Summary: per-syscall call counts for the traced thread. Each cell is `Name(>) count`, laid out in four columns in ascending order of count (ties alphabetical). Triage pointers: NtCreateProcessEx (1), NtCreateThread (2), NtWriteVirtualMemory (76), NtResumeThread (2) and NtAdjustPrivilegesToken (1) together match the shape of a process being spawned and written into (e.g. hollowing/injection), but none of those records appear in the trace excerpt below (which stops at 00342), so confirm against the full trace before drawing that conclusion. The high NtProtectVirtualMemory (112) and NtMapViewOfSection (128) counts are partly explained by the protection flips visible at 00056–00073 and 00160–00175.

NtAddAtom(>) 1 NtUserGetThreadDesktop(>) 1 NtUserFindWindowEx(>) 4 NtUserRegisterWindowMessage(>) 19
NtAdjustPrivilegesToken(>) 1 NtUserOpenWindowStation(>) 1 NtCreateKey(>) 5 NtOpenProcess(>) 24
NtCallbackReturn(>) 1 NtAccessCheck(>) 2 NtGdiGetStockObject(>) 5 NtReadVirtualMemory(>) 25
NtConnectPort(>) 1 NtCreateIoCompletion(>) 2 NtDuplicateObject(>) 6 NtQueryInformationProcess(>) 27
NtCreateMutant(>) 1 NtCreateThread(>) 2 NtQueryVolumeInformationFile(>) 6 NtOpenProcessTokenEx(>) 28
NtCreateProcessEx(>) 1 NtEnumerateKey(>) 2 NtOpenProcessToken(>) 7 NtOpenThreadTokenEx(>) 28
NtDuplicateToken(>) 1 NtGdiCreateSolidBrush(>) 2 NtContinue(>) 8 NtQuerySystemInformation(>) 30
NtEnumerateValueKey(>) 1 NtOpenEvent(>) 2 NtSetInformationThread(>) 8 NtCreateSection(>) 33
NtGdiCreateBitmap(>) 1 NtQueryInformationJobObject(>) 2 NtOpenThreadToken(>) 9 NtQueryInformationToken(>) 36
NtGdiInit(>) 1 NtQueryInstallUILanguage(>) 2 NtFsControlFile(>) 10 NtUserGetClassInfo(>) 37
NtGdiQueryFontAssocInfo(>) 1 NtRaiseException(>) 2 NtUserSystemParametersInfo(>) 10 NtOpenFile(>) 47
NtGdiSelectBitmap(>) 1 NtResumeThread(>) 2 NtFlushInstructionCache(>) 11 NtQueryDefaultLocale(>) 48
NtNotifyChangeKey(>) 1 NtUserCloseWindowStation(>) 2 NtQueryDefaultUILanguage(>) 12 NtUserFindExistingCursorIcon(>) 48
NtOpenKeyedEvent(>) 1 NtCreateSemaphore(>) 3 NtQuerySection(>) 12 NtOpenSection(>) 51
NtQueryKey(>) 1 NtGdiCreateCompatibleDC(>) 3 NtWaitForMultipleObjects(>) 13 NtQueryAttributesFile(>) 53
NtQueryObject(>) 1 NtOpenDirectoryObject(>) 3 NtSetInformationFile(>) 14 NtAllocateVirtualMemory(>) 59
NtQueryPerformanceCounter(>) 1 NtOpenMutant(>) 3 NtWriteFile(>) 14 NtUserRegisterClassExWOW(>) 63
NtQuerySystemTime(>) 1 NtOpenSymbolicLinkObject(>) 3 NtCreateFile(>) 15 NtQueryValueKey(>) 69
NtRegisterThreadTerminatePort(>) 1 NtQuerySymbolicLinkObject(>) 3 NtCreateEvent(>) 16 NtWriteVirtualMemory(>) 76
NtSecureConnectPort(>) 1 NtReadFile(>) 3 NtQueryDebugFilterState(>) 16 NtUnmapViewOfSection(>) 77
NtSetSecurityObject(>) 1 NtSetInformationObject(>) 3 NtQueryDirectoryFile(>) 16 NtProtectVirtualMemory(>) 112
NtTestAlert(>) 1 NtFreeVirtualMemory(>) 4 NtQueryInformationFile(>) 16 NtMapViewOfSection(>) 128
NtUserCallNoParam(>) 1 NtQueryVirtualMemory(>) 4 NtRequestWaitReplyPort(>) 16 NtOpenKey(>) 130
NtUserCallOneParam(>) 1 NtReleaseMutant(>) 4 NtWaitForSingleObject(>) 16 NtUserQueryWindow(>) 132
NtUserGetDC(>) 1 NtUserBuildHwndList(>) 4 NtSetInformationProcess(>) 18 NtClose(>) 254

Trace: one record per syscall, formatted `seq tid Name (in-args, ... out-args, ) == status`. The second field (456) is the thread id; the LPC reply headers in the NtRequestWaitReplyPort records carry the ClientId {448, 456}, i.e. process 448, thread 456. A sequence number that appears twice (e.g. 00113, 00118, 00142, 00196, 00262) marks a call that was interrupted by a nested call or callback and is closed later with its return status. Analyst note — the excerpt shows several anti-analysis / self-modification behaviours worth triaging before trusting the run: window lookups for "OLLYDBG" and "WispWindowClass" (00176–00177, 00290–00291); an enumeration of every top-level window (NtUserBuildHwndList) followed, per owning process, by NtOpenProcess with access 0x10 (PROCESS_VM_READ) and reads of 64 bytes at 0x400000 (an MZ header in several targets) plus two fixed offsets, 0x4b1c86 and 0x4c91a0 (00178–00278) — a fingerprint of other running processes; the \BaseNamedObjects\DBWinMutex / DBWIN_BUFFER probe (00281–00285), which is how debug-output viewers are detected; and RW→execute protection flips with instruction-cache flushes over a 208 KB region at 0x45c000 (00056–00058, 00071–00073), adjacent to the MEM_IMAGE regions of the main module at 0x400000 (00157–00158), plus 40-byte RW/RO toggles stepping through 0x4001f8..0x400310 (00160–00175), a stride equal to sizeof(IMAGE_SECTION_HEADER) — together consistent with in-place unpacking of the loaded image. NtUserFindWindowEx returning 0 for both names only means no such window was visible on this desktop; it does not show the sample ran unmonitored.

00001 456 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00002 456 NtOpenKeyedEvent (0x2000000, {24, 0, 0x0, 0, 0, (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0 00003 456 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00004 456 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 1376256, 1048576, ) == 0x0 00005 456 NtAllocateVirtualMemory (-1, 1376256, 0, 4096, 4096, 4, ... 1376256, 4096, ) == 0x0 00006 456 NtAllocateVirtualMemory (-1, 1380352, 0, 8192, 4096, 4, ... 1380352, 8192, ) == 0x0 00007 456 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00008 456 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 2424832, 65536, ) == 0x0 00009 456 NtAllocateVirtualMemory (-1, 2424832, 0, 24576, 4096, 4, ... 2424832, 24576, ) == 0x0 00010 456 NtOpenDirectoryObject (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0 00011 456 NtOpenSymbolicLinkObject (0x1, {24, 8, 0x40, 0, 0, (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0 00012 456 NtQuerySymbolicLinkObject (12, ... (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0 00013 456 NtClose (12, ... 
) == 0x0 00014 456 NtOpenFile (0x100020, {24, 0, 0x42, 0, 0, (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0 00015 456 NtQueryVolumeInformationFile (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00016 456 NtFsControlFile (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER 00017 456 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00018 456 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0 00019 456 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0 00020 456 NtClose (16, ... ) == 0x0 00021 456 NtQuerySystemInformation (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0 00022 456 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00023 456 NtCreateSection (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0 00024 456 NtSecureConnectPort ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1385272, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2490368, 18415616}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1385272, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2490368, 18415616}, {0, 0, 0}, 200, 44, ) == 0x0 00025 456 NtClose (16, ... ) == 0x0 00026 456 NtQueryObject (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0 00027 456 NtSetInformationObject (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0 00028 456 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00029 456 NtQueryVirtualMemory (-1, 0x260000, Basic, 28, ... {BaseAddress=0x260000,AllocationBase=0x260000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0 00030 456 NtAllocateVirtualMemory (-1, 2490368, 0, 4096, 4096, 4, ... 2490368, 4096, ) == 0x0 00031 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 0, 0, 0, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 448, 456, 1505, 0} "\10\367\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ) ... {28, 56, reply, 0, 448, 456, 1505, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 448, 456, 1505, 0} "\10\367\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ) ) == 0x0 00032 456 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00033 456 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0 00034 456 NtQueryValueKey (16, (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00035 456 NtClose (16, ... ) == 0x0 00036 456 NtAllocateVirtualMemory (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0 00037 456 NtOpenMutant (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0 00038 456 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 
28, ) == 0x0 00039 456 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x270000), 0x0, 90112, ) == 0x0 00040 456 NtClose (28, ... ) == 0x0 00041 456 NtQueryDefaultLocale (0, 2012046252, ... ) == 0x0 00042 456 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0 00043 456 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x290000), 0x0, 212992, ) == 0x0 00044 456 NtClose (28, ... ) == 0x0 00045 456 NtOpenSection (0x5, {24, 0, 0x40, 0, 0, (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0 00046 456 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2d0000), 0x0, 266240, ) == 0x0 00047 456 NtQuerySection (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0 00048 456 NtClose (28, ... ) == 0x0 00049 456 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0 00050 456 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x320000), 0x0, 24576, ) == 0x0 00051 456 NtClose (28, ... ) == 0x0 00052 456 NtQueryVirtualMemory (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 00053 456 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00054 456 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00055 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... 
{28, 56, reply, 0, 448, 456, 1507, 0} "\240B\27\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ) ... {28, 56, reply, 0, 448, 456, 1507, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 448, 456, 1507, 0} "\240B\27\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ) ) == 0x0 00056 456 NtProtectVirtualMemory (-1, (0x45c000), 212992, 4, ... (0x45c000), 212992, 128, ) == 0x0 00057 456 NtProtectVirtualMemory (-1, (0x45c000), 212992, 128, ... (0x45c000), 212992, 4, ) == 0x0 00058 456 NtFlushInstructionCache (-1, 4571136, 212992, ... ) == 0x0 00059 456 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "user32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00060 456 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0 00061 456 NtClose (28, ... ) == 0x0 00062 456 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00063 456 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0 00064 456 NtClose (28, ... ) == 0x0 00065 456 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00066 456 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0 00067 456 NtClose (28, ... ) == 0x0 00068 456 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0 00069 456 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0 00070 456 NtClose (28, ... ) == 0x0 00071 456 NtProtectVirtualMemory (-1, (0x45c000), 212992, 4, ... (0x45c000), 212992, 64, ) == 0x0 00072 456 NtProtectVirtualMemory (-1, (0x45c000), 212992, 64, ... (0x45c000), 212992, 4, ) == 0x0 00073 456 NtFlushInstructionCache (-1, 4571136, 212992, ... 
) == 0x0 00074 456 NtOpenProcessToken (-1, 0x8, ... 28, ) == 0x0 00075 456 NtQueryInformationToken (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00076 456 NtClose (28, ... ) == 0x0 00077 456 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0 00078 456 NtQueryValueKey (28, (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00079 456 NtClose (28, ... ) == 0x0 00080 456 NtAllocateVirtualMemory (-1, 1388544, 0, 4096, 4096, 4, ... 1388544, 4096, ) == 0x0 00081 456 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0 00082 456 NtQueryValueKey (28, (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00083 456 NtQueryValueKey (28, (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00084 456 NtClose (28, ... ) == 0x0 00085 456 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0 00086 456 NtQueryValueKey (28, (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00087 456 NtClose (28, ... ) == 0x0 00088 456 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 
28, ) == 0x0 00089 456 NtSetInformationObject (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0 00090 456 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00091 456 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00092 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0} (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0} "\210\6\31\1\0\0\0\0\314\4\23\0!\215\30\34\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 448, 456, 1509, 0} "XQ\26\0\0\0\0\0\0\0\0\0!\215\30\34\3\0\0\0\234\6\31\1$\1\0\0" ) ... {28, 56, reply, 0, 448, 456, 1509, 0} (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0} "\210\6\31\1\0\0\0\0\314\4\23\0!\215\30\34\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 448, 456, 1509, 0} "XQ\26\0\0\0\0\0\0\0\0\0!\215\30\34\3\0\0\0\234\6\31\1$\1\0\0" ) ) == 0x0 00093 456 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00094 456 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x4a0000), 0x0, 1060864, ) == 0x0 00095 456 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 36, ) == 0x0 00096 456 NtOpenThreadTokenEx (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN 00097 456 NtOpenProcessTokenEx (-1, 0x8, 512, ... -2147482032, ) == 0x0 00098 456 NtQueryInformationToken (-2147482032, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL 00099 456 NtQueryInformationToken (-2147482032, Statistics, 56, ... 
{token info, class 10, size 56}, 56, ) == 0x0 00100 456 NtClose (-2147482032, ... ) == 0x0 00101 456 NtAllocateVirtualMemory (-1, 0, 0, 32, 4096, 4, ... 5963776, 4096, ) == 0x0 00102 456 NtFreeVirtualMemory (-1, (0x5b0000), 4096, 32768, ... (0x5b0000), 4096, ) == 0x0 00103 456 NtDuplicateObject (-1, 40, -1, 0x0, 0, 2, ... 48, ) == 0x0 00104 456 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 00105 456 NtQueryValueKey (-2147482032, (-2147482032, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00106 456 NtClose (-2147482032, ... ) == 0x0 00107 456 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 00108 456 NtQueryValueKey (-2147482032, (-2147482032, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00109 456 NtClose (-2147482032, ... ) == 0x0 00110 456 NtQueryDefaultLocale (0, -133527028, ... ) == 0x0 00111 456 NtGdiQueryFontAssocInfo (0, ... ) == 0x0 00112 456 NtUserCallNoParam (24, ... ) == 0x0 00113 456 NtGdiCreateCompatibleDC (0, ... 00114 456 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 5963776, 4096, ) == 0x0 00113 456 NtGdiCreateCompatibleDC ... ) == 0xf0103e0 00115 456 NtGdiGetStockObject (0, ... ) == 0x1900010 00116 456 NtGdiGetStockObject (4, ... ) == 0x1900011 00117 456 NtGdiCreateBitmap (8, 8, 1, 1, 2010393708, ... ) == 0x13050402 00118 456 NtGdiCreateSolidBrush (0, 0, ... 00119 456 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 9175040, 4096, ) == 0x0 00118 456 NtGdiCreateSolidBrush ... ) == 0xe100408 00120 456 NtGdiGetStockObject (13, ... ) == 0x18a0021 00121 456 NtGdiCreateCompatibleDC (0, ... 
) == 0x35010415 00122 456 NtGdiSelectBitmap (889259029, 319095810, ... ) == 0x185000f 00123 456 NtUserGetThreadDesktop (456, 0, ... ) == 0x2c 00124 456 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 52, ) }, ... 52, ) == 0x0 00125 456 NtQueryValueKey (52, (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 00126 456 NtClose (52, ... ) == 0x0 00127 456 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00128 456 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 673, 128, 0, ... ) == 0x810dc017 00129 456 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00130 456 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 674, 128, 0, ... ) == 0x810dc01c 00131 456 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00132 456 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 675, 128, 0, ... ) == 0x810dc01e 00133 456 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00134 456 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 676, 128, 0, ... ) == 0x810d8002 00135 456 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10013 00136 456 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 677, 128, 0, ... ) == 0x810dc018 00137 456 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00138 456 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 678, 128, 0, ... ) == 0x810dc01a 00139 456 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00140 456 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 679, 128, 0, ... 
) == 0x810dc01d 00141 456 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00142 456 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 681, 128, 0, ... 00143 456 NtAllocateVirtualMemory (-1, 6123520, 0, 4096, 4096, 32, ... 6123520, 4096, ) == 0x0 00142 456 NtUserRegisterClassExWOW ... ) == 0x810dc026 00144 456 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00145 456 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 680, 128, 0, ... ) == 0x810dc019 00146 456 NtUserRegisterClassExWOW (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc020 00147 456 NtUserRegisterClassExWOW (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810dc022 00148 456 NtUserRegisterClassExWOW (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc023 00149 456 NtUserRegisterClassExWOW (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810dc024 00150 456 NtUserRegisterClassExWOW (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc025 00151 456 NtCallbackReturn (0, 0, 0, ... 00152 456 NtGdiInit (... ) == 0x1 00153 456 NtGdiGetStockObject (18, ... ) == 0x290001c 00154 456 NtGdiGetStockObject (19, ... ) == 0x1b00019 00155 456 NtAllocateVirtualMemory (-1, 0, 0, 18306, 4096, 4, ... 9240576, 20480, ) == 0x0 00156 456 NtFreeVirtualMemory (-1, (0x8d0000), 0, 32768, ... (0x8d0000), 20480, ) == 0x0 00157 456 NtQueryVirtualMemory (-1, 0x401000, Basic, 52, ... {BaseAddress=0x401000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0x22000,State=0x1000,Protect=0x80,Type=0x1000000,}, 28, ) == 0x0 00158 456 NtQueryVirtualMemory (-1, 0x451e53, Basic, 28, ... {BaseAddress=0x451000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0xb000,State=0x1000,Protect=0x4,Type=0x1000000,}, 28, ) == 0x0 00159 456 NtAllocateVirtualMemory (-1, 1392640, 0, 4096, 4096, 4, ... 1392640, 4096, ) == 0x0 00160 456 NtProtectVirtualMemory (-1, (0x4001f8), 40, 4, ... 
(0x400000), 4096, 2, ) == 0x0 00161 456 NtProtectVirtualMemory (-1, (0x4001f8), 40, 2, ... (0x400000), 4096, 4, ) == 0x0 00162 456 NtProtectVirtualMemory (-1, (0x400220), 40, 4, ... (0x400000), 4096, 2, ) == 0x0 00163 456 NtProtectVirtualMemory (-1, (0x400220), 40, 2, ... (0x400000), 4096, 4, ) == 0x0 00164 456 NtProtectVirtualMemory (-1, (0x400248), 40, 4, ... (0x400000), 4096, 2, ) == 0x0 00165 456 NtProtectVirtualMemory (-1, (0x400248), 40, 2, ... (0x400000), 4096, 4, ) == 0x0 00166 456 NtProtectVirtualMemory (-1, (0x400270), 40, 4, ... (0x400000), 4096, 2, ) == 0x0 00167 456 NtProtectVirtualMemory (-1, (0x400270), 40, 2, ... (0x400000), 4096, 4, ) == 0x0 00168 456 NtProtectVirtualMemory (-1, (0x400298), 40, 4, ... (0x400000), 4096, 2, ) == 0x0 00169 456 NtProtectVirtualMemory (-1, (0x400298), 40, 2, ... (0x400000), 4096, 4, ) == 0x0 00170 456 NtProtectVirtualMemory (-1, (0x4002c0), 40, 4, ... (0x400000), 4096, 2, ) == 0x0 00171 456 NtProtectVirtualMemory (-1, (0x4002c0), 40, 2, ... (0x400000), 4096, 4, ) == 0x0 00172 456 NtProtectVirtualMemory (-1, (0x4002e8), 40, 4, ... (0x400000), 4096, 2, ) == 0x0 00173 456 NtProtectVirtualMemory (-1, (0x4002e8), 40, 2, ... (0x400000), 4096, 4, ) == 0x0 00174 456 NtProtectVirtualMemory (-1, (0x400310), 40, 4, ... (0x400000), 4096, 2, ) == 0x0 00175 456 NtProtectVirtualMemory (-1, (0x400310), 40, 2, ... (0x400000), 4096, 4, ) == 0x0 00176 456 NtUserFindWindowEx (0, 0, (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0 00177 456 NtUserFindWindowEx (0, 0, (0, 0, "WispWindowClass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0 00178 456 NtUserBuildHwndList (0, 0, 0, 0, 64, ... (0x100aa, 0x100a8, 0x100a6, 0x20060, 0x100a0, 0x1007e, 0x10074, 0x10068, 0x3004a, 0x10066, 0x3004c, 0x3003c, 0x10098, 0x1008c, 0x1007c, 0x10026, 0x100be, 0x100bc, 0x100ba, 0x100b8, 0x100b6, 0x100b4, 0x100b0, 0x100ae, 0x20064, 0x100ac, 0x20062, 0x1006c, 0x50050, 0x40054, 0x5004e, 0x10082, 0x10076, 0x1, ), 34, ) == 0x0 00179 456 NtUserQueryWindow (65706, 0, ... 
) == 0x7e8 00180 456 NtUserQueryWindow (65706, 1, ... ) == 0x7ec 00181 456 NtOpenProcess (0x10, {24, 0, 0x0, 0, 0, 0x0}, {2024, 0}, ... 52, ) == 0x0 00182 456 NtReadVirtualMemory (52, 0x400000, 64, ... (52, 0x400000, 64, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \1\0\0", 64, ) , 64, ) == 0x0 00183 456 NtReadVirtualMemory (52, 0x4b1c86, 4, ... (52, 0x4b1c86, 4, ... "\0\0\0\0", 4, ) , 4, ) == 0x0 00184 456 NtReadVirtualMemory (52, 0x4c91a0, 256, ... (52, 0x4c91a0, 256, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, ) , 256, ) == 0x0 00185 456 NtClose (52, ... ) == 0x0 00186 456 NtUserQueryWindow (65704, 0, ... ) == 0x7e8 00187 456 NtUserQueryWindow (65704, 1, ... ) == 0x7ec 00188 456 NtUserQueryWindow (65702, 0, ... ) == 0x7e8 00189 456 NtUserQueryWindow (65702, 1, ... ) == 0x7ec 00190 456 NtUserQueryWindow (131168, 0, ... ) == 0x7e8 00191 456 NtUserQueryWindow (131168, 1, ... ) == 0x7ec 00192 456 NtUserQueryWindow (65696, 0, ... ) == 0x774 00193 456 NtUserQueryWindow (65696, 1, ... ) == 0x78c 00194 456 NtOpenProcess (0x10, {24, 0, 0x0, 0, 0, 0x0}, {1908, 0}, ... 52, ) == 0x0 00195 456 NtReadVirtualMemory (52, 0x400000, 64, ... (52, 0x400000, 64, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 64, ) , 64, ) == 0x0 00196 456 NtReadVirtualMemory (52, 0x4b1c86, 4, ... 00197 456 NtContinue (-133530468, 0, ... 
00196 456 NtReadVirtualMemory ... ) == STATUS_PARTIAL_COPY 00198 456 NtReadVirtualMemory (52, 0x4c91a0, 256, ... 00199 456 NtContinue (-133530468, 0, ... 00198 456 NtReadVirtualMemory ... ) == STATUS_PARTIAL_COPY 00200 456 NtClose (52, ... ) == 0x0 00201 456 NtUserQueryWindow (65662, 0, ... ) == 0x774 00202 456 NtUserQueryWindow (65662, 1, ... ) == 0x78c 00203 456 NtUserQueryWindow (65652, 0, ... ) == 0x774 00204 456 NtUserQueryWindow (65652, 1, ... ) == 0x78c 00205 456 NtUserQueryWindow (65640, 0, ... ) == 0x774 00206 456 NtUserQueryWindow (65640, 1, ... ) == 0x78c 00207 456 NtUserQueryWindow (196682, 0, ... ) == 0x774 00208 456 NtUserQueryWindow (196682, 1, ... ) == 0x78c 00209 456 NtUserQueryWindow (65638, 0, ... ) == 0x774 00210 456 NtUserQueryWindow (65638, 1, ... ) == 0x78c 00211 456 NtUserQueryWindow (196684, 0, ... ) == 0x774 00212 456 NtUserQueryWindow (196684, 1, ... ) == 0x78c 00213 456 NtUserQueryWindow (196668, 0, ... ) == 0x774 00214 456 NtUserQueryWindow (196668, 1, ... ) == 0x78c 00215 456 NtUserQueryWindow (65688, 0, ... ) == 0x774 00216 456 NtUserQueryWindow (65688, 1, ... ) == 0x78c 00217 456 NtUserQueryWindow (65676, 0, ... ) == 0x774 00218 456 NtUserQueryWindow (65676, 1, ... ) == 0x78c 00219 456 NtUserQueryWindow (65660, 0, ... ) == 0x774 00220 456 NtUserQueryWindow (65660, 1, ... ) == 0x778 00221 456 NtUserQueryWindow (65574, 0, ... ) == 0x268 00222 456 NtUserQueryWindow (65574, 1, ... ) == 0x2c4 00223 456 NtOpenProcess (0x10, {24, 0, 0x0, 0, 0, 0x0}, {616, 0}, ... 52, ) == 0x0 00224 456 NtReadVirtualMemory (52, 0x400000, 64, ... (52, 0x400000, 64, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 64, ) , 64, ) == 0x0 00225 456 NtReadVirtualMemory (52, 0x4b1c86, 4, ... (52, 0x4b1c86, 4, ... "\0\0\0\0", 4, ) , 4, ) == 0x0 00226 456 NtReadVirtualMemory (52, 0x4c91a0, 256, ... (52, 0x4c91a0, 256, ... 
"\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, ) , 256, ) == 0x0 00227 456 NtClose (52, ... ) == 0x0 00228 456 NtUserQueryWindow (65726, 0, ... ) == 0x7f0 00229 456 NtUserQueryWindow (65726, 1, ... ) == 0x7f4 00230 456 NtOpenProcess (0x10, {24, 0, 0x0, 0, 0, 0x0}, {2032, 0}, ... 52, ) == 0x0 00231 456 NtReadVirtualMemory (52, 0x400000, 64, ... (52, 0x400000, 64, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\0", 64, ) , 64, ) == 0x0 00232 456 NtReadVirtualMemory (52, 0x4b1c86, 4, ... (52, 0x4b1c86, 4, ... "\377\0\377\377", 4, ) , 4, ) == 0x0 00233 456 NtReadVirtualMemory (52, 0x4c91a0, 256, ... (52, 0x4c91a0, 256, ... "\210fvx\210x\206wfvGe$\306d\21\26\210ls\210\210\250g\207\210hhx\207xhvwdfF|d\21\27\210\206hx\250\252\206\210\207v\207\210x\207\207gfv4F\306G\21\21\210\206\207\210\212\250\250h\210\207x\210\210wvwgFD$d!\21\21x\250g\210\212\252\250\206\210\207w\210\207\207wvvgBGd\21\21\21\210\212\203\210\250\252\212\210x\210w\210\210xwgcd%F\1\21\21\21\27\212\250\210\212\252\252\210f\210\207x\210\207w7fR@`\21\21\21\21\21\210\2508\212\252\250\250\210gw\21088vvu$$!\21\21\21\21\21\30\210\210\210\212\252\210\206vgw\210\203wsb`\7\21\21\21\21\21\21\21\210\203\210\210\210\210\207vvwwwsf4\7\21\21\21\21\21\21\21\21\30\210\210\210\210\210wGwvwww5\2\21\21\21\21\21\21", 256, ) , 256, ) == 0x0 00234 456 NtClose (52, ... ) == 0x0 00235 456 NtUserQueryWindow (65724, 0, ... ) == 0x7f0 00236 456 NtUserQueryWindow (65724, 1, ... 
) == 0x7f4 00237 456 NtUserQueryWindow (65722, 0, ... ) == 0x7f0 00238 456 NtUserQueryWindow (65722, 1, ... ) == 0x7f4 00239 456 NtUserQueryWindow (65720, 0, ... ) == 0x7f0 00240 456 NtUserQueryWindow (65720, 1, ... ) == 0x7f4 00241 456 NtUserQueryWindow (65718, 0, ... ) == 0x7f0 00242 456 NtUserQueryWindow (65718, 1, ... ) == 0x7f4 00243 456 NtUserQueryWindow (65716, 0, ... ) == 0x7f0 00244 456 NtUserQueryWindow (65716, 1, ... ) == 0x7f4 00245 456 NtUserQueryWindow (65712, 0, ... ) == 0x7f0 00246 456 NtUserQueryWindow (65712, 1, ... ) == 0x7f4 00247 456 NtUserQueryWindow (65710, 0, ... ) == 0x7f0 00248 456 NtUserQueryWindow (65710, 1, ... ) == 0x7f4 00249 456 NtUserQueryWindow (131172, 0, ... ) == 0x7fc 00250 456 NtUserQueryWindow (131172, 1, ... ) == 0x70 00251 456 NtOpenProcess (0x10, {24, 0, 0x0, 0, 0, 0x0}, {2044, 0}, ... 52, ) == 0x0 00252 456 NtReadVirtualMemory (52, 0x400000, 64, ... (52, 0x400000, 64, ... "\301\0\0\0\0\1\0\0\377\356\377\356\11\0\0\0\11\0\0\0\0\376\0\0\0\0\20\0\0 \0\0\0\2\0\0\0 \0\0q\0\0\0\377\357\375\177\0\0\10\6\0\0\0\0\0\0\0\0\0\0\0\0", 64, ) , 64, ) == 0x0 00253 456 NtReadVirtualMemory (52, 0x4b1c86, 4, ... (52, 0x4b1c86, 4, ... "\0\0\0\0", 4, ) , 4, ) == 0x0 00254 456 NtReadVirtualMemory (52, 0x4c91a0, 256, ... (52, 0x4c91a0, 256, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, ) , 256, ) == 0x0 00255 456 NtClose (52, ... ) == 0x0 00256 456 NtUserQueryWindow (65708, 0, ... ) == 0x7e8 00257 456 NtUserQueryWindow (65708, 1, ... 
) == 0x7ec 00258 456 NtUserQueryWindow (131170, 0, ... ) == 0x7e0 00259 456 NtUserQueryWindow (131170, 1, ... ) == 0x7e4 00260 456 NtOpenProcess (0x10, {24, 0, 0x0, 0, 0, 0x0}, {2016, 0}, ... 52, ) == 0x0 00261 456 NtReadVirtualMemory (52, 0x400000, 64, ... (52, 0x400000, 64, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0", 64, ) , 64, ) == 0x0 00262 456 NtReadVirtualMemory (52, 0x4b1c86, 4, ... 00263 456 NtContinue (-133530468, 0, ... 00262 456 NtReadVirtualMemory ... ) == STATUS_PARTIAL_COPY 00264 456 NtReadVirtualMemory (52, 0x4c91a0, 256, ... 00265 456 NtContinue (-133530468, 0, ... 00264 456 NtReadVirtualMemory ... ) == STATUS_PARTIAL_COPY 00266 456 NtClose (52, ... ) == 0x0 00267 456 NtUserQueryWindow (65644, 0, ... ) == 0x774 00268 456 NtUserQueryWindow (65644, 1, ... ) == 0x7c0 00269 456 NtUserQueryWindow (327760, 0, ... ) == 0x774 00270 456 NtUserQueryWindow (327760, 1, ... ) == 0x778 00271 456 NtUserQueryWindow (262228, 0, ... ) == 0x774 00272 456 NtUserQueryWindow (262228, 1, ... ) == 0x778 00273 456 NtUserQueryWindow (327758, 0, ... ) == 0x774 00274 456 NtUserQueryWindow (327758, 1, ... ) == 0x778 00275 456 NtUserQueryWindow (65666, 0, ... ) == 0x774 00276 456 NtUserQueryWindow (65666, 1, ... ) == 0x778 00277 456 NtUserQueryWindow (65654, 0, ... ) == 0x774 00278 456 NtUserQueryWindow (65654, 1, ... ) == 0x778 00279 456 NtRaiseException (1242696, 1241956, 1, ... 00280 456 NtContinue (1240752, 0, ... 00281 456 NtOpenDirectoryObject (0x2000f, {24, 0, 0x40, 0, 0, (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 52, ) }, ... 52, ) == 0x0 00282 456 NtOpenMutant (0x120001, {24, 52, 0x2, 0, 0, (0x120001, {24, 52, 0x2, 0, 0, "DBWinMutex"}, ... 56, ) }, ... 56, ) == 0x0 00283 456 NtWaitForSingleObject (56, 0, 0x0, ... ) == 0x0 00284 456 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00285 456 NtReleaseMutant (56, ... 0x0, ) == 0x0 00286 456 NtDuplicateObject (-1, 2486, -1, 0x0, 0, 2, ... ) == STATUS_INVALID_HANDLE 00287 456 NtClose (0, ... ) == STATUS_INVALID_HANDLE 00288 456 NtClose (0, ... ) == STATUS_INVALID_HANDLE 00289 456 NtUserBuildHwndList (0, 0, 0, 0, 64, ... (0x100aa, 0x100a8, 0x100a6, 0x20060, 0x100a0, 0x1007e, 0x10074, 0x10068, 0x3004a, 0x10066, 0x3004c, 0x3003c, 0x10098, 0x1008c, 0x1007c, 0x10026, 0x100be, 0x100bc, 0x100ba, 0x100b8, 0x100b6, 0x100b4, 0x100b0, 0x100ae, 0x20064, 0x100ac, 0x20062, 0x1006c, 0x50050, 0x40054, 0x5004e, 0x10082, 0x10076, 0x1, ), 34, ) == 0x0 00290 456 NtUserFindWindowEx (0, 0, (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0 00291 456 NtUserFindWindowEx (0, 0, (0, 0, "WispWindowClass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0 00292 456 NtUserBuildHwndList (0, 0, 0, 0, 64, ... (0x100aa, 0x100a8, 0x100a6, 0x20060, 0x100a0, 0x1007e, 0x10074, 0x10068, 0x3004a, 0x10066, 0x3004c, 0x3003c, 0x10098, 0x1008c, 0x1007c, 0x10026, 0x100be, 0x100bc, 0x100ba, 0x100b8, 0x100b6, 0x100b4, 0x100b0, 0x100ae, 0x20064, 0x100ac, 0x20062, 0x1006c, 0x50050, 0x40054, 0x5004e, 0x10082, 0x10076, 0x1, ), 34, ) == 0x0 00293 456 NtUserQueryWindow (65706, 0, ... ) == 0x7e8 00294 456 NtUserQueryWindow (65706, 1, ... ) == 0x7ec 00295 456 NtUserQueryWindow (65704, 0, ... ) == 0x7e8 00296 456 NtUserQueryWindow (65704, 1, ... ) == 0x7ec 00297 456 NtUserQueryWindow (65702, 0, ... ) == 0x7e8 00298 456 NtUserQueryWindow (65702, 1, ... ) == 0x7ec 00299 456 NtUserQueryWindow (131168, 0, ... ) == 0x7e8 00300 456 NtUserQueryWindow (131168, 1, ... ) == 0x7ec 00301 456 NtUserQueryWindow (65696, 0, ... ) == 0x774 00302 456 NtUserQueryWindow (65696, 1, ... ) == 0x78c 00303 456 NtUserQueryWindow (65662, 0, ... ) == 0x774 00304 456 NtUserQueryWindow (65662, 1, ... ) == 0x78c 00305 456 NtUserQueryWindow (65652, 0, ... ) == 0x774 00306 456 NtUserQueryWindow (65652, 1, ... 
) == 0x78c 00307 456 NtUserQueryWindow (65640, 0, ... ) == 0x774 00308 456 NtUserQueryWindow (65640, 1, ... ) == 0x78c 00309 456 NtUserQueryWindow (196682, 0, ... ) == 0x774 00310 456 NtUserQueryWindow (196682, 1, ... ) == 0x78c 00311 456 NtUserQueryWindow (65638, 0, ... ) == 0x774 00312 456 NtUserQueryWindow (65638, 1, ... ) == 0x78c 00313 456 NtUserQueryWindow (196684, 0, ... ) == 0x774 00314 456 NtUserQueryWindow (196684, 1, ... ) == 0x78c 00315 456 NtUserQueryWindow (196668, 0, ... ) == 0x774 00316 456 NtUserQueryWindow (196668, 1, ... ) == 0x78c 00317 456 NtUserQueryWindow (65688, 0, ... ) == 0x774 00318 456 NtUserQueryWindow (65688, 1, ... ) == 0x78c 00319 456 NtUserQueryWindow (65676, 0, ... ) == 0x774 00320 456 NtUserQueryWindow (65676, 1, ... ) == 0x78c 00321 456 NtUserQueryWindow (65660, 0, ... ) == 0x774 00322 456 NtUserQueryWindow (65660, 1, ... ) == 0x778 00323 456 NtUserQueryWindow (65574, 0, ... ) == 0x268 00324 456 NtUserQueryWindow (65574, 1, ... ) == 0x2c4 00325 456 NtUserQueryWindow (65726, 0, ... ) == 0x7f0 00326 456 NtUserQueryWindow (65726, 1, ... ) == 0x7f4 00327 456 NtUserQueryWindow (65724, 0, ... ) == 0x7f0 00328 456 NtUserQueryWindow (65724, 1, ... ) == 0x7f4 00329 456 NtUserQueryWindow (65722, 0, ... ) == 0x7f0 00330 456 NtUserQueryWindow (65722, 1, ... ) == 0x7f4 00331 456 NtUserQueryWindow (65720, 0, ... ) == 0x7f0 00332 456 NtUserQueryWindow (65720, 1, ... ) == 0x7f4 00333 456 NtUserQueryWindow (65718, 0, ... ) == 0x7f0 00334 456 NtUserQueryWindow (65718, 1, ... ) == 0x7f4 00335 456 NtUserQueryWindow (65716, 0, ... ) == 0x7f0 00336 456 NtUserQueryWindow (65716, 1, ... ) == 0x7f4 00337 456 NtUserQueryWindow (65712, 0, ... ) == 0x7f0 00338 456 NtUserQueryWindow (65712, 1, ... ) == 0x7f4 00339 456 NtUserQueryWindow (65710, 0, ... ) == 0x7f0 00340 456 NtUserQueryWindow (65710, 1, ... ) == 0x7f4 00341 456 NtUserQueryWindow (131172, 0, ... ) == 0x7fc 00342 456 NtUserQueryWindow (131172, 1, ... 
) == 0x70 00343 456 NtUserQueryWindow (65708, 0, ... ) == 0x7e8 00344 456 NtUserQueryWindow (65708, 1, ... ) == 0x7ec 00345 456 NtUserQueryWindow (131170, 0, ... ) == 0x7e0 00346 456 NtUserQueryWindow (131170, 1, ... ) == 0x7e4 00347 456 NtUserQueryWindow (65644, 0, ... ) == 0x774 00348 456 NtUserQueryWindow (65644, 1, ... ) == 0x7c0 00349 456 NtUserQueryWindow (327760, 0, ... ) == 0x774 00350 456 NtUserQueryWindow (327760, 1, ... ) == 0x778 00351 456 NtUserQueryWindow (262228, 0, ... ) == 0x774 00352 456 NtUserQueryWindow (262228, 1, ... ) == 0x778 00353 456 NtUserQueryWindow (327758, 0, ... ) == 0x774 00354 456 NtUserQueryWindow (327758, 1, ... ) == 0x778 00355 456 NtUserQueryWindow (65666, 0, ... ) == 0x774 00356 456 NtUserQueryWindow (65666, 1, ... ) == 0x778 00357 456 NtUserQueryWindow (65654, 0, ... ) == 0x774 00358 456 NtUserQueryWindow (65654, 1, ... ) == 0x778 00359 456 NtRaiseException (1242640, 1241900, 1, ... 00360 456 NtContinue (1240696, 0, ... 00361 456 NtWaitForSingleObject (56, 0, 0x0, ... ) == 0x0 00362 456 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00363 456 NtReleaseMutant (56, ... 0x0, ) == 0x0 00364 456 NtDuplicateObject (-1, 3102, -1, 0x0, 0, 2, ... ) == STATUS_INVALID_HANDLE 00365 456 NtClose (0, ... ) == STATUS_INVALID_HANDLE 00366 456 NtClose (0, ... ) == STATUS_INVALID_HANDLE 00367 456 NtUserBuildHwndList (0, 0, 0, 0, 64, ... (0x100aa, 0x100a8, 0x100a6, 0x20060, 0x100a0, 0x1007e, 0x10074, 0x10068, 0x3004a, 0x10066, 0x3004c, 0x3003c, 0x10098, 0x1008c, 0x1007c, 0x10026, 0x100be, 0x100bc, 0x100ba, 0x100b8, 0x100b6, 0x100b4, 0x100b0, 0x100ae, 0x20064, 0x100ac, 0x20062, 0x1006c, 0x50050, 0x40054, 0x5004e, 0x10082, 0x10076, 0x1, ), 34, ) == 0x0 00368 456 NtSetSecurityObject (-1, 4, {1, 0, 0x4, 0, 0, 0, 1242476}, ... 
) == 0x0 00369 456 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 60, ) }, ... 60, ) == 0x0 00370 456 NtQueryValueKey (60, (60, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00371 456 NtClose (60, ... ) == 0x0 00372 456 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "MPR.dll"}, ... 60, ) }, ... 60, ) == 0x0 00373 456 NtMapViewOfSection (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71b20000), 0x0, 69632, ) == 0x0 00374 456 NtClose (60, ... ) == 0x0 00375 456 NtCreateSemaphore (0x1f0003, 0x0, 1, 1, ... 60, ) == 0x0 00376 456 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 64, ) == 0x0 00377 456 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "system\CurrentControlSet\control\NetworkProvider\HwOrder"}, ... 68, ) }, ... 68, ) == 0x0 00378 456 NtNotifyChangeKey (68, 64, 0, 0, 2011390432, 4, 0, 0, 0, 1, ... ) == 0x103 00379 456 NtQueryInformationProcess (-1, 28, 4, ... {process info, class 28, size 4}, 0x0, ) == 0x0 00380 456 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 72, ) == 0x0 00381 456 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 76, ) == 0x0 00382 456 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ODBC32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00383 456 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\ODBC32.dll"}, 1241484, ... ) }, 1241484, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00384 456 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "ODBC32.dll"}, 1241484, ... ) }, 1241484, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00385 456 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ODBC32.dll"}, 1241484, ... ) }, 1241484, ... ) == 0x0 00386 456 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ODBC32.dll"}, 5, 96, ... 
80, {status=0x0, info=1}, ) }, 5, 96, ... 80, {status=0x0, info=1}, ) == 0x0 00387 456 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 80, ... 84, ) == 0x0 00388 456 NtQuerySection (84, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00389 456 NtOpenProcessToken (-1, 0x8, ... 88, ) == 0x0 00390 456 NtQueryInformationToken (88, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0 00391 456 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00392 456 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 92, ) }, ... 92, ) == 0x0 00393 456 NtQueryValueKey (92, (92, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (92, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00394 456 NtClose (92, ... ) == 0x0 00395 456 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00396 456 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 92, ) == 0x0 00397 456 NtQueryInformationToken (92, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00398 456 NtClose (92, ... ) == 0x0 00399 456 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00400 456 NtClose (88, ... ) == 0x0 00401 456 NtClose (80, ... ) == 0x0 00402 456 NtMapViewOfSection (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x1f7b0000), 0x0, 200704, ) == 0x0 00403 456 NtClose (84, ... ) == 0x0 00404 456 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "COMCTL32.dll"}, ... 84, ) }, ... 
84, ) == 0x0 00405 456 NtMapViewOfSection (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0 00406 456 NtClose (84, ... ) == 0x0 00407 456 NtProtectVirtualMemory (-1, (0x1f7b1000), 724, 4, ... (0x1f7b1000), 4096, 32, ) == 0x0 00408 456 NtProtectVirtualMemory (-1, (0x1f7b1000), 4096, 32, ... (0x1f7b1000), 4096, 4, ) == 0x0 00409 456 NtFlushInstructionCache (-1, 528158720, 724, ... ) == 0x0 00410 456 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "comdlg32.dll"}, ... 84, ) }, ... 84, ) == 0x0 00411 456 NtMapViewOfSection (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x763b0000), 0x0, 282624, ) == 0x0 00412 456 NtClose (84, ... ) == 0x0 00413 456 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 84, ) }, ... 84, ) == 0x0 00414 456 NtMapViewOfSection (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x772d0000), 0x0, 405504, ) == 0x0 00415 456 NtClose (84, ... ) == 0x0 00416 456 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 84, ) }, ... 84, ) == 0x0 00417 456 NtMapViewOfSection (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0 00418 456 NtClose (84, ... ) == 0x0 00419 456 NtProtectVirtualMemory (-1, (0x763b1000), 1536, 4, ... (0x763b1000), 4096, 32, ) == 0x0 00420 456 NtProtectVirtualMemory (-1, (0x763b1000), 4096, 32, ... (0x763b1000), 4096, 4, ) == 0x0 00421 456 NtFlushInstructionCache (-1, 1983582208, 1536, ... ) == 0x0 00422 456 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SHELL32.dll"}, ... 84, ) }, ... 84, ) == 0x0 00423 456 NtMapViewOfSection (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 8339456, ) == 0x0 00424 456 NtClose (84, ... ) == 0x0 00425 456 NtOpenProcess (0x400, {24, 0, 0x0, 0, 0, 0x0}, {448, 0}, ... 84, ) == 0x0 00426 456 NtQueryInformationProcess (84, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0 00427 456 NtClose (84, ... 
) == 0x0 00428 456 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 00429 456 NtUserSystemParametersInfo (104, 0, 2000318720, 0, ... ) == 0x1 00430 456 NtUserSystemParametersInfo (38, 4, 2000318708, 0, ... ) == 0x1 00431 456 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00432 456 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 84, ) == 0x0 00433 456 NtQueryInformationToken (84, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00434 456 NtClose (84, ... ) == 0x0 00435 456 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 84, ) }, ... 84, ) == 0x0 00436 456 NtSetInformationObject (84, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0 00437 456 NtOpenKey (0x20019, {24, 84, 0x40, 0, 0, (0x20019, {24, 84, 0x40, 0, 0, "Control Panel\Desktop"}, ... 80, ) }, ... 80, ) == 0x0 00438 456 NtQueryValueKey (80, (80, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00439 456 NtClose (80, ... ) == 0x0 00440 456 NtUserSystemParametersInfo (41, 500, 1241216, 0, ... ) == 0x1 00441 456 NtUserSystemParametersInfo (102, 0, 2000318732, 0, ... ) == 0x1 00442 456 NtUserGetClassInfo (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0 00443 456 NtUserFindExistingCursorIcon (1241008, 1241024, 1241592, ... ) == 0x10011 00444 456 NtUserRegisterClassExWOW (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc03b 00445 456 NtUserGetClassInfo (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0 00446 456 NtUserRegisterClassExWOW (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc03d 00447 456 NtUserGetClassInfo (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0 00448 456 NtUserFindExistingCursorIcon (1241008, 1241024, 1241592, ... ) == 0x10011 00449 456 NtUserRegisterClassExWOW (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... 
) == 0x810dc03f 00450 456 NtUserGetClassInfo (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0 00451 456 NtUserFindExistingCursorIcon (1241008, 1241024, 1241592, ... ) == 0x10011 00452 456 NtUserRegisterClassExWOW (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc041 00453 456 NtUserGetClassInfo (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0 00454 456 NtUserFindExistingCursorIcon (1241008, 1241024, 1241592, ... ) == 0x10011 00455 456 NtUserRegisterClassExWOW (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc043 00456 456 NtUserGetClassInfo (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0 00457 456 NtUserRegisterClassExWOW (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc045 00458 456 NtUserGetClassInfo (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0 00459 456 NtUserFindExistingCursorIcon (1241008, 1241024, 1241592, ... ) == 0x10011 00460 456 NtUserRegisterClassExWOW (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc047 00461 456 NtUserGetClassInfo (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0 00462 456 NtUserFindExistingCursorIcon (1241004, 1241020, 1241588, ... ) == 0x10011 00463 456 NtUserRegisterClassExWOW (1241456, 1241536, 1241520, 1241552, 0, 384, 0, ... ) == 0x810dc049 00464 456 NtUserGetClassInfo (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0 00465 456 NtUserFindExistingCursorIcon (1241008, 1241024, 1241592, ... ) == 0x10011 00466 456 NtUserRegisterClassExWOW (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc04b 00467 456 NtUserGetClassInfo (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0 00468 456 NtUserFindExistingCursorIcon (1241008, 1241024, 1241592, ... ) == 0x10011 00469 456 NtUserRegisterClassExWOW (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc04d 00470 456 NtUserGetClassInfo (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0 00471 456 NtUserFindExistingCursorIcon (1241008, 1241024, 1241592, ... 
) == 0x10011 00472 456 NtUserRegisterClassExWOW (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc04f 00473 456 NtUserGetClassInfo (1999896576, 1241628, 1241580, 1241656, 0, ... ) == 0x0 00474 456 NtUserRegisterClassExWOW (1241464, 1241544, 1241528, 1241560, 0, 384, 0, ... ) == 0x810dc051 00475 456 NtUserGetClassInfo (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0 00476 456 NtUserFindExistingCursorIcon (1241008, 1241024, 1241592, ... ) == 0x10011 00477 456 NtUserRegisterClassExWOW (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc053 00478 456 NtUserGetClassInfo (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0 00479 456 NtUserFindExistingCursorIcon (1241008, 1241024, 1241592, ... ) == 0x10011 00480 456 NtUserRegisterClassExWOW (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc055 00481 456 NtUserRegisterClassExWOW (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc057 00482 456 NtUserGetClassInfo (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0 00483 456 NtUserFindExistingCursorIcon (1241008, 1241024, 1241592, ... ) == 0x10011 00484 456 NtUserRegisterClassExWOW (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc059 00485 456 NtUserGetClassInfo (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0 00486 456 NtUserFindExistingCursorIcon (1241008, 1241024, 1241592, ... ) == 0x10013 00487 456 NtUserRegisterClassExWOW (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc05b 00488 456 NtUserGetClassInfo (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0 00489 456 NtUserFindExistingCursorIcon (1241008, 1241024, 1241592, ... ) == 0x10011 00490 456 NtUserRegisterClassExWOW (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc05d 00491 456 NtUserGetClassInfo (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0 00492 456 NtUserFindExistingCursorIcon (1241008, 1241024, 1241592, ... 
) == 0x10011 00493 456 NtUserRegisterClassExWOW (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc05f 00494 456 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00495 456 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9240576, 65536, ) == 0x0 00496 456 NtAllocateVirtualMemory (-1, 9240576, 0, 4096, 4096, 4, ... 9240576, 4096, ) == 0x0 00497 456 NtAllocateVirtualMemory (-1, 9244672, 0, 8192, 4096, 4, ... 9244672, 8192, ) == 0x0 00498 456 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 80, ) }, ... 80, ) == 0x0 00499 456 NtMapViewOfSection (80, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x8e0000), 0x0, 12288, ) == 0x0 00500 456 NtClose (80, ... ) == 0x0 00501 456 NtAllocateVirtualMemory (-1, 9252864, 0, 4096, 4096, 4, ... 9252864, 4096, ) == 0x0 00502 456 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00503 456 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 80, ) }, ... 80, ) == 0x0 00504 456 NtQueryValueKey (80, (80, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00505 456 NtClose (80, ... ) == 0x0 00506 456 NtQueryDefaultUILanguage (1239840, ... 00507 456 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00508 456 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482032, ) == 0x0 00509 456 NtQueryInformationToken (-2147482032, User, 80, ... 
{token info, class 1, size 36}, 36, ) == 0x0 00510 456 NtClose (-2147482032, ... ) == 0x0 00511 456 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 00512 456 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00513 456 NtOpenKey (0x80000000, {24, -2147482032, 0x640, 0, 0, (0x80000000, {24, -2147482032, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482044, ) }, ... -2147482044, ) == 0x0 00514 456 NtQueryValueKey (-2147482044, (-2147482044, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00515 456 NtClose (-2147482044, ... ) == 0x0 00516 456 NtClose (-2147482032, ... ) == 0x0 00506 456 NtQueryDefaultUILanguage ... ) == 0x0 00517 456 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00518 456 NtQueryInstallUILanguage (2012047340, ... ) == 0x0 00519 456 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1, 96, ... 80, {status=0x0, info=1}, ) }, 1, 96, ... 80, {status=0x0, info=1}, ) == 0x0 00520 456 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 80, ... 88, ) == 0x0 00521 456 NtMapViewOfSection (88, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x8f0000), 0x0, 8323072, ) == 0x0 00522 456 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00523 456 NtQueryDefaultUILanguage (2013024600, ... 00524 456 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00525 456 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 
-2147482032, ) == 0x0 00526 456 NtQueryInformationToken (-2147482032, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00527 456 NtClose (-2147482032, ... ) == 0x0 00528 456 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 00529 456 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00530 456 NtOpenKey (0x80000000, {24, -2147482032, 0x640, 0, 0, (0x80000000, {24, -2147482032, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482044, ) }, ... -2147482044, ) == 0x0 00531 456 NtQueryValueKey (-2147482044, (-2147482044, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00532 456 NtClose (-2147482044, ... ) == 0x0 00533 456 NtClose (-2147482032, ... ) == 0x0 00523 456 NtQueryDefaultUILanguage ... ) == 0x0 00534 456 NtAllocateVirtualMemory (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0 00535 456 NtQueryInstallUILanguage (2013024602, ... ) == 0x0 00536 456 NtQueryDefaultLocale (1, 1237876, ... ) == 0x0 00537 456 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00538 456 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1238732, 1, 96, 0} (24, {128, 156, new_msg, 0, 1238732, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1P\0\0\0\377\377\377\377\0\0\0\0\20\311\306\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\314\355\22\0\0\0\0\0" ... 
{128, 156, reply, 0, 448, 456, 1520, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1P\0\0\0\377\377\377\377\0\0\0\0\20\311\306\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\314\355\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 448, 456, 1520, 0} (24, {128, 156, new_msg, 0, 1238732, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1P\0\0\0\377\377\377\377\0\0\0\0\20\311\306\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\314\355\22\0\0\0\0\0" ... {128, 156, reply, 0, 448, 456, 1520, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1P\0\0\0\377\377\377\377\0\0\0\0\20\311\306\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\314\355\22\0\0\0\0\0" ) ) == 0x0 00539 456 NtClose (80, ... ) == 0x0 00540 456 NtClose (88, ... ) == 0x0 00541 456 NtUnmapViewOfSection (-1, 0x8f0000, ... ) == 0x0 00542 456 NtUnmapViewOfSection (-1, 0x12edcc, ... ) == STATUS_NOT_MAPPED_VIEW 00543 456 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00544 456 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00545 456 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00546 456 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00547 456 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1236960, ... ) }, 1236960, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00548 456 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00549 456 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00550 456 NtQueryDebugFilterState (53, 2, ... 
) == 0x0 00551 456 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1237552, ... ) }, 1237552, ... ) == 0x0 00552 456 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 88, {status=0x0, info=1}, ) }, 3, 33, ... 88, {status=0x0, info=1}, ) == 0x0 00553 456 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00554 456 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 80, {status=0x0, info=1}, ) }, 5, 96, ... 80, {status=0x0, info=1}, ) == 0x0 00555 456 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 80, ... 92, ) == 0x0 00556 456 NtClose (80, ... ) == 0x0 00557 456 NtMapViewOfSection (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x8f0000), 0x0, 921600, ) == 0x0 00558 456 NtClose (92, ... ) == 0x0 00559 456 NtUnmapViewOfSection (-1, 0x8f0000, ... ) == 0x0 00560 456 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 92, {status=0x0, info=1}, ) }, 5, 96, ... 92, {status=0x0, info=1}, ) == 0x0 00561 456 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 92, ... 80, ) == 0x0 00562 456 NtQuerySection (80, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00563 456 NtClose (92, ... ) == 0x0 00564 456 NtMapViewOfSection (80, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0 00565 456 NtClose (80, ... ) == 0x0 00566 456 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00567 456 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... 
(0x71951000), 4096, 4, ) == 0x0 00568 456 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00569 456 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00570 456 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00571 456 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00572 456 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00573 456 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00574 456 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00575 456 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00576 456 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00577 456 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00578 456 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00579 456 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00580 456 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00581 456 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00582 456 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00583 456 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00584 456 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00585 456 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00586 456 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00587 456 NtAddAtom ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1238736, ... ) , 42, 1238736, ... ) == 0x0 00588 456 NtQueryDefaultUILanguage (1237452, ... 00589 456 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... 
) == STATUS_NO_TOKEN 00590 456 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482032, ) == 0x0 00591 456 NtQueryInformationToken (-2147482032, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00592 456 NtClose (-2147482032, ... ) == 0x0 00593 456 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 00594 456 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00595 456 NtOpenKey (0x80000000, {24, -2147482032, 0x640, 0, 0, (0x80000000, {24, -2147482032, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482044, ) }, ... -2147482044, ) == 0x0 00596 456 NtQueryValueKey (-2147482044, (-2147482044, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00597 456 NtClose (-2147482044, ... ) == 0x0 00598 456 NtClose (-2147482032, ... ) == 0x0 00588 456 NtQueryDefaultUILanguage ... ) == 0x0 00599 456 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00600 456 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1236304, ... ) }, 1236304, ... ) == 0x0 00601 456 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 80, {status=0x0, info=1}, ) }, 5, 96, ... 80, {status=0x0, info=1}, ) == 0x0 00602 456 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 80, ... 92, ) == 0x0 00603 456 NtClose (80, ... ) == 0x0 00604 456 NtMapViewOfSection (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x8f0000), 0x0, 4096, ) == 0x0 00605 456 NtClose (92, ... ) == 0x0 00606 456 NtUnmapViewOfSection (-1, 0x8f0000, ... 
) == 0x0 00607 456 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1235944, ... ) }, 1235944, ... ) == 0x0 00608 456 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1236644, (0x80100080, {24, 0, 0x40, 0, 1236644, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 92, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 92, {status=0x0, info=1}, ) == 0x0 00609 456 NtCreateSection (0xf0005, 0x0, 0x0, 2, 134217728, 92, ... 80, ) == 0x0 00610 456 NtClose (92, ... ) == 0x0 00611 456 NtMapViewOfSection (80, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x8f0000), {0, 0}, 4096, ) == 0x0 00612 456 NtClose (80, ... ) == 0x0 00613 456 NtUnmapViewOfSection (-1, 0x8f0000, ... ) == 0x0 00614 456 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 80, {status=0x0, info=1}, ) }, 1, 96, ... 80, {status=0x0, info=1}, ) == 0x0 00615 456 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 80, ... 92, ) == 0x0 00616 456 NtMapViewOfSection (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x8f0000), 0x0, 4096, ) == 0x0 00617 456 NtQueryInformationFile (80, 1236264, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0 00618 456 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00619 456 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1236344, 1, 96, 0} (24, {128, 156, new_msg, 0, 1236344, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1P\0\0\0\\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0x\344\22\0\0\0\0\0" ... 
{128, 156, reply, 0, 448, 456, 1521, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1P\0\0\0\\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0x\344\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 448, 456, 1521, 0} (24, {128, 156, new_msg, 0, 1236344, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1P\0\0\0\\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0x\344\22\0\0\0\0\0" ... {128, 156, reply, 0, 448, 456, 1521, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1P\0\0\0\\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0x\344\22\0\0\0\0\0" ) ) == 0x0 00620 456 NtClose (80, ... ) == 0x0 00621 456 NtClose (92, ... ) == 0x0 00622 456 NtUnmapViewOfSection (-1, 0x8f0000, ... ) == 0x0 00623 456 NtUnmapViewOfSection (-1, 0x12e478, ... ) == STATUS_NOT_MAPPED_VIEW 00624 456 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00625 456 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 00626 456 NtUserSystemParametersInfo (104, 0, 1906151468, 0, ... ) == 0x1 00627 456 NtUserGetDC (0, ... ) == 0x1010051 00628 456 NtUserCallOneParam (16842833, 56, ... ) == 0x1 00629 456 NtUserSystemParametersInfo (38, 4, 1906153440, 0, ... ) == 0x1 00630 456 NtUserSystemParametersInfo (66, 12, 1238756, 0, ... ) == 0x1 00631 456 NtOpenProcessToken (-1, 0x8, ... 92, ) == 0x0 00632 456 NtAccessCheck (1393640, 92, 0x1, 1238160, 1238104, 56, 1238188, ... ) == STATUS_NO_IMPERSONATION_TOKEN 00633 456 NtClose (92, ... 
) == 0x0 00634 456 NtOpenKey (0x20019, {24, 84, 0x40, 0, 0, (0x20019, {24, 84, 0x40, 0, 0, "Control Panel\Desktop"}, ... 92, ) }, ... 92, ) == 0x0 00635 456 NtQueryValueKey (92, (92, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00636 456 NtClose (92, ... ) == 0x0 00637 456 NtUserSystemParametersInfo (41, 500, 1238256, 0, ... ) == 0x1 00638 456 NtAllocateVirtualMemory (-1, 1396736, 0, 4096, 4096, 4, ... 1396736, 4096, ) == 0x0 00639 456 NtOpenKey (0x1, {24, 84, 0x40, 0, 0, (0x1, {24, 84, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 92, ) }, ... 92, ) == 0x0 00640 456 NtQueryValueKey (92, (92, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00641 456 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 80, ) }, ... 80, ) == 0x0 00642 456 NtQueryValueKey (80, (80, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00643 456 NtClose (80, ... ) == 0x0 00644 456 NtClose (92, ... ) == 0x0 00645 456 NtUserSystemParametersInfo (102, 0, 1906153328, 0, ... ) == 0x1 00646 456 NtUserSystemParametersInfo (4130, 0, 1238780, 0, ... ) == 0x1 00647 456 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 92, ) }, ... 92, ) == 0x0 00648 456 NtEnumerateValueKey (92, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 00649 456 NtClose (92, ... ) == 0x0 00650 456 NtUserFindExistingCursorIcon (1238064, 1238080, 1238648, ... ) == 0x10011 00651 456 NtUserRegisterClassExWOW (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc03b 00652 456 NtUserRegisterClassExWOW (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc03d 00653 456 NtUserFindExistingCursorIcon (1238060, 1238076, 1238644, ... 
) == 0x10011 00654 456 NtUserRegisterClassExWOW (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810dc03f 00655 456 NtUserFindExistingCursorIcon (1238064, 1238080, 1238648, ... ) == 0x10011 00656 456 NtUserRegisterClassExWOW (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc041 00657 456 NtUserFindExistingCursorIcon (1238064, 1238080, 1238648, ... ) == 0x10011 00658 456 NtUserRegisterClassExWOW (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... 00659 456 NtAllocateVirtualMemory (-1, 6127616, 0, 4096, 4096, 32, ... 6127616, 4096, ) == 0x0 00658 456 NtUserRegisterClassExWOW ... ) == 0x810dc043 00660 456 NtUserRegisterClassExWOW (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc045 00661 456 NtUserFindExistingCursorIcon (1238064, 1238080, 1238648, ... ) == 0x10011 00662 456 NtUserRegisterClassExWOW (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc047 00663 456 NtUserFindExistingCursorIcon (1238060, 1238076, 1238644, ... ) == 0x10011 00664 456 NtUserRegisterClassExWOW (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810dc049 00665 456 NtUserGetClassInfo (1905590272, 1238676, 1238628, 1238704, 0, ... ) == 0xc049 00666 456 NtUserFindExistingCursorIcon (1238064, 1238080, 1238648, ... ) == 0x10011 00667 456 NtUserRegisterClassExWOW (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc04b 00668 456 NtUserFindExistingCursorIcon (1238064, 1238080, 1238648, ... ) == 0x10011 00669 456 NtUserRegisterClassExWOW (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc04d 00670 456 NtUserFindExistingCursorIcon (1238064, 1238080, 1238648, ... ) == 0x10011 00671 456 NtUserRegisterClassExWOW (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc04f 00672 456 NtUserRegisterClassExWOW (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc051 00673 456 NtUserFindExistingCursorIcon (1238064, 1238080, 1238648, ... 
) == 0x10011 00674 456 NtUserRegisterClassExWOW (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc053 00675 456 NtUserFindExistingCursorIcon (1238060, 1238076, 1238644, ... ) == 0x10011 00676 456 NtUserRegisterClassExWOW (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810dc055 00677 456 NtUserRegisterClassExWOW (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810dc057 00678 456 NtUserFindExistingCursorIcon (1238064, 1238080, 1238648, ... ) == 0x10011 00679 456 NtUserRegisterClassExWOW (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc059 00680 456 NtUserFindExistingCursorIcon (1238064, 1238080, 1238648, ... ) == 0x10013 00681 456 NtUserRegisterClassExWOW (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc05b 00682 456 NtUserFindExistingCursorIcon (1238064, 1238080, 1238648, ... ) == 0x10011 00683 456 NtUserRegisterClassExWOW (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc05d 00684 456 NtUserFindExistingCursorIcon (1238064, 1238080, 1238648, ... ) == 0x10011 00685 456 NtUserRegisterClassExWOW (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc05f 00686 456 NtUserFindExistingCursorIcon (1238060, 1238076, 1238644, ... ) == 0x10011 00687 456 NtUserRegisterClassExWOW (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810dc017 00688 456 NtUserFindExistingCursorIcon (1238060, 1238076, 1238644, ... ) == 0x10011 00689 456 NtUserRegisterClassExWOW (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810dc019 00690 456 NtUserFindExistingCursorIcon (1238060, 1238076, 1238644, ... ) == 0x10013 00691 456 NtUserRegisterClassExWOW (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810dc018 00692 456 NtUserFindExistingCursorIcon (1238064, 1238080, 1238648, ... ) == 0x10011 00693 456 NtUserRegisterClassExWOW (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc01a 00694 456 NtUserFindExistingCursorIcon (1238060, 1238076, 1238644, ... 
) == 0x10011 00695 456 NtUserRegisterClassExWOW (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810dc01c 00696 456 NtUserFindExistingCursorIcon (1238064, 1238080, 1238648, ... ) == 0x10011 00697 456 NtUserRegisterClassExWOW (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc01e 00698 456 NtUserFindExistingCursorIcon (1238060, 1238076, 1238644, ... ) == 0x10011 00699 456 NtUserRegisterClassExWOW (1238572, 1238652, 1238636, 1238668, 0, 384, 0, ... ) == 0x810dc01b 00700 456 NtUserFindExistingCursorIcon (1238056, 1238072, 1238640, ... ) == 0x10011 00701 456 NtUserRegisterClassExWOW (1238568, 1238648, 1238632, 1238664, 0, 384, 0, ... ) == 0x810dc068 00702 456 NtUserFindExistingCursorIcon (1238064, 1238080, 1238648, ... ) == 0x10011 00703 456 NtUserRegisterClassExWOW (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc06a 00704 456 NtUserGetClassInfo (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc03b 00705 456 NtUserGetClassInfo (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc03d 00706 456 NtUserGetClassInfo (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc03f 00707 456 NtUserGetClassInfo (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc041 00708 456 NtUserGetClassInfo (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc043 00709 456 NtUserGetClassInfo (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc045 00710 456 NtUserGetClassInfo (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc047 00711 456 NtUserGetClassInfo (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc049 00712 456 NtUserGetClassInfo (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc04b 00713 456 NtUserGetClassInfo (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc04d 00714 456 NtUserGetClassInfo (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc04f 00715 456 NtUserGetClassInfo (1999896576, 1241580, 1241532, 1241608, 0, ... ) == 0xc051 00716 456 NtUserGetClassInfo (1999896576, 1241576, 1241528, 1241604, 0, ... 
) == 0xc053 00717 456 NtUserGetClassInfo (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc055 00718 456 NtUserGetClassInfo (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc059 00719 456 NtUserGetClassInfo (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc05b 00720 456 NtUserGetClassInfo (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc05d 00721 456 NtUserGetClassInfo (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc05f 00722 456 NtUserRegisterWindowMessage ( ("WOWLFChange", ... ) , ... ) == 0xc06b 00723 456 NtUserRegisterWindowMessage ( ("WOWDirChange", ... ) , ... ) == 0xc06c 00724 456 NtUserRegisterWindowMessage ( ("WOWCHOOSEFONT_GETLOGFONT", ... ) , ... ) == 0xc06d 00725 456 NtUserRegisterWindowMessage ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06e 00726 456 NtUserRegisterWindowMessage ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc06f 00727 456 NtUserRegisterWindowMessage ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc070 00728 456 NtUserRegisterWindowMessage ( ("commdlg_ColorOK", ... ) , ... ) == 0xc071 00729 456 NtUserRegisterWindowMessage ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc072 00730 456 NtUserRegisterWindowMessage ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06e 00731 456 NtUserRegisterWindowMessage ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc06f 00732 456 NtUserRegisterWindowMessage ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc070 00733 456 NtUserRegisterWindowMessage ( ("commdlg_ColorOK", ... ) , ... ) == 0xc071 00734 456 NtUserRegisterWindowMessage ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc072 00735 456 NtUserRegisterWindowMessage ( ("Shell IDList Array", ... ) , ... ) == 0xc073 00736 456 NtUserRegisterWindowMessage ( ("commdlg_help", ... ) , ... ) == 0xc074 00737 456 NtUserRegisterWindowMessage ( ("commdlg_help", ... ) , ... ) == 0xc074 00738 456 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\MDAC"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00739 456 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00740 456 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00741 456 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00742 456 NtAllocateVirtualMemory (-1, 0, 0, 262144, 8192, 4, ... 9502720, 262144, ) == 0x0 00743 456 NtAllocateVirtualMemory (-1, 9502720, 0, 4096, 4096, 4, ... 9502720, 4096, ) == 0x0 00744 456 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00745 456 NtAllocateVirtualMemory (-1, 0, 0, 262144, 8192, 4, ... 9764864, 262144, ) == 0x0 00746 456 NtAllocateVirtualMemory (-1, 9764864, 0, 4096, 4096, 4, ... 9764864, 4096, ) == 0x0 00747 456 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00748 456 NtAllocateVirtualMemory (-1, 0, 0, 262144, 8192, 4, ... 10027008, 262144, ) == 0x0 00749 456 NtAllocateVirtualMemory (-1, 10027008, 0, 4096, 4096, 4, ... 
10027008, 4096, ) == 0x0 00750 456 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00751 456 NtAllocateVirtualMemory (-1, 0, 0, 262144, 8192, 4, ... 10289152, 262144, ) == 0x0 00752 456 NtAllocateVirtualMemory (-1, 10289152, 0, 4096, 4096, 4, ... 10289152, 4096, ) == 0x0 00753 456 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00754 456 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00755 456 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00756 456 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00757 456 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 1237456, ... ) }, 1237456, ... ) == 0x0 00758 456 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 5, 96, ... 92, {status=0x0, info=1}, ) }, 5, 96, ... 92, {status=0x0, info=1}, ) == 0x0 00759 456 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 92, ... 80, ) == 0x0 00760 456 NtClose (92, ... ) == 0x0 00761 456 NtMapViewOfSection (80, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... 
(0xa10000), 0x0, 90112, ) == 0x0 00762 456 NtClose (80, ... ) == 0x0 00763 456 NtUnmapViewOfSection (-1, 0xa10000, ... ) == 0x0 00764 456 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 1237772, ... ) }, 1237772, ... ) == 0x0 00765 456 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 5, 96, ... 80, {status=0x0, info=1}, ) }, 5, 96, ... 80, {status=0x0, info=1}, ) == 0x0 00766 456 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 80, ... 92, ) == 0x0 00767 456 NtQuerySection (92, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00768 456 NtClose (80, ... ) == 0x0 00769 456 NtMapViewOfSection (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x1f850000), 0x0, 90112, ) == 0x0 00770 456 NtClose (92, ... ) == 0x0 00771 456 NtQueryDefaultLocale (1, 1239460, ... ) == 0x0 00772 456 NtAllocateVirtualMemory (-1, 9506816, 0, 4096, 4096, 4, ... 9506816, 4096, ) == 0x0 00773 456 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE"}, ... 92, ) }, ... 92, ) == 0x0 00774 456 NtClose (92, ... ) == 0x0 00775 456 NtOpenKey (0x20019, {24, 84, 0x40, 0, 0, (0x20019, {24, 84, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00776 456 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00777 456 NtOpenKey (0x20019, {24, 84, 0x40, 0, 0, (0x20019, {24, 84, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00778 456 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00779 456 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WININET.dll"}, ... 92, ) }, ... 92, ) == 0x0 00780 456 NtMapViewOfSection (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... 
(0x76200000), 0x0, 618496, ) == 0x0 00781 456 NtClose (92, ... ) == 0x0 00782 456 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "CRYPT32.dll"}, ... 92, ) }, ... 92, ) == 0x0 00783 456 NtMapViewOfSection (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762c0000), 0x0, 565248, ) == 0x0 00784 456 NtClose (92, ... ) == 0x0 00785 456 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "MSASN1.dll"}, ... 92, ) }, ... 92, ) == 0x0 00786 456 NtMapViewOfSection (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762a0000), 0x0, 61440, ) == 0x0 00787 456 NtClose (92, ... ) == 0x0 00788 456 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "OLEAUT32.dll"}, ... 92, ) }, ... 92, ) == 0x0 00789 456 NtMapViewOfSection (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0 00790 456 NtClose (92, ... ) == 0x0 00791 456 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "OLE32.DLL"}, ... 92, ) }, ... 92, ) == 0x0 00792 456 NtMapViewOfSection (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0 00793 456 NtClose (92, ... ) == 0x0 00794 456 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\crypt32\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00795 456 NtAllocateVirtualMemory (-1, 1400832, 0, 4096, 4096, 4, ... 1400832, 4096, ) == 0x0 00796 456 NtAllocateVirtualMemory (-1, 1404928, 0, 4096, 4096, 4, ... 1404928, 4096, ) == 0x0 00797 456 NtAllocateVirtualMemory (-1, 1409024, 0, 4096, 4096, 4, ... 1409024, 4096, ) == 0x0 00798 456 NtCreateEvent (0x1f0003, {24, 52, 0x80, 1241616, 0, (0x1f0003, {24, 52, 0x80, 1241616, 0, "Global\crypt32LogoffEvent"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED 00799 456 NtOpenEvent (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "Global\crypt32LogoffEvent"}, ... 92, ) }, ... 92, ) == 0x0 00800 456 NtAllocateVirtualMemory (-1, 1413120, 0, 4096, 4096, 4, ... 
1413120, 4096, ) == 0x0 00801 456 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00802 456 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00803 456 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 80, ) }, ... 80, ) == 0x0 00804 456 NtQueryValueKey (80, (80, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0 00805 456 NtClose (80, ... ) == 0x0 00806 456 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00807 456 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00808 456 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00809 456 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00810 456 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 80, ) }, ... 
80, ) == 0x0 00811 456 NtQueryValueKey (80, (80, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00812 456 NtQueryValueKey (80, (80, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00813 456 NtQueryValueKey (80, (80, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00814 456 NtClose (80, ... ) == 0x0 00815 456 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 80, ) }, ... 80, ) == 0x0 00816 456 NtQueryValueKey (80, (80, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00817 456 NtQueryValueKey (80, (80, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00818 456 NtClose (80, ... ) == 0x0 00819 456 NtOpenEvent (0x1f0003, {24, 52, 0x0, 0, 0, (0x1f0003, {24, 52, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00820 456 NtUserRegisterWindowMessage ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b 00821 456 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00822 456 NtOpenKey (0x9, {24, 28, 0x40, 0, 0, (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00823 456 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00824 456 NtAllocateVirtualMemory (-1, 1417216, 0, 8192, 4096, 4, ... 1417216, 8192, ) == 0x0 00825 456 NtCreateKey (0xf003f, {24, 84, 0x40, 0, 0, (0xf003f, {24, 84, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History"}, 0, 0x0, 0, ... 80, 2, ) }, 0, 0x0, 0, ... 
80, 2, ) == 0x0 00826 456 NtQueryDefaultUILanguage (1239852, ... 00827 456 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00828 456 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482032, ) == 0x0 00829 456 NtQueryInformationToken (-2147482032, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00830 456 NtClose (-2147482032, ... ) == 0x0 00831 456 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 00832 456 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00833 456 NtOpenKey (0x80000000, {24, -2147482032, 0x640, 0, 0, (0x80000000, {24, -2147482032, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482044, ) }, ... -2147482044, ) == 0x0 00834 456 NtQueryValueKey (-2147482044, (-2147482044, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00835 456 NtClose (-2147482044, ... ) == 0x0 00836 456 NtClose (-2147482032, ... ) == 0x0 00826 456 NtQueryDefaultUILanguage ... ) == 0x0 00837 456 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00838 456 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll"}, 1, 96, ... 96, {status=0x0, info=1}, ) }, 1, 96, ... 96, {status=0x0, info=1}, ) == 0x0 00839 456 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 96, ... 100, ) == 0x0 00840 456 NtMapViewOfSection (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xa10000), 0x0, 593920, ) == 0x0 00841 456 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Manifest"}, 1, 96, ... 
) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00842 456 NtQueryDefaultLocale (1, 1237888, ... ) == 0x0 00843 456 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00844 456 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1238744, 1, 96, 0} (24, {128, 156, new_msg, 0, 1238744, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1`\0\0\0\377\377\377\377\0\0\0\0P\275\250\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\330\355\22\0\0\0\0\0" ... {128, 156, reply, 0, 448, 456, 1522, 0} " S\26\0\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1`\0\0\0\377\377\377\377\0\0\0\0P\275\250\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\330\355\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 448, 456, 1522, 0} (24, {128, 156, new_msg, 0, 1238744, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1`\0\0\0\377\377\377\377\0\0\0\0P\275\250\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\330\355\22\0\0\0\0\0" ... {128, 156, reply, 0, 448, 456, 1522, 0} " S\26\0\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1`\0\0\0\377\377\377\377\0\0\0\0P\275\250\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\330\355\22\0\0\0\0\0" ) ) == 0x0 00845 456 NtClose (96, ... ) == 0x0 00846 456 NtClose (100, ... ) == 0x0 00847 456 NtUnmapViewOfSection (-1, 0xa10000, ... ) == 0x0 00848 456 NtUnmapViewOfSection (-1, 0x12edd8, ... 
) == STATUS_NOT_MAPPED_VIEW 00849 456 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00850 456 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00851 456 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00852 456 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00853 456 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1236428, ... ) }, 1236428, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00854 456 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00855 456 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00856 456 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00857 456 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1237020, ... ) }, 1237020, ... ) == 0x0 00858 456 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 100, {status=0x0, info=1}, ) }, 3, 33, ... 100, {status=0x0, info=1}, ) == 0x0 00859 456 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00860 456 NtCreateKey (0x2001f, {24, 84, 0x40, 0, 0, (0x2001f, {24, 84, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 96, 2, ) }, 0, 0x0, 0, ... 96, 2, ) == 0x0 00861 456 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00862 456 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1241484, ... ) }, 1241484, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00863 456 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WS2_32.dll"}, 1241484, ... ) }, 1241484, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00864 456 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 1241484, ... ) }, 1241484, ... ) == 0x0 00865 456 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0 00866 456 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 104, ... 108, ) == 0x0 00867 456 NtQuerySection (108, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00868 456 NtClose (104, ... ) == 0x0 00869 456 NtMapViewOfSection (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 86016, ) == 0x0 00870 456 NtClose (108, ... ) == 0x0 00871 456 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00872 456 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1240680, ... ) }, 1240680, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00873 456 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WS2HELP.dll"}, 1240680, ... ) }, 1240680, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00874 456 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 1240680, ... ) }, 1240680, ... ) == 0x0 00875 456 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 5, 96, ... 108, {status=0x0, info=1}, ) }, 5, 96, ... 108, {status=0x0, info=1}, ) == 0x0 00876 456 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 108, ... 104, ) == 0x0 00877 456 NtQuerySection (104, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00878 456 NtClose (108, ... ) == 0x0 00879 456 NtMapViewOfSection (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0 00880 456 NtClose (104, ... ) == 0x0 00881 456 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00882 456 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00883 456 NtTestAlert (... ) == 0x0 00884 456 NtContinue (1244464, 1, ... 00885 456 NtSetInformationThread (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x491000,}, 4, ... ) == 0x0 00886 456 NtContinue (1244312, 0, ... 00887 456 NtCreateEvent (0x1f0003, {24, 52, 0x80, 1245092, 0, (0x1f0003, {24, 52, 0x80, 1245092, 0, "VT_3"}, 1, 0, ... 104, ) }, 1, 0, ... 104, ) == 0x0 00888 456 NtCreateSection (0xe, {24, 0, 0x40, 1245092, 0, (0xe, {24, 0, 0x40, 1245092, 0, "\BaseNamedObjects\W32_Virtu"}, {27086, 0}, 64, 134217728, 0, ... 108, ) }, {27086, 0}, 64, 134217728, 0, ... 108, ) == 0x0 00889 456 NtMapViewOfSection (108, -1, (0x0), 0, 27086, 0x0, 27086, 2, 0, 64, ... (0xa10000), 0x0, 28672, ) == 0x0 00890 456 NtOpenProcessToken (-1, 0x20, ... 112, ) == 0x0 00891 456 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00892 456 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00893 456 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 116, ) }, ... 116, ) == 0x0 00894 456 NtQueryValueKey (116, (116, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00895 456 NtClose (116, ... 
) == 0x0 00896 456 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00897 456 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 116, ) == 0x0 00898 456 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 120, ) == 0x0 00899 456 NtQuerySystemTime (... {1725693060, 29873140}, ) == 0x0 00900 456 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 124, ) == 0x0 00901 456 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00902 456 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0 00903 456 NtQueryInformationProcess (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0 00904 456 NtQueryInformationProcess (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0 00905 456 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 128, ) == 0x0 00906 456 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 132, ) == 0x0 00907 456 NtAllocateVirtualMemory (-1, 1425408, 0, 4096, 4096, 4, ... 1425408, 4096, ) == 0x0 00908 456 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 136, ) }, ... 136, ) == 0x0 00909 456 NtOpenKey (0x20019, {24, 136, 0x40, 0, 0, (0x20019, {24, 136, 0x40, 0, 0, "ActiveComputerName"}, ... 140, ) }, ... 140, ) == 0x0 00910 456 NtQueryValueKey (140, (140, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (140, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (140, "ComputerName", Full, 108, ... 
TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0 00911 456 NtClose (140, ... ) == 0x0 00912 456 NtClose (136, ... ) == 0x0 00913 456 NtCreateIoCompletion (0x1f0003, 0x0, 0, ... 136, ) == 0x0 00914 456 NtCreateIoCompletion (0x1f0003, 0x0, -1, ... 140, ) == 0x0 00915 456 NtDuplicateObject (-1, 136, -1, 0x0, 0, 2, ... 144, ) == 0x0 00916 456 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 00917 456 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 148, ) == 0x0 00918 456 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 00919 456 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 00920 456 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1243268, (0xc0100080, {24, 0, 0x40, 0, 1243268, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 152, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 152, {status=0x0, info=1}, ) == 0x0 00921 456 NtSetInformationFile (152, 1243324, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 00922 456 NtSetInformationFile (152, 1243316, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 00923 456 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 00924 456 NtWriteFile (152, 129, 0, 0, (152, 129, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 00925 456 NtAllocateVirtualMemory (-1, 1429504, 0, 4096, 4096, 4, ... 1429504, 4096, ) == 0x0 00926 456 NtReadFile (152, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (152, 129, 0, 0, 1024, {0, 0}, 0, ... 
{status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\21\33\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 00927 456 NtFsControlFile (152, 129, 0x0, 0x0, 0x11c017, (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0<\377\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\21\33\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68}, (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0<\377\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\21\33\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 00928 456 NtFsControlFile (152, 129, 0x0, 0x0, 0x11c017, (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\2\0\0\0H\0\0\0\0\0\37\0\0\0\0\0Mu)\241\347?\334\21\261\310\0\14)\371\246\305 \0"\0(\262\25\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 96, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0Mu)\241\347?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) \0(\262\25\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0 (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\2\0\0\0H\0\0\0\0\0\37\0\0\0\0\0Mu)\241\347?\334\21\261\310\0\14)\371\246\305 \0"\0(\262\25\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 96, 1024, ... 
{status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0Mu)\241\347?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) \5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0Mu)\241\347?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) == 0x103 00929 456 NtFsControlFile (152, 129, 0x0, 0x0, 0x11c017, (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0Mu)\241\347?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=36}, (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0Mu)\241\347?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103 00930 456 NtClose (148, ... ) == 0x0 00931 456 NtClose (152, ... ) == 0x0 00932 456 NtAdjustPrivilegesToken (112, 0, 1245096, 0, 0, 0, ... ) == 0x0 00933 456 NtClose (112, ... ) == 0x0 00934 456 NtAllocateVirtualMemory (-1, 0, 0, 65536, 4096, 4, ... 10616832, 65536, ) == 0x0 00935 456 NtQuerySystemInformation (ProcessesAndThreads, 65536, ... {system info, class 5, size 500}, 0x0, ) == 0x0 00936 456 NtCreateSection (0xf0007, 0x0, {11728, 0}, 4, 134217728, 0, ... 112, ) == 0x0 00937 456 NtMapViewOfSection (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa30000), {0, 0}, 12288, ) == 0x0 00938 456 NtUnmapViewOfSection (-1, 0xa30000, ... ) == 0x0 00939 456 NtMapViewOfSection (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa30000), {0, 0}, 12288, ) == 0x0 00940 456 NtFreeVirtualMemory (-1, (0xa20000), 0, 32768, ... (0xa20000), 65536, ) == 0x0 00941 456 NtUnmapViewOfSection (-1, 0xa30000, ... ) == 0x0 00942 456 NtMapViewOfSection (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0 00943 456 NtUnmapViewOfSection (-1, 0xa20000, ... 
) == 0x0 00944 456 NtMapViewOfSection (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0 00945 456 NtUnmapViewOfSection (-1, 0xa20000, ... ) == 0x0 00946 456 NtMapViewOfSection (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0 00947 456 NtUnmapViewOfSection (-1, 0xa20000, ... ) == 0x0 00948 456 NtMapViewOfSection (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0 00949 456 NtUnmapViewOfSection (-1, 0xa20000, ... ) == 0x0 00950 456 NtMapViewOfSection (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0 00951 456 NtUnmapViewOfSection (-1, 0xa20000, ... ) == 0x0 00952 456 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {616, 0}, ... 152, ) == 0x0 00953 456 NtOpenSection (0xe, {24, 52, 0x0, 0, 0, (0xe, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 148, ) }, ... 148, ) == 0x0 00954 456 NtMapViewOfSection (148, 152, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ff90000), 0x0, 28672, ) == 0x0 00955 456 NtClose (148, ... ) == 0x0 00956 456 NtProtectVirtualMemory (152, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00957 456 NtWriteVirtualMemory (152, 0x77f7e603, (152, 0x77f7e603, "\350\214=\1\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00958 456 NtProtectVirtualMemory (152, (0x77f7eaf3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00959 456 NtWriteVirtualMemory (152, 0x77f7eaf3, (152, 0x77f7eaf3, "\350\3518\1\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00960 456 NtProtectVirtualMemory (152, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00961 456 NtWriteVirtualMemory (152, 0x77f7e6a3, (152, 0x77f7e6a3, "\350@=\1\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00962 456 NtProtectVirtualMemory (152, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00963 456 NtWriteVirtualMemory (152, 0x77f7e6b3, (152, 0x77f7e6b3, "\350==\1\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00964 456 NtAllocateVirtualMemory (152, 0, 0, 1048576, 8192, 4, ... 
22544384, 1048576, ) == 0x0 00965 456 NtAllocateVirtualMemory (152, 23584768, 0, 8192, 4096, 4, ... 23584768, 8192, ) == 0x0 00966 456 NtProtectVirtualMemory (152, (0x167e000), 4096, 260, ... (0x167e000), 4096, 4, ) == 0x0 00967 456 NtCreateThread (0x1f03ff, 0x0, 152, 1244008, 1244724, 1, ... 148, {616, 732}, ) == 0x0 00968 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1244852, 2012750850, 2012697848, -1} (24, {28, 56, new_msg, 0, 1244852, 2012750850, 2012697848, -1} "\0\0\0\0\1\0\1\0\0\0\25\0\0\0\0\0\224\0\0\0h\2\0\0\334\2\0\0" ... {28, 56, reply, 0, 448, 456, 1523, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\224\0\0\0h\2\0\0\334\2\0\0" ) ... {28, 56, reply, 0, 448, 456, 1523, 0} (24, {28, 56, new_msg, 0, 1244852, 2012750850, 2012697848, -1} "\0\0\0\0\1\0\1\0\0\0\25\0\0\0\0\0\224\0\0\0h\2\0\0\334\2\0\0" ... {28, 56, reply, 0, 448, 456, 1523, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\224\0\0\0h\2\0\0\334\2\0\0" ) ) == 0x0 00969 456 NtResumeThread (148, ... 1, ) == 0x0 00970 456 NtClose (152, ... ) == 0x0 00971 456 NtMapViewOfSection (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0 00972 456 NtUnmapViewOfSection (-1, 0xa20000, ... ) == 0x0 00973 456 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {660, 0}, ... 152, ) == 0x0 00974 456 NtOpenSection (0xe, {24, 52, 0x0, 0, 0, (0xe, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 156, ) }, ... 156, ) == 0x0 00975 456 NtMapViewOfSection (156, 152, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0 00976 456 NtClose (156, ... ) == 0x0 00977 456 NtProtectVirtualMemory (152, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00978 456 NtWriteVirtualMemory (152, 0x77f7e603, (152, 0x77f7e603, "\350\214=\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00979 456 NtProtectVirtualMemory (152, (0x77f7eaf3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00980 456 NtWriteVirtualMemory (152, 0x77f7eaf3, (152, 0x77f7eaf3, "\350\3518\2\10", 5, ... 0x0, ) , 5, ... 
0x0, ) == 0x0 00981 456 NtProtectVirtualMemory (152, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00982 456 NtWriteVirtualMemory (152, 0x77f7e6a3, (152, 0x77f7e6a3, "\350@=\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00983 456 NtProtectVirtualMemory (152, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00984 456 NtWriteVirtualMemory (152, 0x77f7e6b3, (152, 0x77f7e6b3, "\350==\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00985 456 NtClose (152, ... ) == 0x0 00986 456 NtMapViewOfSection (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0 00987 456 NtUnmapViewOfSection (-1, 0xa20000, ... ) == 0x0 00988 456 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {672, 0}, ... 152, ) == 0x0 00989 456 NtOpenSection (0xe, {24, 52, 0x0, 0, 0, (0xe, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 156, ) }, ... 156, ) == 0x0 00990 456 NtMapViewOfSection (156, 152, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ff90000), 0x0, 28672, ) == 0x0 00991 456 NtClose (156, ... ) == 0x0 00992 456 NtProtectVirtualMemory (152, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00993 456 NtWriteVirtualMemory (152, 0x77f7e603, (152, 0x77f7e603, "\350\214=\1\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00994 456 NtProtectVirtualMemory (152, (0x77f7eaf3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00995 456 NtWriteVirtualMemory (152, 0x77f7eaf3, (152, 0x77f7eaf3, "\350\3518\1\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00996 456 NtProtectVirtualMemory (152, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00997 456 NtWriteVirtualMemory (152, 0x77f7e6a3, (152, 0x77f7e6a3, "\350@=\1\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00998 456 NtProtectVirtualMemory (152, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00999 456 NtWriteVirtualMemory (152, 0x77f7e6b3, (152, 0x77f7e6b3, "\350==\1\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 01000 456 NtClose (152, ... 
) == 0x0 01001 456 NtMapViewOfSection (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0 01002 456 NtUnmapViewOfSection (-1, 0xa20000, ... ) == 0x0 01003 456 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {844, 0}, ... 152, ) == 0x0 01004 456 NtOpenSection (0xe, {24, 52, 0x0, 0, 0, (0xe, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 156, ) }, ... 156, ) == 0x0 01005 456 NtMapViewOfSection (156, 152, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0 01006 456 NtClose (156, ... ) == 0x0 01007 456 NtProtectVirtualMemory (152, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 01008 456 NtWriteVirtualMemory (152, 0x77f7e603, (152, 0x77f7e603, "\350\214=\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 01009 456 NtProtectVirtualMemory (152, (0x77f7eaf3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 01010 456 NtWriteVirtualMemory (152, 0x77f7eaf3, (152, 0x77f7eaf3, "\350\3518\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 01011 456 NtProtectVirtualMemory (152, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 01012 456 NtWriteVirtualMemory (152, 0x77f7e6a3, (152, 0x77f7e6a3, "\350@=\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 01013 456 NtProtectVirtualMemory (152, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 01014 456 NtWriteVirtualMemory (152, 0x77f7e6b3, (152, 0x77f7e6b3, "\350==\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 01015 456 NtClose (152, ... ) == 0x0 01016 456 NtMapViewOfSection (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0 01017 456 NtUnmapViewOfSection (-1, 0xa20000, ... ) == 0x0 01018 456 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {964, 0}, ... 152, ) == 0x0 01019 456 NtOpenSection (0xe, {24, 52, 0x0, 0, 0, (0xe, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 156, ) }, ... 156, ) == 0x0 01020 456 NtMapViewOfSection (156, 152, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ff70000), 0x0, 28672, ) == 0x0 01021 456 NtClose (156, ... 
) == 0x0 01022 456 NtProtectVirtualMemory (152, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 01023 456 NtWriteVirtualMemory (152, 0x77f7e603, (152, 0x77f7e603, "\350\214=\377\7", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 01024 456 NtProtectVirtualMemory (152, (0x77f7eaf3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 01025 456 NtWriteVirtualMemory (152, 0x77f7eaf3, (152, 0x77f7eaf3, "\350\3518\377\7", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 01026 456 NtProtectVirtualMemory (152, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 01027 456 NtWriteVirtualMemory (152, 0x77f7e6a3, (152, 0x77f7e6a3, "\350@=\377\7", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 01028 456 NtProtectVirtualMemory (152, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 01029 456 NtWriteVirtualMemory (152, 0x77f7e6b3, (152, 0x77f7e6b3, "\350==\377\7", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 01030 456 NtClose (152, ... ) == 0x0 01031 456 NtMapViewOfSection (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0 01032 456 NtUnmapViewOfSection (-1, 0xa20000, ... ) == 0x0 01033 456 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1052, 0}, ... 152, ) == 0x0 01034 456 NtOpenSection (0xe, {24, 52, 0x0, 0, 0, (0xe, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 156, ) }, ... 156, ) == 0x0 01035 456 NtMapViewOfSection (156, 152, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0 01036 456 NtClose (156, ... ) == 0x0 01037 456 NtProtectVirtualMemory (152, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 01038 456 NtWriteVirtualMemory (152, 0x77f7e603, (152, 0x77f7e603, "\350\214=\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 01039 456 NtProtectVirtualMemory (152, (0x77f7eaf3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 01040 456 NtWriteVirtualMemory (152, 0x77f7eaf3, (152, 0x77f7eaf3, "\350\3518\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 01041 456 NtProtectVirtualMemory (152, (0x77f7e6a3), 5, 64, ... 
(0x77f7e000), 4096, 64, ) == 0x0 01042 456 NtWriteVirtualMemory (152, 0x77f7e6a3, (152, 0x77f7e6a3, "\350@=\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 01043 456 NtProtectVirtualMemory (152, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 01044 456 NtWriteVirtualMemory (152, 0x77f7e6b3, (152, 0x77f7e6b3, "\350==\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 01045 456 NtClose (152, ... ) == 0x0 01046 456 NtMapViewOfSection (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0 01047 456 NtUnmapViewOfSection (-1, 0xa20000, ... ) == 0x0 01048 456 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1080, 0}, ... 152, ) == 0x0 01049 456 NtOpenSection (0xe, {24, 52, 0x0, 0, 0, (0xe, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 156, ) }, ... 156, ) == 0x0 01050 456 NtMapViewOfSection (156, 152, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0 01051 456 NtClose (156, ... ) == 0x0 01052 456 NtProtectVirtualMemory (152, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 01053 456 NtWriteVirtualMemory (152, 0x77f7e603, (152, 0x77f7e603, "\350\214=\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 01054 456 NtProtectVirtualMemory (152, (0x77f7eaf3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 01055 456 NtWriteVirtualMemory (152, 0x77f7eaf3, (152, 0x77f7eaf3, "\350\3518\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 01056 456 NtProtectVirtualMemory (152, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 01057 456 NtWriteVirtualMemory (152, 0x77f7e6a3, (152, 0x77f7e6a3, "\350@=\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 01058 456 NtProtectVirtualMemory (152, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 01059 456 NtWriteVirtualMemory (152, 0x77f7e6b3, (152, 0x77f7e6b3, "\350==\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 01060 456 NtClose (152, ... ) == 0x0 01061 456 NtMapViewOfSection (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... 
(0xa20000), {0, 0}, 12288, ) == 0x0 01062 456 NtUnmapViewOfSection (-1, 0xa20000, ... ) == 0x0 01063 456 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1368, 0}, ... 152, ) == 0x0 01064 456 NtOpenSection (0xe, {24, 52, 0x0, 0, 0, (0xe, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 156, ) }, ... 156, ) == 0x0 01065 456 NtMapViewOfSection (156, 152, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0 01066 456 NtClose (156, ... ) == 0x0 01067 456 NtProtectVirtualMemory (152, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 01068 456 NtWriteVirtualMemory (152, 0x77f7e603, (152, 0x77f7e603, "\350\214=\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 01069 456 NtProtectVirtualMemory (152, (0x77f7eaf3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 01070 456 NtWriteVirtualMemory (152, 0x77f7eaf3, (152, 0x77f7eaf3, "\350\3518\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 01071 456 NtProtectVirtualMemory (152, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 01072 456 NtWriteVirtualMemory (152, 0x77f7e6a3, (152, 0x77f7e6a3, "\350@=\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 01073 456 NtProtectVirtualMemory (152, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 01074 456 NtWriteVirtualMemory (152, 0x77f7e6b3, (152, 0x77f7e6b3, "\350==\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 01075 456 NtClose (152, ... ) == 0x0 01076 456 NtMapViewOfSection (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0 01077 456 NtUnmapViewOfSection (-1, 0xa20000, ... ) == 0x0 01078 456 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1644, 0}, ... 152, ) == 0x0 01079 456 NtOpenSection (0xe, {24, 52, 0x0, 0, 0, (0xe, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 156, ) }, ... 156, ) == 0x0 01080 456 NtMapViewOfSection (156, 152, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0 01081 456 NtClose (156, ... ) == 0x0 01082 456 NtProtectVirtualMemory (152, (0x77f7e603), 5, 64, ... 
(0x77f7e000), 4096, 32, ) == 0x0 01083 456 NtWriteVirtualMemory (152, 0x77f7e603, (152, 0x77f7e603, "\350\214=\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 01084 456 NtProtectVirtualMemory (152, (0x77f7eaf3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 01085 456 NtWriteVirtualMemory (152, 0x77f7eaf3, (152, 0x77f7eaf3, "\350\3518\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 01086 456 NtProtectVirtualMemory (152, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 01087 456 NtWriteVirtualMemory (152, 0x77f7e6a3, (152, 0x77f7e6a3, "\350@=\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 01088 456 NtProtectVirtualMemory (152, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 01089 456 NtWriteVirtualMemory (152, 0x77f7e6b3, (152, 0x77f7e6b3, "\350==\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 01090 456 NtClose (152, ... ) == 0x0 01091 456 NtMapViewOfSection (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0 01092 456 NtUnmapViewOfSection (-1, 0xa20000, ... ) == 0x0 01093 456 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1848, 0}, ... 152, ) == 0x0 01094 456 NtOpenSection (0xe, {24, 52, 0x0, 0, 0, (0xe, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 156, ) }, ... 156, ) == 0x0 01095 456 NtMapViewOfSection (156, 152, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0 01096 456 NtClose (156, ... ) == 0x0 01097 456 NtProtectVirtualMemory (152, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 01098 456 NtWriteVirtualMemory (152, 0x77f7e603, (152, 0x77f7e603, "\350\214=\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 01099 456 NtProtectVirtualMemory (152, (0x77f7eaf3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 01100 456 NtWriteVirtualMemory (152, 0x77f7eaf3, (152, 0x77f7eaf3, "\350\3518\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 01101 456 NtProtectVirtualMemory (152, (0x77f7e6a3), 5, 64, ... 
(0x77f7e000), 4096, 64, ) == 0x0 01102 456 NtWriteVirtualMemory (152, 0x77f7e6a3, (152, 0x77f7e6a3, "\350@=\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 01103 456 NtProtectVirtualMemory (152, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 01104 456 NtWriteVirtualMemory (152, 0x77f7e6b3, (152, 0x77f7e6b3, "\350==\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 01105 456 NtClose (152, ... ) == 0x0 01106 456 NtMapViewOfSection (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0 01107 456 NtUnmapViewOfSection (-1, 0xa20000, ... ) == 0x0 01108 456 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1908, 0}, ... 152, ) == 0x0 01109 456 NtOpenSection (0xe, {24, 52, 0x0, 0, 0, (0xe, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 156, ) }, ... 156, ) == 0x0 01110 456 NtMapViewOfSection (156, 152, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0 01111 456 NtClose (156, ... ) == 0x0 01112 456 NtProtectVirtualMemory (152, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 01113 456 NtWriteVirtualMemory (152, 0x77f7e603, (152, 0x77f7e603, "\350\214=\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 01114 456 NtProtectVirtualMemory (152, (0x77f7eaf3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 01115 456 NtWriteVirtualMemory (152, 0x77f7eaf3, (152, 0x77f7eaf3, "\350\3518\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 01116 456 NtProtectVirtualMemory (152, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 01117 456 NtWriteVirtualMemory (152, 0x77f7e6a3, (152, 0x77f7e6a3, "\350@=\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 01118 456 NtProtectVirtualMemory (152, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 01119 456 NtWriteVirtualMemory (152, 0x77f7e6b3, (152, 0x77f7e6b3, "\350==\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 01120 456 NtClose (152, ... ) == 0x0 01121 456 NtMapViewOfSection (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... 
(0xa20000), {0, 0}, 12288, ) == 0x0 01122 456 NtUnmapViewOfSection (-1, 0xa20000, ... ) == 0x0 01123 456 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {2016, 0}, ... 152, ) == 0x0 01124 456 NtOpenSection (0xe, {24, 52, 0x0, 0, 0, (0xe, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 156, ) }, ... 156, ) == 0x0 01125 456 NtMapViewOfSection (156, 152, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0 01126 456 NtClose (156, ... ) == 0x0 01127 456 NtProtectVirtualMemory (152, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 01128 456 NtWriteVirtualMemory (152, 0x77f7e603, (152, 0x77f7e603, "\350\214=\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 01129 456 NtProtectVirtualMemory (152, (0x77f7eaf3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 01130 456 NtWriteVirtualMemory (152, 0x77f7eaf3, (152, 0x77f7eaf3, "\350\3518\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 01131 456 NtProtectVirtualMemory (152, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 01132 456 NtWriteVirtualMemory (152, 0x77f7e6a3, (152, 0x77f7e6a3, "\350@=\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 01133 456 NtProtectVirtualMemory (152, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 01134 456 NtWriteVirtualMemory (152, 0x77f7e6b3, (152, 0x77f7e6b3, "\350==\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 01135 456 NtClose (152, ... ) == 0x0 01136 456 NtMapViewOfSection (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0 01137 456 NtUnmapViewOfSection (-1, 0xa20000, ... ) == 0x0 01138 456 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {2024, 0}, ... 152, ) == 0x0 01139 456 NtOpenSection (0xe, {24, 52, 0x0, 0, 0, (0xe, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 156, ) }, ... 156, ) == 0x0 01140 456 NtMapViewOfSection (156, 152, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0 01141 456 NtClose (156, ... ) == 0x0 01142 456 NtProtectVirtualMemory (152, (0x77f7e603), 5, 64, ... 
(0x77f7e000), 4096, 32, ) == 0x0 01143 456 NtWriteVirtualMemory (152, 0x77f7e603, (152, 0x77f7e603, "\350\214=\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 01144 456 NtProtectVirtualMemory (152, (0x77f7eaf3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 01145 456 NtWriteVirtualMemory (152, 0x77f7eaf3, (152, 0x77f7eaf3, "\350\3518\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 01146 456 NtProtectVirtualMemory (152, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 01147 456 NtWriteVirtualMemory (152, 0x77f7e6a3, (152, 0x77f7e6a3, "\350@=\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 01148 456 NtProtectVirtualMemory (152, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 01149 456 NtWriteVirtualMemory (152, 0x77f7e6b3, (152, 0x77f7e6b3, "\350==\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 01150 456 NtClose (152, ... ) == 0x0 01151 456 NtMapViewOfSection (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0 01152 456 NtUnmapViewOfSection (-1, 0xa20000, ... ) == 0x0 01153 456 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {2032, 0}, ... 152, ) == 0x0 01154 456 NtOpenSection (0xe, {24, 52, 0x0, 0, 0, (0xe, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 156, ) }, ... 156, ) == 0x0 01155 456 NtMapViewOfSection (156, 152, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0 01156 456 NtClose (156, ... ) == 0x0 01157 456 NtProtectVirtualMemory (152, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 01158 456 NtWriteVirtualMemory (152, 0x77f7e603, (152, 0x77f7e603, "\350\214=\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 01159 456 NtProtectVirtualMemory (152, (0x77f7eaf3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 01160 456 NtWriteVirtualMemory (152, 0x77f7eaf3, (152, 0x77f7eaf3, "\350\3518\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 01161 456 NtProtectVirtualMemory (152, (0x77f7e6a3), 5, 64, ... 
(0x77f7e000), 4096, 64, ) == 0x0 01162 456 NtWriteVirtualMemory (152, 0x77f7e6a3, (152, 0x77f7e6a3, "\350@=\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 01163 456 NtProtectVirtualMemory (152, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 01164 456 NtWriteVirtualMemory (152, 0x77f7e6b3, (152, 0x77f7e6b3, "\350==\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 01165 456 NtClose (152, ... ) == 0x0 01166 456 NtMapViewOfSection (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0 01167 456 NtUnmapViewOfSection (-1, 0xa20000, ... ) == 0x0 01168 456 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {2044, 0}, ... 152, ) == 0x0 01169 456 NtOpenSection (0xe, {24, 52, 0x0, 0, 0, (0xe, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 156, ) }, ... 156, ) == 0x0 01170 456 NtMapViewOfSection (156, 152, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0 01171 456 NtClose (156, ... ) == 0x0 01172 456 NtProtectVirtualMemory (152, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 01173 456 NtWriteVirtualMemory (152, 0x77f7e603, (152, 0x77f7e603, "\350\214=\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 01174 456 NtProtectVirtualMemory (152, (0x77f7eaf3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 01175 456 NtWriteVirtualMemory (152, 0x77f7eaf3, (152, 0x77f7eaf3, "\350\3518\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 01176 456 NtProtectVirtualMemory (152, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 01177 456 NtWriteVirtualMemory (152, 0x77f7e6a3, (152, 0x77f7e6a3, "\350@=\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 01178 456 NtProtectVirtualMemory (152, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 01179 456 NtWriteVirtualMemory (152, 0x77f7e6b3, (152, 0x77f7e6b3, "\350==\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 01180 456 NtClose (152, ... ) == 0x0 01181 456 NtMapViewOfSection (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... 
(0xa20000), {0, 0}, 12288, ) == 0x0 01182 456 NtUnmapViewOfSection (-1, 0xa20000, ... ) == 0x0 01183 456 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {212, 0}, ... 152, ) == 0x0 01184 456 NtOpenSection (0xe, {24, 52, 0x0, 0, 0, (0xe, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 156, ) }, ... 156, ) == 0x0 01185 456 NtMapViewOfSection (156, 152, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0 01186 456 NtClose (156, ... ) == 0x0 01187 456 NtProtectVirtualMemory (152, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 01188 456 NtWriteVirtualMemory (152, 0x77f7e603, (152, 0x77f7e603, "\350\214=\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 01189 456 NtProtectVirtualMemory (152, (0x77f7eaf3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 01190 456 NtWriteVirtualMemory (152, 0x77f7eaf3, (152, 0x77f7eaf3, "\350\3518\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 01191 456 NtProtectVirtualMemory (152, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 01192 456 NtWriteVirtualMemory (152, 0x77f7e6a3, (152, 0x77f7e6a3, "\350@=\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 01193 456 NtProtectVirtualMemory (152, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 01194 456 NtWriteVirtualMemory (152, 0x77f7e6b3, (152, 0x77f7e6b3, "\350==\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 01195 456 NtClose (152, ... ) == 0x0 01196 456 NtMapViewOfSection (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0 01197 456 NtUnmapViewOfSection (-1, 0xa20000, ... ) == 0x0 01198 456 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {448, 0}, ... 152, ) == 0x0 01199 456 NtOpenSection (0xe, {24, 52, 0x0, 0, 0, (0xe, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 156, ) }, ... 156, ) == 0x0 01200 456 NtMapViewOfSection (156, 152, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0 01201 456 NtClose (156, ... ) == 0x0 01202 456 NtProtectVirtualMemory (152, (0x77f7e603), 5, 64, ... 
(0x77f7e000), 4096, 32, ) == 0x0 01203 456 NtWriteVirtualMemory (152, 0x77f7e603, (152, 0x77f7e603, "\350\214=\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 01204 456 NtProtectVirtualMemory (152, (0x77f7eaf3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 01205 456 NtWriteVirtualMemory (152, 0x77f7eaf3, (152, 0x77f7eaf3, "\350\3518\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 01206 456 NtProtectVirtualMemory (152, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 01207 456 NtWriteVirtualMemory (152, 0x77f7e6a3, (152, 0x77f7e6a3, "\350@=\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 01208 456 NtProtectVirtualMemory (152, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 01209 456 NtWriteVirtualMemory (152, 0x77f7e6b3, (152, 0x77f7e6b3, "\350==\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 01210 456 NtClose (152, ... ) == 0x0 01211 456 NtMapViewOfSection (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0 01212 456 NtUnmapViewOfSection (-1, 0xa20000, ... ) == 0x0 01213 456 NtClose (112, ... ) == 0x0 01214 456 NtClose (104, ... ) == 0x0 01215 456 NtCreateEvent (0x1f0003, {24, 52, 0x80, 1245092, 0, (0x1f0003, {24, 52, 0x80, 1245092, 0, "VT_3"}, 1, 0, ... 104, ) }, 1, 0, ... 104, ) == STATUS_OBJECT_NAME_EXISTS 01216 456 NtClose (104, ... ) == 0x0 01217 456 NtQueryPerformanceCounter (... {105948872, 0}, {3579545, 0}, ) == 0x0 01218 456 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01219 456 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 10616832, 65536, ) == 0x0 01220 456 NtAllocateVirtualMemory (-1, 10616832, 0, 4096, 4096, 4, ... 10616832, 4096, ) == 0x0 01221 456 NtAllocateVirtualMemory (-1, 10620928, 0, 8192, 4096, 4, ... 
10620928, 8192, ) == 0x0 01222 456 NtAllocateVirtualMemory (-1, 10629120, 0, 4096, 4096, 4, ... 10629120, 4096, ) == 0x0 01223 456 NtQueryInformationProcess (-1, DebugPort, 4, ... {process info, class 7, size 4}, 0x0, ) == 0x0 01224 456 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01225 456 NtQueryInformationJobObject (0, BasicLimit, 48, ... ) == STATUS_ACCESS_DENIED 01226 456 NtOpenKey (0x80000000, {24, 0, 0xc0, 0, 0, (0x80000000, {24, 0, 0xc0, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AeDebug"}, ... 104, ) }, ... 104, ) == 0x0 01227 456 NtQueryValueKey (104, (104, "Debugger", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_BUFFER_OVERFLOW 01228 456 NtQueryValueKey (104, (104, "Debugger", Partial, 64, ... TitleIdx=0, Type=1, Data="d\0r\0w\0t\0s\0n\03\02\0 \0-\0p\0 \0%\0l\0d\0 \0-\0e\0 \0%\0l\0d\0 \0-\0g\0\0\0"}, 64, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (104, "Debugger", Partial, 64, ... TitleIdx=0, Type=1, Data="d\0r\0w\0t\0s\0n\03\02\0 \0-\0p\0 \0%\0l\0d\0 \0-\0e\0 \0%\0l\0d\0 \0-\0g\0\0\0"}, 64, ) }, 64, ) == 0x0 01229 456 NtQueryKey (104, Basic, 24, ... ) == STATUS_BUFFER_OVERFLOW 01230 456 NtQueryValueKey (104, (104, "Auto", Partial, 16, ... TitleIdx=0, Type=1, Data="1\0\0\0"}, 16, ) , Partial, 16, ... TitleIdx=0, Type=1, Data= (104, "Auto", Partial, 16, ... TitleIdx=0, Type=1, Data="1\0\0\0"}, 16, ) }, 16, ) == 0x0 01231 456 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\faultrep.dll"}, 1240220, ... ) }, 1240220, ... ) == 0x0 01232 456 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\faultrep.dll"}, 5, 96, ... 112, {status=0x0, info=1}, ) }, 5, 96, ... 112, {status=0x0, info=1}, ) == 0x0 01233 456 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 112, ... 152, ) == 0x0 01234 456 NtClose (112, ... 
) == 0x0 01235 456 NtMapViewOfSection (152, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa30000), 0x0, 65536, ) == 0x0 01236 456 NtClose (152, ... ) == 0x0 01237 456 NtUnmapViewOfSection (-1, 0xa30000, ... ) == 0x0 01238 456 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\faultrep.dll"}, 1240536, ... ) }, 1240536, ... ) == 0x0 01239 456 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\faultrep.dll"}, 5, 96, ... 152, {status=0x0, info=1}, ) }, 5, 96, ... 152, {status=0x0, info=1}, ) == 0x0 01240 456 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 152, ... 112, ) == 0x0 01241 456 NtQuerySection (112, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01242 456 NtClose (152, ... ) == 0x0 01243 456 NtMapViewOfSection (112, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x69450000), 0x0, 73728, ) == 0x0 01244 456 NtClose (112, ... ) == 0x0 01245 456 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "VERSION.dll"}, ... 112, ) }, ... 112, ) == 0x0 01246 456 NtMapViewOfSection (112, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c00000), 0x0, 28672, ) == 0x0 01247 456 NtClose (112, ... ) == 0x0 01248 456 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "USERENV.dll"}, ... 112, ) }, ... 112, ) == 0x0 01249 456 NtMapViewOfSection (112, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75a70000), 0x0, 667648, ) == 0x0 01250 456 NtClose (112, ... ) == 0x0 01251 456 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WINSTA.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01252 456 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WINSTA.dll"}, 1239724, ... ) }, 1239724, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01253 456 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WINSTA.dll"}, 1239724, ... ) }, 1239724, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01254 456 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINSTA.dll"}, 1239724, ... ) }, 1239724, ... ) == 0x0 01255 456 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINSTA.dll"}, 5, 96, ... 112, {status=0x0, info=1}, ) }, 5, 96, ... 112, {status=0x0, info=1}, ) == 0x0 01256 456 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 112, ... 152, ) == 0x0 01257 456 NtQuerySection (152, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01258 456 NtClose (112, ... ) == 0x0 01259 456 NtMapViewOfSection (152, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76360000), 0x0, 61440, ) == 0x0 01260 456 NtClose (152, ... ) == 0x0 01261 456 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WTSAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01262 456 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WTSAPI32.dll"}, 1239724, ... ) }, 1239724, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01263 456 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WTSAPI32.dll"}, 1239724, ... ) }, 1239724, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01264 456 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WTSAPI32.dll"}, 1239724, ... ) }, 1239724, ... ) == 0x0 01265 456 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WTSAPI32.dll"}, 5, 96, ... 152, {status=0x0, info=1}, ) }, 5, 96, ... 152, {status=0x0, info=1}, ) == 0x0 01266 456 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 152, ... 112, ) == 0x0 01267 456 NtQuerySection (112, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01268 456 NtClose (152, ... ) == 0x0 01269 456 NtMapViewOfSection (112, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f50000), 0x0, 32768, ) == 0x0 01270 456 NtClose (112, ... 
) == 0x0 01271 456 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 112, ) }, ... 112, ) == 0x0 01272 456 NtQueryValueKey (112, (112, "UserEnvDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01273 456 NtClose (112, ... ) == 0x0 01274 456 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 112, ) }, ... 112, ) == 0x0 01275 456 NtQueryValueKey (112, (112, "ChkAccDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01276 456 NtClose (112, ... ) == 0x0 01277 456 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Control\ProductOptions"}, ... 112, ) }, ... 112, ) == 0x0 01278 456 NtQueryValueKey (112, (112, "ProductType", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0i\0n\0N\0T\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "ProductType", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0i\0n\0N\0T\0\0\0"}, 24, ) }, 24, ) == 0x0 01279 456 NtClose (112, ... ) == 0x0 01280 456 NtCreateEvent (0x1f0003, {24, 52, 0x80, 1240152, 0, (0x1f0003, {24, 52, 0x80, 1240152, 0, "Global\userenv: User Profile setup event"}, 0, 1, ... 112, ) }, 0, 1, ... 112, ) == STATUS_OBJECT_NAME_EXISTS 01281 456 NtQueryDefaultLocale (1, 1237988, ... ) == 0x0 01282 456 NtQueryDefaultLocale (1, 1237988, ... ) == 0x0 01283 456 NtQueryDefaultLocale (1, 1237988, ... ) == 0x0 01284 456 NtQueryDefaultLocale (1, 1237988, ... ) == 0x0 01285 456 NtQueryDefaultLocale (1, 1237988, ... ) == 0x0 01286 456 NtQueryDefaultLocale (1, 1237988, ... ) == 0x0 01287 456 NtQueryDefaultLocale (1, 1237988, ... ) == 0x0 01288 456 NtQueryDefaultLocale (1, 1237988, ... ) == 0x0 01289 456 NtQueryDefaultLocale (1, 1237988, ... ) == 0x0 01290 456 NtQueryDefaultLocale (1, 1237988, ... 
) == 0x0 01291 456 NtQueryDefaultLocale (1, 1237988, ... ) == 0x0 01292 456 NtQueryDefaultLocale (1, 1237988, ... ) == 0x0 01293 456 NtQueryDefaultLocale (1, 1237988, ... ) == 0x0 01294 456 NtQueryDefaultLocale (1, 1237988, ... ) == 0x0 01295 456 NtQueryDefaultLocale (1, 1237988, ... ) == 0x0 01296 456 NtQueryDefaultLocale (1, 1237988, ... ) == 0x0 01297 456 NtQueryDefaultLocale (1, 1237988, ... ) == 0x0 01298 456 NtQueryDefaultLocale (1, 1237988, ... ) == 0x0 01299 456 NtQueryDefaultLocale (1, 1237988, ... ) == 0x0 01300 456 NtQueryDefaultLocale (1, 1237988, ... ) == 0x0 01301 456 NtQueryDefaultLocale (1, 1237988, ... ) == 0x0 01302 456 NtQueryDefaultLocale (1, 1237988, ... ) == 0x0 01303 456 NtQueryDefaultLocale (1, 1237988, ... ) == 0x0 01304 456 NtQueryDefaultLocale (1, 1237988, ... ) == 0x0 01305 456 NtQueryDefaultLocale (1, 1237988, ... ) == 0x0 01306 456 NtQueryDefaultLocale (1, 1237988, ... ) == 0x0 01307 456 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01308 456 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 152, ) == 0x0 01309 456 NtQueryInformationToken (152, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01310 456 NtClose (152, ... ) == 0x0 01311 456 NtOpenKey (0x20019, {24, 0, 0x640, 0, 0, (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 152, ) }, ... 152, ) == 0x0 01312 456 NtOpenKey (0x20019, {24, 152, 0x40, 0, 0, (0x20019, {24, 152, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, ... 156, ) }, ... 156, ) == 0x0 01313 456 NtQueryValueKey (156, (156, "Personal", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 66, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (156, "Personal", Partial, 144, ... 
TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 66, ) }, 66, ) == 0x0 01314 456 NtQueryDefaultLocale (1, 1237988, ... ) == 0x0 01315 456 NtQueryValueKey (156, (156, "Local Settings", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 70, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (156, "Local Settings", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 70, ) }, 70, ) == 0x0 01316 456 NtQueryDefaultLocale (1, 1237988, ... ) == 0x0 01317 456 NtQueryDefaultLocale (1, 1237988, ... ) == 0x0 01318 456 NtQueryDefaultLocale (1, 1237988, ... ) == 0x0 01319 456 NtQueryDefaultLocale (1, 1237988, ... ) == 0x0 01320 456 NtClose (156, ... ) == 0x0 01321 456 NtClose (152, ... ) == 0x0 01322 456 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 152, ) }, ... 152, ) == 0x0 01323 456 NtQueryValueKey (152, (152, "RsopDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01324 456 NtClose (152, ... ) == 0x0 01325 456 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 152, ) }, ... 152, ) == 0x0 01326 456 NtQueryValueKey (152, (152, "UserEnvDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01327 456 NtQueryValueKey (152, (152, "RsopLogging", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01328 456 NtClose (152, ... ) == 0x0 01329 456 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\System"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01330 456 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 152, ) }, ... 152, ) == 0x0 01331 456 NtQueryValueKey (152, (152, "UserEnvDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01332 456 NtClose (152, ... ) == 0x0 01333 456 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\System"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01334 456 NtOpenKey (0x20119, {24, 28, 0x40, 0, 0, (0x20119, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\PCHealth\ErrorReporting"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01335 456 NtCreateKey (0x20119, {24, 28, 0x40, 0, 0, (0x20119, {24, 28, 0x40, 0, 0, "Software\Microsoft\PCHealth\ErrorReporting"}, 0, 0x0, 0, ... 152, 2, ) }, 0, 0x0, 0, ... 152, 2, ) == 0x0 01336 456 NtOpenKey (0x10000, {24, 152, 0x40, 0, 0, (0x10000, {24, 152, 0x40, 0, 0, "DW"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01337 456 NtQueryValueKey (152, (152, "DoReport", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (152, "DoReport", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01338 456 NtQueryValueKey (152, (152, "ShowUI", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (152, "ShowUI", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01339 456 NtQueryValueKey (152, (152, "AllOrNone", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (152, "AllOrNone", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01340 456 NtQueryValueKey (152, (152, "IncludeMicrosoftApps", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... 
TitleIdx=0, Type=4, Data= (152, "IncludeMicrosoftApps", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01341 456 NtQueryValueKey (152, (152, "IncludeWindowsApps", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (152, "IncludeWindowsApps", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01342 456 NtQueryValueKey (152, (152, "DoTextLog", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01343 456 NtQueryValueKey (152, (152, "IncludeKernelFaults", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (152, "IncludeKernelFaults", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01344 456 NtQueryValueKey (152, (152, "IncludeShutdownErrs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01345 456 NtQueryValueKey (152, (152, "NumberOfFaultPipes", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01346 456 NtQueryValueKey (152, (152, "NumberOfHangPipes", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01347 456 NtQueryValueKey (152, (152, "MaxUserQueueSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01348 456 NtQueryValueKey (152, (152, "ForceQueueMode", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01349 456 NtQueryValueKey (152, (152, "UseInternalServer", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01350 456 NtCreateKey (0x20119, {24, 152, 0x40, 0, 0, (0x20119, {24, 152, 0x40, 0, 0, "ExclusionList"}, 0, 0x0, 0, ... 156, 2, ) }, 0, 0x0, 0, ... 156, 2, ) == 0x0 01351 456 NtCreateKey (0x20119, {24, 152, 0x40, 0, 0, (0x20119, {24, 152, 0x40, 0, 0, "InclusionList"}, 0, 0x0, 0, ... 160, 2, ) }, 0, 0x0, 0, ... 160, 2, ) == 0x0 01352 456 NtClose (152, ... 
) == 0x0 01353 456 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\Setup"}, ... 152, ) }, ... 152, ) == 0x0 01354 456 NtQueryValueKey (152, (152, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (152, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01355 456 NtClose (152, ... ) == 0x0 01356 456 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01357 456 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01358 456 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1236200, ... ) }, 1236200, ... ) == 0x0 01359 456 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1235012, ... ) }, 1235012, ... ) == 0x0 01360 456 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01361 456 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01362 456 NtQueryValueKey (156, (156, "packed.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01363 456 NtOpenThreadToken (-2, 0x2000c, 1, ... ) == STATUS_NO_TOKEN 01364 456 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01365 456 NtAllocateVirtualMemory (-1, 1433600, 0, 4096, 4096, 4, ... 1433600, 4096, ) == 0x0 01366 456 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 152, ) == 0x0 01367 456 NtConnectPort ( ("\RPC Control\IcaApi", {12, 2, 1, 0}, 0x0, 0x0, 1235416, 112, ... 164, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 0}, 0x0, 0x0, 1235416, 112, ... 
164, 0x0, 0x0, 0x0, 112, ) == 0x0 01368 456 NtRequestWaitReplyPort (164, {128, 152, new_msg, 0, 120748, 1376256, 1235180, 2012750850} (164, {128, 152, new_msg, 0, 120748, 1376256, 1235180, 2012750850} "\0\337\22\0\2$\370w\370T\367w`\247\244\\261\353\317\21\206\21\0\240$T \355\1\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\330\352\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0x\1\25\0x\1\25\0\0\0\0\0\0\0\0\08\351\25\0\250\352\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\253\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 448, 456, 1537, 0} "\7\337\22\0\2$\370w\370T\367w`\247\244\\261\353\317\21\206\21\0\240$T \355\1\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0x\1\25\0x\1\25\0\0\0\0\0\0\0\0\08\351\25\0\250\352\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\253\0\0\0\5\0\0\0" ) ... {128, 152, reply, 0, 448, 456, 1537, 0} (164, {128, 152, new_msg, 0, 120748, 1376256, 1235180, 2012750850} "\0\337\22\0\2$\370w\370T\367w`\247\244\\261\353\317\21\206\21\0\240$T \355\1\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\330\352\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0x\1\25\0x\1\25\0\0\0\0\0\0\0\0\08\351\25\0\250\352\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\253\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 448, 456, 1537, 0} "\7\337\22\0\2$\370w\370T\367w`\247\244\\261\353\317\21\206\21\0\240$T \355\1\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0x\1\25\0x\1\25\0\0\0\0\0\0\0\0\08\351\25\0\250\352\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\253\0\0\0\5\0\0\0" ) ) == 0x0 01369 456 NtRequestWaitReplyPort (164, {32, 56, new_msg, 0, 44, 3, 20, 0} (164, {32, 56, new_msg, 0, 44, 3, 20, 0} "\1\0\0\0A\3\0\0`\247\244\\261\353\317\21\206\21\0\240$T \355\377\377\377\377\21\0\0\0" ... 
{124, 148, reply, 0, 448, 456, 1538, 0} "\2p\370\177\1\00\300\0\0\0\0\305\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Uk\250\243\347?\334\21\261\310\0\14)\371\246\305\1\0\0\0\1\0\0\0\0\0\0\0\250S\34\201H\22\31\201\1\23\31\201\0\0\0\0\34\376\37\300H\22\31\201\0\0\0\0\0\0\311\1\377\377\310\1\0\0\0\0\0\0\311\1\0G>\201H\22\31\201<\213-\370" ) ... {124, 148, reply, 0, 448, 456, 1538, 0} (164, {32, 56, new_msg, 0, 44, 3, 20, 0} "\1\0\0\0A\3\0\0`\247\244\\261\353\317\21\206\21\0\240$T \355\377\377\377\377\21\0\0\0" ... {124, 148, reply, 0, 448, 456, 1538, 0} "\2p\370\177\1\00\300\0\0\0\0\305\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Uk\250\243\347?\334\21\261\310\0\14)\371\246\305\1\0\0\0\1\0\0\0\0\0\0\0\250S\34\201H\22\31\201\1\23\31\201\0\0\0\0\34\376\37\300H\22\31\201\0\0\0\0\0\0\311\1\377\377\310\1\0\0\0\0\0\0\311\1\0G>\201H\22\31\201<\213-\370" ) ) == 0x0 01370 456 NtAllocateVirtualMemory (-1, 1437696, 0, 4096, 4096, 4, ... 1437696, 4096, ) == 0x0 01371 456 NtRequestWaitReplyPort (164, {44, 68, new_msg, 56, 448, 456, 1538, 0} (164, {44, 68, new_msg, 56, 448, 456, 1538, 0} "\1p\0\0B\2\5\0\0\0\0\0\305\7\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\1\0\0\08\354\25\0\10\5\0\0" ... {40, 64, reply, 0, 448, 456, 1539, 0} "\2\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\14\5\0\0\260\323\21\0" ) ... {40, 64, reply, 0, 448, 456, 1539, 0} (164, {44, 68, new_msg, 56, 448, 456, 1538, 0} "\1p\0\0B\2\5\0\0\0\0\0\305\7\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\1\0\0\08\354\25\0\10\5\0\0" ... {40, 64, reply, 0, 448, 456, 1539, 0} "\2\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\14\5\0\0\260\323\21\0" ) ) == 0x0 01372 456 NtRequestWaitReplyPort (164, {64, 88, new_msg, 56, 0, 1436720, 1376632, 0} (164, {64, 88, new_msg, 56, 0, 1436720, 1376632, 0} "\10\2\0\0@\0\0\00\353\25\0\340\333\22\0H\334\22\0\242\0\1\1\0\0\25\0\344\332\22\0\1\0\0\08\354\25\0\14\5\0\0\14\5\0\0\260\323\21\0\0\0\0\0\0\0\0\0\0\0\25\0" ... 
{64, 88, reply, 56, 448, 456, 1540, 0} "\10\2\0\0@\0\0\00\353\25\0\340\333\22\0H\334\22\0\242\0\1\1\0\0\25\0\344\332\22\0\1\0\0\08\354\25\0\14\5\0\0\14\5\0\0\260\323\21\0\0\0\0\0\0\0\0\0\0\0\25\0" ) ... {64, 88, reply, 56, 448, 456, 1540, 0} (164, {64, 88, new_msg, 56, 0, 1436720, 1376632, 0} "\10\2\0\0@\0\0\00\353\25\0\340\333\22\0H\334\22\0\242\0\1\1\0\0\25\0\344\332\22\0\1\0\0\08\354\25\0\14\5\0\0\14\5\0\0\260\323\21\0\0\0\0\0\0\0\0\0\0\0\25\0" ... {64, 88, reply, 56, 448, 456, 1540, 0} "\10\2\0\0@\0\0\00\353\25\0\340\333\22\0H\334\22\0\242\0\1\1\0\0\25\0\344\332\22\0\1\0\0\08\354\25\0\14\5\0\0\14\5\0\0\260\323\21\0\0\0\0\0\0\0\0\0\0\0\25\0" ) ) == 0x0 01373 456 NtRequestWaitReplyPort (164, {44, 68, new_msg, 56, 448, 456, 1539, 0} (164, {44, 68, new_msg, 56, 448, 456, 1539, 0} "\1\0\0\0B\2\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\1\0\0\08\354\25\0\10\5\0\0" ... {40, 64, reply, 0, 448, 456, 1541, 0} "\2p\370\177\4\00\300\0\0\0\0\305\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\14\5\0\0\260\323\21\0" ) ... {40, 64, reply, 0, 448, 456, 1541, 0} (164, {44, 68, new_msg, 56, 448, 456, 1539, 0} "\1\0\0\0B\2\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\1\0\0\08\354\25\0\10\5\0\0" ... {40, 64, reply, 0, 448, 456, 1541, 0} "\2p\370\177\4\00\300\0\0\0\0\305\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\14\5\0\0\260\323\21\0" ) ) == 0x0 01374 456 NtRequestWaitReplyPort (164, {64, 88, new_msg, 56, 0, 1436720, 1376632, 0} (164, {64, 88, new_msg, 56, 0, 1436720, 1376632, 0} "\10\2\0\0@\0\0\00\353\25\0\340\333\22\0H\334\22\0\242\0\1\1\0\0\25\0\344\332\22\0\1\0\0\08\354\25\0\14\5\0\0\14\5\0\0\260\323\21\0\0\0\0\0\0\0\0\0\0\0\25\0" ... {64, 88, reply, 56, 448, 456, 1542, 0} "\10\2\0\0@\0\0\00\353\25\0\340\333\22\0H\334\22\0\242\0\1\1\0\0\25\0\344\332\22\0\1\0\0\08\354\25\0\14\5\0\0\14\5\0\0\260\323\21\0\0\0\0\0\0\0\0\0\0\0\25\0" ) ... 
{64, 88, reply, 56, 448, 456, 1542, 0} (164, {64, 88, new_msg, 56, 0, 1436720, 1376632, 0} "\10\2\0\0@\0\0\00\353\25\0\340\333\22\0H\334\22\0\242\0\1\1\0\0\25\0\344\332\22\0\1\0\0\08\354\25\0\14\5\0\0\14\5\0\0\260\323\21\0\0\0\0\0\0\0\0\0\0\0\25\0" ... {64, 88, reply, 56, 448, 456, 1542, 0} "\10\2\0\0@\0\0\00\353\25\0\340\333\22\0H\334\22\0\242\0\1\1\0\0\25\0\344\332\22\0\1\0\0\08\354\25\0\14\5\0\0\14\5\0\0\260\323\21\0\0\0\0\0\0\0\0\0\0\0\25\0" ) ) == 0x0 01375 456 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01376 456 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 168, ) == 0x0 01377 456 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01378 456 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01379 456 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1235372, (0xc0100080, {24, 0, 0x40, 0, 1235372, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 172, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 172, {status=0x0, info=1}, ) == 0x0 01380 456 NtSetInformationFile (172, 1235428, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 01381 456 NtSetInformationFile (172, 1235420, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 01382 456 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01383 456 NtWriteFile (172, 129, 0, 0, (172, 129, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 01384 456 NtReadFile (172, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (172, 129, 0, 0, 1024, {0, 0}, 0, ... 
{status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\22\33\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 01385 456 NtFsControlFile (172, 129, 0x0, 0x0, 0x11c017, (172, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0d\340\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\22\33\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68}, (172, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0d\340\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\22\33\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 01386 456 NtFsControlFile (172, 129, 0x0, 0x0, 0x11c017, (172, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\200\0\0\0\2\0\0\0h\0\0\0\0\0D\0\0\0\0\0Pu)\241\347?\334\21\261\310\0\14)\371\246\305\1\0\0\0\1\0\0\0 \0"\0\4\343\22\0\21\0\0\0\0\0\0\0\20\0\0\0M\0Y\0W\0O\0R\0L\0D\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 128, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0Pu)\241\347?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) \0\4\343\22\0\21\0\0\0\0\0\0\0\20\0\0\0M\0Y\0W\0O\0R\0L\0D\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 (172, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\200\0\0\0\2\0\0\0h\0\0\0\0\0D\0\0\0\0\0Pu)\241\347?\334\21\261\310\0\14)\371\246\305\1\0\0\0\1\0\0\0 \0"\0\4\343\22\0\21\0\0\0\0\0\0\0\20\0\0\0M\0Y\0W\0O\0R\0L\0D\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 128, 1024, ... 
{status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0Pu)\241\347?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) \5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0Pu)\241\347?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) == 0x103 01387 456 NtFsControlFile (172, 129, 0x0, 0x0, 0x11c017, (172, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0Pu)\241\347?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0p\344\25\0\1\0\0\0|\344\25\0 \0\0\0\1\0\0\0\16\0\20\0\210\344\25\0\230\344\25\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0\0\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\330\344\25\0\1\0\0\0\1\0\0\0\350\344\25\0\0\0\0\0\0\0\0\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=180}, (172, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0Pu)\241\347?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0p\344\25\0\1\0\0\0|\344\25\0 \0\0\0\1\0\0\0\16\0\20\0\210\344\25\0\230\344\25\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0\0\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\330\344\25\0\1\0\0\0\1\0\0\0\350\344\25\0\0\0\0\0\0\0\0\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\1\0\0\0\0\0\0\0", ) , ) == 0x103 01388 456 NtClose (168, ... ) == 0x0 01389 456 NtClose (172, ... ) == 0x0 01390 456 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01391 456 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 172, ) == 0x0 01392 456 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01393 456 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... 
) == 0x0 01394 456 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1235344, (0xc0100080, {24, 0, 0x40, 0, 1235344, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 168, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 168, {status=0x0, info=1}, ) == 0x0 01395 456 NtSetInformationFile (168, 1235400, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 01396 456 NtSetInformationFile (168, 1235392, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 01397 456 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01398 456 NtWriteFile (168, 129, 0, 0, (168, 129, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 01399 456 NtReadFile (168, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (168, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\23\33\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 01400 456 NtFsControlFile (168, 129, 0x0, 0x0, 0x11c017, (168, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0H\340\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\23\33\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68}, (168, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0H\340\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... 
{status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\23\33\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 01401 456 NtFsControlFile (168, 129, 0x0, 0x0, 0x11c017, (168, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\200\0\0\0\2\0\0\0h\0\0\0\0\0D\0\0\0\0\0Qu)\241\347?\334\21\261\310\0\14)\371\246\305\1\0\0\0\1\0\0\0 \0"\0\4\343\22\0\21\0\0\0\0\0\0\0\20\0\0\0M\0Y\0W\0O\0R\0L\0D\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 128, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0Qu)\241\347?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) \0\4\343\22\0\21\0\0\0\0\0\0\0\20\0\0\0M\0Y\0W\0O\0R\0L\0D\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 (168, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\200\0\0\0\2\0\0\0h\0\0\0\0\0D\0\0\0\0\0Qu)\241\347?\334\21\261\310\0\14)\371\246\305\1\0\0\0\1\0\0\0 \0"\0\4\343\22\0\21\0\0\0\0\0\0\0\20\0\0\0M\0Y\0W\0O\0R\0L\0D\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 128, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0Qu)\241\347?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) \5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0Qu)\241\347?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) == 0x103 01402 456 NtFsControlFile (168, 129, 0x0, 0x0, 0x11c017, (168, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0Qu)\241\347?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... 
{status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0p\344\25\0\1\0\0\0|\344\25\0 \0\0\0\1\0\0\0\16\0\20\0\210\344\25\0\230\344\25\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0\0\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\330\344\25\0\1\0\0\0\1\0\0\0\350\344\25\0\0\0\0\0\0\0\0\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=180}, (168, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0Qu)\241\347?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0p\344\25\0\1\0\0\0|\344\25\0 \0\0\0\1\0\0\0\16\0\20\0\210\344\25\0\230\344\25\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0\0\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\330\344\25\0\1\0\0\0\1\0\0\0\350\344\25\0\0\0\0\0\0\0\0\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\1\0\0\0\0\0\0\0", ) , ) == 0x103 01403 456 NtClose (172, ... ) == 0x0 01404 456 NtClose (168, ... ) == 0x0 01405 456 NtOpenProcessToken (-1, 0x20008, ... 168, ) == 0x0 01406 456 NtQueryInformationToken (168, User, 0, ... ) == STATUS_BUFFER_TOO_SMALL 01407 456 NtQueryInformationToken (168, User, 36, ... {token info, class 1, size 36}, 36, ) == 0x0 01408 456 NtOpenDirectoryObject (0x2, {24, 0, 0x40, 0, 0, (0x2, {24, 0, 0x40, 0, 0, "\Windows\WindowStations"}, ... 172, ) }, ... 172, ) == 0x0 01409 456 NtUserOpenWindowStation ({24, 172, 0x40, 0, 0, ({24, 172, 0x40, 0, 0, "winsta0"}, 0x37f, ... ) }, 0x37f, ... ) == 0xb0 01410 456 NtClose (172, ... ) == 0x0 01411 456 NtUserCloseWindowStation (176, ... 01412 456 NtClose (176, ... ) == 0x0 01411 456 NtUserCloseWindowStation ... ) == 0x1 01413 456 NtClose (168, ... ) == 0x0 01414 456 NtCreateEvent (0x1f0003, {24, 0, 0x2, 0, 0, 0x0}, 1, 0, ... 
168, ) == 0x0 01415 456 NtCreateEvent (0x1f0003, {24, 0, 0x2, 0, 0, 0x0}, 1, 0, ... 176, ) == 0x0 01416 456 NtCreateMutant (0x1f0001, {24, 0, 0x2, 0, 0, 0x0}, 0, ... 172, ) == 0x0 01417 456 NtDuplicateObject (-1, -1, -1, 0x1f0fff, 2, 0, ... 180, ) == 0x0 01418 456 NtCreateSection (0xf0007, {24, 0, 0x2, 0, 0, 0x0}, {7248, 0}, 4, 134217728, 0, ... 184, ) == 0x0 01419 456 NtMapViewOfSection (184, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa30000), {0, 0}, 8192, ) == 0x0 01420 456 NtQueryDefaultUILanguage (1236544, ... 01421 456 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01422 456 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482032, ) == 0x0 01423 456 NtQueryInformationToken (-2147482032, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01424 456 NtClose (-2147482032, ... ) == 0x0 01425 456 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 01426 456 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01427 456 NtOpenKey (0x80000000, {24, -2147482032, 0x640, 0, 0, (0x80000000, {24, -2147482032, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482044, ) }, ... -2147482044, ) == 0x0 01428 456 NtQueryValueKey (-2147482044, (-2147482044, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01429 456 NtClose (-2147482044, ... ) == 0x0 01430 456 NtClose (-2147482032, ... ) == 0x0 01420 456 NtQueryDefaultUILanguage ... ) == 0x0 01431 456 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01432 456 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... 
{process info, class 12, size 4}, 0x0, ) == 0x0 01433 456 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01434 456 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1234824, ... ) }, 1234824, ... ) == 0x0 01435 456 NtAllocateVirtualMemory (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0 01436 456 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1233636, ... ) }, 1233636, ... ) == 0x0 01437 456 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01438 456 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01439 456 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp"}, 1236052, ... ) }, 1236052, ... ) == 0x0 01440 456 NtRequestWaitReplyPort (24, {20, 48, new_msg, 0, 2012563070, 1432976, 2012568802, 0} (24, {20, 48, new_msg, 0, 2012563070, 1432976, 2012568802, 0} "\0\0\0\0\2\0\1\0\0\0\0\0D\0\0\0P\342\25\0" ... {20, 48, reply, 0, 448, 456, 1543, 0} "\0\0\0\0\2\0\1\0\1\0\0\0D\0\0\0\1\0\0\0" ) ... {20, 48, reply, 0, 448, 456, 1543, 0} (24, {20, 48, new_msg, 0, 2012563070, 1432976, 2012568802, 0} "\0\0\0\0\2\0\1\0\0\0\0\0D\0\0\0P\342\25\0" ... {20, 48, reply, 0, 448, 456, 1543, 0} "\0\0\0\0\2\0\1\0\1\0\0\0D\0\0\0\1\0\0\0" ) ) == 0x0 01441 456 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1236060, (0x80100080, {24, 0, 0x40, 0, 1236060, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\WER1.tmp"}, 0x0, 128, 0, 2, 96, 0, 0, ... ) }, 0x0, 128, 0, 2, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_COLLISION 01442 456 NtRequestWaitReplyPort (24, {20, 48, new_msg, 0, 448, 456, 1543, 0} (24, {20, 48, new_msg, 0, 448, 456, 1543, 0} "\0\0\0\0\2\0\1\0\1\0\0\0D\0\0\0\1\0\0\0" ... {20, 48, reply, 0, 448, 456, 1544, 0} "\0\0\0\0\2\0\1\0\2\0\0\0D\0\0\0\2\0\0\0" ) ... 
{20, 48, reply, 0, 448, 456, 1544, 0} (24, {20, 48, new_msg, 0, 448, 456, 1543, 0} "\0\0\0\0\2\0\1\0\1\0\0\0D\0\0\0\1\0\0\0" ... {20, 48, reply, 0, 448, 456, 1544, 0} "\0\0\0\0\2\0\1\0\2\0\0\0D\0\0\0\2\0\0\0" ) ) == 0x0 01443 456 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1236060, (0x80100080, {24, 0, 0x40, 0, 1236060, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\WER2.tmp"}, 0x0, 128, 0, 2, 96, 0, 0, ... 188, {status=0x0, info=2}, ) }, 0x0, 128, 0, 2, 96, 0, 0, ... 188, {status=0x0, info=2}, ) == 0x0 01444 456 NtClose (188, ... ) == 0x0 01445 456 NtCreateFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\WER2.tmp.dir00"}, 0x0, 128, 3, 2, 16417, 0, 0, ... 188, {status=0x0, info=2}, ) }, 0x0, 128, 3, 2, 16417, 0, 0, ... 188, {status=0x0, info=2}, ) == 0x0 01446 456 NtClose (188, ... ) == 0x0 01447 456 NtCreateSection (0xf001f, 0x0, {4194304, 0}, 4, 67108864, 0, ... 188, ) == 0x0 01448 456 NtMapViewOfSection (188, -1, (0x0), 0, 0, 0x0, 4194304, 2, 0, 4, ... (0xa40000), 0x0, 4194304, ) == 0x0 01449 456 NtAllocateVirtualMemory (-1, 10747904, 0, 1, 4096, 4, ... 10747904, 4096, ) == 0x0 01450 456 NtAllocateVirtualMemory (-1, 10752000, 0, 3956, 4096, 4, ... 10752000, 4096, ) == 0x0 01451 456 NtCreateSection (0xf0007, 0x0, {29844, 0}, 4, 134217728, 0, ... 192, ) == 0x0 01452 456 NtMapViewOfSection (192, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xe40000), {0, 0}, 32768, ) == 0x0 01453 456 NtUnmapViewOfSection (-1, 0xe40000, ... ) == 0x0 01454 456 NtMapViewOfSection (192, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xe40000), {0, 0}, 32768, ) == 0x0 01455 456 NtClose (188, ... ) == 0x0 01456 456 NtUnmapViewOfSection (-1, 0xa40000, ... ) == 0x0 01457 456 NtUnmapViewOfSection (-1, 0xe40000, ... ) == 0x0 01458 456 NtMapViewOfSection (192, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa40000), {0, 0}, 32768, ) == 0x0 01459 456 NtUnmapViewOfSection (-1, 0xa40000, ... 
) == 0x0 01460 456 NtMapViewOfSection (192, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa40000), {0, 0}, 32768, ) == 0x0 01461 456 NtUnmapViewOfSection (-1, 0xa40000, ... ) == 0x0 01462 456 NtMapViewOfSection (192, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa40000), {0, 0}, 32768, ) == 0x0 01463 456 NtUnmapViewOfSection (-1, 0xa40000, ... ) == 0x0 01464 456 NtMapViewOfSection (192, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa40000), {0, 0}, 32768, ) == 0x0 01465 456 NtUnmapViewOfSection (-1, 0xa40000, ... ) == 0x0 01466 456 NtMapViewOfSection (192, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa40000), {0, 0}, 32768, ) == 0x0 01467 456 NtUnmapViewOfSection (-1, 0xa40000, ... ) == 0x0 01468 456 NtMapViewOfSection (192, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa40000), {0, 0}, 32768, ) == 0x0 01469 456 NtUnmapViewOfSection (-1, 0xa40000, ... ) == 0x0 01470 456 NtMapViewOfSection (192, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa40000), {0, 0}, 32768, ) == 0x0 01471 456 NtUnmapViewOfSection (-1, 0xa40000, ... ) == 0x0 01472 456 NtMapViewOfSection (192, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa40000), {0, 0}, 32768, ) == 0x0 01473 456 NtUnmapViewOfSection (-1, 0xa40000, ... ) == 0x0 01474 456 NtMapViewOfSection (192, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa40000), {0, 0}, 32768, ) == 0x0 01475 456 NtUnmapViewOfSection (-1, 0xa40000, ... ) == 0x0 01476 456 NtMapViewOfSection (192, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa40000), {0, 0}, 32768, ) == 0x0 01477 456 NtUnmapViewOfSection (-1, 0xa40000, ... ) == 0x0 01478 456 NtMapViewOfSection (192, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa40000), {0, 0}, 32768, ) == 0x0 01479 456 NtUnmapViewOfSection (-1, 0xa40000, ... ) == 0x0 01480 456 NtMapViewOfSection (192, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa40000), {0, 0}, 32768, ) == 0x0 01481 456 NtUnmapViewOfSection (-1, 0xa40000, ... ) == 0x0 01482 456 NtMapViewOfSection (192, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... 
(0xa40000), {0, 0}, 32768, ) == 0x0 01483 456 NtUnmapViewOfSection (-1, 0xa40000, ... ) == 0x0 01484 456 NtMapViewOfSection (192, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa40000), {0, 0}, 32768, ) == 0x0 01485 456 NtUnmapViewOfSection (-1, 0xa40000, ... ) == 0x0 01486 456 NtMapViewOfSection (192, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa40000), {0, 0}, 32768, ) == 0x0 01487 456 NtUnmapViewOfSection (-1, 0xa40000, ... ) == 0x0 01488 456 NtMapViewOfSection (192, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa40000), {0, 0}, 32768, ) == 0x0 01489 456 NtUnmapViewOfSection (-1, 0xa40000, ... ) == 0x0 01490 456 NtMapViewOfSection (192, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa40000), {0, 0}, 32768, ) == 0x0 01491 456 NtUnmapViewOfSection (-1, 0xa40000, ... ) == 0x0 01492 456 NtMapViewOfSection (192, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa40000), {0, 0}, 32768, ) == 0x0 01493 456 NtUnmapViewOfSection (-1, 0xa40000, ... ) == 0x0 01494 456 NtMapViewOfSection (192, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa40000), {0, 0}, 32768, ) == 0x0 01495 456 NtUnmapViewOfSection (-1, 0xa40000, ... ) == 0x0 01496 456 NtMapViewOfSection (192, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa40000), {0, 0}, 32768, ) == 0x0 01497 456 NtUnmapViewOfSection (-1, 0xa40000, ... ) == 0x0 01498 456 NtMapViewOfSection (192, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa40000), {0, 0}, 32768, ) == 0x0 01499 456 NtUnmapViewOfSection (-1, 0xa40000, ... ) == 0x0 01500 456 NtMapViewOfSection (192, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa40000), {0, 0}, 32768, ) == 0x0 01501 456 NtUnmapViewOfSection (-1, 0xa40000, ... ) == 0x0 01502 456 NtMapViewOfSection (192, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa40000), {0, 0}, 32768, ) == 0x0 01503 456 NtUnmapViewOfSection (-1, 0xa40000, ... ) == 0x0 01504 456 NtMapViewOfSection (192, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa40000), {0, 0}, 32768, ) == 0x0 01505 456 NtUnmapViewOfSection (-1, 0xa40000, ... 
) == 0x0 01506 456 NtMapViewOfSection (192, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa40000), {0, 0}, 32768, ) == 0x0 01507 456 NtUnmapViewOfSection (-1, 0xa40000, ... ) == 0x0 01508 456 NtMapViewOfSection (192, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa40000), {0, 0}, 32768, ) == 0x0 01509 456 NtUnmapViewOfSection (-1, 0xa40000, ... ) == 0x0 01510 456 NtMapViewOfSection (192, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa40000), {0, 0}, 32768, ) == 0x0 01511 456 NtUnmapViewOfSection (-1, 0xa40000, ... ) == 0x0 01512 456 NtMapViewOfSection (192, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa40000), {0, 0}, 32768, ) == 0x0 01513 456 NtUnmapViewOfSection (-1, 0xa40000, ... ) == 0x0 01514 456 NtMapViewOfSection (192, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa40000), {0, 0}, 32768, ) == 0x0 01515 456 NtUnmapViewOfSection (-1, 0xa40000, ... ) == 0x0 01516 456 NtClose (192, ... ) == 0x0 01517 456 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 01518 456 NtOpenFile (0x100080, {24, 0, 0x40, 0, 0, (0x100080, {24, 0, 0x40, 0, 0, "\??\u:"}, 3, 96, ... 192, {status=0x0, info=1}, ) }, 3, 96, ... 192, {status=0x0, info=1}, ) == 0x0 01519 456 NtOpenSymbolicLinkObject (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\??\u:"}, ... 188, ) }, ... 188, ) == 0x0 01520 456 NtQuerySymbolicLinkObject (188, ... (188, ... "\Device\WinDfs\U:0000000000009204", 66, ) , 66, ) == 0x0 01521 456 NtClose (188, ... ) == 0x0 01522 456 NtQueryVolumeInformationFile (192, 1236160, 8, Device, ... {status=0x0, info=8}, ) == 0x0 01523 456 NtClose (192, ... ) == 0x0 01524 456 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\apphelp.dll"}, 1234020, ... ) }, 1234020, ... ) == 0x0 01525 456 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\apphelp.dll"}, 5, 96, ... 192, {status=0x0, info=1}, ) }, 5, 96, ... 
192, {status=0x0, info=1}, ) == 0x0 01526 456 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 192, ... 188, ) == 0x0 01527 456 NtClose (192, ... ) == 0x0 01528 456 NtMapViewOfSection (188, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa40000), 0x0, 106496, ) == 0x0 01529 456 NtClose (188, ... ) == 0x0 01530 456 NtUnmapViewOfSection (-1, 0xa40000, ... ) == 0x0 01531 456 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\apphelp.dll"}, 1234336, ... ) }, 1234336, ... ) == 0x0 01532 456 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\apphelp.dll"}, 5, 96, ... 188, {status=0x0, info=1}, ) }, 5, 96, ... 188, {status=0x0, info=1}, ) == 0x0 01533 456 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 188, ... 192, ) == 0x0 01534 456 NtQuerySection (192, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01535 456 NtClose (188, ... ) == 0x0 01536 456 NtMapViewOfSection (192, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f40000), 0x0, 118784, ) == 0x0 01537 456 NtClose (192, ... ) == 0x0 01538 456 NtAllocateVirtualMemory (-1, 1441792, 0, 12288, 4096, 4, ... 1441792, 12288, ) == 0x0 01539 456 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1235596, ... ) }, 1235596, ... ) == 0x0 01540 456 NtCreateFile (0x40100080, {24, 0, 0x40, 0, 1235604, (0x40100080, {24, 0, 0x40, 0, 1235604, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\WER2.tmp.dir00\appcompat.txt"}, 0x0, 128, 0, 5, 96, 0, 0, ... }, 0x0, 128, 0, 5, 96, 0, 0, ... 01541 456 NtClose (-2147482032, ... ) == 0x0 01540 456 NtCreateFile ... 192, {status=0x0, info=2}, ) == 0x0 01542 456 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work\"}, 3, 16417, ... 188, {status=0x0, info=1}, ) }, 3, 16417, ... 
188, {status=0x0, info=1}, ) == 0x0 01543 456 NtQueryDirectoryFile (188, 0, 0, 0, 1234196, 616, BothDirectory, 1, (188, 0, 0, 0, 1234196, 616, BothDirectory, 1, "packed.exe", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0 01544 456 NtWriteFile (192, 0, 0, 0, (192, 0, 0, 0, "\377\376", 2, 0x0, 0, ... {status=0x0, info=2}, ) , 2, 0x0, 0, ... {status=0x0, info=2}, ) == 0x0 01545 456 NtWriteFile (192, 0, 0, 0, (192, 0, 0, 0, "<\0?\0x\0m\0l\0 \0v\0e\0r\0s\0i\0o\0n\0=\0"\01\0.\00\0"\0 \0e\0n\0c\0o\0d\0i\0n\0g\0=\0"\0U\0T\0F\0-\01\06\0"\0?\0>\0\15\0\12\0<\0D\0A\0T\0A\0B\0A\0S\0E\0>\0\15\0\12\0", 106, 0x0, 0, ... {status=0x0, info=106}, ) \01\0.\00\0 (192, 0, 0, 0, "<\0?\0x\0m\0l\0 \0v\0e\0r\0s\0i\0o\0n\0=\0"\01\0.\00\0"\0 \0e\0n\0c\0o\0d\0i\0n\0g\0=\0"\0U\0T\0F\0-\01\06\0"\0?\0>\0\15\0\12\0<\0D\0A\0T\0A\0B\0A\0S\0E\0>\0\15\0\12\0", 106, 0x0, 0, ... {status=0x0, info=106}, ) \0U\0T\0F\0-\01\06\0 (192, 0, 0, 0, "<\0?\0x\0m\0l\0 \0v\0e\0r\0s\0i\0o\0n\0=\0"\01\0.\00\0"\0 \0e\0n\0c\0o\0d\0i\0n\0g\0=\0"\0U\0T\0F\0-\01\06\0"\0?\0>\0\15\0\12\0<\0D\0A\0T\0A\0B\0A\0S\0E\0>\0\15\0\12\0", 106, 0x0, 0, ... {status=0x0, info=106}, ) , 106, 0x0, 0, ... {status=0x0, info=106}, ) == 0x0 01546 456 NtWriteFile (192, 0, 0, 0, (192, 0, 0, 0, "<\0E\0X\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0F\0I\0L\0T\0E\0R\0=\0"\0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0"\0>\0\15\0\12\0", 122, 0x0, 0, ... {status=0x0, info=122}, ) \0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0 (192, 0, 0, 0, "<\0E\0X\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0F\0I\0L\0T\0E\0R\0=\0"\0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0"\0>\0\15\0\12\0", 122, 0x0, 0, ... 
{status=0x0, info=122}, ) \0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0 (192, 0, 0, 0, "<\0E\0X\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0F\0I\0L\0T\0E\0R\0=\0"\0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0"\0>\0\15\0\12\0", 122, 0x0, 0, ... {status=0x0, info=122}, ) , 122, 0x0, 0, ... {status=0x0, info=122}, ) == 0x0 01547 456 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1234652, ... ) }, 1234652, ... ) == 0x0 01548 456 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work"}, 3, 16417, ... 196, {status=0x0, info=1}, ) }, 3, 16417, ... 196, {status=0x0, info=1}, ) == 0x0 01549 456 NtQueryDirectoryFile (196, 0, 0, 0, 1234212, 592, Directory, 1, (196, 0, 0, 0, 1234212, 592, Directory, 1, "packed.exe", 0, ... {status=0x0, info=84}, ) , 0, ... {status=0x0, info=84}, ) == 0x0 01550 456 NtClose (196, ... ) == 0x0 01551 456 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01552 456 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01553 456 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1233576, ... ) }, 1233576, ... ) == 0x0 01554 456 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1232388, ... ) }, 1232388, ... ) == 0x0 01555 456 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01556 456 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01557 456 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\U:\WORK\PACKED.EXE"}, 1234524, ... ) }, 1234524, ... ) == 0x0 01558 456 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\U:\WORK\PACKED.EXE"}, 7, 2113568, ... 
196, {status=0x0, info=1}, ) }, 7, 2113568, ... 196, {status=0x0, info=1}, ) == 0x0 01559 456 NtSetInformationFile (196, 1234500, 40, Basic, ... ) == STATUS_ACCESS_DENIED 01560 456 NtClose (196, ... ) == 0x0 01561 456 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 0, (0x80100080, {24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 0x0, 128, 1, 1, 96, 0, 0, ... 196, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 196, {status=0x0, info=1}, ) == 0x0 01562 456 NtQueryInformationFile (196, 1234740, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01563 456 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 196, ... 200, ) == 0x0 01564 456 NtMapViewOfSection (200, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xa40000), 0x0, 237568, ) == 0x0 01565 456 NtUnmapViewOfSection (-1, 0xa40000, ... ) == 0x0 01566 456 NtClose (200, ... ) == 0x0 01567 456 NtClose (196, ... ) == 0x0 01568 456 NtWriteFile (192, 0, 0, 0, (192, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\02\03\03\09\08\04\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0E\05\0F\08\0D\07\03\0E\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\03\0/\00\07\0/\02\00\00\07\0 \00\02\0:\01\01\0:\02\07\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\03\0/\00\07\0/\02\00\00\07\0 \00\02\0:\01\01\0:\02\07\0"\0 \0/\0>\0\15\0\12\0", 410, 0x0, 0, ... 
{status=0x0, info=410}, ) \0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0 (192, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\02\03\03\09\08\04\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0E\05\0F\08\0D\07\03\0E\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\03\0/\00\07\0/\02\00\00\07\0 \00\02\0:\01\01\0:\02\07\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\03\0/\00\07\0/\02\00\00\07\0 \00\02\0:\01\01\0:\02\07\0"\0 \0/\0>\0\15\0\12\0", 410, 0x0, 0, ... {status=0x0, info=410}, ) \02\03\03\09\08\04\0 (192, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\02\03\03\09\08\04\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0E\05\0F\08\0D\07\03\0E\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\03\0/\00\07\0/\02\00\00\07\0 \00\02\0:\01\01\0:\02\07\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\03\0/\00\07\0/\02\00\00\07\0 \00\02\0:\01\01\0:\02\07\0"\0 \0/\0>\0\15\0\12\0", 410, 0x0, 0, ... 
{status=0x0, info=410}, ) \00\0x\0E\05\0F\08\0D\07\03\0E\0 (192, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\02\03\03\09\08\04\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0E\05\0F\08\0D\07\03\0E\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\03\0/\00\07\0/\02\00\00\07\0 \00\02\0:\01\01\0:\02\07\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\03\0/\00\07\0/\02\00\00\07\0 \00\02\0:\01\01\0:\02\07\0"\0 \0/\0>\0\15\0\12\0", 410, 0x0, 0, ... {status=0x0, info=410}, ) \0W\0I\0N\03\02\0 (192, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\02\03\03\09\08\04\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0E\05\0F\08\0D\07\03\0E\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\03\0/\00\07\0/\02\00\00\07\0 \00\02\0:\01\01\0:\02\07\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\03\0/\00\07\0/\02\00\00\07\0 \00\02\0:\01\01\0:\02\07\0"\0 \0/\0>\0\15\0\12\0", 410, 0x0, 0, ... 
{status=0x0, info=410}, ) \00\0x\00\0 (192, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\02\03\03\09\08\04\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0E\05\0F\08\0D\07\03\0E\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\03\0/\00\07\0/\02\00\00\07\0 \00\02\0:\01\01\0:\02\07\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\03\0/\00\07\0/\02\00\00\07\0 \00\02\0:\01\01\0:\02\07\0"\0 \0/\0>\0\15\0\12\0", 410, 0x0, 0, ... {status=0x0, info=410}, ) \00\0x\00\0 (192, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\02\03\03\09\08\04\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0E\05\0F\08\0D\07\03\0E\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\03\0/\00\07\0/\02\00\00\07\0 \00\02\0:\01\01\0:\02\07\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\03\0/\00\07\0/\02\00\00\07\0 \00\02\0:\01\01\0:\02\07\0"\0 \0/\0>\0\15\0\12\0", 410, 0x0, 0, ... 
{status=0x0, info=410}, ) \00\03\0/\00\07\0/\02\00\00\07\0 \00\02\0:\01\01\0:\02\07\0 (192, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\02\03\03\09\08\04\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0E\05\0F\08\0D\07\03\0E\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\03\0/\00\07\0/\02\00\00\07\0 \00\02\0:\01\01\0:\02\07\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\03\0/\00\07\0/\02\00\00\07\0 \00\02\0:\01\01\0:\02\07\0"\0 \0/\0>\0\15\0\12\0", 410, 0x0, 0, ... {status=0x0, info=410}, ) \00\03\0/\00\07\0/\02\00\00\07\0 \00\02\0:\01\01\0:\02\07\0 (192, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\02\03\03\09\08\04\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0E\05\0F\08\0D\07\03\0E\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\03\0/\00\07\0/\02\00\00\07\0 \00\02\0:\01\01\0:\02\07\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\03\0/\00\07\0/\02\00\00\07\0 \00\02\0:\01\01\0:\02\07\0"\0 \0/\0>\0\15\0\12\0", 410, 0x0, 0, ... {status=0x0, info=410}, ) , 410, 0x0, 0, ... {status=0x0, info=410}, ) == 0x0 01569 456 NtAllocateVirtualMemory (-1, 1454080, 0, 8192, 4096, 4, ... 1454080, 8192, ) == 0x0 01570 456 NtQueryDirectoryFile (188, 0, 0, 0, 1453128, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES 01571 456 NtClose (188, ... ) == 0x0 01572 456 NtWriteFile (192, 0, 0, 0, (192, 0, 0, 0, "<\0/\0E\0X\0E\0>\0\15\0\12\0", 16, 0x0, 0, ... {status=0x0, info=16}, ) , 16, 0x0, 0, ... 
{status=0x0, info=16}, ) == 0x0 01573 456 NtClose (192, ... ) == 0x0 01574 456 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\kernel32.dll"}, 1235596, ... ) }, 1235596, ... ) == 0x0 01575 456 NtCreateFile (0x40100080, {24, 0, 0x40, 0, 1235604, (0x40100080, {24, 0, 0x40, 0, 1235604, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\WER2.tmp.dir00\appcompat.txt"}, 0x0, 128, 0, 3, 96, 0, 0, ... 192, {status=0x0, info=1}, ) }, 0x0, 128, 0, 3, 96, 0, 0, ... 192, {status=0x0, info=1}, ) == 0x0 01576 456 NtQueryInformationFile (192, 1235628, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01577 456 NtSetInformationFile (192, 1235660, 8, Position, ... {status=0x0, info=0}, ) == 0x0 01578 456 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 188, {status=0x0, info=1}, ) }, 3, 16417, ... 188, {status=0x0, info=1}, ) == 0x0 01579 456 NtQueryDirectoryFile (188, 0, 0, 0, 1234196, 616, BothDirectory, 1, (188, 0, 0, 0, 1234196, 616, BothDirectory, 1, "kernel32.dll", 0, ... {status=0x0, info=118}, ) , 0, ... {status=0x0, info=118}, ) == 0x0 01580 456 NtWriteFile (192, 0, 0, 0, (192, 0, 0, 0, "<\0E\0X\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0F\0I\0L\0T\0E\0R\0=\0"\0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0"\0>\0\15\0\12\0", 126, 0x0, 0, ... {status=0x0, info=126}, ) \0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0 (192, 0, 0, 0, "<\0E\0X\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0F\0I\0L\0T\0E\0R\0=\0"\0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0"\0>\0\15\0\12\0", 126, 0x0, 0, ... 
{status=0x0, info=126}, ) \0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0 (192, 0, 0, 0, "<\0E\0X\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0F\0I\0L\0T\0E\0R\0=\0"\0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0"\0>\0\15\0\12\0", 126, 0x0, 0, ... {status=0x0, info=126}, ) , 126, 0x0, 0, ... {status=0x0, info=126}, ) == 0x0 01581 456 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\kernel32.dll"}, 1234624, ... ) }, 1234624, ... ) == 0x0 01582 456 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32"}, 3, 16417, ... 196, {status=0x0, info=1}, ) }, 3, 16417, ... 196, {status=0x0, info=1}, ) == 0x0 01583 456 NtQueryDirectoryFile (196, 0, 0, 0, 1234212, 592, Directory, 1, (196, 0, 0, 0, 1234212, 592, Directory, 1, "kernel32.dll", 0, ... {status=0x0, info=88}, ) , 0, ... {status=0x0, info=88}, ) == 0x0 01584 456 NtClose (196, ... ) == 0x0 01585 456 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01586 456 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01587 456 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\kernel32.dll"}, 1233576, ... ) }, 1233576, ... ) == 0x0 01588 456 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\kernel32.dll"}, 1232388, ... ) }, 1232388, ... ) == 0x0 01589 456 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01590 456 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01591 456 NtQueryDefaultLocale (1, 1234440, ... ) == 0x0 01592 456 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... 
{process info, class 12, size 4}, 0x0, ) == 0x0 01593 456 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01594 456 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\kernel32.dll"}, 1233568, ... ) }, 1233568, ... ) == 0x0 01595 456 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\kernel32.dll"}, 1232380, ... ) }, 1232380, ... ) == 0x0 01596 456 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01597 456 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01598 456 NtQueryDefaultLocale (1, 1234432, ... ) == 0x0 01599 456 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 0, (0x80100080, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\kernel32.dll"}, 0x0, 128, 1, 1, 96, 0, 0, ... 196, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 196, {status=0x0, info=1}, ) == 0x0 01600 456 NtQueryInformationFile (196, 1234740, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01601 456 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 196, ... 200, ) == 0x0 01602 456 NtMapViewOfSection (200, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xa40000), 0x0, 929792, ) == 0x0 01603 456 NtUnmapViewOfSection (-1, 0xa40000, ... ) == 0x0 01604 456 NtClose (200, ... ) == 0x0 01605 456 NtClose (196, ... ) == 0x0 01606 456 NtQueryDefaultUILanguage (1234104, ... 01607 456 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01608 456 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482032, ) == 0x0 01609 456 NtQueryInformationToken (-2147482032, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01610 456 NtClose (-2147482032, ... ) == 0x0 01611 456 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482032, ) }, ... 
-2147482032, ) == 0x0 01612 456 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01613 456 NtOpenKey (0x80000000, {24, -2147482032, 0x640, 0, 0, (0x80000000, {24, -2147482032, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482044, ) }, ... -2147482044, ) == 0x0 01614 456 NtQueryValueKey (-2147482044, (-2147482044, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01615 456 NtClose (-2147482044, ... ) == 0x0 01616 456 NtClose (-2147482032, ... ) == 0x0 01606 456 NtQueryDefaultUILanguage ... ) == 0x0 01617 456 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01618 456 NtWriteFile (192, 0, 0, 0, (192, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\02\06\07\02\00\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\06\02\06\02\0E\0E\0A\05\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\00\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\00\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\00\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0C\0o\0r\0p\0o\0r\0a\0t\0i\0", 1622, 0x0, 0, ... 
{status=0x0, info=1622}, ) \0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0 (192, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\02\06\07\02\00\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\06\02\06\02\0E\0E\0A\05\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\00\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\00\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\00\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0C\0o\0r\0p\0o\0r\0a\0t\0i\0", 1622, 0x0, 0, ... {status=0x0, info=1622}, ) \09\02\06\07\02\00\0 (192, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\02\06\07\02\00\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\06\02\06\02\0E\0E\0A\05\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\00\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\00\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\00\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0C\0o\0r\0p\0o\0r\0a\0t\0i\0", 1622, 0x0, 0, ... 
{status=0x0, info=1622}, ) \00\0x\06\02\06\02\0E\0E\0A\05\0 (192, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\02\06\07\02\00\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\06\02\06\02\0E\0E\0A\05\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\00\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\00\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\00\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0C\0o\0r\0p\0o\0r\0a\0t\0i\0", 1622, 0x0, 0, ... {status=0x0, info=1622}, ) \05\0.\01\0.\02\06\00\00\0.\00\0 (192, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\02\06\07\02\00\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\06\02\06\02\0E\0E\0A\05\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\00\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\00\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\00\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0C\0o\0r\0p\0o\0r\0a\0t\0i\0", 1622, 0x0, 0, ... 
{status=0x0, info=1622}, ) \05\0.\01\0.\02\06\00\00\0.\00\0 (192, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\02\06\07\02\00\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\06\02\06\02\0E\0E\0A\05\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\00\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\00\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\00\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0C\0o\0r\0p\0o\0r\0a\0t\0i\0", 1622, 0x0, 0, ... {status=0x0, info=1622}, ) \05\0.\01\0.\02\06\00\00\0.\00\0 (192, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\02\06\07\02\00\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\06\02\06\02\0E\0E\0A\05\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\00\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\00\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\00\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0C\0o\0r\0p\0o\0r\0a\0t\0i\0", 1622, 0x0, 0, ... 
{status=0x0, info=1622}, ) \0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0 (192, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\02\06\07\02\00\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\06\02\06\02\0E\0E\0A\05\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\00\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\00\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\00\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0C\0o\0r\0p\0o\0r\0a\0t\0i\0", 1622, 0x0, 0, ... {status=0x0, info=1622}, ) \0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0C\0o\0r\0p\0o\0r\0a\0t\0i\0", 1622, 0x0, 0, ... {status=0x0, info=1622}, ) == 0x0 01619 456 NtQueryDirectoryFile (188, 0, 0, 0, 1453664, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES 01620 456 NtClose (188, ... ) == 0x0 01621 456 NtWriteFile (192, 0, 0, 0, (192, 0, 0, 0, "<\0/\0E\0X\0E\0>\0\15\0\12\0<\0/\0D\0A\0T\0A\0B\0A\0S\0E\0>\0\15\0\12\0", 42, 0x0, 0, ... {status=0x0, info=42}, ) , 42, 0x0, 0, ... {status=0x0, info=42}, ) == 0x0 01622 456 NtClose (192, ... ) == 0x0 01623 456 NtUnmapViewOfSection (-1, 0x75f40000, ... ) == 0x0 01624 456 NtQueryInformationJobObject (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED 01625 456 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\dwwin.exe"}, 1233012, ... ) }, 1233012, ... ) == 0x0 01626 456 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\dwwin.exe"}, 1233704, ... ) }, 1233704, ... 
) == 0x0 01627 456 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM32\DWWIN.EXE"}, 1233624, ... ) }, 1233624, ... ) == 0x0 01628 456 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM32\DWWIN.EXE"}, 7, 2113568, ... 192, {status=0x0, info=1}, ) }, 7, 2113568, ... 192, {status=0x0, info=1}, ) == 0x0 01629 456 NtSetInformationFile (192, 1233600, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01630 456 NtClose (192, ... ) == 0x0 01631 456 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1233604, (0xc0100080, {24, 0, 0x40, 0, 1233604, "\??\C:\WINDOWS\SYSTEM32\DWWIN.EXE"}, 0x0, 0, 1, 1, 96, 0, 0, ... 192, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 96, 0, 0, ... 192, {status=0x0, info=1}, ) == 0x0 01632 456 NtQueryInformationFile (192, 1233656, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01633 456 NtQueryInformationFile (192, 1233656, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01634 456 NtCreateSection (0xf0007, 0x0, {162128, 0}, 4, 134217728, 192, ... 01635 456 NtQueryVolumeInformationFile (-2147482032, -133528516, 32, FullSize, ... {status=0x0, info=32}, ) == 0x0 01636 456 NtQueryInformationFile (-2147482032, -133528236, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01637 456 NtQueryInformationFile (-2147482032, -133528284, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01638 456 NtQueryInformationFile (-2147482032, -519778304, 4096, Stream, ... ) == STATUS_INVALID_PARAMETER 01639 456 NtQueryInformationFile (-2147482032, -133528592, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01640 456 NtQueryInformationFile (-2147482044, -133528632, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01641 456 NtSetInformationFile (-2147482044, -133528552, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01642 456 NtCreateSection (0x5, 0x0, {162128, 0}, 2, 134217728, -2147482032, ... 188, ) == 0x0 01643 456 NtMapViewOfSection (188, -1, (0x0), 0, 0, {0, 0}, 65536, 2, 0, 2, ... 
(0xa40000), {0, 0}, 65536, ) == 0x0 01644 456 NtWriteFile (-2147482044, 0, 0, 0, (-2147482044, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\350\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\270\277\220\252\374\336\376\371\374\336\376\371\374\336\376\371\24\301\365\371\375\336\376\371\177\302\360\371\365\336\376\371\24\301\364\371\325\336\376\371\252\301\355\371\364\336\376\371\202\374\342\371\373\336\376\371\14\301\365\371\354\336\376\371\374\336\376\371\343\337\376\371Rich\374\336\376\371\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0_\245\35;\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\24\00\2\0\0\220\0\0\0\0\0\0jr\0\0\0\20\0\0\0p\3\0\0\0\00\0\20\0\0\0\20\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\320\2\0\0\20\0\0\15"\3\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\31%\2\0:\1\0\0\0\300\2\0\200\12\0\0\0\0\0\0\0\0\0\0\0`\2\0P\31\0\0\0\0\0\0\0\0\0\0Z8\2\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0\204\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\222(\2\0\0\20\0\0\00\2\0", 65536, {0, 0}, 0, ... {status=0x0, info=65536}, ) \3\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\31%\2\0:\1\0\0\0\300\2\0\200\12\0\0\0\0\0\0\0\0\0\0\0`\2\0P\31\0\0\0\0\0\0\0\0\0\0Z8\2\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0\204\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\222(\2\0\0\20\0\0\00\2\0", 65536, {0, 0}, 0, ... {status=0x0, info=65536}, ) == 0x0 01645 456 NtUnmapViewOfSection (-1, 0xa40000, ... ) == 0x0 01646 456 NtMapViewOfSection (188, -1, (0x0), 0, 0, {65536, 0}, 65536, 2, 0, 2, ... 
(0xa40000), {65536, 0}, 65536, ) == 0x0 01647 456 NtWriteFile (-2147482044, 0, 0, 0, (-2147482044, 0, 0, 0, "\0\0HHtDHt \203\350\3\17\205V\2\0\0\270`\30\00P\211E\374\350T\365\0\0\213M\14\215D\10\26\353n\270h\30\00P\211E\374\350=\365\0\0\213M\24\213U\14\3\320\215LI\6\3\312\211M\14\353P\213u\243\300;\367v\17\213M\30\200<\10\0u\1G@;\306r\361Oh@\30\00\211}\370\307E\374L\30\00\350\375\364\0\0\3\307\3E\14\215D0\3\353\25\270\24\30\00P\211E\374\350\344\364\0\0\213M\14\215D\10\16\211E\14\213}\34\213u \213\7\3E\14;\6|*\273\0\200\0\0\213\6\3\303P\213E$\3770\350_\340\0\0\205\300t\22\213M$\1\36\211\1\213\17\3M\14\213\6;\310}\333\213E$\213\37\3\30\213E\10\203\370\5wk\203\370\4sT\205\300t6\17\206w\1\0\0\203\370\2v\16\203\370\3\17\204\205\0\0\0\351d\1\0\0\377u\30\377u\374\377u\20h8\377\00S\377\25\14\23\00\203\304\24\351#\1\0\0\377u\374\377u\20h\\377\00S\377\25\14\23\00\203\304\20\351\11\1\0\0\213E\30\3770\377u\374\377u\20h(\377\00\353\305\203\350\7\17\204\230\0\0\0Ht+\203\350\3\17\205\6\1\0\0\213E\30\213\0P@P\377u\374\377u\20hh\377\00S\377\25\14\23\00\203\304\30\351\300\0\0\0\377u\374\377u\20h\34\377\00S\377\25\14\23\00\203\304\20S\350\325\363\0\03\366\3\3309u\24v\37\215{\1\213E\30W\306\3 \212\4\6P\350\216\346\377\377\203\303\3\203\307\3F;u\24r\344\277$\377\00\203\311\3773\300\362\256\367\321+\371\213\301\213\367\213\373\301\351\2\363\245\213\310\203\341\3\363\244\213}\34\353V\377u\374\2135\14", 65536, {65536, 0}, 0, ... {status=0x0, info=65536}, ) , 65536, {65536, 0}, 0, ... {status=0x0, info=65536}, ) == 0x0 01648 456 NtUnmapViewOfSection (-1, 0xa40000, ... ) == 0x0 01649 456 NtMapViewOfSection (188, -1, (0x0), 0, 0, {131072, 0}, 31056, 2, 0, 2, ... 
(0xa40000), {131072, 0}, 32768, ) == 0x0 01650 456 NtWriteFile (-2147482044, 0, 0, 0, (-2147482044, 0, 0, 0, "Fw\11%\377\0\0\0\203\3507\303\203\310\377\303S\213\331UV\212\3W\213\352P3\377\213\363\350\265\16\0\0\205\300t\16\212N\1FQ\350\247\16\0\0\205\300u\362\200>0u\11\200~\1xu\3\203\306\2\212\16\350\214\377\377\377\205\300|!\201\377\377\377\377\17r\7u#\203\370\17w\36\212N\1\301\347\4\3\370F\350k\377\377\377\205\300}\337\211}\0\213\306_^+\303][\303_^]3\300[\303S\213\$\34U\213l$\30V\213t$\20W\213|$$\205\366t\20\203\376\1t\13V\377\25\314\21\00\205\300t6\213D$\34\213L$\30SWUPQV\377\25\214\20\00\205\300\17\217\262\2\0\0u\30\377\25\24\21\00\203\350z_\367\330\33\300^\367\320#\303][\302\30\0\205\355}\21\213l$\34U\350\205\364\377\377@\211D$\24\353\12\213\305\213l$\34\211D$\24\201\376\351\375\0\0u\24S\215T$\30WRU\350\227\2\0\0_^][\302\30\0\205\333\17\204U\2\0\0;\303|\2\213\303\201\376\27'\0\0\17\207\33\1\0\0\17\204\16\1\0\0\201\376\346\4\0\0\17\207\263\0\0\0\17\204\243\0\0\0\201\376\342\4\0\0wkt_\203\356\2\17\204\342\0\0\0\203\356(t\26\201\356@\3\0\0\17\205\20\1\0\0\271P\36\00\351\10\1\0\0\205\377\17\204\365\1\0\0\205\300\17\204\355\1\0\0\2150\212M\0\200\371 \33\3223\333\200\342\20\203\307\2\201\302\360\0\0\0E\212\372N\212\331f\211_\376u\336_^][\302\30\0\271P\37\00\351\303\0\0\0\201\356\343\4\0\0t\36Nt\21N\17\205\257\0\0\0\271P"\00\351\247\0\0\0\271P!\00\351\235\0\0\0\271P \00\351\223\0\0\0\271P#", 31232, {131072, 0}, 0, ... {status=0x0, info=31232}, ) \00\351\247\0\0\0\271P!\00\351\235\0\0\0\271P \00\351\223\0\0\0\271P#", 31232, {131072, 0}, 0, ... {status=0x0, info=31232}, ) == 0x0 01651 456 NtUnmapViewOfSection (-1, 0xa40000, ... ) == 0x0 01652 456 NtSetInformationFile (-2147482044, -133528708, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01653 456 NtClose (188, ... ) == 0x0 01654 456 NtQueryVolumeInformationFile (-2147482032, -133528404, 116, Attribute, ... {status=0x0, info=22}, ) == 0x0 01655 456 NtSetInformationFile (-2147482044, -133528284, 40, Basic, ... 
{status=0x0, info=0}, ) == 0x0 01656 456 NtClose (-2147482044, ... ) == 0x0 01657 456 NtClose (-2147482032, ... ) == 0x0 01634 456 NtCreateSection ... 188, ) == 0x0 01658 456 NtMapViewOfSection (188, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa40000), {0, 0}, 163840, ) == 0x0 01659 456 NtUnmapViewOfSection (-1, 0xa40000, ... ) == 0x0 01660 456 NtClose (188, ... ) == 0x0 01661 456 NtSetInformationFile (192, 1233660, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01662 456 NtClose (192, ... ) == 0x0 01663 456 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM32\DWWIN.EXE"}, 7, 2113568, ... 192, {status=0x0, info=1}, ) }, 7, 2113568, ... 192, {status=0x0, info=1}, ) == 0x0 01664 456 NtSetInformationFile (192, 1233604, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01665 456 NtClose (192, ... ) == 0x0 01666 456 NtOpenFile (0x1000a1, {24, 0, 0x40, 0, 0, (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\dwwin.exe"}, 5, 96, ... 192, {status=0x0, info=1}, ) }, 5, 96, ... 192, {status=0x0, info=1}, ) == 0x0 01667 456 NtCreateSection (0xf001f, 0x0, 0x0, 16, 16777216, 192, ... 188, ) == 0x0 01668 456 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01669 456 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 196, ) }, ... 196, ) == 0x0 01670 456 NtQueryValueKey (196, (196, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01671 456 NtClose (196, ... ) == 0x0 01672 456 NtQueryVolumeInformationFile (192, 1233012, 8, Device, ... {status=0x0, info=8}, ) == 0x0 01673 456 NtOpenMutant (0x120001, {24, 52, 0x0, 0, 0, (0x120001, {24, 52, 0x0, 0, 0, "ShimCacheMutex"}, ... 196, ) }, ... 
196, ) == 0x0 01674 456 NtWaitForSingleObject (196, 0, {-1000000, -1}, ... ) == 0x0 01675 456 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "ShimSharedMemory"}, ... 200, ) }, ... 200, ) == 0x0 01676 456 NtMapViewOfSection (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa40000), {0, 0}, 57344, ) == 0x0 01677 456 NtReleaseMutant (196, ... 0x0, ) == 0x0 01678 456 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1230996, ... ) }, 1230996, ... ) == 0x0 01679 456 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 204, {status=0x0, info=1}, ) }, 5, 96, ... 204, {status=0x0, info=1}, ) == 0x0 01680 456 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 204, ... 208, ) == 0x0 01681 456 NtClose (204, ... ) == 0x0 01682 456 NtMapViewOfSection (208, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa50000), 0x0, 106496, ) == 0x0 01683 456 NtClose (208, ... ) == 0x0 01684 456 NtUnmapViewOfSection (-1, 0xa50000, ... ) == 0x0 01685 456 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1231312, ... ) }, 1231312, ... ) == 0x0 01686 456 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 208, {status=0x0, info=1}, ) }, 5, 96, ... 208, {status=0x0, info=1}, ) == 0x0 01687 456 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 208, ... 204, ) == 0x0 01688 456 NtQuerySection (204, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01689 456 NtClose (208, ... ) == 0x0 01690 456 NtMapViewOfSection (204, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f40000), 0x0, 118784, ) == 0x0 01691 456 NtClose (204, ... ) == 0x0 01692 456 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 0, (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 
204, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 204, {status=0x0, info=1}, ) == 0x0 01693 456 NtQueryInformationFile (204, 1231600, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01694 456 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 204, ... 208, ) == 0x0 01695 456 NtMapViewOfSection (208, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xa50000), 0x0, 1028096, ) == 0x0 01696 456 NtQueryInformationFile (204, 1231696, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01697 456 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 0, (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01698 456 NtAllocateVirtualMemory (-1, 1220608, 0, 4096, 4096, 260, ... 1220608, 4096, ) == 0x0 01699 456 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 01700 456 NtQueryInformationProcess (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0 01701 456 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 212, {status=0x0, info=1}, ) }, 3, 16417, ... 212, {status=0x0, info=1}, ) == 0x0 01702 456 NtQueryDirectoryFile (212, 0, 0, 0, 1229260, 616, BothDirectory, 1, (212, 0, 0, 0, 1229260, 616, BothDirectory, 1, "dwwin.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0 01703 456 NtClose (212, ... ) == 0x0 01704 456 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01705 456 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01706 456 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\dwwin.exe"}, 1228648, ... ) }, 1228648, ... ) == 0x0 01707 456 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 
212, {status=0x0, info=1}, ) }, 3, 16417, ... 212, {status=0x0, info=1}, ) == 0x0 01708 456 NtQueryDirectoryFile (212, 0, 0, 0, 1228008, 616, BothDirectory, 1, (212, 0, 0, 0, 1228008, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0 01709 456 NtClose (212, ... ) == 0x0 01710 456 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 212, {status=0x0, info=1}, ) }, 3, 16417, ... 212, {status=0x0, info=1}, ) == 0x0 01711 456 NtQueryDirectoryFile (212, 0, 0, 0, 1228008, 616, BothDirectory, 1, (212, 0, 0, 0, 1228008, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0 01712 456 NtClose (212, ... ) == 0x0 01713 456 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 212, {status=0x0, info=1}, ) }, 3, 16417, ... 212, {status=0x0, info=1}, ) == 0x0 01714 456 NtQueryDirectoryFile (212, 0, 0, 0, 1228008, 616, BothDirectory, 1, (212, 0, 0, 0, 1228008, 616, BothDirectory, 1, "dwwin.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0 01715 456 NtClose (212, ... ) == 0x0 01716 456 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01717 456 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01718 456 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 01719 456 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01720 456 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 212, ) == 0x0 01721 456 NtQueryInformationToken (212, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01722 456 NtClose (212, ... 
) == 0x0 01723 456 NtOpenKey (0x80000100, {24, 0, 0x40, 0, 0, (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01724 456 NtOpenKey (0x80000100, {24, 0, 0x40, 0, 0, (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\dwwin.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01725 456 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01726 456 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01727 456 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\dwwin.exe"}, 1230928, ... ) }, 1230928, ... ) == 0x0 01728 456 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 212, {status=0x0, info=1}, ) }, 3, 16417, ... 212, {status=0x0, info=1}, ) == 0x0 01729 456 NtQueryDirectoryFile (212, 0, 0, 0, 1230288, 616, BothDirectory, 1, (212, 0, 0, 0, 1230288, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0 01730 456 NtClose (212, ... ) == 0x0 01731 456 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 212, {status=0x0, info=1}, ) }, 3, 16417, ... 212, {status=0x0, info=1}, ) == 0x0 01732 456 NtQueryDirectoryFile (212, 0, 0, 0, 1230288, 616, BothDirectory, 1, (212, 0, 0, 0, 1230288, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0 01733 456 NtClose (212, ... ) == 0x0 01734 456 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 212, {status=0x0, info=1}, ) }, 3, 16417, ... 
212, {status=0x0, info=1}, ) == 0x0 01735 456 NtQueryDirectoryFile (212, 0, 0, 0, 1230288, 616, BothDirectory, 1, (212, 0, 0, 0, 1230288, 616, BothDirectory, 1, "dwwin.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0 01736 456 NtClose (212, ... ) == 0x0 01737 456 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01738 456 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01739 456 NtWaitForSingleObject (196, 0, {-1000000, -1}, ... ) == 0x0 01740 456 NtQueryVolumeInformationFile (192, 1231572, 8, Device, ... {status=0x0, info=8}, ) == 0x0 01741 456 NtQueryInformationFile (192, 1231552, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01742 456 NtQueryInformationFile (192, 1231592, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01743 456 NtReleaseMutant (196, ... 0x0, ) == 0x0 01744 456 NtUnmapViewOfSection (-1, 0xa50000, ... ) == 0x0 01745 456 NtClose (208, ... ) == 0x0 01746 456 NtClose (204, ... ) == 0x0 01747 456 NtQuerySection (188, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01748 456 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwwin.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01749 456 NtOpenThreadToken (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN 01750 456 NtOpenProcessToken (-1, 0xa, ... 204, ) == 0x0 01751 456 NtQueryInformationToken (204, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0 01752 456 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01753 456 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 208, ) }, ... 
208, ) == 0x0 01754 456 NtQueryValueKey (208, (208, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (208, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01755 456 NtQueryValueKey (208, (208, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (208, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01756 456 NtClose (208, ... ) == 0x0 01757 456 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 208, ) }, ... 208, ) == 0x0 01758 456 NtQueryValueKey (208, (208, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL 01759 456 NtQueryValueKey (208, (208, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (208, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0 01760 456 NtClose (208, ... 
) == 0x0 01761 456 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\LevelObjects"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01762 456 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 208, ) }, ... 208, ) == 0x0 01763 456 NtQueryValueKey (208, (208, "Levels", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01764 456 NtClose (208, ... ) == 0x0 01765 456 NtQueryDefaultLocale (1, 1232384, ... ) == 0x0 01766 456 NtQueryDefaultLocale (1, 1232384, ... ) == 0x0 01767 456 NtQueryDefaultLocale (1, 1232384, ... ) == 0x0 01768 456 NtQueryDefaultLocale (1, 1232384, ... ) == 0x0 01769 456 NtQueryDefaultLocale (1, 1232384, ... ) == 0x0 01770 456 NtQueryDefaultLocale (1, 1232384, ... ) == 0x0 01771 456 NtQueryDefaultLocale (1, 1232384, ... ) == 0x0 01772 456 NtQueryDefaultLocale (1, 1232384, ... ) == 0x0 01773 456 NtQueryDefaultLocale (1, 1232384, ... ) == 0x0 01774 456 NtQueryDefaultLocale (1, 1232384, ... ) == 0x0 01775 456 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... 208, ) }, ... 208, ) == 0x0 01776 456 NtEnumerateKey (208, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name= (208, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name="{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, 92, ) }, 92, ) == 0x0 01777 456 NtOpenKey (0x20019, {24, 208, 0x40, 0, 0, (0x20019, {24, 208, 0x40, 0, 0, "{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, ... 212, ) }, ... 212, ) == 0x0 01778 456 NtQueryValueKey (212, (212, "ItemData", Partial, 280, ... 
TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) , Partial, 280, ... TitleIdx=0, Type=2, Data= (212, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) }, 202, ) == 0x0 01779 456 NtQueryValueKey (212, (212, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (212, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01780 456 NtClose (212, ... ) == 0x0 01781 456 NtEnumerateKey (208, 1, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES 01782 456 NtClose (208, ... ) == 0x0 01783 456 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01784 456 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01785 456 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01786 456 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01787 456 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01788 456 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01789 456 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01790 456 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01791 456 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01792 456 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01793 456 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01794 456 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01795 456 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01796 456 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01797 456 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01798 456 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 208, ) == 0x0 01799 456 NtQueryInformationToken (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01800 456 NtClose (208, ... ) == 0x0 01801 456 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01802 456 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01803 456 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 208, ) == 0x0 01804 456 NtQueryInformationToken (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01805 456 NtClose (208, ... ) == 0x0 01806 456 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01807 456 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01808 456 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 208, ) == 0x0 01809 456 NtQueryInformationToken (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01810 456 NtClose (208, ... ) == 0x0 01811 456 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01812 456 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... 
) == STATUS_NO_TOKEN 01813 456 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 208, ) == 0x0 01814 456 NtQueryInformationToken (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01815 456 NtClose (208, ... ) == 0x0 01816 456 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01817 456 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01818 456 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 208, ) == 0x0 01819 456 NtQueryInformationToken (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01820 456 NtClose (208, ... ) == 0x0 01821 456 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01822 456 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01823 456 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 208, ) == 0x0 01824 456 NtQueryInformationToken (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01825 456 NtClose (208, ... ) == 0x0 01826 456 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01827 456 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01828 456 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 208, ) == 0x0 01829 456 NtQueryInformationToken (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01830 456 NtClose (208, ... 
) == 0x0 01831 456 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01832 456 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01833 456 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 208, ) == 0x0 01834 456 NtQueryInformationToken (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01835 456 NtClose (208, ... ) == 0x0 01836 456 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01837 456 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01838 456 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 208, ) == 0x0 01839 456 NtQueryInformationToken (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01840 456 NtClose (208, ... ) == 0x0 01841 456 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01842 456 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01843 456 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 208, ) == 0x0 01844 456 NtQueryInformationToken (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01845 456 NtClose (208, ... ) == 0x0 01846 456 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01847 456 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... 
) == STATUS_NO_TOKEN 01848 456 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 208, ) == 0x0 01849 456 NtQueryInformationToken (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01850 456 NtClose (208, ... ) == 0x0 01851 456 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01852 456 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01853 456 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 208, ) == 0x0 01854 456 NtQueryInformationToken (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01855 456 NtClose (208, ... ) == 0x0 01856 456 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01857 456 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01858 456 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 208, ) == 0x0 01859 456 NtQueryInformationToken (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01860 456 NtClose (208, ... ) == 0x0 01861 456 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01862 456 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01863 456 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 208, ) == 0x0 01864 456 NtQueryInformationToken (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01865 456 NtClose (208, ... 
) == 0x0 01866 456 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01867 456 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01868 456 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 208, ) == 0x0 01869 456 NtQueryInformationToken (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01870 456 NtClose (208, ... ) == 0x0 01871 456 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01872 456 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 208, ) }, ... 208, ) == 0x0 01873 456 NtQueryValueKey (208, (208, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (208, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Data= (208, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) }, 48, ) == 0x0 01874 456 NtClose (208, ... ) == 0x0 01875 456 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01876 456 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 208, ) == 0x0 01877 456 NtQueryInformationToken (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01878 456 NtClose (208, ... ) == 0x0 01879 456 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01880 456 NtOpenThreadToken (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN 01881 456 NtOpenProcessToken (-1, 0xa, ... 208, ) == 0x0 01882 456 NtDuplicateToken (208, 0xc, {24, 0, 0x0, 0, 1232904, 0x0}, 0, 2, ... 212, ) == 0x0 01883 456 NtClose (208, ... ) == 0x0 01884 456 NtAccessCheck (1434920, 212, 0x1, 1233032, 1232976, 56, 1233060, ... (0x1), ) == 0x0 01885 456 NtClose (212, ... ) == 0x0 01886 456 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 212, ) }, ... 212, ) == 0x0 01887 456 NtQueryValueKey (212, (212, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (212, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01888 456 NtClose (212, ... ) == 0x0 01889 456 NtOpenSymbolicLinkObject (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 212, ) }, ... 212, ) == 0x0 01890 456 NtQuerySymbolicLinkObject (212, ... (212, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0 01891 456 NtClose (212, ... ) == 0x0 01892 456 NtQueryInformationFile (192, 1231364, 528, Name, ... {status=0x0, info=58}, ) == 0x0 01893 456 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01894 456 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01895 456 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\dwwin.exe"}, 1230044, ... ) }, 1230044, ... ) == 0x0 01896 456 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 212, {status=0x0, info=1}, ) }, 3, 16417, ... 212, {status=0x0, info=1}, ) == 0x0 01897 456 NtQueryDirectoryFile (212, 0, 0, 0, 1229404, 616, BothDirectory, 1, (212, 0, 0, 0, 1229404, 616, BothDirectory, 1, "WINDOWS", 0, ... 
{status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0 01898 456 NtClose (212, ... ) == 0x0 01899 456 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 212, {status=0x0, info=1}, ) }, 3, 16417, ... 212, {status=0x0, info=1}, ) == 0x0 01900 456 NtQueryDirectoryFile (212, 0, 0, 0, 1229404, 616, BothDirectory, 1, (212, 0, 0, 0, 1229404, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0 01901 456 NtClose (212, ... ) == 0x0 01902 456 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 212, {status=0x0, info=1}, ) }, 3, 16417, ... 212, {status=0x0, info=1}, ) == 0x0 01903 456 NtQueryDirectoryFile (212, 0, 0, 0, 1229404, 616, BothDirectory, 1, (212, 0, 0, 0, 1229404, 616, BothDirectory, 1, "dwwin.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0 01904 456 NtClose (212, ... ) == 0x0 01905 456 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01906 456 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01907 456 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01908 456 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 212, ) == 0x0 01909 456 NtQueryInformationToken (212, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01910 456 NtClose (212, ... ) == 0x0 01911 456 NtOpenKey (0x20019, {24, 0, 0x640, 0, 0, (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 212, ) }, ... 212, ) == 0x0 01912 456 NtOpenKey (0x20019, {24, 212, 0x40, 0, 0, (0x20019, {24, 212, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 208, ) }, ... 208, ) == 0x0 01913 456 NtClose (212, ... ) == 0x0 01914 456 NtQueryValueKey (208, (208, "Cache", Partial, 144, ... 
) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01915 456 NtQueryValueKey (208, (208, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=1, Data= (208, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) }, 162, ) == 0x0 01916 456 NtClose (208, ... ) == 0x0 01917 456 NtAllocateVirtualMemory (-1, 0, 0, 4096, 8192, 4, ... 10813440, 4096, ) == 0x0 01918 456 NtAllocateVirtualMemory (-1, 10813440, 0, 4096, 4096, 4, ... 10813440, 4096, ) == 0x0 01919 456 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 208, ) }, ... 208, ) == 0x0 01920 456 NtQueryValueKey (208, (208, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01921 456 NtClose (208, ... ) == 0x0 01922 456 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01923 456 NtQueryInformationToken (204, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0 01924 456 NtQueryInformationToken (204, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0 01925 456 NtClose (204, ... ) == 0x0 01926 456 NtCreateProcessEx (1235640, 2035711, 0, -1, 4, 188, 0, 0, 0, ... ) == 0x0 01927 456 NtOpenSection (0xe, {24, 52, 0x0, 0, 0, (0xe, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 208, ) }, ... 
208, ) == 0x0 01928 456 NtMapViewOfSection (208, 204, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0 01929 456 NtClose (208, ... ) == 0x0 01930 456 NtProtectVirtualMemory (204, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 01931 456 NtWriteVirtualMemory (204, 0x77f7e603, (204, 0x77f7e603, "\350\214=\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 01932 456 NtProtectVirtualMemory (204, (0x77f7eaf3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 01933 456 NtWriteVirtualMemory (204, 0x77f7eaf3, (204, 0x77f7eaf3, "\350\3518\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 01934 456 NtProtectVirtualMemory (204, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 01935 456 NtWriteVirtualMemory (204, 0x77f7e6a3, (204, 0x77f7e6a3, "\350@=\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 01936 456 NtProtectVirtualMemory (204, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 01937 456 NtWriteVirtualMemory (204, 0x77f7e6b3, (204, 0x77f7e6b3, "\350==\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 01938 456 NtSetInformationProcess (204, PriorityClass, {process info, class 18, size 2}, 512, ... ) == 0x0 01939 456 NtSetInformationProcess (204, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01940 456 NtQueryInformationProcess (204, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=856,ParentPid=448,}, 0x0, ) == 0x0 01941 456 NtReadVirtualMemory (204, 0x7ffdf008, 4, ... (204, 0x7ffdf008, 4, ... "\0\0\00", 0x0, ) , 0x0, ) == 0x0 01942 456 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\dwwin.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01943 456 NtReadVirtualMemory (204, 0x30000000, 4096, ... (204, 0x30000000, 4096, ... 
"MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\350\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\270\277\220\252\374\336\376\371\374\336\376\371\374\336\376\371\24\301\365\371\375\336\376\371\177\302\360\371\365\336\376\371\24\301\364\371\325\336\376\371\252\301\355\371\364\336\376\371\202\374\342\371\373\336\376\371\14\301\365\371\354\336\376\371\374\336\376\371\343\337\376\371Rich\374\336\376\371\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0_\245\35;\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\24\00\2\0\0\220\0\0\0\0\0\0jr\0\0\0\20\0\0\0p\3\0\0\0\00\0\20\0\0\0\20\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\320\2\0\0\20\0\0\15"\3\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\31%\2\0:\1\0\0\0\300\2\0\200\12\0\0\0\0\0\0\0\0\0\0\0`\2\0P\31\0\0\0\0\0\0\0\0\0\0Z8\2\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0\204\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\222(\2\0\0\20\0\0\00\2\0", 4096, ) \3\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\31%\2\0:\1\0\0\0\300\2\0\200\12\0\0\0\0\0\0\0\0\0\0\0`\2\0P\31\0\0\0\0\0\0\0\0\0\0Z8\2\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0\204\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\222(\2\0\0\20\0\0\00\2\0", 4096, ) == 0x0 01944 456 NtReadVirtualMemory (204, 0x3002c000, 256, ... (204, 0x3002c000, 256, ... 
"\0\0\0\0Z\245\35;\0\0\0\0\0\0\3\0\5\0\0\0(\0\0\200\13\0\0\0@\0\0\200\20\0\0\0X\0\0\200\0\0\0\0Z\245\35;\0\0\0\0\0\0\1\0e\0\0\0p\0\0\200\0\0\0\0Z\245\35;\0\0\0\0\0\0\1\0\1\0\0\0\210\0\0\200\0\0\0\0Z\245\35;\0\0\0\0\0\0\1\0\1\0\0\0\240\0\0\200\0\0\0\0Z\245\35;\0\0\0\0\0\0\1\0\11\4\0\0\270\0\0\0\0\0\0\0Z\245\35;\0\0\0\0\0\0\1\0\11\4\0\0\310\0\0\0\0\0\0\0Z\245\35;\0\0\0\0\0\0\1\0\11\4\0\0\330\0\0\0\360\300\2\0\26\3\0\0\0\0\0\0\0\0\0\0\10\304\2\0\210\1\0\0\0\0\0\0\0\0\0\0\220\305\2\0\360\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\300\0\310\200\0\0\0\0\14\0\0\0\0\0f\1", 256, ) , 256, ) == 0x0 01945 456 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01946 456 NtQueryInformationProcess (204, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=856,ParentPid=448,}, 0x0, ) == 0x0 01947 456 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32"}, 1233704, ... ) }, 1233704, ... ) == 0x0 01948 456 NtAllocateVirtualMemory (-1, 0, 0, 1668, 4096, 4, ... 10878976, 4096, ) == 0x0 01949 456 NtAllocateVirtualMemory (204, 0, 0, 1910, 4096, 4, ... 65536, 4096, ) == 0x0 01950 456 NtWriteVirtualMemory (204, 0x10000, (204, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 
0x0, ) == 0x0 01951 456 NtAllocateVirtualMemory (204, 0, 0, 1668, 4096, 4, ... 131072, 4096, ) == 0x0 01952 456 NtWriteVirtualMemory (204, 0x20000, (204, 0x20000, "\0\20\0\0\204\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\0\0\0\0\0\13\0\0\0&\0\10\2\220\2\0\0\16\0\0\0\374\0\376\0\230\4\0\0:\0<\0\230\5\0\0N\0P\0\324\5\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0:\0<\0$\6\0\0\36\0 \0`\6\0\0\0\0\2\0\200\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1668, ... 0x0, ) , 1668, ... 0x0, ) == 0x0 01953 456 NtWriteVirtualMemory (204, 0x7ffdf010, (204, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0 01954 456 NtWriteVirtualMemory (204, 0x7ffdf1e8, (204, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0 01955 456 NtFreeVirtualMemory (-1, (0xa60000), 0, 32768, ... (0xa60000), 4096, ) == 0x0 01956 456 NtAllocateVirtualMemory (204, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0 01957 456 NtAllocateVirtualMemory (204, 1236992, 0, 8192, 4096, 4, ... 1236992, 8192, ) == 0x0 01958 456 NtProtectVirtualMemory (204, (0x12e000), 4096, 260, ... (0x12e000), 4096, 4, ) == 0x0 01959 456 NtCreateThread (0x1f03ff, 0x0, 204, 1233904, 1234624, 1, ... 
208, {856, 860}, ) == 0x0 01960 456 NtRequestWaitReplyPort (24, {168, 196, new_msg, 0, 6684672, 876097897, 100, 0} (24, {168, 196, new_msg, 0, 6684672, 876097897, 100, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\317\0\0\0\320\0\0\0X\3\0\0\\3\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\316'\365w" ... {168, 196, reply, 0, 448, 456, 1546, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\314\0\0\0\320\0\0\0X\3\0\0\\3\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\316'\365w" ) ... {168, 196, reply, 0, 448, 456, 1546, 0} (24, {168, 196, new_msg, 0, 6684672, 876097897, 100, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\317\0\0\0\320\0\0\0X\3\0\0\\3\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\316'\365w" ... {168, 196, reply, 0, 448, 456, 1546, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\314\0\0\0\320\0\0\0X\3\0\0\\3\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\316'\365w" ) ) == 0x0 01961 456 NtResumeThread (208, ... 1, ) == 0x0 01962 456 NtClose (192, ... ) == 0x0 01963 456 NtClose (188, ... ) == 0x0 01964 456 NtClose (208, ... 
) == 0x0 01965 456 NtWaitForMultipleObjects (2, (176, 204, ), 1, 0, {-1200000000, -1}, ... ) == 0x0 01966 456 NtWaitForSingleObject (168, 0, {0, 0}, ... ) == 0x102 01967 456 NtWaitForMultipleObjects (2, (176, 204, ), 1, 0, {-1200000000, -1}, ... ) == 0x0 01968 456 NtWaitForSingleObject (168, 0, {0, 0}, ... ) == 0x102 01969 456 NtWaitForMultipleObjects (2, (176, 204, ), 1, 0, {-1200000000, -1}, ... ) == 0x0 01970 456 NtWaitForSingleObject (168, 0, {0, 0}, ... ) == 0x102 01971 456 NtWaitForMultipleObjects (2, (176, 204, ), 1, 0, {-1200000000, -1}, ... ) == 0x0 01972 456 NtWaitForSingleObject (168, 0, {0, 0}, ... ) == 0x102 01973 456 NtWaitForMultipleObjects (2, (176, 204, ), 1, 0, {-1200000000, -1}, ... ) == 0x0 01974 456 NtWaitForSingleObject (168, 0, {0, 0}, ... ) == 0x102 01975 456 NtWaitForMultipleObjects (2, (176, 204, ), 1, 0, {-1200000000, -1}, ... ) == 0x0 01976 456 NtWaitForSingleObject (168, 0, {0, 0}, ... ) == 0x102 01977 456 NtWaitForMultipleObjects (2, (176, 204, ), 1, 0, {-1200000000, -1}, ... ) == 0x0 01978 456 NtWaitForSingleObject (168, 0, {0, 0}, ... ) == 0x102 01979 456 NtWaitForMultipleObjects (2, (176, 204, ), 1, 0, {-1200000000, -1}, ... ) == 0x0 01980 456 NtWaitForSingleObject (168, 0, {0, 0}, ... ) == 0x102 01981 456 NtWaitForMultipleObjects (2, (176, 204, ), 1, 0, {-1200000000, -1}, ... ) == 0x0 01982 456 NtWaitForSingleObject (168, 0, {0, 0}, ... ) == 0x102 01983 456 NtWaitForMultipleObjects (2, (176, 204, ), 1, 0, {-1200000000, -1}, ... ) == 0x0 01984 456 NtWaitForSingleObject (168, 0, {0, 0}, ... ) == 0x102 01985 456 NtWaitForMultipleObjects (2, (176, 204, ), 1, 0, {-1200000000, -1}, ... ) == 0x0 01986 456 NtWaitForSingleObject (168, 0, {0, 0}, ... ) == 0x102 01987 456 NtWaitForMultipleObjects (2, (176, 204, ), 1, 0, {-1200000000, -1}, ... ) == 0x0 01988 456 NtWaitForSingleObject (168, 0, {0, 0}, ... ) == 0x102 01989 456 NtWaitForMultipleObjects (2, (176, 204, ), 1, 0, {-1200000000, -1}, ...