Summary:





NtAddAtom(>)  1 
NtUserGetDC(>)  1 
NtUserBuildHwndList(>)  4 
NtQueryDefaultLocale(>)  15 


NtCallbackReturn(>)  1 
NtUserGetThreadDesktop(>)  1 
NtUserFindWindowEx(>)  4 
NtUnmapViewOfSection(>)  15 


NtCreateProcessEx(>)  1 
NtAccessCheck(>)  2 
NtWaitForSingleObject(>)  4 
NtCreateSection(>)  18 


NtCreateThread(>)  1 
NtCreateKey(>)  2 
NtWriteFile(>)  4 
NtUserRegisterWindowMessage(>)  19 


NtDuplicateToken(>)  1 
NtEnumerateKey(>)  2 
NtWriteVirtualMemory(>)  4 
NtOpenProcessTokenEx(>)  25 


NtEnumerateValueKey(>)  1 
NtGdiCreateSolidBrush(>)  2 
NtFreeVirtualMemory(>)  5 
NtOpenThreadTokenEx(>)  25 


NtFsControlFile(>)  1 
NtOpenDirectoryObject(>)  2 
NtGdiGetStockObject(>)  5 
NtQueryAttributesFile(>)  25 


NtGdiCreateBitmap(>)  1 
NtOpenEvent(>)  2 
NtOpenProcessToken(>)  5 
NtQuerySystemInformation(>)  27 


NtGdiInit(>)  1 
NtOpenSymbolicLinkObject(>)  2 
NtCreateFile(>)  6 
NtReadVirtualMemory(>)  28 


NtGdiQueryFontAssocInfo(>)  1 
NtOpenThreadToken(>)  2 
NtQueryVolumeInformationFile(>)  6 
NtOpenSection(>)  29 


NtGdiSelectBitmap(>)  1 
NtQueryInstallUILanguage(>)  2 
NtSetInformationThread(>)  6 
NtQueryInformationToken(>)  31 


NtNotifyChangeKey(>)  1 
NtQuerySymbolicLinkObject(>)  2 
NtOpenProcess(>)  7 
NtOpenFile(>)  34 


NtOpenKeyedEvent(>)  1 
NtRaiseException(>)  2 
NtSetInformationProcess(>)  7 
NtQueryValueKey(>)  38 


NtQueryInformationJobObject(>)  1 
NtSetInformationFile(>)  2 
NtContinue(>)  8 
NtMapViewOfSection(>)  39 


NtQueryObject(>)  1 
NtTerminateProcess(>)  2 
NtQueryDefaultUILanguage(>)  8 
NtProtectVirtualMemory(>)  41 


NtQueryPerformanceCounter(>)  1 
NtCreateEvent(>)  3 
NtQuerySection(>)  8 
NtUserUnregisterClass(>)  45 


NtRegisterThreadTerminatePort(>)  1 
NtCreateSemaphore(>)  3 
NtRequestWaitReplyPort(>)  8 
NtUserFindExistingCursorIcon(>)  48 


NtResumeThread(>)  1 
NtDuplicateObject(>)  3 
NtQueryDirectoryFile(>)  10 
NtAllocateVirtualMemory(>)  51 


NtSecureConnectPort(>)  1 
NtGdiCreateCompatibleDC(>)  3 
NtUserSystemParametersInfo(>)  10 
NtUserRegisterClassExWOW(>)  63 


NtSetSecurityObject(>)  1 
NtOpenMutant(>)  3 
NtFlushInstructionCache(>)  11 
NtUserGetClassInfo(>)  82 


NtTestAlert(>)  1 
NtSetInformationObject(>)  3 
NtQueryInformationProcess(>)  12 
NtOpenKey(>)  102 


NtUserCallNoParam(>)  1 
NtQueryVirtualMemory(>)  4 
NtQueryInformationFile(>)  13 
NtUserQueryWindow(>)  132 


NtUserCallOneParam(>)  1 
NtReleaseMutant(>)  4 
NtQueryDebugFilterState(>)  15 
NtClose(>)  154 





Trace:

 00001   420   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002   420   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00003   420   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00004   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1376256, 1048576, ) == 0x0
 00005   420   NtAllocateVirtualMemory  (-1, 1376256, 0, 4096, 4096, 4, ... 1376256, 4096, ) == 0x0
 00006   420   NtAllocateVirtualMemory  (-1, 1380352, 0, 8192, 4096, 4, ... 1380352, 8192, ) == 0x0
 00007   420   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00008   420   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2424832, 65536, ) == 0x0
 00009   420   NtAllocateVirtualMemory  (-1, 2424832, 0, 24576, 4096, 4, ... 2424832, 24576, ) == 0x0
 00010   420   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00011   420   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00012   420   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00013   420   NtClose  (12, ... ) == 0x0
 00014   420   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00015   420   NtQueryVolumeInformationFile  (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00016   420   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER
 00017   420   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018   420   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019   420   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0
 00020   420   NtClose  (16, ... ) == 0x0
 00021   420   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00022   420   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00023   420   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00024   420   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1385272, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2490368, 18677760}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1385272, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2490368, 18677760}, {0, 0, 0}, 200, 44, ) == 0x0
 00025   420   NtClose  (16, ... ) == 0x0
 00026   420   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00027   420   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00028   420   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00029   420   NtQueryVirtualMemory  (-1, 0x260000, Basic, 28, ... {BaseAddress=0x260000,AllocationBase=0x260000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00030   420   NtAllocateVirtualMemory  (-1, 2490368, 0, 4096, 4096, 4, ... 2490368, 4096, ) == 0x0
 00031   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\35\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\35\1\4\0\0\0" ... {28, 56, reply, 0, 412, 420, 1481, 0} "\20>\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\35\1\4\0\0\0" )  ... {28, 56, reply, 0, 412, 420, 1481, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\35\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\35\1\4\0\0\0" ... {28, 56, reply, 0, 412, 420, 1481, 0} "\20>\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\35\1\4\0\0\0" )  ) == 0x0
 00032   420   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00033   420   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00034   420   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00035   420   NtClose  (16, ... ) == 0x0
 00036   420   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00037   420   NtOpenMutant  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0
 00038   420   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 28, ) == 0x0
 00039   420   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x270000), 0x0, 90112, ) == 0x0
 00040   420   NtClose  (28, ... ) == 0x0
 00041   420   NtQueryDefaultLocale  (0, 2012046252, ... ) == 0x0
 00042   420   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0
 00043   420   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x290000), 0x0, 212992, ) == 0x0
 00044   420   NtClose  (28, ... ) == 0x0
 00045   420   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0
 00046   420   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2d0000), 0x0, 266240, ) == 0x0
 00047   420   NtQuerySection  (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00048   420   NtClose  (28, ... ) == 0x0
 00049   420   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0
 00050   420   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x320000), 0x0, 24576, ) == 0x0
 00051   420   NtClose  (28, ... ) == 0x0
 00052   420   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00053   420   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00054   420   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00055   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\35\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\35\18\6\0\0" ... {28, 56, reply, 0, 412, 420, 1484, 0} "\10\260\27\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\35\18\6\0\0" )  ... {28, 56, reply, 0, 412, 420, 1484, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\35\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\35\18\6\0\0" ... {28, 56, reply, 0, 412, 420, 1484, 0} "\10\260\27\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\35\18\6\0\0" )  ) == 0x0
 00056   420   NtProtectVirtualMemory  (-1, (0x45d000), 204800, 4, ... (0x45d000), 204800, 128, ) == 0x0
 00057   420   NtProtectVirtualMemory  (-1, (0x45d000), 204800, 128, ... (0x45d000), 204800, 4, ) == 0x0
 00058   420   NtFlushInstructionCache  (-1, 4575232, 204800, ... ) == 0x0
 00059   420   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "user32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00060   420   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0
 00061   420   NtClose  (28, ... ) == 0x0
 00062   420   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00063   420   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0
 00064   420   NtClose  (28, ... ) == 0x0
 00065   420   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00066   420   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0
 00067   420   NtClose  (28, ... ) == 0x0
 00068   420   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00069   420   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0
 00070   420   NtClose  (28, ... ) == 0x0
 00071   420   NtProtectVirtualMemory  (-1, (0x45d000), 204800, 4, ... (0x45d000), 204800, 64, ) == 0x0
 00072   420   NtProtectVirtualMemory  (-1, (0x45d000), 204800, 64, ... (0x45d000), 204800, 4, ) == 0x0
 00073   420   NtFlushInstructionCache  (-1, 4575232, 204800, ... ) == 0x0
 00074   420   NtOpenProcessToken  (-1, 0x8, ... 28, ) == 0x0
 00075   420   NtQueryInformationToken  (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00076   420   NtClose  (28, ... ) == 0x0
 00077   420   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00078   420   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00079   420   NtClose  (28, ... ) == 0x0
 00080   420   NtAllocateVirtualMemory  (-1, 1388544, 0, 4096, 4096, 4, ... 1388544, 4096, ) == 0x0
 00081   420   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00082   420   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00083   420   NtQueryValueKey  (28,  (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00084   420   NtClose  (28, ... ) == 0x0
 00085   420   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0
 00086   420   NtQueryValueKey  (28,  (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00087   420   NtClose  (28, ... ) == 0x0
 00088   420   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0
 00089   420   NtSetInformationObject  (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0
 00090   420   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00091   420   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00092   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0}  (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0} "\210\6\35\1\0\0\0\0\314\4\23\0!\215\30\34\3\0\0\0\234\6\35\1$\1\0\0" ... {28, 56, reply, 0, 412, 420, 1486, 0} "XQ\26\0\0\0\0\0\0\0\0\0!\215\30\34\3\0\0\0\234\6\35\1$\1\0\0" )  ... {28, 56, reply, 0, 412, 420, 1486, 0}  (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0} "\210\6\35\1\0\0\0\0\314\4\23\0!\215\30\34\3\0\0\0\234\6\35\1$\1\0\0" ... {28, 56, reply, 0, 412, 420, 1486, 0} "XQ\26\0\0\0\0\0\0\0\0\0!\215\30\34\3\0\0\0\234\6\35\1$\1\0\0" )  ) == 0x0
 00093   420   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00094   420   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x4a0000), 0x0, 1060864, ) == 0x0
 00095   420   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 36, ) == 0x0
 00096   420   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00097   420   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482020, ) == 0x0
 00098   420   NtQueryInformationToken  (-2147482020, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00099   420   NtQueryInformationToken  (-2147482020, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00100   420   NtClose  (-2147482020, ... ) == 0x0
 00101   420   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 5963776, 4096, ) == 0x0
 00102   420   NtFreeVirtualMemory  (-1, (0x5b0000), 4096, 32768, ... (0x5b0000), 4096, ) == 0x0
 00103   420   NtDuplicateObject  (-1, 40, -1, 0x0, 0, 2, ... 48, ) == 0x0
 00104   420   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00105   420   NtQueryValueKey  (-2147482020,  (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00106   420   NtClose  (-2147482020, ... ) == 0x0
 00107   420   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00108   420   NtQueryValueKey  (-2147482020,  (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00109   420   NtClose  (-2147482020, ... ) == 0x0
 00110   420   NtQueryDefaultLocale  (0, -130905588, ... ) == 0x0
 00111   420   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00112   420   NtUserCallNoParam  (24, ... ) == 0x0
 00113   420   NtGdiCreateCompatibleDC  (0, ...
 00114   420   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 5963776, 4096, ) == 0x0
 00113   420   NtGdiCreateCompatibleDC  ... ) == 0x100103c9
 00115   420   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00116   420   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00117   420   NtGdiCreateBitmap  (8, 8, 1, 1, 2010393708, ... ) == 0xf0503d5
 00118   420   NtGdiCreateSolidBrush  (0, 0, ...
 00119   420   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 9175040, 4096, ) == 0x0
 00118   420   NtGdiCreateSolidBrush  ... ) == 0x111003d7
 00120   420   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00121   420   NtGdiCreateCompatibleDC  (0, ... ) == 0x3e01040c
 00122   420   NtGdiSelectBitmap  (1040253964, 251986901, ... ) == 0x185000f
 00123   420   NtUserGetThreadDesktop  (420, 0, ... ) == 0x2c
 00124   420   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 52, ) }, ... 52, ) == 0x0
 00125   420   NtQueryValueKey  (52,  (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00126   420   NtClose  (52, ... ) == 0x0
 00127   420   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00128   420   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 673, 128, 0, ... ) == 0x810dc017
 00129   420   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00130   420   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 674, 128, 0, ... ) == 0x810dc01c
 00131   420   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00132   420   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 675, 128, 0, ... ) == 0x810dc01e
 00133   420   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00134   420   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 676, 128, 0, ... ) == 0x810d8002
 00135   420   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10013
 00136   420   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 677, 128, 0, ... ) == 0x810dc018
 00137   420   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00138   420   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 678, 128, 0, ... ) == 0x810dc01a
 00139   420   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00140   420   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 679, 128, 0, ... ) == 0x810dc01d
 00141   420   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00142   420   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 681, 128, 0, ...
 00143   420   NtAllocateVirtualMemory  (-1, 6123520, 0, 4096, 4096, 32, ... 6123520, 4096, ) == 0x0
 00142   420   NtUserRegisterClassExWOW  ... ) == 0x810dc026
 00144   420   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00145   420   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 680, 128, 0, ... ) == 0x810dc019
 00146   420   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc020
 00147   420   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810dc022
 00148   420   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc023
 00149   420   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810dc024
 00150   420   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc025
 00151   420   NtCallbackReturn  (0, 0, 0, ...
 00152   420   NtGdiInit  (... ) == 0x1
 00153   420   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00154   420   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00155   420   NtAllocateVirtualMemory  (-1, 0, 0, 17506, 4096, 4, ... 9240576, 20480, ) == 0x0
 00156   420   NtFreeVirtualMemory  (-1, (0x8d0000), 0, 32768, ... (0x8d0000), 20480, ) == 0x0
 00157   420   NtQueryVirtualMemory  (-1, 0x401000, Basic, 52, ... {BaseAddress=0x401000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0x23000,State=0x1000,Protect=0x80,Type=0x1000000,}, 28, ) == 0x0
 00158   420   NtQueryVirtualMemory  (-1, 0x45754c, Basic, 28, ... {BaseAddress=0x457000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0x6000,State=0x1000,Protect=0x4,Type=0x1000000,}, 28, ) == 0x0
 00159   420   NtAllocateVirtualMemory  (-1, 1392640, 0, 4096, 4096, 4, ... 1392640, 4096, ) == 0x0
 00160   420   NtProtectVirtualMemory  (-1, (0x4001f0), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00161   420   NtProtectVirtualMemory  (-1, (0x4001f0), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00162   420   NtProtectVirtualMemory  (-1, (0x400218), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00163   420   NtProtectVirtualMemory  (-1, (0x400218), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00164   420   NtProtectVirtualMemory  (-1, (0x400240), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00165   420   NtProtectVirtualMemory  (-1, (0x400240), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00166   420   NtProtectVirtualMemory  (-1, (0x400268), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00167   420   NtProtectVirtualMemory  (-1, (0x400268), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00168   420   NtProtectVirtualMemory  (-1, (0x400290), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00169   420   NtProtectVirtualMemory  (-1, (0x400290), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00170   420   NtProtectVirtualMemory  (-1, (0x4002b8), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00171   420   NtProtectVirtualMemory  (-1, (0x4002b8), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00172   420   NtProtectVirtualMemory  (-1, (0x4002e0), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00173   420   NtProtectVirtualMemory  (-1, (0x4002e0), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00174   420   NtProtectVirtualMemory  (-1, (0x400308), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00175   420   NtProtectVirtualMemory  (-1, (0x400308), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00176   420   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00177   420   NtUserFindWindowEx  (0, 0,  (0, 0, "WispWindowClass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00178   420   NtUserBuildHwndList  (0, 0, 0, 0, 64, ... (0x100aa, 0x100a8, 0x100a6, 0x60036, 0x20062, 0x1007e, 0x10074, 0x10068, 0x3004a, 0x10066, 0x3004c, 0x3003c, 0x10098, 0x1008c, 0x1007c, 0x10026, 0x100be, 0x100bc, 0x100ba, 0x100b8, 0x100b6, 0x100b4, 0x100b0, 0x100ae, 0x20060, 0x100ac, 0x2005e, 0x1006c, 0x50050, 0x40054, 0x5004e, 0x10082, 0x10076, 0x1, ), 34, ) == 0x0
 00179   420   NtUserQueryWindow  (65706, 0, ... ) == 0x7e0
 00180   420   NtUserQueryWindow  (65706, 1, ... ) == 0x7e4
 00181   420   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {2016, 0}, ... 52, ) == 0x0
 00182   420   NtReadVirtualMemory  (52, 0x400000, 64, ...  (52, 0x400000, 64, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \1\0\0", 64, ) , 64, ) == 0x0
 00183   420   NtReadVirtualMemory  (52, 0x4b1c86, 4, ...  (52, 0x4b1c86, 4, ... "\0\0\0\0", 4, ) , 4, ) == 0x0
 00184   420   NtReadVirtualMemory  (52, 0x4c91a0, 256, ...  (52, 0x4c91a0, 256, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, ) , 256, ) == 0x0
 00185   420   NtClose  (52, ... ) == 0x0
 00186   420   NtUserQueryWindow  (65704, 0, ... ) == 0x7e0
 00187   420   NtUserQueryWindow  (65704, 1, ... ) == 0x7e4
 00188   420   NtUserQueryWindow  (65702, 0, ... ) == 0x7e0
 00189   420   NtUserQueryWindow  (65702, 1, ... ) == 0x7e4
 00190   420   NtUserQueryWindow  (393270, 0, ... ) == 0x7e0
 00191   420   NtUserQueryWindow  (393270, 1, ... ) == 0x7e4
 00192   420   NtUserQueryWindow  (131170, 0, ... ) == 0x76c
 00193   420   NtUserQueryWindow  (131170, 1, ... ) == 0x780
 00194   420   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {1900, 0}, ... 52, ) == 0x0
 00195   420   NtReadVirtualMemory  (52, 0x400000, 64, ...  (52, 0x400000, 64, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 64, ) , 64, ) == 0x0
 00196   420   NtReadVirtualMemory  (52, 0x4b1c86, 4, ...
 00197   420   NtContinue  (-130909028, 0, ...
 00196   420   NtReadVirtualMemory  ... ) == STATUS_PARTIAL_COPY
 00198   420   NtReadVirtualMemory  (52, 0x4c91a0, 256, ...
 00199   420   NtContinue  (-130909028, 0, ...
 00198   420   NtReadVirtualMemory  ... ) == STATUS_PARTIAL_COPY
 00200   420   NtClose  (52, ... ) == 0x0
 00201   420   NtUserQueryWindow  (65662, 0, ... ) == 0x76c
 00202   420   NtUserQueryWindow  (65662, 1, ... ) == 0x780
 00203   420   NtUserQueryWindow  (65652, 0, ... ) == 0x76c
 00204   420   NtUserQueryWindow  (65652, 1, ... ) == 0x780
 00205   420   NtUserQueryWindow  (65640, 0, ... ) == 0x76c
 00206   420   NtUserQueryWindow  (65640, 1, ... ) == 0x780
 00207   420   NtUserQueryWindow  (196682, 0, ... ) == 0x76c
 00208   420   NtUserQueryWindow  (196682, 1, ... ) == 0x780
 00209   420   NtUserQueryWindow  (65638, 0, ... ) == 0x76c
 00210   420   NtUserQueryWindow  (65638, 1, ... ) == 0x780
 00211   420   NtUserQueryWindow  (196684, 0, ... ) == 0x76c
 00212   420   NtUserQueryWindow  (196684, 1, ... ) == 0x780
 00213   420   NtUserQueryWindow  (196668, 0, ... ) == 0x76c
 00214   420   NtUserQueryWindow  (196668, 1, ... ) == 0x780
 00215   420   NtUserQueryWindow  (65688, 0, ... ) == 0x76c
 00216   420   NtUserQueryWindow  (65688, 1, ... ) == 0x780
 00217   420   NtUserQueryWindow  (65676, 0, ... ) == 0x76c
 00218   420   NtUserQueryWindow  (65676, 1, ... ) == 0x780
 00219   420   NtUserQueryWindow  (65660, 0, ... ) == 0x76c
 00220   420   NtUserQueryWindow  (65660, 1, ... ) == 0x774
 00221   420   NtUserQueryWindow  (65574, 0, ... ) == 0x268
 00222   420   NtUserQueryWindow  (65574, 1, ... ) == 0x2c4
 00223   420   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {616, 0}, ... 52, ) == 0x0
 00224   420   NtReadVirtualMemory  (52, 0x400000, 64, ...  (52, 0x400000, 64, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 64, ) , 64, ) == 0x0
 00225   420   NtReadVirtualMemory  (52, 0x4b1c86, 4, ...  (52, 0x4b1c86, 4, ... "\0\0\0\0", 4, ) , 4, ) == 0x0
 00226   420   NtReadVirtualMemory  (52, 0x4c91a0, 256, ...  (52, 0x4c91a0, 256, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, ) , 256, ) == 0x0
 00227   420   NtClose  (52, ... ) == 0x0
 00228   420   NtUserQueryWindow  (65726, 0, ... ) == 0x7e8
 00229   420   NtUserQueryWindow  (65726, 1, ... ) == 0x7ec
 00230   420   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {2024, 0}, ... 52, ) == 0x0
 00231   420   NtReadVirtualMemory  (52, 0x400000, 64, ...  (52, 0x400000, 64, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\0", 64, ) , 64, ) == 0x0
 00232   420   NtReadVirtualMemory  (52, 0x4b1c86, 4, ...  (52, 0x4b1c86, 4, ... "\377\0\377\377", 4, ) , 4, ) == 0x0
 00233   420   NtReadVirtualMemory  (52, 0x4c91a0, 256, ...  (52, 0x4c91a0, 256, ... "\210fvx\210x\206wfvGe$\306d\21\26\210ls\210\210\250g\207\210hhx\207xhvwdfF|d\21\27\210\206hx\250\252\206\210\207v\207\210x\207\207gfv4F\306G\21\21\210\206\207\210\212\250\250h\210\207x\210\210wvwgFD$d!\21\21x\250g\210\212\252\250\206\210\207w\210\207\207wvvgBGd\21\21\21\210\212\203\210\250\252\212\210x\210w\210\210xwgcd%F\1\21\21\21\27\212\250\210\212\252\252\210f\210\207x\210\207w7fR@`\21\21\21\21\21\210\2508\212\252\250\250\210gw\21088vvu$$!\21\21\21\21\21\30\210\210\210\212\252\210\206vgw\210\203wsb`\7\21\21\21\21\21\21\21\210\203\210\210\210\210\207vvwwwsf4\7\21\21\21\21\21\21\21\21\30\210\210\210\210\210wGwvwww5\2\21\21\21\21\21\21", 256, ) , 256, ) == 0x0
 00234   420   NtClose  (52, ... ) == 0x0
 00235   420   NtUserQueryWindow  (65724, 0, ... ) == 0x7e8
 00236   420   NtUserQueryWindow  (65724, 1, ... ) == 0x7ec
 00237   420   NtUserQueryWindow  (65722, 0, ... ) == 0x7e8
 00238   420   NtUserQueryWindow  (65722, 1, ... ) == 0x7ec
 00239   420   NtUserQueryWindow  (65720, 0, ... ) == 0x7e8
 00240   420   NtUserQueryWindow  (65720, 1, ... ) == 0x7ec
 00241   420   NtUserQueryWindow  (65718, 0, ... ) == 0x7e8
 00242   420   NtUserQueryWindow  (65718, 1, ... ) == 0x7ec
 00243   420   NtUserQueryWindow  (65716, 0, ... ) == 0x7e8
 00244   420   NtUserQueryWindow  (65716, 1, ... ) == 0x7ec
 00245   420   NtUserQueryWindow  (65712, 0, ... ) == 0x7e8
 00246   420   NtUserQueryWindow  (65712, 1, ... ) == 0x7ec
 00247   420   NtUserQueryWindow  (65710, 0, ... ) == 0x7e8
 00248   420   NtUserQueryWindow  (65710, 1, ... ) == 0x7ec
 00249   420   NtUserQueryWindow  (131168, 0, ... ) == 0x7f4
 00250   420   NtUserQueryWindow  (131168, 1, ... ) == 0x7f8
 00251   420   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {2036, 0}, ... 52, ) == 0x0
 00252   420   NtReadVirtualMemory  (52, 0x400000, 64, ...  (52, 0x400000, 64, ... "\301\0\0\0\0\1\0\0\377\356\377\356\11\0\0\0\11\0\0\0\0\376\0\0\0\0\20\0\0 \0\0\0\2\0\0\0 \0\0q\0\0\0\377\357\375\177\0\0\10\6\0\0\0\0\0\0\0\0\0\0\0\0", 64, ) , 64, ) == 0x0
 00253   420   NtReadVirtualMemory  (52, 0x4b1c86, 4, ...  (52, 0x4b1c86, 4, ... "\0\0\0\0", 4, ) , 4, ) == 0x0
 00254   420   NtReadVirtualMemory  (52, 0x4c91a0, 256, ...  (52, 0x4c91a0, 256, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, ) , 256, ) == 0x0
 00255   420   NtClose  (52, ... ) == 0x0
 00256   420   NtUserQueryWindow  (65708, 0, ... ) == 0x7e0
 00257   420   NtUserQueryWindow  (65708, 1, ... ) == 0x7e4
 00258   420   NtUserQueryWindow  (131166, 0, ... ) == 0x7d8
 00259   420   NtUserQueryWindow  (131166, 1, ... ) == 0x7dc
 00260   420   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {2008, 0}, ... 52, ) == 0x0
 00261   420   NtReadVirtualMemory  (52, 0x400000, 64, ...  (52, 0x400000, 64, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0", 64, ) , 64, ) == 0x0
 00262   420   NtReadVirtualMemory  (52, 0x4b1c86, 4, ...
 00263   420   NtContinue  (-130909028, 0, ...
 00262   420   NtReadVirtualMemory  ... ) == STATUS_PARTIAL_COPY
 00264   420   NtReadVirtualMemory  (52, 0x4c91a0, 256, ...
 00265   420   NtContinue  (-130909028, 0, ...
 00264   420   NtReadVirtualMemory  ... ) == STATUS_PARTIAL_COPY
 00266   420   NtClose  (52, ... ) == 0x0
 00267   420   NtUserQueryWindow  (65644, 0, ... ) == 0x76c
 00268   420   NtUserQueryWindow  (65644, 1, ... ) == 0x7ac
 00269   420   NtUserQueryWindow  (327760, 0, ... ) == 0x76c
 00270   420   NtUserQueryWindow  (327760, 1, ... ) == 0x774
 00271   420   NtUserQueryWindow  (262228, 0, ... ) == 0x76c
 00272   420   NtUserQueryWindow  (262228, 1, ... ) == 0x774
 00273   420   NtUserQueryWindow  (327758, 0, ... ) == 0x76c
 00274   420   NtUserQueryWindow  (327758, 1, ... ) == 0x774
 00275   420   NtUserQueryWindow  (65666, 0, ... ) == 0x76c
 00276   420   NtUserQueryWindow  (65666, 1, ... ) == 0x774
 00277   420   NtUserQueryWindow  (65654, 0, ... ) == 0x76c
 00278   420   NtUserQueryWindow  (65654, 1, ... ) == 0x774
 00279   420   NtRaiseException  (1242696, 1241956, 1, ...
 00280   420   NtContinue  (1240752, 0, ...
 00281   420   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 52, ) }, ... 52, ) == 0x0
 00282   420   NtOpenMutant  (0x120001, {24, 52, 0x2, 0, 0,  (0x120001, {24, 52, 0x2, 0, 0, "DBWinMutex"}, ... 56, ) }, ... 56, ) == 0x0
 00283   420   NtWaitForSingleObject  (56, 0, 0x0, ... ) == 0x0
 00284   420   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00285   420   NtReleaseMutant  (56, ... 0x0, ) == 0x0
 00286   420   NtDuplicateObject  (-1, 3101, -1, 0x0, 0, 2, ... ) == STATUS_INVALID_HANDLE
 00287   420   NtClose  (0, ... ) == STATUS_INVALID_HANDLE
 00288   420   NtClose  (0, ... ) == STATUS_INVALID_HANDLE
 00289   420   NtUserBuildHwndList  (0, 0, 0, 0, 64, ... (0x100aa, 0x100a8, 0x100a6, 0x60036, 0x20062, 0x1007e, 0x10074, 0x10068, 0x3004a, 0x10066, 0x3004c, 0x3003c, 0x10098, 0x1008c, 0x1007c, 0x10026, 0x100be, 0x100bc, 0x100ba, 0x100b8, 0x100b6, 0x100b4, 0x100b0, 0x100ae, 0x20060, 0x100ac, 0x2005e, 0x1006c, 0x50050, 0x40054, 0x5004e, 0x10082, 0x10076, 0x1, ), 34, ) == 0x0
 00290   420   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00291   420   NtUserFindWindowEx  (0, 0,  (0, 0, "WispWindowClass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00292   420   NtUserBuildHwndList  (0, 0, 0, 0, 64, ... (0x100aa, 0x100a8, 0x100a6, 0x60036, 0x20062, 0x1007e, 0x10074, 0x10068, 0x3004a, 0x10066, 0x3004c, 0x3003c, 0x10098, 0x1008c, 0x1007c, 0x10026, 0x100be, 0x100bc, 0x100ba, 0x100b8, 0x100b6, 0x100b4, 0x100b0, 0x100ae, 0x20060, 0x100ac, 0x2005e, 0x1006c, 0x50050, 0x40054, 0x5004e, 0x10082, 0x10076, 0x1, ), 34, ) == 0x0
 00293   420   NtUserQueryWindow  (65706, 0, ... ) == 0x7e0
 00294   420   NtUserQueryWindow  (65706, 1, ... ) == 0x7e4
 00295   420   NtUserQueryWindow  (65704, 0, ... ) == 0x7e0
 00296   420   NtUserQueryWindow  (65704, 1, ... ) == 0x7e4
 00297   420   NtUserQueryWindow  (65702, 0, ... ) == 0x7e0
 00298   420   NtUserQueryWindow  (65702, 1, ... ) == 0x7e4
 00299   420   NtUserQueryWindow  (393270, 0, ... ) == 0x7e0
 00300   420   NtUserQueryWindow  (393270, 1, ... ) == 0x7e4
 00301   420   NtUserQueryWindow  (131170, 0, ... ) == 0x76c
 00302   420   NtUserQueryWindow  (131170, 1, ... ) == 0x780
 00303   420   NtUserQueryWindow  (65662, 0, ... ) == 0x76c
 00304   420   NtUserQueryWindow  (65662, 1, ... ) == 0x780
 00305   420   NtUserQueryWindow  (65652, 0, ... ) == 0x76c
 00306   420   NtUserQueryWindow  (65652, 1, ... ) == 0x780
 00307   420   NtUserQueryWindow  (65640, 0, ... ) == 0x76c
 00308   420   NtUserQueryWindow  (65640, 1, ... ) == 0x780
 00309   420   NtUserQueryWindow  (196682, 0, ... ) == 0x76c
 00310   420   NtUserQueryWindow  (196682, 1, ... ) == 0x780
 00311   420   NtUserQueryWindow  (65638, 0, ... ) == 0x76c
 00312   420   NtUserQueryWindow  (65638, 1, ... ) == 0x780
 00313   420   NtUserQueryWindow  (196684, 0, ... ) == 0x76c
 00314   420   NtUserQueryWindow  (196684, 1, ... ) == 0x780
 00315   420   NtUserQueryWindow  (196668, 0, ... ) == 0x76c
 00316   420   NtUserQueryWindow  (196668, 1, ... ) == 0x780
 00317   420   NtUserQueryWindow  (65688, 0, ... ) == 0x76c
 00318   420   NtUserQueryWindow  (65688, 1, ... ) == 0x780
 00319   420   NtUserQueryWindow  (65676, 0, ... ) == 0x76c
 00320   420   NtUserQueryWindow  (65676, 1, ... ) == 0x780
 00321   420   NtUserQueryWindow  (65660, 0, ... ) == 0x76c
 00322   420   NtUserQueryWindow  (65660, 1, ... ) == 0x774
 00323   420   NtUserQueryWindow  (65574, 0, ... ) == 0x268
 00324   420   NtUserQueryWindow  (65574, 1, ... ) == 0x2c4
 00325   420   NtUserQueryWindow  (65726, 0, ... ) == 0x7e8
 00326   420   NtUserQueryWindow  (65726, 1, ... ) == 0x7ec
 00327   420   NtUserQueryWindow  (65724, 0, ... ) == 0x7e8
 00328   420   NtUserQueryWindow  (65724, 1, ... ) == 0x7ec
 00329   420   NtUserQueryWindow  (65722, 0, ... ) == 0x7e8
 00330   420   NtUserQueryWindow  (65722, 1, ... ) == 0x7ec
 00331   420   NtUserQueryWindow  (65720, 0, ... ) == 0x7e8
 00332   420   NtUserQueryWindow  (65720, 1, ... ) == 0x7ec
 00333   420   NtUserQueryWindow  (65718, 0, ... ) == 0x7e8
 00334   420   NtUserQueryWindow  (65718, 1, ... ) == 0x7ec
 00335   420   NtUserQueryWindow  (65716, 0, ... ) == 0x7e8
 00336   420   NtUserQueryWindow  (65716, 1, ... ) == 0x7ec
 00337   420   NtUserQueryWindow  (65712, 0, ... ) == 0x7e8
 00338   420   NtUserQueryWindow  (65712, 1, ... ) == 0x7ec
 00339   420   NtUserQueryWindow  (65710, 0, ... ) == 0x7e8
 00340   420   NtUserQueryWindow  (65710, 1, ... ) == 0x7ec
 00341   420   NtUserQueryWindow  (131168, 0, ... ) == 0x7f4
 00342   420   NtUserQueryWindow  (131168, 1, ... ) == 0x7f8
 00343   420   NtUserQueryWindow  (65708, 0, ... ) == 0x7e0
 00344   420   NtUserQueryWindow  (65708, 1, ... ) == 0x7e4
 00345   420   NtUserQueryWindow  (131166, 0, ... ) == 0x7d8
 00346   420   NtUserQueryWindow  (131166, 1, ... ) == 0x7dc
 00347   420   NtUserQueryWindow  (65644, 0, ... ) == 0x76c
 00348   420   NtUserQueryWindow  (65644, 1, ... ) == 0x7ac
 00349   420   NtUserQueryWindow  (327760, 0, ... ) == 0x76c
 00350   420   NtUserQueryWindow  (327760, 1, ... ) == 0x774
 00351   420   NtUserQueryWindow  (262228, 0, ... ) == 0x76c
 00352   420   NtUserQueryWindow  (262228, 1, ... ) == 0x774
 00353   420   NtUserQueryWindow  (327758, 0, ... ) == 0x76c
 00354   420   NtUserQueryWindow  (327758, 1, ... ) == 0x774
 00355   420   NtUserQueryWindow  (65666, 0, ... ) == 0x76c
 00356   420   NtUserQueryWindow  (65666, 1, ... ) == 0x774
 00357   420   NtUserQueryWindow  (65654, 0, ... ) == 0x76c
 00358   420   NtUserQueryWindow  (65654, 1, ... ) == 0x774
 00359   420   NtRaiseException  (1242640, 1241900, 1, ...
 00360   420   NtContinue  (1240696, 0, ...
 00361   420   NtWaitForSingleObject  (56, 0, 0x0, ... ) == 0x0
 00362   420   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00363   420   NtReleaseMutant  (56, ... 0x0, ) == 0x0
 00364   420   NtDuplicateObject  (-1, 3380, -1, 0x0, 0, 2, ... ) == STATUS_INVALID_HANDLE
 00365   420   NtClose  (0, ... ) == STATUS_INVALID_HANDLE
 00366   420   NtClose  (0, ... ) == STATUS_INVALID_HANDLE
 00367   420   NtUserBuildHwndList  (0, 0, 0, 0, 64, ... (0x100aa, 0x100a8, 0x100a6, 0x60036, 0x20062, 0x1007e, 0x10074, 0x10068, 0x3004a, 0x10066, 0x3004c, 0x3003c, 0x10098, 0x1008c, 0x1007c, 0x10026, 0x100be, 0x100bc, 0x100ba, 0x100b8, 0x100b6, 0x100b4, 0x100b0, 0x100ae, 0x20060, 0x100ac, 0x2005e, 0x1006c, 0x50050, 0x40054, 0x5004e, 0x10082, 0x10076, 0x1, ), 34, ) == 0x0
 00368   420   NtSetSecurityObject  (-1, 4, {1, 0, 0x4, 0, 0, 0, 1242476}, ... ) == 0x0
 00369   420   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 60, ) }, ... 60, ) == 0x0
 00370   420   NtQueryValueKey  (60,  (60, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00371   420   NtClose  (60, ... ) == 0x0
 00372   420   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MPR.dll"}, ... 60, ) }, ... 60, ) == 0x0
 00373   420   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71b20000), 0x0, 69632, ) == 0x0
 00374   420   NtClose  (60, ... ) == 0x0
 00375   420   NtCreateSemaphore  (0x1f0003, 0x0, 1, 1, ... 60, ) == 0x0
 00376   420   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 64, ) == 0x0
 00377   420   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "system\CurrentControlSet\control\NetworkProvider\HwOrder"}, ... 68, ) }, ... 68, ) == 0x0
 00378   420   NtNotifyChangeKey  (68, 64, 0, 0, 2011390432, 4, 0, 0, 0, 1, ... ) == 0x103
 00379   420   NtQueryInformationProcess  (-1, 28, 4, ... {process info, class 28, size 4}, 0x0, ) == 0x0
 00380   420   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 72, ) == 0x0
 00381   420   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 76, ) == 0x0
 00382   420   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ODBC32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00383   420   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\ODBC32.dll"}, 1241484, ... ) }, 1241484, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00384   420   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "ODBC32.dll"}, 1241484, ... ) }, 1241484, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00385   420   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ODBC32.dll"}, 1241484, ... ) }, 1241484, ... ) == 0x0
 00386   420   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ODBC32.dll"}, 5, 96, ... 80, {status=0x0, info=1}, ) }, 5, 96, ... 80, {status=0x0, info=1}, ) == 0x0
 00387   420   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 80, ... 84, ) == 0x0
 00388   420   NtQuerySection  (84, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00389   420   NtOpenProcessToken  (-1, 0x8, ... 88, ) == 0x0
 00390   420   NtQueryInformationToken  (88, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00391   420   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00392   420   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 92, ) }, ... 92, ) == 0x0
 00393   420   NtQueryValueKey  (92,  (92, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (92, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00394   420   NtClose  (92, ... ) == 0x0
 00395   420   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00396   420   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 92, ) == 0x0
 00397   420   NtQueryInformationToken  (92, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00398   420   NtClose  (92, ... ) == 0x0
 00399   420   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00400   420   NtClose  (88, ... ) == 0x0
 00401   420   NtClose  (80, ... ) == 0x0
 00402   420   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x1f7b0000), 0x0, 200704, ) == 0x0
 00403   420   NtClose  (84, ... ) == 0x0
 00404   420   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "COMCTL32.dll"}, ... 84, ) }, ... 84, ) == 0x0
 00405   420   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0
 00406   420   NtClose  (84, ... ) == 0x0
 00407   420   NtProtectVirtualMemory  (-1, (0x1f7b1000), 724, 4, ... (0x1f7b1000), 4096, 32, ) == 0x0
 00408   420   NtProtectVirtualMemory  (-1, (0x1f7b1000), 4096, 32, ... (0x1f7b1000), 4096, 4, ) == 0x0
 00409   420   NtFlushInstructionCache  (-1, 528158720, 724, ... ) == 0x0
 00410   420   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "comdlg32.dll"}, ... 84, ) }, ... 84, ) == 0x0
 00411   420   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x763b0000), 0x0, 282624, ) == 0x0
 00412   420   NtClose  (84, ... ) == 0x0
 00413   420   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 84, ) }, ... 84, ) == 0x0
 00414   420   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x772d0000), 0x0, 405504, ) == 0x0
 00415   420   NtClose  (84, ... ) == 0x0
 00416   420   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 84, ) }, ... 84, ) == 0x0
 00417   420   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0
 00418   420   NtClose  (84, ... ) == 0x0
 00419   420   NtProtectVirtualMemory  (-1, (0x763b1000), 1536, 4, ... (0x763b1000), 4096, 32, ) == 0x0
 00420   420   NtProtectVirtualMemory  (-1, (0x763b1000), 4096, 32, ... (0x763b1000), 4096, 4, ) == 0x0
 00421   420   NtFlushInstructionCache  (-1, 1983582208, 1536, ... ) == 0x0
 00422   420   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHELL32.dll"}, ... 84, ) }, ... 84, ) == 0x0
 00423   420   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 8339456, ) == 0x0
 00424   420   NtClose  (84, ... ) == 0x0
 00425   420   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {412, 0}, ... 84, ) == 0x0
 00426   420   NtQueryInformationProcess  (84, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 00427   420   NtClose  (84, ... ) == 0x0
 00428   420   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00429   420   NtUserSystemParametersInfo  (104, 0, 2000318720, 0, ... ) == 0x1
 00430   420   NtUserSystemParametersInfo  (38, 4, 2000318708, 0, ... ) == 0x1
 00431   420   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00432   420   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 84, ) == 0x0
 00433   420   NtQueryInformationToken  (84, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00434   420   NtClose  (84, ... ) == 0x0
 00435   420   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 84, ) }, ... 84, ) == 0x0
 00436   420   NtSetInformationObject  (84, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 00437   420   NtOpenKey  (0x20019, {24, 84, 0x40, 0, 0,  (0x20019, {24, 84, 0x40, 0, 0, "Control Panel\Desktop"}, ... 80, ) }, ... 80, ) == 0x0
 00438   420   NtQueryValueKey  (80,  (80, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00439   420   NtClose  (80, ... ) == 0x0
 00440   420   NtUserSystemParametersInfo  (41, 500, 1241216, 0, ... ) == 0x1
 00441   420   NtUserSystemParametersInfo  (102, 0, 2000318732, 0, ... ) == 0x1
 00442   420   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00443   420   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00444   420   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc03b
 00445   420   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00446   420   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc03d
 00447   420   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00448   420   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00449   420   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc03f
 00450   420   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00451   420   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00452   420   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc041
 00453   420   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00454   420   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00455   420   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc043
 00456   420   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00457   420   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc045
 00458   420   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00459   420   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00460   420   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc047
 00461   420   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00462   420   NtUserFindExistingCursorIcon  (1241004, 1241020, 1241588, ... ) == 0x10011
 00463   420   NtUserRegisterClassExWOW  (1241456, 1241536, 1241520, 1241552, 0, 384, 0, ... ) == 0x810dc049
 00464   420   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00465   420   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00466   420   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc04b
 00467   420   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00468   420   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00469   420   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc04d
 00470   420   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00471   420   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00472   420   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc04f
 00473   420   NtUserGetClassInfo  (1999896576, 1241628, 1241580, 1241656, 0, ... ) == 0x0
 00474   420   NtUserRegisterClassExWOW  (1241464, 1241544, 1241528, 1241560, 0, 384, 0, ... ) == 0x810dc051
 00475   420   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00476   420   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00477   420   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc053
 00478   420   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00479   420   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00480   420   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc055
 00481   420   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc057
 00482   420   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00483   420   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00484   420   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc059
 00485   420   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00486   420   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10013
 00487   420   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc05b
 00488   420   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00489   420   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00490   420   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc05d
 00491   420   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00492   420   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00493   420   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc05f
 00494   420   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00495   420   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 9240576, 65536, ) == 0x0
 00496   420   NtAllocateVirtualMemory  (-1, 9240576, 0, 4096, 4096, 4, ... 9240576, 4096, ) == 0x0
 00497   420   NtAllocateVirtualMemory  (-1, 9244672, 0, 8192, 4096, 4, ... 9244672, 8192, ) == 0x0
 00498   420   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 80, ) }, ... 80, ) == 0x0
 00499   420   NtMapViewOfSection  (80, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x8e0000), 0x0, 12288, ) == 0x0
 00500   420   NtClose  (80, ... ) == 0x0
 00501   420   NtAllocateVirtualMemory  (-1, 9252864, 0, 4096, 4096, 4, ... 9252864, 4096, ) == 0x0
 00502   420   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00503   420   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 80, ) }, ... 80, ) == 0x0
 00504   420   NtQueryValueKey  (80,  (80, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00505   420   NtClose  (80, ... ) == 0x0
 00506   420   NtQueryDefaultUILanguage  (1239840, ...
 00507   420   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00508   420   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 00509   420   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00510   420   NtClose  (-2147482020, ... ) == 0x0
 00511   420   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00512   420   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00513   420   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00514   420   NtQueryValueKey  (-2147482032,  (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00515   420   NtClose  (-2147482032, ... ) == 0x0
 00516   420   NtClose  (-2147482020, ... ) == 0x0
 00506   420   NtQueryDefaultUILanguage  ... ) == 0x0
 00517   420   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00518   420   NtQueryInstallUILanguage  (2012047340, ... ) == 0x0
 00519   420   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1, 96, ... 80, {status=0x0, info=1}, ) }, 1, 96, ... 80, {status=0x0, info=1}, ) == 0x0
 00520   420   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 80, ... 88, ) == 0x0
 00521   420   NtMapViewOfSection  (88, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x8f0000), 0x0, 8323072, ) == 0x0
 00522   420   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00523   420   NtQueryDefaultUILanguage  (2013024600, ...
 00524   420   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00525   420   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 00526   420   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00527   420   NtClose  (-2147482020, ... ) == 0x0
 00528   420   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00529   420   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00530   420   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00531   420   NtQueryValueKey  (-2147482032,  (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00532   420   NtClose  (-2147482032, ... ) == 0x0
 00533   420   NtClose  (-2147482020, ... ) == 0x0
 00523   420   NtQueryDefaultUILanguage  ... ) == 0x0
 00534   420   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00535   420   NtQueryInstallUILanguage  (2013024602, ... ) == 0x0
 00536   420   NtQueryDefaultLocale  (1, 1237876, ... ) == 0x0
 00537   420   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00538   420   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1238732, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1238732, 1, 96, 0} "\210\6\35\1\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1P\0\0\0\377\377\377\377\0\0\0\0\20\311\306\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0\314\355\22\0\0\0\0\0" ... {128, 156, reply, 0, 412, 420, 1497, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1P\0\0\0\377\377\377\377\0\0\0\0\20\311\306\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0\314\355\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 412, 420, 1497, 0}  (24, {128, 156, new_msg, 0, 1238732, 1, 96, 0} "\210\6\35\1\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1P\0\0\0\377\377\377\377\0\0\0\0\20\311\306\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0\314\355\22\0\0\0\0\0" ... {128, 156, reply, 0, 412, 420, 1497, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1P\0\0\0\377\377\377\377\0\0\0\0\20\311\306\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0\314\355\22\0\0\0\0\0" )  ) == 0x0
 00539   420   NtClose  (80, ... ) == 0x0
 00540   420   NtClose  (88, ... ) == 0x0
 00541   420   NtUnmapViewOfSection  (-1, 0x8f0000, ... ) == 0x0
 00542   420   NtUnmapViewOfSection  (-1, 0x12edcc, ... ) == STATUS_NOT_MAPPED_VIEW
 00543   420   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00544   420   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00545   420   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00546   420   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00547   420   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1236960, ... ) }, 1236960, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00548   420   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00549   420   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00550   420   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00551   420   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1237552, ... ) }, 1237552, ... ) == 0x0
 00552   420   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 88, {status=0x0, info=1}, ) }, 3, 33, ... 88, {status=0x0, info=1}, ) == 0x0
 00553   420   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00554   420   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 80, {status=0x0, info=1}, ) }, 5, 96, ... 80, {status=0x0, info=1}, ) == 0x0
 00555   420   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 80, ... 92, ) == 0x0
 00556   420   NtClose  (80, ... ) == 0x0
 00557   420   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x8f0000), 0x0, 921600, ) == 0x0
 00558   420   NtClose  (92, ... ) == 0x0
 00559   420   NtUnmapViewOfSection  (-1, 0x8f0000, ... ) == 0x0
 00560   420   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 92, {status=0x0, info=1}, ) }, 5, 96, ... 92, {status=0x0, info=1}, ) == 0x0
 00561   420   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 92, ... 80, ) == 0x0
 00562   420   NtQuerySection  (80, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00563   420   NtClose  (92, ... ) == 0x0
 00564   420   NtMapViewOfSection  (80, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0
 00565   420   NtClose  (80, ... ) == 0x0
 00566   420   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00567   420   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00568   420   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00569   420   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00570   420   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00571   420   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00572   420   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00573   420   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00574   420   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00575   420   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00576   420   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00577   420   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00578   420   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00579   420   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00580   420   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00581   420   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00582   420   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00583   420   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00584   420   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00585   420   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00586   420   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00587   420   NtAddAtom  ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1238736, ... ) , 42, 1238736, ... ) == 0x0
 00588   420   NtQueryDefaultUILanguage  (1237452, ...
 00589   420   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00590   420   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 00591   420   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00592   420   NtClose  (-2147482020, ... ) == 0x0
 00593   420   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00594   420   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00595   420   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00596   420   NtQueryValueKey  (-2147482032,  (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00597   420   NtClose  (-2147482032, ... ) == 0x0
 00598   420   NtClose  (-2147482020, ... ) == 0x0
 00588   420   NtQueryDefaultUILanguage  ... ) == 0x0
 00599   420   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00600   420   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1236304, ... ) }, 1236304, ... ) == 0x0
 00601   420   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 80, {status=0x0, info=1}, ) }, 5, 96, ... 80, {status=0x0, info=1}, ) == 0x0
 00602   420   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 80, ... 92, ) == 0x0
 00603   420   NtClose  (80, ... ) == 0x0
 00604   420   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x8f0000), 0x0, 4096, ) == 0x0
 00605   420   NtClose  (92, ... ) == 0x0
 00606   420   NtUnmapViewOfSection  (-1, 0x8f0000, ... ) == 0x0
 00607   420   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1235944, ... ) }, 1235944, ... ) == 0x0
 00608   420   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1236644,  (0x80100080, {24, 0, 0x40, 0, 1236644, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 92, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 92, {status=0x0, info=1}, ) == 0x0
 00609   420   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 92, ... 80, ) == 0x0
 00610   420   NtClose  (92, ... ) == 0x0
 00611   420   NtMapViewOfSection  (80, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x8f0000), {0, 0}, 4096, ) == 0x0
 00612   420   NtClose  (80, ... ) == 0x0
 00613   420   NtUnmapViewOfSection  (-1, 0x8f0000, ... ) == 0x0
 00614   420   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 80, {status=0x0, info=1}, ) }, 1, 96, ... 80, {status=0x0, info=1}, ) == 0x0
 00615   420   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 80, ... 92, ) == 0x0
 00616   420   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x8f0000), 0x0, 4096, ) == 0x0
 00617   420   NtQueryInformationFile  (80, 1236264, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0
 00618   420   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00619   420   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1236344, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1236344, 1, 96, 0} "\210\6\35\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\1P\0\0\0\\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0x\344\22\0\0\0\0\0" ... {128, 156, reply, 0, 412, 420, 1498, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\1P\0\0\0\\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0x\344\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 412, 420, 1498, 0}  (24, {128, 156, new_msg, 0, 1236344, 1, 96, 0} "\210\6\35\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\1P\0\0\0\\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0x\344\22\0\0\0\0\0" ... {128, 156, reply, 0, 412, 420, 1498, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\1P\0\0\0\\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0x\344\22\0\0\0\0\0" )  ) == 0x0
 00620   420   NtClose  (80, ... ) == 0x0
 00621   420   NtClose  (92, ... ) == 0x0
 00622   420   NtUnmapViewOfSection  (-1, 0x8f0000, ... ) == 0x0
 00623   420   NtUnmapViewOfSection  (-1, 0x12e478, ... ) == STATUS_NOT_MAPPED_VIEW
 00624   420   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00625   420   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00626   420   NtUserSystemParametersInfo  (104, 0, 1906151468, 0, ... ) == 0x1
 00627   420   NtUserGetDC  (0, ... ) == 0x1010053
 00628   420   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 00629   420   NtUserSystemParametersInfo  (38, 4, 1906153440, 0, ... ) == 0x1
 00630   420   NtUserSystemParametersInfo  (66, 12, 1238756, 0, ... ) == 0x1
 00631   420   NtOpenProcessToken  (-1, 0x8, ... 92, ) == 0x0
 00632   420   NtAccessCheck  (1393640, 92, 0x1, 1238160, 1238104, 56, 1238188, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 00633   420   NtClose  (92, ... ) == 0x0
 00634   420   NtOpenKey  (0x20019, {24, 84, 0x40, 0, 0,  (0x20019, {24, 84, 0x40, 0, 0, "Control Panel\Desktop"}, ... 92, ) }, ... 92, ) == 0x0
 00635   420   NtQueryValueKey  (92,  (92, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00636   420   NtClose  (92, ... ) == 0x0
 00637   420   NtUserSystemParametersInfo  (41, 500, 1238256, 0, ... ) == 0x1
 00638   420   NtAllocateVirtualMemory  (-1, 1396736, 0, 4096, 4096, 4, ... 1396736, 4096, ) == 0x0
 00639   420   NtOpenKey  (0x1, {24, 84, 0x40, 0, 0,  (0x1, {24, 84, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 92, ) }, ... 92, ) == 0x0
 00640   420   NtQueryValueKey  (92,  (92, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00641   420   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 80, ) }, ... 80, ) == 0x0
 00642   420   NtQueryValueKey  (80,  (80, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00643   420   NtClose  (80, ... ) == 0x0
 00644   420   NtClose  (92, ... ) == 0x0
 00645   420   NtUserSystemParametersInfo  (102, 0, 1906153328, 0, ... ) == 0x1
 00646   420   NtUserSystemParametersInfo  (4130, 0, 1238780, 0, ... ) == 0x1
 00647   420   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 92, ) }, ... 92, ) == 0x0
 00648   420   NtEnumerateValueKey  (92, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 00649   420   NtClose  (92, ... ) == 0x0
 00650   420   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00651   420   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc03b
 00652   420   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc03d
 00653   420   NtUserFindExistingCursorIcon  (1238060, 1238076, 1238644, ... ) == 0x10011
 00654   420   NtUserRegisterClassExWOW  (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810dc03f
 00655   420   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00656   420   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc041
 00657   420   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00658   420   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ...
 00659   420   NtAllocateVirtualMemory  (-1, 6127616, 0, 4096, 4096, 32, ... 6127616, 4096, ) == 0x0
 00658   420   NtUserRegisterClassExWOW  ... ) == 0x810dc043
 00660   420   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc045
 00661   420   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00662   420   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc047
 00663   420   NtUserFindExistingCursorIcon  (1238060, 1238076, 1238644, ... ) == 0x10011
 00664   420   NtUserRegisterClassExWOW  (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810dc049
 00665   420   NtUserGetClassInfo  (1905590272, 1238676, 1238628, 1238704, 0, ... ) == 0xc049
 00666   420   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00667   420   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc04b
 00668   420   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00669   420   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc04d
 00670   420   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00671   420   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc04f
 00672   420   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc051
 00673   420   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00674   420   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc053
 00675   420   NtUserFindExistingCursorIcon  (1238060, 1238076, 1238644, ... ) == 0x10011
 00676   420   NtUserRegisterClassExWOW  (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810dc055
 00677   420   NtUserRegisterClassExWOW  (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810dc057
 00678   420   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00679   420   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc059
 00680   420   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10013
 00681   420   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc05b
 00682   420   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00683   420   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc05d
 00684   420   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00685   420   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc05f
 00686   420   NtUserFindExistingCursorIcon  (1238060, 1238076, 1238644, ... ) == 0x10011
 00687   420   NtUserRegisterClassExWOW  (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810dc017
 00688   420   NtUserFindExistingCursorIcon  (1238060, 1238076, 1238644, ... ) == 0x10011
 00689   420   NtUserRegisterClassExWOW  (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810dc019
 00690   420   NtUserFindExistingCursorIcon  (1238060, 1238076, 1238644, ... ) == 0x10013
 00691   420   NtUserRegisterClassExWOW  (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810dc018
 00692   420   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00693   420   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc01a
 00694   420   NtUserFindExistingCursorIcon  (1238060, 1238076, 1238644, ... ) == 0x10011
 00695   420   NtUserRegisterClassExWOW  (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810dc01c
 00696   420   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00697   420   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc01e
 00698   420   NtUserFindExistingCursorIcon  (1238060, 1238076, 1238644, ... ) == 0x10011
 00699   420   NtUserRegisterClassExWOW  (1238572, 1238652, 1238636, 1238668, 0, 384, 0, ... ) == 0x810dc01b
 00700   420   NtUserFindExistingCursorIcon  (1238056, 1238072, 1238640, ... ) == 0x10011
 00701   420   NtUserRegisterClassExWOW  (1238568, 1238648, 1238632, 1238664, 0, 384, 0, ... ) == 0x810dc068
 00702   420   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00703   420   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc06a
 00704   420   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc03b
 00705   420   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc03d
 00706   420   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc03f
 00707   420   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc041
 00708   420   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc043
 00709   420   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc045
 00710   420   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc047
 00711   420   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc049
 00712   420   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc04b
 00713   420   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc04d
 00714   420   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc04f
 00715   420   NtUserGetClassInfo  (1999896576, 1241580, 1241532, 1241608, 0, ... ) == 0xc051
 00716   420   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc053
 00717   420   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc055
 00718   420   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc059
 00719   420   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc05b
 00720   420   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc05d
 00721   420   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc05f
 00722   420   NtUserRegisterWindowMessage  ( ("WOWLFChange", ... ) , ... ) == 0xc06b
 00723   420   NtUserRegisterWindowMessage  ( ("WOWDirChange", ... ) , ... ) == 0xc06c
 00724   420   NtUserRegisterWindowMessage  ( ("WOWCHOOSEFONT_GETLOGFONT", ... ) , ... ) == 0xc06d
 00725   420   NtUserRegisterWindowMessage  ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06e
 00726   420   NtUserRegisterWindowMessage  ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc06f
 00727   420   NtUserRegisterWindowMessage  ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc070
 00728   420   NtUserRegisterWindowMessage  ( ("commdlg_ColorOK", ... ) , ... ) == 0xc071
 00729   420   NtUserRegisterWindowMessage  ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc072
 00730   420   NtUserRegisterWindowMessage  ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06e
 00731   420   NtUserRegisterWindowMessage  ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc06f
 00732   420   NtUserRegisterWindowMessage  ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc070
 00733   420   NtUserRegisterWindowMessage  ( ("commdlg_ColorOK", ... ) , ... ) == 0xc071
 00734   420   NtUserRegisterWindowMessage  ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc072
 00735   420   NtUserRegisterWindowMessage  ( ("Shell IDList Array", ... ) , ... ) == 0xc073
 00736   420   NtUserRegisterWindowMessage  ( ("commdlg_help", ... ) , ... ) == 0xc074
 00737   420   NtUserRegisterWindowMessage  ( ("commdlg_help", ... ) , ... ) == 0xc074
 00738   420   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\MDAC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00739   420   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00740   420   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00741   420   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00742   420   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 9502720, 262144, ) == 0x0
 00743   420   NtAllocateVirtualMemory  (-1, 9502720, 0, 4096, 4096, 4, ... 9502720, 4096, ) == 0x0
 00744   420   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00745   420   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 9764864, 262144, ) == 0x0
 00746   420   NtAllocateVirtualMemory  (-1, 9764864, 0, 4096, 4096, 4, ... 9764864, 4096, ) == 0x0
 00747   420   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00748   420   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 10027008, 262144, ) == 0x0
 00749   420   NtAllocateVirtualMemory  (-1, 10027008, 0, 4096, 4096, 4, ... 10027008, 4096, ) == 0x0
 00750   420   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00751   420   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 10289152, 262144, ) == 0x0
 00752   420   NtAllocateVirtualMemory  (-1, 10289152, 0, 4096, 4096, 4, ... 10289152, 4096, ) == 0x0
 00753   420   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00754   420   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00755   420   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00756   420   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00757   420   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 1237456, ... ) }, 1237456, ... ) == 0x0
 00758   420   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 5, 96, ... 92, {status=0x0, info=1}, ) }, 5, 96, ... 92, {status=0x0, info=1}, ) == 0x0
 00759   420   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 92, ... 80, ) == 0x0
 00760   420   NtClose  (92, ... ) == 0x0
 00761   420   NtMapViewOfSection  (80, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa10000), 0x0, 90112, ) == 0x0
 00762   420   NtClose  (80, ... ) == 0x0
 00763   420   NtUnmapViewOfSection  (-1, 0xa10000, ... ) == 0x0
 00764   420   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 1237772, ... ) }, 1237772, ... ) == 0x0
 00765   420   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 5, 96, ... 80, {status=0x0, info=1}, ) }, 5, 96, ... 80, {status=0x0, info=1}, ) == 0x0
 00766   420   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 80, ... 92, ) == 0x0
 00767   420   NtQuerySection  (92, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00768   420   NtClose  (80, ... ) == 0x0
 00769   420   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x1f850000), 0x0, 90112, ) == 0x0
 00770   420   NtClose  (92, ... ) == 0x0
 00771   420   NtQueryDefaultLocale  (1, 1239460, ... ) == 0x0
 00772   420   NtAllocateVirtualMemory  (-1, 9506816, 0, 4096, 4096, 4, ... 9506816, 4096, ) == 0x0
 00773   420   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE"}, ... 92, ) }, ... 92, ) == 0x0
 00774   420   NtClose  (92, ... ) == 0x0
 00775   420   NtOpenKey  (0x20019, {24, 84, 0x40, 0, 0,  (0x20019, {24, 84, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00776   420   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00777   420   NtOpenKey  (0x20019, {24, 84, 0x40, 0, 0,  (0x20019, {24, 84, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00778   420   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00779   420   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WININET.dll"}, ... 92, ) }, ... 92, ) == 0x0
 00780   420   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76200000), 0x0, 618496, ) == 0x0
 00781   420   NtClose  (92, ... ) == 0x0
 00782   420   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "CRYPT32.dll"}, ... 92, ) }, ... 92, ) == 0x0
 00783   420   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762c0000), 0x0, 565248, ) == 0x0
 00784   420   NtClose  (92, ... ) == 0x0
 00785   420   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSASN1.dll"}, ... 92, ) }, ... 92, ) == 0x0
 00786   420   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762a0000), 0x0, 61440, ) == 0x0
 00787   420   NtClose  (92, ... ) == 0x0
 00788   420   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLEAUT32.dll"}, ... 92, ) }, ... 92, ) == 0x0
 00789   420   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0
 00790   420   NtClose  (92, ... ) == 0x0
 00791   420   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLE32.DLL"}, ... 92, ) }, ... 92, ) == 0x0
 00792   420   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0
 00793   420   NtClose  (92, ... ) == 0x0
 00794   420   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\crypt32\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00795   420   NtAllocateVirtualMemory  (-1, 1400832, 0, 4096, 4096, 4, ... 1400832, 4096, ) == 0x0
 00796   420   NtAllocateVirtualMemory  (-1, 1404928, 0, 4096, 4096, 4, ... 1404928, 4096, ) == 0x0
 00797   420   NtAllocateVirtualMemory  (-1, 1409024, 0, 4096, 4096, 4, ... 1409024, 4096, ) == 0x0
 00798   420   NtCreateEvent  (0x1f0003, {24, 52, 0x80, 1241616, 0,  (0x1f0003, {24, 52, 0x80, 1241616, 0, "Global\crypt32LogoffEvent"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED
 00799   420   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\crypt32LogoffEvent"}, ... 92, ) }, ... 92, ) == 0x0
 00800   420   NtAllocateVirtualMemory  (-1, 1413120, 0, 4096, 4096, 4, ... 1413120, 4096, ) == 0x0
 00801   420   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00802   420   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00803   420   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 80, ) }, ... 80, ) == 0x0
 00804   420   NtQueryValueKey  (80,  (80, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0
 00805   420   NtClose  (80, ... ) == 0x0
 00806   420   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00807   420   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00808   420   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00809   420   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00810   420   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 80, ) }, ... 80, ) == 0x0
 00811   420   NtQueryValueKey  (80,  (80, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00812   420   NtQueryValueKey  (80,  (80, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00813   420   NtQueryValueKey  (80,  (80, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00814   420   NtClose  (80, ... ) == 0x0
 00815   420   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 80, ) }, ... 80, ) == 0x0
 00816   420   NtQueryValueKey  (80,  (80, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00817   420   NtQueryValueKey  (80,  (80, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00818   420   NtClose  (80, ... ) == 0x0
 00819   420   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00820   420   NtUserRegisterWindowMessage  ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b
 00821   420   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00822   420   NtOpenKey  (0x9, {24, 28, 0x40, 0, 0,  (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00823   420   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00824   420   NtAllocateVirtualMemory  (-1, 1417216, 0, 8192, 4096, 4, ... 1417216, 8192, ) == 0x0
 00825   420   NtCreateKey  (0xf003f, {24, 84, 0x40, 0, 0,  (0xf003f, {24, 84, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History"}, 0, 0x0, 0, ... 80, 2, ) }, 0, 0x0, 0, ... 80, 2, ) == 0x0
 00826   420   NtQueryDefaultUILanguage  (1239852, ...
 00827   420   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00828   420   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 00829   420   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00830   420   NtClose  (-2147482020, ... ) == 0x0
 00831   420   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00832   420   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00833   420   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00834   420   NtQueryValueKey  (-2147482032,  (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00835   420   NtClose  (-2147482032, ... ) == 0x0
 00836   420   NtClose  (-2147482020, ... ) == 0x0
 00826   420   NtQueryDefaultUILanguage  ... ) == 0x0
 00837   420   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00838   420   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll"}, 1, 96, ... 96, {status=0x0, info=1}, ) }, 1, 96, ... 96, {status=0x0, info=1}, ) == 0x0
 00839   420   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 96, ... 100, ) == 0x0
 00840   420   NtMapViewOfSection  (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xa10000), 0x0, 593920, ) == 0x0
 00841   420   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00842   420   NtQueryDefaultLocale  (1, 1237888, ... ) == 0x0
 00843   420   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00844   420   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1238744, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1238744, 1, 96, 0} "\210\6\35\1\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1`\0\0\0\377\377\377\377\0\0\0\0P\275\250\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0\330\355\22\0\0\0\0\0" ... {128, 156, reply, 0, 412, 420, 1499, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1`\0\0\0\377\377\377\377\0\0\0\0P\275\250\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0\330\355\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 412, 420, 1499, 0}  (24, {128, 156, new_msg, 0, 1238744, 1, 96, 0} "\210\6\35\1\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1`\0\0\0\377\377\377\377\0\0\0\0P\275\250\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0\330\355\22\0\0\0\0\0" ... {128, 156, reply, 0, 412, 420, 1499, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1`\0\0\0\377\377\377\377\0\0\0\0P\275\250\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0\330\355\22\0\0\0\0\0" )  ) == 0x0
 00845   420   NtClose  (96, ... ) == 0x0
 00846   420   NtClose  (100, ... ) == 0x0
 00847   420   NtUnmapViewOfSection  (-1, 0xa10000, ... ) == 0x0
 00848   420   NtUnmapViewOfSection  (-1, 0x12edd8, ... ) == STATUS_NOT_MAPPED_VIEW
 00849   420   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00850   420   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00851   420   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00852   420   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00853   420   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1236428, ... ) }, 1236428, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00854   420   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00855   420   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00856   420   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00857   420   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1237020, ... ) }, 1237020, ... ) == 0x0
 00858   420   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 100, {status=0x0, info=1}, ) }, 3, 33, ... 100, {status=0x0, info=1}, ) == 0x0
 00859   420   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00860   420   NtCreateKey  (0x2001f, {24, 84, 0x40, 0, 0,  (0x2001f, {24, 84, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 96, 2, ) }, 0, 0x0, 0, ... 96, 2, ) == 0x0
 00861   420   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00862   420   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1241484, ... ) }, 1241484, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00863   420   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2_32.dll"}, 1241484, ... ) }, 1241484, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00864   420   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 1241484, ... ) }, 1241484, ... ) == 0x0
 00865   420   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0
 00866   420   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 104, ... 108, ) == 0x0
 00867   420   NtQuerySection  (108, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00868   420   NtClose  (104, ... ) == 0x0
 00869   420   NtMapViewOfSection  (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 86016, ) == 0x0
 00870   420   NtClose  (108, ... ) == 0x0
 00871   420   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00872   420   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1240680, ... ) }, 1240680, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00873   420   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2HELP.dll"}, 1240680, ... ) }, 1240680, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00874   420   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 1240680, ... ) }, 1240680, ... ) == 0x0
 00875   420   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 5, 96, ... 108, {status=0x0, info=1}, ) }, 5, 96, ... 108, {status=0x0, info=1}, ) == 0x0
 00876   420   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 108, ... 104, ) == 0x0
 00877   420   NtQuerySection  (104, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00878   420   NtClose  (108, ... ) == 0x0
 00879   420   NtMapViewOfSection  (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00880   420   NtClose  (104, ... ) == 0x0
 00881   420   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00882   420   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00883   420   NtTestAlert  (... ) == 0x0
 00884   420   NtContinue  (1244464, 1, ...
 00885   420   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x48efae,}, 4, ... ) == 0x0
 00886   420   NtQueryPerformanceCounter  (... {99715574, 0}, {3579545, 0}, ) == 0x0
 00887   420   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00888   420   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 10551296, 65536, ) == 0x0
 00889   420   NtAllocateVirtualMemory  (-1, 10551296, 0, 4096, 4096, 4, ... 10551296, 4096, ) == 0x0
 00890   420   NtAllocateVirtualMemory  (-1, 10555392, 0, 8192, 4096, 4, ... 10555392, 8192, ) == 0x0
 00891   420   NtAllocateVirtualMemory  (-1, 10563584, 0, 4096, 4096, 4, ... 10563584, 4096, ) == 0x0
 00892   420   NtAllocateVirtualMemory  (-1, 10567680, 0, 4096, 4096, 4, ... 10567680, 4096, ) == 0x0
 00893   420   NtAllocateVirtualMemory  (-1, 0, 0, 6, 12288, 64, ... 10616832, 4096, ) == 0x0
 00894   420   NtProtectVirtualMemory  (-1, (0xa20000), 6, 64, ...
 00895   420   NtContinue  (-130908372, 0, ...
 00894   420   NtProtectVirtualMemory  ... ) == STATUS_ACCESS_VIOLATION
 00896   420   NtFreeVirtualMemory  (-1, (0xa20000), 0, 32768, ... (0xa20000), 4096, ) == 0x0
 00897   420   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1241932,  (0x80100080, {24, 0, 0x40, 0, 1241932, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 104, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 104, {status=0x0, info=1}, ) == 0x0
 00898   420   NtQueryInformationFile  (104, 1242868, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0
 00899   420   NtQueryInformationFile  (104, 1242840, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00900   420   NtQueryInformationFile  (104, 1242792, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00901   420   NtAllocateVirtualMemory  (-1, 1425408, 0, 8192, 4096, 4, ... 1425408, 8192, ) == 0x0
 00902   420   NtQueryInformationFile  (104, 1422952, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0
 00903   420   NtQueryInformationFile  (104, 1241336, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00904   420   NtQueryInformationFile  (104, 1241180, 4, Ea, ... {status=0x0, info=4}, ) == 0x0
 00905   420   NtCreateFile  (0x40110080, {24, 0, 0x40, 0, 1241188,  (0x40110080, {24, 0, 0x40, 0, 1241188, "\??\C:\WINDOWS\System32\eupsvc.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ...
 00906   420   NtClose  (-2147482020, ... ) == 0x0
 00905   420   NtCreateFile  ... 108, {status=0x0, info=2}, ) == 0x0
 00907   420   NtQueryVolumeInformationFile  (108, 1240560, 536, Attribute, ... {status=0x0, info=22}, ) == 0x0
 00908   420   NtQueryInformationFile  (108, 1240520, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00909   420   NtQueryVolumeInformationFile  (104, 1240560, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 00910   420   NtQueryVolumeInformationFile  (104, 1240244, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00911   420   NtSetInformationFile  (108, 1240348, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00912   420   NtCreateSection  (0xf001f, 0x0, 0x0, 2, 134217728, 104, ... 112, ) == 0x0
 00913   420   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xa20000), {0, 0}, 217088, ) == 0x0
 00914   420   NtClose  (112, ... ) == 0x0
 00915   420   NtWriteFile  (108, 0, 0, 0,  (108, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0    \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\370\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0V^\2517\22?\307d\22?\307d\22?\307d5\371\272d\11?\307d5\371\252d\234?\307d5\371\251d ?\307d\2217\232d\20?\307d\3210\232d\35?\307d\22?\306d\277?\307d5\371\265d\16?\307d5\371\277d\23?\307dRich\22?\307d\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0o\241\3\243"\202\300O\253\236\215\371S\364\26\360PE\0\0L\1\10\0!u\342E\0\0\0\0\0\0\0\0\340\0\3\1\13\1\10\0\0\320\1\0\0\260\0\0\0\0\0\0\256\357\10\0\0\320\5\0\0\340\1\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0`\11\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\320\5\0\20\1\0\0\0\220\3\0\260\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\321\5\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.tex", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) \202\300O\253\236\215\371S\364\26\360PE\0\0L\1\10\0!u\342E\0\0\0\0\0\0\0\0\340\0\3\1\13\1\10\0\0\320\1\0\0\260\0\0\0\0\0\0\256\357\10\0\0\320\5\0\0\340\1\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0`\11\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\320\5\0\20\1\0\0\0\220\3\0\260\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\321\5\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.tex", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 00916   420   NtWriteFile  (108, 0, 0, 0,  (108, 0, 0, 0, "\240\326\243_\3413\226\361\305d\223d\313?f\366\201\319\22\271\10\230\316Up}1T\356e\148\236@k\316\31f\346\324Z1-\354j\15\202\357K\321\352.uj\264r!\27I\355"\236\202I\0\4B\27\223\2005c\X\3]\235J\4[\12\216QY\200\211(\21\355RN\17AD\270%\255\21o\247\230\240\221\210$w\11\366H\6$\22\1=\31\371\240\230\202D\3046\356\0\344ru\377\207Kb\310\324)N\256\42D\314\267\265\276\251`\277AEM\16\270u\25\314U\3474\360Q\200\277\324\227\327\200\264(\1\7K\352"s\323\331\212\356jl5\225\223"b\253\301T\13\201\324\245\311\0\243%2\327\352\241\250\210\301m\272\330\325\270MY\26\37l\264\221\267\273\350\243\256\342\347\264\20z\273{\355\227BO\352Z\37\273\353"D\261\300q\341\11\247}G\353\26\365\236\324\336\2\334\316\344BE\216Z\231\20\312\363#\12\304\\304V\5\336W\374\212\325\250*\226\361U\210\331J\367*\365\3\266t\235\211\222@\301JF\21\316~=\275\306W.\252\30\5.\356I\367{\10\374\373^\214J\254'\351F|*\376\232\304.\256\7fCKB\267h\221\326\31\25,F.\355(+\343\334\35\14\204#\257k\223E24\210\223\5\364Y(?4i\3665]\227@\236\250v\214M::vS\355\367c\253\2031s\31\21\361\245*\356\311\316E\234\5\206)\316i)\316%a\203\326#\311x9A\247\374\12\274hs\201\245\4$W@\312h#"Xe\28R3\373\303;\212N\233\232\324!%i\271U\7\13\243][\370``\365\1\223\32V\21)\244\352\207C\305\200\342xc\220:`\232T\2302?\14\243\315\2kW\245\300\330\314\367\273\3001\225", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) \236\202I\0\4B\27\223\2005c\X\3]\235J\4[\12\216QY\200\211(\21\355RN\17AD\270%\255\21o\247\230\240\221\210$w\11\366H\6$\22\1=\31\371\240\230\202D\3046\356\0\344ru\377\207Kb\310\324)N\256\42D\314\267\265\276\251`\277AEM\16\270u\25\314U\3474\360Q\200\277\324\227\327\200\264(\1\7K\352 (108, 0, 0, 0, "\240\326\243_\3413\226\361\305d\223d\313?f\366\201\319\22\271\10\230\316Up}1T\356e\148\236@k\316\31f\346\324Z1-\354j\15\202\357K\321\352.uj\264r!\27I\355"\236\202I\0\4B\27\223\2005c\X\3]\235J\4[\12\216QY\200\211(\21\355RN\17AD\270%\255\21o\247\230\240\221\210$w\11\366H\6$\22\1=\31\371\240\230\202D\3046\356\0\344ru\377\207Kb\310\324)N\256\42D\314\267\265\276\251`\277AEM\16\270u\25\314U\3474\360Q\200\277\324\227\327\200\264(\1\7K\352"s\323\331\212\356jl5\225\223"b\253\301T\13\201\324\245\311\0\243%2\327\352\241\250\210\301m\272\330\325\270MY\26\37l\264\221\267\273\350\243\256\342\347\264\20z\273{\355\227BO\352Z\37\273\353"D\261\300q\341\11\247}G\353\26\365\236\324\336\2\334\316\344BE\216Z\231\20\312\363#\12\304\\304V\5\336W\374\212\325\250*\226\361U\210\331J\367*\365\3\266t\235\211\222@\301JF\21\316~=\275\306W.\252\30\5.\356I\367{\10\374\373^\214J\254'\351F|*\376\232\304.\256\7fCKB\267h\221\326\31\25,F.\355(+\343\334\35\14\204#\257k\223E24\210\223\5\364Y(?4i\3665]\227@\236\250v\214M::vS\355\367c\253\2031s\31\21\361\245*\356\311\316E\234\5\206)\316i)\316%a\203\326#\311x9A\247\374\12\274hs\201\245\4$W@\312h#"Xe\28R3\373\303;\212N\233\232\324!%i\271U\7\13\243][\370``\365\1\223\32V\21)\244\352\207C\305\200\342xc\220:`\232T\2302?\14\243\315\2kW\245\300\330\314\367\273\3001\225", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) b\253\301T\13\201\324\245\311\0\243%2\327\352\241\250\210\301m\272\330\325\270MY\26\37l\264\221\267\273\350\243\256\342\347\264\20z\273{\355\227BO\352Z\37\273\353 (108, 0, 0, 0, "\240\326\243_\3413\226\361\305d\223d\313?f\366\201\319\22\271\10\230\316Up}1T\356e\148\236@k\316\31f\346\324Z1-\354j\15\202\357K\321\352.uj\264r!\27I\355"\236\202I\0\4B\27\223\2005c\X\3]\235J\4[\12\216QY\200\211(\21\355RN\17AD\270%\255\21o\247\230\240\221\210$w\11\366H\6$\22\1=\31\371\240\230\202D\3046\356\0\344ru\377\207Kb\310\324)N\256\42D\314\267\265\276\251`\277AEM\16\270u\25\314U\3474\360Q\200\277\324\227\327\200\264(\1\7K\352"s\323\331\212\356jl5\225\223"b\253\301T\13\201\324\245\311\0\243%2\327\352\241\250\210\301m\272\330\325\270MY\26\37l\264\221\267\273\350\243\256\342\347\264\20z\273{\355\227BO\352Z\37\273\353"D\261\300q\341\11\247}G\353\26\365\236\324\336\2\334\316\344BE\216Z\231\20\312\363#\12\304\\304V\5\336W\374\212\325\250*\226\361U\210\331J\367*\365\3\266t\235\211\222@\301JF\21\316~=\275\306W.\252\30\5.\356I\367{\10\374\373^\214J\254'\351F|*\376\232\304.\256\7fCKB\267h\221\326\31\25,F.\355(+\343\334\35\14\204#\257k\223E24\210\223\5\364Y(?4i\3665]\227@\236\250v\214M::vS\355\367c\253\2031s\31\21\361\245*\356\311\316E\234\5\206)\316i)\316%a\203\326#\311x9A\247\374\12\274hs\201\245\4$W@\312h#"Xe\28R3\373\303;\212N\233\232\324!%i\271U\7\13\243][\370``\365\1\223\32V\21)\244\352\207C\305\200\342xc\220:`\232T\2302?\14\243\315\2kW\245\300\330\314\367\273\3001\225", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) Xe\28R3\373\303;\212N\233\232\324!%i\271U\7\13\243][\370``\365\1\223\32V\21)\244\352\207C\305\200\342xc\220:`\232T\2302?\14\243\315\2kW\245\300\330\314\367\273\3001\225", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 00917   420   NtWriteFile  (108, 0, 0, 0,  (108, 0, 0, 0, "\353`m\263\222\16Zi\373\3759\377Al:\306\233\30\21!g\226\254j\14Q\312\366P)6\252\361\374wR\276\216\30\3\6\310\255\6\303'tiZ\357L\17{\272\303\341\201\245\20\361\323yf&\17\6\11\261\207\300\303\321\17\30\367u@\301\324\371\356-\253.S\255\244"O2\34\22\255\274;T\237\363\354\11g\5\17\260Q\25e\345\233k\272O\313\202dw\355\277N\371:\373\346N\324R\352\11\21\36\225H\31\253\326g_\31-w\264'\304\336\245r\330\\277\3C&\3\341(\372\275\244\2113&y\366\12\331\11H\22E\331P\320\324\374\304\375b\232b\354\253nU\230\266\32U\372\330\266FP\207^b,\256\27G\325Hz|\264\315\216S\247\2c\263\34\267\10\320G\205\237\323\37\36\367\235\253\322\211\226\263\325#%\272\325\252V\357T\336Hw[9x\37\374\26G\207\35\253\7\225[<~\257\20221a\375\233\300<\374^\337\352\231D\225m\25\21s\225\244\340\3\206\15\302\331\13\257`\221\352\355=;\377}\104\363L\224\1181\243\346u\317\346\204\350\33=\276,z\263\203\227\353\342\361\340G\263\345\274\6\253c\230\262n\2260V-?\370\242\371\376=\235\355+\232\306\315\353\27\235[^\17\245\322\4K\271B\252\314\343E{0q\206\325\212\352\314\16\342\244\27\241\324U_[oL\327\332\320h\264\22\311\206\255\312\301\2774\364\300\242\310\34J\277.\261k\13g\353\251\32\307\234\7XX\301e7\227\26\322\360\226R\200\242\12m\363\331r\336+\202\30\341]\263\254\273l\21\27\343\210\24\255\245EV\4\305\310_\247\322\237|\326fT\213\251\255\267\2\255\13Uev(\374\375\37\226\275M\300]\310\215\316\303\7\202H\343p3\45\367\247}\377\26Fb\255", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) O2\34\22\255\274;T\237\363\354\11g\5\17\260Q\25e\345\233k\272O\313\202dw\355\277N\371:\373\346N\324R\352\11\21\36\225H\31\253\326g_\31-w\264'\304\336\245r\330\\277\3C&\3\341(\372\275\244\2113&y\366\12\331\11H\22E\331P\320\324\374\304\375b\232b\354\253nU\230\266\32U\372\330\266FP\207^b,\256\27G\325Hz|\264\315\216S\247\2c\263\34\267\10\320G\205\237\323\37\36\367\235\253\322\211\226\263\325#%\272\325\252V\357T\336Hw[9x\37\374\26G\207\35\253\7\225[<~\257\20221a\375\233\300<\374^\337\352\231D\225m\25\21s\225\244\340\3\206\15\302\331\13\257`\221\352\355=;\377}\104\363L\224\1181\243\346u\317\346\204\350\33=\276,z\263\203\227\353\342\361\340G\263\345\274\6\253c\230\262n\2260V-?\370\242\371\376=\235\355+\232\306\315\353\27\235[^\17\245\322\4K\271B\252\314\343E{0q\206\325\212\352\314\16\342\244\27\241\324U_[oL\327\332\320h\264\22\311\206\255\312\301\2774\364\300\242\310\34J\277.\261k\13g\353\251\32\307\234\7XX\301e7\227\26\322\360\226R\200\242\12m\363\331r\336+\202\30\341]\263\254\273l\21\27\343\210\24\255\245EV\4\305\310_\247\322\237|\326fT\213\251\255\267\2\255\13Uev(\374\375\37\226\275M\300]\310\215\316\303\7\202H\343p3\45\367\247}\377\26Fb\255", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 00918   420   NtWriteFile  (108, 0, 0, 0,  (108, 0, 0, 0, "\25\313\36\270\214\226\21B\304\243`\371\275\66-:\177\243\35\264OQ\207\273\321\2559\243/O\202\300\216\234\3505\315D*\27+\220\360\354\201\205G\337\266\240\331\221\303\273\333\242\5w\247\254\25_\376\332\12\240\26\4!\212e\22e\344\276/Y\341\235] \362\240!YK\343F\36\370\36\13\255\270\361\316\245\210#\16\3\332\215\371fC\263\243\253\262\220\323]\21\37\12\277o\222\252\231\316T\354\207U\205\334\25-r\251\274\373%\22\251\66\313\2534g}S\177\17\271\232\360~\313E\234U\305\2515z\252\226\376g\211\15\203\364\316\275\314\310\237Iz\227+\233\317\270f\21\310?\266\367\213\251\24\34\365\321\307\370;\31?\334+\232\231~\30\0i\231c\303\36\325\253\361[\276\205lp\264O\224<\365\353\200B@\247\4\360\225\366B\212H9\336\252\242Ui\265\330\331\364\371\305a\3663\347\213[\315\250\343m\321\273$\203\210\350\27\234\271"\16\3774\312\215^\26\275{Yv}\366\322Tc\321'\221&2\275\244\352\343\12%\245\323\274\231\320\237,\270{\333a2m\331G\352\243\261\320\262~_\376A~wS-\366X*\275d?_\241S\37J\321\311fITQF\341Zm\320\320\312\23\30QfoQ%\236\24\241\202T\334t\264\211\376\320\300\25jt\331\365\2\245\15\276s\26\307\\331\267m`n5\272J\312\360\201\317\324(\375f]\355\33\256\13#\6\320\5D\6\247%\200\376\210oe\30+\368\243\2454\2137\327e\371\27\336\201\314\331$\3N]\177\341\227\3270\5\236\355\352\344\306\366\303t0\370\230i->LX\4\263\345 \364/\10\342\325\363X\33\277\357\260\357>G\344\344\244D)\373\23\23?\321^\205\16\337\372\240C\342\276", 29696, 0x0, 0, ... {status=0x0, info=29696}, ) \16\3774\312\215^\26\275{Yv}\366\322Tc\321'\221&2\275\244\352\343\12%\245\323\274\231\320\237,\270{\333a2m\331G\352\243\261\320\262~_\376A~wS-\366X*\275d?_\241S\37J\321\311fITQF\341Zm\320\320\312\23\30QfoQ%\236\24\241\202T\334t\264\211\376\320\300\25jt\331\365\2\245\15\276s\26\307\\331\267m`n5\272J\312\360\201\317\324(\375f]\355\33\256\13#\6\320\5D\6\247%\200\376\210oe\30+\368\243\2454\2137\327e\371\27\336\201\314\331$\3N]\177\341\227\3270\5\236\355\352\344\306\366\303t0\370\230i->LX\4\263\345 \364/\10\342\325\363X\33\277\357\260\357>G\344\344\244D)\373\23\23?\321^\205\16\337\372\240C\342\276", 29696, 0x0, 0, ... {status=0x0, info=29696}, ) == 0x0
 00919   420   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 00920   420   NtSetInformationFile  (108, 1242792, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 00921   420   NtClose  (104, ... ) == 0x0
 00922   420   NtClose  (108, ... ) == 0x0
 00923   420   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 00924   420   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\eupsvc.exe"}, 1239084, ... ) }, 1239084, ... ) == 0x0
 00925   420   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\eupsvc.exe"}, 1239776, ... ) }, 1239776, ... ) == 0x0
 00926   420   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\eupsvc.exe"}, 5, 96, ... 108, {status=0x0, info=1}, ) }, 5, 96, ... 108, {status=0x0, info=1}, ) == 0x0
 00927   420   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 108, ... 104, ) == 0x0
 00928   420   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00929   420   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 112, ) }, ... 112, ) == 0x0
 00930   420   NtQueryValueKey  (112,  (112, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00931   420   NtClose  (112, ... ) == 0x0
 00932   420   NtQueryVolumeInformationFile  (108, 1239084, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00933   420   NtOpenMutant  (0x120001, {24, 52, 0x0, 0, 0,  (0x120001, {24, 52, 0x0, 0, 0, "ShimCacheMutex"}, ... 112, ) }, ... 112, ) == 0x0
 00934   420   NtWaitForSingleObject  (112, 0, {-1000000, -1}, ... ) == 0x0
 00935   420   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "ShimSharedMemory"}, ... 116, ) }, ... 116, ) == 0x0
 00936   420   NtMapViewOfSection  (116, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 57344, ) == 0x0
 00937   420   NtReleaseMutant  (112, ... 0x0, ) == 0x0
 00938   420   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1237068, ... ) }, 1237068, ... ) == 0x0
 00939   420   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 120, {status=0x0, info=1}, ) }, 5, 96, ... 120, {status=0x0, info=1}, ) == 0x0
 00940   420   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 120, ... 124, ) == 0x0
 00941   420   NtClose  (120, ... ) == 0x0
 00942   420   NtMapViewOfSection  (124, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa30000), 0x0, 106496, ) == 0x0
 00943   420   NtClose  (124, ... ) == 0x0
 00944   420   NtUnmapViewOfSection  (-1, 0xa30000, ... ) == 0x0
 00945   420   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1237384, ... ) }, 1237384, ... ) == 0x0
 00946   420   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 124, {status=0x0, info=1}, ) }, 5, 96, ... 124, {status=0x0, info=1}, ) == 0x0
 00947   420   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 124, ... 120, ) == 0x0
 00948   420   NtQuerySection  (120, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00949   420   NtClose  (124, ... ) == 0x0
 00950   420   NtMapViewOfSection  (120, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f40000), 0x0, 118784, ) == 0x0
 00951   420   NtClose  (120, ... ) == 0x0
 00952   420   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 120, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 120, {status=0x0, info=1}, ) == 0x0
 00953   420   NtQueryInformationFile  (120, 1237672, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00954   420   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 120, ... 124, ) == 0x0
 00955   420   NtMapViewOfSection  (124, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xa30000), 0x0, 1028096, ) == 0x0
 00956   420   NtQueryInformationFile  (120, 1237768, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00957   420   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00958   420   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00959   420   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 00960   420   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 128, {status=0x0, info=1}, ) }, 3, 16417, ... 128, {status=0x0, info=1}, ) == 0x0
 00961   420   NtQueryDirectoryFile  (128, 0, 0, 0, 1235332, 616, BothDirectory, 1,  (128, 0, 0, 0, 1235332, 616, BothDirectory, 1, "eupsvc.exe", 0, ... {status=0x0, info=114}, ) , 0, ... {status=0x0, info=114}, ) == 0x0
 00962   420   NtClose  (128, ... ) == 0x0
 00963   420   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00964   420   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00965   420   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\eupsvc.exe"}, 1234720, ... ) }, 1234720, ... ) == 0x0
 00966   420   NtAllocateVirtualMemory  (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0
 00967   420   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 128, {status=0x0, info=1}, ) }, 3, 16417, ... 128, {status=0x0, info=1}, ) == 0x0
 00968   420   NtQueryDirectoryFile  (128, 0, 0, 0, 1234080, 616, BothDirectory, 1,  (128, 0, 0, 0, 1234080, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 00969   420   NtClose  (128, ... ) == 0x0
 00970   420   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 128, {status=0x0, info=1}, ) }, 3, 16417, ... 128, {status=0x0, info=1}, ) == 0x0
 00971   420   NtQueryDirectoryFile  (128, 0, 0, 0, 1234080, 616, BothDirectory, 1,  (128, 0, 0, 0, 1234080, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 00972   420   NtClose  (128, ... ) == 0x0
 00973   420   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 128, {status=0x0, info=1}, ) }, 3, 16417, ... 128, {status=0x0, info=1}, ) == 0x0
 00974   420   NtQueryDirectoryFile  (128, 0, 0, 0, 1234080, 616, BothDirectory, 1,  (128, 0, 0, 0, 1234080, 616, BothDirectory, 1, "eupsvc.exe", 0, ... {status=0x0, info=114}, ) , 0, ... {status=0x0, info=114}, ) == 0x0
 00975   420   NtClose  (128, ... ) == 0x0
 00976   420   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00977   420   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00978   420   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 00979   420   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00980   420   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 128, ) == 0x0
 00981   420   NtQueryInformationToken  (128, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00982   420   NtClose  (128, ... ) == 0x0
 00983   420   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00984   420   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\eupsvc.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00985   420   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00986   420   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00987   420   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\eupsvc.exe"}, 1237000, ... ) }, 1237000, ... ) == 0x0
 00988   420   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 128, {status=0x0, info=1}, ) }, 3, 16417, ... 128, {status=0x0, info=1}, ) == 0x0
 00989   420   NtQueryDirectoryFile  (128, 0, 0, 0, 1236360, 616, BothDirectory, 1,  (128, 0, 0, 0, 1236360, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 00990   420   NtClose  (128, ... ) == 0x0
 00991   420   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 128, {status=0x0, info=1}, ) }, 3, 16417, ... 128, {status=0x0, info=1}, ) == 0x0
 00992   420   NtQueryDirectoryFile  (128, 0, 0, 0, 1236360, 616, BothDirectory, 1,  (128, 0, 0, 0, 1236360, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 00993   420   NtClose  (128, ... ) == 0x0
 00994   420   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 128, {status=0x0, info=1}, ) }, 3, 16417, ... 128, {status=0x0, info=1}, ) == 0x0
 00995   420   NtQueryDirectoryFile  (128, 0, 0, 0, 1236360, 616, BothDirectory, 1,  (128, 0, 0, 0, 1236360, 616, BothDirectory, 1, "eupsvc.exe", 0, ... {status=0x0, info=114}, ) , 0, ... {status=0x0, info=114}, ) == 0x0
 00996   420   NtClose  (128, ... ) == 0x0
 00997   420   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00998   420   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00999   420   NtWaitForSingleObject  (112, 0, {-1000000, -1}, ... ) == 0x0
 01000   420   NtQueryVolumeInformationFile  (108, 1237644, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01001   420   NtQueryInformationFile  (108, 1237624, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01002   420   NtQueryInformationFile  (108, 1237664, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01003   420   NtReleaseMutant  (112, ... 0x0, ) == 0x0
 01004   420   NtUnmapViewOfSection  (-1, 0xa30000, ... ) == 0x0
 01005   420   NtClose  (124, ... ) == 0x0
 01006   420   NtClose  (120, ... ) == 0x0
 01007   420   NtQuerySection  (104, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01008   420   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\eupsvc.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01009   420   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 01010   420   NtOpenProcessToken  (-1, 0xa, ... 120, ) == 0x0
 01011   420   NtQueryInformationToken  (120, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 01012   420   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01013   420   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 124, ) }, ... 124, ) == 0x0
 01014   420   NtQueryValueKey  (124,  (124, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (124, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01015   420   NtQueryValueKey  (124,  (124, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (124, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01016   420   NtClose  (124, ... ) == 0x0
 01017   420   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 124, ) }, ... 124, ) == 0x0
 01018   420   NtQueryValueKey  (124,  (124, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 01019   420   NtQueryValueKey  (124,  (124, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (124, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0
 01020   420   NtClose  (124, ... ) == 0x0
 01021   420   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\LevelObjects"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01022   420   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 124, ) }, ... 124, ) == 0x0
 01023   420   NtQueryValueKey  (124,  (124, "Levels", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01024   420   NtClose  (124, ... ) == 0x0
 01025   420   NtQueryDefaultLocale  (1, 1238456, ... ) == 0x0
 01026   420   NtQueryDefaultLocale  (1, 1238456, ... ) == 0x0
 01027   420   NtQueryDefaultLocale  (1, 1238456, ... ) == 0x0
 01028   420   NtQueryDefaultLocale  (1, 1238456, ... ) == 0x0
 01029   420   NtQueryDefaultLocale  (1, 1238456, ... ) == 0x0
 01030   420   NtQueryDefaultLocale  (1, 1238456, ... ) == 0x0
 01031   420   NtQueryDefaultLocale  (1, 1238456, ... ) == 0x0
 01032   420   NtQueryDefaultLocale  (1, 1238456, ... ) == 0x0
 01033   420   NtQueryDefaultLocale  (1, 1238456, ... ) == 0x0
 01034   420   NtQueryDefaultLocale  (1, 1238456, ... ) == 0x0
 01035   420   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... 124, ) }, ... 124, ) == 0x0
 01036   420   NtEnumerateKey  (124, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name= (124, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name="{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, 92, ) }, 92, ) == 0x0
 01037   420   NtOpenKey  (0x20019, {24, 124, 0x40, 0, 0,  (0x20019, {24, 124, 0x40, 0, 0, "{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, ... 128, ) }, ... 128, ) == 0x0
 01038   420   NtQueryValueKey  (128,  (128, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) , Partial, 280, ... TitleIdx=0, Type=2, Data= (128, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) }, 202, ) == 0x0
 01039   420   NtQueryValueKey  (128,  (128, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (128, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01040   420   NtClose  (128, ... ) == 0x0
 01041   420   NtEnumerateKey  (124, 1, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES
 01042   420   NtClose  (124, ... ) == 0x0
 01043   420   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01044   420   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01045   420   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01046   420   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01047   420   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01048   420   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01049   420   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01050   420   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01051   420   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01052   420   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01053   420   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01054   420   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01055   420   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01056   420   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01057   420   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01058   420   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 124, ) == 0x0
 01059   420   NtQueryInformationToken  (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01060   420   NtClose  (124, ... ) == 0x0
 01061   420   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01062   420   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01063   420   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 124, ) == 0x0
 01064   420   NtQueryInformationToken  (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01065   420   NtClose  (124, ... ) == 0x0
 01066   420   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01067   420   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01068   420   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 124, ) == 0x0
 01069   420   NtQueryInformationToken  (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01070   420   NtClose  (124, ... ) == 0x0
 01071   420   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01072   420   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01073   420   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 124, ) == 0x0
 01074   420   NtQueryInformationToken  (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01075   420   NtClose  (124, ... ) == 0x0
 01076   420   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01077   420   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01078   420   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 124, ) == 0x0
 01079   420   NtQueryInformationToken  (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01080   420   NtClose  (124, ... ) == 0x0
 01081   420   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01082   420   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01083   420   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 124, ) == 0x0
 01084   420   NtQueryInformationToken  (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01085   420   NtClose  (124, ... ) == 0x0
 01086   420   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01087   420   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01088   420   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 124, ) == 0x0
 01089   420   NtQueryInformationToken  (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01090   420   NtClose  (124, ... ) == 0x0
 01091   420   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01092   420   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01093   420   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 124, ) == 0x0
 01094   420   NtQueryInformationToken  (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01095   420   NtClose  (124, ... ) == 0x0
 01096   420   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01097   420   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01098   420   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 124, ) == 0x0
 01099   420   NtQueryInformationToken  (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01100   420   NtClose  (124, ... ) == 0x0
 01101   420   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01102   420   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01103   420   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 124, ) == 0x0
 01104   420   NtQueryInformationToken  (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01105   420   NtClose  (124, ... ) == 0x0
 01106   420   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01107   420   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01108   420   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 124, ) == 0x0
 01109   420   NtQueryInformationToken  (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01110   420   NtClose  (124, ... ) == 0x0
 01111   420   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01112   420   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01113   420   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 124, ) == 0x0
 01114   420   NtQueryInformationToken  (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01115   420   NtClose  (124, ... ) == 0x0
 01116   420   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01117   420   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01118   420   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 124, ) == 0x0
 01119   420   NtQueryInformationToken  (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01120   420   NtClose  (124, ... ) == 0x0
 01121   420   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01122   420   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01123   420   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 124, ) == 0x0
 01124   420   NtQueryInformationToken  (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01125   420   NtClose  (124, ... ) == 0x0
 01126   420   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01127   420   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01128   420   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 124, ) == 0x0
 01129   420   NtQueryInformationToken  (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01130   420   NtClose  (124, ... ) == 0x0
 01131   420   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01132   420   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 124, ) }, ... 124, ) == 0x0
 01133   420   NtQueryValueKey  (124,  (124, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (124, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Data= (124, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) }, 48, ) == 0x0
 01134   420   NtClose  (124, ... ) == 0x0
 01135   420   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01136   420   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 124, ) == 0x0
 01137   420   NtQueryInformationToken  (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01138   420   NtClose  (124, ... ) == 0x0
 01139   420   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01140   420   NtOpenThreadToken  (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN
 01141   420   NtOpenProcessToken  (-1, 0xa, ... 124, ) == 0x0
 01142   420   NtDuplicateToken  (124, 0xc, {24, 0, 0x0, 0, 1238976, 0x0}, 0, 2, ... 128, ) == 0x0
 01143   420   NtClose  (124, ... ) == 0x0
 01144   420   NtAccessCheck  (1430784, 128, 0x1, 1239104, 1239048, 56, 1239132, ... (0x1), ) == 0x0
 01145   420   NtClose  (128, ... ) == 0x0
 01146   420   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 128, ) }, ... 128, ) == 0x0
 01147   420   NtQueryValueKey  (128,  (128, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (128, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01148   420   NtClose  (128, ... ) == 0x0
 01149   420   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 128, ) }, ... 128, ) == 0x0
 01150   420   NtQuerySymbolicLinkObject  (128, ...  (128, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0
 01151   420   NtClose  (128, ... ) == 0x0
 01152   420   NtQueryInformationFile  (108, 1237436, 528, Name, ... {status=0x0, info=60}, ) == 0x0
 01153   420   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01154   420   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01155   420   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\eupsvc.exe"}, 1236116, ... ) }, 1236116, ... ) == 0x0
 01156   420   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 128, {status=0x0, info=1}, ) }, 3, 16417, ... 128, {status=0x0, info=1}, ) == 0x0
 01157   420   NtQueryDirectoryFile  (128, 0, 0, 0, 1235476, 616, BothDirectory, 1,  (128, 0, 0, 0, 1235476, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01158   420   NtClose  (128, ... ) == 0x0
 01159   420   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 128, {status=0x0, info=1}, ) }, 3, 16417, ... 128, {status=0x0, info=1}, ) == 0x0
 01160   420   NtQueryDirectoryFile  (128, 0, 0, 0, 1235476, 616, BothDirectory, 1,  (128, 0, 0, 0, 1235476, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01161   420   NtClose  (128, ... ) == 0x0
 01162   420   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 128, {status=0x0, info=1}, ) }, 3, 16417, ... 128, {status=0x0, info=1}, ) == 0x0
 01163   420   NtQueryDirectoryFile  (128, 0, 0, 0, 1235476, 616, BothDirectory, 1,  (128, 0, 0, 0, 1235476, 616, BothDirectory, 1, "eupsvc.exe", 0, ... {status=0x0, info=114}, ) , 0, ... {status=0x0, info=114}, ) == 0x0
 01164   420   NtClose  (128, ... ) == 0x0
 01165   420   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01166   420   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01167   420   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01168   420   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 128, ) == 0x0
 01169   420   NtQueryInformationToken  (128, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01170   420   NtClose  (128, ... ) == 0x0
 01171   420   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 128, ) }, ... 128, ) == 0x0
 01172   420   NtOpenKey  (0x20019, {24, 128, 0x40, 0, 0,  (0x20019, {24, 128, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 124, ) }, ... 124, ) == 0x0
 01173   420   NtClose  (128, ... ) == 0x0
 01174   420   NtQueryValueKey  (124,  (124, "Cache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01175   420   NtQueryValueKey  (124,  (124, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=1, Data= (124, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) }, 162, ) == 0x0
 01176   420   NtClose  (124, ... ) == 0x0
 01177   420   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 8192, 4, ... 10682368, 4096, ) == 0x0
 01178   420   NtAllocateVirtualMemory  (-1, 10682368, 0, 4096, 4096, 4, ... 10682368, 4096, ) == 0x0
 01179   420   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 124, ) }, ... 124, ) == 0x0
 01180   420   NtQueryValueKey  (124,  (124, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01181   420   NtClose  (124, ... ) == 0x0
 01182   420   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01183   420   NtQueryInformationToken  (120, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0
 01184   420   NtQueryInformationToken  (120, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0
 01185   420   NtClose  (120, ... ) == 0x0
 01186   420   NtCreateProcessEx  (1241712, 2035711, 0, -1, 0, 104, 0, 0, 0, ... ) == 0x0
 01187   420   NtSetInformationProcess  (120, PriorityClass, {process info, class 18, size 2}, 83886592, ... ) == 0x0
 01188   420   NtQueryInformationProcess  (120, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=364,ParentPid=412,}, 0x0, ) == 0x0
 01189   420   NtReadVirtualMemory  (120, 0x7ffdf008, 4, ...  (120, 0x7ffdf008, 4, ... "\0\0@\0", 0x0, ) , 0x0, ) == 0x0
 01190   420   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\eupsvc.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01191   420   NtAllocateVirtualMemory  (-1, 1433600, 0, 8192, 4096, 4, ... 1433600, 8192, ) == 0x0
 01192   420   NtReadVirtualMemory  (120, 0x400000, 4096, ...  (120, 0x400000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0    \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\370\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0V^\2517\22?\307d\22?\307d\22?\307d5\371\272d\11?\307d5\371\252d\234?\307d5\371\251d ?\307d\2217\232d\20?\307d\3210\232d\35?\307d\22?\306d\277?\307d5\371\265d\16?\307d5\371\277d\23?\307dRich\22?\307d\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0o\241\3\243"\202\300O\253\236\215\371S\364\26\360PE\0\0L\1\10\0!u\342E\0\0\0\0\0\0\0\0\340\0\3\1\13\1\10\0\0\320\1\0\0\260\0\0\0\0\0\0\256\357\10\0\0\320\5\0\0\340\1\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0`\11\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\320\5\0\20\1\0\0\0\220\3\0\260\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\321\5\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.tex", 4096, ) \202\300O\253\236\215\371S\364\26\360PE\0\0L\1\10\0!u\342E\0\0\0\0\0\0\0\0\340\0\3\1\13\1\10\0\0\320\1\0\0\260\0\0\0\0\0\0\256\357\10\0\0\320\5\0\0\340\1\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0`\11\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\320\5\0\20\1\0\0\0\220\3\0\260\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\321\5\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.tex", 4096, ) == 0x0
 01193   420   NtReadVirtualMemory  (120, 0x439000, 256, ...  (120, 0x439000, 256, ... "\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\30\0\0\0\30\0\0\200\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\1\0\0\00\0\0\200\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\11\4\0\0H\0\0\0X\220\3\0V\0\0\0\344\4\0\0\0\0\0\0\15\12PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING", 256, ) urn:schemas-microsoft-com:asm.v1 (120, 0x439000, 256, ... "\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\30\0\0\0\30\0\0\200\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\1\0\0\00\0\0\200\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\11\4\0\0H\0\0\0X\220\3\0V\0\0\0\344\4\0\0\0\0\0\0\15\12PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING", 256, ) 1.0 (120, 0x439000, 256, ... "\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\30\0\0\0\30\0\0\200\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\1\0\0\00\0\0\200\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\11\4\0\0H\0\0\0X\220\3\0V\0\0\0\344\4\0\0\0\0\0\0\15\12PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING", 256, ) , 256, ) == 0x0
 01194   420   NtReadVirtualMemory  (120, 0x439018, 24, ...  (120, 0x439018, 24, ... "\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\1\0\0\00\0\0\200", 24, ) , 24, ) == 0x0
 01195   420   NtReadVirtualMemory  (120, 0x439030, 24, ...  (120, 0x439030, 24, ... "\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\11\4\0\0H\0\0\0", 24, ) , 24, ) == 0x0
 01196   420   NtReadVirtualMemory  (120, 0x439048, 16, ...  (120, 0x439048, 16, ... "X\220\3\0V\0\0\0\344\4\0\0\0\0\0\0", 16, ) , 16, ) == 0x0
 01197   420   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\eupsvc.exe.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01198   420   NtQueryInformationProcess  (120, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=364,ParentPid=412,}, 0x0, ) == 0x0
 01199   420   NtAllocateVirtualMemory  (-1, 0, 0, 1716, 4096, 4, ... 10747904, 4096, ) == 0x0
 01200   420   NtAllocateVirtualMemory  (120, 0, 0, 1910, 4096, 4, ... 65536, 4096, ) == 0x0
 01201   420   NtWriteVirtualMemory  (120, 0x10000,  (120, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0
 01202   420   NtAllocateVirtualMemory  (120, 0, 0, 1716, 4096, 4, ... 131072, 4096, ) == 0x0
 01203   420   NtWriteVirtualMemory  (120, 0x20000,  (120, 0x20000, "\0\20\0\0\264\6\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0\10\2\220\2\0\0\0\0\0\0\374\0\376\0\230\4\0\0<\0>\0\230\5\0\0v\0x\0\330\5\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0<\0>\0P\6\0\0\36\0 \0\220\6\0\0\0\0\2\0\260\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1716, ... 0x0, ) , 1716, ... 0x0, ) == 0x0
 01204   420   NtWriteVirtualMemory  (120, 0x7ffdf010,  (120, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 01205   420   NtWriteVirtualMemory  (120, 0x7ffdf1e8,  (120, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 01206   420   NtFreeVirtualMemory  (-1, (0xa40000), 0, 32768, ... (0xa40000), 4096, ) == 0x0
 01207   420   NtAllocateVirtualMemory  (120, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0
 01208   420   NtAllocateVirtualMemory  (120, 1236992, 0, 8192, 4096, 4, ... 1236992, 8192, ) == 0x0
 01209   420   NtProtectVirtualMemory  (120, (0x12e000), 4096, 260, ... (0x12e000), 4096, 4, ) == 0x0
 01210   420   NtCreateThread  (0x1f03ff, 0x0, 120, 1239976, 1240696, 1, ... 124, {364, 564}, ) == 0x0
 01211   420   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 1378696, 1376256, 1396744, 1241796}  (24, {168, 196, new_msg, 0, 1378696, 1376256, 1396744, 1241796} "\210\6\35\1\0\0\1\0\2$\370w U\367w{\0\0\0|\0\0\0l\1\0\04\2\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\215\26\365w\0\0\0\0\1\0\0\0\0\0\0\0\1\1\1\0<\0@\0\244\6\35\1l\0\0\0x\0\0\0\0\0\0\0X\220C\0\0\0\0\0V\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0@\0\344\6\35\1\0\360\375\177\0\0\0\0\0\0\241\0\220\36\241\0" ... {168, 196, reply, 0, 412, 420, 1500, 0} "\320\231\26\0\0\0\1\0\0\0\0\0 U\367wx\0\0\0|\0\0\0l\1\0\04\2\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\215\26\365w\0\0\0\0\1\0\0\0\0\0\0\0\1\1\1\0<\0@\0\244\6\35\1l\0\0\0x\0\0\0\0\0\0\0X\220C\0\0\0\0\0V\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0@\0\344\6\35\1\0\360\375\177\0\0\0\0\0\0\241\0\220\36\241\0" )  ... {168, 196, reply, 0, 412, 420, 1500, 0}  (24, {168, 196, new_msg, 0, 1378696, 1376256, 1396744, 1241796} "\210\6\35\1\0\0\1\0\2$\370w U\367w{\0\0\0|\0\0\0l\1\0\04\2\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\215\26\365w\0\0\0\0\1\0\0\0\0\0\0\0\1\1\1\0<\0@\0\244\6\35\1l\0\0\0x\0\0\0\0\0\0\0X\220C\0\0\0\0\0V\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0@\0\344\6\35\1\0\360\375\177\0\0\0\0\0\0\241\0\220\36\241\0" ... {168, 196, reply, 0, 412, 420, 1500, 0} "\320\231\26\0\0\0\1\0\0\0\0\0 U\367wx\0\0\0|\0\0\0l\1\0\04\2\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\215\26\365w\0\0\0\0\1\0\0\0\0\0\0\0\1\1\1\0<\0@\0\244\6\35\1l\0\0\0x\0\0\0\0\0\0\0X\220C\0\0\0\0\0V\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0@\0\344\6\35\1\0\360\375\177\0\0\0\0\0\0\241\0\220\36\241\0" )  ) == 0x0
 01212   420   NtResumeThread  (124, ... 1, ) == 0x0
 01213   420   NtClose  (108, ... ) == 0x0
 01214   420   NtClose  (104, ... ) == 0x0
 01215   420   NtTerminateProcess  (0, 0, ... ) == 0x0
 01216   420   NtClose  (96, ... ) == 0x0
 01217   420   NtUnmapViewOfSection  (-1, 0x8f0000, ... ) == 0x0
 01218   420   NtClose  (100, ... ) == 0x0
 01219   420   NtClose  (80, ... ) == 0x0
 01220   420   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xa,}, 4, ... ) == 0x0
 01221   420   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc03b
 01222   420   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01223   420   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc03d
 01224   420   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01225   420   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc03f
 01226   420   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01227   420   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc041
 01228   420   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01229   420   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc043
 01230   420   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01231   420   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc045
 01232   420   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01233   420   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc047
 01234   420   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01235   420   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc049
 01236   420   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01237   420   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc04b
 01238   420   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01239   420   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc04d
 01240   420   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01241   420   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc04f
 01242   420   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01243   420   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc051
 01244   420   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01245   420   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc053
 01246   420   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01247   420   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc057
 01248   420   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01249   420   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc059
 01250   420   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01251   420   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc05b
 01252   420   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01253   420   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc05d
 01254   420   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01255   420   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc05f
 01256   420   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01257   420   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc017
 01258   420   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01259   420   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc019
 01260   420   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01261   420   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc018
 01262   420   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01263   420   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc01a
 01264   420   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01265   420   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc01c
 01266   420   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01267   420   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc01e
 01268   420   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01269   420   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc01b
 01270   420   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01271   420   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc068
 01272   420   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01273   420   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc06a
 01274   420   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01275   420   NtUnmapViewOfSection  (-1, 0x900000, ... ) == 0x0
 01276   420   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x4,}, 4, ... ) == 0x0
 01277   420   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x1,}, 4, ... ) == 0x0
 01278   420   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x2,}, 4, ... ) == 0x0
 01279   420   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x3,}, 4, ... ) == 0x0
 01280   420   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc03b
 01281   420   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01282   420   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc03d
 01283   420   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01284   420   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc03f
 01285   420   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01286   420   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc041
 01287   420   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01288   420   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc043
 01289   420   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01290   420   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc045
 01291   420   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01292   420   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc047
 01293   420   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01294   420   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc049
 01295   420   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01296   420   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc04b
 01297   420   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01298   420   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc04d
 01299   420   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01300   420   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc04f
 01301   420   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01302   420   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc051
 01303   420   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01304   420   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc053
 01305   420   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01306   420   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc057
 01307   420   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01308   420   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc059
 01309   420   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01310   420   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc05b
 01311   420   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01312   420   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc05d
 01313   420   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01314   420   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc05f
 01315   420   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01316   420   NtFreeVirtualMemory  (-1, (0xa30000), 4096, 32768, ... (0xa30000), 4096, ) == 0x0
 01317   420   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, -1, 4199054, 4310954, 4421244}  (24, {20, 48, new_msg, 0, -1, 4199054, 4310954, 4421244} "\0\0\0\0\3\0\1\0\320vC\0C:\W\0\0\0\0" ... {20, 48, reply, 0, 412, 420, 1508, 0} "\0\0\0\0\3\0\1\0\0\0\0\0C:\W\0\0\0\0" )  ... {20, 48, reply, 0, 412, 420, 1508, 0}  (24, {20, 48, new_msg, 0, -1, 4199054, 4310954, 4421244} "\0\0\0\0\3\0\1\0\320vC\0C:\W\0\0\0\0" ... {20, 48, reply, 0, 412, 420, 1508, 0} "\0\0\0\0\3\0\1\0\0\0\0\0C:\W\0\0\0\0" )  ) == 0x0
 01318   420   NtTerminateProcess  (-1, 0, ...
 01319   420   NtClose  (44, ... ) == 0x0