Summary:


NtAddAtom(>)  1 
NtUserGetThreadDesktop(>)  1 
NtUserFindWindowEx(>)  4 
NtUserRegisterWindowMessage(>)  19 

NtAdjustPrivilegesToken(>)  1 
NtAccessCheck(>)  2 
NtWaitForSingleObject(>)  4 
NtCreateSection(>)  20 

NtCallbackReturn(>)  1 
NtCreateIoCompletion(>)  2 
NtDuplicateObject(>)  5 
NtOpenProcessTokenEx(>)  25 

NtCreateProcessEx(>)  1 
NtCreateKey(>)  2 
NtGdiGetStockObject(>)  5 
NtOpenThreadTokenEx(>)  25 

NtDuplicateToken(>)  1 
NtCreateThread(>)  2 
NtSetInformationFile(>)  5 
NtOpenProcess(>)  26 

NtEnumerateValueKey(>)  1 
NtEnumerateKey(>)  2 
NtWriteFile(>)  5 
NtQueryAttributesFile(>)  27 

NtGdiCreateBitmap(>)  1 
NtGdiCreateSolidBrush(>)  2 
NtFreeVirtualMemory(>)  6 
NtQuerySystemInformation(>)  30 

NtGdiInit(>)  1 
NtOpenDirectoryObject(>)  2 
NtOpenProcessToken(>)  6 
NtQueryInformationToken(>)  31 

NtGdiQueryFontAssocInfo(>)  1 
NtOpenEvent(>)  2 
NtQueryVolumeInformationFile(>)  6 
NtReadVirtualMemory(>)  33 

NtGdiSelectBitmap(>)  1 
NtOpenSymbolicLinkObject(>)  2 
NtCreateFile(>)  7 
NtOpenFile(>)  35 

NtNotifyChangeKey(>)  1 
NtQueryInstallUILanguage(>)  2 
NtSetInformationProcess(>)  7 
NtQueryValueKey(>)  40 

NtOpenKeyedEvent(>)  1 
NtQuerySymbolicLinkObject(>)  2 
NtQueryDefaultUILanguage(>)  8 
NtUnmapViewOfSection(>)  40 

NtQueryInformationJobObject(>)  1 
NtRaiseException(>)  2 
NtQuerySection(>)  8 
NtUserUnregisterClass(>)  45 

NtQueryObject(>)  1 
NtResumeThread(>)  2 
NtSetInformationThread(>)  8 
NtOpenSection(>)  48 

NtQueryPerformanceCounter(>)  1 
NtTerminateProcess(>)  2 
NtCreateEvent(>)  9 
NtUserFindExistingCursorIcon(>)  48 

NtQuerySystemTime(>)  1 
NtCreateSemaphore(>)  3 
NtRequestWaitReplyPort(>)  9 
NtAllocateVirtualMemory(>)  56 

NtReadFile(>)  1 
NtGdiCreateCompatibleDC(>)  3 
NtContinue(>)  10 
NtWriteVirtualMemory(>)  61 

NtRegisterThreadTerminatePort(>)  1 
NtOpenMutant(>)  3 
NtQueryDirectoryFile(>)  10 
NtUserRegisterClassExWOW(>)  63 

NtSecureConnectPort(>)  1 
NtSetInformationObject(>)  3 
NtUserSystemParametersInfo(>)  10 
NtUserGetClassInfo(>)  82 

NtSetSecurityObject(>)  1 
NtFsControlFile(>)  4 
NtFlushInstructionCache(>)  11 
NtMapViewOfSection(>)  84 

NtTestAlert(>)  1 
NtOpenThreadToken(>)  4 
NtQueryInformationFile(>)  13 
NtProtectVirtualMemory(>)  99 

NtUserCallNoParam(>)  1 
NtQueryVirtualMemory(>)  4 
NtQueryInformationProcess(>)  14 
NtOpenKey(>)  108 

NtUserCallOneParam(>)  1 
NtReleaseMutant(>)  4 
NtQueryDebugFilterState(>)  15 
NtUserQueryWindow(>)  156 

NtUserGetDC(>)  1 
NtUserBuildHwndList(>)  4 
NtQueryDefaultLocale(>)  15 
NtClose(>)  201 


Trace:
 00001   448   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002   448   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00003   448   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00004   448   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1376256, 1048576, ) == 0x0
 00005   448   NtAllocateVirtualMemory  (-1, 1376256, 0, 4096, 4096, 4, ... 1376256, 4096, ) == 0x0
 00006   448   NtAllocateVirtualMemory  (-1, 1380352, 0, 8192, 4096, 4, ... 1380352, 8192, ) == 0x0
 00007   448   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00008   448   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2424832, 65536, ) == 0x0
 00009   448   NtAllocateVirtualMemory  (-1, 2424832, 0, 24576, 4096, 4, ... 2424832, 24576, ) == 0x0
 00010   448   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00011   448   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00012   448   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00013   448   NtClose  (12, ... ) == 0x0
 00014   448   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00015   448   NtQueryVolumeInformationFile  (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00016   448   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER
 00017   448   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018   448   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019   448   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0
 00020   448   NtClose  (16, ... ) == 0x0
 00021   448   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00022   448   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00023   448   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00024   448   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1385272, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2490368, 18481152}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1385272, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2490368, 18481152}, {0, 0, 0}, 200, 44, ) == 0x0
 00025   448   NtClose  (16, ... ) == 0x0
 00026   448   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00027   448   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00028   448   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00029   448   NtQueryVirtualMemory  (-1, 0x260000, Basic, 28, ... {BaseAddress=0x260000,AllocationBase=0x260000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00030   448   NtAllocateVirtualMemory  (-1, 2490368, 0, 4096, 4096, 4, ... 2490368, 4096, ) == 0x0
 00031   448   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" ... {28, 56, reply, 0, 428, 448, 1507, 0} "\20>\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" )  ... {28, 56, reply, 0, 428, 448, 1507, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" ... {28, 56, reply, 0, 428, 448, 1507, 0} "\20>\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" )  ) == 0x0
 00032   448   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00033   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00034   448   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00035   448   NtClose  (16, ... ) == 0x0
 00036   448   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00037   448   NtOpenMutant  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0
 00038   448   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 28, ) == 0x0
 00039   448   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x270000), 0x0, 90112, ) == 0x0
 00040   448   NtClose  (28, ... ) == 0x0
 00041   448   NtQueryDefaultLocale  (0, 2012046252, ... ) == 0x0
 00042   448   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0
 00043   448   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x290000), 0x0, 212992, ) == 0x0
 00044   448   NtClose  (28, ... ) == 0x0
 00045   448   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0
 00046   448   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2d0000), 0x0, 266240, ) == 0x0
 00047   448   NtQuerySection  (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00048   448   NtClose  (28, ... ) == 0x0
 00049   448   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0
 00050   448   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x320000), 0x0, 24576, ) == 0x0
 00051   448   NtClose  (28, ... ) == 0x0
 00052   448   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00053   448   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00054   448   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00055   448   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" ... {28, 56, reply, 0, 428, 448, 1510, 0} "(\261\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" )  ... {28, 56, reply, 0, 428, 448, 1510, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" ... {28, 56, reply, 0, 428, 448, 1510, 0} "(\261\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" )  ) == 0x0
 00056   448   NtProtectVirtualMemory  (-1, (0x45d000), 204800, 4, ... (0x45d000), 204800, 128, ) == 0x0
 00057   448   NtProtectVirtualMemory  (-1, (0x45d000), 204800, 128, ... (0x45d000), 204800, 4, ) == 0x0
 00058   448   NtFlushInstructionCache  (-1, 4575232, 204800, ... ) == 0x0
 00059   448   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "user32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00060   448   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0
 00061   448   NtClose  (28, ... ) == 0x0
 00062   448   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00063   448   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0
 00064   448   NtClose  (28, ... ) == 0x0
 00065   448   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00066   448   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0
 00067   448   NtClose  (28, ... ) == 0x0
 00068   448   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00069   448   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0
 00070   448   NtClose  (28, ... ) == 0x0
 00071   448   NtProtectVirtualMemory  (-1, (0x45d000), 204800, 4, ... (0x45d000), 204800, 64, ) == 0x0
 00072   448   NtProtectVirtualMemory  (-1, (0x45d000), 204800, 64, ... (0x45d000), 204800, 4, ) == 0x0
 00073   448   NtFlushInstructionCache  (-1, 4575232, 204800, ... ) == 0x0
 00074   448   NtOpenProcessToken  (-1, 0x8, ... 28, ) == 0x0
 00075   448   NtQueryInformationToken  (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00076   448   NtClose  (28, ... ) == 0x0
 00077   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00078   448   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00079   448   NtClose  (28, ... ) == 0x0
 00080   448   NtAllocateVirtualMemory  (-1, 1388544, 0, 4096, 4096, 4, ... 1388544, 4096, ) == 0x0
 00081   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00082   448   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00083   448   NtQueryValueKey  (28,  (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00084   448   NtClose  (28, ... ) == 0x0
 00085   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0
 00086   448   NtQueryValueKey  (28,  (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00087   448   NtClose  (28, ... ) == 0x0
 00088   448   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0
 00089   448   NtSetInformationObject  (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0
 00090   448   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00091   448   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00092   448   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0}  (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0} "\210\6\32\1\0\0\0\0\314\4\23\0!\215\30\34\3\0\0\0\234\6\32\1$\1\0\0" ... {28, 56, reply, 0, 428, 448, 1515, 0} "XQ\26\0\0\0\0\0\0\0\0\0!\215\30\34\3\0\0\0\234\6\32\1$\1\0\0" )  ... {28, 56, reply, 0, 428, 448, 1515, 0}  (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0} "\210\6\32\1\0\0\0\0\314\4\23\0!\215\30\34\3\0\0\0\234\6\32\1$\1\0\0" ... {28, 56, reply, 0, 428, 448, 1515, 0} "XQ\26\0\0\0\0\0\0\0\0\0!\215\30\34\3\0\0\0\234\6\32\1$\1\0\0" )  ) == 0x0
 00093   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00094   448   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x4a0000), 0x0, 1060864, ) == 0x0
 00095   448   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 36, ) == 0x0
 00096   448   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00097   448   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482060, ) == 0x0
 00098   448   NtQueryInformationToken  (-2147482060, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00099   448   NtQueryInformationToken  (-2147482060, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00100   448   NtClose  (-2147482060, ... ) == 0x0
 00101   448   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 5963776, 4096, ) == 0x0
 00102   448   NtFreeVirtualMemory  (-1, (0x5b0000), 4096, 32768, ... (0x5b0000), 4096, ) == 0x0
 00103   448   NtDuplicateObject  (-1, 40, -1, 0x0, 0, 2, ... 48, ) == 0x0
 00104   448   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482060, ) }, ... -2147482060, ) == 0x0
 00105   448   NtQueryValueKey  (-2147482060,  (-2147482060, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00106   448   NtClose  (-2147482060, ... ) == 0x0
 00107   448   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482060, ) }, ... -2147482060, ) == 0x0
 00108   448   NtQueryValueKey  (-2147482060,  (-2147482060, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00109   448   NtClose  (-2147482060, ... ) == 0x0
 00110   448   NtQueryDefaultLocale  (0, -133690868, ... ) == 0x0
 00111   448   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00112   448   NtUserCallNoParam  (24, ... ) == 0x0
 00113   448   NtGdiCreateCompatibleDC  (0, ...
 00114   448   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 5963776, 4096, ) == 0x0
 00113   448   NtGdiCreateCompatibleDC  ... ) == 0x1d010431
 00115   448   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00116   448   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00117   448   NtGdiCreateBitmap  (8, 8, 1, 1, 2010393708, ... ) == 0x18050439
 00118   448   NtGdiCreateSolidBrush  (0, 0, ...
 00119   448   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 9175040, 4096, ) == 0x0
 00118   448   NtGdiCreateSolidBrush  ... ) == 0x27100436
 00120   448   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00121   448   NtGdiCreateCompatibleDC  (0, ... ) == 0x1901043c
 00122   448   NtGdiSelectBitmap  (419497020, 402981945, ... ) == 0x185000f
 00123   448   NtUserGetThreadDesktop  (448, 0, ... ) == 0x2c
 00124   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 52, ) }, ... 52, ) == 0x0
 00125   448   NtQueryValueKey  (52,  (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00126   448   NtClose  (52, ... ) == 0x0
 00127   448   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00128   448   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 673, 128, 0, ... ) == 0x810cc017
 00129   448   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00130   448   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 674, 128, 0, ... ) == 0x810cc01c
 00131   448   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00132   448   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 675, 128, 0, ... ) == 0x810cc01e
 00133   448   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00134   448   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 676, 128, 0, ... ) == 0x810c8002
 00135   448   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10013
 00136   448   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 677, 128, 0, ... ) == 0x810cc018
 00137   448   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00138   448   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 678, 128, 0, ... ) == 0x810cc01a
 00139   448   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00140   448   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 679, 128, 0, ... ) == 0x810cc01d
 00141   448   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00142   448   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 681, 128, 0, ... ) == 0x810cc026
 00143   448   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00144   448   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 680, 128, 0, ... ) == 0x810cc019
 00145   448   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810cc020
 00146   448   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810cc022
 00147   448   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810cc023
 00148   448   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810cc024
 00149   448   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ...
 00150   448   NtAllocateVirtualMemory  (-1, 6139904, 0, 4096, 4096, 32, ... 6139904, 4096, ) == 0x0
 00149   448   NtUserRegisterClassExWOW  ... ) == 0x810cc025
 00151   448   NtCallbackReturn  (0, 0, 0, ...
 00152   448   NtGdiInit  (... ) == 0x1
 00153   448   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00154   448   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00155   448   NtAllocateVirtualMemory  (-1, 0, 0, 17506, 4096, 4, ... 9240576, 20480, ) == 0x0
 00156   448   NtFreeVirtualMemory  (-1, (0x8d0000), 0, 32768, ... (0x8d0000), 20480, ) == 0x0
 00157   448   NtQueryVirtualMemory  (-1, 0x401000, Basic, 52, ... {BaseAddress=0x401000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0x23000,State=0x1000,Protect=0x80,Type=0x1000000,}, 28, ) == 0x0
 00158   448   NtQueryVirtualMemory  (-1, 0x45754c, Basic, 28, ... {BaseAddress=0x457000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0x6000,State=0x1000,Protect=0x4,Type=0x1000000,}, 28, ) == 0x0
 00159   448   NtAllocateVirtualMemory  (-1, 1392640, 0, 4096, 4096, 4, ... 1392640, 4096, ) == 0x0
 00160   448   NtProtectVirtualMemory  (-1, (0x4001f0), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00161   448   NtProtectVirtualMemory  (-1, (0x4001f0), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00162   448   NtProtectVirtualMemory  (-1, (0x400218), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00163   448   NtProtectVirtualMemory  (-1, (0x400218), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00164   448   NtProtectVirtualMemory  (-1, (0x400240), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00165   448   NtProtectVirtualMemory  (-1, (0x400240), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00166   448   NtProtectVirtualMemory  (-1, (0x400268), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00167   448   NtProtectVirtualMemory  (-1, (0x400268), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00168   448   NtProtectVirtualMemory  (-1, (0x400290), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00169   448   NtProtectVirtualMemory  (-1, (0x400290), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00170   448   NtProtectVirtualMemory  (-1, (0x4002b8), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00171   448   NtProtectVirtualMemory  (-1, (0x4002b8), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00172   448   NtProtectVirtualMemory  (-1, (0x4002e0), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00173   448   NtProtectVirtualMemory  (-1, (0x4002e0), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00174   448   NtProtectVirtualMemory  (-1, (0x400308), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00175   448   NtProtectVirtualMemory  (-1, (0x400308), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00176   448   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00177   448   NtUserFindWindowEx  (0, 0,  (0, 0, "WispWindowClass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00178   448   NtUserBuildHwndList  (0, 0, 0, 0, 64, ... (0x3004c, 0x100dc, 0x100aa, 0x100a8, 0x100a6, 0x60036, 0x20062, 0x10080, 0x10074, 0x10068, 0x3004a, 0x10066, 0x3003c, 0x1009c, 0x1008c, 0x1007c, 0x10026, 0x200b2, 0x100d0, 0x100be, 0x100bc, 0x100ba, 0x100b8, 0x100b6, 0x100b4, 0x100b0, 0x100ae, 0x20060, 0x100cc, 0x100c2, 0x100c0, 0x100ac, 0x2005e, 0x1006c, 0x50050, 0x40054, 0x5004e, 0x1007e, 0x10076, 0x1, ), 40, ) == 0x0
 00179   448   NtUserQueryWindow  (196684, 0, ... ) == 0x768
 00180   448   NtUserQueryWindow  (196684, 1, ... ) == 0x778
 00181   448   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {1896, 0}, ... 52, ) == 0x0
 00182   448   NtReadVirtualMemory  (52, 0x400000, 64, ...  (52, 0x400000, 64, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 64, ) , 64, ) == 0x0
 00183   448   NtReadVirtualMemory  (52, 0x4b1c86, 4, ...
 00184   448   NtContinue  (-133694308, 0, ...
 00183   448   NtReadVirtualMemory  ... ) == STATUS_PARTIAL_COPY
 00185   448   NtReadVirtualMemory  (52, 0x4c91a0, 256, ...
 00186   448   NtContinue  (-133694308, 0, ...
 00185   448   NtReadVirtualMemory  ... ) == STATUS_PARTIAL_COPY
 00187   448   NtClose  (52, ... ) == 0x0
 00188   448   NtUserQueryWindow  (65756, 0, ... ) == 0x768
 00189   448   NtUserQueryWindow  (65756, 1, ... ) == 0x778
 00190   448   NtUserQueryWindow  (65706, 0, ... ) == 0x7d8
 00191   448   NtUserQueryWindow  (65706, 1, ... ) == 0x7dc
 00192   448   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {2008, 0}, ... 52, ) == 0x0
 00193   448   NtReadVirtualMemory  (52, 0x400000, 64, ...  (52, 0x400000, 64, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \1\0\0", 64, ) , 64, ) == 0x0
 00194   448   NtReadVirtualMemory  (52, 0x4b1c86, 4, ...  (52, 0x4b1c86, 4, ... "\0\0\0\0", 4, ) , 4, ) == 0x0
 00195   448   NtReadVirtualMemory  (52, 0x4c91a0, 256, ...  (52, 0x4c91a0, 256, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, ) , 256, ) == 0x0
 00196   448   NtClose  (52, ... ) == 0x0
 00197   448   NtUserQueryWindow  (65704, 0, ... ) == 0x7d8
 00198   448   NtUserQueryWindow  (65704, 1, ... ) == 0x7dc
 00199   448   NtUserQueryWindow  (65702, 0, ... ) == 0x7d8
 00200   448   NtUserQueryWindow  (65702, 1, ... ) == 0x7dc
 00201   448   NtUserQueryWindow  (393270, 0, ... ) == 0x7d8
 00202   448   NtUserQueryWindow  (393270, 1, ... ) == 0x7dc
 00203   448   NtUserQueryWindow  (131170, 0, ... ) == 0x768
 00204   448   NtUserQueryWindow  (131170, 1, ... ) == 0x778
 00205   448   NtUserQueryWindow  (65664, 0, ... ) == 0x768
 00206   448   NtUserQueryWindow  (65664, 1, ... ) == 0x778
 00207   448   NtUserQueryWindow  (65652, 0, ... ) == 0x768
 00208   448   NtUserQueryWindow  (65652, 1, ... ) == 0x778
 00209   448   NtUserQueryWindow  (65640, 0, ... ) == 0x768
 00210   448   NtUserQueryWindow  (65640, 1, ... ) == 0x778
 00211   448   NtUserQueryWindow  (196682, 0, ... ) == 0x768
 00212   448   NtUserQueryWindow  (196682, 1, ... ) == 0x778
 00213   448   NtUserQueryWindow  (65638, 0, ... ) == 0x768
 00214   448   NtUserQueryWindow  (65638, 1, ... ) == 0x778
 00215   448   NtUserQueryWindow  (196668, 0, ... ) == 0x768
 00216   448   NtUserQueryWindow  (196668, 1, ... ) == 0x778
 00217   448   NtUserQueryWindow  (65692, 0, ... ) == 0x768
 00218   448   NtUserQueryWindow  (65692, 1, ... ) == 0x778
 00219   448   NtUserQueryWindow  (65676, 0, ... ) == 0x768
 00220   448   NtUserQueryWindow  (65676, 1, ... ) == 0x778
 00221   448   NtUserQueryWindow  (65660, 0, ... ) == 0x768
 00222   448   NtUserQueryWindow  (65660, 1, ... ) == 0x76c
 00223   448   NtUserQueryWindow  (65574, 0, ... ) == 0x268
 00224   448   NtUserQueryWindow  (65574, 1, ... ) == 0x2c4
 00225   448   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {616, 0}, ... 52, ) == 0x0
 00226   448   NtReadVirtualMemory  (52, 0x400000, 64, ...  (52, 0x400000, 64, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 64, ) , 64, ) == 0x0
 00227   448   NtReadVirtualMemory  (52, 0x4b1c86, 4, ...  (52, 0x4b1c86, 4, ... "\0\0\0\0", 4, ) , 4, ) == 0x0
 00228   448   NtReadVirtualMemory  (52, 0x4c91a0, 256, ...  (52, 0x4c91a0, 256, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, ) , 256, ) == 0x0
 00229   448   NtClose  (52, ... ) == 0x0
 00230   448   NtUserQueryWindow  (131250, 0, ... ) == 0x10c
 00231   448   NtUserQueryWindow  (131250, 1, ... ) == 0x110
 00232   448   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {268, 0}, ... 52, ) == 0x0
 00233   448   NtReadVirtualMemory  (52, 0x400000, 64, ...  (52, 0x400000, 64, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 64, ) , 64, ) == 0x0
 00234   448   NtReadVirtualMemory  (52, 0x4b1c86, 4, ...
 00235   448   NtContinue  (-133694308, 0, ...
 00234   448   NtReadVirtualMemory  ... ) == STATUS_PARTIAL_COPY
 00236   448   NtReadVirtualMemory  (52, 0x4c91a0, 256, ...
 00237   448   NtContinue  (-133694308, 0, ...
 00236   448   NtReadVirtualMemory  ... ) == STATUS_PARTIAL_COPY
 00238   448   NtClose  (52, ... ) == 0x0
 00239   448   NtUserQueryWindow  (65744, 0, ... ) == 0x10c
 00240   448   NtUserQueryWindow  (65744, 1, ... ) == 0x110
 00241   448   NtUserQueryWindow  (65726, 0, ... ) == 0x7e0
 00242   448   NtUserQueryWindow  (65726, 1, ... ) == 0x7e4
 00243   448   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {2016, 0}, ... 52, ) == 0x0
 00244   448   NtReadVirtualMemory  (52, 0x400000, 64, ...  (52, 0x400000, 64, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\0", 64, ) , 64, ) == 0x0
 00245   448   NtReadVirtualMemory  (52, 0x4b1c86, 4, ...  (52, 0x4b1c86, 4, ... "\377\0\377\377", 4, ) , 4, ) == 0x0
 00246   448   NtReadVirtualMemory  (52, 0x4c91a0, 256, ...  (52, 0x4c91a0, 256, ... "\210fvx\210x\206wfvGe$\306d\21\26\210ls\210\210\250g\207\210hhx\207xhvwdfF|d\21\27\210\206hx\250\252\206\210\207v\207\210x\207\207gfv4F\306G\21\21\210\206\207\210\212\250\250h\210\207x\210\210wvwgFD$d!\21\21x\250g\210\212\252\250\206\210\207w\210\207\207wvvgBGd\21\21\21\210\212\203\210\250\252\212\210x\210w\210\210xwgcd%F\1\21\21\21\27\212\250\210\212\252\252\210f\210\207x\210\207w7fR@`\21\21\21\21\21\210\2508\212\252\250\250\210gw\21088vvu$$!\21\21\21\21\21\30\210\210\210\212\252\210\206vgw\210\203wsb`\7\21\21\21\21\21\21\21\210\203\210\210\210\210\207vvwwwsf4\7\21\21\21\21\21\21\21\21\30\210\210\210\210\210wGwvwww5\2\21\21\21\21\21\21", 256, ) , 256, ) == 0x0
 00247   448   NtClose  (52, ... ) == 0x0
 00248   448   NtUserQueryWindow  (65724, 0, ... ) == 0x7e0
 00249   448   NtUserQueryWindow  (65724, 1, ... ) == 0x7e4
 00250   448   NtUserQueryWindow  (65722, 0, ... ) == 0x7e0
 00251   448   NtUserQueryWindow  (65722, 1, ... ) == 0x7e4
 00252   448   NtUserQueryWindow  (65720, 0, ... ) == 0x7e0
 00253   448   NtUserQueryWindow  (65720, 1, ... ) == 0x7e4
 00254   448   NtUserQueryWindow  (65718, 0, ... ) == 0x7e0
 00255   448   NtUserQueryWindow  (65718, 1, ... ) == 0x7e4
 00256   448   NtUserQueryWindow  (65716, 0, ... ) == 0x7e0
 00257   448   NtUserQueryWindow  (65716, 1, ... ) == 0x7e4
 00258   448   NtUserQueryWindow  (65712, 0, ... ) == 0x7e0
 00259   448   NtUserQueryWindow  (65712, 1, ... ) == 0x7e4
 00260   448   NtUserQueryWindow  (65710, 0, ... ) == 0x7e0
 00261   448   NtUserQueryWindow  (65710, 1, ... ) == 0x7e4
 00262   448   NtUserQueryWindow  (131168, 0, ... ) == 0x7ec
 00263   448   NtUserQueryWindow  (131168, 1, ... ) == 0x7f0
 00264   448   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {2028, 0}, ... 52, ) == 0x0
 00265   448   NtReadVirtualMemory  (52, 0x400000, 64, ...  (52, 0x400000, 64, ... "\301\0\0\0\0\1\0\0\377\356\377\356\11\0\0\0\11\0\0\0\0\376\0\0\0\0\20\0\0 \0\0\0\2\0\0\0 \0\0q\0\0\0\377\357\375\177\0\0\10\6\0\0\0\0\0\0\0\0\0\0\0\0", 64, ) , 64, ) == 0x0
 00266   448   NtReadVirtualMemory  (52, 0x4b1c86, 4, ...  (52, 0x4b1c86, 4, ... "\0\0\0\0", 4, ) , 4, ) == 0x0
 00267   448   NtReadVirtualMemory  (52, 0x4c91a0, 256, ...  (52, 0x4c91a0, 256, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, ) , 256, ) == 0x0
 00268   448   NtClose  (52, ... ) == 0x0
 00269   448   NtUserQueryWindow  (65740, 0, ... ) == 0x768
 00270   448   NtUserQueryWindow  (65740, 1, ... ) == 0x11c
 00271   448   NtUserQueryWindow  (65730, 0, ... ) == 0x768
 00272   448   NtUserQueryWindow  (65730, 1, ... ) == 0x11c
 00273   448   NtUserQueryWindow  (65728, 0, ... ) == 0x768
 00274   448   NtUserQueryWindow  (65728, 1, ... ) == 0x778
 00275   448   NtUserQueryWindow  (65708, 0, ... ) == 0x7d8
 00276   448   NtUserQueryWindow  (65708, 1, ... ) == 0x7dc
 00277   448   NtUserQueryWindow  (131166, 0, ... ) == 0x7d0
 00278   448   NtUserQueryWindow  (131166, 1, ... ) == 0x7d4
 00279   448   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {2000, 0}, ... 52, ) == 0x0
 00280   448   NtReadVirtualMemory  (52, 0x400000, 64, ...  (52, 0x400000, 64, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0", 64, ) , 64, ) == 0x0
 00281   448   NtReadVirtualMemory  (52, 0x4b1c86, 4, ...
 00282   448   NtContinue  (-133694308, 0, ...
 00281   448   NtReadVirtualMemory  ... ) == STATUS_PARTIAL_COPY
 00283   448   NtReadVirtualMemory  (52, 0x4c91a0, 256, ...
 00284   448   NtContinue  (-133694308, 0, ...
 00283   448   NtReadVirtualMemory  ... ) == STATUS_PARTIAL_COPY
 00285   448   NtClose  (52, ... ) == 0x0
 00286   448   NtUserQueryWindow  (65644, 0, ... ) == 0x768
 00287   448   NtUserQueryWindow  (65644, 1, ... ) == 0x7a8
 00288   448   NtUserQueryWindow  (327760, 0, ... ) == 0x768
 00289   448   NtUserQueryWindow  (327760, 1, ... ) == 0x76c
 00290   448   NtUserQueryWindow  (262228, 0, ... ) == 0x768
 00291   448   NtUserQueryWindow  (262228, 1, ... ) == 0x76c
 00292   448   NtUserQueryWindow  (327758, 0, ... ) == 0x768
 00293   448   NtUserQueryWindow  (327758, 1, ... ) == 0x76c
 00294   448   NtUserQueryWindow  (65662, 0, ... ) == 0x768
 00295   448   NtUserQueryWindow  (65662, 1, ... ) == 0x76c
 00296   448   NtUserQueryWindow  (65654, 0, ... ) == 0x768
 00297   448   NtUserQueryWindow  (65654, 1, ... ) == 0x76c
 00298   448   NtRaiseException  (1242696, 1241956, 1, ...
 00299   448   NtContinue  (1240752, 0, ...
 00300   448   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 52, ) }, ... 52, ) == 0x0
 00301   448   NtOpenMutant  (0x120001, {24, 52, 0x2, 0, 0,  (0x120001, {24, 52, 0x2, 0, 0, "DBWinMutex"}, ... 56, ) }, ... 56, ) == 0x0
 00302   448   NtWaitForSingleObject  (56, 0, 0x0, ... ) == 0x0
 00303   448   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00304   448   NtReleaseMutant  (56, ... 0x0, ) == 0x0
 00305   448   NtDuplicateObject  (-1, 3101, -1, 0x0, 0, 2, ... ) == STATUS_INVALID_HANDLE
 00306   448   NtClose  (0, ... ) == STATUS_INVALID_HANDLE
 00307   448   NtClose  (0, ... ) == STATUS_INVALID_HANDLE
 00308   448   NtUserBuildHwndList  (0, 0, 0, 0, 64, ... (0x3004c, 0x100dc, 0x100aa, 0x100a8, 0x100a6, 0x60036, 0x20062, 0x10080, 0x10074, 0x10068, 0x3004a, 0x10066, 0x3003c, 0x1009c, 0x1008c, 0x1007c, 0x10026, 0x200b2, 0x100d0, 0x100be, 0x100bc, 0x100ba, 0x100b8, 0x100b6, 0x100b4, 0x100b0, 0x100ae, 0x20060, 0x100cc, 0x100c2, 0x100c0, 0x100ac, 0x2005e, 0x1006c, 0x50050, 0x40054, 0x5004e, 0x1007e, 0x10076, 0x1, ), 40, ) == 0x0
 00309   448   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00310   448   NtUserFindWindowEx  (0, 0,  (0, 0, "WispWindowClass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00311   448   NtUserBuildHwndList  (0, 0, 0, 0, 64, ... (0x3004c, 0x100dc, 0x100aa, 0x100a8, 0x100a6, 0x60036, 0x20062, 0x10080, 0x10074, 0x10068, 0x3004a, 0x10066, 0x3003c, 0x1009c, 0x1008c, 0x1007c, 0x10026, 0x200b2, 0x100d0, 0x100be, 0x100bc, 0x100ba, 0x100b8, 0x100b6, 0x100b4, 0x100b0, 0x100ae, 0x20060, 0x100cc, 0x100c2, 0x100c0, 0x100ac, 0x2005e, 0x1006c, 0x50050, 0x40054, 0x5004e, 0x1007e, 0x10076, 0x1, ), 40, ) == 0x0
 00312   448   NtUserQueryWindow  (196684, 0, ... ) == 0x768
 00313   448   NtUserQueryWindow  (196684, 1, ... ) == 0x778
 00314   448   NtUserQueryWindow  (65756, 0, ... ) == 0x768
 00315   448   NtUserQueryWindow  (65756, 1, ... ) == 0x778
 00316   448   NtUserQueryWindow  (65706, 0, ... ) == 0x7d8
 00317   448   NtUserQueryWindow  (65706, 1, ... ) == 0x7dc
 00318   448   NtUserQueryWindow  (65704, 0, ... ) == 0x7d8
 00319   448   NtUserQueryWindow  (65704, 1, ... ) == 0x7dc
 00320   448   NtUserQueryWindow  (65702, 0, ... ) == 0x7d8
 00321   448   NtUserQueryWindow  (65702, 1, ... ) == 0x7dc
 00322   448   NtUserQueryWindow  (393270, 0, ... ) == 0x7d8
 00323   448   NtUserQueryWindow  (393270, 1, ... ) == 0x7dc
 00324   448   NtUserQueryWindow  (131170, 0, ... ) == 0x768
 00325   448   NtUserQueryWindow  (131170, 1, ... ) == 0x778
 00326   448   NtUserQueryWindow  (65664, 0, ... ) == 0x768
 00327   448   NtUserQueryWindow  (65664, 1, ... ) == 0x778
 00328   448   NtUserQueryWindow  (65652, 0, ... ) == 0x768
 00329   448   NtUserQueryWindow  (65652, 1, ... ) == 0x778
 00330   448   NtUserQueryWindow  (65640, 0, ... ) == 0x768
 00331   448   NtUserQueryWindow  (65640, 1, ... ) == 0x778
 00332   448   NtUserQueryWindow  (196682, 0, ... ) == 0x768
 00333   448   NtUserQueryWindow  (196682, 1, ... ) == 0x778
 00334   448   NtUserQueryWindow  (65638, 0, ... ) == 0x768
 00335   448   NtUserQueryWindow  (65638, 1, ... ) == 0x778
 00336   448   NtUserQueryWindow  (196668, 0, ... ) == 0x768
 00337   448   NtUserQueryWindow  (196668, 1, ... ) == 0x778
 00338   448   NtUserQueryWindow  (65692, 0, ... ) == 0x768
 00339   448   NtUserQueryWindow  (65692, 1, ... ) == 0x778
 00340   448   NtUserQueryWindow  (65676, 0, ... ) == 0x768
 00341   448   NtUserQueryWindow  (65676, 1, ... ) == 0x778
 00342   448   NtUserQueryWindow  (65660, 0, ... ) == 0x768
 00343   448   NtUserQueryWindow  (65660, 1, ... ) == 0x76c
 00344   448   NtUserQueryWindow  (65574, 0, ... ) == 0x268
 00345   448   NtUserQueryWindow  (65574, 1, ... ) == 0x2c4
 00346   448   NtUserQueryWindow  (131250, 0, ... ) == 0x10c
 00347   448   NtUserQueryWindow  (131250, 1, ... ) == 0x110
 00348   448   NtUserQueryWindow  (65744, 0, ... ) == 0x10c
 00349   448   NtUserQueryWindow  (65744, 1, ... ) == 0x110
 00350   448   NtUserQueryWindow  (65726, 0, ... ) == 0x7e0
 00351   448   NtUserQueryWindow  (65726, 1, ... ) == 0x7e4
 00352   448   NtUserQueryWindow  (65724, 0, ... ) == 0x7e0
 00353   448   NtUserQueryWindow  (65724, 1, ... ) == 0x7e4
 00354   448   NtUserQueryWindow  (65722, 0, ... ) == 0x7e0
 00355   448   NtUserQueryWindow  (65722, 1, ... ) == 0x7e4
 00356   448   NtUserQueryWindow  (65720, 0, ... ) == 0x7e0
 00357   448   NtUserQueryWindow  (65720, 1, ... ) == 0x7e4
 00358   448   NtUserQueryWindow  (65718, 0, ... ) == 0x7e0
 00359   448   NtUserQueryWindow  (65718, 1, ... ) == 0x7e4
 00360   448   NtUserQueryWindow  (65716, 0, ... ) == 0x7e0
 00361   448   NtUserQueryWindow  (65716, 1, ... ) == 0x7e4
 00362   448   NtUserQueryWindow  (65712, 0, ... ) == 0x7e0
 00363   448   NtUserQueryWindow  (65712, 1, ... ) == 0x7e4
 00364   448   NtUserQueryWindow  (65710, 0, ... ) == 0x7e0
 00365   448   NtUserQueryWindow  (65710, 1, ... ) == 0x7e4
 00366   448   NtUserQueryWindow  (131168, 0, ... ) == 0x7ec
 00367   448   NtUserQueryWindow  (131168, 1, ... ) == 0x7f0
 00368   448   NtUserQueryWindow  (65740, 0, ... ) == 0x768
 00369   448   NtUserQueryWindow  (65740, 1, ... ) == 0x11c
 00370   448   NtUserQueryWindow  (65730, 0, ... ) == 0x768
 00371   448   NtUserQueryWindow  (65730, 1, ... ) == 0x11c
 00372   448   NtUserQueryWindow  (65728, 0, ... ) == 0x768
 00373   448   NtUserQueryWindow  (65728, 1, ... ) == 0x778
 00374   448   NtUserQueryWindow  (65708, 0, ... ) == 0x7d8
 00375   448   NtUserQueryWindow  (65708, 1, ... ) == 0x7dc
 00376   448   NtUserQueryWindow  (131166, 0, ... ) == 0x7d0
 00377   448   NtUserQueryWindow  (131166, 1, ... ) == 0x7d4
 00378   448   NtUserQueryWindow  (65644, 0, ... ) == 0x768
 00379   448   NtUserQueryWindow  (65644, 1, ... ) == 0x7a8
 00380   448   NtUserQueryWindow  (327760, 0, ... ) == 0x768
 00381   448   NtUserQueryWindow  (327760, 1, ... ) == 0x76c
 00382   448   NtUserQueryWindow  (262228, 0, ... ) == 0x768
 00383   448   NtUserQueryWindow  (262228, 1, ... ) == 0x76c
 00384   448   NtUserQueryWindow  (327758, 0, ... ) == 0x768
 00385   448   NtUserQueryWindow  (327758, 1, ... ) == 0x76c
 00386   448   NtUserQueryWindow  (65662, 0, ... ) == 0x768
 00387   448   NtUserQueryWindow  (65662, 1, ... ) == 0x76c
 00388   448   NtUserQueryWindow  (65654, 0, ... ) == 0x768
 00389   448   NtUserQueryWindow  (65654, 1, ... ) == 0x76c
 00390   448   NtRaiseException  (1242640, 1241900, 1, ...
 00391   448   NtContinue  (1240696, 0, ...
 00392   448   NtWaitForSingleObject  (56, 0, 0x0, ... ) == 0x0
 00393   448   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00394   448   NtReleaseMutant  (56, ... 0x0, ) == 0x0
 00395   448   NtDuplicateObject  (-1, 3380, -1, 0x0, 0, 2, ... ) == STATUS_INVALID_HANDLE
 00396   448   NtClose  (0, ... ) == STATUS_INVALID_HANDLE
 00397   448   NtClose  (0, ... ) == STATUS_INVALID_HANDLE
 00398   448   NtUserBuildHwndList  (0, 0, 0, 0, 64, ... (0x3004c, 0x100dc, 0x100aa, 0x100a8, 0x100a6, 0x60036, 0x20062, 0x10080, 0x10074, 0x10068, 0x3004a, 0x10066, 0x3003c, 0x1009c, 0x1008c, 0x1007c, 0x10026, 0x200b2, 0x100d0, 0x100be, 0x100bc, 0x100ba, 0x100b8, 0x100b6, 0x100b4, 0x100b0, 0x100ae, 0x20060, 0x100cc, 0x100c2, 0x100c0, 0x100ac, 0x2005e, 0x1006c, 0x50050, 0x40054, 0x5004e, 0x1007e, 0x10076, 0x1, ), 40, ) == 0x0
 00399   448   NtSetSecurityObject  (-1, 4, {1, 0, 0x4, 0, 0, 0, 1242476}, ... ) == 0x0
 00400   448   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 60, ) }, ... 60, ) == 0x0
 00401   448   NtQueryValueKey  (60,  (60, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00402   448   NtClose  (60, ... ) == 0x0
 00403   448   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MPR.dll"}, ... 60, ) }, ... 60, ) == 0x0
 00404   448   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71b20000), 0x0, 69632, ) == 0x0
 00405   448   NtClose  (60, ... ) == 0x0
 00406   448   NtCreateSemaphore  (0x1f0003, 0x0, 1, 1, ... 60, ) == 0x0
 00407   448   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 64, ) == 0x0
 00408   448   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "system\CurrentControlSet\control\NetworkProvider\HwOrder"}, ... 68, ) }, ... 68, ) == 0x0
 00409   448   NtNotifyChangeKey  (68, 64, 0, 0, 2011390432, 4, 0, 0, 0, 1, ... ) == 0x103
 00410   448   NtQueryInformationProcess  (-1, 28, 4, ... {process info, class 28, size 4}, 0x0, ) == 0x0
 00411   448   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 72, ) == 0x0
 00412   448   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 76, ) == 0x0
 00413   448   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ODBC32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00414   448   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\ODBC32.dll"}, 1241484, ... ) }, 1241484, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00415   448   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "ODBC32.dll"}, 1241484, ... ) }, 1241484, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00416   448   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ODBC32.dll"}, 1241484, ... ) }, 1241484, ... ) == 0x0
 00417   448   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ODBC32.dll"}, 5, 96, ... 80, {status=0x0, info=1}, ) }, 5, 96, ... 80, {status=0x0, info=1}, ) == 0x0
 00418   448   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 80, ... 84, ) == 0x0
 00419   448   NtQuerySection  (84, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00420   448   NtOpenProcessToken  (-1, 0x8, ... 88, ) == 0x0
 00421   448   NtQueryInformationToken  (88, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00422   448   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00423   448   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 92, ) }, ... 92, ) == 0x0
 00424   448   NtQueryValueKey  (92,  (92, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (92, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00425   448   NtClose  (92, ... ) == 0x0
 00426   448   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00427   448   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 92, ) == 0x0
 00428   448   NtQueryInformationToken  (92, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00429   448   NtClose  (92, ... ) == 0x0
 00430   448   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00431   448   NtClose  (88, ... ) == 0x0
 00432   448   NtClose  (80, ... ) == 0x0
 00433   448   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x1f7b0000), 0x0, 200704, ) == 0x0
 00434   448   NtClose  (84, ... ) == 0x0
 00435   448   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "COMCTL32.dll"}, ... 84, ) }, ... 84, ) == 0x0
 00436   448   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0
 00437   448   NtClose  (84, ... ) == 0x0
 00438   448   NtProtectVirtualMemory  (-1, (0x1f7b1000), 724, 4, ... (0x1f7b1000), 4096, 32, ) == 0x0
 00439   448   NtProtectVirtualMemory  (-1, (0x1f7b1000), 4096, 32, ... (0x1f7b1000), 4096, 4, ) == 0x0
 00440   448   NtFlushInstructionCache  (-1, 528158720, 724, ... ) == 0x0
 00441   448   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "comdlg32.dll"}, ... 84, ) }, ... 84, ) == 0x0
 00442   448   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x763b0000), 0x0, 282624, ) == 0x0
 00443   448   NtClose  (84, ... ) == 0x0
 00444   448   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 84, ) }, ... 84, ) == 0x0
 00445   448   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x772d0000), 0x0, 405504, ) == 0x0
 00446   448   NtClose  (84, ... ) == 0x0
 00447   448   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 84, ) }, ... 84, ) == 0x0
 00448   448   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0
 00449   448   NtClose  (84, ... ) == 0x0
 00450   448   NtProtectVirtualMemory  (-1, (0x763b1000), 1536, 4, ... (0x763b1000), 4096, 32, ) == 0x0
 00451   448   NtProtectVirtualMemory  (-1, (0x763b1000), 4096, 32, ... (0x763b1000), 4096, 4, ) == 0x0
 00452   448   NtFlushInstructionCache  (-1, 1983582208, 1536, ... ) == 0x0
 00453   448   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHELL32.dll"}, ... 84, ) }, ... 84, ) == 0x0
 00454   448   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 8339456, ) == 0x0
 00455   448   NtClose  (84, ... ) == 0x0
 00456   448   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {428, 0}, ... 84, ) == 0x0
 00457   448   NtQueryInformationProcess  (84, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 00458   448   NtClose  (84, ... ) == 0x0
 00459   448   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00460   448   NtUserSystemParametersInfo  (104, 0, 2000318720, 0, ... ) == 0x1
 00461   448   NtUserSystemParametersInfo  (38, 4, 2000318708, 0, ... ) == 0x1
 00462   448   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00463   448   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 84, ) == 0x0
 00464   448   NtQueryInformationToken  (84, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00465   448   NtClose  (84, ... ) == 0x0
 00466   448   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 84, ) }, ... 84, ) == 0x0
 00467   448   NtSetInformationObject  (84, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 00468   448   NtOpenKey  (0x20019, {24, 84, 0x40, 0, 0,  (0x20019, {24, 84, 0x40, 0, 0, "Control Panel\Desktop"}, ... 80, ) }, ... 80, ) == 0x0
 00469   448   NtQueryValueKey  (80,  (80, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00470   448   NtClose  (80, ... ) == 0x0
 00471   448   NtUserSystemParametersInfo  (41, 500, 1241216, 0, ... ) == 0x1
 00472   448   NtUserSystemParametersInfo  (102, 0, 2000318732, 0, ... ) == 0x1
 00473   448   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00474   448   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00475   448   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810cc03b
 00476   448   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00477   448   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810cc03d
 00478   448   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00479   448   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00480   448   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810cc03f
 00481   448   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00482   448   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00483   448   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810cc041
 00484   448   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00485   448   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00486   448   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810cc043
 00487   448   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00488   448   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810cc045
 00489   448   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00490   448   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00491   448   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810cc047
 00492   448   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00493   448   NtUserFindExistingCursorIcon  (1241004, 1241020, 1241588, ... ) == 0x10011
 00494   448   NtUserRegisterClassExWOW  (1241456, 1241536, 1241520, 1241552, 0, 384, 0, ... ) == 0x810cc049
 00495   448   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00496   448   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00497   448   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810cc04b
 00498   448   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00499   448   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00500   448   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810cc04d
 00501   448   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00502   448   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00503   448   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810cc04f
 00504   448   NtUserGetClassInfo  (1999896576, 1241628, 1241580, 1241656, 0, ... ) == 0x0
 00505   448   NtUserRegisterClassExWOW  (1241464, 1241544, 1241528, 1241560, 0, 384, 0, ... ) == 0x810cc051
 00506   448   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00507   448   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00508   448   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810cc053
 00509   448   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00510   448   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00511   448   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810cc055
 00512   448   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810cc057
 00513   448   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00514   448   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00515   448   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810cc059
 00516   448   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00517   448   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10013
 00518   448   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810cc05b
 00519   448   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00520   448   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00521   448   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810cc05d
 00522   448   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00523   448   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00524   448   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810cc05f
 00525   448   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00526   448   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 9240576, 65536, ) == 0x0
 00527   448   NtAllocateVirtualMemory  (-1, 9240576, 0, 4096, 4096, 4, ... 9240576, 4096, ) == 0x0
 00528   448   NtAllocateVirtualMemory  (-1, 9244672, 0, 8192, 4096, 4, ... 9244672, 8192, ) == 0x0
 00529   448   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 80, ) }, ... 80, ) == 0x0
 00530   448   NtMapViewOfSection  (80, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x8e0000), 0x0, 12288, ) == 0x0
 00531   448   NtClose  (80, ... ) == 0x0
 00532   448   NtAllocateVirtualMemory  (-1, 9252864, 0, 4096, 4096, 4, ... 9252864, 4096, ) == 0x0
 00533   448   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00534   448   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 80, ) }, ... 80, ) == 0x0
 00535   448   NtQueryValueKey  (80,  (80, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00536   448   NtClose  (80, ... ) == 0x0
 00537   448   NtQueryDefaultUILanguage  (1239840, ...
 00538   448   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00539   448   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482060, ) == 0x0
 00540   448   NtQueryInformationToken  (-2147482060, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00541   448   NtClose  (-2147482060, ... ) == 0x0
 00542   448   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482060, ) }, ... -2147482060, ) == 0x0
 00543   448   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00544   448   NtOpenKey  (0x80000000, {24, -2147482060, 0x640, 0, 0,  (0x80000000, {24, -2147482060, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482072, ) }, ... -2147482072, ) == 0x0
 00545   448   NtQueryValueKey  (-2147482072,  (-2147482072, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00546   448   NtClose  (-2147482072, ... ) == 0x0
 00547   448   NtClose  (-2147482060, ... ) == 0x0
 00537   448   NtQueryDefaultUILanguage  ... ) == 0x0
 00548   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00549   448   NtQueryInstallUILanguage  (2012047340, ... ) == 0x0
 00550   448   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1, 96, ... 80, {status=0x0, info=1}, ) }, 1, 96, ... 80, {status=0x0, info=1}, ) == 0x0
 00551   448   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 80, ... 88, ) == 0x0
 00552   448   NtMapViewOfSection  (88, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x8f0000), 0x0, 8323072, ) == 0x0
 00553   448   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00554   448   NtQueryDefaultUILanguage  (2013024600, ...
 00555   448   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00556   448   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482060, ) == 0x0
 00557   448   NtQueryInformationToken  (-2147482060, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00558   448   NtClose  (-2147482060, ... ) == 0x0
 00559   448   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482060, ) }, ... -2147482060, ) == 0x0
 00560   448   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00561   448   NtOpenKey  (0x80000000, {24, -2147482060, 0x640, 0, 0,  (0x80000000, {24, -2147482060, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482072, ) }, ... -2147482072, ) == 0x0
 00562   448   NtQueryValueKey  (-2147482072,  (-2147482072, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00563   448   NtClose  (-2147482072, ... ) == 0x0
 00564   448   NtClose  (-2147482060, ... ) == 0x0
 00554   448   NtQueryDefaultUILanguage  ... ) == 0x0
 00565   448   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00566   448   NtQueryInstallUILanguage  (2013024602, ... ) == 0x0
 00567   448   NtQueryDefaultLocale  (1, 1237876, ... ) == 0x0
 00568   448   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00569   448   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1238732, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1238732, 1, 96, 0} "\210\6\32\1\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1P\0\0\0\377\377\377\377\0\0\0\0\20\311\306\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\314\355\22\0\0\0\0\0" ... {128, 156, reply, 0, 428, 448, 1522, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1P\0\0\0\377\377\377\377\0\0\0\0\20\311\306\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\314\355\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 428, 448, 1522, 0}  (24, {128, 156, new_msg, 0, 1238732, 1, 96, 0} "\210\6\32\1\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1P\0\0\0\377\377\377\377\0\0\0\0\20\311\306\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\314\355\22\0\0\0\0\0" ... {128, 156, reply, 0, 428, 448, 1522, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1P\0\0\0\377\377\377\377\0\0\0\0\20\311\306\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\314\355\22\0\0\0\0\0" )  ) == 0x0
 00570   448   NtClose  (80, ... ) == 0x0
 00571   448   NtClose  (88, ... ) == 0x0
 00572   448   NtUnmapViewOfSection  (-1, 0x8f0000, ... ) == 0x0
 00573   448   NtUnmapViewOfSection  (-1, 0x12edcc, ... ) == STATUS_NOT_MAPPED_VIEW
 00574   448   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00575   448   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00576   448   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00577   448   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00578   448   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1236960, ... ) }, 1236960, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00579   448   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00580   448   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00581   448   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00582   448   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1237552, ... ) }, 1237552, ... ) == 0x0
 00583   448   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 88, {status=0x0, info=1}, ) }, 3, 33, ... 88, {status=0x0, info=1}, ) == 0x0
 00584   448   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00585   448   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 80, {status=0x0, info=1}, ) }, 5, 96, ... 80, {status=0x0, info=1}, ) == 0x0
 00586   448   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 80, ... 92, ) == 0x0
 00587   448   NtClose  (80, ... ) == 0x0
 00588   448   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x8f0000), 0x0, 921600, ) == 0x0
 00589   448   NtClose  (92, ... ) == 0x0
 00590   448   NtUnmapViewOfSection  (-1, 0x8f0000, ... ) == 0x0
 00591   448   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 92, {status=0x0, info=1}, ) }, 5, 96, ... 92, {status=0x0, info=1}, ) == 0x0
 00592   448   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 92, ... 80, ) == 0x0
 00593   448   NtQuerySection  (80, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00594   448   NtClose  (92, ... ) == 0x0
 00595   448   NtMapViewOfSection  (80, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0
 00596   448   NtClose  (80, ... ) == 0x0
 00597   448   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00598   448   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00599   448   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00600   448   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00601   448   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00602   448   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00603   448   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00604   448   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00605   448   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00606   448   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00607   448   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00608   448   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00609   448   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00610   448   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00611   448   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00612   448   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00613   448   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00614   448   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00615   448   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00616   448   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00617   448   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00618   448   NtAddAtom  ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1238736, ... ) , 42, 1238736, ... ) == 0x0
 00619   448   NtQueryDefaultUILanguage  (1237452, ...
 00620   448   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00621   448   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482060, ) == 0x0
 00622   448   NtQueryInformationToken  (-2147482060, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00623   448   NtClose  (-2147482060, ... ) == 0x0
 00624   448   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482060, ) }, ... -2147482060, ) == 0x0
 00625   448   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00626   448   NtOpenKey  (0x80000000, {24, -2147482060, 0x640, 0, 0,  (0x80000000, {24, -2147482060, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482072, ) }, ... -2147482072, ) == 0x0
 00627   448   NtQueryValueKey  (-2147482072,  (-2147482072, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00628   448   NtClose  (-2147482072, ... ) == 0x0
 00629   448   NtClose  (-2147482060, ... ) == 0x0
 00619   448   NtQueryDefaultUILanguage  ... ) == 0x0
 00630   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00631   448   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1236304, ... ) }, 1236304, ... ) == 0x0
 00632   448   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 80, {status=0x0, info=1}, ) }, 5, 96, ... 80, {status=0x0, info=1}, ) == 0x0
 00633   448   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 80, ... 92, ) == 0x0
 00634   448   NtClose  (80, ... ) == 0x0
 00635   448   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x8f0000), 0x0, 4096, ) == 0x0
 00636   448   NtClose  (92, ... ) == 0x0
 00637   448   NtUnmapViewOfSection  (-1, 0x8f0000, ... ) == 0x0
 00638   448   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1235944, ... ) }, 1235944, ... ) == 0x0
 00639   448   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1236644,  (0x80100080, {24, 0, 0x40, 0, 1236644, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 92, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 92, {status=0x0, info=1}, ) == 0x0
 00640   448   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 92, ... 80, ) == 0x0
 00641   448   NtClose  (92, ... ) == 0x0
 00642   448   NtMapViewOfSection  (80, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x8f0000), {0, 0}, 4096, ) == 0x0
 00643   448   NtClose  (80, ... ) == 0x0
 00644   448   NtUnmapViewOfSection  (-1, 0x8f0000, ... ) == 0x0
 00645   448   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 80, {status=0x0, info=1}, ) }, 1, 96, ... 80, {status=0x0, info=1}, ) == 0x0
 00646   448   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 80, ... 92, ) == 0x0
 00647   448   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x8f0000), 0x0, 4096, ) == 0x0
 00648   448   NtQueryInformationFile  (80, 1236264, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0
 00649   448   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00650   448   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1236344, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1236344, 1, 96, 0} "\210\6\32\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\32\1P\0\0\0\\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\32\1\0\0\0\0\0\0\0\0x\344\22\0\0\0\0\0" ... {128, 156, reply, 0, 428, 448, 1523, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\32\1P\0\0\0\\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\32\1\0\0\0\0\0\0\0\0x\344\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 428, 448, 1523, 0}  (24, {128, 156, new_msg, 0, 1236344, 1, 96, 0} "\210\6\32\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\32\1P\0\0\0\\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\32\1\0\0\0\0\0\0\0\0x\344\22\0\0\0\0\0" ... {128, 156, reply, 0, 428, 448, 1523, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\32\1P\0\0\0\\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\32\1\0\0\0\0\0\0\0\0x\344\22\0\0\0\0\0" )  ) == 0x0
 00651   448   NtClose  (80, ... ) == 0x0
 00652   448   NtClose  (92, ... ) == 0x0
 00653   448   NtUnmapViewOfSection  (-1, 0x8f0000, ... ) == 0x0
 00654   448   NtUnmapViewOfSection  (-1, 0x12e478, ... ) == STATUS_NOT_MAPPED_VIEW
 00655   448   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00656   448   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00657   448   NtUserSystemParametersInfo  (104, 0, 1906151468, 0, ... ) == 0x1
 00658   448   NtUserGetDC  (0, ... ) == 0x1010050
 00659   448   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 00660   448   NtUserSystemParametersInfo  (38, 4, 1906153440, 0, ... ) == 0x1
 00661   448   NtUserSystemParametersInfo  (66, 12, 1238756, 0, ... ) == 0x1
 00662   448   NtOpenProcessToken  (-1, 0x8, ... 92, ) == 0x0
 00663   448   NtAccessCheck  (1393640, 92, 0x1, 1238160, 1238104, 56, 1238188, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 00664   448   NtClose  (92, ... ) == 0x0
 00665   448   NtOpenKey  (0x20019, {24, 84, 0x40, 0, 0,  (0x20019, {24, 84, 0x40, 0, 0, "Control Panel\Desktop"}, ... 92, ) }, ... 92, ) == 0x0
 00666   448   NtQueryValueKey  (92,  (92, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00667   448   NtClose  (92, ... ) == 0x0
 00668   448   NtUserSystemParametersInfo  (41, 500, 1238256, 0, ... ) == 0x1
 00669   448   NtAllocateVirtualMemory  (-1, 1396736, 0, 4096, 4096, 4, ... 1396736, 4096, ) == 0x0
 00670   448   NtOpenKey  (0x1, {24, 84, 0x40, 0, 0,  (0x1, {24, 84, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 92, ) }, ... 92, ) == 0x0
 00671   448   NtQueryValueKey  (92,  (92, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00672   448   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 80, ) }, ... 80, ) == 0x0
 00673   448   NtQueryValueKey  (80,  (80, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00674   448   NtClose  (80, ... ) == 0x0
 00675   448   NtClose  (92, ... ) == 0x0
 00676   448   NtUserSystemParametersInfo  (102, 0, 1906153328, 0, ... ) == 0x1
 00677   448   NtUserSystemParametersInfo  (4130, 0, 1238780, 0, ... ) == 0x1
 00678   448   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 92, ) }, ... 92, ) == 0x0
 00679   448   NtEnumerateValueKey  (92, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 00680   448   NtClose  (92, ... ) == 0x0
 00681   448   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00682   448   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810cc03b
 00683   448   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810cc03d
 00684   448   NtUserFindExistingCursorIcon  (1238060, 1238076, 1238644, ... ) == 0x10011
 00685   448   NtUserRegisterClassExWOW  (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810cc03f
 00686   448   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00687   448   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810cc041
 00688   448   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00689   448   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810cc043
 00690   448   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810cc045
 00691   448   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00692   448   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810cc047
 00693   448   NtUserFindExistingCursorIcon  (1238060, 1238076, 1238644, ... ) == 0x10011
 00694   448   NtUserRegisterClassExWOW  (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810cc049
 00695   448   NtUserGetClassInfo  (1905590272, 1238676, 1238628, 1238704, 0, ... ) == 0xc049
 00696   448   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00697   448   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ...
 00698   448   NtAllocateVirtualMemory  (-1, 6144000, 0, 4096, 4096, 32, ... 6144000, 4096, ) == 0x0
 00697   448   NtUserRegisterClassExWOW  ... ) == 0x810cc04b
 00699   448   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00700   448   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810cc04d
 00701   448   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00702   448   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810cc04f
 00703   448   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810cc051
 00704   448   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00705   448   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810cc053
 00706   448   NtUserFindExistingCursorIcon  (1238060, 1238076, 1238644, ... ) == 0x10011
 00707   448   NtUserRegisterClassExWOW  (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810cc055
 00708   448   NtUserRegisterClassExWOW  (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810cc057
 00709   448   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00710   448   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810cc059
 00711   448   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10013
 00712   448   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810cc05b
 00713   448   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00714   448   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810cc05d
 00715   448   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00716   448   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810cc05f
 00717   448   NtUserFindExistingCursorIcon  (1238060, 1238076, 1238644, ... ) == 0x10011
 00718   448   NtUserRegisterClassExWOW  (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810cc017
 00719   448   NtUserFindExistingCursorIcon  (1238060, 1238076, 1238644, ... ) == 0x10011
 00720   448   NtUserRegisterClassExWOW  (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810cc019
 00721   448   NtUserFindExistingCursorIcon  (1238060, 1238076, 1238644, ... ) == 0x10013
 00722   448   NtUserRegisterClassExWOW  (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810cc018
 00723   448   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00724   448   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810cc01a
 00725   448   NtUserFindExistingCursorIcon  (1238060, 1238076, 1238644, ... ) == 0x10011
 00726   448   NtUserRegisterClassExWOW  (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810cc01c
 00727   448   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00728   448   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810cc01e
 00729   448   NtUserFindExistingCursorIcon  (1238060, 1238076, 1238644, ... ) == 0x10011
 00730   448   NtUserRegisterClassExWOW  (1238572, 1238652, 1238636, 1238668, 0, 384, 0, ... ) == 0x810cc01b
 00731   448   NtUserFindExistingCursorIcon  (1238056, 1238072, 1238640, ... ) == 0x10011
 00732   448   NtUserRegisterClassExWOW  (1238568, 1238648, 1238632, 1238664, 0, 384, 0, ... ) == 0x810cc068
 00733   448   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00734   448   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810cc06a
 00735   448   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc03b
 00736   448   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc03d
 00737   448   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc03f
 00738   448   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc041
 00739   448   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc043
 00740   448   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc045
 00741   448   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc047
 00742   448   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc049
 00743   448   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc04b
 00744   448   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc04d
 00745   448   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc04f
 00746   448   NtUserGetClassInfo  (1999896576, 1241580, 1241532, 1241608, 0, ... ) == 0xc051
 00747   448   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc053
 00748   448   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc055
 00749   448   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc059
 00750   448   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc05b
 00751   448   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc05d
 00752   448   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc05f
 00753   448   NtUserRegisterWindowMessage  ( ("WOWLFChange", ... ) , ... ) == 0xc06b
 00754   448   NtUserRegisterWindowMessage  ( ("WOWDirChange", ... ) , ... ) == 0xc06c
 00755   448   NtUserRegisterWindowMessage  ( ("WOWCHOOSEFONT_GETLOGFONT", ... ) , ... ) == 0xc06d
 00756   448   NtUserRegisterWindowMessage  ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06e
 00757   448   NtUserRegisterWindowMessage  ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc06f
 00758   448   NtUserRegisterWindowMessage  ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc070
 00759   448   NtUserRegisterWindowMessage  ( ("commdlg_ColorOK", ... ) , ... ) == 0xc071
 00760   448   NtUserRegisterWindowMessage  ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc072
 00761   448   NtUserRegisterWindowMessage  ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06e
 00762   448   NtUserRegisterWindowMessage  ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc06f
 00763   448   NtUserRegisterWindowMessage  ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc070
 00764   448   NtUserRegisterWindowMessage  ( ("commdlg_ColorOK", ... ) , ... ) == 0xc071
 00765   448   NtUserRegisterWindowMessage  ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc072
 00766   448   NtUserRegisterWindowMessage  ( ("Shell IDList Array", ... ) , ... ) == 0xc073
 00767   448   NtUserRegisterWindowMessage  ( ("commdlg_help", ... ) , ... ) == 0xc074
 00768   448   NtUserRegisterWindowMessage  ( ("commdlg_help", ... ) , ... ) == 0xc074
 00769   448   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\MDAC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00770   448   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00771   448   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00772   448   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00773   448   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 9502720, 262144, ) == 0x0
 00774   448   NtAllocateVirtualMemory  (-1, 9502720, 0, 4096, 4096, 4, ... 9502720, 4096, ) == 0x0
 00775   448   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00776   448   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 9764864, 262144, ) == 0x0
 00777   448   NtAllocateVirtualMemory  (-1, 9764864, 0, 4096, 4096, 4, ... 9764864, 4096, ) == 0x0
 00778   448   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00779   448   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 10027008, 262144, ) == 0x0
 00780   448   NtAllocateVirtualMemory  (-1, 10027008, 0, 4096, 4096, 4, ... 10027008, 4096, ) == 0x0
 00781   448   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00782   448   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 10289152, 262144, ) == 0x0
 00783   448   NtAllocateVirtualMemory  (-1, 10289152, 0, 4096, 4096, 4, ... 10289152, 4096, ) == 0x0
 00784   448   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00785   448   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00786   448   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00787   448   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00788   448   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 1237456, ... ) }, 1237456, ... ) == 0x0
 00789   448   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 5, 96, ... 92, {status=0x0, info=1}, ) }, 5, 96, ... 92, {status=0x0, info=1}, ) == 0x0
 00790   448   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 92, ... 80, ) == 0x0
 00791   448   NtClose  (92, ... ) == 0x0
 00792   448   NtMapViewOfSection  (80, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa10000), 0x0, 90112, ) == 0x0
 00793   448   NtClose  (80, ... ) == 0x0
 00794   448   NtUnmapViewOfSection  (-1, 0xa10000, ... ) == 0x0
 00795   448   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 1237772, ... ) }, 1237772, ... ) == 0x0
 00796   448   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 5, 96, ... 80, {status=0x0, info=1}, ) }, 5, 96, ... 80, {status=0x0, info=1}, ) == 0x0
 00797   448   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 80, ... 92, ) == 0x0
 00798   448   NtQuerySection  (92, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00799   448   NtClose  (80, ... ) == 0x0
 00800   448   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x1f850000), 0x0, 90112, ) == 0x0
 00801   448   NtClose  (92, ... ) == 0x0
 00802   448   NtQueryDefaultLocale  (1, 1239460, ... ) == 0x0
 00803   448   NtAllocateVirtualMemory  (-1, 9506816, 0, 4096, 4096, 4, ... 9506816, 4096, ) == 0x0
 00804   448   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE"}, ... 92, ) }, ... 92, ) == 0x0
 00805   448   NtClose  (92, ... ) == 0x0
 00806   448   NtOpenKey  (0x20019, {24, 84, 0x40, 0, 0,  (0x20019, {24, 84, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00807   448   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00808   448   NtOpenKey  (0x20019, {24, 84, 0x40, 0, 0,  (0x20019, {24, 84, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00809   448   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00810   448   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WININET.dll"}, ... 92, ) }, ... 92, ) == 0x0
 00811   448   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76200000), 0x0, 618496, ) == 0x0
 00812   448   NtClose  (92, ... ) == 0x0
 00813   448   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "CRYPT32.dll"}, ... 92, ) }, ... 92, ) == 0x0
 00814   448   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762c0000), 0x0, 565248, ) == 0x0
 00815   448   NtClose  (92, ... ) == 0x0
 00816   448   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSASN1.dll"}, ... 92, ) }, ... 92, ) == 0x0
 00817   448   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762a0000), 0x0, 61440, ) == 0x0
 00818   448   NtClose  (92, ... ) == 0x0
 00819   448   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLEAUT32.dll"}, ... 92, ) }, ... 92, ) == 0x0
 00820   448   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0
 00821   448   NtClose  (92, ... ) == 0x0
 00822   448   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLE32.DLL"}, ... 92, ) }, ... 92, ) == 0x0
 00823   448   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0
 00824   448   NtClose  (92, ... ) == 0x0
 00825   448   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\crypt32\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00826   448   NtAllocateVirtualMemory  (-1, 1400832, 0, 4096, 4096, 4, ... 1400832, 4096, ) == 0x0
 00827   448   NtAllocateVirtualMemory  (-1, 1404928, 0, 4096, 4096, 4, ... 1404928, 4096, ) == 0x0
 00828   448   NtAllocateVirtualMemory  (-1, 1409024, 0, 4096, 4096, 4, ... 1409024, 4096, ) == 0x0
 00829   448   NtCreateEvent  (0x1f0003, {24, 52, 0x80, 1241616, 0,  (0x1f0003, {24, 52, 0x80, 1241616, 0, "Global\crypt32LogoffEvent"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED
 00830   448   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\crypt32LogoffEvent"}, ... 92, ) }, ... 92, ) == 0x0
 00831   448   NtAllocateVirtualMemory  (-1, 1413120, 0, 4096, 4096, 4, ... 1413120, 4096, ) == 0x0
 00832   448   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00833   448   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00834   448   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 80, ) }, ... 80, ) == 0x0
 00835   448   NtQueryValueKey  (80,  (80, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0
 00836   448   NtClose  (80, ... ) == 0x0
 00837   448   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00838   448   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00839   448   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00840   448   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00841   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 80, ) }, ... 80, ) == 0x0
 00842   448   NtQueryValueKey  (80,  (80, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00843   448   NtQueryValueKey  (80,  (80, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00844   448   NtQueryValueKey  (80,  (80, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00845   448   NtClose  (80, ... ) == 0x0
 00846   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 80, ) }, ... 80, ) == 0x0
 00847   448   NtQueryValueKey  (80,  (80, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00848   448   NtQueryValueKey  (80,  (80, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00849   448   NtClose  (80, ... ) == 0x0
 00850   448   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00851   448   NtUserRegisterWindowMessage  ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b
 00852   448   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00853   448   NtOpenKey  (0x9, {24, 28, 0x40, 0, 0,  (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00854   448   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00855   448   NtAllocateVirtualMemory  (-1, 1417216, 0, 8192, 4096, 4, ... 1417216, 8192, ) == 0x0
 00856   448   NtCreateKey  (0xf003f, {24, 84, 0x40, 0, 0,  (0xf003f, {24, 84, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History"}, 0, 0x0, 0, ... 80, 2, ) }, 0, 0x0, 0, ... 80, 2, ) == 0x0
 00857   448   NtQueryDefaultUILanguage  (1239852, ...
 00858   448   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00859   448   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482060, ) == 0x0
 00860   448   NtQueryInformationToken  (-2147482060, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00861   448   NtClose  (-2147482060, ... ) == 0x0
 00862   448   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482060, ) }, ... -2147482060, ) == 0x0
 00863   448   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00864   448   NtOpenKey  (0x80000000, {24, -2147482060, 0x640, 0, 0,  (0x80000000, {24, -2147482060, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482072, ) }, ... -2147482072, ) == 0x0
 00865   448   NtQueryValueKey  (-2147482072,  (-2147482072, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00866   448   NtClose  (-2147482072, ... ) == 0x0
 00867   448   NtClose  (-2147482060, ... ) == 0x0
 00857   448   NtQueryDefaultUILanguage  ... ) == 0x0
 00868   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00869   448   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll"}, 1, 96, ... 96, {status=0x0, info=1}, ) }, 1, 96, ... 96, {status=0x0, info=1}, ) == 0x0
 00870   448   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 96, ... 100, ) == 0x0
 00871   448   NtMapViewOfSection  (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xa10000), 0x0, 593920, ) == 0x0
 00872   448   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00873   448   NtQueryDefaultLocale  (1, 1237888, ... ) == 0x0
 00874   448   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00875   448   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1238744, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1238744, 1, 96, 0} "\210\6\32\1\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1`\0\0\0\377\377\377\377\0\0\0\0P\275\250\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\330\355\22\0\0\0\0\0" ... {128, 156, reply, 0, 428, 448, 1524, 0} " S\26\0\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1`\0\0\0\377\377\377\377\0\0\0\0P\275\250\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\330\355\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 428, 448, 1524, 0}  (24, {128, 156, new_msg, 0, 1238744, 1, 96, 0} "\210\6\32\1\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1`\0\0\0\377\377\377\377\0\0\0\0P\275\250\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\330\355\22\0\0\0\0\0" ... {128, 156, reply, 0, 428, 448, 1524, 0} " S\26\0\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1`\0\0\0\377\377\377\377\0\0\0\0P\275\250\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\330\355\22\0\0\0\0\0" )  ) == 0x0
 00876   448   NtClose  (96, ... ) == 0x0
 00877   448   NtClose  (100, ... ) == 0x0
 00878   448   NtUnmapViewOfSection  (-1, 0xa10000, ... ) == 0x0
 00879   448   NtUnmapViewOfSection  (-1, 0x12edd8, ... ) == STATUS_NOT_MAPPED_VIEW
 00880   448   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00881   448   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00882   448   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00883   448   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00884   448   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1236428, ... ) }, 1236428, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00885   448   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00886   448   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00887   448   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00888   448   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1237020, ... ) }, 1237020, ... ) == 0x0
 00889   448   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 100, {status=0x0, info=1}, ) }, 3, 33, ... 100, {status=0x0, info=1}, ) == 0x0
 00890   448   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00891   448   NtCreateKey  (0x2001f, {24, 84, 0x40, 0, 0,  (0x2001f, {24, 84, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 96, 2, ) }, 0, 0x0, 0, ... 96, 2, ) == 0x0
 00892   448   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00893   448   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1241484, ... ) }, 1241484, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00894   448   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2_32.dll"}, 1241484, ... ) }, 1241484, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00895   448   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 1241484, ... ) }, 1241484, ... ) == 0x0
 00896   448   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0
 00897   448   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 104, ... 108, ) == 0x0
 00898   448   NtQuerySection  (108, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00899   448   NtClose  (104, ... ) == 0x0
 00900   448   NtMapViewOfSection  (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 86016, ) == 0x0
 00901   448   NtClose  (108, ... ) == 0x0
 00902   448   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00903   448   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1240680, ... ) }, 1240680, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00904   448   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2HELP.dll"}, 1240680, ... ) }, 1240680, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00905   448   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 1240680, ... ) }, 1240680, ... ) == 0x0
 00906   448   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 5, 96, ... 108, {status=0x0, info=1}, ) }, 5, 96, ... 108, {status=0x0, info=1}, ) == 0x0
 00907   448   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 108, ... 104, ) == 0x0
 00908   448   NtQuerySection  (104, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00909   448   NtClose  (108, ... ) == 0x0
 00910   448   NtMapViewOfSection  (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00911   448   NtClose  (104, ... ) == 0x0
 00912   448   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00913   448   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00914   448   NtTestAlert  (... ) == 0x0
 00915   448   NtContinue  (1244464, 1, ...
 00916   448   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x490000,}, 4, ... ) == 0x0
 00917   448   NtCreateEvent  (0x1f0003, {24, 52, 0x80, 1245092, 0,  (0x1f0003, {24, 52, 0x80, 1245092, 0, "VT_3"}, 1, 0, ... 104, ) }, 1, 0, ... 104, ) == 0x0
 00918   448   NtCreateSection  (0xf0007, {24, 52, 0x80, 1245092, 0,  (0xf0007, {24, 52, 0x80, 1245092, 0, "W32_Virtu"}, {22585, 0}, 4, 134217728, 0, ... 108, ) }, {22585, 0}, 4, 134217728, 0, ... 108, ) == 0x0
 00919   448   NtMapViewOfSection  (108, -1, (0x0), 0, 22585, 0x0, 22585, 2, 0, 4, ... (0xa10000), 0x0, 24576, ) == 0x0
 00920   448   NtOpenProcessToken  (-1, 0x20, ... 112, ) == 0x0
 00921   448   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00922   448   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00923   448   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 116, ) }, ... 116, ) == 0x0
 00924   448   NtQueryValueKey  (116,  (116, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00925   448   NtClose  (116, ... ) == 0x0
 00926   448   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00927   448   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 116, ) == 0x0
 00928   448   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 120, ) == 0x0
 00929   448   NtQuerySystemTime  (... {-1895621098, 29873137}, ) == 0x0
 00930   448   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 124, ) == 0x0
 00931   448   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00932   448   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0
 00933   448   NtQueryInformationProcess  (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0
 00934   448   NtQueryInformationProcess  (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0
 00935   448   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 128, ) == 0x0
 00936   448   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 132, ) == 0x0
 00937   448   NtAllocateVirtualMemory  (-1, 1425408, 0, 4096, 4096, 4, ... 1425408, 4096, ) == 0x0
 00938   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 136, ) }, ... 136, ) == 0x0
 00939   448   NtOpenKey  (0x20019, {24, 136, 0x40, 0, 0,  (0x20019, {24, 136, 0x40, 0, 0, "ActiveComputerName"}, ... 140, ) }, ... 140, ) == 0x0
 00940   448   NtQueryValueKey  (140,  (140, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (140, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (140, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0
 00941   448   NtClose  (140, ... ) == 0x0
 00942   448   NtClose  (136, ... ) == 0x0
 00943   448   NtCreateIoCompletion  (0x1f0003, 0x0, 0, ... 136, ) == 0x0
 00944   448   NtCreateIoCompletion  (0x1f0003, 0x0, -1, ... 140, ) == 0x0
 00945   448   NtDuplicateObject  (-1, 136, -1, 0x0, 0, 2, ... 144, ) == 0x0
 00946   448   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 00947   448   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 148, ) == 0x0
 00948   448   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 00949   448   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 00950   448   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1243268,  (0xc0100080, {24, 0, 0x40, 0, 1243268, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 152, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 152, {status=0x0, info=1}, ) == 0x0
 00951   448   NtSetInformationFile  (152, 1243324, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 00952   448   NtSetInformationFile  (152, 1243316, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 00953   448   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 00954   448   NtWriteFile  (152, 129, 0, 0,  (152, 129, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 00955   448   NtAllocateVirtualMemory  (-1, 1429504, 0, 4096, 4096, 4, ... 1429504, 4096, ) == 0x0
 00956   448   NtReadFile  (152, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (152, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\357 \0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 00957   448   NtFsControlFile  (152, 129, 0x0, 0x0, 0x11c017,  (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0<\377\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\357 \0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0<\377\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\357 \0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 00958   448   NtFsControlFile  (152, 129, 0x0, 0x0, 0x11c017,  (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\2\0\0\0H\0\0\0\0\0\37\0\0\0\0\0\350\234\364\307\344?\334\21\261\310\0\14)\371\246\305 \0"\0(\262\25\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 96, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\350\234\364\307\344?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) \0(\262\25\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0 (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\2\0\0\0H\0\0\0\0\0\37\0\0\0\0\0\350\234\364\307\344?\334\21\261\310\0\14)\371\246\305 \0"\0(\262\25\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 96, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\350\234\364\307\344?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) \5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\350\234\364\307\344?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) == 0x103
 00959   448   NtFsControlFile  (152, 129, 0x0, 0x0, 0x11c017,  (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\350\234\364\307\344?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=36},  (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\350\234\364\307\344?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 00960   448   NtClose  (148, ... ) == 0x0
 00961   448   NtClose  (152, ... ) == 0x0
 00962   448   NtAdjustPrivilegesToken  (112, 0, 1245096, 0, 0, 0, ... ) == 0x0
 00963   448   NtClose  (112, ... ) == 0x0
 00964   448   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 4096, 4, ... 10616832, 65536, ) == 0x0
 00965   448   NtQuerySystemInformation  (ProcessesAndThreads, 65536, ... {system info, class 5, size 500}, 0x0, ) == 0x0
 00966   448   NtCreateSection  (0xf0007, 0x0, {12284, 0}, 4, 134217728, 0, ... 112, ) == 0x0
 00967   448   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa30000), {0, 0}, 12288, ) == 0x0
 00968   448   NtUnmapViewOfSection  (-1, 0xa30000, ... ) == 0x0
 00969   448   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa30000), {0, 0}, 12288, ) == 0x0
 00970   448   NtFreeVirtualMemory  (-1, (0xa20000), 0, 32768, ... (0xa20000), 65536, ) == 0x0
 00971   448   NtUnmapViewOfSection  (-1, 0xa30000, ... ) == 0x0
 00972   448   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0
 00973   448   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 00974   448   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0
 00975   448   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 00976   448   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0
 00977   448   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 00978   448   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0
 00979   448   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 00980   448   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0
 00981   448   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 00982   448   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {616, 0}, ... 152, ) == 0x0
 00983   448   NtOpenSection  (0x6, {24, 52, 0x0, 0, 0,  (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 148, ) }, ... 148, ) == 0x0
 00984   448   NtMapViewOfSection  (148, 152, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ff90000), 0x0, 24576, ) == 0x0
 00985   448   NtClose  (148, ... ) == 0x0
 00986   448   NtProtectVirtualMemory  (152, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0
 00987   448   NtWriteVirtualMemory  (152, 0x77f7e603,  (152, 0x77f7e603, "\350q-\1\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00988   448   NtProtectVirtualMemory  (152, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 00989   448   NtWriteVirtualMemory  (152, 0x77f7e6a3,  (152, 0x77f7e6a3, "\350\36-\1\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00990   448   NtProtectVirtualMemory  (152, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 00991   448   NtWriteVirtualMemory  (152, 0x77f7e6b3,  (152, 0x77f7e6b3, "\350\33-\1\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00992   448   NtAllocateVirtualMemory  (152, 0, 0, 1048576, 8192, 4, ... 22413312, 1048576, ) == 0x0
 00993   448   NtAllocateVirtualMemory  (152, 23453696, 0, 8192, 4096, 4, ... 23453696, 8192, ) == 0x0
 00994   448   NtProtectVirtualMemory  (152, (0x165e000), 4096, 260, ... (0x165e000), 4096, 4, ) == 0x0
 00995   448   NtCreateThread  (0x1f03ff, 0x0, 152, 1244008, 1244724, 1, ... 148, {616, 788}, ) == 0x0
 00996   448   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1244852, 2012750850, 2012697848, -1}  (24, {28, 56, new_msg, 0, 1244852, 2012750850, 2012697848, -1} "\0\0\0\0\1\0\1\0\0\0\25\0\0\0\0\0\224\0\0\0h\2\0\0\24\3\0\0" ... {28, 56, reply, 0, 428, 448, 1525, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\224\0\0\0h\2\0\0\24\3\0\0" )  ... {28, 56, reply, 0, 428, 448, 1525, 0}  (24, {28, 56, new_msg, 0, 1244852, 2012750850, 2012697848, -1} "\0\0\0\0\1\0\1\0\0\0\25\0\0\0\0\0\224\0\0\0h\2\0\0\24\3\0\0" ... {28, 56, reply, 0, 428, 448, 1525, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\224\0\0\0h\2\0\0\24\3\0\0" )  ) == 0x0
 00997   448   NtResumeThread  (148, ... 1, ) == 0x0
 00998   448   NtClose  (152, ... ) == 0x0
 00999   448   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0
 01000   448   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 01001   448   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {660, 0}, ... 152, ) == 0x0
 01002   448   NtOpenSection  (0x6, {24, 52, 0x0, 0, 0,  (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 156, ) }, ... 156, ) == 0x0
 01003   448   NtMapViewOfSection  (156, 152, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ff90000), 0x0, 24576, ) == 0x0
 01004   448   NtClose  (156, ... ) == 0x0
 01005   448   NtProtectVirtualMemory  (152, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0
 01006   448   NtWriteVirtualMemory  (152, 0x77f7e603,  (152, 0x77f7e603, "\350q-\1\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01007   448   NtProtectVirtualMemory  (152, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01008   448   NtWriteVirtualMemory  (152, 0x77f7e6a3,  (152, 0x77f7e6a3, "\350\36-\1\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01009   448   NtProtectVirtualMemory  (152, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01010   448   NtWriteVirtualMemory  (152, 0x77f7e6b3,  (152, 0x77f7e6b3, "\350\33-\1\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01011   448   NtClose  (152, ... ) == 0x0
 01012   448   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0
 01013   448   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 01014   448   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {672, 0}, ... 152, ) == 0x0
 01015   448   NtOpenSection  (0x6, {24, 52, 0x0, 0, 0,  (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 156, ) }, ... 156, ) == 0x0
 01016   448   NtMapViewOfSection  (156, 152, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ff90000), 0x0, 24576, ) == 0x0
 01017   448   NtClose  (156, ... ) == 0x0
 01018   448   NtProtectVirtualMemory  (152, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0
 01019   448   NtWriteVirtualMemory  (152, 0x77f7e603,  (152, 0x77f7e603, "\350q-\1\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01020   448   NtProtectVirtualMemory  (152, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01021   448   NtWriteVirtualMemory  (152, 0x77f7e6a3,  (152, 0x77f7e6a3, "\350\36-\1\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01022   448   NtProtectVirtualMemory  (152, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01023   448   NtWriteVirtualMemory  (152, 0x77f7e6b3,  (152, 0x77f7e6b3, "\350\33-\1\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01024   448   NtClose  (152, ... ) == 0x0
 01025   448   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0
 01026   448   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 01027   448   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {844, 0}, ... 152, ) == 0x0
 01028   448   NtOpenSection  (0x6, {24, 52, 0x0, 0, 0,  (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 156, ) }, ... 156, ) == 0x0
 01029   448   NtMapViewOfSection  (156, 152, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0
 01030   448   NtClose  (156, ... ) == 0x0
 01031   448   NtProtectVirtualMemory  (152, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0
 01032   448   NtWriteVirtualMemory  (152, 0x77f7e603,  (152, 0x77f7e603, "\350q-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01033   448   NtProtectVirtualMemory  (152, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01034   448   NtWriteVirtualMemory  (152, 0x77f7e6a3,  (152, 0x77f7e6a3, "\350\36-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01035   448   NtProtectVirtualMemory  (152, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01036   448   NtWriteVirtualMemory  (152, 0x77f7e6b3,  (152, 0x77f7e6b3, "\350\33-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01037   448   NtClose  (152, ... ) == 0x0
 01038   448   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0
 01039   448   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 01040   448   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {972, 0}, ... 152, ) == 0x0
 01041   448   NtOpenSection  (0x6, {24, 52, 0x0, 0, 0,  (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 156, ) }, ... 156, ) == 0x0
 01042   448   NtMapViewOfSection  (156, 152, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ff70000), 0x0, 24576, ) == 0x0
 01043   448   NtClose  (156, ... ) == 0x0
 01044   448   NtProtectVirtualMemory  (152, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0
 01045   448   NtWriteVirtualMemory  (152, 0x77f7e603,  (152, 0x77f7e603, "\350q-\377\7", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01046   448   NtProtectVirtualMemory  (152, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01047   448   NtWriteVirtualMemory  (152, 0x77f7e6a3,  (152, 0x77f7e6a3, "\350\36-\377\7", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01048   448   NtProtectVirtualMemory  (152, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01049   448   NtWriteVirtualMemory  (152, 0x77f7e6b3,  (152, 0x77f7e6b3, "\350\33-\377\7", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01050   448   NtClose  (152, ... ) == 0x0
 01051   448   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0
 01052   448   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 01053   448   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1048, 0}, ... 152, ) == 0x0
 01054   448   NtOpenSection  (0x6, {24, 52, 0x0, 0, 0,  (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 156, ) }, ... 156, ) == 0x0
 01055   448   NtMapViewOfSection  (156, 152, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0
 01056   448   NtClose  (156, ... ) == 0x0
 01057   448   NtProtectVirtualMemory  (152, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0
 01058   448   NtWriteVirtualMemory  (152, 0x77f7e603,  (152, 0x77f7e603, "\350q-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01059   448   NtProtectVirtualMemory  (152, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01060   448   NtWriteVirtualMemory  (152, 0x77f7e6a3,  (152, 0x77f7e6a3, "\350\36-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01061   448   NtProtectVirtualMemory  (152, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01062   448   NtWriteVirtualMemory  (152, 0x77f7e6b3,  (152, 0x77f7e6b3, "\350\33-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01063   448   NtClose  (152, ... ) == 0x0
 01064   448   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0
 01065   448   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 01066   448   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1072, 0}, ... 152, ) == 0x0
 01067   448   NtOpenSection  (0x6, {24, 52, 0x0, 0, 0,  (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 156, ) }, ... 156, ) == 0x0
 01068   448   NtMapViewOfSection  (156, 152, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0
 01069   448   NtClose  (156, ... ) == 0x0
 01070   448   NtProtectVirtualMemory  (152, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0
 01071   448   NtWriteVirtualMemory  (152, 0x77f7e603,  (152, 0x77f7e603, "\350q-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01072   448   NtProtectVirtualMemory  (152, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01073   448   NtWriteVirtualMemory  (152, 0x77f7e6a3,  (152, 0x77f7e6a3, "\350\36-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01074   448   NtProtectVirtualMemory  (152, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01075   448   NtWriteVirtualMemory  (152, 0x77f7e6b3,  (152, 0x77f7e6b3, "\350\33-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01076   448   NtClose  (152, ... ) == 0x0
 01077   448   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0
 01078   448   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 01079   448   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1372, 0}, ... 152, ) == 0x0
 01080   448   NtOpenSection  (0x6, {24, 52, 0x0, 0, 0,  (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 156, ) }, ... 156, ) == 0x0
 01081   448   NtMapViewOfSection  (156, 152, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0
 01082   448   NtClose  (156, ... ) == 0x0
 01083   448   NtProtectVirtualMemory  (152, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0
 01084   448   NtWriteVirtualMemory  (152, 0x77f7e603,  (152, 0x77f7e603, "\350q-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01085   448   NtProtectVirtualMemory  (152, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01086   448   NtWriteVirtualMemory  (152, 0x77f7e6a3,  (152, 0x77f7e6a3, "\350\36-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01087   448   NtProtectVirtualMemory  (152, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01088   448   NtWriteVirtualMemory  (152, 0x77f7e6b3,  (152, 0x77f7e6b3, "\350\33-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01089   448   NtClose  (152, ... ) == 0x0
 01090   448   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0
 01091   448   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 01092   448   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1636, 0}, ... 152, ) == 0x0
 01093   448   NtOpenSection  (0x6, {24, 52, 0x0, 0, 0,  (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 156, ) }, ... 156, ) == 0x0
 01094   448   NtMapViewOfSection  (156, 152, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0
 01095   448   NtClose  (156, ... ) == 0x0
 01096   448   NtProtectVirtualMemory  (152, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0
 01097   448   NtWriteVirtualMemory  (152, 0x77f7e603,  (152, 0x77f7e603, "\350q-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01098   448   NtProtectVirtualMemory  (152, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01099   448   NtWriteVirtualMemory  (152, 0x77f7e6a3,  (152, 0x77f7e6a3, "\350\36-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01100   448   NtProtectVirtualMemory  (152, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01101   448   NtWriteVirtualMemory  (152, 0x77f7e6b3,  (152, 0x77f7e6b3, "\350\33-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01102   448   NtClose  (152, ... ) == 0x0
 01103   448   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0
 01104   448   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 01105   448   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1840, 0}, ... 152, ) == 0x0
 01106   448   NtOpenSection  (0x6, {24, 52, 0x0, 0, 0,  (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 156, ) }, ... 156, ) == 0x0
 01107   448   NtMapViewOfSection  (156, 152, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0
 01108   448   NtClose  (156, ... ) == 0x0
 01109   448   NtProtectVirtualMemory  (152, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0
 01110   448   NtWriteVirtualMemory  (152, 0x77f7e603,  (152, 0x77f7e603, "\350q-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01111   448   NtProtectVirtualMemory  (152, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01112   448   NtWriteVirtualMemory  (152, 0x77f7e6a3,  (152, 0x77f7e6a3, "\350\36-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01113   448   NtProtectVirtualMemory  (152, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01114   448   NtWriteVirtualMemory  (152, 0x77f7e6b3,  (152, 0x77f7e6b3, "\350\33-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01115   448   NtClose  (152, ... ) == 0x0
 01116   448   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0
 01117   448   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 01118   448   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1896, 0}, ... 152, ) == 0x0
 01119   448   NtOpenSection  (0x6, {24, 52, 0x0, 0, 0,  (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 156, ) }, ... 156, ) == 0x0
 01120   448   NtMapViewOfSection  (156, 152, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0
 01121   448   NtClose  (156, ... ) == 0x0
 01122   448   NtProtectVirtualMemory  (152, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0
 01123   448   NtWriteVirtualMemory  (152, 0x77f7e603,  (152, 0x77f7e603, "\350q-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01124   448   NtProtectVirtualMemory  (152, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01125   448   NtWriteVirtualMemory  (152, 0x77f7e6a3,  (152, 0x77f7e6a3, "\350\36-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01126   448   NtProtectVirtualMemory  (152, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01127   448   NtWriteVirtualMemory  (152, 0x77f7e6b3,  (152, 0x77f7e6b3, "\350\33-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01128   448   NtClose  (152, ... ) == 0x0
 01129   448   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0
 01130   448   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 01131   448   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {2000, 0}, ... 152, ) == 0x0
 01132   448   NtOpenSection  (0x6, {24, 52, 0x0, 0, 0,  (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 156, ) }, ... 156, ) == 0x0
 01133   448   NtMapViewOfSection  (156, 152, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0
 01134   448   NtClose  (156, ... ) == 0x0
 01135   448   NtProtectVirtualMemory  (152, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0
 01136   448   NtWriteVirtualMemory  (152, 0x77f7e603,  (152, 0x77f7e603, "\350q-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01137   448   NtProtectVirtualMemory  (152, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01138   448   NtWriteVirtualMemory  (152, 0x77f7e6a3,  (152, 0x77f7e6a3, "\350\36-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01139   448   NtProtectVirtualMemory  (152, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01140   448   NtWriteVirtualMemory  (152, 0x77f7e6b3,  (152, 0x77f7e6b3, "\350\33-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01141   448   NtClose  (152, ... ) == 0x0
 01142   448   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0
 01143   448   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 01144   448   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {2008, 0}, ... 152, ) == 0x0
 01145   448   NtOpenSection  (0x6, {24, 52, 0x0, 0, 0,  (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 156, ) }, ... 156, ) == 0x0
 01146   448   NtMapViewOfSection  (156, 152, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0
 01147   448   NtClose  (156, ... ) == 0x0
 01148   448   NtProtectVirtualMemory  (152, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0
 01149   448   NtWriteVirtualMemory  (152, 0x77f7e603,  (152, 0x77f7e603, "\350q-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01150   448   NtProtectVirtualMemory  (152, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01151   448   NtWriteVirtualMemory  (152, 0x77f7e6a3,  (152, 0x77f7e6a3, "\350\36-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01152   448   NtProtectVirtualMemory  (152, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01153   448   NtWriteVirtualMemory  (152, 0x77f7e6b3,  (152, 0x77f7e6b3, "\350\33-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01154   448   NtClose  (152, ... ) == 0x0
 01155   448   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0
 01156   448   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 01157   448   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {2016, 0}, ... 152, ) == 0x0
 01158   448   NtOpenSection  (0x6, {24, 52, 0x0, 0, 0,  (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 156, ) }, ... 156, ) == 0x0
 01159   448   NtMapViewOfSection  (156, 152, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0
 01160   448   NtClose  (156, ... ) == 0x0
 01161   448   NtProtectVirtualMemory  (152, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0
 01162   448   NtWriteVirtualMemory  (152, 0x77f7e603,  (152, 0x77f7e603, "\350q-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01163   448   NtProtectVirtualMemory  (152, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01164   448   NtWriteVirtualMemory  (152, 0x77f7e6a3,  (152, 0x77f7e6a3, "\350\36-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01165   448   NtProtectVirtualMemory  (152, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01166   448   NtWriteVirtualMemory  (152, 0x77f7e6b3,  (152, 0x77f7e6b3, "\350\33-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01167   448   NtClose  (152, ... ) == 0x0
 01168   448   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0
 01169   448   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 01170   448   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {2028, 0}, ... 152, ) == 0x0
 01171   448   NtOpenSection  (0x6, {24, 52, 0x0, 0, 0,  (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 156, ) }, ... 156, ) == 0x0
 01172   448   NtMapViewOfSection  (156, 152, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0
 01173   448   NtClose  (156, ... ) == 0x0
 01174   448   NtProtectVirtualMemory  (152, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0
 01175   448   NtWriteVirtualMemory  (152, 0x77f7e603,  (152, 0x77f7e603, "\350q-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01176   448   NtProtectVirtualMemory  (152, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01177   448   NtWriteVirtualMemory  (152, 0x77f7e6a3,  (152, 0x77f7e6a3, "\350\36-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01178   448   NtProtectVirtualMemory  (152, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01179   448   NtWriteVirtualMemory  (152, 0x77f7e6b3,  (152, 0x77f7e6b3, "\350\33-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01180   448   NtClose  (152, ... ) == 0x0
 01181   448   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0
 01182   448   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 01183   448   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {140, 0}, ... 152, ) == 0x0
 01184   448   NtOpenSection  (0x6, {24, 52, 0x0, 0, 0,  (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 156, ) }, ... 156, ) == 0x0
 01185   448   NtMapViewOfSection  (156, 152, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0
 01186   448   NtClose  (156, ... ) == 0x0
 01187   448   NtProtectVirtualMemory  (152, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0
 01188   448   NtWriteVirtualMemory  (152, 0x77f7e603,  (152, 0x77f7e603, "\350q-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01189   448   NtProtectVirtualMemory  (152, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01190   448   NtWriteVirtualMemory  (152, 0x77f7e6a3,  (152, 0x77f7e6a3, "\350\36-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01191   448   NtProtectVirtualMemory  (152, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01192   448   NtWriteVirtualMemory  (152, 0x77f7e6b3,  (152, 0x77f7e6b3, "\350\33-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01193   448   NtClose  (152, ... ) == 0x0
 01194   448   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0
 01195   448   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 01196   448   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {268, 0}, ... 152, ) == 0x0
 01197   448   NtOpenSection  (0x6, {24, 52, 0x0, 0, 0,  (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 156, ) }, ... 156, ) == 0x0
 01198   448   NtMapViewOfSection  (156, 152, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0
 01199   448   NtClose  (156, ... ) == 0x0
 01200   448   NtProtectVirtualMemory  (152, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0
 01201   448   NtWriteVirtualMemory  (152, 0x77f7e603,  (152, 0x77f7e603, "\350q-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01202   448   NtProtectVirtualMemory  (152, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01203   448   NtWriteVirtualMemory  (152, 0x77f7e6a3,  (152, 0x77f7e6a3, "\350\36-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01204   448   NtProtectVirtualMemory  (152, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01205   448   NtWriteVirtualMemory  (152, 0x77f7e6b3,  (152, 0x77f7e6b3, "\350\33-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01206   448   NtClose  (152, ... ) == 0x0
 01207   448   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0
 01208   448   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 01209   448   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {428, 0}, ... 152, ) == 0x0
 01210   448   NtOpenSection  (0x6, {24, 52, 0x0, 0, 0,  (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 156, ) }, ... 156, ) == 0x0
 01211   448   NtMapViewOfSection  (156, 152, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0
 01212   448   NtClose  (156, ... ) == 0x0
 01213   448   NtProtectVirtualMemory  (152, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0
 01214   448   NtWriteVirtualMemory  (152, 0x77f7e603,  (152, 0x77f7e603, "\350q-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01215   448   NtProtectVirtualMemory  (152, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01216   448   NtWriteVirtualMemory  (152, 0x77f7e6a3,  (152, 0x77f7e6a3, "\350\36-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01217   448   NtProtectVirtualMemory  (152, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01218   448   NtWriteVirtualMemory  (152, 0x77f7e6b3,  (152, 0x77f7e6b3, "\350\33-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01219   448   NtClose  (152, ... ) == 0x0
 01220   448   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0
 01221   448   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 01222   448   NtClose  (112, ... ) == 0x0
 01223   448   NtClose  (104, ... ) == 0x0
 01224   448   NtQueryPerformanceCounter  (... {112284832, 0}, {3579545, 0}, ) == 0x0
 01225   448   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01226   448   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 10616832, 65536, ) == 0x0
 01227   448   NtAllocateVirtualMemory  (-1, 10616832, 0, 4096, 4096, 4, ... 10616832, 4096, ) == 0x0
 01228   448   NtAllocateVirtualMemory  (-1, 10620928, 0, 8192, 4096, 4, ... 10620928, 8192, ) == 0x0
 01229   448   NtAllocateVirtualMemory  (-1, 10629120, 0, 4096, 4096, 4, ... 10629120, 4096, ) == 0x0
 01230   448   NtAllocateVirtualMemory  (-1, 10633216, 0, 4096, 4096, 4, ... 10633216, 4096, ) == 0x0
 01231   448   NtAllocateVirtualMemory  (-1, 0, 0, 6, 12288, 64, ... 10682368, 4096, ) == 0x0
 01232   448   NtProtectVirtualMemory  (-1, (0xa30000), 6, 64, ...
 01233   448   NtContinue  (-133693652, 0, ...
 01232   448   NtProtectVirtualMemory  ... ) == STATUS_ACCESS_VIOLATION
 01234   448   NtFreeVirtualMemory  (-1, (0xa30000), 0, 32768, ... (0xa30000), 4096, ) == 0x0
 01235   448   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\U:\WORK\PACKED.EXE"}, 1241688, ... ) }, 1241688, ... ) == 0x0
 01236   448   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\U:\WORK\PACKED.EXE"}, 7, 2113568, ... 104, {status=0x0, info=1}, ) }, 7, 2113568, ... 104, {status=0x0, info=1}, ) == 0x0
 01237   448   NtSetInformationFile  (104, 1241664, 40, Basic, ... ) == STATUS_ACCESS_DENIED
 01238   448   NtClose  (104, ... ) == 0x0
 01239   448   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1241932,  (0x80100080, {24, 0, 0x40, 0, 1241932, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 104, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 104, {status=0x0, info=1}, ) == 0x0
 01240   448   NtQueryInformationFile  (104, 1242868, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0
 01241   448   NtQueryInformationFile  (104, 1242840, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01242   448   NtQueryInformationFile  (104, 1242792, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01243   448   NtAllocateVirtualMemory  (-1, 1433600, 0, 8192, 4096, 4, ... 1433600, 8192, ) == 0x0
 01244   448   NtQueryInformationFile  (104, 1431152, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0
 01245   448   NtQueryInformationFile  (104, 1241336, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01246   448   NtQueryInformationFile  (104, 1241180, 4, Ea, ... {status=0x0, info=4}, ) == 0x0
 01247   448   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM32\EUPSVC.EXE"}, 1240072, ... ) }, 1240072, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01248   448   NtCreateFile  (0x40110080, {24, 0, 0x40, 0, 1241188,  (0x40110080, {24, 0, 0x40, 0, 1241188, "\??\C:\WINDOWS\System32\eupsvc.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ...
 01249   448   NtClose  (-2147482060, ... ) == 0x0
 01248   448   NtCreateFile  ... 112, {status=0x0, info=2}, ) == 0x0
 01250   448   NtQueryVolumeInformationFile  (112, 1240560, 536, Attribute, ... {status=0x0, info=22}, ) == 0x0
 01251   448   NtQueryInformationFile  (112, 1240520, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01252   448   NtQueryVolumeInformationFile  (104, 1240560, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 01253   448   NtQueryVolumeInformationFile  (104, 1240244, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01254   448   NtSetInformationFile  (112, 1240348, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01255   448   NtCreateSection  (0xf001f, 0x0, 0x0, 2, 134217728, 104, ... 152, ) == 0x0
 01256   448   NtMapViewOfSection  (152, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xa30000), {0, 0}, 221184, ) == 0x0
 01257   448   NtClose  (152, ... ) == 0x0
 01258   448   NtWriteFile  (112, 0, 0, 0,  (112, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0    \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\370\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0V^\2517\22?\307d\22?\307d\22?\307d5\371\272d\11?\307d5\371\252d\234?\307d5\371\251d ?\307d\2217\232d\20?\307d\3210\232d\35?\307d\22?\306d\277?\307d5\371\265d\16?\307d5\371\277d\23?\307dRich\22?\307d\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0o\241\3\243"\202\300O\253\236\215\371S\364\26\360PE\0\0L\1\10\0!u\342E\0\0\0\0\0\0\0\0\340\0\3\1\13\1\10\0\0\320\1\0\0\260\0\0\0\0\0\0\0\0\11\0\0\320\5\0\0\340\1\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0`\11\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\320\5\0\20\1\0\0\0\220\3\0\260\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\321\5\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.tex", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) \202\300O\253\236\215\371S\364\26\360PE\0\0L\1\10\0!u\342E\0\0\0\0\0\0\0\0\340\0\3\1\13\1\10\0\0\320\1\0\0\260\0\0\0\0\0\0\0\0\11\0\0\320\5\0\0\340\1\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0`\11\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\320\5\0\20\1\0\0\0\220\3\0\260\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\321\5\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.tex", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 01259   448   NtWriteFile  (112, 0, 0, 0,  (112, 0, 0, 0, "\240\326\243_\3413\226\361\305d\223d\313?f\366\201\319\22\271\10\230\316Up}1T\356e\148\236@k\316\31f\346\324Z1-\354j\15\202\357K\321\352.uj\264r!\27I\355"\236\202I\0\4B\27\223\2005c\X\3]\235J\4[\12\216QY\200\211(\21\355RN\17AD\270%\255\21o\247\230\240\221\210$w\11\366H\6$\22\1=\31\371\240\230\202D\3046\356\0\344ru\377\207Kb\310\324)N\256\42D\314\267\265\276\251`\277AEM\16\270u\25\314U\3474\360Q\200\277\324\227\327\200\264(\1\7K\352"s\323\331\212\356jl5\225\223"b\253\301T\13\201\324\245\311\0\243%2\327\352\241\250\210\301m\272\330\325\270MY\26\37l\264\221\267\273\350\243\256\342\347\264\20z\273{\355\227BO\352Z\37\273\353"D\261\300q\341\11\247}G\353\26\365\236\324\336\2\334\316\344BE\216Z\231\20\312\363#\12\304\\304V\5\336W\374\212\325\250*\226\361U\210\331J\367*\365\3\266t\235\211\222@\301JF\21\316~=\275\306W.\252\30\5.\356I\367{\10\374\373^\214J\254'\351F|*\376\232\304.\256\7fCKB\267h\221\326\31\25,F.\355(+\343\334\35\14\204#\257k\223E24\210\223\5\364Y(?4i\3665]\227@\236\250v\214M::vS\355\367c\253\2031s\31\21\361\245*\356\311\316E\234\5\206)\316i)\316%a\203\326#\311x9A\247\374\12\274hs\201\245\4$W@\312h#"Xe\28R3\373\303;\212N\233\232\324!%i\271U\7\13\243][\370``\365\1\223\32V\21)\244\352\207C\305\200\342xc\220:`\232T\2302?\14\243\315\2kW\245\300\330\314\367\273\3001\225", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) \236\202I\0\4B\27\223\2005c\X\3]\235J\4[\12\216QY\200\211(\21\355RN\17AD\270%\255\21o\247\230\240\221\210$w\11\366H\6$\22\1=\31\371\240\230\202D\3046\356\0\344ru\377\207Kb\310\324)N\256\42D\314\267\265\276\251`\277AEM\16\270u\25\314U\3474\360Q\200\277\324\227\327\200\264(\1\7K\352 (112, 0, 0, 0, "\240\326\243_\3413\226\361\305d\223d\313?f\366\201\319\22\271\10\230\316Up}1T\356e\148\236@k\316\31f\346\324Z1-\354j\15\202\357K\321\352.uj\264r!\27I\355"\236\202I\0\4B\27\223\2005c\X\3]\235J\4[\12\216QY\200\211(\21\355RN\17AD\270%\255\21o\247\230\240\221\210$w\11\366H\6$\22\1=\31\371\240\230\202D\3046\356\0\344ru\377\207Kb\310\324)N\256\42D\314\267\265\276\251`\277AEM\16\270u\25\314U\3474\360Q\200\277\324\227\327\200\264(\1\7K\352"s\323\331\212\356jl5\225\223"b\253\301T\13\201\324\245\311\0\243%2\327\352\241\250\210\301m\272\330\325\270MY\26\37l\264\221\267\273\350\243\256\342\347\264\20z\273{\355\227BO\352Z\37\273\353"D\261\300q\341\11\247}G\353\26\365\236\324\336\2\334\316\344BE\216Z\231\20\312\363#\12\304\\304V\5\336W\374\212\325\250*\226\361U\210\331J\367*\365\3\266t\235\211\222@\301JF\21\316~=\275\306W.\252\30\5.\356I\367{\10\374\373^\214J\254'\351F|*\376\232\304.\256\7fCKB\267h\221\326\31\25,F.\355(+\343\334\35\14\204#\257k\223E24\210\223\5\364Y(?4i\3665]\227@\236\250v\214M::vS\355\367c\253\2031s\31\21\361\245*\356\311\316E\234\5\206)\316i)\316%a\203\326#\311x9A\247\374\12\274hs\201\245\4$W@\312h#"Xe\28R3\373\303;\212N\233\232\324!%i\271U\7\13\243][\370``\365\1\223\32V\21)\244\352\207C\305\200\342xc\220:`\232T\2302?\14\243\315\2kW\245\300\330\314\367\273\3001\225", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) b\253\301T\13\201\324\245\311\0\243%2\327\352\241\250\210\301m\272\330\325\270MY\26\37l\264\221\267\273\350\243\256\342\347\264\20z\273{\355\227BO\352Z\37\273\353 (112, 0, 0, 0, "\240\326\243_\3413\226\361\305d\223d\313?f\366\201\319\22\271\10\230\316Up}1T\356e\148\236@k\316\31f\346\324Z1-\354j\15\202\357K\321\352.uj\264r!\27I\355"\236\202I\0\4B\27\223\2005c\X\3]\235J\4[\12\216QY\200\211(\21\355RN\17AD\270%\255\21o\247\230\240\221\210$w\11\366H\6$\22\1=\31\371\240\230\202D\3046\356\0\344ru\377\207Kb\310\324)N\256\42D\314\267\265\276\251`\277AEM\16\270u\25\314U\3474\360Q\200\277\324\227\327\200\264(\1\7K\352"s\323\331\212\356jl5\225\223"b\253\301T\13\201\324\245\311\0\243%2\327\352\241\250\210\301m\272\330\325\270MY\26\37l\264\221\267\273\350\243\256\342\347\264\20z\273{\355\227BO\352Z\37\273\353"D\261\300q\341\11\247}G\353\26\365\236\324\336\2\334\316\344BE\216Z\231\20\312\363#\12\304\\304V\5\336W\374\212\325\250*\226\361U\210\331J\367*\365\3\266t\235\211\222@\301JF\21\316~=\275\306W.\252\30\5.\356I\367{\10\374\373^\214J\254'\351F|*\376\232\304.\256\7fCKB\267h\221\326\31\25,F.\355(+\343\334\35\14\204#\257k\223E24\210\223\5\364Y(?4i\3665]\227@\236\250v\214M::vS\355\367c\253\2031s\31\21\361\245*\356\311\316E\234\5\206)\316i)\316%a\203\326#\311x9A\247\374\12\274hs\201\245\4$W@\312h#"Xe\28R3\373\303;\212N\233\232\324!%i\271U\7\13\243][\370``\365\1\223\32V\21)\244\352\207C\305\200\342xc\220:`\232T\2302?\14\243\315\2kW\245\300\330\314\367\273\3001\225", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) Xe\28R3\373\303;\212N\233\232\324!%i\271U\7\13\243][\370``\365\1\223\32V\21)\244\352\207C\305\200\342xc\220:`\232T\2302?\14\243\315\2kW\245\300\330\314\367\273\3001\225", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 01260   448   NtWriteFile  (112, 0, 0, 0,  (112, 0, 0, 0, "\353`m\263\222\16Zi\373\3759\377Al:\306\233\30\21!g\226\254j\14Q\312\366P)6\252\361\374wR\276\216\30\3\6\310\255\6\303'tiZ\357L\17{\272\303\341\201\245\20\361\323yf&\17\6\11\261\207\300\303\321\17\30\367u@\301\324\371\356-\253.S\255\244"O2\34\22\255\274;T\237\363\354\11g\5\17\260Q\25e\345\233k\272O\313\202dw\355\277N\371:\373\346N\324R\352\11\21\36\225H\31\253\326g_\31-w\264'\304\336\245r\330\\277\3C&\3\341(\372\275\244\2113&y\366\12\331\11H\22E\331P\320\324\374\304\375b\232b\354\253nU\230\266\32U\372\330\266FP\207^b,\256\27G\325Hz|\264\315\216S\247\2c\263\34\267\10\320G\205\237\323\37\36\367\235\253\322\211\226\263\325#%\272\325\252V\357T\336Hw[9x\37\374\26G\207\35\253\7\225[<~\257\20221a\375\233\300<\374^\337\352\231D\225m\25\21s\225\244\340\3\206\15\302\331\13\257`\221\352\355=;\377}\104\363L\224\1181\243\346u\317\346\204\350\33=\276,z\263\203\227\353\342\361\340G\263\345\274\6\253c\230\262n\2260V-?\370\242\371\376=\235\355+\232\306\315\353\27\235[^\17\245\322\4K\271B\252\314\343E{0q\206\325\212\352\314\16\342\244\27\241\324U_[oL\327\332\320h\264\22\311\206\255\312\301\2774\364\300\242\310\34J\277.\261k\13g\353\251\32\307\234\7XX\301e7\227\26\322\360\226R\200\242\12m\363\331r\336+\202\30\341]\263\254\273l\21\27\343\210\24\255\245EV\4\305\310_\247\322\237|\326fT\213\251\255\267\2\255\13Uev(\374\375\37\226\275M\300]\310\215\316\303\7\202H\343p3\45\367\247}\377\26Fb\255", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) O2\34\22\255\274;T\237\363\354\11g\5\17\260Q\25e\345\233k\272O\313\202dw\355\277N\371:\373\346N\324R\352\11\21\36\225H\31\253\326g_\31-w\264'\304\336\245r\330\\277\3C&\3\341(\372\275\244\2113&y\366\12\331\11H\22E\331P\320\324\374\304\375b\232b\354\253nU\230\266\32U\372\330\266FP\207^b,\256\27G\325Hz|\264\315\216S\247\2c\263\34\267\10\320G\205\237\323\37\36\367\235\253\322\211\226\263\325#%\272\325\252V\357T\336Hw[9x\37\374\26G\207\35\253\7\225[<~\257\20221a\375\233\300<\374^\337\352\231D\225m\25\21s\225\244\340\3\206\15\302\331\13\257`\221\352\355=;\377}\104\363L\224\1181\243\346u\317\346\204\350\33=\276,z\263\203\227\353\342\361\340G\263\345\274\6\253c\230\262n\2260V-?\370\242\371\376=\235\355+\232\306\315\353\27\235[^\17\245\322\4K\271B\252\314\343E{0q\206\325\212\352\314\16\342\244\27\241\324U_[oL\327\332\320h\264\22\311\206\255\312\301\2774\364\300\242\310\34J\277.\261k\13g\353\251\32\307\234\7XX\301e7\227\26\322\360\226R\200\242\12m\363\331r\336+\202\30\341]\263\254\273l\21\27\343\210\24\255\245EV\4\305\310_\247\322\237|\326fT\213\251\255\267\2\255\13Uev(\374\375\37\226\275M\300]\310\215\316\303\7\202H\343p3\45\367\247}\377\26Fb\255", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 01261   448   NtWriteFile  (112, 0, 0, 0,  (112, 0, 0, 0, "\25\313\36\270\214\226\21B\304\243`\371\275\66-:\177\243\35\264OQ\207\273\321\2559\243/O\202\300\216\234\3505\315D*\27+\220\360\354\201\205G\337\266\240\331\221\303\273\333\242\5w\247\254\25_\376\332\12\240\26\4!\212e\22e\344\276/Y\341\235] \362\240!YK\343F\36\370\36\13\255\270\361\316\245\210#\16\3\332\215\371fC\263\243\253\262\220\323]\21\37\12\277o\222\252\231\316T\354\207U\205\334\25-r\251\274\373%\22\251\66\313\2534g}S\177\17\271\232\360~\313E\234U\305\2515z\252\226\376g\211\15\203\364\316\275\314\310\237Iz\227+\233\317\270f\21\310?\266\367\213\251\24\34\365\321\307\370;\31?\334+\232\231~\30\0i\231c\303\36\325\253\361[\276\205lp\264O\224<\365\353\200B@\247\4\360\225\366B\212H9\336\252\242Ui\265\330\331\364\371\305a\3663\347\213[\315\250\343m\321\273$\203\210\350\27\234\271"\16\3774\312\215^\26\275{Yv}\366\322Tc\321'\221&2\275\244\352\343\12%\245\323\274\231\320\237,\270{\333a2m\331G\352\243\261\320\262~_\376A~wS-\366X*\275d?_\241S\37J\321\311fITQF\341Zm\320\320\312\23\30QfoQ%\236\24\241\202T\334t\264\211\376\320\300\25jt\331\365\2\245\15\276s\26\307\\331\267m`n5\272J\312\360\201\317\324(\375f]\355\33\256\13#\6\320\5D\6\247%\200\376\210oe\30+\368\243\2454\2137\327e\371\27\336\201\314\331$\3N]\177\341\227\3270\5\236\355\352\344\306\366\303t0\370\230i->LX\4\263\345 \364/\10\342\325\363X\33\277\357\260\357>G\344\344\244D)\373\23\23?\321^\205\16\337\372\240C\342\276", 35328, 0x0, 0, ... {status=0x0, info=35328}, ) \16\3774\312\215^\26\275{Yv}\366\322Tc\321'\221&2\275\244\352\343\12%\245\323\274\231\320\237,\270{\333a2m\331G\352\243\261\320\262~_\376A~wS-\366X*\275d?_\241S\37J\321\311fITQF\341Zm\320\320\312\23\30QfoQ%\236\24\241\202T\334t\264\211\376\320\300\25jt\331\365\2\245\15\276s\26\307\\331\267m`n5\272J\312\360\201\317\324(\375f]\355\33\256\13#\6\320\5D\6\247%\200\376\210oe\30+\368\243\2454\2137\327e\371\27\336\201\314\331$\3N]\177\341\227\3270\5\236\355\352\344\306\366\303t0\370\230i->LX\4\263\345 \364/\10\342\325\363X\33\277\357\260\357>G\344\344\244D)\373\23\23?\321^\205\16\337\372\240C\342\276", 35328, 0x0, 0, ... {status=0x0, info=35328}, ) == 0x0
 01262   448   NtUnmapViewOfSection  (-1, 0xa30000, ... ) == 0x0
 01263   448   NtSetInformationFile  (112, 1242792, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01264   448   NtClose  (104, ... ) == 0x0
 01265   448   NtClose  (112, ... ) == 0x0
 01266   448   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 01267   448   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\eupsvc.exe"}, 1239084, ... ) }, 1239084, ... ) == 0x0
 01268   448   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\eupsvc.exe"}, 1239776, ... ) }, 1239776, ... ) == 0x0
 01269   448   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\eupsvc.exe"}, 5, 96, ... 112, {status=0x0, info=1}, ) }, 5, 96, ... 112, {status=0x0, info=1}, ) == 0x0
 01270   448   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 112, ... 104, ) == 0x0
 01271   448   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01272   448   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 152, ) }, ... 152, ) == 0x0
 01273   448   NtQueryValueKey  (152,  (152, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01274   448   NtClose  (152, ... ) == 0x0
 01275   448   NtQueryVolumeInformationFile  (112, 1239084, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01276   448   NtOpenMutant  (0x120001, {24, 52, 0x0, 0, 0,  (0x120001, {24, 52, 0x0, 0, 0, "ShimCacheMutex"}, ... 152, ) }, ... 152, ) == 0x0
 01277   448   NtWaitForSingleObject  (152, 0, {-1000000, -1}, ... ) == 0x0
 01278   448   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "ShimSharedMemory"}, ... 156, ) }, ... 156, ) == 0x0
 01279   448   NtMapViewOfSection  (156, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa30000), {0, 0}, 57344, ) == 0x0
 01280   448   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 01281   448   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1237068, ... ) }, 1237068, ... ) == 0x0
 01282   448   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 160, {status=0x0, info=1}, ) }, 5, 96, ... 160, {status=0x0, info=1}, ) == 0x0
 01283   448   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 160, ... 164, ) == 0x0
 01284   448   NtClose  (160, ... ) == 0x0
 01285   448   NtMapViewOfSection  (164, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa40000), 0x0, 106496, ) == 0x0
 01286   448   NtClose  (164, ... ) == 0x0
 01287   448   NtUnmapViewOfSection  (-1, 0xa40000, ... ) == 0x0
 01288   448   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1237384, ... ) }, 1237384, ... ) == 0x0
 01289   448   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 164, {status=0x0, info=1}, ) }, 5, 96, ... 164, {status=0x0, info=1}, ) == 0x0
 01290   448   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 164, ... 160, ) == 0x0
 01291   448   NtQuerySection  (160, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01292   448   NtClose  (164, ... ) == 0x0
 01293   448   NtMapViewOfSection  (160, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f40000), 0x0, 118784, ) == 0x0
 01294   448   NtClose  (160, ... ) == 0x0
 01295   448   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 160, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 160, {status=0x0, info=1}, ) == 0x0
 01296   448   NtQueryInformationFile  (160, 1237672, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01297   448   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 160, ... 164, ) == 0x0
 01298   448   NtMapViewOfSection  (164, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xa40000), 0x0, 1028096, ) == 0x0
 01299   448   NtQueryInformationFile  (160, 1237768, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01300   448   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01301   448   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01302   448   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 01303   448   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 168, {status=0x0, info=1}, ) }, 3, 16417, ... 168, {status=0x0, info=1}, ) == 0x0
 01304   448   NtQueryDirectoryFile  (168, 0, 0, 0, 1235332, 616, BothDirectory, 1,  (168, 0, 0, 0, 1235332, 616, BothDirectory, 1, "eupsvc.exe", 0, ... {status=0x0, info=114}, ) , 0, ... {status=0x0, info=114}, ) == 0x0
 01305   448   NtClose  (168, ... ) == 0x0
 01306   448   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01307   448   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01308   448   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\eupsvc.exe"}, 1234720, ... ) }, 1234720, ... ) == 0x0
 01309   448   NtAllocateVirtualMemory  (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0
 01310   448   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 168, {status=0x0, info=1}, ) }, 3, 16417, ... 168, {status=0x0, info=1}, ) == 0x0
 01311   448   NtQueryDirectoryFile  (168, 0, 0, 0, 1234080, 616, BothDirectory, 1,  (168, 0, 0, 0, 1234080, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01312   448   NtClose  (168, ... ) == 0x0
 01313   448   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 168, {status=0x0, info=1}, ) }, 3, 16417, ... 168, {status=0x0, info=1}, ) == 0x0
 01314   448   NtQueryDirectoryFile  (168, 0, 0, 0, 1234080, 616, BothDirectory, 1,  (168, 0, 0, 0, 1234080, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01315   448   NtClose  (168, ... ) == 0x0
 01316   448   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 168, {status=0x0, info=1}, ) }, 3, 16417, ... 168, {status=0x0, info=1}, ) == 0x0
 01317   448   NtQueryDirectoryFile  (168, 0, 0, 0, 1234080, 616, BothDirectory, 1,  (168, 0, 0, 0, 1234080, 616, BothDirectory, 1, "eupsvc.exe", 0, ... {status=0x0, info=114}, ) , 0, ... {status=0x0, info=114}, ) == 0x0
 01318   448   NtClose  (168, ... ) == 0x0
 01319   448   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01320   448   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01321   448   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01322   448   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01323   448   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 168, ) == 0x0
 01324   448   NtQueryInformationToken  (168, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01325   448   NtClose  (168, ... ) == 0x0
 01326   448   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01327   448   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\eupsvc.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01328   448   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01329   448   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01330   448   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\eupsvc.exe"}, 1237000, ... ) }, 1237000, ... ) == 0x0
 01331   448   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 168, {status=0x0, info=1}, ) }, 3, 16417, ... 168, {status=0x0, info=1}, ) == 0x0
 01332   448   NtQueryDirectoryFile  (168, 0, 0, 0, 1236360, 616, BothDirectory, 1,  (168, 0, 0, 0, 1236360, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01333   448   NtClose  (168, ... ) == 0x0
 01334   448   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 168, {status=0x0, info=1}, ) }, 3, 16417, ... 168, {status=0x0, info=1}, ) == 0x0
 01335   448   NtQueryDirectoryFile  (168, 0, 0, 0, 1236360, 616, BothDirectory, 1,  (168, 0, 0, 0, 1236360, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01336   448   NtClose  (168, ... ) == 0x0
 01337   448   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 168, {status=0x0, info=1}, ) }, 3, 16417, ... 168, {status=0x0, info=1}, ) == 0x0
 01338   448   NtQueryDirectoryFile  (168, 0, 0, 0, 1236360, 616, BothDirectory, 1,  (168, 0, 0, 0, 1236360, 616, BothDirectory, 1, "eupsvc.exe", 0, ... {status=0x0, info=114}, ) , 0, ... {status=0x0, info=114}, ) == 0x0
 01339   448   NtClose  (168, ... ) == 0x0
 01340   448   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01341   448   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01342   448   NtWaitForSingleObject  (152, 0, {-1000000, -1}, ... ) == 0x0
 01343   448   NtQueryVolumeInformationFile  (112, 1237644, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01344   448   NtQueryInformationFile  (112, 1237624, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01345   448   NtQueryInformationFile  (112, 1237664, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01346   448   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 01347   448   NtUnmapViewOfSection  (-1, 0xa40000, ... ) == 0x0
 01348   448   NtClose  (164, ... ) == 0x0
 01349   448   NtClose  (160, ... ) == 0x0
 01350   448   NtQuerySection  (104, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01351   448   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\eupsvc.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01352   448   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 01353   448   NtOpenProcessToken  (-1, 0xa, ... 160, ) == 0x0
 01354   448   NtQueryInformationToken  (160, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 01355   448   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01356   448   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 164, ) }, ... 164, ) == 0x0
 01357   448   NtQueryValueKey  (164,  (164, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (164, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01358   448   NtQueryValueKey  (164,  (164, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (164, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01359   448   NtClose  (164, ... ) == 0x0
 01360   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 164, ) }, ... 164, ) == 0x0
 01361   448   NtQueryValueKey  (164,  (164, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 01362   448   NtQueryValueKey  (164,  (164, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (164, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0
 01363   448   NtClose  (164, ... ) == 0x0
 01364   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\LevelObjects"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01365   448   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 164, ) }, ... 164, ) == 0x0
 01366   448   NtQueryValueKey  (164,  (164, "Levels", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01367   448   NtClose  (164, ... ) == 0x0
 01368   448   NtQueryDefaultLocale  (1, 1238456, ... ) == 0x0
 01369   448   NtQueryDefaultLocale  (1, 1238456, ... ) == 0x0
 01370   448   NtQueryDefaultLocale  (1, 1238456, ... ) == 0x0
 01371   448   NtQueryDefaultLocale  (1, 1238456, ... ) == 0x0
 01372   448   NtQueryDefaultLocale  (1, 1238456, ... ) == 0x0
 01373   448   NtQueryDefaultLocale  (1, 1238456, ... ) == 0x0
 01374   448   NtQueryDefaultLocale  (1, 1238456, ... ) == 0x0
 01375   448   NtQueryDefaultLocale  (1, 1238456, ... ) == 0x0
 01376   448   NtQueryDefaultLocale  (1, 1238456, ... ) == 0x0
 01377   448   NtQueryDefaultLocale  (1, 1238456, ... ) == 0x0
 01378   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... 164, ) }, ... 164, ) == 0x0
 01379   448   NtEnumerateKey  (164, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name= (164, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name="{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, 92, ) }, 92, ) == 0x0
 01380   448   NtOpenKey  (0x20019, {24, 164, 0x40, 0, 0,  (0x20019, {24, 164, 0x40, 0, 0, "{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, ... 168, ) }, ... 168, ) == 0x0
 01381   448   NtQueryValueKey  (168,  (168, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) , Partial, 280, ... TitleIdx=0, Type=2, Data= (168, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) }, 202, ) == 0x0
 01382   448   NtQueryValueKey  (168,  (168, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (168, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01383   448   NtClose  (168, ... ) == 0x0
 01384   448   NtEnumerateKey  (164, 1, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES
 01385   448   NtClose  (164, ... ) == 0x0
 01386   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01387   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01388   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01389   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01390   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01391   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01392   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01393   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01394   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01395   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01396   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01397   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01398   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01399   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01400   448   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01401   448   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 164, ) == 0x0
 01402   448   NtQueryInformationToken  (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01403   448   NtClose  (164, ... ) == 0x0
 01404   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01405   448   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01406   448   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 164, ) == 0x0
 01407   448   NtQueryInformationToken  (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01408   448   NtClose  (164, ... ) == 0x0
 01409   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01410   448   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01411   448   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 164, ) == 0x0
 01412   448   NtQueryInformationToken  (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01413   448   NtClose  (164, ... ) == 0x0
 01414   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01415   448   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01416   448   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 164, ) == 0x0
 01417   448   NtQueryInformationToken  (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01418   448   NtClose  (164, ... ) == 0x0
 01419   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01420   448   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01421   448   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 164, ) == 0x0
 01422   448   NtQueryInformationToken  (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01423   448   NtClose  (164, ... ) == 0x0
 01424   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01425   448   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01426   448   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 164, ) == 0x0
 01427   448   NtQueryInformationToken  (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01428   448   NtClose  (164, ... ) == 0x0
 01429   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01430   448   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01431   448   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 164, ) == 0x0
 01432   448   NtQueryInformationToken  (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01433   448   NtClose  (164, ... ) == 0x0
 01434   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01435   448   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01436   448   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 164, ) == 0x0
 01437   448   NtQueryInformationToken  (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01438   448   NtClose  (164, ... ) == 0x0
 01439   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01440   448   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01441   448   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 164, ) == 0x0
 01442   448   NtQueryInformationToken  (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01443   448   NtClose  (164, ... ) == 0x0
 01444   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01445   448   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01446   448   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 164, ) == 0x0
 01447   448   NtQueryInformationToken  (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01448   448   NtClose  (164, ... ) == 0x0
 01449   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01450   448   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01451   448   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 164, ) == 0x0
 01452   448   NtQueryInformationToken  (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01453   448   NtClose  (164, ... ) == 0x0
 01454   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01455   448   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01456   448   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 164, ) == 0x0
 01457   448   NtQueryInformationToken  (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01458   448   NtClose  (164, ... ) == 0x0
 01459   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01460   448   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01461   448   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 164, ) == 0x0
 01462   448   NtQueryInformationToken  (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01463   448   NtClose  (164, ... ) == 0x0
 01464   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01465   448   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01466   448   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 164, ) == 0x0
 01467   448   NtQueryInformationToken  (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01468   448   NtClose  (164, ... ) == 0x0
 01469   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01470   448   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01471   448   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 164, ) == 0x0
 01472   448   NtQueryInformationToken  (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01473   448   NtClose  (164, ... ) == 0x0
 01474   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01475   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 164, ) }, ... 164, ) == 0x0
 01476   448   NtQueryValueKey  (164,  (164, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (164, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Data= (164, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) }, 48, ) == 0x0
 01477   448   NtClose  (164, ... ) == 0x0
 01478   448   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01479   448   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 164, ) == 0x0
 01480   448   NtQueryInformationToken  (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01481   448   NtClose  (164, ... ) == 0x0
 01482   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01483   448   NtOpenThreadToken  (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN
 01484   448   NtOpenProcessToken  (-1, 0xa, ... 164, ) == 0x0
 01485   448   NtDuplicateToken  (164, 0xc, {24, 0, 0x0, 0, 1238976, 0x0}, 0, 2, ... 168, ) == 0x0
 01486   448   NtClose  (164, ... ) == 0x0
 01487   448   NtAccessCheck  (1438096, 168, 0x1, 1239104, 1239048, 56, 1239132, ... (0x1), ) == 0x0
 01488   448   NtClose  (168, ... ) == 0x0
 01489   448   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 168, ) }, ... 168, ) == 0x0
 01490   448   NtQueryValueKey  (168,  (168, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (168, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01491   448   NtClose  (168, ... ) == 0x0
 01492   448   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 168, ) }, ... 168, ) == 0x0
 01493   448   NtQuerySymbolicLinkObject  (168, ...  (168, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0
 01494   448   NtClose  (168, ... ) == 0x0
 01495   448   NtQueryInformationFile  (112, 1237436, 528, Name, ... {status=0x0, info=60}, ) == 0x0
 01496   448   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01497   448   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01498   448   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\eupsvc.exe"}, 1236116, ... ) }, 1236116, ... ) == 0x0
 01499   448   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 168, {status=0x0, info=1}, ) }, 3, 16417, ... 168, {status=0x0, info=1}, ) == 0x0
 01500   448   NtQueryDirectoryFile  (168, 0, 0, 0, 1235476, 616, BothDirectory, 1,  (168, 0, 0, 0, 1235476, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01501   448   NtClose  (168, ... ) == 0x0
 01502   448   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 168, {status=0x0, info=1}, ) }, 3, 16417, ... 168, {status=0x0, info=1}, ) == 0x0
 01503   448   NtQueryDirectoryFile  (168, 0, 0, 0, 1235476, 616, BothDirectory, 1,  (168, 0, 0, 0, 1235476, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01504   448   NtClose  (168, ... ) == 0x0
 01505   448   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 168, {status=0x0, info=1}, ) }, 3, 16417, ... 168, {status=0x0, info=1}, ) == 0x0
 01506   448   NtQueryDirectoryFile  (168, 0, 0, 0, 1235476, 616, BothDirectory, 1,  (168, 0, 0, 0, 1235476, 616, BothDirectory, 1, "eupsvc.exe", 0, ... {status=0x0, info=114}, ) , 0, ... {status=0x0, info=114}, ) == 0x0
 01507   448   NtClose  (168, ... ) == 0x0
 01508   448   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01509   448   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01510   448   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01511   448   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 168, ) == 0x0
 01512   448   NtQueryInformationToken  (168, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01513   448   NtClose  (168, ... ) == 0x0
 01514   448   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 168, ) }, ... 168, ) == 0x0
 01515   448   NtOpenKey  (0x20019, {24, 168, 0x40, 0, 0,  (0x20019, {24, 168, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 164, ) }, ... 164, ) == 0x0
 01516   448   NtClose  (168, ... ) == 0x0
 01517   448   NtQueryValueKey  (164,  (164, "Cache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01518   448   NtQueryValueKey  (164,  (164, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=1, Data= (164, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) }, 162, ) == 0x0
 01519   448   NtClose  (164, ... ) == 0x0
 01520   448   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 8192, 4, ... 10747904, 4096, ) == 0x0
 01521   448   NtAllocateVirtualMemory  (-1, 10747904, 0, 4096, 4096, 4, ... 10747904, 4096, ) == 0x0
 01522   448   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 164, ) }, ... 164, ) == 0x0
 01523   448   NtQueryValueKey  (164,  (164, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01524   448   NtClose  (164, ... ) == 0x0
 01525   448   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01526   448   NtQueryInformationToken  (160, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0
 01527   448   NtQueryInformationToken  (160, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0
 01528   448   NtClose  (160, ... ) == 0x0
 01529   448   NtCreateProcessEx  (1241712, 2035711, 0, -1, 0, 104, 0, 0, 0, ... ) == 0x0
 01530   448   NtOpenSection  (0x6, {24, 52, 0x0, 0, 0,  (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 164, ) }, ... 164, ) == 0x0
 01531   448   NtMapViewOfSection  (164, 160, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0
 01532   448   NtClose  (164, ... ) == 0x0
 01533   448   NtProtectVirtualMemory  (160, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0
 01534   448   NtWriteVirtualMemory  (160, 0x77f7e603,  (160, 0x77f7e603, "\350q-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01535   448   NtProtectVirtualMemory  (160, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01536   448   NtWriteVirtualMemory  (160, 0x77f7e6a3,  (160, 0x77f7e6a3, "\350\36-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01537   448   NtProtectVirtualMemory  (160, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01538   448   NtWriteVirtualMemory  (160, 0x77f7e6b3,  (160, 0x77f7e6b3, "\350\33-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01539   448   NtSetInformationProcess  (160, PriorityClass, {process info, class 18, size 2}, 512, ... ) == 0x0
 01540   448   NtQueryInformationProcess  (160, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=868,ParentPid=428,}, 0x0, ) == 0x0
 01541   448   NtReadVirtualMemory  (160, 0x7ffdf008, 4, ...  (160, 0x7ffdf008, 4, ... "\0\0@\0", 0x0, ) , 0x0, ) == 0x0
 01542   448   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\eupsvc.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01543   448   NtAllocateVirtualMemory  (-1, 1441792, 0, 8192, 4096, 4, ... 1441792, 8192, ) == 0x0
 01544   448   NtReadVirtualMemory  (160, 0x400000, 4096, ...  (160, 0x400000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0    \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\370\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0V^\2517\22?\307d\22?\307d\22?\307d5\371\272d\11?\307d5\371\252d\234?\307d5\371\251d ?\307d\2217\232d\20?\307d\3210\232d\35?\307d\22?\306d\277?\307d5\371\265d\16?\307d5\371\277d\23?\307dRich\22?\307d\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0o\241\3\243"\202\300O\253\236\215\371S\364\26\360PE\0\0L\1\10\0!u\342E\0\0\0\0\0\0\0\0\340\0\3\1\13\1\10\0\0\320\1\0\0\260\0\0\0\0\0\0\0\0\11\0\0\320\5\0\0\340\1\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0`\11\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\320\5\0\20\1\0\0\0\220\3\0\260\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\321\5\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.tex", 4096, ) \202\300O\253\236\215\371S\364\26\360PE\0\0L\1\10\0!u\342E\0\0\0\0\0\0\0\0\340\0\3\1\13\1\10\0\0\320\1\0\0\260\0\0\0\0\0\0\0\0\11\0\0\320\5\0\0\340\1\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0`\11\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\320\5\0\20\1\0\0\0\220\3\0\260\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\321\5\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.tex", 4096, ) == 0x0
 01545   448   NtReadVirtualMemory  (160, 0x439000, 256, ...  (160, 0x439000, 256, ... "\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\30\0\0\0\30\0\0\200\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\1\0\0\00\0\0\200\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\11\4\0\0H\0\0\0X\220\3\0V\0\0\0\344\4\0\0\0\0\0\0\15\12PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING", 256, ) urn:schemas-microsoft-com:asm.v1 (160, 0x439000, 256, ... "\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\30\0\0\0\30\0\0\200\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\1\0\0\00\0\0\200\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\11\4\0\0H\0\0\0X\220\3\0V\0\0\0\344\4\0\0\0\0\0\0\15\12PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING", 256, ) 1.0 (160, 0x439000, 256, ... "\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\30\0\0\0\30\0\0\200\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\1\0\0\00\0\0\200\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\11\4\0\0H\0\0\0X\220\3\0V\0\0\0\344\4\0\0\0\0\0\0\15\12PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING", 256, ) , 256, ) == 0x0
 01546   448   NtReadVirtualMemory  (160, 0x439018, 24, ...  (160, 0x439018, 24, ... "\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\1\0\0\00\0\0\200", 24, ) , 24, ) == 0x0
 01547   448   NtReadVirtualMemory  (160, 0x439030, 24, ...  (160, 0x439030, 24, ... "\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\11\4\0\0H\0\0\0", 24, ) , 24, ) == 0x0
 01548   448   NtReadVirtualMemory  (160, 0x439048, 16, ...  (160, 0x439048, 16, ... "X\220\3\0V\0\0\0\344\4\0\0\0\0\0\0", 16, ) , 16, ) == 0x0
 01549   448   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\eupsvc.exe.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01550   448   NtQueryInformationProcess  (160, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=868,ParentPid=428,}, 0x0, ) == 0x0
 01551   448   NtAllocateVirtualMemory  (-1, 0, 0, 1716, 4096, 4, ... 10813440, 4096, ) == 0x0
 01552   448   NtAllocateVirtualMemory  (160, 0, 0, 1910, 4096, 4, ... 65536, 4096, ) == 0x0
 01553   448   NtWriteVirtualMemory  (160, 0x10000,  (160, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0
 01554   448   NtAllocateVirtualMemory  (160, 0, 0, 1716, 4096, 4, ... 131072, 4096, ) == 0x0
 01555   448   NtWriteVirtualMemory  (160, 0x20000,  (160, 0x20000, "\0\20\0\0\264\6\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0\10\2\220\2\0\0\0\0\0\0\374\0\376\0\230\4\0\0<\0>\0\230\5\0\0v\0x\0\330\5\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0<\0>\0P\6\0\0\36\0 \0\220\6\0\0\0\0\2\0\260\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1716, ... 0x0, ) , 1716, ... 0x0, ) == 0x0
 01556   448   NtWriteVirtualMemory  (160, 0x7ffdf010,  (160, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 01557   448   NtWriteVirtualMemory  (160, 0x7ffdf1e8,  (160, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 01558   448   NtFreeVirtualMemory  (-1, (0xa50000), 0, 32768, ... (0xa50000), 4096, ) == 0x0
 01559   448   NtAllocateVirtualMemory  (160, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0
 01560   448   NtAllocateVirtualMemory  (160, 1236992, 0, 8192, 4096, 4, ... 1236992, 8192, ) == 0x0
 01561   448   NtProtectVirtualMemory  (160, (0x12e000), 4096, 260, ... (0x12e000), 4096, 4, ) == 0x0
 01562   448   NtCreateThread  (0x1f03ff, 0x0, 160, 1239976, 1240696, 1, ... 164, {868, 872}, ) == 0x0
 01563   448   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 1378696, 1376256, 1396744, 1241796}  (24, {168, 196, new_msg, 0, 1378696, 1376256, 1396744, 1241796} "\210\6\32\1\0\0\1\0\2$\370w U\367w\243\0\0\0\244\0\0\0d\3\0\0h\3\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\215\26\365w\0\0\0\0\1\0\0\0\0\0\0\0\1\1\1\0<\0@\0\244\6\32\1p\0\0\0\240\0\0\0\0\0\0\0X\220C\0\0\0\0\0V\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0@\0\344\6\32\1\0\360\375\177\0\0\0\0\0\0\242\0\220\36\242\0" ... {168, 196, reply, 0, 428, 448, 1539, 0} "\320\231\26\0\0\0\1\0\0\0\0\0 U\367w\240\0\0\0\244\0\0\0d\3\0\0h\3\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\215\26\365w\0\0\0\0\1\0\0\0\0\0\0\0\1\1\1\0<\0@\0\244\6\32\1p\0\0\0\240\0\0\0\0\0\0\0X\220C\0\0\0\0\0V\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0@\0\344\6\32\1\0\360\375\177\0\0\0\0\0\0\242\0\220\36\242\0" )  ... {168, 196, reply, 0, 428, 448, 1539, 0}  (24, {168, 196, new_msg, 0, 1378696, 1376256, 1396744, 1241796} "\210\6\32\1\0\0\1\0\2$\370w U\367w\243\0\0\0\244\0\0\0d\3\0\0h\3\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\215\26\365w\0\0\0\0\1\0\0\0\0\0\0\0\1\1\1\0<\0@\0\244\6\32\1p\0\0\0\240\0\0\0\0\0\0\0X\220C\0\0\0\0\0V\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0@\0\344\6\32\1\0\360\375\177\0\0\0\0\0\0\242\0\220\36\242\0" ... {168, 196, reply, 0, 428, 448, 1539, 0} "\320\231\26\0\0\0\1\0\0\0\0\0 U\367w\240\0\0\0\244\0\0\0d\3\0\0h\3\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\215\26\365w\0\0\0\0\1\0\0\0\0\0\0\0\1\1\1\0<\0@\0\244\6\32\1p\0\0\0\240\0\0\0\0\0\0\0X\220C\0\0\0\0\0V\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0@\0\344\6\32\1\0\360\375\177\0\0\0\0\0\0\242\0\220\36\242\0" )  ) == 0x0
 01564   448   NtResumeThread  (164, ... 1, ) == 0x0
 01565   448   NtClose  (112, ... ) == 0x0
 01566   448   NtClose  (104, ... ) == 0x0
 01567   448   NtTerminateProcess  (0, 0, ... ) == 0x0
 01568   448   NtClose  (96, ... ) == 0x0
 01569   448   NtUnmapViewOfSection  (-1, 0x8f0000, ... ) == 0x0
 01570   448   NtClose  (100, ... ) == 0x0
 01571   448   NtClose  (80, ... ) == 0x0
 01572   448   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xa,}, 4, ... ) == 0x0
 01573   448   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc03b
 01574   448   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01575   448   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc03d
 01576   448   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01577   448   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc03f
 01578   448   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01579   448   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc041
 01580   448   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01581   448   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc043
 01582   448   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01583   448   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc045
 01584   448   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01585   448   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc047
 01586   448   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01587   448   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc049
 01588   448   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01589   448   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc04b
 01590   448   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01591   448   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc04d
 01592   448   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01593   448   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc04f
 01594   448   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01595   448   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc051
 01596   448   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01597   448   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc053
 01598   448   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01599   448   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc057
 01600   448   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01601   448   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc059
 01602   448   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01603   448   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc05b
 01604   448   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01605   448   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc05d
 01606   448   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01607   448   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc05f
 01608   448   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01609   448   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc017
 01610   448   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01611   448   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc019
 01612   448   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01613   448   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc018
 01614   448   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01615   448   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc01a
 01616   448   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01617   448   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc01c
 01618   448   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01619   448   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc01e
 01620   448   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01621   448   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc01b
 01622   448   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01623   448   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc068
 01624   448   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01625   448   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc06a
 01626   448   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01627   448   NtUnmapViewOfSection  (-1, 0x900000, ... ) == 0x0
 01628   448   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x4,}, 4, ... ) == 0x0
 01629   448   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x1,}, 4, ... ) == 0x0
 01630   448   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x2,}, 4, ... ) == 0x0
 01631   448   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x3,}, 4, ... ) == 0x0
 01632   448   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc03b
 01633   448   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01634   448   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc03d
 01635   448   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01636   448   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc03f
 01637   448   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01638   448   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc041
 01639   448   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01640   448   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc043
 01641   448   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01642   448   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc045
 01643   448   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01644   448   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc047
 01645   448   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01646   448   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc049
 01647   448   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01648   448   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc04b
 01649   448   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01650   448   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc04d
 01651   448   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01652   448   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc04f
 01653   448   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01654   448   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc051
 01655   448   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01656   448   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc053
 01657   448   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01658   448   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc057
 01659   448   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01660   448   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc059
 01661   448   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01662   448   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc05b
 01663   448   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01664   448   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc05d
 01665   448   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01666   448   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc05f
 01667   448   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01668   448   NtFreeVirtualMemory  (-1, (0xa40000), 4096, 32768, ... (0xa40000), 4096, ) == 0x0
 01669   448   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, -1, 4199054, 4310954, 4421244}  (24, {20, 48, new_msg, 0, -1, 4199054, 4310954, 4421244} "\0\0\0\0\3\0\1\0\320vC\0C:\W\0\0\0\0" ... {20, 48, reply, 0, 428, 448, 1569, 0} "\0\0\0\0\3\0\1\0\0\0\0\0C:\W\0\0\0\0" )  ... {20, 48, reply, 0, 428, 448, 1569, 0}  (24, {20, 48, new_msg, 0, -1, 4199054, 4310954, 4421244} "\0\0\0\0\3\0\1\0\320vC\0C:\W\0\0\0\0" ... {20, 48, reply, 0, 428, 448, 1569, 0} "\0\0\0\0\3\0\1\0\0\0\0\0C:\W\0\0\0\0" )  ) == 0x0
 01670   448   NtTerminateProcess  (-1, 0, ...
 01671   448   NtClose  (44, ... ) == 0x0
NtAddAtom(>)	1	NtUserGetThreadDesktop(>)	1	NtUserFindWindowEx(>)	4	NtUserRegisterWindowMessage(>)	19
NtAdjustPrivilegesToken(>)	1	NtAccessCheck(>)	2	NtWaitForSingleObject(>)	4	NtCreateSection(>)	20
NtCallbackReturn(>)	1	NtCreateIoCompletion(>)	2	NtDuplicateObject(>)	5	NtOpenProcessTokenEx(>)	25
NtCreateProcessEx(>)	1	NtCreateKey(>)	2	NtGdiGetStockObject(>)	5	NtOpenThreadTokenEx(>)	25
NtDuplicateToken(>)	1	NtCreateThread(>)	2	NtSetInformationFile(>)	5	NtOpenProcess(>)	26
NtEnumerateValueKey(>)	1	NtEnumerateKey(>)	2	NtWriteFile(>)	5	NtQueryAttributesFile(>)	27
NtGdiCreateBitmap(>)	1	NtGdiCreateSolidBrush(>)	2	NtFreeVirtualMemory(>)	6	NtQuerySystemInformation(>)	30
NtGdiInit(>)	1	NtOpenDirectoryObject(>)	2	NtOpenProcessToken(>)	6	NtQueryInformationToken(>)	31
NtGdiQueryFontAssocInfo(>)	1	NtOpenEvent(>)	2	NtQueryVolumeInformationFile(>)	6	NtReadVirtualMemory(>)	33
NtGdiSelectBitmap(>)	1	NtOpenSymbolicLinkObject(>)	2	NtCreateFile(>)	7	NtOpenFile(>)	35
NtNotifyChangeKey(>)	1	NtQueryInstallUILanguage(>)	2	NtSetInformationProcess(>)	7	NtQueryValueKey(>)	40
NtOpenKeyedEvent(>)	1	NtQuerySymbolicLinkObject(>)	2	NtQueryDefaultUILanguage(>)	8	NtUnmapViewOfSection(>)	40
NtQueryInformationJobObject(>)	1	NtRaiseException(>)	2	NtQuerySection(>)	8	NtUserUnregisterClass(>)	45
NtQueryObject(>)	1	NtResumeThread(>)	2	NtSetInformationThread(>)	8	NtOpenSection(>)	48
NtQueryPerformanceCounter(>)	1	NtTerminateProcess(>)	2	NtCreateEvent(>)	9	NtUserFindExistingCursorIcon(>)	48
NtQuerySystemTime(>)	1	NtCreateSemaphore(>)	3	NtRequestWaitReplyPort(>)	9	NtAllocateVirtualMemory(>)	56
NtReadFile(>)	1	NtGdiCreateCompatibleDC(>)	3	NtContinue(>)	10	NtWriteVirtualMemory(>)	61
NtRegisterThreadTerminatePort(>)	1	NtOpenMutant(>)	3	NtQueryDirectoryFile(>)	10	NtUserRegisterClassExWOW(>)	63
NtSecureConnectPort(>)	1	NtSetInformationObject(>)	3	NtUserSystemParametersInfo(>)	10	NtUserGetClassInfo(>)	82
NtSetSecurityObject(>)	1	NtFsControlFile(>)	4	NtFlushInstructionCache(>)	11	NtMapViewOfSection(>)	84
NtTestAlert(>)	1	NtOpenThreadToken(>)	4	NtQueryInformationFile(>)	13	NtProtectVirtualMemory(>)	99
NtUserCallNoParam(>)	1	NtQueryVirtualMemory(>)	4	NtQueryInformationProcess(>)	14	NtOpenKey(>)	108
NtUserCallOneParam(>)	1	NtReleaseMutant(>)	4	NtQueryDebugFilterState(>)	15	NtUserQueryWindow(>)	156
NtUserGetDC(>)	1	NtUserBuildHwndList(>)	4	NtQueryDefaultLocale(>)	15	NtClose(>)	201