Summary:





NtAddAtom(>)  1 
NtUserGetDC(>)  1 
NtUserBuildHwndList(>)  4 
NtQueryDefaultLocale(>)  15 


NtCallbackReturn(>)  1 
NtUserGetThreadDesktop(>)  1 
NtUserFindWindowEx(>)  4 
NtUnmapViewOfSection(>)  15 


NtCreateProcessEx(>)  1 
NtAccessCheck(>)  2 
NtWaitForSingleObject(>)  4 
NtCreateSection(>)  18 


NtCreateThread(>)  1 
NtCreateKey(>)  2 
NtWriteFile(>)  4 
NtUserRegisterWindowMessage(>)  19 


NtDuplicateToken(>)  1 
NtEnumerateKey(>)  2 
NtWriteVirtualMemory(>)  4 
NtOpenProcessTokenEx(>)  25 


NtEnumerateValueKey(>)  1 
NtGdiCreateSolidBrush(>)  2 
NtFreeVirtualMemory(>)  5 
NtOpenThreadTokenEx(>)  25 


NtFsControlFile(>)  1 
NtOpenDirectoryObject(>)  2 
NtGdiGetStockObject(>)  5 
NtQueryAttributesFile(>)  25 


NtGdiCreateBitmap(>)  1 
NtOpenEvent(>)  2 
NtOpenProcessToken(>)  5 
NtQuerySystemInformation(>)  27 


NtGdiInit(>)  1 
NtOpenSymbolicLinkObject(>)  2 
NtCreateFile(>)  6 
NtReadVirtualMemory(>)  28 


NtGdiQueryFontAssocInfo(>)  1 
NtOpenThreadToken(>)  2 
NtQueryVolumeInformationFile(>)  6 
NtOpenSection(>)  29 


NtGdiSelectBitmap(>)  1 
NtQueryInstallUILanguage(>)  2 
NtSetInformationThread(>)  6 
NtQueryInformationToken(>)  31 


NtNotifyChangeKey(>)  1 
NtQuerySymbolicLinkObject(>)  2 
NtOpenProcess(>)  7 
NtOpenFile(>)  34 


NtOpenKeyedEvent(>)  1 
NtRaiseException(>)  2 
NtSetInformationProcess(>)  7 
NtQueryValueKey(>)  38 


NtQueryInformationJobObject(>)  1 
NtSetInformationFile(>)  2 
NtContinue(>)  8 
NtMapViewOfSection(>)  39 


NtQueryObject(>)  1 
NtTerminateProcess(>)  2 
NtQueryDefaultUILanguage(>)  8 
NtProtectVirtualMemory(>)  41 


NtQueryPerformanceCounter(>)  1 
NtCreateEvent(>)  3 
NtQuerySection(>)  8 
NtUserUnregisterClass(>)  45 


NtRegisterThreadTerminatePort(>)  1 
NtCreateSemaphore(>)  3 
NtRequestWaitReplyPort(>)  8 
NtUserFindExistingCursorIcon(>)  48 


NtResumeThread(>)  1 
NtDuplicateObject(>)  3 
NtQueryDirectoryFile(>)  10 
NtAllocateVirtualMemory(>)  51 


NtSecureConnectPort(>)  1 
NtGdiCreateCompatibleDC(>)  3 
NtUserSystemParametersInfo(>)  10 
NtUserRegisterClassExWOW(>)  63 


NtSetSecurityObject(>)  1 
NtOpenMutant(>)  3 
NtFlushInstructionCache(>)  11 
NtUserGetClassInfo(>)  82 


NtTestAlert(>)  1 
NtSetInformationObject(>)  3 
NtQueryInformationProcess(>)  12 
NtOpenKey(>)  102 


NtUserCallNoParam(>)  1 
NtQueryVirtualMemory(>)  4 
NtQueryInformationFile(>)  13 
NtUserQueryWindow(>)  132 


NtUserCallOneParam(>)  1 
NtReleaseMutant(>)  4 
NtQueryDebugFilterState(>)  15 
NtClose(>)  154 





Trace:

 00001   396   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002   396   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00003   396   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00004   396   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1376256, 1048576, ) == 0x0
 00005   396   NtAllocateVirtualMemory  (-1, 1376256, 0, 4096, 4096, 4, ... 1376256, 4096, ) == 0x0
 00006   396   NtAllocateVirtualMemory  (-1, 1380352, 0, 8192, 4096, 4, ... 1380352, 8192, ) == 0x0
 00007   396   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00008   396   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2424832, 65536, ) == 0x0
 00009   396   NtAllocateVirtualMemory  (-1, 2424832, 0, 24576, 4096, 4, ... 2424832, 24576, ) == 0x0
 00010   396   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00011   396   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00012   396   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00013   396   NtClose  (12, ... ) == 0x0
 00014   396   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00015   396   NtQueryVolumeInformationFile  (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00016   396   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER
 00017   396   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018   396   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019   396   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0
 00020   396   NtClose  (16, ... ) == 0x0
 00021   396   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00022   396   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00023   396   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00024   396   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1385272, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2490368, 18415616}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1385272, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2490368, 18415616}, {0, 0, 0}, 200, 44, ) == 0x0
 00025   396   NtClose  (16, ... ) == 0x0
 00026   396   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00027   396   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00028   396   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00029   396   NtQueryVirtualMemory  (-1, 0x260000, Basic, 28, ... {BaseAddress=0x260000,AllocationBase=0x260000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00030   396   NtAllocateVirtualMemory  (-1, 2490368, 0, 4096, 4096, 4, ... 2490368, 4096, ) == 0x0
 00031   396   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 388, 396, 1482, 0} "\330\375\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ... {28, 56, reply, 0, 388, 396, 1482, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 388, 396, 1482, 0} "\330\375\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ) == 0x0
 00032   396   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00033   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00034   396   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00035   396   NtClose  (16, ... ) == 0x0
 00036   396   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00037   396   NtOpenMutant  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0
 00038   396   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 28, ) == 0x0
 00039   396   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x270000), 0x0, 90112, ) == 0x0
 00040   396   NtClose  (28, ... ) == 0x0
 00041   396   NtQueryDefaultLocale  (0, 2012046252, ... ) == 0x0
 00042   396   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0
 00043   396   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x290000), 0x0, 212992, ) == 0x0
 00044   396   NtClose  (28, ... ) == 0x0
 00045   396   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0
 00046   396   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2d0000), 0x0, 266240, ) == 0x0
 00047   396   NtQuerySection  (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00048   396   NtClose  (28, ... ) == 0x0
 00049   396   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0
 00050   396   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x320000), 0x0, 24576, ) == 0x0
 00051   396   NtClose  (28, ... ) == 0x0
 00052   396   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00053   396   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00054   396   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00055   396   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 388, 396, 1485, 0} "\10\260\27\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ... {28, 56, reply, 0, 388, 396, 1485, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 388, 396, 1485, 0} "\10\260\27\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ) == 0x0
 00056   396   NtProtectVirtualMemory  (-1, (0x45d000), 204800, 4, ... (0x45d000), 204800, 128, ) == 0x0
 00057   396   NtProtectVirtualMemory  (-1, (0x45d000), 204800, 128, ... (0x45d000), 204800, 4, ) == 0x0
 00058   396   NtFlushInstructionCache  (-1, 4575232, 204800, ... ) == 0x0
 00059   396   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "user32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00060   396   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0
 00061   396   NtClose  (28, ... ) == 0x0
 00062   396   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00063   396   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0
 00064   396   NtClose  (28, ... ) == 0x0
 00065   396   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00066   396   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0
 00067   396   NtClose  (28, ... ) == 0x0
 00068   396   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00069   396   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0
 00070   396   NtClose  (28, ... ) == 0x0
 00071   396   NtProtectVirtualMemory  (-1, (0x45d000), 204800, 4, ... (0x45d000), 204800, 64, ) == 0x0
 00072   396   NtProtectVirtualMemory  (-1, (0x45d000), 204800, 64, ... (0x45d000), 204800, 4, ) == 0x0
 00073   396   NtFlushInstructionCache  (-1, 4575232, 204800, ... ) == 0x0
 00074   396   NtOpenProcessToken  (-1, 0x8, ... 28, ) == 0x0
 00075   396   NtQueryInformationToken  (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00076   396   NtClose  (28, ... ) == 0x0
 00077   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00078   396   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00079   396   NtClose  (28, ... ) == 0x0
 00080   396   NtAllocateVirtualMemory  (-1, 1388544, 0, 4096, 4096, 4, ... 1388544, 4096, ) == 0x0
 00081   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00082   396   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00083   396   NtQueryValueKey  (28,  (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00084   396   NtClose  (28, ... ) == 0x0
 00085   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0
 00086   396   NtQueryValueKey  (28,  (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00087   396   NtClose  (28, ... ) == 0x0
 00088   396   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0
 00089   396   NtSetInformationObject  (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0
 00090   396   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00091   396   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00092   396   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0}  (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0} "\210\6\31\1\0\0\0\0\314\4\23\0!\215\30\34\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 388, 396, 1487, 0} "XQ\26\0\0\0\0\0\0\0\0\0!\215\30\34\3\0\0\0\234\6\31\1$\1\0\0" )  ... {28, 56, reply, 0, 388, 396, 1487, 0}  (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0} "\210\6\31\1\0\0\0\0\314\4\23\0!\215\30\34\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 388, 396, 1487, 0} "XQ\26\0\0\0\0\0\0\0\0\0!\215\30\34\3\0\0\0\234\6\31\1$\1\0\0" )  ) == 0x0
 00093   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00094   396   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x490000), 0x0, 1060864, ) == 0x0
 00095   396   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 36, ) == 0x0
 00096   396   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00097   396   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482020, ) == 0x0
 00098   396   NtQueryInformationToken  (-2147482020, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00099   396   NtQueryInformationToken  (-2147482020, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00100   396   NtClose  (-2147482020, ... ) == 0x0
 00101   396   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 5898240, 4096, ) == 0x0
 00102   396   NtFreeVirtualMemory  (-1, (0x5a0000), 4096, 32768, ... (0x5a0000), 4096, ) == 0x0
 00103   396   NtDuplicateObject  (-1, 40, -1, 0x0, 0, 2, ... 48, ) == 0x0
 00104   396   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00105   396   NtQueryValueKey  (-2147482020,  (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00106   396   NtClose  (-2147482020, ... ) == 0x0
 00107   396   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00108   396   NtQueryValueKey  (-2147482020,  (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00109   396   NtClose  (-2147482020, ... ) == 0x0
 00110   396   NtQueryDefaultLocale  (0, -131102196, ... ) == 0x0
 00111   396   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00112   396   NtUserCallNoParam  (24, ... ) == 0x0
 00113   396   NtGdiCreateCompatibleDC  (0, ...
 00114   396   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 5898240, 4096, ) == 0x0
 00113   396   NtGdiCreateCompatibleDC  ... ) == 0x150103c6
 00115   396   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00116   396   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00117   396   NtGdiCreateBitmap  (8, 8, 1, 1, 2010393708, ... ) == 0x1105039a
 00118   396   NtGdiCreateSolidBrush  (0, 0, ...
 00119   396   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 9109504, 4096, ) == 0x0
 00118   396   NtGdiCreateSolidBrush  ... ) == 0x131003ce
 00120   396   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00121   396   NtGdiCreateCompatibleDC  (0, ... ) == 0x3e010406
 00122   396   NtGdiSelectBitmap  (1040253958, 285541274, ... ) == 0x185000f
 00123   396   NtUserGetThreadDesktop  (396, 0, ... ) == 0x2c
 00124   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 52, ) }, ... 52, ) == 0x0
 00125   396   NtQueryValueKey  (52,  (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00126   396   NtClose  (52, ... ) == 0x0
 00127   396   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00128   396   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 673, 128, 0, ... ) == 0x810dc017
 00129   396   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00130   396   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 674, 128, 0, ... ) == 0x810dc01c
 00131   396   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00132   396   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 675, 128, 0, ... ) == 0x810dc01e
 00133   396   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00134   396   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 676, 128, 0, ... ) == 0x810d8002
 00135   396   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10013
 00136   396   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 677, 128, 0, ... ) == 0x810dc018
 00137   396   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00138   396   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 678, 128, 0, ... ) == 0x810dc01a
 00139   396   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00140   396   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 679, 128, 0, ... ) == 0x810dc01d
 00141   396   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00142   396   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 681, 128, 0, ...
 00143   396   NtAllocateVirtualMemory  (-1, 6057984, 0, 4096, 4096, 32, ... 6057984, 4096, ) == 0x0
 00142   396   NtUserRegisterClassExWOW  ... ) == 0x810dc026
 00144   396   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00145   396   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 680, 128, 0, ... ) == 0x810dc019
 00146   396   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc020
 00147   396   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810dc022
 00148   396   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc023
 00149   396   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810dc024
 00150   396   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc025
 00151   396   NtCallbackReturn  (0, 0, 0, ...
 00152   396   NtGdiInit  (... ) == 0x1
 00153   396   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00154   396   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00155   396   NtAllocateVirtualMemory  (-1, 0, 0, 17506, 4096, 4, ... 9175040, 20480, ) == 0x0
 00156   396   NtFreeVirtualMemory  (-1, (0x8c0000), 0, 32768, ... (0x8c0000), 20480, ) == 0x0
 00157   396   NtQueryVirtualMemory  (-1, 0x401000, Basic, 52, ... {BaseAddress=0x401000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0x23000,State=0x1000,Protect=0x80,Type=0x1000000,}, 28, ) == 0x0
 00158   396   NtQueryVirtualMemory  (-1, 0x45754c, Basic, 28, ... {BaseAddress=0x457000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0x6000,State=0x1000,Protect=0x4,Type=0x1000000,}, 28, ) == 0x0
 00159   396   NtAllocateVirtualMemory  (-1, 1392640, 0, 4096, 4096, 4, ... 1392640, 4096, ) == 0x0
 00160   396   NtProtectVirtualMemory  (-1, (0x4001f0), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00161   396   NtProtectVirtualMemory  (-1, (0x4001f0), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00162   396   NtProtectVirtualMemory  (-1, (0x400218), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00163   396   NtProtectVirtualMemory  (-1, (0x400218), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00164   396   NtProtectVirtualMemory  (-1, (0x400240), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00165   396   NtProtectVirtualMemory  (-1, (0x400240), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00166   396   NtProtectVirtualMemory  (-1, (0x400268), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00167   396   NtProtectVirtualMemory  (-1, (0x400268), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00168   396   NtProtectVirtualMemory  (-1, (0x400290), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00169   396   NtProtectVirtualMemory  (-1, (0x400290), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00170   396   NtProtectVirtualMemory  (-1, (0x4002b8), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00171   396   NtProtectVirtualMemory  (-1, (0x4002b8), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00172   396   NtProtectVirtualMemory  (-1, (0x4002e0), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00173   396   NtProtectVirtualMemory  (-1, (0x4002e0), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00174   396   NtProtectVirtualMemory  (-1, (0x400308), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00175   396   NtProtectVirtualMemory  (-1, (0x400308), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00176   396   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00177   396   NtUserFindWindowEx  (0, 0,  (0, 0, "WispWindowClass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00178   396   NtUserBuildHwndList  (0, 0, 0, 0, 64, ... (0x100aa, 0x100a8, 0x100a6, 0x20060, 0x100a4, 0x10080, 0x10074, 0x10068, 0x3004a, 0x10066, 0x3004c, 0x3003c, 0x1009c, 0x10090, 0x1007c, 0x10026, 0x100be, 0x100bc, 0x100ba, 0x100b8, 0x100b6, 0x100b4, 0x100b2, 0x100b0, 0x20064, 0x100ac, 0x20062, 0x1006c, 0x50050, 0x40054, 0x5004e, 0x1007e, 0x10076, 0x1, ), 34, ) == 0x0
 00179   396   NtUserQueryWindow  (65706, 0, ... ) == 0x7dc
 00180   396   NtUserQueryWindow  (65706, 1, ... ) == 0x7e0
 00181   396   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {2012, 0}, ... 52, ) == 0x0
 00182   396   NtReadVirtualMemory  (52, 0x400000, 64, ...  (52, 0x400000, 64, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \1\0\0", 64, ) , 64, ) == 0x0
 00183   396   NtReadVirtualMemory  (52, 0x4b1c86, 4, ...  (52, 0x4b1c86, 4, ... "\0\0\0\0", 4, ) , 4, ) == 0x0
 00184   396   NtReadVirtualMemory  (52, 0x4c91a0, 256, ...  (52, 0x4c91a0, 256, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, ) , 256, ) == 0x0
 00185   396   NtClose  (52, ... ) == 0x0
 00186   396   NtUserQueryWindow  (65704, 0, ... ) == 0x7dc
 00187   396   NtUserQueryWindow  (65704, 1, ... ) == 0x7e0
 00188   396   NtUserQueryWindow  (65702, 0, ... ) == 0x7dc
 00189   396   NtUserQueryWindow  (65702, 1, ... ) == 0x7e0
 00190   396   NtUserQueryWindow  (131168, 0, ... ) == 0x7dc
 00191   396   NtUserQueryWindow  (131168, 1, ... ) == 0x7e0
 00192   396   NtUserQueryWindow  (65700, 0, ... ) == 0x778
 00193   396   NtUserQueryWindow  (65700, 1, ... ) == 0x784
 00194   396   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {1912, 0}, ... 52, ) == 0x0
 00195   396   NtReadVirtualMemory  (52, 0x400000, 64, ...  (52, 0x400000, 64, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 64, ) , 64, ) == 0x0
 00196   396   NtReadVirtualMemory  (52, 0x4b1c86, 4, ...
 00197   396   NtContinue  (-131105636, 0, ...
 00196   396   NtReadVirtualMemory  ... ) == STATUS_PARTIAL_COPY
 00198   396   NtReadVirtualMemory  (52, 0x4c91a0, 256, ...
 00199   396   NtContinue  (-131105636, 0, ...
 00198   396   NtReadVirtualMemory  ... ) == STATUS_PARTIAL_COPY
 00200   396   NtClose  (52, ... ) == 0x0
 00201   396   NtUserQueryWindow  (65664, 0, ... ) == 0x778
 00202   396   NtUserQueryWindow  (65664, 1, ... ) == 0x784
 00203   396   NtUserQueryWindow  (65652, 0, ... ) == 0x778
 00204   396   NtUserQueryWindow  (65652, 1, ... ) == 0x784
 00205   396   NtUserQueryWindow  (65640, 0, ... ) == 0x778
 00206   396   NtUserQueryWindow  (65640, 1, ... ) == 0x784
 00207   396   NtUserQueryWindow  (196682, 0, ... ) == 0x778
 00208   396   NtUserQueryWindow  (196682, 1, ... ) == 0x784
 00209   396   NtUserQueryWindow  (65638, 0, ... ) == 0x778
 00210   396   NtUserQueryWindow  (65638, 1, ... ) == 0x784
 00211   396   NtUserQueryWindow  (196684, 0, ... ) == 0x778
 00212   396   NtUserQueryWindow  (196684, 1, ... ) == 0x784
 00213   396   NtUserQueryWindow  (196668, 0, ... ) == 0x778
 00214   396   NtUserQueryWindow  (196668, 1, ... ) == 0x784
 00215   396   NtUserQueryWindow  (65692, 0, ... ) == 0x778
 00216   396   NtUserQueryWindow  (65692, 1, ... ) == 0x784
 00217   396   NtUserQueryWindow  (65680, 0, ... ) == 0x778
 00218   396   NtUserQueryWindow  (65680, 1, ... ) == 0x784
 00219   396   NtUserQueryWindow  (65660, 0, ... ) == 0x778
 00220   396   NtUserQueryWindow  (65660, 1, ... ) == 0x77c
 00221   396   NtUserQueryWindow  (65574, 0, ... ) == 0x268
 00222   396   NtUserQueryWindow  (65574, 1, ... ) == 0x2c4
 00223   396   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {616, 0}, ... 52, ) == 0x0
 00224   396   NtReadVirtualMemory  (52, 0x400000, 64, ...  (52, 0x400000, 64, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 64, ) , 64, ) == 0x0
 00225   396   NtReadVirtualMemory  (52, 0x4b1c86, 4, ...  (52, 0x4b1c86, 4, ... "\0\0\0\0", 4, ) , 4, ) == 0x0
 00226   396   NtReadVirtualMemory  (52, 0x4c91a0, 256, ...  (52, 0x4c91a0, 256, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, ) , 256, ) == 0x0
 00227   396   NtClose  (52, ... ) == 0x0
 00228   396   NtUserQueryWindow  (65726, 0, ... ) == 0x7e4
 00229   396   NtUserQueryWindow  (65726, 1, ... ) == 0x7e8
 00230   396   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {2020, 0}, ... 52, ) == 0x0
 00231   396   NtReadVirtualMemory  (52, 0x400000, 64, ...  (52, 0x400000, 64, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\0", 64, ) , 64, ) == 0x0
 00232   396   NtReadVirtualMemory  (52, 0x4b1c86, 4, ...  (52, 0x4b1c86, 4, ... "\377\0\377\377", 4, ) , 4, ) == 0x0
 00233   396   NtReadVirtualMemory  (52, 0x4c91a0, 256, ...  (52, 0x4c91a0, 256, ... "\210fvx\210x\206wfvGe$\306d\21\26\210ls\210\210\250g\207\210hhx\207xhvwdfF|d\21\27\210\206hx\250\252\206\210\207v\207\210x\207\207gfv4F\306G\21\21\210\206\207\210\212\250\250h\210\207x\210\210wvwgFD$d!\21\21x\250g\210\212\252\250\206\210\207w\210\207\207wvvgBGd\21\21\21\210\212\203\210\250\252\212\210x\210w\210\210xwgcd%F\1\21\21\21\27\212\250\210\212\252\252\210f\210\207x\210\207w7fR@`\21\21\21\21\21\210\2508\212\252\250\250\210gw\21088vvu$$!\21\21\21\21\21\30\210\210\210\212\252\210\206vgw\210\203wsb`\7\21\21\21\21\21\21\21\210\203\210\210\210\210\207vvwwwsf4\7\21\21\21\21\21\21\21\21\30\210\210\210\210\210wGwvwww5\2\21\21\21\21\21\21", 256, ) , 256, ) == 0x0
 00234   396   NtClose  (52, ... ) == 0x0
 00235   396   NtUserQueryWindow  (65724, 0, ... ) == 0x7e4
 00236   396   NtUserQueryWindow  (65724, 1, ... ) == 0x7e8
 00237   396   NtUserQueryWindow  (65722, 0, ... ) == 0x7e4
 00238   396   NtUserQueryWindow  (65722, 1, ... ) == 0x7e8
 00239   396   NtUserQueryWindow  (65720, 0, ... ) == 0x7e4
 00240   396   NtUserQueryWindow  (65720, 1, ... ) == 0x7e8
 00241   396   NtUserQueryWindow  (65718, 0, ... ) == 0x7e4
 00242   396   NtUserQueryWindow  (65718, 1, ... ) == 0x7e8
 00243   396   NtUserQueryWindow  (65716, 0, ... ) == 0x7e4
 00244   396   NtUserQueryWindow  (65716, 1, ... ) == 0x7e8
 00245   396   NtUserQueryWindow  (65714, 0, ... ) == 0x7e4
 00246   396   NtUserQueryWindow  (65714, 1, ... ) == 0x7e8
 00247   396   NtUserQueryWindow  (65712, 0, ... ) == 0x7e4
 00248   396   NtUserQueryWindow  (65712, 1, ... ) == 0x7e8
 00249   396   NtUserQueryWindow  (131172, 0, ... ) == 0x7f0
 00250   396   NtUserQueryWindow  (131172, 1, ... ) == 0x7f4
 00251   396   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {2032, 0}, ... 52, ) == 0x0
 00252   396   NtReadVirtualMemory  (52, 0x400000, 64, ...  (52, 0x400000, 64, ... "\301\0\0\0\0\1\0\0\377\356\377\356\11\0\0\0\11\0\0\0\0\376\0\0\0\0\20\0\0 \0\0\0\2\0\0\0 \0\0q\0\0\0\377\357\375\177\0\0\10\6\0\0\0\0\0\0\0\0\0\0\0\0", 64, ) , 64, ) == 0x0
 00253   396   NtReadVirtualMemory  (52, 0x4b1c86, 4, ...  (52, 0x4b1c86, 4, ... "\0\0\0\0", 4, ) , 4, ) == 0x0
 00254   396   NtReadVirtualMemory  (52, 0x4c91a0, 256, ...  (52, 0x4c91a0, 256, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, ) , 256, ) == 0x0
 00255   396   NtClose  (52, ... ) == 0x0
 00256   396   NtUserQueryWindow  (65708, 0, ... ) == 0x7dc
 00257   396   NtUserQueryWindow  (65708, 1, ... ) == 0x7e0
 00258   396   NtUserQueryWindow  (131170, 0, ... ) == 0x7d4
 00259   396   NtUserQueryWindow  (131170, 1, ... ) == 0x7d8
 00260   396   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {2004, 0}, ... 52, ) == 0x0
 00261   396   NtReadVirtualMemory  (52, 0x400000, 64, ...  (52, 0x400000, 64, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0", 64, ) , 64, ) == 0x0
 00262   396   NtReadVirtualMemory  (52, 0x4b1c86, 4, ...
 00263   396   NtContinue  (-131105636, 0, ...
 00262   396   NtReadVirtualMemory  ... ) == STATUS_PARTIAL_COPY
 00264   396   NtReadVirtualMemory  (52, 0x4c91a0, 256, ...
 00265   396   NtContinue  (-131105636, 0, ...
 00264   396   NtReadVirtualMemory  ... ) == STATUS_PARTIAL_COPY
 00266   396   NtClose  (52, ... ) == 0x0
 00267   396   NtUserQueryWindow  (65644, 0, ... ) == 0x778
 00268   396   NtUserQueryWindow  (65644, 1, ... ) == 0x7b8
 00269   396   NtUserQueryWindow  (327760, 0, ... ) == 0x778
 00270   396   NtUserQueryWindow  (327760, 1, ... ) == 0x77c
 00271   396   NtUserQueryWindow  (262228, 0, ... ) == 0x778
 00272   396   NtUserQueryWindow  (262228, 1, ... ) == 0x77c
 00273   396   NtUserQueryWindow  (327758, 0, ... ) == 0x778
 00274   396   NtUserQueryWindow  (327758, 1, ... ) == 0x77c
 00275   396   NtUserQueryWindow  (65662, 0, ... ) == 0x778
 00276   396   NtUserQueryWindow  (65662, 1, ... ) == 0x77c
 00277   396   NtUserQueryWindow  (65654, 0, ... ) == 0x778
 00278   396   NtUserQueryWindow  (65654, 1, ... ) == 0x77c
 00279   396   NtRaiseException  (1242696, 1241956, 1, ...
 00280   396   NtContinue  (1240752, 0, ...
 00281   396   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 52, ) }, ... 52, ) == 0x0
 00282   396   NtOpenMutant  (0x120001, {24, 52, 0x2, 0, 0,  (0x120001, {24, 52, 0x2, 0, 0, "DBWinMutex"}, ... 56, ) }, ... 56, ) == 0x0
 00283   396   NtWaitForSingleObject  (56, 0, 0x0, ... ) == 0x0
 00284   396   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00285   396   NtReleaseMutant  (56, ... 0x0, ) == 0x0
 00286   396   NtDuplicateObject  (-1, 3101, -1, 0x0, 0, 2, ... ) == STATUS_INVALID_HANDLE
 00287   396   NtClose  (0, ... ) == STATUS_INVALID_HANDLE
 00288   396   NtClose  (0, ... ) == STATUS_INVALID_HANDLE
 00289   396   NtUserBuildHwndList  (0, 0, 0, 0, 64, ... (0x100aa, 0x100a8, 0x100a6, 0x20060, 0x100a4, 0x10080, 0x10074, 0x10068, 0x3004a, 0x10066, 0x3004c, 0x3003c, 0x1009c, 0x10090, 0x1007c, 0x10026, 0x100be, 0x100bc, 0x100ba, 0x100b8, 0x100b6, 0x100b4, 0x100b2, 0x100b0, 0x20064, 0x100ac, 0x20062, 0x1006c, 0x50050, 0x40054, 0x5004e, 0x1007e, 0x10076, 0x1, ), 34, ) == 0x0
 00290   396   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00291   396   NtUserFindWindowEx  (0, 0,  (0, 0, "WispWindowClass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00292   396   NtUserBuildHwndList  (0, 0, 0, 0, 64, ... (0x100aa, 0x100a8, 0x100a6, 0x20060, 0x100a4, 0x10080, 0x10074, 0x10068, 0x3004a, 0x10066, 0x3004c, 0x3003c, 0x1009c, 0x10090, 0x1007c, 0x10026, 0x100be, 0x100bc, 0x100ba, 0x100b8, 0x100b6, 0x100b4, 0x100b2, 0x100b0, 0x20064, 0x100ac, 0x20062, 0x1006c, 0x50050, 0x40054, 0x5004e, 0x1007e, 0x10076, 0x1, ), 34, ) == 0x0
 00293   396   NtUserQueryWindow  (65706, 0, ... ) == 0x7dc
 00294   396   NtUserQueryWindow  (65706, 1, ... ) == 0x7e0
 00295   396   NtUserQueryWindow  (65704, 0, ... ) == 0x7dc
 00296   396   NtUserQueryWindow  (65704, 1, ... ) == 0x7e0
 00297   396   NtUserQueryWindow  (65702, 0, ... ) == 0x7dc
 00298   396   NtUserQueryWindow  (65702, 1, ... ) == 0x7e0
 00299   396   NtUserQueryWindow  (131168, 0, ... ) == 0x7dc
 00300   396   NtUserQueryWindow  (131168, 1, ... ) == 0x7e0
 00301   396   NtUserQueryWindow  (65700, 0, ... ) == 0x778
 00302   396   NtUserQueryWindow  (65700, 1, ... ) == 0x784
 00303   396   NtUserQueryWindow  (65664, 0, ... ) == 0x778
 00304   396   NtUserQueryWindow  (65664, 1, ... ) == 0x784
 00305   396   NtUserQueryWindow  (65652, 0, ... ) == 0x778
 00306   396   NtUserQueryWindow  (65652, 1, ... ) == 0x784
 00307   396   NtUserQueryWindow  (65640, 0, ... ) == 0x778
 00308   396   NtUserQueryWindow  (65640, 1, ... ) == 0x784
 00309   396   NtUserQueryWindow  (196682, 0, ... ) == 0x778
 00310   396   NtUserQueryWindow  (196682, 1, ... ) == 0x784
 00311   396   NtUserQueryWindow  (65638, 0, ... ) == 0x778
 00312   396   NtUserQueryWindow  (65638, 1, ... ) == 0x784
 00313   396   NtUserQueryWindow  (196684, 0, ... ) == 0x778
 00314   396   NtUserQueryWindow  (196684, 1, ... ) == 0x784
 00315   396   NtUserQueryWindow  (196668, 0, ... ) == 0x778
 00316   396   NtUserQueryWindow  (196668, 1, ... ) == 0x784
 00317   396   NtUserQueryWindow  (65692, 0, ... ) == 0x778
 00318   396   NtUserQueryWindow  (65692, 1, ... ) == 0x784
 00319   396   NtUserQueryWindow  (65680, 0, ... ) == 0x778
 00320   396   NtUserQueryWindow  (65680, 1, ... ) == 0x784
 00321   396   NtUserQueryWindow  (65660, 0, ... ) == 0x778
 00322   396   NtUserQueryWindow  (65660, 1, ... ) == 0x77c
 00323   396   NtUserQueryWindow  (65574, 0, ... ) == 0x268
 00324   396   NtUserQueryWindow  (65574, 1, ... ) == 0x2c4
 00325   396   NtUserQueryWindow  (65726, 0, ... ) == 0x7e4
 00326   396   NtUserQueryWindow  (65726, 1, ... ) == 0x7e8
 00327   396   NtUserQueryWindow  (65724, 0, ... ) == 0x7e4
 00328   396   NtUserQueryWindow  (65724, 1, ... ) == 0x7e8
 00329   396   NtUserQueryWindow  (65722, 0, ... ) == 0x7e4
 00330   396   NtUserQueryWindow  (65722, 1, ... ) == 0x7e8
 00331   396   NtUserQueryWindow  (65720, 0, ... ) == 0x7e4
 00332   396   NtUserQueryWindow  (65720, 1, ... ) == 0x7e8
 00333   396   NtUserQueryWindow  (65718, 0, ... ) == 0x7e4
 00334   396   NtUserQueryWindow  (65718, 1, ... ) == 0x7e8
 00335   396   NtUserQueryWindow  (65716, 0, ... ) == 0x7e4
 00336   396   NtUserQueryWindow  (65716, 1, ... ) == 0x7e8
 00337   396   NtUserQueryWindow  (65714, 0, ... ) == 0x7e4
 00338   396   NtUserQueryWindow  (65714, 1, ... ) == 0x7e8
 00339   396   NtUserQueryWindow  (65712, 0, ... ) == 0x7e4
 00340   396   NtUserQueryWindow  (65712, 1, ... ) == 0x7e8
 00341   396   NtUserQueryWindow  (131172, 0, ... ) == 0x7f0
 00342   396   NtUserQueryWindow  (131172, 1, ... ) == 0x7f4
 00343   396   NtUserQueryWindow  (65708, 0, ... ) == 0x7dc
 00344   396   NtUserQueryWindow  (65708, 1, ... ) == 0x7e0
 00345   396   NtUserQueryWindow  (131170, 0, ... ) == 0x7d4
 00346   396   NtUserQueryWindow  (131170, 1, ... ) == 0x7d8
 00347   396   NtUserQueryWindow  (65644, 0, ... ) == 0x778
 00348   396   NtUserQueryWindow  (65644, 1, ... ) == 0x7b8
 00349   396   NtUserQueryWindow  (327760, 0, ... ) == 0x778
 00350   396   NtUserQueryWindow  (327760, 1, ... ) == 0x77c
 00351   396   NtUserQueryWindow  (262228, 0, ... ) == 0x778
 00352   396   NtUserQueryWindow  (262228, 1, ... ) == 0x77c
 00353   396   NtUserQueryWindow  (327758, 0, ... ) == 0x778
 00354   396   NtUserQueryWindow  (327758, 1, ... ) == 0x77c
 00355   396   NtUserQueryWindow  (65662, 0, ... ) == 0x778
 00356   396   NtUserQueryWindow  (65662, 1, ... ) == 0x77c
 00357   396   NtUserQueryWindow  (65654, 0, ... ) == 0x778
 00358   396   NtUserQueryWindow  (65654, 1, ... ) == 0x77c
 00359   396   NtRaiseException  (1242640, 1241900, 1, ...
 00360   396   NtContinue  (1240696, 0, ...
 00361   396   NtWaitForSingleObject  (56, 0, 0x0, ... ) == 0x0
 00362   396   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00363   396   NtReleaseMutant  (56, ... 0x0, ) == 0x0
 00364   396   NtDuplicateObject  (-1, 3380, -1, 0x0, 0, 2, ... ) == STATUS_INVALID_HANDLE
 00365   396   NtClose  (0, ... ) == STATUS_INVALID_HANDLE
 00366   396   NtClose  (0, ... ) == STATUS_INVALID_HANDLE
 00367   396   NtUserBuildHwndList  (0, 0, 0, 0, 64, ... (0x100aa, 0x100a8, 0x100a6, 0x20060, 0x100a4, 0x10080, 0x10074, 0x10068, 0x3004a, 0x10066, 0x3004c, 0x3003c, 0x1009c, 0x10090, 0x1007c, 0x10026, 0x100be, 0x100bc, 0x100ba, 0x100b8, 0x100b6, 0x100b4, 0x100b2, 0x100b0, 0x20064, 0x100ac, 0x20062, 0x1006c, 0x50050, 0x40054, 0x5004e, 0x1007e, 0x10076, 0x1, ), 34, ) == 0x0
 00368   396   NtSetSecurityObject  (-1, 4, {1, 0, 0x4, 0, 0, 0, 1242476}, ... ) == 0x0
 00369   396   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 60, ) }, ... 60, ) == 0x0
 00370   396   NtQueryValueKey  (60,  (60, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00371   396   NtClose  (60, ... ) == 0x0
 00372   396   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MPR.dll"}, ... 60, ) }, ... 60, ) == 0x0
 00373   396   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71b20000), 0x0, 69632, ) == 0x0
 00374   396   NtClose  (60, ... ) == 0x0
 00375   396   NtCreateSemaphore  (0x1f0003, 0x0, 1, 1, ... 60, ) == 0x0
 00376   396   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 64, ) == 0x0
 00377   396   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "system\CurrentControlSet\control\NetworkProvider\HwOrder"}, ... 68, ) }, ... 68, ) == 0x0
 00378   396   NtNotifyChangeKey  (68, 64, 0, 0, 2011390432, 4, 0, 0, 0, 1, ... ) == 0x103
 00379   396   NtQueryInformationProcess  (-1, 28, 4, ... {process info, class 28, size 4}, 0x0, ) == 0x0
 00380   396   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 72, ) == 0x0
 00381   396   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 76, ) == 0x0
 00382   396   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ODBC32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00383   396   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\ODBC32.dll"}, 1241484, ... ) }, 1241484, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00384   396   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "ODBC32.dll"}, 1241484, ... ) }, 1241484, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00385   396   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ODBC32.dll"}, 1241484, ... ) }, 1241484, ... ) == 0x0
 00386   396   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ODBC32.dll"}, 5, 96, ... 80, {status=0x0, info=1}, ) }, 5, 96, ... 80, {status=0x0, info=1}, ) == 0x0
 00387   396   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 80, ... 84, ) == 0x0
 00388   396   NtQuerySection  (84, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00389   396   NtOpenProcessToken  (-1, 0x8, ... 88, ) == 0x0
 00390   396   NtQueryInformationToken  (88, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00391   396   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00392   396   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 92, ) }, ... 92, ) == 0x0
 00393   396   NtQueryValueKey  (92,  (92, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (92, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00394   396   NtClose  (92, ... ) == 0x0
 00395   396   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00396   396   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 92, ) == 0x0
 00397   396   NtQueryInformationToken  (92, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00398   396   NtClose  (92, ... ) == 0x0
 00399   396   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00400   396   NtClose  (88, ... ) == 0x0
 00401   396   NtClose  (80, ... ) == 0x0
 00402   396   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x1f7b0000), 0x0, 200704, ) == 0x0
 00403   396   NtClose  (84, ... ) == 0x0
 00404   396   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "COMCTL32.dll"}, ... 84, ) }, ... 84, ) == 0x0
 00405   396   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0
 00406   396   NtClose  (84, ... ) == 0x0
 00407   396   NtProtectVirtualMemory  (-1, (0x1f7b1000), 724, 4, ... (0x1f7b1000), 4096, 32, ) == 0x0
 00408   396   NtProtectVirtualMemory  (-1, (0x1f7b1000), 4096, 32, ... (0x1f7b1000), 4096, 4, ) == 0x0
 00409   396   NtFlushInstructionCache  (-1, 528158720, 724, ... ) == 0x0
 00410   396   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "comdlg32.dll"}, ... 84, ) }, ... 84, ) == 0x0
 00411   396   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x763b0000), 0x0, 282624, ) == 0x0
 00412   396   NtClose  (84, ... ) == 0x0
 00413   396   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 84, ) }, ... 84, ) == 0x0
 00414   396   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x772d0000), 0x0, 405504, ) == 0x0
 00415   396   NtClose  (84, ... ) == 0x0
 00416   396   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 84, ) }, ... 84, ) == 0x0
 00417   396   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0
 00418   396   NtClose  (84, ... ) == 0x0
 00419   396   NtProtectVirtualMemory  (-1, (0x763b1000), 1536, 4, ... (0x763b1000), 4096, 32, ) == 0x0
 00420   396   NtProtectVirtualMemory  (-1, (0x763b1000), 4096, 32, ... (0x763b1000), 4096, 4, ) == 0x0
 00421   396   NtFlushInstructionCache  (-1, 1983582208, 1536, ... ) == 0x0
 00422   396   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHELL32.dll"}, ... 84, ) }, ... 84, ) == 0x0
 00423   396   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 8339456, ) == 0x0
 00424   396   NtClose  (84, ... ) == 0x0
 00425   396   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {388, 0}, ... 84, ) == 0x0
 00426   396   NtQueryInformationProcess  (84, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 00427   396   NtClose  (84, ... ) == 0x0
 00428   396   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00429   396   NtUserSystemParametersInfo  (104, 0, 2000318720, 0, ... ) == 0x1
 00430   396   NtUserSystemParametersInfo  (38, 4, 2000318708, 0, ... ) == 0x1
 00431   396   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00432   396   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 84, ) == 0x0
 00433   396   NtQueryInformationToken  (84, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00434   396   NtClose  (84, ... ) == 0x0
 00435   396   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 84, ) }, ... 84, ) == 0x0
 00436   396   NtSetInformationObject  (84, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 00437   396   NtOpenKey  (0x20019, {24, 84, 0x40, 0, 0,  (0x20019, {24, 84, 0x40, 0, 0, "Control Panel\Desktop"}, ... 80, ) }, ... 80, ) == 0x0
 00438   396   NtQueryValueKey  (80,  (80, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00439   396   NtClose  (80, ... ) == 0x0
 00440   396   NtUserSystemParametersInfo  (41, 500, 1241216, 0, ... ) == 0x1
 00441   396   NtUserSystemParametersInfo  (102, 0, 2000318732, 0, ... ) == 0x1
 00442   396   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00443   396   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00444   396   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc03b
 00445   396   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00446   396   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc03d
 00447   396   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00448   396   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00449   396   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc03f
 00450   396   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00451   396   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00452   396   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc041
 00453   396   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00454   396   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00455   396   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc043
 00456   396   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00457   396   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc045
 00458   396   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00459   396   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00460   396   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc047
 00461   396   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00462   396   NtUserFindExistingCursorIcon  (1241004, 1241020, 1241588, ... ) == 0x10011
 00463   396   NtUserRegisterClassExWOW  (1241456, 1241536, 1241520, 1241552, 0, 384, 0, ... ) == 0x810dc049
 00464   396   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00465   396   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00466   396   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc04b
 00467   396   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00468   396   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00469   396   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc04d
 00470   396   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00471   396   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00472   396   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc04f
 00473   396   NtUserGetClassInfo  (1999896576, 1241628, 1241580, 1241656, 0, ... ) == 0x0
 00474   396   NtUserRegisterClassExWOW  (1241464, 1241544, 1241528, 1241560, 0, 384, 0, ... ) == 0x810dc051
 00475   396   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00476   396   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00477   396   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc053
 00478   396   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00479   396   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00480   396   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc055
 00481   396   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc057
 00482   396   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00483   396   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00484   396   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc059
 00485   396   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00486   396   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10013
 00487   396   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc05b
 00488   396   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00489   396   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00490   396   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc05d
 00491   396   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00492   396   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00493   396   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc05f
 00494   396   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00495   396   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 9175040, 65536, ) == 0x0
 00496   396   NtAllocateVirtualMemory  (-1, 9175040, 0, 4096, 4096, 4, ... 9175040, 4096, ) == 0x0
 00497   396   NtAllocateVirtualMemory  (-1, 9179136, 0, 8192, 4096, 4, ... 9179136, 8192, ) == 0x0
 00498   396   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 80, ) }, ... 80, ) == 0x0
 00499   396   NtMapViewOfSection  (80, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x8d0000), 0x0, 12288, ) == 0x0
 00500   396   NtClose  (80, ... ) == 0x0
 00501   396   NtAllocateVirtualMemory  (-1, 9187328, 0, 4096, 4096, 4, ... 9187328, 4096, ) == 0x0
 00502   396   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00503   396   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 80, ) }, ... 80, ) == 0x0
 00504   396   NtQueryValueKey  (80,  (80, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00505   396   NtClose  (80, ... ) == 0x0
 00506   396   NtQueryDefaultUILanguage  (1239840, ...
 00507   396   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00508   396   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 00509   396   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00510   396   NtClose  (-2147482020, ... ) == 0x0
 00511   396   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00512   396   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00513   396   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00514   396   NtQueryValueKey  (-2147482032,  (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00515   396   NtClose  (-2147482032, ... ) == 0x0
 00516   396   NtClose  (-2147482020, ... ) == 0x0
 00506   396   NtQueryDefaultUILanguage  ... ) == 0x0
 00517   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00518   396   NtQueryInstallUILanguage  (2012047340, ... ) == 0x0
 00519   396   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1, 96, ... 80, {status=0x0, info=1}, ) }, 1, 96, ... 80, {status=0x0, info=1}, ) == 0x0
 00520   396   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 80, ... 88, ) == 0x0
 00521   396   NtMapViewOfSection  (88, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x8e0000), 0x0, 8323072, ) == 0x0
 00522   396   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00523   396   NtQueryDefaultUILanguage  (2013024600, ...
 00524   396   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00525   396   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 00526   396   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00527   396   NtClose  (-2147482020, ... ) == 0x0
 00528   396   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00529   396   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00530   396   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00531   396   NtQueryValueKey  (-2147482032,  (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00532   396   NtClose  (-2147482032, ... ) == 0x0
 00533   396   NtClose  (-2147482020, ... ) == 0x0
 00523   396   NtQueryDefaultUILanguage  ... ) == 0x0
 00534   396   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00535   396   NtQueryInstallUILanguage  (2013024602, ... ) == 0x0
 00536   396   NtQueryDefaultLocale  (1, 1237876, ... ) == 0x0
 00537   396   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00538   396   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1238732, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1238732, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1P\0\0\0\377\377\377\377\0\0\0\0\20\311\305\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\314\355\22\0\0\0\0\0" ... {128, 156, reply, 0, 388, 396, 1498, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1P\0\0\0\377\377\377\377\0\0\0\0\20\311\305\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\314\355\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 388, 396, 1498, 0}  (24, {128, 156, new_msg, 0, 1238732, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1P\0\0\0\377\377\377\377\0\0\0\0\20\311\305\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\314\355\22\0\0\0\0\0" ... {128, 156, reply, 0, 388, 396, 1498, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1P\0\0\0\377\377\377\377\0\0\0\0\20\311\305\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\314\355\22\0\0\0\0\0" )  ) == 0x0
 00539   396   NtClose  (80, ... ) == 0x0
 00540   396   NtClose  (88, ... ) == 0x0
 00541   396   NtUnmapViewOfSection  (-1, 0x8e0000, ... ) == 0x0
 00542   396   NtUnmapViewOfSection  (-1, 0x12edcc, ... ) == STATUS_NOT_MAPPED_VIEW
 00543   396   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00544   396   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00545   396   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00546   396   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00547   396   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1236960, ... ) }, 1236960, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00548   396   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00549   396   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00550   396   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00551   396   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1237552, ... ) }, 1237552, ... ) == 0x0
 00552   396   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 88, {status=0x0, info=1}, ) }, 3, 33, ... 88, {status=0x0, info=1}, ) == 0x0
 00553   396   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00554   396   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 80, {status=0x0, info=1}, ) }, 5, 96, ... 80, {status=0x0, info=1}, ) == 0x0
 00555   396   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 80, ... 92, ) == 0x0
 00556   396   NtClose  (80, ... ) == 0x0
 00557   396   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x8e0000), 0x0, 921600, ) == 0x0
 00558   396   NtClose  (92, ... ) == 0x0
 00559   396   NtUnmapViewOfSection  (-1, 0x8e0000, ... ) == 0x0
 00560   396   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 92, {status=0x0, info=1}, ) }, 5, 96, ... 92, {status=0x0, info=1}, ) == 0x0
 00561   396   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 92, ... 80, ) == 0x0
 00562   396   NtQuerySection  (80, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00563   396   NtClose  (92, ... ) == 0x0
 00564   396   NtMapViewOfSection  (80, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0
 00565   396   NtClose  (80, ... ) == 0x0
 00566   396   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00567   396   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00568   396   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00569   396   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00570   396   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00571   396   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00572   396   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00573   396   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00574   396   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00575   396   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00576   396   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00577   396   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00578   396   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00579   396   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00580   396   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00581   396   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00582   396   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00583   396   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00584   396   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00585   396   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00586   396   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00587   396   NtAddAtom  ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1238736, ... ) , 42, 1238736, ... ) == 0x0
 00588   396   NtQueryDefaultUILanguage  (1237452, ...
 00589   396   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00590   396   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 00591   396   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00592   396   NtClose  (-2147482020, ... ) == 0x0
 00593   396   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00594   396   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00595   396   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00596   396   NtQueryValueKey  (-2147482032,  (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00597   396   NtClose  (-2147482032, ... ) == 0x0
 00598   396   NtClose  (-2147482020, ... ) == 0x0
 00588   396   NtQueryDefaultUILanguage  ... ) == 0x0
 00599   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00600   396   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1236304, ... ) }, 1236304, ... ) == 0x0
 00601   396   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 80, {status=0x0, info=1}, ) }, 5, 96, ... 80, {status=0x0, info=1}, ) == 0x0
 00602   396   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 80, ... 92, ) == 0x0
 00603   396   NtClose  (80, ... ) == 0x0
 00604   396   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x8e0000), 0x0, 4096, ) == 0x0
 00605   396   NtClose  (92, ... ) == 0x0
 00606   396   NtUnmapViewOfSection  (-1, 0x8e0000, ... ) == 0x0
 00607   396   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1235944, ... ) }, 1235944, ... ) == 0x0
 00608   396   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1236644,  (0x80100080, {24, 0, 0x40, 0, 1236644, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 92, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 92, {status=0x0, info=1}, ) == 0x0
 00609   396   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 92, ... 80, ) == 0x0
 00610   396   NtClose  (92, ... ) == 0x0
 00611   396   NtMapViewOfSection  (80, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x8e0000), {0, 0}, 4096, ) == 0x0
 00612   396   NtClose  (80, ... ) == 0x0
 00613   396   NtUnmapViewOfSection  (-1, 0x8e0000, ... ) == 0x0
 00614   396   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 80, {status=0x0, info=1}, ) }, 1, 96, ... 80, {status=0x0, info=1}, ) == 0x0
 00615   396   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 80, ... 92, ) == 0x0
 00616   396   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x8e0000), 0x0, 4096, ) == 0x0
 00617   396   NtQueryInformationFile  (80, 1236264, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0
 00618   396   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00619   396   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1236344, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1236344, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1P\0\0\0\\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0x\344\22\0\0\0\0\0" ... {128, 156, reply, 0, 388, 396, 1499, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1P\0\0\0\\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0x\344\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 388, 396, 1499, 0}  (24, {128, 156, new_msg, 0, 1236344, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1P\0\0\0\\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0x\344\22\0\0\0\0\0" ... {128, 156, reply, 0, 388, 396, 1499, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1P\0\0\0\\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0x\344\22\0\0\0\0\0" )  ) == 0x0
 00620   396   NtClose  (80, ... ) == 0x0
 00621   396   NtClose  (92, ... ) == 0x0
 00622   396   NtUnmapViewOfSection  (-1, 0x8e0000, ... ) == 0x0
 00623   396   NtUnmapViewOfSection  (-1, 0x12e478, ... ) == STATUS_NOT_MAPPED_VIEW
 00624   396   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00625   396   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00626   396   NtUserSystemParametersInfo  (104, 0, 1906151468, 0, ... ) == 0x1
 00627   396   NtUserGetDC  (0, ... ) == 0x1010050
 00628   396   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 00629   396   NtUserSystemParametersInfo  (38, 4, 1906153440, 0, ... ) == 0x1
 00630   396   NtUserSystemParametersInfo  (66, 12, 1238756, 0, ... ) == 0x1
 00631   396   NtOpenProcessToken  (-1, 0x8, ... 92, ) == 0x0
 00632   396   NtAccessCheck  (1393640, 92, 0x1, 1238160, 1238104, 56, 1238188, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 00633   396   NtClose  (92, ... ) == 0x0
 00634   396   NtOpenKey  (0x20019, {24, 84, 0x40, 0, 0,  (0x20019, {24, 84, 0x40, 0, 0, "Control Panel\Desktop"}, ... 92, ) }, ... 92, ) == 0x0
 00635   396   NtQueryValueKey  (92,  (92, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00636   396   NtClose  (92, ... ) == 0x0
 00637   396   NtUserSystemParametersInfo  (41, 500, 1238256, 0, ... ) == 0x1
 00638   396   NtAllocateVirtualMemory  (-1, 1396736, 0, 4096, 4096, 4, ... 1396736, 4096, ) == 0x0
 00639   396   NtOpenKey  (0x1, {24, 84, 0x40, 0, 0,  (0x1, {24, 84, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 92, ) }, ... 92, ) == 0x0
 00640   396   NtQueryValueKey  (92,  (92, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00641   396   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 80, ) }, ... 80, ) == 0x0
 00642   396   NtQueryValueKey  (80,  (80, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00643   396   NtClose  (80, ... ) == 0x0
 00644   396   NtClose  (92, ... ) == 0x0
 00645   396   NtUserSystemParametersInfo  (102, 0, 1906153328, 0, ... ) == 0x1
 00646   396   NtUserSystemParametersInfo  (4130, 0, 1238780, 0, ... ) == 0x1
 00647   396   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 92, ) }, ... 92, ) == 0x0
 00648   396   NtEnumerateValueKey  (92, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 00649   396   NtClose  (92, ... ) == 0x0
 00650   396   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00651   396   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc03b
 00652   396   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc03d
 00653   396   NtUserFindExistingCursorIcon  (1238060, 1238076, 1238644, ... ) == 0x10011
 00654   396   NtUserRegisterClassExWOW  (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810dc03f
 00655   396   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00656   396   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc041
 00657   396   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00658   396   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ...
 00659   396   NtAllocateVirtualMemory  (-1, 6062080, 0, 4096, 4096, 32, ... 6062080, 4096, ) == 0x0
 00658   396   NtUserRegisterClassExWOW  ... ) == 0x810dc043
 00660   396   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc045
 00661   396   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00662   396   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc047
 00663   396   NtUserFindExistingCursorIcon  (1238060, 1238076, 1238644, ... ) == 0x10011
 00664   396   NtUserRegisterClassExWOW  (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810dc049
 00665   396   NtUserGetClassInfo  (1905590272, 1238676, 1238628, 1238704, 0, ... ) == 0xc049
 00666   396   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00667   396   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc04b
 00668   396   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00669   396   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc04d
 00670   396   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00671   396   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc04f
 00672   396   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc051
 00673   396   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00674   396   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc053
 00675   396   NtUserFindExistingCursorIcon  (1238060, 1238076, 1238644, ... ) == 0x10011
 00676   396   NtUserRegisterClassExWOW  (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810dc055
 00677   396   NtUserRegisterClassExWOW  (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810dc057
 00678   396   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00679   396   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc059
 00680   396   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10013
 00681   396   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc05b
 00682   396   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00683   396   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc05d
 00684   396   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00685   396   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc05f
 00686   396   NtUserFindExistingCursorIcon  (1238060, 1238076, 1238644, ... ) == 0x10011
 00687   396   NtUserRegisterClassExWOW  (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810dc017
 00688   396   NtUserFindExistingCursorIcon  (1238060, 1238076, 1238644, ... ) == 0x10011
 00689   396   NtUserRegisterClassExWOW  (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810dc019
 00690   396   NtUserFindExistingCursorIcon  (1238060, 1238076, 1238644, ... ) == 0x10013
 00691   396   NtUserRegisterClassExWOW  (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810dc018
 00692   396   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00693   396   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc01a
 00694   396   NtUserFindExistingCursorIcon  (1238060, 1238076, 1238644, ... ) == 0x10011
 00695   396   NtUserRegisterClassExWOW  (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810dc01c
 00696   396   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00697   396   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc01e
 00698   396   NtUserFindExistingCursorIcon  (1238060, 1238076, 1238644, ... ) == 0x10011
 00699   396   NtUserRegisterClassExWOW  (1238572, 1238652, 1238636, 1238668, 0, 384, 0, ... ) == 0x810dc01b
 00700   396   NtUserFindExistingCursorIcon  (1238056, 1238072, 1238640, ... ) == 0x10011
 00701   396   NtUserRegisterClassExWOW  (1238568, 1238648, 1238632, 1238664, 0, 384, 0, ... ) == 0x810dc068
 00702   396   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00703   396   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc06a
 00704   396   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc03b
 00705   396   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc03d
 00706   396   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc03f
 00707   396   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc041
 00708   396   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc043
 00709   396   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc045
 00710   396   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc047
 00711   396   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc049
 00712   396   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc04b
 00713   396   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc04d
 00714   396   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc04f
 00715   396   NtUserGetClassInfo  (1999896576, 1241580, 1241532, 1241608, 0, ... ) == 0xc051
 00716   396   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc053
 00717   396   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc055
 00718   396   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc059
 00719   396   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc05b
 00720   396   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc05d
 00721   396   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc05f
 00722   396   NtUserRegisterWindowMessage  ( ("WOWLFChange", ... ) , ... ) == 0xc06b
 00723   396   NtUserRegisterWindowMessage  ( ("WOWDirChange", ... ) , ... ) == 0xc06c
 00724   396   NtUserRegisterWindowMessage  ( ("WOWCHOOSEFONT_GETLOGFONT", ... ) , ... ) == 0xc06d
 00725   396   NtUserRegisterWindowMessage  ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06e
 00726   396   NtUserRegisterWindowMessage  ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc06f
 00727   396   NtUserRegisterWindowMessage  ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc070
 00728   396   NtUserRegisterWindowMessage  ( ("commdlg_ColorOK", ... ) , ... ) == 0xc071
 00729   396   NtUserRegisterWindowMessage  ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc072
 00730   396   NtUserRegisterWindowMessage  ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06e
 00731   396   NtUserRegisterWindowMessage  ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc06f
 00732   396   NtUserRegisterWindowMessage  ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc070
 00733   396   NtUserRegisterWindowMessage  ( ("commdlg_ColorOK", ... ) , ... ) == 0xc071
 00734   396   NtUserRegisterWindowMessage  ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc072
 00735   396   NtUserRegisterWindowMessage  ( ("Shell IDList Array", ... ) , ... ) == 0xc073
 00736   396   NtUserRegisterWindowMessage  ( ("commdlg_help", ... ) , ... ) == 0xc074
 00737   396   NtUserRegisterWindowMessage  ( ("commdlg_help", ... ) , ... ) == 0xc074
 00738   396   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\MDAC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00739   396   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00740   396   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00741   396   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00742   396   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 9437184, 262144, ) == 0x0
 00743   396   NtAllocateVirtualMemory  (-1, 9437184, 0, 4096, 4096, 4, ... 9437184, 4096, ) == 0x0
 00744   396   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00745   396   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 9699328, 262144, ) == 0x0
 00746   396   NtAllocateVirtualMemory  (-1, 9699328, 0, 4096, 4096, 4, ... 9699328, 4096, ) == 0x0
 00747   396   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00748   396   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 9961472, 262144, ) == 0x0
 00749   396   NtAllocateVirtualMemory  (-1, 9961472, 0, 4096, 4096, 4, ... 9961472, 4096, ) == 0x0
 00750   396   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00751   396   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 10223616, 262144, ) == 0x0
 00752   396   NtAllocateVirtualMemory  (-1, 10223616, 0, 4096, 4096, 4, ... 10223616, 4096, ) == 0x0
 00753   396   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00754   396   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00755   396   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00756   396   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00757   396   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 1237456, ... ) }, 1237456, ... ) == 0x0
 00758   396   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 5, 96, ... 92, {status=0x0, info=1}, ) }, 5, 96, ... 92, {status=0x0, info=1}, ) == 0x0
 00759   396   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 92, ... 80, ) == 0x0
 00760   396   NtClose  (92, ... ) == 0x0
 00761   396   NtMapViewOfSection  (80, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa00000), 0x0, 90112, ) == 0x0
 00762   396   NtClose  (80, ... ) == 0x0
 00763   396   NtUnmapViewOfSection  (-1, 0xa00000, ... ) == 0x0
 00764   396   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 1237772, ... ) }, 1237772, ... ) == 0x0
 00765   396   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 5, 96, ... 80, {status=0x0, info=1}, ) }, 5, 96, ... 80, {status=0x0, info=1}, ) == 0x0
 00766   396   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 80, ... 92, ) == 0x0
 00767   396   NtQuerySection  (92, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00768   396   NtClose  (80, ... ) == 0x0
 00769   396   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x1f850000), 0x0, 90112, ) == 0x0
 00770   396   NtClose  (92, ... ) == 0x0
 00771   396   NtQueryDefaultLocale  (1, 1239460, ... ) == 0x0
 00772   396   NtAllocateVirtualMemory  (-1, 9441280, 0, 4096, 4096, 4, ... 9441280, 4096, ) == 0x0
 00773   396   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE"}, ... 92, ) }, ... 92, ) == 0x0
 00774   396   NtClose  (92, ... ) == 0x0
 00775   396   NtOpenKey  (0x20019, {24, 84, 0x40, 0, 0,  (0x20019, {24, 84, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00776   396   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00777   396   NtOpenKey  (0x20019, {24, 84, 0x40, 0, 0,  (0x20019, {24, 84, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00778   396   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00779   396   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WININET.dll"}, ... 92, ) }, ... 92, ) == 0x0
 00780   396   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76200000), 0x0, 618496, ) == 0x0
 00781   396   NtClose  (92, ... ) == 0x0
 00782   396   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "CRYPT32.dll"}, ... 92, ) }, ... 92, ) == 0x0
 00783   396   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762c0000), 0x0, 565248, ) == 0x0
 00784   396   NtClose  (92, ... ) == 0x0
 00785   396   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSASN1.dll"}, ... 92, ) }, ... 92, ) == 0x0
 00786   396   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762a0000), 0x0, 61440, ) == 0x0
 00787   396   NtClose  (92, ... ) == 0x0
 00788   396   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLEAUT32.dll"}, ... 92, ) }, ... 92, ) == 0x0
 00789   396   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0
 00790   396   NtClose  (92, ... ) == 0x0
 00791   396   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLE32.DLL"}, ... 92, ) }, ... 92, ) == 0x0
 00792   396   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0
 00793   396   NtClose  (92, ... ) == 0x0
 00794   396   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\crypt32\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00795   396   NtAllocateVirtualMemory  (-1, 1400832, 0, 4096, 4096, 4, ... 1400832, 4096, ) == 0x0
 00796   396   NtAllocateVirtualMemory  (-1, 1404928, 0, 4096, 4096, 4, ... 1404928, 4096, ) == 0x0
 00797   396   NtAllocateVirtualMemory  (-1, 1409024, 0, 4096, 4096, 4, ... 1409024, 4096, ) == 0x0
 00798   396   NtCreateEvent  (0x1f0003, {24, 52, 0x80, 1241616, 0,  (0x1f0003, {24, 52, 0x80, 1241616, 0, "Global\crypt32LogoffEvent"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED
 00799   396   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\crypt32LogoffEvent"}, ... 92, ) }, ... 92, ) == 0x0
 00800   396   NtAllocateVirtualMemory  (-1, 1413120, 0, 4096, 4096, 4, ... 1413120, 4096, ) == 0x0
 00801   396   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00802   396   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00803   396   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 80, ) }, ... 80, ) == 0x0
 00804   396   NtQueryValueKey  (80,  (80, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0
 00805   396   NtClose  (80, ... ) == 0x0
 00806   396   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00807   396   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00808   396   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00809   396   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00810   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 80, ) }, ... 80, ) == 0x0
 00811   396   NtQueryValueKey  (80,  (80, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00812   396   NtQueryValueKey  (80,  (80, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00813   396   NtQueryValueKey  (80,  (80, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00814   396   NtClose  (80, ... ) == 0x0
 00815   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 80, ) }, ... 80, ) == 0x0
 00816   396   NtQueryValueKey  (80,  (80, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00817   396   NtQueryValueKey  (80,  (80, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00818   396   NtClose  (80, ... ) == 0x0
 00819   396   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00820   396   NtUserRegisterWindowMessage  ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b
 00821   396   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00822   396   NtOpenKey  (0x9, {24, 28, 0x40, 0, 0,  (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00823   396   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00824   396   NtAllocateVirtualMemory  (-1, 1417216, 0, 8192, 4096, 4, ... 1417216, 8192, ) == 0x0
 00825   396   NtCreateKey  (0xf003f, {24, 84, 0x40, 0, 0,  (0xf003f, {24, 84, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History"}, 0, 0x0, 0, ... 80, 2, ) }, 0, 0x0, 0, ... 80, 2, ) == 0x0
 00826   396   NtQueryDefaultUILanguage  (1239852, ...
 00827   396   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00828   396   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 00829   396   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00830   396   NtClose  (-2147482020, ... ) == 0x0
 00831   396   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00832   396   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00833   396   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00834   396   NtQueryValueKey  (-2147482032,  (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00835   396   NtClose  (-2147482032, ... ) == 0x0
 00836   396   NtClose  (-2147482020, ... ) == 0x0
 00826   396   NtQueryDefaultUILanguage  ... ) == 0x0
 00837   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00838   396   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll"}, 1, 96, ... 96, {status=0x0, info=1}, ) }, 1, 96, ... 96, {status=0x0, info=1}, ) == 0x0
 00839   396   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 96, ... 100, ) == 0x0
 00840   396   NtMapViewOfSection  (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xa00000), 0x0, 593920, ) == 0x0
 00841   396   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00842   396   NtQueryDefaultLocale  (1, 1237888, ... ) == 0x0
 00843   396   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00844   396   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1238744, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1238744, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1`\0\0\0\377\377\377\377\0\0\0\0P\275\247\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\330\355\22\0\0\0\0\0" ... {128, 156, reply, 0, 388, 396, 1500, 0} " S\26\0\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1`\0\0\0\377\377\377\377\0\0\0\0P\275\247\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\330\355\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 388, 396, 1500, 0}  (24, {128, 156, new_msg, 0, 1238744, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1`\0\0\0\377\377\377\377\0\0\0\0P\275\247\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\330\355\22\0\0\0\0\0" ... {128, 156, reply, 0, 388, 396, 1500, 0} " S\26\0\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1`\0\0\0\377\377\377\377\0\0\0\0P\275\247\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\330\355\22\0\0\0\0\0" )  ) == 0x0
 00845   396   NtClose  (96, ... ) == 0x0
 00846   396   NtClose  (100, ... ) == 0x0
 00847   396   NtUnmapViewOfSection  (-1, 0xa00000, ... ) == 0x0
 00848   396   NtUnmapViewOfSection  (-1, 0x12edd8, ... ) == STATUS_NOT_MAPPED_VIEW
 00849   396   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00850   396   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00851   396   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00852   396   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00853   396   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1236428, ... ) }, 1236428, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00854   396   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00855   396   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00856   396   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00857   396   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1237020, ... ) }, 1237020, ... ) == 0x0
 00858   396   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 100, {status=0x0, info=1}, ) }, 3, 33, ... 100, {status=0x0, info=1}, ) == 0x0
 00859   396   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00860   396   NtCreateKey  (0x2001f, {24, 84, 0x40, 0, 0,  (0x2001f, {24, 84, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 96, 2, ) }, 0, 0x0, 0, ... 96, 2, ) == 0x0
 00861   396   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00862   396   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1241484, ... ) }, 1241484, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00863   396   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2_32.dll"}, 1241484, ... ) }, 1241484, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00864   396   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 1241484, ... ) }, 1241484, ... ) == 0x0
 00865   396   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0
 00866   396   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 104, ... 108, ) == 0x0
 00867   396   NtQuerySection  (108, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00868   396   NtClose  (104, ... ) == 0x0
 00869   396   NtMapViewOfSection  (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 86016, ) == 0x0
 00870   396   NtClose  (108, ... ) == 0x0
 00871   396   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00872   396   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1240680, ... ) }, 1240680, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00873   396   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2HELP.dll"}, 1240680, ... ) }, 1240680, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00874   396   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 1240680, ... ) }, 1240680, ... ) == 0x0
 00875   396   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 5, 96, ... 108, {status=0x0, info=1}, ) }, 5, 96, ... 108, {status=0x0, info=1}, ) == 0x0
 00876   396   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 108, ... 104, ) == 0x0
 00877   396   NtQuerySection  (104, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00878   396   NtClose  (108, ... ) == 0x0
 00879   396   NtMapViewOfSection  (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00880   396   NtClose  (104, ... ) == 0x0
 00881   396   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00882   396   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00883   396   NtTestAlert  (... ) == 0x0
 00884   396   NtContinue  (1244464, 1, ...
 00885   396   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x48efae,}, 4, ... ) == 0x0
 00886   396   NtQueryPerformanceCounter  (... {94619493, 0}, {3579545, 0}, ) == 0x0
 00887   396   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00888   396   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 10485760, 65536, ) == 0x0
 00889   396   NtAllocateVirtualMemory  (-1, 10485760, 0, 4096, 4096, 4, ... 10485760, 4096, ) == 0x0
 00890   396   NtAllocateVirtualMemory  (-1, 10489856, 0, 8192, 4096, 4, ... 10489856, 8192, ) == 0x0
 00891   396   NtAllocateVirtualMemory  (-1, 10498048, 0, 4096, 4096, 4, ... 10498048, 4096, ) == 0x0
 00892   396   NtAllocateVirtualMemory  (-1, 10502144, 0, 4096, 4096, 4, ... 10502144, 4096, ) == 0x0
 00893   396   NtAllocateVirtualMemory  (-1, 0, 0, 6, 12288, 64, ... 10551296, 4096, ) == 0x0
 00894   396   NtProtectVirtualMemory  (-1, (0xa10000), 6, 64, ...
 00895   396   NtContinue  (-131104980, 0, ...
 00894   396   NtProtectVirtualMemory  ... ) == STATUS_ACCESS_VIOLATION
 00896   396   NtFreeVirtualMemory  (-1, (0xa10000), 0, 32768, ... (0xa10000), 4096, ) == 0x0
 00897   396   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1241932,  (0x80100080, {24, 0, 0x40, 0, 1241932, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 104, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 104, {status=0x0, info=1}, ) == 0x0
 00898   396   NtQueryInformationFile  (104, 1242868, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0
 00899   396   NtQueryInformationFile  (104, 1242840, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00900   396   NtQueryInformationFile  (104, 1242792, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00901   396   NtAllocateVirtualMemory  (-1, 1425408, 0, 8192, 4096, 4, ... 1425408, 8192, ) == 0x0
 00902   396   NtQueryInformationFile  (104, 1422952, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0
 00903   396   NtQueryInformationFile  (104, 1241336, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00904   396   NtQueryInformationFile  (104, 1241180, 4, Ea, ... {status=0x0, info=4}, ) == 0x0
 00905   396   NtCreateFile  (0x40110080, {24, 0, 0x40, 0, 1241188,  (0x40110080, {24, 0, 0x40, 0, 1241188, "\??\C:\WINDOWS\System32\eupsvc.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ...
 00906   396   NtClose  (-2147482020, ... ) == 0x0
 00905   396   NtCreateFile  ... 108, {status=0x0, info=2}, ) == 0x0
 00907   396   NtQueryVolumeInformationFile  (108, 1240560, 536, Attribute, ... {status=0x0, info=22}, ) == 0x0
 00908   396   NtQueryInformationFile  (108, 1240520, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00909   396   NtQueryVolumeInformationFile  (104, 1240560, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 00910   396   NtQueryVolumeInformationFile  (104, 1240244, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00911   396   NtSetInformationFile  (108, 1240348, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00912   396   NtCreateSection  (0xf001f, 0x0, 0x0, 2, 134217728, 104, ... 112, ) == 0x0
 00913   396   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xa10000), {0, 0}, 217088, ) == 0x0
 00914   396   NtClose  (112, ... ) == 0x0
 00915   396   NtWriteFile  (108, 0, 0, 0,  (108, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\370\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0V^\2517\22?\307d\22?\307d\22?\307d5\371\272d\11?\307d5\371\252d\234?\307d5\371\251d ?\307d\2217\232d\20?\307d\3210\232d\35?\307d\22?\306d\277?\307d5\371\265d\16?\307d5\371\277d\23?\307dRich\22?\307d\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0o\241\3\243"\202\300O\253\236\215\371S\364\26\360PE\0\0L\1\10\0!u\342E\0\0\0\0\0\0\0\0\340\0\3\1\13\1\10\0\0\320\1\0\0\260\0\0\0\0\0\0\256\357\10\0\0\320\5\0\0\340\1\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\0\11\0\0\20\0\0\4=\4\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\320\5\0\20\1\0\0\0\220\3\0\260\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\321\5\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.tex", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) \202\300O\253\236\215\371S\364\26\360PE\0\0L\1\10\0!u\342E\0\0\0\0\0\0\0\0\340\0\3\1\13\1\10\0\0\320\1\0\0\260\0\0\0\0\0\0\256\357\10\0\0\320\5\0\0\340\1\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\0\11\0\0\20\0\0\4=\4\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\320\5\0\20\1\0\0\0\220\3\0\260\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\321\5\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.tex", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 00916   396   NtWriteFile  (108, 0, 0, 0,  (108, 0, 0, 0, "\240\326\243_\3413\226\361\305d\223d\313?f\366\201\319\22\271\10\230\316Up}1T\356e\148\236@k\316\31f\346\324Z1-\354j\15\202\357K\321\352.uj\264r!\27I\355"\236\202I\0\4B\27\223\2005c\X\3]\235J\4[\12\216QY\200\211(\21\355RN\17AD\270%\255\21o\247\230\240\221\210$w\11\366H\6$\22\1=\31\371\240\230\202D\3046\356\0\344ru\377\207Kb\310\324)N\256\42D\314\267\265\276\251`\277AEM\16\270u\25\314U\3474\360Q\200\277\324\227\327\200\264(\1\7K\352"s\323\331\212\356jl5\225\223"b\253\301T\13\201\324\245\311\0\243%2\327\352\241\250\210\301m\272\330\325\270MY\26\37l\264\221\267\273\350\243\256\342\347\264\20z\273{\355\227BO\352Z\37\273\353"D\261\300q\341\11\247}G\353\26\365\236\324\336\2\334\316\344BE\216Z\231\20\312\363#\12\304\\304V\5\336W\374\212\325\250*\226\361U\210\331J\367*\365\3\266t\235\211\222@\301JF\21\316~=\275\306W.\252\30\5.\356I\367{\10\374\373^\214J\254'\351F|*\376\232\304.\256\7fCKB\267h\221\326\31\25,F.\355(+\343\334\35\14\204#\257k\223E24\210\223\5\364Y(?4i\3665]\227@\236\250v\214M::vS\355\367c\253\2031s\31\21\361\245*\356\311\316E\234\5\206)\316i)\316%a\203\326#\311x9A\247\374\12\274hs\201\245\4$W@\312h#"Xe\28R3\373\303;\212N\233\232\324!%i\271U\7\13\243][\370``\365\1\223\32V\21)\244\352\207C\305\200\342xc\220:`\232T\2302?\14\243\315\2kW\245\300\330\314\367\273\3001\225", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) \236\202I\0\4B\27\223\2005c\X\3]\235J\4[\12\216QY\200\211(\21\355RN\17AD\270%\255\21o\247\230\240\221\210$w\11\366H\6$\22\1=\31\371\240\230\202D\3046\356\0\344ru\377\207Kb\310\324)N\256\42D\314\267\265\276\251`\277AEM\16\270u\25\314U\3474\360Q\200\277\324\227\327\200\264(\1\7K\352 (108, 0, 0, 0, "\240\326\243_\3413\226\361\305d\223d\313?f\366\201\319\22\271\10\230\316Up}1T\356e\148\236@k\316\31f\346\324Z1-\354j\15\202\357K\321\352.uj\264r!\27I\355"\236\202I\0\4B\27\223\2005c\X\3]\235J\4[\12\216QY\200\211(\21\355RN\17AD\270%\255\21o\247\230\240\221\210$w\11\366H\6$\22\1=\31\371\240\230\202D\3046\356\0\344ru\377\207Kb\310\324)N\256\42D\314\267\265\276\251`\277AEM\16\270u\25\314U\3474\360Q\200\277\324\227\327\200\264(\1\7K\352"s\323\331\212\356jl5\225\223"b\253\301T\13\201\324\245\311\0\243%2\327\352\241\250\210\301m\272\330\325\270MY\26\37l\264\221\267\273\350\243\256\342\347\264\20z\273{\355\227BO\352Z\37\273\353"D\261\300q\341\11\247}G\353\26\365\236\324\336\2\334\316\344BE\216Z\231\20\312\363#\12\304\\304V\5\336W\374\212\325\250*\226\361U\210\331J\367*\365\3\266t\235\211\222@\301JF\21\316~=\275\306W.\252\30\5.\356I\367{\10\374\373^\214J\254'\351F|*\376\232\304.\256\7fCKB\267h\221\326\31\25,F.\355(+\343\334\35\14\204#\257k\223E24\210\223\5\364Y(?4i\3665]\227@\236\250v\214M::vS\355\367c\253\2031s\31\21\361\245*\356\311\316E\234\5\206)\316i)\316%a\203\326#\311x9A\247\374\12\274hs\201\245\4$W@\312h#"Xe\28R3\373\303;\212N\233\232\324!%i\271U\7\13\243][\370``\365\1\223\32V\21)\244\352\207C\305\200\342xc\220:`\232T\2302?\14\243\315\2kW\245\300\330\314\367\273\3001\225", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) b\253\301T\13\201\324\245\311\0\243%2\327\352\241\250\210\301m\272\330\325\270MY\26\37l\264\221\267\273\350\243\256\342\347\264\20z\273{\355\227BO\352Z\37\273\353 (108, 0, 0, 0, "\240\326\243_\3413\226\361\305d\223d\313?f\366\201\319\22\271\10\230\316Up}1T\356e\148\236@k\316\31f\346\324Z1-\354j\15\202\357K\321\352.uj\264r!\27I\355"\236\202I\0\4B\27\223\2005c\X\3]\235J\4[\12\216QY\200\211(\21\355RN\17AD\270%\255\21o\247\230\240\221\210$w\11\366H\6$\22\1=\31\371\240\230\202D\3046\356\0\344ru\377\207Kb\310\324)N\256\42D\314\267\265\276\251`\277AEM\16\270u\25\314U\3474\360Q\200\277\324\227\327\200\264(\1\7K\352"s\323\331\212\356jl5\225\223"b\253\301T\13\201\324\245\311\0\243%2\327\352\241\250\210\301m\272\330\325\270MY\26\37l\264\221\267\273\350\243\256\342\347\264\20z\273{\355\227BO\352Z\37\273\353"D\261\300q\341\11\247}G\353\26\365\236\324\336\2\334\316\344BE\216Z\231\20\312\363#\12\304\\304V\5\336W\374\212\325\250*\226\361U\210\331J\367*\365\3\266t\235\211\222@\301JF\21\316~=\275\306W.\252\30\5.\356I\367{\10\374\373^\214J\254'\351F|*\376\232\304.\256\7fCKB\267h\221\326\31\25,F.\355(+\343\334\35\14\204#\257k\223E24\210\223\5\364Y(?4i\3665]\227@\236\250v\214M::vS\355\367c\253\2031s\31\21\361\245*\356\311\316E\234\5\206)\316i)\316%a\203\326#\311x9A\247\374\12\274hs\201\245\4$W@\312h#"Xe\28R3\373\303;\212N\233\232\324!%i\271U\7\13\243][\370``\365\1\223\32V\21)\244\352\207C\305\200\342xc\220:`\232T\2302?\14\243\315\2kW\245\300\330\314\367\273\3001\225", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) Xe\28R3\373\303;\212N\233\232\324!%i\271U\7\13\243][\370``\365\1\223\32V\21)\244\352\207C\305\200\342xc\220:`\232T\2302?\14\243\315\2kW\245\300\330\314\367\273\3001\225", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 00917   396   NtWriteFile  (108, 0, 0, 0,  (108, 0, 0, 0, "\353`m\263\222\16Zi\373\3759\377Al:\306\233\30\21!g\226\254j\14Q\312\366P)6\252\361\374wR\276\216\30\3\6\310\255\6\303'tiZ\357L\17{\272\303\341\201\245\20\361\323yf&\17\6\11\261\207\300\303\321\17\30\367u@\301\324\371\356-\253.S\255\244"O2\34\22\255\274;T\237\363\354\11g\5\17\260Q\25e\345\233k\272O\313\202dw\355\277N\371:\373\346N\324R\352\11\21\36\225H\31\253\326g_\31-w\264'\304\336\245r\330\\277\3C&\3\341(\372\275\244\2113&y\366\12\331\11H\22E\331P\320\324\374\304\375b\232b\354\253nU\230\266\32U\372\330\266FP\207^b,\256\27G\325Hz|\264\315\216S\247\2c\263\34\267\10\320G\205\237\323\37\36\367\235\253\322\211\226\263\325#%\272\325\252V\357T\336Hw[9x\37\374\26G\207\35\253\7\225[<~\257\20221a\375\233\300<\374^\337\352\231D\225m\25\21s\225\244\340\3\206\15\302\331\13\257`\221\352\355=;\377}\104\363L\224\1181\243\346u\317\346\204\350\33=\276,z\263\203\227\353\342\361\340G\263\345\274\6\253c\230\262n\2260V-?\370\242\371\376=\235\355+\232\306\315\353\27\235[^\17\245\322\4K\271B\252\314\343E{0q\206\325\212\352\314\16\342\244\27\241\324U_[oL\327\332\320h\264\22\311\206\255\312\301\2774\364\300\242\310\34J\277.\261k\13g\353\251\32\307\234\7XX\301e7\227\26\322\360\226R\200\242\12m\363\331r\336+\202\30\341]\263\254\273l\21\27\343\210\24\255\245EV\4\305\310_\247\322\237|\326fT\213\251\255\267\2\255\13Uev(\374\375\37\226\275M\300]\310\215\316\303\7\202H\343p3\45\367\247}\377\26Fb\255", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) O2\34\22\255\274;T\237\363\354\11g\5\17\260Q\25e\345\233k\272O\313\202dw\355\277N\371:\373\346N\324R\352\11\21\36\225H\31\253\326g_\31-w\264'\304\336\245r\330\\277\3C&\3\341(\372\275\244\2113&y\366\12\331\11H\22E\331P\320\324\374\304\375b\232b\354\253nU\230\266\32U\372\330\266FP\207^b,\256\27G\325Hz|\264\315\216S\247\2c\263\34\267\10\320G\205\237\323\37\36\367\235\253\322\211\226\263\325#%\272\325\252V\357T\336Hw[9x\37\374\26G\207\35\253\7\225[<~\257\20221a\375\233\300<\374^\337\352\231D\225m\25\21s\225\244\340\3\206\15\302\331\13\257`\221\352\355=;\377}\104\363L\224\1181\243\346u\317\346\204\350\33=\276,z\263\203\227\353\342\361\340G\263\345\274\6\253c\230\262n\2260V-?\370\242\371\376=\235\355+\232\306\315\353\27\235[^\17\245\322\4K\271B\252\314\343E{0q\206\325\212\352\314\16\342\244\27\241\324U_[oL\327\332\320h\264\22\311\206\255\312\301\2774\364\300\242\310\34J\277.\261k\13g\353\251\32\307\234\7XX\301e7\227\26\322\360\226R\200\242\12m\363\331r\336+\202\30\341]\263\254\273l\21\27\343\210\24\255\245EV\4\305\310_\247\322\237|\326fT\213\251\255\267\2\255\13Uev(\374\375\37\226\275M\300]\310\215\316\303\7\202H\343p3\45\367\247}\377\26Fb\255", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 00918   396   NtWriteFile  (108, 0, 0, 0,  (108, 0, 0, 0, "\25\313\36\270\214\226\21B\304\243`\371\275\66-:\177\243\35\264OQ\207\273\321\2559\243/O\202\300\216\234\3505\315D*\27+\220\360\354\201\205G\337\266\240\331\221\303\273\333\242\5w\247\254\25_\376\332\12\240\26\4!\212e\22e\344\276/Y\341\235] \362\240!YK\343F\36\370\36\13\255\270\361\316\245\210#\16\3\332\215\371fC\263\243\253\262\220\323]\21\37\12\277o\222\252\231\316T\354\207U\205\334\25-r\251\274\373%\22\251\66\313\2534g}S\177\17\271\232\360~\313E\234U\305\2515z\252\226\376g\211\15\203\364\316\275\314\310\237Iz\227+\233\317\270f\21\310?\266\367\213\251\24\34\365\321\307\370;\31?\334+\232\231~\30\0i\231c\303\36\325\253\361[\276\205lp\264O\224<\365\353\200B@\247\4\360\225\366B\212H9\336\252\242Ui\265\330\331\364\371\305a\3663\347\213[\315\250\343m\321\273$\203\210\350\27\234\271"\16\3774\312\215^\26\275{Yv}\366\322Tc\321'\221&2\275\244\352\343\12%\245\323\274\231\320\237,\270{\333a2m\331G\352\243\261\320\262~_\376A~wS-\366X*\275d?_\241S\37J\321\311fITQF\341Zm\320\320\312\23\30QfoQ%\236\24\241\202T\334t\264\211\376\320\300\25jt\331\365\2\245\15\276s\26\307\\331\267m`n5\272J\312\360\201\317\324(\375f]\355\33\256\13#\6\320\5D\6\247%\200\376\210oe\30+\368\243\2454\2137\327e\371\27\336\201\314\331$\3N]\177\341\227\3270\5\236\355\352\344\306\366\303t0\370\230i->LX\4\263\345 \364/\10\342\325\363X\33\277\357\260\357>G\344\344\244D)\373\23\23?\321^\205\16\337\372\240C\342\276", 29696, 0x0, 0, ... {status=0x0, info=29696}, ) \16\3774\312\215^\26\275{Yv}\366\322Tc\321'\221&2\275\244\352\343\12%\245\323\274\231\320\237,\270{\333a2m\331G\352\243\261\320\262~_\376A~wS-\366X*\275d?_\241S\37J\321\311fITQF\341Zm\320\320\312\23\30QfoQ%\236\24\241\202T\334t\264\211\376\320\300\25jt\331\365\2\245\15\276s\26\307\\331\267m`n5\272J\312\360\201\317\324(\375f]\355\33\256\13#\6\320\5D\6\247%\200\376\210oe\30+\368\243\2454\2137\327e\371\27\336\201\314\331$\3N]\177\341\227\3270\5\236\355\352\344\306\366\303t0\370\230i->LX\4\263\345 \364/\10\342\325\363X\33\277\357\260\357>G\344\344\244D)\373\23\23?\321^\205\16\337\372\240C\342\276", 29696, 0x0, 0, ... {status=0x0, info=29696}, ) == 0x0
 00919   396   NtUnmapViewOfSection  (-1, 0xa10000, ... ) == 0x0
 00920   396   NtSetInformationFile  (108, 1242792, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 00921   396   NtClose  (104, ... ) == 0x0
 00922   396   NtClose  (108, ... ) == 0x0
 00923   396   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 00924   396   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\eupsvc.exe"}, 1239084, ... ) }, 1239084, ... ) == 0x0
 00925   396   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\eupsvc.exe"}, 1239776, ... ) }, 1239776, ... ) == 0x0
 00926   396   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\eupsvc.exe"}, 5, 96, ... 108, {status=0x0, info=1}, ) }, 5, 96, ... 108, {status=0x0, info=1}, ) == 0x0
 00927   396   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 108, ... 104, ) == 0x0
 00928   396   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00929   396   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 112, ) }, ... 112, ) == 0x0
 00930   396   NtQueryValueKey  (112,  (112, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00931   396   NtClose  (112, ... ) == 0x0
 00932   396   NtQueryVolumeInformationFile  (108, 1239084, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00933   396   NtOpenMutant  (0x120001, {24, 52, 0x0, 0, 0,  (0x120001, {24, 52, 0x0, 0, 0, "ShimCacheMutex"}, ... 112, ) }, ... 112, ) == 0x0
 00934   396   NtWaitForSingleObject  (112, 0, {-1000000, -1}, ... ) == 0x0
 00935   396   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "ShimSharedMemory"}, ... 116, ) }, ... 116, ) == 0x0
 00936   396   NtMapViewOfSection  (116, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa10000), {0, 0}, 57344, ) == 0x0
 00937   396   NtReleaseMutant  (112, ... 0x0, ) == 0x0
 00938   396   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1237068, ... ) }, 1237068, ... ) == 0x0
 00939   396   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 120, {status=0x0, info=1}, ) }, 5, 96, ... 120, {status=0x0, info=1}, ) == 0x0
 00940   396   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 120, ... 124, ) == 0x0
 00941   396   NtClose  (120, ... ) == 0x0
 00942   396   NtMapViewOfSection  (124, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa20000), 0x0, 106496, ) == 0x0
 00943   396   NtClose  (124, ... ) == 0x0
 00944   396   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 00945   396   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1237384, ... ) }, 1237384, ... ) == 0x0
 00946   396   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 124, {status=0x0, info=1}, ) }, 5, 96, ... 124, {status=0x0, info=1}, ) == 0x0
 00947   396   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 124, ... 120, ) == 0x0
 00948   396   NtQuerySection  (120, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00949   396   NtClose  (124, ... ) == 0x0
 00950   396   NtMapViewOfSection  (120, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f40000), 0x0, 118784, ) == 0x0
 00951   396   NtClose  (120, ... ) == 0x0
 00952   396   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 120, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 120, {status=0x0, info=1}, ) == 0x0
 00953   396   NtQueryInformationFile  (120, 1237672, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00954   396   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 120, ... 124, ) == 0x0
 00955   396   NtMapViewOfSection  (124, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xa20000), 0x0, 1028096, ) == 0x0
 00956   396   NtQueryInformationFile  (120, 1237768, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00957   396   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00958   396   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00959   396   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 00960   396   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 128, {status=0x0, info=1}, ) }, 3, 16417, ... 128, {status=0x0, info=1}, ) == 0x0
 00961   396   NtQueryDirectoryFile  (128, 0, 0, 0, 1235332, 616, BothDirectory, 1,  (128, 0, 0, 0, 1235332, 616, BothDirectory, 1, "eupsvc.exe", 0, ... {status=0x0, info=114}, ) , 0, ... {status=0x0, info=114}, ) == 0x0
 00962   396   NtClose  (128, ... ) == 0x0
 00963   396   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00964   396   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00965   396   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\eupsvc.exe"}, 1234720, ... ) }, 1234720, ... ) == 0x0
 00966   396   NtAllocateVirtualMemory  (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0
 00967   396   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 128, {status=0x0, info=1}, ) }, 3, 16417, ... 128, {status=0x0, info=1}, ) == 0x0
 00968   396   NtQueryDirectoryFile  (128, 0, 0, 0, 1234080, 616, BothDirectory, 1,  (128, 0, 0, 0, 1234080, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 00969   396   NtClose  (128, ... ) == 0x0
 00970   396   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 128, {status=0x0, info=1}, ) }, 3, 16417, ... 128, {status=0x0, info=1}, ) == 0x0
 00971   396   NtQueryDirectoryFile  (128, 0, 0, 0, 1234080, 616, BothDirectory, 1,  (128, 0, 0, 0, 1234080, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 00972   396   NtClose  (128, ... ) == 0x0
 00973   396   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 128, {status=0x0, info=1}, ) }, 3, 16417, ... 128, {status=0x0, info=1}, ) == 0x0
 00974   396   NtQueryDirectoryFile  (128, 0, 0, 0, 1234080, 616, BothDirectory, 1,  (128, 0, 0, 0, 1234080, 616, BothDirectory, 1, "eupsvc.exe", 0, ... {status=0x0, info=114}, ) , 0, ... {status=0x0, info=114}, ) == 0x0
 00975   396   NtClose  (128, ... ) == 0x0
 00976   396   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00977   396   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00978   396   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 00979   396   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00980   396   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 128, ) == 0x0
 00981   396   NtQueryInformationToken  (128, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00982   396   NtClose  (128, ... ) == 0x0
 00983   396   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00984   396   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\eupsvc.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00985   396   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00986   396   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00987   396   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\eupsvc.exe"}, 1237000, ... ) }, 1237000, ... ) == 0x0
 00988   396   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 128, {status=0x0, info=1}, ) }, 3, 16417, ... 128, {status=0x0, info=1}, ) == 0x0
 00989   396   NtQueryDirectoryFile  (128, 0, 0, 0, 1236360, 616, BothDirectory, 1,  (128, 0, 0, 0, 1236360, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 00990   396   NtClose  (128, ... ) == 0x0
 00991   396   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 128, {status=0x0, info=1}, ) }, 3, 16417, ... 128, {status=0x0, info=1}, ) == 0x0
 00992   396   NtQueryDirectoryFile  (128, 0, 0, 0, 1236360, 616, BothDirectory, 1,  (128, 0, 0, 0, 1236360, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 00993   396   NtClose  (128, ... ) == 0x0
 00994   396   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 128, {status=0x0, info=1}, ) }, 3, 16417, ... 128, {status=0x0, info=1}, ) == 0x0
 00995   396   NtQueryDirectoryFile  (128, 0, 0, 0, 1236360, 616, BothDirectory, 1,  (128, 0, 0, 0, 1236360, 616, BothDirectory, 1, "eupsvc.exe", 0, ... {status=0x0, info=114}, ) , 0, ... {status=0x0, info=114}, ) == 0x0
 00996   396   NtClose  (128, ... ) == 0x0
 00997   396   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00998   396   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00999   396   NtWaitForSingleObject  (112, 0, {-1000000, -1}, ... ) == 0x0
 01000   396   NtQueryVolumeInformationFile  (108, 1237644, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01001   396   NtQueryInformationFile  (108, 1237624, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01002   396   NtQueryInformationFile  (108, 1237664, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01003   396   NtReleaseMutant  (112, ... 0x0, ) == 0x0
 01004   396   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 01005   396   NtClose  (124, ... ) == 0x0
 01006   396   NtClose  (120, ... ) == 0x0
 01007   396   NtQuerySection  (104, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01008   396   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\eupsvc.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01009   396   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 01010   396   NtOpenProcessToken  (-1, 0xa, ... 120, ) == 0x0
 01011   396   NtQueryInformationToken  (120, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 01012   396   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01013   396   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 124, ) }, ... 124, ) == 0x0
 01014   396   NtQueryValueKey  (124,  (124, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (124, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01015   396   NtQueryValueKey  (124,  (124, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (124, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01016   396   NtClose  (124, ... ) == 0x0
 01017   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 124, ) }, ... 124, ) == 0x0
 01018   396   NtQueryValueKey  (124,  (124, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 01019   396   NtQueryValueKey  (124,  (124, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (124, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0
 01020   396   NtClose  (124, ... ) == 0x0
 01021   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\LevelObjects"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01022   396   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 124, ) }, ... 124, ) == 0x0
 01023   396   NtQueryValueKey  (124,  (124, "Levels", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01024   396   NtClose  (124, ... ) == 0x0
 01025   396   NtQueryDefaultLocale  (1, 1238456, ... ) == 0x0
 01026   396   NtQueryDefaultLocale  (1, 1238456, ... ) == 0x0
 01027   396   NtQueryDefaultLocale  (1, 1238456, ... ) == 0x0
 01028   396   NtQueryDefaultLocale  (1, 1238456, ... ) == 0x0
 01029   396   NtQueryDefaultLocale  (1, 1238456, ... ) == 0x0
 01030   396   NtQueryDefaultLocale  (1, 1238456, ... ) == 0x0
 01031   396   NtQueryDefaultLocale  (1, 1238456, ... ) == 0x0
 01032   396   NtQueryDefaultLocale  (1, 1238456, ... ) == 0x0
 01033   396   NtQueryDefaultLocale  (1, 1238456, ... ) == 0x0
 01034   396   NtQueryDefaultLocale  (1, 1238456, ... ) == 0x0
 01035   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... 124, ) }, ... 124, ) == 0x0
 01036   396   NtEnumerateKey  (124, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name= (124, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name="{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, 92, ) }, 92, ) == 0x0
 01037   396   NtOpenKey  (0x20019, {24, 124, 0x40, 0, 0,  (0x20019, {24, 124, 0x40, 0, 0, "{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, ... 128, ) }, ... 128, ) == 0x0
 01038   396   NtQueryValueKey  (128,  (128, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) , Partial, 280, ... TitleIdx=0, Type=2, Data= (128, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) }, 202, ) == 0x0
 01039   396   NtQueryValueKey  (128,  (128, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (128, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01040   396   NtClose  (128, ... ) == 0x0
 01041   396   NtEnumerateKey  (124, 1, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES
 01042   396   NtClose  (124, ... ) == 0x0
 01043   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01044   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01045   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01046   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01047   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01048   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01049   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01050   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01051   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01052   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01053   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01054   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01055   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01056   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01057   396   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01058   396   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 124, ) == 0x0
 01059   396   NtQueryInformationToken  (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01060   396   NtClose  (124, ... ) == 0x0
 01061   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01062   396   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01063   396   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 124, ) == 0x0
 01064   396   NtQueryInformationToken  (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01065   396   NtClose  (124, ... ) == 0x0
 01066   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01067   396   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01068   396   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 124, ) == 0x0
 01069   396   NtQueryInformationToken  (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01070   396   NtClose  (124, ... ) == 0x0
 01071   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01072   396   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01073   396   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 124, ) == 0x0
 01074   396   NtQueryInformationToken  (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01075   396   NtClose  (124, ... ) == 0x0
 01076   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01077   396   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01078   396   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 124, ) == 0x0
 01079   396   NtQueryInformationToken  (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01080   396   NtClose  (124, ... ) == 0x0
 01081   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01082   396   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01083   396   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 124, ) == 0x0
 01084   396   NtQueryInformationToken  (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01085   396   NtClose  (124, ... ) == 0x0
 01086   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01087   396   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01088   396   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 124, ) == 0x0
 01089   396   NtQueryInformationToken  (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01090   396   NtClose  (124, ... ) == 0x0
 01091   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01092   396   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01093   396   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 124, ) == 0x0
 01094   396   NtQueryInformationToken  (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01095   396   NtClose  (124, ... ) == 0x0
 01096   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01097   396   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01098   396   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 124, ) == 0x0
 01099   396   NtQueryInformationToken  (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01100   396   NtClose  (124, ... ) == 0x0
 01101   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01102   396   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01103   396   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 124, ) == 0x0
 01104   396   NtQueryInformationToken  (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01105   396   NtClose  (124, ... ) == 0x0
 01106   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01107   396   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01108   396   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 124, ) == 0x0
 01109   396   NtQueryInformationToken  (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01110   396   NtClose  (124, ... ) == 0x0
 01111   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01112   396   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01113   396   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 124, ) == 0x0
 01114   396   NtQueryInformationToken  (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01115   396   NtClose  (124, ... ) == 0x0
 01116   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01117   396   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01118   396   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 124, ) == 0x0
 01119   396   NtQueryInformationToken  (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01120   396   NtClose  (124, ... ) == 0x0
 01121   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01122   396   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01123   396   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 124, ) == 0x0
 01124   396   NtQueryInformationToken  (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01125   396   NtClose  (124, ... ) == 0x0
 01126   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01127   396   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01128   396   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 124, ) == 0x0
 01129   396   NtQueryInformationToken  (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01130   396   NtClose  (124, ... ) == 0x0
 01131   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01132   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 124, ) }, ... 124, ) == 0x0
 01133   396   NtQueryValueKey  (124,  (124, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (124, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Data= (124, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) }, 48, ) == 0x0
 01134   396   NtClose  (124, ... ) == 0x0
 01135   396   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01136   396   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 124, ) == 0x0
 01137   396   NtQueryInformationToken  (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01138   396   NtClose  (124, ... ) == 0x0
 01139   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01140   396   NtOpenThreadToken  (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN
 01141   396   NtOpenProcessToken  (-1, 0xa, ... 124, ) == 0x0
 01142   396   NtDuplicateToken  (124, 0xc, {24, 0, 0x0, 0, 1238976, 0x0}, 0, 2, ... 128, ) == 0x0
 01143   396   NtClose  (124, ... ) == 0x0
 01144   396   NtAccessCheck  (1430784, 128, 0x1, 1239104, 1239048, 56, 1239132, ... (0x1), ) == 0x0
 01145   396   NtClose  (128, ... ) == 0x0
 01146   396   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 128, ) }, ... 128, ) == 0x0
 01147   396   NtQueryValueKey  (128,  (128, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (128, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01148   396   NtClose  (128, ... ) == 0x0
 01149   396   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 128, ) }, ... 128, ) == 0x0
 01150   396   NtQuerySymbolicLinkObject  (128, ...  (128, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0
 01151   396   NtClose  (128, ... ) == 0x0
 01152   396   NtQueryInformationFile  (108, 1237436, 528, Name, ... {status=0x0, info=60}, ) == 0x0
 01153   396   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01154   396   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01155   396   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\eupsvc.exe"}, 1236116, ... ) }, 1236116, ... ) == 0x0
 01156   396   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 128, {status=0x0, info=1}, ) }, 3, 16417, ... 128, {status=0x0, info=1}, ) == 0x0
 01157   396   NtQueryDirectoryFile  (128, 0, 0, 0, 1235476, 616, BothDirectory, 1,  (128, 0, 0, 0, 1235476, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01158   396   NtClose  (128, ... ) == 0x0
 01159   396   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 128, {status=0x0, info=1}, ) }, 3, 16417, ... 128, {status=0x0, info=1}, ) == 0x0
 01160   396   NtQueryDirectoryFile  (128, 0, 0, 0, 1235476, 616, BothDirectory, 1,  (128, 0, 0, 0, 1235476, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01161   396   NtClose  (128, ... ) == 0x0
 01162   396   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 128, {status=0x0, info=1}, ) }, 3, 16417, ... 128, {status=0x0, info=1}, ) == 0x0
 01163   396   NtQueryDirectoryFile  (128, 0, 0, 0, 1235476, 616, BothDirectory, 1,  (128, 0, 0, 0, 1235476, 616, BothDirectory, 1, "eupsvc.exe", 0, ... {status=0x0, info=114}, ) , 0, ... {status=0x0, info=114}, ) == 0x0
 01164   396   NtClose  (128, ... ) == 0x0
 01165   396   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01166   396   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01167   396   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01168   396   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 128, ) == 0x0
 01169   396   NtQueryInformationToken  (128, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01170   396   NtClose  (128, ... ) == 0x0
 01171   396   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 128, ) }, ... 128, ) == 0x0
 01172   396   NtOpenKey  (0x20019, {24, 128, 0x40, 0, 0,  (0x20019, {24, 128, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 124, ) }, ... 124, ) == 0x0
 01173   396   NtClose  (128, ... ) == 0x0
 01174   396   NtQueryValueKey  (124,  (124, "Cache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01175   396   NtQueryValueKey  (124,  (124, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=1, Data= (124, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) }, 162, ) == 0x0
 01176   396   NtClose  (124, ... ) == 0x0
 01177   396   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 8192, 4, ... 10616832, 4096, ) == 0x0
 01178   396   NtAllocateVirtualMemory  (-1, 10616832, 0, 4096, 4096, 4, ... 10616832, 4096, ) == 0x0
 01179   396   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 124, ) }, ... 124, ) == 0x0
 01180   396   NtQueryValueKey  (124,  (124, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01181   396   NtClose  (124, ... ) == 0x0
 01182   396   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01183   396   NtQueryInformationToken  (120, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0
 01184   396   NtQueryInformationToken  (120, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0
 01185   396   NtClose  (120, ... ) == 0x0
 01186   396   NtCreateProcessEx  (1241712, 2035711, 0, -1, 0, 104, 0, 0, 0, ... ) == 0x0
 01187   396   NtSetInformationProcess  (120, PriorityClass, {process info, class 18, size 2}, 83886592, ... ) == 0x0
 01188   396   NtQueryInformationProcess  (120, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=364,ParentPid=388,}, 0x0, ) == 0x0
 01189   396   NtReadVirtualMemory  (120, 0x7ffdf008, 4, ...  (120, 0x7ffdf008, 4, ... "\0\0@\0", 0x0, ) , 0x0, ) == 0x0
 01190   396   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\eupsvc.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01191   396   NtAllocateVirtualMemory  (-1, 1433600, 0, 8192, 4096, 4, ... 1433600, 8192, ) == 0x0
 01192   396   NtReadVirtualMemory  (120, 0x400000, 4096, ...  (120, 0x400000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\370\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0V^\2517\22?\307d\22?\307d\22?\307d5\371\272d\11?\307d5\371\252d\234?\307d5\371\251d ?\307d\2217\232d\20?\307d\3210\232d\35?\307d\22?\306d\277?\307d5\371\265d\16?\307d5\371\277d\23?\307dRich\22?\307d\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0o\241\3\243"\202\300O\253\236\215\371S\364\26\360PE\0\0L\1\10\0!u\342E\0\0\0\0\0\0\0\0\340\0\3\1\13\1\10\0\0\320\1\0\0\260\0\0\0\0\0\0\256\357\10\0\0\320\5\0\0\340\1\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\0\11\0\0\20\0\0\4=\4\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\320\5\0\20\1\0\0\0\220\3\0\260\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\321\5\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.tex", 4096, ) \202\300O\253\236\215\371S\364\26\360PE\0\0L\1\10\0!u\342E\0\0\0\0\0\0\0\0\340\0\3\1\13\1\10\0\0\320\1\0\0\260\0\0\0\0\0\0\256\357\10\0\0\320\5\0\0\340\1\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\0\11\0\0\20\0\0\4=\4\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\320\5\0\20\1\0\0\0\220\3\0\260\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\321\5\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.tex", 4096, ) == 0x0
 01193   396   NtReadVirtualMemory  (120, 0x439000, 256, ...  (120, 0x439000, 256, ... "\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\30\0\0\0\30\0\0\200\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\1\0\0\00\0\0\200\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\11\4\0\0H\0\0\0X\220\3\0V\0\0\0\344\4\0\0\0\0\0\0\15\12PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING", 256, ) urn:schemas-microsoft-com:asm.v1 (120, 0x439000, 256, ... "\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\30\0\0\0\30\0\0\200\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\1\0\0\00\0\0\200\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\11\4\0\0H\0\0\0X\220\3\0V\0\0\0\344\4\0\0\0\0\0\0\15\12PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING", 256, ) 1.0 (120, 0x439000, 256, ... "\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\30\0\0\0\30\0\0\200\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\1\0\0\00\0\0\200\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\11\4\0\0H\0\0\0X\220\3\0V\0\0\0\344\4\0\0\0\0\0\0\15\12PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING", 256, ) , 256, ) == 0x0
 01194   396   NtReadVirtualMemory  (120, 0x439018, 24, ...  (120, 0x439018, 24, ... "\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\1\0\0\00\0\0\200", 24, ) , 24, ) == 0x0
 01195   396   NtReadVirtualMemory  (120, 0x439030, 24, ...  (120, 0x439030, 24, ... "\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\11\4\0\0H\0\0\0", 24, ) , 24, ) == 0x0
 01196   396   NtReadVirtualMemory  (120, 0x439048, 16, ...  (120, 0x439048, 16, ... "X\220\3\0V\0\0\0\344\4\0\0\0\0\0\0", 16, ) , 16, ) == 0x0
 01197   396   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\eupsvc.exe.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01198   396   NtQueryInformationProcess  (120, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=364,ParentPid=388,}, 0x0, ) == 0x0
 01199   396   NtAllocateVirtualMemory  (-1, 0, 0, 1716, 4096, 4, ... 10682368, 4096, ) == 0x0
 01200   396   NtAllocateVirtualMemory  (120, 0, 0, 1910, 4096, 4, ... 65536, 4096, ) == 0x0
 01201   396   NtWriteVirtualMemory  (120, 0x10000,  (120, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0
 01202   396   NtAllocateVirtualMemory  (120, 0, 0, 1716, 4096, 4, ... 131072, 4096, ) == 0x0
 01203   396   NtWriteVirtualMemory  (120, 0x20000,  (120, 0x20000, "\0\20\0\0\264\6\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0\10\2\220\2\0\0\0\0\0\0\374\0\376\0\230\4\0\0<\0>\0\230\5\0\0v\0x\0\330\5\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0<\0>\0P\6\0\0\36\0 \0\220\6\0\0\0\0\2\0\260\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1716, ... 0x0, ) , 1716, ... 0x0, ) == 0x0
 01204   396   NtWriteVirtualMemory  (120, 0x7ffdf010,  (120, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 01205   396   NtWriteVirtualMemory  (120, 0x7ffdf1e8,  (120, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 01206   396   NtFreeVirtualMemory  (-1, (0xa30000), 0, 32768, ... (0xa30000), 4096, ) == 0x0
 01207   396   NtAllocateVirtualMemory  (120, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0
 01208   396   NtAllocateVirtualMemory  (120, 1236992, 0, 8192, 4096, 4, ... 1236992, 8192, ) == 0x0
 01209   396   NtProtectVirtualMemory  (120, (0x12e000), 4096, 260, ... (0x12e000), 4096, 4, ) == 0x0
 01210   396   NtCreateThread  (0x1f03ff, 0x0, 120, 1239976, 1240696, 1, ... 124, {364, 564}, ) == 0x0
 01211   396   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 1378696, 1376256, 1396744, 1241796}  (24, {168, 196, new_msg, 0, 1378696, 1376256, 1396744, 1241796} "\210\6\31\1\0\0\1\0\2$\370w U\367w{\0\0\0|\0\0\0l\1\0\04\2\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\215\26\365w\0\0\0\0\1\0\0\0\0\0\0\0\1\1\1\0<\0@\0\244\6\31\1l\0\0\0x\0\0\0\0\0\0\0X\220C\0\0\0\0\0V\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0@\0\344\6\31\1\0\360\375\177\0\0\0\0\0\0\240\0\220\36\240\0" ... {168, 196, reply, 0, 388, 396, 1501, 0} "\320\231\26\0\0\0\1\0\0\0\0\0 U\367wx\0\0\0|\0\0\0l\1\0\04\2\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\215\26\365w\0\0\0\0\1\0\0\0\0\0\0\0\1\1\1\0<\0@\0\244\6\31\1l\0\0\0x\0\0\0\0\0\0\0X\220C\0\0\0\0\0V\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0@\0\344\6\31\1\0\360\375\177\0\0\0\0\0\0\240\0\220\36\240\0" )  ... {168, 196, reply, 0, 388, 396, 1501, 0}  (24, {168, 196, new_msg, 0, 1378696, 1376256, 1396744, 1241796} "\210\6\31\1\0\0\1\0\2$\370w U\367w{\0\0\0|\0\0\0l\1\0\04\2\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\215\26\365w\0\0\0\0\1\0\0\0\0\0\0\0\1\1\1\0<\0@\0\244\6\31\1l\0\0\0x\0\0\0\0\0\0\0X\220C\0\0\0\0\0V\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0@\0\344\6\31\1\0\360\375\177\0\0\0\0\0\0\240\0\220\36\240\0" ... {168, 196, reply, 0, 388, 396, 1501, 0} "\320\231\26\0\0\0\1\0\0\0\0\0 U\367wx\0\0\0|\0\0\0l\1\0\04\2\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\215\26\365w\0\0\0\0\1\0\0\0\0\0\0\0\1\1\1\0<\0@\0\244\6\31\1l\0\0\0x\0\0\0\0\0\0\0X\220C\0\0\0\0\0V\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0@\0\344\6\31\1\0\360\375\177\0\0\0\0\0\0\240\0\220\36\240\0" )  ) == 0x0
 01212   396   NtResumeThread  (124, ... 1, ) == 0x0
 01213   396   NtClose  (108, ... ) == 0x0
 01214   396   NtClose  (104, ... ) == 0x0
 01215   396   NtTerminateProcess  (0, 0, ... ) == 0x0
 01216   396   NtClose  (96, ... ) == 0x0
 01217   396   NtUnmapViewOfSection  (-1, 0x8e0000, ... ) == 0x0
 01218   396   NtClose  (100, ... ) == 0x0
 01219   396   NtClose  (80, ... ) == 0x0
 01220   396   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xa,}, 4, ... ) == 0x0
 01221   396   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc03b
 01222   396   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01223   396   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc03d
 01224   396   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01225   396   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc03f
 01226   396   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01227   396   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc041
 01228   396   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01229   396   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc043
 01230   396   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01231   396   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc045
 01232   396   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01233   396   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc047
 01234   396   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01235   396   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc049
 01236   396   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01237   396   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc04b
 01238   396   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01239   396   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc04d
 01240   396   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01241   396   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc04f
 01242   396   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01243   396   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc051
 01244   396   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01245   396   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc053
 01246   396   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01247   396   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc057
 01248   396   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01249   396   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc059
 01250   396   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01251   396   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc05b
 01252   396   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01253   396   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc05d
 01254   396   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01255   396   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc05f
 01256   396   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01257   396   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc017
 01258   396   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01259   396   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc019
 01260   396   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01261   396   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc018
 01262   396   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01263   396   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc01a
 01264   396   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01265   396   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc01c
 01266   396   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01267   396   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc01e
 01268   396   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01269   396   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc01b
 01270   396   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01271   396   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc068
 01272   396   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01273   396   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc06a
 01274   396   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01275   396   NtUnmapViewOfSection  (-1, 0x8f0000, ... ) == 0x0
 01276   396   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x4,}, 4, ... ) == 0x0
 01277   396   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x1,}, 4, ... ) == 0x0
 01278   396   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x2,}, 4, ... ) == 0x0
 01279   396   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x3,}, 4, ... ) == 0x0
 01280   396   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc03b
 01281   396   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01282   396   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc03d
 01283   396   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01284   396   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc03f
 01285   396   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01286   396   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc041
 01287   396   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01288   396   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc043
 01289   396   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01290   396   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc045
 01291   396   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01292   396   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc047
 01293   396   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01294   396   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc049
 01295   396   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01296   396   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc04b
 01297   396   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01298   396   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc04d
 01299   396   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01300   396   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc04f
 01301   396   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01302   396   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc051
 01303   396   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01304   396   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc053
 01305   396   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01306   396   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc057
 01307   396   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01308   396   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc059
 01309   396   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01310   396   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc05b
 01311   396   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01312   396   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc05d
 01313   396   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01314   396   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc05f
 01315   396   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01316   396   NtFreeVirtualMemory  (-1, (0xa20000), 4096, 32768, ... (0xa20000), 4096, ) == 0x0
 01317   396   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, -1, 4199054, 4310954, 4421244}  (24, {20, 48, new_msg, 0, -1, 4199054, 4310954, 4421244} "\0\0\0\0\3\0\1\0\320vC\0C:\W\0\0\0\0" ... {20, 48, reply, 0, 388, 396, 1509, 0} "\0\0\0\0\3\0\1\0\0\0\0\0C:\W\0\0\0\0" )  ... {20, 48, reply, 0, 388, 396, 1509, 0}  (24, {20, 48, new_msg, 0, -1, 4199054, 4310954, 4421244} "\0\0\0\0\3\0\1\0\320vC\0C:\W\0\0\0\0" ... {20, 48, reply, 0, 388, 396, 1509, 0} "\0\0\0\0\3\0\1\0\0\0\0\0C:\W\0\0\0\0" )  ) == 0x0
 01318   396   NtTerminateProcess  (-1, 0, ...
 01319   396   NtClose  (44, ... ) == 0x0