Summary:





NtAddAtom(>)  1 
NtUserGetDC(>)  1 
NtUserBuildHwndList(>)  4 
NtQueryDefaultLocale(>)  15 


NtCallbackReturn(>)  1 
NtUserGetThreadDesktop(>)  1 
NtUserFindWindowEx(>)  4 
NtUnmapViewOfSection(>)  15 


NtCreateProcessEx(>)  1 
NtAccessCheck(>)  2 
NtWaitForSingleObject(>)  4 
NtCreateSection(>)  18 


NtCreateThread(>)  1 
NtCreateKey(>)  2 
NtWriteFile(>)  4 
NtUserRegisterWindowMessage(>)  19 


NtDuplicateToken(>)  1 
NtEnumerateKey(>)  2 
NtWriteVirtualMemory(>)  4 
NtOpenProcessTokenEx(>)  25 


NtEnumerateValueKey(>)  1 
NtGdiCreateSolidBrush(>)  2 
NtFreeVirtualMemory(>)  5 
NtOpenThreadTokenEx(>)  25 


NtFsControlFile(>)  1 
NtOpenDirectoryObject(>)  2 
NtGdiGetStockObject(>)  5 
NtQueryAttributesFile(>)  25 


NtGdiCreateBitmap(>)  1 
NtOpenEvent(>)  2 
NtOpenProcessToken(>)  5 
NtQuerySystemInformation(>)  27 


NtGdiInit(>)  1 
NtOpenSymbolicLinkObject(>)  2 
NtCreateFile(>)  6 
NtReadVirtualMemory(>)  28 


NtGdiQueryFontAssocInfo(>)  1 
NtOpenThreadToken(>)  2 
NtQueryVolumeInformationFile(>)  6 
NtOpenSection(>)  29 


NtGdiSelectBitmap(>)  1 
NtQueryInstallUILanguage(>)  2 
NtSetInformationThread(>)  6 
NtQueryInformationToken(>)  31 


NtNotifyChangeKey(>)  1 
NtQuerySymbolicLinkObject(>)  2 
NtOpenProcess(>)  7 
NtOpenFile(>)  34 


NtOpenKeyedEvent(>)  1 
NtRaiseException(>)  2 
NtSetInformationProcess(>)  7 
NtQueryValueKey(>)  38 


NtQueryInformationJobObject(>)  1 
NtSetInformationFile(>)  2 
NtContinue(>)  8 
NtMapViewOfSection(>)  39 


NtQueryObject(>)  1 
NtTerminateProcess(>)  2 
NtQueryDefaultUILanguage(>)  8 
NtProtectVirtualMemory(>)  41 


NtQueryPerformanceCounter(>)  1 
NtCreateEvent(>)  3 
NtQuerySection(>)  8 
NtUserUnregisterClass(>)  45 


NtRegisterThreadTerminatePort(>)  1 
NtCreateSemaphore(>)  3 
NtRequestWaitReplyPort(>)  8 
NtUserFindExistingCursorIcon(>)  48 


NtResumeThread(>)  1 
NtDuplicateObject(>)  3 
NtQueryDirectoryFile(>)  10 
NtAllocateVirtualMemory(>)  51 


NtSecureConnectPort(>)  1 
NtGdiCreateCompatibleDC(>)  3 
NtUserSystemParametersInfo(>)  10 
NtUserRegisterClassExWOW(>)  63 


NtSetSecurityObject(>)  1 
NtOpenMutant(>)  3 
NtFlushInstructionCache(>)  11 
NtUserGetClassInfo(>)  82 


NtTestAlert(>)  1 
NtSetInformationObject(>)  3 
NtQueryInformationProcess(>)  12 
NtOpenKey(>)  102 


NtUserCallNoParam(>)  1 
NtQueryVirtualMemory(>)  4 
NtQueryInformationFile(>)  13 
NtUserQueryWindow(>)  132 


NtUserCallOneParam(>)  1 
NtReleaseMutant(>)  4 
NtQueryDebugFilterState(>)  15 
NtClose(>)  154 





Trace:

 00001   392   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002   392   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00003   392   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00004   392   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1376256, 1048576, ) == 0x0
 00005   392   NtAllocateVirtualMemory  (-1, 1376256, 0, 4096, 4096, 4, ... 1376256, 4096, ) == 0x0
 00006   392   NtAllocateVirtualMemory  (-1, 1380352, 0, 8192, 4096, 4, ... 1380352, 8192, ) == 0x0
 00007   392   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00008   392   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2424832, 65536, ) == 0x0
 00009   392   NtAllocateVirtualMemory  (-1, 2424832, 0, 24576, 4096, 4, ... 2424832, 24576, ) == 0x0
 00010   392   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00011   392   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00012   392   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00013   392   NtClose  (12, ... ) == 0x0
 00014   392   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00015   392   NtQueryVolumeInformationFile  (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00016   392   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER
 00017   392   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018   392   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019   392   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0
 00020   392   NtClose  (16, ... ) == 0x0
 00021   392   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00022   392   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00023   392   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00024   392   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1385272, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2490368, 18219008}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1385272, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2490368, 18219008}, {0, 0, 0}, 200, 44, ) == 0x0
 00025   392   NtClose  (16, ... ) == 0x0
 00026   392   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00027   392   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00028   392   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00029   392   NtQueryVirtualMemory  (-1, 0x260000, Basic, 28, ... {BaseAddress=0x260000,AllocationBase=0x260000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00030   392   NtAllocateVirtualMemory  (-1, 2490368, 0, 4096, 4096, 4, ... 2490368, 4096, ) == 0x0
 00031   392   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\26\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\26\1\4\0\0\0" ... {28, 56, reply, 0, 384, 392, 1474, 0} "0B\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\26\1\4\0\0\0" )  ... {28, 56, reply, 0, 384, 392, 1474, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\26\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\26\1\4\0\0\0" ... {28, 56, reply, 0, 384, 392, 1474, 0} "0B\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\26\1\4\0\0\0" )  ) == 0x0
 00032   392   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00033   392   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00034   392   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00035   392   NtClose  (16, ... ) == 0x0
 00036   392   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00037   392   NtOpenMutant  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0
 00038   392   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 28, ) == 0x0
 00039   392   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x270000), 0x0, 90112, ) == 0x0
 00040   392   NtClose  (28, ... ) == 0x0
 00041   392   NtQueryDefaultLocale  (0, 2012046252, ... ) == 0x0
 00042   392   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0
 00043   392   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x290000), 0x0, 212992, ) == 0x0
 00044   392   NtClose  (28, ... ) == 0x0
 00045   392   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0
 00046   392   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2d0000), 0x0, 266240, ) == 0x0
 00047   392   NtQuerySection  (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00048   392   NtClose  (28, ... ) == 0x0
 00049   392   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0
 00050   392   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x320000), 0x0, 24576, ) == 0x0
 00051   392   NtClose  (28, ... ) == 0x0
 00052   392   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00053   392   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00054   392   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00055   392   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\26\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\26\18\6\0\0" ... {28, 56, reply, 0, 384, 392, 1488, 0} "\230\243\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\26\18\6\0\0" )  ... {28, 56, reply, 0, 384, 392, 1488, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\26\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\26\18\6\0\0" ... {28, 56, reply, 0, 384, 392, 1488, 0} "\230\243\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\26\18\6\0\0" )  ) == 0x0
 00056   392   NtProtectVirtualMemory  (-1, (0x45d000), 204800, 4, ... (0x45d000), 204800, 128, ) == 0x0
 00057   392   NtProtectVirtualMemory  (-1, (0x45d000), 204800, 128, ... (0x45d000), 204800, 4, ) == 0x0
 00058   392   NtFlushInstructionCache  (-1, 4575232, 204800, ... ) == 0x0
 00059   392   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "user32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00060   392   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0
 00061   392   NtClose  (28, ... ) == 0x0
 00062   392   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00063   392   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0
 00064   392   NtClose  (28, ... ) == 0x0
 00065   392   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00066   392   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0
 00067   392   NtClose  (28, ... ) == 0x0
 00068   392   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00069   392   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0
 00070   392   NtClose  (28, ... ) == 0x0
 00071   392   NtProtectVirtualMemory  (-1, (0x45d000), 204800, 4, ... (0x45d000), 204800, 64, ) == 0x0
 00072   392   NtProtectVirtualMemory  (-1, (0x45d000), 204800, 64, ... (0x45d000), 204800, 4, ) == 0x0
 00073   392   NtFlushInstructionCache  (-1, 4575232, 204800, ... ) == 0x0
 00074   392   NtOpenProcessToken  (-1, 0x8, ... 28, ) == 0x0
 00075   392   NtQueryInformationToken  (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00076   392   NtClose  (28, ... ) == 0x0
 00077   392   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00078   392   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00079   392   NtClose  (28, ... ) == 0x0
 00080   392   NtAllocateVirtualMemory  (-1, 1388544, 0, 4096, 4096, 4, ... 1388544, 4096, ) == 0x0
 00081   392   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00082   392   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00083   392   NtQueryValueKey  (28,  (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00084   392   NtClose  (28, ... ) == 0x0
 00085   392   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0
 00086   392   NtQueryValueKey  (28,  (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00087   392   NtClose  (28, ... ) == 0x0
 00088   392   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0
 00089   392   NtSetInformationObject  (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0
 00090   392   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00091   392   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00092   392   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0}  (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0} "\210\6\26\1\0\0\0\0\314\4\23\0!\215\30\34\3\0\0\0\234\6\26\1$\1\0\0" ... {28, 56, reply, 0, 384, 392, 1491, 0} "XQ\26\0\0\0\0\0\0\0\0\0!\215\30\34\3\0\0\0\234\6\26\1$\1\0\0" )  ... {28, 56, reply, 0, 384, 392, 1491, 0}  (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0} "\210\6\26\1\0\0\0\0\314\4\23\0!\215\30\34\3\0\0\0\234\6\26\1$\1\0\0" ... {28, 56, reply, 0, 384, 392, 1491, 0} "XQ\26\0\0\0\0\0\0\0\0\0!\215\30\34\3\0\0\0\234\6\26\1$\1\0\0" )  ) == 0x0
 00093   392   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00094   392   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x490000), 0x0, 1060864, ) == 0x0
 00095   392   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 36, ) == 0x0
 00096   392   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00097   392   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482028, ) == 0x0
 00098   392   NtQueryInformationToken  (-2147482028, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00099   392   NtQueryInformationToken  (-2147482028, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00100   392   NtClose  (-2147482028, ... ) == 0x0
 00101   392   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 5898240, 4096, ) == 0x0
 00102   392   NtFreeVirtualMemory  (-1, (0x5a0000), 4096, 32768, ... (0x5a0000), 4096, ) == 0x0
 00103   392   NtDuplicateObject  (-1, 40, -1, 0x0, 0, 2, ... 48, ) == 0x0
 00104   392   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482028, ) }, ... -2147482028, ) == 0x0
 00105   392   NtQueryValueKey  (-2147482028,  (-2147482028, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00106   392   NtClose  (-2147482028, ... ) == 0x0
 00107   392   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482028, ) }, ... -2147482028, ) == 0x0
 00108   392   NtQueryValueKey  (-2147482028,  (-2147482028, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00109   392   NtClose  (-2147482028, ... ) == 0x0
 00110   392   NtQueryDefaultLocale  (0, -136476148, ... ) == 0x0
 00111   392   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00112   392   NtUserCallNoParam  (24, ... ) == 0x0
 00113   392   NtGdiCreateCompatibleDC  (0, ...
 00114   392   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 5898240, 4096, ) == 0x0
 00113   392   NtGdiCreateCompatibleDC  ... ) == 0xb01040a
 00115   392   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00116   392   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00117   392   NtGdiCreateBitmap  (8, 8, 1, 1, 2010393708, ... ) == 0xc05040b
 00118   392   NtGdiCreateSolidBrush  (0, 0, ...
 00119   392   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 9109504, 4096, ) == 0x0
 00118   392   NtGdiCreateSolidBrush  ... ) == 0x121003e6
 00120   392   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00121   392   NtGdiCreateCompatibleDC  (0, ... ) == 0xd010409
 00122   392   NtGdiSelectBitmap  (218170377, 201655307, ... ) == 0x185000f
 00123   392   NtUserGetThreadDesktop  (392, 0, ... ) == 0x2c
 00124   392   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 52, ) }, ... 52, ) == 0x0
 00125   392   NtQueryValueKey  (52,  (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00126   392   NtClose  (52, ... ) == 0x0
 00127   392   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00128   392   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 673, 128, 0, ... ) == 0x810dc017
 00129   392   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00130   392   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 674, 128, 0, ... ) == 0x810dc01c
 00131   392   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00132   392   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 675, 128, 0, ... ) == 0x810dc01e
 00133   392   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00134   392   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 676, 128, 0, ... ) == 0x810d8002
 00135   392   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10013
 00136   392   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 677, 128, 0, ... ) == 0x810dc018
 00137   392   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00138   392   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 678, 128, 0, ... ) == 0x810dc01a
 00139   392   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00140   392   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 679, 128, 0, ... ) == 0x810dc01d
 00141   392   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00142   392   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 681, 128, 0, ...
 00143   392   NtAllocateVirtualMemory  (-1, 6057984, 0, 4096, 4096, 32, ... 6057984, 4096, ) == 0x0
 00142   392   NtUserRegisterClassExWOW  ... ) == 0x810dc026
 00144   392   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00145   392   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 680, 128, 0, ... ) == 0x810dc019
 00146   392   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc020
 00147   392   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810dc022
 00148   392   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc023
 00149   392   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810dc024
 00150   392   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc025
 00151   392   NtCallbackReturn  (0, 0, 0, ...
 00152   392   NtGdiInit  (... ) == 0x1
 00153   392   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00154   392   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00155   392   NtAllocateVirtualMemory  (-1, 0, 0, 18086, 4096, 4, ... 9175040, 20480, ) == 0x0
 00156   392   NtFreeVirtualMemory  (-1, (0x8c0000), 0, 32768, ... (0x8c0000), 20480, ) == 0x0
 00157   392   NtQueryVirtualMemory  (-1, 0x401000, Basic, 52, ... {BaseAddress=0x401000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0x23000,State=0x1000,Protect=0x80,Type=0x1000000,}, 28, ) == 0x0
 00158   392   NtQueryVirtualMemory  (-1, 0x45b2a7, Basic, 28, ... {BaseAddress=0x45b000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0x2000,State=0x1000,Protect=0x4,Type=0x1000000,}, 28, ) == 0x0
 00159   392   NtAllocateVirtualMemory  (-1, 1392640, 0, 4096, 4096, 4, ... 1392640, 4096, ) == 0x0
 00160   392   NtProtectVirtualMemory  (-1, (0x4001f0), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00161   392   NtProtectVirtualMemory  (-1, (0x4001f0), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00162   392   NtProtectVirtualMemory  (-1, (0x400218), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00163   392   NtProtectVirtualMemory  (-1, (0x400218), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00164   392   NtProtectVirtualMemory  (-1, (0x400240), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00165   392   NtProtectVirtualMemory  (-1, (0x400240), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00166   392   NtProtectVirtualMemory  (-1, (0x400268), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00167   392   NtProtectVirtualMemory  (-1, (0x400268), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00168   392   NtProtectVirtualMemory  (-1, (0x400290), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00169   392   NtProtectVirtualMemory  (-1, (0x400290), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00170   392   NtProtectVirtualMemory  (-1, (0x4002b8), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00171   392   NtProtectVirtualMemory  (-1, (0x4002b8), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00172   392   NtProtectVirtualMemory  (-1, (0x4002e0), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00173   392   NtProtectVirtualMemory  (-1, (0x4002e0), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00174   392   NtProtectVirtualMemory  (-1, (0x400308), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00175   392   NtProtectVirtualMemory  (-1, (0x400308), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00176   392   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00177   392   NtUserFindWindowEx  (0, 0,  (0, 0, "WispWindowClass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00178   392   NtUserBuildHwndList  (0, 0, 0, 0, 64, ... (0x100b8, 0x100b6, 0x100b4, 0x100b0, 0x100a2, 0x10080, 0x10076, 0x1006a, 0x3004c, 0x10068, 0x10066, 0x3003e, 0x1009a, 0x1008e, 0x1007e, 0x10026, 0x100cc, 0x100ca, 0x100c8, 0x100c6, 0x100c4, 0x100c2, 0x100be, 0x100bc, 0x100ae, 0x100ba, 0x100a8, 0x1006e, 0x50050, 0x40054, 0x5004e, 0x10084, 0x10078, 0x1, ), 34, ) == 0x0
 00179   392   NtUserQueryWindow  (65720, 0, ... ) == 0xbc
 00180   392   NtUserQueryWindow  (65720, 1, ... ) == 0xf0
 00181   392   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {188, 0}, ... 52, ) == 0x0
 00182   392   NtReadVirtualMemory  (52, 0x400000, 64, ...  (52, 0x400000, 64, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \1\0\0", 64, ) , 64, ) == 0x0
 00183   392   NtReadVirtualMemory  (52, 0x4b1c86, 4, ...  (52, 0x4b1c86, 4, ... "\0\0\0\0", 4, ) , 4, ) == 0x0
 00184   392   NtReadVirtualMemory  (52, 0x4c91a0, 256, ...  (52, 0x4c91a0, 256, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, ) , 256, ) == 0x0
 00185   392   NtClose  (52, ... ) == 0x0
 00186   392   NtUserQueryWindow  (65718, 0, ... ) == 0xbc
 00187   392   NtUserQueryWindow  (65718, 1, ... ) == 0xf0
 00188   392   NtUserQueryWindow  (65716, 0, ... ) == 0xbc
 00189   392   NtUserQueryWindow  (65716, 1, ... ) == 0xf0
 00190   392   NtUserQueryWindow  (65712, 0, ... ) == 0xbc
 00191   392   NtUserQueryWindow  (65712, 1, ... ) == 0xf0
 00192   392   NtUserQueryWindow  (65698, 0, ... ) == 0x7e8
 00193   392   NtUserQueryWindow  (65698, 1, ... ) == 0x7fc
 00194   392   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {2024, 0}, ... 52, ) == 0x0
 00195   392   NtReadVirtualMemory  (52, 0x400000, 64, ...  (52, 0x400000, 64, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 64, ) , 64, ) == 0x0
 00196   392   NtReadVirtualMemory  (52, 0x4b1c86, 4, ...
 00197   392   NtContinue  (-136479588, 0, ...
 00196   392   NtReadVirtualMemory  ... ) == STATUS_PARTIAL_COPY
 00198   392   NtReadVirtualMemory  (52, 0x4c91a0, 256, ...
 00199   392   NtContinue  (-136479588, 0, ...
 00198   392   NtReadVirtualMemory  ... ) == STATUS_PARTIAL_COPY
 00200   392   NtClose  (52, ... ) == 0x0
 00201   392   NtUserQueryWindow  (65664, 0, ... ) == 0x7e8
 00202   392   NtUserQueryWindow  (65664, 1, ... ) == 0x7fc
 00203   392   NtUserQueryWindow  (65654, 0, ... ) == 0x7e8
 00204   392   NtUserQueryWindow  (65654, 1, ... ) == 0x7fc
 00205   392   NtUserQueryWindow  (65642, 0, ... ) == 0x7e8
 00206   392   NtUserQueryWindow  (65642, 1, ... ) == 0x7fc
 00207   392   NtUserQueryWindow  (196684, 0, ... ) == 0x7e8
 00208   392   NtUserQueryWindow  (196684, 1, ... ) == 0x7fc
 00209   392   NtUserQueryWindow  (65640, 0, ... ) == 0x7e8
 00210   392   NtUserQueryWindow  (65640, 1, ... ) == 0x7fc
 00211   392   NtUserQueryWindow  (65638, 0, ... ) == 0x7e8
 00212   392   NtUserQueryWindow  (65638, 1, ... ) == 0x7fc
 00213   392   NtUserQueryWindow  (196670, 0, ... ) == 0x7e8
 00214   392   NtUserQueryWindow  (196670, 1, ... ) == 0x7fc
 00215   392   NtUserQueryWindow  (65690, 0, ... ) == 0x7e8
 00216   392   NtUserQueryWindow  (65690, 1, ... ) == 0x7fc
 00217   392   NtUserQueryWindow  (65678, 0, ... ) == 0x7e8
 00218   392   NtUserQueryWindow  (65678, 1, ... ) == 0x7fc
 00219   392   NtUserQueryWindow  (65662, 0, ... ) == 0x7e8
 00220   392   NtUserQueryWindow  (65662, 1, ... ) == 0x7ec
 00221   392   NtUserQueryWindow  (65574, 0, ... ) == 0x268
 00222   392   NtUserQueryWindow  (65574, 1, ... ) == 0x2c0
 00223   392   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {616, 0}, ... 52, ) == 0x0
 00224   392   NtReadVirtualMemory  (52, 0x400000, 64, ...  (52, 0x400000, 64, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 64, ) , 64, ) == 0x0
 00225   392   NtReadVirtualMemory  (52, 0x4b1c86, 4, ...  (52, 0x4b1c86, 4, ... "\0\0\0\0", 4, ) , 4, ) == 0x0
 00226   392   NtReadVirtualMemory  (52, 0x4c91a0, 256, ...  (52, 0x4c91a0, 256, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, ) , 256, ) == 0x0
 00227   392   NtClose  (52, ... ) == 0x0
 00228   392   NtUserQueryWindow  (65740, 0, ... ) == 0xf4
 00229   392   NtUserQueryWindow  (65740, 1, ... ) == 0xf8
 00230   392   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {244, 0}, ... 52, ) == 0x0
 00231   392   NtReadVirtualMemory  (52, 0x400000, 64, ...  (52, 0x400000, 64, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\0", 64, ) , 64, ) == 0x0
 00232   392   NtReadVirtualMemory  (52, 0x4b1c86, 4, ...  (52, 0x4b1c86, 4, ... "\377\0\377\377", 4, ) , 4, ) == 0x0
 00233   392   NtReadVirtualMemory  (52, 0x4c91a0, 256, ...  (52, 0x4c91a0, 256, ... "\210fvx\210x\206wfvGe$\306d\21\26\210ls\210\210\250g\207\210hhx\207xhvwdfF|d\21\27\210\206hx\250\252\206\210\207v\207\210x\207\207gfv4F\306G\21\21\210\206\207\210\212\250\250h\210\207x\210\210wvwgFD$d!\21\21x\250g\210\212\252\250\206\210\207w\210\207\207wvvgBGd\21\21\21\210\212\203\210\250\252\212\210x\210w\210\210xwgcd%F\1\21\21\21\27\212\250\210\212\252\252\210f\210\207x\210\207w7fR@`\21\21\21\21\21\210\2508\212\252\250\250\210gw\21088vvu$$!\21\21\21\21\21\30\210\210\210\212\252\210\206vgw\210\203wsb`\7\21\21\21\21\21\21\21\210\203\210\210\210\210\207vvwwwsf4\7\21\21\21\21\21\21\21\21\30\210\210\210\210\210wGwvwww5\2\21\21\21\21\21\21", 256, ) , 256, ) == 0x0
 00234   392   NtClose  (52, ... ) == 0x0
 00235   392   NtUserQueryWindow  (65738, 0, ... ) == 0xf4
 00236   392   NtUserQueryWindow  (65738, 1, ... ) == 0xf8
 00237   392   NtUserQueryWindow  (65736, 0, ... ) == 0xf4
 00238   392   NtUserQueryWindow  (65736, 1, ... ) == 0xf8
 00239   392   NtUserQueryWindow  (65734, 0, ... ) == 0xf4
 00240   392   NtUserQueryWindow  (65734, 1, ... ) == 0xf8
 00241   392   NtUserQueryWindow  (65732, 0, ... ) == 0xf4
 00242   392   NtUserQueryWindow  (65732, 1, ... ) == 0xf8
 00243   392   NtUserQueryWindow  (65730, 0, ... ) == 0xf4
 00244   392   NtUserQueryWindow  (65730, 1, ... ) == 0xf8
 00245   392   NtUserQueryWindow  (65726, 0, ... ) == 0xf4
 00246   392   NtUserQueryWindow  (65726, 1, ... ) == 0xf8
 00247   392   NtUserQueryWindow  (65724, 0, ... ) == 0xf4
 00248   392   NtUserQueryWindow  (65724, 1, ... ) == 0xf8
 00249   392   NtUserQueryWindow  (65710, 0, ... ) == 0xec
 00250   392   NtUserQueryWindow  (65710, 1, ... ) == 0x100
 00251   392   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {236, 0}, ... 52, ) == 0x0
 00252   392   NtReadVirtualMemory  (52, 0x400000, 64, ...  (52, 0x400000, 64, ... "\301\0\0\0\0\1\0\0\377\356\377\356\11\0\0\0\11\0\0\0\0\376\0\0\0\0\20\0\0 \0\0\0\2\0\0\0 \0\0q\0\0\0\377\357\375\177\0\0\10\6\0\0\0\0\0\0\0\0\0\0\0\0", 64, ) , 64, ) == 0x0
 00253   392   NtReadVirtualMemory  (52, 0x4b1c86, 4, ...  (52, 0x4b1c86, 4, ... "\0\0\0\0", 4, ) , 4, ) == 0x0
 00254   392   NtReadVirtualMemory  (52, 0x4c91a0, 256, ...  (52, 0x4c91a0, 256, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, ) , 256, ) == 0x0
 00255   392   NtClose  (52, ... ) == 0x0
 00256   392   NtUserQueryWindow  (65722, 0, ... ) == 0xbc
 00257   392   NtUserQueryWindow  (65722, 1, ... ) == 0xf0
 00258   392   NtUserQueryWindow  (65704, 0, ... ) == 0xe0
 00259   392   NtUserQueryWindow  (65704, 1, ... ) == 0xa0
 00260   392   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {224, 0}, ... 52, ) == 0x0
 00261   392   NtReadVirtualMemory  (52, 0x400000, 64, ...  (52, 0x400000, 64, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0", 64, ) , 64, ) == 0x0
 00262   392   NtReadVirtualMemory  (52, 0x4b1c86, 4, ...
 00263   392   NtContinue  (-136479588, 0, ...
 00262   392   NtReadVirtualMemory  ... ) == STATUS_PARTIAL_COPY
 00264   392   NtReadVirtualMemory  (52, 0x4c91a0, 256, ...
 00265   392   NtContinue  (-136479588, 0, ...
 00264   392   NtReadVirtualMemory  ... ) == STATUS_PARTIAL_COPY
 00266   392   NtClose  (52, ... ) == 0x0
 00267   392   NtUserQueryWindow  (65646, 0, ... ) == 0x7e8
 00268   392   NtUserQueryWindow  (65646, 1, ... ) == 0x9c
 00269   392   NtUserQueryWindow  (327760, 0, ... ) == 0x7e8
 00270   392   NtUserQueryWindow  (327760, 1, ... ) == 0x7ec
 00271   392   NtUserQueryWindow  (262228, 0, ... ) == 0x7e8
 00272   392   NtUserQueryWindow  (262228, 1, ... ) == 0x7ec
 00273   392   NtUserQueryWindow  (327758, 0, ... ) == 0x7e8
 00274   392   NtUserQueryWindow  (327758, 1, ... ) == 0x7ec
 00275   392   NtUserQueryWindow  (65668, 0, ... ) == 0x7e8
 00276   392   NtUserQueryWindow  (65668, 1, ... ) == 0x7ec
 00277   392   NtUserQueryWindow  (65656, 0, ... ) == 0x7e8
 00278   392   NtUserQueryWindow  (65656, 1, ... ) == 0x7ec
 00279   392   NtRaiseException  (1242696, 1241956, 1, ...
 00280   392   NtContinue  (1240752, 0, ...
 00281   392   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 52, ) }, ... 52, ) == 0x0
 00282   392   NtOpenMutant  (0x120001, {24, 52, 0x2, 0, 0,  (0x120001, {24, 52, 0x2, 0, 0, "DBWinMutex"}, ... 56, ) }, ... 56, ) == 0x0
 00283   392   NtWaitForSingleObject  (56, 0, 0x0, ... ) == 0x0
 00284   392   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00285   392   NtReleaseMutant  (56, ... 0x0, ) == 0x0
 00286   392   NtDuplicateObject  (-1, 2518, -1, 0x0, 0, 2, ... ) == STATUS_INVALID_HANDLE
 00287   392   NtClose  (0, ... ) == STATUS_INVALID_HANDLE
 00288   392   NtClose  (0, ... ) == STATUS_INVALID_HANDLE
 00289   392   NtUserBuildHwndList  (0, 0, 0, 0, 64, ... (0x100b8, 0x100b6, 0x100b4, 0x100b0, 0x100a2, 0x10080, 0x10076, 0x1006a, 0x3004c, 0x10068, 0x10066, 0x3003e, 0x1009a, 0x1008e, 0x1007e, 0x10026, 0x100cc, 0x100ca, 0x100c8, 0x100c6, 0x100c4, 0x100c2, 0x100be, 0x100bc, 0x100ae, 0x100ba, 0x100a8, 0x1006e, 0x50050, 0x40054, 0x5004e, 0x10084, 0x10078, 0x1, ), 34, ) == 0x0
 00290   392   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00291   392   NtUserFindWindowEx  (0, 0,  (0, 0, "WispWindowClass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00292   392   NtUserBuildHwndList  (0, 0, 0, 0, 64, ... (0x100b8, 0x100b6, 0x100b4, 0x100b0, 0x100a2, 0x10080, 0x10076, 0x1006a, 0x3004c, 0x10068, 0x10066, 0x3003e, 0x1009a, 0x1008e, 0x1007e, 0x10026, 0x100cc, 0x100ca, 0x100c8, 0x100c6, 0x100c4, 0x100c2, 0x100be, 0x100bc, 0x100ae, 0x100ba, 0x100a8, 0x1006e, 0x50050, 0x40054, 0x5004e, 0x10084, 0x10078, 0x1, ), 34, ) == 0x0
 00293   392   NtUserQueryWindow  (65720, 0, ... ) == 0xbc
 00294   392   NtUserQueryWindow  (65720, 1, ... ) == 0xf0
 00295   392   NtUserQueryWindow  (65718, 0, ... ) == 0xbc
 00296   392   NtUserQueryWindow  (65718, 1, ... ) == 0xf0
 00297   392   NtUserQueryWindow  (65716, 0, ... ) == 0xbc
 00298   392   NtUserQueryWindow  (65716, 1, ... ) == 0xf0
 00299   392   NtUserQueryWindow  (65712, 0, ... ) == 0xbc
 00300   392   NtUserQueryWindow  (65712, 1, ... ) == 0xf0
 00301   392   NtUserQueryWindow  (65698, 0, ... ) == 0x7e8
 00302   392   NtUserQueryWindow  (65698, 1, ... ) == 0x7fc
 00303   392   NtUserQueryWindow  (65664, 0, ... ) == 0x7e8
 00304   392   NtUserQueryWindow  (65664, 1, ... ) == 0x7fc
 00305   392   NtUserQueryWindow  (65654, 0, ... ) == 0x7e8
 00306   392   NtUserQueryWindow  (65654, 1, ... ) == 0x7fc
 00307   392   NtUserQueryWindow  (65642, 0, ... ) == 0x7e8
 00308   392   NtUserQueryWindow  (65642, 1, ... ) == 0x7fc
 00309   392   NtUserQueryWindow  (196684, 0, ... ) == 0x7e8
 00310   392   NtUserQueryWindow  (196684, 1, ... ) == 0x7fc
 00311   392   NtUserQueryWindow  (65640, 0, ... ) == 0x7e8
 00312   392   NtUserQueryWindow  (65640, 1, ... ) == 0x7fc
 00313   392   NtUserQueryWindow  (65638, 0, ... ) == 0x7e8
 00314   392   NtUserQueryWindow  (65638, 1, ... ) == 0x7fc
 00315   392   NtUserQueryWindow  (196670, 0, ... ) == 0x7e8
 00316   392   NtUserQueryWindow  (196670, 1, ... ) == 0x7fc
 00317   392   NtUserQueryWindow  (65690, 0, ... ) == 0x7e8
 00318   392   NtUserQueryWindow  (65690, 1, ... ) == 0x7fc
 00319   392   NtUserQueryWindow  (65678, 0, ... ) == 0x7e8
 00320   392   NtUserQueryWindow  (65678, 1, ... ) == 0x7fc
 00321   392   NtUserQueryWindow  (65662, 0, ... ) == 0x7e8
 00322   392   NtUserQueryWindow  (65662, 1, ... ) == 0x7ec
 00323   392   NtUserQueryWindow  (65574, 0, ... ) == 0x268
 00324   392   NtUserQueryWindow  (65574, 1, ... ) == 0x2c0
 00325   392   NtUserQueryWindow  (65740, 0, ... ) == 0xf4
 00326   392   NtUserQueryWindow  (65740, 1, ... ) == 0xf8
 00327   392   NtUserQueryWindow  (65738, 0, ... ) == 0xf4
 00328   392   NtUserQueryWindow  (65738, 1, ... ) == 0xf8
 00329   392   NtUserQueryWindow  (65736, 0, ... ) == 0xf4
 00330   392   NtUserQueryWindow  (65736, 1, ... ) == 0xf8
 00331   392   NtUserQueryWindow  (65734, 0, ... ) == 0xf4
 00332   392   NtUserQueryWindow  (65734, 1, ... ) == 0xf8
 00333   392   NtUserQueryWindow  (65732, 0, ... ) == 0xf4
 00334   392   NtUserQueryWindow  (65732, 1, ... ) == 0xf8
 00335   392   NtUserQueryWindow  (65730, 0, ... ) == 0xf4
 00336   392   NtUserQueryWindow  (65730, 1, ... ) == 0xf8
 00337   392   NtUserQueryWindow  (65726, 0, ... ) == 0xf4
 00338   392   NtUserQueryWindow  (65726, 1, ... ) == 0xf8
 00339   392   NtUserQueryWindow  (65724, 0, ... ) == 0xf4
 00340   392   NtUserQueryWindow  (65724, 1, ... ) == 0xf8
 00341   392   NtUserQueryWindow  (65710, 0, ... ) == 0xec
 00342   392   NtUserQueryWindow  (65710, 1, ... ) == 0x100
 00343   392   NtUserQueryWindow  (65722, 0, ... ) == 0xbc
 00344   392   NtUserQueryWindow  (65722, 1, ... ) == 0xf0
 00345   392   NtUserQueryWindow  (65704, 0, ... ) == 0xe0
 00346   392   NtUserQueryWindow  (65704, 1, ... ) == 0xa0
 00347   392   NtUserQueryWindow  (65646, 0, ... ) == 0x7e8
 00348   392   NtUserQueryWindow  (65646, 1, ... ) == 0x9c
 00349   392   NtUserQueryWindow  (327760, 0, ... ) == 0x7e8
 00350   392   NtUserQueryWindow  (327760, 1, ... ) == 0x7ec
 00351   392   NtUserQueryWindow  (262228, 0, ... ) == 0x7e8
 00352   392   NtUserQueryWindow  (262228, 1, ... ) == 0x7ec
 00353   392   NtUserQueryWindow  (327758, 0, ... ) == 0x7e8
 00354   392   NtUserQueryWindow  (327758, 1, ... ) == 0x7ec
 00355   392   NtUserQueryWindow  (65668, 0, ... ) == 0x7e8
 00356   392   NtUserQueryWindow  (65668, 1, ... ) == 0x7ec
 00357   392   NtUserQueryWindow  (65656, 0, ... ) == 0x7e8
 00358   392   NtUserQueryWindow  (65656, 1, ... ) == 0x7ec
 00359   392   NtRaiseException  (1242640, 1241900, 1, ...
 00360   392   NtContinue  (1240696, 0, ...
 00361   392   NtWaitForSingleObject  (56, 0, 0x0, ... ) == 0x0
 00362   392   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00363   392   NtReleaseMutant  (56, ... 0x0, ) == 0x0
 00364   392   NtDuplicateObject  (-1, 2221, -1, 0x0, 0, 2, ... ) == STATUS_INVALID_HANDLE
 00365   392   NtClose  (0, ... ) == STATUS_INVALID_HANDLE
 00366   392   NtClose  (0, ... ) == STATUS_INVALID_HANDLE
 00367   392   NtUserBuildHwndList  (0, 0, 0, 0, 64, ... (0x100b8, 0x100b6, 0x100b4, 0x100b0, 0x100a2, 0x10080, 0x10076, 0x1006a, 0x3004c, 0x10068, 0x10066, 0x3003e, 0x1009a, 0x1008e, 0x1007e, 0x10026, 0x100cc, 0x100ca, 0x100c8, 0x100c6, 0x100c4, 0x100c2, 0x100be, 0x100bc, 0x100ae, 0x100ba, 0x100a8, 0x1006e, 0x50050, 0x40054, 0x5004e, 0x10084, 0x10078, 0x1, ), 34, ) == 0x0
 00368   392   NtSetSecurityObject  (-1, 4, {1, 0, 0x4, 0, 0, 0, 1242476}, ... ) == 0x0
 00369   392   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 60, ) }, ... 60, ) == 0x0
 00370   392   NtQueryValueKey  (60,  (60, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00371   392   NtClose  (60, ... ) == 0x0
 00372   392   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MPR.dll"}, ... 60, ) }, ... 60, ) == 0x0
 00373   392   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71b20000), 0x0, 69632, ) == 0x0
 00374   392   NtClose  (60, ... ) == 0x0
 00375   392   NtCreateSemaphore  (0x1f0003, 0x0, 1, 1, ... 60, ) == 0x0
 00376   392   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 64, ) == 0x0
 00377   392   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "system\CurrentControlSet\control\NetworkProvider\HwOrder"}, ... 68, ) }, ... 68, ) == 0x0
 00378   392   NtNotifyChangeKey  (68, 64, 0, 0, 2011390432, 4, 0, 0, 0, 1, ... ) == 0x103
 00379   392   NtQueryInformationProcess  (-1, 28, 4, ... {process info, class 28, size 4}, 0x0, ) == 0x0
 00380   392   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 72, ) == 0x0
 00381   392   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 76, ) == 0x0
 00382   392   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ODBC32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00383   392   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\ODBC32.dll"}, 1241484, ... ) }, 1241484, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00384   392   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "ODBC32.dll"}, 1241484, ... ) }, 1241484, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00385   392   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ODBC32.dll"}, 1241484, ... ) }, 1241484, ... ) == 0x0
 00386   392   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ODBC32.dll"}, 5, 96, ... 80, {status=0x0, info=1}, ) }, 5, 96, ... 80, {status=0x0, info=1}, ) == 0x0
 00387   392   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 80, ... 84, ) == 0x0
 00388   392   NtQuerySection  (84, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00389   392   NtOpenProcessToken  (-1, 0x8, ... 88, ) == 0x0
 00390   392   NtQueryInformationToken  (88, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00391   392   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00392   392   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 92, ) }, ... 92, ) == 0x0
 00393   392   NtQueryValueKey  (92,  (92, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (92, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00394   392   NtClose  (92, ... ) == 0x0
 00395   392   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00396   392   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 92, ) == 0x0
 00397   392   NtQueryInformationToken  (92, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00398   392   NtClose  (92, ... ) == 0x0
 00399   392   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00400   392   NtClose  (88, ... ) == 0x0
 00401   392   NtClose  (80, ... ) == 0x0
 00402   392   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x1f7b0000), 0x0, 200704, ) == 0x0
 00403   392   NtClose  (84, ... ) == 0x0
 00404   392   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "COMCTL32.dll"}, ... 84, ) }, ... 84, ) == 0x0
 00405   392   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0
 00406   392   NtClose  (84, ... ) == 0x0
 00407   392   NtProtectVirtualMemory  (-1, (0x1f7b1000), 724, 4, ... (0x1f7b1000), 4096, 32, ) == 0x0
 00408   392   NtProtectVirtualMemory  (-1, (0x1f7b1000), 4096, 32, ... (0x1f7b1000), 4096, 4, ) == 0x0
 00409   392   NtFlushInstructionCache  (-1, 528158720, 724, ... ) == 0x0
 00410   392   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "comdlg32.dll"}, ... 84, ) }, ... 84, ) == 0x0
 00411   392   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x763b0000), 0x0, 282624, ) == 0x0
 00412   392   NtClose  (84, ... ) == 0x0
 00413   392   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 84, ) }, ... 84, ) == 0x0
 00414   392   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x772d0000), 0x0, 405504, ) == 0x0
 00415   392   NtClose  (84, ... ) == 0x0
 00416   392   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 84, ) }, ... 84, ) == 0x0
 00417   392   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0
 00418   392   NtClose  (84, ... ) == 0x0
 00419   392   NtProtectVirtualMemory  (-1, (0x763b1000), 1536, 4, ... (0x763b1000), 4096, 32, ) == 0x0
 00420   392   NtProtectVirtualMemory  (-1, (0x763b1000), 4096, 32, ... (0x763b1000), 4096, 4, ) == 0x0
 00421   392   NtFlushInstructionCache  (-1, 1983582208, 1536, ... ) == 0x0
 00422   392   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHELL32.dll"}, ... 84, ) }, ... 84, ) == 0x0
 00423   392   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 8339456, ) == 0x0
 00424   392   NtClose  (84, ... ) == 0x0
 00425   392   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {384, 0}, ... 84, ) == 0x0
 00426   392   NtQueryInformationProcess  (84, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 00427   392   NtClose  (84, ... ) == 0x0
 00428   392   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00429   392   NtUserSystemParametersInfo  (104, 0, 2000318720, 0, ... ) == 0x1
 00430   392   NtUserSystemParametersInfo  (38, 4, 2000318708, 0, ... ) == 0x1
 00431   392   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00432   392   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 84, ) == 0x0
 00433   392   NtQueryInformationToken  (84, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00434   392   NtClose  (84, ... ) == 0x0
 00435   392   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 84, ) }, ... 84, ) == 0x0
 00436   392   NtSetInformationObject  (84, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 00437   392   NtOpenKey  (0x20019, {24, 84, 0x40, 0, 0,  (0x20019, {24, 84, 0x40, 0, 0, "Control Panel\Desktop"}, ... 80, ) }, ... 80, ) == 0x0
 00438   392   NtQueryValueKey  (80,  (80, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00439   392   NtClose  (80, ... ) == 0x0
 00440   392   NtUserSystemParametersInfo  (41, 500, 1241216, 0, ... ) == 0x1
 00441   392   NtUserSystemParametersInfo  (102, 0, 2000318732, 0, ... ) == 0x1
 00442   392   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00443   392   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00444   392   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc03b
 00445   392   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00446   392   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc03d
 00447   392   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00448   392   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00449   392   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc03f
 00450   392   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00451   392   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00452   392   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc041
 00453   392   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00454   392   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00455   392   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc043
 00456   392   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00457   392   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc045
 00458   392   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00459   392   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00460   392   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc047
 00461   392   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00462   392   NtUserFindExistingCursorIcon  (1241004, 1241020, 1241588, ... ) == 0x10011
 00463   392   NtUserRegisterClassExWOW  (1241456, 1241536, 1241520, 1241552, 0, 384, 0, ... ) == 0x810dc049
 00464   392   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00465   392   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00466   392   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc04b
 00467   392   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00468   392   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00469   392   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc04d
 00470   392   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00471   392   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00472   392   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc04f
 00473   392   NtUserGetClassInfo  (1999896576, 1241628, 1241580, 1241656, 0, ... ) == 0x0
 00474   392   NtUserRegisterClassExWOW  (1241464, 1241544, 1241528, 1241560, 0, 384, 0, ... ) == 0x810dc051
 00475   392   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00476   392   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00477   392   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc053
 00478   392   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00479   392   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00480   392   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc055
 00481   392   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc057
 00482   392   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00483   392   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00484   392   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc059
 00485   392   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00486   392   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10013
 00487   392   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc05b
 00488   392   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00489   392   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00490   392   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc05d
 00491   392   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00492   392   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00493   392   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc05f
 00494   392   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00495   392   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 9175040, 65536, ) == 0x0
 00496   392   NtAllocateVirtualMemory  (-1, 9175040, 0, 4096, 4096, 4, ... 9175040, 4096, ) == 0x0
 00497   392   NtAllocateVirtualMemory  (-1, 9179136, 0, 8192, 4096, 4, ... 9179136, 8192, ) == 0x0
 00498   392   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 80, ) }, ... 80, ) == 0x0
 00499   392   NtMapViewOfSection  (80, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x8d0000), 0x0, 12288, ) == 0x0
 00500   392   NtClose  (80, ... ) == 0x0
 00501   392   NtAllocateVirtualMemory  (-1, 9187328, 0, 4096, 4096, 4, ... 9187328, 4096, ) == 0x0
 00502   392   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00503   392   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 80, ) }, ... 80, ) == 0x0
 00504   392   NtQueryValueKey  (80,  (80, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00505   392   NtClose  (80, ... ) == 0x0
 00506   392   NtQueryDefaultUILanguage  (1239840, ...
 00507   392   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00508   392   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 00509   392   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00510   392   NtClose  (-2147482020, ... ) == 0x0
 00511   392   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00512   392   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00513   392   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00514   392   NtQueryValueKey  (-2147482032,  (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00515   392   NtClose  (-2147482032, ... ) == 0x0
 00516   392   NtClose  (-2147482020, ... ) == 0x0
 00506   392   NtQueryDefaultUILanguage  ... ) == 0x0
 00517   392   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00518   392   NtQueryInstallUILanguage  (2012047340, ... ) == 0x0
 00519   392   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1, 96, ... 80, {status=0x0, info=1}, ) }, 1, 96, ... 80, {status=0x0, info=1}, ) == 0x0
 00520   392   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 80, ... 88, ) == 0x0
 00521   392   NtMapViewOfSection  (88, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x8e0000), 0x0, 8323072, ) == 0x0
 00522   392   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00523   392   NtQueryDefaultUILanguage  (2013024600, ...
 00524   392   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00525   392   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 00526   392   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00527   392   NtClose  (-2147482020, ... ) == 0x0
 00528   392   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00529   392   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00530   392   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00531   392   NtQueryValueKey  (-2147482032,  (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00532   392   NtClose  (-2147482032, ... ) == 0x0
 00533   392   NtClose  (-2147482020, ... ) == 0x0
 00523   392   NtQueryDefaultUILanguage  ... ) == 0x0
 00534   392   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00535   392   NtQueryInstallUILanguage  (2013024602, ... ) == 0x0
 00536   392   NtQueryDefaultLocale  (1, 1237876, ... ) == 0x0
 00537   392   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00538   392   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1238732, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1238732, 1, 96, 0} "\210\6\26\1\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\26\1P\0\0\0\377\377\377\377\0\0\0\0\20\311\305\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\26\1\0\0\0\0\0\0\0\0\314\355\22\0\0\0\0\0" ... {128, 156, reply, 0, 384, 392, 1513, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\26\1P\0\0\0\377\377\377\377\0\0\0\0\20\311\305\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\26\1\0\0\0\0\0\0\0\0\314\355\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 384, 392, 1513, 0}  (24, {128, 156, new_msg, 0, 1238732, 1, 96, 0} "\210\6\26\1\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\26\1P\0\0\0\377\377\377\377\0\0\0\0\20\311\305\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\26\1\0\0\0\0\0\0\0\0\314\355\22\0\0\0\0\0" ... {128, 156, reply, 0, 384, 392, 1513, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\26\1P\0\0\0\377\377\377\377\0\0\0\0\20\311\305\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\26\1\0\0\0\0\0\0\0\0\314\355\22\0\0\0\0\0" )  ) == 0x0
 00539   392   NtClose  (80, ... ) == 0x0
 00540   392   NtClose  (88, ... ) == 0x0
 00541   392   NtUnmapViewOfSection  (-1, 0x8e0000, ... ) == 0x0
 00542   392   NtUnmapViewOfSection  (-1, 0x12edcc, ... ) == STATUS_NOT_MAPPED_VIEW
 00543   392   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00544   392   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00545   392   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00546   392   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00547   392   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1236960, ... ) }, 1236960, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00548   392   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00549   392   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00550   392   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00551   392   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1237552, ... ) }, 1237552, ... ) == 0x0
 00552   392   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 88, {status=0x0, info=1}, ) }, 3, 33, ... 88, {status=0x0, info=1}, ) == 0x0
 00553   392   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00554   392   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 80, {status=0x0, info=1}, ) }, 5, 96, ... 80, {status=0x0, info=1}, ) == 0x0
 00555   392   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 80, ... 92, ) == 0x0
 00556   392   NtClose  (80, ... ) == 0x0
 00557   392   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x8e0000), 0x0, 921600, ) == 0x0
 00558   392   NtClose  (92, ... ) == 0x0
 00559   392   NtUnmapViewOfSection  (-1, 0x8e0000, ... ) == 0x0
 00560   392   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 92, {status=0x0, info=1}, ) }, 5, 96, ... 92, {status=0x0, info=1}, ) == 0x0
 00561   392   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 92, ... 80, ) == 0x0
 00562   392   NtQuerySection  (80, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00563   392   NtClose  (92, ... ) == 0x0
 00564   392   NtMapViewOfSection  (80, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0
 00565   392   NtClose  (80, ... ) == 0x0
 00566   392   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00567   392   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00568   392   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00569   392   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00570   392   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00571   392   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00572   392   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00573   392   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00574   392   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00575   392   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00576   392   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00577   392   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00578   392   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00579   392   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00580   392   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00581   392   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00582   392   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00583   392   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00584   392   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00585   392   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00586   392   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00587   392   NtAddAtom  ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1238736, ... ) , 42, 1238736, ... ) == 0x0
 00588   392   NtQueryDefaultUILanguage  (1237452, ...
 00589   392   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00590   392   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 00591   392   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00592   392   NtClose  (-2147482020, ... ) == 0x0
 00593   392   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00594   392   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00595   392   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00596   392   NtQueryValueKey  (-2147482032,  (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00597   392   NtClose  (-2147482032, ... ) == 0x0
 00598   392   NtClose  (-2147482020, ... ) == 0x0
 00588   392   NtQueryDefaultUILanguage  ... ) == 0x0
 00599   392   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00600   392   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1236304, ... ) }, 1236304, ... ) == 0x0
 00601   392   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 80, {status=0x0, info=1}, ) }, 5, 96, ... 80, {status=0x0, info=1}, ) == 0x0
 00602   392   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 80, ... 92, ) == 0x0
 00603   392   NtClose  (80, ... ) == 0x0
 00604   392   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x8e0000), 0x0, 4096, ) == 0x0
 00605   392   NtClose  (92, ... ) == 0x0
 00606   392   NtUnmapViewOfSection  (-1, 0x8e0000, ... ) == 0x0
 00607   392   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1235944, ... ) }, 1235944, ... ) == 0x0
 00608   392   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1236644,  (0x80100080, {24, 0, 0x40, 0, 1236644, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 92, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 92, {status=0x0, info=1}, ) == 0x0
 00609   392   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 92, ... 80, ) == 0x0
 00610   392   NtClose  (92, ... ) == 0x0
 00611   392   NtMapViewOfSection  (80, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x8e0000), {0, 0}, 4096, ) == 0x0
 00612   392   NtClose  (80, ... ) == 0x0
 00613   392   NtUnmapViewOfSection  (-1, 0x8e0000, ... ) == 0x0
 00614   392   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 80, {status=0x0, info=1}, ) }, 1, 96, ... 80, {status=0x0, info=1}, ) == 0x0
 00615   392   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 80, ... 92, ) == 0x0
 00616   392   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x8e0000), 0x0, 4096, ) == 0x0
 00617   392   NtQueryInformationFile  (80, 1236264, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0
 00618   392   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00619   392   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1236344, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1236344, 1, 96, 0} "\210\6\26\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\26\1P\0\0\0\\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\26\1\0\0\0\0\0\0\0\0x\344\22\0\0\0\0\0" ... {128, 156, reply, 0, 384, 392, 1514, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\26\1P\0\0\0\\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\26\1\0\0\0\0\0\0\0\0x\344\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 384, 392, 1514, 0}  (24, {128, 156, new_msg, 0, 1236344, 1, 96, 0} "\210\6\26\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\26\1P\0\0\0\\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\26\1\0\0\0\0\0\0\0\0x\344\22\0\0\0\0\0" ... {128, 156, reply, 0, 384, 392, 1514, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\26\1P\0\0\0\\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\26\1\0\0\0\0\0\0\0\0x\344\22\0\0\0\0\0" )  ) == 0x0
 00620   392   NtClose  (80, ... ) == 0x0
 00621   392   NtClose  (92, ... ) == 0x0
 00622   392   NtUnmapViewOfSection  (-1, 0x8e0000, ... ) == 0x0
 00623   392   NtUnmapViewOfSection  (-1, 0x12e478, ... ) == STATUS_NOT_MAPPED_VIEW
 00624   392   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00625   392   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00626   392   NtUserSystemParametersInfo  (104, 0, 1906151468, 0, ... ) == 0x1
 00627   392   NtUserGetDC  (0, ... ) == 0x1010050
 00628   392   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 00629   392   NtUserSystemParametersInfo  (38, 4, 1906153440, 0, ... ) == 0x1
 00630   392   NtUserSystemParametersInfo  (66, 12, 1238756, 0, ... ) == 0x1
 00631   392   NtOpenProcessToken  (-1, 0x8, ... 92, ) == 0x0
 00632   392   NtAccessCheck  (1393640, 92, 0x1, 1238160, 1238104, 56, 1238188, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 00633   392   NtClose  (92, ... ) == 0x0
 00634   392   NtOpenKey  (0x20019, {24, 84, 0x40, 0, 0,  (0x20019, {24, 84, 0x40, 0, 0, "Control Panel\Desktop"}, ... 92, ) }, ... 92, ) == 0x0
 00635   392   NtQueryValueKey  (92,  (92, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00636   392   NtClose  (92, ... ) == 0x0
 00637   392   NtUserSystemParametersInfo  (41, 500, 1238256, 0, ... ) == 0x1
 00638   392   NtAllocateVirtualMemory  (-1, 1396736, 0, 4096, 4096, 4, ... 1396736, 4096, ) == 0x0
 00639   392   NtOpenKey  (0x1, {24, 84, 0x40, 0, 0,  (0x1, {24, 84, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 92, ) }, ... 92, ) == 0x0
 00640   392   NtQueryValueKey  (92,  (92, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00641   392   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 80, ) }, ... 80, ) == 0x0
 00642   392   NtQueryValueKey  (80,  (80, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00643   392   NtClose  (80, ... ) == 0x0
 00644   392   NtClose  (92, ... ) == 0x0
 00645   392   NtUserSystemParametersInfo  (102, 0, 1906153328, 0, ... ) == 0x1
 00646   392   NtUserSystemParametersInfo  (4130, 0, 1238780, 0, ... ) == 0x1
 00647   392   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 92, ) }, ... 92, ) == 0x0
 00648   392   NtEnumerateValueKey  (92, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 00649   392   NtClose  (92, ... ) == 0x0
 00650   392   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00651   392   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc03b
 00652   392   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc03d
 00653   392   NtUserFindExistingCursorIcon  (1238060, 1238076, 1238644, ... ) == 0x10011
 00654   392   NtUserRegisterClassExWOW  (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810dc03f
 00655   392   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00656   392   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc041
 00657   392   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00658   392   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ...
 00659   392   NtAllocateVirtualMemory  (-1, 6062080, 0, 4096, 4096, 32, ... 6062080, 4096, ) == 0x0
 00658   392   NtUserRegisterClassExWOW  ... ) == 0x810dc043
 00660   392   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc045
 00661   392   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00662   392   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc047
 00663   392   NtUserFindExistingCursorIcon  (1238060, 1238076, 1238644, ... ) == 0x10011
 00664   392   NtUserRegisterClassExWOW  (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810dc049
 00665   392   NtUserGetClassInfo  (1905590272, 1238676, 1238628, 1238704, 0, ... ) == 0xc049
 00666   392   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00667   392   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc04b
 00668   392   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00669   392   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc04d
 00670   392   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00671   392   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc04f
 00672   392   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc051
 00673   392   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00674   392   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc053
 00675   392   NtUserFindExistingCursorIcon  (1238060, 1238076, 1238644, ... ) == 0x10011
 00676   392   NtUserRegisterClassExWOW  (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810dc055
 00677   392   NtUserRegisterClassExWOW  (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810dc057
 00678   392   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00679   392   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc059
 00680   392   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10013
 00681   392   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc05b
 00682   392   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00683   392   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc05d
 00684   392   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00685   392   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc05f
 00686   392   NtUserFindExistingCursorIcon  (1238060, 1238076, 1238644, ... ) == 0x10011
 00687   392   NtUserRegisterClassExWOW  (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810dc017
 00688   392   NtUserFindExistingCursorIcon  (1238060, 1238076, 1238644, ... ) == 0x10011
 00689   392   NtUserRegisterClassExWOW  (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810dc019
 00690   392   NtUserFindExistingCursorIcon  (1238060, 1238076, 1238644, ... ) == 0x10013
 00691   392   NtUserRegisterClassExWOW  (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810dc018
 00692   392   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00693   392   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc01a
 00694   392   NtUserFindExistingCursorIcon  (1238060, 1238076, 1238644, ... ) == 0x10011
 00695   392   NtUserRegisterClassExWOW  (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810dc01c
 00696   392   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00697   392   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc01e
 00698   392   NtUserFindExistingCursorIcon  (1238060, 1238076, 1238644, ... ) == 0x10011
 00699   392   NtUserRegisterClassExWOW  (1238572, 1238652, 1238636, 1238668, 0, 384, 0, ... ) == 0x810dc01b
 00700   392   NtUserFindExistingCursorIcon  (1238056, 1238072, 1238640, ... ) == 0x10011
 00701   392   NtUserRegisterClassExWOW  (1238568, 1238648, 1238632, 1238664, 0, 384, 0, ... ) == 0x810dc068
 00702   392   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00703   392   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc06a
 00704   392   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc03b
 00705   392   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc03d
 00706   392   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc03f
 00707   392   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc041
 00708   392   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc043
 00709   392   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc045
 00710   392   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc047
 00711   392   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc049
 00712   392   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc04b
 00713   392   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc04d
 00714   392   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc04f
 00715   392   NtUserGetClassInfo  (1999896576, 1241580, 1241532, 1241608, 0, ... ) == 0xc051
 00716   392   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc053
 00717   392   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc055
 00718   392   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc059
 00719   392   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc05b
 00720   392   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc05d
 00721   392   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc05f
 00722   392   NtUserRegisterWindowMessage  ( ("WOWLFChange", ... ) , ... ) == 0xc06b
 00723   392   NtUserRegisterWindowMessage  ( ("WOWDirChange", ... ) , ... ) == 0xc06c
 00724   392   NtUserRegisterWindowMessage  ( ("WOWCHOOSEFONT_GETLOGFONT", ... ) , ... ) == 0xc06d
 00725   392   NtUserRegisterWindowMessage  ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06e
 00726   392   NtUserRegisterWindowMessage  ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc06f
 00727   392   NtUserRegisterWindowMessage  ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc070
 00728   392   NtUserRegisterWindowMessage  ( ("commdlg_ColorOK", ... ) , ... ) == 0xc071
 00729   392   NtUserRegisterWindowMessage  ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc072
 00730   392   NtUserRegisterWindowMessage  ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06e
 00731   392   NtUserRegisterWindowMessage  ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc06f
 00732   392   NtUserRegisterWindowMessage  ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc070
 00733   392   NtUserRegisterWindowMessage  ( ("commdlg_ColorOK", ... ) , ... ) == 0xc071
 00734   392   NtUserRegisterWindowMessage  ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc072
 00735   392   NtUserRegisterWindowMessage  ( ("Shell IDList Array", ... ) , ... ) == 0xc073
 00736   392   NtUserRegisterWindowMessage  ( ("commdlg_help", ... ) , ... ) == 0xc074
 00737   392   NtUserRegisterWindowMessage  ( ("commdlg_help", ... ) , ... ) == 0xc074
 00738   392   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\MDAC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00739   392   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00740   392   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00741   392   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00742   392   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 9437184, 262144, ) == 0x0
 00743   392   NtAllocateVirtualMemory  (-1, 9437184, 0, 4096, 4096, 4, ... 9437184, 4096, ) == 0x0
 00744   392   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00745   392   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 9699328, 262144, ) == 0x0
 00746   392   NtAllocateVirtualMemory  (-1, 9699328, 0, 4096, 4096, 4, ... 9699328, 4096, ) == 0x0
 00747   392   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00748   392   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 9961472, 262144, ) == 0x0
 00749   392   NtAllocateVirtualMemory  (-1, 9961472, 0, 4096, 4096, 4, ... 9961472, 4096, ) == 0x0
 00750   392   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00751   392   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 10223616, 262144, ) == 0x0
 00752   392   NtAllocateVirtualMemory  (-1, 10223616, 0, 4096, 4096, 4, ... 10223616, 4096, ) == 0x0
 00753   392   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00754   392   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00755   392   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00756   392   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00757   392   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 1237456, ... ) }, 1237456, ... ) == 0x0
 00758   392   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 5, 96, ... 92, {status=0x0, info=1}, ) }, 5, 96, ... 92, {status=0x0, info=1}, ) == 0x0
 00759   392   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 92, ... 80, ) == 0x0
 00760   392   NtClose  (92, ... ) == 0x0
 00761   392   NtMapViewOfSection  (80, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa00000), 0x0, 90112, ) == 0x0
 00762   392   NtClose  (80, ... ) == 0x0
 00763   392   NtUnmapViewOfSection  (-1, 0xa00000, ... ) == 0x0
 00764   392   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 1237772, ... ) }, 1237772, ... ) == 0x0
 00765   392   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 5, 96, ... 80, {status=0x0, info=1}, ) }, 5, 96, ... 80, {status=0x0, info=1}, ) == 0x0
 00766   392   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 80, ... 92, ) == 0x0
 00767   392   NtQuerySection  (92, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00768   392   NtClose  (80, ... ) == 0x0
 00769   392   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x1f850000), 0x0, 90112, ) == 0x0
 00770   392   NtClose  (92, ... ) == 0x0
 00771   392   NtQueryDefaultLocale  (1, 1239460, ... ) == 0x0
 00772   392   NtAllocateVirtualMemory  (-1, 9441280, 0, 4096, 4096, 4, ... 9441280, 4096, ) == 0x0
 00773   392   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE"}, ... 92, ) }, ... 92, ) == 0x0
 00774   392   NtClose  (92, ... ) == 0x0
 00775   392   NtOpenKey  (0x20019, {24, 84, 0x40, 0, 0,  (0x20019, {24, 84, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00776   392   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00777   392   NtOpenKey  (0x20019, {24, 84, 0x40, 0, 0,  (0x20019, {24, 84, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00778   392   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00779   392   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WININET.dll"}, ... 92, ) }, ... 92, ) == 0x0
 00780   392   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76200000), 0x0, 618496, ) == 0x0
 00781   392   NtClose  (92, ... ) == 0x0
 00782   392   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "CRYPT32.dll"}, ... 92, ) }, ... 92, ) == 0x0
 00783   392   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762c0000), 0x0, 565248, ) == 0x0
 00784   392   NtClose  (92, ... ) == 0x0
 00785   392   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSASN1.dll"}, ... 92, ) }, ... 92, ) == 0x0
 00786   392   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762a0000), 0x0, 61440, ) == 0x0
 00787   392   NtClose  (92, ... ) == 0x0
 00788   392   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLEAUT32.dll"}, ... 92, ) }, ... 92, ) == 0x0
 00789   392   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0
 00790   392   NtClose  (92, ... ) == 0x0
 00791   392   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLE32.DLL"}, ... 92, ) }, ... 92, ) == 0x0
 00792   392   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0
 00793   392   NtClose  (92, ... ) == 0x0
 00794   392   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\crypt32\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00795   392   NtAllocateVirtualMemory  (-1, 1400832, 0, 4096, 4096, 4, ... 1400832, 4096, ) == 0x0
 00796   392   NtAllocateVirtualMemory  (-1, 1404928, 0, 4096, 4096, 4, ... 1404928, 4096, ) == 0x0
 00797   392   NtAllocateVirtualMemory  (-1, 1409024, 0, 4096, 4096, 4, ... 1409024, 4096, ) == 0x0
 00798   392   NtCreateEvent  (0x1f0003, {24, 52, 0x80, 1241616, 0,  (0x1f0003, {24, 52, 0x80, 1241616, 0, "Global\crypt32LogoffEvent"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED
 00799   392   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\crypt32LogoffEvent"}, ... 92, ) }, ... 92, ) == 0x0
 00800   392   NtAllocateVirtualMemory  (-1, 1413120, 0, 4096, 4096, 4, ... 1413120, 4096, ) == 0x0
 00801   392   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00802   392   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00803   392   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 80, ) }, ... 80, ) == 0x0
 00804   392   NtQueryValueKey  (80,  (80, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0
 00805   392   NtClose  (80, ... ) == 0x0
 00806   392   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00807   392   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00808   392   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00809   392   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00810   392   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 80, ) }, ... 80, ) == 0x0
 00811   392   NtQueryValueKey  (80,  (80, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00812   392   NtQueryValueKey  (80,  (80, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00813   392   NtQueryValueKey  (80,  (80, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00814   392   NtClose  (80, ... ) == 0x0
 00815   392   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 80, ) }, ... 80, ) == 0x0
 00816   392   NtQueryValueKey  (80,  (80, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00817   392   NtQueryValueKey  (80,  (80, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00818   392   NtClose  (80, ... ) == 0x0
 00819   392   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00820   392   NtUserRegisterWindowMessage  ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b
 00821   392   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00822   392   NtOpenKey  (0x9, {24, 28, 0x40, 0, 0,  (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00823   392   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00824   392   NtAllocateVirtualMemory  (-1, 1417216, 0, 8192, 4096, 4, ... 1417216, 8192, ) == 0x0
 00825   392   NtCreateKey  (0xf003f, {24, 84, 0x40, 0, 0,  (0xf003f, {24, 84, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History"}, 0, 0x0, 0, ... 80, 2, ) }, 0, 0x0, 0, ... 80, 2, ) == 0x0
 00826   392   NtQueryDefaultUILanguage  (1239852, ...
 00827   392   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00828   392   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 00829   392   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00830   392   NtClose  (-2147482020, ... ) == 0x0
 00831   392   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00832   392   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00833   392   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00834   392   NtQueryValueKey  (-2147482032,  (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00835   392   NtClose  (-2147482032, ... ) == 0x0
 00836   392   NtClose  (-2147482020, ... ) == 0x0
 00826   392   NtQueryDefaultUILanguage  ... ) == 0x0
 00837   392   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00838   392   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll"}, 1, 96, ... 96, {status=0x0, info=1}, ) }, 1, 96, ... 96, {status=0x0, info=1}, ) == 0x0
 00839   392   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 96, ... 100, ) == 0x0
 00840   392   NtMapViewOfSection  (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xa00000), 0x0, 593920, ) == 0x0
 00841   392   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00842   392   NtQueryDefaultLocale  (1, 1237888, ... ) == 0x0
 00843   392   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00844   392   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1238744, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1238744, 1, 96, 0} "\210\6\26\1\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\26\1`\0\0\0\377\377\377\377\0\0\0\0P\275\247\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\26\1\0\0\0\0\0\0\0\0\330\355\22\0\0\0\0\0" ... {128, 156, reply, 0, 384, 392, 1515, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\26\1`\0\0\0\377\377\377\377\0\0\0\0P\275\247\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\26\1\0\0\0\0\0\0\0\0\330\355\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 384, 392, 1515, 0}  (24, {128, 156, new_msg, 0, 1238744, 1, 96, 0} "\210\6\26\1\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\26\1`\0\0\0\377\377\377\377\0\0\0\0P\275\247\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\26\1\0\0\0\0\0\0\0\0\330\355\22\0\0\0\0\0" ... {128, 156, reply, 0, 384, 392, 1515, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\26\1`\0\0\0\377\377\377\377\0\0\0\0P\275\247\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\26\1\0\0\0\0\0\0\0\0\330\355\22\0\0\0\0\0" )  ) == 0x0
 00845   392   NtClose  (96, ... ) == 0x0
 00846   392   NtClose  (100, ... ) == 0x0
 00847   392   NtUnmapViewOfSection  (-1, 0xa00000, ... ) == 0x0
 00848   392   NtUnmapViewOfSection  (-1, 0x12edd8, ... ) == STATUS_NOT_MAPPED_VIEW
 00849   392   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00850   392   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00851   392   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00852   392   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00853   392   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1236428, ... ) }, 1236428, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00854   392   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00855   392   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00856   392   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00857   392   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1237020, ... ) }, 1237020, ... ) == 0x0
 00858   392   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 100, {status=0x0, info=1}, ) }, 3, 33, ... 100, {status=0x0, info=1}, ) == 0x0
 00859   392   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00860   392   NtCreateKey  (0x2001f, {24, 84, 0x40, 0, 0,  (0x2001f, {24, 84, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 96, 2, ) }, 0, 0x0, 0, ... 96, 2, ) == 0x0
 00861   392   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00862   392   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1241484, ... ) }, 1241484, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00863   392   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2_32.dll"}, 1241484, ... ) }, 1241484, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00864   392   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 1241484, ... ) }, 1241484, ... ) == 0x0
 00865   392   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0
 00866   392   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 104, ... 108, ) == 0x0
 00867   392   NtQuerySection  (108, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00868   392   NtClose  (104, ... ) == 0x0
 00869   392   NtMapViewOfSection  (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 86016, ) == 0x0
 00870   392   NtClose  (108, ... ) == 0x0
 00871   392   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00872   392   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1240680, ... ) }, 1240680, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00873   392   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2HELP.dll"}, 1240680, ... ) }, 1240680, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00874   392   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 1240680, ... ) }, 1240680, ... ) == 0x0
 00875   392   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 5, 96, ... 108, {status=0x0, info=1}, ) }, 5, 96, ... 108, {status=0x0, info=1}, ) == 0x0
 00876   392   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 108, ... 104, ) == 0x0
 00877   392   NtQuerySection  (104, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00878   392   NtClose  (108, ... ) == 0x0
 00879   392   NtMapViewOfSection  (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00880   392   NtClose  (104, ... ) == 0x0
 00881   392   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00882   392   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00883   392   NtTestAlert  (... ) == 0x0
 00884   392   NtContinue  (1244464, 1, ...
 00885   392   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x48e226,}, 4, ... ) == 0x0
 00886   392   NtQueryPerformanceCounter  (... {115420083, 0}, {3579545, 0}, ) == 0x0
 00887   392   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00888   392   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 10485760, 65536, ) == 0x0
 00889   392   NtAllocateVirtualMemory  (-1, 10485760, 0, 4096, 4096, 4, ... 10485760, 4096, ) == 0x0
 00890   392   NtAllocateVirtualMemory  (-1, 10489856, 0, 8192, 4096, 4, ... 10489856, 8192, ) == 0x0
 00891   392   NtAllocateVirtualMemory  (-1, 10498048, 0, 4096, 4096, 4, ... 10498048, 4096, ) == 0x0
 00892   392   NtAllocateVirtualMemory  (-1, 10502144, 0, 4096, 4096, 4, ... 10502144, 4096, ) == 0x0
 00893   392   NtAllocateVirtualMemory  (-1, 0, 0, 6, 12288, 64, ... 10551296, 4096, ) == 0x0
 00894   392   NtProtectVirtualMemory  (-1, (0xa10000), 6, 64, ...
 00895   392   NtContinue  (-136478932, 0, ...
 00894   392   NtProtectVirtualMemory  ... ) == STATUS_ACCESS_VIOLATION
 00896   392   NtFreeVirtualMemory  (-1, (0xa10000), 0, 32768, ... (0xa10000), 4096, ) == 0x0
 00897   392   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1241932,  (0x80100080, {24, 0, 0x40, 0, 1241932, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 104, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 104, {status=0x0, info=1}, ) == 0x0
 00898   392   NtQueryInformationFile  (104, 1242868, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0
 00899   392   NtQueryInformationFile  (104, 1242840, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00900   392   NtQueryInformationFile  (104, 1242792, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00901   392   NtAllocateVirtualMemory  (-1, 1425408, 0, 8192, 4096, 4, ... 1425408, 8192, ) == 0x0
 00902   392   NtQueryInformationFile  (104, 1422952, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0
 00903   392   NtQueryInformationFile  (104, 1241336, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00904   392   NtQueryInformationFile  (104, 1241180, 4, Ea, ... {status=0x0, info=4}, ) == 0x0
 00905   392   NtCreateFile  (0x40110080, {24, 0, 0x40, 0, 1241188,  (0x40110080, {24, 0, 0x40, 0, 1241188, "\??\C:\WINDOWS\System32\szsvc.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ...
 00906   392   NtClose  (-2147482032, ... ) == 0x0
 00905   392   NtCreateFile  ... 108, {status=0x0, info=2}, ) == 0x0
 00907   392   NtQueryVolumeInformationFile  (108, 1240560, 536, Attribute, ... {status=0x0, info=22}, ) == 0x0
 00908   392   NtQueryInformationFile  (108, 1240520, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00909   392   NtQueryVolumeInformationFile  (104, 1240560, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 00910   392   NtQueryVolumeInformationFile  (104, 1240244, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00911   392   NtSetInformationFile  (108, 1240348, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00912   392   NtCreateSection  (0xf001f, 0x0, 0x0, 2, 134217728, 104, ... 112, ) == 0x0
 00913   392   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xa10000), {0, 0}, 212992, ) == 0x0
 00914   392   NtClose  (112, ... ) == 0x0
 00915   392   NtWriteFile  (108, 0, 0, 0,  (108, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\370\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0V^\2517\22?\307d\22?\307d\22?\307d5\371\272d\11?\307d5\371\252d\234?\307d5\371\251d ?\307d\2217\232d\20?\307d\3210\232d\35?\307d\22?\306d\277?\307d5\371\265d\16?\307d5\371\277d\23?\307dRich\22?\307d\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\221G\273`\327[]\6\204\315\264*\213I\15\22PE\0\0L\1\10\0\16e\340E\0\0\0\0\0\0\0\0\340\0\3\1\13\1\10\0\0\320\1\0\0\300\0\0\0\0\0\0&\342\10\0\0\320\5\0\0\340\1\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\0\11\0\0\20\0\0S\4\4\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\320\5\0\20\1\0\0\0\240\3\0\260\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\321\5\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.tex", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 00916   392   NtWriteFile  (108, 0, 0, 0,  (108, 0, 0, 0, "\17\314\313\221\310E\307t\256\202\354\213\241r(c\300\361\2Zs\31633\247\326\212iaWk\20|_\211Vw\251Q\243\225\13\270Hj\27\364\24L\2"\20\272\230\4\254\31\343\300\32\350\352T"\330Rw\214\312\2JD\211h\225rz\10$\302-i\211x;\305\2\215D$\270K\260G5 \221\10\356\311\310\7\307\24$"\264q\7 \226\253\373?X\22C\246Mqr%\223!b\276\252\365M\5\370\15*jq\300\255\253e\256:\247\204\217\2\374\240\276\274\6\243E\118_R\27\231\234\316VtUc\253\251\234\24\21[\10\246Z\10\246.M\6\34-\221\271V\17EE\12n\323\305\255\306m\312\267\370`\243\217\274\335E\35u\25?\242\205\320\333\330k\277\24zR\327\372\337]\27!\212\5\216\13L8\355;^\267\250\367\242\366\26\340q&\27*q\324\232\210\206P\236\37R \346"\265*\360\276\342W\254FW\261\214\257E\314V\272Q\251\37\260\242\353\214\210\223\4\12V2\212p\366\350\3515\276wQ\305(wqO\272\335C\340\337\363bTb>I7\342S\361\327$uq=0\31Z\22\272B\213\324\260\311\250`1piGY\33\347\356`!\34y]\237,\222\241A\234,\240\312B\371\241M\263\257\351\271\4\362D\267cl\322\324\261\233j\270\37[\35\217\231\313\210\214/UqNv.\342)0LqIKq.\12\33\264\36M\306\313\11=\345W\340B\233\13,! \271\2QF\33\21\306*\23\300\224\232\331\37\331Qt\332\320\244\16)J\313\255:_\30\355\332\302\7\3\253\17\230\324\260\214H!U<\34*\6\22\307\33\203\320\1\323\244\303\224\371a\36m\26X\276*\5\306b\276\337\5\212\251\224`\370Pg\314\332\253\224E\252\1\224\257\265e", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) \20\272\230\4\254\31\343\300\32\350\352T (108, 0, 0, 0, "\17\314\313\221\310E\307t\256\202\354\213\241r(c\300\361\2Zs\31633\247\326\212iaWk\20|_\211Vw\251Q\243\225\13\270Hj\27\364\24L\2"\20\272\230\4\254\31\343\300\32\350\352T"\330Rw\214\312\2JD\211h\225rz\10$\302-i\211x;\305\2\215D$\270K\260G5 \221\10\356\311\310\7\307\24$"\264q\7 \226\253\373?X\22C\246Mqr%\223!b\276\252\365M\5\370\15*jq\300\255\253e\256:\247\204\217\2\374\240\276\274\6\243E\118_R\27\231\234\316VtUc\253\251\234\24\21[\10\246Z\10\246.M\6\34-\221\271V\17EE\12n\323\305\255\306m\312\267\370`\243\217\274\335E\35u\25?\242\205\320\333\330k\277\24zR\327\372\337]\27!\212\5\216\13L8\355;^\267\250\367\242\366\26\340q&\27*q\324\232\210\206P\236\37R \346"\265*\360\276\342W\254FW\261\214\257E\314V\272Q\251\37\260\242\353\214\210\223\4\12V2\212p\366\350\3515\276wQ\305(wqO\272\335C\340\337\363bTb>I7\342S\361\327$uq=0\31Z\22\272B\213\324\260\311\250`1piGY\33\347\356`!\34y]\237,\222\241A\234,\240\312B\371\241M\263\257\351\271\4\362D\267cl\322\324\261\233j\270\37[\35\217\231\313\210\214/UqNv.\342)0LqIKq.\12\33\264\36M\306\313\11=\345W\340B\233\13,! \271\2QF\33\21\306*\23\300\224\232\331\37\331Qt\332\320\244\16)J\313\255:_\30\355\332\302\7\3\253\17\230\324\260\214H!U<\34*\6\22\307\33\203\320\1\323\244\303\224\371a\36m\26X\276*\5\306b\276\337\5\212\251\224`\370Pg\314\332\253\224E\252\1\224\257\265e", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) \264q\7 \226\253\373?X\22C\246Mqr%\223!b\276\252\365M\5\370\15*jq\300\255\253e\256:\247\204\217\2\374\240\276\274\6\243E\118_R\27\231\234\316VtUc\253\251\234\24\21[\10\246Z\10\246.M\6\34-\221\271V\17EE\12n\323\305\255\306m\312\267\370`\243\217\274\335E\35u\25?\242\205\320\333\330k\277\24zR\327\372\337]\27!\212\5\216\13L8\355;^\267\250\367\242\366\26\340q&\27*q\324\232\210\206P\236\37R \346 (108, 0, 0, 0, "\17\314\313\221\310E\307t\256\202\354\213\241r(c\300\361\2Zs\31633\247\326\212iaWk\20|_\211Vw\251Q\243\225\13\270Hj\27\364\24L\2"\20\272\230\4\254\31\343\300\32\350\352T"\330Rw\214\312\2JD\211h\225rz\10$\302-i\211x;\305\2\215D$\270K\260G5 \221\10\356\311\310\7\307\24$"\264q\7 \226\253\373?X\22C\246Mqr%\223!b\276\252\365M\5\370\15*jq\300\255\253e\256:\247\204\217\2\374\240\276\274\6\243E\118_R\27\231\234\316VtUc\253\251\234\24\21[\10\246Z\10\246.M\6\34-\221\271V\17EE\12n\323\305\255\306m\312\267\370`\243\217\274\335E\35u\25?\242\205\320\333\330k\277\24zR\327\372\337]\27!\212\5\216\13L8\355;^\267\250\367\242\366\26\340q&\27*q\324\232\210\206P\236\37R \346"\265*\360\276\342W\254FW\261\214\257E\314V\272Q\251\37\260\242\353\214\210\223\4\12V2\212p\366\350\3515\276wQ\305(wqO\272\335C\340\337\363bTb>I7\342S\361\327$uq=0\31Z\22\272B\213\324\260\311\250`1piGY\33\347\356`!\34y]\237,\222\241A\234,\240\312B\371\241M\263\257\351\271\4\362D\267cl\322\324\261\233j\270\37[\35\217\231\313\210\214/UqNv.\342)0LqIKq.\12\33\264\36M\306\313\11=\345W\340B\233\13,! \271\2QF\33\21\306*\23\300\224\232\331\37\331Qt\332\320\244\16)J\313\255:_\30\355\332\302\7\3\253\17\230\324\260\214H!U<\34*\6\22\307\33\203\320\1\323\244\303\224\371a\36m\26X\276*\5\306b\276\337\5\212\251\224`\370Pg\314\332\253\224E\252\1\224\257\265e", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 00917   392   NtWriteFile  (108, 0, 0, 0,  (108, 0, 0, 0, "\215\350\230\246\224;\310\37\355x\253T\326.(G\340\314\250\12\3756\4\227\273\360/\231\3273_~\320I\361\317\3332c\342G~\234\36\3\301\31~ES\365\346\276h'\230\11\250"^\364i\307I\253\301z[\242\241FJ\230-\242\5\23C%N*=6w\222\24\363C\207F\354\214\342\212\376f)X\243\312S\245\6n{\354\302\242\234BtU\363\265L\214\336\276V\203c\33\205\250\313\312\5\347\27+\345&2\304\263\162\201-\364\304\272\310\22\252\21+d\316\244}\321\213\352\276R\227\342\35\26>r\335FZA\265\277\221J\271\254&\322\346Y\27-\277u\242\13\223\357\201\244\300O\261B\236\303\344\324\372\32\322e\317\236\3376\274\225\31\202\240\314\25\361\347\22\372\320\221\34\240vo\330]\301)y6r\243\277X\325\364\313p[5f;\32\365\201\205\226=\363\27V\242\374\246\311\304\237\108\251\205\16\317\264V\360\242\33~\230\335\13m\375\247\370*\360L\210v\252\310E\325\317\366\231\332\2V\26O1\253\7\356\14i@\304\21\215\242\275\353\256\234\247\217\255\24$\354\213G\320X\1S\354\216+&\356\263\263\320\240V\315\214\7\307\313u\2513\376\246!\334A\223\15\204'\344j\224\16\305\203\373\227\351z\352e\301\337yBC\231\203\276\340x\245\20\371\4ecoA+U\273Tz$\205\203\363\222Z\27\224_\327\301\17\177\353&\264\2121c\307\231\367\22M\12\325\207\341\23P\3\302\276\201\317\214\251\361\376\242\210wY\31@\224\371\322\6\252\312\253\212X\1o%et\361lDs\5\31\342d\241\334\354\253+W\37\345\353\17\255\216\342\203>\361\276{\340te\316\257\350\377\244\32\31\5\367\243m\334y0q\33\211r\321\305'\233\264\211W\216\324\337\12\317\370\341xh\37", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) ^\364i\307I\253\301z[\242\241FJ\230-\242\5\23C%N*=6w\222\24\363C\207F\354\214\342\212\376f)X\243\312S\245\6n{\354\302\242\234BtU\363\265L\214\336\276V\203c\33\205\250\313\312\5\347\27+\345&2\304\263\162\201-\364\304\272\310\22\252\21+d\316\244}\321\213\352\276R\227\342\35\26>r\335FZA\265\277\221J\271\254&\322\346Y\27-\277u\242\13\223\357\201\244\300O\261B\236\303\344\324\372\32\322e\317\236\3376\274\225\31\202\240\314\25\361\347\22\372\320\221\34\240vo\330]\301)y6r\243\277X\325\364\313p[5f;\32\365\201\205\226=\363\27V\242\374\246\311\304\237\108\251\205\16\317\264V\360\242\33~\230\335\13m\375\247\370*\360L\210v\252\310E\325\317\366\231\332\2V\26O1\253\7\356\14i@\304\21\215\242\275\353\256\234\247\217\255\24$\354\213G\320X\1S\354\216+&\356\263\263\320\240V\315\214\7\307\313u\2513\376\246!\334A\223\15\204'\344j\224\16\305\203\373\227\351z\352e\301\337yBC\231\203\276\340x\245\20\371\4ecoA+U\273Tz$\205\203\363\222Z\27\224_\327\301\17\177\353&\264\2121c\307\231\367\22M\12\325\207\341\23P\3\302\276\201\317\214\251\361\376\242\210wY\31@\224\371\322\6\252\312\253\212X\1o%et\361lDs\5\31\342d\241\334\354\253+W\37\345\353\17\255\216\342\203>\361\276{\340te\316\257\350\377\244\32\31\5\367\243m\334y0q\33\211r\321\305'\233\264\211W\216\324\337\12\317\370\341xh\37", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 00918   392   NtWriteFile  (108, 0, 0, 0,  (108, 0, 0, 0, "k\224F\255\305/\2664\353SF\265\26f\312\346^d"g->\350J\341\364\324\312\326\304M \33e\221\213\277\21\255h\357q\215\233\361Y+\s\255\351\205MB\345\11/\372\374\233\301\201!\364\275=T\354\240yV%\177\333:|\223\222\236P\11\222\302F\12\352Y\273\6J\225y\317_Z\3\276\304\314\206\320\365a\300\236^?R[\27,\364;]\306\340\217Fk\265\23111,E\201C\202\352\213m?\17\216\25\252\20\17\26\2\253\361\265\253\333\316D\17\205\201\311\212\363\233W\272\37\257i\372J\314d\2469m\332\12\216\15\14\246E}\345\200\222\246gT?\366\24\364\20\370`I\4vGOz\211<\17\235\301\276S\206\277\351\317\364\23&\221\273\277\330*C\373\333sX\15\227a\337\307\252\207\233K\1\305\370\350!\23\276\231\33`\30\221\374P\371k\362\21D\263KZ\3744TT\6n\217\14\321+\10\351;#\336\333GS\333;T\362\13\260\365\363C\304\304\337I+MXq\224~\2146:bgW\202\201ooj\356\24MY\231\311\271G\247\233:\232E\337\216\203\260\3713m\24\211\303\30\1\3F\321\224\345{\326\204\342\216\207\327`\321\233\240m\217\357\377\247\3555\16\371\274-\204\271{/R\31"\317\14\247M\3229dZ\15\314*i\12V\344\213\372\334\247\1z6\374\20V\302\346\24j\26*\226\27\275\241\34)Uh\332\15\347\325\252K\301\251\273\mU\0*x\326\244\10\371W\200I+\350\24^\272J\347JC=\5\211\211\332\3769\204>\214\36BYqe\0%\25\22x;\230RL?\353b\32\342\12:\25\347\302\1K\240\321j\205\316t\324\273\21\35M\237U{\347\210F9\2674\226\353\355\204\222\343\367!\216H\332+b\3368\312B", 26624, 0x0, 0, ... {status=0x0, info=26624}, ) g->\350J\341\364\324\312\326\304M \33e\221\213\277\21\255h\357q\215\233\361Y+\s\255\351\205MB\345\11/\372\374\233\301\201!\364\275=T\354\240yV%\177\333:|\223\222\236P\11\222\302F\12\352Y\273\6J\225y\317_Z\3\276\304\314\206\320\365a\300\236^?R[\27,\364;]\306\340\217Fk\265\23111,E\201C\202\352\213m?\17\216\25\252\20\17\26\2\253\361\265\253\333\316D\17\205\201\311\212\363\233W\272\37\257i\372J\314d\2469m\332\12\216\15\14\246E}\345\200\222\246gT?\366\24\364\20\370`I\4vGOz\211<\17\235\301\276S\206\277\351\317\364\23&\221\273\277\330*C\373\333sX\15\227a\337\307\252\207\233K\1\305\370\350!\23\276\231\33`\30\221\374P\371k\362\21D\263KZ\3744TT\6n\217\14\321+\10\351;#\336\333GS\333;T\362\13\260\365\363C\304\304\337I+MXq\224~\2146:bgW\202\201ooj\356\24MY\231\311\271G\247\233:\232E\337\216\203\260\3713m\24\211\303\30\1\3F\321\224\345{\326\204\342\216\207\327`\321\233\240m\217\357\377\247\3555\16\371\274-\204\271{/R\31 (108, 0, 0, 0, "k\224F\255\305/\2664\353SF\265\26f\312\346^d"g->\350J\341\364\324\312\326\304M \33e\221\213\277\21\255h\357q\215\233\361Y+\s\255\351\205MB\345\11/\372\374\233\301\201!\364\275=T\354\240yV%\177\333:|\223\222\236P\11\222\302F\12\352Y\273\6J\225y\317_Z\3\276\304\314\206\320\365a\300\236^?R[\27,\364;]\306\340\217Fk\265\23111,E\201C\202\352\213m?\17\216\25\252\20\17\26\2\253\361\265\253\333\316D\17\205\201\311\212\363\233W\272\37\257i\372J\314d\2469m\332\12\216\15\14\246E}\345\200\222\246gT?\366\24\364\20\370`I\4vGOz\211<\17\235\301\276S\206\277\351\317\364\23&\221\273\277\330*C\373\333sX\15\227a\337\307\252\207\233K\1\305\370\350!\23\276\231\33`\30\221\374P\371k\362\21D\263KZ\3744TT\6n\217\14\321+\10\351;#\336\333GS\333;T\362\13\260\365\363C\304\304\337I+MXq\224~\2146:bgW\202\201ooj\356\24MY\231\311\271G\247\233:\232E\337\216\203\260\3713m\24\211\303\30\1\3F\321\224\345{\326\204\342\216\207\327`\321\233\240m\217\357\377\247\3555\16\371\274-\204\271{/R\31"\317\14\247M\3229dZ\15\314*i\12V\344\213\372\334\247\1z6\374\20V\302\346\24j\26*\226\27\275\241\34)Uh\332\15\347\325\252K\301\251\273\mU\0*x\326\244\10\371W\200I+\350\24^\272J\347JC=\5\211\211\332\3769\204>\214\36BYqe\0%\25\22x;\230RL?\353b\32\342\12:\25\347\302\1K\240\321j\205\316t\324\273\21\35M\237U{\347\210F9\2674\226\353\355\204\222\343\367!\216H\332+b\3368\312B", 26624, 0x0, 0, ... {status=0x0, info=26624}, ) , 26624, 0x0, 0, ... {status=0x0, info=26624}, ) == 0x0
 00919   392   NtUnmapViewOfSection  (-1, 0xa10000, ... ) == 0x0
 00920   392   NtSetInformationFile  (108, 1242792, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 00921   392   NtClose  (104, ... ) == 0x0
 00922   392   NtClose  (108, ... ) == 0x0
 00923   392   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 00924   392   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\szsvc.exe"}, 1239084, ... ) }, 1239084, ... ) == 0x0
 00925   392   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\szsvc.exe"}, 1239776, ... ) }, 1239776, ... ) == 0x0
 00926   392   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\szsvc.exe"}, 5, 96, ... 108, {status=0x0, info=1}, ) }, 5, 96, ... 108, {status=0x0, info=1}, ) == 0x0
 00927   392   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 108, ... 104, ) == 0x0
 00928   392   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00929   392   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 112, ) }, ... 112, ) == 0x0
 00930   392   NtQueryValueKey  (112,  (112, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00931   392   NtClose  (112, ... ) == 0x0
 00932   392   NtQueryVolumeInformationFile  (108, 1239084, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00933   392   NtOpenMutant  (0x120001, {24, 52, 0x0, 0, 0,  (0x120001, {24, 52, 0x0, 0, 0, "ShimCacheMutex"}, ... 112, ) }, ... 112, ) == 0x0
 00934   392   NtWaitForSingleObject  (112, 0, {-1000000, -1}, ... ) == 0x0
 00935   392   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "ShimSharedMemory"}, ... 116, ) }, ... 116, ) == 0x0
 00936   392   NtMapViewOfSection  (116, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa10000), {0, 0}, 57344, ) == 0x0
 00937   392   NtReleaseMutant  (112, ... 0x0, ) == 0x0
 00938   392   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1237068, ... ) }, 1237068, ... ) == 0x0
 00939   392   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 120, {status=0x0, info=1}, ) }, 5, 96, ... 120, {status=0x0, info=1}, ) == 0x0
 00940   392   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 120, ... 124, ) == 0x0
 00941   392   NtClose  (120, ... ) == 0x0
 00942   392   NtMapViewOfSection  (124, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa20000), 0x0, 106496, ) == 0x0
 00943   392   NtClose  (124, ... ) == 0x0
 00944   392   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 00945   392   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1237384, ... ) }, 1237384, ... ) == 0x0
 00946   392   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 124, {status=0x0, info=1}, ) }, 5, 96, ... 124, {status=0x0, info=1}, ) == 0x0
 00947   392   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 124, ... 120, ) == 0x0
 00948   392   NtQuerySection  (120, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00949   392   NtClose  (124, ... ) == 0x0
 00950   392   NtMapViewOfSection  (120, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f40000), 0x0, 118784, ) == 0x0
 00951   392   NtClose  (120, ... ) == 0x0
 00952   392   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 120, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 120, {status=0x0, info=1}, ) == 0x0
 00953   392   NtQueryInformationFile  (120, 1237672, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00954   392   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 120, ... 124, ) == 0x0
 00955   392   NtMapViewOfSection  (124, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xa20000), 0x0, 1028096, ) == 0x0
 00956   392   NtQueryInformationFile  (120, 1237768, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00957   392   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00958   392   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00959   392   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 00960   392   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 128, {status=0x0, info=1}, ) }, 3, 16417, ... 128, {status=0x0, info=1}, ) == 0x0
 00961   392   NtQueryDirectoryFile  (128, 0, 0, 0, 1235332, 616, BothDirectory, 1,  (128, 0, 0, 0, 1235332, 616, BothDirectory, 1, "szsvc.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 00962   392   NtClose  (128, ... ) == 0x0
 00963   392   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00964   392   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00965   392   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\szsvc.exe"}, 1234720, ... ) }, 1234720, ... ) == 0x0
 00966   392   NtAllocateVirtualMemory  (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0
 00967   392   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 128, {status=0x0, info=1}, ) }, 3, 16417, ... 128, {status=0x0, info=1}, ) == 0x0
 00968   392   NtQueryDirectoryFile  (128, 0, 0, 0, 1234080, 616, BothDirectory, 1,  (128, 0, 0, 0, 1234080, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 00969   392   NtClose  (128, ... ) == 0x0
 00970   392   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 128, {status=0x0, info=1}, ) }, 3, 16417, ... 128, {status=0x0, info=1}, ) == 0x0
 00971   392   NtQueryDirectoryFile  (128, 0, 0, 0, 1234080, 616, BothDirectory, 1,  (128, 0, 0, 0, 1234080, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 00972   392   NtClose  (128, ... ) == 0x0
 00973   392   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 128, {status=0x0, info=1}, ) }, 3, 16417, ... 128, {status=0x0, info=1}, ) == 0x0
 00974   392   NtQueryDirectoryFile  (128, 0, 0, 0, 1234080, 616, BothDirectory, 1,  (128, 0, 0, 0, 1234080, 616, BothDirectory, 1, "szsvc.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 00975   392   NtClose  (128, ... ) == 0x0
 00976   392   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00977   392   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00978   392   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 00979   392   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00980   392   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 128, ) == 0x0
 00981   392   NtQueryInformationToken  (128, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00982   392   NtClose  (128, ... ) == 0x0
 00983   392   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00984   392   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\szsvc.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00985   392   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00986   392   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00987   392   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\szsvc.exe"}, 1237000, ... ) }, 1237000, ... ) == 0x0
 00988   392   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 128, {status=0x0, info=1}, ) }, 3, 16417, ... 128, {status=0x0, info=1}, ) == 0x0
 00989   392   NtQueryDirectoryFile  (128, 0, 0, 0, 1236360, 616, BothDirectory, 1,  (128, 0, 0, 0, 1236360, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 00990   392   NtClose  (128, ... ) == 0x0
 00991   392   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 128, {status=0x0, info=1}, ) }, 3, 16417, ... 128, {status=0x0, info=1}, ) == 0x0
 00992   392   NtQueryDirectoryFile  (128, 0, 0, 0, 1236360, 616, BothDirectory, 1,  (128, 0, 0, 0, 1236360, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 00993   392   NtClose  (128, ... ) == 0x0
 00994   392   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 128, {status=0x0, info=1}, ) }, 3, 16417, ... 128, {status=0x0, info=1}, ) == 0x0
 00995   392   NtQueryDirectoryFile  (128, 0, 0, 0, 1236360, 616, BothDirectory, 1,  (128, 0, 0, 0, 1236360, 616, BothDirectory, 1, "szsvc.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 00996   392   NtClose  (128, ... ) == 0x0
 00997   392   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00998   392   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00999   392   NtWaitForSingleObject  (112, 0, {-1000000, -1}, ... ) == 0x0
 01000   392   NtQueryVolumeInformationFile  (108, 1237644, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01001   392   NtQueryInformationFile  (108, 1237624, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01002   392   NtQueryInformationFile  (108, 1237664, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01003   392   NtReleaseMutant  (112, ... 0x0, ) == 0x0
 01004   392   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 01005   392   NtClose  (124, ... ) == 0x0
 01006   392   NtClose  (120, ... ) == 0x0
 01007   392   NtQuerySection  (104, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01008   392   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\szsvc.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01009   392   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 01010   392   NtOpenProcessToken  (-1, 0xa, ... 120, ) == 0x0
 01011   392   NtQueryInformationToken  (120, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 01012   392   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01013   392   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 124, ) }, ... 124, ) == 0x0
 01014   392   NtQueryValueKey  (124,  (124, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (124, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01015   392   NtQueryValueKey  (124,  (124, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (124, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01016   392   NtClose  (124, ... ) == 0x0
 01017   392   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 124, ) }, ... 124, ) == 0x0
 01018   392   NtQueryValueKey  (124,  (124, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 01019   392   NtQueryValueKey  (124,  (124, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (124, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0
 01020   392   NtClose  (124, ... ) == 0x0
 01021   392   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\LevelObjects"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01022   392   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 124, ) }, ... 124, ) == 0x0
 01023   392   NtQueryValueKey  (124,  (124, "Levels", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01024   392   NtClose  (124, ... ) == 0x0
 01025   392   NtQueryDefaultLocale  (1, 1238456, ... ) == 0x0
 01026   392   NtQueryDefaultLocale  (1, 1238456, ... ) == 0x0
 01027   392   NtQueryDefaultLocale  (1, 1238456, ... ) == 0x0
 01028   392   NtQueryDefaultLocale  (1, 1238456, ... ) == 0x0
 01029   392   NtQueryDefaultLocale  (1, 1238456, ... ) == 0x0
 01030   392   NtQueryDefaultLocale  (1, 1238456, ... ) == 0x0
 01031   392   NtQueryDefaultLocale  (1, 1238456, ... ) == 0x0
 01032   392   NtQueryDefaultLocale  (1, 1238456, ... ) == 0x0
 01033   392   NtQueryDefaultLocale  (1, 1238456, ... ) == 0x0
 01034   392   NtQueryDefaultLocale  (1, 1238456, ... ) == 0x0
 01035   392   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... 124, ) }, ... 124, ) == 0x0
 01036   392   NtEnumerateKey  (124, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name= (124, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name="{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, 92, ) }, 92, ) == 0x0
 01037   392   NtOpenKey  (0x20019, {24, 124, 0x40, 0, 0,  (0x20019, {24, 124, 0x40, 0, 0, "{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, ... 128, ) }, ... 128, ) == 0x0
 01038   392   NtQueryValueKey  (128,  (128, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) , Partial, 280, ... TitleIdx=0, Type=2, Data= (128, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) }, 202, ) == 0x0
 01039   392   NtQueryValueKey  (128,  (128, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (128, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01040   392   NtClose  (128, ... ) == 0x0
 01041   392   NtEnumerateKey  (124, 1, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES
 01042   392   NtClose  (124, ... ) == 0x0
 01043   392   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01044   392   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01045   392   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01046   392   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01047   392   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01048   392   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01049   392   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01050   392   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01051   392   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01052   392   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01053   392   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01054   392   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01055   392   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01056   392   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01057   392   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01058   392   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 124, ) == 0x0
 01059   392   NtQueryInformationToken  (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01060   392   NtClose  (124, ... ) == 0x0
 01061   392   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01062   392   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01063   392   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 124, ) == 0x0
 01064   392   NtQueryInformationToken  (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01065   392   NtClose  (124, ... ) == 0x0
 01066   392   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01067   392   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01068   392   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 124, ) == 0x0
 01069   392   NtQueryInformationToken  (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01070   392   NtClose  (124, ... ) == 0x0
 01071   392   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01072   392   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01073   392   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 124, ) == 0x0
 01074   392   NtQueryInformationToken  (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01075   392   NtClose  (124, ... ) == 0x0
 01076   392   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01077   392   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01078   392   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 124, ) == 0x0
 01079   392   NtQueryInformationToken  (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01080   392   NtClose  (124, ... ) == 0x0
 01081   392   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01082   392   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01083   392   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 124, ) == 0x0
 01084   392   NtQueryInformationToken  (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01085   392   NtClose  (124, ... ) == 0x0
 01086   392   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01087   392   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01088   392   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 124, ) == 0x0
 01089   392   NtQueryInformationToken  (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01090   392   NtClose  (124, ... ) == 0x0
 01091   392   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01092   392   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01093   392   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 124, ) == 0x0
 01094   392   NtQueryInformationToken  (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01095   392   NtClose  (124, ... ) == 0x0
 01096   392   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01097   392   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01098   392   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 124, ) == 0x0
 01099   392   NtQueryInformationToken  (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01100   392   NtClose  (124, ... ) == 0x0
 01101   392   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01102   392   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01103   392   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 124, ) == 0x0
 01104   392   NtQueryInformationToken  (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01105   392   NtClose  (124, ... ) == 0x0
 01106   392   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01107   392   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01108   392   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 124, ) == 0x0
 01109   392   NtQueryInformationToken  (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01110   392   NtClose  (124, ... ) == 0x0
 01111   392   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01112   392   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01113   392   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 124, ) == 0x0
 01114   392   NtQueryInformationToken  (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01115   392   NtClose  (124, ... ) == 0x0
 01116   392   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01117   392   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01118   392   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 124, ) == 0x0
 01119   392   NtQueryInformationToken  (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01120   392   NtClose  (124, ... ) == 0x0
 01121   392   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01122   392   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01123   392   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 124, ) == 0x0
 01124   392   NtQueryInformationToken  (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01125   392   NtClose  (124, ... ) == 0x0
 01126   392   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01127   392   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01128   392   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 124, ) == 0x0
 01129   392   NtQueryInformationToken  (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01130   392   NtClose  (124, ... ) == 0x0
 01131   392   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01132   392   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 124, ) }, ... 124, ) == 0x0
 01133   392   NtQueryValueKey  (124,  (124, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (124, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Data= (124, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) }, 48, ) == 0x0
 01134   392   NtClose  (124, ... ) == 0x0
 01135   392   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01136   392   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 124, ) == 0x0
 01137   392   NtQueryInformationToken  (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01138   392   NtClose  (124, ... ) == 0x0
 01139   392   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01140   392   NtOpenThreadToken  (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN
 01141   392   NtOpenProcessToken  (-1, 0xa, ... 124, ) == 0x0
 01142   392   NtDuplicateToken  (124, 0xc, {24, 0, 0x0, 0, 1238976, 0x0}, 0, 2, ... 128, ) == 0x0
 01143   392   NtClose  (124, ... ) == 0x0
 01144   392   NtAccessCheck  (1430784, 128, 0x1, 1239104, 1239048, 56, 1239132, ... (0x1), ) == 0x0
 01145   392   NtClose  (128, ... ) == 0x0
 01146   392   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 128, ) }, ... 128, ) == 0x0
 01147   392   NtQueryValueKey  (128,  (128, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (128, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01148   392   NtClose  (128, ... ) == 0x0
 01149   392   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 128, ) }, ... 128, ) == 0x0
 01150   392   NtQuerySymbolicLinkObject  (128, ...  (128, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0
 01151   392   NtClose  (128, ... ) == 0x0
 01152   392   NtQueryInformationFile  (108, 1237436, 528, Name, ... {status=0x0, info=58}, ) == 0x0
 01153   392   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01154   392   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01155   392   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\szsvc.exe"}, 1236116, ... ) }, 1236116, ... ) == 0x0
 01156   392   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 128, {status=0x0, info=1}, ) }, 3, 16417, ... 128, {status=0x0, info=1}, ) == 0x0
 01157   392   NtQueryDirectoryFile  (128, 0, 0, 0, 1235476, 616, BothDirectory, 1,  (128, 0, 0, 0, 1235476, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01158   392   NtClose  (128, ... ) == 0x0
 01159   392   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 128, {status=0x0, info=1}, ) }, 3, 16417, ... 128, {status=0x0, info=1}, ) == 0x0
 01160   392   NtQueryDirectoryFile  (128, 0, 0, 0, 1235476, 616, BothDirectory, 1,  (128, 0, 0, 0, 1235476, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01161   392   NtClose  (128, ... ) == 0x0
 01162   392   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 128, {status=0x0, info=1}, ) }, 3, 16417, ... 128, {status=0x0, info=1}, ) == 0x0
 01163   392   NtQueryDirectoryFile  (128, 0, 0, 0, 1235476, 616, BothDirectory, 1,  (128, 0, 0, 0, 1235476, 616, BothDirectory, 1, "szsvc.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 01164   392   NtClose  (128, ... ) == 0x0
 01165   392   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01166   392   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01167   392   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01168   392   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 128, ) == 0x0
 01169   392   NtQueryInformationToken  (128, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01170   392   NtClose  (128, ... ) == 0x0
 01171   392   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 128, ) }, ... 128, ) == 0x0
 01172   392   NtOpenKey  (0x20019, {24, 128, 0x40, 0, 0,  (0x20019, {24, 128, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 124, ) }, ... 124, ) == 0x0
 01173   392   NtClose  (128, ... ) == 0x0
 01174   392   NtQueryValueKey  (124,  (124, "Cache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01175   392   NtQueryValueKey  (124,  (124, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=1, Data= (124, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) }, 162, ) == 0x0
 01176   392   NtClose  (124, ... ) == 0x0
 01177   392   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 8192, 4, ... 10616832, 4096, ) == 0x0
 01178   392   NtAllocateVirtualMemory  (-1, 10616832, 0, 4096, 4096, 4, ... 10616832, 4096, ) == 0x0
 01179   392   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 124, ) }, ... 124, ) == 0x0
 01180   392   NtQueryValueKey  (124,  (124, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01181   392   NtClose  (124, ... ) == 0x0
 01182   392   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01183   392   NtQueryInformationToken  (120, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0
 01184   392   NtQueryInformationToken  (120, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0
 01185   392   NtClose  (120, ... ) == 0x0
 01186   392   NtCreateProcessEx  (1241712, 2035711, 0, -1, 0, 104, 0, 0, 0, ... ) == 0x0
 01187   392   NtSetInformationProcess  (120, PriorityClass, {process info, class 18, size 2}, 83886592, ... ) == 0x0
 01188   392   NtQueryInformationProcess  (120, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=676,ParentPid=384,}, 0x0, ) == 0x0
 01189   392   NtReadVirtualMemory  (120, 0x7ffdf008, 4, ...  (120, 0x7ffdf008, 4, ... "\0\0@\0", 0x0, ) , 0x0, ) == 0x0
 01190   392   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\szsvc.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01191   392   NtAllocateVirtualMemory  (-1, 1433600, 0, 8192, 4096, 4, ... 1433600, 8192, ) == 0x0
 01192   392   NtReadVirtualMemory  (120, 0x400000, 4096, ...  (120, 0x400000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\370\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0V^\2517\22?\307d\22?\307d\22?\307d5\371\272d\11?\307d5\371\252d\234?\307d5\371\251d ?\307d\2217\232d\20?\307d\3210\232d\35?\307d\22?\306d\277?\307d5\371\265d\16?\307d5\371\277d\23?\307dRich\22?\307d\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\221G\273`\327[]\6\204\315\264*\213I\15\22PE\0\0L\1\10\0\16e\340E\0\0\0\0\0\0\0\0\340\0\3\1\13\1\10\0\0\320\1\0\0\300\0\0\0\0\0\0&\342\10\0\0\320\5\0\0\340\1\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\0\11\0\0\20\0\0S\4\4\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\320\5\0\20\1\0\0\0\240\3\0\260\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\321\5\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.tex", 4096, ) , 4096, ) == 0x0
 01193   392   NtReadVirtualMemory  (120, 0x43a000, 256, ...  (120, 0x43a000, 256, ... "\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\30\0\0\0\30\0\0\200\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\1\0\0\00\0\0\200\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\11\4\0\0H\0\0\0X\240\3\0V\0\0\0\344\4\0\0\0\0\0\0\15\12PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING", 256, ) urn:schemas-microsoft-com:asm.v1 (120, 0x43a000, 256, ... "\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\30\0\0\0\30\0\0\200\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\1\0\0\00\0\0\200\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\11\4\0\0H\0\0\0X\240\3\0V\0\0\0\344\4\0\0\0\0\0\0\15\12PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING", 256, ) 1.0 (120, 0x43a000, 256, ... "\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\30\0\0\0\30\0\0\200\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\1\0\0\00\0\0\200\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\11\4\0\0H\0\0\0X\240\3\0V\0\0\0\344\4\0\0\0\0\0\0\15\12PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING", 256, ) , 256, ) == 0x0
 01194   392   NtReadVirtualMemory  (120, 0x43a018, 24, ...  (120, 0x43a018, 24, ... "\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\1\0\0\00\0\0\200", 24, ) , 24, ) == 0x0
 01195   392   NtReadVirtualMemory  (120, 0x43a030, 24, ...  (120, 0x43a030, 24, ... "\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\11\4\0\0H\0\0\0", 24, ) , 24, ) == 0x0
 01196   392   NtReadVirtualMemory  (120, 0x43a048, 16, ...  (120, 0x43a048, 16, ... "X\240\3\0V\0\0\0\344\4\0\0\0\0\0\0", 16, ) , 16, ) == 0x0
 01197   392   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\szsvc.exe.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01198   392   NtQueryInformationProcess  (120, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=676,ParentPid=384,}, 0x0, ) == 0x0
 01199   392   NtAllocateVirtualMemory  (-1, 0, 0, 1708, 4096, 4, ... 10682368, 4096, ) == 0x0
 01200   392   NtAllocateVirtualMemory  (120, 0, 0, 1910, 4096, 4, ... 65536, 4096, ) == 0x0
 01201   392   NtWriteVirtualMemory  (120, 0x10000,  (120, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0
 01202   392   NtAllocateVirtualMemory  (120, 0, 0, 1708, 4096, 4, ... 131072, 4096, ) == 0x0
 01203   392   NtWriteVirtualMemory  (120, 0x20000,  (120, 0x20000, "\0\20\0\0\254\6\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0\10\2\220\2\0\0\0\0\0\0\374\0\376\0\230\4\0\0:\0<\0\230\5\0\0t\0v\0\324\5\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0:\0<\0L\6\0\0\36\0 \0\210\6\0\0\0\0\2\0\250\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1708, ... 0x0, ) , 1708, ... 0x0, ) == 0x0
 01204   392   NtWriteVirtualMemory  (120, 0x7ffdf010,  (120, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 01205   392   NtWriteVirtualMemory  (120, 0x7ffdf1e8,  (120, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 01206   392   NtFreeVirtualMemory  (-1, (0xa30000), 0, 32768, ... (0xa30000), 4096, ) == 0x0
 01207   392   NtAllocateVirtualMemory  (120, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0
 01208   392   NtAllocateVirtualMemory  (120, 1236992, 0, 8192, 4096, 4, ... 1236992, 8192, ) == 0x0
 01209   392   NtProtectVirtualMemory  (120, (0x12e000), 4096, 260, ... (0x12e000), 4096, 4, ) == 0x0
 01210   392   NtCreateThread  (0x1f03ff, 0x0, 120, 1239976, 1240696, 1, ... 124, {676, 816}, ) == 0x0
 01211   392   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 1378696, 1376256, 1396744, 1241796}  (24, {168, 196, new_msg, 0, 1378696, 1376256, 1396744, 1241796} "\210\6\26\1\0\0\1\0\2$\370w U\367w{\0\0\0|\0\0\0\244\2\0\00\3\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\215\26\365w\0\0\0\0\1\0\0\0\0\0\0\0\1\1\1\0:\0<\0\244\6\26\1l\0\0\0x\0\0\0\0\0\0\0X\240C\0\0\0\0\0V\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0<\0\340\6\26\1\0\360\375\177\0\0\0\0\0\0\240\0\220\36\240\0" ... {168, 196, reply, 0, 384, 392, 1526, 0} "\250\232\26\0\0\0\1\0\0\0\0\0 U\367wx\0\0\0|\0\0\0\244\2\0\00\3\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\215\26\365w\0\0\0\0\1\0\0\0\0\0\0\0\1\1\1\0:\0<\0\244\6\26\1l\0\0\0x\0\0\0\0\0\0\0X\240C\0\0\0\0\0V\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0<\0\340\6\26\1\0\360\375\177\0\0\0\0\0\0\240\0\220\36\240\0" )  ... {168, 196, reply, 0, 384, 392, 1526, 0}  (24, {168, 196, new_msg, 0, 1378696, 1376256, 1396744, 1241796} "\210\6\26\1\0\0\1\0\2$\370w U\367w{\0\0\0|\0\0\0\244\2\0\00\3\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\215\26\365w\0\0\0\0\1\0\0\0\0\0\0\0\1\1\1\0:\0<\0\244\6\26\1l\0\0\0x\0\0\0\0\0\0\0X\240C\0\0\0\0\0V\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0<\0\340\6\26\1\0\360\375\177\0\0\0\0\0\0\240\0\220\36\240\0" ... {168, 196, reply, 0, 384, 392, 1526, 0} "\250\232\26\0\0\0\1\0\0\0\0\0 U\367wx\0\0\0|\0\0\0\244\2\0\00\3\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\215\26\365w\0\0\0\0\1\0\0\0\0\0\0\0\1\1\1\0:\0<\0\244\6\26\1l\0\0\0x\0\0\0\0\0\0\0X\240C\0\0\0\0\0V\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0<\0\340\6\26\1\0\360\375\177\0\0\0\0\0\0\240\0\220\36\240\0" )  ) == 0x0
 01212   392   NtResumeThread  (124, ... 1, ) == 0x0
 01213   392   NtClose  (108, ... ) == 0x0
 01214   392   NtClose  (104, ... ) == 0x0
 01215   392   NtTerminateProcess  (0, 0, ... ) == 0x0
 01216   392   NtClose  (96, ... ) == 0x0
 01217   392   NtUnmapViewOfSection  (-1, 0x8e0000, ... ) == 0x0
 01218   392   NtClose  (100, ... ) == 0x0
 01219   392   NtClose  (80, ... ) == 0x0
 01220   392   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xa,}, 4, ... ) == 0x0
 01221   392   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc03b
 01222   392   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01223   392   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc03d
 01224   392   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01225   392   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc03f
 01226   392   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01227   392   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc041
 01228   392   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01229   392   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc043
 01230   392   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01231   392   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc045
 01232   392   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01233   392   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc047
 01234   392   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01235   392   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc049
 01236   392   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01237   392   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc04b
 01238   392   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01239   392   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc04d
 01240   392   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01241   392   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc04f
 01242   392   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01243   392   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc051
 01244   392   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01245   392   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc053
 01246   392   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01247   392   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc057
 01248   392   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01249   392   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc059
 01250   392   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01251   392   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc05b
 01252   392   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01253   392   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc05d
 01254   392   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01255   392   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc05f
 01256   392   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01257   392   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc017
 01258   392   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01259   392   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc019
 01260   392   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01261   392   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc018
 01262   392   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01263   392   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc01a
 01264   392   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01265   392   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc01c
 01266   392   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01267   392   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc01e
 01268   392   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01269   392   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc01b
 01270   392   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01271   392   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc068
 01272   392   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01273   392   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc06a
 01274   392   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01275   392   NtUnmapViewOfSection  (-1, 0x8f0000, ... ) == 0x0
 01276   392   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x4,}, 4, ... ) == 0x0
 01277   392   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x1,}, 4, ... ) == 0x0
 01278   392   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x2,}, 4, ... ) == 0x0
 01279   392   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x3,}, 4, ... ) == 0x0
 01280   392   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc03b
 01281   392   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01282   392   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc03d
 01283   392   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01284   392   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc03f
 01285   392   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01286   392   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc041
 01287   392   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01288   392   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc043
 01289   392   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01290   392   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc045
 01291   392   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01292   392   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc047
 01293   392   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01294   392   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc049
 01295   392   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01296   392   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc04b
 01297   392   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01298   392   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc04d
 01299   392   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01300   392   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc04f
 01301   392   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01302   392   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc051
 01303   392   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01304   392   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc053
 01305   392   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01306   392   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc057
 01307   392   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01308   392   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc059
 01309   392   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01310   392   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc05b
 01311   392   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01312   392   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc05d
 01313   392   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01314   392   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc05f
 01315   392   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01316   392   NtFreeVirtualMemory  (-1, (0xa20000), 4096, 32768, ... (0xa20000), 4096, ) == 0x0
 01317   392   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, -1, 4199054, 4310894, 4423228}  (24, {20, 48, new_msg, 0, -1, 4199054, 4310894, 4423228} "\0\0\0\0\3\0\1\0\220~C\0C:\W\0\0\0\0" ... {20, 48, reply, 0, 384, 392, 1534, 0} "\0\0\0\0\3\0\1\0\0\0\0\0C:\W\0\0\0\0" )  ... {20, 48, reply, 0, 384, 392, 1534, 0}  (24, {20, 48, new_msg, 0, -1, 4199054, 4310894, 4423228} "\0\0\0\0\3\0\1\0\220~C\0C:\W\0\0\0\0" ... {20, 48, reply, 0, 384, 392, 1534, 0} "\0\0\0\0\3\0\1\0\0\0\0\0C:\W\0\0\0\0" )  ) == 0x0
 01318   392   NtTerminateProcess  (-1, 0, ...
 01319   392   NtClose  (44, ... ) == 0x0