Summary:


NtCallbackReturn(>)  1 
NtTestAlert(>)  1 
NtGdiCreateCompatibleDC(>)  3 
NtUserRegisterWindowMessage(>)  20 

NtDuplicateObject(>)  1 
NtUserCallNoParam(>)  1 
NtSetInformationObject(>)  3 
NtQueryValueKey(>)  23 

NtFsControlFile(>)  1 
NtUserGetThreadDesktop(>)  1 
NtGdiGetStockObject(>)  5 
NtContinue(>)  24 

NtGdiCreateBitmap(>)  1 
NtAddAtom(>)  2 
NtQueryDefaultLocale(>)  5 
NtOpenFile(>)  24 

NtGdiInit(>)  1 
NtCreateKey(>)  2 
NtCreateFile(>)  6 
NtQueryDebugFilterState(>)  24 

NtGdiQueryFontAssocInfo(>)  1 
NtGdiCreateSolidBrush(>)  2 
NtSetInformationThread(>)  6 
NtUserFindExistingCursorIcon(>)  24 

NtGdiSelectBitmap(>)  1 
NtOpenDirectoryObject(>)  2 
NtUserSystemParametersInfo(>)  6 
NtQuerySystemInformation(>)  25 

NtNotifyChangeKey(>)  1 
NtOpenEvent(>)  2 
NtQuerySection(>)  7 
NtOpenSection(>)  26 

NtOpenKeyedEvent(>)  1 
NtOpenProcessToken(>)  2 
NtOpenProcessTokenEx(>)  8 
NtUserRegisterClassExWOW(>)  34 

NtOpenMutant(>)  1 
NtQueryInformationFile(>)  2 
NtOpenThreadTokenEx(>)  8 
NtProtectVirtualMemory(>)  35 

NtOpenProcess(>)  1 
NtQueryInformationProcess(>)  2 
NtRequestWaitReplyPort(>)  8 
NtAllocateVirtualMemory(>)  36 

NtOpenSymbolicLinkObject(>)  1 
NtQueryInstallUILanguage(>)  2 
NtQueryDefaultUILanguage(>)  10 
NtMapViewOfSection(>)  39 

NtQueryInformationThread(>)  1 
NtQueryVirtualMemory(>)  2 
NtQueryInformationToken(>)  11 
NtOpenKey(>)  54 

NtQueryObject(>)  1 
NtTerminateProcess(>)  2 
NtFlushInstructionCache(>)  17 
NtUserGetClassInfo(>)  54 

NtQuerySymbolicLinkObject(>)  1 
NtUserGetDC(>)  2 
NtCreateSection(>)  18 
NtClose(>)  98 

NtQueryVolumeInformationFile(>)  1 
NtCreateEvent(>)  3 
NtUserUnregisterClass(>)  18 

NtRegisterThreadTerminatePort(>)  1 
NtCreateSemaphore(>)  3 
NtUnmapViewOfSection(>)  19 

NtSecureConnectPort(>)  1 

Trace:
 00001   480   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002   480   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00003   480   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00004   480   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1376256, 1048576, ) == 0x0
 00005   480   NtAllocateVirtualMemory  (-1, 1376256, 0, 4096, 4096, 4, ... 1376256, 4096, ) == 0x0
 00006   480   NtAllocateVirtualMemory  (-1, 1380352, 0, 8192, 4096, 4, ... 1380352, 8192, ) == 0x0
 00007   480   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00008   480   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2424832, 65536, ) == 0x0
 00009   480   NtAllocateVirtualMemory  (-1, 2424832, 0, 24576, 4096, 4, ... 2424832, 24576, ) == 0x0
 00010   480   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00011   480   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00012   480   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00013   480   NtClose  (12, ... ) == 0x0
 00014   480   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00015   480   NtQueryVolumeInformationFile  (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00016   480   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER
 00017   480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018   480   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019   480   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0
 00020   480   NtClose  (16, ... ) == 0x0
 00021   480   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00022   480   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00023   480   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00024   480   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1385272, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2490368, 18415616}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1385272, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2490368, 18415616}, {0, 0, 0}, 200, 44, ) == 0x0
 00025   480   NtClose  (16, ... ) == 0x0
 00026   480   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00027   480   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00028   480   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00029   480   NtQueryVirtualMemory  (-1, 0x260000, Basic, 28, ... {BaseAddress=0x260000,AllocationBase=0x260000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00030   480   NtAllocateVirtualMemory  (-1, 2490368, 0, 4096, 4096, 4, ... 2490368, 4096, ) == 0x0
 00031   480   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 464, 480, 1480, 0} "8@\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ... {28, 56, reply, 0, 464, 480, 1480, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 464, 480, 1480, 0} "8@\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ) == 0x0
 00032   480   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00033   480   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00034   480   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00035   480   NtClose  (16, ... ) == 0x0
 00036   480   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00037   480   NtOpenMutant  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0
 00038   480   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 28, ) == 0x0
 00039   480   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x270000), 0x0, 90112, ) == 0x0
 00040   480   NtClose  (28, ... ) == 0x0
 00041   480   NtQueryDefaultLocale  (0, 2012046252, ... ) == 0x0
 00042   480   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0
 00043   480   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x290000), 0x0, 212992, ) == 0x0
 00044   480   NtClose  (28, ... ) == 0x0
 00045   480   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0
 00046   480   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2d0000), 0x0, 266240, ) == 0x0
 00047   480   NtQuerySection  (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00048   480   NtClose  (28, ... ) == 0x0
 00049   480   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0
 00050   480   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x320000), 0x0, 24576, ) == 0x0
 00051   480   NtClose  (28, ... ) == 0x0
 00052   480   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00053   480   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00054   480   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00055   480   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 464, 480, 1481, 0} "\10\240\30\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ... {28, 56, reply, 0, 464, 480, 1481, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 464, 480, 1481, 0} "\10\240\30\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ) == 0x0
 00056   480   NtProtectVirtualMemory  (-1, (0x436000), 40960, 4, ... (0x436000), 40960, 8, ) == 0x0
 00057   480   NtProtectVirtualMemory  (-1, (0x436000), 40960, 8, ... (0x436000), 40960, 4, ) == 0x0
 00058   480   NtFlushInstructionCache  (-1, 4415488, 40960, ... ) == 0x0
 00059   480   NtOpenProcessToken  (-1, 0x8, ... 28, ) == 0x0
 00060   480   NtQueryInformationToken  (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00061   480   NtClose  (28, ... ) == 0x0
 00062   480   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00063   480   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00064   480   NtClose  (28, ... ) == 0x0
 00065   480   NtTestAlert  (... ) == 0x0
 00066   480   NtContinue  (1244464, 1, ...
 00067   480   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x43605c,}, 4, ... ) == 0x0
 00068   480   NtAllocateVirtualMemory  (-1, 0, 0, 73728, 12288, 64, ... 3342336, 73728, ) == 0x0
 00069   480   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 28, ) }, ... 28, ) == 0x0
 00070   480   NtQueryValueKey  (28,  (28, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00071   480   NtClose  (28, ... ) == 0x0
 00072   480   NtAllocateVirtualMemory  (-1, 1388544, 0, 4096, 4096, 4, ... 1388544, 4096, ) == 0x0
 00073   480   NtContinue  (1244388, 0, ...
 00074   480   NtContinue  (1244388, 0, ...
 00075   480   NtProtectVirtualMemory  (-1, (0x40000c), 512, 4, ... (0x400000), 4096, 2, ) == 0x0
 00076   480   NtContinue  (1244388, 0, ...
 00077   480   NtContinue  (1244388, 0, ...
 00078   480   NtContinue  (1244388, 0, ...
 00079   480   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 1244988,  (0x100080, {24, 0, 0x40, 0, 1244988, "\??\SUPERBPM"}, 0x0, 0, 3, 1, 96, 0, 0, ... ) }, 0x0, 0, 3, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00080   480   NtContinue  (1244388, 0, ...
 00081   480   NtContinue  (1244388, 0, ...
 00082   480   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 1244988,  (0x100080, {24, 0, 0x40, 0, 1244988, "\??\NTICE"}, 0x0, 0, 3, 1, 96, 0, 0, ... ) }, 0x0, 0, 3, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00083   480   NtContinue  (1244388, 0, ...
 00084   480   NtContinue  (1244388, 0, ...
 00085   480   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 1244988,  (0x100080, {24, 0, 0x40, 0, 1244988, "\??\REGVXD"}, 0x0, 0, 3, 1, 96, 0, 0, ... ) }, 0x0, 0, 3, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00086   480   NtAllocateVirtualMemory  (-1, 0, 0, 135168, 12288, 64, ... 3473408, 135168, ) == 0x0
 00087   480   NtContinue  (1244372, 0, ...
 00088   480   NtContinue  (1244372, 0, ...
 00089   480   NtContinue  (1244372, 0, ...
 00090   480   NtContinue  (1244372, 0, ...
 00091   480   NtContinue  (1244372, 0, ...
 00092   480   NtContinue  (1244372, 0, ...
 00093   480   NtContinue  (1244376, 0, ...
 00094   480   NtContinue  (1244376, 0, ...
 00095   480   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 1244976,  (0x100080, {24, 0, 0x40, 0, 1244976, "\??\FILEVXD"}, 0x0, 0, 3, 1, 96, 0, 0, ... ) }, 0x0, 0, 3, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00096   480   NtContinue  (1244376, 0, ...
 00097   480   NtContinue  (1244376, 0, ...
 00098   480   NtContinue  (1244376, 0, ...
 00099   480   NtContinue  (1244376, 0, ...
 00100   480   NtAllocateVirtualMemory  (-1, 0, 0, 47552, 12288, 64, ... 3670016, 49152, ) == 0x0
 00101   480   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "USER32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00102   480   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0
 00103   480   NtClose  (28, ... ) == 0x0
 00104   480   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00105   480   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0
 00106   480   NtClose  (28, ... ) == 0x0
 00107   480   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00108   480   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0
 00109   480   NtClose  (28, ... ) == 0x0
 00110   480   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00111   480   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0
 00112   480   NtClose  (28, ... ) == 0x0
 00113   480   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00114   480   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00115   480   NtQueryValueKey  (28,  (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00116   480   NtClose  (28, ... ) == 0x0
 00117   480   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0
 00118   480   NtQueryValueKey  (28,  (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00119   480   NtClose  (28, ... ) == 0x0
 00120   480   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0
 00121   480   NtSetInformationObject  (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0
 00122   480   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00123   480   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00124   480   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0}  (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0} "\210\6\31\1\0\0\0\0\314\4\23\0\374\207\16\366\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 464, 480, 1492, 0} "XQ\26\0\0\0\0\0\0\0\0\0\374\207\16\366\3\0\0\0\234\6\31\1$\1\0\0" )  ... {28, 56, reply, 0, 464, 480, 1492, 0}  (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0} "\210\6\31\1\0\0\0\0\314\4\23\0\374\207\16\366\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 464, 480, 1492, 0} "XQ\26\0\0\0\0\0\0\0\0\0\374\207\16\366\3\0\0\0\234\6\31\1$\1\0\0" )  ) == 0x0
 00125   480   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00126   480   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x510000), 0x0, 1060864, ) == 0x0
 00127   480   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 36, ) == 0x0
 00128   480   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00129   480   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482196, ) == 0x0
 00130   480   NtQueryInformationToken  (-2147482196, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00131   480   NtQueryInformationToken  (-2147482196, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00132   480   NtClose  (-2147482196, ... ) == 0x0
 00133   480   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 3735552, 4096, ) == 0x0
 00134   480   NtFreeVirtualMemory  (-1, (0x390000), 4096, 32768, ... (0x390000), 4096, ) == 0x0
 00135   480   NtDuplicateObject  (-1, 40, -1, 0x0, 0, 2, ... 48, ) == 0x0
 00136   480   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482196, ) }, ... -2147482196, ) == 0x0
 00137   480   NtQueryValueKey  (-2147482196,  (-2147482196, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00138   480   NtClose  (-2147482196, ... ) == 0x0
 00139   480   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482196, ) }, ... -2147482196, ) == 0x0
 00140   480   NtQueryValueKey  (-2147482196,  (-2147482196, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00141   480   NtClose  (-2147482196, ... ) == 0x0
 00142   480   NtQueryDefaultLocale  (0, -133527028, ... ) == 0x0
 00143   480   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00144   480   NtUserCallNoParam  (24, ... ) == 0x0
 00145   480   NtGdiCreateCompatibleDC  (0, ...
 00146   480   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 3735552, 4096, ) == 0x0
 00145   480   NtGdiCreateCompatibleDC  ... ) == 0x160103c6
 00147   480   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00148   480   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00149   480   NtGdiCreateBitmap  (8, 8, 1, 1, 2010393708, ... ) == 0x140503fd
 00150   480   NtGdiCreateSolidBrush  (0, 0, ...
 00151   480   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 3801088, 4096, ) == 0x0
 00150   480   NtGdiCreateSolidBrush  ... ) == 0x1d100403
 00152   480   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00153   480   NtGdiCreateCompatibleDC  (0, ... ) == 0xe01040b
 00154   480   NtGdiSelectBitmap  (234947595, 335873021, ... ) == 0x185000f
 00155   480   NtUserGetThreadDesktop  (480, 0, ... ) == 0x2c
 00156   480   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 52, ) }, ... 52, ) == 0x0
 00157   480   NtQueryValueKey  (52,  (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00158   480   NtClose  (52, ... ) == 0x0
 00159   480   NtUserFindExistingCursorIcon  (1240876, 1240892, 1241460, ... ) == 0x10011
 00160   480   NtUserRegisterClassExWOW  (1241396, 1241476, 1241460, 1241492, 673, 128, 0, ... ) == 0x810ec017
 00161   480   NtUserFindExistingCursorIcon  (1240876, 1240892, 1241460, ... ) == 0x10011
 00162   480   NtUserRegisterClassExWOW  (1241396, 1241476, 1241460, 1241492, 674, 128, 0, ... ) == 0x810ec01c
 00163   480   NtUserFindExistingCursorIcon  (1240876, 1240892, 1241460, ... ) == 0x10011
 00164   480   NtUserRegisterClassExWOW  (1241396, 1241476, 1241460, 1241492, 675, 128, 0, ... ) == 0x810ec01e
 00165   480   NtUserFindExistingCursorIcon  (1240876, 1240892, 1241460, ... ) == 0x10011
 00166   480   NtUserRegisterClassExWOW  (1241396, 1241476, 1241460, 1241492, 676, 128, 0, ... ) == 0x810e8002
 00167   480   NtUserFindExistingCursorIcon  (1240876, 1240892, 1241460, ... ) == 0x10013
 00168   480   NtUserRegisterClassExWOW  (1241396, 1241476, 1241460, 1241492, 677, 128, 0, ... ) == 0x810ec018
 00169   480   NtUserFindExistingCursorIcon  (1240876, 1240892, 1241460, ... ) == 0x10011
 00170   480   NtUserRegisterClassExWOW  (1241396, 1241476, 1241460, 1241492, 678, 128, 0, ... ) == 0x810ec01a
 00171   480   NtUserFindExistingCursorIcon  (1240876, 1240892, 1241460, ... ) == 0x10011
 00172   480   NtUserRegisterClassExWOW  (1241396, 1241476, 1241460, 1241492, 679, 128, 0, ... ) == 0x810ec01d
 00173   480   NtUserFindExistingCursorIcon  (1240876, 1240892, 1241460, ... ) == 0x10011
 00174   480   NtUserRegisterClassExWOW  (1241396, 1241476, 1241460, 1241492, 681, 128, 0, ... ) == 0x810ec026
 00175   480   NtUserFindExistingCursorIcon  (1240876, 1240892, 1241460, ... ) == 0x10011
 00176   480   NtUserRegisterClassExWOW  (1241396, 1241476, 1241460, 1241492, 680, 128, 0, ... ) == 0x810ec019
 00177   480   NtUserRegisterClassExWOW  (1241348, 1241428, 1241412, 1241444, 0, 128, 0, ...
 00178   480   NtAllocateVirtualMemory  (-1, 6516736, 0, 4096, 4096, 32, ... 6516736, 4096, ) == 0x0
 00177   480   NtUserRegisterClassExWOW  ... ) == 0x810ec020
 00179   480   NtUserRegisterClassExWOW  (1241348, 1241424, 1241440, 1241412, 0, 130, 0, ... ) == 0x810ec022
 00180   480   NtUserRegisterClassExWOW  (1241348, 1241428, 1241412, 1241444, 0, 128, 0, ... ) == 0x810ec023
 00181   480   NtUserRegisterClassExWOW  (1241348, 1241424, 1241440, 1241412, 0, 130, 0, ... ) == 0x810ec024
 00182   480   NtUserRegisterClassExWOW  (1241348, 1241428, 1241412, 1241444, 0, 128, 0, ... ) == 0x810ec025
 00183   480   NtCallbackReturn  (0, 0, 0, ...
 00184   480   NtGdiInit  (... ) == 0x1
 00185   480   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00186   480   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00187   480   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHELL32.dll"}, ... 52, ) }, ... 52, ) == 0x0
 00188   480   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 8339456, ) == 0x0
 00189   480   NtClose  (52, ... ) == 0x0
 00190   480   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 52, ) }, ... 52, ) == 0x0
 00191   480   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0
 00192   480   NtClose  (52, ... ) == 0x0
 00193   480   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 52, ) }, ... 52, ) == 0x0
 00194   480   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x772d0000), 0x0, 405504, ) == 0x0
 00195   480   NtClose  (52, ... ) == 0x0
 00196   480   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00197   480   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3866624, 65536, ) == 0x0
 00198   480   NtAllocateVirtualMemory  (-1, 3866624, 0, 4096, 4096, 4, ... 3866624, 4096, ) == 0x0
 00199   480   NtAllocateVirtualMemory  (-1, 3870720, 0, 8192, 4096, 4, ... 3870720, 8192, ) == 0x0
 00200   480   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 52, ) }, ... 52, ) == 0x0
 00201   480   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x3c0000), 0x0, 12288, ) == 0x0
 00202   480   NtClose  (52, ... ) == 0x0
 00203   480   NtAllocateVirtualMemory  (-1, 3878912, 0, 4096, 4096, 4, ... 3878912, 4096, ) == 0x0
 00204   480   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00205   480   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 52, ) }, ... 52, ) == 0x0
 00206   480   NtQueryValueKey  (52,  (52, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (52, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00207   480   NtClose  (52, ... ) == 0x0
 00208   480   NtQueryDefaultUILanguage  (1241428, ...
 00209   480   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00210   480   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482196, ) == 0x0
 00211   480   NtQueryInformationToken  (-2147482196, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00212   480   NtClose  (-2147482196, ... ) == 0x0
 00213   480   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482196, ) }, ... -2147482196, ) == 0x0
 00214   480   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00215   480   NtOpenKey  (0x80000000, {24, -2147482196, 0x640, 0, 0,  (0x80000000, {24, -2147482196, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482184, ) }, ... -2147482184, ) == 0x0
 00216   480   NtQueryValueKey  (-2147482184,  (-2147482184, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00217   480   NtClose  (-2147482184, ... ) == 0x0
 00218   480   NtClose  (-2147482196, ... ) == 0x0
 00208   480   NtQueryDefaultUILanguage  ... ) == 0x0
 00219   480   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00220   480   NtQueryInstallUILanguage  (2012047340, ... ) == 0x0
 00221   480   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1, 96, ... 52, {status=0x0, info=1}, ) }, 1, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00222   480   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 52, ... 56, ) == 0x0
 00223   480   NtMapViewOfSection  (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x920000), 0x0, 8323072, ) == 0x0
 00224   480   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00225   480   NtQueryDefaultUILanguage  (2013024600, ...
 00226   480   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00227   480   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482196, ) == 0x0
 00228   480   NtQueryInformationToken  (-2147482196, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00229   480   NtClose  (-2147482196, ... ) == 0x0
 00230   480   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482196, ) }, ... -2147482196, ) == 0x0
 00231   480   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00232   480   NtOpenKey  (0x80000000, {24, -2147482196, 0x640, 0, 0,  (0x80000000, {24, -2147482196, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482184, ) }, ... -2147482184, ) == 0x0
 00233   480   NtQueryValueKey  (-2147482184,  (-2147482184, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00234   480   NtClose  (-2147482184, ... ) == 0x0
 00235   480   NtClose  (-2147482196, ... ) == 0x0
 00225   480   NtQueryDefaultUILanguage  ... ) == 0x0
 00236   480   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00237   480   NtQueryInstallUILanguage  (2013024602, ... ) == 0x0
 00238   480   NtQueryDefaultLocale  (1, 1239464, ... ) == 0x0
 00239   480   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00240   480   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1240320, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1240320, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\360\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\14\0\0\0\377\377\377\377\0\0\0\0\20\311\311\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\0\364\22\0\0\0\0\0" ... {128, 156, reply, 0, 464, 480, 1493, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\360\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\14\0\0\0\377\377\377\377\0\0\0\0\20\311\311\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\0\364\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 464, 480, 1493, 0}  (24, {128, 156, new_msg, 0, 1240320, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\360\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\14\0\0\0\377\377\377\377\0\0\0\0\20\311\311\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\0\364\22\0\0\0\0\0" ... {128, 156, reply, 0, 464, 480, 1493, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\360\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\14\0\0\0\377\377\377\377\0\0\0\0\20\311\311\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\0\364\22\0\0\0\0\0" )  ) == 0x0
 00241   480   NtClose  (52, ... ) == 0x0
 00242   480   NtClose  (56, ... ) == 0x0
 00243   480   NtUnmapViewOfSection  (-1, 0x920000, ... ) == 0x0
 00244   480   NtUnmapViewOfSection  (-1, 0x12f400, ... ) == STATUS_NOT_MAPPED_VIEW
 00245   480   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00246   480   NtAllocateVirtualMemory  (-1, 1392640, 0, 4096, 4096, 4, ... 1392640, 4096, ) == 0x0
 00247   480   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00248   480   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00249   480   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00250   480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1238548, ... ) }, 1238548, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00251   480   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00252   480   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00253   480   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00254   480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1239140, ... ) }, 1239140, ... ) == 0x0
 00255   480   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 56, {status=0x0, info=1}, ) }, 3, 33, ... 56, {status=0x0, info=1}, ) == 0x0
 00256   480   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00257   480   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00258   480   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 52, ... 60, ) == 0x0
 00259   480   NtClose  (52, ... ) == 0x0
 00260   480   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x920000), 0x0, 921600, ) == 0x0
 00261   480   NtClose  (60, ... ) == 0x0
 00262   480   NtUnmapViewOfSection  (-1, 0x920000, ... ) == 0x0
 00263   480   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 60, {status=0x0, info=1}, ) }, 5, 96, ... 60, {status=0x0, info=1}, ) == 0x0
 00264   480   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 60, ... 52, ) == 0x0
 00265   480   NtQuerySection  (52, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00266   480   NtOpenProcessToken  (-1, 0x8, ... 64, ) == 0x0
 00267   480   NtQueryInformationToken  (64, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00268   480   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00269   480   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 68, ) }, ... 68, ) == 0x0
 00270   480   NtQueryValueKey  (68,  (68, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (68, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00271   480   NtClose  (68, ... ) == 0x0
 00272   480   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00273   480   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 68, ) == 0x0
 00274   480   NtQueryInformationToken  (68, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00275   480   NtClose  (68, ... ) == 0x0
 00276   480   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00277   480   NtClose  (64, ... ) == 0x0
 00278   480   NtClose  (60, ... ) == 0x0
 00279   480   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0
 00280   480   NtClose  (52, ... ) == 0x0
 00281   480   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00282   480   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00283   480   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00284   480   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00285   480   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00286   480   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00287   480   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00288   480   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00289   480   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00290   480   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00291   480   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00292   480   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00293   480   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00294   480   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00295   480   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00296   480   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00297   480   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00298   480   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00299   480   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00300   480   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00301   480   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00302   480   NtAddAtom  ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1240324, ... ) , 42, 1240324, ... ) == 0x0
 00303   480   NtQueryDefaultUILanguage  (1239040, ...
 00304   480   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00305   480   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482196, ) == 0x0
 00306   480   NtQueryInformationToken  (-2147482196, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00307   480   NtClose  (-2147482196, ... ) == 0x0
 00308   480   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482196, ) }, ... -2147482196, ) == 0x0
 00309   480   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00310   480   NtOpenKey  (0x80000000, {24, -2147482196, 0x640, 0, 0,  (0x80000000, {24, -2147482196, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482184, ) }, ... -2147482184, ) == 0x0
 00311   480   NtQueryValueKey  (-2147482184,  (-2147482184, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00312   480   NtClose  (-2147482184, ... ) == 0x0
 00313   480   NtClose  (-2147482196, ... ) == 0x0
 00303   480   NtQueryDefaultUILanguage  ... ) == 0x0
 00314   480   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00315   480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1237892, ... ) }, 1237892, ... ) == 0x0
 00316   480   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00317   480   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 52, ... 60, ) == 0x0
 00318   480   NtClose  (52, ... ) == 0x0
 00319   480   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x3e0000), 0x0, 4096, ) == 0x0
 00320   480   NtClose  (60, ... ) == 0x0
 00321   480   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 00322   480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1237532, ... ) }, 1237532, ... ) == 0x0
 00323   480   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238232,  (0x80100080, {24, 0, 0x40, 0, 1238232, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 60, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 60, {status=0x0, info=1}, ) == 0x0
 00324   480   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 60, ... 52, ) == 0x0
 00325   480   NtClose  (60, ... ) == 0x0
 00326   480   NtMapViewOfSection  (52, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x3e0000), {0, 0}, 4096, ) == 0x0
 00327   480   NtClose  (52, ... ) == 0x0
 00328   480   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 00329   480   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 52, {status=0x0, info=1}, ) }, 1, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00330   480   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 52, ... 60, ) == 0x0
 00331   480   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x3e0000), 0x0, 4096, ) == 0x0
 00332   480   NtQueryInformationFile  (52, 1237852, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0
 00333   480   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00334   480   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1237932, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1237932, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\14\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\254\352\22\0\0\0\0\0" ... {128, 156, reply, 0, 464, 480, 1494, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\14\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\254\352\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 464, 480, 1494, 0}  (24, {128, 156, new_msg, 0, 1237932, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\14\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\254\352\22\0\0\0\0\0" ... {128, 156, reply, 0, 464, 480, 1494, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\14\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\254\352\22\0\0\0\0\0" )  ) == 0x0
 00335   480   NtClose  (52, ... ) == 0x0
 00336   480   NtClose  (60, ... ) == 0x0
 00337   480   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 00338   480   NtUnmapViewOfSection  (-1, 0x12eaac, ... ) == STATUS_NOT_MAPPED_VIEW
 00339   480   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00340   480   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00341   480   NtUserSystemParametersInfo  (104, 0, 1906151468, 0, ... ) == 0x1
 00342   480   NtUserGetDC  (0, ... ) == 0x1010053
 00343   480   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 00344   480   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 00345   480   NtContinue  (1237888, 0, ...
 00346   480   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 00347   480   NtUnmapViewOfSection  (-1, 0x71950000, ... ) == 0x0
 00348   480   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 00349   480   NtUnmapViewOfSection  (-1, 0x3d0000, ... ) == 0x0
 00350   480   NtClose  (56, ... ) == 0x0
 00351   480   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "comctl32.dll"}, ... 56, ) }, ... 56, ) == 0x0
 00352   480   NtMapViewOfSection  (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0
 00353   480   NtClose  (56, ... ) == 0x0
 00354   480   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {464, 0}, ... 56, ) == 0x0
 00355   480   NtQueryInformationProcess  (56, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 00356   480   NtClose  (56, ... ) == 0x0
 00357   480   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00358   480   NtUserSystemParametersInfo  (104, 0, 2000318720, 0, ... ) == 0x1
 00359   480   NtUserSystemParametersInfo  (38, 4, 2000318708, 0, ... ) == 0x1
 00360   480   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00361   480   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 56, ) == 0x0
 00362   480   NtQueryInformationToken  (56, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00363   480   NtClose  (56, ... ) == 0x0
 00364   480   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 56, ) }, ... 56, ) == 0x0
 00365   480   NtSetInformationObject  (56, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 00366   480   NtOpenKey  (0x20019, {24, 56, 0x40, 0, 0,  (0x20019, {24, 56, 0x40, 0, 0, "Control Panel\Desktop"}, ... 60, ) }, ... 60, ) == 0x0
 00367   480   NtQueryValueKey  (60,  (60, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00368   480   NtClose  (60, ... ) == 0x0
 00369   480   NtUserSystemParametersInfo  (41, 500, 1239912, 0, ... ) == 0x1
 00370   480   NtUserSystemParametersInfo  (102, 0, 2000318732, 0, ... ) == 0x1
 00371   480   NtUserGetClassInfo  (1999896576, 1240320, 1240272, 1240348, 0, ... ) == 0x0
 00372   480   NtUserFindExistingCursorIcon  (1239704, 1239720, 1240288, ... ) == 0x10011
 00373   480   NtUserRegisterClassExWOW  (1240156, 1240236, 1240220, 1240252, 0, 384, 0, ... ) == 0x810ec03b
 00374   480   NtUserGetClassInfo  (1999896576, 1240320, 1240272, 1240348, 0, ... ) == 0x0
 00375   480   NtUserRegisterClassExWOW  (1240156, 1240236, 1240220, 1240252, 0, 384, 0, ... ) == 0x810ec03d
 00376   480   NtUserGetClassInfo  (1999896576, 1240320, 1240272, 1240348, 0, ... ) == 0x0
 00377   480   NtUserFindExistingCursorIcon  (1239704, 1239720, 1240288, ... ) == 0x10011
 00378   480   NtUserRegisterClassExWOW  (1240156, 1240236, 1240220, 1240252, 0, 384, 0, ... ) == 0x810ec03f
 00379   480   NtUserGetClassInfo  (1999896576, 1240320, 1240272, 1240348, 0, ... ) == 0x0
 00380   480   NtUserFindExistingCursorIcon  (1239704, 1239720, 1240288, ... ) == 0x10011
 00381   480   NtUserRegisterClassExWOW  (1240156, 1240236, 1240220, 1240252, 0, 384, 0, ... ) == 0x810ec041
 00382   480   NtUserGetClassInfo  (1999896576, 1240320, 1240272, 1240348, 0, ... ) == 0x0
 00383   480   NtUserFindExistingCursorIcon  (1239704, 1239720, 1240288, ... ) == 0x10011
 00384   480   NtUserRegisterClassExWOW  (1240156, 1240236, 1240220, 1240252, 0, 384, 0, ... ) == 0x810ec043
 00385   480   NtUserGetClassInfo  (1999896576, 1240320, 1240272, 1240348, 0, ... ) == 0x0
 00386   480   NtUserRegisterClassExWOW  (1240156, 1240236, 1240220, 1240252, 0, 384, 0, ... ) == 0x810ec045
 00387   480   NtUserGetClassInfo  (1999896576, 1240320, 1240272, 1240348, 0, ... ) == 0x0
 00388   480   NtUserFindExistingCursorIcon  (1239704, 1239720, 1240288, ... ) == 0x10011
 00389   480   NtUserRegisterClassExWOW  (1240156, 1240236, 1240220, 1240252, 0, 384, 0, ... ) == 0x810ec047
 00390   480   NtUserGetClassInfo  (1999896576, 1240320, 1240272, 1240348, 0, ... ) == 0x0
 00391   480   NtUserFindExistingCursorIcon  (1239700, 1239716, 1240284, ... ) == 0x10011
 00392   480   NtUserRegisterClassExWOW  (1240152, 1240232, 1240216, 1240248, 0, 384, 0, ... ) == 0x810ec049
 00393   480   NtUserGetClassInfo  (1999896576, 1240320, 1240272, 1240348, 0, ... ) == 0x0
 00394   480   NtUserFindExistingCursorIcon  (1239704, 1239720, 1240288, ... ) == 0x10011
 00395   480   NtUserRegisterClassExWOW  (1240156, 1240236, 1240220, 1240252, 0, 384, 0, ... ) == 0x810ec04b
 00396   480   NtUserGetClassInfo  (1999896576, 1240320, 1240272, 1240348, 0, ... ) == 0x0
 00397   480   NtUserFindExistingCursorIcon  (1239704, 1239720, 1240288, ... ) == 0x10011
 00398   480   NtUserRegisterClassExWOW  (1240156, 1240236, 1240220, 1240252, 0, 384, 0, ... ) == 0x810ec04d
 00399   480   NtUserGetClassInfo  (1999896576, 1240320, 1240272, 1240348, 0, ... ) == 0x0
 00400   480   NtUserFindExistingCursorIcon  (1239704, 1239720, 1240288, ... ) == 0x10011
 00401   480   NtUserRegisterClassExWOW  (1240156, 1240236, 1240220, 1240252, 0, 384, 0, ... ) == 0x810ec04f
 00402   480   NtUserGetClassInfo  (1999896576, 1240324, 1240276, 1240352, 0, ... ) == 0x0
 00403   480   NtUserRegisterClassExWOW  (1240160, 1240240, 1240224, 1240256, 0, 384, 0, ... ) == 0x810ec051
 00404   480   NtUserGetClassInfo  (1999896576, 1240320, 1240272, 1240348, 0, ... ) == 0x0
 00405   480   NtUserFindExistingCursorIcon  (1239704, 1239720, 1240288, ... ) == 0x10011
 00406   480   NtUserRegisterClassExWOW  (1240156, 1240236, 1240220, 1240252, 0, 384, 0, ... ) == 0x810ec053
 00407   480   NtUserGetClassInfo  (1999896576, 1240320, 1240272, 1240348, 0, ... ) == 0x0
 00408   480   NtUserFindExistingCursorIcon  (1239704, 1239720, 1240288, ... ) == 0x10011
 00409   480   NtUserRegisterClassExWOW  (1240156, 1240236, 1240220, 1240252, 0, 384, 0, ... ) == 0x810ec055
 00410   480   NtUserRegisterClassExWOW  (1240156, 1240236, 1240220, 1240252, 0, 384, 0, ... ) == 0x810ec057
 00411   480   NtUserGetClassInfo  (1999896576, 1240320, 1240272, 1240348, 0, ... ) == 0x0
 00412   480   NtUserFindExistingCursorIcon  (1239704, 1239720, 1240288, ... ) == 0x10011
 00413   480   NtUserRegisterClassExWOW  (1240156, 1240236, 1240220, 1240252, 0, 384, 0, ... ) == 0x810ec059
 00414   480   NtUserGetClassInfo  (1999896576, 1240320, 1240272, 1240348, 0, ... ) == 0x0
 00415   480   NtUserFindExistingCursorIcon  (1239704, 1239720, 1240288, ... ) == 0x10013
 00416   480   NtUserRegisterClassExWOW  (1240156, 1240236, 1240220, 1240252, 0, 384, 0, ... ) == 0x810ec05b
 00417   480   NtUserGetClassInfo  (1999896576, 1240320, 1240272, 1240348, 0, ... ) == 0x0
 00418   480   NtUserFindExistingCursorIcon  (1239704, 1239720, 1240288, ... ) == 0x10011
 00419   480   NtUserRegisterClassExWOW  (1240156, 1240236, 1240220, 1240252, 0, 384, 0, ... ) == 0x810ec05d
 00420   480   NtUserGetClassInfo  (1999896576, 1240320, 1240272, 1240348, 0, ... ) == 0x0
 00421   480   NtUserFindExistingCursorIcon  (1239704, 1239720, 1240288, ... ) == 0x10011
 00422   480   NtUserRegisterClassExWOW  (1240156, 1240236, 1240220, 1240252, 0, 384, 0, ... ) == 0x810ec05f
 00423   480   NtUserGetClassInfo  (1999896576, 1243164, 1243116, 1243192, 0, ... ) == 0xc03b
 00424   480   NtUserGetClassInfo  (1999896576, 1243164, 1243116, 1243192, 0, ... ) == 0xc03d
 00425   480   NtUserGetClassInfo  (1999896576, 1243164, 1243116, 1243192, 0, ... ) == 0xc03f
 00426   480   NtUserGetClassInfo  (1999896576, 1243164, 1243116, 1243192, 0, ... ) == 0xc041
 00427   480   NtUserGetClassInfo  (1999896576, 1243164, 1243116, 1243192, 0, ... ) == 0xc043
 00428   480   NtUserGetClassInfo  (1999896576, 1243164, 1243116, 1243192, 0, ... ) == 0xc045
 00429   480   NtUserGetClassInfo  (1999896576, 1243164, 1243116, 1243192, 0, ... ) == 0xc047
 00430   480   NtUserGetClassInfo  (1999896576, 1243164, 1243116, 1243192, 0, ... ) == 0xc049
 00431   480   NtUserGetClassInfo  (1999896576, 1243164, 1243116, 1243192, 0, ... ) == 0xc04b
 00432   480   NtUserGetClassInfo  (1999896576, 1243164, 1243116, 1243192, 0, ... ) == 0xc04d
 00433   480   NtUserGetClassInfo  (1999896576, 1243164, 1243116, 1243192, 0, ... ) == 0xc04f
 00434   480   NtUserGetClassInfo  (1999896576, 1243168, 1243120, 1243196, 0, ... ) == 0xc051
 00435   480   NtUserGetClassInfo  (1999896576, 1243164, 1243116, 1243192, 0, ... ) == 0xc053
 00436   480   NtUserGetClassInfo  (1999896576, 1243164, 1243116, 1243192, 0, ... ) == 0xc055
 00437   480   NtUserGetClassInfo  (1999896576, 1243164, 1243116, 1243192, 0, ... ) == 0xc059
 00438   480   NtUserGetClassInfo  (1999896576, 1243164, 1243116, 1243192, 0, ... ) == 0xc05b
 00439   480   NtUserGetClassInfo  (1999896576, 1243164, 1243116, 1243192, 0, ... ) == 0xc05d
 00440   480   NtUserGetClassInfo  (1999896576, 1243164, 1243116, 1243192, 0, ... ) == 0xc05f
 00441   480   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ODBC32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00442   480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\ODBC32.dll"}, 1243072, ... ) }, 1243072, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00443   480   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "ODBC32.dll"}, 1243072, ... ) }, 1243072, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00444   480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ODBC32.dll"}, 1243072, ... ) }, 1243072, ... ) == 0x0
 00445   480   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ODBC32.dll"}, 5, 96, ... 60, {status=0x0, info=1}, ) }, 5, 96, ... 60, {status=0x0, info=1}, ) == 0x0
 00446   480   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 60, ... 52, ) == 0x0
 00447   480   NtQuerySection  (52, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00448   480   NtClose  (60, ... ) == 0x0
 00449   480   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x1f7b0000), 0x0, 200704, ) == 0x0
 00450   480   NtClose  (52, ... ) == 0x0
 00451   480   NtProtectVirtualMemory  (-1, (0x1f7b1000), 724, 4, ... (0x1f7b1000), 4096, 32, ) == 0x0
 00452   480   NtProtectVirtualMemory  (-1, (0x1f7b1000), 4096, 32, ... (0x1f7b1000), 4096, 4, ) == 0x0
 00453   480   NtFlushInstructionCache  (-1, 528158720, 724, ... ) == 0x0
 00454   480   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "comdlg32.dll"}, ... 52, ) }, ... 52, ) == 0x0
 00455   480   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x763b0000), 0x0, 282624, ) == 0x0
 00456   480   NtClose  (52, ... ) == 0x0
 00457   480   NtProtectVirtualMemory  (-1, (0x763b1000), 1536, 4, ... (0x763b1000), 4096, 32, ) == 0x0
 00458   480   NtProtectVirtualMemory  (-1, (0x763b1000), 4096, 32, ... (0x763b1000), 4096, 4, ) == 0x0
 00459   480   NtFlushInstructionCache  (-1, 1983582208, 1536, ... ) == 0x0
 00460   480   NtUserRegisterWindowMessage  ( ("WOWLFChange", ... ) , ... ) == 0xc06b
 00461   480   NtUserRegisterWindowMessage  ( ("WOWDirChange", ... ) , ... ) == 0xc06c
 00462   480   NtUserRegisterWindowMessage  ( ("WOWCHOOSEFONT_GETLOGFONT", ... ) , ... ) == 0xc06d
 00463   480   NtUserRegisterWindowMessage  ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06e
 00464   480   NtUserRegisterWindowMessage  ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc06f
 00465   480   NtUserRegisterWindowMessage  ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc070
 00466   480   NtUserRegisterWindowMessage  ( ("commdlg_ColorOK", ... ) , ... ) == 0xc071
 00467   480   NtUserRegisterWindowMessage  ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc072
 00468   480   NtUserRegisterWindowMessage  ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06e
 00469   480   NtUserRegisterWindowMessage  ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc06f
 00470   480   NtUserRegisterWindowMessage  ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc070
 00471   480   NtUserRegisterWindowMessage  ( ("commdlg_ColorOK", ... ) , ... ) == 0xc071
 00472   480   NtUserRegisterWindowMessage  ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc072
 00473   480   NtUserRegisterWindowMessage  ( ("Shell IDList Array", ... ) , ... ) == 0xc073
 00474   480   NtUserRegisterWindowMessage  ( ("commdlg_help", ... ) , ... ) == 0xc074
 00475   480   NtUserRegisterWindowMessage  ( ("commdlg_help", ... ) , ... ) == 0xc074
 00476   480   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\MDAC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00477   480   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00478   480   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00479   480   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00480   480   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 9568256, 262144, ) == 0x0
 00481   480   NtAllocateVirtualMemory  (-1, 9568256, 0, 4096, 4096, 4, ... 9568256, 4096, ) == 0x0
 00482   480   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00483   480   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 9830400, 262144, ) == 0x0
 00484   480   NtAllocateVirtualMemory  (-1, 9830400, 0, 4096, 4096, 4, ... 9830400, 4096, ) == 0x0
 00485   480   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00486   480   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 10092544, 262144, ) == 0x0
 00487   480   NtAllocateVirtualMemory  (-1, 10092544, 0, 4096, 4096, 4, ... 10092544, 4096, ) == 0x0
 00488   480   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00489   480   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 10354688, 262144, ) == 0x0
 00490   480   NtAllocateVirtualMemory  (-1, 10354688, 0, 4096, 4096, 4, ... 10354688, 4096, ) == 0x0
 00491   480   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00492   480   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00493   480   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00494   480   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00495   480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 1239044, ... ) }, 1239044, ... ) == 0x0
 00496   480   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00497   480   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 52, ... 60, ) == 0x0
 00498   480   NtClose  (52, ... ) == 0x0
 00499   480   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x3d0000), 0x0, 90112, ) == 0x0
 00500   480   NtClose  (60, ... ) == 0x0
 00501   480   NtUnmapViewOfSection  (-1, 0x3d0000, ... ) == 0x0
 00502   480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 1239360, ... ) }, 1239360, ... ) == 0x0
 00503   480   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 5, 96, ... 60, {status=0x0, info=1}, ) }, 5, 96, ... 60, {status=0x0, info=1}, ) == 0x0
 00504   480   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 60, ... 52, ) == 0x0
 00505   480   NtQuerySection  (52, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00506   480   NtClose  (60, ... ) == 0x0
 00507   480   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x1f850000), 0x0, 90112, ) == 0x0
 00508   480   NtClose  (52, ... ) == 0x0
 00509   480   NtQueryDefaultLocale  (1, 1241048, ... ) == 0x0
 00510   480   NtAllocateVirtualMemory  (-1, 9572352, 0, 4096, 4096, 4, ... 9572352, 4096, ) == 0x0
 00511   480   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE"}, ... 52, ) }, ... 52, ) == 0x0
 00512   480   NtClose  (52, ... ) == 0x0
 00513   480   NtOpenKey  (0x20019, {24, 56, 0x40, 0, 0,  (0x20019, {24, 56, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00514   480   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00515   480   NtOpenKey  (0x20019, {24, 56, 0x40, 0, 0,  (0x20019, {24, 56, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00516   480   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00517   480   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00518   480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1243072, ... ) }, 1243072, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00519   480   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2_32.dll"}, 1243072, ... ) }, 1243072, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00520   480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 1243072, ... ) }, 1243072, ... ) == 0x0
 00521   480   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00522   480   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 52, ... 60, ) == 0x0
 00523   480   NtQuerySection  (60, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00524   480   NtClose  (52, ... ) == 0x0
 00525   480   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 86016, ) == 0x0
 00526   480   NtClose  (60, ... ) == 0x0
 00527   480   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00528   480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1242268, ... ) }, 1242268, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00529   480   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2HELP.dll"}, 1242268, ... ) }, 1242268, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00530   480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 1242268, ... ) }, 1242268, ... ) == 0x0
 00531   480   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 5, 96, ... 60, {status=0x0, info=1}, ) }, 5, 96, ... 60, {status=0x0, info=1}, ) == 0x0
 00532   480   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 60, ... 52, ) == 0x0
 00533   480   NtQuerySection  (52, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00534   480   NtClose  (60, ... ) == 0x0
 00535   480   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00536   480   NtClose  (52, ... ) == 0x0
 00537   480   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00538   480   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00539   480   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WININET.dll"}, ... 52, ) }, ... 52, ) == 0x0
 00540   480   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76200000), 0x0, 618496, ) == 0x0
 00541   480   NtClose  (52, ... ) == 0x0
 00542   480   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "CRYPT32.dll"}, ... 52, ) }, ... 52, ) == 0x0
 00543   480   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762c0000), 0x0, 565248, ) == 0x0
 00544   480   NtClose  (52, ... ) == 0x0
 00545   480   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSASN1.dll"}, ... 52, ) }, ... 52, ) == 0x0
 00546   480   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762a0000), 0x0, 61440, ) == 0x0
 00547   480   NtClose  (52, ... ) == 0x0
 00548   480   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLEAUT32.dll"}, ... 52, ) }, ... 52, ) == 0x0
 00549   480   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0
 00550   480   NtClose  (52, ... ) == 0x0
 00551   480   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLE32.DLL"}, ... 52, ) }, ... 52, ) == 0x0
 00552   480   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0
 00553   480   NtClose  (52, ... ) == 0x0
 00554   480   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\crypt32\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00555   480   NtAllocateVirtualMemory  (-1, 1396736, 0, 4096, 4096, 4, ... 1396736, 4096, ) == 0x0
 00556   480   NtAllocateVirtualMemory  (-1, 1400832, 0, 4096, 4096, 4, ... 1400832, 4096, ) == 0x0
 00557   480   NtAllocateVirtualMemory  (-1, 1404928, 0, 4096, 4096, 4, ... 1404928, 4096, ) == 0x0
 00558   480   NtAllocateVirtualMemory  (-1, 1409024, 0, 4096, 4096, 4, ... 1409024, 4096, ) == 0x0
 00559   480   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 52, ) }, ... 52, ) == 0x0
 00560   480   NtCreateEvent  (0x1f0003, {24, 52, 0x80, 1243204, 0,  (0x1f0003, {24, 52, 0x80, 1243204, 0, "Global\crypt32LogoffEvent"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED
 00561   480   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\crypt32LogoffEvent"}, ... 60, ) }, ... 60, ) == 0x0
 00562   480   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00563   480   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00564   480   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 64, ) }, ... 64, ) == 0x0
 00565   480   NtQueryValueKey  (64,  (64, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (64, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0
 00566   480   NtClose  (64, ... ) == 0x0
 00567   480   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00568   480   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00569   480   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00570   480   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00571   480   NtAllocateVirtualMemory  (-1, 1413120, 0, 4096, 4096, 4, ... 1413120, 4096, ) == 0x0
 00572   480   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 64, ) }, ... 64, ) == 0x0
 00573   480   NtQueryValueKey  (64,  (64, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00574   480   NtQueryValueKey  (64,  (64, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00575   480   NtQueryValueKey  (64,  (64, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00576   480   NtClose  (64, ... ) == 0x0
 00577   480   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 64, ) }, ... 64, ) == 0x0
 00578   480   NtQueryValueKey  (64,  (64, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00579   480   NtQueryValueKey  (64,  (64, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00580   480   NtClose  (64, ... ) == 0x0
 00581   480   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00582   480   NtUserRegisterWindowMessage  ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b
 00583   480   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00584   480   NtOpenKey  (0x9, {24, 28, 0x40, 0, 0,  (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00585   480   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00586   480   NtAllocateVirtualMemory  (-1, 1417216, 0, 8192, 4096, 4, ... 1417216, 8192, ) == 0x0
 00587   480   NtCreateKey  (0xf003f, {24, 56, 0x40, 0, 0,  (0xf003f, {24, 56, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History"}, 0, 0x0, 0, ... 64, 2, ) }, 0, 0x0, 0, ... 64, 2, ) == 0x0
 00588   480   NtQueryDefaultUILanguage  (1241440, ...
 00589   480   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00590   480   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482196, ) == 0x0
 00591   480   NtQueryInformationToken  (-2147482196, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00592   480   NtClose  (-2147482196, ... ) == 0x0
 00593   480   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482196, ) }, ... -2147482196, ) == 0x0
 00594   480   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00595   480   NtOpenKey  (0x80000000, {24, -2147482196, 0x640, 0, 0,  (0x80000000, {24, -2147482196, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482184, ) }, ... -2147482184, ) == 0x0
 00596   480   NtQueryValueKey  (-2147482184,  (-2147482184, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00597   480   NtClose  (-2147482184, ... ) == 0x0
 00598   480   NtClose  (-2147482196, ... ) == 0x0
 00588   480   NtQueryDefaultUILanguage  ... ) == 0x0
 00599   480   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00600   480   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll"}, 1, 96, ... 68, {status=0x0, info=1}, ) }, 1, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00601   480   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 68, ... 72, ) == 0x0
 00602   480   NtMapViewOfSection  (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xa20000), 0x0, 593920, ) == 0x0
 00603   480   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00604   480   NtQueryDefaultLocale  (1, 1239476, ... ) == 0x0
 00605   480   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00606   480   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1240332, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1240332, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\360\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1D\0\0\0\377\377\377\377\0\0\0\0P\275\251\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\14\364\22\0\0\0\0\0" ... {128, 156, reply, 0, 464, 480, 1495, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\360\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1D\0\0\0\377\377\377\377\0\0\0\0P\275\251\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\14\364\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 464, 480, 1495, 0}  (24, {128, 156, new_msg, 0, 1240332, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\360\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1D\0\0\0\377\377\377\377\0\0\0\0P\275\251\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\14\364\22\0\0\0\0\0" ... {128, 156, reply, 0, 464, 480, 1495, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\360\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1D\0\0\0\377\377\377\377\0\0\0\0P\275\251\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\14\364\22\0\0\0\0\0" )  ) == 0x0
 00607   480   NtClose  (68, ... ) == 0x0
 00608   480   NtClose  (72, ... ) == 0x0
 00609   480   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 00610   480   NtUnmapViewOfSection  (-1, 0x12f40c, ... ) == STATUS_NOT_MAPPED_VIEW
 00611   480   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00612   480   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00613   480   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00614   480   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00615   480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1238016, ... ) }, 1238016, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00616   480   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00617   480   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00618   480   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00619   480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1238608, ... ) }, 1238608, ... ) == 0x0
 00620   480   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 72, {status=0x0, info=1}, ) }, 3, 33, ... 72, {status=0x0, info=1}, ) == 0x0
 00621   480   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00622   480   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00623   480   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 68, ... 76, ) == 0x0
 00624   480   NtClose  (68, ... ) == 0x0
 00625   480   NtMapViewOfSection  (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa20000), 0x0, 921600, ) == 0x0
 00626   480   NtClose  (76, ... ) == 0x0
 00627   480   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 00628   480   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 76, {status=0x0, info=1}, ) }, 5, 96, ... 76, {status=0x0, info=1}, ) == 0x0
 00629   480   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 76, ... 68, ) == 0x0
 00630   480   NtQuerySection  (68, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00631   480   NtClose  (76, ... ) == 0x0
 00632   480   NtMapViewOfSection  (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0
 00633   480   NtClose  (68, ... ) == 0x0
 00634   480   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00635   480   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00636   480   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00637   480   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00638   480   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00639   480   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00640   480   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00641   480   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00642   480   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00643   480   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00644   480   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00645   480   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00646   480   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00647   480   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00648   480   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00649   480   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00650   480   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00651   480   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00652   480   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00653   480   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00654   480   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00655   480   NtAddAtom  ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1239792, ... ) , 42, 1239792, ... ) == 0x0
 00656   480   NtQueryDefaultUILanguage  (1238508, ...
 00657   480   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00658   480   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482196, ) == 0x0
 00659   480   NtQueryInformationToken  (-2147482196, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00660   480   NtClose  (-2147482196, ... ) == 0x0
 00661   480   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482196, ) }, ... -2147482196, ) == 0x0
 00662   480   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00663   480   NtOpenKey  (0x80000000, {24, -2147482196, 0x640, 0, 0,  (0x80000000, {24, -2147482196, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482184, ) }, ... -2147482184, ) == 0x0
 00664   480   NtQueryValueKey  (-2147482184,  (-2147482184, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00665   480   NtClose  (-2147482184, ... ) == 0x0
 00666   480   NtClose  (-2147482196, ... ) == 0x0
 00656   480   NtQueryDefaultUILanguage  ... ) == 0x0
 00667   480   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00668   480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1237360, ... ) }, 1237360, ... ) == 0x0
 00669   480   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00670   480   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 68, ... 76, ) == 0x0
 00671   480   NtClose  (68, ... ) == 0x0
 00672   480   NtMapViewOfSection  (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x3e0000), 0x0, 4096, ) == 0x0
 00673   480   NtClose  (76, ... ) == 0x0
 00674   480   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 00675   480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1237000, ... ) }, 1237000, ... ) == 0x0
 00676   480   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1237700,  (0x80100080, {24, 0, 0x40, 0, 1237700, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 76, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 76, {status=0x0, info=1}, ) == 0x0
 00677   480   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 76, ... 68, ) == 0x0
 00678   480   NtClose  (76, ... ) == 0x0
 00679   480   NtMapViewOfSection  (68, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x3e0000), {0, 0}, 4096, ) == 0x0
 00680   480   NtClose  (68, ... ) == 0x0
 00681   480   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 00682   480   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 68, {status=0x0, info=1}, ) }, 1, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00683   480   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 68, ... 76, ) == 0x0
 00684   480   NtMapViewOfSection  (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x3e0000), 0x0, 4096, ) == 0x0
 00685   480   NtQueryInformationFile  (68, 1237320, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0
 00686   480   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00687   480   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1237400, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1237400, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\230\350\22\0\0\0\0\0" ... {128, 156, reply, 0, 464, 480, 1496, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\230\350\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 464, 480, 1496, 0}  (24, {128, 156, new_msg, 0, 1237400, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\230\350\22\0\0\0\0\0" ... {128, 156, reply, 0, 464, 480, 1496, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\230\350\22\0\0\0\0\0" )  ) == 0x0
 00688   480   NtClose  (68, ... ) == 0x0
 00689   480   NtClose  (76, ... ) == 0x0
 00690   480   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 00691   480   NtUnmapViewOfSection  (-1, 0x12e898, ... ) == STATUS_NOT_MAPPED_VIEW
 00692   480   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00693   480   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00694   480   NtUserSystemParametersInfo  (104, 0, 1906151468, 0, ... ) == 0x1
 00695   480   NtUserGetDC  (0, ... ) == 0x1010054
 00696   480   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 00697   480   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 00698   480   NtContinue  (1237364, 0, ...
 00699   480   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 00700   480   NtUnmapViewOfSection  (-1, 0x71950000, ... ) == 0x0
 00701   480   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 00702   480   NtUnmapViewOfSection  (-1, 0x3d0000, ... ) == 0x0
 00703   480   NtClose  (72, ... ) == 0x0
 00704   480   NtCreateKey  (0x2001f, {24, 56, 0x40, 0, 0,  (0x2001f, {24, 56, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 72, 2, ) }, 0, 0x0, 0, ... 72, 2, ) == 0x0
 00705   480   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MPR.dll"}, ... 76, ) }, ... 76, ) == 0x0
 00706   480   NtMapViewOfSection  (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71b20000), 0x0, 69632, ) == 0x0
 00707   480   NtClose  (76, ... ) == 0x0
 00708   480   NtCreateSemaphore  (0x1f0003, 0x0, 1, 1, ... 76, ) == 0x0
 00709   480   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 68, ) == 0x0
 00710   480   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "system\CurrentControlSet\control\NetworkProvider\HwOrder"}, ... 80, ) }, ... 80, ) == 0x0
 00711   480   NtNotifyChangeKey  (80, 68, 0, 0, 2011390432, 4, 0, 0, 0, 1, ... ) == 0x103
 00712   480   NtQueryInformationProcess  (-1, 28, 4, ... {process info, class 28, size 4}, 0x0, ) == 0x0
 00713   480   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 84, ) == 0x0
 00714   480   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 88, ) == 0x0
 00715   480   NtFreeVirtualMemory  (-1, (0x350000), 135168, 16384, ... (0x350000), 135168, ) == 0x0
 00716   480   NtQueryInformationThread  (-2, AmILastThread, 4, ... {thread info, class 12, size 4}, 0x0, ) == 0x0
 00717   480   NtTerminateProcess  (0, 0, ... ) == 0x0
 00718   480   NtClose  (72, ... ) == 0x0
 00719   480   NtClose  (64, ... ) == 0x0
 00720   480   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xb,}, 4, ... ) == 0x0
 00721   480   NtUserGetClassInfo  (1999896576, 1243536, 1243488, 1243564, 0, ... ) == 0xc03b
 00722   480   NtUserUnregisterClass  (1243540, 1999896576, 1243528, ... ) == 0x1
 00723   480   NtUserGetClassInfo  (1999896576, 1243536, 1243488, 1243564, 0, ... ) == 0xc03d
 00724   480   NtUserUnregisterClass  (1243540, 1999896576, 1243528, ... ) == 0x1
 00725   480   NtUserGetClassInfo  (1999896576, 1243536, 1243488, 1243564, 0, ... ) == 0xc03f
 00726   480   NtUserUnregisterClass  (1243540, 1999896576, 1243528, ... ) == 0x1
 00727   480   NtUserGetClassInfo  (1999896576, 1243536, 1243488, 1243564, 0, ... ) == 0xc041
 00728   480   NtUserUnregisterClass  (1243540, 1999896576, 1243528, ... ) == 0x1
 00729   480   NtUserGetClassInfo  (1999896576, 1243536, 1243488, 1243564, 0, ... ) == 0xc043
 00730   480   NtUserUnregisterClass  (1243540, 1999896576, 1243528, ... ) == 0x1
 00731   480   NtUserGetClassInfo  (1999896576, 1243536, 1243488, 1243564, 0, ... ) == 0xc045
 00732   480   NtUserUnregisterClass  (1243540, 1999896576, 1243528, ... ) == 0x1
 00733   480   NtUserGetClassInfo  (1999896576, 1243536, 1243488, 1243564, 0, ... ) == 0xc047
 00734   480   NtUserUnregisterClass  (1243540, 1999896576, 1243528, ... ) == 0x1
 00735   480   NtUserGetClassInfo  (1999896576, 1243536, 1243488, 1243564, 0, ... ) == 0xc049
 00736   480   NtUserUnregisterClass  (1243540, 1999896576, 1243528, ... ) == 0x1
 00737   480   NtUserGetClassInfo  (1999896576, 1243536, 1243488, 1243564, 0, ... ) == 0xc04b
 00738   480   NtUserUnregisterClass  (1243540, 1999896576, 1243528, ... ) == 0x1
 00739   480   NtUserGetClassInfo  (1999896576, 1243536, 1243488, 1243564, 0, ... ) == 0xc04d
 00740   480   NtUserUnregisterClass  (1243540, 1999896576, 1243528, ... ) == 0x1
 00741   480   NtUserGetClassInfo  (1999896576, 1243536, 1243488, 1243564, 0, ... ) == 0xc04f
 00742   480   NtUserUnregisterClass  (1243540, 1999896576, 1243528, ... ) == 0x1
 00743   480   NtUserGetClassInfo  (1999896576, 1243536, 1243488, 1243564, 0, ... ) == 0xc051
 00744   480   NtUserUnregisterClass  (1243540, 1999896576, 1243528, ... ) == 0x1
 00745   480   NtUserGetClassInfo  (1999896576, 1243536, 1243488, 1243564, 0, ... ) == 0xc053
 00746   480   NtUserUnregisterClass  (1243540, 1999896576, 1243528, ... ) == 0x1
 00747   480   NtUserGetClassInfo  (1999896576, 1243536, 1243488, 1243564, 0, ... ) == 0xc057
 00748   480   NtUserUnregisterClass  (1243540, 1999896576, 1243528, ... ) == 0x1
 00749   480   NtUserGetClassInfo  (1999896576, 1243536, 1243488, 1243564, 0, ... ) == 0xc059
 00750   480   NtUserUnregisterClass  (1243540, 1999896576, 1243528, ... ) == 0x1
 00751   480   NtUserGetClassInfo  (1999896576, 1243536, 1243488, 1243564, 0, ... ) == 0xc05b
 00752   480   NtUserUnregisterClass  (1243540, 1999896576, 1243528, ... ) == 0x1
 00753   480   NtUserGetClassInfo  (1999896576, 1243536, 1243488, 1243564, 0, ... ) == 0xc05d
 00754   480   NtUserUnregisterClass  (1243540, 1999896576, 1243528, ... ) == 0x1
 00755   480   NtUserGetClassInfo  (1999896576, 1243536, 1243488, 1243564, 0, ... ) == 0xc05f
 00756   480   NtUserUnregisterClass  (1243540, 1999896576, 1243528, ... ) == 0x1
 00757   480   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x4,}, 4, ... ) == 0x0
 00758   480   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x1,}, 4, ... ) == 0x0
 00759   480   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x2,}, 4, ... ) == 0x0
 00760   480   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x3,}, 4, ... ) == 0x0
 00761   480   NtFreeVirtualMemory  (-1, (0x0), 0, 32768, ... ) == STATUS_MEMORY_NOT_ALLOCATED
 00762   480   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 560, 2147344384, 0, 16216908}  (24, {20, 48, new_msg, 0, 560, 2147344384, 0, 16216908} "\0\0\0\0\3\0\1\0L\0.\0D\0L\0\0\0\0\0" ... {20, 48, reply, 0, 464, 480, 1497, 0} "\0\0\0\0\3\0\1\0\0\0\0\0D\0L\0\0\0\0\0" )  ... {20, 48, reply, 0, 464, 480, 1497, 0}  (24, {20, 48, new_msg, 0, 560, 2147344384, 0, 16216908} "\0\0\0\0\3\0\1\0L\0.\0D\0L\0\0\0\0\0" ... {20, 48, reply, 0, 464, 480, 1497, 0} "\0\0\0\0\3\0\1\0\0\0\0\0D\0L\0\0\0\0\0" )  ) == 0x0
 00763   480   NtTerminateProcess  (-1, 0, ...
 00764   480   NtClose  (44, ... ) == 0x0
NtCallbackReturn(>)	1	NtTestAlert(>)	1	NtGdiCreateCompatibleDC(>)	3	NtUserRegisterWindowMessage(>)	20
NtDuplicateObject(>)	1	NtUserCallNoParam(>)	1	NtSetInformationObject(>)	3	NtQueryValueKey(>)	23
NtFsControlFile(>)	1	NtUserGetThreadDesktop(>)	1	NtGdiGetStockObject(>)	5	NtContinue(>)	24
NtGdiCreateBitmap(>)	1	NtAddAtom(>)	2	NtQueryDefaultLocale(>)	5	NtOpenFile(>)	24
NtGdiInit(>)	1	NtCreateKey(>)	2	NtCreateFile(>)	6	NtQueryDebugFilterState(>)	24
NtGdiQueryFontAssocInfo(>)	1	NtGdiCreateSolidBrush(>)	2	NtSetInformationThread(>)	6	NtUserFindExistingCursorIcon(>)	24
NtGdiSelectBitmap(>)	1	NtOpenDirectoryObject(>)	2	NtUserSystemParametersInfo(>)	6	NtQuerySystemInformation(>)	25
NtNotifyChangeKey(>)	1	NtOpenEvent(>)	2	NtQuerySection(>)	7	NtOpenSection(>)	26
NtOpenKeyedEvent(>)	1	NtOpenProcessToken(>)	2	NtOpenProcessTokenEx(>)	8	NtUserRegisterClassExWOW(>)	34
NtOpenMutant(>)	1	NtQueryInformationFile(>)	2	NtOpenThreadTokenEx(>)	8	NtProtectVirtualMemory(>)	35
NtOpenProcess(>)	1	NtQueryInformationProcess(>)	2	NtRequestWaitReplyPort(>)	8	NtAllocateVirtualMemory(>)	36
NtOpenSymbolicLinkObject(>)	1	NtQueryInstallUILanguage(>)	2	NtQueryDefaultUILanguage(>)	10	NtMapViewOfSection(>)	39
NtQueryInformationThread(>)	1	NtQueryVirtualMemory(>)	2	NtQueryInformationToken(>)	11	NtOpenKey(>)	54
NtQueryObject(>)	1	NtTerminateProcess(>)	2	NtFlushInstructionCache(>)	17	NtUserGetClassInfo(>)	54
NtQuerySymbolicLinkObject(>)	1	NtUserGetDC(>)	2	NtCreateSection(>)	18	NtClose(>)	98
NtQueryVolumeInformationFile(>)	1	NtCreateEvent(>)	3	NtUserUnregisterClass(>)	18
NtRegisterThreadTerminatePort(>)	1	NtCreateSemaphore(>)	3	NtUnmapViewOfSection(>)	19
NtSecureConnectPort(>)	1