, 65536, ) == 0x0
 00009   456   NtAllocateVirtualMemory  (-1, 2424832, 0, 24576, 4096, 4, ... 2424832, 24576, ) == 0x0
 00010   456   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00011   456   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00012   456   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00013   456   NtClose  (12, ... ) == 0x0
 00014   456   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00015   456   NtQueryVolumeInformationFile  (12, 2292424, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00016   456   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER
 00017   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 2292408, ... ) }, 2292408, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019   456   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0
 00020   456   NtClose  (16, ... ) == 0x0
 00021   456   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00022   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00023   456   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00024   456   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 5055288, {12, 0, 0}, 2290592, 44, ... 24, {24, 16, 0, 65536, 2490368, 18415616}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 5055288, {12, 0, 0}, 2290592, 44, ... 24, {24, 16, 0, 65536, 2490368, 18415616}, {0, 0, 0}, 200, 44, ) == 0x0
 00025   456   NtClose  (16, ... ) == 0x0
 00026   456   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00027   456   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00028   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00029   456   NtQueryVirtualMemory  (-1, 0x260000, Basic, 28, ... {BaseAddress=0x260000,AllocationBase=0x260000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00030   456   NtAllocateVirtualMemory  (-1, 2490368, 0, 4096, 4096, 4, ... 2490368, 4096, ) == 0x0
 00031   456   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 448, 456, 1474, 0} "\0\346\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ... {28, 56, reply, 0, 448, 456, 1474, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 448, 456, 1474, 0} "\0\346\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ) == 0x0
 00032   456   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00033   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00034   456   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00035   456   NtClose  (16, ... ) == 0x0
 00036   456   NtAllocateVirtualMemory  (-1, 2281472, 0, 4096, 4096, 260, ... 2281472, 4096, ) == 0x0
 00037   456   NtOpenMutant  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0
 00038   456   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 28, ) == 0x0
 00039   456   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x270000), 0x0, 90112, ) == 0x0
 00040   456   NtClose  (28, ... ) == 0x0
 00041   456   NtQueryDefaultLocale  (0, 2012046252, ... ) == 0x0
 00042   456   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0
 00043   456   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x290000), 0x0, 212992, ) == 0x0
 00044   456   NtClose  (28, ... ) == 0x0
 00045   456   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0
 00046   456   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2d0000), 0x0, 266240, ) == 0x0
 00047   456   NtQuerySection  (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00048   456   NtClose  (28, ... ) == 0x0
 00049   456   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0
 00050   456   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x320000), 0x0, 24576, ) == 0x0
 00051   456   NtClose  (28, ... ) == 0x0
 00052   456   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00053   456   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00054   456   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00055   456   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 448, 456, 1476, 0} "\370\323\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ... {28, 56, reply, 0, 448, 456, 1476, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 448, 456, 1476, 0} "\370\323\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ) == 0x0
 00056   456   NtProtectVirtualMemory  (-1, (0x45d000), 204800, 4, ... (0x45d000), 204800, 128, ) == 0x0
 00057   456   NtProtectVirtualMemory  (-1, (0x45d000), 204800, 128, ... (0x45d000), 204800, 4, ) == 0x0
 00058   456   NtFlushInstructionCache  (-1, 4575232, 204800, ... ) == 0x0
 00059   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "user32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00060   456   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0
 00061   456   NtClose  (28, ... ) == 0x0
 00062   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00063   456   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0
 00064   456   NtClose  (28, ... ) == 0x0
 00065   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00066   456   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0
 00067   456   NtClose  (28, ... ) == 0x0
 00068   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00069   456   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0
 00070   456   NtClose  (28, ... ) == 0x0
 00071   456   NtProtectVirtualMemory  (-1, (0x45d000), 204800, 4, ... (0x45d000), 204800, 64, ) == 0x0
 00072   456   NtProtectVirtualMemory  (-1, (0x45d000), 204800, 64, ... (0x45d000), 204800, 4, ) == 0x0
 00073   456   NtFlushInstructionCache  (-1, 4575232, 204800, ... ) == 0x0
 00074   456   NtOpenProcessToken  (-1, 0x8, ... 28, ) == 0x0
 00075   456   NtQueryInformationToken  (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00076   456   NtClose  (28, ... ) == 0x0
 00077   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00078   456   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00079   456   NtClose  (28, ... ) == 0x0
 00080   456   NtAllocateVirtualMemory  (-1, 5058560, 0, 4096, 4096, 4, ... 5058560, 4096, ) == 0x0
 00081   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00082   456   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00083   456   NtQueryValueKey  (28,  (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00084   456   NtClose  (28, ... ) == 0x0
 00085   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0
 00086   456   NtQueryValueKey  (28,  (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00087   456   NtClose  (28, ... ) == 0x0
 00088   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0
 00089   456   NtSetInformationObject  (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0
 00090   456   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00091   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00092   456   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2, 2147347448, 2294988, 0}  (24, {28, 56, new_msg, 0, 2, 2147347448, 2294988, 0} "\210\6\31\1\0\0\0\0\314\4#\0!\215\30\34\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 448, 456, 1479, 0} "XQ\26\0\0\0\0\0\0\0\0\0!\215\30\34\3\0\0\0\234\6\31\1$\1\0\0" )  ... {28, 56, reply, 0, 448, 456, 1479, 0}  (24, {28, 56, new_msg, 0, 2, 2147347448, 2294988, 0} "\210\6\31\1\0\0\0\0\314\4#\0!\215\30\34\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 448, 456, 1479, 0} "XQ\26\0\0\0\0\0\0\0\0\0!\215\30\34\3\0\0\0\234\6\31\1$\1\0\0" )  ) == 0x0
 00093   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00094   456   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x6d0000), 0x0, 1060864, ) == 0x0
 00095   456   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 36, ) == 0x0
 00096   456   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00097   456   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482208, ) == 0x0
 00098   456   NtQueryInformationToken  (-2147482208, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00099   456   NtQueryInformationToken  (-2147482208, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00100   456   NtClose  (-2147482208, ... ) == 0x0
 00101   456   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 8257536, 4096, ) == 0x0
 00102   456   NtFreeVirtualMemory  (-1, (0x7e0000), 4096, 32768, ... (0x7e0000), 4096, ) == 0x0
 00103   456   NtDuplicateObject  (-1, 40, -1, 0x0, 0, 2, ... 48, ) == 0x0
 00104   456   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 00105   456   NtQueryValueKey  (-2147482208,  (-2147482208, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00106   456   NtClose  (-2147482208, ... ) == 0x0
 00107   456   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 00108   456   NtQueryValueKey  (-2147482208,  (-2147482208, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00109   456   NtClose  (-2147482208, ... ) == 0x0
 00110   456   NtQueryDefaultLocale  (0, -132412916, ... ) == 0x0
 00111   456   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00112   456   NtUserCallNoParam  (24, ... ) == 0x0
 00113   456   NtGdiCreateCompatibleDC  (0, ...
 00114   456   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 8257536, 4096, ) == 0x0
 00113   456   NtGdiCreateCompatibleDC  ... ) == 0x100103cb
 00115   456   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00116   456   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00117   456   NtGdiCreateBitmap  (8, 8, 1, 1, 2010393708, ... ) == 0x13050404
 00118   456   NtGdiCreateSolidBrush  (0, 0, ...
 00119   456   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 11468800, 4096, ) == 0x0
 00118   456   NtGdiCreateSolidBrush  ... ) == 0xe10040a
 00120   456   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00121   456   NtGdiCreateCompatibleDC  (0, ... ) == 0x70010383
 00122   456   NtGdiSelectBitmap  (1879114627, 319095812, ... ) == 0x185000f
 00123   456   NtUserGetThreadDesktop  (456, 0, ... ) == 0x2c
 00124   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 52, ) }, ... 52, ) == 0x0
 00125   456   NtQueryValueKey  (52,  (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00126   456   NtClose  (52, ... ) == 0x0
 00127   456   NtUserFindExistingCursorIcon  (2289780, 2289796, 2290364, ... ) == 0x10011
 00128   456   NtUserRegisterClassExWOW  (2290300, 2290380, 2290364, 2290396, 673, 128, 0, ... ) == 0x810dc017
 00129   456   NtUserFindExistingCursorIcon  (2289780, 2289796, 2290364, ... ) == 0x10011
 00130   456   NtUserRegisterClassExWOW  (2290300, 2290380, 2290364, 2290396, 674, 128, 0, ... ) == 0x810dc01c
 00131   456   NtUserFindExistingCursorIcon  (2289780, 2289796, 2290364, ... ) == 0x10011
 00132   456   NtUserRegisterClassExWOW  (2290300, 2290380, 2290364, 2290396, 675, 128, 0, ... ) == 0x810dc01e
 00133   456   NtUserFindExistingCursorIcon  (2289780, 2289796, 2290364, ... ) == 0x10011
 00134   456   NtUserRegisterClassExWOW  (2290300, 2290380, 2290364, 2290396, 676, 128, 0, ... ) == 0x810d8002
 00135   456   NtUserFindExistingCursorIcon  (2289780, 2289796, 2290364, ... ) == 0x10013
 00136   456   NtUserRegisterClassExWOW  (2290300, 2290380, 2290364, 2290396, 677, 128, 0, ... ) == 0x810dc018
 00137   456   NtUserFindExistingCursorIcon  (2289780, 2289796, 2290364, ... ) == 0x10011
 00138   456   NtUserRegisterClassExWOW  (2290300, 2290380, 2290364, 2290396, 678, 128, 0, ... ) == 0x810dc01a
 00139   456   NtUserFindExistingCursorIcon  (2289780, 2289796, 2290364, ... ) == 0x10011
 00140   456   NtUserRegisterClassExWOW  (2290300, 2290380, 2290364, 2290396, 679, 128, 0, ... ) == 0x810dc01d
 00141   456   NtUserFindExistingCursorIcon  (2289780, 2289796, 2290364, ... ) == 0x10011
 00142   456   NtUserRegisterClassExWOW  (2290300, 2290380, 2290364, 2290396, 681, 128, 0, ...
 00143   456   NtAllocateVirtualMemory  (-1, 8417280, 0, 4096, 4096, 32, ... 8417280, 4096, ) == 0x0
 00142   456   NtUserRegisterClassExWOW  ... ) == 0x810dc026
 00144   456   NtUserFindExistingCursorIcon  (2289780, 2289796, 2290364, ... ) == 0x10011
 00145   456   NtUserRegisterClassExWOW  (2290300, 2290380, 2290364, 2290396, 680, 128, 0, ... ) == 0x810dc019
 00146   456   NtUserRegisterClassExWOW  (2290252, 2290332, 2290316, 2290348, 0, 128, 0, ... ) == 0x810dc020
 00147   456   NtUserRegisterClassExWOW  (2290252, 2290328, 2290344, 2290316, 0, 130, 0, ... ) == 0x810dc022
 00148   456   NtUserRegisterClassExWOW  (2290252, 2290332, 2290316, 2290348, 0, 128, 0, ... ) == 0x810dc023
 00149   456   NtUserRegisterClassExWOW  (2290252, 2290328, 2290344, 2290316, 0, 130, 0, ... ) == 0x810dc024
 00150   456   NtUserRegisterClassExWOW  (2290252, 2290332, 2290316, 2290348, 0, 128, 0, ... ) == 0x810dc025
 00151   456   NtCallbackReturn  (0, 0, 0, ...
 00152   456   NtGdiInit  (... ) == 0x1
 00153   456   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00154   456   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00155   456   NtAllocateVirtualMemory  (-1, 0, 0, 17506, 4096, 4, ... 11534336, 20480, ) == 0x0
 00156   456   NtFreeVirtualMemory  (-1, (0xb00000), 0, 32768, ... (0xb00000), 20480, ) == 0x0
 00157   456   NtQueryVirtualMemory  (-1, 0x401000, Basic, 52, ... {BaseAddress=0x401000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0x23000,State=0x1000,Protect=0x80,Type=0x1000000,}, 28, ) == 0x0
 00158   456   NtQueryVirtualMemory  (-1, 0x45754c, Basic, 28, ... {BaseAddress=0x457000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0x6000,State=0x1000,Protect=0x4,Type=0x1000000,}, 28, ) == 0x0
 00159   456   NtAllocateVirtualMemory  (-1, 5062656, 0, 4096, 4096, 4, ... 5062656, 4096, ) == 0x0
 00160   456   NtProtectVirtualMemory  (-1, (0x4001f0), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00161   456   NtProtectVirtualMemory  (-1, (0x4001f0), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00162   456   NtProtectVirtualMemory  (-1, (0x400218), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00163   456   NtProtectVirtualMemory  (-1, (0x400218), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00164   456   NtProtectVirtualMemory  (-1, (0x400240), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00165   456   NtProtectVirtualMemory  (-1, (0x400240), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00166   456   NtProtectVirtualMemory  (-1, (0x400268), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00167   456   NtProtectVirtualMemory  (-1, (0x400268), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00168   456   NtProtectVirtualMemory  (-1, (0x400290), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00169   456   NtProtectVirtualMemory  (-1, (0x400290), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00170   456   NtProtectVirtualMemory  (-1, (0x4002b8), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00171   456   NtProtectVirtualMemory  (-1, (0x4002b8), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00172   456   NtProtectVirtualMemory  (-1, (0x4002e0), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00173   456   NtProtectVirtualMemory  (-1, (0x4002e0), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00174   456   NtProtectVirtualMemory  (-1, (0x400308), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00175   456   NtProtectVirtualMemory  (-1, (0x400308), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00176   456   NtProtectVirtualMemory  (-1, (0x400330), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00177   456   NtProtectVirtualMemory  (-1, (0x400330), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00178   456   NtProtectVirtualMemory  (-1, (0x400358), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00179   456   NtProtectVirtualMemory  (-1, (0x400358), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00180   456   NtProtectVirtualMemory  (-1, (0x400380), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00181   456   NtProtectVirtualMemory  (-1, (0x400380), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00182   456   NtProtectVirtualMemory  (-1, (0x4003a8), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00183   456   NtProtectVirtualMemory  (-1, (0x4003a8), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00184   456   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00185   456   NtUserFindWindowEx  (0, 0,  (0, 0, "WispWindowClass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00186   456   NtUserBuildHwndList  (0, 0, 0, 0, 64, ... (0x100aa, 0x100a8, 0x100a6, 0x20060, 0x100a0, 0x1007e, 0x10074, 0x10068, 0x3004a, 0x10066, 0x3004c, 0x3003c, 0x10098, 0x1008c, 0x1007c, 0x10026, 0x100be, 0x100bc, 0x100ba, 0x100b8, 0x100b6, 0x100b4, 0x100b0, 0x100ae, 0x20064, 0x100ac, 0x20062, 0x1006c, 0x50050, 0x40054, 0x5004e, 0x10082, 0x10076, 0x1, ), 34, ) == 0x0
 00187   456   NtUserQueryWindow  (65706, 0, ... ) == 0x7d4
 00188   456   NtUserQueryWindow  (65706, 1, ... ) == 0x7d8
 00189   456   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {2004, 0}, ... 52, ) == 0x0
 00190   456   NtReadVirtualMemory  (52, 0x400000, 64, ...  (52, 0x400000, 64, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \1\0\0", 64, ) , 64, ) == 0x0
 00191   456   NtReadVirtualMemory  (52, 0x4b1c86, 4, ...  (52, 0x4b1c86, 4, ... "\0\0\0\0", 4, ) , 4, ) == 0x0
 00192   456   NtReadVirtualMemory  (52, 0x4c91a0, 256, ...  (52, 0x4c91a0, 256, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, ) , 256, ) == 0x0
 00193   456   NtClose  (52, ... ) == 0x0
 00194   456   NtUserQueryWindow  (65704, 0, ... ) == 0x7d4
 00195   456   NtUserQueryWindow  (65704, 1, ... ) == 0x7d8
 00196   456   NtUserQueryWindow  (65702, 0, ... ) == 0x7d4
 00197   456   NtUserQueryWindow  (65702, 1, ... ) == 0x7d8
 00198   456   NtUserQueryWindow  (131168, 0, ... ) == 0x7d4
 00199   456   NtUserQueryWindow  (131168, 1, ... ) == 0x7d8
 00200   456   NtUserQueryWindow  (65696, 0, ... ) == 0x760
 00201   456   NtUserQueryWindow  (65696, 1, ... ) == 0x778
 00202   456   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {1888, 0}, ... 52, ) == 0x0
 00203   456   NtReadVirtualMemory  (52, 0x400000, 64, ...  (52, 0x400000, 64, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 64, ) , 64, ) == 0x0
 00204   456   NtReadVirtualMemory  (52, 0x4b1c86, 4, ...
 00205   456   NtContinue  (-132416356, 0, ...
 00204   456   NtReadVirtualMemory  ... ) == STATUS_PARTIAL_COPY
 00206   456   NtReadVirtualMemory  (52, 0x4c91a0, 256, ...
 00207   456   NtContinue  (-132416356, 0, ...
 00206   456   NtReadVirtualMemory  ... ) == STATUS_PARTIAL_COPY
 00208   456   NtClose  (52, ... ) == 0x0
 00209   456   NtUserQueryWindow  (65662, 0, ... ) == 0x760
 00210   456   NtUserQueryWindow  (65662, 1, ... ) == 0x778
 00211   456   NtUserQueryWindow  (65652, 0, ... ) == 0x760
 00212   456   NtUserQueryWindow  (65652, 1, ... ) == 0x778
 00213   456   NtUserQueryWindow  (65640, 0, ... ) == 0x760
 00214   456   NtUserQueryWindow  (65640, 1, ... ) == 0x778
 00215   456   NtUserQueryWindow  (196682, 0, ... ) == 0x760
 00216   456   NtUserQueryWindow  (196682, 1, ... ) == 0x778
 00217   456   NtUserQueryWindow  (65638, 0, ... ) == 0x760
 00218   456   NtUserQueryWindow  (65638, 1, ... ) == 0x778
 00219   456   NtUserQueryWindow  (196684, 0, ... ) == 0x760
 00220   456   NtUserQueryWindow  (196684, 1, ... ) == 0x778
 00221   456   NtUserQueryWindow  (196668, 0, ... ) == 0x760
 00222   456   NtUserQueryWindow  (196668, 1, ... ) == 0x778
 00223   456   NtUserQueryWindow  (65688, 0, ... ) == 0x760
 00224   456   NtUserQueryWindow  (65688, 1, ... ) == 0x778
 00225   456   NtUserQueryWindow  (65676, 0, ... ) == 0x760
 00226   456   NtUserQueryWindow  (65676, 1, ... ) == 0x778
 00227   456   NtUserQueryWindow  (65660, 0, ... ) == 0x760
 00228   456   NtUserQueryWindow  (65660, 1, ... ) == 0x764
 00229   456   NtUserQueryWindow  (65574, 0, ... ) == 0x268
 00230   456   NtUserQueryWindow  (65574, 1, ... ) == 0x2c0
 00231   456   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {616, 0}, ... 52, ) == 0x0
 00232   456   NtReadVirtualMemory  (52, 0x400000, 64, ...  (52, 0x400000, 64, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 64, ) , 64, ) == 0x0
 00233   456   NtReadVirtualMemory  (52, 0x4b1c86, 4, ...  (52, 0x4b1c86, 4, ... "\0\0\0\0", 4, ) , 4, ) == 0x0
 00234   456   NtReadVirtualMemory  (52, 0x4c91a0, 256, ...  (52, 0x4c91a0, 256, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, ) , 256, ) == 0x0
 00235   456   NtClose  (52, ... ) == 0x0
 00236   456   NtUserQueryWindow  (65726, 0, ... ) == 0x7dc
 00237   456   NtUserQueryWindow  (65726, 1, ... ) == 0x7e0
 00238   456   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {2012, 0}, ... 52, ) == 0x0
 00239   456   NtReadVirtualMemory  (52, 0x400000, 64, ...  (52, 0x400000, 64, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\0", 64, ) , 64, ) == 0x0
 00240   456   NtReadVirtualMemory  (52, 0x4b1c86, 4, ...  (52, 0x4b1c86, 4, ... "\377\0\377\377", 4, ) , 4, ) == 0x0
 00241   456   NtReadVirtualMemory  (52, 0x4c91a0, 256, ...  (52, 0x4c91a0, 256, ... "\210fvx\210x\206wfvGe$\306d\21\26\210ls\210\210\250g\207\210hhx\207xhvwdfF|d\21\27\210\206hx\250\252\206\210\207v\207\210x\207\207gfv4F\306G\21\21\210\206\207\210\212\250\250h\210\207x\210\210wvwgFD$d!\21\21x\250g\210\212\252\250\206\210\207w\210\207\207wvvgBGd\21\21\21\210\212\203\210\250\252\212\210x\210w\210\210xwgcd%F\1\21\21\21\27\212\250\210\212\252\252\210f\210\207x\210\207w7fR@`\21\21\21\21\21\210\2508\212\252\250\250\210gw\21088vvu$$!\21\21\21\21\21\30\210\210\210\212\252\210\206vgw\210\203wsb`\7\21\21\21\21\21\21\21\210\203\210\210\210\210\207vvwwwsf4\7\21\21\21\21\21\21\21\21\30\210\210\210\210\210wGwvwww5\2\21\21\21\21\21\21", 256, ) , 256, ) == 0x0
 00242   456   NtClose  (52, ... ) == 0x0
 00243   456   NtUserQueryWindow  (65724, 0, ... ) == 0x7dc
 00244   456   NtUserQueryWindow  (65724, 1, ... ) == 0x7e0
 00245   456   NtUserQueryWindow  (65722, 0, ... ) == 0x7dc
 00246   456   NtUserQueryWindow  (65722, 1, ... ) == 0x7e0
 00247   456   NtUserQueryWindow  (65720, 0, ... ) == 0x7dc
 00248   456   NtUserQueryWindow  (65720, 1, ... ) == 0x7e0
 00249   456   NtUserQueryWindow  (65718, 0, ... ) == 0x7dc
 00250   456   NtUserQueryWindow  (65718, 1, ... ) == 0x7e0
 00251   456   NtUserQueryWindow  (65716, 0, ... ) == 0x7dc
 00252   456   NtUserQueryWindow  (65716, 1, ... ) == 0x7e0
 00253   456   NtUserQueryWindow  (65712, 0, ... ) == 0x7dc
 00254   456   NtUserQueryWindow  (65712, 1, ... ) == 0x7e0
 00255   456   NtUserQueryWindow  (65710, 0, ... ) == 0x7dc
 00256   456   NtUserQueryWindow  (65710, 1, ... ) == 0x7e0
 00257   456   NtUserQueryWindow  (131172, 0, ... ) == 0x7e8
 00258   456   NtUserQueryWindow  (131172, 1, ... ) == 0x7ec
 00259   456   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {2024, 0}, ... 52, ) == 0x0
 00260   456   NtReadVirtualMemory  (52, 0x400000, 64, ...  (52, 0x400000, 64, ... "\301\0\0\0\0\1\0\0\377\356\377\356\11\0\0\0\11\0\0\0\0\376\0\0\0\0\20\0\0 \0\0\0\2\0\0\0 \0\0q\0\0\0\377\357\375\177\0\0\10\6\0\0\0\0\0\0\0\0\0\0\0\0", 64, ) , 64, ) == 0x0
 00261   456   NtReadVirtualMemory  (52, 0x4b1c86, 4, ...  (52, 0x4b1c86, 4, ... "\0\0\0\0", 4, ) , 4, ) == 0x0
 00262   456   NtReadVirtualMemory  (52, 0x4c91a0, 256, ...  (52, 0x4c91a0, 256, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, ) , 256, ) == 0x0
 00263   456   NtClose  (52, ... ) == 0x0
 00264   456   NtUserQueryWindow  (65708, 0, ... ) == 0x7d4
 00265   456   NtUserQueryWindow  (65708, 1, ... ) == 0x7d8
 00266   456   NtUserQueryWindow  (131170, 0, ... ) == 0x7cc
 00267   456   NtUserQueryWindow  (131170, 1, ... ) == 0x7d0
 00268   456   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {1996, 0}, ... 52, ) == 0x0
 00269   456   NtReadVirtualMemory  (52, 0x400000, 64, ...  (52, 0x400000, 64, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0", 64, ) , 64, ) == 0x0
 00270   456   NtReadVirtualMemory  (52, 0x4b1c86, 4, ...
 00271   456   NtContinue  (-132416356, 0, ...
 00270   456   NtReadVirtualMemory  ... ) == STATUS_PARTIAL_COPY
 00272   456   NtReadVirtualMemory  (52, 0x4c91a0, 256, ...
 00273   456   NtContinue  (-132416356, 0, ...
 00272   456   NtReadVirtualMemory  ... ) == STATUS_PARTIAL_COPY
 00274   456   NtClose  (52, ... ) == 0x0
 00275   456   NtUserQueryWindow  (65644, 0, ... ) == 0x760
 00276   456   NtUserQueryWindow  (65644, 1, ... ) == 0x794
 00277   456   NtUserQueryWindow  (327760, 0, ... ) == 0x760
 00278   456   NtUserQueryWindow  (327760, 1, ... ) == 0x764
 00279   456   NtUserQueryWindow  (262228, 0, ... ) == 0x760
 00280   456   NtUserQueryWindow  (262228, 1, ... ) == 0x764
 00281   456   NtUserQueryWindow  (327758, 0, ... ) == 0x760
 00282   456   NtUserQueryWindow  (327758, 1, ... ) == 0x764
 00283   456   NtUserQueryWindow  (65666, 0, ... ) == 0x760
 00284   456   NtUserQueryWindow  (65666, 1, ... ) == 0x764
 00285   456   NtUserQueryWindow  (65654, 0, ... ) == 0x760
 00286   456   NtUserQueryWindow  (65654, 1, ... ) == 0x764
 00287   456   NtRaiseException  (2291272, 2290532, 1, ...
 00288   456   NtContinue  (2289328, 0, ...
 00289   456   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 52, ) }, ... 52, ) == 0x0
 00290   456   NtOpenMutant  (0x120001, {24, 52, 0x2, 0, 0,  (0x120001, {24, 52, 0x2, 0, 0, "DBWinMutex"}, ... 56, ) }, ... 56, ) == 0x0
 00291   456   NtWaitForSingleObject  (56, 0, 0x0, ... ) == 0x0
 00292   456   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00293   456   NtReleaseMutant  (56, ... 0x0, ) == 0x0
 00294   456   NtDuplicateObject  (-1, 2877, -1, 0x0, 0, 2, ... ) == STATUS_INVALID_HANDLE
 00295   456   NtClose  (0, ... ) == STATUS_INVALID_HANDLE
 00296   456   NtClose  (0, ... ) == STATUS_INVALID_HANDLE
 00297   456   NtUserBuildHwndList  (0, 0, 0, 0, 64, ... (0x100aa, 0x100a8, 0x100a6, 0x20060, 0x100a0, 0x1007e, 0x10074, 0x10068, 0x3004a, 0x10066, 0x3004c, 0x3003c, 0x10098, 0x1008c, 0x1007c, 0x10026, 0x100be, 0x100bc, 0x100ba, 0x100b8, 0x100b6, 0x100b4, 0x100b0, 0x100ae, 0x20064, 0x100ac, 0x20062, 0x1006c, 0x50050, 0x40054, 0x5004e, 0x10082, 0x10076, 0x1, ), 34, ) == 0x0
 00298   456   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00299   456   NtUserFindWindowEx  (0, 0,  (0, 0, "WispWindowClass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00300   456   NtUserBuildHwndList  (0, 0, 0, 0, 64, ... (0x100aa, 0x100a8, 0x100a6, 0x20060, 0x100a0, 0x1007e, 0x10074, 0x10068, 0x3004a, 0x10066, 0x3004c, 0x3003c, 0x10098, 0x1008c, 0x1007c, 0x10026, 0x100be, 0x100bc, 0x100ba, 0x100b8, 0x100b6, 0x100b4, 0x100b0, 0x100ae, 0x20064, 0x100ac, 0x20062, 0x1006c, 0x50050, 0x40054, 0x5004e, 0x10082, 0x10076, 0x1, ), 34, ) == 0x0
 00301   456   NtUserQueryWindow  (65706, 0, ... ) == 0x7d4
 00302   456   NtUserQueryWindow  (65706, 1, ... ) == 0x7d8
 00303   456   NtUserQueryWindow  (65704, 0, ... ) == 0x7d4
 00304   456   NtUserQueryWindow  (65704, 1, ... ) == 0x7d8
 00305   456   NtUserQueryWindow  (65702, 0, ... ) == 0x7d4
 00306   456   NtUserQueryWindow  (65702, 1, ... ) == 0x7d8
 00307   456   NtUserQueryWindow  (131168, 0, ... ) == 0x7d4
 00308   456   NtUserQueryWindow  (131168, 1, ... ) == 0x7d8
 00309   456   NtUserQueryWindow  (65696, 0, ... ) == 0x760
 00310   456   NtUserQueryWindow  (65696, 1, ... ) == 0x778
 00311   456   NtUserQueryWindow  (65662, 0, ... ) == 0x760
 00312   456   NtUserQueryWindow  (65662, 1, ... ) == 0x778
 00313   456   NtUserQueryWindow  (65652, 0, ... ) == 0x760
 00314   456   NtUserQueryWindow  (65652, 1, ... ) == 0x778
 00315   456   NtUserQueryWindow  (65640, 0, ... ) == 0x760
 00316   456   NtUserQueryWindow  (65640, 1, ... ) == 0x778
 00317   456   NtUserQueryWindow  (196682, 0, ... ) == 0x760
 00318   456   NtUserQueryWindow  (196682, 1, ... ) == 0x778
 00319   456   NtUserQueryWindow  (65638, 0, ... ) == 0x760
 00320   456   NtUserQueryWindow  (65638, 1, ... ) == 0x778
 00321   456   NtUserQueryWindow  (196684, 0, ... ) == 0x760
 00322   456   NtUserQueryWindow  (196684, 1, ... ) == 0x778
 00323   456   NtUserQueryWindow  (196668, 0, ... ) == 0x760
 00324   456   NtUserQueryWindow  (196668, 1, ... ) == 0x778
 00325   456   NtUserQueryWindow  (65688, 0, ... ) == 0x760
 00326   456   NtUserQueryWindow  (65688, 1, ... ) == 0x778
 00327   456   NtUserQueryWindow  (65676, 0, ... ) == 0x760
 00328   456   NtUserQueryWindow  (65676, 1, ... ) == 0x778
 00329   456   NtUserQueryWindow  (65660, 0, ... ) == 0x760
 00330   456   NtUserQueryWindow  (65660, 1, ... ) == 0x764
 00331   456   NtUserQueryWindow  (65574, 0, ... ) == 0x268
 00332   456   NtUserQueryWindow  (65574, 1, ... ) == 0x2c0
 00333   456   NtUserQueryWindow  (65726, 0, ... ) == 0x7dc
 00334   456   NtUserQueryWindow  (65726, 1, ... ) == 0x7e0
 00335   456   NtUserQueryWindow  (65724, 0, ... ) == 0x7dc
 00336   456   NtUserQueryWindow  (65724, 1, ... ) == 0x7e0
 00337   456   NtUserQueryWindow  (65722, 0, ... ) == 0x7dc
 00338   456   NtUserQueryWindow  (65722, 1, ... ) == 0x7e0
 00339   456   NtUserQueryWindow  (65720, 0, ... ) == 0x7dc
 00340   456   NtUserQueryWindow  (65720, 1, ... ) == 0x7e0
 00341   456   NtUserQueryWindow  (65718, 0, ... ) == 0x7dc
 00342   456   NtUserQueryWindow  (65718, 1, ... ) == 0x7e0
 00343   456   NtUserQueryWindow  (65716, 0, ... ) == 0x7dc
 00344   456   NtUserQueryWindow  (65716, 1, ... ) == 0x7e0
 00345   456   NtUserQueryWindow  (65712, 0, ... ) == 0x7dc
 00346   456   NtUserQueryWindow  (65712, 1, ... ) == 0x7e0
 00347   456   NtUserQueryWindow  (65710, 0, ... ) == 0x7dc
 00348   456   NtUserQueryWindow  (65710, 1, ... ) == 0x7e0
 00349   456   NtUserQueryWindow  (131172, 0, ... ) == 0x7e8
 00350   456   NtUserQueryWindow  (131172, 1, ... ) == 0x7ec
 00351   456   NtUserQueryWindow  (65708, 0, ... ) == 0x7d4
 00352   456   NtUserQueryWindow  (65708, 1, ... ) == 0x7d8
 00353   456   NtUserQueryWindow  (131170, 0, ... ) == 0x7cc
 00354   456   NtUserQueryWindow  (131170, 1, ... ) == 0x7d0
 00355   456   NtUserQueryWindow  (65644, 0, ... ) == 0x760
 00356   456   NtUserQueryWindow  (65644, 1, ... ) == 0x794
 00357   456   NtUserQueryWindow  (327760, 0, ... ) == 0x760
 00358   456   NtUserQueryWindow  (327760, 1, ... ) == 0x764
 00359   456   NtUserQueryWindow  (262228, 0, ... ) == 0x760
 00360   456   NtUserQueryWindow  (262228, 1, ... ) == 0x764
 00361   456   NtUserQueryWindow  (327758, 0, ... ) == 0x760
 00362   456   NtUserQueryWindow  (327758, 1, ... ) == 0x764
 00363   456   NtUserQueryWindow  (65666, 0, ... ) == 0x760
 00364   456   NtUserQueryWindow  (65666, 1, ... ) == 0x764
 00365   456   NtUserQueryWindow  (65654, 0, ... ) == 0x760
 00366   456   NtUserQueryWindow  (65654, 1, ... ) == 0x764
 00367   456   NtRaiseException  (2291216, 2290476, 1, ...
 00368   456   NtContinue  (2289272, 0, ...
 00369   456   NtWaitForSingleObject  (56, 0, 0x0, ... ) == 0x0
 00370   456   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00371   456   NtReleaseMutant  (56, ... 0x0, ) == 0x0
 00372   456   NtDuplicateObject  (-1, 3156, -1, 0x0, 0, 2, ... ) == STATUS_INVALID_HANDLE
 00373   456   NtClose  (0, ... ) == STATUS_INVALID_HANDLE
 00374   456   NtClose  (0, ... ) == STATUS_INVALID_HANDLE
 00375   456   NtUserBuildHwndList  (0, 0, 0, 0, 64, ... (0x100aa, 0x100a8, 0x100a6, 0x20060, 0x100a0, 0x1007e, 0x10074, 0x10068, 0x3004a, 0x10066, 0x3004c, 0x3003c, 0x10098, 0x1008c, 0x1007c, 0x10026, 0x100be, 0x100bc, 0x100ba, 0x100b8, 0x100b6, 0x100b4, 0x100b0, 0x100ae, 0x20064, 0x100ac, 0x20062, 0x1006c, 0x50050, 0x40054, 0x5004e, 0x10082, 0x10076, 0x1, ), 34, ) == 0x0
 00376   456   NtSetSecurityObject  (-1, 4, {1, 0, 0x4, 0, 0, 0, 2291052}, ... ) == 0x0
 00377   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 60, ) }, ... 60, ) == 0x0
 00378   456   NtQueryValueKey  (60,  (60, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00379   456   NtClose  (60, ... ) == 0x0
 00380   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MPR.dll"}, ... 60, ) }, ... 60, ) == 0x0
 00381   456   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71b20000), 0x0, 69632, ) == 0x0
 00382   456   NtClose  (60, ... ) == 0x0
 00383   456   NtCreateSemaphore  (0x1f0003, 0x0, 1, 1, ... 60, ) == 0x0
 00384   456   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 64, ) == 0x0
 00385   456   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "system\CurrentControlSet\control\NetworkProvider\HwOrder"}, ... 68, ) }, ... 68, ) == 0x0
 00386   456   NtNotifyChangeKey  (68, 64, 0, 0, 2011390432, 4, 0, 0, 0, 1, ... ) == 0x103
 00387   456   NtQueryInformationProcess  (-1, 28, 4, ... {process info, class 28, size 4}, 0x0, ) == 0x0
 00388   456   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 72, ) == 0x0
 00389   456   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 76, ) == 0x0
 00390   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ODBC32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00391   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\ODBC32.dll"}, 2290060, ... ) }, 2290060, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00392   456   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "ODBC32.dll"}, 2290060, ... ) }, 2290060, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00393   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ODBC32.dll"}, 2290060, ... ) }, 2290060, ... ) == 0x0
 00394   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ODBC32.dll"}, 5, 96, ... 80, {status=0x0, info=1}, ) }, 5, 96, ... 80, {status=0x0, info=1}, ) == 0x0
 00395   456   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 80, ... 84, ) == 0x0
 00396   456   NtQuerySection  (84, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00397   456   NtOpenProcessToken  (-1, 0x8, ... 88, ) == 0x0
 00398   456   NtQueryInformationToken  (88, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00399   456   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00400   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 92, ) }, ... 92, ) == 0x0
 00401   456   NtQueryValueKey  (92,  (92, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (92, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00402   456   NtClose  (92, ... ) == 0x0
 00403   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00404   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 92, ) == 0x0
 00405   456   NtQueryInformationToken  (92, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00406   456   NtClose  (92, ... ) == 0x0
 00407   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00408   456   NtClose  (88, ... ) == 0x0
 00409   456   NtClose  (80, ... ) == 0x0
 00410   456   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x1f7b0000), 0x0, 200704, ) == 0x0
 00411   456   NtClose  (84, ... ) == 0x0
 00412   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "COMCTL32.dll"}, ... 84, ) }, ... 84, ) == 0x0
 00413   456   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0
 00414   456   NtClose  (84, ... ) == 0x0
 00415   456   NtProtectVirtualMemory  (-1, (0x1f7b1000), 724, 4, ... (0x1f7b1000), 4096, 32, ) == 0x0
 00416   456   NtProtectVirtualMemory  (-1, (0x1f7b1000), 4096, 32, ... (0x1f7b1000), 4096, 4, ) == 0x0
 00417   456   NtFlushInstructionCache  (-1, 528158720, 724, ... ) == 0x0
 00418   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "comdlg32.dll"}, ... 84, ) }, ... 84, ) == 0x0
 00419   456   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x763b0000), 0x0, 282624, ) == 0x0
 00420   456   NtClose  (84, ... ) == 0x0
 00421   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 84, ) }, ... 84, ) == 0x0
 00422   456   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x772d0000), 0x0, 405504, ) == 0x0
 00423   456   NtClose  (84, ... ) == 0x0
 00424   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 84, ) }, ... 84, ) == 0x0
 00425   456   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0
 00426   456   NtClose  (84, ... ) == 0x0
 00427   456   NtProtectVirtualMemory  (-1, (0x763b1000), 1536, 4, ... (0x763b1000), 4096, 32, ) == 0x0
 00428   456   NtProtectVirtualMemory  (-1, (0x763b1000), 4096, 32, ... (0x763b1000), 4096, 4, ) == 0x0
 00429   456   NtFlushInstructionCache  (-1, 1983582208, 1536, ... ) == 0x0
 00430   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHELL32.dll"}, ... 84, ) }, ... 84, ) == 0x0
 00431   456   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 8339456, ) == 0x0
 00432   456   NtClose  (84, ... ) == 0x0
 00433   456   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {448, 0}, ... 84, ) == 0x0
 00434   456   NtQueryInformationProcess  (84, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 00435   456   NtClose  (84, ... ) == 0x0
 00436   456   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00437   456   NtUserSystemParametersInfo  (104, 0, 2000318720, 0, ... ) == 0x1
 00438   456   NtUserSystemParametersInfo  (38, 4, 2000318708, 0, ... ) == 0x1
 00439   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00440   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 84, ) == 0x0
 00441   456   NtQueryInformationToken  (84, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00442   456   NtClose  (84, ... ) == 0x0
 00443   456   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 84, ) }, ... 84, ) == 0x0
 00444   456   NtSetInformationObject  (84, Handle, {Inherit=0,ProtectFromClose=1,}, 2228480, ... ) == 0x0
 00445   456   NtOpenKey  (0x20019, {24, 84, 0x40, 0, 0,  (0x20019, {24, 84, 0x40, 0, 0, "Control Panel\Desktop"}, ... 80, ) }, ... 80, ) == 0x0
 00446   456   NtQueryValueKey  (80,  (80, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00447   456   NtClose  (80, ... ) == 0x0
 00448   456   NtUserSystemParametersInfo  (41, 500, 2289792, 0, ... ) == 0x1
 00449   456   NtUserSystemParametersInfo  (102, 0, 2000318732, 0, ... ) == 0x1
 00450   456   NtUserGetClassInfo  (1999896576, 2290200, 2290152, 2290228, 0, ... ) == 0x0
 00451   456   NtUserFindExistingCursorIcon  (2289584, 2289600, 2290168, ... ) == 0x10011
 00452   456   NtUserRegisterClassExWOW  (2290036, 2290116, 2290100, 2290132, 0, 384, 0, ... ) == 0x810dc03b
 00453   456   NtUserGetClassInfo  (1999896576, 2290200, 2290152, 2290228, 0, ... ) == 0x0
 00454   456   NtUserRegisterClassExWOW  (2290036, 2290116, 2290100, 2290132, 0, 384, 0, ... ) == 0x810dc03d
 00455   456   NtUserGetClassInfo  (1999896576, 2290200, 2290152, 2290228, 0, ... ) == 0x0
 00456   456   NtUserFindExistingCursorIcon  (2289584, 2289600, 2290168, ... ) == 0x10011
 00457   456   NtUserRegisterClassExWOW  (2290036, 2290116, 2290100, 2290132, 0, 384, 0, ... ) == 0x810dc03f
 00458   456   NtUserGetClassInfo  (1999896576, 2290200, 2290152, 2290228, 0, ... ) == 0x0
 00459   456   NtUserFindExistingCursorIcon  (2289584, 2289600, 2290168, ... ) == 0x10011
 00460   456   NtUserRegisterClassExWOW  (2290036, 2290116, 2290100, 2290132, 0, 384, 0, ... ) == 0x810dc041
 00461   456   NtUserGetClassInfo  (1999896576, 2290200, 2290152, 2290228, 0, ... ) == 0x0
 00462   456   NtUserFindExistingCursorIcon  (2289584, 2289600, 2290168, ... ) == 0x10011
 00463   456   NtUserRegisterClassExWOW  (2290036, 2290116, 2290100, 2290132, 0, 384, 0, ... ) == 0x810dc043
 00464   456   NtUserGetClassInfo  (1999896576, 2290200, 2290152, 2290228, 0, ... ) == 0x0
 00465   456   NtUserRegisterClassExWOW  (2290036, 2290116, 2290100, 2290132, 0, 384, 0, ... ) == 0x810dc045
 00466   456   NtUserGetClassInfo  (1999896576, 2290200, 2290152, 2290228, 0, ... ) == 0x0
 00467   456   NtUserFindExistingCursorIcon  (2289584, 2289600, 2290168, ... ) == 0x10011
 00468   456   NtUserRegisterClassExWOW  (2290036, 2290116, 2290100, 2290132, 0, 384, 0, ... ) == 0x810dc047
 00469   456   NtUserGetClassInfo  (1999896576, 2290200, 2290152, 2290228, 0, ... ) == 0x0
 00470   456   NtUserFindExistingCursorIcon  (2289580, 2289596, 2290164, ... ) == 0x10011
 00471   456   NtUserRegisterClassExWOW  (2290032, 2290112, 2290096, 2290128, 0, 384, 0, ... ) == 0x810dc049
 00472   456   NtUserGetClassInfo  (1999896576, 2290200, 2290152, 2290228, 0, ... ) == 0x0
 00473   456   NtUserFindExistingCursorIcon  (2289584, 2289600, 2290168, ... ) == 0x10011
 00474   456   NtUserRegisterClassExWOW  (2290036, 2290116, 2290100, 2290132, 0, 384, 0, ... ) == 0x810dc04b
 00475   456   NtUserGetClassInfo  (1999896576, 2290200, 2290152, 2290228, 0, ... ) == 0x0
 00476   456   NtUserFindExistingCursorIcon  (2289584, 2289600, 2290168, ... ) == 0x10011
 00477   456   NtUserRegisterClassExWOW  (2290036, 2290116, 2290100, 2290132, 0, 384, 0, ... ) == 0x810dc04d
 00478   456   NtUserGetClassInfo  (1999896576, 2290200, 2290152, 2290228, 0, ... ) == 0x0
 00479   456   NtUserFindExistingCursorIcon  (2289584, 2289600, 2290168, ... ) == 0x10011
 00480   456   NtUserRegisterClassExWOW  (2290036, 2290116, 2290100, 2290132, 0, 384, 0, ... ) == 0x810dc04f
 00481   456   NtUserGetClassInfo  (1999896576, 2290204, 2290156, 2290232, 0, ... ) == 0x0
 00482   456   NtUserRegisterClassExWOW  (2290040, 2290120, 2290104, 2290136, 0, 384, 0, ... ) == 0x810dc051
 00483   456   NtUserGetClassInfo  (1999896576, 2290200, 2290152, 2290228, 0, ... ) == 0x0
 00484   456   NtUserFindExistingCursorIcon  (2289584, 2289600, 2290168, ... ) == 0x10011
 00485   456   NtUserRegisterClassExWOW  (2290036, 2290116, 2290100, 2290132, 0, 384, 0, ... ) == 0x810dc053
 00486   456   NtUserGetClassInfo  (1999896576, 2290200, 2290152, 2290228, 0, ... ) == 0x0
 00487   456   NtUserFindExistingCursorIcon  (2289584, 2289600, 2290168, ... ) == 0x10011
 00488   456   NtUserRegisterClassExWOW  (2290036, 2290116, 2290100, 2290132, 0, 384, 0, ... ) == 0x810dc055
 00489   456   NtUserRegisterClassExWOW  (2290036, 2290116, 2290100, 2290132, 0, 384, 0, ... ) == 0x810dc057
 00490   456   NtUserGetClassInfo  (1999896576, 2290200, 2290152, 2290228, 0, ... ) == 0x0
 00491   456   NtUserFindExistingCursorIcon  (2289584, 2289600, 2290168, ... ) == 0x10011
 00492   456   NtUserRegisterClassExWOW  (2290036, 2290116, 2290100, 2290132, 0, 384, 0, ... ) == 0x810dc059
 00493   456   NtUserGetClassInfo  (1999896576, 2290200, 2290152, 2290228, 0, ... ) == 0x0
 00494   456   NtUserFindExistingCursorIcon  (2289584, 2289600, 2290168, ... ) == 0x10013
 00495   456   NtUserRegisterClassExWOW  (2290036, 2290116, 2290100, 2290132, 0, 384, 0, ... ) == 0x810dc05b
 00496   456   NtUserGetClassInfo  (1999896576, 2290200, 2290152, 2290228, 0, ... ) == 0x0
 00497   456   NtUserFindExistingCursorIcon  (2289584, 2289600, 2290168, ... ) == 0x10011
 00498   456   NtUserRegisterClassExWOW  (2290036, 2290116, 2290100, 2290132, 0, 384, 0, ... ) == 0x810dc05d
 00499   456   NtUserGetClassInfo  (1999896576, 2290200, 2290152, 2290228, 0, ... ) == 0x0
 00500   456   NtUserFindExistingCursorIcon  (2289584, 2289600, 2290168, ... ) == 0x10011
 00501   456   NtUserRegisterClassExWOW  (2290036, 2290116, 2290100, 2290132, 0, 384, 0, ... ) == 0x810dc05f
 00502   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00503   456   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 11534336, 65536, ) == 0x0
 00504   456   NtAllocateVirtualMemory  (-1, 11534336, 0, 4096, 4096, 4, ... 11534336, 4096, ) == 0x0
 00505   456   NtAllocateVirtualMemory  (-1, 11538432, 0, 8192, 4096, 4, ... 11538432, 8192, ) == 0x0
 00506   456   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 80, ) }, ... 80, ) == 0x0
 00507   456   NtMapViewOfSection  (80, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xb10000), 0x0, 12288, ) == 0x0
 00508   456   NtClose  (80, ... ) == 0x0
 00509   456   NtAllocateVirtualMemory  (-1, 11546624, 0, 4096, 4096, 4, ... 11546624, 4096, ) == 0x0
 00510   456   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00511   456   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 80, ) }, ... 80, ) == 0x0
 00512   456   NtQueryValueKey  (80,  (80, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00513   456   NtClose  (80, ... ) == 0x0
 00514   456   NtQueryDefaultUILanguage  (2288416, ...
 00515   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00516   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482208, ) == 0x0
 00517   456   NtQueryInformationToken  (-2147482208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00518   456   NtClose  (-2147482208, ... ) == 0x0
 00519   456   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 00520   456   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00521   456   NtOpenKey  (0x80000000, {24, -2147482208, 0x640, 0, 0,  (0x80000000, {24, -2147482208, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482196, ) }, ... -2147482196, ) == 0x0
 00522   456   NtQueryValueKey  (-2147482196,  (-2147482196, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00523   456   NtClose  (-2147482196, ... ) == 0x0
 00524   456   NtClose  (-2147482208, ... ) == 0x0
 00514   456   NtQueryDefaultUILanguage  ... ) == 0x0
 00525   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00526   456   NtQueryInstallUILanguage  (2012047340, ... ) == 0x0
 00527   456   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1, 96, ... 80, {status=0x0, info=1}, ) }, 1, 96, ... 80, {status=0x0, info=1}, ) == 0x0
 00528   456   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 80, ... 88, ) == 0x0
 00529   456   NtMapViewOfSection  (88, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xb20000), 0x0, 8323072, ) == 0x0
 00530   456   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00531   456   NtQueryDefaultUILanguage  (2013024600, ...
 00532   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00533   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482208, ) == 0x0
 00534   456   NtQueryInformationToken  (-2147482208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00535   456   NtClose  (-2147482208, ... ) == 0x0
 00536   456   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 00537   456   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00538   456   NtOpenKey  (0x80000000, {24, -2147482208, 0x640, 0, 0,  (0x80000000, {24, -2147482208, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482196, ) }, ... -2147482196, ) == 0x0
 00539   456   NtQueryValueKey  (-2147482196,  (-2147482196, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00540   456   NtClose  (-2147482196, ... ) == 0x0
 00541   456   NtClose  (-2147482208, ... ) == 0x0
 00531   456   NtQueryDefaultUILanguage  ... ) == 0x0
 00542   456   NtAllocateVirtualMemory  (-1, 2277376, 0, 4096, 4096, 260, ... 2277376, 4096, ) == 0x0
 00543   456   NtQueryInstallUILanguage  (2013024602, ... ) == 0x0
 00544   456   NtQueryDefaultLocale  (1, 2286452, ... ) == 0x0
 00545   456   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00546   456   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 2287308, 1, 96, 0}  (24, {128, 156, new_msg, 0, 2287308, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\352"\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1P\0\0\0\377\377\377\377\0\0\0\0\20\311\351\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\314\355"\0\0\0\0\0" ... {128, 156, reply, 0, 448, 456, 1490, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\352"\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1P\0\0\0\377\377\377\377\0\0\0\0\20\311\351\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\314\355"\0\0\0\0\0" ) \0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1P\0\0\0\377\377\377\377\0\0\0\0\20\311\351\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\314\355 (24, {128, 156, new_msg, 0, 2287308, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\352"\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1P\0\0\0\377\377\377\377\0\0\0\0\20\311\351\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\314\355"\0\0\0\0\0" ... {128, 156, reply, 0, 448, 456, 1490, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\352"\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1P\0\0\0\377\377\377\377\0\0\0\0\20\311\351\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\314\355"\0\0\0\0\0" )  ... {128, 156, reply, 0, 448, 456, 1490, 0}  (24, {128, 156, new_msg, 0, 2287308, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\352"\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1P\0\0\0\377\377\377\377\0\0\0\0\20\311\351\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\314\355"\0\0\0\0\0" ... {128, 156, reply, 0, 448, 456, 1490, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\352"\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1P\0\0\0\377\377\377\377\0\0\0\0\20\311\351\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\314\355"\0\0\0\0\0" ) \0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1P\0\0\0\377\377\377\377\0\0\0\0\20\311\351\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\314\355 (24, {128, 156, new_msg, 0, 2287308, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\352"\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1P\0\0\0\377\377\377\377\0\0\0\0\20\311\351\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\314\355"\0\0\0\0\0" ... {128, 156, reply, 0, 448, 456, 1490, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\352"\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1P\0\0\0\377\377\377\377\0\0\0\0\20\311\351\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\314\355"\0\0\0\0\0" )  ) == 0x0
 00547   456   NtClose  (80, ... ) == 0x0
 00548   456   NtClose  (88, ... ) == 0x0
 00549   456   NtUnmapViewOfSection  (-1, 0xb20000, ... ) == 0x0
 00550   456   NtUnmapViewOfSection  (-1, 0x22edcc, ... ) == STATUS_NOT_MAPPED_VIEW
 00551   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00552   456   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00553   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00554   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00555   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 2285536, ... ) }, 2285536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00556   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00557   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00558   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00559   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 2286128, ... ) }, 2286128, ... ) == 0x0
 00560   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 88, {status=0x0, info=1}, ) }, 3, 33, ... 88, {status=0x0, info=1}, ) == 0x0
 00561   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00562   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 80, {status=0x0, info=1}, ) }, 5, 96, ... 80, {status=0x0, info=1}, ) == 0x0
 00563   456   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 80, ... 92, ) == 0x0
 00564   456   NtClose  (80, ... ) == 0x0
 00565   456   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xb20000), 0x0, 921600, ) == 0x0
 00566   456   NtClose  (92, ... ) == 0x0
 00567   456   NtUnmapViewOfSection  (-1, 0xb20000, ... ) == 0x0
 00568   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 92, {status=0x0, info=1}, ) }, 5, 96, ... 92, {status=0x0, info=1}, ) == 0x0
 00569   456   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 92, ... 80, ) == 0x0
 00570   456   NtQuerySection  (80, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00571   456   NtClose  (92, ... ) == 0x0
 00572   456   NtMapViewOfSection  (80, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0
 00573   456   NtClose  (80, ... ) == 0x0
 00574   456   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00575   456   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00576   456   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00577   456   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00578   456   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00579   456   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00580   456   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00581   456   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00582   456   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00583   456   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00584   456   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00585   456   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00586   456   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00587   456   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00588   456   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00589   456   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00590   456   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00591   456   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00592   456   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00593   456   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00594   456   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00595   456   NtAddAtom  ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 2287312, ... ) , 42, 2287312, ... ) == 0x0
 00596   456   NtQueryDefaultUILanguage  (2286028, ...
 00597   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00598   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482208, ) == 0x0
 00599   456   NtQueryInformationToken  (-2147482208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00600   456   NtClose  (-2147482208, ... ) == 0x0
 00601   456   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 00602   456   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00603   456   NtOpenKey  (0x80000000, {24, -2147482208, 0x640, 0, 0,  (0x80000000, {24, -2147482208, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482196, ) }, ... -2147482196, ) == 0x0
 00604   456   NtQueryValueKey  (-2147482196,  (-2147482196, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00605   456   NtClose  (-2147482196, ... ) == 0x0
 00606   456   NtClose  (-2147482208, ... ) == 0x0
 00596   456   NtQueryDefaultUILanguage  ... ) == 0x0
 00607   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00608   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 2284880, ... ) }, 2284880, ... ) == 0x0
 00609   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 80, {status=0x0, info=1}, ) }, 5, 96, ... 80, {status=0x0, info=1}, ) == 0x0
 00610   456   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 80, ... 92, ) == 0x0
 00611   456   NtClose  (80, ... ) == 0x0
 00612   456   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xb20000), 0x0, 4096, ) == 0x0
 00613   456   NtClose  (92, ... ) == 0x0
 00614   456   NtUnmapViewOfSection  (-1, 0xb20000, ... ) == 0x0
 00615   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 2284520, ... ) }, 2284520, ... ) == 0x0
 00616   456   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 2285220,  (0x80100080, {24, 0, 0x40, 0, 2285220, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 92, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 92, {status=0x0, info=1}, ) == 0x0
 00617   456   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 92, ... 80, ) == 0x0
 00618   456   NtClose  (92, ... ) == 0x0
 00619   456   NtMapViewOfSection  (80, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xb20000), {0, 0}, 4096, ) == 0x0
 00620   456   NtClose  (80, ... ) == 0x0
 00621   456   NtUnmapViewOfSection  (-1, 0xb20000, ... ) == 0x0
 00622   456   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 80, {status=0x0, info=1}, ) }, 1, 96, ... 80, {status=0x0, info=1}, ) == 0x0
 00623   456   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 80, ... 92, ) == 0x0
 00624   456   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xb20000), 0x0, 4096, ) == 0x0
 00625   456   NtQueryInformationFile  (80, 2284840, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0
 00626   456   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00627   456   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 2284920, 1, 96, 0}  (24, {128, 156, new_msg, 0, 2284920, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1P\0\0\0\\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0x\344"\0\0\0\0\0" ... {128, 156, reply, 0, 448, 456, 1491, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1P\0\0\0\\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0x\344"\0\0\0\0\0" ) \0\0\0\0\0 (24, {128, 156, new_msg, 0, 2284920, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1P\0\0\0\\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0x\344"\0\0\0\0\0" ... {128, 156, reply, 0, 448, 456, 1491, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1P\0\0\0\\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0x\344"\0\0\0\0\0" ) h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1P\0\0\0\\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0x\344 (24, {128, 156, new_msg, 0, 2284920, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1P\0\0\0\\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0x\344"\0\0\0\0\0" ... {128, 156, reply, 0, 448, 456, 1491, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1P\0\0\0\\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0x\344"\0\0\0\0\0" )  ) == 0x0
 00628   456   NtClose  (80, ... ) == 0x0
 00629   456   NtClose  (92, ... ) == 0x0
 00630   456   NtUnmapViewOfSection  (-1, 0xb20000, ... ) == 0x0
 00631   456   NtUnmapViewOfSection  (-1, 0x22e478, ... ) == STATUS_NOT_MAPPED_VIEW
 00632   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00633   456   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00634   456   NtUserSystemParametersInfo  (104, 0, 1906151468, 0, ... ) == 0x1
 00635   456   NtUserGetDC  (0, ... ) == 0x1010052
 00636   456   NtUserCallOneParam  (16842834, 56, ... ) == 0x1
 00637   456   NtUserSystemParametersInfo  (38, 4, 1906153440, 0, ... ) == 0x1
 00638   456   NtUserSystemParametersInfo  (66, 12, 2287332, 0, ... ) == 0x1
 00639   456   NtOpenProcessToken  (-1, 0x8, ... 92, ) == 0x0
 00640   456   NtAccessCheck  (5063656, 92, 0x1, 2286736, 2286680, 56, 2286764, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 00641   456   NtClose  (92, ... ) == 0x0
 00642   456   NtOpenKey  (0x20019, {24, 84, 0x40, 0, 0,  (0x20019, {24, 84, 0x40, 0, 0, "Control Panel\Desktop"}, ... 92, ) }, ... 92, ) == 0x0
 00643   456   NtQueryValueKey  (92,  (92, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00644   456   NtClose  (92, ... ) == 0x0
 00645   456   NtUserSystemParametersInfo  (41, 500, 2286832, 0, ... ) == 0x1
 00646   456   NtAllocateVirtualMemory  (-1, 5066752, 0, 4096, 4096, 4, ... 5066752, 4096, ) == 0x0
 00647   456   NtOpenKey  (0x1, {24, 84, 0x40, 0, 0,  (0x1, {24, 84, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 92, ) }, ... 92, ) == 0x0
 00648   456   NtQueryValueKey  (92,  (92, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00649   456   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 80, ) }, ... 80, ) == 0x0
 00650   456   NtQueryValueKey  (80,  (80, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00651   456   NtClose  (80, ... ) == 0x0
 00652   456   NtClose  (92, ... ) == 0x0
 00653   456   NtUserSystemParametersInfo  (102, 0, 1906153328, 0, ... ) == 0x1
 00654   456   NtUserSystemParametersInfo  (4130, 0, 2287356, 0, ... ) == 0x1
 00655   456   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 92, ) }, ... 92, ) == 0x0
 00656   456   NtEnumerateValueKey  (92, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 00657   456   NtClose  (92, ... ) == 0x0
 00658   456   NtUserFindExistingCursorIcon  (2286640, 2286656, 2287224, ... ) == 0x10011
 00659   456   NtUserRegisterClassExWOW  (2287092, 2287172, 2287156, 2287188, 0, 384, 0, ... ) == 0x810dc03b
 00660   456   NtUserRegisterClassExWOW  (2287092, 2287172, 2287156, 2287188, 0, 384, 0, ... ) == 0x810dc03d
 00661   456   NtUserFindExistingCursorIcon  (2286636, 2286652, 2287220, ... ) == 0x10011
 00662   456   NtUserRegisterClassExWOW  (2287088, 2287168, 2287152, 2287184, 0, 384, 0, ... ) == 0x810dc03f
 00663   456   NtUserFindExistingCursorIcon  (2286640, 2286656, 2287224, ... ) == 0x10011
 00664   456   NtUserRegisterClassExWOW  (2287092, 2287172, 2287156, 2287188, 0, 384, 0, ... ) == 0x810dc041
 00665   456   NtUserFindExistingCursorIcon  (2286640, 2286656, 2287224, ... ) == 0x10011
 00666   456   NtUserRegisterClassExWOW  (2287092, 2287172, 2287156, 2287188, 0, 384, 0, ...
 00667   456   NtAllocateVirtualMemory  (-1, 8421376, 0, 4096, 4096, 32, ... 8421376, 4096, ) == 0x0
 00666   456   NtUserRegisterClassExWOW  ... ) == 0x810dc043
 00668   456   NtUserRegisterClassExWOW  (2287092, 2287172, 2287156, 2287188, 0, 384, 0, ... ) == 0x810dc045
 00669   456   NtUserFindExistingCursorIcon  (2286640, 2286656, 2287224, ... ) == 0x10011
 00670   456   NtUserRegisterClassExWOW  (2287092, 2287172, 2287156, 2287188, 0, 384, 0, ... ) == 0x810dc047
 00671   456   NtUserFindExistingCursorIcon  (2286636, 2286652, 2287220, ... ) == 0x10011
 00672   456   NtUserRegisterClassExWOW  (2287088, 2287168, 2287152, 2287184, 0, 384, 0, ... ) == 0x810dc049
 00673   456   NtUserGetClassInfo  (1905590272, 2287252, 2287204, 2287280, 0, ... ) == 0xc049
 00674   456   NtUserFindExistingCursorIcon  (2286640, 2286656, 2287224, ... ) == 0x10011
 00675   456   NtUserRegisterClassExWOW  (2287092, 2287172, 2287156, 2287188, 0, 384, 0, ... ) == 0x810dc04b
 00676   456   NtUserFindExistingCursorIcon  (2286640, 2286656, 2287224, ... ) == 0x10011
 00677   456   NtUserRegisterClassExWOW  (2287092, 2287172, 2287156, 2287188, 0, 384, 0, ... ) == 0x810dc04d
 00678   456   NtUserFindExistingCursorIcon  (2286640, 2286656, 2287224, ... ) == 0x10011
 00679   456   NtUserRegisterClassExWOW  (2287092, 2287172, 2287156, 2287188, 0, 384, 0, ... ) == 0x810dc04f
 00680   456   NtUserRegisterClassExWOW  (2287092, 2287172, 2287156, 2287188, 0, 384, 0, ... ) == 0x810dc051
 00681   456   NtUserFindExistingCursorIcon  (2286640, 2286656, 2287224, ... ) == 0x10011
 00682   456   NtUserRegisterClassExWOW  (2287092, 2287172, 2287156, 2287188, 0, 384, 0, ... ) == 0x810dc053
 00683   456   NtUserFindExistingCursorIcon  (2286636, 2286652, 2287220, ... ) == 0x10011
 00684   456   NtUserRegisterClassExWOW  (2287088, 2287168, 2287152, 2287184, 0, 384, 0, ... ) == 0x810dc055
 00685   456   NtUserRegisterClassExWOW  (2287088, 2287168, 2287152, 2287184, 0, 384, 0, ... ) == 0x810dc057
 00686   456   NtUserFindExistingCursorIcon  (2286640, 2286656, 2287224, ... ) == 0x10011
 00687   456   NtUserRegisterClassExWOW  (2287092, 2287172, 2287156, 2287188, 0, 384, 0, ... ) == 0x810dc059
 00688   456   NtUserFindExistingCursorIcon  (2286640, 2286656, 2287224, ... ) == 0x10013
 00689   456   NtUserRegisterClassExWOW  (2287092, 2287172, 2287156, 2287188, 0, 384, 0, ... ) == 0x810dc05b
 00690   456   NtUserFindExistingCursorIcon  (2286640, 2286656, 2287224, ... ) == 0x10011
 00691   456   NtUserRegisterClassExWOW  (2287092, 2287172, 2287156, 2287188, 0, 384, 0, ... ) == 0x810dc05d
 00692   456   NtUserFindExistingCursorIcon  (2286640, 2286656, 2287224, ... ) == 0x10011
 00693   456   NtUserRegisterClassExWOW  (2287092, 2287172, 2287156, 2287188, 0, 384, 0, ... ) == 0x810dc05f
 00694   456   NtUserFindExistingCursorIcon  (2286636, 2286652, 2287220, ... ) == 0x10011
 00695   456   NtUserRegisterClassExWOW  (2287088, 2287168, 2287152, 2287184, 0, 384, 0, ... ) == 0x810dc017
 00696   456   NtUserFindExistingCursorIcon  (2286636, 2286652, 2287220, ... ) == 0x10011
 00697   456   NtUserRegisterClassExWOW  (2287088, 2287168, 2287152, 2287184, 0, 384, 0, ... ) == 0x810dc019
 00698   456   NtUserFindExistingCursorIcon  (2286636, 2286652, 2287220, ... ) == 0x10013
 00699   456   NtUserRegisterClassExWOW  (2287088, 2287168, 2287152, 2287184, 0, 384, 0, ... ) == 0x810dc018
 00700   456   NtUserFindExistingCursorIcon  (2286640, 2286656, 2287224, ... ) == 0x10011
 00701   456   NtUserRegisterClassExWOW  (2287092, 2287172, 2287156, 2287188, 0, 384, 0, ... ) == 0x810dc01a
 00702   456   NtUserFindExistingCursorIcon  (2286636, 2286652, 2287220, ... ) == 0x10011
 00703   456   NtUserRegisterClassExWOW  (2287088, 2287168, 2287152, 2287184, 0, 384, 0, ... ) == 0x810dc01c
 00704   456   NtUserFindExistingCursorIcon  (2286640, 2286656, 2287224, ... ) == 0x10011
 00705   456   NtUserRegisterClassExWOW  (2287092, 2287172, 2287156, 2287188, 0, 384, 0, ... ) == 0x810dc01e
 00706   456   NtUserFindExistingCursorIcon  (2286636, 2286652, 2287220, ... ) == 0x10011
 00707   456   NtUserRegisterClassExWOW  (2287148, 2287228, 2287212, 2287244, 0, 384, 0, ... ) == 0x810dc01b
 00708   456   NtUserFindExistingCursorIcon  (2286632, 2286648, 2287216, ... ) == 0x10011
 00709   456   NtUserRegisterClassExWOW  (2287144, 2287224, 2287208, 2287240, 0, 384, 0, ... ) == 0x810dc068
 00710   456   NtUserFindExistingCursorIcon  (2286640, 2286656, 2287224, ... ) == 0x10011
 00711   456   NtUserRegisterClassExWOW  (2287092, 2287172, 2287156, 2287188, 0, 384, 0, ... ) == 0x810dc06a
 00712   456   NtUserGetClassInfo  (1999896576, 2290152, 2290104, 2290180, 0, ... ) == 0xc03b
 00713   456   NtUserGetClassInfo  (1999896576, 2290152, 2290104, 2290180, 0, ... ) == 0xc03d
 00714   456   NtUserGetClassInfo  (1999896576, 2290152, 2290104, 2290180, 0, ... ) == 0xc03f
 00715   456   NtUserGetClassInfo  (1999896576, 2290152, 2290104, 2290180, 0, ... ) == 0xc041
 00716   456   NtUserGetClassInfo  (1999896576, 2290152, 2290104, 2290180, 0, ... ) == 0xc043
 00717   456   NtUserGetClassInfo  (1999896576, 2290152, 2290104, 2290180, 0, ... ) == 0xc045
 00718   456   NtUserGetClassInfo  (1999896576, 2290152, 2290104, 2290180, 0, ... ) == 0xc047
 00719   456   NtUserGetClassInfo  (1999896576, 2290152, 2290104, 2290180, 0, ... ) == 0xc049
 00720   456   NtUserGetClassInfo  (1999896576, 2290152, 2290104, 2290180, 0, ... ) == 0xc04b
 00721   456   NtUserGetClassInfo  (1999896576, 2290152, 2290104, 2290180, 0, ... ) == 0xc04d
 00722   456   NtUserGetClassInfo  (1999896576, 2290152, 2290104, 2290180, 0, ... ) == 0xc04f
 00723   456   NtUserGetClassInfo  (1999896576, 2290156, 2290108, 2290184, 0, ... ) == 0xc051
 00724   456   NtUserGetClassInfo  (1999896576, 2290152, 2290104, 2290180, 0, ... ) == 0xc053
 00725   456   NtUserGetClassInfo  (1999896576, 2290152, 2290104, 2290180, 0, ... ) == 0xc055
 00726   456   NtUserGetClassInfo  (1999896576, 2290152, 2290104, 2290180, 0, ... ) == 0xc059
 00727   456   NtUserGetClassInfo  (1999896576, 2290152, 2290104, 2290180, 0, ... ) == 0xc05b
 00728   456   NtUserGetClassInfo  (1999896576, 2290152, 2290104, 2290180, 0, ... ) == 0xc05d
 00729   456   NtUserGetClassInfo  (1999896576, 2290152, 2290104, 2290180, 0, ... ) == 0xc05f
 00730   456   NtUserRegisterWindowMessage  ( ("WOWLFChange", ... ) , ... ) == 0xc06b
 00731   456   NtUserRegisterWindowMessage  ( ("WOWDirChange", ... ) , ... ) == 0xc06c
 00732   456   NtUserRegisterWindowMessage  ( ("WOWCHOOSEFONT_GETLOGFONT", ... ) , ... ) == 0xc06d
 00733   456   NtUserRegisterWindowMessage  ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06e
 00734   456   NtUserRegisterWindowMessage  ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc06f
 00735   456   NtUserRegisterWindowMessage  ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc070
 00736   456   NtUserRegisterWindowMessage  ( ("commdlg_ColorOK", ... ) , ... ) == 0xc071
 00737   456   NtUserRegisterWindowMessage  ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc072
 00738   456   NtUserRegisterWindowMessage  ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06e
 00739   456   NtUserRegisterWindowMessage  ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc06f
 00740   456   NtUserRegisterWindowMessage  ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc070
 00741   456   NtUserRegisterWindowMessage  ( ("commdlg_ColorOK", ... ) , ... ) == 0xc071
 00742   456   NtUserRegisterWindowMessage  ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc072
 00743   456   NtUserRegisterWindowMessage  ( ("Shell IDList Array", ... ) , ... ) == 0xc073
 00744   456   NtUserRegisterWindowMessage  ( ("commdlg_help", ... ) , ... ) == 0xc074
 00745   456   NtUserRegisterWindowMessage  ( ("commdlg_help", ... ) , ... ) == 0xc074
 00746   456   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\MDAC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00747   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00748   456   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00749   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00750   456   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 11796480, 262144, ) == 0x0
 00751   456   NtAllocateVirtualMemory  (-1, 11796480, 0, 4096, 4096, 4, ... 11796480, 4096, ) == 0x0
 00752   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00753   456   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 12058624, 262144, ) == 0x0
 00754   456   NtAllocateVirtualMemory  (-1, 12058624, 0, 4096, 4096, 4, ... 12058624, 4096, ) == 0x0
 00755   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00756   456   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 12320768, 262144, ) == 0x0
 00757   456   NtAllocateVirtualMemory  (-1, 12320768, 0, 4096, 4096, 4, ... 12320768, 4096, ) == 0x0
 00758   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00759   456   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 12582912, 262144, ) == 0x0
 00760   456   NtAllocateVirtualMemory  (-1, 12582912, 0, 4096, 4096, 4, ... 12582912, 4096, ) == 0x0
 00761   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00762   456   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00763   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00764   456   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00765   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 2286032, ... ) }, 2286032, ... ) == 0x0
 00766   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 5, 96, ... 92, {status=0x0, info=1}, ) }, 5, 96, ... 92, {status=0x0, info=1}, ) == 0x0
 00767   456   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 92, ... 80, ) == 0x0
 00768   456   NtClose  (92, ... ) == 0x0
 00769   456   NtMapViewOfSection  (80, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xc40000), 0x0, 90112, ) == 0x0
 00770   456   NtClose  (80, ... ) == 0x0
 00771   456   NtUnmapViewOfSection  (-1, 0xc40000, ... ) == 0x0
 00772   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 2286348, ... ) }, 2286348, ... ) == 0x0
 00773   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 5, 96, ... 80, {status=0x0, info=1}, ) }, 5, 96, ... 80, {status=0x0, info=1}, ) == 0x0
 00774   456   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 80, ... 92, ) == 0x0
 00775   456   NtQuerySection  (92, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00776   456   NtClose  (80, ... ) == 0x0
 00777   456   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x1f850000), 0x0, 90112, ) == 0x0
 00778   456   NtClose  (92, ... ) == 0x0
 00779   456   NtQueryDefaultLocale  (1, 2288036, ... ) == 0x0
 00780   456   NtAllocateVirtualMemory  (-1, 11800576, 0, 4096, 4096, 4, ... 11800576, 4096, ) == 0x0
 00781   456   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE"}, ... 92, ) }, ... 92, ) == 0x0
 00782   456   NtClose  (92, ... ) == 0x0
 00783   456   NtOpenKey  (0x20019, {24, 84, 0x40, 0, 0,  (0x20019, {24, 84, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00784   456   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00785   456   NtOpenKey  (0x20019, {24, 84, 0x40, 0, 0,  (0x20019, {24, 84, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00786   456   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00787   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WININET.dll"}, ... 92, ) }, ... 92, ) == 0x0
 00788   456   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76200000), 0x0, 618496, ) == 0x0
 00789   456   NtClose  (92, ... ) == 0x0
 00790   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "CRYPT32.dll"}, ... 92, ) }, ... 92, ) == 0x0
 00791   456   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762c0000), 0x0, 565248, ) == 0x0
 00792   456   NtClose  (92, ... ) == 0x0
 00793   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSASN1.dll"}, ... 92, ) }, ... 92, ) == 0x0
 00794   456   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762a0000), 0x0, 61440, ) == 0x0
 00795   456   NtClose  (92, ... ) == 0x0
 00796   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLEAUT32.dll"}, ... 92, ) }, ... 92, ) == 0x0
 00797   456   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0
 00798   456   NtClose  (92, ... ) == 0x0
 00799   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLE32.DLL"}, ... 92, ) }, ... 92, ) == 0x0
 00800   456   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0
 00801   456   NtClose  (92, ... ) == 0x0
 00802   456   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\crypt32\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00803   456   NtAllocateVirtualMemory  (-1, 5070848, 0, 4096, 4096, 4, ... 5070848, 4096, ) == 0x0
 00804   456   NtAllocateVirtualMemory  (-1, 5074944, 0, 4096, 4096, 4, ... 5074944, 4096, ) == 0x0
 00805   456   NtAllocateVirtualMemory  (-1, 5079040, 0, 4096, 4096, 4, ... 5079040, 4096, ) == 0x0
 00806   456   NtCreateEvent  (0x1f0003, {24, 52, 0x80, 2290192, 0,  (0x1f0003, {24, 52, 0x80, 2290192, 0, "Global\crypt32LogoffEvent"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED
 00807   456   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\crypt32LogoffEvent"}, ... 92, ) }, ... 92, ) == 0x0
 00808   456   NtAllocateVirtualMemory  (-1, 5083136, 0, 4096, 4096, 4, ... 5083136, 4096, ) == 0x0
 00809   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00810   456   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00811   456   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 80, ) }, ... 80, ) == 0x0
 00812   456   NtQueryValueKey  (80,  (80, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0
 00813   456   NtClose  (80, ... ) == 0x0
 00814   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00815   456   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00816   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00817   456   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00818   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 80, ) }, ... 80, ) == 0x0
 00819   456   NtQueryValueKey  (80,  (80, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00820   456   NtQueryValueKey  (80,  (80, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00821   456   NtQueryValueKey  (80,  (80, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00822   456   NtClose  (80, ... ) == 0x0
 00823   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 80, ) }, ... 80, ) == 0x0
 00824   456   NtQueryValueKey  (80,  (80, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00825   456   NtQueryValueKey  (80,  (80, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00826   456   NtClose  (80, ... ) == 0x0
 00827   456   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00828   456   NtUserRegisterWindowMessage  ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b
 00829   456   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00830   456   NtOpenKey  (0x9, {24, 28, 0x40, 0, 0,  (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00831   456   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00832   456   NtAllocateVirtualMemory  (-1, 5087232, 0, 8192, 4096, 4, ... 5087232, 8192, ) == 0x0
 00833   456   NtCreateKey  (0xf003f, {24, 84, 0x40, 0, 0,  (0xf003f, {24, 84, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History"}, 0, 0x0, 0, ... 80, 2, ) }, 0, 0x0, 0, ... 80, 2, ) == 0x0
 00834   456   NtQueryDefaultUILanguage  (2288428, ...
 00835   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00836   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482208, ) == 0x0
 00837   456   NtQueryInformationToken  (-2147482208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00838   456   NtClose  (-2147482208, ... ) == 0x0
 00839   456   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 00840   456   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00841   456   NtOpenKey  (0x80000000, {24, -2147482208, 0x640, 0, 0,  (0x80000000, {24, -2147482208, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482196, ) }, ... -2147482196, ) == 0x0
 00842   456   NtQueryValueKey  (-2147482196,  (-2147482196, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00843   456   NtClose  (-2147482196, ... ) == 0x0
 00844   456   NtClose  (-2147482208, ... ) == 0x0
 00834   456   NtQueryDefaultUILanguage  ... ) == 0x0
 00845   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00846   456   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll"}, 1, 96, ... 96, {status=0x0, info=1}, ) }, 1, 96, ... 96, {status=0x0, info=1}, ) == 0x0
 00847   456   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 96, ... 100, ) == 0x0
 00848   456   NtMapViewOfSection  (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xc40000), 0x0, 593920, ) == 0x0
 00849   456   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00850   456   NtQueryDefaultLocale  (1, 2286464, ... ) == 0x0
 00851   456   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00852   456   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 2287320, 1, 96, 0}  (24, {128, 156, new_msg, 0, 2287320, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\352"\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1`\0\0\0\377\377\377\377\0\0\0\0P\275\313\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\330\355"\0\0\0\0\0" ... {128, 156, reply, 0, 448, 456, 1492, 0} " S\26\0\33\0\1\0\0\0\0\0\1\352"\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1`\0\0\0\377\377\377\377\0\0\0\0P\275\313\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\330\355"\0\0\0\0\0" ) \0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1`\0\0\0\377\377\377\377\0\0\0\0P\275\313\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\330\355 (24, {128, 156, new_msg, 0, 2287320, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\352"\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1`\0\0\0\377\377\377\377\0\0\0\0P\275\313\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\330\355"\0\0\0\0\0" ... {128, 156, reply, 0, 448, 456, 1492, 0} " S\26\0\33\0\1\0\0\0\0\0\1\352"\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1`\0\0\0\377\377\377\377\0\0\0\0P\275\313\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\330\355"\0\0\0\0\0" )  ... {128, 156, reply, 0, 448, 456, 1492, 0}  (24, {128, 156, new_msg, 0, 2287320, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\352"\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1`\0\0\0\377\377\377\377\0\0\0\0P\275\313\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\330\355"\0\0\0\0\0" ... {128, 156, reply, 0, 448, 456, 1492, 0} " S\26\0\33\0\1\0\0\0\0\0\1\352"\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1`\0\0\0\377\377\377\377\0\0\0\0P\275\313\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\330\355"\0\0\0\0\0" ) \0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1`\0\0\0\377\377\377\377\0\0\0\0P\275\313\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\330\355 (24, {128, 156, new_msg, 0, 2287320, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\352"\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1`\0\0\0\377\377\377\377\0\0\0\0P\275\313\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\330\355"\0\0\0\0\0" ... {128, 156, reply, 0, 448, 456, 1492, 0} " S\26\0\33\0\1\0\0\0\0\0\1\352"\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1`\0\0\0\377\377\377\377\0\0\0\0P\275\313\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\330\355"\0\0\0\0\0" )  ) == 0x0
 00853   456   NtClose  (96, ... ) == 0x0
 00854   456   NtClose  (100, ... ) == 0x0
 00855   456   NtUnmapViewOfSection  (-1, 0xc40000, ... ) == 0x0
 00856   456   NtUnmapViewOfSection  (-1, 0x22edd8, ... ) == STATUS_NOT_MAPPED_VIEW
 00857   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00858   456   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00859   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00860   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00861   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 2285004, ... ) }, 2285004, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00862   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00863   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00864   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00865   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 2285596, ... ) }, 2285596, ... ) == 0x0
 00866   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 100, {status=0x0, info=1}, ) }, 3, 33, ... 100, {status=0x0, info=1}, ) == 0x0
 00867   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00868   456   NtCreateKey  (0x2001f, {24, 84, 0x40, 0, 0,  (0x2001f, {24, 84, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 96, 2, ) }, 0, 0x0, 0, ... 96, 2, ) == 0x0
 00869   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00870   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 2290060, ... ) }, 2290060, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00871   456   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2_32.dll"}, 2290060, ... ) }, 2290060, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00872   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 2290060, ... ) }, 2290060, ... ) == 0x0
 00873   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0
 00874   456   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 104, ... 108, ) == 0x0
 00875   456   NtQuerySection  (108, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00876   456   NtClose  (104, ... ) == 0x0
 00877   456   NtMapViewOfSection  (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 86016, ) == 0x0
 00878   456   NtClose  (108, ... ) == 0x0
 00879   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00880   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 2289256, ... ) }, 2289256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00881   456   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2HELP.dll"}, 2289256, ... ) }, 2289256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00882   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 2289256, ... ) }, 2289256, ... ) == 0x0
 00883   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 5, 96, ... 108, {status=0x0, info=1}, ) }, 5, 96, ... 108, {status=0x0, info=1}, ) == 0x0
 00884   456   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 108, ... 104, ) == 0x0
 00885   456   NtQuerySection  (104, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00886   456   NtClose  (108, ... ) == 0x0
 00887   456   NtMapViewOfSection  (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00888   456   NtClose  (104, ... ) == 0x0
 00889   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00890   456   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00891   456   NtTestAlert  (... ) == 0x0
 00892   456   NtContinue  (2293040, 1, ...
 00893   456   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x490000,}, 4, ... ) == 0x0
 00894   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "crtdll.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00895   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\crtdll.dll"}, 2291300, ... ) }, 2291300, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00896   456   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "crtdll.dll"}, 2291300, ... ) }, 2291300, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00897   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\crtdll.dll"}, 2291300, ... ) }, 2291300, ... ) == 0x0
 00898   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\crtdll.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0
 00899   456   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 104, ... 108, ) == 0x0
 00900   456   NtQuerySection  (108, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00901   456   NtClose  (104, ... ) == 0x0
 00902   456   NtMapViewOfSection  (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x73d90000), 0x0, 159744, ) == 0x0
 00903   456   NtClose  (108, ... ) == 0x0
 00904   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\crtdll.dll"}, 2288964, ... ) }, 2288964, ... ) == 0x0
 00905   456   NtAllocateVirtualMemory  (-1, 5095424, 0, 4096, 4096, 4, ... 5095424, 4096, ) == 0x0
 00906   456   NtQuerySystemInformation  (TimeZone, 172, ... {system info, class 44, size 172}, 0x0, ) == 0x0
 00907   456   NtRequestWaitReplyPort  (24, {40, 68, new_msg, 0, 6357092, 5095816, 5505056, 7143529}  (24, {40, 68, new_msg, 0, 6357092, 5095816, 5505056, 7143529} "\0\0\0\0\0\2\2\0D[\351w\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\300\0\0\0\0\3\0\0\0\0\0\0\0" ... {40, 68, reply, 0, 448, 456, 1493, 0} "\0\0\0\0\0\2\2\0\10\0\0\300\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\300\0\0\0\0\3\0\0\0\0\0\0\0" )  ... {40, 68, reply, 0, 448, 456, 1493, 0}  (24, {40, 68, new_msg, 0, 6357092, 5095816, 5505056, 7143529} "\0\0\0\0\0\2\2\0D[\351w\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\300\0\0\0\0\3\0\0\0\0\0\0\0" ... {40, 68, reply, 0, 448, 456, 1493, 0} "\0\0\0\0\0\2\2\0\10\0\0\300\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\300\0\0\0\0\3\0\0\0\0\0\0\0" )  ) == 0x0
 00908   456   NtRequestWaitReplyPort  (24, {40, 68, new_msg, 0, 448, 456, 1493, 0}  (24, {40, 68, new_msg, 0, 448, 456, 1493, 0} "\0\0\0\0\0\2\2\0d[\351w\0\0\0\0\0\0\0\0\2\0\0\0\0\0\0@\0\0\0\0\3\0\0\0\0\0\0\0" ... {40, 68, reply, 0, 448, 456, 1494, 0} "\0\0\0\0\0\2\2\0\10\0\0\300\0\0\0\0\0\0\0\0\2\0\0\0\0\0\0@\0\0\0\0\3\0\0\0\0\0\0\0" )  ... {40, 68, reply, 0, 448, 456, 1494, 0}  (24, {40, 68, new_msg, 0, 448, 456, 1493, 0} "\0\0\0\0\0\2\2\0d[\351w\0\0\0\0\0\0\0\0\2\0\0\0\0\0\0@\0\0\0\0\3\0\0\0\0\0\0\0" ... {40, 68, reply, 0, 448, 456, 1494, 0} "\0\0\0\0\0\2\2\0\10\0\0\300\0\0\0\0\0\0\0\0\2\0\0\0\0\0\0@\0\0\0\0\3\0\0\0\0\0\0\0" )  ) == 0x0
 00909   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00910   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00911   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00912   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00913   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00914   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00915   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00916   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00917   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00918   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00919   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00920   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00921   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00922   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00923   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00924   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00925   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00926   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00927   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00928   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00929   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00930   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00931   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00932   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00933   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00934   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00935   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00936   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00937   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00938   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00939   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00940   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00941   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00942   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00943   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00944   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00945   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00946   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00947   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00948   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00949   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00950   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00951   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00952   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00953   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00954   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00955   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00956   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00957   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00958   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00959   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00960   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00961   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00962   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00963   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00964   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00965   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00966   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00967   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00968   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00969   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00970   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00971   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00972   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00973   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00974   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00975   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00976   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00977   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00978   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00979   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00980   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00981   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00982   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00983   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00984   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00985   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00986   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00987   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00988   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00989   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00990   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00991   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00992   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00993   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00994   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00995   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00996   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00997   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00998   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00999   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01000   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01001   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01002   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01003   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01004   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01005   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01006   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01007   456   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01008   456   NtAllocateVirtualMemory  (-1, 0, 0, 2097152, 8192, 4, ... 12845056, 2097152, ) == 0x0
 01009   456   NtAllocateVirtualMemory  (-1, 14934016, 0, 8192, 4096, 4, ... 14934016, 8192, ) == 0x0
 01010   456   NtProtectVirtualMemory  (-1, (0xe3e000), 4096, 260, ... (0xe3e000), 4096, 4, ) == 0x0
 01011   456   NtCreateThread  (0x1f03ff, 0x0, -1, 2292500, 2293216, 1, ... 108, {448, 580}, ) == 0x0
 01012   456   NtQueryInformationThread  (108, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdd000,Pid=448,Tid=580,}, 0x0, ) == 0x0
 01013   456   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2010382446, 2292280, 4779962, 4575536}  (24, {28, 56, new_msg, 0, 2010382446, 2292280, 4779962, 4575536} "\0\0\0\0\1\0\1\0KQ\324w \373"\0l\0\0\0\300\1\0\0D\2\0\0" ... {28, 56, reply, 0, 448, 456, 1495, 0} "\0\0\0\0\1\0\1\0\0\0\0\0 \373"\0l\0\0\0\300\1\0\0D\2\0\0" ) \0l\0\0\0\300\1\0\0D\2\0\0 (24, {28, 56, new_msg, 0, 2010382446, 2292280, 4779962, 4575536} "\0\0\0\0\1\0\1\0KQ\324w \373"\0l\0\0\0\300\1\0\0D\2\0\0" ... {28, 56, reply, 0, 448, 456, 1495, 0} "\0\0\0\0\1\0\1\0\0\0\0\0 \373"\0l\0\0\0\300\1\0\0D\2\0\0" ) \0\0\0\0\1\0\1\0\0\0\0\0 \373 (24, {28, 56, new_msg, 0, 2010382446, 2292280, 4779962, 4575536} "\0\0\0\0\1\0\1\0KQ\324w \373"\0l\0\0\0\300\1\0\0D\2\0\0" ... {28, 56, reply, 0, 448, 456, 1495, 0} "\0\0\0\0\1\0\1\0\0\0\0\0 \373"\0l\0\0\0\300\1\0\0D\2\0\0" )  ) == 0x0
 01014   456   NtResumeThread  (108, ... 1, ) == 0x0
 01015   456   NtQueryPerformanceCounter  (... {91824156, 0}, {3579545, 0}, ) == 0x0
 01016   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01017   456   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ...
 01018   580   NtTestAlert  (... ) == 0x0
 01019   580   NtContinue  (14941488, 1, ...
 01020   580   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01021   580   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "sfc.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01022   580   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\sfc.dll"}, 14939740, ... }, 14939740, ...
 01017   456   NtAllocateVirtualMemory  ... 14942208, 65536, ) == 0x0
 01023   456   NtAllocateVirtualMemory  (-1, 14942208, 0, 4096, 4096, 4, ... 14942208, 4096, ) == 0x0
 01024   456   NtAllocateVirtualMemory  (-1, 14946304, 0, 8192, 4096, 4, ... 14946304, 8192, ) == 0x0
 01025   456   NtCreateEvent  (0x100003, 0x0, 1, 0, ... 104, ) == 0x0
 01026   456   NtWaitForSingleObject  (104, 0, 0x0, ...
 01022   580   NtQueryAttributesFile  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01027   580   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "sfc.dll"}, 14939740, ... ) }, 14939740, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01028   580   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\sfc.dll"}, 14939740, ... ) }, 14939740, ... ) == 0x0
 01029   580   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\sfc.dll"}, 5, 96, ... 112, {status=0x0, info=1}, ) }, 5, 96, ... 112, {status=0x0, info=1}, ) == 0x0
 01030   580   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 112, ... 116, ) == 0x0
 01031   580   NtQuerySection  (116, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01032   580   NtClose  (112, ... ) == 0x0
 01033   580   NtMapViewOfSection  (116, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76bb0000), 0x0, 16384, ) == 0x0
 01034   580   NtClose  (116, ... ) == 0x0
 01035   580   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "sfc_os.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01036   580   NtAllocateVirtualMemory  (-1, 14929920, 0, 4096, 4096, 260, ... 14929920, 4096, ) == 0x0
 01037   580   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\sfc_os.dll"}, 14938936, ... ) }, 14938936, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01038   580   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "sfc_os.dll"}, 14938936, ... ) }, 14938936, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01039   580   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\sfc_os.dll"}, 14938936, ... ) }, 14938936, ... ) == 0x0
 01040   580   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\sfc_os.dll"}, 5, 96, ... 116, {status=0x0, info=1}, ) }, 5, 96, ... 116, {status=0x0, info=1}, ) == 0x0
 01041   580   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 116, ... 112, ) == 0x0
 01042   580   NtQuerySection  (112, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01043   580   NtClose  (116, ... ) == 0x0
 01044   580   NtMapViewOfSection  (112, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76c60000), 0x0, 167936, ) == 0x0
 01045   580   NtClose  (112, ... ) == 0x0
 01046   580   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WINTRUST.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01047   580   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WINTRUST.dll"}, 14938132, ... ) }, 14938132, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01048   580   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WINTRUST.dll"}, 14938132, ... ) }, 14938132, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01049   580   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINTRUST.dll"}, 14938132, ... ) }, 14938132, ... ) == 0x0
 01050   580   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINTRUST.dll"}, 5, 96, ... 112, {status=0x0, info=1}, ) }, 5, 96, ... 112, {status=0x0, info=1}, ) == 0x0
 01051   580   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 112, ... 116, ) == 0x0
 01052   580   NtQuerySection  (116, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01053   580   NtClose  (112, ... ) == 0x0
 01054   580   NtMapViewOfSection  (116, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76c30000), 0x0, 176128, ) == 0x0
 01055   580   NtClose  (116, ... ) == 0x0
 01056   580   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "IMAGEHLP.dll"}, ... 116, ) }, ... 116, ) == 0x0
 01057   580   NtMapViewOfSection  (116, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76c90000), 0x0, 139264, ) == 0x0
 01058   580   NtClose  (116, ... ) == 0x0
 01059   580   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01060   580   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 15007744, 262144, ) == 0x0
 01061   580   NtAllocateVirtualMemory  (-1, 15007744, 0, 4096, 4096, 4, ... 15007744, 4096, ) == 0x0
 01062   580   NtAllocateVirtualMemory  (-1, 15011840, 0, 8192, 4096, 4, ... 15011840, 8192, ) == 0x0
 01063   580   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01064   580   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 15269888, 1048576, ) == 0x0
 01065   580   NtAllocateVirtualMemory  (-1, 15269888, 0, 1048576, 4096, 4, ... 15269888, 1048576, ) == 0x0
 01066   580   NtCreateMutant  (0x1f0001, 0x0, 0, ... 116, ) == 0x0
 01067   580   NtCreateEvent  (0x1f0003, 0x0, 0, 1, ... 112, ) == 0x0
 01068   580   NtCreateMutant  (0x1f0001, 0x0, 0, ... 120, ) == 0x0
 01069   580   NtCreateEvent  (0x1f0003, 0x0, 0, 1, ... 124, ) == 0x0
 01070   580   NtCreateEvent  (0x1f0003, 0x0, 0, 1, ... 128, ) == 0x0
 01071   580   NtSetEvent  (128, ... 0x0, ) == 0x0
 01072   580   NtSetEventBoostPriority  (104, ...
 01026   456   NtWaitForSingleObject  ... ) == 0x0
 01073   456   NtAllocateVirtualMemory  (-1, 14954496, 0, 4096, 4096, 4, ... 14954496, 4096, ) == 0x0
 01074   456   NtAllocateVirtualMemory  (-1, 14958592, 0, 4096, 4096, 4, ... 14958592, 4096, ) == 0x0
 01075   456   NtAllocateVirtualMemory  (-1, 0, 0, 6, 12288, 64, ... 16318464, 4096, ) == 0x0
 01076   456   NtProtectVirtualMemory  (-1, (0xf90000), 6, 64, ...
 01077   456   NtContinue  (-132415700, 0, ...
 01072   580   NtSetEventBoostPriority  ... ) == 0x0
 01076   456   NtProtectVirtualMemory  ... ) == STATUS_ACCESS_VIOLATION
 01078   456   NtFreeVirtualMemory  (-1, (0xf90000), 0, 32768, ... (0xf90000), 4096, ) == 0x0
 01079   456   NtWaitForSingleObject  (104, 0, 0x0, ...
 01080   580   NtSetEventBoostPriority  (104, ...
 01079   456   NtWaitForSingleObject  ... ) == 0x0
 01081   456   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 2290508,  (0x80100080, {24, 0, 0x40, 0, 2290508, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... }, 0x0, 0, 1, 1, 2097252, 0, 0, ...
 01080   580   NtSetEventBoostPriority  ... ) == 0x0
 01082   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01083   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01084   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01085   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01086   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01087   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01088   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01089   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01090   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01091   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01092   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01093   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01094   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01095   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01096   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01097   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01098   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01099   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01100   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01101   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01102   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01103   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01104   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01105   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01106   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01107   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01108   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01109   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01110   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01111   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01112   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01113   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01114   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01115   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01116   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01117   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01118   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01119   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01120   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01121   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01122   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01123   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01124   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01125   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01126   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01127   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01128   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01129   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01130   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01131   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01132   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01133   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01134   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01135   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01136   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01137   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01138   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01139   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01140   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01141   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01142   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01143   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01144   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01145   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01146   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01147   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01148   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01149   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01150   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01151   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01152   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01153   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01154   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01155   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01156   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01157   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01158   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01159   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01160   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01161   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01162   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01163   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01164   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01165   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01166   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01167   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01168   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01169   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01170   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01171   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01172   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01173   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01174   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01175   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01176   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01177   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01178   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01179   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01081   456   NtCreateFile  ... 132, {status=0x0, info=1}, ) == 0x0
 01180   456   NtQueryInformationFile  (132, 2291444, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0
 01181   456   NtQueryInformationFile  (132, 2291416, 24, Standard, ...
 01182   580   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01183   580   NtCreateMutant  (0x1f0001, {24, 52, 0x80, 0, 0,  (0x1f0001, {24, 52, 0x80, 0, 0, "kkq-vx_mtx1"}, 0, ... 136, ) }, 0, ... 136, ) == 0x0
 01184   580   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 140, ) == 0x0
 01181   456   NtQueryInformationFile  ... {status=0x0, info=24}, ) == 0x0
 01185   580   NtCallbackReturn  (0, 0, 0, ...
 01186   580   NtUserGetThreadState  (18, ... ) == 0x1
 01187   580   NtUserFindExistingCursorIcon  (14941096, 14941112, 14941680, ... ) == 0x10011
 01188   580   NtUserFindExistingCursorIcon  (14941096, 14941112, 14941680, ... ) == 0x10005
 01189   580   NtUserRegisterClassExWOW  (14941548, 14941624, 14941640, 14941612, 0, 386, 0, ... ) == 0x810bc0cb
 01190   580   NtUserCreateWindowEx  (-2147483648, 14941584, 14941396, "13238272, 0, 0, 0, 0, 0, 0, 4194304, 0, 1073742848, 0, ...
 01191   580   NtUserGetIconSize  (65541, 0, 14940112, 14940120, ... ) == 0x1
 01192   456   NtQueryInformationFile  (132, 2291368, 40, Basic, ...
 01193   580   NtUserGetIconInfo  (65541, 14940088, 14940080, 14940072, 14940108, 1, ... ) == 0x1
 01194   580   NtUserFindExistingCursorIcon  (14938820, 14938836, 14940052, ... ) == 0x10005
 01195   580   NtGdiExtGetObjectW  (369427329, 24, 14938828, ... ) == 0x18
 01196   580   NtGdiGetDIBitsInternal  (268501963, 369427329, 0, 64, 5097760, 5097712, 0, 256, 0, ... ) == 0x40
 01197   580   NtUserGetDC  (0, ... ) == 0x1010052
 01198   580   NtGdiCreateDIBitmapInternal  (16842834, 16, 32, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0x8050407
 01199   580   NtUserCallOneParam  (16842834, 56, ... ) == 0x1
 01200   580   NtGdiSelectBitmap  (268501963, 134546439, ... ) == 0x185000f
 01201   580   NtGdiDoPalette  (268501963, 0, 1, 14938680, 4, 0, ... ) == 0x1
 01202   580   NtGdiStretchDIBitsInternal  (268501963, 0, 0, 16, 32, 0, 0, 32, 64, 5097760, 5098024, 0, 13369376, 48, 256, 0, ... ) == 0x40
 01203   580   NtGdiSelectBitmap  (268501963, 25493519, ... ) == 0x8050407
 01204   580   NtGdiCreateCompatibleDC  (268501963, ... ) == 0xa010408
 01205   580   NtGdiExtGetObjectW  (134546439, 24, 14938704, ... ) == 0x18
 01206   580   NtGdiCreateBitmap  (16, 32, 1, 1, 0, ... ) == 0x7050405
 01207   580   NtGdiSelectBitmap  (268501963, 134546439, ... ) == 0x185000f
 01208   580   NtGdiSelectBitmap  (167838728, 117769221, ... ) == 0x185000f
 01209   580   NtGdiBitBlt  (167838728, 0, 0, 16, 32, 268501963, 0, 0, 13369376, -1, 0, ... ) == 0x1
 01210   580   NtGdiSelectBitmap  (268501963, 25493519, ... ) == 0x8050407
 01211   580   NtGdiSelectBitmap  (167838728, 25493519, ... ) == 0x7050405
 01212   580   NtGdiDeleteObjectApp  (134546439, ... ) == 0x1
 01213   580   NtGdiDeleteObjectApp  (167838728, ... ) == 0x1
 01214   580   NtGdiExtGetObjectW  (134546444, 24, 14938828, ... ) == 0x18
 01215   580   NtAllocateVirtualMemory  (-1, 5099520, 0, 8192, 4096, 4, ... 5099520, 8192, ) == 0x0
 01216   580   NtGdiGetDIBitsInternal  (268501963, 134546444, 0, 32, 5098140, 5098088, 0, 4096, 0, ... ) == 0x20
 01217   580   NtUserGetDC  (0, ... ) == 0x1010052
 01218   580   NtGdiCreateCompatibleBitmap  (16842834, 16, 16, ... ) == 0xc050408
 01219   580   NtUserCallOneParam  (16842834, 56, ... ) == 0x1
 01192   456   NtQueryInformationFile  ... {status=0x0, info=40}, ) == 0x0
 01220   456   NtQueryInformationFile  (132, 5102248, 4094, Stream, ...
 01221   580   NtGdiSelectBitmap  (268501963, 201655304, ... ) == 0x185000f
 01222   580   NtGdiDoPalette  (268501963, 0, 1, 14938680, 4, 0, ... ) == 0x0
 01223   580   NtGdiStretchDIBitsInternal  (268501963, 0, 0, 16, 16, 0, 0, 32, 32, 5098140, 5098024, 0, 13369376, 40, 4096, 0, ... ) == 0x20
 01220   456   NtQueryInformationFile  ... {status=0x0, info=38}, ) == 0x0
 01224   456   NtQueryInformationFile  (132, 2289912, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01225   456   NtQueryInformationFile  (132, 2289756, 4, Ea, ...
 01226   580   NtGdiSelectBitmap  (268501963, 25493519, ... ) == 0xc050408
 01227   580   NtGdiDeleteObjectApp  (369427329, ... ) == 0x1
 01228   580   NtGdiDeleteObjectApp  (134546444, ... ) == 0x1
 01229   580   NtUserCallOneParam  (0, 33, ... ) == 0x3004d
 01230   580   NtUserSetCursorIconData  (196685, 14938864, 14938880, 14939964, ... ) == 0x1
 01231   580   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 14937780, ... ) }, 14937780, ... ) == 0x0
 01232   580   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 144, {status=0x0, info=1}, ) }, 5, 96, ... 144, {status=0x0, info=1}, ) == 0x0
 01233   580   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 144, ... 148, ) == 0x0
 01234   580   NtClose  (144, ... ) == 0x0
 01235   580   NtMapViewOfSection  (148, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xf90000), 0x0, 204800, ) == 0x0
 01236   580   NtClose  (148, ... ) == 0x0
 01237   580   NtUnmapViewOfSection  (-1, 0xf90000, ... ) == 0x0
 01238   580   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 14938096, ... ) }, 14938096, ... ) == 0x0
 01239   580   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 148, {status=0x0, info=1}, ) }, 5, 96, ... 148, {status=0x0, info=1}, ) == 0x0
 01240   580   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 148, ... 144, ) == 0x0
 01241   580   NtQuerySection  (144, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01242   580   NtClose  (148, ... ) == 0x0
 01243   580   NtMapViewOfSection  (144, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5ad70000), 0x0, 212992, ) == 0x0
 01244   580   NtClose  (144, ... ) == 0x0
 01245   580   NtUserGetWindowDC  (0, ... ) == 0x1010050
 01246   580   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 01247   580   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01248   580   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 144, ) == 0x0
 01249   580   NtQueryInformationToken  (144, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01250   580   NtClose  (144, ... ) == 0x0
 01251   580   NtOpenKey  (0x2001f, {24, 0, 0x640, 0, 0,  (0x2001f, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 144, ) }, ... 144, ) == 0x0
 01252   580   NtOpenKey  (0x1, {24, 144, 0x40, 0, 0,  (0x1, {24, 144, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\ThemeManager"}, ... 148, ) }, ... 148, ) == 0x0
 01253   580   NtQueryValueKey  (148,  (148, "Compositing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01254   580   NtClose  (148, ... ) == 0x0
 01255   580   NtClose  (144, ... ) == 0x0
 01256   580   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01257   580   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 144, ) == 0x0
 01258   580   NtQueryInformationToken  (144, User, 80, ...
 01225   456   NtQueryInformationFile  ... {status=0x0, info=4}, ) == 0x0
 01259   456   NtCreateFile  (0x40110080, {24, 0, 0x40, 0, 2289764,  (0x40110080, {24, 0, 0x40, 0, 2289764, "\??\C:\WINDOWS\System32\eupsvc.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ...
 01260   456   NtClose  (-2147482208, ... ) == 0x0
 01259   456   NtCreateFile  ... 148, {status=0x0, info=2}, ) == 0x0
 01261   456   NtQueryVolumeInformationFile  (148, 2289136, 536, Attribute, ... {status=0x0, info=22}, ) == 0x0
 01262   456   NtQueryInformationFile  (148, 2289096, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01258   580   NtQueryInformationToken  ... {token info, class 1, size 36}, 36, ) == 0x0
 01263   580   NtClose  (144, ... ) == 0x0
 01264   580   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 144, ) }, ... 144, ) == 0x0
 01265   580   NtOpenKey  (0x1, {24, 144, 0x40, 0, 0,  (0x1, {24, 144, 0x40, 0, 0, "Control Panel\Desktop"}, ... 152, ) }, ... 152, ) == 0x0
 01266   580   NtQueryValueKey  (152,  (152, "LameButtonText", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01267   580   NtClose  (152, ... ) == 0x0
 01268   580   NtClose  (144, ...
 01269   456   NtQueryVolumeInformationFile  (132, 2289136, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 01270   456   NtQueryVolumeInformationFile  (132, 2288820, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01271   456   NtSetInformationFile  (148, 2288924, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01272   456   NtAllocateVirtualMemory  (-1, 5107712, 0, 65536, 4096, 4, ... 5107712, 65536, ) == 0x0
 01273   456   NtReadFile  (132, 0, 0, 0, 61440, 0x0, 0, ...
 01268   580   NtClose  ... ) == 0x0
 01274   580   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\UxTheme.dll"}, 14937596, ... }, 14937596, ...
 01273   456   NtReadFile  ... {status=0x0, info=61440},  ... {status=0x0, info=61440}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\370\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0V^\2517\22?\307d\22?\307d\22?\307d5\371\272d\11?\307d5\371\252d\234?\307d5\371\251d ?\307d\2217\232d\20?\307d\3210\232d\35?\307d\22?\306d\277?\307d5\371\265d\16?\307d5\371\277d\23?\307dRich\22?\307d\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0o\241\3\243"\202\300O\253\236\215\371S\364\26\360PE\0\0L\1\14\0!u\342E\0\0\0\0\0\0\0\0\340\0\3\1\13\1\10\0\0\320\1\0\0\260\0\0\0\0\0\0\0\0\11\0\0\320\5\0\0\340\1\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\15\0\1\0\4\0\0\0\0\0\0\0\34*\14\0\0\20\0\0\4=\4\0\2\0\0\0\0\0 \0\0\20\0\0\0\0 \0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\320\5\0\20\1\0\0\0\220\3\0\260\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\321\5\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.tex", ) \202\300O\253\236\215\371S\364\26\360PE\0\0L\1\14\0!u\342E\0\0\0\0\0\0\0\0\340\0\3\1\13\1\10\0\0\320\1\0\0\260\0\0\0\0\0\0\0\0\11\0\0\320\5\0\0\340\1\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\15\0\1\0\4\0\0\0\0\0\0\0\34*\14\0\0\20\0\0\4=\4\0\2\0\0\0\0\0 \0\0\20\0\0\0\0 \0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\320\5\0\20\1\0\0\0\220\3\0\260\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\321\5\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.tex", ) == 0x0
 01275   456   NtWriteFile  (148, 0, 0, 0,  (148, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\370\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0V^\2517\22?\307d\22?\307d\22?\307d5\371\272d\11?\307d5\371\252d\234?\307d5\371\251d ?\307d\2217\232d\20?\307d\3210\232d\35?\307d\22?\306d\277?\307d5\371\265d\16?\307d5\371\277d\23?\307dRich\22?\307d\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0o\241\3\243"\202\300O\253\236\215\371S\364\26\360PE\0\0L\1\14\0!u\342E\0\0\0\0\0\0\0\0\340\0\3\1\13\1\10\0\0\320\1\0\0\260\0\0\0\0\0\0\0\0\11\0\0\320\5\0\0\340\1\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\15\0\1\0\4\0\0\0\0\0\0\0\34*\14\0\0\20\0\0\4=\4\0\2\0\0\0\0\0 \0\0\20\0\0\0\0 \0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\320\5\0\20\1\0\0\0\220\3\0\260\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\321\5\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.tex", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) \202\300O\253\236\215\371S\364\26\360PE\0\0L\1\14\0!u\342E\0\0\0\0\0\0\0\0\340\0\3\1\13\1\10\0\0\320\1\0\0\260\0\0\0\0\0\0\0\0\11\0\0\320\5\0\0\340\1\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\15\0\1\0\4\0\0\0\0\0\0\0\34*\14\0\0\20\0\0\4=\4\0\2\0\0\0\0\0 \0\0\20\0\0\0\0 \0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\320\5\0\20\1\0\0\0\220\3\0\260\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\321\5\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.tex", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 01276   456   NtReadFile  (132, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440},  (132, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, "\240\326\243_\3413\226\361\305d\223d\313?f\366\201\319\22\271\10\230\316Up}1T\356e\148\236@k\316\31f\346\324Z1-\354j\15\202\357K\321\352.uj\264r!\27I\355"\236\202I\0\4B\27\223\2005c\X\3]\235J\4[\12\216QY\200\211(\21\355RN\17AD\270%\255\21o\247\230\240\221\210$w\11\366H\6$\22\1=\31\371\240\230\202D\3046\356\0\344ru\377\207Kb\310\324)N\256\42D\314\267\265\276\251`\277AEM\16\270u\25\314U\3474\360Q\200\277\324\227\327\200\264(\1\7K\352"s\323\331\212\356jl5\225\223"b\253\301T\13\201\324\245\311\0\243%2\327\352\241\250\210\301m\272\330\325\270MY\26\37l\264\221\267\273\350\243\256\342\347\264\20z\273{\355\227BO\352Z\37\273\353"D\261\300q\341\11\247}G\353\26\365\236\324\336\2\334\316\344BE\216Z\231\20\312\363#\12\304\\304V\5\336W\374\212\325\250*\226\361U\210\331J\367*\365\3\266t\235\211\222@\301JF\21\316~=\275\306W.\252\30\5.\356I\367{\10\374\373^\214J\254'\351F|*\376\232\304.\256\7fCKB\267h\221\326\31\25,F.\355(+\343\334\35\14\204#\257k\223E24\210\223\5\364Y(?4i\3665]\227@\236\250v\214M::vS\355\367c\253\2031s\31\21\361\245*\356\311\316E\234\5\206)\316i)\316%a\203\326#\311x9A\247\374\12\274hs\201\245\4$W@\312h#"Xe\28R3\373\303;\212N\233\232\324!%i\271U\7\13\243][\370``\365\1\223\32V\21)\244\352\207C\305\200\342xc\220:`\232T\2302?\14\243\315\2kW\245\300\330\314\367\273\3001\225", ) \236\202I\0\4B\27\223\2005c\X\3]\235J\4[\12\216QY\200\211(\21\355RN\17AD\270%\255\21o\247\230\240\221\210$w\11\366H\6$\22\1=\31\371\240\230\202D\3046\356\0\344ru\377\207Kb\310\324)N\256\42D\314\267\265\276\251`\277AEM\16\270u\25\314U\3474\360Q\200\277\324\227\327\200\264(\1\7K\352 (132, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, "\240\326\243_\3413\226\361\305d\223d\313?f\366\201\319\22\271\10\230\316Up}1T\356e\148\236@k\316\31f\346\324Z1-\354j\15\202\357K\321\352.uj\264r!\27I\355"\236\202I\0\4B\27\223\2005c\X\3]\235J\4[\12\216QY\200\211(\21\355RN\17AD\270%\255\21o\247\230\240\221\210$w\11\366H\6$\22\1=\31\371\240\230\202D\3046\356\0\344ru\377\207Kb\310\324)N\256\42D\314\267\265\276\251`\277AEM\16\270u\25\314U\3474\360Q\200\277\324\227\327\200\264(\1\7K\352"s\323\331\212\356jl5\225\223"b\253\301T\13\201\324\245\311\0\243%2\327\352\241\250\210\301m\272\330\325\270MY\26\37l\264\221\267\273\350\243\256\342\347\264\20z\273{\355\227BO\352Z\37\273\353"D\261\300q\341\11\247}G\353\26\365\236\324\336\2\334\316\344BE\216Z\231\20\312\363#\12\304\\304V\5\336W\374\212\325\250*\226\361U\210\331J\367*\365\3\266t\235\211\222@\301JF\21\316~=\275\306W.\252\30\5.\356I\367{\10\374\373^\214J\254'\351F|*\376\232\304.\256\7fCKB\267h\221\326\31\25,F.\355(+\343\334\35\14\204#\257k\223E24\210\223\5\364Y(?4i\3665]\227@\236\250v\214M::vS\355\367c\253\2031s\31\21\361\245*\356\311\316E\234\5\206)\316i)\316%a\203\326#\311x9A\247\374\12\274hs\201\245\4$W@\312h#"Xe\28R3\373\303;\212N\233\232\324!%i\271U\7\13\243][\370``\365\1\223\32V\21)\244\352\207C\305\200\342xc\220:`\232T\2302?\14\243\315\2kW\245\300\330\314\367\273\3001\225", ) b\253\301T\13\201\324\245\311\0\243%2\327\352\241\250\210\301m\272\330\325\270MY\26\37l\264\221\267\273\350\243\256\342\347\264\20z\273{\355\227BO\352Z\37\273\353 (132, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, "\240\326\243_\3413\226\361\305d\223d\313?f\366\201\319\22\271\10\230\316Up}1T\356e\148\236@k\316\31f\346\324Z1-\354j\15\202\357K\321\352.uj\264r!\27I\355"\236\202I\0\4B\27\223\2005c\X\3]\235J\4[\12\216QY\200\211(\21\355RN\17AD\270%\255\21o\247\230\240\221\210$w\11\366H\6$\22\1=\31\371\240\230\202D\3046\356\0\344ru\377\207Kb\310\324)N\256\42D\314\267\265\276\251`\277AEM\16\270u\25\314U\3474\360Q\200\277\324\227\327\200\264(\1\7K\352"s\323\331\212\356jl5\225\223"b\253\301T\13\201\324\245\311\0\243%2\327\352\241\250\210\301m\272\330\325\270MY\26\37l\264\221\267\273\350\243\256\342\347\264\20z\273{\355\227BO\352Z\37\273\353"D\261\300q\341\11\247}G\353\26\365\236\324\336\2\334\316\344BE\216Z\231\20\312\363#\12\304\\304V\5\336W\374\212\325\250*\226\361U\210\331J\367*\365\3\266t\235\211\222@\301JF\21\316~=\275\306W.\252\30\5.\356I\367{\10\374\373^\214J\254'\351F|*\376\232\304.\256\7fCKB\267h\221\326\31\25,F.\355(+\343\334\35\14\204#\257k\223E24\210\223\5\364Y(?4i\3665]\227@\236\250v\214M::vS\355\367c\253\2031s\31\21\361\245*\356\311\316E\234\5\206)\316i)\316%a\203\326#\311x9A\247\374\12\274hs\201\245\4$W@\312h#"Xe\28R3\373\303;\212N\233\232\324!%i\271U\7\13\243][\370``\365\1\223\32V\21)\244\352\207C\305\200\342xc\220:`\232T\2302?\14\243\315\2kW\245\300\330\314\367\273\3001\225", ) Xe\28R3\373\303;\212N\233\232\324!%i\271U\7\13\243][\370``\365\1\223\32V\21)\244\352\207C\305\200\342xc\220:`\232T\2302?\14\243\315\2kW\245\300\330\314\367\273\3001\225", ) == 0x0
 01277   456   NtWriteFile  (148, 0, 0, 0,  (148, 0, 0, 0, "\240\326\243_\3413\226\361\305d\223d\313?f\366\201\319\22\271\10\230\316Up}1T\356e\148\236@k\316\31f\346\324Z1-\354j\15\202\357K\321\352.uj\264r!\27I\355"\236\202I\0\4B\27\223\2005c\X\3]\235J\4[\12\216QY\200\211(\21\355RN\17AD\270%\255\21o\247\230\240\221\210$w\11\366H\6$\22\1=\31\371\240\230\202D\3046\356\0\344ru\377\207Kb\310\324)N\256\42D\314\267\265\276\251`\277AEM\16\270u\25\314U\3474\360Q\200\277\324\227\327\200\264(\1\7K\352"s\323\331\212\356jl5\225\223"b\253\301T\13\201\324\245\311\0\243%2\327\352\241\250\210\301m\272\330\325\270MY\26\37l\264\221\267\273\350\243\256\342\347\264\20z\273{\355\227BO\352Z\37\273\353"D\261\300q\341\11\247}G\353\26\365\236\324\336\2\334\316\344BE\216Z\231\20\312\363#\12\304\\304V\5\336W\374\212\325\250*\226\361U\210\331J\367*\365\3\266t\235\211\222@\301JF\21\316~=\275\306W.\252\30\5.\356I\367{\10\374\373^\214J\254'\351F|*\376\232\304.\256\7fCKB\267h\221\326\31\25,F.\355(+\343\334\35\14\204#\257k\223E24\210\223\5\364Y(?4i\3665]\227@\236\250v\214M::vS\355\367c\253\2031s\31\21\361\245*\356\311\316E\234\5\206)\316i)\316%a\203\326#\311x9A\247\374\12\274hs\201\245\4$W@\312h#"Xe\28R3\373\303;\212N\233\232\324!%i\271U\7\13\243][\370``\365\1\223\32V\21)\244\352\207C\305\200\342xc\220:`\232T\2302?\14\243\315\2kW\245\300\330\314\367\273\3001\225", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) \236\202I\0\4B\27\223\2005c\X\3]\235J\4[\12\216QY\200\211(\21\355RN\17AD\270%\255\21o\247\230\240\221\210$w\11\366H\6$\22\1=\31\371\240\230\202D\3046\356\0\344ru\377\207Kb\310\324)N\256\42D\314\267\265\276\251`\277AEM\16\270u\25\314U\3474\360Q\200\277\324\227\327\200\264(\1\7K\352 (148, 0, 0, 0, "\240\326\243_\3413\226\361\305d\223d\313?f\366\201\319\22\271\10\230\316Up}1T\356e\148\236@k\316\31f\346\324Z1-\354j\15\202\357K\321\352.uj\264r!\27I\355"\236\202I\0\4B\27\223\2005c\X\3]\235J\4[\12\216QY\200\211(\21\355RN\17AD\270%\255\21o\247\230\240\221\210$w\11\366H\6$\22\1=\31\371\240\230\202D\3046\356\0\344ru\377\207Kb\310\324)N\256\42D\314\267\265\276\251`\277AEM\16\270u\25\314U\3474\360Q\200\277\324\227\327\200\264(\1\7K\352"s\323\331\212\356jl5\225\223"b\253\301T\13\201\324\245\311\0\243%2\327\352\241\250\210\301m\272\330\325\270MY\26\37l\264\221\267\273\350\243\256\342\347\264\20z\273{\355\227BO\352Z\37\273\353"D\261\300q\341\11\247}G\353\26\365\236\324\336\2\334\316\344BE\216Z\231\20\312\363#\12\304\\304V\5\336W\374\212\325\250*\226\361U\210\331J\367*\365\3\266t\235\211\222@\301JF\21\316~=\275\306W.\252\30\5.\356I\367{\10\374\373^\214J\254'\351F|*\376\232\304.\256\7fCKB\267h\221\326\31\25,F.\355(+\343\334\35\14\204#\257k\223E24\210\223\5\364Y(?4i\3665]\227@\236\250v\214M::vS\355\367c\253\2031s\31\21\361\245*\356\311\316E\234\5\206)\316i)\316%a\203\326#\311x9A\247\374\12\274hs\201\245\4$W@\312h#"Xe\28R3\373\303;\212N\233\232\324!%i\271U\7\13\243][\370``\365\1\223\32V\21)\244\352\207C\305\200\342xc\220:`\232T\2302?\14\243\315\2kW\245\300\330\314\367\273\3001\225", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) b\253\301T\13\201\324\245\311\0\243%2\327\352\241\250\210\301m\272\330\325\270MY\26\37l\264\221\267\273\350\243\256\342\347\264\20z\273{\355\227BO\352Z\37\273\353 (148, 0, 0, 0, "\240\326\243_\3413\226\361\305d\223d\313?f\366\201\319\22\271\10\230\316Up}1T\356e\148\236@k\316\31f\346\324Z1-\354j\15\202\357K\321\352.uj\264r!\27I\355"\236\202I\0\4B\27\223\2005c\X\3]\235J\4[\12\216QY\200\211(\21\355RN\17AD\270%\255\21o\247\230\240\221\210$w\11\366H\6$\22\1=\31\371\240\230\202D\3046\356\0\344ru\377\207Kb\310\324)N\256\42D\314\267\265\276\251`\277AEM\16\270u\25\314U\3474\360Q\200\277\324\227\327\200\264(\1\7K\352"s\323\331\212\356jl5\225\223"b\253\301T\13\201\324\245\311\0\243%2\327\352\241\250\210\301m\272\330\325\270MY\26\37l\264\221\267\273\350\243\256\342\347\264\20z\273{\355\227BO\352Z\37\273\353"D\261\300q\341\11\247}G\353\26\365\236\324\336\2\334\316\344BE\216Z\231\20\312\363#\12\304\\304V\5\336W\374\212\325\250*\226\361U\210\331J\367*\365\3\266t\235\211\222@\301JF\21\316~=\275\306W.\252\30\5.\356I\367{\10\374\373^\214J\254'\351F|*\376\232\304.\256\7fCKB\267h\221\326\31\25,F.\355(+\343\334\35\14\204#\257k\223E24\210\223\5\364Y(?4i\3665]\227@\236\250v\214M::vS\355\367c\253\2031s\31\21\361\245*\356\311\316E\234\5\206)\316i)\316%a\203\326#\311x9A\247\374\12\274hs\201\245\4$W@\312h#"Xe\28R3\373\303;\212N\233\232\324!%i\271U\7\13\243][\370``\365\1\223\32V\21)\244\352\207C\305\200\342xc\220:`\232T\2302?\14\243\315\2kW\245\300\330\314\367\273\3001\225", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) Xe\28R3\373\303;\212N\233\232\324!%i\271U\7\13\243][\370``\365\1\223\32V\21)\244\352\207C\305\200\342xc\220:`\232T\2302?\14\243\315\2kW\245\300\330\314\367\273\3001\225", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 01278   456   NtReadFile  (132, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440},  (132, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, "\353`m\263\222\16Zi\373\3759\377Al:\306\233\30\21!g\226\254j\14Q\312\366P)6\252\361\374wR\276\216\30\3\6\310\255\6\303'tiZ\357L\17{\272\303\341\201\245\20\361\323yf&\17\6\11\261\207\300\303\321\17\30\367u@\301\324\371\356-\253.S\255\244"O2\34\22\255\274;T\237\363\354\11g\5\17\260Q\25e\345\233k\272O\313\202dw\355\277N\371:\373\346N\324R\352\11\21\36\225H\31\253\326g_\31-w\264'\304\336\245r\330\\277\3C&\3\341(\372\275\244\2113&y\366\12\331\11H\22E\331P\320\324\374\304\375b\232b\354\253nU\230\266\32U\372\330\266FP\207^b,\256\27G\325Hz|\264\315\216S\247\2c\263\34\267\10\320G\205\237\323\37\36\367\235\253\322\211\226\263\325#%\272\325\252V\357T\336Hw[9x\37\374\26G\207\35\253\7\225[<~\257\20221a\375\233\300<\374^\337\352\231D\225m\25\21s\225\244\340\3\206\15\302\331\13\257`\221\352\355=;\377}\104\363L\224\1181\243\346u\317\346\204\350\33=\276,z\263\203\227\353\342\361\340G\263\345\274\6\253c\230\262n\2260V-?\370\242\371\376=\235\355+\232\306\315\353\27\235[^\17\245\322\4K\271B\252\314\343E{0q\206\325\212\352\314\16\342\244\27\241\324U_[oL\327\332\320h\264\22\311\206\255\312\301\2774\364\300\242\310\34J\277.\261k\13g\353\251\32\307\234\7XX\301e7\227\26\322\360\226R\200\242\12m\363\331r\336+\202\30\341]\263\254\273l\21\27\343\210\24\255\245EV\4\305\310_\247\322\237|\326fT\213\251\255\267\2\255\13Uev(\374\375\37\226\275M\300]\310\215\316\303\7\202H\343p3\45\367\247}\377\26Fb\255", ) O2\34\22\255\274;T\237\363\354\11g\5\17\260Q\25e\345\233k\272O\313\202dw\355\277N\371:\373\346N\324R\352\11\21\36\225H\31\253\326g_\31-w\264'\304\336\245r\330\\277\3C&\3\341(\372\275\244\2113&y\366\12\331\11H\22E\331P\320\324\374\304\375b\232b\354\253nU\230\266\32U\372\330\266FP\207^b,\256\27G\325Hz|\264\315\216S\247\2c\263\34\267\10\320G\205\237\323\37\36\367\235\253\322\211\226\263\325#%\272\325\252V\357T\336Hw[9x\37\374\26G\207\35\253\7\225[<~\257\20221a\375\233\300<\374^\337\352\231D\225m\25\21s\225\244\340\3\206\15\302\331\13\257`\221\352\355=;\377}\104\363L\224\1181\243\346u\317\346\204\350\33=\276,z\263\203\227\353\342\361\340G\263\345\274\6\253c\230\262n\2260V-?\370\242\371\376=\235\355+\232\306\315\353\27\235[^\17\245\322\4K\271B\252\314\343E{0q\206\325\212\352\314\16\342\244\27\241\324U_[oL\327\332\320h\264\22\311\206\255\312\301\2774\364\300\242\310\34J\277.\261k\13g\353\251\32\307\234\7XX\301e7\227\26\322\360\226R\200\242\12m\363\331r\336+\202\30\341]\263\254\273l\21\27\343\210\24\255\245EV\4\305\310_\247\322\237|\326fT\213\251\255\267\2\255\13Uev(\374\375\37\226\275M\300]\310\215\316\303\7\202H\343p3\45\367\247}\377\26Fb\255", ) == 0x0
 01279   456   NtWriteFile  (148, 0, 0, 0,  (148, 0, 0, 0, "\353`m\263\222\16Zi\373\3759\377Al:\306\233\30\21!g\226\254j\14Q\312\366P)6\252\361\374wR\276\216\30\3\6\310\255\6\303'tiZ\357L\17{\272\303\341\201\245\20\361\323yf&\17\6\11\261\207\300\303\321\17\30\367u@\301\324\371\356-\253.S\255\244"O2\34\22\255\274;T\237\363\354\11g\5\17\260Q\25e\345\233k\272O\313\202dw\355\277N\371:\373\346N\324R\352\11\21\36\225H\31\253\326g_\31-w\264'\304\336\245r\330\\277\3C&\3\341(\372\275\244\2113&y\366\12\331\11H\22E\331P\320\324\374\304\375b\232b\354\253nU\230\266\32U\372\330\266FP\207^b,\256\27G\325Hz|\264\315\216S\247\2c\263\34\267\10\320G\205\237\323\37\36\367\235\253\322\211\226\263\325#%\272\325\252V\357T\336Hw[9x\37\374\26G\207\35\253\7\225[<~\257\20221a\375\233\300<\374^\337\352\231D\225m\25\21s\225\244\340\3\206\15\302\331\13\257`\221\352\355=;\377}\104\363L\224\1181\243\346u\317\346\204\350\33=\276,z\263\203\227\353\342\361\340G\263\345\274\6\253c\230\262n\2260V-?\370\242\371\376=\235\355+\232\306\315\353\27\235[^\17\245\322\4K\271B\252\314\343E{0q\206\325\212\352\314\16\342\244\27\241\324U_[oL\327\332\320h\264\22\311\206\255\312\301\2774\364\300\242\310\34J\277.\261k\13g\353\251\32\307\234\7XX\301e7\227\26\322\360\226R\200\242\12m\363\331r\336+\202\30\341]\263\254\273l\21\27\343\210\24\255\245EV\4\305\310_\247\322\237|\326fT\213\251\255\267\2\255\13Uev(\374\375\37\226\275M\300]\310\215\316\303\7\202H\343p3\45\367\247}\377\26Fb\255", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) O2\34\22\255\274;T\237\363\354\11g\5\17\260Q\25e\345\233k\272O\313\202dw\355\277N\371:\373\346N\324R\352\11\21\36\225H\31\253\326g_\31-w\264'\304\336\245r\330\\277\3C&\3\341(\372\275\244\2113&y\366\12\331\11H\22E\331P\320\324\374\304\375b\232b\354\253nU\230\266\32U\372\330\266FP\207^b,\256\27G\325Hz|\264\315\216S\247\2c\263\34\267\10\320G\205\237\323\37\36\367\235\253\322\211\226\263\325#%\272\325\252V\357T\336Hw[9x\37\374\26G\207\35\253\7\225[<~\257\20221a\375\233\300<\374^\337\352\231D\225m\25\21s\225\244\340\3\206\15\302\331\13\257`\221\352\355=;\377}\104\363L\224\1181\243\346u\317\346\204\350\33=\276,z\263\203\227\353\342\361\340G\263\345\274\6\253c\230\262n\2260V-?\370\242\371\376=\235\355+\232\306\315\353\27\235[^\17\245\322\4K\271B\252\314\343E{0q\206\325\212\352\314\16\342\244\27\241\324U_[oL\327\332\320h\264\22\311\206\255\312\301\2774\364\300\242\310\34J\277.\261k\13g\353\251\32\307\234\7XX\301e7\227\26\322\360\226R\200\242\12m\363\331r\336+\202\30\341]\263\254\273l\21\27\343\210\24\255\245EV\4\305\310_\247\322\237|\326fT\213\251\255\267\2\255\13Uev(\374\375\37\226\275M\300]\310\215\316\303\7\202H\343p3\45\367\247}\377\26Fb\255", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 01280   456   NtReadFile  (132, 0, 0, 0, 61440, 0x0, 0, ...
 01274   580   NtQueryAttributesFile  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01281   580   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "UxTheme.dll"}, 14937596, ... }, 14937596, ...
 01280   456   NtReadFile  ... {status=0x0, info=61440},  ... {status=0x0, info=61440}, "\25\313\36\270\214\226\21B\304\243`\371\275\66-:\177\243\35\264OQ\207\273\321\2559\243/O\202\300\216\234\3505\315D*\27+\220\360\354\201\205G\337\266\240\331\221\303\273\333\242\5w\247\254\25_\376\332\12\240\26\4!\212e\22e\344\276/Y\341\235] \362\240!YK\343F\36\370\36\13\255\270\361\316\245\210#\16\3\332\215\371fC\263\243\253\262\220\323]\21\37\12\277o\222\252\231\316T\354\207U\205\334\25-r\251\274\373%\22\251\66\313\2534g}S\177\17\271\232\360~\313E\234U\305\2515z\252\226\376g\211\15\203\364\316\275\314\310\237Iz\227+\233\317\270f\21\310?\266\367\213\251\24\34\365\321\307\370;\31?\334+\232\231~\30\0i\231c\303\36\325\253\361[\276\205lp\264O\224<\365\353\200B@\247\4\360\225\366B\212H9\336\252\242Ui\265\330\331\364\371\305a\3663\347\213[\315\250\343m\321\273$\203\210\350\27\234\271"\16\3774\312\215^\26\275{Yv}\366\322Tc\321'\221&2\275\244\352\343\12%\245\323\274\231\320\237,\270{\333a2m\331G\352\243\261\320\262~_\376A~wS-\366X*\275d?_\241S\37J\321\311fITQF\341Zm\320\320\312\23\30QfoQ%\236\24\241\202T\334t\264\211\376\320\300\25jt\331\365\2\245\15\276s\26\307\\331\267m`n5\272J\312\360\201\317\324(\375f]\355\33\256\13#\6\320\5D\6\247%\200\376\210oe\30+\368\243\2454\2137\327e\371\27\336\201\314\331$\3N]\177\341\227\3270\5\236\355\352\344\306\366\303t0\370\230i->LX\4\263\345 \364/\10\342\325\363X\33\277\357\260\357>G\344\344\244D)\373\23\23?\321^\205\16\337\372\240C\342\276", ) \16\3774\312\215^\26\275{Yv}\366\322Tc\321'\221&2\275\244\352\343\12%\245\323\274\231\320\237,\270{\333a2m\331G\352\243\261\320\262~_\376A~wS-\366X*\275d?_\241S\37J\321\311fITQF\341Zm\320\320\312\23\30QfoQ%\236\24\241\202T\334t\264\211\376\320\300\25jt\331\365\2\245\15\276s\26\307\\331\267m`n5\272J\312\360\201\317\324(\375f]\355\33\256\13#\6\320\5D\6\247%\200\376\210oe\30+\368\243\2454\2137\327e\371\27\336\201\314\331$\3N]\177\341\227\3270\5\236\355\352\344\306\366\303t0\370\230i->LX\4\263\345 \364/\10\342\325\363X\33\277\357\260\357>G\344\344\244D)\373\23\23?\321^\205\16\337\372\240C\342\276", ) == 0x0
 01282   456   NtWriteFile  (148, 0, 0, 0,  (148, 0, 0, 0, "\25\313\36\270\214\226\21B\304\243`\371\275\66-:\177\243\35\264OQ\207\273\321\2559\243/O\202\300\216\234\3505\315D*\27+\220\360\354\201\205G\337\266\240\331\221\303\273\333\242\5w\247\254\25_\376\332\12\240\26\4!\212e\22e\344\276/Y\341\235] \362\240!YK\343F\36\370\36\13\255\270\361\316\245\210#\16\3\332\215\371fC\263\243\253\262\220\323]\21\37\12\277o\222\252\231\316T\354\207U\205\334\25-r\251\274\373%\22\251\66\313\2534g}S\177\17\271\232\360~\313E\234U\305\2515z\252\226\376g\211\15\203\364\316\275\314\310\237Iz\227+\233\317\270f\21\310?\266\367\213\251\24\34\365\321\307\370;\31?\334+\232\231~\30\0i\231c\303\36\325\253\361[\276\205lp\264O\224<\365\353\200B@\247\4\360\225\366B\212H9\336\252\242Ui\265\330\331\364\371\305a\3663\347\213[\315\250\343m\321\273$\203\210\350\27\234\271"\16\3774\312\215^\26\275{Yv}\366\322Tc\321'\221&2\275\244\352\343\12%\245\323\274\231\320\237,\270{\333a2m\331G\352\243\261\320\262~_\376A~wS-\366X*\275d?_\241S\37J\321\311fITQF\341Zm\320\320\312\23\30QfoQ%\236\24\241\202T\334t\264\211\376\320\300\25jt\331\365\2\245\15\276s\26\307\\331\267m`n5\272J\312\360\201\317\324(\375f]\355\33\256\13#\6\320\5D\6\247%\200\376\210oe\30+\368\243\2454\2137\327e\371\27\336\201\314\331$\3N]\177\341\227\3270\5\236\355\352\344\306\366\303t0\370\230i->LX\4\263\345 \364/\10\342\325\363X\33\277\357\260\357>G\344\344\244D)\373\23\23?\321^\205\16\337\372\240C\342\276", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) \16\3774\312\215^\26\275{Yv}\366\322Tc\321'\221&2\275\244\352\343\12%\245\323\274\231\320\237,\270{\333a2m\331G\352\243\261\320\262~_\376A~wS-\366X*\275d?_\241S\37J\321\311fITQF\341Zm\320\320\312\23\30QfoQ%\236\24\241\202T\334t\264\211\376\320\300\25jt\331\365\2\245\15\276s\26\307\\331\267m`n5\272J\312\360\201\317\324(\375f]\355\33\256\13#\6\320\5D\6\247%\200\376\210oe\30+\368\243\2454\2137\327e\371\27\336\201\314\331$\3N]\177\341\227\3270\5\236\355\352\344\306\366\303t0\370\230i->LX\4\263\345 \364/\10\342\325\363X\33\277\357\260\357>G\344\344\244D)\373\23\23?\321^\205\16\337\372\240C\342\276", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 01283   456   NtReadFile  (132, 0, 0, 0, 61440, 0x0, 0, ...
 01281   580   NtQueryAttributesFile  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01284   580   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\UxTheme.dll"}, 14937596, ... ) }, 14937596, ... ) == 0x0
 01283   456   NtReadFile  ... {status=0x0, info=61440},  ... {status=0x0, info=61440}, "\177_N\335\236Z\16\377:\177_N\335\236N][\376~_N\16\241K\16\254^N\327\333\236\240\241\2414_\164n\241\353\226\240\241\241\241KJ\236^N4^\241\353\252\240\241\2414^\241\353\232\240\241\241\377\256~_N[\263^^^][*\177_NQ\341K6\177_N\335\264Zw\216\16\325\333\276\240\241\241\325K\346\177_NQ\341S\342~_N_\224\335\264Vw\216\16Q\341[\342\177_N][B\177_N\335\266V\16\377\262~_N\335\266Z\166^^^\166\371p_N6\367p_N\377\352~_N\335\266V\16\241K\26X_N\327\3336\243\241\241\346n^^^\251\270\327\333:\243\241\241\325\3436\243\241\241\327\235\327bC"\255^N\377\372~_NQ\341K\226~_N_\216\336\342[\246\240\241\241j+M6\374p_N\323\333\363\243\241\241\16\2661l^^\265F6\312p_N\266\232U^^\7\16\323\343\363\243\241\241\11\266\13l^^6|p_N\266\362U^^\323\343_\241\241\241\11\323\343\363\243\241\241\11\16\323\343\237\243\241\241\11\241KjH_N6Fp_N\266\330U^^\335\232F\327\333>\243\241\2414^\241\353\252\240\241\2414^\346n^^^\251\270\327\333\2\243\241\241\327\231\241jc"\255^N\325c\32\177_N\335\231u\11\241\353\276\240\241\241\325c\316\177_N\335\231Y\11\325c\232\177_N\335\231[\116^^^\16\323\343\237\243\241\241\11\325\343>\243\241\241\11\325c\306~_NQ\341C\206~_N_\201\335\261R\11\241K\26X_N\327\333\366\243\241\2414^4\4^4^4[4_\377\346~_N\335\266Z\16\377\6\177_N][\322\177_N\26\16Q\341[^\177_N\335\266W\16", ) \255^N\377\372~_NQ\341K\226~_N_\216\336\342[\246\240\241\241j+M6\374p_N\323\333\363\243\241\241\16\2661l^^\265F6\312p_N\266\232U^^\7\16\323\343\363\243\241\241\11\266\13l^^6|p_N\266\362U^^\323\343_\241\241\241\11\323\343\363\243\241\241\11\16\323\343\237\243\241\241\11\241KjH_N6Fp_N\266\330U^^\335\232F\327\333>\243\241\2414^\241\353\252\240\241\2414^\346n^^^\251\270\327\333\2\243\241\241\327\231\241jc ... {status=0x0, info=61440}, "\177_N\335\236Z\16\377:\177_N\335\236N][\376~_N\16\241K\16\254^N\327\333\236\240\241\2414_\164n\241\353\226\240\241\241\241KJ\236^N4^\241\353\252\240\241\2414^\241\353\232\240\241\241\377\256~_N[\263^^^][*\177_NQ\341K6\177_N\335\264Zw\216\16\325\333\276\240\241\241\325K\346\177_NQ\341S\342~_N_\224\335\264Vw\216\16Q\341[\342\177_N][B\177_N\335\266V\16\377\262~_N\335\266Z\166^^^\166\371p_N6\367p_N\377\352~_N\335\266V\16\241K\26X_N\327\3336\243\241\241\346n^^^\251\270\327\333:\243\241\241\325\3436\243\241\241\327\235\327bC"\255^N\377\372~_NQ\341K\226~_N_\216\336\342[\246\240\241\241j+M6\374p_N\323\333\363\243\241\241\16\2661l^^\265F6\312p_N\266\232U^^\7\16\323\343\363\243\241\241\11\266\13l^^6|p_N\266\362U^^\323\343_\241\241\241\11\323\343\363\243\241\241\11\16\323\343\237\243\241\241\11\241KjH_N6Fp_N\266\330U^^\335\232F\327\333>\243\241\2414^\241\353\252\240\241\2414^\346n^^^\251\270\327\333\2\243\241\241\327\231\241jc"\255^N\325c\32\177_N\335\231u\11\241\353\276\240\241\241\325c\316\177_N\335\231Y\11\325c\232\177_N\335\231[\116^^^\16\323\343\237\243\241\241\11\325\343>\243\241\241\11\325c\306~_NQ\341C\206~_N_\201\335\261R\11\241K\26X_N\327\333\366\243\241\2414^4\4^4^4[4_\377\346~_N\335\266Z\16\377\6\177_N][\322\177_N\26\16Q\341[^\177_N\335\266W\16", ) , ) == 0x0
 01285   456   NtWriteFile  (148, 0, 0, 0,  (148, 0, 0, 0, "\177_N\335\236Z\16\377:\177_N\335\236N][\376~_N\16\241K\16\254^N\327\333\236\240\241\2414_\164n\241\353\226\240\241\241\241KJ\236^N4^\241\353\252\240\241\2414^\241\353\232\240\241\241\377\256~_N[\263^^^][*\177_NQ\341K6\177_N\335\264Zw\216\16\325\333\276\240\241\241\325K\346\177_NQ\341S\342~_N_\224\335\264Vw\216\16Q\341[\342\177_N][B\177_N\335\266V\16\377\262~_N\335\266Z\166^^^\166\371p_N6\367p_N\377\352~_N\335\266V\16\241K\26X_N\327\3336\243\241\241\346n^^^\251\270\327\333:\243\241\241\325\3436\243\241\241\327\235\327bC"\255^N\377\372~_NQ\341K\226~_N_\216\336\342[\246\240\241\241j+M6\374p_N\323\333\363\243\241\241\16\2661l^^\265F6\312p_N\266\232U^^\7\16\323\343\363\243\241\241\11\266\13l^^6|p_N\266\362U^^\323\343_\241\241\241\11\323\343\363\243\241\241\11\16\323\343\237\243\241\241\11\241KjH_N6Fp_N\266\330U^^\335\232F\327\333>\243\241\2414^\241\353\252\240\241\2414^\346n^^^\251\270\327\333\2\243\241\241\327\231\241jc"\255^N\325c\32\177_N\335\231u\11\241\353\276\240\241\241\325c\316\177_N\335\231Y\11\325c\232\177_N\335\231[\116^^^\16\323\343\237\243\241\241\11\325\343>\243\241\241\11\325c\306~_NQ\341C\206~_N_\201\335\261R\11\241K\26X_N\327\333\366\243\241\2414^4\4^4^4[4_\377\346~_N\335\266Z\16\377\6\177_N][\322\177_N\26\16Q\341[^\177_N\335\266W\16", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) \255^N\377\372~_NQ\341K\226~_N_\216\336\342[\246\240\241\241j+M6\374p_N\323\333\363\243\241\241\16\2661l^^\265F6\312p_N\266\232U^^\7\16\323\343\363\243\241\241\11\266\13l^^6|p_N\266\362U^^\323\343_\241\241\241\11\323\343\363\243\241\241\11\16\323\343\237\243\241\241\11\241KjH_N6Fp_N\266\330U^^\335\232F\327\333>\243\241\2414^\241\353\252\240\241\2414^\346n^^^\251\270\327\333\2\243\241\241\327\231\241jc (148, 0, 0, 0, "\177_N\335\236Z\16\377:\177_N\335\236N][\376~_N\16\241K\16\254^N\327\333\236\240\241\2414_\164n\241\353\226\240\241\241\241KJ\236^N4^\241\353\252\240\241\2414^\241\353\232\240\241\241\377\256~_N[\263^^^][*\177_NQ\341K6\177_N\335\264Zw\216\16\325\333\276\240\241\241\325K\346\177_NQ\341S\342~_N_\224\335\264Vw\216\16Q\341[\342\177_N][B\177_N\335\266V\16\377\262~_N\335\266Z\166^^^\166\371p_N6\367p_N\377\352~_N\335\266V\16\241K\26X_N\327\3336\243\241\241\346n^^^\251\270\327\333:\243\241\241\325\3436\243\241\241\327\235\327bC"\255^N\377\372~_NQ\341K\226~_N_\216\336\342[\246\240\241\241j+M6\374p_N\323\333\363\243\241\241\16\2661l^^\265F6\312p_N\266\232U^^\7\16\323\343\363\243\241\241\11\266\13l^^6|p_N\266\362U^^\323\343_\241\241\241\11\323\343\363\243\241\241\11\16\323\343\237\243\241\241\11\241KjH_N6Fp_N\266\330U^^\335\232F\327\333>\243\241\2414^\241\353\252\240\241\2414^\346n^^^\251\270\327\333\2\243\241\241\327\231\241jc"\255^N\325c\32\177_N\335\231u\11\241\353\276\240\241\241\325c\316\177_N\335\231Y\11\325c\232\177_N\335\231[\116^^^\16\323\343\237\243\241\241\11\325\343>\243\241\241\11\325c\306~_NQ\341C\206~_N_\201\335\261R\11\241K\26X_N\327\333\366\243\241\2414^4\4^4^4[4_\377\346~_N\335\266Z\16\377\6\177_N][\322\177_N\26\16Q\341[^\177_N\335\266W\16", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 01286   456   NtReadFile  (132, 0, 0, 0, 61440, 0x0, 0, ...
 01287   580   NtUserGetProcessWindowStation  (... ) == 0x28
 01288   580   NtUserGetObjectInformation  (40, 2, 0, 0, 14939892, ... ) == 0x0
 01289   580   NtUserGetObjectInformation  (40, 2, 5097592, 16, 14939892, ... ) == 0x1
 01290   580   NtUserGetGUIThreadInfo  (580, 14939848, ... ) == 0x1
 01291   580   NtConnectPort  ( ("\ThemeApiPort", {12, 2, 1, 1}, 0x0, 0x0, 14939668, 64, ... 144, 0x0, 0x0, 0x0, 64, ) , {12, 2, 1, 1}, 0x0, 0x0, 14939668, 64, ... 144, 0x0, 0x0, 0x0, 64, ) == 0x0
 01292   580   NtRequestWaitReplyPort  (144, {32, 56, new_msg, 0, 0, 0, 0, 0}  (144, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 448, 580, 1497, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 448, 580, 1497, 0}  (144, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 448, 580, 1497, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 01293   580   NtRequestWaitReplyPort  (144, {32, 56, new_msg, 0, 0, 0, 0, 0}  (144, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 448, 580, 1498, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 448, 580, 1498, 0}  (144, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 448, 580, 1498, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 01294   580   NtUserCallNoParam  (29, ...
 01295   580   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 14937140, ... ) }, 14937140, ... ) == 0x0
 01294   580   NtUserCallNoParam  ... ) == 0x0
 01296   580   NtUserSystemParametersInfo  (41, 0, 1524225160, 0, ... ) == 0x1
 01297   580   NtGdiHfontCreate  (14939220, 356, 0, 0, 5098360, ...
 01286   456   NtReadFile  ... {status=0x0, info=18944},  ... {status=0x0, info=18944}, "D\21L\0\203\356\12\353 \200\2745\1\360\377\377#u\25\241\370\20L\0\3\5\30\21L\0\203\350\3\210\2045\1\360\377\377F\201\376\377\17\0\0r\330\241\370\20L\0\3\5\204\21L\0\203\350\10\211\205\374\357\377\377\241\10\21L\0\211\303\3\35,\21L\0\203\353\5\203}\10\0uY\213E\149\205\374\357\377\377u\27\215\204\35\1\360\377\377Php\6L\0\350\350*\0\0\351\226\2\0\0\215\214\35\1\360\377\377\203\310\377@\200<\1\0u\371\1\303\203\303\1\377\205\374\357\377\377\17\276\204\35\1\360\377\377\213\25\240\21L\0\203\352\69\320\17\204a\2\0\0\353\247\241\220\22L\0\211\205\370\357\377\377\241\224\20L\0\17\277\25\340\20L\0\1\320\203\350\6\213U\10\17\277\15\220\20L\0I\210\14\2\17\277\5\200\21L\0\17\277\25\250\21L\0\211\303\1\323\203\353\6\241\244\21L\0\211\205\374\357\377\377hs\31L\0\350\271\3\0\0P\215\275\365\356\377\377W\350K*\0\0\215\204\35\1\360\377\377P\215\205\365\356\377\377P\377\25 \260K\0\203\304\14\377\25\254\13L\0\271\24\0\0\0\231\367\371\211\225\364\357\377\377\241\264\20L\0\203\350\69\302\17\203\345\0\0\0\377\265\370\357\377\377\215\205\366\355\377\377P\350i\300\377\377\241\230\21L\0\3\5\324\20L\0\203\350\10P\215\205\365\356\377\377P\377u\10\350\303\265\377\377\203\304\24\213=\270\20L\0\201\307\363\377\0\0\17\277\25\260\20L\0\1\3279\370u'\215\205\365\356\377\377P\377u\10\377\25 \260K\0hn\31L\0\350\12\3\0\0P\377u\10\377\25 \260K\0\203\304\24\241|\21L\0\203\350\5P\215\205\366\355\377\377P\377u\10\350h\265\377\377\203\304\14\213=d\21L\0\201\307\375\377\0\0\3=\310\21L\09\370u", ) , ) == 0x0
 01298   456   NtWriteFile  (148, 0, 0, 0,  (148, 0, 0, 0, "D\21L\0\203\356\12\353 \200\2745\1\360\377\377#u\25\241\370\20L\0\3\5\30\21L\0\203\350\3\210\2045\1\360\377\377F\201\376\377\17\0\0r\330\241\370\20L\0\3\5\204\21L\0\203\350\10\211\205\374\357\377\377\241\10\21L\0\211\303\3\35,\21L\0\203\353\5\203}\10\0uY\213E\149\205\374\357\377\377u\27\215\204\35\1\360\377\377Php\6L\0\350\350*\0\0\351\226\2\0\0\215\214\35\1\360\377\377\203\310\377@\200<\1\0u\371\1\303\203\303\1\377\205\374\357\377\377\17\276\204\35\1\360\377\377\213\25\240\21L\0\203\352\69\320\17\204a\2\0\0\353\247\241\220\22L\0\211\205\370\357\377\377\241\224\20L\0\17\277\25\340\20L\0\1\320\203\350\6\213U\10\17\277\15\220\20L\0I\210\14\2\17\277\5\200\21L\0\17\277\25\250\21L\0\211\303\1\323\203\353\6\241\244\21L\0\211\205\374\357\377\377hs\31L\0\350\271\3\0\0P\215\275\365\356\377\377W\350K*\0\0\215\204\35\1\360\377\377P\215\205\365\356\377\377P\377\25 \260K\0\203\304\14\377\25\254\13L\0\271\24\0\0\0\231\367\371\211\225\364\357\377\377\241\264\20L\0\203\350\69\302\17\203\345\0\0\0\377\265\370\357\377\377\215\205\366\355\377\377P\350i\300\377\377\241\230\21L\0\3\5\324\20L\0\203\350\10P\215\205\365\356\377\377P\377u\10\350\303\265\377\377\203\304\24\213=\270\20L\0\201\307\363\377\0\0\17\277\25\260\20L\0\1\3279\370u'\215\205\365\356\377\377P\377u\10\377\25 \260K\0hn\31L\0\350\12\3\0\0P\377u\10\377\25 \260K\0\203\304\24\241|\21L\0\203\350\5P\215\205\366\355\377\377P\377u\10\350h\265\377\377\203\304\14\213=d\21L\0\201\307\375\377\0\0\3=\310\21L\09\370u", 18944, 0x0, 0, ... {status=0x0, info=18944}, ) , 18944, 0x0, 0, ... {status=0x0, info=18944}, ) == 0x0
 01299   456   NtReadFile  (132, 0, 0, 0, 61440, 0x0, 0, ...
 01297   580   NtGdiHfontCreate  ... ) == 0x190a0381
 01300   580   NtGdiHfontCreate  (14939220, 356, 0, 0, 5098352, ... ) == 0xf0a03ff
 01301   580   NtRequestWaitReplyPort  (144, {32, 56, new_msg, 0, 0, 0, 0, 0}  (144, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 448, 580, 1499, 0} "\0\0\0\0\0\0\0\0\230\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 448, 580, 1499, 0}  (144, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 448, 580, 1499, 0} "\0\0\0\0\0\0\0\0\230\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 01302   580   NtMapViewOfSection  (152, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xf90000), {0, 0}, 331776, ) == 0x0
 01303   580   NtUserGetWindowDC  (0, ... ) == 0x1010050
 01304   580   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 01305   580   NtUserGetWindowDC  (0, ... ) == 0x1010050
 01306   580   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 01307   580   NtUserGetWindowDC  (0, ... ) == 0x1010050
 01308   580   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 01309   580   NtUserGetWindowDC  (0, ... ) == 0x1010050
 01310   580   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 01311   580   NtUserGetWindowDC  (0, ... ) == 0x1010050
 01312   580   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 01313   580   NtUserGetWindowDC  (0, ... ) == 0x1010050
 01314   580   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 01315   580   NtUserGetWindowDC  (0, ... ) == 0x1010050
 01316   580   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 01317   580   NtUserGetWindowDC  (0, ... ) == 0x1010050
 01318   580   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 01319   580   NtAllocateVirtualMemory  (-1, 11550720, 0, 4096, 4096, 4, ... 11550720, 4096, ) == 0x0
 01320   580   NtUserGetWindowDC  (0, ... ) == 0x1010050
 01321   580   NtGdiCreatePatternBrushInternal  (59048369, 0, 0, ... ) == 0x6100406
 01322   580   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 01323   580   NtUserCallNoParam  (29, ...
 01324   580   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 14936584, ... ) }, 14936584, ... ) == 0x0
 01323   580   NtUserCallNoParam  ... ) == 0x0
 01325   580   NtUserCallNoParam  (29, ...
 01326   580   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 14936580, ... ) }, 14936580, ... ) == 0x0
 01325   580   NtUserCallNoParam  ... ) == 0x0
 01327   580   NtUserMessageCall  (0x200b2, WM_NCCREATE, 0x0, 0xe3f800, 0, 670, 1, ... ) == 0x1
 01328   580   NtUserMessageCall  (0x200b2, WM_NCCALCSIZE, 0x0, 0xe3f834, 0, 670, 1, ... ) == 0x0
 01329   580   NtUserGetClassName  (131250, 0, 14939372, ... ) == 0x6
 01330   580   NtUserRemoveProp  (131250, 43282, ... ) == 0x0
 01331   580   NtRequestWaitReplyPort  (24, {24, 52, new_msg, 0, 4194366, 14938964, 35020, 28}  (24, {24, 52, new_msg, 0, 4194366, 14938964, 35020, 28} "\0\0\0\0\5\4\3\0I\0N\0D\0O\0D\2\0\0\0\0\0\0" ... {24, 52, reply, 0, 448, 580, 1500, 0} "\0\0\0\0\5\4\3\0\0\0\0\0D\0O\0D\2\0\0\0\0\0\0" )  ... {24, 52, reply, 0, 448, 580, 1500, 0}  (24, {24, 52, new_msg, 0, 4194366, 14938964, 35020, 28} "\0\0\0\0\5\4\3\0I\0N\0D\0O\0D\2\0\0\0\0\0\0" ... {24, 52, reply, 0, 448, 580, 1500, 0} "\0\0\0\0\5\4\3\0\0\0\0\0D\0O\0D\2\0\0\0\0\0\0" )  ) == 0x0
 01332   580   NtUserGetThreadDesktop  (580, 0, ... ) == 0x2c
 01333   580   NtUserGetObjectInformation  (44, 2, 14939048, 520, 0, ... ) == 0x1
 01334   580   NtGdiDeleteObjectApp  (101712902, ... ) == 0x1
 01335   580   NtUserGetWindowDC  (0, ... ) == 0x1010050
 01336   580   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 01337   580   NtUserGetWindowDC  (0, ... ) == 0x1010050
 01338   580   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 01339   580   NtUserGetWindowDC  (0, ... ) == 0x1010050
 01340   580   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 01341   580   NtUserGetWindowDC  (0, ... ) == 0x1010050
 01342   580   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 01343   580   NtUserGetWindowDC  (0, ... ) == 0x1010050
 01344   580   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 01345   580   NtUserGetWindowDC  (0, ... ) == 0x1010050
 01346   580   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 01347   580   NtUserGetWindowDC  (0, ... ) == 0x1010050
 01348   580   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 01349   580   NtUserGetWindowDC  (0, ... ) == 0x1010050
 01350   580   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 01351   580   NtUserGetWindowDC  (0, ... ) == 0x1010050
 01352   580   NtGdiCreatePatternBrushInternal  (59048369, 0, 0, ... ) == 0x7100406
 01353   580   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 01354   580   NtUserSetProp  (131250, 43288, 11551128, ... ) == 0x1
 01355   580   NtUserGetAncestor  (131250, 1, ... ) == 0x10014
 01356   580   NtUserSetWindowPos  (131250, 0, 0, 0, 123, 34, 1047, ... ) == 0x1
 01190   580   NtUserCreateWindowEx  ... ) == 0x200b2
 01299   456   NtReadFile  ... ) == STATUS_END_OF_FILE
 01357   456   NtFreeVirtualMemory  (-1, (0x4df000), 65536, 16384, ... (0x4df000), 65536, ) == 0x0
 01358   456   NtSetInformationFile  (148, 2291368, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01359   456   NtClose  (132, ... ) == 0x0
 01360   456   NtClose  (148, ... ) == 0x0
 01361   456   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 01362   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\eupsvc.exe"}, 2287660, ... ) }, 2287660, ... ) == 0x0
 01363   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\eupsvc.exe"}, 2288352, ... ) }, 2288352, ... ) == 0x0
 01364   456   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\eupsvc.exe"}, 5, 96, ... 148, {status=0x0, info=1}, ) }, 5, 96, ... 148, {status=0x0, info=1}, ) == 0x0
 01365   456   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 148, ...
 01366   580   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01367   580   NtCreateSemaphore  (0x1f0003, {24, 52, 0x80, 5107192, 0,  (0x1f0003, {24, 52, 0x80, 5107192, 0, "shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}"}, 0, 2147483647, ... 132, ) }, 0, 2147483647, ... 132, ) == STATUS_OBJECT_NAME_EXISTS
 01368   580   NtReleaseSemaphore  (132, 1, ... 0, ) == 0x0
 01369   580   NtWaitForSingleObject  (132, 0, {0, 0}, ... ) == 0x0
 01370   580   NtCreateKey  (0x2000000, {24, 84, 0x40, 0, 0,  (0x2000000, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 156, 2, ) }, 0, 0x0, 0, ... 156, 2, ) == 0x0
 01371   580   NtQueryValueKey  (156,  (156, "Programs", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0S\0t\0a\0r\0t\0 \0M\0e\0n\0u\0\\0P\0r\0o\0g\0r\0a\0m\0s\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (156, "Programs", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0S\0t\0a\0r\0t\0 \0M\0e\0n\0u\0\\0P\0r\0o\0g\0r\0a\0m\0s\0\0\0"}, 80, ) }, 80, ) == 0x0
 01372   580   NtClose  (156, ... ) == 0x0
 01373   580   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Start Menu\Programs"}, 14940084, ... ) }, 14940084, ... ) == 0x0
 01374   580   NtCreateKey  (0x2000000, {24, 84, 0x40, 0, 0,  (0x2000000, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 156, 2, ) }, 0, 0x0, 0, ... 156, 2, ) == 0x0
 01375   580   NtSetValueKey  (156,  (156, "Programs", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0S\0t\0a\0r\0t\0 \0M\0e\0n\0u\0\\0P\0r\0o\0g\0r\0a\0m\0s\0\0\0", 110, ... ) , 0, 1,  (156, "Programs", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0S\0t\0a\0r\0t\0 \0M\0e\0n\0u\0\\0P\0r\0o\0g\0r\0a\0m\0s\0\0\0", 110, ... ) , 110, ... ) == 0x0
 01376   580   NtClose  (156, ... ) == 0x0
 01377   580   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Start Menu\Programs\"}, 3, 16417, ... 156, {status=0x0, info=1}, ) }, 3, 16417, ... 156, {status=0x0, info=1}, ) == 0x0
 01378   580   NtQueryDirectoryFile  (156, 0, 0, 0, 14939500, 616, BothDirectory, 1,  (156, 0, 0, 0, 14939500, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=96}, ) , 0, ... {status=0x0, info=96}, ) == 0x0
 01379   580   NtQueryDirectoryFile  (156, 0, 0, 0, 5098416, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=1118}, ) == 0x0
 01380   580   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Start Menu\Programs\Accessories\"}, 3, 16417, ... 160, {status=0x0, info=1}, ) }, 3, 16417, ... 160, {status=0x0, info=1}, ) == 0x0
 01381   580   NtQueryDirectoryFile  (160, 0, 0, 0, 14938856, 616, BothDirectory, 1,  (160, 0, 0, 0, 14938856, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=96}, ) , 0, ... {status=0x0, info=96}, ) == 0x0
 01382   580   NtAllocateVirtualMemory  (-1, 5107712, 0, 8192, 4096, 4, ... 5107712, 8192, ) == 0x0
 01383   580   NtQueryDirectoryFile  (160, 0, 0, 0, 5107608, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=1380}, ) == 0x0
 01384   580   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Start Menu\Programs\Accessories\Entertainment\"}, 3, 16417, ... 164, {status=0x0, info=1}, ) }, 3, 16417, ... 164, {status=0x0, info=1}, ) == 0x0
 01385   580   NtQueryDirectoryFile  (164, 0, 0, 0, 14938212, 616, BothDirectory, 1,  (164, 0, 0, 0, 14938212, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=96}, ) , 0, ... {status=0x0, info=96}, ) == 0x0
 01386   580   NtQueryDirectoryFile  (164, 0, 0, 0, 5111712, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=220}, ) == 0x0
 01387   580   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Start Menu\Programs\Accessories\Entertainment\desktop.ini\"}, 3, 16417, ... ) }, 3, 16417, ... ) == STATUS_NOT_A_DIRECTORY
 01388   580   NtQueryDirectoryFile  (164, 0, 0, 0, 5111712, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES
 01389   580   NtDelayExecution  (0, {-10000, -1}, ... ) == 0x0
 01390   580   NtClose  (164, ... ) == 0x0
 01391   580   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Start Menu\Programs\Accessories\Accessibility\"}, 3, 16417, ... 164, {status=0x0, info=1}, ) }, 3, 16417, ... 164, {status=0x0, info=1}, ) == 0x0
 01392   580   NtQueryDirectoryFile  (164, 0, 0, 0, 14938212, 616, BothDirectory, 1,  (164, 0, 0, 0, 14938212, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=96}, ) , 0, ... {status=0x0, info=96}, ) == 0x0
 01393   580   NtQueryDirectoryFile  (164, 0, 0, 0, 5111712, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=724}, ) == 0x0
 01394   580   NtAllocateVirtualMemory  (-1, 14925824, 0, 4096, 4096, 260, ... 14925824, 4096, ) == 0x0
 01395   580   NtAllocateVirtualMemory  (-1, 14921728, 0, 4096, 4096, 260, ... 14921728, 4096, ) == 0x0
 01396   580   NtAllocateVirtualMemory  (-1, 14917632, 0, 4096, 4096, 260, ... 14917632, 4096, ) == 0x0
 01397   580   NtAllocateVirtualMemory  (-1, 14913536, 0, 4096, 4096, 260, ... 14913536, 4096, ) == 0x0
 01398   580   NtAllocateVirtualMemory  (-1, 14909440, 0, 4096, 4096, 260, ... 14909440, 4096, ) == 0x0
 01399   580   NtAllocateVirtualMemory  (-1, 14905344, 0, 4096, 4096, 260, ... 14905344, 4096, ) == 0x0
 01400   580   NtAllocateVirtualMemory  (-1, 14901248, 0, 4096, 4096, 260, ... 14901248, 4096, ) == 0x0
 01401   580   NtAllocateVirtualMemory  (-1, 14897152, 0, 4096, 4096, 260, ... 14897152, 4096, ) == 0x0
 01402   580   NtAllocateVirtualMemory  (-1, 14893056, 0, 4096, 4096, 260, ... 14893056, 4096, ) == 0x0
 01403   580   NtAllocateVirtualMemory  (-1, 14888960, 0, 4096, 4096, 260, ... 14888960, 4096, ) == 0x0
 01404   580   NtAllocateVirtualMemory  (-1, 14884864, 0, 4096, 4096, 260, ... 14884864, 4096, ) == 0x0
 01405   580   NtAllocateVirtualMemory  (-1, 14880768, 0, 4096, 4096, 260, ... 14880768, 4096, ) == 0x0
 01406   580   NtAllocateVirtualMemory  (-1, 14876672, 0, 4096, 4096, 260, ... 14876672, 4096, ) == 0x0
 01407   580   NtAllocateVirtualMemory  (-1, 14872576, 0, 4096, 4096, 260, ... 14872576, 4096, ) == 0x0
 01408   580   NtAllocateVirtualMemory  (-1, 14868480, 0, 4096, 4096, 260, ... 14868480, 4096, ) == 0x0
 01409   580   NtAllocateVirtualMemory  (-1, 14864384, 0, 4096, 4096, 260, ... 14864384, 4096, ) == 0x0
 01410   580   NtAllocateVirtualMemory  (-1, 14860288, 0, 4096, 4096, 260, ... 14860288, 4096, ) == 0x0
 01411   580   NtAllocateVirtualMemory  (-1, 14856192, 0, 4096, 4096, 260, ... 14856192, 4096, ) == 0x0
 01412   580   NtCreateFile  (0x80100081, {24, 0, 0x40, 0, 14864776,  (0x80100081, {24, 0, 0x40, 0, 14864776, "\??\C:\Documents and Settings\SRI-user\Start Menu\Programs\Accessories\Accessibility\Utility Manager.lnk"}, 0x0, 0, 0, 1, 96, 0, 0, ... 168, {status=0x0, info=1}, ) }, 0x0, 0, 0, 1, 96, 0, 0, ... 168, {status=0x0, info=1}, ) == 0x0
 01413   580   NtReadFile  (168, 0, 0, 0, 8191, 0x0, 0, ... {status=0x0, info=1443},  (168, 0, 0, 0, 8191, 0x0, 0, ... {status=0x0, info=1443}, "L\0\0\0\1\24\2\0\0\0\0\0\300\0\0\0\0\0\0F\277\2\0\0 \0\0\0\0`\2370\16,\301\1\0\300\233'{8\307\1\0`\2370\16,\301\1\0\266\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\363\0\24\0\37P\340O\320 \352:i\20\242\330\10\0+00\235\31\0/C:\\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0<\01\0\0\0\0\006T\10\20\0WINDOWS\0&\0\3\0\4\0\357\27606T\1006\0@\24\0\0\0W\0I\0N\0D\0O\0W\0S\0\0\0\26\0@\01\0\0\0\0\006T\10\20\0system32\0\0(\0\3\0\4\0\357\27606T\1006\0@\24\0\0\0s\0y\0s\0t\0e\0m\03\02\0\0\0\30\0H\02\0\0\266\0\0\27+\0\240 \0utilman.exe\0.\0\3\0\4\0\357\276\27+\0\240/6\0@\24\0\0\0u\0t\0i\0l\0m\0a\0n\0.\0e\0x\0e\0\0\0\32\0\0\0N\0\0\0\34\0\0\0\1\0\0\0\34\0\0\0-\0\0\0\0\0\0\0M\0\0\0\21\0\0\0\3\0\0\0\350\35\361<\20\0\0\0\0C:\WINDOWS\system32\utilman.exe\0\0)\0@\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0s\0h\0e\0l\0l\03\02\0.\0d\0l\0l\0,\0-\02\02\05\07\07\0.\0.\0.\0\\0.\0.\0\\0.\0.", ) , ) == 0x0
 01414   580   NtClose  (168, ... ) == 0x0
 01415   580   NtDelayExecution  (0, {-10000, -1}, ...
 01365   456   NtCreateSection  ... 168, ) == 0x0
 01416   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01417   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 172, ) }, ... 172, ) == 0x0
 01418   456   NtQueryValueKey  (172,  (172, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01419   456   NtClose  (172, ... ) == 0x0
 01420   456   NtQueryVolumeInformationFile  (148, 2287660, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01421   456   NtOpenMutant  (0x120001, {24, 52, 0x0, 0, 0,  (0x120001, {24, 52, 0x0, 0, 0, "ShimCacheMutex"}, ... 172, ) }, ... 172, ) == 0x0
 01422   456   NtWaitForSingleObject  (172, 0, {-1000000, -1}, ... ) == 0x0
 01423   456   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "ShimSharedMemory"}, ... 176, ) }, ... 176, ) == 0x0
 01424   456   NtMapViewOfSection  (176, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xff0000), {0, 0}, 57344, ) == 0x0
 01425   456   NtReleaseMutant  (172, ... 0x0, ) == 0x0
 01426   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 2285644, ... ) }, 2285644, ... ) == 0x0
 01427   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 180, {status=0x0, info=1}, ) }, 5, 96, ... 180, {status=0x0, info=1}, ) == 0x0
 01428   456   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 180, ... 184, ) == 0x0
 01429   456   NtClose  (180, ... ) == 0x0
 01430   456   NtMapViewOfSection  (184, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1000000), 0x0, 106496, ) == 0x0
 01431   456   NtClose  (184, ... ) == 0x0
 01432   456   NtUnmapViewOfSection  (-1, 0x1000000, ... ) == 0x0
 01433   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 2285960, ... ) }, 2285960, ... ) == 0x0
 01434   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 184, {status=0x0, info=1}, ) }, 5, 96, ... 184, {status=0x0, info=1}, ) == 0x0
 01435   456   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 184, ... 180, ) == 0x0
 01436   456   NtQuerySection  (180, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01437   456   NtClose  (184, ... ) == 0x0
 01438   456   NtMapViewOfSection  (180, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f40000), 0x0, 118784, ) == 0x0
 01439   456   NtClose  (180, ... ) == 0x0
 01440   456   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 180, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 180, {status=0x0, info=1}, ) == 0x0
 01441   456   NtQueryInformationFile  (180, 2286248, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01442   456   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 180, ... 184, ) == 0x0
 01443   456   NtMapViewOfSection  (184, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x1000000), 0x0, 1028096, ) == 0x0
 01444   456   NtQueryInformationFile  (180, 2286344, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01445   456   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01446   456   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01447   456   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 01448   456   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 188, {status=0x0, info=1}, ) }, 3, 16417, ... 188, {status=0x0, info=1}, ) == 0x0
 01449   456   NtQueryDirectoryFile  (188, 0, 0, 0, 2283908, 616, BothDirectory, 1,  (188, 0, 0, 0, 2283908, 616, BothDirectory, 1, "eupsvc.exe", 0, ... {status=0x0, info=114}, ) , 0, ... {status=0x0, info=114}, ) == 0x0
 01450   456   NtClose  (188, ... ) == 0x0
 01451   456   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01452   456   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01453   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\eupsvc.exe"}, 2283296, ... ) }, 2283296, ... ) == 0x0
 01454   456   NtAllocateVirtualMemory  (-1, 2273280, 0, 4096, 4096, 260, ... 2273280, 4096, ) == 0x0
 01455   456   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 188, {status=0x0, info=1}, ) }, 3, 16417, ... 188, {status=0x0, info=1}, ) == 0x0
 01456   456   NtQueryDirectoryFile  (188, 0, 0, 0, 2282656, 616, BothDirectory, 1,  (188, 0, 0, 0, 2282656, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01457   456   NtClose  (188, ... ) == 0x0
 01458   456   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 188, {status=0x0, info=1}, ) }, 3, 16417, ... 188, {status=0x0, info=1}, ) == 0x0
 01459   456   NtQueryDirectoryFile  (188, 0, 0, 0, 2282656, 616, BothDirectory, 1,  (188, 0, 0, 0, 2282656, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01460   456   NtClose  (188, ... ) == 0x0
 01461   456   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 188, {status=0x0, info=1}, ) }, 3, 16417, ... 188, {status=0x0, info=1}, ) == 0x0
 01462   456   NtQueryDirectoryFile  (188, 0, 0, 0, 2282656, 616, BothDirectory, 1,  (188, 0, 0, 0, 2282656, 616, BothDirectory, 1, "eupsvc.exe", 0, ... {status=0x0, info=114}, ) , 0, ... {status=0x0, info=114}, ) == 0x0
 01463   456   NtClose  (188, ... ) == 0x0
 01464   456   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01465   456   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01466   456   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01467   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01468   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 188, ) == 0x0
 01469   456   NtQueryInformationToken  (188, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01470   456   NtClose  (188, ... ) == 0x0
 01471   456   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01472   456   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\eupsvc.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01473   456   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01474   456   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01475   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\eupsvc.exe"}, 2285576, ... ) }, 2285576, ... ) == 0x0
 01476   456   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 188, {status=0x0, info=1}, ) }, 3, 16417, ... 188, {status=0x0, info=1}, ) == 0x0
 01477   456   NtQueryDirectoryFile  (188, 0, 0, 0, 2284936, 616, BothDirectory, 1,  (188, 0, 0, 0, 2284936, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01478   456   NtClose  (188, ... ) == 0x0
 01479   456   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 188, {status=0x0, info=1}, ) }, 3, 16417, ... 188, {status=0x0, info=1}, ) == 0x0
 01480   456   NtQueryDirectoryFile  (188, 0, 0, 0, 2284936, 616, BothDirectory, 1,  (188, 0, 0, 0, 2284936, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01481   456   NtClose  (188, ... ) == 0x0
 01482   456   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 188, {status=0x0, info=1}, ) }, 3, 16417, ... 188, {status=0x0, info=1}, ) == 0x0
 01483   456   NtQueryDirectoryFile  (188, 0, 0, 0, 2284936, 616, BothDirectory, 1,  (188, 0, 0, 0, 2284936, 616, BothDirectory, 1, "eupsvc.exe", 0, ... {status=0x0, info=114}, ) , 0, ... {status=0x0, info=114}, ) == 0x0
 01484   456   NtClose  (188, ... ) == 0x0
 01485   456   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01486   456   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01487   456   NtWaitForSingleObject  (172, 0, {-1000000, -1}, ... ) == 0x0
 01488   456   NtQueryVolumeInformationFile  (148, 2286220, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01489   456   NtAllocateVirtualMemory  (-1, 5115904, 0, 4096, 4096, 4, ... 5115904, 4096, ) == 0x0
 01490   456   NtQueryInformationFile  (148, 2286200, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01491   456   NtQueryInformationFile  (148, 2286240, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01492   456   NtReleaseMutant  (172, ... 0x0, ) == 0x0
 01493   456   NtUnmapViewOfSection  (-1, 0x1000000, ... ) == 0x0
 01494   456   NtClose  (184, ... ) == 0x0
 01495   456   NtClose  (180, ... ) == 0x0
 01496   456   NtQuerySection  (168, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01497   456   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\eupsvc.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01498   456   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 01499   456   NtOpenProcessToken  (-1, 0xa, ... 180, ) == 0x0
 01500   456   NtQueryInformationToken  (180, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 01501   456   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01502   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 184, ) }, ... 184, ) == 0x0
 01503   456   NtQueryValueKey  (184,  (184, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (184, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01504   456   NtQueryValueKey  (184,  (184, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (184, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01505   456   NtClose  (184, ... ) == 0x0
 01506   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 184, ) }, ... 184, ) == 0x0
 01507   456   NtQueryValueKey  (184,  (184, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 01508   456   NtQueryValueKey  (184,  (184, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (184, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0
 01509   456   NtClose  (184, ... ) == 0x0
 01510   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\LevelObjects"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01511   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 184, ) }, ... 184, ) == 0x0
 01512   456   NtQueryValueKey  (184,  (184, "Levels", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01513   456   NtClose  (184, ... ) == 0x0
 01514   456   NtQueryDefaultLocale  (1, 2287032, ... ) == 0x0
 01515   456   NtQueryDefaultLocale  (1, 2287032, ... ) == 0x0
 01516   456   NtQueryDefaultLocale  (1, 2287032, ... ) == 0x0
 01517   456   NtQueryDefaultLocale  (1, 2287032, ... ) == 0x0
 01518   456   NtQueryDefaultLocale  (1, 2287032, ... ) == 0x0
 01519   456   NtQueryDefaultLocale  (1, 2287032, ... ) == 0x0
 01520   456   NtQueryDefaultLocale  (1, 2287032, ... ) == 0x0
 01521   456   NtQueryDefaultLocale  (1, 2287032, ... ) == 0x0
 01522   456   NtQueryDefaultLocale  (1, 2287032, ... ) == 0x0
 01523   456   NtQueryDefaultLocale  (1, 2287032, ... ) == 0x0
 01524   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... 184, ) }, ... 184, ) == 0x0
 01525   456   NtEnumerateKey  (184, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name= (184, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name="{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, 92, ) }, 92, ) == 0x0
 01526   456   NtOpenKey  (0x20019, {24, 184, 0x40, 0, 0,  (0x20019, {24, 184, 0x40, 0, 0, "{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, ... 188, ) }, ... 188, ) == 0x0
 01527   456   NtQueryValueKey  (188,  (188, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) , Partial, 280, ... TitleIdx=0, Type=2, Data= (188, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) }, 202, ) == 0x0
 01528   456   NtQueryValueKey  (188,  (188, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (188, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01529   456   NtClose  (188, ... ) == 0x0
 01530   456   NtEnumerateKey  (184, 1, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES
 01531   456   NtClose  (184, ... ) == 0x0
 01532   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01533   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01534   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01535   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01536   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01537   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01538   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01539   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01540   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01541   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01542   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01543   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01544   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01545   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01546   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01547   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 184, ) == 0x0
 01548   456   NtQueryInformationToken  (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01549   456   NtClose  (184, ... ) == 0x0
 01550   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01551   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01552   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 184, ) == 0x0
 01553   456   NtQueryInformationToken  (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01554   456   NtClose  (184, ... ) == 0x0
 01555   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01556   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01557   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 184, ) == 0x0
 01558   456   NtQueryInformationToken  (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01559   456   NtClose  (184, ... ) == 0x0
 01560   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01561   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01562   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 184, ) == 0x0
 01563   456   NtQueryInformationToken  (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01564   456   NtClose  (184, ... ) == 0x0
 01565   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01566   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01567   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 184, ) == 0x0
 01568   456   NtQueryInformationToken  (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01569   456   NtClose  (184, ... ) == 0x0
 01570   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01571   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01572   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 184, ) == 0x0
 01573   456   NtQueryInformationToken  (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01574   456   NtClose  (184, ... ) == 0x0
 01575   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01576   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01577   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 184, ) == 0x0
 01578   456   NtQueryInformationToken  (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01579   456   NtClose  (184, ... ) == 0x0
 01580   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01581   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01582   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 184, ) == 0x0
 01583   456   NtQueryInformationToken  (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01584   456   NtClose  (184, ... ) == 0x0
 01585   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01586   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01587   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 184, ) == 0x0
 01588   456   NtQueryInformationToken  (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01589   456   NtClose  (184, ... ) == 0x0
 01590   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01591   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01592   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 184, ) == 0x0
 01593   456   NtQueryInformationToken  (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01594   456   NtClose  (184, ... ) == 0x0
 01595   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01596   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01597   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 184, ) == 0x0
 01598   456   NtQueryInformationToken  (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01599   456   NtClose  (184, ... ) == 0x0
 01600   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01601   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01602   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 184, ) == 0x0
 01603   456   NtQueryInformationToken  (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01604   456   NtClose  (184, ... ) == 0x0
 01605   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01606   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01607   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 184, ) == 0x0
 01608   456   NtQueryInformationToken  (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01609   456   NtClose  (184, ... ) == 0x0
 01610   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01611   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01612   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 184, ) == 0x0
 01613   456   NtQueryInformationToken  (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01614   456   NtClose  (184, ... ) == 0x0
 01615   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01616   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01617   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 184, ) == 0x0
 01618   456   NtQueryInformationToken  (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01619   456   NtClose  (184, ... ) == 0x0
 01620   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01621   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 184, ) }, ... 184, ) == 0x0
 01622   456   NtQueryValueKey  (184,  (184, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (184, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Data= (184, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) }, 48, ) == 0x0
 01623   456   NtClose  (184, ... ) == 0x0
 01624   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01625   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 184, ) == 0x0
 01626   456   NtQueryInformationToken  (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01627   456   NtClose  (184, ... ) == 0x0
 01628   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01629   456   NtOpenThreadToken  (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN
 01630   456   NtOpenProcessToken  (-1, 0xa, ... 184, ) == 0x0
 01631   456   NtDuplicateToken  (184, 0xc, {24, 0, 0x0, 0, 2287552, 0x0}, 0, 2, ... 188, ) == 0x0
 01632   456   NtClose  (184, ... ) == 0x0
 01633   456   NtAccessCheck  (5119080, 188, 0x1, 2287680, 2287624, 56, 2287708, ... (0x1), ) == 0x0
 01634   456   NtClose  (188, ... ) == 0x0
 01635   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 188, ) }, ... 188, ) == 0x0
 01636   456   NtQueryValueKey  (188,  (188, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (188, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01637   456   NtClose  (188, ... ) == 0x0
 01638   456   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 188, ) }, ... 188, ) == 0x0
 01639   456   NtQuerySymbolicLinkObject  (188, ...  (188, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0
 01640   456   NtClose  (188, ... ) == 0x0
 01641   456   NtQueryInformationFile  (148, 2286012, 528, Name, ... {status=0x0, info=60}, ) == 0x0
 01642   456   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01643   456   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01644   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\eupsvc.exe"}, 2284692, ... ) }, 2284692, ... ) == 0x0
 01645   456   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 188, {status=0x0, info=1}, ) }, 3, 16417, ... 188, {status=0x0, info=1}, ) == 0x0
 01646   456   NtQueryDirectoryFile  (188, 0, 0, 0, 2284052, 616, BothDirectory, 1,  (188, 0, 0, 0, 2284052, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01647   456   NtClose  (188, ... ) == 0x0
 01648   456   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 188, {status=0x0, info=1}, ) }, 3, 16417, ... 188, {status=0x0, info=1}, ) == 0x0
 01649   456   NtQueryDirectoryFile  (188, 0, 0, 0, 2284052, 616, BothDirectory, 1,  (188, 0, 0, 0, 2284052, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01650   456   NtClose  (188, ... ) == 0x0
 01651   456   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 188, {status=0x0, info=1}, ) }, 3, 16417, ... 188, {status=0x0, info=1}, ) == 0x0
 01652   456   NtQueryDirectoryFile  (188, 0, 0, 0, 2284052, 616, BothDirectory, 1,  (188, 0, 0, 0, 2284052, 616, BothDirectory, 1, "eupsvc.exe", 0, ... {status=0x0, info=114}, ) , 0, ... {status=0x0, info=114}, ) == 0x0
 01653   456   NtClose  (188, ... ) == 0x0
 01654   456   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01655   456   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01656   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01657   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 188, ) == 0x0
 01658   456   NtQueryInformationToken  (188, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01659   456   NtClose  (188, ... ) == 0x0
 01660   456   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 188, ) }, ... 188, ) == 0x0
 01661   456   NtOpenKey  (0x20019, {24, 188, 0x40, 0, 0,  (0x20019, {24, 188, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 184, ) }, ... 184, ) == 0x0
 01662   456   NtClose  (188, ... ) == 0x0
 01663   456   NtQueryValueKey  (184,  (184, "Cache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01664   456   NtQueryValueKey  (184,  (184, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=1, Data= (184, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) }, 162, ) == 0x0
 01665   456   NtClose  (184, ... ) == 0x0
 01666   456   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 8192, 4, ... 16777216, 4096, ) == 0x0
 01667   456   NtAllocateVirtualMemory  (-1, 16777216, 0, 4096, 4096, 4, ... 16777216, 4096, ) == 0x0
 01668   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 184, ) }, ... 184, ) == 0x0
 01669   456   NtQueryValueKey  (184,  (184, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01670   456   NtClose  (184, ... ) == 0x0
 01671   456   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01672   456   NtQueryInformationToken  (180, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0
 01673   456   NtQueryInformationToken  (180, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0
 01674   456   NtClose  (180, ... ) == 0x0
 01675   456   NtCreateProcessEx  (2290288, 2035711, 0, -1, 0, 168, 0, 0, 0, ... ) == 0x0
 01676   456   NtSetInformationProcess  (180, PriorityClass, {process info, class 18, size 2}, 83886592, ... ) == 0x0
 01677   456   NtQueryInformationProcess  (180, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=596,ParentPid=448,}, 0x0, ) == 0x0
 01678   456   NtReadVirtualMemory  (180, 0x7ffdf008, 4, ...  (180, 0x7ffdf008, 4, ... "\0\0@\0", 0x0, ) , 0x0, ) == 0x0
 01679   456   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\eupsvc.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01680   456   NtAllocateVirtualMemory  (-1, 5120000, 0, 8192, 4096, 4, ... 5120000, 8192, ) == 0x0
 01681   456   NtReadVirtualMemory  (180, 0x400000, 4096, ...  (180, 0x400000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\370\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0V^\2517\22?\307d\22?\307d\22?\307d5\371\272d\11?\307d5\371\252d\234?\307d5\371\251d ?\307d\2217\232d\20?\307d\3210\232d\35?\307d\22?\306d\277?\307d5\371\265d\16?\307d5\371\277d\23?\307dRich\22?\307d\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0o\241\3\243"\202\300O\253\236\215\371S\364\26\360PE\0\0L\1\14\0!u\342E\0\0\0\0\0\0\0\0\340\0\3\1\13\1\10\0\0\320\1\0\0\260\0\0\0\0\0\0\0\0\11\0\0\320\5\0\0\340\1\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\15\0\1\0\4\0\0\0\0\0\0\0\34*\14\0\0\20\0\0\4=\4\0\2\0\0\0\0\0 \0\0\20\0\0\0\0 \0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\320\5\0\20\1\0\0\0\220\3\0\260\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\321\5\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.tex", 4096, ) \202\300O\253\236\215\371S\364\26\360PE\0\0L\1\14\0!u\342E\0\0\0\0\0\0\0\0\340\0\3\1\13\1\10\0\0\320\1\0\0\260\0\0\0\0\0\0\0\0\11\0\0\320\5\0\0\340\1\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\15\0\1\0\4\0\0\0\0\0\0\0\34*\14\0\0\20\0\0\4=\4\0\2\0\0\0\0\0 \0\0\20\0\0\0\0 \0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\320\5\0\20\1\0\0\0\220\3\0\260\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\321\5\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.tex", 4096, ) == 0x0
 01682   456   NtReadVirtualMemory  (180, 0x439000, 256, ...  (180, 0x439000, 256, ... "\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\30\0\0\0\30\0\0\200\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\1\0\0\00\0\0\200\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\11\4\0\0H\0\0\0X\220\3\0V\0\0\0\344\4\0\0\0\0\0\0\15\12PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING", 256, ) urn:schemas-microsoft-com:asm.v1 (180, 0x439000, 256, ... "\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\30\0\0\0\30\0\0\200\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\1\0\0\00\0\0\200\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\11\4\0\0H\0\0\0X\220\3\0V\0\0\0\344\4\0\0\0\0\0\0\15\12PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING", 256, ) 1.0 (180, 0x439000, 256, ... "\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\30\0\0\0\30\0\0\200\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\1\0\0\00\0\0\200\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\11\4\0\0H\0\0\0X\220\3\0V\0\0\0\344\4\0\0\0\0\0\0\15\12PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING", 256, ) , 256, ) == 0x0
 01683   456   NtReadVirtualMemory  (180, 0x439018, 24, ...  (180, 0x439018, 24, ... "\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\1\0\0\00\0\0\200", 24, ) , 24, ) == 0x0
 01684   456   NtReadVirtualMemory  (180, 0x439030, 24, ...  (180, 0x439030, 24, ... "\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\11\4\0\0H\0\0\0", 24, ) , 24, ) == 0x0
 01685   456   NtReadVirtualMemory  (180, 0x439048, 16, ...  (180, 0x439048, 16, ... "X\220\3\0V\0\0\0\344\4\0\0\0\0\0\0", 16, ) , 16, ) == 0x0
 01686   456   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\eupsvc.exe.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01687   456   NtQueryInformationProcess  (180, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=596,ParentPid=448,}, 0x0, ) == 0x0
 01688   456   NtAllocateVirtualMemory  (-1, 0, 0, 1716, 4096, 4, ... 16842752, 4096, ) == 0x0
 01689   456   NtAllocateVirtualMemory  (180, 0, 0, 1910, 4096, 4, ... 65536, 4096, ) == 0x0
 01690   456   NtWriteVirtualMemory  (180, 0x10000,  (180, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0
 01691   456   NtAllocateVirtualMemory  (180, 0, 0, 1716, 4096, 4, ... 131072, 4096, ) == 0x0
 01692   456   NtWriteVirtualMemory  (180, 0x20000,  (180, 0x20000, "\0\20\0\0\264\6\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0\10\2\220\2\0\0\0\0\0\0\374\0\376\0\230\4\0\0<\0>\0\230\5\0\0v\0x\0\330\5\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0<\0>\0P\6\0\0\36\0 \0\220\6\0\0\0\0\2\0\260\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1716, ... 0x0, ) , 1716, ... 0x0, ) == 0x0
 01693   456   NtWriteVirtualMemory  (180, 0x7ffdf010,  (180, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 01694   456   NtWriteVirtualMemory  (180, 0x7ffdf1e8,  (180, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 01695   456   NtFreeVirtualMemory  (-1, (0x1010000), 0, 32768, ... (0x1010000), 4096, ) == 0x0
 01696   456   NtAllocateVirtualMemory  (180, 0, 0, 2097152, 8192, 4, ... 196608, 2097152, ) == 0x0
 01697   456   NtAllocateVirtualMemory  (180, 2285568, 0, 8192, 4096, 4, ... 2285568, 8192, ) == 0x0
 01698   456   NtProtectVirtualMemory  (180, (0x22e000), 4096, 260, ... (0x22e000), 4096, 4, ) == 0x0
 01699   456   NtCreateThread  (0x1f03ff, 0x0, 180, 2288552, 2289272, 1, ... 184, {596, 636}, ) == 0x0
 01700   456   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 5048712, 5046272, 5066760, 2290372}  (24, {168, 196, new_msg, 0, 5048712, 5046272, 5066760, 2290372} "\210\6\31\1\0\0\1\0\2$\370w U\367w\267\0\0\0\270\0\0\0T\2\0\0|\2\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\215\26\365w\0\0\0\0\1\0\0\0\0\0\0\0\1\1\1\0<\0@\0\244\6\31\1\224\0\0\0\264\0\0\0\0\0\0\0X\220C\0\0\0\0\0V\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0@\0\344\6\31\1\0\360\375\177\0\0\0\0\0\0\344\0\220\36\344\0" ... {168, 196, reply, 0, 448, 456, 1501, 0} "\320\231\26\0\0\0\1\0\0\0\0\0 U\367w\264\0\0\0\270\0\0\0T\2\0\0|\2\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\215\26\365w\0\0\0\0\1\0\0\0\0\0\0\0\1\1\1\0<\0@\0\244\6\31\1\224\0\0\0\264\0\0\0\0\0\0\0X\220C\0\0\0\0\0V\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0@\0\344\6\31\1\0\360\375\177\0\0\0\0\0\0\344\0\220\36\344\0" )  ... {168, 196, reply, 0, 448, 456, 1501, 0}  (24, {168, 196, new_msg, 0, 5048712, 5046272, 5066760, 2290372} "\210\6\31\1\0\0\1\0\2$\370w U\367w\267\0\0\0\270\0\0\0T\2\0\0|\2\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\215\26\365w\0\0\0\0\1\0\0\0\0\0\0\0\1\1\1\0<\0@\0\244\6\31\1\224\0\0\0\264\0\0\0\0\0\0\0X\220C\0\0\0\0\0V\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0@\0\344\6\31\1\0\360\375\177\0\0\0\0\0\0\344\0\220\36\344\0" ... {168, 196, reply, 0, 448, 456, 1501, 0} "\320\231\26\0\0\0\1\0\0\0\0\0 U\367w\264\0\0\0\270\0\0\0T\2\0\0|\2\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\215\26\365w\0\0\0\0\1\0\0\0\0\0\0\0\1\1\1\0<\0@\0\244\6\31\1\224\0\0\0\264\0\0\0\0\0\0\0X\220C\0\0\0\0\0V\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0@\0\344\6\31\1\0\360\375\177\0\0\0\0\0\0\344\0\220\36\344\0" )  ) == 0x0
 01701   456   NtResumeThread  (184, ... 1, ) == 0x0
 01702   456   NtClose  (148, ... ) == 0x0
 01703   456   NtClose  (168, ... ) == 0x0
 01704   456   NtTerminateProcess  (0, 0, ...
 01415   580   NtDelayExecution  ... ) == 0xc0
 01704   456   NtTerminateProcess  ... ) == 0x0
 01705   456   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x12,}, 4, ... ) == 0x0
 01706   456   NtGdiDeleteObjectApp  (118490118, ... ) == 0x1
 01707   456   NtUserGetProcessWindowStation  (... ) == 0x28
 01708   456   NtUserBuildNameList  (40, 256, 5062168, 2292908, ... ) == 0x0
 01709   456   NtUserGetProcessWindowStation  (... ) == 0x28
 01710   456   NtUserOpenDesktop  ({24, 40, 0x40, 0, 0,  ({24, 40, 0x40, 0, 0, "Default"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x8c
 01711   456   NtUserBuildHwndList  (140, 0, 0, 0, 64, ... (0x100aa, 0x100a8, 0x100a6, 0x20060, 0x100a0, 0x1007e, 0x10074, 0x10068, 0x3004a, 0x10066, 0x3004c, 0x3003c, 0x10098, 0x1008c, 0x1007c, 0x10026, 0x100be, 0x100bc, 0x100ba, 0x100b8, 0x100b6, 0x100b4, 0x100b0, 0x100ae, 0x20064, 0x100ac, 0x20062, 0x1006c, 0x50050, 0x40054, 0x5004e, 0x10082, 0x10076, 0x1, ), 34, ) == 0x0
 01712   456   NtUserQueryWindow  (65706, 0, ... ) == 0x7d4
 01713   456   NtUserQueryWindow  (65706, 1, ... ) == 0x7d8
 01714   456   NtUserQueryWindow  (65704, 0, ... ) == 0x7d4
 01715   456   NtUserQueryWindow  (65704, 1, ... ) == 0x7d8
 01716   456   NtUserQueryWindow  (65702, 0, ... ) == 0x7d4
 01717   456   NtUserQueryWindow  (65702, 1, ... ) == 0x7d8
 01718   456   NtUserQueryWindow  (131168, 0, ... ) == 0x7d4
 01719   456   NtUserQueryWindow  (131168, 1, ... ) == 0x7d8
 01720   456   NtUserQueryWindow  (65696, 0, ... ) == 0x760
 01721   456   NtUserQueryWindow  (65696, 1, ... ) == 0x778
 01722   456   NtUserQueryWindow  (65662, 0, ... ) == 0x760
 01723   456   NtUserQueryWindow  (65662, 1, ... ) == 0x778
 01724   456   NtUserBuildHwndList  (0, 65662, 1, 0, 64, ... (0x10080, 0x10086, 0x10088, 0x1008a, 0x1008e, 0x10090, 0x10092, 0x10094, 0x10096, 0x1009a, 0x1009c, 0x1009e, 0x1, ), 13, ) == 0x0
 01725   456   NtUserQueryWindow  (65664, 0, ... ) == 0x760
 01726   456   NtUserQueryWindow  (65664, 1, ... ) == 0x778
 01727   456   NtUserQueryWindow  (65670, 0, ... ) == 0x760
 01728   456   NtUserQueryWindow  (65670, 1, ... ) == 0x778
 01729   456   NtUserQueryWindow  (65672, 0, ... ) == 0x760
 01730   456   NtUserQueryWindow  (65672, 1, ... ) == 0x778
 01731   456   NtUserQueryWindow  (65674, 0, ... ) == 0x760
 01732   456   NtUserQueryWindow  (65674, 1, ... ) == 0x778
 01733   456   NtUserQueryWindow  (65678, 0, ... ) == 0x760
 01734   456   NtUserQueryWindow  (65678, 1, ... ) == 0x778
 01735   456   NtUserQueryWindow  (65680, 0, ... ) == 0x760
 01736   456   NtUserQueryWindow  (65680, 1, ... ) == 0x778
 01737   456   NtUserQueryWindow  (65682, 0, ... ) == 0x760
 01738   456   NtUserQueryWindow  (65682, 1, ... ) == 0x778
 01739   456   NtUserQueryWindow  (65684, 0, ... ) == 0x760
 01740   456   NtUserQueryWindow  (65684, 1, ... ) == 0x778
 01741   456   NtUserQueryWindow  (65686, 0, ... ) == 0x760
 01742   456   NtUserQueryWindow  (65686, 1, ... ) == 0x778
 01743   456   NtUserQueryWindow  (65690, 0, ... ) == 0x760
 01744   456   NtUserQueryWindow  (65690, 1, ... ) == 0x778
 01745   456   NtUserQueryWindow  (65692, 0, ... ) == 0x760
 01746   456   NtUserQueryWindow  (65692, 1, ... ) == 0x778
 01747   456   NtUserQueryWindow  (65694, 0, ... ) == 0x760
 01748   456   NtUserQueryWindow  (65694, 1, ... ) == 0x778
 01749   456   NtUserQueryWindow  (65652, 0, ... ) == 0x760
 01750   456   NtUserQueryWindow  (65652, 1, ... ) == 0x778
 01751   456   NtUserQueryWindow  (65640, 0, ... ) == 0x760
 01752   456   NtUserQueryWindow  (65640, 1, ... ) == 0x778
 01753   456   NtUserQueryWindow  (196682, 0, ... ) == 0x760
 01754   456   NtUserQueryWindow  (196682, 1, ... ) == 0x778
 01755   456   NtUserQueryWindow  (65638, 0, ... ) == 0x760
 01756   456   NtUserQueryWindow  (65638, 1, ... ) == 0x778
 01757   456   NtUserQueryWindow  (196684, 0, ... ) == 0x760
 01758   456   NtUserQueryWindow  (196684, 1, ... ) == 0x778
 01759   456   NtUserQueryWindow  (196668, 0, ... ) == 0x760
 01760   456   NtUserQueryWindow  (196668, 1, ... ) == 0x778
 01761   456   NtUserBuildHwndList  (0, 196668, 1, 0, 64, ... (0x3003e, 0x30042, 0x30040, 0x30044, 0x30046, 0x30048, 0x1006a, 0x1006e, 0x10072, 0x1, ), 10, ) == 0x0
 01762   456   NtUserQueryWindow  (196670, 0, ... ) == 0x760
 01763   456   NtUserQueryWindow  (196670, 1, ... ) == 0x778
 01764   456   NtUserQueryWindow  (196674, 0, ... ) == 0x760
 01765   456   NtUserQueryWindow  (196674, 1, ... ) == 0x778
 01766   456   NtUserQueryWindow  (196672, 0, ... ) == 0x760
 01767   456   NtUserQueryWindow  (196672, 1, ... ) == 0x778
 01768   456   NtUserQueryWindow  (196676, 0, ... ) == 0x760
 01769   456   NtUserQueryWindow  (196676, 1, ... ) == 0x778
 01770   456   NtUserQueryWindow  (196678, 0, ... ) == 0x760
 01771   456   NtUserQueryWindow  (196678, 1, ... ) == 0x778
 01772   456   NtUserQueryWindow  (196680, 0, ... ) == 0x760
 01773   456   NtUserQueryWindow  (196680, 1, ... ) == 0x778
 01774   456   NtUserQueryWindow  (65642, 0, ... ) == 0x760
 01775   456   NtUserQueryWindow  (65642, 1, ... ) == 0x778
 01776   456   NtUserQueryWindow  (65646, 0, ... ) == 0x760
 01777   456   NtUserQueryWindow  (65646, 1, ... ) == 0x778
 01778   456   NtUserQueryWindow  (65650, 0, ... ) == 0x760
 01779   456   NtUserQueryWindow  (65650, 1, ... ) == 0x778
 01780   456   NtUserQueryWindow  (65688, 0, ... ) == 0x760
 01781   456   NtUserQueryWindow  (65688, 1, ... ) == 0x778
 01782   456   NtUserQueryWindow  (65676, 0, ... ) == 0x760
 01783   456   NtUserQueryWindow  (65676, 1, ... ) == 0x778
 01784   456   NtUserQueryWindow  (65660, 0, ... ) == 0x760
 01785   456   NtUserQueryWindow  (65660, 1, ... ) == 0x764
 01786   456   NtUserQueryWindow  (65574, 0, ... ) == 0x268
 01787   456   NtUserQueryWindow  (65574, 1, ... ) == 0x2c0
 01788   456   NtUserQueryWindow  (65726, 0, ... ) == 0x7dc
 01789   456   NtUserQueryWindow  (65726, 1, ... ) == 0x7e0
 01790   456   NtUserQueryWindow  (65724, 0, ... ) == 0x7dc
 01791   456   NtUserQueryWindow  (65724, 1, ... ) == 0x7e0
 01792   456   NtUserQueryWindow  (65722, 0, ... ) == 0x7dc
 01793   456   NtUserQueryWindow  (65722, 1, ... ) == 0x7e0
 01794   456   NtUserQueryWindow  (65720, 0, ... ) == 0x7dc
 01795   456   NtUserQueryWindow  (65720, 1, ... ) == 0x7e0
 01796   456   NtUserQueryWindow  (65718, 0, ... ) == 0x7dc
 01797   456   NtUserQueryWindow  (65718, 1, ... ) == 0x7e0
 01798   456   NtUserQueryWindow  (65716, 0, ... ) == 0x7dc
 01799   456   NtUserQueryWindow  (65716, 1, ... ) == 0x7e0
 01800   456   NtUserQueryWindow  (65712, 0, ... ) == 0x7dc
 01801   456   NtUserQueryWindow  (65712, 1, ... ) == 0x7e0
 01802   456   NtUserQueryWindow  (65710, 0, ... ) == 0x7dc
 01803   456   NtUserQueryWindow  (65710, 1, ... ) == 0x7e0
 01804   456   NtUserQueryWindow  (131172, 0, ... ) == 0x7e8
 01805   456   NtUserQueryWindow  (131172, 1, ... ) == 0x7ec
 01806   456   NtUserQueryWindow  (65708, 0, ... ) == 0x7d4
 01807   456   NtUserQueryWindow  (65708, 1, ... ) == 0x7d8
 01808   456   NtUserQueryWindow  (131170, 0, ... ) == 0x7cc
 01809   456   NtUserQueryWindow  (131170, 1, ... ) == 0x7d0
 01810   456   NtUserQueryWindow  (65644, 0, ... ) == 0x760
 01811   456   NtUserQueryWindow  (65644, 1, ... ) == 0x794
 01812   456   NtUserQueryWindow  (327760, 0, ... ) == 0x760
 01813   456   NtUserQueryWindow  (327760, 1, ... ) == 0x764
 01814   456   NtUserQueryWindow  (262228, 0, ... ) == 0x760
 01815   456   NtUserQueryWindow  (262228, 1, ... ) == 0x764
 01816   456   NtUserQueryWindow  (327758, 0, ... ) == 0x760
 01817   456   NtUserQueryWindow  (327758, 1, ... ) == 0x764
 01818   456   NtUserQueryWindow  (65666, 0, ... ) == 0x760
 01819   456   NtUserQueryWindow  (65666, 1, ... ) == 0x764
 01820   456   NtUserQueryWindow  (65654, 0, ... ) == 0x760
 01821   456   NtUserQueryWindow  (65654, 1, ... ) == 0x764
 01822   456   NtUserBuildHwndList  (0, 65654, 1, 0, 64, ... (0x10078, 0x1007a, 0x1, ), 3, ) == 0x0
 01823   456   NtUserQueryWindow  (65656, 0, ... ) == 0x760
 01824   456   NtUserQueryWindow  (65656, 1, ... ) == 0x764
 01825   456   NtUserQueryWindow  (65658, 0, ... ) == 0x760
 01826   456   NtUserQueryWindow  (65658, 1, ... ) == 0x764
 01827   456   NtUserCloseDesktop  (140, ...
 01828   456   NtClose  (140, ... ) == 0x0
 01827   456   NtUserCloseDesktop  ... ) == 0x1
 01829   456   NtUserGetProcessWindowStation  (... ) == 0x28
 01830   456   NtUserOpenDesktop  ({24, 40, 0x40, 0, 0,  ({24, 40, 0x40, 0, 0, "Disconnect"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0
 01831   456   NtUserGetProcessWindowStation  (... ) == 0x28
 01832   456   NtUserOpenDesktop  ({24, 40, 0x40, 0, 0,  ({24, 40, 0x40, 0, 0, "Winlogon"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0
 01833   456   NtUnmapViewOfSection  (-1, 0xf90000, ... ) == 0x0
 01834   456   NtClose  (152, ... ) == 0x0
 01835   456   NtGdiDeleteObjectApp  (420086657, ... ) == 0x1
 01836   456   NtGdiDeleteObjectApp  (252314623, ... ) == 0x1
 01837   456   NtClose  (144, ... ) == 0x0
 01838   456   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x11,}, 4, ... ) == 0x0
 01839   456   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xe,}, 4, ... ) == 0x0
 01840   456   NtFreeVirtualMemory  (-1, (0xe50000), 0, 32768, ... (0xe50000), 262144, ) == 0x0
 01841   456   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xd,}, 4, ... ) == 0x0
 01842   456   NtClose  (96, ... ) == 0x0
 01843   456   NtUnmapViewOfSection  (-1, 0xb20000, ... ) == 0x0
 01844   456   NtClose  (100, ... ) == 0x0
 01845   456   NtClose  (80, ... ) == 0x0
 01846   456   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xa,}, 4, ... ) == 0x0
 01847   456   NtUserGetClassInfo  (1905590272, 2292956, 2292908, 2292984, 0, ... ) == 0xc03b
 01848   456   NtUserUnregisterClass  (2292960, 1905590272, 2292948, ... ) == 0x1
 01849   456   NtUserGetClassInfo  (1905590272, 2292956, 2292908, 2292984, 0, ... ) == 0xc03d
 01850   456   NtUserUnregisterClass  (2292960, 1905590272, 2292948, ... ) == 0x1
 01851   456   NtUserGetClassInfo  (1905590272, 2292956, 2292908, 2292984, 0, ... ) == 0xc03f
 01852   456   NtUserUnregisterClass  (2292960, 1905590272, 2292948, ... ) == 0x1
 01853   456   NtUserGetClassInfo  (1905590272, 2292956, 2292908, 2292984, 0, ... ) == 0xc041
 01854   456   NtUserUnregisterClass  (2292960, 1905590272, 2292948, ... ) == 0x1
 01855   456   NtUserGetClassInfo  (1905590272, 2292956, 2292908, 2292984, 0, ... ) == 0xc043
 01856   456   NtUserUnregisterClass  (2292960, 1905590272, 2292948, ... ) == 0x1
 01857   456   NtUserGetClassInfo  (1905590272, 2292956, 2292908, 2292984, 0, ... ) == 0xc045
 01858   456   NtUserUnregisterClass  (2292960, 1905590272, 2292948, ... ) == 0x1
 01859   456   NtUserGetClassInfo  (1905590272, 2292956, 2292908, 2292984, 0, ... ) == 0xc047
 01860   456   NtUserUnregisterClass  (2292960, 1905590272, 2292948, ... ) == 0x1
 01861   456   NtUserGetClassInfo  (1905590272, 2292956, 2292908, 2292984, 0, ... ) == 0xc049
 01862   456   NtUserUnregisterClass  (2292960, 1905590272, 2292948, ... ) == 0x1
 01863   456   NtUserGetClassInfo  (1905590272, 2292956, 2292908, 2292984, 0, ... ) == 0xc04b
 01864   456   NtUserUnregisterClass  (2292960, 1905590272, 2292948, ... ) == 0x1
 01865   456   NtUserGetClassInfo  (1905590272, 2292956, 2292908, 2292984, 0, ... ) == 0xc04d
 01866   456   NtUserUnregisterClass  (2292960, 1905590272, 2292948, ... ) == 0x1
 01867   456   NtUserGetClassInfo  (1905590272, 2292956, 2292908, 2292984, 0, ... ) == 0xc04f
 01868   456   NtUserUnregisterClass  (2292960, 1905590272, 2292948, ... ) == 0x1
 01869   456   NtUserGetClassInfo  (1905590272, 2292956, 2292908, 2292984, 0, ... ) == 0xc051
 01870   456   NtUserUnregisterClass  (2292960, 1905590272, 2292948, ... ) == 0x1
 01871   456   NtUserGetClassInfo  (1905590272, 2292956, 2292908, 2292984, 0, ... ) == 0xc053
 01872   456   NtUserUnregisterClass  (2292960, 1905590272, 2292948, ... ) == 0x1
 01873   456   NtUserGetClassInfo  (1905590272, 2292956, 2292908, 2292984, 0, ... ) == 0xc057
 01874   456   NtUserUnregisterClass  (2292960, 1905590272, 2292948, ... ) == 0x1
 01875   456   NtUserGetClassInfo  (1905590272, 2292956, 2292908, 2292984, 0, ... ) == 0xc059
 01876   456   NtUserUnregisterClass  (2292960, 1905590272, 2292948, ... ) == 0x1
 01877   456   NtUserGetClassInfo  (1905590272, 2292956, 2292908, 2292984, 0, ... ) == 0xc05b
 01878   456   NtUserUnregisterClass  (2292960, 1905590272, 2292948, ... ) == 0x1
 01879   456   NtUserGetClassInfo  (1905590272, 2292956, 2292908, 2292984, 0, ... ) == 0xc05d
 01880   456   NtUserUnregisterClass  (2292960, 1905590272, 2292948, ... ) == 0x1
 01881   456   NtUserGetClassInfo  (1905590272, 2292956, 2292908, 2292984, 0, ... ) == 0xc05f
 01882   456   NtUserUnregisterClass  (2292960, 1905590272, 2292948, ... ) == 0x1
 01883   456   NtUserGetClassInfo  (1905590272, 2292956, 2292908, 2292984, 0, ... ) == 0xc017
 01884   456   NtUserUnregisterClass  (2292960, 1905590272, 2292948, ... ) == 0x1
 01885   456   NtUserGetClassInfo  (1905590272, 2292956, 2292908, 2292984, 0, ... ) == 0xc019
 01886   456   NtUserUnregisterClass  (2292960, 1905590272, 2292948, ... ) == 0x1
 01887   456   NtUserGetClassInfo  (1905590272, 2292956, 2292908, 2292984, 0, ... ) == 0xc018
 01888   456   NtUserUnregisterClass  (2292960, 1905590272, 2292948, ... ) == 0x1
 01889   456   NtUserGetClassInfo  (1905590272, 2292956, 2292908, 2292984, 0, ... ) == 0xc01a
 01890   456   NtUserUnregisterClass  (2292960, 1905590272, 2292948, ... ) == 0x1
 01891   456   NtUserGetClassInfo  (1905590272, 2292956, 2292908, 2292984, 0, ... ) == 0xc01c
 01892   456   NtUserUnregisterClass  (2292960, 1905590272, 2292948, ... ) == 0x1
 01893   456   NtUserGetClassInfo  (1905590272, 2292956, 2292908, 2292984, 0, ... ) == 0xc01e
 01894   456   NtUserUnregisterClass  (2292960, 1905590272, 2292948, ... ) == 0x1
 01895   456   NtUserGetClassInfo  (1905590272, 2292956, 2292908, 2292984, 0, ... ) == 0xc01b
 01896   456   NtUserUnregisterClass  (2292960, 1905590272, 2292948, ... ) == 0x1
 01897   456   NtUserGetClassInfo  (1905590272, 2292956, 2292908, 2292984, 0, ... ) == 0xc068
 01898   456   NtUserUnregisterClass  (2292960, 1905590272, 2292948, ... ) == 0x1
 01899   456   NtUserGetClassInfo  (1905590272, 2292956, 2292908, 2292984, 0, ... ) == 0xc06a
 01900   456   NtUserUnregisterClass  (2292960, 1905590272, 2292948, ... ) == 0x1
 01901   456   NtUnmapViewOfSection  (-1, 0xb30000, ... ) == 0x0
 01902   456   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x4,}, 4, ... ) == 0x0
 01903   456   NtClose  (132, ... ) == 0x0
 01904   456   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x1,}, 4, ... ) == 0x0
 01905   456   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x2,}, 4, ... ) == 0x0
 01906   456   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x3,}, 4, ... ) == 0x0
 01907   456   NtUserGetClassInfo  (1999896576, 2292956, 2292908, 2292984, 0, ... ) == 0xc03b
 01908   456   NtUserUnregisterClass  (2292960, 1999896576, 2292948, ... ) == 0x1
 01909   456   NtUserGetClassInfo  (1999896576, 2292956, 2292908, 2292984, 0, ... ) == 0xc03d
 01910   456   NtUserUnregisterClass  (2292960, 1999896576, 2292948, ... ) == 0x1
 01911   456   NtUserGetClassInfo  (1999896576, 2292956, 2292908, 2292984, 0, ... ) == 0xc03f
 01912   456   NtUserUnregisterClass  (2292960, 1999896576, 2292948, ... ) == 0x1
 01913   456   NtUserGetClassInfo  (1999896576, 2292956, 2292908, 2292984, 0, ... ) == 0xc041
 01914   456   NtUserUnregisterClass  (2292960, 1999896576, 2292948, ... ) == 0x1
 01915   456   NtUserGetClassInfo  (1999896576, 2292956, 2292908, 2292984, 0, ... ) == 0xc043
 01916   456   NtUserUnregisterClass  (2292960, 1999896576, 2292948, ... ) == 0x1
 01917   456   NtUserGetClassInfo  (1999896576, 2292956, 2292908, 2292984, 0, ... ) == 0xc045
 01918   456   NtUserUnregisterClass  (2292960, 1999896576, 2292948, ... ) == 0x1
 01919   456   NtUserGetClassInfo  (1999896576, 2292956, 2292908, 2292984, 0, ... ) == 0xc047
 01920   456   NtUserUnregisterClass  (2292960, 1999896576, 2292948, ... ) == 0x1
 01921   456   NtUserGetClassInfo  (1999896576, 2292956, 2292908, 2292984, 0, ... ) == 0xc049
 01922   456   NtUserUnregisterClass  (2292960, 1999896576, 2292948, ... ) == 0x1
 01923   456   NtUserGetClassInfo  (1999896576, 2292956, 2292908, 2292984, 0, ... ) == 0xc04b
 01924   456   NtUserUnregisterClass  (2292960, 1999896576, 2292948, ... ) == 0x1
 01925   456   NtUserGetClassInfo  (1999896576, 2292956, 2292908, 2292984, 0, ... ) == 0xc04d
 01926   456   NtUserUnregisterClass  (2292960, 1999896576, 2292948, ... ) == 0x1
 01927   456   NtUserGetClassInfo  (1999896576, 2292956, 2292908, 2292984, 0, ... ) == 0xc04f
 01928   456   NtUserUnregisterClass  (2292960, 1999896576, 2292948, ... ) == 0x1
 01929   456   NtUserGetClassInfo  (1999896576, 2292956, 2292908, 2292984, 0, ... ) == 0xc051
 01930   456   NtUserUnregisterClass  (2292960, 1999896576, 2292948, ... ) == 0x1
 01931   456   NtUserGetClassInfo  (1999896576, 2292956, 2292908, 2292984, 0, ... ) == 0xc053
 01932   456   NtUserUnregisterClass  (2292960, 1999896576, 2292948, ... ) == 0x1
 01933   456   NtUserGetClassInfo  (1999896576, 2292956, 2292908, 2292984, 0, ... ) == 0xc057
 01934   456   NtUserUnregisterClass  (2292960, 1999896576, 2292948, ... ) == 0x1
 01935   456   NtUserGetClassInfo  (1999896576, 2292956, 2292908, 2292984, 0, ... ) == 0xc059
 01936   456   NtUserUnregisterClass  (2292960, 1999896576, 2292948, ... ) == 0x1
 01937   456   NtUserGetClassInfo  (1999896576, 2292956, 2292908, 2292984, 0, ... ) == 0xc05b
 01938   456   NtUserUnregisterClass  (2292960, 1999896576, 2292948, ... ) == 0x1
 01939   456   NtUserGetClassInfo  (1999896576, 2292956, 2292908, 2292984, 0, ... ) == 0xc05d
 01940   456   NtUserUnregisterClass  (2292960, 1999896576, 2292948, ... ) == 0x1
 01941   456   NtUserGetClassInfo  (1999896576, 2292956, 2292908, 2292984, 0, ... ) == 0xc05f
 01942   456   NtUserUnregisterClass  (2292960, 1999896576, 2292948, ... ) == 0x1
 01943   456   NtFreeVirtualMemory  (-1, (0x1000000), 4096, 32768, ... (0x1000000), 4096, ) == 0x0
 01944   456   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, -1, 4199054, 4310954, 4421244}  (24, {20, 48, new_msg, 0, -1, 4199054, 4310954, 4421244} "\0\0\0\0\3\0\1\0\320vC\0C:\W\0\0\0\0" ... {20, 48, reply, 0, 448, 456, 1514, 0} "\0\0\0\0\3\0\1\0\0\0\0\0C:\W\0\0\0\0" )  ... {20, 48, reply, 0, 448, 456, 1514, 0}  (24, {20, 48, new_msg, 0, -1, 4199054, 4310954, 4421244} "\0\0\0\0\3\0\1\0\320vC\0C:\W\0\0\0\0" ... {20, 48, reply, 0, 448, 456, 1514, 0} "\0\0\0\0\3\0\1\0\0\0\0\0C:\W\0\0\0\0" )  ) == 0x0
 01945   456   NtTerminateProcess  (-1, 0, ...
 01946   456   NtClose  (44, ... ) == 0x0
NtAddAtom(>)	1	NtAccessCheck(>)	2	NtUserGetObjectInformation(>)	3	NtQueryDebugFilterState(>)	15
NtConnectPort(>)	1	NtCallbackReturn(>)	2	NtUserOpenDesktop(>)	3	NtQueryDefaultLocale(>)	15
NtCreateProcessEx(>)	1	NtCreateThread(>)	2	NtCreateKey(>)	4	NtRequestWaitReplyPort(>)	15
NtDuplicateToken(>)	1	NtEnumerateKey(>)	2	NtCreateSemaphore(>)	4	NtUnmapViewOfSection(>)	16
NtEnumerateValueKey(>)	1	NtGdiCreateBitmap(>)	2	NtGdiCreateCompatibleDC(>)	4	NtQueryInformationFile(>)	17
NtFsControlFile(>)	1	NtGdiCreatePatternBrushInternal(>)	2	NtQueryVirtualMemory(>)	4	NtQueryDirectoryFile(>)	19
NtGdiBitBlt(>)	1	NtGdiCreateSolidBrush(>)	2	NtReleaseMutant(>)	4	NtUserGetWindowDC(>)	19
NtGdiCreateCompatibleBitmap(>)	1	NtGdiDoPalette(>)	2	NtSetEventBoostPriority(>)	4	NtUserRegisterWindowMessage(>)	19
NtGdiCreateDIBitmapInternal(>)	1	NtGdiGetDIBitsInternal(>)	2	NtUserFindWindowEx(>)	4	NtUserCallOneParam(>)	23
NtGdiInit(>)	1	NtGdiStretchDIBitsInternal(>)	2	NtWriteVirtualMemory(>)	4	NtCreateSection(>)	24
NtGdiQueryFontAssocInfo(>)	1	NtOpenDirectoryObject(>)	2	NtGdiGetStockObject(>)	5	NtOpenProcessTokenEx(>)	27
NtNotifyChangeKey(>)	1	NtOpenEvent(>)	2	NtOpenProcessToken(>)	5	NtOpenThreadTokenEx(>)	27
NtOpenKeyedEvent(>)	1	NtOpenSymbolicLinkObject(>)	2	NtUserGetProcessWindowStation(>)	5	NtReadVirtualMemory(>)	28
NtQueryInformationJobObject(>)	1	NtQueryInstallUILanguage(>)	2	NtQueryVolumeInformationFile(>)	6	NtQuerySystemInformation(>)	30
NtQueryInformationThread(>)	1	NtQuerySymbolicLinkObject(>)	2	NtWriteFile(>)	6	NtOpenSection(>)	34
NtQueryObject(>)	1	NtRaiseException(>)	2	NtFreeVirtualMemory(>)	7	NtQueryInformationToken(>)	34
NtQueryPerformanceCounter(>)	1	NtRegisterThreadTerminatePort(>)	2	NtOpenProcess(>)	7	NtQueryValueKey(>)	41
NtReleaseSemaphore(>)	1	NtResumeThread(>)	2	NtSetInformationProcess(>)	7	NtOpenFile(>)	45
NtSecureConnectPort(>)	1	NtSetInformationFile(>)	2	NtUserCallNoParam(>)	7	NtUserUnregisterClass(>)	45
NtSetEvent(>)	1	NtTestAlert(>)	2	NtCreateEvent(>)	8	NtMapViewOfSection(>)	46
NtSetSecurityObject(>)	1	NtUserCloseDesktop(>)	2	NtCreateFile(>)	8	NtProtectVirtualMemory(>)	50
NtSetValueKey(>)	1	NtUserCreateWindowEx(>)	2	NtGdiDeleteObjectApp(>)	8	NtQueryAttributesFile(>)	50
NtUserBuildNameList(>)	1	NtUserGetThreadDesktop(>)	2	NtQueryDefaultUILanguage(>)	8	NtUserFindExistingCursorIcon(>)	51
NtUserGetAncestor(>)	1	NtUserMessageCall(>)	2	NtUserBuildHwndList(>)	8	NtUserRegisterClassExWOW(>)	64
NtUserGetClassName(>)	1	NtCreateMutant(>)	3	NtContinue(>)	9	NtUserGetClassInfo(>)	82
NtUserGetGUIThreadInfo(>)	1	NtDelayExecution(>)	3	NtGdiSelectBitmap(>)	9	NtAllocateVirtualMemory(>)	83
NtUserGetIconInfo(>)	1	NtDuplicateObject(>)	3	NtWaitForSingleObject(>)	9	NtOpenKey(>)	106
NtUserGetIconSize(>)	1	NtGdiExtGetObjectW(>)	3	NtSetInformationThread(>)	10	NtClose(>)	181
NtUserGetThreadState(>)	1	NtGdiHfontCreate(>)	3	NtFlushInstructionCache(>)	11	NtOpenMutant(>)	201
NtUserRemoveProp(>)	1	NtOpenThreadToken(>)	3	NtUserSystemParametersInfo(>)	11	NtUserQueryWindow(>)	244
NtUserSetCursorIconData(>)	1	NtSetInformationObject(>)	3	NtQueryInformationProcess(>)	12
NtUserSetProp(>)	1	NtTerminateProcess(>)	3	NtQuerySection(>)	13
NtUserSetWindowPos(>)	1