Summary:


NtAccessCheck(>)  1 
NtUserGetThreadDesktop(>)  1 
NtSetInformationFile(>)  5 
NtQueryVirtualMemory(>)  15 

NtCallbackReturn(>)  1 
NtUserOpenWindowStation(>)  1 
NtUserBuildHwndList(>)  5 
NtDeviceIoControlFile(>)  16 

NtCreateProcessEx(>)  1 
NtUserSystemParametersInfo(>)  1 
NtWriteVirtualMemory(>)  5 
NtRequestWaitReplyPort(>)  16 

NtCreateSemaphore(>)  1 
NtConnectPort(>)  2 
NtContinue(>)  6 
NtOpenSection(>)  24 

NtCreateThread(>)  1 
NtCreateIoCompletion(>)  2 
NtOpenProcessToken(>)  6 
NtQueryDirectoryFile(>)  24 

NtDuplicateToken(>)  1 
NtGdiCreateSolidBrush(>)  2 
NtQueryDefaultUILanguage(>)  6 
NtSetInformationProcess(>)  25 

NtGdiCreateBitmap(>)  1 
NtGdiHfontCreate(>)  2 
NtUserGetProcessWindowStation(>)  6 
NtOpenProcessTokenEx(>)  28 

NtGdiCreatePatternBrushInternal(>)  1 
NtQueryInformationJobObject(>)  2 
NtWaitForSingleObject(>)  6 
NtOpenThreadTokenEx(>)  28 

NtGdiInit(>)  1 
NtReleaseMutant(>)  2 
NtFsControlFile(>)  7 
NtCreateSection(>)  29 

NtGdiQueryFontAssocInfo(>)  1 
NtTerminateProcess(>)  2 
NtOpenThreadToken(>)  7 
NtQueryInformationToken(>)  37 

NtGdiSelectBitmap(>)  1 
NtUserCloseWindowStation(>)  2 
NtQueryInformationFile(>)  7 
NtOpenFile(>)  41 

NtOpenEvent(>)  1 
NtUserGetObjectInformation(>)  2 
NtWaitForMultipleObjects(>)  7 
NtQueryInformationProcess(>)  44 

NtOpenKeyedEvent(>)  1 
NtGdiCreateCompatibleDC(>)  3 
NtEnumerateKey(>)  8 
NtQueryDefaultLocale(>)  48 

NtOpenMutant(>)  1 
NtGdiDeleteObjectApp(>)  3 
NtSetValueKey(>)  8 
NtUnmapViewOfSection(>)  48 

NtQueryDebugFilterState(>)  1 
NtOpenDirectoryObject(>)  3 
NtUserCallNoParam(>)  9 
NtAllocateVirtualMemory(>)  51 

NtQueryInstallUILanguage(>)  1 
NtOpenSymbolicLinkObject(>)  3 
NtUserFindExistingCursorIcon(>)  9 
NtQueryAttributesFile(>)  54 

NtQueryObject(>)  1 
NtQuerySymbolicLinkObject(>)  3 
NtUserGetWindowDC(>)  10 
NtFlushInstructionCache(>)  65 

NtQueryPerformanceCounter(>)  1 
NtReadVirtualMemory(>)  3 
NtCreateKey(>)  11 
NtMapViewOfSection(>)  69 

NtQuerySystemTime(>)  1 
NtSetEvent(>)  3 
NtFreeVirtualMemory(>)  11 
NtQuerySystemInformation(>)  76 

NtRegisterThreadTerminatePort(>)  1 
NtSetInformationObject(>)  3 
NtUserCallOneParam(>)  11 
NtQueryValueKey(>)  105 

NtResumeThread(>)  1 
NtUserOpenDesktop(>)  3 
NtWriteFile(>)  11 
NtUserValidateHandleSecure(>)  132 

NtSecureConnectPort(>)  1 
NtCreateMutant(>)  4 
NtQuerySection(>)  12 
NtOpenKey(>)  153 

NtTestAlert(>)  1 
NtDuplicateObject(>)  4 
NtSetInformationThread(>)  13 
NtProtectVirtualMemory(>)  156 

NtUserBuildNameList(>)  1 
NtQueryVolumeInformationFile(>)  4 
NtCreateEvent(>)  14 
NtUserQueryWindow(>)  160 

NtUserCloseDesktop(>)  1 
NtGdiGetStockObject(>)  5 
NtCreateFile(>)  14 
NtClose(>)  240 

NtUserGetGUIThreadInfo(>)  1 
NtReadFile(>)  5 
NtUserRegisterClassExWOW(>)  14 

Trace:
 00001   860   NtOpenFile  (0x80100000, {24, 0, 0x240, 0, 0,  (0x80100000, {24, 0, 0x240, 0, 0, "\SystemRoot\Prefetch\PACKED.EXE-09ED06A1.pf"}, 0, 32, ... ) }, 0, 32, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002   860   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00003   860   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00004   860   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00005   860   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0
 00006   860   NtAllocateVirtualMemory  (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0
 00007   860   NtAllocateVirtualMemory  (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0
 00008   860   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00009   860   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0
 00010   860   NtAllocateVirtualMemory  (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0
 00011   860   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00012   860   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00013   860   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00014   860   NtClose  (12, ... ) == 0x0
 00015   860   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\C:\scripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00016   860   NtQueryVolumeInformationFile  (12, 1243852, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00017   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243804, ... ) }, 1243804, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018   860   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019   860   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7c800000), 0x0, 1003520, ) == 0x0
 00020   860   NtClose  (16, ... ) == 0x0
 00021   860   NtProtectVirtualMemory  (-1, (0x7c801000), 1568, 4, ... (0x7c801000), 4096, 32, ) == 0x0
 00022   860   NtProtectVirtualMemory  (-1, (0x7c801000), 4096, 32, ... (0x7c801000), 4096, 4, ) == 0x0
 00023   860   NtFlushInstructionCache  (-1, 2088767488, 1568, ... ) == 0x0
 00024   860   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00025   860   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00026   860   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00027   860   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00028   860   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) == 0x0
 00029   860   NtClose  (16, ... ) == 0x0
 00030   860   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00031   860   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00032   860   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00033   860   NtQueryVirtualMemory  (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00034   860   NtAllocateVirtualMemory  (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0
 00035   860   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184}  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6\31\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 464, 860, 57957, 0} "`\375\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ... {28, 56, reply, 0, 464, 860, 57957, 0}  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6\31\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 464, 860, 57957, 0} "`\375\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ) == 0x0
 00036   860   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00037   860   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00038   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00039   860   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00040   860   NtClose  (16, ... ) == 0x0
 00041   860   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 16, ) }, ... 16, ) == 0x0
 00042   860   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0
 00043   860   NtClose  (16, ... ) == 0x0
 00044   860   NtQueryDefaultLocale  (0, 2089305000, ... ) == 0x0
 00045   860   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 16, ) }, ... 16, ) == 0x0
 00046   860   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 249856, ) == 0x0
 00047   860   NtClose  (16, ... ) == 0x0
 00048   860   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 16, ) }, ... 16, ) == 0x0
 00049   860   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0
 00050   860   NtQuerySection  (16, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00051   860   NtClose  (16, ... ) == 0x0
 00052   860   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 16, ) }, ... 16, ) == 0x0
 00053   860   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0
 00054   860   NtClose  (16, ... ) == 0x0
 00055   860   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00056   860   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00057   860   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00058   860   NtAllocateVirtualMemory  (-1, 2428928, 0, 8192, 4096, 4, ... 2428928, 8192, ) == 0x0
 00059   860   NtRequestWaitReplyPort  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776}  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6\31\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" ... {24, 52, reply, 0, 464, 860, 57958, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" )  ... {24, 52, reply, 0, 464, 860, 57958, 0}  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6\31\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" ... {24, 52, reply, 0, 464, 860, 57958, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" )  ) == 0x0
 00060   860   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0}  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 464, 860, 57959, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ... {28, 56, reply, 0, 464, 860, 57959, 0}  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 464, 860, 57959, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ) == 0x0
 00061   860   NtProtectVirtualMemory  (-1, (0x47c000), 155648, 4, ... (0x47c000), 155648, 128, ) == 0x0
 00062   860   NtProtectVirtualMemory  (-1, (0x47c000), 155648, 128, ... (0x47c000), 155648, 4, ) == 0x0
 00063   860   NtFlushInstructionCache  (-1, 4702208, 155648, ... ) == 0x0
 00064   860   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2_32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00065   860   NtAllocateVirtualMemory  (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0
 00066   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.DLL"}, 1242572, ... ) }, 1242572, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00067   860   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 00068   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.DLL"}, 1242572, ... ) }, 1242572, ... ) == 0x0
 00069   860   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.DLL"}, 5, 96, ... 16, {status=0x0, info=1}, ) }, 5, 96, ... 16, {status=0x0, info=1}, ) == 0x0
 00070   860   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 16, ... 28, ) == 0x0
 00071   860   NtQuerySection  (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00072   860   NtOpenProcessToken  (-1, 0x8, ... 32, ) == 0x0
 00073   860   NtQueryInformationToken  (32, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00074   860   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00075   860   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 36, ) }, ... 36, ) == 0x0
 00076   860   NtQueryValueKey  (36,  (36, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (36, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00077   860   NtClose  (36, ... ) == 0x0
 00078   860   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00079   860   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 36, ) == 0x0
 00080   860   NtQueryInformationToken  (36, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00081   860   NtClose  (36, ... ) == 0x0
 00082   860   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00083   860   NtClose  (32, ... ) == 0x0
 00084   860   NtClose  (16, ... ) == 0x0
 00085   860   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 94208, ) == 0x0
 00086   860   NtClose  (28, ... ) == 0x0
 00087   860   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00088   860   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 360448, ) == 0x0
 00089   860   NtClose  (28, ... ) == 0x0
 00090   860   NtProtectVirtualMemory  (-1, (0x77c11000), 632, 4, ... (0x77c11000), 4096, 32, ) == 0x0
 00091   860   NtProtectVirtualMemory  (-1, (0x77c11000), 4096, 32, ... (0x77c11000), 4096, 4, ) == 0x0
 00092   860   NtFlushInstructionCache  (-1, 2009141248, 632, ... ) == 0x0
 00093   860   NtProtectVirtualMemory  (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0
 00094   860   NtProtectVirtualMemory  (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0
 00095   860   NtFlushInstructionCache  (-1, 1907036160, 468, ... ) == 0x0
 00096   860   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00097   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1241756, ... ) }, 1241756, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00098   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 1241756, ... ) }, 1241756, ... ) == 0x0
 00099   860   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00100   860   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 28, ... 16, ) == 0x0
 00101   860   NtQuerySection  (16, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00102   860   NtClose  (28, ... ) == 0x0
 00103   860   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00104   860   NtClose  (16, ... ) == 0x0
 00105   860   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00106   860   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 634880, ) == 0x0
 00107   860   NtClose  (16, ... ) == 0x0
 00108   860   NtProtectVirtualMemory  (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0
 00109   860   NtProtectVirtualMemory  (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0
 00110   860   NtFlushInstructionCache  (-1, 2010976256, 1700, ... ) == 0x0
 00111   860   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00112   860   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e70000), 0x0, 593920, ) == 0x0
 00113   860   NtClose  (16, ... ) == 0x0
 00114   860   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00115   860   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00116   860   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00117   860   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00118   860   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00119   860   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00120   860   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00121   860   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00122   860   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00123   860   NtProtectVirtualMemory  (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0
 00124   860   NtProtectVirtualMemory  (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0
 00125   860   NtFlushInstructionCache  (-1, 2010976256, 1700, ... ) == 0x0
 00126   860   NtProtectVirtualMemory  (-1, (0x71aa1000), 352, 4, ... (0x71aa1000), 4096, 32, ) == 0x0
 00127   860   NtProtectVirtualMemory  (-1, (0x71aa1000), 4096, 32, ... (0x71aa1000), 4096, 4, ) == 0x0
 00128   860   NtFlushInstructionCache  (-1, 1906970624, 352, ... ) == 0x0
 00129   860   NtProtectVirtualMemory  (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0
 00130   860   NtProtectVirtualMemory  (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0
 00131   860   NtFlushInstructionCache  (-1, 1907036160, 468, ... ) == 0x0
 00132   860   NtProtectVirtualMemory  (-1, (0x47c000), 155648, 4, ... (0x47c000), 155648, 64, ) == 0x0
 00133   860   NtProtectVirtualMemory  (-1, (0x47c000), 155648, 64, ... (0x47c000), 155648, 4, ) == 0x0
 00134   860   NtFlushInstructionCache  (-1, 4702208, 155648, ... ) == 0x0
 00135   860   NtQueryInformationProcess  (-1, 37, 48, ... {process info, class 37, size 48}, 0x0, ) == 0x0
 00136   860   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 5, 96, ... 16, {status=0x0, info=1}, ) }, 5, 96, ... 16, {status=0x0, info=1}, ) == 0x0
 00137   860   NtReadFile  (16, 0, 0, 0, 4, {188412, 0}, 0, ... {status=0x0, info=4},  (16, 0, 0, 0, 4, {188412, 0}, 0, ... {status=0x0, info=4}, "\300 \0\0", ) , ) == 0x0
 00138   860   NtReadFile  (16, 0, 0, 0, 8, {8380, 0}, 0, ... {status=0x0, info=8},  (16, 0, 0, 0, 8, {8380, 0}, 0, ... {status=0x0, info=8}, "\320J\233Dhs5\223", ) , ) == 0x0
 00139   860   NtReadFile  (16, 0, 0, 0, 8, {180020, 0}, 0, ... {status=0x0, info=8},  (16, 0, 0, 0, 8, {180020, 0}, 0, ... {status=0x0, info=8}, "\362;\213\12\257\312\207\325", ) , ) == 0x0
 00140   860   NtClose  (16, ... ) == 0x0
 00141   860   NtSetInformationProcess  (-1, 34, {process info, class 34, size 4}, 4, ... ) == 0x0
 00142   860   NtOpenProcessToken  (-1, 0x8, ... 16, ) == 0x0
 00143   860   NtQueryInformationToken  (16, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00144   860   NtClose  (16, ... ) == 0x0
 00145   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00146   860   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00147   860   NtClose  (16, ... ) == 0x0
 00148   860   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msvcrt.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00149   860   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00150   860   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3276800, 65536, ) == 0x0
 00151   860   NtAllocateVirtualMemory  (-1, 3276800, 0, 4096, 4096, 4, ... 3276800, 4096, ) == 0x0
 00152   860   NtAllocateVirtualMemory  (-1, 3280896, 0, 8192, 4096, 4, ... 3280896, 8192, ) == 0x0
 00153   860   NtAllocateVirtualMemory  (-1, 3289088, 0, 4096, 4096, 4, ... 3289088, 4096, ) == 0x0
 00154   860   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 16, ) }, ... 16, ) == 0x0
 00155   860   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x330000), 0x0, 12288, ) == 0x0
 00156   860   NtClose  (16, ... ) == 0x0
 00157   860   NtAllocateVirtualMemory  (-1, 3293184, 0, 4096, 4096, 4, ... 3293184, 4096, ) == 0x0
 00158   860   NtQueryVirtualMemory  (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 00159   860   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00160   860   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00161   860   NtQueryVirtualMemory  (-1, 0x0, Basic, 28, ... {BaseAddress=0x0,AllocationBase=0x0,AllocationProtect=0x0,RegionSize=0x10000,State=0x10000,Protect=0x1,Type=0x0,}, 28, ) == 0x0
 00162   860   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00163   860   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADVAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00164   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00165   860   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00166   860   NtQueryValueKey  (16,  (16, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00167   860   NtClose  (16, ... ) == 0x0
 00168   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 16, ) }, ... 16, ) == 0x0
 00169   860   NtQueryValueKey  (16,  (16, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00170   860   NtClose  (16, ... ) == 0x0
 00171   860   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 16, ) }, ... 16, ) == 0x0
 00172   860   NtSetInformationObject  (16, Handle, {Inherit=0,ProtectFromClose=1,}, 2011431168, ... ) == 0x0
 00173   860   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00174   860   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00175   860   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2_32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00176   860   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00177   860   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00178   860   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00179   860   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00180   860   NtTestAlert  (... ) == 0x0
 00181   860   NtContinue  (1244464, 1, ...
 00182   860   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x47c17a,}, 4, ... ) == 0x0
 00183   860   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 4096, 64, ... 3407872, 4096, ) == 0x0
 00184   860   NtAllocateVirtualMemory  (-1, 0, 0, 15980, 4096, 4, ... 3473408, 16384, ) == 0x0
 00185   860   NtFreeVirtualMemory  (-1, (0x350000), 0, 32768, ... (0x350000), 16384, ) == 0x0
 00186   860   NtFreeVirtualMemory  (-1, (0x340000), 0, 32768, ... (0x340000), 4096, ) == 0x0
 00187   860   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 28, ) }, ... 28, ) == 0x0
 00188   860   NtQueryValueKey  (28,  (28, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00189   860   NtClose  (28, ... ) == 0x0
 00190   860   NtAllocateVirtualMemory  (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0
 00191   860   NtProtectVirtualMemory  (-1, (0x40e860), -1662053999, -238816909, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00192   860   NtProtectVirtualMemory  (-1, (0x3fff02), -1920137235, -2091057152, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00193   860   NtProtectVirtualMemory  (-1, (0x141c600), 148100, 251738496, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00194   860   NtProtectVirtualMemory  (-1, (0xfed68589), -362, -2060728949, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00195   860   NtProtectVirtualMemory  (-1, (0xff4ab58d), -314, -2063466497, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00196   860   NtProtectVirtualMemory  (-1, (0x500068), 1080710741, 100794367, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00197   860   NtProtectVirtualMemory  (-1, (0xff6e95ff), 6946816, 268462080, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00198   860   NtProtectVirtualMemory  (-1, (0x85c90000), 57246735, -1064960001, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00199   860   NtProtectVirtualMemory  (-1, (0x67f95b00), 232, -322, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00200   860   NtProtectVirtualMemory  (-1, (0x4002b0), -397192999, 50331651, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00201   860   NtProtectVirtualMemory  (-1, (0x3ffe86), -1123811957, 915103070, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00202   860   NtProtectVirtualMemory  (-1, (0xf904c7), -2096466688, 1065607051, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00203   860   NtProtectVirtualMemory  (-1, (0x3b430000), 112918, -352321536, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00204   860   NtProtectVirtualMemory  (-1, (0x33cb1301), 880017467, -2096839805, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00205   860   NtProtectVirtualMemory  (-1, (0x3fff32), -1241558191, 1459911427, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00206   860   NtProtectVirtualMemory  (-1, (0x85cbcf8b), -695468033, -13715969, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00207   860   NtProtectVirtualMemory  (-1, (0x5c10ff00), 371205, -322, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00208   860   NtProtectVirtualMemory  (-1, (0xc82b08c3), -2096794624, -108830887, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00209   860   NtProtectVirtualMemory  (-1, (0x3ebeb5), -16750080, 8388712, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00210   860   NtProtectVirtualMemory  (-1, (0x3ec6b5), -1912602625, 848691199, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00211   860   NtProtectVirtualMemory  (-1, (0x843e8b36), -1961863539, 139365375, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00212   860   NtProtectVirtualMemory  (-1, (0x77413ce8), 742852490, 1064567033, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00213   860   NtProtectVirtualMemory  (-1, (0x385a8a14), 1946157434, -2146989065, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00214   860   NtProtectVirtualMemory  (-1, (0xc10108e8), -1050278817, -1964411617, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00215   860   NtProtectVirtualMemory  (-1, (0xc101c486), 73370122, -339442160, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00216   860   NtAllocateVirtualMemory  (-1, 0, 0, 118784, 4096, 4, ... 3407872, 118784, ) == 0x0
 00217   860   NtAllocateVirtualMemory  (-1, 0, 0, 118784, 4096, 4, ... 3538944, 118784, ) == 0x0
 00218   860   NtFreeVirtualMemory  (-1, (0x340000), 0, 32768, ... (0x340000), 118784, ) == 0x0
 00219   860   NtAllocateVirtualMemory  (-1, 0, 0, 1350, 4096, 4, ... 3407872, 4096, ) == 0x0
 00220   860   NtFreeVirtualMemory  (-1, (0x340000), 0, 32768, ... (0x340000), 4096, ) == 0x0
 00221   860   NtAllocateVirtualMemory  (-1, 0, 0, 79872, 4096, 4, ... 3407872, 81920, ) == 0x0
 00222   860   NtFreeVirtualMemory  (-1, (0x340000), 0, 32768, ... (0x340000), 81920, ) == 0x0
 00223   860   NtAllocateVirtualMemory  (-1, 0, 0, 2048, 4096, 4, ... 3407872, 4096, ) == 0x0
 00224   860   NtFreeVirtualMemory  (-1, (0x340000), 0, 32768, ... (0x340000), 4096, ) == 0x0
 00225   860   NtAllocateVirtualMemory  (-1, 0, 0, 2560, 4096, 4, ... 3407872, 4096, ) == 0x0
 00226   860   NtFreeVirtualMemory  (-1, (0x340000), 0, 32768, ... (0x340000), 4096, ) == 0x0
 00227   860   NtAllocateVirtualMemory  (-1, 0, 0, 5120, 4096, 4, ... 3407872, 8192, ) == 0x0
 00228   860   NtFreeVirtualMemory  (-1, (0x340000), 0, 32768, ... (0x340000), 8192, ) == 0x0
 00229   860   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "user32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00230   860   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7e410000), 0x0, 589824, ) == 0x0
 00231   860   NtClose  (28, ... ) == 0x0
 00232   860   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00233   860   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f10000), 0x0, 290816, ) == 0x0
 00234   860   NtClose  (28, ... ) == 0x0
 00235   860   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00236   860   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00237   860   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00238   860   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00239   860   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00240   860   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00241   860   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00242   860   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00243   860   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00244   860   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00245   860   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00246   860   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00247   860   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00248   860   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00249   860   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00250   860   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00251   860   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00252   860   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00253   860   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00254   860   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\user32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00255   860   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00256   860   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2089900645, 7274606, 2090320576, 1241608}  (24, {28, 56, new_msg, 0, 2089900645, 7274606, 2090320576, 1241608} "\210\6\31\1\0\0\0\0\344\0\23\0\4\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 464, 860, 57967, 0} "\320G\26\0\0\0\0\0\0\0\0\0\4\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" )  ... {28, 56, reply, 0, 464, 860, 57967, 0}  (24, {28, 56, new_msg, 0, 2089900645, 7274606, 2090320576, 1241608} "\210\6\31\1\0\0\0\0\344\0\23\0\4\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 464, 860, 57967, 0} "\320G\26\0\0\0\0\0\0\0\0\0\4\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" )  ) == 0x0
 00257   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239000, ... ) }, 1239000, ... ) == 0x0
 00258   860   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00259   860   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 28, ... 32, ) == 0x0
 00260   860   NtClose  (28, ... ) == 0x0
 00261   860   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x340000), 0x0, 110592, ) == 0x0
 00262   860   NtClose  (32, ... ) == 0x0
 00263   860   NtUnmapViewOfSection  (-1, 0x340000, ... ) == 0x0
 00264   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1238908, ... ) }, 1238908, ... ) == 0x0
 00265   860   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 32, {status=0x0, info=1}, ) }, 5, 96, ... 32, {status=0x0, info=1}, ) == 0x0
 00266   860   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 32, ... 28, ) == 0x0
 00267   860   NtClose  (32, ... ) == 0x0
 00268   860   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x340000), 0x0, 110592, ) == 0x0
 00269   860   NtClose  (28, ... ) == 0x0
 00270   860   NtUnmapViewOfSection  (-1, 0x340000, ... ) == 0x0
 00271   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239216, ... ) }, 1239216, ... ) == 0x0
 00272   860   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00273   860   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 28, ... 32, ) == 0x0
 00274   860   NtQuerySection  (32, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00275   860   NtClose  (28, ... ) == 0x0
 00276   860   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76390000), 0x0, 118784, ) == 0x0
 00277   860   NtClose  (32, ... ) == 0x0
 00278   860   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00279   860   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00280   860   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00281   860   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00282   860   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00283   860   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00284   860   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00285   860   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00286   860   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00287   860   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMM32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00288   860   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00289   860   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00290   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1236132, ... ) }, 1236132, ... ) == 0x0
 00291   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239536, ... ) }, 1239536, ... ) == 0x0
 00292   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00293   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize"}, ... 32, ) }, ... 32, ) == 0x0
 00294   860   NtQueryValueKey  (32,  (32, "DisableMetaFiles", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00295   860   NtClose  (32, ... ) == 0x0
 00296   860   NtMapViewOfSection  (-2147482740, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x580000), 0x0, 1060864, ) == 0x0
 00297   860   NtClose  (-2147482740, ... ) == 0x0
 00298   860   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 32, ) == 0x0
 00299   860   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00300   860   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482740, ) == 0x0
 00301   860   NtQueryInformationToken  (-2147482740, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00302   860   NtQueryInformationToken  (-2147482740, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00303   860   NtClose  (-2147482740, ... ) == 0x0
 00304   860   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 3407872, 4096, ) == 0x0
 00305   860   NtFreeVirtualMemory  (-1, (0x340000), 4096, 32768, ... (0x340000), 4096, ) == 0x0
 00306   860   NtDuplicateObject  (-1, 28, -1, 0x0, 0, 2, ... 40, ) == 0x0
 00307   860   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0
 00308   860   NtQueryValueKey  (-2147482740,  (-2147482740, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00309   860   NtClose  (-2147482740, ... ) == 0x0
 00310   860   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0
 00311   860   NtQueryValueKey  (-2147482740,  (-2147482740, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00312   860   NtClose  (-2147482740, ... ) == 0x0
 00313   860   NtQueryDefaultLocale  (0, -106645172, ... ) == 0x0
 00314   860   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00315   860   NtUserCallNoParam  (24, ... ) == 0x0
 00316   860   NtGdiCreateCompatibleDC  (0, ...
 00317   860   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 3407872, 4096, ) == 0x0
 00316   860   NtGdiCreateCompatibleDC  ... ) == 0xee0105b0
 00318   860   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00319   860   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00320   860   NtGdiCreateBitmap  (8, 8, 1, 1, 2118200212, ... ) == 0x76050581
 00321   860   NtGdiCreateSolidBrush  (0, 0, ...
 00322   860   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 3473408, 4096, ) == 0x0
 00321   860   NtGdiCreateSolidBrush  ... ) == 0xa51003d2
 00323   860   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00324   860   NtGdiCreateCompatibleDC  (0, ... ) == 0x5201039b
 00325   860   NtGdiSelectBitmap  (1375798171, 1980040577, ... ) == 0x185000f
 00326   860   NtUserGetThreadDesktop  (860, 0, ... ) == 0x24
 00327   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 44, ) }, ... 44, ) == 0x0
 00328   860   NtQueryValueKey  (44,  (44, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (44, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00329   860   NtClose  (44, ... ) == 0x0
 00330   860   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00331   860   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 673, 128, 0, ... ) == 0x8173c017
 00332   860   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00333   860   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 674, 128, 0, ... ) == 0x8173c01c
 00334   860   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00335   860   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 675, 128, 0, ... ) == 0x8173c01e
 00336   860   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00337   860   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 676, 128, 0, ... ) == 0x81738002
 00338   860   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10013
 00339   860   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 677, 128, 0, ... ) == 0x8173c018
 00340   860   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00341   860   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 678, 128, 0, ... ) == 0x8173c01a
 00342   860   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00343   860   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 679, 128, 0, ... ) == 0x8173c01d
 00344   860   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00345   860   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 681, 128, 0, ... ) == 0x8173c026
 00346   860   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00347   860   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 680, 128, 0, ... ) == 0x8173c019
 00348   860   NtUserRegisterClassExWOW  (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x8173c020
 00349   860   NtUserRegisterClassExWOW  (1240932, 1241028, 1241012, 1241000, 0, 130, 0, ... ) == 0x8173c022
 00350   860   NtUserRegisterClassExWOW  (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x8173c023
 00351   860   NtUserRegisterClassExWOW  (1240932, 1241028, 1241012, 1241000, 0, 130, 0, ... ) == 0x8173c024
 00352   860   NtUserRegisterClassExWOW  (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x8173c025
 00353   860   NtCallbackReturn  (0, 0, 0, ...
 00354   860   NtGdiInit  (... ) == 0x1
 00355   860   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00356   860   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00357   860   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ole32.dll"}, ... 44, ) }, ... 44, ) == 0x0
 00358   860   NtMapViewOfSection  (44, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x774e0000), 0x0, 1298432, ) == 0x0
 00359   860   NtClose  (44, ... ) == 0x0
 00360   860   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00361   860   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00362   860   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00363   860   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00364   860   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00365   860   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00366   860   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00367   860   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00368   860   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00369   860   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00370   860   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00371   860   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00372   860   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00373   860   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00374   860   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00375   860   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00376   860   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00377   860   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00378   860   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00379   860   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00380   860   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00381   860   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ole32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00382   860   NtAllocateVirtualMemory  (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0
 00383   860   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... 44, {status=0x0, info=0}, ) }, 7, 16, ... 44, {status=0x0, info=0}, ) == 0x0
 00384   860   NtDeviceIoControlFile  (44, 0, 0x0, 0x0, 0x390008,  (44, 0, 0x0, 0x0, 0x390008, "Mh\230,\17W\350:K\353\307\264v\265\37\253\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00385   860   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00386   860   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00387   860   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00388   860   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00389   860   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00390   860   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00391   860   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00392   860   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482740, 2, ) }, 0, 0x0, 0, ... -2147482740, 2, ) == 0x0
 00393   860   NtSetValueKey  (-2147482740,  (-2147482740, "Seed", 0, 3, "Y\350\306\326?\374\262\221t\200\342 \240r~\343\276\360\225\202N\365\325\374\360\2572\326\210\327\21\336\303\244\234\310\301\353\30`H[\202\252\261,c\37|\276vz\342\355\263\345\363\206\177\344\351\343\260\245\33t\35\256\363ZmxA=&\247\15\270\3", 80, ... ) , 0, 3,  (-2147482740, "Seed", 0, 3, "Y\350\306\326?\374\262\221t\200\342 \240r~\343\276\360\225\202N\365\325\374\360\2572\326\210\327\21\336\303\244\234\310\301\353\30`H[\202\252\261,c\37|\276vz\342\355\263\345\363\206\177\344\351\343\260\245\33t\35\256\363ZmxA=&\247\15\270\3", 80, ... ) , 80, ... ) == 0x0
 00394   860   NtClose  (-2147482740, ... ) == 0x0
 00384   860   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "+\225+\332\211 \323?\234W\0\362\264{q\354L\224h\253\364]\4\365\33140m\250\251\202\225Q\3a0\4\11\13\2606\225ukcT\210\31\2038\2473\333\343\310beS\35W\301\350\271-\306Md{Dy=`k\305P?\33\311\321o\260\366\22524\2\341\373\310\216\233\216)\333XQ\322/\33\262Z\314\301;z\203RT\357`\345\227[\222\260\245\334\257\231\335\240[S\246\251\33\256\314\12\327\217\352\177z\255\341\17s_\34\177jN\257\200\357\216\302\340\210\335\343\344\370\347D\355\373\2540h\14\316S\325\211y\370\317f\206"\10\256$\2162w~\13\234\177\267\3235+E\345\300\252\326\334|\3218\302\366B3\14\2456F\375o\206P_\372\3533\377zDp\30\0y\335!\220O,m\17v\5\210!\243\217\321\4\330\24\24c\235\320v\222Q\365\265zz\14\273\177\10\267\262\0OG", ) \10\256$\2162w~\13\234\177\267\3235+E\345\300\252\326\334|\3218\302\366B3\14\2456F\375o\206P_\372\3533\377zDp\30\0y\335!\220O,m\17v\5\210!\243\217\321\4\330\24\24c\235\320v\222Q\365\265zz\14\273\177\10\267\262\0OG", ) == 0x0
 00395   860   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00396   860   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00397   860   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 48, ) }, ... 48, ) == 0x0
 00398   860   NtQueryValueKey  (48,  (48, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (48, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0
 00399   860   NtClose  (48, ... ) == 0x0
 00400   860   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Ole"}, ... 48, ) }, ... 48, ) == 0x0
 00401   860   NtQueryValueKey  (48,  (48, "RWLockResourceTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00402   860   NtClose  (48, ... ) == 0x0
 00403   860   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00404   860   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00405   860   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00406   860   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00407   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 48, ) }, ... 48, ) == 0x0
 00408   860   NtQueryValueKey  (48,  (48, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00409   860   NtQueryValueKey  (48,  (48, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00410   860   NtQueryValueKey  (48,  (48, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00411   860   NtClose  (48, ... ) == 0x0
 00412   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 48, ) }, ... 48, ) == 0x0
 00413   860   NtQueryValueKey  (48,  (48, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00414   860   NtQueryValueKey  (48,  (48, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00415   860   NtClose  (48, ... ) == 0x0
 00416   860   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 48, ) }, ... 48, ) == 0x0
 00417   860   NtOpenEvent  (0x1f0003, {24, 48, 0x0, 0, 0,  (0x1f0003, {24, 48, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00418   860   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00419   860   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 52, ) == 0x0
 00420   860   NtQueryInformationToken  (52, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00421   860   NtClose  (52, ... ) == 0x0
 00422   860   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 52, ) }, ... 52, ) == 0x0
 00423   860   NtSetInformationObject  (52, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 00424   860   NtOpenKey  (0xf003f, {24, 52, 0x40, 0, 0,  (0xf003f, {24, 52, 0x40, 0, 0, "Software\Borland\Locales"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00425   860   NtOpenKey  (0xf003f, {24, 52, 0x40, 0, 0,  (0xf003f, {24, 52, 0x40, 0, 0, "Software\Borland\Delphi\Locales"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00426   860   NtOpenProcessToken  (-1, 0x8, ... 56, ) == 0x0
 00427   860   NtQueryInformationToken  (56, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00428   860   NtClose  (56, ... ) == 0x0
 00429   860   NtUserCallOneParam  (0, 41, ... ) == 0x4
 00430   860   NtAllocateVirtualMemory  (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0
 00431   860   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 1, ... 10027008, 1048576, ) == 0x0
 00432   860   NtAllocateVirtualMemory  (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0
 00433   860   NtAllocateVirtualMemory  (-1, 10027008, 0, 16384, 4096, 4, ... 10027008, 16384, ) == 0x0
 00434   860   NtUserCallNoParam  (29, ...
 00435   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1242268, ... ) }, 1242268, ... ) == 0x0
 00436   860   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 56, {status=0x0, info=1}, ) }, 5, 96, ... 56, {status=0x0, info=1}, ) == 0x0
 00437   860   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 56, ... 60, ) == 0x0
 00438   860   NtClose  (56, ... ) == 0x0
 00439   860   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x380000), 0x0, 221184, ) == 0x0
 00440   860   NtClose  (60, ... ) == 0x0
 00441   860   NtUnmapViewOfSection  (-1, 0x380000, ... ) == 0x0
 00442   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1242576, ... ) }, 1242576, ... ) == 0x0
 00443   860   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 60, {status=0x0, info=1}, ) }, 5, 96, ... 60, {status=0x0, info=1}, ) == 0x0
 00444   860   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 60, ... 56, ) == 0x0
 00445   860   NtQuerySection  (56, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00446   860   NtClose  (60, ... ) == 0x0
 00447   860   NtMapViewOfSection  (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5ad70000), 0x0, 229376, ) == 0x0
 00448   860   NtClose  (56, ... ) == 0x0
 00449   860   NtProtectVirtualMemory  (-1, (0x5ad71000), 1300, 4, ... (0x5ad71000), 4096, 32, ) == 0x0
 00450   860   NtProtectVirtualMemory  (-1, (0x5ad71000), 4096, 32, ... (0x5ad71000), 4096, 4, ) == 0x0
 00451   860   NtFlushInstructionCache  (-1, 1524043776, 1300, ... ) == 0x0
 00452   860   NtProtectVirtualMemory  (-1, (0x5ad71000), 1300, 4, ... (0x5ad71000), 4096, 32, ) == 0x0
 00453   860   NtProtectVirtualMemory  (-1, (0x5ad71000), 4096, 32, ... (0x5ad71000), 4096, 4, ) == 0x0
 00454   860   NtFlushInstructionCache  (-1, 1524043776, 1300, ... ) == 0x0
 00455   860   NtProtectVirtualMemory  (-1, (0x5ad71000), 1300, 4, ... (0x5ad71000), 4096, 32, ) == 0x0
 00456   860   NtProtectVirtualMemory  (-1, (0x5ad71000), 4096, 32, ... (0x5ad71000), 4096, 4, ) == 0x0
 00457   860   NtFlushInstructionCache  (-1, 1524043776, 1300, ... ) == 0x0
 00458   860   NtProtectVirtualMemory  (-1, (0x5ad71000), 1300, 4, ... (0x5ad71000), 4096, 32, ) == 0x0
 00459   860   NtProtectVirtualMemory  (-1, (0x5ad71000), 4096, 32, ... (0x5ad71000), 4096, 4, ) == 0x0
 00460   860   NtFlushInstructionCache  (-1, 1524043776, 1300, ... ) == 0x0
 00461   860   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uxtheme.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00462   860   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00463   860   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00464   860   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00465   860   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 56, ) == 0x0
 00466   860   NtQueryInformationToken  (56, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00467   860   NtClose  (56, ... ) == 0x0
 00468   860   NtOpenKey  (0x2001f, {24, 0, 0x640, 0, 0,  (0x2001f, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 56, ) }, ... 56, ) == 0x0
 00469   860   NtOpenKey  (0x1, {24, 56, 0x40, 0, 0,  (0x1, {24, 56, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\ThemeManager"}, ... 60, ) }, ... 60, ) == 0x0
 00470   860   NtQueryValueKey  (60,  (60, "Compositing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00471   860   NtClose  (60, ... ) == 0x0
 00472   860   NtClose  (56, ... ) == 0x0
 00473   860   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00474   860   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 56, ) == 0x0
 00475   860   NtQueryInformationToken  (56, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00476   860   NtClose  (56, ... ) == 0x0
 00477   860   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 56, ) }, ... 56, ) == 0x0
 00478   860   NtOpenKey  (0x1, {24, 56, 0x40, 0, 0,  (0x1, {24, 56, 0x40, 0, 0, "Control Panel\Desktop"}, ... 60, ) }, ... 60, ) == 0x0
 00479   860   NtQueryValueKey  (60,  (60, "LameButtonText", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00480   860   NtClose  (60, ... ) == 0x0
 00481   860   NtClose  (56, ... ) == 0x0
 00482   860   NtUserGetProcessWindowStation  (... ) == 0x1c
 00483   860   NtUserGetObjectInformation  (28, 2, 1244364, 64, 1244360, ... ) == 0x1
 00484   860   NtUserGetGUIThreadInfo  (860, 1244384, ... ) == 0x1
 00485   860   NtConnectPort  ( ("\ThemeApiPort", {12, 2, 1, 1}, 0x0, 0x0, 1244228, 64, ... 56, 0x0, 0x0, 0x0, 64, ) , {12, 2, 1, 1}, 0x0, 0x0, 1244228, 64, ... 56, 0x0, 0x0, 0x0, 64, ) == 0x0
 00486   860   NtRequestWaitReplyPort  (56, {32, 56, new_msg, 0, 0, 0, 0, 0}  (56, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 464, 860, 57969, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 464, 860, 57969, 0}  (56, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 464, 860, 57969, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 00487   860   NtRequestWaitReplyPort  (56, {32, 56, new_msg, 0, 0, 0, 0, 0}  (56, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 464, 860, 57970, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 464, 860, 57970, 0}  (56, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 464, 860, 57970, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 00488   860   NtUserCallNoParam  (29, ...
 00489   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1241624, ... ) }, 1241624, ... ) == 0x0
 00488   860   NtUserCallNoParam  ... ) == 0x0
 00490   860   NtUserSystemParametersInfo  (41, 0, 1524240760, 0, ... ) == 0x1
 00491   860   NtGdiHfontCreate  (1243752, 356, 0, 0, 1340336, ... ) == 0x330a04e1
 00492   860   NtGdiHfontCreate  (1243752, 356, 0, 0, 1340328, ... ) == 0x520a0634
 00493   860   NtRequestWaitReplyPort  (56, {32, 56, new_msg, 0, 0, 0, 0, 0}  (56, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 464, 860, 57971, 0} "\0\0\0\0\0\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 464, 860, 57971, 0}  (56, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 464, 860, 57971, 0} "\0\0\0\0\0\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 00494   860   NtMapViewOfSection  (60, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x380000), {0, 0}, 327680, ) == 0x0
 00495   860   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00496   860   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00497   860   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00498   860   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00499   860   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00500   860   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00501   860   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00502   860   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00503   860   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00504   860   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00505   860   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00506   860   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00507   860   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00508   860   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00509   860   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00510   860   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00511   860   NtAllocateVirtualMemory  (-1, 3297280, 0, 4096, 4096, 4, ... 3297280, 4096, ) == 0x0
 00512   860   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00513   860   NtGdiCreatePatternBrushInternal  (59048383, 0, 0, ... ) == 0x72100798
 00514   860   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00515   860   NtUserCallNoParam  (29, ...
 00516   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1241064, ... ) }, 1241064, ... ) == 0x0
 00515   860   NtUserCallNoParam  ... ) == 0x0
 00517   860   NtUserCallNoParam  (29, ...
 00518   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1241060, ... ) }, 1241060, ... ) == 0x0
 00517   860   NtUserCallNoParam  ... ) == 0x0
 00434   860   NtUserCallNoParam  ... ) == 0x1
 00519   860   NtQueryVirtualMemory  (-1, 0x373313, Basic, 28, ... {BaseAddress=0x373000,AllocationBase=0x360000,AllocationProtect=0x4,RegionSize=0xa000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00520   860   NtQueryInformationProcess  (-1, 34, 4, ... {process info, class 34, size 4}, 0x0, ) == 0x0
 00521   860   NtContinue  (1244356, 0, ...
 00522   860   NtQueryVirtualMemory  (-1, 0x372d5c, Basic, 28, ... {BaseAddress=0x372000,AllocationBase=0x360000,AllocationProtect=0x4,RegionSize=0xb000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00523   860   NtQueryInformationProcess  (-1, 34, 4, ... {process info, class 34, size 4}, 0x0, ) == 0x0
 00524   860   NtContinue  (1244032, 0, ...
 00525   860   NtQueryVirtualMemory  (-1, 0x372dc0, Basic, 28, ... {BaseAddress=0x372000,AllocationBase=0x360000,AllocationProtect=0x4,RegionSize=0xb000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00526   860   NtQueryInformationProcess  (-1, 34, 4, ... {process info, class 34, size 4}, 0x0, ) == 0x0
 00527   860   NtContinue  (1244032, 0, ...
 00528   860   NtQueryVirtualMemory  (-1, 0x370d71, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x360000,AllocationProtect=0x4,RegionSize=0xd000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00529   860   NtQueryInformationProcess  (-1, 34, 4, ... {process info, class 34, size 4}, 0x0, ) == 0x0
 00530   860   NtQueryVirtualMemory  (-1, 0x373132, Basic, 28, ... {BaseAddress=0x373000,AllocationBase=0x360000,AllocationProtect=0x4,RegionSize=0xa000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00531   860   NtQueryInformationProcess  (-1, 34, 4, ... {process info, class 34, size 4}, 0x0, ) == 0x0
 00532   860   NtQueryVirtualMemory  (-1, 0x7c816fe0, Basic, 28, ... {BaseAddress=0x7c816000,AllocationBase=0x7c800000,AllocationProtect=0x80,RegionSize=0x6e000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 00533   860   NtQueryInformationProcess  (-1, DebugPort, 4, ... {process info, class 7, size 4}, 0x0, ) == 0x0
 00534   860   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00535   860   NtQueryVirtualMemory  (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 00536   860   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00537   860   NtQueryInformationJobObject  (0, BasicLimit, 48, ... ) == STATUS_ACCESS_DENIED
 00538   860   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AeDebug"}, ... 64, ) }, ... 64, ) == 0x0
 00539   860   NtQueryValueKey  (64,  (64, "Auto", Partial, 526, ... TitleIdx=0, Type=1, Data="0\0\0\0"}, 16, ) , Partial, 526, ... TitleIdx=0, Type=1, Data= (64, "Auto", Partial, 526, ... TitleIdx=0, Type=1, Data="0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00540   860   NtQueryValueKey  (64,  (64, "Debugger", Partial, 526, ... TitleIdx=0, Type=1, Data=""\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0V\0i\0s\0u\0a\0l\0 \0S\0t\0u\0d\0i\0o\0\\0C\0o\0m\0m\0o\0n\0\\0M\0S\0D\0e\0v\09\08\0\\0B\0i\0n\0\\0m\0s\0d\0e\0v\0.\0e\0x\0e\0"\0 \0-\0p\0 \0%\0l\0d\0 \0-\0e\0 \0%\0l\0d\0\0\0"}, 184, ) , Partial, 526, ... TitleIdx=0, Type=1, Data=" (64, "Debugger", Partial, 526, ... TitleIdx=0, Type=1, Data=""\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0V\0i\0s\0u\0a\0l\0 \0S\0t\0u\0d\0i\0o\0\\0C\0o\0m\0m\0o\0n\0\\0M\0S\0D\0e\0v\09\08\0\\0B\0i\0n\0\\0m\0s\0d\0e\0v\0.\0e\0x\0e\0"\0 \0-\0p\0 \0%\0l\0d\0 \0-\0e\0 \0%\0l\0d\0\0\0"}, 184, ) \0 \0-\0p\0 \0%\0l\0d\0 \0-\0e\0 \0%\0l\0d\0\0\0"}, 184, ) == 0x0
 00541   860   NtClose  (64, ... ) == 0x0
 00542   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\faultrep.dll"}, 1239712, ... ) }, 1239712, ... ) == 0x0
 00543   860   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\faultrep.dll"}, 5, 96, ... 64, {status=0x0, info=1}, ) }, 5, 96, ... 64, {status=0x0, info=1}, ) == 0x0
 00544   860   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 64, ... 68, ) == 0x0
 00545   860   NtClose  (64, ... ) == 0x0
 00546   860   NtMapViewOfSection  (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x3d0000), 0x0, 81920, ) == 0x0
 00547   860   NtClose  (68, ... ) == 0x0
 00548   860   NtUnmapViewOfSection  (-1, 0x3d0000, ... ) == 0x0
 00549   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\faultrep.dll"}, 1240020, ... ) }, 1240020, ... ) == 0x0
 00550   860   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\faultrep.dll"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00551   860   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 68, ... 64, ) == 0x0
 00552   860   NtQuerySection  (64, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00553   860   NtClose  (68, ... ) == 0x0
 00554   860   NtMapViewOfSection  (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x69450000), 0x0, 90112, ) == 0x0
 00555   860   NtClose  (64, ... ) == 0x0
 00556   860   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "VERSION.dll"}, ... 64, ) }, ... 64, ) == 0x0
 00557   860   NtMapViewOfSection  (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c00000), 0x0, 32768, ) == 0x0
 00558   860   NtClose  (64, ... ) == 0x0
 00559   860   NtProtectVirtualMemory  (-1, (0x77c01000), 304, 4, ... (0x77c01000), 4096, 32, ) == 0x0
 00560   860   NtProtectVirtualMemory  (-1, (0x77c01000), 4096, 32, ... (0x77c01000), 4096, 4, ) == 0x0
 00561   860   NtFlushInstructionCache  (-1, 2009075712, 304, ... ) == 0x0
 00562   860   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "USERENV.dll"}, ... 64, ) }, ... 64, ) == 0x0
 00563   860   NtMapViewOfSection  (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x769c0000), 0x0, 733184, ) == 0x0
 00564   860   NtClose  (64, ... ) == 0x0
 00565   860   NtProtectVirtualMemory  (-1, (0x769c1000), 1244, 4, ... (0x769c1000), 4096, 32, ) == 0x0
 00566   860   NtProtectVirtualMemory  (-1, (0x769c1000), 4096, 32, ... (0x769c1000), 4096, 4, ) == 0x0
 00567   860   NtFlushInstructionCache  (-1, 1989939200, 1244, ... ) == 0x0
 00568   860   NtProtectVirtualMemory  (-1, (0x769c1000), 1244, 4, ... (0x769c1000), 4096, 32, ) == 0x0
 00569   860   NtProtectVirtualMemory  (-1, (0x769c1000), 4096, 32, ... (0x769c1000), 4096, 4, ) == 0x0
 00570   860   NtFlushInstructionCache  (-1, 1989939200, 1244, ... ) == 0x0
 00571   860   NtProtectVirtualMemory  (-1, (0x769c1000), 1244, 4, ... (0x769c1000), 4096, 32, ) == 0x0
 00572   860   NtProtectVirtualMemory  (-1, (0x769c1000), 4096, 32, ... (0x769c1000), 4096, 4, ) == 0x0
 00573   860   NtFlushInstructionCache  (-1, 1989939200, 1244, ... ) == 0x0
 00574   860   NtProtectVirtualMemory  (-1, (0x769c1000), 1244, 4, ... (0x769c1000), 4096, 32, ) == 0x0
 00575   860   NtProtectVirtualMemory  (-1, (0x769c1000), 4096, 32, ... (0x769c1000), 4096, 4, ) == 0x0
 00576   860   NtFlushInstructionCache  (-1, 1989939200, 1244, ... ) == 0x0
 00577   860   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WINSTA.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00578   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WINSTA.dll"}, 1239196, ... ) }, 1239196, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00579   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WINSTA.dll"}, 1239196, ... ) }, 1239196, ... ) == 0x0
 00580   860   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WINSTA.dll"}, 5, 96, ... 64, {status=0x0, info=1}, ) }, 5, 96, ... 64, {status=0x0, info=1}, ) == 0x0
 00581   860   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 64, ... 68, ) == 0x0
 00582   860   NtQuerySection  (68, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00583   860   NtClose  (64, ... ) == 0x0
 00584   860   NtMapViewOfSection  (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76360000), 0x0, 65536, ) == 0x0
 00585   860   NtClose  (68, ... ) == 0x0
 00586   860   NtProtectVirtualMemory  (-1, (0x76361000), 212, 4, ... (0x76361000), 4096, 32, ) == 0x0
 00587   860   NtProtectVirtualMemory  (-1, (0x76361000), 4096, 32, ... (0x76361000), 4096, 4, ) == 0x0
 00588   860   NtFlushInstructionCache  (-1, 1983254528, 212, ... ) == 0x0
 00589   860   NtProtectVirtualMemory  (-1, (0x76361000), 212, 4, ... (0x76361000), 4096, 32, ) == 0x0
 00590   860   NtProtectVirtualMemory  (-1, (0x76361000), 4096, 32, ... (0x76361000), 4096, 4, ) == 0x0
 00591   860   NtFlushInstructionCache  (-1, 1983254528, 212, ... ) == 0x0
 00592   860   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "NETAPI32.dll"}, ... 68, ) }, ... 68, ) == 0x0
 00593   860   NtMapViewOfSection  (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5b860000), 0x0, 344064, ) == 0x0
 00594   860   NtClose  (68, ... ) == 0x0
 00595   860   NtProtectVirtualMemory  (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0
 00596   860   NtProtectVirtualMemory  (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0
 00597   860   NtFlushInstructionCache  (-1, 1535512576, 1168, ... ) == 0x0
 00598   860   NtProtectVirtualMemory  (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0
 00599   860   NtProtectVirtualMemory  (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0
 00600   860   NtFlushInstructionCache  (-1, 1535512576, 1168, ... ) == 0x0
 00601   860   NtProtectVirtualMemory  (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0
 00602   860   NtProtectVirtualMemory  (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0
 00603   860   NtFlushInstructionCache  (-1, 1535512576, 1168, ... ) == 0x0
 00604   860   NtProtectVirtualMemory  (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0
 00605   860   NtProtectVirtualMemory  (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0
 00606   860   NtFlushInstructionCache  (-1, 1535512576, 1168, ... ) == 0x0
 00607   860   NtProtectVirtualMemory  (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0
 00608   860   NtProtectVirtualMemory  (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0
 00609   860   NtFlushInstructionCache  (-1, 1535512576, 1168, ... ) == 0x0
 00610   860   NtProtectVirtualMemory  (-1, (0x76361000), 212, 4, ... (0x76361000), 4096, 32, ) == 0x0
 00611   860   NtProtectVirtualMemory  (-1, (0x76361000), 4096, 32, ... (0x76361000), 4096, 4, ) == 0x0
 00612   860   NtFlushInstructionCache  (-1, 1983254528, 212, ... ) == 0x0
 00613   860   NtProtectVirtualMemory  (-1, (0x76361000), 212, 4, ... (0x76361000), 4096, 32, ) == 0x0
 00614   860   NtProtectVirtualMemory  (-1, (0x76361000), 4096, 32, ... (0x76361000), 4096, 4, ) == 0x0
 00615   860   NtFlushInstructionCache  (-1, 1983254528, 212, ... ) == 0x0
 00616   860   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WTSAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00617   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WTSAPI32.dll"}, 1239196, ... ) }, 1239196, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00618   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WTSAPI32.dll"}, 1239196, ... ) }, 1239196, ... ) == 0x0
 00619   860   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WTSAPI32.dll"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00620   860   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 68, ... 64, ) == 0x0
 00621   860   NtQuerySection  (64, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00622   860   NtClose  (68, ... ) == 0x0
 00623   860   NtMapViewOfSection  (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f50000), 0x0, 32768, ) == 0x0
 00624   860   NtClose  (64, ... ) == 0x0
 00625   860   NtProtectVirtualMemory  (-1, (0x76f51000), 332, 4, ... (0x76f51000), 4096, 32, ) == 0x0
 00626   860   NtProtectVirtualMemory  (-1, (0x76f51000), 4096, 32, ... (0x76f51000), 4096, 4, ) == 0x0
 00627   860   NtFlushInstructionCache  (-1, 1995771904, 332, ... ) == 0x0
 00628   860   NtProtectVirtualMemory  (-1, (0x76f51000), 332, 4, ... (0x76f51000), 4096, 32, ) == 0x0
 00629   860   NtProtectVirtualMemory  (-1, (0x76f51000), 4096, 32, ... (0x76f51000), 4096, 4, ) == 0x0
 00630   860   NtFlushInstructionCache  (-1, 1995771904, 332, ... ) == 0x0
 00631   860   NtProtectVirtualMemory  (-1, (0x76f51000), 332, 4, ... (0x76f51000), 4096, 32, ) == 0x0
 00632   860   NtProtectVirtualMemory  (-1, (0x76f51000), 4096, 32, ... (0x76f51000), 4096, 4, ) == 0x0
 00633   860   NtFlushInstructionCache  (-1, 1995771904, 332, ... ) == 0x0
 00634   860   NtProtectVirtualMemory  (-1, (0x76f51000), 332, 4, ... (0x76f51000), 4096, 32, ) == 0x0
 00635   860   NtProtectVirtualMemory  (-1, (0x76f51000), 4096, 32, ... (0x76f51000), 4096, 4, ) == 0x0
 00636   860   NtFlushInstructionCache  (-1, 1995771904, 332, ... ) == 0x0
 00637   860   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SETUPAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00638   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\SETUPAPI.dll"}, 1239196, ... ) }, 1239196, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00639   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SETUPAPI.dll"}, 1239196, ... ) }, 1239196, ... ) == 0x0
 00640   860   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SETUPAPI.dll"}, 5, 96, ... 64, {status=0x0, info=1}, ) }, 5, 96, ... 64, {status=0x0, info=1}, ) == 0x0
 00641   860   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 64, ... 68, ) == 0x0
 00642   860   NtQuerySection  (68, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00643   860   NtClose  (64, ... ) == 0x0
 00644   860   NtMapViewOfSection  (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77920000), 0x0, 995328, ) == 0x0
 00645   860   NtClose  (68, ... ) == 0x0
 00646   860   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 00647   860   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 00648   860   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 00649   860   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 00650   860   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 00651   860   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 00652   860   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 00653   860   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 00654   860   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 00655   860   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 00656   860   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 00657   860   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 00658   860   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 00659   860   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 00660   860   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 00661   860   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 68, ) }, ... 68, ) == 0x0
 00662   860   NtMapViewOfSection  (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f60000), 0x0, 483328, ) == 0x0
 00663   860   NtClose  (68, ... ) == 0x0
 00664   860   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 00665   860   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 00666   860   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 00667   860   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 00668   860   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 00669   860   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 00670   860   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 00671   860   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 00672   860   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 00673   860   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 00674   860   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 00675   860   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 00676   860   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 00677   860   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 00678   860   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 00679   860   NtProtectVirtualMemory  (-1, (0x69451000), 736, 4, ... (0x69451000), 4096, 32, ) == 0x0
 00680   860   NtProtectVirtualMemory  (-1, (0x69451000), 4096, 32, ... (0x69451000), 4096, 4, ) == 0x0
 00681   860   NtFlushInstructionCache  (-1, 1766133760, 736, ... ) == 0x0
 00682   860   NtProtectVirtualMemory  (-1, (0x69451000), 736, 4, ... (0x69451000), 4096, 32, ) == 0x0
 00683   860   NtProtectVirtualMemory  (-1, (0x69451000), 4096, 32, ... (0x69451000), 4096, 4, ) == 0x0
 00684   860   NtFlushInstructionCache  (-1, 1766133760, 736, ... ) == 0x0
 00685   860   NtProtectVirtualMemory  (-1, (0x69451000), 736, 4, ... (0x69451000), 4096, 32, ) == 0x0
 00686   860   NtProtectVirtualMemory  (-1, (0x69451000), 4096, 32, ... (0x69451000), 4096, 4, ) == 0x0
 00687   860   NtFlushInstructionCache  (-1, 1766133760, 736, ... ) == 0x0
 00688   860   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VERSION.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00689   860   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USERENV.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00690   860   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 68, ) }, ... 68, ) == 0x0
 00691   860   NtQueryValueKey  (68,  (68, "UserEnvDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00692   860   NtClose  (68, ... ) == 0x0
 00693   860   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 68, ) }, ... 68, ) == 0x0
 00694   860   NtQueryValueKey  (68,  (68, "ChkAccDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00695   860   NtClose  (68, ... ) == 0x0
 00696   860   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Control\ProductOptions"}, ... 68, ) }, ... 68, ) == 0x0
 00697   860   NtQueryValueKey  (68,  (68, "ProductType", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0i\0n\0N\0T\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (68, "ProductType", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0i\0n\0N\0T\0\0\0"}, 24, ) }, 24, ) == 0x0
 00698   860   NtClose  (68, ... ) == 0x0
 00699   860   NtCreateEvent  (0x1f0003, {24, 48, 0x80, 1237788, 0,  (0x1f0003, {24, 48, 0x80, 1237788, 0, "Global\userenv:  User Profile setup event"}, 0, 1, ... 68, ) }, 0, 1, ... 68, ) == STATUS_OBJECT_NAME_EXISTS
 00700   860   NtQueryDefaultUILanguage  (2090319928, ...
 00701   860   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00702   860   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482740, ) == 0x0
 00703   860   NtQueryInformationToken  (-2147482740, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00704   860   NtClose  (-2147482740, ... ) == 0x0
 00705   860   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0
 00706   860   NtOpenKey  (0x80000000, {24, -2147482740, 0x240, 0, 0,  (0x80000000, {24, -2147482740, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00707   860   NtOpenKey  (0x80000000, {24, -2147482740, 0x640, 0, 0,  (0x80000000, {24, -2147482740, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481328, ) }, ... -2147481328, ) == 0x0
 00708   860   NtQueryValueKey  (-2147481328,  (-2147481328, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00709   860   NtClose  (-2147481328, ... ) == 0x0
 00710   860   NtClose  (-2147482740, ... ) == 0x0
 00700   860   NtQueryDefaultUILanguage  ... ) == 0x0
 00711   860   NtQueryInstallUILanguage  (2090319930, ... ) == 0x0
 00712   860   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00713   860   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00714   860   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00715   860   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00716   860   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00717   860   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00718   860   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00719   860   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00720   860   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00721   860   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00722   860   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00723   860   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00724   860   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00725   860   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00726   860   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00727   860   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00728   860   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00729   860   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00730   860   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00731   860   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00732   860   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00733   860   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00734   860   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00735   860   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00736   860   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00737   860   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00738   860   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00739   860   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 64, ) == 0x0
 00740   860   NtQueryInformationToken  (64, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00741   860   NtClose  (64, ... ) == 0x0
 00742   860   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 64, ) }, ... 64, ) == 0x0
 00743   860   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, ... 72, ) }, ... 72, ) == 0x0
 00744   860   NtQueryValueKey  (72,  (72, "Personal", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 66, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (72, "Personal", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 66, ) }, 66, ) == 0x0
 00745   860   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00746   860   NtQueryValueKey  (72,  (72, "Local Settings", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 70, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (72, "Local Settings", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 70, ) }, 70, ) == 0x0
 00747   860   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00748   860   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00749   860   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00750   860   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00751   860   NtClose  (72, ... ) == 0x0
 00752   860   NtClose  (64, ... ) == 0x0
 00753   860   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 64, ) }, ... 64, ) == 0x0
 00754   860   NtQueryValueKey  (64,  (64, "RsopDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00755   860   NtClose  (64, ... ) == 0x0
 00756   860   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 64, ) }, ... 64, ) == 0x0
 00757   860   NtQueryValueKey  (64,  (64, "UserEnvDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00758   860   NtQueryValueKey  (64,  (64, "RsopLogging", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00759   860   NtClose  (64, ... ) == 0x0
 00760   860   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\System"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00761   860   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 64, ) }, ... 64, ) == 0x0
 00762   860   NtQueryValueKey  (64,  (64, "UserEnvDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00763   860   NtClose  (64, ... ) == 0x0
 00764   860   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\System"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00765   860   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NETAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00766   860   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WINSTA.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00767   860   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WTSAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00768   860   NtQueryPerformanceCounter  (... {924539739, 10}, {3579545, 0}, ) == 0x0
 00769   860   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUPAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00770   860   NtQueryDefaultLocale  (1, 1239916, ... ) == 0x0
 00771   860   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 00772   860   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "System\Setup"}, ... 64, ) }, ... 64, ) == 0x0
 00773   860   NtQueryValueKey  (64,  (64, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (64, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00774   860   NtClose  (64, ... ) == 0x0
 00775   860   NtUserGetProcessWindowStation  (... ) == 0x1c
 00776   860   NtUserGetObjectInformation  (28, 1, 1239512, 12, 1239524, ... ) == 0x1
 00777   860   NtOpenKey  (0xf003f, {24, 16, 0x40, 0, 0,  (0xf003f, {24, 16, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\MiniNT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00778   860   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "System\WPA\PnP"}, ... 64, ) }, ... 64, ) == 0x0
 00779   860   NtQueryValueKey  (64,  (64, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\240d\351\211"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (64, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\240d\351\211"}, 16, ) }, 16, ) == 0x0
 00780   860   NtClose  (64, ... ) == 0x0
 00781   860   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "SYSTEM\Setup"}, ... 64, ) }, ... 64, ) == 0x0
 00782   860   NtQueryValueKey  (64,  (64, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (64, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0
 00783   860   NtQueryValueKey  (64,  (64, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (64, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0
 00784   860   NtClose  (64, ... ) == 0x0
 00785   860   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "SYSTEM\Setup"}, ... 64, ) }, ... 64, ) == 0x0
 00786   860   NtQueryValueKey  (64,  (64, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (64, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0
 00787   860   NtQueryValueKey  (64,  (64, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (64, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0
 00788   860   NtClose  (64, ... ) == 0x0
 00789   860   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 64, ) }, ... 64, ) == 0x0
 00790   860   NtQueryValueKey  (64,  (64, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (64, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 00791   860   NtQueryValueKey  (64,  (64, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (64, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 00792   860   NtClose  (64, ... ) == 0x0
 00793   860   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 64, ) }, ... 64, ) == 0x0
 00794   860   NtQueryValueKey  (64,  (64, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (64, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 00795   860   NtQueryValueKey  (64,  (64, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (64, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 00796   860   NtClose  (64, ... ) == 0x0
 00797   860   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 64, ) }, ... 64, ) == 0x0
 00798   860   NtQueryValueKey  (64,  (64, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (64, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) }, 102, ) == 0x0
 00799   860   NtQueryValueKey  (64,  (64, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (64, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) }, 102, ) == 0x0
 00800   860   NtClose  (64, ... ) == 0x0
 00801   860   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 64, ) }, ... 64, ) == 0x0
 00802   860   NtQueryValueKey  (64,  (64, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (64, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0
 00803   860   NtQueryValueKey  (64,  (64, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (64, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0
 00804   860   NtClose  (64, ... ) == 0x0
 00805   860   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 64, ) }, ... 64, ) == 0x0
 00806   860   NtQueryValueKey  (64,  (64, "DevicePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00807   860   NtQueryValueKey  (64,  (64, "DevicePath", Partial, 346, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0c\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0r\0i\0c\0h\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0c\0e\0r\0c\0s\0r\06\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\03\02\00\0r\0a\0i\0d\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0i\0a\0s\0t\0o\0r\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0n\0v\0r\0a\0i\0d\0\0\0"}, 346, ) , Partial, 346, ... TitleIdx=0, Type=2, Data= (64, "DevicePath", Partial, 346, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0c\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0r\0i\0c\0h\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0c\0e\0r\0c\0s\0r\06\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\03\02\00\0r\0a\0i\0d\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0i\0a\0s\0t\0o\0r\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0n\0v\0r\0a\0i\0d\0\0\0"}, 346, ) }, 346, ) == 0x0
 00808   860   NtAllocateVirtualMemory  (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0
 00809   860   NtClose  (64, ... ) == 0x0
 00810   860   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 64, ) == 0x0
 00811   860   NtCreateMutant  (0x1f0001, 0x0, 0, ... 72, ) == 0x0
 00812   860   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 76, ) == 0x0
 00813   860   NtCreateMutant  (0x1f0001, 0x0, 0, ... 80, ) == 0x0
 00814   860   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 84, ) == 0x0
 00815   860   NtCreateMutant  (0x1f0001, 0x0, 0, ... 88, ) == 0x0
 00816   860   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 92, ) }, ... 92, ) == 0x0
 00817   860   NtQueryValueKey  (92,  (92, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (92, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00818   860   NtQueryValueKey  (92,  (92, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (92, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00819   860   NtQueryValueKey  (92,  (92, "LogPath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00820   860   NtOpenKey  (0x1, {24, 92, 0x40, 0, 0,  (0x1, {24, 92, 0x40, 0, 0, "AppLogLevels"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00821   860   NtClose  (92, ... ) == 0x0
 00822   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 1239428, ... ) }, 1239428, ... ) == 0x0
 00823   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName"}, ... 92, ) }, ... 92, ) == 0x0
 00824   860   NtQueryValueKey  (92,  (92, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (92, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Data= (92, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) }, 60, ) == 0x0
 00825   860   NtClose  (92, ... ) == 0x0
 00826   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 92, ) }, ... 92, ) == 0x0
 00827   860   NtQueryValueKey  (92,  (92, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (92, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) , Data= (92, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) }, 52, ) == 0x0
 00828   860   NtClose  (92, ... ) == 0x0
 00829   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\System\DNSclient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00830   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 92, ) }, ... 92, ) == 0x0
 00831   860   NtQueryValueKey  (92,  (92, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (92, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Data= (92, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) }, 34, ) == 0x0
 00832   860   NtClose  (92, ... ) == 0x0
 00833   860   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHLWAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00834   860   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00835   860   NtCreateSemaphore  (0x1f0003, {24, 48, 0x80, 1343256, 0,  (0x1f0003, {24, 48, 0x80, 1343256, 0, "shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}"}, 0, 2147483647, ... 92, ) }, 0, 2147483647, ... 92, ) == STATUS_OBJECT_NAME_EXISTS
 00836   860   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\faultrep.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00837   860   NtOpenKey  (0x20119, {24, 16, 0x40, 0, 0,  (0x20119, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\PCHealth\ErrorReporting"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00838   860   NtCreateKey  (0x20119, {24, 16, 0x40, 0, 0,  (0x20119, {24, 16, 0x40, 0, 0, "Software\Microsoft\PCHealth\ErrorReporting"}, 0, 0x0, 0, ... 96, 2, ) }, 0, 0x0, 0, ... 96, 2, ) == 0x0
 00839   860   NtOpenKey  (0x10000, {24, 96, 0x40, 0, 0,  (0x10000, {24, 96, 0x40, 0, 0, "DW"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00840   860   NtQueryValueKey  (96,  (96, "DoReport", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "DoReport", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00841   860   NtQueryValueKey  (96,  (96, "ShowUI", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "ShowUI", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00842   860   NtQueryValueKey  (96,  (96, "AllOrNone", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "AllOrNone", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00843   860   NtQueryValueKey  (96,  (96, "IncludeMicrosoftApps", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "IncludeMicrosoftApps", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00844   860   NtQueryValueKey  (96,  (96, "IncludeWindowsApps", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "IncludeWindowsApps", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00845   860   NtQueryValueKey  (96,  (96, "DoTextLog", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00846   860   NtQueryValueKey  (96,  (96, "IncludeKernelFaults", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "IncludeKernelFaults", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00847   860   NtQueryValueKey  (96,  (96, "IncludeShutdownErrs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00848   860   NtQueryValueKey  (96,  (96, "NumberOfFaultPipes", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00849   860   NtQueryValueKey  (96,  (96, "NumberOfHangPipes", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00850   860   NtQueryValueKey  (96,  (96, "MaxUserQueueSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00851   860   NtQueryValueKey  (96,  (96, "ForceQueueMode", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00852   860   NtCreateKey  (0x20119, {24, 96, 0x40, 0, 0,  (0x20119, {24, 96, 0x40, 0, 0, "ExclusionList"}, 0, 0x0, 0, ... 100, 2, ) }, 0, 0x0, 0, ... 100, 2, ) == 0x0
 00853   860   NtCreateKey  (0x20119, {24, 96, 0x40, 0, 0,  (0x20119, {24, 96, 0x40, 0, 0, "InclusionList"}, 0, 0x0, 0, ... 104, 2, ) }, 0, 0x0, 0, ... 104, 2, ) == 0x0
 00854   860   NtClose  (96, ... ) == 0x0
 00855   860   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "System\Setup"}, ... 96, ) }, ... 96, ) == 0x0
 00856   860   NtQueryValueKey  (96,  (96, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00857   860   NtClose  (96, ... ) == 0x0
 00858   860   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00859   860   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00860   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1236956, ... ) }, 1236956, ... ) == 0x0
 00861   860   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\"}, 3, 16417, ... 96, {status=0x0, info=1}, ) }, 3, 16417, ... 96, {status=0x0, info=1}, ) == 0x0
 00862   860   NtQueryDirectoryFile  (96, 0, 0, 0, 1236384, 616, BothDirectory, 1,  (96, 0, 0, 0, 1236384, 616, BothDirectory, 1, "work", 0, ... {status=0x0, info=104}, ) , 0, ... {status=0x0, info=104}, ) == 0x0
 00863   860   NtClose  (96, ... ) == 0x0
 00864   860   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work\"}, 3, 16417, ... 96, {status=0x0, info=1}, ) }, 3, 16417, ... 96, {status=0x0, info=1}, ) == 0x0
 00865   860   NtQueryDirectoryFile  (96, 0, 0, 0, 1236384, 616, BothDirectory, 1,  (96, 0, 0, 0, 1236384, 616, BothDirectory, 1, "packed.exe", 0, ... {status=0x0, info=120}, ) , 0, ... {status=0x0, info=120}, ) == 0x0
 00866   860   NtClose  (96, ... ) == 0x0
 00867   860   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00868   860   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00869   860   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00870   860   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00871   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1235604, ... ) }, 1235604, ... ) == 0x0
 00872   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1234376, ... ) }, 1234376, ... ) == 0x0
 00873   860   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00874   860   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00875   860   NtQueryValueKey  (100,  (100, "packed.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00876   860   NtOpenThreadToken  (-2, 0x2000c, 1, ... ) == STATUS_NO_TOKEN
 00877   860   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 00878   860   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00879   860   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00880   860   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 96, ) }, ... 96, ) == 0x0
 00881   860   NtQueryValueKey  (96,  (96, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00882   860   NtClose  (96, ... ) == 0x0
 00883   860   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00884   860   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 96, ) == 0x0
 00885   860   NtAllocateVirtualMemory  (-1, 1347584, 0, 4096, 4096, 4, ... 1347584, 4096, ) == 0x0
 00886   860   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 108, ) == 0x0
 00887   860   NtQuerySystemTime  (... {-1692633028, 29915842}, ) == 0x0
 00888   860   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 112, ) == 0x0
 00889   860   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00890   860   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0
 00891   860   NtQueryInformationProcess  (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0
 00892   860   NtQueryInformationProcess  (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0
 00893   860   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 116, ) == 0x0
 00894   860   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 120, ) == 0x0
 00895   860   NtDeviceIoControlFile  (44, 0, 0x0, 0x0, 0x390008,  (44, 0, 0x0, 0x0, 0x390008, "Mh\230,\17W\350\204J\340)\345\312\246\30\3{\22\220\260\344\204\27\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00896   860   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00897   860   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00898   860   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00899   860   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00900   860   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00901   860   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00902   860   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00903   860   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482740, 2, ) }, 0, 0x0, 0, ... -2147482740, 2, ) == 0x0
 00904   860   NtSetValueKey  (-2147482740,  (-2147482740, "Seed", 0, 3, "\234\34\35\266\275|\204\332?>\254\322t$9\34\233\250\12\224\\316\243\260\210\254\272\370\340n\340\342\346#\366>\360\3249H]\252\271Bwz\372\215\37\266c1\(\254\307\23\240s-\271+\314\34\306:$\324>\213\223\302\304f\226d\12\330\301\266", 80, ... ) , 0, 3,  (-2147482740, "Seed", 0, 3, "\234\34\35\266\275|\204\332?>\254\322t$9\34\233\250\12\224\\316\243\260\210\254\272\370\340n\340\342\346#\366>\360\3249H]\252\271Bwz\372\215\37\266c1\(\254\307\23\240s-\271+\314\34\306:$\324>\213\223\302\304f\226d\12\330\301\266", 80, ... ) , 80, ... ) == 0x0
 00905   860   NtClose  (-2147482740, ... ) == 0x0
 00895   860   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "h\302\346D\353\327\31\246\223\374\332\263J\30\214/\241~u\365\221%^k(lOz\374\353\3368w\1\16\316\16X\265\373B\213\335xK\3>\313j\273g\313O\243 S/\334\341\13[\365\222\275"(Z\200\257\215r\3350\2527!\202\2171\344\234Ua\370\27376\211\340}\277\236\23\370\334*\10q\325\2\217\374SF\11R\26\262\146\305i\212\12x\0T\25\326Y\233\366\271+\235\24\21\271\0s\305\211\20\3338\3054@?&O\20*V&\313\261\233[+\20\30\252\301\344\337b\6s\251*L7\302\15\312c\323F\22&N\374\353m\2q\311}B\21066~<\307%\31\352>9\320\230au\252\370~\345\336B\217\17\5\3Ef\367D\352J\336\5\6\250\332\345\270\31j0\316\260\276\257\377K\263\2379\27$fe\352\225?\363\346"\224esF\350u@\306<\253\345l\310f\210\11", ) (Z\200\257\215r\3350\2527!\202\2171\344\234Ua\370\27376\211\340}\277\236\23\370\334*\10q\325\2\217\374SF\11R\26\262\146\305i\212\12x\0T\25\326Y\233\366\271+\235\24\21\271\0s\305\211\20\3338\3054@?&O\20*V&\313\261\233[+\20\30\252\301\344\337b\6s\251*L7\302\15\312c\323F\22&N\374\353m\2q\311}B\21066~<\307%\31\352>9\320\230au\252\370~\345\336B\217\17\5\3Ef\367D\352J\336\5\6\250\332\345\270\31j0\316\260\276\257\377K\263\2379\27$fe\352\225?\363\346 ... {status=0x0, info=256}, "h\302\346D\353\327\31\246\223\374\332\263J\30\214/\241~u\365\221%^k(lOz\374\353\3368w\1\16\316\16X\265\373B\213\335xK\3>\313j\273g\313O\243 S/\334\341\13[\365\222\275"(Z\200\257\215r\3350\2527!\202\2171\344\234Ua\370\27376\211\340}\277\236\23\370\334*\10q\325\2\217\374SF\11R\26\262\146\305i\212\12x\0T\25\326Y\233\366\271+\235\24\21\271\0s\305\211\20\3338\3054@?&O\20*V&\313\261\233[+\20\30\252\301\344\337b\6s\251*L7\302\15\312c\323F\22&N\374\353m\2q\311}B\21066~<\307%\31\352>9\320\230au\252\370~\345\336B\217\17\5\3Ef\367D\352J\336\5\6\250\332\345\270\31j0\316\260\276\257\377K\263\2379\27$fe\352\225?\363\346"\224esF\350u@\306<\253\345l\310f\210\11", ) , ) == 0x0
 00906   860   NtDeviceIoControlFile  (44, 0, 0x0, 0x0, 0x390008,  (44, 0, 0x0, 0x0, 0x390008, "Mh\230,\17W\350\204J\340)\345\312\246\246\2p\374\301\14\367\203\277{\22\220\260\344\204\27\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00907   860   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00908   860   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00909   860   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00910   860   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00911   860   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00912   860   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00913   860   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00914   860   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482740, 2, ) }, 0, 0x0, 0, ... -2147482740, 2, ) == 0x0
 00915   860   NtSetValueKey  (-2147482740,  (-2147482740, "Seed", 0, 3, "n\252\23\336|(\211\36i\305\224\260P\357\0\372\365\269\206`\5_;\237\220\271\264 \355\33\270\343\343\34\330\375\36\15c\345\242\226!mJld\241@\326\2+\351\357\362@W-YB\364\211\4!g>Z\365\234\257(M\1\231\254\233\304'\337", 80, ... ) , 0, 3,  (-2147482740, "Seed", 0, 3, "n\252\23\336|(\211\36i\305\224\260P\357\0\372\365\269\206`\5_;\237\220\271\264 \355\33\270\343\343\34\330\375\36\15c\345\242\226!mJld\241@\326\2+\351\357\362@W-YB\364\211\4!g>Z\365\234\257(M\1\231\254\233\304'\337", 80, ... ) , 80, ... ) == 0x0
 00916   860   NtClose  (-2147482740, ... ) == 0x0
 00906   860   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\323.\252Gz\13\343Z\342E/\210\375\217\373\331\367L\23\315\35L\271\231\377\221\177z\353\1l\251\323w;"*\304]\273\23&oF#\276X\35\216\276=P\354/BB<_\241\14^\235\324\264\5P\10}\257\305\262\243$JISd\304\275\10Z"t\257\217\203\316\245S\275\242\375S\363\271^3\250z\363w$\264\10h\362\21\221\311\345\377Dy\234\231\350\234e\351\260H\220\236\313B\246RkA\333+$6K\336m\333\\243\6\322\23\262+\346\276W\372\117\264\221\21s\346\232\371\362\221;\261\267\224\353\264-\254\354G\264\243P\224\224\31059\13\317\231{=\317\276\14/\377\306)\277\334\277\211\352\233!\12\331\222q\303\4\202\320S\30G\21\36\270\370\217>\344L\246g\347#Q\266\343\326+\bQ\211\346\237`3Q\202v\245\10\231IDdP\25\200q\376{\266\312!\30\342E/\336", ) *\304]\273\23&oF#\276X\35\216\276=P\354/BB<_\241\14^\235\324\264\5P\10}\257\305\262\243$JISd\304\275\10Z ... {status=0x0, info=256}, "\323.\252Gz\13\343Z\342E/\210\375\217\373\331\367L\23\315\35L\271\231\377\221\177z\353\1l\251\323w;"*\304]\273\23&oF#\276X\35\216\276=P\354/BB<_\241\14^\235\324\264\5P\10}\257\305\262\243$JISd\304\275\10Z"t\257\217\203\316\245S\275\242\375S\363\271^3\250z\363w$\264\10h\362\21\221\311\345\377Dy\234\231\350\234e\351\260H\220\236\313B\246RkA\333+$6K\336m\333\\243\6\322\23\262+\346\276W\372\117\264\221\21s\346\232\371\362\221;\261\267\224\353\264-\254\354G\264\243P\224\224\31059\13\317\231{=\317\276\14/\377\306)\277\334\277\211\352\233!\12\331\222q\303\4\202\320S\30G\21\36\270\370\217>\344L\246g\347#Q\266\343\326+\bQ\211\346\237`3Q\202v\245\10\231IDdP\25\200q\376{\266\312!\30\342E/\336", ) , ) == 0x0
 00917   860   NtDeviceIoControlFile  (44, 0, 0x0, 0x0, 0x390008,  (44, 0, 0x0, 0x0, 0x390008, "Mh\230,\17W\350\204J\340)\345\312\246\246\2p\374\301\14\367=\276p\374\301\14\367\203\277{\22\220\260\344\204\27\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00918   860   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00919   860   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00920   860   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00921   860   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00922   860   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00923   860   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00924   860   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00925   860   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482740, 2, ) }, 0, 0x0, 0, ... -2147482740, 2, ) == 0x0
 00926   860   NtSetValueKey  (-2147482740,  (-2147482740, "Seed", 0, 3, "\6\225v3TQ\242\17\275rHk\3522+\302\350-s\265\312A\360\33\374\320\32o\266\324\214_\213\324\364\227\333d\205\376L4=\323\314W\242\271;\214\343O\207a\207\254b\301\23\333\1dm\345\232\22\270\227\210\236\4n@i\230\356w\376\221", 80, ... ) , 0, 3,  (-2147482740, "Seed", 0, 3, "\6\225v3TQ\242\17\275rHk\3522+\302\350-s\265\312A\360\33\374\320\32o\266\324\214_\213\324\364\227\333d\205\376L4=\323\314W\242\271;\214\343O\207a\207\254b\301\23\333\1dm\345\232\22\270\227\210\236\4n@i\230\356w\376\221", 80, ... ) , 80, ... ) == 0x0
 00927   860   NtClose  (-2147482740, ... ) == 0x0
 00917   860   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "?\30\5/\237\264IC\12\311\0\335P\311\206\5>\360\362\341\240\310\23\343\255\305\355\257x{\25\352\277w\207o\235\240,\315\1287\09p\217]\254\3756\15\346\341\234M\362\13I\235O5\13n\321\317\315\34\270\5\347\2671\204"J\33o\271;\243c\236\263q\356\206\350\317w\341\214\367\364\352\241\301\207\345\31!\244j\332\254J\37\344dg\377\267\313kh\272.\7\2747~#?X\240s\216\342E\322L\24+\240\177\2405\232\252\251\347\7\356]M?\322\237}\337\210\325\324\255\351\214,B\252\275\256%\313\305\311'^%(*\271u\217+l\247[\12\204\333\207r_\20o\264\32\323E\340\1x\217 \220\331\305\322\17{\2161\215\21\302\314\302f\304\233\373e\223\221~\245\252\235\230<&/B\207s\346<}\225\274d\30\247\301\327f-\2535e|)\24\315\32\344\336O\7\177\26\4\205\227\346D", ) J\33o\271;\243c\236\263q\356\206\350\317w\341\214\367\364\352\241\301\207\345\31!\244j\332\254J\37\344dg\377\267\313kh\272.\7\2747~#?X\240s\216\342E\322L\24+\240\177\2405\232\252\251\347\7\356]M?\322\237}\337\210\325\324\255\351\214,B\252\275\256%\313\305\311'^%(*\271u\217+l\247[\12\204\333\207r_\20o\264\32\323E\340\1x\217 \220\331\305\322\17{\2161\215\21\302\314\302f\304\233\373e\223\221~\245\252\235\230<&/B\207s\346<}\225\274d\30\247\301\327f-\2535e|)\24\315\32\344\336O\7\177\26\4\205\227\346D", ) == 0x0
 00928   860   NtDeviceIoControlFile  (44, 0, 0x0, 0x0, 0x390008,  (44, 0, 0x0, 0x0, 0x390008, "Mh\230,\17W\350\204J\340)\345\312\246\246\2p\374\301\14\367=\276p\374\301\14\367=\276p\374\301\14\367\203\277{\22\220\260\344\204\27\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00929   860   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00930   860   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00931   860   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00932   860   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00933   860   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00934   860   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00935   860   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00936   860   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482740, 2, ) }, 0, 0x0, 0, ... -2147482740, 2, ) == 0x0
 00937   860   NtSetValueKey  (-2147482740,  (-2147482740, "Seed", 0, 3, "\271\271\244\314e\370m\346\247l@B\223\232\27\351\210;Y\262T\370\331\22\337\7\312`D<\13'p\246J\27?EBX\364\310N\10\261U\36\263\305\300L\3525\34\365\3108\322\317K\305\13\272W83\354T\317\331hp\247\374\234\345\201\4\236\254", 80, ... ) , 0, 3,  (-2147482740, "Seed", 0, 3, "\271\271\244\314e\370m\346\247l@B\223\232\27\351\210;Y\262T\370\331\22\337\7\312`D<\13'p\246J\27?EBX\364\310N\10\261U\36\263\305\300L\3525\34\365\3108\322\317K\305\13\272W83\354T\317\331hp\247\374\234\345\201\4\236\254", 80, ... ) , 80, ... ) == 0x0
 00938   860   NtClose  (-2147482740, ... ) == 0x0
 00928   860   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\274\251h\330\15B2\376\261\314\313\246j\15;\322\224 ijt\3X4\273\263\3074Z\1779\332\371\246AX\227\24\266E(\301\350\275\7\17\337}:\206\242l\315J.\257j\310\337\17\34\234\234\225H\30/\361\314Z\204\30W\3\370\257P\253\252\331\357^:h>6\353\\377\366+>\33c\230V\202\356y@Y\7(\355\331\21\263\311\253\324(\256\327\337\356V\211\302hG0m5\352u\316\232^\344b\313\344i\222\225\232e\310\210\315\302\15\317\12\212LI\327\263,\305E\266|kTM\307GeQ\266\306p~\254\313t\213\331\273?L\313]J8\303\337[\24\316\21Ad\312\232K\345\324{\202\360i\334\12b\225H\25yv1~:1\346\206\331,~\341GT0\317\366q\263\330\25\331\204\202IM\361GI\306\2727\256^\323\0S.q\357 \265\177'\15j\335\15j\207\347+\270\5$\7", ) , ) == 0x0
 00939   860   NtDeviceIoControlFile  (44, 0, 0x0, 0x0, 0x390008,  (44, 0, 0x0, 0x0, 0x390008, "Mh\230,\17W\350\204J\340)\345\312\246\246\2p\374\301\14\367=\276p\374\301\14\367=\276p\374\301\14\367=\276p\374\301\14\367\203\277{\22\220\260\344\204\27\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00940   860   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00941   860   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00942   860   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00943   860   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00944   860   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00945   860   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00946   860   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00947   860   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482740, 2, ) }, 0, 0x0, 0, ... -2147482740, 2, ) == 0x0
 00948   860   NtSetValueKey  (-2147482740,  (-2147482740, "Seed", 0, 3, "\3418\320\273\314\352\364\311\353\272\347\207!q%\272\341aV\340Z\3018\19\324[\315\237Q\337\23C~\365e\12\231\244\272\345\20\261sO<\300:\253\315\236\333\364\377w\360\337\15\205@kW\322\272f\275\214J\367z\257\226*\225\2\26\202%GG", 80, ... ) , 0, 3,  (-2147482740, "Seed", 0, 3, "\3418\320\273\314\352\364\311\353\272\347\207!q%\272\341aV\340Z\3018\19\324[\315\237Q\337\23C~\365e\12\231\244\272\345\20\261sO<\300:\253\315\236\333\364\377w\360\337\15\205@kW\322\272f\275\214J\367z\257\226*\225\2\26\202%GG", 80, ... ) , 80, ... ) == 0x0
 00949   860   NtClose  (-2147482740, ... ) == 0x0
 00939   860   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\34%rqaYr0]\251\361s\5W\\346\305\14\320\315\325=\335\21\377\225zud;o\362\275j\32\306l0\323\177\254\341^\222\245)S\265\250BZ+S\270\337\242qS\256\302\27QF=\210\314%w\16\276\315L\323\275\201\364\33\350\254=h (\304\203\316\300\367K7\334\217\2757|n\27?t5\317p\10\373\221\201\325\345\306\271\33\3134\271\251\242\21\216\10\200\0m\360\222Q\363t\3217\201\12\7\304\262y{\333\203\12\37\12\217\314\333Dv\234\13\264Q\266\3\26\254q\222\7\264\202Y\374j\307\12\217\272~\302n\37\342$\32@Z\242UC\362\374\30[*\317\317.\265Ic\371\177\350\267E*\27>\341\373\10\201\210\242-=\236\230\365\313\215\274\276\315\335\311_\263\336~\362\357iW\22\201\360N\3029$\232\331\270\254\314[\235\214u8'Oh\263\315\355#\362\\351\214|\320\214\313", ) , ) == 0x0
 00950   860   NtDeviceIoControlFile  (44, 0, 0x0, 0x0, 0x390008,  (44, 0, 0x0, 0x0, 0x390008, "Mh\230,\17W\350\204J\340)\345\312\246\246\2p\374\301\14\367=\276p\374\301\14\367=\276p\374\301\14\367=\276p\374\301\14\367=\276p\374\301\14\367\203\277{\22\220\260\344\204\27\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00951   860   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00952   860   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00953   860   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00954   860   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00955   860   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00956   860   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00957   860   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00958   860   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482740, 2, ) }, 0, 0x0, 0, ... -2147482740, 2, ) == 0x0
 00959   860   NtSetValueKey  (-2147482740,  (-2147482740, "Seed", 0, 3, "a3\233\210\334p\322v\326Vr\322\13)\341a_\3\237\301\233\317\256\177\233I\272R\365\320\246\270\25\271\323\256F\31@8\262\255V\23GW\373\34G\333\304\255\253|\211\356\366\210&z5y\216\0\4[\336\251 \245\344\256\264\366\340]\332\236\200\320", 80, ... ) , 0, 3,  (-2147482740, "Seed", 0, 3, "a3\233\210\334p\322v\326Vr\322\13)\341a_\3\237\301\233\317\256\177\233I\272R\365\320\246\270\25\271\323\256F\31@8\262\255V\23GW\373\34G\333\304\255\253|\211\356\366\210&z5y\216\0\4[\336\251 \245\344\256\264\366\340]\332\236\200\320", 80, ... ) , 80, ... ) == 0x0
 00960   860   NtClose  (-2147482740, ... ) == 0x0
 00950   860   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "@\274\377d\235\233\213\256\267G&\316\312F\237\2344\303\1S\365\246\250U\221{\271\24\3250\206\223\26[\304B\236\313%\367\363\302\212r|\225\33]KOP\367:=\35"\336{\264\310\22\32Q\204\363\205(\11U\341\305\234\223\3140\30\30BV\3068kR\337\306\231tx\244\220\37M\352M\230\212\266\271\363t\307t\23\332\3\322G\305Q2\345\344\264o\236=\16\233c\265\3234\234\245\367G3\373\213\252\323.;1t\336+\35pzS\222\247^8em=\275\344b\367\331h'\263\177\21\262\304\32\33X\276\257V\335#\3055#t\250\364\264k$\263\351/\233\24\244x\314Tq\227\374\264w\225\10\230\37\357aPx\241=d&s\215\320\12nl\2652n-\312RT\370\375dq\223d\21Z  ?\356pP\17\223\31\336\313\206\200\342\265$/e\317\30\15\350\273\355\204.\14\205\321B]", ) \336{\264\310\22\32Q\204\363\205(\11U\341\305\234\223\3140\30\30BV\3068kR\337\306\231tx\244\220\37M\352M\230\212\266\271\363t\307t\23\332\3\322G\305Q2\345\344\264o\236=\16\233c\265\3234\234\245\367G3\373\213\252\323.;1t\336+\35pzS\222\247^8em=\275\344b\367\331h'\263\177\21\262\304\32\33X\276\257V\335#\3055#t\250\364\264k$\263\351/\233\24\244x\314Tq\227\374\264w\225\10\230\37\357aPx\241=d&s\215\320\12nl\2652n-\312RT\370\375dq\223d\21Z  ?\356pP\17\223\31\336\313\206\200\342\265$/e\317\30\15\350\273\355\204.\14\205\321B]", ) == 0x0
 00961   860   NtDeviceIoControlFile  (44, 0, 0x0, 0x0, 0x390008,  (44, 0, 0x0, 0x0, 0x390008, "Mh\230,\17W\350\204J\340)\345\312\246\246\2p\374\301\14\367=\276p\374\301\14\367=\276p\374\301\14\367=\276p\374\301\14\367=\276p\374\301\14\367=\276p\374\301\14\367\203\277{\22\220\260\344\204\27\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00962   860   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00963   860   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00964   860   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00965   860   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00966   860   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00967   860   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00968   860   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00969   860   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482740, 2, ) }, 0, 0x0, 0, ... -2147482740, 2, ) == 0x0
 00970   860   NtSetValueKey  (-2147482740,  (-2147482740, "Seed", 0, 3, "Iu4\364\274xu\334\317\277\3213\233\227\333\354@\370i\220]\34G\307:\33\217\273\202\351\272\276Y;3\203\2117\355X\346Y\35\205\265\270m\232\255\215\203\232\341\331\31\211f\274x8\27\253\27`\261\354\244m\10\205\237\252x\365\203\0\302\177d'", 80, ... ) , 0, 3,  (-2147482740, "Seed", 0, 3, "Iu4\364\274xu\334\317\277\3213\233\227\333\354@\370i\220]\34G\307:\33\217\273\202\351\272\276Y;3\203\2117\355X\346Y\35\205\265\270m\232\255\215\203\232\341\331\31\211f\274x8\27\253\27`\261\354\244m\10\205\237\252x\365\203\0\302\177d'", 80, ... ) , 80, ... ) == 0x0
 00971   860   NtClose  (-2147482740, ... ) == 0x0
 00961   860   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\322\1?\272\207\371Ky\233M\334=\362\312\216\235\254S\210\244X\371S\336\371\320F\232eDa\240\327\233/\23?\337.\366\217\0\3379\336\16\203\211\11\314\227\351\312\321)\261\371c\212wy\362\324\335\255\2267\305\354\227\270\32\211\225q\15\204\236m\30\1\7\210\261\357\333eo\356b\353\220\36\0\274Ej\343\347\306h6~\243\14B\374\3026\22^\351F\355E>\220\325z\255\345\360\232\336\278\204\344\365\346W\201\250\377\242\233\263\331\377\360ml\362\210S\266\255O\336,\376x\3238~I{v\276R\20\225\257\0e\21\3\34\363\261\275J\314\317\227qZ\103\250\366\26\355\224\366\261/\325\247\375\265\300\214\233 \301J\361\234;\360\214\341=P1\237\255\233\32\347qy\226-\261i\363\3\314\336y\376\3023\367\230\210\365\266\7\321\363QU\234\365\P\267\276\11\367X\313R\252\252i\3\350\0\244\21", ) , ) == 0x0
 00972   860   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 124, ) == 0x0
 00973   860   NtConnectPort  ( ("\RPC Control\IcaApi", {12, 2, 1, 0}, 0x0, 0x0, 1234748, 188, ... 128, 0x0, 0x0, 0x0, 188, ) , {12, 2, 1, 0}, 0x0, 0x0, 1234748, 188, ... 128, 0x0, 0x0, 0x0, 188, ) == 0x0
 00974   860   NtRequestWaitReplyPort  (128, {200, 224, new_msg, 0, 1350664, 12, 2, 1310721}  (128, {200, 224, new_msg, 0, 1350664, 12, 2, 1310721} "\0\0\0\0\274\0\0\0x\1\24\0`\247\244\\261\353\317\21\206\21\0\240$T \355\1\0\0\0\1\0\0\08\232\24\0\4\0\0\0x\1\24\0\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\24\0\2\0\0\0\13\235_\14\6\7:\342\270\233\24\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0\220\233\24\0\35\267\320\352x\1\24\0\260\233\24\0h\1\24\0\0\0\0\0\0\0\0\0\260\233\24\0P\0\0\0\270\233\24\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\274\325\22\0\372\31\221|P\335\22\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ... {200, 224, reply, 0, 464, 860, 57973, 0} "\7\0\0\0\274\0\0\0x\1\24\0`\247\244\\261\353\317\21\206\21\0\240$T \355\1\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0x\1\24\0\377\377\377\377\5\0\0\0x\1\24\0\0\0\0\0\0\0\24\0\2\0\0\0\13\235_\14\6\7:\342\270\233\24\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0\220\233\24\0\35\267\320\352x\1\24\0\260\233\24\0h\1\24\0\0\0\0\0\0\0\0\0\260\233\24\0P\0\0\0\270\233\24\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\274\325\22\0\372\31\221|P\335\22\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" )  ... {200, 224, reply, 0, 464, 860, 57973, 0}  (128, {200, 224, new_msg, 0, 1350664, 12, 2, 1310721} "\0\0\0\0\274\0\0\0x\1\24\0`\247\244\\261\353\317\21\206\21\0\240$T \355\1\0\0\0\1\0\0\08\232\24\0\4\0\0\0x\1\24\0\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\24\0\2\0\0\0\13\235_\14\6\7:\342\270\233\24\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0\220\233\24\0\35\267\320\352x\1\24\0\260\233\24\0h\1\24\0\0\0\0\0\0\0\0\0\260\233\24\0P\0\0\0\270\233\24\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\274\325\22\0\372\31\221|P\335\22\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ... {200, 224, reply, 0, 464, 860, 57973, 0} "\7\0\0\0\274\0\0\0x\1\24\0`\247\244\\261\353\317\21\206\21\0\240$T \355\1\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0x\1\24\0\377\377\377\377\5\0\0\0x\1\24\0\0\0\0\0\0\0\24\0\2\0\0\0\13\235_\14\6\7:\342\270\233\24\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0\220\233\24\0\35\267\320\352x\1\24\0\260\233\24\0h\1\24\0\0\0\0\0\0\0\0\0\260\233\24\0P\0\0\0\270\233\24\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\274\325\22\0\372\31\221|P\335\22\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" )  ) == 0x0
 00975   860   NtRequestWaitReplyPort  (128, {32, 56, new_msg, 0, 0, 0, 0, 0}  (128, {32, 56, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\3\0\0`\247\244\\261\353\317\21\206\21\0\240$T \355\377\377\377\377\0\0\0\0" ... {124, 148, reply, 0, 464, 860, 57974, 0} "\2\356Q\200\1\0\0\0\30b\202\201\0\260\375\177\220k\364\367\370\37`\300lk\364\367X\353Q\200\0\0\0\0\0\0\0\0)%\25E?>\A\250\245\22\360\331E\16S\1\300\375\177(l\364\367\253\362Q\200\324k\364\367\300\250U\200aFT\200\0\0\0\0h\242\250\201\0;\251\201\1`\202\201\0\0\0\0\0\376?\300\344\243n\371\20W\271\201\2\0\0\0\240V\271\201\240V\271\201" )  ... {124, 148, reply, 0, 464, 860, 57974, 0}  (128, {32, 56, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\3\0\0`\247\244\\261\353\317\21\206\21\0\240$T \355\377\377\377\377\0\0\0\0" ... {124, 148, reply, 0, 464, 860, 57974, 0} "\2\356Q\200\1\0\0\0\30b\202\201\0\260\375\177\220k\364\367\370\37`\300lk\364\367X\353Q\200\0\0\0\0\0\0\0\0)%\25E?>\A\250\245\22\360\331E\16S\1\300\375\177(l\364\367\253\362Q\200\324k\364\367\300\250U\200aFT\200\0\0\0\0h\242\250\201\0;\251\201\1`\202\201\0\0\0\0\0\376?\300\344\243n\371\20W\271\201\2\0\0\0\240V\271\201\240V\271\201" )  ) == 0x0
 00976   860   NtAllocateVirtualMemory  (-1, 1351680, 0, 4096, 4096, 4, ... 1351680, 4096, ) == 0x0
 00977   860   NtRequestWaitReplyPort  (128, {44, 68, new_msg, 56, 464, 860, 57974, 0}  (128, {44, 68, new_msg, 56, 464, 860, 57974, 0} "\1\356\0\0B\2\5\0\30b\202\201\0\260\375\177\220k\364\367\370\37`\300\377\377\377\377X\353Q\200\1\0\0\0\210\236\24\0\10\5\0\0" ... {40, 64, reply, 0, 464, 860, 57975, 0} "\2\31\221|\4\0\221|\200\300\227|p\31\221|\250$\12\0\330\0\0\0d\365\11\0\0\300\372\177\14\5\0\0\320\371\15\0" )  ... {40, 64, reply, 0, 464, 860, 57975, 0}  (128, {44, 68, new_msg, 56, 464, 860, 57974, 0} "\1\356\0\0B\2\5\0\30b\202\201\0\260\375\177\220k\364\367\370\37`\300\377\377\377\377X\353Q\200\1\0\0\0\210\236\24\0\10\5\0\0" ... {40, 64, reply, 0, 464, 860, 57975, 0} "\2\31\221|\4\0\221|\200\300\227|p\31\221|\250$\12\0\330\0\0\0d\365\11\0\0\300\372\177\14\5\0\0\320\371\15\0" )  ) == 0x0
 00978   860   NtRequestWaitReplyPort  (128, {64, 88, new_msg, 56, 1351024, 1235324, 1351296, 0}  (128, {64, 88, new_msg, 56, 1351024, 1235324, 1351296, 0} "\10\0\0\0@\0\1\10\2\0\0t\330\22\0\210\236\24\0\220\335\22\0\30\356\220|p\5\221|\1\0\0\0\210\236\24\0\14\5\0\0\14\5\0\0\320\371\15\0\0\0\0\0\0\0\0\0\273f\347w" ... {64, 88, reply, 56, 464, 860, 57976, 0} "\10\0\0\0@\0\1\10\2\0\0t\330\22\0\210\236\24\0\220\335\22\0\30\356\220|p\5\221|\1\0\0\0\210\236\24\0\14\5\0\0\14\5\0\0\320\371\15\0\0\0\0\0\0\0\0\0\273f\347w" )  ... {64, 88, reply, 56, 464, 860, 57976, 0}  (128, {64, 88, new_msg, 56, 1351024, 1235324, 1351296, 0} "\10\0\0\0@\0\1\10\2\0\0t\330\22\0\210\236\24\0\220\335\22\0\30\356\220|p\5\221|\1\0\0\0\210\236\24\0\14\5\0\0\14\5\0\0\320\371\15\0\0\0\0\0\0\0\0\0\273f\347w" ... {64, 88, reply, 56, 464, 860, 57976, 0} "\10\0\0\0@\0\1\10\2\0\0t\330\22\0\210\236\24\0\220\335\22\0\30\356\220|p\5\221|\1\0\0\0\210\236\24\0\14\5\0\0\14\5\0\0\320\371\15\0\0\0\0\0\0\0\0\0\273f\347w" )  ) == 0x0
 00979   860   NtRequestWaitReplyPort  (128, {44, 68, new_msg, 56, 464, 860, 57975, 0}  (128, {44, 68, new_msg, 56, 464, 860, 57975, 0} "\1\31\0\0B\2\5\0\200\300\227|p\31\221|\250$\12\0\330\0\0\0\377\377\377\377\0\300\372\177\1\0\0\0\210\236\24\0\10\5\0\0" ... {40, 64, reply, 0, 464, 860, 57977, 0} "\2\356Q\200\4\0\0\0\30b\202\201\0\260\375\177\220k\364\367\370\37`\300lk\364\367X\353Q\200\14\5\0\0\320\371\15\0" )  ... {40, 64, reply, 0, 464, 860, 57977, 0}  (128, {44, 68, new_msg, 56, 464, 860, 57975, 0} "\1\31\0\0B\2\5\0\200\300\227|p\31\221|\250$\12\0\330\0\0\0\377\377\377\377\0\300\372\177\1\0\0\0\210\236\24\0\10\5\0\0" ... {40, 64, reply, 0, 464, 860, 57977, 0} "\2\356Q\200\4\0\0\0\30b\202\201\0\260\375\177\220k\364\367\370\37`\300lk\364\367X\353Q\200\14\5\0\0\320\371\15\0" )  ) == 0x0
 00980   860   NtRequestWaitReplyPort  (128, {64, 88, new_msg, 56, 1351024, 1235324, 1351296, 0}  (128, {64, 88, new_msg, 56, 1351024, 1235324, 1351296, 0} "\10\0\0\0@\0\1\10\2\0\0t\330\22\0\210\236\24\0\220\335\22\0\30\356\220|p\5\221|\1\0\0\0\210\236\24\0\14\5\0\0\14\5\0\0\320\371\15\0\0\0\0\0\0\0\0\0\273f\347w" ... {64, 88, reply, 56, 464, 860, 57978, 0} "\10\0\0\0@\0\1\10\2\0\0t\330\22\0\210\236\24\0\220\335\22\0\30\356\220|p\5\221|\1\0\0\0\210\236\24\0\14\5\0\0\14\5\0\0\320\371\15\0\0\0\0\0\0\0\0\0\273f\347w" )  ... {64, 88, reply, 56, 464, 860, 57978, 0}  (128, {64, 88, new_msg, 56, 1351024, 1235324, 1351296, 0} "\10\0\0\0@\0\1\10\2\0\0t\330\22\0\210\236\24\0\220\335\22\0\30\356\220|p\5\221|\1\0\0\0\210\236\24\0\14\5\0\0\14\5\0\0\320\371\15\0\0\0\0\0\0\0\0\0\273f\347w" ... {64, 88, reply, 56, 464, 860, 57978, 0} "\10\0\0\0@\0\1\10\2\0\0t\330\22\0\210\236\24\0\220\335\22\0\30\356\220|p\5\221|\1\0\0\0\210\236\24\0\14\5\0\0\14\5\0\0\320\371\15\0\0\0\0\0\0\0\0\0\273f\347w" )  ) == 0x0
 00981   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 132, ) }, ... 132, ) == 0x0
 00982   860   NtOpenKey  (0x20019, {24, 132, 0x40, 0, 0,  (0x20019, {24, 132, 0x40, 0, 0, "ActiveComputerName"}, ... 136, ) }, ... 136, ) == 0x0
 00983   860   NtQueryValueKey  (136,  (136, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (136, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Data= (136, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) }, 60, ) == 0x0
 00984   860   NtClose  (136, ... ) == 0x0
 00985   860   NtClose  (132, ... ) == 0x0
 00986   860   NtCreateIoCompletion  (0x1f0003, 0x0, 0, ... 132, ) == 0x0
 00987   860   NtCreateIoCompletion  (0x1f0003, 0x0, -1, ... 136, ) == 0x0
 00988   860   NtDuplicateObject  (-1, 132, -1, 0x0, 0, 2, ... 140, ) == 0x0
 00989   860   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 00990   860   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 144, ) == 0x0
 00991   860   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 00992   860   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 00993   860   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1234784,  (0xc0100080, {24, 0, 0x40, 0, 1234784, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 148, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 148, {status=0x0, info=1}, ) == 0x0
 00994   860   NtSetInformationFile  (148, 1234840, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 00995   860   NtSetInformationFile  (148, 1234828, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 00996   860   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 00997   860   NtWriteFile  (148, 117, 0, 0,  (148, 117, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 00998   860   NtReadFile  (148, 117, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (148, 117, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20,+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 00999   860   NtFsControlFile  (148, 117, 0x0, 0x0, 0x11c017,  (148, 117, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\336\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20,+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (148, 117, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\336\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20,+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01000   860   NtFsControlFile  (148, 117, 0x0, 0x0, 0x11c017,  (148, 117, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\214\0\0\0\2\0\0\0t\0\0\0\0\0D\0\0\0\0\0\24\316\274T\274\235tH\233\354\372\234W@\301\22\1\0\0\0\1\0\0\0,\0.\0\334\340\22\0\27\0\0\0\0\0\0\0\26\0\0\0V\0I\0R\0T\0U\0A\0L\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 140, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\24\316\274T\274\235tH\233\354\372\234W@\301\22\0\0\0\0", ) , 140, 1024, ... {status=0x103, info=48},  (148, 117, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\214\0\0\0\2\0\0\0t\0\0\0\0\0D\0\0\0\0\0\24\316\274T\274\235tH\233\354\372\234W@\301\22\1\0\0\0\1\0\0\0,\0.\0\334\340\22\0\27\0\0\0\0\0\0\0\26\0\0\0V\0I\0R\0T\0U\0A\0L\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 140, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\24\316\274T\274\235tH\233\354\372\234W@\301\22\0\0\0\0", ) , ) == 0x103
 01001   860   NtFsControlFile  (148, 117, 0x0, 0x0, 0x11c017,  (148, 117, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\24\316\274T\274\235tH\233\354\372\234W@\301\22", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\250\251\24\0\1\0\0\0\264\251\24\0 \0\0\0\1\0\0\0\16\0\20\0\300\251\24\0\320\251\24\0\10\0\0\0\0\0\0\0\7\0\0\0V\0I\0R\0T\0U\0A\0L\0\0\5\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\1\0\0\0\20\252\24\0\1\0\0\0\1\0\0\0 \252\24\0\0\0\0\0\0\0\0\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\353\3\0\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=180},  (148, 117, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\24\316\274T\274\235tH\233\354\372\234W@\301\22", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\250\251\24\0\1\0\0\0\264\251\24\0 \0\0\0\1\0\0\0\16\0\20\0\300\251\24\0\320\251\24\0\10\0\0\0\0\0\0\0\7\0\0\0V\0I\0R\0T\0U\0A\0L\0\0\5\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\1\0\0\0\20\252\24\0\1\0\0\0\1\0\0\0 \252\24\0\0\0\0\0\0\0\0\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\353\3\0\0\1\0\0\0\0\0\0\0", ) , ) == 0x103
 01002   860   NtClose  (144, ... ) == 0x0
 01003   860   NtClose  (148, ... ) == 0x0
 01004   860   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01005   860   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 148, ) == 0x0
 01006   860   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01007   860   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01008   860   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1234756,  (0xc0100080, {24, 0, 0x40, 0, 1234756, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 144, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 144, {status=0x0, info=1}, ) == 0x0
 01009   860   NtSetInformationFile  (144, 1234812, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01010   860   NtSetInformationFile  (144, 1234800, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01011   860   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01012   860   NtWriteFile  (144, 117, 0, 0,  (144, 117, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01013   860   NtReadFile  (144, 117, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (144, 117, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20-+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01014   860   NtFsControlFile  (144, 117, 0x0, 0x0, 0x11c017,  (144, 117, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\14\336\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20-+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (144, 117, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\14\336\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20-+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01015   860   NtFsControlFile  (144, 117, 0x0, 0x0, 0x11c017,  (144, 117, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\214\0\0\0\2\0\0\0t\0\0\0\0\0D\0\0\0\0\0\2169\4V\276h{J\225\236o\243\366\340=\216\1\0\0\0\1\0\0\0,\0.\0\334\340\22\0\27\0\0\0\0\0\0\0\26\0\0\0V\0I\0R\0T\0U\0A\0L\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 140, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\2169\4V\276h{J\225\236o\243\366\340=\216\0\0\0\0", ) , 140, 1024, ... {status=0x103, info=48},  (144, 117, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\214\0\0\0\2\0\0\0t\0\0\0\0\0D\0\0\0\0\0\2169\4V\276h{J\225\236o\243\366\340=\216\1\0\0\0\1\0\0\0,\0.\0\334\340\22\0\27\0\0\0\0\0\0\0\26\0\0\0V\0I\0R\0T\0U\0A\0L\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 140, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\2169\4V\276h{J\225\236o\243\366\340=\216\0\0\0\0", ) , ) == 0x103
 01016   860   NtFsControlFile  (144, 117, 0x0, 0x0, 0x11c017,  (144, 117, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\2169\4V\276h{J\225\236o\243\366\340=\216", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\250\251\24\0\1\0\0\0\264\251\24\0 \0\0\0\1\0\0\0\16\0\20\0\300\251\24\0\320\251\24\0\10\0\0\0\0\0\0\0\7\0\0\0V\0I\0R\0T\0U\0A\0L\0\0\5\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\1\0\0\0\20\252\24\0\1\0\0\0\1\0\0\0 \252\24\0\0\0\0\0\0\0\0\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\353\3\0\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=180},  (144, 117, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\2169\4V\276h{J\225\236o\243\366\340=\216", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\250\251\24\0\1\0\0\0\264\251\24\0 \0\0\0\1\0\0\0\16\0\20\0\300\251\24\0\320\251\24\0\10\0\0\0\0\0\0\0\7\0\0\0V\0I\0R\0T\0U\0A\0L\0\0\5\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\1\0\0\0\20\252\24\0\1\0\0\0\1\0\0\0 \252\24\0\0\0\0\0\0\0\0\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\353\3\0\0\1\0\0\0\0\0\0\0", ) , ) == 0x103
 01017   860   NtClose  (148, ... ) == 0x0
 01018   860   NtClose  (144, ... ) == 0x0
 01019   860   NtOpenProcessToken  (-1, 0x20008, ... 144, ) == 0x0
 01020   860   NtQueryInformationToken  (144, User, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 01021   860   NtQueryInformationToken  (144, User, 36, ... {token info, class 1, size 36}, 36, ) == 0x0
 01022   860   NtOpenDirectoryObject  (0x2, {24, 0, 0x40, 0, 0,  (0x2, {24, 0, 0x40, 0, 0, "\Windows\WindowStations"}, ... 148, ) }, ... 148, ) == 0x0
 01023   860   NtUserOpenWindowStation  ({24, 148, 0x40, 0, 0,  ({24, 148, 0x40, 0, 0, "winsta0"}, 0x37f, ... ) }, 0x37f, ... ) == 0x98
 01024   860   NtClose  (148, ... ) == 0x0
 01025   860   NtUserCloseWindowStation  (152, ...
 01026   860   NtClose  (152, ... ) == 0x0
 01025   860   NtUserCloseWindowStation  ... ) == 0x1
 01027   860   NtClose  (144, ... ) == 0x0
 01028   860   NtCreateEvent  (0x1f0003, {24, 0, 0x2, 0, 0, 0x0}, 1, 0, ... 144, ) == 0x0
 01029   860   NtCreateEvent  (0x1f0003, {24, 0, 0x2, 0, 0, 0x0}, 1, 0, ... 152, ) == 0x0
 01030   860   NtCreateMutant  (0x1f0001, {24, 0, 0x2, 0, 0, 0x0}, 0, ... 148, ) == 0x0
 01031   860   NtDuplicateObject  (-1, -1, -1, 0x1f0fff, 2, 0, ... 156, ) == 0x0
 01032   860   NtCreateSection  (0xf0007, {24, 0, 0x2, 0, 0, 0x0}, {7248, 0}, 4, 134217728, 0, ... 160, ) == 0x0
 01033   860   NtMapViewOfSection  (160, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3d0000), {0, 0}, 8192, ) == 0x0
 01034   860   NtQueryDefaultUILanguage  (1235448, ...
 01035   860   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01036   860   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482740, ) == 0x0
 01037   860   NtQueryInformationToken  (-2147482740, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01038   860   NtClose  (-2147482740, ... ) == 0x0
 01039   860   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0
 01040   860   NtOpenKey  (0x80000000, {24, -2147482740, 0x240, 0, 0,  (0x80000000, {24, -2147482740, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01041   860   NtOpenKey  (0x80000000, {24, -2147482740, 0x640, 0, 0,  (0x80000000, {24, -2147482740, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481328, ) }, ... -2147481328, ) == 0x0
 01042   860   NtQueryValueKey  (-2147481328,  (-2147481328, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01043   860   NtClose  (-2147481328, ... ) == 0x0
 01044   860   NtClose  (-2147482740, ... ) == 0x0
 01034   860   NtQueryDefaultUILanguage  ... ) == 0x0
 01045   860   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01046   860   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01047   860   NtAllocateVirtualMemory  (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0
 01048   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1233692, ... ) }, 1233692, ... ) == 0x0
 01049   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1232464, ... ) }, 1232464, ... ) == 0x0
 01050   860   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01051   860   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01052   860   NtCreateFile  (0x10100080, {24, 0, 0x40, 0, 1234800,  (0x10100080, {24, 0, 0x40, 0, 1234800, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\95d_appcompat.txt"}, 0x0, 128, 0, 2, 96, 0, 0, ... }, 0x0, 128, 0, 2, 96, 0, 0, ...
 01053   860   NtQueryDirectoryFile  (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1,  (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1, "DOCUME~1", 1, ... {status=0x0, info=56}, ) , 1, ... {status=0x0, info=56}, ) == 0x0
 01054   860   NtClose  (-2147482740, ... ) == 0x0
 01055   860   NtQueryDirectoryFile  (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1,  (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1, "MARTIM~1", 1, ... {status=0x0, info=40}, ) , 1, ... {status=0x0, info=40}, ) == 0x0
 01056   860   NtClose  (-2147482740, ... ) == 0x0
 01057   860   NtQueryDirectoryFile  (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1,  (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1, "LOCALS~1", 1, ... {status=0x0, info=40}, ) , 1, ... {status=0x0, info=40}, ) == 0x0
 01058   860   NtClose  (-2147482740, ... ) == 0x0
 01052   860   NtCreateFile  ... 164, {status=0x0, info=2}, ) == 0x0
 01059   860   NtClose  (164, ... ) == 0x0
 01060   860   NtCreateSection  (0xf001f, 0x0, {4194304, 0}, 4, 67108864, 0, ... 164, ) == 0x0
 01061   860   NtMapViewOfSection  (164, -1, (0x0), 0, 0, 0x0, 4194304, 2, 0, 4, ... (0xa90000), 0x0, 4194304, ) == 0x0
 01062   860   NtAllocateVirtualMemory  (-1, 11075584, 0, 1, 4096, 4, ... 11075584, 4096, ) == 0x0
 01063   860   NtAllocateVirtualMemory  (-1, 11079680, 0, 1968, 4096, 4, ... 11079680, 4096, ) == 0x0
 01064   860   NtCreateSection  (0xf0007, 0x0, {22396, 0}, 4, 134217728, 0, ... 168, ) == 0x0
 01065   860   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01066   860   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01067   860   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01068   860   NtClose  (164, ... ) == 0x0
 01069   860   NtUnmapViewOfSection  (-1, 0xa90000, ... ) == 0x0
 01070   860   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01071   860   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01072   860   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01073   860   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01074   860   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01075   860   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01076   860   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01077   860   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01078   860   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01079   860   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01080   860   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01081   860   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01082   860   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01083   860   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01084   860   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01085   860   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01086   860   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01087   860   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01088   860   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01089   860   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01090   860   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01091   860   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01092   860   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01093   860   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01094   860   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01095   860   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01096   860   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01097   860   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01098   860   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01099   860   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01100   860   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01101   860   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01102   860   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01103   860   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01104   860   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01105   860   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01106   860   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01107   860   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01108   860   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01109   860   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01110   860   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01111   860   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01112   860   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01113   860   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01114   860   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01115   860   NtClose  (168, ... ) == 0x0
 01116   860   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01117   860   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\u:"}, 3, 96, ... 168, {status=0x0, info=1}, ) }, 3, 96, ... 168, {status=0x0, info=1}, ) == 0x0
 01118   860   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\u:"}, ... 164, ) }, ... 164, ) == 0x0
 01119   860   NtQuerySymbolicLinkObject  (164, ...  (164, ... "\Device\WinDfs\U:0000000000009f43", 66, ) , 66, ) == 0x0
 01120   860   NtClose  (164, ... ) == 0x0
 01121   860   NtQueryVolumeInformationFile  (168, 1234016, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01122   860   NtClose  (168, ... ) == 0x0
 01123   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\apphelp.dll"}, 1232812, ... ) }, 1232812, ... ) == 0x0
 01124   860   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\apphelp.dll"}, 5, 96, ... 168, {status=0x0, info=1}, ) }, 5, 96, ... 168, {status=0x0, info=1}, ) == 0x0
 01125   860   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 168, ... 164, ) == 0x0
 01126   860   NtClose  (168, ... ) == 0x0
 01127   860   NtMapViewOfSection  (164, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x3e0000), 0x0, 126976, ) == 0x0
 01128   860   NtClose  (164, ... ) == 0x0
 01129   860   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01130   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\apphelp.dll"}, 1233120, ... ) }, 1233120, ... ) == 0x0
 01131   860   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\apphelp.dll"}, 5, 96, ... 164, {status=0x0, info=1}, ) }, 5, 96, ... 164, {status=0x0, info=1}, ) == 0x0
 01132   860   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 164, ... 168, ) == 0x0
 01133   860   NtQuerySection  (168, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01134   860   NtClose  (164, ... ) == 0x0
 01135   860   NtMapViewOfSection  (168, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77b40000), 0x0, 139264, ) == 0x0
 01136   860   NtClose  (168, ... ) == 0x0
 01137   860   NtProtectVirtualMemory  (-1, (0x77b41000), 524, 4, ... (0x77b41000), 4096, 32, ) == 0x0
 01138   860   NtProtectVirtualMemory  (-1, (0x77b41000), 4096, 32, ... (0x77b41000), 4096, 4, ) == 0x0
 01139   860   NtFlushInstructionCache  (-1, 2008289280, 524, ... ) == 0x0
 01140   860   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\apphelp.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01141   860   NtAllocateVirtualMemory  (-1, 1355776, 0, 12288, 4096, 4, ... 1355776, 12288, ) == 0x0
 01142   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1234508, ... ) }, 1234508, ... ) == 0x0
 01143   860   NtCreateFile  (0x40100080, {24, 0, 0x40, 0, 1234516,  (0x40100080, {24, 0, 0x40, 0, 1234516, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\95d_appcompat.txt"}, 0x0, 128, 0, 5, 96, 0, 0, ... }, 0x0, 128, 0, 5, 96, 0, 0, ...
 01144   860   NtClose  (-2147482740, ... ) == 0x0
 01145   860   NtQueryDirectoryFile  (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1,  (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1, "DOCUME~1", 1, ... {status=0x0, info=56}, ) , 1, ... {status=0x0, info=56}, ) == 0x0
 01146   860   NtClose  (-2147482740, ... ) == 0x0
 01147   860   NtQueryDirectoryFile  (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1,  (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1, "MARTIM~1", 1, ... {status=0x0, info=40}, ) , 1, ... {status=0x0, info=40}, ) == 0x0
 01148   860   NtClose  (-2147482740, ... ) == 0x0
 01149   860   NtQueryDirectoryFile  (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1,  (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1, "LOCALS~1", 1, ... {status=0x0, info=40}, ) , 1, ... {status=0x0, info=40}, ) == 0x0
 01150   860   NtClose  (-2147482740, ... ) == 0x0
 01143   860   NtCreateFile  ... 168, {status=0x0, info=3}, ) == 0x0
 01151   860   NtAllocateVirtualMemory  (-1, 1368064, 0, 12288, 4096, 4, ... 1368064, 12288, ) == 0x0
 01152   860   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work\"}, 3, 16417, ... 164, {status=0x0, info=1}, ) }, 3, 16417, ... 164, {status=0x0, info=1}, ) == 0x0
 01153   860   NtQueryDirectoryFile  (164, 0, 0, 0, 1233220, 616, BothDirectory, 1,  (164, 0, 0, 0, 1233220, 616, BothDirectory, 1, "packed.exe", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0
 01154   860   NtWriteFile  (168, 0, 0, 0,  (168, 0, 0, 0, "\377\376", 2, 0x0, 0, ... {status=0x0, info=2}, ) , 2, 0x0, 0, ... {status=0x0, info=2}, ) == 0x0
 01155   860   NtWriteFile  (168, 0, 0, 0,  (168, 0, 0, 0, "<\0?\0x\0m\0l\0 \0v\0e\0r\0s\0i\0o\0n\0=\0"\01\0.\00\0"\0 \0e\0n\0c\0o\0d\0i\0n\0g\0=\0"\0U\0T\0F\0-\01\06\0"\0?\0>\0\15\0\12\0<\0D\0A\0T\0A\0B\0A\0S\0E\0>\0\15\0\12\0", 106, 0x0, 0, ... {status=0x0, info=106}, ) \01\0.\00\0 (168, 0, 0, 0, "<\0?\0x\0m\0l\0 \0v\0e\0r\0s\0i\0o\0n\0=\0"\01\0.\00\0"\0 \0e\0n\0c\0o\0d\0i\0n\0g\0=\0"\0U\0T\0F\0-\01\06\0"\0?\0>\0\15\0\12\0<\0D\0A\0T\0A\0B\0A\0S\0E\0>\0\15\0\12\0", 106, 0x0, 0, ... {status=0x0, info=106}, ) \0U\0T\0F\0-\01\06\0 (168, 0, 0, 0, "<\0?\0x\0m\0l\0 \0v\0e\0r\0s\0i\0o\0n\0=\0"\01\0.\00\0"\0 \0e\0n\0c\0o\0d\0i\0n\0g\0=\0"\0U\0T\0F\0-\01\06\0"\0?\0>\0\15\0\12\0<\0D\0A\0T\0A\0B\0A\0S\0E\0>\0\15\0\12\0", 106, 0x0, 0, ... {status=0x0, info=106}, ) , 106, 0x0, 0, ... {status=0x0, info=106}, ) == 0x0
 01156   860   NtWriteFile  (168, 0, 0, 0,  (168, 0, 0, 0, "<\0E\0X\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0F\0I\0L\0T\0E\0R\0=\0"\0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0"\0>\0\15\0\12\0", 122, 0x0, 0, ... {status=0x0, info=122}, ) \0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0 (168, 0, 0, 0, "<\0E\0X\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0F\0I\0L\0T\0E\0R\0=\0"\0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0"\0>\0\15\0\12\0", 122, 0x0, 0, ... {status=0x0, info=122}, ) \0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0 (168, 0, 0, 0, "<\0E\0X\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0F\0I\0L\0T\0E\0R\0=\0"\0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0"\0>\0\15\0\12\0", 122, 0x0, 0, ... {status=0x0, info=122}, ) , 122, 0x0, 0, ... {status=0x0, info=122}, ) == 0x0
 01157   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1233600, ... ) }, 1233600, ... ) == 0x0
 01158   860   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work"}, 3, 16417, ... 172, {status=0x0, info=1}, ) }, 3, 16417, ... 172, {status=0x0, info=1}, ) == 0x0
 01159   860   NtQueryDirectoryFile  (172, 0, 0, 0, 1233212, 592, Directory, 1,  (172, 0, 0, 0, 1233212, 592, Directory, 1, "packed.exe", 0, ... {status=0x0, info=84}, ) , 0, ... {status=0x0, info=84}, ) == 0x0
 01160   860   NtClose  (172, ... ) == 0x0
 01161   860   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01162   860   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01163   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1232132, ... ) }, 1232132, ... ) == 0x0
 01164   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1230904, ... ) }, 1230904, ... ) == 0x0
 01165   860   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01166   860   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01167   860   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 0x0, 128, 1, 1, 96, 0, 0, ... 172, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 172, {status=0x0, info=1}, ) == 0x0
 01168   860   NtQueryInformationFile  (172, 1233688, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01169   860   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 172, ... 176, ) == 0x0
 01170   860   NtMapViewOfSection  (176, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xa90000), 0x0, 188416, ) == 0x0
 01171   860   NtUnmapViewOfSection  (-1, 0xa90000, ... ) == 0x0
 01172   860   NtClose  (176, ... ) == 0x0
 01173   860   NtClose  (172, ... ) == 0x0
 01174   860   NtWriteFile  (168, 0, 0, 0,  (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\01\08\08\04\01\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\01\03\08\07\07\0E\01\06\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\02\09\04\0A\06\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... \0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0 (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\01\08\08\04\01\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\01\03\08\07\07\0E\01\06\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\02\09\04\0A\06\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... \01\08\08\04\01\06\0 (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\01\08\08\04\01\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\01\03\08\07\07\0E\01\06\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\02\09\04\0A\06\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... \00\0x\01\03\08\07\07\0E\01\06\0 (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\01\08\08\04\01\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\01\03\08\07\07\0E\01\06\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\02\09\04\0A\06\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... \0W\0I\0N\03\02\0 (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\01\08\08\04\01\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\01\03\08\07\07\0E\01\06\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\02\09\04\0A\06\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... \00\0x\02\09\04\0A\06\0 (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\01\08\08\04\01\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\01\03\08\07\07\0E\01\06\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\02\09\04\0A\06\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... \00\0x\00\0 (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\01\08\08\04\01\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\01\03\08\07\07\0E\01\06\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\02\09\04\0A\06\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... \01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0 (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\01\08\08\04\01\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\01\03\08\07\07\0E\01\06\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\02\09\04\0A\06\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... \01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0 (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\01\08\08\04\01\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\01\03\08\07\07\0E\01\06\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\02\09\04\0A\06\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... , 418, 0x0, 0, ...
 01175   860   NtContinue  (-106648108, 0, ...
 01174   860   NtWriteFile  ... {status=0x0, info=418}, ) == 0x0
 01176   860   NtQueryDirectoryFile  (164, 0, 0, 0, 1371248, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES
 01177   860   NtClose  (164, ... ) == 0x0
 01178   860   NtWriteFile  (168, 0, 0, 0,  (168, 0, 0, 0, "<\0/\0E\0X\0E\0>\0\15\0\12\0", 16, 0x0, 0, ... {status=0x0, info=16}, ) , 16, 0x0, 0, ... {status=0x0, info=16}, ) == 0x0
 01179   860   NtClose  (168, ... ) == 0x0
 01180   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\kernel32.dll"}, 1234508, ... ) }, 1234508, ... ) == 0x0
 01181   860   NtCreateFile  (0x40100080, {24, 0, 0x40, 0, 1234516,  (0x40100080, {24, 0, 0x40, 0, 1234516, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\95d_appcompat.txt"}, 0x0, 128, 0, 3, 96, 0, 0, ... 168, {status=0x0, info=1}, ) }, 0x0, 128, 0, 3, 96, 0, 0, ... 168, {status=0x0, info=1}, ) == 0x0
 01182   860   NtQueryInformationFile  (168, 1234540, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01183   860   NtSetInformationFile  (168, 1234572, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01184   860   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\"}, 3, 16417, ... 164, {status=0x0, info=1}, ) }, 3, 16417, ... 164, {status=0x0, info=1}, ) == 0x0
 01185   860   NtQueryDirectoryFile  (164, 0, 0, 0, 1233220, 616, BothDirectory, 1,  (164, 0, 0, 0, 1233220, 616, BothDirectory, 1, "kernel32.dll", 0, ... {status=0x0, info=118}, ) , 0, ... {status=0x0, info=118}, ) == 0x0
 01186   860   NtWriteFile  (168, 0, 0, 0,  (168, 0, 0, 0, "<\0E\0X\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0F\0I\0L\0T\0E\0R\0=\0"\0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0"\0>\0\15\0\12\0", 126, 0x0, 0, ... {status=0x0, info=126}, ) \0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0 (168, 0, 0, 0, "<\0E\0X\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0F\0I\0L\0T\0E\0R\0=\0"\0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0"\0>\0\15\0\12\0", 126, 0x0, 0, ... {status=0x0, info=126}, ) \0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0 (168, 0, 0, 0, "<\0E\0X\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0F\0I\0L\0T\0E\0R\0=\0"\0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0"\0>\0\15\0\12\0", 126, 0x0, 0, ... {status=0x0, info=126}, ) , 126, 0x0, 0, ... {status=0x0, info=126}, ) == 0x0
 01187   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\kernel32.dll"}, 1233572, ... ) }, 1233572, ... ) == 0x0
 01188   860   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32"}, 3, 16417, ... 172, {status=0x0, info=1}, ) }, 3, 16417, ... 172, {status=0x0, info=1}, ) == 0x0
 01189   860   NtQueryDirectoryFile  (172, 0, 0, 0, 1233212, 592, Directory, 1,  (172, 0, 0, 0, 1233212, 592, Directory, 1, "kernel32.dll", 0, ... {status=0x0, info=88}, ) , 0, ... {status=0x0, info=88}, ) == 0x0
 01190   860   NtClose  (172, ... ) == 0x0
 01191   860   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01192   860   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01193   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\kernel32.dll"}, 1232132, ... ) }, 1232132, ... ) == 0x0
 01194   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\kernel32.dll"}, 1230904, ... ) }, 1230904, ... ) == 0x0
 01195   860   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01196   860   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01197   860   NtQueryDefaultLocale  (1, 1233092, ... ) == 0x0
 01198   860   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01199   860   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01200   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\kernel32.dll"}, 1232124, ... ) }, 1232124, ... ) == 0x0
 01201   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\kernel32.dll"}, 1230896, ... ) }, 1230896, ... ) == 0x0
 01202   860   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01203   860   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01204   860   NtQueryDefaultLocale  (1, 1233084, ... ) == 0x0
 01205   860   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\kernel32.dll"}, 0x0, 128, 1, 1, 96, 0, 0, ... 172, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 172, {status=0x0, info=1}, ) == 0x0
 01206   860   NtQueryInformationFile  (172, 1233688, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01207   860   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 172, ... 176, ) == 0x0
 01208   860   NtMapViewOfSection  (176, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xa90000), 0x0, 987136, ) == 0x0
 01209   860   NtUnmapViewOfSection  (-1, 0xa90000, ... ) == 0x0
 01210   860   NtClose  (176, ... ) == 0x0
 01211   860   NtClose  (172, ... ) == 0x0
 01212   860   NtQueryDefaultUILanguage  (1233044, ...
 01213   860   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01214   860   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482740, ) == 0x0
 01215   860   NtQueryInformationToken  (-2147482740, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01216   860   NtClose  (-2147482740, ... ) == 0x0
 01217   860   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0
 01218   860   NtOpenKey  (0x80000000, {24, -2147482740, 0x240, 0, 0,  (0x80000000, {24, -2147482740, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01219   860   NtOpenKey  (0x80000000, {24, -2147482740, 0x640, 0, 0,  (0x80000000, {24, -2147482740, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481328, ) }, ... -2147481328, ) == 0x0
 01220   860   NtQueryValueKey  (-2147481328,  (-2147481328, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01221   860   NtClose  (-2147481328, ... ) == 0x0
 01222   860   NtClose  (-2147482740, ... ) == 0x0
 01212   860   NtQueryDefaultUILanguage  ... ) == 0x0
 01223   860   NtWriteFile  (168, 0, 0, 0,  (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\08\04\05\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0F\00\0B\03\03\01\0F\06\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) \0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0 (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\08\04\05\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0F\00\0B\03\03\01\0F\06\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) \09\08\04\05\07\06\0 (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\08\04\05\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0F\00\0B\03\03\01\0F\06\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) \00\0x\0F\00\0B\03\03\01\0F\06\0 (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\08\04\05\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0F\00\0B\03\03\01\0F\06\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) \05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0 (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\08\04\05\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0F\00\0B\03\03\01\0F\06\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) \05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0 (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\08\04\05\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0F\00\0B\03\03\01\0F\06\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) \05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0 (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\08\04\05\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0F\00\0B\03\03\01\0F\06\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) \0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0 (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\08\04\05\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0F\00\0B\03\03\01\0F\06\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) \0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) == 0x0
 01224   860   NtQueryDirectoryFile  (164, 0, 0, 0, 1362544, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES
 01225   860   NtClose  (164, ... ) == 0x0
 01226   860   NtWriteFile  (168, 0, 0, 0,  (168, 0, 0, 0, "<\0/\0E\0X\0E\0>\0\15\0\12\0<\0/\0D\0A\0T\0A\0B\0A\0S\0E\0>\0\15\0\12\0", 42, 0x0, 0, ... {status=0x0, info=42}, ) , 42, 0x0, 0, ... {status=0x0, info=42}, ) == 0x0
 01227   860   NtClose  (168, ... ) == 0x0
 01228   860   NtUnmapViewOfSection  (-1, 0x77b40000, ... ) == 0x0
 01229   860   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 01230   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1231780, ... ) }, 1231780, ... ) == 0x0
 01231   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1232516, ... ) }, 1232516, ... ) == 0x0
 01232   860   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 5, 96, ... 168, {status=0x0, info=1}, ) }, 5, 96, ... 168, {status=0x0, info=1}, ) == 0x0
 01233   860   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 168, ... 164, ) == 0x0
 01234   860   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01235   860   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 172, ) }, ... 172, ) == 0x0
 01236   860   NtQueryValueKey  (172,  (172, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01237   860   NtClose  (172, ... ) == 0x0
 01238   860   NtQueryVolumeInformationFile  (168, 1231792, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01239   860   NtOpenMutant  (0x120001, {24, 48, 0x0, 0, 0,  (0x120001, {24, 48, 0x0, 0, 0, "ShimCacheMutex"}, ... 172, ) }, ... 172, ) == 0x0
 01240   860   NtWaitForSingleObject  (172, 0, {-1000000, -1}, ... ) == 0x0
 01241   860   NtOpenSection  (0x2, {24, 48, 0x0, 0, 0,  (0x2, {24, 48, 0x0, 0, 0, "ShimSharedMemory"}, ... 176, ) }, ... 176, ) == 0x0
 01242   860   NtMapViewOfSection  (176, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 57344, ) == 0x0
 01243   860   NtReleaseMutant  (172, ... 0x0, ) == 0x0
 01244   860   NtAllocateVirtualMemory  (-1, 1220608, 0, 4096, 4096, 260, ... 1220608, 4096, ) == 0x0
 01245   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1229724, ... ) }, 1229724, ... ) == 0x0
 01246   860   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 180, {status=0x0, info=1}, ) }, 5, 96, ... 180, {status=0x0, info=1}, ) == 0x0
 01247   860   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 180, ... 184, ) == 0x0
 01248   860   NtClose  (180, ... ) == 0x0
 01249   860   NtMapViewOfSection  (184, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa90000), 0x0, 126976, ) == 0x0
 01250   860   NtClose  (184, ... ) == 0x0
 01251   860   NtUnmapViewOfSection  (-1, 0xa90000, ... ) == 0x0
 01252   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1230032, ... ) }, 1230032, ... ) == 0x0
 01253   860   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 184, {status=0x0, info=1}, ) }, 5, 96, ... 184, {status=0x0, info=1}, ) == 0x0
 01254   860   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 184, ... 180, ) == 0x0
 01255   860   NtQuerySection  (180, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01256   860   NtClose  (184, ... ) == 0x0
 01257   860   NtMapViewOfSection  (180, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77b40000), 0x0, 139264, ) == 0x0
 01258   860   NtClose  (180, ... ) == 0x0
 01259   860   NtProtectVirtualMemory  (-1, (0x77b41000), 524, 4, ... (0x77b41000), 4096, 32, ) == 0x0
 01260   860   NtProtectVirtualMemory  (-1, (0x77b41000), 4096, 32, ... (0x77b41000), 4096, 4, ) == 0x0
 01261   860   NtFlushInstructionCache  (-1, 2008289280, 524, ... ) == 0x0
 01262   860   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Apphelp.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01263   860   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 180, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 180, {status=0x0, info=1}, ) == 0x0
 01264   860   NtQueryInformationFile  (180, 1230048, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01265   860   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 180, ... 184, ) == 0x0
 01266   860   NtMapViewOfSection  (184, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xa90000), 0x0, 1191936, ) == 0x0
 01267   860   NtQueryInformationFile  (180, 1230148, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01268   860   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01269   860   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01270   860   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 01271   860   NtOpenKey  (0x101, {24, 0, 0x40, 0, 0,  (0x101, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\WPA\TabletPC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01272   860   NtOpenKey  (0x101, {24, 0, 0x40, 0, 0,  (0x101, {24, 0, 0x40, 0, 0, "\Registry\Machine\SYSTEM\WPA\MediaCenter"}, ... 188, ) }, ... 188, ) == 0x0
 01273   860   NtQueryValueKey  (188,  (188, "Installed", Partial, 256, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 256, ... TitleIdx=0, Type=4, Data= (188, "Installed", Partial, 256, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01274   860   NtClose  (188, ... ) == 0x0
 01275   860   NtCreateFile  (0x120116, {24, 0, 0x40, 0, 0,  (0x120116, {24, 0, 0x40, 0, 0, "\Device\NamedPipe\ShimViewer"}, 0x0, 128, 0, 1, 0, 0, 0, ... ) }, 0x0, 128, 0, 1, 0, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01276   860   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\"}, 3, 16417, ... 188, {status=0x0, info=1}, ) }, 3, 16417, ... 188, {status=0x0, info=1}, ) == 0x0
 01277   860   NtQueryDirectoryFile  (188, 0, 0, 0, 1227744, 616, BothDirectory, 1,  (188, 0, 0, 0, 1227744, 616, BothDirectory, 1, "dwwin.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 01278   860   NtClose  (188, ... ) == 0x0
 01279   860   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01280   860   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01281   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1228120, ... ) }, 1228120, ... ) == 0x0
 01282   860   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 188, {status=0x0, info=1}, ) }, 3, 16417, ... 188, {status=0x0, info=1}, ) == 0x0
 01283   860   NtQueryDirectoryFile  (188, 0, 0, 0, 1227548, 616, BothDirectory, 1,  (188, 0, 0, 0, 1227548, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01284   860   NtClose  (188, ... ) == 0x0
 01285   860   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 188, {status=0x0, info=1}, ) }, 3, 16417, ... 188, {status=0x0, info=1}, ) == 0x0
 01286   860   NtQueryDirectoryFile  (188, 0, 0, 0, 1227548, 616, BothDirectory, 1,  (188, 0, 0, 0, 1227548, 616, BothDirectory, 1, "system32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01287   860   NtClose  (188, ... ) == 0x0
 01288   860   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\"}, 3, 16417, ... 188, {status=0x0, info=1}, ) }, 3, 16417, ... 188, {status=0x0, info=1}, ) == 0x0
 01289   860   NtQueryDirectoryFile  (188, 0, 0, 0, 1227548, 616, BothDirectory, 1,  (188, 0, 0, 0, 1227548, 616, BothDirectory, 1, "dwwin.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 01290   860   NtClose  (188, ... ) == 0x0
 01291   860   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01292   860   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01293   860   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01294   860   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01295   860   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01296   860   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 188, ) == 0x0
 01297   860   NtQueryInformationToken  (188, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01298   860   NtClose  (188, ... ) == 0x0
 01299   860   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01300   860   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\dwwin.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01301   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1228952, ... ) }, 1228952, ... ) == 0x0
 01302   860   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01303   860   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01304   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1227820, ... ) }, 1227820, ... ) == 0x0
 01305   860   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 5, 96, ... 188, {status=0x0, info=1}, ) }, 5, 96, ... 188, {status=0x0, info=1}, ) == 0x0
 01306   860   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 188, ... 192, ) == 0x0
 01307   860   NtClose  (188, ... ) == 0x0
 01308   860   NtMapViewOfSection  (192, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xbc0000), 0x0, 180224, ) == 0x0
 01309   860   NtClose  (192, ... ) == 0x0
 01310   860   NtUnmapViewOfSection  (-1, 0xbc0000, ... ) == 0x0
 01311   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1227416, ... ) }, 1227416, ... ) == 0x0
 01312   860   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1228160,  (0x80100080, {24, 0, 0x40, 0, 1228160, "\??\C:\WINDOWS\system32\dwwin.exe"}, 0x0, 0, 5, 1, 96, 0, 0, ... 192, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 192, {status=0x0, info=1}, ) == 0x0
 01313   860   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 192, ... 188, ) == 0x0
 01314   860   NtClose  (192, ... ) == 0x0
 01315   860   NtMapViewOfSection  (188, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xbc0000), {0, 0}, 180224, ) == 0x0
 01316   860   NtClose  (188, ... ) == 0x0
 01317   860   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01318   860   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01319   860   NtQueryDefaultLocale  (1, 1228780, ... ) == 0x0
 01320   860   NtQueryVirtualMemory  (-1, 0xbc0000, Basic, 28, ... {BaseAddress=0xbc0000,AllocationBase=0xbc0000,AllocationProtect=0x2,RegionSize=0x2c000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01321   860   NtQueryVirtualMemory  (-1, 0xbc0000, Basic, 28, ... {BaseAddress=0xbc0000,AllocationBase=0xbc0000,AllocationProtect=0x2,RegionSize=0x2c000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01322   860   NtUnmapViewOfSection  (-1, 0xbc0000, ... ) == 0x0
 01323   860   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01324   860   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01325   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1227812, ... ) }, 1227812, ... ) == 0x0
 01326   860   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 5, 96, ... 188, {status=0x0, info=1}, ) }, 5, 96, ... 188, {status=0x0, info=1}, ) == 0x0
 01327   860   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 188, ... 192, ) == 0x0
 01328   860   NtClose  (188, ... ) == 0x0
 01329   860   NtMapViewOfSection  (192, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xbc0000), 0x0, 180224, ) == 0x0
 01330   860   NtClose  (192, ... ) == 0x0
 01331   860   NtUnmapViewOfSection  (-1, 0xbc0000, ... ) == 0x0
 01332   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1227408, ... ) }, 1227408, ... ) == 0x0
 01333   860   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1228152,  (0x80100080, {24, 0, 0x40, 0, 1228152, "\??\C:\WINDOWS\system32\dwwin.exe"}, 0x0, 0, 5, 1, 96, 0, 0, ... 192, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 192, {status=0x0, info=1}, ) == 0x0
 01334   860   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 192, ... 188, ) == 0x0
 01335   860   NtClose  (192, ... ) == 0x0
 01336   860   NtMapViewOfSection  (188, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xbc0000), {0, 0}, 180224, ) == 0x0
 01337   860   NtClose  (188, ... ) == 0x0
 01338   860   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01339   860   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01340   860   NtQueryDefaultLocale  (1, 1228772, ... ) == 0x0
 01341   860   NtQueryVirtualMemory  (-1, 0xbc0000, Basic, 28, ... {BaseAddress=0xbc0000,AllocationBase=0xbc0000,AllocationProtect=0x2,RegionSize=0x2c000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01342   860   NtUnmapViewOfSection  (-1, 0xbc0000, ... ) == 0x0
 01343   860   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01344   860   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01345   860   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 188, ) == 0x0
 01346   860   NtQueryInformationToken  (188, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01347   860   NtClose  (188, ... ) == 0x0
 01348   860   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01349   860   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01350   860   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01351   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1229372, ... ) }, 1229372, ... ) == 0x0
 01352   860   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 188, {status=0x0, info=1}, ) }, 3, 16417, ... 188, {status=0x0, info=1}, ) == 0x0
 01353   860   NtQueryDirectoryFile  (188, 0, 0, 0, 1228800, 616, BothDirectory, 1,  (188, 0, 0, 0, 1228800, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01354   860   NtClose  (188, ... ) == 0x0
 01355   860   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 188, {status=0x0, info=1}, ) }, 3, 16417, ... 188, {status=0x0, info=1}, ) == 0x0
 01356   860   NtQueryDirectoryFile  (188, 0, 0, 0, 1228800, 616, BothDirectory, 1,  (188, 0, 0, 0, 1228800, 616, BothDirectory, 1, "system32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01357   860   NtClose  (188, ... ) == 0x0
 01358   860   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\"}, 3, 16417, ... 188, {status=0x0, info=1}, ) }, 3, 16417, ... 188, {status=0x0, info=1}, ) == 0x0
 01359   860   NtQueryDirectoryFile  (188, 0, 0, 0, 1228800, 616, BothDirectory, 1,  (188, 0, 0, 0, 1228800, 616, BothDirectory, 1, "dwwin.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 01360   860   NtClose  (188, ... ) == 0x0
 01361   860   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01362   860   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01363   860   NtWaitForSingleObject  (172, 0, {-1000000, -1}, ... ) == 0x0
 01364   860   NtReleaseMutant  (172, ... 0x0, ) == 0x0
 01365   860   NtUnmapViewOfSection  (-1, 0xa90000, ... ) == 0x0
 01366   860   NtClose  (184, ... ) == 0x0
 01367   860   NtClose  (180, ... ) == 0x0
 01368   860   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 01369   860   NtOpenProcessToken  (-1, 0xa, ... 180, ) == 0x0
 01370   860   NtQueryInformationToken  (180, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 01371   860   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01372   860   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 184, ) }, ... 184, ) == 0x0
 01373   860   NtQueryValueKey  (184,  (184, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (184, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01374   860   NtQueryValueKey  (184,  (184, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (184, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01375   860   NtClose  (184, ... ) == 0x0
 01376   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\LevelObjects"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01377   860   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 184, ) }, ... 184, ) == 0x0
 01378   860   NtQueryValueKey  (184,  (184, "Levels", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01379   860   NtClose  (184, ... ) == 0x0
 01380   860   NtQueryDefaultLocale  (1, 1231220, ... ) == 0x0
 01381   860   NtQueryDefaultLocale  (1, 1231220, ... ) == 0x0
 01382   860   NtQueryDefaultLocale  (1, 1231220, ... ) == 0x0
 01383   860   NtQueryDefaultLocale  (1, 1231220, ... ) == 0x0
 01384   860   NtQueryDefaultLocale  (1, 1231220, ... ) == 0x0
 01385   860   NtQueryDefaultLocale  (1, 1231220, ... ) == 0x0
 01386   860   NtQueryDefaultLocale  (1, 1231220, ... ) == 0x0
 01387   860   NtQueryDefaultLocale  (1, 1231220, ... ) == 0x0
 01388   860   NtQueryDefaultLocale  (1, 1231220, ... ) == 0x0
 01389   860   NtQueryDefaultLocale  (1, 1231220, ... ) == 0x0
 01390   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... 184, ) }, ... 184, ) == 0x0
 01391   860   NtEnumerateKey  (184, 0, Basic, 280, ... {LastWrite={0x3a5edea,0x1c74da9}, TitleIdx=0, Name= (184, 0, Basic, 280, ... {LastWrite={0x3a5edea,0x1c74da9}, TitleIdx=0, Name="{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, 92, ) }, 92, ) == 0x0
 01392   860   NtOpenKey  (0x20019, {24, 184, 0x40, 0, 0,  (0x20019, {24, 184, 0x40, 0, 0, "{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, ... 188, ) }, ... 188, ) == 0x0
 01393   860   NtQueryValueKey  (188,  (188, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) , Partial, 280, ... TitleIdx=0, Type=2, Data= (188, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) }, 202, ) == 0x0
 01394   860   NtQueryValueKey  (188,  (188, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (188, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01395   860   NtClose  (188, ... ) == 0x0
 01396   860   NtEnumerateKey  (184, 1, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES
 01397   860   NtClose  (184, ... ) == 0x0
 01398   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... 184, ) }, ... 184, ) == 0x0
 01399   860   NtEnumerateKey  (184, 0, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (184, 0, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{349d35ab-37b5-462f-9b89-edd5fbde1328}"}, 92, ) }, 92, ) == 0x0
 01400   860   NtOpenKey  (0x20019, {24, 184, 0x40, 0, 0,  (0x20019, {24, 184, 0x40, 0, 0, "{349d35ab-37b5-462f-9b89-edd5fbde1328}"}, ... 188, ) }, ... 188, ) == 0x0
 01401   860   NtQueryValueKey  (188,  (188, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="^\2530O\225zI\211j\0l\341\25@\25"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (188, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="^\2530O\225zI\211j\0l\341\25@\25"}, 28, ) }, 28, ) == 0x0
 01402   860   NtQueryValueKey  (188,  (188, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (188, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0
 01403   860   NtQueryValueKey  (188,  (188, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\13\3\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (188, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\13\3\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 01404   860   NtQueryValueKey  (188,  (188, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (188, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01405   860   NtClose  (188, ... ) == 0x0
 01406   860   NtEnumerateKey  (184, 1, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (184, 1, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}"}, 92, ) }, 92, ) == 0x0
 01407   860   NtOpenKey  (0x20019, {24, 184, 0x40, 0, 0,  (0x20019, {24, 184, 0x40, 0, 0, "{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}"}, ... 188, ) }, ... 188, ) == 0x0
 01408   860   NtQueryValueKey  (188,  (188, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="g\260\324\2134:?\323\274\351\334dg\4\363\224"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (188, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="g\260\324\2134:?\323\274\351\334dg\4\363\224"}, 28, ) }, 28, ) == 0x0
 01409   860   NtQueryValueKey  (188,  (188, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (188, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0
 01410   860   NtQueryValueKey  (188,  (188, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\5\2\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (188, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\5\2\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 01411   860   NtQueryValueKey  (188,  (188, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (188, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01412   860   NtClose  (188, ... ) == 0x0
 01413   860   NtEnumerateKey  (184, 2, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (184, 2, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}"}, 92, ) }, 92, ) == 0x0
 01414   860   NtOpenKey  (0x20019, {24, 184, 0x40, 0, 0,  (0x20019, {24, 184, 0x40, 0, 0, "{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}"}, ... 188, ) }, ... 188, ) == 0x0
 01415   860   NtQueryValueKey  (188,  (188, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="2x\2\334\376\370\310\223\334\212\260\6\335\204}\35"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (188, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="2x\2\334\376\370\310\223\334\212\260\6\335\204}\35"}, 28, ) }, 28, ) == 0x0
 01416   860   NtQueryValueKey  (188,  (188, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (188, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0
 01417   860   NtQueryValueKey  (188,  (188, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\226\3\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (188, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\226\3\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 01418   860   NtQueryValueKey  (188,  (188, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (188, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01419   860   NtClose  (188, ... ) == 0x0
 01420   860   NtEnumerateKey  (184, 3, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (184, 3, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{94e3e076-8f53-42a5-8411-085bcc18a68d}"}, 92, ) }, 92, ) == 0x0
 01421   860   NtOpenKey  (0x20019, {24, 184, 0x40, 0, 0,  (0x20019, {24, 184, 0x40, 0, 0, "{94e3e076-8f53-42a5-8411-085bcc18a68d}"}, ... 188, ) }, ... 188, ) == 0x0
 01422   860   NtQueryValueKey  (188,  (188, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="\275\232*\333B\353\330V\16%\16M\370\26/g"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (188, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="\275\232*\333B\353\330V\16%\16M\370\26/g"}, 28, ) }, 28, ) == 0x0
 01423   860   NtQueryValueKey  (188,  (188, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (188, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0
 01424   860   NtQueryValueKey  (188,  (188, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\345\0\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (188, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\345\0\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 01425   860   NtQueryValueKey  (188,  (188, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (188, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01426   860   NtClose  (188, ... ) == 0x0
 01427   860   NtEnumerateKey  (184, 4, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (184, 4, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}"}, 92, ) }, 92, ) == 0x0
 01428   860   NtOpenKey  (0x20019, {24, 184, 0x40, 0, 0,  (0x20019, {24, 184, 0x40, 0, 0, "{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}"}, ... 188, ) }, ... 188, ) == 0x0
 01429   860   NtQueryValueKey  (188,  (188, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="8k\10_\204\354\366i\323k\225j"\300\36\200"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (188, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="8k\10_\204\354\366i\323k\225j"\300\36\200"}, 28, ) \300\36\200"}, 28, ) == 0x0
 01430   860   NtQueryValueKey  (188,  (188, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (188, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0
 01431   860   NtQueryValueKey  (188,  (188, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="r\1\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (188, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="r\1\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 01432   860   NtQueryValueKey  (188,  (188, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (188, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01433   860   NtClose  (188, ... ) == 0x0
 01434   860   NtEnumerateKey  (184, 5, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES
 01435   860   NtClose  (184, ... ) == 0x0
 01436   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01437   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01438   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01439   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01440   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01441   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01442   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01443   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01444   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01445   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01446   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01447   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01448   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01449   860   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01450   860   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 184, ) == 0x0
 01451   860   NtQueryInformationToken  (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01452   860   NtClose  (184, ... ) == 0x0
 01453   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01454   860   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01455   860   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 184, ) == 0x0
 01456   860   NtQueryInformationToken  (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01457   860   NtClose  (184, ... ) == 0x0
 01458   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01459   860   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01460   860   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 184, ) == 0x0
 01461   860   NtQueryInformationToken  (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01462   860   NtClose  (184, ... ) == 0x0
 01463   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01464   860   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01465   860   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 184, ) == 0x0
 01466   860   NtQueryInformationToken  (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01467   860   NtClose  (184, ... ) == 0x0
 01468   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01469   860   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01470   860   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 184, ) == 0x0
 01471   860   NtQueryInformationToken  (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01472   860   NtClose  (184, ... ) == 0x0
 01473   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01474   860   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01475   860   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 184, ) == 0x0
 01476   860   NtQueryInformationToken  (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01477   860   NtClose  (184, ... ) == 0x0
 01478   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01479   860   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01480   860   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 184, ) == 0x0
 01481   860   NtQueryInformationToken  (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01482   860   NtClose  (184, ... ) == 0x0
 01483   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01484   860   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01485   860   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 184, ) == 0x0
 01486   860   NtQueryInformationToken  (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01487   860   NtClose  (184, ... ) == 0x0
 01488   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01489   860   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01490   860   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 184, ) == 0x0
 01491   860   NtQueryInformationToken  (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01492   860   NtClose  (184, ... ) == 0x0
 01493   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01494   860   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01495   860   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 184, ) == 0x0
 01496   860   NtQueryInformationToken  (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01497   860   NtClose  (184, ... ) == 0x0
 01498   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01499   860   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01500   860   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 184, ) == 0x0
 01501   860   NtQueryInformationToken  (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01502   860   NtClose  (184, ... ) == 0x0
 01503   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01504   860   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01505   860   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 184, ) == 0x0
 01506   860   NtQueryInformationToken  (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01507   860   NtClose  (184, ... ) == 0x0
 01508   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01509   860   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01510   860   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 184, ) == 0x0
 01511   860   NtQueryInformationToken  (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01512   860   NtClose  (184, ... ) == 0x0
 01513   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01514   860   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01515   860   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 184, ) == 0x0
 01516   860   NtQueryInformationToken  (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01517   860   NtClose  (184, ... ) == 0x0
 01518   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01519   860   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01520   860   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 184, ) == 0x0
 01521   860   NtQueryInformationToken  (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01522   860   NtClose  (184, ... ) == 0x0
 01523   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01524   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 184, ) }, ... 184, ) == 0x0
 01525   860   NtQueryValueKey  (184,  (184, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (184, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Data= (184, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) }, 48, ) == 0x0
 01526   860   NtClose  (184, ... ) == 0x0
 01527   860   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01528   860   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 184, ) == 0x0
 01529   860   NtQueryInformationToken  (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01530   860   NtClose  (184, ... ) == 0x0
 01531   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01532   860   NtOpenThreadToken  (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN
 01533   860   NtOpenProcessToken  (-1, 0xa, ... 184, ) == 0x0
 01534   860   NtDuplicateToken  (184, 0xc, {24, 0, 0x0, 0, 1231652, 0x0}, 0, 2, ... 188, ) == 0x0
 01535   860   NtClose  (184, ... ) == 0x0
 01536   860   NtAccessCheck  (1379984, 188, 0x1, 1231728, 1231780, 56, 1231760, ... (0x1), ) == 0x0
 01537   860   NtClose  (188, ... ) == 0x0
 01538   860   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 188, ) }, ... 188, ) == 0x0
 01539   860   NtQueryValueKey  (188,  (188, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (188, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01540   860   NtClose  (188, ... ) == 0x0
 01541   860   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 188, ) }, ... 188, ) == 0x0
 01542   860   NtQuerySymbolicLinkObject  (188, ...  (188, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0
 01543   860   NtClose  (188, ... ) == 0x0
 01544   860   NtQueryVolumeInformationFile  (168, 1229484, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01545   860   NtQueryInformationFile  (168, 1229600, 528, Name, ... {status=0x0, info=58}, ) == 0x0
 01546   860   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01547   860   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01548   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1228772, ... ) }, 1228772, ... ) == 0x0
 01549   860   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 188, {status=0x0, info=1}, ) }, 3, 16417, ... 188, {status=0x0, info=1}, ) == 0x0
 01550   860   NtQueryDirectoryFile  (188, 0, 0, 0, 1228200, 616, BothDirectory, 1,  (188, 0, 0, 0, 1228200, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01551   860   NtClose  (188, ... ) == 0x0
 01552   860   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 188, {status=0x0, info=1}, ) }, 3, 16417, ... 188, {status=0x0, info=1}, ) == 0x0
 01553   860   NtQueryDirectoryFile  (188, 0, 0, 0, 1228200, 616, BothDirectory, 1,  (188, 0, 0, 0, 1228200, 616, BothDirectory, 1, "system32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01554   860   NtClose  (188, ... ) == 0x0
 01555   860   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\"}, 3, 16417, ... 188, {status=0x0, info=1}, ) }, 3, 16417, ... 188, {status=0x0, info=1}, ) == 0x0
 01556   860   NtQueryDirectoryFile  (188, 0, 0, 0, 1228200, 616, BothDirectory, 1,  (188, 0, 0, 0, 1228200, 616, BothDirectory, 1, "dwwin.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 01557   860   NtClose  (188, ... ) == 0x0
 01558   860   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01559   860   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01560   860   NtQueryInformationFile  (168, 1231640, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01561   860   NtCreateSection  (0xf0005, 0x0, {180224, 0}, 2, 134217728, 168, ... 188, ) == 0x0
 01562   860   NtMapViewOfSection  (188, -1, (0x0), 0, 0, {0, 0}, 180224, 1, 0, 2, ... (0xa90000), {0, 0}, 180224, ) == 0x0
 01563   860   NtClose  (188, ... ) == 0x0
 01564   860   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01565   860   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 188, ) == 0x0
 01566   860   NtQueryInformationToken  (188, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01567   860   NtClose  (188, ... ) == 0x0
 01568   860   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 188, ) }, ... 188, ) == 0x0
 01569   860   NtOpenKey  (0x20019, {24, 188, 0x40, 0, 0,  (0x20019, {24, 188, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 184, ) }, ... 184, ) == 0x0
 01570   860   NtClose  (188, ... ) == 0x0
 01571   860   NtQueryValueKey  (184,  (184, "Cache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01572   860   NtQueryValueKey  (184,  (184, "Cache", Partial, 174, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 174, ) , Partial, 174, ... TitleIdx=0, Type=1, Data= (184, "Cache", Partial, 174, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 174, ) }, 174, ) == 0x0
 01573   860   NtClose  (184, ... ) == 0x0
 01574   860   NtUnmapViewOfSection  (-1, 0xa90000, ... ) == 0x0
 01575   860   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 8192, 4, ... 4128768, 4096, ) == 0x0
 01576   860   NtAllocateVirtualMemory  (-1, 4128768, 0, 4096, 4096, 4, ... 4128768, 4096, ) == 0x0
 01577   860   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 184, ) }, ... 184, ) == 0x0
 01578   860   NtQueryValueKey  (184,  (184, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01579   860   NtClose  (184, ... ) == 0x0
 01580   860   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01581   860   NtQueryInformationToken  (180, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0
 01582   860   NtQueryInformationToken  (180, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0
 01583   860   NtClose  (180, ... ) == 0x0
 01584   860   NtQuerySection  (164, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01585   860   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwwin.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01586   860   NtQuerySystemInformation  (71, 4, ... {system info, class 71, size 4}, 0x0, ) == 0x0
 01587   860   NtCreateProcessEx  (1233564, 2035711, 0, -1, 4, 164, 0, 0, 0, ... ) == 0x0
 01588   860   NtSetInformationProcess  (180, PriorityClass, {process info, class 18, size 2}, 512, ... ) == 0x0
 01589   860   NtSetInformationProcess  (180, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01590   860   NtQueryInformationProcess  (180, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdb000,AffinityMask=0x1,BasePriority=8,Pid=1956,ParentPid=464,}, 0x0, ) == 0x0
 01591   860   NtReadVirtualMemory  (180, 0x7ffdb008, 4, ...  (180, 0x7ffdb008, 4, ... "\0\0\00", 0x0, ) , 0x0, ) == 0x0
 01592   860   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01593   860   NtReadVirtualMemory  (180, 0x30000000, 4096, ...  (180, 0x30000000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0$\206\244\23`\347\312@`\347\312@`\347\312@9\304\331@b\347\312@`\347\313@d\347\312@\210\370\301@a\347\312@\343\373\304@j\347\312@\210\370\300@I\347\312@6\370\331@h\347\312@\272\304\326@i\347\312@\220\370\301@p\347\312@`\347\312@H\346\312@Rich`\347\312@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0N\23\216?\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\24\0\220\2\0\0\240\0\0\0\0\0\0\232t\0\0\0\20\0\0\0\320\3\0\0\0\00\0\20\0\0\0\20\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0@\3\0\0\20\0\0\237*\3\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\327\211\2\0z\1\0\0\00\3\0\244\12\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Z\236\2\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\2\0\0\370\0\0\0\0\20\0\0\270\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\222\216\2\0", 4096, ) , 4096, ) == 0x0
 01594   860   NtReadVirtualMemory  (180, 0x30033000, 256, ...  (180, 0x30033000, 256, ... "\0\0\0\0J\23\216?\0\0\0\0\0\0\3\0\5\0\0\0(\0\0\200\13\0\0\0@\0\0\200\20\0\0\0X\0\0\200\0\0\0\0J\23\216?\0\0\0\0\0\0\1\0e\0\0\0p\0\0\200\0\0\0\0J\23\216?\0\0\0\0\0\0\1\0\1\0\0\0\210\0\0\200\0\0\0\0J\23\216?\0\0\0\0\0\0\1\0\1\0\0\0\240\0\0\200\0\0\0\0J\23\216?\0\0\0\0\0\0\1\0\11\4\0\0\270\0\0\0\0\0\0\0J\23\216?\0\0\0\0\0\0\1\0\11\4\0\0\310\0\0\0\0\0\0\0J\23\216?\0\0\0\0\0\0\1\0\11\4\0\0\330\0\0\0\3600\3\0\26\3\0\0\0\0\0\0\0\0\0\0\104\3\0\254\1\0\0\0\0\0\0\0\0\0\0\2645\3\0\360\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\300\0\310\200\0\0\0\0\14\0\0\0\0\0f\1", 256, ) , 256, ) == 0x0
 01595   860   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01596   860   NtQueryInformationProcess  (180, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdb000,AffinityMask=0x1,BasePriority=8,Pid=1956,ParentPid=464,}, 0x0, ) == 0x0
 01597   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32"}, 1232516, ... ) }, 1232516, ... ) == 0x0
 01598   860   NtAllocateVirtualMemory  (-1, 0, 0, 2428, 4096, 4, ... 11075584, 4096, ) == 0x0
 01599   860   NtAllocateVirtualMemory  (180, 0, 0, 6432, 4096, 4, ... 65536, 8192, ) == 0x0
 01600   860   NtWriteVirtualMemory  (180, 0x10000,  (180, 0x10000, "=\0A\0:\0=\0A\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0s\0c\0r\0i\0p\0t\0s\0\0\0=\0U\0:\0=\0U\0:\0\\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0A\0T\0L\0_\0I\0N\0C\0_\0P\0A\0T\0H\0=\0C\0:\0\\0W\0I\0N\0D\0D\0K\0\\03\07\09\00\0~\01\0.\01\08\03\0\\0i\0n\0c\0\0\0A\0T\0L\0_\0I\0N\0C\0_\0R\0O\0O\0T\0=\0C\0:\0\\0W\0I\0N\0D\0D\0K\0\\03\07\09\00\0~\01\0.\01\08\03\0\\0i\0n\0c\0\0\0A\0T\0L\0_\0L\0I\0B\0_\0P\0A\0T\0H\0=\0C\0:\0\\0W\0I\0N\0D\0D\0K\0\\03\07\0", 6432, ... 0x0, ) , 6432, ... 0x0, ) == 0x0
 01601   860   NtAllocateVirtualMemory  (180, 0, 0, 2428, 4096, 4, ... 131072, 4096, ) == 0x0
 01602   860   NtWriteVirtualMemory  (180, 0x20000,  (180, 0x20000, "\0\20\0\0|\11\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\0\0\0\0\0\13\0\0\0&\0\10\2\220\2\0\0\16\0\0\0\364\3\366\3\230\4\0\0:\0<\0\220\10\0\0N\0P\0\314\10\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0:\0<\0\34\11\0\0\36\0 \0X\11\0\0\0\0\2\0x\11\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 2428, ... 0x0, ) , 2428, ... 0x0, ) == 0x0
 01603   860   NtWriteVirtualMemory  (180, 0x7ffdb010,  (180, 0x7ffdb010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 01604   860   NtAllocateVirtualMemory  (180, 0, 0, 388, 4096, 4, ... 196608, 4096, ) == 0x0
 01605   860   NtWriteVirtualMemory  (180, 0x30000,  (180, 0x30000, "S\0h\0i\0m\0E\0n\0g\0.\0d\0l\0l\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\1\0\0\253\355\15\254\210\255\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\21\21\21\21\21\21\21\21\21\21\21\21\21\21\21\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 388, ... 0x0, ) , 388, ... 0x0, ) == 0x0
 01606   860   NtWriteVirtualMemory  (180, 0x7ffdb1e8,  (180, 0x7ffdb1e8, "\0\0\3\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 01607   860   NtFreeVirtualMemory  (-1, (0xa90000), 0, 32768, ... (0xa90000), 4096, ) == 0x0
 01608   860   NtAllocateVirtualMemory  (180, 0, 0, 1048576, 8192, 4, ... 262144, 1048576, ) == 0x0
 01609   860   NtAllocateVirtualMemory  (180, 1302528, 0, 8192, 4096, 4, ... 1302528, 8192, ) == 0x0
 01610   860   NtProtectVirtualMemory  (180, (0x13e000), 4096, 260, ... (0x13e000), 4096, 4, ) == 0x0
 01611   860   NtCreateThread  (0x1f03ff, 0x0, 180, 1233572, 1233236, 1, ... 184, {1956, 1980}, ) == 0x0
 01612   860   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 0, 2147348480, 2008285840, 0}  (24, {168, 196, new_msg, 0, 0, 2147348480, 2008285840, 0} "\0\0\0\0\0\0\1\0\0\0\0\0x\2\264w\267\0\0\0\270\0\0\0\244\7\0\0\274\7\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\214\326\22\0x\1\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\260\375\177\0\0\0\0\0\0\24\0\10 \0\0" ... {168, 196, reply, 0, 464, 860, 57981, 0} "\0\0\0\0\0\0\1\0\0\0\0\0x\2\264w\264\0\0\0\270\0\0\0\244\7\0\0\274\7\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\214\326\22\0x\1\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\260\375\177\0\0\0\0\0\0\24\0\10 \0\0" )  ... {168, 196, reply, 0, 464, 860, 57981, 0}  (24, {168, 196, new_msg, 0, 0, 2147348480, 2008285840, 0} "\0\0\0\0\0\0\1\0\0\0\0\0x\2\264w\267\0\0\0\270\0\0\0\244\7\0\0\274\7\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\214\326\22\0x\1\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\260\375\177\0\0\0\0\0\0\24\0\10 \0\0" ... {168, 196, reply, 0, 464, 860, 57981, 0} "\0\0\0\0\0\0\1\0\0\0\0\0x\2\264w\264\0\0\0\270\0\0\0\244\7\0\0\274\7\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\214\326\22\0x\1\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\260\375\177\0\0\0\0\0\0\24\0\10 \0\0" )  ) == 0x0
 01613   860   NtResumeThread  (184, ... 1, ) == 0x0
 01614   860   NtClose  (168, ... ) == 0x0
 01615   860   NtClose  (164, ... ) == 0x0
 01616   860   NtClose  (184, ... ) == 0x0
 01617   860   NtWaitForMultipleObjects  (2, (152, 180, ), 1, 0, {1294967296, -1}, ... ) == 0x0
 01618   860   NtWaitForSingleObject  (144, 0, {0, 0}, ... ) == 0x102
 01619   860   NtWaitForMultipleObjects  (2, (152, 180, ), 1, 0, {1294967296, -1}, ... ) == 0x0
 01620   860   NtWaitForSingleObject  (144, 0, {0, 0}, ... ) == 0x102
 01621   860   NtWaitForMultipleObjects  (2, (152, 180, ), 1, 0, {1294967296, -1}, ... ) == 0x0
 01622   860   NtWaitForSingleObject  (144, 0, {0, 0}, ... ) == 0x102
 01623   860   NtWaitForMultipleObjects  (2, (152, 180, ), 1, 0, {1294967296, -1}, ... ) == 0x0
 01624   860   NtWaitForSingleObject  (144, 0, {0, 0}, ... ) == 0x0
 01625   860   NtClose  (180, ... ) == 0x0
 01626   860   NtUnmapViewOfSection  (-1, 0x3d0000, ... ) == 0x0
 01627   860   NtClose  (160, ... ) == 0x0
 01628   860   NtClose  (144, ... ) == 0x0
 01629   860   NtClose  (152, ... ) == 0x0
 01630   860   NtClose  (148, ... ) == 0x0
 01631   860   NtClose  (156, ... ) == 0x0
 01632   860   NtClose  (100, ... ) == 0x0
 01633   860   NtClose  (104, ... ) == 0x0
 01634   860   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x7,}, 4, ... ) == 0x0
 01635   860   NtWaitForMultipleObjects  (2, (64, 72, ), 1, 0, 0x0, ... ) == 0x1
 01636   860   NtClose  (72, ... ) == 0x0
 01637   860   NtSetEvent  (64, ... 0x0, ) == 0x0
 01638   860   NtClose  (64, ... ) == 0x0
 01639   860   NtWaitForMultipleObjects  (2, (76, 80, ), 1, 0, 0x0, ... ) == 0x1
 01640   860   NtClose  (80, ... ) == 0x0
 01641   860   NtSetEvent  (76, ... 0x0, ) == 0x0
 01642   860   NtClose  (76, ... ) == 0x0
 01643   860   NtWaitForMultipleObjects  (2, (84, 88, ), 1, 0, 0x0, ... ) == 0x1
 01644   860   NtClose  (88, ... ) == 0x0
 01645   860   NtSetEvent  (84, ... 0x0, ) == 0x0
 01646   860   NtClose  (84, ... ) == 0x0
 01647   860   NtRequestWaitReplyPort  (128, {88, 112, new_msg, 0, 464, 860, 57977, 0}  (128, {88, 112, new_msg, 0, 464, 860, 57977, 0} "\1\356\0\0A\2<\0\30b\202\201\0\260\375\177\220k\364\367\370\37`\300\377\377\377\377X\353Q\200\0\0\0\0)%\25E?>\A\250\245\22\360\331E\16S\331E\16S\1\300\375\177(l\364\367\253\362Q\200\324k\364\367\300\250U\200aFT\200\0\0\0\0h\242\250\201" ... {124, 148, reply, 0, 464, 860, 58116, 0} "\2\376\255\201\1\0\0\0\200Y\274\201V\347\340\341\264\311\275\201:\332R\200X;\350\371\324\376\255\201\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\210\300\310\0\0\0\3\1\0\0\3\1\0\0\10A\210\300\0@\250\300\220\276u\201\264;\350\371R\250S\200\304;\350\371\4\0\0\0\0\0\0\0\220\276u\201<(\255\201\7\0\0\0\304\277u\201]\0\0\0" )  ... {124, 148, reply, 0, 464, 860, 58116, 0}  (128, {88, 112, new_msg, 0, 464, 860, 57977, 0} "\1\356\0\0A\2<\0\30b\202\201\0\260\375\177\220k\364\367\370\37`\300\377\377\377\377X\353Q\200\0\0\0\0)%\25E?>\A\250\245\22\360\331E\16S\331E\16S\1\300\375\177(l\364\367\253\362Q\200\324k\364\367\300\250U\200aFT\200\0\0\0\0h\242\250\201" ... {124, 148, reply, 0, 464, 860, 58116, 0} "\2\376\255\201\1\0\0\0\200Y\274\201V\347\340\341\264\311\275\201:\332R\200X;\350\371\324\376\255\201\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\210\300\310\0\0\0\3\1\0\0\3\1\0\0\10A\210\300\0@\250\300\220\276u\201\264;\350\371R\250S\200\304;\350\371\4\0\0\0\0\0\0\0\220\276u\201<(\255\201\7\0\0\0\304\277u\201]\0\0\0" )  ) == 0x0
 01648   860   NtClose  (124, ... ) == 0x0
 01649   860   NtClose  (128, ... ) == 0x0
 01650   860   NtClose  (68, ... ) == 0x0
 01651   860   NtUnmapViewOfSection  (-1, 0x69450000, ... ) == 0x0
 01652   860   NtUnmapViewOfSection  (-1, 0x77920000, ... ) == 0x0
 01653   860   NtUnmapViewOfSection  (-1, 0x76f50000, ... ) == 0x0
 01654   860   NtUnmapViewOfSection  (-1, 0x76360000, ... ) == 0x0
 01655   860   NtUnmapViewOfSection  (-1, 0x5b860000, ... ) == 0x0
 01656   860   NtUnmapViewOfSection  (-1, 0x769c0000, ... ) == 0x0
 01657   860   NtContinue  (1242900, 0, ...
 01658   860   NtTerminateProcess  (0, -1073741682, ... ) == 0x0
 01659   860   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x8,}, 4, ... ) == 0x0
 01660   860   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x9,}, 4, ... ) == 0x0
 01661   860   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xa,}, 4, ... ) == 0x0
 01662   860   NtClose  (92, ... ) == 0x0
 01663   860   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x6,}, 4, ... ) == 0x0
 01664   860   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x5,}, 4, ... ) == 0x0
 01665   860   NtUnmapViewOfSection  (-1, 0x380000, ... ) == 0x0
 01666   860   NtClose  (60, ... ) == 0x0
 01667   860   NtGdiDeleteObjectApp  (1913653144, ... ) == 0x1
 01668   860   NtUserGetProcessWindowStation  (... ) == 0x1c
 01669   860   NtUserBuildNameList  (28, 522, 1379448, 1244228, ... ) == 0x0
 01670   860   NtUserGetProcessWindowStation  (... ) == 0x1c
 01671   860   NtUserOpenDesktop  ({24, 28, 0x40, 0, 0,  ({24, 28, 0x40, 0, 0, "Default"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x3c
 01672   860   NtUserBuildHwndList  (60, 0, 0, 0, 64, ... (0x5009e, 0x400fa, 0x10074, 0x10080, 0x10070, 0x10084, 0x30048, 0x10072, 0x20052, 0x5009c, 0x10090, 0x500a2, 0x100d0, 0x200b0, 0x100cc, 0xa0102, 0x70104, 0x70100, 0x20118, 0x3014c, 0x1011c, 0x100e6, 0x100d6, 0x100d2, 0x100ca, 0x100c8, 0x100ba, 0x100ae, 0x100ac, 0x300a6, 0x10078, 0x30062, 0x50036, 0x5005c, 0x100be, 0x400fe, 0x10092, 0x10086, 0x40034, 0x50050, 0x1013c, 0x10120, 0x100c2, 0x100bc, 0x2014e, 0x100d8, 0x100b6, 0x100b8, 0x100b4, 0x100c0, 0x1009a, 0x5005e, 0x1, ), 53, ) == 0x0
 01673   860   NtUserValidateHandleSecure  (327838, ... ) == 0x1
 01674   860   NtUserQueryWindow  (327838, 0, ... ) == 0x6b8
 01675   860   NtUserQueryWindow  (327838, 1, ... ) == 0x6d4
 01676   860   NtUserValidateHandleSecure  (327838, ... ) == 0x1
 01677   860   NtUserValidateHandleSecure  (262394, ... ) == 0x1
 01678   860   NtUserQueryWindow  (262394, 0, ... ) == 0x6b8
 01679   860   NtUserQueryWindow  (262394, 1, ... ) == 0x6d4
 01680   860   NtUserValidateHandleSecure  (262394, ... ) == 0x1
 01681   860   NtUserBuildHwndList  (0, 262394, 1, 0, 64, ... (0x80064, 0x60068, 0x6006c, 0x50094, 0x50096, 0x60066, 0x7006a, 0x90058, 0x6006e, 0x5008a, 0x50088, 0x500a0, 0x1, ), 13, ) == 0x0
 01682   860   NtUserValidateHandleSecure  (524388, ... ) == 0x1
 01683   860   NtUserQueryWindow  (524388, 0, ... ) == 0x6b8
 01684   860   NtUserQueryWindow  (524388, 1, ... ) == 0x6d4
 01685   860   NtUserValidateHandleSecure  (393320, ... ) == 0x1
 01686   860   NtUserQueryWindow  (393320, 0, ... ) == 0x6b8
 01687   860   NtUserQueryWindow  (393320, 1, ... ) == 0x6d4
 01688   860   NtUserValidateHandleSecure  (393324, ... ) == 0x1
 01689   860   NtUserQueryWindow  (393324, 0, ... ) == 0x6b8
 01690   860   NtUserQueryWindow  (393324, 1, ... ) == 0x6d4
 01691   860   NtUserValidateHandleSecure  (327828, ... ) == 0x1
 01692   860   NtUserQueryWindow  (327828, 0, ... ) == 0x6b8
 01693   860   NtUserQueryWindow  (327828, 1, ... ) == 0x6d4
 01694   860   NtUserValidateHandleSecure  (327830, ... ) == 0x1
 01695   860   NtUserQueryWindow  (327830, 0, ... ) == 0x6b8
 01696   860   NtUserQueryWindow  (327830, 1, ... ) == 0x6d4
 01697   860   NtUserValidateHandleSecure  (393318, ... ) == 0x1
 01698   860   NtUserQueryWindow  (393318, 0, ... ) == 0x6b8
 01699   860   NtUserQueryWindow  (393318, 1, ... ) == 0x6d4
 01700   860   NtUserValidateHandleSecure  (458858, ... ) == 0x1
 01701   860   NtUserQueryWindow  (458858, 0, ... ) == 0x6b8
 01702   860   NtUserQueryWindow  (458858, 1, ... ) == 0x6d4
 01703   860   NtUserValidateHandleSecure  (589912, ... ) == 0x1
 01704   860   NtUserQueryWindow  (589912, 0, ... ) == 0x6b8
 01705   860   NtUserQueryWindow  (589912, 1, ... ) == 0x6d4
 01706   860   NtUserValidateHandleSecure  (393326, ... ) == 0x1
 01707   860   NtUserQueryWindow  (393326, 0, ... ) == 0x6b8
 01708   860   NtUserQueryWindow  (393326, 1, ... ) == 0x6d4
 01709   860   NtUserValidateHandleSecure  (327818, ... ) == 0x1
 01710   860   NtUserQueryWindow  (327818, 0, ... ) == 0x6b8
 01711   860   NtUserQueryWindow  (327818, 1, ... ) == 0x6d4
 01712   860   NtUserValidateHandleSecure  (327816, ... ) == 0x1
 01713   860   NtUserQueryWindow  (327816, 0, ... ) == 0x6b8
 01714   860   NtUserQueryWindow  (327816, 1, ... ) == 0x6d4
 01715   860   NtUserValidateHandleSecure  (327840, ... ) == 0x1
 01716   860   NtUserQueryWindow  (327840, 0, ... ) == 0x6b8
 01717   860   NtUserQueryWindow  (327840, 1, ... ) == 0x6d4
 01718   860   NtUserValidateHandleSecure  (65652, ... ) == 0x1
 01719   860   NtUserQueryWindow  (65652, 0, ... ) == 0x6b8
 01720   860   NtUserQueryWindow  (65652, 1, ... ) == 0x6d4
 01721   860   NtUserValidateHandleSecure  (65652, ... ) == 0x1
 01722   860   NtUserValidateHandleSecure  (65664, ... ) == 0x1
 01723   860   NtUserQueryWindow  (65664, 0, ... ) == 0x6b8
 01724   860   NtUserQueryWindow  (65664, 1, ... ) == 0x6d4
 01725   860   NtUserValidateHandleSecure  (65664, ... ) == 0x1
 01726   860   NtUserValidateHandleSecure  (65648, ... ) == 0x1
 01727   860   NtUserQueryWindow  (65648, 0, ... ) == 0x6b8
 01728   860   NtUserQueryWindow  (65648, 1, ... ) == 0x6d4
 01729   860   NtUserValidateHandleSecure  (65648, ... ) == 0x1
 01730   860   NtUserValidateHandleSecure  (65668, ... ) == 0x1
 01731   860   NtUserQueryWindow  (65668, 0, ... ) == 0x6b8
 01732   860   NtUserQueryWindow  (65668, 1, ... ) == 0x6d4
 01733   860   NtUserValidateHandleSecure  (65668, ... ) == 0x1
 01734   860   NtUserValidateHandleSecure  (196680, ... ) == 0x1
 01735   860   NtUserQueryWindow  (196680, 0, ... ) == 0x6b8
 01736   860   NtUserQueryWindow  (196680, 1, ... ) == 0x6d4
 01737   860   NtUserValidateHandleSecure  (196680, ... ) == 0x1
 01738   860   NtUserValidateHandleSecure  (65650, ... ) == 0x1
 01739   860   NtUserQueryWindow  (65650, 0, ... ) == 0x6b8
 01740   860   NtUserQueryWindow  (65650, 1, ... ) == 0x6d4
 01741   860   NtUserValidateHandleSecure  (65650, ... ) == 0x1
 01742   860   NtUserValidateHandleSecure  (131154, ... ) == 0x1
 01743   860   NtUserQueryWindow  (131154, 0, ... ) == 0x6b8
 01744   860   NtUserQueryWindow  (131154, 1, ... ) == 0x6d4
 01745   860   NtUserValidateHandleSecure  (131154, ... ) == 0x1
 01746   860   NtUserBuildHwndList  (0, 131154, 1, 0, 64, ... (0x3003e, 0x3003c, 0x30040, 0x30042, 0x30044, 0x30046, 0x10076, 0x10082, 0x1007a, 0x1007e, 0x1, ), 11, ) == 0x0
 01747   860   NtUserValidateHandleSecure  (196670, ... ) == 0x1
 01748   860   NtUserQueryWindow  (196670, 0, ... ) == 0x6b8
 01749   860   NtUserQueryWindow  (196670, 1, ... ) == 0x6d4
 01750   860   NtUserValidateHandleSecure  (196668, ... ) == 0x1
 01751   860   NtUserQueryWindow  (196668, 0, ... ) == 0x6b8
 01752   860   NtUserQueryWindow  (196668, 1, ... ) == 0x6d4
 01753   860   NtUserValidateHandleSecure  (196672, ... ) == 0x1
 01754   860   NtUserQueryWindow  (196672, 0, ... ) == 0x6b8
 01755   860   NtUserQueryWindow  (196672, 1, ... ) == 0x6d4
 01756   860   NtUserValidateHandleSecure  (196674, ... ) == 0x1
 01757   860   NtUserQueryWindow  (196674, 0, ... ) == 0x6b8
 01758   860   NtUserQueryWindow  (196674, 1, ... ) == 0x6d4
 01759   860   NtUserValidateHandleSecure  (196676, ... ) == 0x1
 01760   860   NtUserQueryWindow  (196676, 0, ... ) == 0x6b8
 01761   860   NtUserQueryWindow  (196676, 1, ... ) == 0x6d4
 01762   860   NtUserValidateHandleSecure  (196678, ... ) == 0x1
 01763   860   NtUserQueryWindow  (196678, 0, ... ) == 0x6b8
 01764   860   NtUserQueryWindow  (196678, 1, ... ) == 0x6d4
 01765   860   NtUserValidateHandleSecure  (65654, ... ) == 0x1
 01766   860   NtUserQueryWindow  (65654, 0, ... ) == 0x6b8
 01767   860   NtUserQueryWindow  (65654, 1, ... ) == 0x6d4
 01768   860   NtUserValidateHandleSecure  (65666, ... ) == 0x1
 01769   860   NtUserQueryWindow  (65666, 0, ... ) == 0x6b8
 01770   860   NtUserQueryWindow  (65666, 1, ... ) == 0x6d4
 01771   860   NtUserValidateHandleSecure  (65658, ... ) == 0x1
 01772   860   NtUserQueryWindow  (65658, 0, ... ) == 0x6b8
 01773   860   NtUserQueryWindow  (65658, 1, ... ) == 0x6d4
 01774   860   NtUserValidateHandleSecure  (65662, ... ) == 0x1
 01775   860   NtUserQueryWindow  (65662, 0, ... ) == 0x6b8
 01776   860   NtUserQueryWindow  (65662, 1, ... ) == 0x6d4
 01777   860   NtUserValidateHandleSecure  (327836, ... ) == 0x1
 01778   860   NtUserQueryWindow  (327836, 0, ... ) == 0x6b8
 01779   860   NtUserQueryWindow  (327836, 1, ... ) == 0x6d4
 01780   860   NtUserValidateHandleSecure  (327836, ... ) == 0x1
 01781   860   NtUserValidateHandleSecure  (65680, ... ) == 0x1
 01782   860   NtUserQueryWindow  (65680, 0, ... ) == 0x6b8
 01783   860   NtUserQueryWindow  (65680, 1, ... ) == 0x6bc
 01784   860   NtUserValidateHandleSecure  (65680, ... ) == 0x1
 01785   860   NtUserValidateHandleSecure  (327842, ... ) == 0x1
 01786   860   NtUserQueryWindow  (327842, 0, ... ) == 0x6b8
 01787   860   NtUserQueryWindow  (327842, 1, ... ) == 0x6d4
 01788   860   NtUserValidateHandleSecure  (327842, ... ) == 0x1
 01789   860   NtUserValidateHandleSecure  (65744, ... ) == 0x1
 01790   860   NtUserQueryWindow  (65744, 0, ... ) == 0x19c
 01791   860   NtUserQueryWindow  (65744, 1, ... ) == 0x1a0
 01792   860   NtUserValidateHandleSecure  (65744, ... ) == 0x1
 01793   860   NtUserValidateHandleSecure  (131248, ... ) == 0x1
 01794   860   NtUserQueryWindow  (131248, 0, ... ) == 0xa0
 01795   860   NtUserQueryWindow  (131248, 1, ... ) == 0xe4
 01796   860   NtUserValidateHandleSecure  (131248, ... ) == 0x1
 01797   860   NtUserValidateHandleSecure  (65740, ... ) == 0x1
 01798   860   NtUserQueryWindow  (65740, 0, ... ) == 0x19c
 01799   860   NtUserQueryWindow  (65740, 1, ... ) == 0x1a0
 01800   860   NtUserValidateHandleSecure  (65740, ... ) == 0x1
 01801   860   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01802   860   NtUserQueryWindow  (655618, 0, ... ) == 0x7a4
 01803   860   NtUserQueryWindow  (655618, 1, ... ) == 0x7bc
 01804   860   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01805   860   NtUserValidateHandleSecure  (459012, ... ) == 0x1
 01806   860   NtUserQueryWindow  (459012, 0, ... ) == 0x49c
 01807   860   NtUserQueryWindow  (459012, 1, ... ) == 0x180
 01808   860   NtUserValidateHandleSecure  (459012, ... ) == 0x1
 01809   860   NtUserValidateHandleSecure  (459008, ... ) == 0x1
 01810   860   NtUserQueryWindow  (459008, 0, ... ) == 0x5e8
 01811   860   NtUserQueryWindow  (459008, 1, ... ) == 0x1dc
 01812   860   NtUserValidateHandleSecure  (459008, ... ) == 0x1
 01813   860   NtUserValidateHandleSecure  (131352, ... ) == 0x1
 01814   860   NtUserQueryWindow  (131352, 0, ... ) == 0x6ac
 01815   860   NtUserQueryWindow  (131352, 1, ... ) == 0x7f4
 01816   860   NtUserValidateHandleSecure  (131352, ... ) == 0x1
 01817   860   NtUserValidateHandleSecure  (196940, ... ) == 0x1
 01818   860   NtUserQueryWindow  (196940, 0, ... ) == 0x4b4
 01819   860   NtUserQueryWindow  (196940, 1, ... ) == 0x474
 01820   860   NtUserValidateHandleSecure  (196940, ... ) == 0x1
 01821   860   NtUserValidateHandleSecure  (65820, ... ) == 0x1
 01822   860   NtUserQueryWindow  (65820, 0, ... ) == 0x22c
 01823   860   NtUserQueryWindow  (65820, 1, ... ) == 0x220
 01824   860   NtUserValidateHandleSecure  (65820, ... ) == 0x1
 01825   860   NtUserValidateHandleSecure  (65766, ... ) == 0x1
 01826   860   NtUserQueryWindow  (65766, 0, ... ) == 0x6b8
 01827   860   NtUserQueryWindow  (65766, 1, ... ) == 0x13c
 01828   860   NtUserValidateHandleSecure  (65766, ... ) == 0x1
 01829   860   NtUserValidateHandleSecure  (65750, ... ) == 0x1
 01830   860   NtUserQueryWindow  (65750, 0, ... ) == 0x6b8
 01831   860   NtUserQueryWindow  (65750, 1, ... ) == 0x13c
 01832   860   NtUserValidateHandleSecure  (65750, ... ) == 0x1
 01833   860   NtUserBuildHwndList  (0, 65750, 1, 0, 64, ... (0x100da, 0x100dc, 0x100de, 0x100e0, 0x1, ), 5, ) == 0x0
 01834   860   NtUserValidateHandleSecure  (65754, ... ) == 0x1
 01835   860   NtUserQueryWindow  (65754, 0, ... ) == 0x6b8
 01836   860   NtUserQueryWindow  (65754, 1, ... ) == 0x13c
 01837   860   NtUserValidateHandleSecure  (65756, ... ) == 0x1
 01838   860   NtUserQueryWindow  (65756, 0, ... ) == 0x6b8
 01839   860   NtUserQueryWindow  (65756, 1, ... ) == 0x13c
 01840   860   NtUserValidateHandleSecure  (65758, ... ) == 0x1
 01841   860   NtUserQueryWindow  (65758, 0, ... ) == 0x6b8
 01842   860   NtUserQueryWindow  (65758, 1, ... ) == 0x13c
 01843   860   NtUserValidateHandleSecure  (65760, ... ) == 0x1
 01844   860   NtUserQueryWindow  (65760, 0, ... ) == 0x6b8
 01845   860   NtUserQueryWindow  (65760, 1, ... ) == 0x13c
 01846   860   NtUserValidateHandleSecure  (65746, ... ) == 0x1
 01847   860   NtUserQueryWindow  (65746, 0, ... ) == 0x6b8
 01848   860   NtUserQueryWindow  (65746, 1, ... ) == 0x6d4
 01849   860   NtUserValidateHandleSecure  (65746, ... ) == 0x1
 01850   860   NtUserValidateHandleSecure  (65738, ... ) == 0x1
 01851   860   NtUserQueryWindow  (65738, 0, ... ) == 0x19c
 01852   860   NtUserQueryWindow  (65738, 1, ... ) == 0x1a0
 01853   860   NtUserValidateHandleSecure  (65738, ... ) == 0x1
 01854   860   NtUserValidateHandleSecure  (65736, ... ) == 0x1
 01855   860   NtUserQueryWindow  (65736, 0, ... ) == 0xa0
 01856   860   NtUserQueryWindow  (65736, 1, ... ) == 0xe4
 01857   860   NtUserValidateHandleSecure  (65736, ... ) == 0x1
 01858   860   NtUserValidateHandleSecure  (65722, ... ) == 0x1
 01859   860   NtUserQueryWindow  (65722, 0, ... ) == 0x104
 01860   860   NtUserQueryWindow  (65722, 1, ... ) == 0x108
 01861   860   NtUserValidateHandleSecure  (65722, ... ) == 0x1
 01862   860   NtUserValidateHandleSecure  (65710, ... ) == 0x1
 01863   860   NtUserQueryWindow  (65710, 0, ... ) == 0x104
 01864   860   NtUserQueryWindow  (65710, 1, ... ) == 0x108
 01865   860   NtUserValidateHandleSecure  (65710, ... ) == 0x1
 01866   860   NtUserValidateHandleSecure  (65708, ... ) == 0x1
 01867   860   NtUserQueryWindow  (65708, 0, ... ) == 0x120
 01868   860   NtUserQueryWindow  (65708, 1, ... ) == 0x124
 01869   860   NtUserValidateHandleSecure  (65708, ... ) == 0x1
 01870   860   NtUserValidateHandleSecure  (196774, ... ) == 0x1
 01871   860   NtUserQueryWindow  (196774, 0, ... ) == 0xc4
 01872   860   NtUserQueryWindow  (196774, 1, ... ) == 0xc8
 01873   860   NtUserValidateHandleSecure  (196774, ... ) == 0x1
 01874   860   NtUserValidateHandleSecure  (65656, ... ) == 0x1
 01875   860   NtUserQueryWindow  (65656, 0, ... ) == 0x6b8
 01876   860   NtUserQueryWindow  (65656, 1, ... ) == 0x6ec
 01877   860   NtUserValidateHandleSecure  (65656, ... ) == 0x1
 01878   860   NtUserValidateHandleSecure  (196706, ... ) == 0x1
 01879   860   NtUserQueryWindow  (196706, 0, ... ) == 0x6b8
 01880   860   NtUserQueryWindow  (196706, 1, ... ) == 0x6bc
 01881   860   NtUserValidateHandleSecure  (196706, ... ) == 0x1
 01882   860   NtUserValidateHandleSecure  (327734, ... ) == 0x1
 01883   860   NtUserQueryWindow  (327734, 0, ... ) == 0x6b8
 01884   860   NtUserQueryWindow  (327734, 1, ... ) == 0x6bc
 01885   860   NtUserValidateHandleSecure  (327734, ... ) == 0x1
 01886   860   NtUserValidateHandleSecure  (327772, ... ) == 0x1
 01887   860   NtUserQueryWindow  (327772, 0, ... ) == 0x6b8
 01888   860   NtUserQueryWindow  (327772, 1, ... ) == 0x6bc
 01889   860   NtUserValidateHandleSecure  (327772, ... ) == 0x1
 01890   860   NtUserValidateHandleSecure  (65726, ... ) == 0x1
 01891   860   NtUserQueryWindow  (65726, 0, ... ) == 0x19c
 01892   860   NtUserQueryWindow  (65726, 1, ... ) == 0x1a0
 01893   860   NtUserValidateHandleSecure  (65726, ... ) == 0x1
 01894   860   NtUserValidateHandleSecure  (262398, ... ) == 0x1
 01895   860   NtUserQueryWindow  (262398, 0, ... ) == 0x6b8
 01896   860   NtUserQueryWindow  (262398, 1, ... ) == 0x6d4
 01897   860   NtUserValidateHandleSecure  (262398, ... ) == 0x1
 01898   860   NtUserValidateHandleSecure  (65682, ... ) == 0x1
 01899   860   NtUserQueryWindow  (65682, 0, ... ) == 0x6b8
 01900   860   NtUserQueryWindow  (65682, 1, ... ) == 0x6bc
 01901   860   NtUserValidateHandleSecure  (65682, ... ) == 0x1
 01902   860   NtUserValidateHandleSecure  (65670, ... ) == 0x1
 01903   860   NtUserQueryWindow  (65670, 0, ... ) == 0x6b8
 01904   860   NtUserQueryWindow  (65670, 1, ... ) == 0x6bc
 01905   860   NtUserValidateHandleSecure  (65670, ... ) == 0x1
 01906   860   NtUserBuildHwndList  (0, 65670, 1, 0, 64, ... (0x1008c, 0x1008e, 0x1, ), 3, ) == 0x0
 01907   860   NtUserValidateHandleSecure  (65676, ... ) == 0x1
 01908   860   NtUserQueryWindow  (65676, 0, ... ) == 0x6b8
 01909   860   NtUserQueryWindow  (65676, 1, ... ) == 0x6bc
 01910   860   NtUserValidateHandleSecure  (65678, ... ) == 0x1
 01911   860   NtUserQueryWindow  (65678, 0, ... ) == 0x6b8
 01912   860   NtUserQueryWindow  (65678, 1, ... ) == 0x6bc
 01913   860   NtUserValidateHandleSecure  (262196, ... ) == 0x1
 01914   860   NtUserQueryWindow  (262196, 0, ... ) == 0x6b8
 01915   860   NtUserQueryWindow  (262196, 1, ... ) == 0x6d4
 01916   860   NtUserValidateHandleSecure  (262196, ... ) == 0x1
 01917   860   NtUserValidateHandleSecure  (327760, ... ) == 0x1
 01918   860   NtUserQueryWindow  (327760, 0, ... ) == 0x6b8
 01919   860   NtUserQueryWindow  (327760, 1, ... ) == 0x6d4
 01920   860   NtUserValidateHandleSecure  (327760, ... ) == 0x1
 01921   860   NtUserValidateHandleSecure  (65852, ... ) == 0x1
 01922   860   NtUserQueryWindow  (65852, 0, ... ) == 0x22c
 01923   860   NtUserQueryWindow  (65852, 1, ... ) == 0x220
 01924   860   NtUserValidateHandleSecure  (65852, ... ) == 0x1
 01925   860   NtUserValidateHandleSecure  (65824, ... ) == 0x1
 01926   860   NtUserQueryWindow  (65824, 0, ... ) == 0x22c
 01927   860   NtUserQueryWindow  (65824, 1, ... ) == 0x220
 01928   860   NtUserValidateHandleSecure  (65824, ... ) == 0x1
 01929   860   NtUserValidateHandleSecure  (65730, ... ) == 0x1
 01930   860   NtUserQueryWindow  (65730, 0, ... ) == 0xa0
 01931   860   NtUserQueryWindow  (65730, 1, ... ) == 0xe4
 01932   860   NtUserValidateHandleSecure  (65730, ... ) == 0x1
 01933   860   NtUserValidateHandleSecure  (65724, ... ) == 0x1
 01934   860   NtUserQueryWindow  (65724, 0, ... ) == 0xa0
 01935   860   NtUserQueryWindow  (65724, 1, ... ) == 0xe4
 01936   860   NtUserValidateHandleSecure  (65724, ... ) == 0x1
 01937   860   NtUserValidateHandleSecure  (131406, ... ) == 0x1
 01938   860   NtUserQueryWindow  (131406, 0, ... ) == 0x4b4
 01939   860   NtUserQueryWindow  (131406, 1, ... ) == 0x474
 01940   860   NtUserValidateHandleSecure  (131406, ... ) == 0x1
 01941   860   NtUserValidateHandleSecure  (65752, ... ) == 0x1
 01942   860   NtUserQueryWindow  (65752, 0, ... ) == 0x6b8
 01943   860   NtUserQueryWindow  (65752, 1, ... ) == 0x13c
 01944   860   NtUserValidateHandleSecure  (65752, ... ) == 0x1
 01945   860   NtUserValidateHandleSecure  (65718, ... ) == 0x1
 01946   860   NtUserQueryWindow  (65718, 0, ... ) == 0x104
 01947   860   NtUserQueryWindow  (65718, 1, ... ) == 0x108
 01948   860   NtUserValidateHandleSecure  (65718, ... ) == 0x1
 01949   860   NtUserValidateHandleSecure  (65720, ... ) == 0x1
 01950   860   NtUserQueryWindow  (65720, 0, ... ) == 0x120
 01951   860   NtUserQueryWindow  (65720, 1, ... ) == 0x124
 01952   860   NtUserValidateHandleSecure  (65720, ... ) == 0x1
 01953   860   NtUserValidateHandleSecure  (65716, ... ) == 0x1
 01954   860   NtUserQueryWindow  (65716, 0, ... ) == 0xc4
 01955   860   NtUserQueryWindow  (65716, 1, ... ) == 0xc8
 01956   860   NtUserValidateHandleSecure  (65716, ... ) == 0x1
 01957   860   NtUserValidateHandleSecure  (65728, ... ) == 0x1
 01958   860   NtUserQueryWindow  (65728, 0, ... ) == 0x19c
 01959   860   NtUserQueryWindow  (65728, 1, ... ) == 0x1a0
 01960   860   NtUserValidateHandleSecure  (65728, ... ) == 0x1
 01961   860   NtUserValidateHandleSecure  (65690, ... ) == 0x1
 01962   860   NtUserQueryWindow  (65690, 0, ... ) == 0x6b8
 01963   860   NtUserQueryWindow  (65690, 1, ... ) == 0x6bc
 01964   860   NtUserValidateHandleSecure  (65690, ... ) == 0x1
 01965   860   NtUserValidateHandleSecure  (327774, ... ) == 0x1
 01966   860   NtUserQueryWindow  (327774, 0, ... ) == 0x6b8
 01967   860   NtUserQueryWindow  (327774, 1, ... ) == 0x6bc
 01968   860   NtUserValidateHandleSecure  (327774, ... ) == 0x1
 01969   860   NtUserCloseDesktop  (60, ... ) == 0x1
 01970   860   NtUserGetProcessWindowStation  (... ) == 0x1c
 01971   860   NtUserOpenDesktop  ({24, 28, 0x40, 0, 0,  ({24, 28, 0x40, 0, 0, "Disconnect"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0
 01972   860   NtUserGetProcessWindowStation  (... ) == 0x1c
 01973   860   NtUserOpenDesktop  ({24, 28, 0x40, 0, 0,  ({24, 28, 0x40, 0, 0, "Winlogon"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0
 01974   860   NtGdiDeleteObjectApp  (856294625, ... ) == 0x1
 01975   860   NtGdiDeleteObjectApp  (1376388660, ... ) == 0x1
 01976   860   NtClose  (56, ... ) == 0x0
 01977   860   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x4,}, 4, ... ) == 0x0
 01978   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize"}, ... 56, ) }, ... 56, ) == 0x0
 01979   860   NtQueryValueKey  (56,  (56, "DisableMetaFiles", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01980   860   NtClose  (56, ... ) == 0x0
 01981   860   NtClose  (44, ... ) == 0x0
 01982   860   NtFreeVirtualMemory  (-1, (0x3f0000), 4096, 32768, ... (0x3f0000), 4096, ) == 0x0
 01983   860   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 01984   860   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 01985   860   NtQueryVirtualMemory  (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 01986   860   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 1177968, 2011678370, 1178092, 1177980}  (24, {20, 48, new_msg, 0, 1177968, 2011678370, 1178092, 1177980} "\0\0\0\0\3\0\1\0\214\371\21\0\320\220\347w\216\0\0\300" ... {20, 48, reply, 0, 464, 860, 58119, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\320\220\347w\216\0\0\300" )  ... {20, 48, reply, 0, 464, 860, 58119, 0}  (24, {20, 48, new_msg, 0, 1177968, 2011678370, 1178092, 1177980} "\0\0\0\0\3\0\1\0\214\371\21\0\320\220\347w\216\0\0\300" ... {20, 48, reply, 0, 464, 860, 58119, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\320\220\347w\216\0\0\300" )  ) == 0x0
 01987   860   NtTerminateProcess  (-1, -1073741682, ...
NtAccessCheck(>)	1	NtUserGetThreadDesktop(>)	1	NtSetInformationFile(>)	5	NtQueryVirtualMemory(>)	15
NtCallbackReturn(>)	1	NtUserOpenWindowStation(>)	1	NtUserBuildHwndList(>)	5	NtDeviceIoControlFile(>)	16
NtCreateProcessEx(>)	1	NtUserSystemParametersInfo(>)	1	NtWriteVirtualMemory(>)	5	NtRequestWaitReplyPort(>)	16
NtCreateSemaphore(>)	1	NtConnectPort(>)	2	NtContinue(>)	6	NtOpenSection(>)	24
NtCreateThread(>)	1	NtCreateIoCompletion(>)	2	NtOpenProcessToken(>)	6	NtQueryDirectoryFile(>)	24
NtDuplicateToken(>)	1	NtGdiCreateSolidBrush(>)	2	NtQueryDefaultUILanguage(>)	6	NtSetInformationProcess(>)	25
NtGdiCreateBitmap(>)	1	NtGdiHfontCreate(>)	2	NtUserGetProcessWindowStation(>)	6	NtOpenProcessTokenEx(>)	28
NtGdiCreatePatternBrushInternal(>)	1	NtQueryInformationJobObject(>)	2	NtWaitForSingleObject(>)	6	NtOpenThreadTokenEx(>)	28
NtGdiInit(>)	1	NtReleaseMutant(>)	2	NtFsControlFile(>)	7	NtCreateSection(>)	29
NtGdiQueryFontAssocInfo(>)	1	NtTerminateProcess(>)	2	NtOpenThreadToken(>)	7	NtQueryInformationToken(>)	37
NtGdiSelectBitmap(>)	1	NtUserCloseWindowStation(>)	2	NtQueryInformationFile(>)	7	NtOpenFile(>)	41
NtOpenEvent(>)	1	NtUserGetObjectInformation(>)	2	NtWaitForMultipleObjects(>)	7	NtQueryInformationProcess(>)	44
NtOpenKeyedEvent(>)	1	NtGdiCreateCompatibleDC(>)	3	NtEnumerateKey(>)	8	NtQueryDefaultLocale(>)	48
NtOpenMutant(>)	1	NtGdiDeleteObjectApp(>)	3	NtSetValueKey(>)	8	NtUnmapViewOfSection(>)	48
NtQueryDebugFilterState(>)	1	NtOpenDirectoryObject(>)	3	NtUserCallNoParam(>)	9	NtAllocateVirtualMemory(>)	51
NtQueryInstallUILanguage(>)	1	NtOpenSymbolicLinkObject(>)	3	NtUserFindExistingCursorIcon(>)	9	NtQueryAttributesFile(>)	54
NtQueryObject(>)	1	NtQuerySymbolicLinkObject(>)	3	NtUserGetWindowDC(>)	10	NtFlushInstructionCache(>)	65
NtQueryPerformanceCounter(>)	1	NtReadVirtualMemory(>)	3	NtCreateKey(>)	11	NtMapViewOfSection(>)	69
NtQuerySystemTime(>)	1	NtSetEvent(>)	3	NtFreeVirtualMemory(>)	11	NtQuerySystemInformation(>)	76
NtRegisterThreadTerminatePort(>)	1	NtSetInformationObject(>)	3	NtUserCallOneParam(>)	11	NtQueryValueKey(>)	105
NtResumeThread(>)	1	NtUserOpenDesktop(>)	3	NtWriteFile(>)	11	NtUserValidateHandleSecure(>)	132
NtSecureConnectPort(>)	1	NtCreateMutant(>)	4	NtQuerySection(>)	12	NtOpenKey(>)	153
NtTestAlert(>)	1	NtDuplicateObject(>)	4	NtSetInformationThread(>)	13	NtProtectVirtualMemory(>)	156
NtUserBuildNameList(>)	1	NtQueryVolumeInformationFile(>)	4	NtCreateEvent(>)	14	NtUserQueryWindow(>)	160
NtUserCloseDesktop(>)	1	NtGdiGetStockObject(>)	5	NtCreateFile(>)	14	NtClose(>)	240
NtUserGetGUIThreadInfo(>)	1	NtReadFile(>)	5	NtUserRegisterClassExWOW(>)	14