Summary:


NtAddAtom(>) 
 1 
NtAccessCheck(>) 
 2 
NtFsControlFile(>) 
 7 
NtUserRegisterClassExWOW(>) 
 33 

NtConnectPort(>) 
 1 
NtCallbackReturn(>) 
 2 
NtOpenThreadToken(>) 
 7 
NtQuerySystemInformation(>) 
 34 

NtCreateProcessEx(>) 
 1 
NtCreateIoCompletion(>) 
 2 
NtCreateSemaphore(>) 
 8 
NtQueryInformationToken(>) 
 38 

NtDuplicateToken(>) 
 1 
NtGdiCreateSolidBrush(>) 
 2 
NtDeviceIoControlFile(>) 
 8 
NtCreateEvent(>) 
 40 

NtGdiCreateBitmap(>) 
 1 
NtOpenMutant(>) 
 2 
NtEnumerateKey(>) 
 8 
NtRequestWaitReplyPort(>) 
 41 

NtGdiInit(>) 
 1 
NtQueryInformationJobObject(>) 
 2 
NtWaitForMultipleObjects(>) 
 8 
NtCreateSection(>) 
 42 

NtGdiQueryFontAssocInfo(>) 
 1 
NtUserCloseWindowStation(>) 
 2 
NtQueryInformationFile(>) 
 11 
NtQueryInformationProcess(>) 
 43 

NtGdiSelectBitmap(>) 
 1 
NtGdiCreateCompatibleDC(>) 
 3 
NtWriteFile(>) 
 11 
NtSetInformationThread(>) 
 44 

NtNotifyChangeKey(>) 
 1 
NtOpenDirectoryObject(>) 
 3 
NtQueryDefaultUILanguage(>) 
 12 
NtQueryDefaultLocale(>) 
 51 

NtOpenKeyedEvent(>) 
 1 
NtOpenSymbolicLinkObject(>) 
 3 
NtQueryDebugFilterState(>) 
 14 
NtFreeVirtualMemory(>) 
 57 

NtOpenProcess(>) 
 1 
NtQuerySymbolicLinkObject(>) 
 3 
NtQuerySection(>) 
 17 
NtOpenFile(>) 
 57 

NtQueryInstallUILanguage(>) 
 1 
NtReadVirtualMemory(>) 
 3 
NtUserFindWindowEx(>) 
 17 
NtQueryAttributesFile(>) 
 63 

NtQueryObject(>) 
 1 
NtReleaseMutant(>) 
 3 
NtUserGetAtomName(>) 
 19 
NtQueryVirtualMemory(>) 
 67 

NtQueryPerformanceCounter(>) 
 1 
NtSetInformationObject(>) 
 3 
NtUserUnregisterClass(>) 
 19 
NtUnmapViewOfSection(>) 
 67 

NtQuerySystemTime(>) 
 1 
NtTerminateProcess(>) 
 3 
NtQueryDirectoryFile(>) 
 24 
NtSetEvent(>) 
 89 

NtQueryTimerResolution(>) 
 1 
NtUserQueryWindow(>) 
 3 
NtQueryInformationThread(>) 
 25 
NtMapViewOfSection(>) 
 92 

NtRaiseException(>) 
 1 
NtUserRegisterWindowMessage(>) 
 3 
NtSetInformationProcess(>) 
 25 
NtFlushInstructionCache(>) 
 95 

NtSecureConnectPort(>) 
 1 
NtDuplicateObject(>) 
 4 
NtUserFindExistingCursorIcon(>) 
 25 
NtWaitForSingleObject(>) 
 125 

NtSetValueKey(>) 
 1 
NtCreateKey(>) 
 5 
NtCreateFile(>) 
 26 
NtDelayExecution(>) 
 134 

NtUserCallNoParam(>) 
 1 
NtCreateMutant(>) 
 5 
NtCreateThread(>) 
 26 
NtOpenKey(>) 
 176 

NtUserGetDC(>) 
 1 
NtGdiGetStockObject(>) 
 5 
NtRegisterThreadTerminatePort(>) 
 26 
NtQueryValueKey(>) 
 198 

NtUserGetForegroundWindow(>) 
 1 
NtReadFile(>) 
 5 
NtResumeThread(>) 
 26 
NtProtectVirtualMemory(>) 
 223 

NtUserGetObjectInformation(>) 
 1 
NtSetInformationFile(>) 
 5 
NtTestAlert(>) 
 26 
NtAllocateVirtualMemory(>) 
 224 

NtUserGetProcessWindowStation(>) 
 1 
NtUserSystemParametersInfo(>) 
 5 
NtOpenProcessTokenEx(>) 
 30 
NtClose(>) 
 290 

NtUserGetThreadDesktop(>) 
 1 
NtWriteVirtualMemory(>) 
 5 
NtOpenThreadTokenEx(>) 
 30 

NtUserOpenWindowStation(>) 
 1 
NtOpenProcessToken(>) 
 6 
NtContinue(>) 
 32 

NtUserValidateHandleSecure(>) 
 1 

Trace:
 00001   860   NtOpenFile  (0x80100000, {24, 0, 0x240, 0, 0,  (0x80100000, {24, 0, 0x240, 0, 0, "\SystemRoot\Prefetch\PACKED.EXE-09ED06A1.pf"}, 0, 32, ... ) }, 0, 32, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002   860   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00003   860   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00004   860   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00005   860   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0
 00006   860   NtAllocateVirtualMemory  (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0
 00007   860   NtAllocateVirtualMemory  (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0
 00008   860   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00009   860   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0
 00010   860   NtAllocateVirtualMemory  (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0
 00011   860   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00012   860   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00013   860   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00014   860   NtClose  (12, ... ) == 0x0
 00015   860   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\C:\scripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00016   860   NtQueryVolumeInformationFile  (12, 1243852, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00017   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243804, ... ) }, 1243804, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018   860   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019   860   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7c800000), 0x0, 1003520, ) == 0x0
 00020   860   NtClose  (16, ... ) == 0x0
 00021   860   NtProtectVirtualMemory  (-1, (0x7c801000), 1568, 4, ... (0x7c801000), 4096, 32, ) == 0x0
 00022   860   NtProtectVirtualMemory  (-1, (0x7c801000), 4096, 32, ... (0x7c801000), 4096, 4, ) == 0x0
 00023   860   NtFlushInstructionCache  (-1, 2088767488, 1568, ... ) == 0x0
 00024   860   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00025   860   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00026   860   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00027   860   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00028   860   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) == 0x0
 00029   860   NtClose  (16, ... ) == 0x0
 00030   860   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00031   860   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00032   860   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00033   860   NtQueryVirtualMemory  (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00034   860   NtAllocateVirtualMemory  (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0
 00035   860   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184}  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6\31\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 464, 860, 57959, 0} "`\375\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ... {28, 56, reply, 0, 464, 860, 57959, 0}  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6\31\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 464, 860, 57959, 0} "`\375\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ) == 0x0
 00036   860   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00037   860   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00038   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00039   860   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00040   860   NtClose  (16, ... ) == 0x0
 00041   860   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 16, ) }, ... 16, ) == 0x0
 00042   860   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0
 00043   860   NtClose  (16, ... ) == 0x0
 00044   860   NtQueryDefaultLocale  (0, 2089305000, ... ) == 0x0
 00045   860   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 16, ) }, ... 16, ) == 0x0
 00046   860   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 249856, ) == 0x0
 00047   860   NtClose  (16, ... ) == 0x0
 00048   860   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 16, ) }, ... 16, ) == 0x0
 00049   860   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0
 00050   860   NtQuerySection  (16, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00051   860   NtClose  (16, ... ) == 0x0
 00052   860   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 16, ) }, ... 16, ) == 0x0
 00053   860   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0
 00054   860   NtClose  (16, ... ) == 0x0
 00055   860   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00056   860   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00057   860   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00058   860   NtAllocateVirtualMemory  (-1, 2428928, 0, 8192, 4096, 4, ... 2428928, 8192, ) == 0x0
 00059   860   NtRequestWaitReplyPort  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776}  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6\31\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" ... {24, 52, reply, 0, 464, 860, 57960, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" )  ... {24, 52, reply, 0, 464, 860, 57960, 0}  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6\31\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" ... {24, 52, reply, 0, 464, 860, 57960, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" )  ) == 0x0
 00060   860   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0}  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 464, 860, 57961, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ... {28, 56, reply, 0, 464, 860, 57961, 0}  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 464, 860, 57961, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ) == 0x0
 00061   860   NtProtectVirtualMemory  (-1, (0x514000), 4096, 4, ... (0x514000), 4096, 8, ) == 0x0
 00062   860   NtProtectVirtualMemory  (-1, (0x514000), 4096, 8, ... (0x514000), 4096, 4, ) == 0x0
 00063   860   NtFlushInstructionCache  (-1, 5324800, 4096, ... ) == 0x0
 00064   860   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "COMCTL32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00065   860   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5d090000), 0x0, 630784, ) == 0x0
 00066   860   NtClose  (16, ... ) == 0x0
 00067   860   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00068   860   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 634880, ) == 0x0
 00069   860   NtClose  (16, ... ) == 0x0
 00070   860   NtProtectVirtualMemory  (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0
 00071   860   NtProtectVirtualMemory  (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0
 00072   860   NtFlushInstructionCache  (-1, 2010976256, 1700, ... ) == 0x0
 00073   860   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00074   860   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e70000), 0x0, 593920, ) == 0x0
 00075   860   NtClose  (16, ... ) == 0x0
 00076   860   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00077   860   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00078   860   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00079   860   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00080   860   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00081   860   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00082   860   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00083   860   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00084   860   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00085   860   NtProtectVirtualMemory  (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0
 00086   860   NtProtectVirtualMemory  (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0
 00087   860   NtFlushInstructionCache  (-1, 2010976256, 1700, ... ) == 0x0
 00088   860   NtProtectVirtualMemory  (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0
 00089   860   NtProtectVirtualMemory  (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0
 00090   860   NtFlushInstructionCache  (-1, 1560875008, 1656, ... ) == 0x0
 00091   860   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00092   860   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f10000), 0x0, 290816, ) == 0x0
 00093   860   NtClose  (16, ... ) == 0x0
 00094   860   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00095   860   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00096   860   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00097   860   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00098   860   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00099   860   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00100   860   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "USER32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00101   860   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7e410000), 0x0, 589824, ) == 0x0
 00102   860   NtClose  (16, ... ) == 0x0
 00103   860   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00104   860   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00105   860   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00106   860   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00107   860   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00108   860   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00109   860   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00110   860   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00111   860   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00112   860   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00113   860   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00114   860   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00115   860   NtProtectVirtualMemory  (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0
 00116   860   NtProtectVirtualMemory  (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0
 00117   860   NtFlushInstructionCache  (-1, 1560875008, 1656, ... ) == 0x0
 00118   860   NtProtectVirtualMemory  (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0
 00119   860   NtProtectVirtualMemory  (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0
 00120   860   NtFlushInstructionCache  (-1, 1560875008, 1656, ... ) == 0x0
 00121   860   NtProtectVirtualMemory  (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0
 00122   860   NtProtectVirtualMemory  (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0
 00123   860   NtFlushInstructionCache  (-1, 1560875008, 1656, ... ) == 0x0
 00124   860   NtProtectVirtualMemory  (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0
 00125   860   NtProtectVirtualMemory  (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0
 00126   860   NtFlushInstructionCache  (-1, 1560875008, 1656, ... ) == 0x0
 00127   860   NtProtectVirtualMemory  (-1, (0x514000), 4096, 4, ... (0x514000), 4096, 4, ) == 0x0
 00128   860   NtProtectVirtualMemory  (-1, (0x514000), 4096, 4, ... (0x514000), 4096, 4, ) == 0x0
 00129   860   NtFlushInstructionCache  (-1, 5324800, 4096, ... ) == 0x0
 00130   860   NtQueryInformationProcess  (-1, 37, 48, ... {process info, class 37, size 48}, 0x0, ) == 0x0
 00131   860   NtSetInformationProcess  (-1, 34, {process info, class 34, size 4}, 4, ... ) == 0x0
 00132   860   NtOpenProcessToken  (-1, 0x8, ... 16, ) == 0x0
 00133   860   NtQueryInformationToken  (16, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00134   860   NtClose  (16, ... ) == 0x0
 00135   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00136   860   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00137   860   NtClose  (16, ... ) == 0x0
 00138   860   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00139   860   NtAllocateVirtualMemory  (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0
 00140   860   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADVAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00141   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00142   860   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00143   860   NtQueryValueKey  (16,  (16, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00144   860   NtClose  (16, ... ) == 0x0
 00145   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 16, ) }, ... 16, ) == 0x0
 00146   860   NtQueryValueKey  (16,  (16, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00147   860   NtClose  (16, ... ) == 0x0
 00148   860   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 16, ) }, ... 16, ) == 0x0
 00149   860   NtSetInformationObject  (16, Handle, {Inherit=0,ProtectFromClose=1,}, 2011431168, ... ) == 0x0
 00150   860   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00151   860   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USER32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00152   860   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00153   860   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1242016, 2090320424, 1242052, 1242044}  (24, {28, 56, new_msg, 0, 1242016, 2090320424, 1242052, 1242044} "\210\6\31\1\0\0\0\0\0\0\0\0\30\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 464, 860, 57962, 0} "\320G\26\0\0\0\0\0\0\0\0\0\30\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" )  ... {28, 56, reply, 0, 464, 860, 57962, 0}  (24, {28, 56, new_msg, 0, 1242016, 2090320424, 1242052, 1242044} "\210\6\31\1\0\0\0\0\0\0\0\0\30\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 464, 860, 57962, 0} "\320G\26\0\0\0\0\0\0\0\0\0\30\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" )  ) == 0x0
 00154   860   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 00155   860   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 28, ) }, ... 28, ) == 0x0
 00156   860   NtQueryValueKey  (28,  (28, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00157   860   NtClose  (28, ... ) == 0x0
 00158   860   NtAllocateVirtualMemory  (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0
 00159   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239420, ... ) }, 1239420, ... ) == 0x0
 00160   860   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00161   860   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 28, ... 32, ) == 0x0
 00162   860   NtClose  (28, ... ) == 0x0
 00163   860   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x620000), 0x0, 110592, ) == 0x0
 00164   860   NtClose  (32, ... ) == 0x0
 00165   860   NtUnmapViewOfSection  (-1, 0x620000, ... ) == 0x0
 00166   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239328, ... ) }, 1239328, ... ) == 0x0
 00167   860   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 32, {status=0x0, info=1}, ) }, 5, 96, ... 32, {status=0x0, info=1}, ) == 0x0
 00168   860   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 32, ... 28, ) == 0x0
 00169   860   NtClose  (32, ... ) == 0x0
 00170   860   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x620000), 0x0, 110592, ) == 0x0
 00171   860   NtClose  (28, ... ) == 0x0
 00172   860   NtUnmapViewOfSection  (-1, 0x620000, ... ) == 0x0
 00173   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239636, ... ) }, 1239636, ... ) == 0x0
 00174   860   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00175   860   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 28, ... 32, ) == 0x0
 00176   860   NtQuerySection  (32, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00177   860   NtOpenProcessToken  (-1, 0x8, ... 36, ) == 0x0
 00178   860   NtQueryInformationToken  (36, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00179   860   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00180   860   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 40, ) }, ... 40, ) == 0x0
 00181   860   NtQueryValueKey  (40,  (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00182   860   NtClose  (40, ... ) == 0x0
 00183   860   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00184   860   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 40, ) == 0x0
 00185   860   NtQueryInformationToken  (40, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00186   860   NtClose  (40, ... ) == 0x0
 00187   860   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00188   860   NtClose  (36, ... ) == 0x0
 00189   860   NtClose  (28, ... ) == 0x0
 00190   860   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76390000), 0x0, 118784, ) == 0x0
 00191   860   NtClose  (32, ... ) == 0x0
 00192   860   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00193   860   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00194   860   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00195   860   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00196   860   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00197   860   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00198   860   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00199   860   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00200   860   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00201   860   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMM32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00202   860   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00203   860   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00204   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1236552, ... ) }, 1236552, ... ) == 0x0
 00205   860   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00206   860   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00207   860   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00208   860   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\COMCTL32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00209   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239956, ... ) }, 1239956, ... ) == 0x0
 00210   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00211   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize"}, ... 32, ) }, ... 32, ) == 0x0
 00212   860   NtQueryValueKey  (32,  (32, "DisableMetaFiles", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00213   860   NtClose  (32, ... ) == 0x0
 00214   860   NtMapViewOfSection  (-2147482740, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x620000), 0x0, 1060864, ) == 0x0
 00215   860   NtClose  (-2147482740, ... ) == 0x0
 00216   860   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 32, ) == 0x0
 00217   860   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00218   860   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482740, ) == 0x0
 00219   860   NtQueryInformationToken  (-2147482740, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00220   860   NtQueryInformationToken  (-2147482740, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00221   860   NtClose  (-2147482740, ... ) == 0x0
 00222   860   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 4128768, 4096, ) == 0x0
 00223   860   NtFreeVirtualMemory  (-1, (0x3f0000), 4096, 32768, ... (0x3f0000), 4096, ) == 0x0
 00224   860   NtDuplicateObject  (-1, 28, -1, 0x0, 0, 2, ... 40, ) == 0x0
 00225   860   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0
 00226   860   NtQueryValueKey  (-2147482740,  (-2147482740, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00227   860   NtClose  (-2147482740, ... ) == 0x0
 00228   860   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0
 00229   860   NtQueryValueKey  (-2147482740,  (-2147482740, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00230   860   NtClose  (-2147482740, ... ) == 0x0
 00231   860   NtQueryDefaultLocale  (0, -139609780, ... ) == 0x0
 00232   860   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00233   860   NtUserCallNoParam  (24, ... ) == 0x0
 00234   860   NtGdiCreateCompatibleDC  (0, ...
 00235   860   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 4128768, 4096, ) == 0x0
 00234   860   NtGdiCreateCompatibleDC  ... ) == 0xee0105b0
 00236   860   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00237   860   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00238   860   NtGdiCreateBitmap  (8, 8, 1, 1, 2118200212, ... ) == 0x76050581
 00239   860   NtGdiCreateSolidBrush  (0, 0, ...
 00240   860   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 10682368, 4096, ) == 0x0
 00239   860   NtGdiCreateSolidBrush  ... ) == 0xa51003d2
 00241   860   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00242   860   NtGdiCreateCompatibleDC  (0, ... ) == 0x5201039b
 00243   860   NtGdiSelectBitmap  (1375798171, 1980040577, ... ) == 0x185000f
 00244   860   NtUserGetThreadDesktop  (860, 0, ... ) == 0x24
 00245   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 44, ) }, ... 44, ) == 0x0
 00246   860   NtQueryValueKey  (44,  (44, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (44, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00247   860   NtClose  (44, ... ) == 0x0
 00248   860   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00249   860   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 673, 128, 0, ... ) == 0x8173c017
 00250   860   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00251   860   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 674, 128, 0, ... ) == 0x8173c01c
 00252   860   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00253   860   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 675, 128, 0, ... ) == 0x8173c01e
 00254   860   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00255   860   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 676, 128, 0, ... ) == 0x81738002
 00256   860   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10013
 00257   860   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 677, 128, 0, ... ) == 0x8173c018
 00258   860   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00259   860   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 678, 128, 0, ... ) == 0x8173c01a
 00260   860   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00261   860   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 679, 128, 0, ... ) == 0x8173c01d
 00262   860   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00263   860   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 681, 128, 0, ... ) == 0x8173c026
 00264   860   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00265   860   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 680, 128, 0, ... ) == 0x8173c019
 00266   860   NtUserRegisterClassExWOW  (1241096, 1241164, 1241180, 1241196, 0, 128, 0, ... ) == 0x8173c020
 00267   860   NtUserRegisterClassExWOW  (1241352, 1241448, 1241432, 1241420, 0, 130, 0, ... ) == 0x8173c022
 00268   860   NtUserRegisterClassExWOW  (1241096, 1241164, 1241180, 1241196, 0, 128, 0, ... ) == 0x8173c023
 00269   860   NtUserRegisterClassExWOW  (1241352, 1241448, 1241432, 1241420, 0, 130, 0, ... ) == 0x8173c024
 00270   860   NtUserRegisterClassExWOW  (1241096, 1241164, 1241180, 1241196, 0, 128, 0, ... ) == 0x8173c025
 00271   860   NtCallbackReturn  (0, 0, 0, ...
 00272   860   NtGdiInit  (... ) == 0x1
 00273   860   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00274   860   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00275   860   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00276   860   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 10747904, 65536, ) == 0x0
 00277   860   NtAllocateVirtualMemory  (-1, 10747904, 0, 4096, 4096, 4, ... 10747904, 4096, ) == 0x0
 00278   860   NtAllocateVirtualMemory  (-1, 10752000, 0, 8192, 4096, 4, ... 10752000, 8192, ) == 0x0
 00279   860   NtAllocateVirtualMemory  (-1, 10760192, 0, 4096, 4096, 4, ... 10760192, 4096, ) == 0x0
 00280   860   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 44, ) }, ... 44, ) == 0x0
 00281   860   NtMapViewOfSection  (44, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xa50000), 0x0, 12288, ) == 0x0
 00282   860   NtClose  (44, ... ) == 0x0
 00283   860   NtAllocateVirtualMemory  (-1, 10764288, 0, 4096, 4096, 4, ... 10764288, 4096, ) == 0x0
 00284   860   NtQueryDefaultUILanguage  (1241688, ...
 00285   860   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00286   860   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482740, ) == 0x0
 00287   860   NtQueryInformationToken  (-2147482740, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00288   860   NtClose  (-2147482740, ... ) == 0x0
 00289   860   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0
 00290   860   NtOpenKey  (0x80000000, {24, -2147482740, 0x240, 0, 0,  (0x80000000, {24, -2147482740, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00291   860   NtOpenKey  (0x80000000, {24, -2147482740, 0x640, 0, 0,  (0x80000000, {24, -2147482740, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481328, ) }, ... -2147481328, ) == 0x0
 00292   860   NtQueryValueKey  (-2147481328,  (-2147481328, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00293   860   NtClose  (-2147481328, ... ) == 0x0
 00294   860   NtClose  (-2147482740, ... ) == 0x0
 00284   860   NtQueryDefaultUILanguage  ... ) == 0x0
 00295   860   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\COMCTL32.dll"}, 1, 96, ... 44, {status=0x0, info=1}, ) }, 1, 96, ... 44, {status=0x0, info=1}, ) == 0x0
 00296   860   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 44, ... 48, ) == 0x0
 00297   860   NtMapViewOfSection  (48, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xa60000), 0x0, 618496, ) == 0x0
 00298   860   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\COMCTL32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00299   860   NtQueryDefaultUILanguage  (2090319928, ...
 00300   860   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00301   860   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482740, ) == 0x0
 00302   860   NtQueryInformationToken  (-2147482740, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00303   860   NtClose  (-2147482740, ... ) == 0x0
 00304   860   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0
 00305   860   NtOpenKey  (0x80000000, {24, -2147482740, 0x240, 0, 0,  (0x80000000, {24, -2147482740, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00306   860   NtOpenKey  (0x80000000, {24, -2147482740, 0x640, 0, 0,  (0x80000000, {24, -2147482740, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481328, ) }, ... -2147481328, ) == 0x0
 00307   860   NtQueryValueKey  (-2147481328,  (-2147481328, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00308   860   NtClose  (-2147481328, ... ) == 0x0
 00309   860   NtClose  (-2147482740, ... ) == 0x0
 00299   860   NtQueryDefaultUILanguage  ... ) == 0x0
 00310   860   NtQueryInstallUILanguage  (2090319930, ... ) == 0x0
 00311   860   NtQueryDefaultLocale  (1, 1239784, ... ) == 0x0
 00312   860   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\COMCTL32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00313   860   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 2088850039, 1240820, 1179817, 1240544}  (24, {128, 156, new_msg, 0, 2088850039, 1240820, 1179817, 1240544} "\210\6\31\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0@\0D\0\250\6\31\1,\0\0\0\377\377\377\377\0\0\0\0\340q\255\0\0\0\0\0k\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\354\6\31\1\0\0\0\0\0\0\0\0\350\362\22\0\0\0\0\0" ... {128, 156, reply, 0, 464, 860, 57971, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0@\0D\0\250\6\31\1,\0\0\0\377\377\377\377\0\0\0\0\340q\255\0\0\0\0\0k\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\354\6\31\1\0\0\0\0\0\0\0\0\350\362\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 464, 860, 57971, 0}  (24, {128, 156, new_msg, 0, 2088850039, 1240820, 1179817, 1240544} "\210\6\31\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0@\0D\0\250\6\31\1,\0\0\0\377\377\377\377\0\0\0\0\340q\255\0\0\0\0\0k\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\354\6\31\1\0\0\0\0\0\0\0\0\350\362\22\0\0\0\0\0" ... {128, 156, reply, 0, 464, 860, 57971, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0@\0D\0\250\6\31\1,\0\0\0\377\377\377\377\0\0\0\0\340q\255\0\0\0\0\0k\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\354\6\31\1\0\0\0\0\0\0\0\0\350\362\22\0\0\0\0\0" )  ) == 0x0
 00314   860   NtClose  (44, ... ) == 0x0
 00315   860   NtClose  (48, ... ) == 0x0
 00316   860   NtUnmapViewOfSection  (-1, 0xa60000, ... ) == 0x0
 00317   860   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00318   860   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {464, 0}, ... 48, ) == 0x0
 00319   860   NtQueryInformationProcess  (48, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 00320   860   NtClose  (48, ... ) == 0x0
 00321   860   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00322   860   NtUserSystemParametersInfo  (104, 0, 1561338260, 0, ... ) == 0x1
 00323   860   NtUserSystemParametersInfo  (38, 4, 1561337988, 0, ... ) == 0x1
 00324   860   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00325   860   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 48, ) == 0x0
 00326   860   NtQueryInformationToken  (48, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00327   860   NtClose  (48, ... ) == 0x0
 00328   860   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 48, ) }, ... 48, ) == 0x0
 00329   860   NtOpenProcessToken  (-1, 0x8, ... 44, ) == 0x0
 00330   860   NtAccessCheck  (1329168, 44, 0x1, 1242880, 1242932, 56, 1242912, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 00331   860   NtClose  (44, ... ) == 0x0
 00332   860   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Control Panel\Desktop"}, ... 44, ) }, ... 44, ) == 0x0
 00333   860   NtQueryValueKey  (44,  (44, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00334   860   NtClose  (44, ... ) == 0x0
 00335   860   NtUserSystemParametersInfo  (41, 500, 1243060, 0, ... ) == 0x1
 00336   860   NtUserSystemParametersInfo  (102, 0, 1561338280, 0, ... ) == 0x1
 00337   860   NtClose  (48, ... ) == 0x0
 00338   860   NtUserFindExistingCursorIcon  (1242812, 1242828, 1242876, ... ) == 0x10011
 00339   860   NtAllocateVirtualMemory  (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0
 00340   860   NtUserRegisterClassExWOW  (1242756, 1242824, 1242840, 1242856, 0, 384, 0, ... ) == 0x8173c03b
 00341   860   NtUserRegisterClassExWOW  (1242756, 1242824, 1242840, 1242856, 0, 384, 0, ... ) == 0x8173c03d
 00342   860   NtUserFindExistingCursorIcon  (1242812, 1242828, 1242876, ... ) == 0x10011
 00343   860   NtUserRegisterClassExWOW  (1242756, 1242824, 1242840, 1242856, 0, 384, 0, ... ) == 0x8173c03f
 00344   860   NtUserFindExistingCursorIcon  (1242812, 1242828, 1242876, ... ) == 0x10011
 00345   860   NtUserRegisterClassExWOW  (1242756, 1242824, 1242840, 1242856, 0, 384, 0, ... ) == 0x8173c041
 00346   860   NtUserFindExistingCursorIcon  (1242812, 1242828, 1242876, ... ) == 0x10011
 00347   860   NtUserRegisterClassExWOW  (1242756, 1242824, 1242840, 1242856, 0, 384, 0, ... ) == 0x8173c043
 00348   860   NtUserRegisterClassExWOW  (1242756, 1242824, 1242840, 1242856, 0, 384, 0, ... ) == 0x8173c045
 00349   860   NtUserFindExistingCursorIcon  (1242812, 1242828, 1242876, ... ) == 0x10011
 00350   860   NtUserRegisterClassExWOW  (1242756, 1242824, 1242840, 1242856, 0, 384, 0, ... ) == 0x8173c047
 00351   860   NtUserFindExistingCursorIcon  (1242812, 1242828, 1242876, ... ) == 0x10011
 00352   860   NtUserRegisterClassExWOW  (1242756, 1242824, 1242840, 1242856, 0, 384, 0, ... ) == 0x8173c049
 00353   860   NtUserFindExistingCursorIcon  (1242812, 1242828, 1242876, ... ) == 0x10011
 00354   860   NtUserRegisterClassExWOW  (1242756, 1242824, 1242840, 1242856, 0, 384, 0, ... ) == 0x8173c04b
 00355   860   NtUserFindExistingCursorIcon  (1242812, 1242828, 1242876, ... ) == 0x10011
 00356   860   NtUserRegisterClassExWOW  (1242756, 1242824, 1242840, 1242856, 0, 384, 0, ... ) == 0x8173c04d
 00357   860   NtUserFindExistingCursorIcon  (1242812, 1242828, 1242876, ... ) == 0x10011
 00358   860   NtUserRegisterClassExWOW  (1242756, 1242824, 1242840, 1242856, 0, 384, 0, ... ) == 0x8173c04f
 00359   860   NtUserRegisterClassExWOW  (1242756, 1242824, 1242840, 1242856, 0, 384, 0, ... ) == 0x8173c051
 00360   860   NtUserFindExistingCursorIcon  (1242812, 1242828, 1242876, ... ) == 0x10011
 00361   860   NtUserRegisterClassExWOW  (1242756, 1242824, 1242840, 1242856, 0, 384, 0, ... ) == 0x8173c053
 00362   860   NtUserFindExistingCursorIcon  (1242808, 1242824, 1242872, ... ) == 0x10011
 00363   860   NtUserRegisterClassExWOW  (1242752, 1242820, 1242836, 1242852, 0, 384, 0, ... ) == 0x8173c055
 00364   860   NtUserFindExistingCursorIcon  (1242808, 1242824, 1242872, ... ) == 0x10011
 00365   860   NtUserRegisterClassExWOW  (1242752, 1242820, 1242836, 1242852, 0, 384, 0, ... ) == 0x8173c057
 00366   860   NtUserFindExistingCursorIcon  (1242812, 1242828, 1242876, ... ) == 0x10011
 00367   860   NtUserRegisterClassExWOW  (1242756, 1242824, 1242840, 1242856, 0, 384, 0, ... ) == 0x8173c059
 00368   860   NtUserFindExistingCursorIcon  (1242812, 1242828, 1242876, ... ) == 0x10013
 00369   860   NtUserRegisterClassExWOW  (1242756, 1242824, 1242840, 1242856, 0, 384, 0, ... ) == 0x8173c05b
 00370   860   NtUserFindExistingCursorIcon  (1242812, 1242828, 1242876, ... ) == 0x10011
 00371   860   NtUserRegisterClassExWOW  (1242756, 1242824, 1242840, 1242856, 0, 384, 0, ... ) == 0x8173c05d
 00372   860   NtUserFindExistingCursorIcon  (1242812, 1242828, 1242876, ... ) == 0x10011
 00373   860   NtUserRegisterClassExWOW  (1242756, 1242824, 1242840, 1242856, 0, 384, 0, ... ) == 0x8173c05f
 00374   860   NtTestAlert  (... ) == 0x0
 00375   860   NtContinue  (1244464, 1, ...
 00376   860   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x619000,}, 4, ... ) == 0x0
 00377   860   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1244964,  (0xc0100080, {24, 0, 0x40, 0, 1244964, "\??\SICE"}, 0x0, 128, 3, 1, 96, 0, 0, ... ) }, 0x0, 128, 3, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00378   860   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1244964,  (0xc0100080, {24, 0, 0x40, 0, 1244964, "\??\SIWVID"}, 0x0, 128, 3, 1, 96, 0, 0, ... ) }, 0x0, 128, 3, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00379   860   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1244964,  (0xc0100080, {24, 0, 0x40, 0, 1244964, "\??\NTICE"}, 0x0, 128, 3, 1, 96, 0, 0, ... ) }, 0x0, 128, 3, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00380   860   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00381   860   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 48, ) == 0x0
 00382   860   NtQueryInformationToken  (48, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00383   860   NtClose  (48, ... ) == 0x0
 00384   860   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 48, ) }, ... 48, ) == 0x0
 00385   860   NtSetInformationObject  (48, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 00386   860   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Wine"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00387   860   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00388   860   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00389   860   NtQueryVirtualMemory  (-1, 0x5b990c, Basic, 28, ... {BaseAddress=0x5b9000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0x60000,State=0x1000,Protect=0x40,Type=0x1000000,}, 28, ) == 0x0
 00390   860   NtContinue  (1244368, 0, ...
 00391   860   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1244952,  (0x80100080, {24, 0, 0x40, 0, 1244952, "\??\C:\WINDOWS\system32\KERNEL32.dll"}, 0x0, 4, 1, 1, 96, 0, 0, ... 44, {status=0x0, info=1}, ) }, 0x0, 4, 1, 1, 96, 0, 0, ... 44, {status=0x0, info=1}, ) == 0x0
 00392   860   NtQueryInformationFile  (44, 1245004, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00393   860   NtAllocateVirtualMemory  (-1, 0, 0, 984576, 4096, 64, ... 11599872, 987136, ) == 0x0
 00394   860   NtReadFile  (44, 0, 0, 0, 984576, 0x0, 0, ... {status=0x0, info=984576},  (44, 0, 0, 0, 984576, 0x0, 0, ... {status=0x0, info=984576}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\350\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\27\206 \244S\347N\367S\347N\367S\347N\367S\347O\367\332\346N\367\220\350\23\367P\347N\367\220\350\22\367R\347N\367\220\350\20\367R\347N\367\220\350A\367V\347N\367\220\350\21\367\216\347N\367\220\350.\367W\347N\367\220\350\24\367R\347N\367RichS\347N\367\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\4\0\325\233#F\0\0\0\0\0\0\0\0\340\0\16!\13\1\7\12\0"\10\0\0\0\7\0\0\0\0\0\256\265\0\0\0\20\0\0\0\360\7\0\0\0\200|\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0P\17\0\0\4\0\0\223\222\17\0\3\0\0\0\0\0\4\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\34&\0\0{l\0\0\314\7\10\0(\0\0\0\0\220\10\0\350^\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\16\0\354[\0\0\2600\10\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\343\4\0@\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0 \6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\21!\10\0\0\20\0\0\0"\10\0", ) \10\0\0\0\7\0\0\0\0\0\256\265\0\0\0\20\0\0\0\360\7\0\0\0\200|\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0P\17\0\0\4\0\0\223\222\17\0\3\0\0\0\0\0\4\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\34&\0\0{l\0\0\314\7\10\0(\0\0\0\0\220\10\0\350^\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\16\0\354[\0\0\2600\10\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\343\4\0@\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0 \6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\21!\10\0\0\20\0\0\0 (44, 0, 0, 0, 984576, 0x0, 0, ... {status=0x0, info=984576}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\350\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\27\206 \244S\347N\367S\347N\367S\347N\367S\347O\367\332\346N\367\220\350\23\367P\347N\367\220\350\22\367R\347N\367\220\350\20\367R\347N\367\220\350A\367V\347N\367\220\350\21\367\216\347N\367\220\350.\367W\347N\367\220\350\24\367R\347N\367RichS\347N\367\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\4\0\325\233#F\0\0\0\0\0\0\0\0\340\0\16!\13\1\7\12\0"\10\0\0\0\7\0\0\0\0\0\256\265\0\0\0\20\0\0\0\360\7\0\0\0\200|\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0P\17\0\0\4\0\0\223\222\17\0\3\0\0\0\0\0\4\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\34&\0\0{l\0\0\314\7\10\0(\0\0\0\0\220\10\0\350^\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\16\0\354[\0\0\2600\10\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\343\4\0@\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0 \6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\21!\10\0\0\20\0\0\0"\10\0", ) , ) == 0x0
 00395   860   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1244952,  (0x80100080, {24, 0, 0x40, 0, 1244952, "\??\C:\WINDOWS\system32\USER32.dll"}, 0x0, 4, 1, 1, 96, 0, 0, ... 52, {status=0x0, info=1}, ) }, 0x0, 4, 1, 1, 96, 0, 0, ... 52, {status=0x0, info=1}, ) == 0x0
 00396   860   NtQueryInformationFile  (52, 1245004, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00397   860   NtAllocateVirtualMemory  (-1, 0, 0, 577536, 4096, 64, ... 10878976, 577536, ) == 0x0
 00398   860   NtReadFile  (52, 0, 0, 0, 577536, 0x0, 0, ... {status=0x0, info=577536},  (52, 0, 0, 0, 577536, 0x0, 0, ... {status=0x0, info=577536}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\330\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\376\7\341\342\272f\217\261\272f\217\261\272f\217\261\272f\216\261\361g\217\261yi\322\261\275f\217\261yi\323\261\273f\217\261yi\321\261\273f\217\261yi\200\261\262f\217\261yi\320\261\315f\217\261yi\325\261\273f\217\261Rich\272f\217\261\0\0\0\0\0\0\0\0PE\0\0L\1\4\0|-\360E\0\0\0\0\0\0\0\0\340\0\16!\13\1\7\12\0\360\5\0\0\342\2\0\0\0\0\0f\351\1\0\0\20\0\0\0\260\5\0\0\0A~\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0\0\11\0\0\4\0\0\341@\11\0\2\0\0\0\0\0\4\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\3708\0\0\251K\0\0\250\343\5\0P\0\0\0\0 \6\0\230\240\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\320\10\0\350-\0\0\210\377\5\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\260\355\3\0@\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0\344\4\0\0\234\340\5\0\240\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\347\357\5\0\0\20\0\0\0\360\5\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 00399   860   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1244956,  (0x80100080, {24, 0, 0x40, 0, 1244956, "\??\C:\WINDOWS\system32\ADVAPI32.dll"}, 0x0, 4, 1, 1, 96, 0, 0, ... 56, {status=0x0, info=1}, ) }, 0x0, 4, 1, 1, 96, 0, 0, ... 56, {status=0x0, info=1}, ) == 0x0
 00400   860   NtQueryInformationFile  (56, 1245008, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00401   860   NtAllocateVirtualMemory  (-1, 0, 0, 616960, 4096, 64, ... 12648448, 618496, ) == 0x0
 00402   860   NtReadFile  (56, 0, 0, 0, 616960, 0x0, 0, ... {status=0x0, info=616960},  (56, 0, 0, 0, 616960, 0x0, 0, ... {status=0x0, info=616960}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\250j\342h\354\13\214;\354\13\214;\354\13\214;/\4\321;\353\13\214;/\4\203;\341\13\214;=\7\323;\356\13\214;\354\13\215;T\12\214;/\4\320;\355\13\214;/\4\322;\355\13\214;/\4\354;\361\13\214;/\4\323;~\13\214;/\4\326;\355\13\214;Rich\354\13\214;\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\4\0\247\226\20A\0\0\0\0\0\0\0\0\340\0\16!\13\1\7\12\0D\7\0\0<\2\0\0\0\0\0\324p\0\0\0\20\0\0\0 \7\0\0\0\335w\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0\260\11\0\0\4\0\0\344\15\12\0\3\0\0\0\0\0\4\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\244\26\0\0\23R\0\04(\7\0P\0\0\0\0\260\7\0\200\251\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\11\08K\0\0xR\7\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0V\2\0H\0\0\0\210\2\0\0L\0\0\0\0\20\0\0\244\6\0\0\340&\7\0`\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\331B\7\0", ) , ) == 0x0
 00403   860   NtClose  (56, ... ) == 0x0
 00404   860   NtClose  (52, ... ) == 0x0
 00405   860   NtClose  (44, ... ) == 0x0
 00406   860   NtRaiseException  (1244376, 1243636, 1, ...
 00407   860   NtQueryVirtualMemory  (-1, 0x7c85a0a0, Basic, 28, ... {BaseAddress=0x7c85a000,AllocationBase=0x7c800000,AllocationProtect=0x80,RegionSize=0x2a000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 00408   860   NtContinue  (1242596, 0, ...
 00409   860   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 44, ) }, ... 44, ) == 0x0
 00410   860   NtOpenMutant  (0x120001, {24, 44, 0x2, 0, 0,  (0x120001, {24, 44, 0x2, 0, 0, "DBWinMutex"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00411   860   NtCreateMutant  (0x1f0001, {24, 44, 0x82, 1244396, 0,  (0x1f0001, {24, 44, 0x82, 1244396, 0, "DBWinMutex"}, 0, ... 52, ) }, 0, ... 52, ) == 0x0
 00412   860   NtWaitForSingleObject  (52, 0, 0x0, ... ) == 0x0
 00413   860   NtOpenSection  (0x2, {24, 44, 0x0, 0, 0,  (0x2, {24, 44, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00414   860   NtReleaseMutant  (52, ... 0x0, ) == 0x0
 00415   860   NtAllocateVirtualMemory  (-1, 0, 0, 748, 4096, 4, ... 11468800, 4096, ) == 0x0
 00416   860   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "winmm.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00417   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\winmm.dll"}, 1242956, ... ) }, 1242956, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00418   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\winmm.dll"}, 1242956, ... ) }, 1242956, ... ) == 0x0
 00419   860   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\winmm.dll"}, 5, 96, ... 56, {status=0x0, info=1}, ) }, 5, 96, ... 56, {status=0x0, info=1}, ) == 0x0
 00420   860   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 56, ... 60, ) == 0x0
 00421   860   NtQuerySection  (60, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00422   860   NtClose  (56, ... ) == 0x0
 00423   860   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76b40000), 0x0, 184320, ) == 0x0
 00424   860   NtClose  (60, ... ) == 0x0
 00425   860   NtProtectVirtualMemory  (-1, (0x76b41000), 860, 4, ... (0x76b41000), 4096, 32, ) == 0x0
 00426   860   NtProtectVirtualMemory  (-1, (0x76b41000), 4096, 32, ... (0x76b41000), 4096, 4, ) == 0x0
 00427   860   NtFlushInstructionCache  (-1, 1991512064, 860, ... ) == 0x0
 00428   860   NtProtectVirtualMemory  (-1, (0x76b41000), 860, 4, ... (0x76b41000), 4096, 32, ) == 0x0
 00429   860   NtProtectVirtualMemory  (-1, (0x76b41000), 4096, 32, ... (0x76b41000), 4096, 4, ) == 0x0
 00430   860   NtFlushInstructionCache  (-1, 1991512064, 860, ... ) == 0x0
 00431   860   NtProtectVirtualMemory  (-1, (0x76b41000), 860, 4, ... (0x76b41000), 4096, 32, ) == 0x0
 00432   860   NtProtectVirtualMemory  (-1, (0x76b41000), 4096, 32, ... (0x76b41000), 4096, 4, ) == 0x0
 00433   860   NtFlushInstructionCache  (-1, 1991512064, 860, ... ) == 0x0
 00434   860   NtProtectVirtualMemory  (-1, (0x76b41000), 860, 4, ... (0x76b41000), 4096, 32, ) == 0x0
 00435   860   NtProtectVirtualMemory  (-1, (0x76b41000), 4096, 32, ... (0x76b41000), 4096, 4, ) == 0x0
 00436   860   NtFlushInstructionCache  (-1, 1991512064, 860, ... ) == 0x0
 00437   860   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winmm.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00438   860   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 60, ) == 0x0
 00439   860   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 56, ) == 0x0
 00440   860   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 64, ) == 0x0
 00441   860   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\DRIVERS32"}, ... 68, ) }, ... 68, ) == 0x0
 00442   860   NtQueryValueKey  (68,  (68, "wave", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (68, "wave", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 00443   860   NtAllocateVirtualMemory  (-1, 0, 0, 524280, 8192, 4, ... 13303808, 524288, ) == 0x0
 00444   860   NtAllocateVirtualMemory  (-1, 13303808, 0, 4096, 4096, 4, ... 13303808, 4096, ) == 0x0
 00445   860   NtQueryValueKey  (68,  (68, "wave", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (68, "wave", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 00446   860   NtQueryValueKey  (68,  (68, "wave1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (68, "wave1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 00447   860   NtQueryValueKey  (68,  (68, "wave1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (68, "wave1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 00448   860   NtQueryValueKey  (68,  (68, "wave2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00449   860   NtQueryValueKey  (68,  (68, "wave3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00450   860   NtQueryValueKey  (68,  (68, "wave4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00451   860   NtQueryValueKey  (68,  (68, "wave5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00452   860   NtQueryValueKey  (68,  (68, "wave6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00453   860   NtQueryValueKey  (68,  (68, "wave7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00454   860   NtQueryValueKey  (68,  (68, "wave8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00455   860   NtQueryValueKey  (68,  (68, "wave9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00456   860   NtQueryValueKey  (68,  (68, "midi", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (68, "midi", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 00457   860   NtQueryValueKey  (68,  (68, "midi", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (68, "midi", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 00458   860   NtQueryValueKey  (68,  (68, "midi1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (68, "midi1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 00459   860   NtQueryValueKey  (68,  (68, "midi1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (68, "midi1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 00460   860   NtQueryValueKey  (68,  (68, "midi2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00461   860   NtQueryValueKey  (68,  (68, "midi3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00462   860   NtQueryValueKey  (68,  (68, "midi4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00463   860   NtQueryValueKey  (68,  (68, "midi5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00464   860   NtQueryValueKey  (68,  (68, "midi6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00465   860   NtQueryValueKey  (68,  (68, "midi7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00466   860   NtQueryValueKey  (68,  (68, "midi8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00467   860   NtQueryValueKey  (68,  (68, "midi9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00468   860   NtQueryTimerResolution  (... 156250, 10000, 156250, ) == 0x0
 00469   860   NtQueryValueKey  (68,  (68, "aux", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (68, "aux", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 00470   860   NtQueryValueKey  (68,  (68, "aux", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (68, "aux", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 00471   860   NtQueryValueKey  (68,  (68, "aux1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (68, "aux1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 00472   860   NtQueryValueKey  (68,  (68, "aux1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (68, "aux1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 00473   860   NtQueryValueKey  (68,  (68, "aux2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00474   860   NtQueryValueKey  (68,  (68, "aux3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00475   860   NtQueryValueKey  (68,  (68, "aux4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00476   860   NtQueryValueKey  (68,  (68, "aux5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00477   860   NtQueryValueKey  (68,  (68, "aux6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00478   860   NtQueryValueKey  (68,  (68, "aux7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00479   860   NtQueryValueKey  (68,  (68, "aux8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00480   860   NtQueryValueKey  (68,  (68, "aux9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00481   860   NtUserRegisterWindowMessage  ( ("MSJSTICK_VJOYD_MSGSTR", ... ) , ... ) == 0xc076
 00482   860   NtOpenKey  (0xf003f, {24, 16, 0x40, 0, 0,  (0xf003f, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm"}, ... 72, ) }, ... 72, ) == 0x0
 00483   860   NtQueryValueKey  (72,  (72, "wheel", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (72, "wheel", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00484   860   NtClose  (72, ... ) == 0x0
 00485   860   NtCreateEvent  (0x1f0003, {24, 44, 0x80, 0, 0,  (0x1f0003, {24, 44, 0x80, 0, 0, "DINPUTWINMM"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED
 00486   860   NtQueryValueKey  (68,  (68, "mixer", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (68, "mixer", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 00487   860   NtQueryValueKey  (68,  (68, "mixer", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (68, "mixer", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 00488   860   NtQueryValueKey  (68,  (68, "mixer1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (68, "mixer1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 00489   860   NtQueryValueKey  (68,  (68, "mixer1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (68, "mixer1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 00490   860   NtQueryValueKey  (68,  (68, "mixer2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00491   860   NtQueryValueKey  (68,  (68, "mixer3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00492   860   NtQueryValueKey  (68,  (68, "mixer4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00493   860   NtQueryValueKey  (68,  (68, "mixer5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00494   860   NtQueryValueKey  (68,  (68, "mixer6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00495   860   NtQueryValueKey  (68,  (68, "mixer7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00496   860   NtQueryValueKey  (68,  (68, "mixer8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00497   860   NtQueryValueKey  (68,  (68, "mixer9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00498   860   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 13828096, 1048576, ) == 0x0
 00499   860   NtAllocateVirtualMemory  (-1, 14868480, 0, 8192, 4096, 4, ... 14868480, 8192, ) == 0x0
 00500   860   NtProtectVirtualMemory  (-1, (0xe2e000), 4096, 260, ... (0xe2e000), 4096, 4, ) == 0x0
 00501   860   NtCreateThread  (0x1f03ff, 0x0, -1, 1244080, 1244024, 1, ... 72, {464, 1292}, ) == 0x0
 00502   860   NtQueryInformationThread  (72, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffde000,Pid=464,Tid=1292,}, 0x0, ) == 0x0
 00503   860   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 6037467, 0, 65535, 2147348480}  (24, {28, 56, new_msg, 0, 6037467, 0, 65535, 2147348480} "\0\0\0\0\1\0\1\0\\23\264v\334\343\200|H\0\0\0\320\1\0\0\14\5\0\0" ... {28, 56, reply, 0, 464, 860, 57972, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|H\0\0\0\320\1\0\0\14\5\0\0" )  ... {28, 56, reply, 0, 464, 860, 57972, 0}  (24, {28, 56, new_msg, 0, 6037467, 0, 65535, 2147348480} "\0\0\0\0\1\0\1\0\\23\264v\334\343\200|H\0\0\0\320\1\0\0\14\5\0\0" ... {28, 56, reply, 0, 464, 860, 57972, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|H\0\0\0\320\1\0\0\14\5\0\0" )  ) == 0x0
 00504   860   NtResumeThread  (72, ... 1, ) == 0x0
 00505  1292   NtTestAlert  (... ) == 0x0
 00506  1292   NtContinue  (14875952, 1, ...
 00507  1292   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00508  1292   NtDelayExecution  (0, {-150000, -1}, ...
 00509   860   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 14876672, 1048576, ) == 0x0
 00510   860   NtAllocateVirtualMemory  (-1, 15917056, 0, 8192, 4096, 4, ... 15917056, 8192, ) == 0x0
 00511   860   NtProtectVirtualMemory  (-1, (0xf2e000), 4096, 260, ... (0xf2e000), 4096, 4, ) == 0x0
 00512   860   NtCreateThread  (0x1f03ff, 0x0, -1, 1244080, 1244024, 1, ... 76, {464, 1956}, ) == 0x0
 00513   860   NtQueryInformationThread  (76, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdd000,Pid=464,Tid=1956,}, 0x0, ) == 0x0
 00514   860   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 464, 860, 57972, 0}  (24, {28, 56, new_msg, 0, 464, 860, 57972, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|L\0\0\0\320\1\0\0\244\7\0\0" ... {28, 56, reply, 0, 464, 860, 57973, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|L\0\0\0\320\1\0\0\244\7\0\0" )  ... {28, 56, reply, 0, 464, 860, 57973, 0}  (24, {28, 56, new_msg, 0, 464, 860, 57972, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|L\0\0\0\320\1\0\0\244\7\0\0" ... {28, 56, reply, 0, 464, 860, 57973, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|L\0\0\0\320\1\0\0\244\7\0\0" )  ) == 0x0
 00515   860   NtResumeThread  (76, ... 1, ) == 0x0
 00516   860   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 15925248, 1048576, ) == 0x0
 00517   860   NtAllocateVirtualMemory  (-1, 16965632, 0, 8192, 4096, 4, ...
 00518  1956   NtTestAlert  (... ) == 0x0
 00519  1956   NtContinue  (15924528, 1, ...
 00520  1956   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00521  1956   NtDelayExecution  (0, {-150000, -1}, ...
 00517   860   NtAllocateVirtualMemory  ... 16965632, 8192, ) == 0x0
 00522   860   NtProtectVirtualMemory  (-1, (0x102e000), 4096, 260, ... (0x102e000), 4096, 4, ) == 0x0
 00523   860   NtCreateThread  (0x1f03ff, 0x0, -1, 1244080, 1244024, 1, ... 80, {464, 1980}, ) == 0x0
 00524   860   NtQueryInformationThread  (80, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdc000,Pid=464,Tid=1980,}, 0x0, ) == 0x0
 00525   860   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 464, 860, 57973, 0}  (24, {28, 56, new_msg, 0, 464, 860, 57973, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|P\0\0\0\320\1\0\0\274\7\0\0" ... {28, 56, reply, 0, 464, 860, 57974, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|P\0\0\0\320\1\0\0\274\7\0\0" )  ... {28, 56, reply, 0, 464, 860, 57974, 0}  (24, {28, 56, new_msg, 0, 464, 860, 57973, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|P\0\0\0\320\1\0\0\274\7\0\0" ... {28, 56, reply, 0, 464, 860, 57974, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|P\0\0\0\320\1\0\0\274\7\0\0" )  ) == 0x0
 00526   860   NtResumeThread  (80, ... 1, ) == 0x0
 00527  1980   NtTestAlert  (... ) == 0x0
 00528  1980   NtContinue  (16973104, 1, ...
 00529  1980   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00530  1980   NtDelayExecution  (0, {-150000, -1}, ...
 00531   860   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 16973824, 1048576, ) == 0x0
 00532   860   NtAllocateVirtualMemory  (-1, 18014208, 0, 8192, 4096, 4, ... 18014208, 8192, ) == 0x0
 00533   860   NtProtectVirtualMemory  (-1, (0x112e000), 4096, 260, ... (0x112e000), 4096, 4, ) == 0x0
 00534   860   NtCreateThread  (0x1f03ff, 0x0, -1, 1244080, 1244024, 1, ... 84, {464, 1784}, ) == 0x0
 00535   860   NtQueryInformationThread  (84, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdb000,Pid=464,Tid=1784,}, 0x0, ) == 0x0
 00536   860   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 464, 860, 57974, 0}  (24, {28, 56, new_msg, 0, 464, 860, 57974, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|T\0\0\0\320\1\0\0\370\6\0\0" ... {28, 56, reply, 0, 464, 860, 57975, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|T\0\0\0\320\1\0\0\370\6\0\0" )  ... {28, 56, reply, 0, 464, 860, 57975, 0}  (24, {28, 56, new_msg, 0, 464, 860, 57974, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|T\0\0\0\320\1\0\0\370\6\0\0" ... {28, 56, reply, 0, 464, 860, 57975, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|T\0\0\0\320\1\0\0\370\6\0\0" )  ) == 0x0
 00537   860   NtResumeThread  (84, ... 1, ) == 0x0
 00538   860   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 18022400, 1048576, ) == 0x0
 00539   860   NtAllocateVirtualMemory  (-1, 19062784, 0, 8192, 4096, 4, ...
 00540  1784   NtTestAlert  (... ) == 0x0
 00541  1784   NtContinue  (18021680, 1, ...
 00542  1784   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00543  1784   NtDelayExecution  (0, {-150000, -1}, ...
 00539   860   NtAllocateVirtualMemory  ... 19062784, 8192, ) == 0x0
 00544   860   NtProtectVirtualMemory  (-1, (0x122e000), 4096, 260, ... (0x122e000), 4096, 4, ) == 0x0
 00545   860   NtCreateThread  (0x1f03ff, 0x0, -1, 1244080, 1244024, 1, ... 88, {464, 1480}, ) == 0x0
 00546   860   NtQueryInformationThread  (88, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffda000,Pid=464,Tid=1480,}, 0x0, ) == 0x0
 00547   860   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 464, 860, 57975, 0}  (24, {28, 56, new_msg, 0, 464, 860, 57975, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|X\0\0\0\320\1\0\0\310\5\0\0" ... {28, 56, reply, 0, 464, 860, 57976, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|X\0\0\0\320\1\0\0\310\5\0\0" )  ... {28, 56, reply, 0, 464, 860, 57976, 0}  (24, {28, 56, new_msg, 0, 464, 860, 57975, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|X\0\0\0\320\1\0\0\310\5\0\0" ... {28, 56, reply, 0, 464, 860, 57976, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|X\0\0\0\320\1\0\0\310\5\0\0" )  ) == 0x0
 00548   860   NtResumeThread  (88, ... 1, ) == 0x0
 00549  1480   NtTestAlert  (... ) == 0x0
 00550  1480   NtContinue  (19070256, 1, ...
 00551  1480   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00552  1480   NtDelayExecution  (0, {-150000, -1}, ...
 00553   860   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 19070976, 1048576, ) == 0x0
 00554   860   NtAllocateVirtualMemory  (-1, 20111360, 0, 8192, 4096, 4, ... 20111360, 8192, ) == 0x0
 00555   860   NtProtectVirtualMemory  (-1, (0x132e000), 4096, 260, ... (0x132e000), 4096, 4, ) == 0x0
 00556   860   NtCreateThread  (0x1f03ff, 0x0, -1, 1244080, 1244024, 1, ... 92, {464, 1556}, ) == 0x0
 00557   860   NtQueryInformationThread  (92, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd9000,Pid=464,Tid=1556,}, 0x0, ) == 0x0
 00558   860   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 464, 860, 57976, 0}  (24, {28, 56, new_msg, 0, 464, 860, 57976, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|\\0\0\0\320\1\0\0\24\6\0\0" ... {28, 56, reply, 0, 464, 860, 57977, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|\\0\0\0\320\1\0\0\24\6\0\0" )  ... {28, 56, reply, 0, 464, 860, 57977, 0}  (24, {28, 56, new_msg, 0, 464, 860, 57976, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|\\0\0\0\320\1\0\0\24\6\0\0" ... {28, 56, reply, 0, 464, 860, 57977, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|\\0\0\0\320\1\0\0\24\6\0\0" )  ) == 0x0
 00559   860   NtResumeThread  (92, ... 1, ) == 0x0
 00560   860   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 20119552, 1048576, ) == 0x0
 00561   860   NtAllocateVirtualMemory  (-1, 21159936, 0, 8192, 4096, 4, ...
 00562  1556   NtTestAlert  (... ) == 0x0
 00563  1556   NtContinue  (20118832, 1, ...
 00564  1556   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00565  1556   NtDelayExecution  (0, {-150000, -1}, ...
 00561   860   NtAllocateVirtualMemory  ... 21159936, 8192, ) == 0x0
 00566   860   NtProtectVirtualMemory  (-1, (0x142e000), 4096, 260, ... (0x142e000), 4096, 4, ) == 0x0
 00567   860   NtCreateThread  (0x1f03ff, 0x0, -1, 1244080, 1244024, 1, ... 96, {464, 460}, ) == 0x0
 00568   860   NtQueryInformationThread  (96, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd8000,Pid=464,Tid=460,}, 0x0, ) == 0x0
 00569   860   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 464, 860, 57977, 0}  (24, {28, 56, new_msg, 0, 464, 860, 57977, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|`\0\0\0\320\1\0\0\314\1\0\0" ... {28, 56, reply, 0, 464, 860, 57978, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|`\0\0\0\320\1\0\0\314\1\0\0" )  ... {28, 56, reply, 0, 464, 860, 57978, 0}  (24, {28, 56, new_msg, 0, 464, 860, 57977, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|`\0\0\0\320\1\0\0\314\1\0\0" ... {28, 56, reply, 0, 464, 860, 57978, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|`\0\0\0\320\1\0\0\314\1\0\0" )  ) == 0x0
 00570   860   NtResumeThread  (96, ... 1, ) == 0x0
 00571   460   NtTestAlert  (... ) == 0x0
 00572   460   NtContinue  (21167408, 1, ...
 00573   460   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00574   460   NtDelayExecution  (0, {-150000, -1}, ...
 00575   860   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 21168128, 1048576, ) == 0x0
 00576   860   NtAllocateVirtualMemory  (-1, 22208512, 0, 8192, 4096, 4, ... 22208512, 8192, ) == 0x0
 00577   860   NtProtectVirtualMemory  (-1, (0x152e000), 4096, 260, ... (0x152e000), 4096, 4, ) == 0x0
 00578   860   NtCreateThread  (0x1f03ff, 0x0, -1, 1244080, 1244024, 1, ... 100, {464, 1068}, ) == 0x0
 00579   860   NtQueryInformationThread  (100, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd6000,Pid=464,Tid=1068,}, 0x0, ) == 0x0
 00580   860   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 464, 860, 57978, 0}  (24, {28, 56, new_msg, 0, 464, 860, 57978, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|d\0\0\0\320\1\0\0,\4\0\0" ... {28, 56, reply, 0, 464, 860, 57979, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|d\0\0\0\320\1\0\0,\4\0\0" )  ... {28, 56, reply, 0, 464, 860, 57979, 0}  (24, {28, 56, new_msg, 0, 464, 860, 57978, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|d\0\0\0\320\1\0\0,\4\0\0" ... {28, 56, reply, 0, 464, 860, 57979, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|d\0\0\0\320\1\0\0,\4\0\0" )  ) == 0x0
 00581   860   NtResumeThread  (100, ... 1, ) == 0x0
 00508  1292   NtDelayExecution  ... ) == 0x0
 00582  1292   NtDelayExecution  (0, {-20010000, -1}, ...
 00521  1956   NtDelayExecution  ... ) == 0x0
 00583  1956   NtDelayExecution  (0, {-20010000, -1}, ...
 00530  1980   NtDelayExecution  ... ) == 0x0
 00584  1980   NtDelayExecution  (0, {-20010000, -1}, ...
 00543  1784   NtDelayExecution  ... ) == 0x0
 00585  1784   NtDelayExecution  (0, {-20010000, -1}, ...
 00552  1480   NtDelayExecution  ... ) == 0x0
 00586  1480   NtDelayExecution  (0, {-20010000, -1}, ...
 00565  1556   NtDelayExecution  ... ) == 0x0
 00587  1556   NtDelayExecution  (0, {-20010000, -1}, ...
 00574   460   NtDelayExecution  ... ) == 0x0
 00588   460   NtDelayExecution  (0, {-20010000, -1}, ...
 00589  1068   NtTestAlert  (... ) == 0x0
 00590  1068   NtContinue  (22215984, 1, ...
 00591  1068   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00592  1068   NtDelayExecution  (0, {-20010000, -1}, ...
 00593   860   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 104, ) == 0x0
 00594   860   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 108, ) == 0x0
 00595   860   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 112, ) == 0x0
 00596   860   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 116, ) == 0x0
 00597   860   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 120, ) == 0x0
 00598   860   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 124, ) == 0x0
 00599   860   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 128, ) == 0x0
 00600   860   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 132, ) == 0x0
 00601   860   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 136, ) == 0x0
 00602   860   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 140, ) == 0x0
 00603   860   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 144, ) == 0x0
 00604   860   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 148, ) == 0x0
 00605   860   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 152, ) == 0x0
 00606   860   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 156, ) == 0x0
 00607   860   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 160, ) == 0x0
 00608   860   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 164, ) == 0x0
 00609   860   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 22216704, 1048576, ) == 0x0
 00610   860   NtAllocateVirtualMemory  (-1, 23257088, 0, 8192, 4096, 4, ... 23257088, 8192, ) == 0x0
 00611   860   NtProtectVirtualMemory  (-1, (0x162e000), 4096, 260, ... (0x162e000), 4096, 4, ) == 0x0
 00612   860   NtCreateThread  (0x1f03ff, 0x0, -1, 1244048, 1243992, 1, ... 168, {464, 1856}, ) == 0x0
 00613   860   NtQueryInformationThread  (168, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd5000,Pid=464,Tid=1856,}, 0x0, ) == 0x0
 00614   860   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1991507968, 1244878, 1244872, 1244872}  (24, {28, 56, new_msg, 0, 1991507968, 1244878, 1244872, 1244872} "\0\0\0\0\1\0\1\0\34\08\0\2\0\0\0\250\0\0\0\320\1\0\0@\7\0\0" ... {28, 56, reply, 0, 464, 860, 57980, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\250\0\0\0\320\1\0\0@\7\0\0" )  ... {28, 56, reply, 0, 464, 860, 57980, 0}  (24, {28, 56, new_msg, 0, 1991507968, 1244878, 1244872, 1244872} "\0\0\0\0\1\0\1\0\34\08\0\2\0\0\0\250\0\0\0\320\1\0\0@\7\0\0" ... {28, 56, reply, 0, 464, 860, 57980, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\250\0\0\0\320\1\0\0@\7\0\0" )  ) == 0x0
 00615   860   NtResumeThread  (168, ... 1, ) == 0x0
 00616   860   NtSetInformationThread  (168, BasePriority, {thread info, class 3, size 4}, 4, ...
 00617  1856   NtTestAlert  (... ) == 0x0
 00618  1856   NtContinue  (23264560, 1, ...
 00619  1856   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00620  1856   NtWaitForSingleObject  (104, 0, 0x0, ...
 00616   860   NtSetInformationThread  ... ) == 0x0
 00621   860   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 23265280, 1048576, ) == 0x0
 00622   860   NtAllocateVirtualMemory  (-1, 24305664, 0, 8192, 4096, 4, ... 24305664, 8192, ) == 0x0
 00623   860   NtProtectVirtualMemory  (-1, (0x172e000), 4096, 260, ... (0x172e000), 4096, 4, ) == 0x0
 00624   860   NtCreateThread  (0x1f03ff, 0x0, -1, 1244048, 1243992, 1, ... 172, {464, 1596}, ) == 0x0
 00625   860   NtQueryInformationThread  (172, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd4000,Pid=464,Tid=1596,}, 0x0, ) == 0x0
 00626   860   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 464, 860, 57980, 0}  (24, {28, 56, new_msg, 0, 464, 860, 57980, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\254\0\0\0\320\1\0\0<\6\0\0" ... {28, 56, reply, 0, 464, 860, 57981, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\254\0\0\0\320\1\0\0<\6\0\0" )  ... {28, 56, reply, 0, 464, 860, 57981, 0}  (24, {28, 56, new_msg, 0, 464, 860, 57980, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\254\0\0\0\320\1\0\0<\6\0\0" ... {28, 56, reply, 0, 464, 860, 57981, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\254\0\0\0\320\1\0\0<\6\0\0" )  ) == 0x0
 00627   860   NtResumeThread  (172, ... 1, ) == 0x0
 00628   860   NtSetInformationThread  (172, BasePriority, {thread info, class 3, size 4}, 4, ...
 00629  1596   NtTestAlert  (... ) == 0x0
 00630  1596   NtContinue  (24313136, 1, ...
 00631  1596   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00632  1596   NtWaitForSingleObject  (108, 0, 0x0, ...
 00628   860   NtSetInformationThread  ... ) == 0x0
 00633   860   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 24313856, 1048576, ) == 0x0
 00634   860   NtAllocateVirtualMemory  (-1, 25354240, 0, 8192, 4096, 4, ... 25354240, 8192, ) == 0x0
 00635   860   NtProtectVirtualMemory  (-1, (0x182e000), 4096, 260, ... (0x182e000), 4096, 4, ) == 0x0
 00636   860   NtCreateThread  (0x1f03ff, 0x0, -1, 1244048, 1243992, 1, ... 176, {464, 1128}, ) == 0x0
 00637   860   NtQueryInformationThread  (176, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffaf000,Pid=464,Tid=1128,}, 0x0, ) == 0x0
 00638   860   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 464, 860, 57981, 0}  (24, {28, 56, new_msg, 0, 464, 860, 57981, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\260\0\0\0\320\1\0\0h\4\0\0" ... {28, 56, reply, 0, 464, 860, 57982, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\260\0\0\0\320\1\0\0h\4\0\0" )  ... {28, 56, reply, 0, 464, 860, 57982, 0}  (24, {28, 56, new_msg, 0, 464, 860, 57981, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\260\0\0\0\320\1\0\0h\4\0\0" ... {28, 56, reply, 0, 464, 860, 57982, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\260\0\0\0\320\1\0\0h\4\0\0" )  ) == 0x0
 00639   860   NtResumeThread  (176, ... 1, ) == 0x0
 00640   860   NtSetInformationThread  (176, BasePriority, {thread info, class 3, size 4}, 4, ...
 00641  1128   NtTestAlert  (... ) == 0x0
 00642  1128   NtContinue  (25361712, 1, ...
 00643  1128   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00644  1128   NtWaitForSingleObject  (112, 0, 0x0, ...
 00640   860   NtSetInformationThread  ... ) == 0x0
 00645   860   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 25362432, 1048576, ) == 0x0
 00646   860   NtAllocateVirtualMemory  (-1, 26402816, 0, 8192, 4096, 4, ... 26402816, 8192, ) == 0x0
 00647   860   NtProtectVirtualMemory  (-1, (0x192e000), 4096, 260, ... (0x192e000), 4096, 4, ) == 0x0
 00648   860   NtCreateThread  (0x1f03ff, 0x0, -1, 1244048, 1243992, 1, ... 180, {464, 1256}, ) == 0x0
 00649   860   NtQueryInformationThread  (180, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffae000,Pid=464,Tid=1256,}, 0x0, ) == 0x0
 00650   860   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 464, 860, 57982, 0}  (24, {28, 56, new_msg, 0, 464, 860, 57982, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\264\0\0\0\320\1\0\0\350\4\0\0" ... {28, 56, reply, 0, 464, 860, 57983, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\264\0\0\0\320\1\0\0\350\4\0\0" )  ... {28, 56, reply, 0, 464, 860, 57983, 0}  (24, {28, 56, new_msg, 0, 464, 860, 57982, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\264\0\0\0\320\1\0\0\350\4\0\0" ... {28, 56, reply, 0, 464, 860, 57983, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\264\0\0\0\320\1\0\0\350\4\0\0" )  ) == 0x0
 00651   860   NtResumeThread  (180, ... 1, ) == 0x0
 00652   860   NtSetInformationThread  (180, BasePriority, {thread info, class 3, size 4}, 4, ...
 00653  1256   NtTestAlert  (... ) == 0x0
 00654  1256   NtContinue  (26410288, 1, ...
 00655  1256   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00656  1256   NtWaitForSingleObject  (116, 0, 0x0, ...
 00652   860   NtSetInformationThread  ... ) == 0x0
 00657   860   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 26411008, 1048576, ) == 0x0
 00658   860   NtAllocateVirtualMemory  (-1, 27451392, 0, 8192, 4096, 4, ... 27451392, 8192, ) == 0x0
 00659   860   NtProtectVirtualMemory  (-1, (0x1a2e000), 4096, 260, ... (0x1a2e000), 4096, 4, ) == 0x0
 00660   860   NtCreateThread  (0x1f03ff, 0x0, -1, 1244048, 1243992, 1, ... 184, {464, 220}, ) == 0x0
 00661   860   NtQueryInformationThread  (184, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffad000,Pid=464,Tid=220,}, 0x0, ) == 0x0
 00662   860   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 464, 860, 57983, 0}  (24, {28, 56, new_msg, 0, 464, 860, 57983, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\270\0\0\0\320\1\0\0\334\0\0\0" ... {28, 56, reply, 0, 464, 860, 57984, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\270\0\0\0\320\1\0\0\334\0\0\0" )  ... {28, 56, reply, 0, 464, 860, 57984, 0}  (24, {28, 56, new_msg, 0, 464, 860, 57983, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\270\0\0\0\320\1\0\0\334\0\0\0" ... {28, 56, reply, 0, 464, 860, 57984, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\270\0\0\0\320\1\0\0\334\0\0\0" )  ) == 0x0
 00663   860   NtResumeThread  (184, ... 1, ) == 0x0
 00664   860   NtSetInformationThread  (184, BasePriority, {thread info, class 3, size 4}, 4, ...
 00665   220   NtTestAlert  (... ) == 0x0
 00666   220   NtContinue  (27458864, 1, ...
 00667   220   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00668   220   NtWaitForSingleObject  (120, 0, 0x0, ...
 00664   860   NtSetInformationThread  ... ) == 0x0
 00669   860   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 27459584, 1048576, ) == 0x0
 00670   860   NtAllocateVirtualMemory  (-1, 28499968, 0, 8192, 4096, 4, ... 28499968, 8192, ) == 0x0
 00671   860   NtProtectVirtualMemory  (-1, (0x1b2e000), 4096, 260, ... (0x1b2e000), 4096, 4, ) == 0x0
 00672   860   NtCreateThread  (0x1f03ff, 0x0, -1, 1244048, 1243992, 1, ... 188, {464, 1800}, ) == 0x0
 00673   860   NtQueryInformationThread  (188, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffac000,Pid=464,Tid=1800,}, 0x0, ) == 0x0
 00674   860   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 464, 860, 57984, 0}  (24, {28, 56, new_msg, 0, 464, 860, 57984, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\274\0\0\0\320\1\0\0\10\7\0\0" ... {28, 56, reply, 0, 464, 860, 57985, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\274\0\0\0\320\1\0\0\10\7\0\0" )  ... {28, 56, reply, 0, 464, 860, 57985, 0}  (24, {28, 56, new_msg, 0, 464, 860, 57984, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\274\0\0\0\320\1\0\0\10\7\0\0" ... {28, 56, reply, 0, 464, 860, 57985, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\274\0\0\0\320\1\0\0\10\7\0\0" )  ) == 0x0
 00675   860   NtResumeThread  (188, ... 1, ) == 0x0
 00676  1800   NtTestAlert  (... ) == 0x0
 00677  1800   NtContinue  (28507440, 1, ...
 00678  1800   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00679  1800   NtWaitForSingleObject  (124, 0, 0x0, ...
 00680   860   NtSetInformationThread  (188, BasePriority, {thread info, class 3, size 4}, 4, ... ) == 0x0
 00681   860   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 28508160, 1048576, ) == 0x0
 00682   860   NtAllocateVirtualMemory  (-1, 29548544, 0, 8192, 4096, 4, ... 29548544, 8192, ) == 0x0
 00683   860   NtProtectVirtualMemory  (-1, (0x1c2e000), 4096, 260, ... (0x1c2e000), 4096, 4, ) == 0x0
 00684   860   NtCreateThread  (0x1f03ff, 0x0, -1, 1244048, 1243992, 1, ... 192, {464, 1796}, ) == 0x0
 00685   860   NtQueryInformationThread  (192, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffab000,Pid=464,Tid=1796,}, 0x0, ) == 0x0
 00686   860   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 464, 860, 57985, 0}  (24, {28, 56, new_msg, 0, 464, 860, 57985, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\300\0\0\0\320\1\0\0\4\7\0\0" ... {28, 56, reply, 0, 464, 860, 57986, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\300\0\0\0\320\1\0\0\4\7\0\0" )  ... {28, 56, reply, 0, 464, 860, 57986, 0}  (24, {28, 56, new_msg, 0, 464, 860, 57985, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\300\0\0\0\320\1\0\0\4\7\0\0" ... {28, 56, reply, 0, 464, 860, 57986, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\300\0\0\0\320\1\0\0\4\7\0\0" )  ) == 0x0
 00687   860   NtResumeThread  (192, ... 1, ) == 0x0
 00688   860   NtSetInformationThread  (192, BasePriority, {thread info, class 3, size 4}, 4, ...
 00689  1796   NtTestAlert  (... ) == 0x0
 00690  1796   NtContinue  (29556016, 1, ...
 00691  1796   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00692  1796   NtWaitForSingleObject  (128, 0, 0x0, ...
 00688   860   NtSetInformationThread  ... ) == 0x0
 00693   860   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 29556736, 1048576, ) == 0x0
 00694   860   NtAllocateVirtualMemory  (-1, 30597120, 0, 8192, 4096, 4, ... 30597120, 8192, ) == 0x0
 00695   860   NtProtectVirtualMemory  (-1, (0x1d2e000), 4096, 260, ... (0x1d2e000), 4096, 4, ) == 0x0
 00696   860   NtCreateThread  (0x1f03ff, 0x0, -1, 1244048, 1243992, 1, ... 196, {464, 1808}, ) == 0x0
 00697   860   NtQueryInformationThread  (196, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffaa000,Pid=464,Tid=1808,}, 0x0, ) == 0x0
 00698   860   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 464, 860, 57986, 0}  (24, {28, 56, new_msg, 0, 464, 860, 57986, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\304\0\0\0\320\1\0\0\20\7\0\0" ... {28, 56, reply, 0, 464, 860, 57987, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\304\0\0\0\320\1\0\0\20\7\0\0" )  ... {28, 56, reply, 0, 464, 860, 57987, 0}  (24, {28, 56, new_msg, 0, 464, 860, 57986, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\304\0\0\0\320\1\0\0\20\7\0\0" ... {28, 56, reply, 0, 464, 860, 57987, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\304\0\0\0\320\1\0\0\20\7\0\0" )  ) == 0x0
 00699   860   NtResumeThread  (196, ... 1, ) == 0x0
 00700   860   NtSetInformationThread  (196, BasePriority, {thread info, class 3, size 4}, 4, ...
 00701  1808   NtTestAlert  (... ) == 0x0
 00702  1808   NtContinue  (30604592, 1, ...
 00703  1808   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00704  1808   NtWaitForSingleObject  (132, 0, 0x0, ...
 00700   860   NtSetInformationThread  ... ) == 0x0
 00705   860   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 30605312, 1048576, ) == 0x0
 00706   860   NtAllocateVirtualMemory  (-1, 31645696, 0, 8192, 4096, 4, ... 31645696, 8192, ) == 0x0
 00707   860   NtProtectVirtualMemory  (-1, (0x1e2e000), 4096, 260, ... (0x1e2e000), 4096, 4, ) == 0x0
 00708   860   NtCreateThread  (0x1f03ff, 0x0, -1, 1244048, 1243992, 1, ... 200, {464, 1700}, ) == 0x0
 00709   860   NtQueryInformationThread  (200, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa9000,Pid=464,Tid=1700,}, 0x0, ) == 0x0
 00710   860   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 464, 860, 57987, 0}  (24, {28, 56, new_msg, 0, 464, 860, 57987, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\310\0\0\0\320\1\0\0\244\6\0\0" ... {28, 56, reply, 0, 464, 860, 57988, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\310\0\0\0\320\1\0\0\244\6\0\0" )  ... {28, 56, reply, 0, 464, 860, 57988, 0}  (24, {28, 56, new_msg, 0, 464, 860, 57987, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\310\0\0\0\320\1\0\0\244\6\0\0" ... {28, 56, reply, 0, 464, 860, 57988, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\310\0\0\0\320\1\0\0\244\6\0\0" )  ) == 0x0
 00711   860   NtResumeThread  (200, ... 1, ) == 0x0
 00712   860   NtSetInformationThread  (200, BasePriority, {thread info, class 3, size 4}, 4, ...
 00713  1700   NtTestAlert  (... ) == 0x0
 00714  1700   NtContinue  (31653168, 1, ...
 00715  1700   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00716  1700   NtWaitForSingleObject  (136, 0, 0x0, ...
 00712   860   NtSetInformationThread  ... ) == 0x0
 00717   860   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 31653888, 1048576, ) == 0x0
 00718   860   NtAllocateVirtualMemory  (-1, 32694272, 0, 8192, 4096, 4, ... 32694272, 8192, ) == 0x0
 00719   860   NtProtectVirtualMemory  (-1, (0x1f2e000), 4096, 260, ... (0x1f2e000), 4096, 4, ) == 0x0
 00720   860   NtCreateThread  (0x1f03ff, 0x0, -1, 1244048, 1243992, 1, ... 204, {464, 1156}, ) == 0x0
 00721   860   NtQueryInformationThread  (204, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa8000,Pid=464,Tid=1156,}, 0x0, ) == 0x0
 00722   860   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 464, 860, 57988, 0}  (24, {28, 56, new_msg, 0, 464, 860, 57988, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\314\0\0\0\320\1\0\0\204\4\0\0" ... {28, 56, reply, 0, 464, 860, 57989, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\314\0\0\0\320\1\0\0\204\4\0\0" )  ... {28, 56, reply, 0, 464, 860, 57989, 0}  (24, {28, 56, new_msg, 0, 464, 860, 57988, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\314\0\0\0\320\1\0\0\204\4\0\0" ... {28, 56, reply, 0, 464, 860, 57989, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\314\0\0\0\320\1\0\0\204\4\0\0" )  ) == 0x0
 00723   860   NtResumeThread  (204, ... 1, ) == 0x0
 00724   860   NtSetInformationThread  (204, BasePriority, {thread info, class 3, size 4}, 4, ...
 00725  1156   NtTestAlert  (... ) == 0x0
 00726  1156   NtContinue  (32701744, 1, ...
 00727  1156   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00728  1156   NtWaitForSingleObject  (140, 0, 0x0, ...
 00724   860   NtSetInformationThread  ... ) == 0x0
 00729   860   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 32702464, 1048576, ) == 0x0
 00730   860   NtAllocateVirtualMemory  (-1, 33742848, 0, 8192, 4096, 4, ... 33742848, 8192, ) == 0x0
 00731   860   NtProtectVirtualMemory  (-1, (0x202e000), 4096, 260, ... (0x202e000), 4096, 4, ) == 0x0
 00732   860   NtCreateThread  (0x1f03ff, 0x0, -1, 1244048, 1243992, 1, ... 208, {464, 712}, ) == 0x0
 00733   860   NtQueryInformationThread  (208, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa7000,Pid=464,Tid=712,}, 0x0, ) == 0x0
 00734   860   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 464, 860, 57989, 0}  (24, {28, 56, new_msg, 0, 464, 860, 57989, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\320\0\0\0\320\1\0\0\310\2\0\0" ... {28, 56, reply, 0, 464, 860, 57990, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\320\0\0\0\320\1\0\0\310\2\0\0" )  ... {28, 56, reply, 0, 464, 860, 57990, 0}  (24, {28, 56, new_msg, 0, 464, 860, 57989, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\320\0\0\0\320\1\0\0\310\2\0\0" ... {28, 56, reply, 0, 464, 860, 57990, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\320\0\0\0\320\1\0\0\310\2\0\0" )  ) == 0x0
 00735   860   NtResumeThread  (208, ... 1, ) == 0x0
 00736   860   NtSetInformationThread  (208, BasePriority, {thread info, class 3, size 4}, 4, ...
 00737   712   NtTestAlert  (... ) == 0x0
 00738   712   NtContinue  (33750320, 1, ...
 00739   712   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00740   712   NtWaitForSingleObject  (144, 0, 0x0, ...
 00736   860   NtSetInformationThread  ... ) == 0x0
 00741   860   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 33751040, 1048576, ) == 0x0
 00742   860   NtAllocateVirtualMemory  (-1, 34791424, 0, 8192, 4096, 4, ... 34791424, 8192, ) == 0x0
 00743   860   NtProtectVirtualMemory  (-1, (0x212e000), 4096, 260, ... (0x212e000), 4096, 4, ) == 0x0
 00744   860   NtCreateThread  (0x1f03ff, 0x0, -1, 1244048, 1243992, 1, ... 212, {464, 1728}, ) == 0x0
 00745   860   NtQueryInformationThread  (212, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa6000,Pid=464,Tid=1728,}, 0x0, ) == 0x0
 00746   860   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 464, 860, 57990, 0}  (24, {28, 56, new_msg, 0, 464, 860, 57990, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\324\0\0\0\320\1\0\0\300\6\0\0" ... {28, 56, reply, 0, 464, 860, 57991, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\324\0\0\0\320\1\0\0\300\6\0\0" )  ... {28, 56, reply, 0, 464, 860, 57991, 0}  (24, {28, 56, new_msg, 0, 464, 860, 57990, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\324\0\0\0\320\1\0\0\300\6\0\0" ... {28, 56, reply, 0, 464, 860, 57991, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\324\0\0\0\320\1\0\0\300\6\0\0" )  ) == 0x0
 00747   860   NtResumeThread  (212, ... 1, ) == 0x0
 00748  1728   NtTestAlert  (... ) == 0x0
 00749  1728   NtContinue  (34798896, 1, ...
 00750  1728   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00751  1728   NtWaitForSingleObject  (148, 0, 0x0, ...
 00752   860   NtSetInformationThread  (212, BasePriority, {thread info, class 3, size 4}, 4, ... ) == 0x0
 00753   860   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 34799616, 1048576, ) == 0x0
 00754   860   NtAllocateVirtualMemory  (-1, 35840000, 0, 8192, 4096, 4, ... 35840000, 8192, ) == 0x0
 00755   860   NtProtectVirtualMemory  (-1, (0x222e000), 4096, 260, ... (0x222e000), 4096, 4, ) == 0x0
 00756   860   NtCreateThread  (0x1f03ff, 0x0, -1, 1244048, 1243992, 1, ... 216, {464, 1356}, ) == 0x0
 00757   860   NtQueryInformationThread  (216, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa5000,Pid=464,Tid=1356,}, 0x0, ) == 0x0
 00758   860   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 464, 860, 57991, 0}  (24, {28, 56, new_msg, 0, 464, 860, 57991, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\330\0\0\0\320\1\0\0L\5\0\0" ... {28, 56, reply, 0, 464, 860, 57992, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\330\0\0\0\320\1\0\0L\5\0\0" )  ... {28, 56, reply, 0, 464, 860, 57992, 0}  (24, {28, 56, new_msg, 0, 464, 860, 57991, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\330\0\0\0\320\1\0\0L\5\0\0" ... {28, 56, reply, 0, 464, 860, 57992, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\330\0\0\0\320\1\0\0L\5\0\0" )  ) == 0x0
 00759   860   NtResumeThread  (216, ... 1, ) == 0x0
 00760   860   NtSetInformationThread  (216, BasePriority, {thread info, class 3, size 4}, 4, ...
 00761  1356   NtTestAlert  (... ) == 0x0
 00762  1356   NtContinue  (35847472, 1, ...
 00763  1356   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00764  1356   NtWaitForSingleObject  (152, 0, 0x0, ...
 00760   860   NtSetInformationThread  ... ) == 0x0
 00765   860   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 35848192, 1048576, ) == 0x0
 00766   860   NtAllocateVirtualMemory  (-1, 36888576, 0, 8192, 4096, 4, ... 36888576, 8192, ) == 0x0
 00767   860   NtProtectVirtualMemory  (-1, (0x232e000), 4096, 260, ... (0x232e000), 4096, 4, ) == 0x0
 00768   860   NtCreateThread  (0x1f03ff, 0x0, -1, 1244048, 1243992, 1, ... 220, {464, 1536}, ) == 0x0
 00769   860   NtQueryInformationThread  (220, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa4000,Pid=464,Tid=1536,}, 0x0, ) == 0x0
 00770   860   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 464, 860, 57992, 0}  (24, {28, 56, new_msg, 0, 464, 860, 57992, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\334\0\0\0\320\1\0\0\0\6\0\0" ... {28, 56, reply, 0, 464, 860, 57993, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\334\0\0\0\320\1\0\0\0\6\0\0" )  ... {28, 56, reply, 0, 464, 860, 57993, 0}  (24, {28, 56, new_msg, 0, 464, 860, 57992, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\334\0\0\0\320\1\0\0\0\6\0\0" ... {28, 56, reply, 0, 464, 860, 57993, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\334\0\0\0\320\1\0\0\0\6\0\0" )  ) == 0x0
 00771   860   NtResumeThread  (220, ... 1, ) == 0x0
 00772   860   NtSetInformationThread  (220, BasePriority, {thread info, class 3, size 4}, 4, ...
 00773  1536   NtTestAlert  (... ) == 0x0
 00774  1536   NtContinue  (36896048, 1, ...
 00775  1536   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00776  1536   NtWaitForSingleObject  (156, 0, 0x0, ...
 00772   860   NtSetInformationThread  ... ) == 0x0
 00777   860   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 36896768, 1048576, ) == 0x0
 00778   860   NtAllocateVirtualMemory  (-1, 37937152, 0, 8192, 4096, 4, ... 37937152, 8192, ) == 0x0
 00779   860   NtProtectVirtualMemory  (-1, (0x242e000), 4096, 260, ... (0x242e000), 4096, 4, ) == 0x0
 00780   860   NtCreateThread  (0x1f03ff, 0x0, -1, 1244048, 1243992, 1, ... 224, {464, 444}, ) == 0x0
 00781   860   NtQueryInformationThread  (224, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa3000,Pid=464,Tid=444,}, 0x0, ) == 0x0
 00782   860   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 464, 860, 57993, 0}  (24, {28, 56, new_msg, 0, 464, 860, 57993, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\340\0\0\0\320\1\0\0\274\1\0\0" ... {28, 56, reply, 0, 464, 860, 57994, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\340\0\0\0\320\1\0\0\274\1\0\0" )  ... {28, 56, reply, 0, 464, 860, 57994, 0}  (24, {28, 56, new_msg, 0, 464, 860, 57993, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\340\0\0\0\320\1\0\0\274\1\0\0" ... {28, 56, reply, 0, 464, 860, 57994, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\340\0\0\0\320\1\0\0\274\1\0\0" )  ) == 0x0
 00783   860   NtResumeThread  (224, ... 1, ) == 0x0
 00784   860   NtSetInformationThread  (224, BasePriority, {thread info, class 3, size 4}, 4, ...
 00785   444   NtTestAlert  (... ) == 0x0
 00786   444   NtContinue  (37944624, 1, ...
 00787   444   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00788   444   NtWaitForSingleObject  (160, 0, 0x0, ...
 00784   860   NtSetInformationThread  ... ) == 0x0
 00789   860   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 37945344, 1048576, ) == 0x0
 00790   860   NtAllocateVirtualMemory  (-1, 38985728, 0, 8192, 4096, 4, ... 38985728, 8192, ) == 0x0
 00791   860   NtProtectVirtualMemory  (-1, (0x252e000), 4096, 260, ... (0x252e000), 4096, 4, ) == 0x0
 00792   860   NtCreateThread  (0x1f03ff, 0x0, -1, 1244048, 1243992, 1, ... 228, {464, 1904}, ) == 0x0
 00793   860   NtQueryInformationThread  (228, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa2000,Pid=464,Tid=1904,}, 0x0, ) == 0x0
 00794   860   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 464, 860, 57994, 0}  (24, {28, 56, new_msg, 0, 464, 860, 57994, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\344\0\0\0\320\1\0\0p\7\0\0" ... {28, 56, reply, 0, 464, 860, 57995, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\344\0\0\0\320\1\0\0p\7\0\0" )  ... {28, 56, reply, 0, 464, 860, 57995, 0}  (24, {28, 56, new_msg, 0, 464, 860, 57994, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\344\0\0\0\320\1\0\0p\7\0\0" ... {28, 56, reply, 0, 464, 860, 57995, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\344\0\0\0\320\1\0\0p\7\0\0" )  ) == 0x0
 00795   860   NtResumeThread  (228, ... 1, ) == 0x0
 00796   860   NtSetInformationThread  (228, BasePriority, {thread info, class 3, size 4}, 4, ...
 00797  1904   NtTestAlert  (... ) == 0x0
 00798  1904   NtContinue  (38993200, 1, ...
 00799  1904   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00800  1904   NtWaitForSingleObject  (164, 0, 0x0, ...
 00796   860   NtSetInformationThread  ... ) == 0x0
 00801   860   NtSetEvent  (140, ...
 00728  1156   NtWaitForSingleObject  ... ) == 0x0
 00802  1156   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 00803  1156   NtWaitForSingleObject  (140, 0, 0x0, ...
 00801   860   NtSetEvent  ... 0x0, ) == 0x0
 00804   860   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 00805   860   NtSetEvent  (164, ...
 00800  1904   NtWaitForSingleObject  ... ) == 0x0
 00806  1904   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 00807  1904   NtWaitForSingleObject  (164, 0, 0x0, ...
 00805   860   NtSetEvent  ... 0x0, ) == 0x0
 00808   860   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 00809   860   NtSetEvent  (128, ...
 00692  1796   NtWaitForSingleObject  ... ) == 0x0
 00810  1796   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 00811  1796   NtWaitForSingleObject  (128, 0, 0x0, ...
 00809   860   NtSetEvent  ... 0x0, ) == 0x0
 00812   860   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 00813   860   NtQueryVirtualMemory  (-1, 0x10000, Basic, 28, ... {BaseAddress=0x10000,AllocationBase=0x10000,AllocationProtect=0x4,RegionSize=0x2000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 00814   860   NtSetEvent  (164, ...
 00807  1904   NtWaitForSingleObject  ... ) == 0x0
 00815  1904   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 00816  1904   NtWaitForSingleObject  (164, 0, 0x0, ...
 00814   860   NtSetEvent  ... 0x0, ) == 0x0
 00817   860   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 00818   860   NtSetEvent  (116, ...
 00656  1256   NtWaitForSingleObject  ... ) == 0x0
 00819  1256   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 00820  1256   NtWaitForSingleObject  (116, 0, 0x0, ...
 00818   860   NtSetEvent  ... 0x0, ) == 0x0
 00821   860   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 00822   860   NtSetEvent  (148, ...
 00751  1728   NtWaitForSingleObject  ... ) == 0x0
 00823  1728   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 00824  1728   NtWaitForSingleObject  (148, 0, 0x0, ...
 00822   860   NtSetEvent  ... 0x0, ) == 0x0
 00825   860   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 00826   860   NtUserGetForegroundWindow  (... ) == 0x70104
 00827   860   NtUserValidateHandleSecure  (459012, ... ) == 0x1
 00828   860   NtUserQueryWindow  (459012, 0, ... ) == 0x49c
 00829   860   NtSetEvent  (132, ...
 00704  1808   NtWaitForSingleObject  ... ) == 0x0
 00830  1808   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 00831  1808   NtWaitForSingleObject  (132, 0, 0x0, ...
 00829   860   NtSetEvent  ... 0x0, ) == 0x0
 00832   860   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 00833   860   NtSetEvent  (152, ...
 00764  1356   NtWaitForSingleObject  ... ) == 0x0
 00834  1356   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 00835  1356   NtWaitForSingleObject  (152, 0, 0x0, ...
 00833   860   NtSetEvent  ... 0x0, ) == 0x0
 00836   860   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 00837   860   NtSetEvent  (132, ...
 00831  1808   NtWaitForSingleObject  ... ) == 0x0
 00838  1808   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 00839  1808   NtWaitForSingleObject  (132, 0, 0x0, ...
 00837   860   NtSetEvent  ... 0x0, ) == 0x0
 00840   860   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 00841   860   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00842   860   NtUserFindWindowEx  (0, 0,  (0, 0, "GBDYLLO", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00843   860   NtUserFindWindowEx  (0, 0,  (0, 0, "pediy06", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00844   860   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 4096, 4, ... 38993920, 65536, ) == 0x0
 00845   860   NtQuerySystemInformation  (ProcessesAndThreads, 65536, ... {system info, class 5, size 500}, 0x0, ) == 0x0
 00846   860   NtCreateSection  (0xf001f, 0x0, {4194304, 0}, 4, 67108864, 0, ... 232, ) == 0x0
 00847   860   NtMapViewOfSection  (232, -1, (0x0), 0, 0, 0x0, 4194304, 2, 0, 4, ... (0x2540000), 0x0, 4194304, ) == 0x0
 00848   860   NtAllocateVirtualMemory  (-1, 39059456, 0, 1, 4096, 4, ... 39059456, 4096, ) == 0x0
 00849   860   NtCreateSection  (0xf001f, 0x0, {4194304, 0}, 4, 67108864, 0, ... 236, ) == 0x0
 00850   860   NtMapViewOfSection  (236, -1, (0x0), 0, 0, 0x0, 4194304, 2, 0, 4, ... (0x2940000), 0x0, 4194304, ) == 0x0
 00851   860   NtAllocateVirtualMemory  (-1, 43253760, 0, 1, 4096, 4, ... 43253760, 4096, ) == 0x0
 00852   860   NtCreateSection  (0xf0007, 0x0, {37980, 0}, 4, 134217728, 0, ... 240, ) == 0x0
 00853   860   NtMapViewOfSection  (240, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2d40000), {0, 0}, 40960, ) == 0x0
 00854   860   NtUnmapViewOfSection  (-1, 0x2d40000, ... ) == 0x0
 00855   860   NtMapViewOfSection  (240, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2d40000), {0, 0}, 40960, ) == 0x0
 00856   860   NtClose  (236, ... ) == 0x0
 00857   860   NtUnmapViewOfSection  (-1, 0x2940000, ... ) == 0x0
 00858   860   NtClose  (232, ... ) == 0x0
 00859   860   NtUnmapViewOfSection  (-1, 0x2540000, ... ) == 0x0
 00860   860   NtFreeVirtualMemory  (-1, (0x2530000), 0, 32768, ... (0x2530000), 65536, ) == 0x0
 00861   860   NtUnmapViewOfSection  (-1, 0x2d40000, ... ) == 0x0
 00862   860   NtMapViewOfSection  (240, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2530000), {0, 0}, 40960, ) == 0x0
 00863   860   NtUnmapViewOfSection  (-1, 0x2530000, ... ) == 0x0
 00864   860   NtMapViewOfSection  (240, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2530000), {0, 0}, 40960, ) == 0x0
 00865   860   NtUnmapViewOfSection  (-1, 0x2530000, ... ) == 0x0
 00866   860   NtSetEvent  (104, ...
 00620  1856   NtWaitForSingleObject  ... ) == 0x0
 00867  1856   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 00868  1856   NtWaitForSingleObject  (104, 0, 0x0, ...
 00866   860   NtSetEvent  ... 0x0, ) == 0x0
 00869   860   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 00870   860   NtSetEvent  (120, ...
 00668   220   NtWaitForSingleObject  ... ) == 0x0
 00871   220   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 00872   220   NtWaitForSingleObject  (120, 0, 0x0, ...
 00870   860   NtSetEvent  ... 0x0, ) == 0x0
 00873   860   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 00874   860   NtSetEvent  (128, ...
 00811  1796   NtWaitForSingleObject  ... ) == 0x0
 00875  1796   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 00876  1796   NtWaitForSingleObject  (128, 0, 0x0, ...
 00874   860   NtSetEvent  ... 0x0, ) == 0x0
 00877   860   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 00878   860   NtQueryVirtualMemory  (-1, 0x7c809e68, Basic, 28, ... {BaseAddress=0x7c809000,AllocationBase=0x7c800000,AllocationProtect=0x80,RegionSize=0x7b000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 00879   860   NtContinue  (1243208, 0, ...
 00880   860   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 4096, 4, ... 38993920, 65536, ) == 0x0
 00881   860   NtQuerySystemInformation  (Module, 65536, ... {system info, class 11, size 500}, 0x0, ) == 0x0
 00882   860   NtFreeVirtualMemory  (-1, (0x2530000), 0, 32768, ... (0x2530000), 65536, ) == 0x0
 00883   860   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 4096, 4, ... 38993920, 65536, ) == 0x0
 00884   860   NtQuerySystemInformation  (Module, 65536, ... {system info, class 11, size 500}, 0x0, ) == 0x0
 00885   860   NtFreeVirtualMemory  (-1, (0x2530000), 0, 32768, ... (0x2530000), 65536, ) == 0x0
 00886   860   NtSetEvent  (108, ...
 00632  1596   NtWaitForSingleObject  ... ) == 0x0
 00887  1596   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 00888  1596   NtWaitForSingleObject  (108, 0, 0x0, ...
 00886   860   NtSetEvent  ... 0x0, ) == 0x0
 00889   860   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 00890   860   NtAllocateVirtualMemory  (-1, 0, 0, 1000, 4096, 4, ... 38993920, 4096, ) == 0x0
 00891   860   NtQueryInformationProcess  (-1, DebugPort, 4, ... {process info, class 7, size 4}, 0x0, ) == 0x0
 00892   860   NtFreeVirtualMemory  (-1, (0x2530000), 0, 32768, ... (0x2530000), 4096, ) == 0x0
 00893   860   NtSetEvent  (148, ...
 00824  1728   NtWaitForSingleObject  ... ) == 0x0
 00894  1728   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 00895  1728   NtWaitForSingleObject  (148, 0, 0x0, ...
 00893   860   NtSetEvent  ... 0x0, ) == 0x0
 00896   860   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 00897   860   NtUserFindWindowEx  (0, 0,  (0, 0, "FilemonClass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00898   860   NtUserFindWindowEx  (0, 0, 0x0,  (0, 0, 0x0, "File Monitor - Sysinternals: www.sysinternals.com", 0, ... ) , 0, ... ) == 0x0
 00899   860   NtUserFindWindowEx  (0, 0,  (0, 0, "PROCMON_WINDOW_CLASS", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00900   860   NtUserFindWindowEx  (0, 0, 0x0,  (0, 0, 0x0, "Process Monitor - Sysinternals: www.sysinternals.com", 0, ... ) , 0, ... ) == 0x0
 00901   860   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 4096, 4, ... 38993920, 65536, ) == 0x0
 00902   860   NtQuerySystemInformation  (Module, 65536, ... {system info, class 11, size 500}, 0x0, ) == 0x0
 00903   860   NtFreeVirtualMemory  (-1, (0x2530000), 0, 32768, ... (0x2530000), 65536, ) == 0x0
 00904   860   NtSetEvent  (164, ...
 00816  1904   NtWaitForSingleObject  ... ) == 0x0
 00905  1904   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 00906  1904   NtWaitForSingleObject  (164, 0, 0x0, ...
 00904   860   NtSetEvent  ... 0x0, ) == 0x0
 00907   860   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 00908   860   NtUserFindWindowEx  (0, 0,  (0, 0, "RegmonClass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00909   860   NtUserFindWindowEx  (0, 0, 0x0,  (0, 0, 0x0, "Registry Monitor - Sysinternals: www.sysinternals.com", 0, ... ) , 0, ... ) == 0x0
 00910   860   NtUserFindWindowEx  (0, 0,  (0, 0, "18467-41", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00911   860   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 4096, 4, ... 38993920, 65536, ) == 0x0
 00912   860   NtQuerySystemInformation  (Module, 65536, ... {system info, class 11, size 500}, 0x0, ) == 0x0
 00913   860   NtFreeVirtualMemory  (-1, (0x2530000), 0, 32768, ... (0x2530000), 65536, ) == 0x0
 00914   860   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 4096, 4, ... 38993920, 65536, ) == 0x0
 00915   860   NtQuerySystemInformation  (Module, 65536, ... {system info, class 11, size 500}, 0x0, ) == 0x0
 00916   860   NtFreeVirtualMemory  (-1, (0x2530000), 0, 32768, ... (0x2530000), 65536, ) == 0x0
 00917   860   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 4096, 4, ... 38993920, 65536, ) == 0x0
 00918   860   NtQuerySystemInformation  (Module, 65536, ... {system info, class 11, size 500}, 0x0, ) == 0x0
 00919   860   NtFreeVirtualMemory  (-1, (0x2530000), 0, 32768, ... (0x2530000), 65536, ) == 0x0
 00920   860   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 4096, 4, ... 38993920, 65536, ) == 0x0
 00921   860   NtQuerySystemInformation  (Module, 65536, ... {system info, class 11, size 500}, 0x0, ) == 0x0
 00922   860   NtFreeVirtualMemory  (-1, (0x2530000), 0, 32768, ... (0x2530000), 65536, ) == 0x0
 00923   860   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "SOFTWARE\NuMega\DriverStudio"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00924   860   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\u:\work"}, 3, 33, ... 232, {status=0x0, info=1}, ) }, 3, 33, ... 232, {status=0x0, info=1}, ) == 0x0
 00925   860   NtQueryVolumeInformationFile  (232, 1244936, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00926   860   NtClose  (12, ... ) == 0x0
 00927   860   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 4096, 4, ... 38993920, 4096, ) == 0x0
 00928   860   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSVCRT.dll"}, ... 12, ) }, ... 12, ) == 0x0
 00929   860   NtMapViewOfSection  (12, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 360448, ) == 0x0
 00930   860   NtClose  (12, ... ) == 0x0
 00931   860   NtProtectVirtualMemory  (-1, (0x77c11000), 632, 4, ... (0x77c11000), 4096, 32, ) == 0x0
 00932   860   NtProtectVirtualMemory  (-1, (0x77c11000), 4096, 32, ... (0x77c11000), 4096, 4, ) == 0x0
 00933   860   NtFlushInstructionCache  (-1, 2009141248, 632, ... ) == 0x0
 00934   860   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSVCRT.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00935   860   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00936   860   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 39059456, 65536, ) == 0x0
 00937   860   NtAllocateVirtualMemory  (-1, 39059456, 0, 4096, 4096, 4, ... 39059456, 4096, ) == 0x0
 00938   860   NtAllocateVirtualMemory  (-1, 39063552, 0, 8192, 4096, 4, ... 39063552, 8192, ) == 0x0
 00939   860   NtAllocateVirtualMemory  (-1, 39071744, 0, 4096, 4096, 4, ... 39071744, 4096, ) == 0x0
 00940   860   NtAllocateVirtualMemory  (-1, 39075840, 0, 4096, 4096, 4, ... 39075840, 4096, ) == 0x0
 00941   860   NtQueryVirtualMemory  (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 00942   860   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00943   860   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00944   860   NtQueryVirtualMemory  (-1, 0x0, Basic, 28, ... {BaseAddress=0x0,AllocationBase=0x0,AllocationProtect=0x0,RegionSize=0x10000,State=0x10000,Protect=0x1,Type=0x0,}, 28, ) == 0x0
 00945   860   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSVCP60.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00946   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\MSVCP60.dll"}, 1242956, ... ) }, 1242956, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00947   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\MSVCP60.dll"}, 1242956, ... ) }, 1242956, ... ) == 0x0
 00948   860   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\MSVCP60.dll"}, 5, 96, ... 12, {status=0x0, info=1}, ) }, 5, 96, ... 12, {status=0x0, info=1}, ) == 0x0
 00949   860   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 12, ... 236, ) == 0x0
 00950   860   NtQuerySection  (236, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00951   860   NtClose  (12, ... ) == 0x0
 00952   860   NtMapViewOfSection  (236, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76080000), 0x0, 413696, ) == 0x0
 00953   860   NtClose  (236, ... ) == 0x0
 00954   860   NtProtectVirtualMemory  (-1, (0x760ac000), 392, 4, ... (0x760ac000), 4096, 2, ) == 0x0
 00955   860   NtProtectVirtualMemory  (-1, (0x760ac000), 4096, 2, ... (0x760ac000), 4096, 4, ) == 0x0
 00956   860   NtFlushInstructionCache  (-1, 1980416000, 392, ... ) == 0x0
 00957   860   NtProtectVirtualMemory  (-1, (0x760ac000), 392, 4, ... (0x760ac000), 4096, 2, ) == 0x0
 00958   860   NtProtectVirtualMemory  (-1, (0x760ac000), 4096, 2, ... (0x760ac000), 4096, 4, ) == 0x0
 00959   860   NtFlushInstructionCache  (-1, 1980416000, 392, ... ) == 0x0
 00960   860   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSVCP60.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00961   860   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "iphlpapi.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00962   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\iphlpapi.dll"}, 1242956, ... ) }, 1242956, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00963   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\iphlpapi.dll"}, 1242956, ... ) }, 1242956, ... ) == 0x0
 00964   860   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\iphlpapi.dll"}, 5, 96, ... 236, {status=0x0, info=1}, ) }, 5, 96, ... 236, {status=0x0, info=1}, ) == 0x0
 00965   860   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 236, ... 12, ) == 0x0
 00966   860   NtQuerySection  (12, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00967   860   NtClose  (236, ... ) == 0x0
 00968   860   NtMapViewOfSection  (12, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76d60000), 0x0, 102400, ) == 0x0
 00969   860   NtClose  (12, ... ) == 0x0
 00970   860   NtProtectVirtualMemory  (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0
 00971   860   NtProtectVirtualMemory  (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0
 00972   860   NtFlushInstructionCache  (-1, 1993740288, 500, ... ) == 0x0
 00973   860   NtProtectVirtualMemory  (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0
 00974   860   NtProtectVirtualMemory  (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0
 00975   860   NtFlushInstructionCache  (-1, 1993740288, 500, ... ) == 0x0
 00976   860   NtProtectVirtualMemory  (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0
 00977   860   NtProtectVirtualMemory  (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0
 00978   860   NtFlushInstructionCache  (-1, 1993740288, 500, ... ) == 0x0
 00979   860   NtProtectVirtualMemory  (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0
 00980   860   NtProtectVirtualMemory  (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0
 00981   860   NtFlushInstructionCache  (-1, 1993740288, 500, ... ) == 0x0
 00982   860   NtProtectVirtualMemory  (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0
 00983   860   NtProtectVirtualMemory  (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0
 00984   860   NtFlushInstructionCache  (-1, 1993740288, 500, ... ) == 0x0
 00985   860   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00986   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1242168, ... ) }, 1242168, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00987   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.dll"}, 1242168, ... ) }, 1242168, ... ) == 0x0
 00988   860   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.dll"}, 5, 96, ... 12, {status=0x0, info=1}, ) }, 5, 96, ... 12, {status=0x0, info=1}, ) == 0x0
 00989   860   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 12, ... 236, ) == 0x0
 00990   860   NtQuerySection  (236, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00991   860   NtClose  (12, ... ) == 0x0
 00992   860   NtMapViewOfSection  (236, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 94208, ) == 0x0
 00993   860   NtClose  (236, ... ) == 0x0
 00994   860   NtProtectVirtualMemory  (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0
 00995   860   NtProtectVirtualMemory  (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0
 00996   860   NtFlushInstructionCache  (-1, 1907036160, 468, ... ) == 0x0
 00997   860   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00998   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1241352, ... ) }, 1241352, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00999   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 1241352, ... ) }, 1241352, ... ) == 0x0
 01000   860   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 5, 96, ... 236, {status=0x0, info=1}, ) }, 5, 96, ... 236, {status=0x0, info=1}, ) == 0x0
 01001   860   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 236, ... 12, ) == 0x0
 01002   860   NtQuerySection  (12, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01003   860   NtClose  (236, ... ) == 0x0
 01004   860   NtMapViewOfSection  (12, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 01005   860   NtClose  (12, ... ) == 0x0
 01006   860   NtProtectVirtualMemory  (-1, (0x71aa1000), 352, 4, ... (0x71aa1000), 4096, 32, ) == 0x0
 01007   860   NtProtectVirtualMemory  (-1, (0x71aa1000), 4096, 32, ... (0x71aa1000), 4096, 4, ) == 0x0
 01008   860   NtFlushInstructionCache  (-1, 1906970624, 352, ... ) == 0x0
 01009   860   NtProtectVirtualMemory  (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0
 01010   860   NtProtectVirtualMemory  (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0
 01011   860   NtFlushInstructionCache  (-1, 1907036160, 468, ... ) == 0x0
 01012   860   NtProtectVirtualMemory  (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0
 01013   860   NtProtectVirtualMemory  (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0
 01014   860   NtFlushInstructionCache  (-1, 1993740288, 500, ... ) == 0x0
 01015   860   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01016   860   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01017   860   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01018   860   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01019   860   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iphlpapi.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01020   860   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01021   860   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 39124992, 65536, ) == 0x0
 01022   860   NtAllocateVirtualMemory  (-1, 39124992, 0, 4096, 4096, 4, ... 39124992, 4096, ) == 0x0
 01023   860   NtAllocateVirtualMemory  (-1, 39129088, 0, 8192, 4096, 4, ... 39129088, 8192, ) == 0x0
 01024   860   NtCreateFile  (0x20000000, {24, 0, 0x40, 0, 0,  (0x20000000, {24, 0, 0x40, 0, 0, "\Device\Tcp"}, 0x0, 128, 3, 3, 0, 0, 0, ... 12, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 12, {status=0x0, info=0}, ) == 0x0
 01025   860   NtCreateFile  (0x40000000, {24, 0, 0x40, 0, 0,  (0x40000000, {24, 0, 0x40, 0, 0, "\Device\Tcp"}, 0x0, 128, 3, 3, 0, 0, 0, ... 236, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 236, {status=0x0, info=0}, ) == 0x0
 01026   860   NtCreateFile  (0x20000000, {24, 0, 0x40, 0, 0,  (0x20000000, {24, 0, 0x40, 0, 0, "\Device\Ip"}, 0x0, 128, 3, 3, 0, 0, 0, ... 244, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 244, {status=0x0, info=0}, ) == 0x0
 01027   860   NtCreateFile  (0x100003, {24, 0, 0x40, 0, 0,  (0x100003, {24, 0, 0x40, 0, 0, "\Device\Ip"}, 0x0, 128, 3, 3, 0, 0, 0, ... 248, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 248, {status=0x0, info=0}, ) == 0x0
 01028   860   NtCreateFile  (0x20100080, {24, 0, 0x40, 0, 1242884,  (0x20100080, {24, 0, 0x40, 0, 1242884, "\??\Ip"}, 0x0, 128, 3, 1, 64, 0, 0, ... 252, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 64, 0, 0, ... 252, {status=0x0, info=0}, ) == 0x0
 01029   860   NtAllocateVirtualMemory  (-1, 39137280, 0, 36864, 4096, 4, ... 39137280, 36864, ) == 0x0
 01030   860   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 256, ) == 0x0
 01031   860   NtDeviceIoControlFile  (12, 256, 0x0, 0x0, 0x120003,  (12, 256, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , 36, 32768, ... {status=0x0, info=56},  (12, 256, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , ) == 0x0
 01032   860   NtClose  (256, ... ) == 0x0
 01033   860   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 256, ) == 0x0
 01034   860   NtDeviceIoControlFile  (12, 256, 0x0, 0x0, 0x120003,  (12, 256, 0x0, 0x0, 0x120003, "\0\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=118}, "\1\0\0\0\30\0\0\0\360\5\0\0\200\226\230\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\5\0\0\0\365@\250\25(\5\0\0\13\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\5\0\0\13\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\32\0\0\0MS TCP Loopback interface\0", ) , 36, 348, ... {status=0x0, info=118},  (12, 256, 0x0, 0x0, 0x120003, "\0\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=118}, "\1\0\0\0\30\0\0\0\360\5\0\0\200\226\230\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\5\0\0\0\365@\250\25(\5\0\0\13\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\5\0\0\13\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\32\0\0\0MS TCP Loopback interface\0", ) , ) == 0x0
 01035   860   NtClose  (256, ... ) == 0x0
 01036   860   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 256, ) == 0x0
 01037   860   NtDeviceIoControlFile  (12, 256, 0x0, 0x0, 0x120003,  (12, 256, 0x0, 0x0, 0x120003, "\0\2\0\0\1\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=158}, "\3\0\1\0\6\0\0\0\334\5\0\0\0\312\232;\6\0\0\0\0\14)\271\233\363\232\201\1\0\0\0\5\0\0\0\232A\250\25\36\363P\3\331\277\0\0\362\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Y\31&\0\357B\0\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0B\0\0\0AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport\0", ) , 36, 348, ... {status=0x0, info=158},  (12, 256, 0x0, 0x0, 0x120003, "\0\2\0\0\1\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=158}, "\3\0\1\0\6\0\0\0\334\5\0\0\0\312\232;\6\0\0\0\0\14)\271\233\363\232\201\1\0\0\0\5\0\0\0\232A\250\25\36\363P\3\331\277\0\0\362\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Y\31&\0\357B\0\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0B\0\0\0AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport\0", ) , ) == 0x0
 01038   860   NtClose  (256, ... ) == 0x0
 01039   860   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 256, ) == 0x0
 01040   860   NtDeviceIoControlFile  (12, 256, 0x0, 0x0, 0x120003,  (12, 256, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , 36, 32768, ... {status=0x0, info=56},  (12, 256, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , ) == 0x0
 01041   860   NtClose  (256, ... ) == 0x0
 01042   860   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 256, ) == 0x0
 01043   860   NtDeviceIoControlFile  (12, 256, 0x0, 0x0, 0x120003,  (12, 256, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 4, ... {status=0x0, info=4}, "\200\2\0\0", ) , 36, 4, ... {status=0x0, info=4},  (12, 256, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 4, ... {status=0x0, info=4}, "\200\2\0\0", ) , ) == 0x0
 01044   860   NtClose  (256, ... ) == 0x0
 01045   860   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 256, ) == 0x0
 01046   860   NtDeviceIoControlFile  (12, 256, 0x0, 0x0, 0x120003,  (12, 256, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 8, ... {status=0x0, info=8}, "\1\0\0\0\3\0\1\0", ) , 36, 8, ... {status=0x0, info=8},  (12, 256, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 8, ... {status=0x0, info=8}, "\1\0\0\0\3\0\1\0", ) , ) == 0x0
 01047   860   NtClose  (256, ... ) == 0x0
 01048   860   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 256, ) == 0x0
 01049   860   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 260, ) == 0x0
 01050   860   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 39190528, 65536, ) == 0x0
 01051   860   NtQueryVirtualMemory  (-1, 0x2560000, Basic, 28, ... {BaseAddress=0x2560000,AllocationBase=0x2560000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01052   860   NtAllocateVirtualMemory  (-1, 39190528, 0, 1, 4096, 4, ... 39190528, 4096, ) == 0x0
 01053   860   NtQueryVirtualMemory  (-1, 0x2560000, Basic, 28, ... {BaseAddress=0x2560000,AllocationBase=0x2560000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01054   860   NtFreeVirtualMemory  (-1, (0x2560000), 0, 32768, ... (0x2560000), 65536, ) == 0x0
 01055   860   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 39190528, 65536, ) == 0x0
 01056   860   NtQueryVirtualMemory  (-1, 0x2560000, Basic, 28, ... {BaseAddress=0x2560000,AllocationBase=0x2560000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01057   860   NtAllocateVirtualMemory  (-1, 39190528, 0, 1, 4096, 4, ... 39190528, 4096, ) == 0x0
 01058   860   NtQueryVirtualMemory  (-1, 0x2560000, Basic, 28, ... {BaseAddress=0x2560000,AllocationBase=0x2560000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01059   860   NtFreeVirtualMemory  (-1, (0x2560000), 0, 32768, ... (0x2560000), 65536, ) == 0x0
 01060   860   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 39190528, 65536, ) == 0x0
 01061   860   NtQueryVirtualMemory  (-1, 0x2560000, Basic, 28, ... {BaseAddress=0x2560000,AllocationBase=0x2560000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01062   860   NtAllocateVirtualMemory  (-1, 39190528, 0, 1, 4096, 4, ... 39190528, 4096, ) == 0x0
 01063   860   NtQueryVirtualMemory  (-1, 0x2560000, Basic, 28, ... {BaseAddress=0x2560000,AllocationBase=0x2560000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01064   860   NtFreeVirtualMemory  (-1, (0x2560000), 0, 32768, ... (0x2560000), 65536, ) == 0x0
 01065   860   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 39190528, 65536, ) == 0x0
 01066   860   NtQueryVirtualMemory  (-1, 0x2560000, Basic, 28, ... {BaseAddress=0x2560000,AllocationBase=0x2560000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01067   860   NtAllocateVirtualMemory  (-1, 39190528, 0, 1, 4096, 4, ... 39190528, 4096, ) == 0x0
 01068   860   NtQueryVirtualMemory  (-1, 0x2560000, Basic, 28, ... {BaseAddress=0x2560000,AllocationBase=0x2560000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01069   860   NtFreeVirtualMemory  (-1, (0x2560000), 0, 32768, ... (0x2560000), 65536, ) == 0x0
 01070   860   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 39190528, 65536, ) == 0x0
 01071   860   NtQueryVirtualMemory  (-1, 0x2560000, Basic, 28, ... {BaseAddress=0x2560000,AllocationBase=0x2560000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01072   860   NtAllocateVirtualMemory  (-1, 39190528, 0, 1, 4096, 4, ... 39190528, 4096, ) == 0x0
 01073   860   NtQueryVirtualMemory  (-1, 0x2560000, Basic, 28, ... {BaseAddress=0x2560000,AllocationBase=0x2560000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01074   860   NtFreeVirtualMemory  (-1, (0x2560000), 0, 32768, ... (0x2560000), 65536, ) == 0x0
 01075   860   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 39190528, 65536, ) == 0x0
 01076   860   NtQueryVirtualMemory  (-1, 0x2560000, Basic, 28, ... {BaseAddress=0x2560000,AllocationBase=0x2560000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01077   860   NtAllocateVirtualMemory  (-1, 39190528, 0, 1, 4096, 4, ... 39190528, 4096, ) == 0x0
 01078   860   NtQueryVirtualMemory  (-1, 0x2560000, Basic, 28, ... {BaseAddress=0x2560000,AllocationBase=0x2560000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01079   860   NtFreeVirtualMemory  (-1, (0x2560000), 0, 32768, ... (0x2560000), 65536, ) == 0x0
 01080   860   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 39190528, 65536, ) == 0x0
 01081   860   NtQueryVirtualMemory  (-1, 0x2560000, Basic, 28, ... {BaseAddress=0x2560000,AllocationBase=0x2560000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01082   860   NtAllocateVirtualMemory  (-1, 39190528, 0, 1, 4096, 4, ... 39190528, 4096, ) == 0x0
 01083   860   NtQueryVirtualMemory  (-1, 0x2560000, Basic, 28, ... {BaseAddress=0x2560000,AllocationBase=0x2560000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01084   860   NtFreeVirtualMemory  (-1, (0x2560000), 0, 32768, ... (0x2560000), 65536, ) == 0x0
 01085   860   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 39190528, 65536, ) == 0x0
 01086   860   NtQueryVirtualMemory  (-1, 0x2560000, Basic, 28, ... {BaseAddress=0x2560000,AllocationBase=0x2560000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01087   860   NtAllocateVirtualMemory  (-1, 39190528, 0, 1, 4096, 4, ... 39190528, 4096, ) == 0x0
 01088   860   NtQueryVirtualMemory  (-1, 0x2560000, Basic, 28, ... {BaseAddress=0x2560000,AllocationBase=0x2560000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01089   860   NtFreeVirtualMemory  (-1, (0x2560000), 0, 32768, ... (0x2560000), 65536, ) == 0x0
 01090   860   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 39190528, 65536, ) == 0x0
 01091   860   NtQueryVirtualMemory  (-1, 0x2560000, Basic, 28, ... {BaseAddress=0x2560000,AllocationBase=0x2560000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01092   860   NtAllocateVirtualMemory  (-1, 39190528, 0, 1, 4096, 4, ... 39190528, 4096, ) == 0x0
 01093   860   NtQueryVirtualMemory  (-1, 0x2560000, Basic, 28, ... {BaseAddress=0x2560000,AllocationBase=0x2560000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01094   860   NtFreeVirtualMemory  (-1, (0x2560000), 0, 32768, ... (0x2560000), 65536, ) == 0x0
 01095   860   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 39190528, 65536, ) == 0x0
 01096   860   NtQueryVirtualMemory  (-1, 0x2560000, Basic, 28, ... {BaseAddress=0x2560000,AllocationBase=0x2560000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01097   860   NtAllocateVirtualMemory  (-1, 39190528, 0, 1, 4096, 4, ... 39190528, 4096, ) == 0x0
 01098   860   NtQueryVirtualMemory  (-1, 0x2560000, Basic, 28, ... {BaseAddress=0x2560000,AllocationBase=0x2560000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01099   860   NtFreeVirtualMemory  (-1, (0x2560000), 0, 32768, ... (0x2560000), 65536, ) == 0x0
 01100   860   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 39190528, 65536, ) == 0x0
 01101   860   NtQueryVirtualMemory  (-1, 0x2560000, Basic, 28, ... {BaseAddress=0x2560000,AllocationBase=0x2560000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01102   860   NtAllocateVirtualMemory  (-1, 39190528, 0, 1, 4096, 4, ... 39190528, 4096, ) == 0x0
 01103   860   NtQueryVirtualMemory  (-1, 0x2560000, Basic, 28, ... {BaseAddress=0x2560000,AllocationBase=0x2560000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01104   860   NtFreeVirtualMemory  (-1, (0x2560000), 0, 32768, ... (0x2560000), 65536, ) == 0x0
 01105   860   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 39190528, 65536, ) == 0x0
 01106   860   NtQueryVirtualMemory  (-1, 0x2560000, Basic, 28, ... {BaseAddress=0x2560000,AllocationBase=0x2560000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01107   860   NtAllocateVirtualMemory  (-1, 39190528, 0, 1, 4096, 4, ... 39190528, 4096, ) == 0x0
 01108   860   NtQueryVirtualMemory  (-1, 0x2560000, Basic, 28, ... {BaseAddress=0x2560000,AllocationBase=0x2560000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01109   860   NtFreeVirtualMemory  (-1, (0x2560000), 0, 32768, ... (0x2560000), 65536, ) == 0x0
 01110   860   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 39190528, 65536, ) == 0x0
 01111   860   NtQueryVirtualMemory  (-1, 0x2560000, Basic, 28, ... {BaseAddress=0x2560000,AllocationBase=0x2560000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01112   860   NtAllocateVirtualMemory  (-1, 39190528, 0, 1, 4096, 4, ... 39190528, 4096, ) == 0x0
 01113   860   NtQueryVirtualMemory  (-1, 0x2560000, Basic, 28, ... {BaseAddress=0x2560000,AllocationBase=0x2560000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01114   860   NtFreeVirtualMemory  (-1, (0x2560000), 0, 32768, ... (0x2560000), 65536, ) == 0x0
 01115   860   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 39190528, 65536, ) == 0x0
 01116   860   NtQueryVirtualMemory  (-1, 0x2560000, Basic, 28, ... {BaseAddress=0x2560000,AllocationBase=0x2560000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01117   860   NtAllocateVirtualMemory  (-1, 39190528, 0, 1, 4096, 4, ... 39190528, 4096, ) == 0x0
 01118   860   NtQueryVirtualMemory  (-1, 0x2560000, Basic, 28, ... {BaseAddress=0x2560000,AllocationBase=0x2560000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01119   860   NtFreeVirtualMemory  (-1, (0x2560000), 0, 32768, ... (0x2560000), 65536, ) == 0x0
 01120   860   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 39190528, 65536, ) == 0x0
 01121   860   NtQueryVirtualMemory  (-1, 0x2560000, Basic, 28, ... {BaseAddress=0x2560000,AllocationBase=0x2560000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01122   860   NtAllocateVirtualMemory  (-1, 39190528, 0, 1, 4096, 4, ... 39190528, 4096, ) == 0x0
 01123   860   NtQueryVirtualMemory  (-1, 0x2560000, Basic, 28, ... {BaseAddress=0x2560000,AllocationBase=0x2560000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01124   860   NtFreeVirtualMemory  (-1, (0x2560000), 0, 32768, ... (0x2560000), 65536, ) == 0x0
 01125   860   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 39190528, 65536, ) == 0x0
 01126   860   NtQueryVirtualMemory  (-1, 0x2560000, Basic, 28, ... {BaseAddress=0x2560000,AllocationBase=0x2560000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01127   860   NtAllocateVirtualMemory  (-1, 39190528, 0, 1, 4096, 4, ... 39190528, 4096, ) == 0x0
 01128   860   NtQueryVirtualMemory  (-1, 0x2560000, Basic, 28, ... {BaseAddress=0x2560000,AllocationBase=0x2560000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01129   860   NtFreeVirtualMemory  (-1, (0x2560000), 0, 32768, ... (0x2560000), 65536, ) == 0x0
 01130   860   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 39190528, 65536, ) == 0x0
 01131   860   NtQueryVirtualMemory  (-1, 0x2560000, Basic, 28, ... {BaseAddress=0x2560000,AllocationBase=0x2560000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01132   860   NtAllocateVirtualMemory  (-1, 39190528, 0, 1, 4096, 4, ... 39190528, 4096, ) == 0x0
 01133   860   NtQueryVirtualMemory  (-1, 0x2560000, Basic, 28, ... {BaseAddress=0x2560000,AllocationBase=0x2560000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01134   860   NtFreeVirtualMemory  (-1, (0x2560000), 0, 32768, ... (0x2560000), 65536, ) == 0x0
 01135   860   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 39190528, 65536, ) == 0x0
 01136   860   NtQueryVirtualMemory  (-1, 0x2560000, Basic, 28, ... {BaseAddress=0x2560000,AllocationBase=0x2560000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01137   860   NtAllocateVirtualMemory  (-1, 39190528, 0, 1, 4096, 4, ... 39190528, 4096, ) == 0x0
 01138   860   NtQueryVirtualMemory  (-1, 0x2560000, Basic, 28, ... {BaseAddress=0x2560000,AllocationBase=0x2560000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01139   860   NtFreeVirtualMemory  (-1, (0x2560000), 0, 32768, ... (0x2560000), 65536, ) == 0x0
 01140   860   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 39190528, 65536, ) == 0x0
 01141   860   NtQueryVirtualMemory  (-1, 0x2560000, Basic, 28, ... {BaseAddress=0x2560000,AllocationBase=0x2560000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01142   860   NtAllocateVirtualMemory  (-1, 39190528, 0, 1, 4096, 4, ... 39190528, 4096, ) == 0x0
 01143   860   NtQueryVirtualMemory  (-1, 0x2560000, Basic, 28, ... {BaseAddress=0x2560000,AllocationBase=0x2560000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01144   860   NtFreeVirtualMemory  (-1, (0x2560000), 0, 32768, ... (0x2560000), 65536, ) == 0x0
 01145   860   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 39190528, 65536, ) == 0x0
 01146   860   NtQueryVirtualMemory  (-1, 0x2560000, Basic, 28, ... {BaseAddress=0x2560000,AllocationBase=0x2560000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01147   860   NtAllocateVirtualMemory  (-1, 39190528, 0, 1, 4096, 4, ... 39190528, 4096, ) == 0x0
 01148   860   NtQueryVirtualMemory  (-1, 0x2560000, Basic, 28, ... {BaseAddress=0x2560000,AllocationBase=0x2560000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01149   860   NtFreeVirtualMemory  (-1, (0x2560000), 0, 32768, ... (0x2560000), 65536, ) == 0x0
 01150   860   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 39190528, 65536, ) == 0x0
 01151   860   NtQueryVirtualMemory  (-1, 0x2560000, Basic, 28, ... {BaseAddress=0x2560000,AllocationBase=0x2560000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01152   860   NtAllocateVirtualMemory  (-1, 39190528, 0, 1, 4096, 4, ... 39190528, 4096, ) == 0x0
 01153   860   NtQueryVirtualMemory  (-1, 0x2560000, Basic, 28, ... {BaseAddress=0x2560000,AllocationBase=0x2560000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01154   860   NtFreeVirtualMemory  (-1, (0x2560000), 0, 32768, ... (0x2560000), 65536, ) == 0x0
 01155   860   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 39190528, 65536, ) == 0x0
 01156   860   NtQueryVirtualMemory  (-1, 0x2560000, Basic, 28, ... {BaseAddress=0x2560000,AllocationBase=0x2560000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01157   860   NtAllocateVirtualMemory  (-1, 39190528, 0, 1, 4096, 4, ... 39190528, 4096, ) == 0x0
 01158   860   NtQueryVirtualMemory  (-1, 0x2560000, Basic, 28, ... {BaseAddress=0x2560000,AllocationBase=0x2560000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01159   860   NtFreeVirtualMemory  (-1, (0x2560000), 0, 32768, ... (0x2560000), 65536, ) == 0x0
 01160   860   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 39190528, 65536, ) == 0x0
 01161   860   NtQueryVirtualMemory  (-1, 0x2560000, Basic, 28, ... {BaseAddress=0x2560000,AllocationBase=0x2560000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01162   860   NtAllocateVirtualMemory  (-1, 39190528, 0, 1, 4096, 4, ... 39190528, 4096, ) == 0x0
 01163   860   NtQueryVirtualMemory  (-1, 0x2560000, Basic, 28, ... {BaseAddress=0x2560000,AllocationBase=0x2560000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01164   860   NtFreeVirtualMemory  (-1, (0x2560000), 0, 32768, ... (0x2560000), 65536, ) == 0x0
 01165   860   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 39190528, 65536, ) == 0x0
 01166   860   NtQueryVirtualMemory  (-1, 0x2560000, Basic, 28, ... {BaseAddress=0x2560000,AllocationBase=0x2560000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01167   860   NtAllocateVirtualMemory  (-1, 39190528, 0, 1, 4096, 4, ... 39190528, 4096, ) == 0x0
 01168   860   NtQueryVirtualMemory  (-1, 0x2560000, Basic, 28, ... {BaseAddress=0x2560000,AllocationBase=0x2560000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01169   860   NtFreeVirtualMemory  (-1, (0x2560000), 0, 32768, ... (0x2560000), 65536, ) == 0x0
 01170   860   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 39190528, 65536, ) == 0x0
 01171   860   NtQueryVirtualMemory  (-1, 0x2560000, Basic, 28, ... {BaseAddress=0x2560000,AllocationBase=0x2560000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01172   860   NtAllocateVirtualMemory  (-1, 39190528, 0, 1, 4096, 4, ... 39190528, 4096, ) == 0x0
 01173   860   NtQueryVirtualMemory  (-1, 0x2560000, Basic, 28, ... {BaseAddress=0x2560000,AllocationBase=0x2560000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01174   860   NtFreeVirtualMemory  (-1, (0x2560000), 0, 32768, ... (0x2560000), 65536, ) == 0x0
 01175   860   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Tcpip\Linkage"}, ... 264, ) }, ... 264, ) == 0x0
 01176   860   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"}, ... 268, ) }, ... 268, ) == 0x0
 01177   860   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces"}, ... 272, ) }, ... 272, ) == 0x0
 01178   860   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\NetBT\Parameters"}, ... 276, ) }, ... 276, ) == 0x0
 01179   860   NtQueryDefaultLocale  (1, 1242864, ... ) == 0x0
 01180   860   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHELL32.dll"}, ... 280, ) }, ... 280, ) == 0x0
 01181   860   NtMapViewOfSection  (280, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7c9c0000), 0x0, 8482816, ) == 0x0
 01182   860   NtClose  (280, ... ) == 0x0
 01183   860   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 01184   860   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 01185   860   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 01186   860   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 01187   860   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 01188   860   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 01189   860   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 01190   860   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 01191   860   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 01192   860   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 01193   860   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 01194   860   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 01195   860   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 01196   860   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 01197   860   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 01198   860   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 01199   860   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 01200   860   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 01201   860   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 280, ) }, ... 280, ) == 0x0
 01202   860   NtMapViewOfSection  (280, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f60000), 0x0, 483328, ) == 0x0
 01203   860   NtClose  (280, ... ) == 0x0
 01204   860   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 01205   860   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 01206   860   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 01207   860   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 01208   860   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 01209   860   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 01210   860   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 01211   860   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 01212   860   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 01213   860   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 01214   860   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 01215   860   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 01216   860   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 01217   860   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 01218   860   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 01219   860   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 01220   860   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 01221   860   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 01222   860   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 01223   860   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 01224   860   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 01225   860   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHLWAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01226   860   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01227   860   NtCreateSemaphore  (0x1f0003, {24, 44, 0x80, 1332592, 0,  (0x1f0003, {24, 44, 0x80, 1332592, 0, "shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}"}, 0, 2147483647, ... 280, ) }, 0, 2147483647, ... 280, ) == STATUS_OBJECT_NAME_EXISTS
 01228   860   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHELL32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01229   860   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "SYSTEM\Setup"}, ... 284, ) }, ... 284, ) == 0x0
 01230   860   NtQueryValueKey  (284,  (284, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (284, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01231   860   NtClose  (284, ... ) == 0x0
 01232   860   NtQueryDefaultUILanguage  (1241288, ...
 01233   860   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01234   860   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482740, ) == 0x0
 01235   860   NtQueryInformationToken  (-2147482740, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01236   860   NtClose  (-2147482740, ... ) == 0x0
 01237   860   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0
 01238   860   NtOpenKey  (0x80000000, {24, -2147482740, 0x240, 0, 0,  (0x80000000, {24, -2147482740, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01239   860   NtOpenKey  (0x80000000, {24, -2147482740, 0x640, 0, 0,  (0x80000000, {24, -2147482740, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481328, ) }, ... -2147481328, ) == 0x0
 01240   860   NtQueryValueKey  (-2147481328,  (-2147481328, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01241   860   NtClose  (-2147481328, ... ) == 0x0
 01242   860   NtClose  (-2147482740, ... ) == 0x0
 01232   860   NtQueryDefaultUILanguage  ... ) == 0x0
 01243   860   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1, 96, ... 284, {status=0x0, info=1}, ) }, 1, 96, ... 284, {status=0x0, info=1}, ) == 0x0
 01244   860   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 284, ... 288, ) == 0x0
 01245   860   NtMapViewOfSection  (288, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x2560000), 0x0, 8462336, ) == 0x0
 01246   860   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01247   860   NtQueryDefaultLocale  (1, 1239384, ... ) == 0x0
 01248   860   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01249   860   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 2088850039, 1240420, 1179817, 1240144}  (24, {128, 156, new_msg, 0, 2088850039, 1240420, 1179817, 1240144} "\210\6\31\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\34\1\0\0\377\377\377\377\0\0\0\0@ y\2\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0X\361\22\0\0\0\0\0" ... {128, 156, reply, 0, 464, 860, 57996, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\34\1\0\0\377\377\377\377\0\0\0\0@ y\2\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0X\361\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 464, 860, 57996, 0}  (24, {128, 156, new_msg, 0, 2088850039, 1240420, 1179817, 1240144} "\210\6\31\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\34\1\0\0\377\377\377\377\0\0\0\0@ y\2\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0X\361\22\0\0\0\0\0" ... {128, 156, reply, 0, 464, 860, 57996, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\34\1\0\0\377\377\377\377\0\0\0\0@ y\2\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0X\361\22\0\0\0\0\0" )  ) == 0x0
 01250   860   NtClose  (284, ... ) == 0x0
 01251   860   NtClose  (288, ... ) == 0x0
 01252   860   NtUnmapViewOfSection  (-1, 0x2560000, ... ) == 0x0
 01253   860   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01254   860   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01255   860   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01256   860   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01257   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1238576, ... ) }, 1238576, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01258   860   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01259   860   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01260   860   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01261   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03"}, 1238640, ... ) }, 1238640, ... ) == 0x0
 01262   860   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03"}, 3, 33, ... 288, {status=0x0, info=1}, ) }, 3, 33, ... 288, {status=0x0, info=1}, ) == 0x0
 01263   860   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01264   860   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll"}, 5, 96, ... 284, {status=0x0, info=1}, ) }, 5, 96, ... 284, {status=0x0, info=1}, ) == 0x0
 01265   860   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 284, ... 292, ) == 0x0
 01266   860   NtClose  (284, ... ) == 0x0
 01267   860   NtMapViewOfSection  (292, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x2560000), 0x0, 1056768, ) == 0x0
 01268   860   NtClose  (292, ... ) == 0x0
 01269   860   NtUnmapViewOfSection  (-1, 0x2560000, ... ) == 0x0
 01270   860   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll"}, 5, 96, ... 292, {status=0x0, info=1}, ) }, 5, 96, ... 292, {status=0x0, info=1}, ) == 0x0
 01271   860   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 292, ... 284, ) == 0x0
 01272   860   NtQuerySection  (284, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01273   860   NtClose  (292, ... ) == 0x0
 01274   860   NtMapViewOfSection  (284, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 1060864, ) == 0x0
 01275   860   NtClose  (284, ... ) == 0x0
 01276   860   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 01277   860   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 01278   860   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 01279   860   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 01280   860   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 01281   860   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 01282   860   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 01283   860   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 01284   860   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 01285   860   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 01286   860   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 01287   860   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 01288   860   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 01289   860   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 01290   860   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 01291   860   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 01292   860   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 01293   860   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 01294   860   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 01295   860   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 01296   860   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 01297   860   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\comctl32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01298   860   NtAddAtom  ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1240120, ... ) , 42, 1240120, ... ) == 0x0
 01299   860   NtQueryDefaultUILanguage  (1238804, ...
 01300   860   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01301   860   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482740, ) == 0x0
 01302   860   NtQueryInformationToken  (-2147482740, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01303   860   NtClose  (-2147482740, ... ) == 0x0
 01304   860   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0
 01305   860   NtOpenKey  (0x80000000, {24, -2147482740, 0x240, 0, 0,  (0x80000000, {24, -2147482740, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01306   860   NtOpenKey  (0x80000000, {24, -2147482740, 0x640, 0, 0,  (0x80000000, {24, -2147482740, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481328, ) }, ... -2147481328, ) == 0x0
 01307   860   NtQueryValueKey  (-2147481328,  (-2147481328, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01308   860   NtClose  (-2147481328, ... ) == 0x0
 01309   860   NtClose  (-2147482740, ... ) == 0x0
 01299   860   NtQueryDefaultUILanguage  ... ) == 0x0
 01310   860   NtAllocateVirtualMemory  (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0
 01311   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1237644, ... ) }, 1237644, ... ) == 0x0
 01312   860   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 284, {status=0x0, info=1}, ) }, 5, 96, ... 284, {status=0x0, info=1}, ) == 0x0
 01313   860   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 284, ... 292, ) == 0x0
 01314   860   NtClose  (284, ... ) == 0x0
 01315   860   NtMapViewOfSection  (292, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x2560000), 0x0, 4096, ) == 0x0
 01316   860   NtClose  (292, ... ) == 0x0
 01317   860   NtUnmapViewOfSection  (-1, 0x2560000, ... ) == 0x0
 01318   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1237240, ... ) }, 1237240, ... ) == 0x0
 01319   860   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1237984,  (0x80100080, {24, 0, 0x40, 0, 1237984, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 292, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 292, {status=0x0, info=1}, ) == 0x0
 01320   860   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 292, ... 284, ) == 0x0
 01321   860   NtClose  (292, ... ) == 0x0
 01322   860   NtMapViewOfSection  (284, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x2560000), {0, 0}, 4096, ) == 0x0
 01323   860   NtClose  (284, ... ) == 0x0
 01324   860   NtUnmapViewOfSection  (-1, 0x2560000, ... ) == 0x0
 01325   860   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 284, {status=0x0, info=1}, ) }, 1, 96, ... 284, {status=0x0, info=1}, ) == 0x0
 01326   860   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 284, ... 292, ) == 0x0
 01327   860   NtMapViewOfSection  (292, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x2560000), 0x0, 4096, ) == 0x0
 01328   860   NtQueryInformationFile  (284, 1237636, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01329   860   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01330   860   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 2088850039, 1237936, 1179817, 1237660}  (24, {128, 156, new_msg, 0, 2088850039, 1237936, 1179817, 1237660} "\210\6\31\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1\34\1\0\0$\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\244\347\22\0\0\0\0\0" ... {128, 156, reply, 0, 464, 860, 57997, 0} "\260d\27\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1\34\1\0\0$\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\244\347\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 464, 860, 57997, 0}  (24, {128, 156, new_msg, 0, 2088850039, 1237936, 1179817, 1237660} "\210\6\31\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1\34\1\0\0$\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\244\347\22\0\0\0\0\0" ... {128, 156, reply, 0, 464, 860, 57997, 0} "\260d\27\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1\34\1\0\0$\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\244\347\22\0\0\0\0\0" )  ) == 0x0
 01331   860   NtClose  (284, ... ) == 0x0
 01332   860   NtClose  (292, ... ) == 0x0
 01333   860   NtUnmapViewOfSection  (-1, 0x2560000, ... ) == 0x0
 01334   860   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01335   860   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 01336   860   NtUserSystemParametersInfo  (104, 0, 2001084812, 0, ... ) == 0x1
 01337   860   NtUserGetDC  (0, ... ) == 0x1010051
 01338   860   NtQueryVirtualMemory  (-1, 0x7c91ca50, Basic, 28, ... {BaseAddress=0x7c91c000,AllocationBase=0x7c900000,AllocationProtect=0x80,RegionSize=0x60000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 01339   860   NtQueryVirtualMemory  (-1, 0x7c9163a8, Basic, 28, ... {BaseAddress=0x7c916000,AllocationBase=0x7c900000,AllocationProtect=0x80,RegionSize=0x66000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 01340   860   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01341   860   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01342   860   NtContinue  (1237844, 0, ...
 01343   860   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01344   860   NtUnmapViewOfSection  (-1, 0x773d0000, ... ) == 0x0
 01345   860   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01346   860   NtUnmapViewOfSection  (-1, 0x2d80000, ... ) == 0x0
 01347   860   NtClose  (288, ... ) == 0x0
 01348   860   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MPR.dll"}, ... 288, ) }, ... 288, ) == 0x0
 01349   860   NtMapViewOfSection  (288, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71b20000), 0x0, 73728, ) == 0x0
 01350   860   NtClose  (288, ... ) == 0x0
 01351   860   NtProtectVirtualMemory  (-1, (0x71b21000), 440, 4, ... (0x71b21000), 4096, 32, ) == 0x0
 01352   860   NtProtectVirtualMemory  (-1, (0x71b21000), 4096, 32, ... (0x71b21000), 4096, 4, ) == 0x0
 01353   860   NtFlushInstructionCache  (-1, 1907494912, 440, ... ) == 0x0
 01354   860   NtProtectVirtualMemory  (-1, (0x71b21000), 440, 4, ... (0x71b21000), 4096, 32, ) == 0x0
 01355   860   NtProtectVirtualMemory  (-1, (0x71b21000), 4096, 32, ... (0x71b21000), 4096, 4, ) == 0x0
 01356   860   NtFlushInstructionCache  (-1, 1907494912, 440, ... ) == 0x0
 01357   860   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPR.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01358   860   NtCreateSemaphore  (0x1f0003, 0x0, 1, 1, ... 288, ) == 0x0
 01359   860   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 292, ) == 0x0
 01360   860   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "system\CurrentControlSet\control\NetworkProvider\HwOrder"}, ... 284, ) }, ... 284, ) == 0x0
 01361   860   NtNotifyChangeKey  (284, 292, 0, 0, 2011455960, 4, 0, 0, 0, 1, ... ) == 0x103
 01362   860   NtQueryInformationProcess  (-1, 28, 4, ... {process info, class 28, size 4}, 0x0, ) == 0x0
 01363   860   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 296, ) == 0x0
 01364   860   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 300, ) == 0x0
 01365   860   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "PSAPI.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01366   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\PSAPI.DLL"}, 1242956, ... ) }, 1242956, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01367   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\PSAPI.DLL"}, 1242956, ... ) }, 1242956, ... ) == 0x0
 01368   860   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\PSAPI.DLL"}, 5, 96, ... 304, {status=0x0, info=1}, ) }, 5, 96, ... 304, {status=0x0, info=1}, ) == 0x0
 01369   860   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 304, ... 308, ) == 0x0
 01370   860   NtQuerySection  (308, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01371   860   NtClose  (304, ... ) == 0x0
 01372   860   NtMapViewOfSection  (308, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76bf0000), 0x0, 45056, ) == 0x0
 01373   860   NtClose  (308, ... ) == 0x0
 01374   860   NtProtectVirtualMemory  (-1, (0x76bf1000), 236, 4, ... (0x76bf1000), 4096, 32, ) == 0x0
 01375   860   NtProtectVirtualMemory  (-1, (0x76bf1000), 4096, 32, ... (0x76bf1000), 4096, 4, ) == 0x0
 01376   860   NtFlushInstructionCache  (-1, 1992232960, 236, ... ) == 0x0
 01377   860   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PSAPI.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01378   860   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "DNSAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01379   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\DNSAPI.dll"}, 1242956, ... ) }, 1242956, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01380   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\DNSAPI.dll"}, 1242956, ... ) }, 1242956, ... ) == 0x0
 01381   860   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\DNSAPI.dll"}, 5, 96, ... 308, {status=0x0, info=1}, ) }, 5, 96, ... 308, {status=0x0, info=1}, ) == 0x0
 01382   860   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 308, ... 304, ) == 0x0
 01383   860   NtQuerySection  (304, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01384   860   NtClose  (308, ... ) == 0x0
 01385   860   NtMapViewOfSection  (304, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f20000), 0x0, 159744, ) == 0x0
 01386   860   NtClose  (304, ... ) == 0x0
 01387   860   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 01388   860   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 01389   860   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 01390   860   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 01391   860   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 01392   860   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 01393   860   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 01394   860   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 01395   860   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 01396   860   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 01397   860   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 01398   860   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 01399   860   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 01400   860   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 01401   860   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 01402   860   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 01403   860   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 01404   860   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 01405   860   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DNSAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01406   860   NtCreateKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 304, 2, ) }, 0,  (0x20019, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 304, 2, ) , 0, ... 304, 2, ) == 0x0
 01407   860   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 308, ) }, ... 308, ) == 0x0
 01408   860   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01409   860   NtQueryValueKey  (308,  (308, "QueryAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01410   860   NtQueryValueKey  (304,  (304, "DisableAdapterDomainName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01411   860   NtQueryValueKey  (308,  (308, "UseDomainNameDevolution", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01412   860   NtQueryValueKey  (304,  (304, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (304, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01413   860   NtQueryValueKey  (308,  (308, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01414   860   NtQueryValueKey  (304,  (304, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01415   860   NtQueryValueKey  (308,  (308, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01416   860   NtQueryValueKey  (304,  (304, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01417   860   NtQueryValueKey  (308,  (308, "AppendToMultiLabelName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01418   860   NtQueryValueKey  (308,  (308, "ScreenBadTlds", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01419   860   NtQueryValueKey  (308,  (308, "ScreenUnreachableServers", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01420   860   NtQueryValueKey  (308,  (308, "FilterClusterIp", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01421   860   NtQueryValueKey  (308,  (308, "WaitForNameErrorOnAll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01422   860   NtQueryValueKey  (308,  (308, "UseEdns", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01423   860   NtQueryValueKey  (308,  (308, "QueryIpMatching", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01424   860   NtQueryValueKey  (308,  (308, "UseHostsFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01425   860   NtQueryValueKey  (308,  (308, "RegistrationEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01426   860   NtQueryValueKey  (304,  (304, "DisableDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01427   860   NtQueryValueKey  (308,  (308, "RegisterPrimaryName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01428   860   NtQueryValueKey  (308,  (308, "RegisterAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01429   860   NtQueryValueKey  (304,  (304, "EnableAdapterDomainNameRegistration", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01430   860   NtQueryValueKey  (308,  (308, "RegisterReverseLookup", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01431   860   NtQueryValueKey  (304,  (304, "DisableReverseAddressRegistrations", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01432   860   NtQueryValueKey  (308,  (308, "RegisterWanAdapters", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01433   860   NtQueryValueKey  (304,  (304, "DisableWanDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01434   860   NtQueryValueKey  (308,  (308, "RegistrationTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01435   860   NtQueryValueKey  (304,  (304, "DefaultRegistrationTTL", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01436   860   NtQueryValueKey  (308,  (308, "RegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01437   860   NtQueryValueKey  (304,  (304, "DefaultRegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01438   860   NtQueryValueKey  (308,  (308, "RegistrationMaxAddressCount", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01439   860   NtQueryValueKey  (304,  (304, "MaxNumberOfAddressesToRegister", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01440   860   NtQueryValueKey  (308,  (308, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01441   860   NtQueryValueKey  (304,  (304, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01442   860   NtQueryValueKey  (308,  (308, "UpdateZoneExcludeFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01443   860   NtQueryValueKey  (308,  (308, "UpdateTopLevelDomainZones", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01444   860   NtQueryValueKey  (308,  (308, "DnsTest", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01445   860   NtQueryValueKey  (308,  (308, "MaxCacheSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01446   860   NtQueryValueKey  (308,  (308, "MaxCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01447   860   NtQueryValueKey  (308,  (308, "MaxNegativeCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01448   860   NtQueryValueKey  (308,  (308, "AdapterTimeoutLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01449   860   NtQueryValueKey  (308,  (308, "ServerPriorityTimeLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01450   860   NtQueryValueKey  (308,  (308, "MaxCachedSockets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01451   860   NtQueryValueKey  (308,  (308, "MulticastListenLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01452   860   NtQueryValueKey  (308,  (308, "MulticastSendLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01453   860   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "System\Setup"}, ... 312, ) }, ... 312, ) == 0x0
 01454   860   NtQueryValueKey  (312,  (312, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (312, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01455   860   NtClose  (312, ... ) == 0x0
 01456   860   NtClose  (304, ... ) == 0x0
 01457   860   NtClose  (308, ... ) == 0x0
 01458   860   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 308, ) }, ... 308, ) == 0x0
 01459   860   NtQueryValueKey  (308,  (308, "DnsQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01460   860   NtQueryValueKey  (308,  (308, "DnsQuickQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01461   860   NtQueryValueKey  (308,  (308, "DnsMulticastQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01462   860   NtClose  (308, ... ) == 0x0
 01463   860   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\C:\scripts"}, 3, 33, ... 308, {status=0x0, info=1}, ) }, 3, 33, ... 308, {status=0x0, info=1}, ) == 0x0
 01464   860   NtQueryVolumeInformationFile  (308, 1244940, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01465   860   NtClose  (232, ... ) == 0x0
 01466   860   NtSetEvent  (136, ...
 00716  1700   NtWaitForSingleObject  ... ) == 0x0
 01467  1700   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01468  1700   NtWaitForSingleObject  (136, 0, 0x0, ...
 01466   860   NtSetEvent  ... 0x0, ) == 0x0
 01469   860   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01470   860   NtSetEvent  (120, ...
 00872   220   NtWaitForSingleObject  ... ) == 0x0
 01471   220   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01472   220   NtWaitForSingleObject  (120, 0, 0x0, ...
 01470   860   NtSetEvent  ... 0x0, ) == 0x0
 01473   860   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01474   860   NtSetEvent  (144, ...
 00740   712   NtWaitForSingleObject  ... ) == 0x0
 01475   712   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01476   712   NtWaitForSingleObject  (144, 0, 0x0, ...
 01474   860   NtSetEvent  ... 0x0, ) == 0x0
 01477   860   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01478   860   NtSetEvent  (152, ...
 00835  1356   NtWaitForSingleObject  ... ) == 0x0
 01479  1356   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01480  1356   NtWaitForSingleObject  (152, 0, 0x0, ...
 01478   860   NtSetEvent  ... 0x0, ) == 0x0
 01481   860   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01482   860   NtAllocateVirtualMemory  (-1, 0, 0, 200000, 4096, 4, ... 39321600, 200704, ) == 0x0
 01483   860   NtAllocateVirtualMemory  (-1, 0, 0, 1024, 4096, 4, ... 39190528, 4096, ) == 0x0
 01484   860   NtSetEvent  (156, ...
 00776  1536   NtWaitForSingleObject  ... ) == 0x0
 01485  1536   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01486  1536   NtWaitForSingleObject  (156, 0, 0x0, ...
 01484   860   NtSetEvent  ... 0x0, ) == 0x0
 01487   860   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01488   860   NtSetEvent  (112, ...
 00644  1128   NtWaitForSingleObject  ... ) == 0x0
 01489  1128   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01490  1128   NtWaitForSingleObject  (112, 0, 0x0, ...
 01488   860   NtSetEvent  ... 0x0, ) == 0x0
 01491   860   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01492   860   NtQueryInformationProcess  (-1, DebugPort, 4, ... {process info, class 7, size 4}, 0x0, ) == 0x0
 01493   860   NtSetEvent  (136, ...
 01468  1700   NtWaitForSingleObject  ... ) == 0x0
 01494  1700   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01495  1700   NtWaitForSingleObject  (136, 0, 0x0, ...
 01493   860   NtSetEvent  ... 0x0, ) == 0x0
 01496   860   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01497   860   NtSetEvent  (144, ...
 01476   712   NtWaitForSingleObject  ... ) == 0x0
 01498   712   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01499   712   NtWaitForSingleObject  (144, 0, 0x0, ...
 01497   860   NtSetEvent  ... 0x0, ) == 0x0
 01500   860   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01501   860   NtSetEvent  (156, ...
 01486  1536   NtWaitForSingleObject  ... ) == 0x0
 01502  1536   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01503  1536   NtWaitForSingleObject  (156, 0, 0x0, ...
 01501   860   NtSetEvent  ... 0x0, ) == 0x0
 01504   860   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01505   860   NtSetEvent  (164, ...
 00906  1904   NtWaitForSingleObject  ... ) == 0x0
 01506  1904   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01507  1904   NtWaitForSingleObject  (164, 0, 0x0, ...
 01505   860   NtSetEvent  ... 0x0, ) == 0x0
 01508   860   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01509   860   NtSetEvent  (156, ...
 01503  1536   NtWaitForSingleObject  ... ) == 0x0
 01510  1536   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01511  1536   NtWaitForSingleObject  (156, 0, 0x0, ...
 01509   860   NtSetEvent  ... 0x0, ) == 0x0
 01512   860   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01513   860   NtSetEvent  (108, ...
 00888  1596   NtWaitForSingleObject  ... ) == 0x0
 01514  1596   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01515  1596   NtWaitForSingleObject  (108, 0, 0x0, ...
 01513   860   NtSetEvent  ... 0x0, ) == 0x0
 01516   860   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01517   860   NtSetEvent  (156, ...
 01511  1536   NtWaitForSingleObject  ... ) == 0x0
 01518  1536   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01519  1536   NtWaitForSingleObject  (156, 0, 0x0, ...
 01517   860   NtSetEvent  ... 0x0, ) == 0x0
 01520   860   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01521   860   NtSetEvent  (132, ...
 00839  1808   NtWaitForSingleObject  ... ) == 0x0
 01522  1808   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01523  1808   NtWaitForSingleObject  (132, 0, 0x0, ...
 01521   860   NtSetEvent  ... 0x0, ) == 0x0
 01524   860   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01525   860   NtSetEvent  (120, ...
 01472   220   NtWaitForSingleObject  ... ) == 0x0
 01526   220   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01527   220   NtWaitForSingleObject  (120, 0, 0x0, ...
 01525   860   NtSetEvent  ... 0x0, ) == 0x0
 01528   860   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01529   860   NtSetEvent  (116, ...
 00820  1256   NtWaitForSingleObject  ... ) == 0x0
 01530  1256   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01531  1256   NtWaitForSingleObject  (116, 0, 0x0, ...
 01529   860   NtSetEvent  ... 0x0, ) == 0x0
 01532   860   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01533   860   NtSetEvent  (152, ...
 01480  1356   NtWaitForSingleObject  ... ) == 0x0
 01534  1356   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01535  1356   NtWaitForSingleObject  (152, 0, 0x0, ...
 01533   860   NtSetEvent  ... 0x0, ) == 0x0
 01536   860   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01537   860   NtUserFindWindowEx  (0, 0,  (0, 0, "FilemonClass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 01538   860   NtUserFindWindowEx  (0, 0, 0x0,  (0, 0, 0x0, "File Monitor - Sysinternals: www.sysinternals.com", 0, ... ) , 0, ... ) == 0x0
 01539   860   NtUserFindWindowEx  (0, 0,  (0, 0, "PROCMON_WINDOW_CLASS", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 01540   860   NtUserFindWindowEx  (0, 0, 0x0,  (0, 0, 0x0, "Process Monitor - Sysinternals: www.sysinternals.com", 0, ... ) , 0, ... ) == 0x0
 01541   860   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 4096, 4, ... 39583744, 65536, ) == 0x0
 01542   860   NtQuerySystemInformation  (Module, 65536, ... {system info, class 11, size 500}, 0x0, ) == 0x0
 01543   860   NtFreeVirtualMemory  (-1, (0x25c0000), 0, 32768, ... (0x25c0000), 65536, ) == 0x0
 01544   860   NtSetEvent  (132, ...
 01523  1808   NtWaitForSingleObject  ... ) == 0x0
 01545  1808   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01546  1808   NtWaitForSingleObject  (132, 0, 0x0, ...
 01544   860   NtSetEvent  ... 0x0, ) == 0x0
 01547   860   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01548   860   NtProtectVirtualMemory  (-1, (0x401000), 96631, 64, ... (0x401000), 98304, 128, ) == 0x0
 01549   860   NtSetEvent  (120, ...
 01527   220   NtWaitForSingleObject  ... ) == 0x0
 01550   220   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01551   220   NtWaitForSingleObject  (120, 0, 0x0, ...
 01549   860   NtSetEvent  ... 0x0, ) == 0x0
 01552   860   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01553   860   NtAllocateVirtualMemory  (-1, 0, 0, 1122304, 4096, 4, ... 39583744, 1122304, ) == 0x0
 01554   860   NtFreeVirtualMemory  (-1, (0x25c0000), 0, 32768, ... (0x25c0000), 1122304, ) == 0x0
 01555   860   NtSetEvent  (104, ...
 00868  1856   NtWaitForSingleObject  ... ) == 0x0
 01556  1856   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01557  1856   NtWaitForSingleObject  (104, 0, 0x0, ...
 01555   860   NtSetEvent  ... 0x0, ) == 0x0
 01558   860   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01559   860   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 39583744, 1048576, ) == 0x0
 01560   860   NtAllocateVirtualMemory  (-1, 40624128, 0, 8192, 4096, 4, ... 40624128, 8192, ) == 0x0
 01561   860   NtProtectVirtualMemory  (-1, (0x26be000), 4096, 260, ... (0x26be000), 4096, 4, ) == 0x0
 01562   860   NtCreateThread  (0x1f03ff, 0x0, -1, 1244044, 1243988, 1, ... 232, {464, 148}, ) == 0x0
 01563   860   NtQueryInformationThread  (232, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa1000,Pid=464,Tid=148,}, 0x0, ) == 0x0
 01564   860   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2090320088, 2089917163, 6032430, 6032430}  (24, {28, 56, new_msg, 0, 2090320088, 2089917163, 6032430, 6032430} "\0\0\0\0\1\0\1\0`+$\0\10\374\22\0\350\0\0\0\320\1\0\0\224\0\0\0" ... {28, 56, reply, 0, 464, 860, 57998, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\10\374\22\0\350\0\0\0\320\1\0\0\224\0\0\0" )  ... {28, 56, reply, 0, 464, 860, 57998, 0}  (24, {28, 56, new_msg, 0, 2090320088, 2089917163, 6032430, 6032430} "\0\0\0\0\1\0\1\0`+$\0\10\374\22\0\350\0\0\0\320\1\0\0\224\0\0\0" ... {28, 56, reply, 0, 464, 860, 57998, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\10\374\22\0\350\0\0\0\320\1\0\0\224\0\0\0" )  ) == 0x0
 01565   860   NtResumeThread  (232, ... 1, ) == 0x0
 01566   148   NtTestAlert  (... ) == 0x0
 01567   148   NtContinue  (40631600, 1, ...
 01568   148   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01569   148   NtDelayExecution  (0, {-40000000, -1}, ...
 01570   860   NtSetEvent  (116, ...
 01531  1256   NtWaitForSingleObject  ... ) == 0x0
 01571  1256   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01572  1256   NtWaitForSingleObject  (116, 0, 0x0, ...
 01570   860   NtSetEvent  ... 0x0, ) == 0x0
 01573   860   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01574   860   NtProtectVirtualMemory  (-1, (0x400000), 4096, 4, ... (0x400000), 4096, 2, ) == 0x0
 01575   860   NtProtectVirtualMemory  (-1, (0x400000), 4096, 2, ... (0x400000), 4096, 4, ) == 0x0
 01576   860   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 4096, 4, ... 40632320, 4096, ) == 0x0
 01577   860   NtAllocateVirtualMemory  (-1, 0, 0, 8192, 4096, 4, ... 40697856, 8192, ) == 0x0
 01578   860   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 4096, 64, ... 40763392, 65536, ) == 0x0
 01579   860   NtAllocateVirtualMemory  (-1, 0, 0, 3320, 4096, 4, ... 40828928, 4096, ) == 0x0
 01580   860   NtFreeVirtualMemory  (-1, (0x26f0000), 0, 32768, ... (0x26f0000), 4096, ) == 0x0
 01581   860   NtAllocateVirtualMemory  (-1, 0, 0, 9152, 4096, 4, ... 40828928, 12288, ) == 0x0
 01582   860   NtFreeVirtualMemory  (-1, (0x26f0000), 0, 32768, ... (0x26f0000), 12288, ) == 0x0
 01583   860   NtAllocateVirtualMemory  (-1, 0, 0, 620, 4096, 4, ... 40828928, 4096, ) == 0x0
 01584   860   NtFreeVirtualMemory  (-1, (0x26f0000), 0, 32768, ... (0x26f0000), 4096, ) == 0x0
 01585   860   NtAllocateVirtualMemory  (-1, 0, 0, 3796, 4096, 4, ... 40828928, 4096, ) == 0x0
 01586   860   NtAllocateVirtualMemory  (-1, 0, 0, 1474, 4096, 64, ... 40894464, 4096, ) == 0x0
 01587   860   NtAllocateVirtualMemory  (-1, 0, 0, 2748, 4096, 64, ... 40960000, 4096, ) == 0x0
 01588   860   NtAllocateVirtualMemory  (-1, 0, 0, 1781, 4096, 64, ... 41025536, 4096, ) == 0x0
 01589   860   NtAllocateVirtualMemory  (-1, 0, 0, 1618, 4096, 64, ... 41091072, 4096, ) == 0x0
 01590   860   NtAllocateVirtualMemory  (-1, 0, 0, 1795, 4096, 64, ... 41156608, 4096, ) == 0x0
 01591   860   NtAllocateVirtualMemory  (-1, 0, 0, 803, 4096, 64, ... 41222144, 4096, ) == 0x0
 01592   860   NtAllocateVirtualMemory  (-1, 0, 0, 1321, 4096, 64, ... 41287680, 4096, ) == 0x0
 01593   860   NtAllocateVirtualMemory  (-1, 0, 0, 428, 4096, 64, ... 41353216, 4096, ) == 0x0
 01594   860   NtAllocateVirtualMemory  (-1, 0, 0, 1702, 4096, 64, ... 41418752, 4096, ) == 0x0
 01595   860   NtAllocateVirtualMemory  (-1, 0, 0, 305, 4096, 64, ... 41484288, 4096, ) == 0x0
 01596   860   NtAllocateVirtualMemory  (-1, 0, 0, 914, 4096, 64, ... 41549824, 4096, ) == 0x0
 01597   860   NtAllocateVirtualMemory  (-1, 0, 0, 3111, 4096, 64, ... 41615360, 4096, ) == 0x0
 01598   860   NtAllocateVirtualMemory  (-1, 0, 0, 2239, 4096, 64, ... 41680896, 4096, ) == 0x0
 01599   860   NtAllocateVirtualMemory  (-1, 0, 0, 3204, 4096, 64, ... 41746432, 4096, ) == 0x0
 01600   860   NtAllocateVirtualMemory  (-1, 0, 0, 2353, 4096, 64, ... 41811968, 4096, ) == 0x0
 01601   860   NtAllocateVirtualMemory  (-1, 0, 0, 1167, 4096, 64, ... 41877504, 4096, ) == 0x0
 01602   860   NtAllocateVirtualMemory  (-1, 0, 0, 4913, 4096, 64, ... 41943040, 8192, ) == 0x0
 01603   860   NtAllocateVirtualMemory  (-1, 0, 0, 2693, 4096, 64, ... 42008576, 4096, ) == 0x0
 01604   860   NtAllocateVirtualMemory  (-1, 0, 0, 5644, 4096, 64, ... 42074112, 8192, ) == 0x0
 01605   860   NtAllocateVirtualMemory  (-1, 0, 0, 2165, 4096, 64, ... 42139648, 4096, ) == 0x0
 01606   860   NtAllocateVirtualMemory  (-1, 0, 0, 2810, 4096, 64, ... 42205184, 4096, ) == 0x0
 01607   860   NtAllocateVirtualMemory  (-1, 0, 0, 909, 4096, 64, ... 42270720, 4096, ) == 0x0
 01608   860   NtAllocateVirtualMemory  (-1, 0, 0, 4198, 4096, 64, ... 42336256, 8192, ) == 0x0
 01609   860   NtAllocateVirtualMemory  (-1, 0, 0, 4229, 4096, 64, ... 42401792, 8192, ) == 0x0
 01610   860   NtAllocateVirtualMemory  (-1, 0, 0, 1861, 4096, 64, ... 42467328, 4096, ) == 0x0
 01611   860   NtAllocateVirtualMemory  (-1, 0, 0, 1008, 4096, 64, ... 42532864, 4096, ) == 0x0
 01612   860   NtFreeVirtualMemory  (-1, (0x26f0000), 0, 32768, ... (0x26f0000), 4096, ) == 0x0
 01613   860   NtAllocateVirtualMemory  (-1, 0, 0, 2928, 4096, 4, ... 40828928, 4096, ) == 0x0
 01614   860   NtFreeVirtualMemory  (-1, (0x26f0000), 0, 32768, ... (0x26f0000), 4096, ) == 0x0
 01615   860   NtAllocateVirtualMemory  (-1, 0, 0, 2700, 4096, 4, ... 40828928, 4096, ) == 0x0
 01616   860   NtAllocateVirtualMemory  (-1, 0, 0, 809, 4096, 64, ... 42598400, 4096, ) == 0x0
 01617   860   NtAllocateVirtualMemory  (-1, 0, 0, 5035, 4096, 64, ... 42663936, 8192, ) == 0x0
 01618   860   NtAllocateVirtualMemory  (-1, 0, 0, 4900, 4096, 64, ... 42729472, 8192, ) == 0x0
 01619   860   NtAllocateVirtualMemory  (-1, 0, 0, 2461, 4096, 64, ... 42795008, 4096, ) == 0x0
 01620   860   NtAllocateVirtualMemory  (-1, 0, 0, 3505, 4096, 64, ... 42860544, 4096, ) == 0x0
 01621   860   NtAllocateVirtualMemory  (-1, 0, 0, 1180, 4096, 64, ... 42926080, 4096, ) == 0x0
 01622   860   NtAllocateVirtualMemory  (-1, 0, 0, 1257, 4096, 64, ... 42991616, 4096, ) == 0x0
 01623   860   NtAllocateVirtualMemory  (-1, 0, 0, 1064, 4096, 64, ... 43057152, 4096, ) == 0x0
 01624   860   NtAllocateVirtualMemory  (-1, 0, 0, 3425, 4096, 64, ... 43122688, 4096, ) == 0x0
 01625   860   NtAllocateVirtualMemory  (-1, 0, 0, 3341, 4096, 64, ... 43188224, 4096, ) == 0x0
 01626   860   NtAllocateVirtualMemory  (-1, 0, 0, 4021, 4096, 64, ... 43253760, 4096, ) == 0x0
 01627   860   NtAllocateVirtualMemory  (-1, 0, 0, 1935, 4096, 64, ... 43319296, 4096, ) == 0x0
 01628   860   NtFreeVirtualMemory  (-1, (0x26f0000), 0, 32768, ... (0x26f0000), 4096, ) == 0x0
 01629   860   NtAllocateVirtualMemory  (-1, 0, 0, 1236, 4096, 4, ... 40828928, 4096, ) == 0x0
 01630   860   NtFreeVirtualMemory  (-1, (0x26f0000), 0, 32768, ... (0x26f0000), 4096, ) == 0x0
 01631   860   NtAllocateVirtualMemory  (-1, 0, 0, 468, 4096, 4, ... 40828928, 4096, ) == 0x0
 01632   860   NtFreeVirtualMemory  (-1, (0x26f0000), 0, 32768, ... (0x26f0000), 4096, ) == 0x0
 01633   860   NtAllocateVirtualMemory  (-1, 0, 0, 312, 4096, 4, ... 40828928, 4096, ) == 0x0
 01634   860   NtFreeVirtualMemory  (-1, (0x26f0000), 0, 32768, ... (0x26f0000), 4096, ) == 0x0
 01635   860   NtAllocateVirtualMemory  (-1, 0, 0, 96, 4096, 4, ... 40828928, 4096, ) == 0x0
 01636   860   NtFreeVirtualMemory  (-1, (0x26f0000), 0, 32768, ... (0x26f0000), 4096, ) == 0x0
 01637   860   NtAllocateVirtualMemory  (-1, 0, 0, 640, 4096, 4, ... 40828928, 4096, ) == 0x0
 01638   860   NtFreeVirtualMemory  (-1, (0x26f0000), 0, 32768, ... (0x26f0000), 4096, ) == 0x0
 01639   860   NtFreeVirtualMemory  (-1, (0x2580000), 0, 32768, ... (0x2580000), 200704, ) == 0x0
 01640   860   NtFreeVirtualMemory  (-1, (0x2560000), 0, 32768, ... (0x2560000), 4096, ) == 0x0
 01641   860   NtFreeVirtualMemory  (-1, (0x26d0000), 0, 32768, ... (0x26d0000), 8192, ) == 0x0
 01642   860   NtFreeVirtualMemory  (-1, (0x26e0000), 0, 32768, ... (0x26e0000), 65536, ) == 0x0
 01643   860   NtFreeVirtualMemory  (-1, (0x26c0000), 0, 32768, ... (0x26c0000), 4096, ) == 0x0
 01644   860   NtSetEvent  (132, ...
 01546  1808   NtWaitForSingleObject  ... ) == 0x0
 01645  1808   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01646  1808   NtWaitForSingleObject  (132, 0, 0x0, ...
 01644   860   NtSetEvent  ... 0x0, ) == 0x0
 01647   860   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01648   860   NtSetEvent  (160, ...
 00788   444   NtWaitForSingleObject  ... ) == 0x0
 01649   444   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01650   444   NtWaitForSingleObject  (160, 0, 0x0, ...
 01648   860   NtSetEvent  ... 0x0, ) == 0x0
 01651   860   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01652   860   NtProtectVirtualMemory  (-1, (0x400000), 4096, 4, ... (0x400000), 4096, 2, ) == 0x0
 01653   860   NtProtectVirtualMemory  (-1, (0x400000), 4096, 2, ... (0x400000), 4096, 4, ) == 0x0
 01654   860   NtSetEvent  (116, ...
 01572  1256   NtWaitForSingleObject  ... ) == 0x0
 01655  1256   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01656  1256   NtWaitForSingleObject  (116, 0, 0x0, ...
 01654   860   NtSetEvent  ... 0x0, ) == 0x0
 01657   860   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01658   860   NtSetEvent  (160, ...
 01650   444   NtWaitForSingleObject  ... ) == 0x0
 01659   444   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01660   444   NtWaitForSingleObject  (160, 0, 0x0, ...
 01658   860   NtSetEvent  ... 0x0, ) == 0x0
 01661   860   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01662   860   NtSetEvent  (116, ...
 01656  1256   NtWaitForSingleObject  ... ) == 0x0
 01663  1256   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01664  1256   NtWaitForSingleObject  (116, 0, 0x0, ...
 01662   860   NtSetEvent  ... 0x0, ) == 0x0
 01665   860   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01666   860   NtSetEvent  (132, ...
 01646  1808   NtWaitForSingleObject  ... ) == 0x0
 01667  1808   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01668  1808   NtWaitForSingleObject  (132, 0, 0x0, ...
 01666   860   NtSetEvent  ... 0x0, ) == 0x0
 01669   860   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01670   860   NtProtectVirtualMemory  (-1, (0x400000), 4096, 4, ... (0x400000), 4096, 2, ) == 0x0
 01671   860   NtProtectVirtualMemory  (-1, (0x400000), 4096, 2, ... (0x400000), 4096, 4, ) == 0x0
 01672   860   NtSetEvent  (132, ...
 01668  1808   NtWaitForSingleObject  ... ) == 0x0
 01673  1808   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01674  1808   NtWaitForSingleObject  (132, 0, 0x0, ...
 01672   860   NtSetEvent  ... 0x0, ) == 0x0
 01675   860   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01676   860   NtQueryVirtualMemory  (-1, 0x437f0e, Basic, 28, ... {BaseAddress=0x437000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0xdc000,State=0x1000,Protect=0x40,Type=0x1000000,}, 28, ) == 0x0
 01677   860   NtQueryVirtualMemory  (-1, 0x43f1d8, Basic, 28, ... {BaseAddress=0x43f000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0xd4000,State=0x1000,Protect=0x40,Type=0x1000000,}, 28, ) == 0x0
 01678   860   NtQueryInformationProcess  (-1, DebugPort, 4, ... {process info, class 7, size 4}, 0x0, ) == 0x0
 01679   860   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 01680   860   NtQueryVirtualMemory  (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 01681   860   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01682   860   NtQueryInformationJobObject  (0, BasicLimit, 48, ... ) == STATUS_ACCESS_DENIED
 01683   860   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AeDebug"}, ... 304, ) }, ... 304, ) == 0x0
 01684   860   NtQueryValueKey  (304,  (304, "Auto", Partial, 526, ... TitleIdx=0, Type=1, Data="0\0\0\0"}, 16, ) , Partial, 526, ... TitleIdx=0, Type=1, Data= (304, "Auto", Partial, 526, ... TitleIdx=0, Type=1, Data="0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01685   860   NtQueryValueKey  (304,  (304, "Debugger", Partial, 526, ... TitleIdx=0, Type=1, Data=""\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0V\0i\0s\0u\0a\0l\0 \0S\0t\0u\0d\0i\0o\0\\0C\0o\0m\0m\0o\0n\0\\0M\0S\0D\0e\0v\09\08\0\\0B\0i\0n\0\\0m\0s\0d\0e\0v\0.\0e\0x\0e\0"\0 \0-\0p\0 \0%\0l\0d\0 \0-\0e\0 \0%\0l\0d\0\0\0"}, 184, ) , Partial, 526, ... TitleIdx=0, Type=1, Data=" (304, "Debugger", Partial, 526, ... TitleIdx=0, Type=1, Data=""\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0V\0i\0s\0u\0a\0l\0 \0S\0t\0u\0d\0i\0o\0\\0C\0o\0m\0m\0o\0n\0\\0M\0S\0D\0e\0v\09\08\0\\0B\0i\0n\0\\0m\0s\0d\0e\0v\0.\0e\0x\0e\0"\0 \0-\0p\0 \0%\0l\0d\0 \0-\0e\0 \0%\0l\0d\0\0\0"}, 184, ) \0 \0-\0p\0 \0%\0l\0d\0 \0-\0e\0 \0%\0l\0d\0\0\0"}, 184, ) == 0x0
 01686   860   NtClose  (304, ... ) == 0x0
 01687   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\faultrep.dll"}, 1239748, ... ) }, 1239748, ... ) == 0x0
 01688   860   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\faultrep.dll"}, 5, 96, ... 304, {status=0x0, info=1}, ) }, 5, 96, ... 304, {status=0x0, info=1}, ) == 0x0
 01689   860   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 304, ... 312, ) == 0x0
 01690   860   NtClose  (304, ... ) == 0x0
 01691   860   NtMapViewOfSection  (312, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x2580000), 0x0, 81920, ) == 0x0
 01692   860   NtClose  (312, ... ) == 0x0
 01693   860   NtUnmapViewOfSection  (-1, 0x2580000, ... ) == 0x0
 01694   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\faultrep.dll"}, 1240056, ... ) }, 1240056, ... ) == 0x0
 01695   860   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\faultrep.dll"}, 5, 96, ... 312, {status=0x0, info=1}, ) }, 5, 96, ... 312, {status=0x0, info=1}, ) == 0x0
 01696   860   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 312, ... 304, ) == 0x0
 01697   860   NtQuerySection  (304, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01698   860   NtClose  (312, ... ) == 0x0
 01699   860   NtMapViewOfSection  (304, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x69450000), 0x0, 90112, ) == 0x0
 01700   860   NtClose  (304, ... ) == 0x0
 01701   860   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "VERSION.dll"}, ... 304, ) }, ... 304, ) == 0x0
 01702   860   NtMapViewOfSection  (304, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c00000), 0x0, 32768, ) == 0x0
 01703   860   NtClose  (304, ... ) == 0x0
 01704   860   NtProtectVirtualMemory  (-1, (0x77c01000), 304, 4, ... (0x77c01000), 4096, 32, ) == 0x0
 01705   860   NtProtectVirtualMemory  (-1, (0x77c01000), 4096, 32, ... (0x77c01000), 4096, 4, ) == 0x0
 01706   860   NtFlushInstructionCache  (-1, 2009075712, 304, ... ) == 0x0
 01707   860   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "USERENV.dll"}, ... 304, ) }, ... 304, ) == 0x0
 01708   860   NtMapViewOfSection  (304, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x769c0000), 0x0, 733184, ) == 0x0
 01709   860   NtClose  (304, ... ) == 0x0
 01710   860   NtProtectVirtualMemory  (-1, (0x769c1000), 1244, 4, ... (0x769c1000), 4096, 32, ) == 0x0
 01711   860   NtProtectVirtualMemory  (-1, (0x769c1000), 4096, 32, ... (0x769c1000), 4096, 4, ) == 0x0
 01712   860   NtFlushInstructionCache  (-1, 1989939200, 1244, ... ) == 0x0
 01713   860   NtProtectVirtualMemory  (-1, (0x769c1000), 1244, 4, ... (0x769c1000), 4096, 32, ) == 0x0
 01714   860   NtProtectVirtualMemory  (-1, (0x769c1000), 4096, 32, ... (0x769c1000), 4096, 4, ) == 0x0
 01715   860   NtFlushInstructionCache  (-1, 1989939200, 1244, ... ) == 0x0
 01716   860   NtProtectVirtualMemory  (-1, (0x769c1000), 1244, 4, ... (0x769c1000), 4096, 32, ) == 0x0
 01717   860   NtProtectVirtualMemory  (-1, (0x769c1000), 4096, 32, ... (0x769c1000), 4096, 4, ) == 0x0
 01718   860   NtFlushInstructionCache  (-1, 1989939200, 1244, ... ) == 0x0
 01719   860   NtProtectVirtualMemory  (-1, (0x769c1000), 1244, 4, ... (0x769c1000), 4096, 32, ) == 0x0
 01720   860   NtProtectVirtualMemory  (-1, (0x769c1000), 4096, 32, ... (0x769c1000), 4096, 4, ) == 0x0
 01721   860   NtFlushInstructionCache  (-1, 1989939200, 1244, ... ) == 0x0
 01722   860   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WINSTA.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01723   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WINSTA.dll"}, 1239232, ... ) }, 1239232, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01724   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WINSTA.dll"}, 1239232, ... ) }, 1239232, ... ) == 0x0
 01725   860   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WINSTA.dll"}, 5, 96, ... 304, {status=0x0, info=1}, ) }, 5, 96, ... 304, {status=0x0, info=1}, ) == 0x0
 01726   860   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 304, ... 312, ) == 0x0
 01727   860   NtQuerySection  (312, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01728   860   NtClose  (304, ... ) == 0x0
 01729   860   NtMapViewOfSection  (312, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76360000), 0x0, 65536, ) == 0x0
 01730   860   NtClose  (312, ... ) == 0x0
 01731   860   NtProtectVirtualMemory  (-1, (0x76361000), 212, 4, ... (0x76361000), 4096, 32, ) == 0x0
 01732   860   NtProtectVirtualMemory  (-1, (0x76361000), 4096, 32, ... (0x76361000), 4096, 4, ) == 0x0
 01733   860   NtFlushInstructionCache  (-1, 1983254528, 212, ... ) == 0x0
 01734   860   NtProtectVirtualMemory  (-1, (0x76361000), 212, 4, ... (0x76361000), 4096, 32, ) == 0x0
 01735   860   NtProtectVirtualMemory  (-1, (0x76361000), 4096, 32, ... (0x76361000), 4096, 4, ) == 0x0
 01736   860   NtFlushInstructionCache  (-1, 1983254528, 212, ... ) == 0x0
 01737   860   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "NETAPI32.dll"}, ... 312, ) }, ... 312, ) == 0x0
 01738   860   NtMapViewOfSection  (312, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5b860000), 0x0, 344064, ) == 0x0
 01739   860   NtClose  (312, ... ) == 0x0
 01740   860   NtProtectVirtualMemory  (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0
 01741   860   NtProtectVirtualMemory  (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0
 01742   860   NtFlushInstructionCache  (-1, 1535512576, 1168, ... ) == 0x0
 01743   860   NtProtectVirtualMemory  (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0
 01744   860   NtProtectVirtualMemory  (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0
 01745   860   NtFlushInstructionCache  (-1, 1535512576, 1168, ... ) == 0x0
 01746   860   NtProtectVirtualMemory  (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0
 01747   860   NtProtectVirtualMemory  (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0
 01748   860   NtFlushInstructionCache  (-1, 1535512576, 1168, ... ) == 0x0
 01749   860   NtProtectVirtualMemory  (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0
 01750   860   NtProtectVirtualMemory  (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0
 01751   860   NtFlushInstructionCache  (-1, 1535512576, 1168, ... ) == 0x0
 01752   860   NtProtectVirtualMemory  (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0
 01753   860   NtProtectVirtualMemory  (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0
 01754   860   NtFlushInstructionCache  (-1, 1535512576, 1168, ... ) == 0x0
 01755   860   NtProtectVirtualMemory  (-1, (0x76361000), 212, 4, ... (0x76361000), 4096, 32, ) == 0x0
 01756   860   NtProtectVirtualMemory  (-1, (0x76361000), 4096, 32, ... (0x76361000), 4096, 4, ) == 0x0
 01757   860   NtFlushInstructionCache  (-1, 1983254528, 212, ... ) == 0x0
 01758   860   NtProtectVirtualMemory  (-1, (0x76361000), 212, 4, ... (0x76361000), 4096, 32, ) == 0x0
 01759   860   NtProtectVirtualMemory  (-1, (0x76361000), 4096, 32, ... (0x76361000), 4096, 4, ) == 0x0
 01760   860   NtFlushInstructionCache  (-1, 1983254528, 212, ... ) == 0x0
 01761   860   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WTSAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01762   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WTSAPI32.dll"}, 1239232, ... ) }, 1239232, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01763   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WTSAPI32.dll"}, 1239232, ... ) }, 1239232, ... ) == 0x0
 01764   860   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WTSAPI32.dll"}, 5, 96, ... 312, {status=0x0, info=1}, ) }, 5, 96, ... 312, {status=0x0, info=1}, ) == 0x0
 01765   860   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 312, ... 304, ) == 0x0
 01766   860   NtQuerySection  (304, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01767   860   NtClose  (312, ... ) == 0x0
 01768   860   NtMapViewOfSection  (304, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f50000), 0x0, 32768, ) == 0x0
 01769   860   NtClose  (304, ... ) == 0x0
 01770   860   NtProtectVirtualMemory  (-1, (0x76f51000), 332, 4, ... (0x76f51000), 4096, 32, ) == 0x0
 01771   860   NtProtectVirtualMemory  (-1, (0x76f51000), 4096, 32, ... (0x76f51000), 4096, 4, ) == 0x0
 01772   860   NtFlushInstructionCache  (-1, 1995771904, 332, ... ) == 0x0
 01773   860   NtProtectVirtualMemory  (-1, (0x76f51000), 332, 4, ... (0x76f51000), 4096, 32, ) == 0x0
 01774   860   NtProtectVirtualMemory  (-1, (0x76f51000), 4096, 32, ... (0x76f51000), 4096, 4, ) == 0x0
 01775   860   NtFlushInstructionCache  (-1, 1995771904, 332, ... ) == 0x0
 01776   860   NtProtectVirtualMemory  (-1, (0x76f51000), 332, 4, ... (0x76f51000), 4096, 32, ) == 0x0
 01777   860   NtProtectVirtualMemory  (-1, (0x76f51000), 4096, 32, ... (0x76f51000), 4096, 4, ) == 0x0
 01778   860   NtFlushInstructionCache  (-1, 1995771904, 332, ... ) == 0x0
 01779   860   NtProtectVirtualMemory  (-1, (0x76f51000), 332, 4, ... (0x76f51000), 4096, 32, ) == 0x0
 01780   860   NtProtectVirtualMemory  (-1, (0x76f51000), 4096, 32, ... (0x76f51000), 4096, 4, ) == 0x0
 01781   860   NtFlushInstructionCache  (-1, 1995771904, 332, ... ) == 0x0
 01782   860   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SETUPAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01783   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\SETUPAPI.dll"}, 1239232, ... ) }, 1239232, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01784   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SETUPAPI.dll"}, 1239232, ... ) }, 1239232, ... ) == 0x0
 01785   860   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SETUPAPI.dll"}, 5, 96, ... 304, {status=0x0, info=1}, ) }, 5, 96, ... 304, {status=0x0, info=1}, ) == 0x0
 01786   860   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 304, ... 312, ) == 0x0
 01787   860   NtQuerySection  (312, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01788   860   NtClose  (304, ... ) == 0x0
 01789   860   NtMapViewOfSection  (312, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77920000), 0x0, 995328, ) == 0x0
 01790   860   NtClose  (312, ... ) == 0x0
 01791   860   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 01792   860   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 01793   860   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 01794   860   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 01795   860   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 01796   860   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 01797   860   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 01798   860   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 01799   860   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 01800   860   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 01801   860   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 01802   860   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 01803   860   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 01804   860   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 01805   860   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 01806   860   NtProtectVirtualMemory  (-1, (0x69451000), 736, 4, ... (0x69451000), 4096, 32, ) == 0x0
 01807   860   NtProtectVirtualMemory  (-1, (0x69451000), 4096, 32, ... (0x69451000), 4096, 4, ) == 0x0
 01808   860   NtFlushInstructionCache  (-1, 1766133760, 736, ... ) == 0x0
 01809   860   NtProtectVirtualMemory  (-1, (0x69451000), 736, 4, ... (0x69451000), 4096, 32, ) == 0x0
 01810   860   NtProtectVirtualMemory  (-1, (0x69451000), 4096, 32, ... (0x69451000), 4096, 4, ) == 0x0
 01811   860   NtFlushInstructionCache  (-1, 1766133760, 736, ... ) == 0x0
 01812   860   NtProtectVirtualMemory  (-1, (0x69451000), 736, 4, ... (0x69451000), 4096, 32, ) == 0x0
 01813   860   NtProtectVirtualMemory  (-1, (0x69451000), 4096, 32, ... (0x69451000), 4096, 4, ) == 0x0
 01814   860   NtFlushInstructionCache  (-1, 1766133760, 736, ... ) == 0x0
 01815   860   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VERSION.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01816   860   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USERENV.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01817   860   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 312, ) }, ... 312, ) == 0x0
 01818   860   NtQueryValueKey  (312,  (312, "UserEnvDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01819   860   NtClose  (312, ... ) == 0x0
 01820   860   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 312, ) }, ... 312, ) == 0x0
 01821   860   NtQueryValueKey  (312,  (312, "ChkAccDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01822   860   NtClose  (312, ... ) == 0x0
 01823   860   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Control\ProductOptions"}, ... 312, ) }, ... 312, ) == 0x0
 01824   860   NtQueryValueKey  (312,  (312, "ProductType", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0i\0n\0N\0T\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (312, "ProductType", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0i\0n\0N\0T\0\0\0"}, 24, ) }, 24, ) == 0x0
 01825   860   NtClose  (312, ... ) == 0x0
 01826   860   NtCreateEvent  (0x1f0003, {24, 44, 0x80, 1237824, 0,  (0x1f0003, {24, 44, 0x80, 1237824, 0, "Global\userenv:  User Profile setup event"}, 0, 1, ... 312, ) }, 0, 1, ... 312, ) == STATUS_OBJECT_NAME_EXISTS
 01827   860   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 01828   860   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 01829   860   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 01830   860   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 01831   860   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 01832   860   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 01833   860   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 01834   860   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 01835   860   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 01836   860   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 01837   860   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 01838   860   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 01839   860   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 01840   860   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 01841   860   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 01842   860   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 01843   860   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 01844   860   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 01845   860   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 01846   860   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 01847   860   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 01848   860   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 01849   860   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 01850   860   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 01851   860   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 01852   860   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 01853   860   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01854   860   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 304, ) == 0x0
 01855   860   NtQueryInformationToken  (304, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01856   860   NtClose  (304, ... ) == 0x0
 01857   860   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 304, ) }, ... 304, ) == 0x0
 01858   860   NtOpenKey  (0x20019, {24, 304, 0x40, 0, 0,  (0x20019, {24, 304, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, ... 316, ) }, ... 316, ) == 0x0
 01859   860   NtQueryValueKey  (316,  (316, "Personal", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 66, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (316, "Personal", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 66, ) }, 66, ) == 0x0
 01860   860   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 01861   860   NtQueryValueKey  (316,  (316, "Local Settings", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 70, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (316, "Local Settings", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 70, ) }, 70, ) == 0x0
 01862   860   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 01863   860   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 01864   860   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 01865   860   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 01866   860   NtClose  (316, ... ) == 0x0
 01867   860   NtClose  (304, ... ) == 0x0
 01868   860   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 304, ) }, ... 304, ) == 0x0
 01869   860   NtQueryValueKey  (304,  (304, "RsopDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01870   860   NtClose  (304, ... ) == 0x0
 01871   860   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 304, ) }, ... 304, ) == 0x0
 01872   860   NtQueryValueKey  (304,  (304, "UserEnvDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01873   860   NtQueryValueKey  (304,  (304, "RsopLogging", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01874   860   NtClose  (304, ... ) == 0x0
 01875   860   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\System"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01876   860   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 304, ) }, ... 304, ) == 0x0
 01877   860   NtQueryValueKey  (304,  (304, "UserEnvDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01878   860   NtClose  (304, ... ) == 0x0
 01879   860   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\System"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01880   860   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NETAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01881   860   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WINSTA.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01882   860   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WTSAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01883   860   NtQueryPerformanceCounter  (... {927599555, 10}, {3579545, 0}, ) == 0x0
 01884   860   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUPAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01885   860   NtQueryDefaultLocale  (1, 1239952, ... ) == 0x0
 01886   860   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 01887   860   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "System\Setup"}, ... 304, ) }, ... 304, ) == 0x0
 01888   860   NtQueryValueKey  (304,  (304, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (304, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01889   860   NtClose  (304, ... ) == 0x0
 01890   860   NtUserGetProcessWindowStation  (... ) == 0x1c
 01891   860   NtUserGetObjectInformation  (28, 1, 1239548, 12, 1239560, ... ) == 0x1
 01892   860   NtOpenKey  (0xf003f, {24, 16, 0x40, 0, 0,  (0xf003f, {24, 16, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\MiniNT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01893   860   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "System\WPA\PnP"}, ... 304, ) }, ... 304, ) == 0x0
 01894   860   NtQueryValueKey  (304,  (304, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\240d\351\211"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (304, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\240d\351\211"}, 16, ) }, 16, ) == 0x0
 01895   860   NtClose  (304, ... ) == 0x0
 01896   860   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "SYSTEM\Setup"}, ... 304, ) }, ... 304, ) == 0x0
 01897   860   NtQueryValueKey  (304,  (304, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0
 01898   860   NtQueryValueKey  (304,  (304, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0
 01899   860   NtClose  (304, ... ) == 0x0
 01900   860   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "SYSTEM\Setup"}, ... 304, ) }, ... 304, ) == 0x0
 01901   860   NtQueryValueKey  (304,  (304, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0
 01902   860   NtQueryValueKey  (304,  (304, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0
 01903   860   NtClose  (304, ... ) == 0x0
 01904   860   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 304, ) }, ... 304, ) == 0x0
 01905   860   NtQueryValueKey  (304,  (304, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 01906   860   NtQueryValueKey  (304,  (304, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 01907   860   NtClose  (304, ... ) == 0x0
 01908   860   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 304, ) }, ... 304, ) == 0x0
 01909   860   NtQueryValueKey  (304,  (304, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 01910   860   NtQueryValueKey  (304,  (304, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 01911   860   NtClose  (304, ... ) == 0x0
 01912   860   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 304, ) }, ... 304, ) == 0x0
 01913   860   NtQueryValueKey  (304,  (304, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) }, 102, ) == 0x0
 01914   860   NtQueryValueKey  (304,  (304, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) }, 102, ) == 0x0
 01915   860   NtClose  (304, ... ) == 0x0
 01916   860   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 304, ) }, ... 304, ) == 0x0
 01917   860   NtQueryValueKey  (304,  (304, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (304, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0
 01918   860   NtQueryValueKey  (304,  (304, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (304, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0
 01919   860   NtClose  (304, ... ) == 0x0
 01920   860   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 304, ) }, ... 304, ) == 0x0
 01921   860   NtQueryValueKey  (304,  (304, "DevicePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01922   860   NtQueryValueKey  (304,  (304, "DevicePath", Partial, 346, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0c\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0r\0i\0c\0h\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0c\0e\0r\0c\0s\0r\06\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\03\02\00\0r\0a\0i\0d\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0i\0a\0s\0t\0o\0r\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0n\0v\0r\0a\0i\0d\0\0\0"}, 346, ) , Partial, 346, ... TitleIdx=0, Type=2, Data= (304, "DevicePath", Partial, 346, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0c\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0r\0i\0c\0h\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0c\0e\0r\0c\0s\0r\06\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\03\02\00\0r\0a\0i\0d\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0i\0a\0s\0t\0o\0r\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0n\0v\0r\0a\0i\0d\0\0\0"}, 346, ) }, 346, ) == 0x0
 01923   860   NtAllocateVirtualMemory  (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0
 01924   860   NtClose  (304, ... ) == 0x0
 01925   860   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 304, ) == 0x0
 01926   860   NtCreateMutant  (0x1f0001, 0x0, 0, ... 316, ) == 0x0
 01927   860   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 320, ) == 0x0
 01928   860   NtCreateMutant  (0x1f0001, 0x0, 0, ... 324, ) == 0x0
 01929   860   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 328, ) == 0x0
 01930   860   NtCreateMutant  (0x1f0001, 0x0, 0, ... 332, ) == 0x0
 01931   860   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 336, ) }, ... 336, ) == 0x0
 01932   860   NtQueryValueKey  (336,  (336, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (336, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01933   860   NtQueryValueKey  (336,  (336, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (336, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01934   860   NtQueryValueKey  (336,  (336, "LogPath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01935   860   NtOpenKey  (0x1, {24, 336, 0x40, 0, 0,  (0x1, {24, 336, 0x40, 0, 0, "AppLogLevels"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01936   860   NtClose  (336, ... ) == 0x0
 01937   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 1239464, ... ) }, 1239464, ... ) == 0x0
 01938   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName"}, ... 336, ) }, ... 336, ) == 0x0
 01939   860   NtQueryValueKey  (336,  (336, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (336, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Data= (336, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) }, 60, ) == 0x0
 01940   860   NtClose  (336, ... ) == 0x0
 01941   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 336, ) }, ... 336, ) == 0x0
 01942   860   NtQueryValueKey  (336,  (336, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (336, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) , Data= (336, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) }, 52, ) == 0x0
 01943   860   NtClose  (336, ... ) == 0x0
 01944   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\System\DNSclient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01945   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 336, ) }, ... 336, ) == 0x0
 01946   860   NtQueryValueKey  (336,  (336, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (336, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Data= (336, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) }, 34, ) == 0x0
 01947   860   NtClose  (336, ... ) == 0x0
 01948   860   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\faultrep.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01949   860   NtOpenKey  (0x20119, {24, 16, 0x40, 0, 0,  (0x20119, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\PCHealth\ErrorReporting"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01950   860   NtCreateKey  (0x20119, {24, 16, 0x40, 0, 0,  (0x20119, {24, 16, 0x40, 0, 0, "Software\Microsoft\PCHealth\ErrorReporting"}, 0, 0x0, 0, ... 336, 2, ) }, 0, 0x0, 0, ... 336, 2, ) == 0x0
 01951   860   NtOpenKey  (0x10000, {24, 336, 0x40, 0, 0,  (0x10000, {24, 336, 0x40, 0, 0, "DW"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01952   860   NtQueryValueKey  (336,  (336, "DoReport", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (336, "DoReport", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01953   860   NtQueryValueKey  (336,  (336, "ShowUI", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (336, "ShowUI", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01954   860   NtQueryValueKey  (336,  (336, "AllOrNone", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (336, "AllOrNone", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01955   860   NtQueryValueKey  (336,  (336, "IncludeMicrosoftApps", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (336, "IncludeMicrosoftApps", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01956   860   NtQueryValueKey  (336,  (336, "IncludeWindowsApps", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (336, "IncludeWindowsApps", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01957   860   NtQueryValueKey  (336,  (336, "DoTextLog", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01958   860   NtQueryValueKey  (336,  (336, "IncludeKernelFaults", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (336, "IncludeKernelFaults", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01959   860   NtQueryValueKey  (336,  (336, "IncludeShutdownErrs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01960   860   NtQueryValueKey  (336,  (336, "NumberOfFaultPipes", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01961   860   NtQueryValueKey  (336,  (336, "NumberOfHangPipes", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01962   860   NtQueryValueKey  (336,  (336, "MaxUserQueueSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01963   860   NtQueryValueKey  (336,  (336, "ForceQueueMode", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01964   860   NtCreateKey  (0x20119, {24, 336, 0x40, 0, 0,  (0x20119, {24, 336, 0x40, 0, 0, "ExclusionList"}, 0, 0x0, 0, ... 340, 2, ) }, 0, 0x0, 0, ... 340, 2, ) == 0x0
 01965   860   NtCreateKey  (0x20119, {24, 336, 0x40, 0, 0,  (0x20119, {24, 336, 0x40, 0, 0, "InclusionList"}, 0, 0x0, 0, ... 344, 2, ) }, 0, 0x0, 0, ... 344, 2, ) == 0x0
 01966   860   NtClose  (336, ... ) == 0x0
 01967   860   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "System\Setup"}, ... 336, ) }, ... 336, ) == 0x0
 01968   860   NtQueryValueKey  (336,  (336, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (336, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01969   860   NtClose  (336, ... ) == 0x0
 01970   860   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01971   860   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01972   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1236992, ... ) }, 1236992, ... ) == 0x0
 01973   860   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\"}, 3, 16417, ... 336, {status=0x0, info=1}, ) }, 3, 16417, ... 336, {status=0x0, info=1}, ) == 0x0
 01974   860   NtQueryDirectoryFile  (336, 0, 0, 0, 1236420, 616, BothDirectory, 1,  (336, 0, 0, 0, 1236420, 616, BothDirectory, 1, "work", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01975   860   NtClose  (336, ... ) == 0x0
 01976   860   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work\"}, 3, 16417, ... 336, {status=0x0, info=1}, ) }, 3, 16417, ... 336, {status=0x0, info=1}, ) == 0x0
 01977   860   NtQueryDirectoryFile  (336, 0, 0, 0, 1236420, 616, BothDirectory, 1,  (336, 0, 0, 0, 1236420, 616, BothDirectory, 1, "packed.exe", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0
 01978   860   NtClose  (336, ... ) == 0x0
 01979   860   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01980   860   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01981   860   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01982   860   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01983   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1235640, ... ) }, 1235640, ... ) == 0x0
 01984   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1234412, ... ) }, 1234412, ... ) == 0x0
 01985   860   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01986   860   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01987   860   NtQueryValueKey  (340,  (340, "packed.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01988   860   NtOpenThreadToken  (-2, 0x2000c, 1, ... ) == STATUS_NO_TOKEN
 01989   860   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01990   860   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01991   860   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01992   860   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 336, ) }, ... 336, ) == 0x0
 01993   860   NtQueryValueKey  (336,  (336, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01994   860   NtClose  (336, ... ) == 0x0
 01995   860   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01996   860   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 336, ) == 0x0
 01997   860   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 348, ) == 0x0
 01998   860   NtQuerySystemTime  (... {-589599562, 29917446}, ) == 0x0
 01999   860   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 352, ) == 0x0
 02000   860   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02001   860   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0
 02002   860   NtQueryInformationProcess  (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0
 02003   860   NtQueryInformationProcess  (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0
 02004   860   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 356, ) == 0x0
 02005   860   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 360, ) == 0x0
 02006   860   NtAllocateVirtualMemory  (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0
 02007   860   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... 364, {status=0x0, info=0}, ) }, 7, 16, ... 364, {status=0x0, info=0}, ) == 0x0
 02008   860   NtDeviceIoControlFile  (364, 0, 0x0, 0x0, 0x390008,  (364, 0, 0x0, 0x0, 0x390008, "\315\203\232\233/\271\235\230\370\374\5\355\342l@\374\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 02009   860   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 02010   860   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 02011   860   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 02012   860   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 02013   860   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 02014   860   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 02015   860   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 02016   860   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482740, 2, ) }, 0, 0x0, 0, ... -2147482740, 2, ) == 0x0
 02017   860   NtSetValueKey  (-2147482740,  (-2147482740, "Seed", 0, 3, "\205\231\362\226\213\222\337\336\27Wa\37\305*u;\10#\276\277B\355\355\252\377\361\334\253\202\247\0\300R\230\351\3\206\376)\243\0\3461\335\272\222\377\215\177\201\36z\315\240\5\247\215\177\342I\302=\375\320\301\263\255\1\257\32"&\244\10]\3254\361\236", 80, ... ) , 0, 3,  (-2147482740, "Seed", 0, 3, "\205\231\362\226\213\222\337\336\27Wa\37\305*u;\10#\276\277B\355\355\252\377\361\334\253\202\247\0\300R\230\351\3\206\376)\243\0\3461\335\272\222\377\215\177\201\36z\315\240\5\247\215\177\342I\302=\375\320\301\263\255\1\257\32"&\244\10]\3254\361\236", 80, ... ) &\244\10]\3254\361\236", 80, ... ) == 0x0
 02018   860   NtClose  (-2147482740, ... ) == 0x0
 02008   860   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\211\162Q\.\3\2\244L\263 \235e\305\331\137\374`\3\251B\234\374\321z!\257y\272\202\25j\251z\232G\215;\270u6\271o\227\2363\30\36\250\36\12@\307\205\300\324\321\253\343\335L\311\271\36\230D\224\216\214L\2116\3A\207,\206\322\1|R\271G\\236j;j\322*\215\313\234\375\263\376\341`\25\16\262\241\310\210y\261l%\264j]\24\367\0\274\L\247\244\373\271\364\362\206\341\3246VJ\203\305\333`\347$\221\230)O\326\253T\357\2055\212\261%\252&\6\271\344\300\34\366p\1\350\236\212\7Lw\365\2\352jn^Qy\273\\304\227v\323\223\247\213x\205\263\4M\226\16\212\373z/\355\5\24\32\257\24\13\234\262P\277P\253(\6)\274", ) , ) == 0x0
 02019   860   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 368, ) == 0x0
 02020   860   NtConnectPort  ( ("\RPC Control\IcaApi", {12, 2, 1, 0}, 0x0, 0x0, 1234784, 188, ... 372, 0x0, 0x0, 0x0, 188, ) , {12, 2, 1, 0}, 0x0, 0x0, 1234784, 188, ... 372, 0x0, 0x0, 0x0, 188, ) == 0x0
 02021   860   NtRequestWaitReplyPort  (372, {200, 224, new_msg, 0, 2621478, 1346952, 12, 2}  (372, {200, 224, new_msg, 0, 2621478, 1346952, 12, 2} "\0\0\24\0 \4\24\0\274\0\0\0`\247\244\\261\353\317\21\206\21\0\240$T \355\1\0\0\0\1\0\0\0\0\0\2\0\4\0\0\0\260/\24\0\1\0\0\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\1\0\0\08:\221/\205q\365\235X\215\24\0d\1\24\0\12\0\0\0\0\0\0\0X\215\24\0(\0\0\0`\215\24\0\270\261\36\234 \4\24\0(\0\0\0\272\30\0\0\0\0\24\0\274\325\22\0U\0\0\0\0\0\0\0\300H\24\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\340\325\22\0\372\31\221|t\335\22\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ... {200, 224, reply, 0, 464, 860, 58000, 0} "\7\0\24\0 \4\24\0\274\0\0\0`\247\244\\261\353\317\21\206\21\0\240$T \355\1\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\260/\24\0\377\377\377\377\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\1\0\0\08:\221/\205q\365\235X\215\24\0d\1\24\0\12\0\0\0\0\0\0\0X\215\24\0(\0\0\0`\215\24\0\270\261\36\234 \4\24\0(\0\0\0\272\30\0\0\0\0\24\0\274\325\22\0U\0\0\0\0\0\0\0\300H\24\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\340\325\22\0\372\31\221|t\335\22\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" )  ... {200, 224, reply, 0, 464, 860, 58000, 0}  (372, {200, 224, new_msg, 0, 2621478, 1346952, 12, 2} "\0\0\24\0 \4\24\0\274\0\0\0`\247\244\\261\353\317\21\206\21\0\240$T \355\1\0\0\0\1\0\0\0\0\0\2\0\4\0\0\0\260/\24\0\1\0\0\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\1\0\0\08:\221/\205q\365\235X\215\24\0d\1\24\0\12\0\0\0\0\0\0\0X\215\24\0(\0\0\0`\215\24\0\270\261\36\234 \4\24\0(\0\0\0\272\30\0\0\0\0\24\0\274\325\22\0U\0\0\0\0\0\0\0\300H\24\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\340\325\22\0\372\31\221|t\335\22\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ... {200, 224, reply, 0, 464, 860, 58000, 0} "\7\0\24\0 \4\24\0\274\0\0\0`\247\244\\261\353\317\21\206\21\0\240$T \355\1\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\260/\24\0\377\377\377\377\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\1\0\0\08:\221/\205q\365\235X\215\24\0d\1\24\0\12\0\0\0\0\0\0\0X\215\24\0(\0\0\0`\215\24\0\270\261\36\234 \4\24\0(\0\0\0\272\30\0\0\0\0\24\0\274\325\22\0U\0\0\0\0\0\0\0\300H\24\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\340\325\22\0\372\31\221|t\335\22\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" )  ) == 0x0
 02022   860   NtRequestWaitReplyPort  (372, {32, 56, new_msg, 0, 0, 0, 0, 0}  (372, {32, 56, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\3\0\0`\247\244\\261\353\317\21\206\21\0\240$T \355\377\377\377\377\0\0\0\0" ... {124, 148, reply, 0, 464, 860, 58001, 0} "\2\356Q\200\1\0\0\0\30b\202\201\0\260\375\177\220k\364\367\370\37`\300lk\364\367X\353Q\200\0\0\0\0\0\0\0\0)%\25E?>\A\250\245\22\360\331E\16S\1\300\375\177(l\364\367\253\362Q\200\324k\364\367\300\250U\200aFT\200\0\0\0\0h\242\250\201\0;\251\201\1`\202\201\0\0\0\0\0\376?\300\344\243n\371\20W\271\201\2\0\0\0\240V\271\201\240V\271\201" )  ... {124, 148, reply, 0, 464, 860, 58001, 0}  (372, {32, 56, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\3\0\0`\247\244\\261\353\317\21\206\21\0\240$T \355\377\377\377\377\0\0\0\0" ... {124, 148, reply, 0, 464, 860, 58001, 0} "\2\356Q\200\1\0\0\0\30b\202\201\0\260\375\177\220k\364\367\370\37`\300lk\364\367X\353Q\200\0\0\0\0\0\0\0\0)%\25E?>\A\250\245\22\360\331E\16S\1\300\375\177(l\364\367\253\362Q\200\324k\364\367\300\250U\200aFT\200\0\0\0\0h\242\250\201\0;\251\201\1`\202\201\0\0\0\0\0\376?\300\344\243n\371\20W\271\201\2\0\0\0\240V\271\201\240V\271\201" )  ) == 0x0
 02023   860   NtAllocateVirtualMemory  (-1, 1347584, 0, 4096, 4096, 4, ... 1347584, 4096, ) == 0x0
 02024   860   NtRequestWaitReplyPort  (372, {44, 68, new_msg, 56, 464, 860, 58001, 0}  (372, {44, 68, new_msg, 56, 464, 860, 58001, 0} "\1\356\0\0B\2\5\0\30b\202\201\0\260\375\177\220k\364\367\370\37`\300\377\377\377\377X\353Q\200\1\0\0\0\10\220\24\0\10\5\0\0" ... {40, 64, reply, 0, 464, 860, 58002, 0} "\2\376\255\201\4\0\0\0\200Y\274\201V\347\340\341\264\311\275\201:\332R\200X;\350\371\324\376\255\201\14\5\0\0\320\371\15\0" )  ... {40, 64, reply, 0, 464, 860, 58002, 0}  (372, {44, 68, new_msg, 56, 464, 860, 58001, 0} "\1\356\0\0B\2\5\0\30b\202\201\0\260\375\177\220k\364\367\370\37`\300\377\377\377\377X\353Q\200\1\0\0\0\10\220\24\0\10\5\0\0" ... {40, 64, reply, 0, 464, 860, 58002, 0} "\2\376\255\201\4\0\0\0\200Y\274\201V\347\340\341\264\311\275\201:\332R\200X;\350\371\324\376\255\201\14\5\0\0\320\371\15\0" )  ) == 0x0
 02025   860   NtRequestWaitReplyPort  (372, {64, 88, new_msg, 56, 1347312, 1235360, 1347584, 0}  (372, {64, 88, new_msg, 56, 1347312, 1235360, 1347584, 0} "\10\0\0\0@\0\1\1\0\2\0\0\230\330\22\0\10\220\24\0\264\335\22\0\30\356\220|p\5\221|\1\0\0\0\10\220\24\0\14\5\0\0\14\5\0\0\320\371\15\0\0\0\0\0\0\0\0\0\273f\347w" ... {64, 88, reply, 56, 464, 860, 58003, 0} "\10\0\0\0@\0\1\1\0\2\0\0\230\330\22\0\10\220\24\0\264\335\22\0\30\356\220|p\5\221|\1\0\0\0\10\220\24\0\14\5\0\0\14\5\0\0\320\371\15\0\0\0\0\0\0\0\0\0\273f\347w" )  ... {64, 88, reply, 56, 464, 860, 58003, 0}  (372, {64, 88, new_msg, 56, 1347312, 1235360, 1347584, 0} "\10\0\0\0@\0\1\1\0\2\0\0\230\330\22\0\10\220\24\0\264\335\22\0\30\356\220|p\5\221|\1\0\0\0\10\220\24\0\14\5\0\0\14\5\0\0\320\371\15\0\0\0\0\0\0\0\0\0\273f\347w" ... {64, 88, reply, 56, 464, 860, 58003, 0} "\10\0\0\0@\0\1\1\0\2\0\0\230\330\22\0\10\220\24\0\264\335\22\0\30\356\220|p\5\221|\1\0\0\0\10\220\24\0\14\5\0\0\14\5\0\0\320\371\15\0\0\0\0\0\0\0\0\0\273f\347w" )  ) == 0x0
 02026   860   NtRequestWaitReplyPort  (372, {44, 68, new_msg, 56, 464, 860, 58002, 0}  (372, {44, 68, new_msg, 56, 464, 860, 58002, 0} "\1\376\0\0B\2\5\0\200Y\274\201V\347\340\341\264\311\275\201:\332R\200\377\377\377\377\324\376\255\201\1\0\0\0\10\220\24\0\10\5\0\0" ... {40, 64, reply, 0, 464, 860, 58004, 0} "\2\356Q\200\4\0\0\0\30b\202\201\0\260\375\177\220k\364\367\370\37`\300lk\364\367X\353Q\200\14\5\0\0\320\371\15\0" )  ... {40, 64, reply, 0, 464, 860, 58004, 0}  (372, {44, 68, new_msg, 56, 464, 860, 58002, 0} "\1\376\0\0B\2\5\0\200Y\274\201V\347\340\341\264\311\275\201:\332R\200\377\377\377\377\324\376\255\201\1\0\0\0\10\220\24\0\10\5\0\0" ... {40, 64, reply, 0, 464, 860, 58004, 0} "\2\356Q\200\4\0\0\0\30b\202\201\0\260\375\177\220k\364\367\370\37`\300lk\364\367X\353Q\200\14\5\0\0\320\371\15\0" )  ) == 0x0
 02027   860   NtRequestWaitReplyPort  (372, {64, 88, new_msg, 56, 1347312, 1235360, 1347584, 0}  (372, {64, 88, new_msg, 56, 1347312, 1235360, 1347584, 0} "\10\0\0\0@\0\1\1\0\2\0\0\230\330\22\0\10\220\24\0\264\335\22\0\30\356\220|p\5\221|\1\0\0\0\10\220\24\0\14\5\0\0\14\5\0\0\320\371\15\0\0\0\0\0\0\0\0\0\273f\347w" ... {64, 88, reply, 56, 464, 860, 58005, 0} "\10\0\0\0@\0\1\1\0\2\0\0\230\330\22\0\10\220\24\0\264\335\22\0\30\356\220|p\5\221|\1\0\0\0\10\220\24\0\14\5\0\0\14\5\0\0\320\371\15\0\0\0\0\0\0\0\0\0\273f\347w" )  ... {64, 88, reply, 56, 464, 860, 58005, 0}  (372, {64, 88, new_msg, 56, 1347312, 1235360, 1347584, 0} "\10\0\0\0@\0\1\1\0\2\0\0\230\330\22\0\10\220\24\0\264\335\22\0\30\356\220|p\5\221|\1\0\0\0\10\220\24\0\14\5\0\0\14\5\0\0\320\371\15\0\0\0\0\0\0\0\0\0\273f\347w" ... {64, 88, reply, 56, 464, 860, 58005, 0} "\10\0\0\0@\0\1\1\0\2\0\0\230\330\22\0\10\220\24\0\264\335\22\0\30\356\220|p\5\221|\1\0\0\0\10\220\24\0\14\5\0\0\14\5\0\0\320\371\15\0\0\0\0\0\0\0\0\0\273f\347w" )  ) == 0x0
 02028   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 376, ) }, ... 376, ) == 0x0
 02029   860   NtOpenKey  (0x20019, {24, 376, 0x40, 0, 0,  (0x20019, {24, 376, 0x40, 0, 0, "ActiveComputerName"}, ... 380, ) }, ... 380, ) == 0x0
 02030   860   NtQueryValueKey  (380,  (380, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (380, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Data= (380, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) }, 60, ) == 0x0
 02031   860   NtClose  (380, ... ) == 0x0
 02032   860   NtClose  (376, ... ) == 0x0
 02033   860   NtCreateIoCompletion  (0x1f0003, 0x0, 0, ... 376, ) == 0x0
 02034   860   NtCreateIoCompletion  (0x1f0003, 0x0, -1, ... 380, ) == 0x0
 02035   860   NtDuplicateObject  (-1, 376, -1, 0x0, 0, 2, ... 384, ) == 0x0
 02036   860   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02037   860   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 388, ) == 0x0
 02038   860   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02039   860   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02040   860   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1234820,  (0xc0100080, {24, 0, 0x40, 0, 1234820, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 392, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 392, {status=0x0, info=1}, ) == 0x0
 02041   860   NtSetInformationFile  (392, 1234876, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 02042   860   NtSetInformationFile  (392, 1234864, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 02043   860   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02044   860   NtWriteFile  (392, 357, 0, 0,  (392, 357, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 02045   860   NtReadFile  (392, 357, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (392, 357, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20,+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 02046   860   NtFsControlFile  (392, 357, 0x0, 0x0, 0x11c017,  (392, 357, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0L\336\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20,+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (392, 357, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0L\336\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20,+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 02047   860   NtFsControlFile  (392, 357, 0x0, 0x0, 0x11c017,  (392, 357, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\214\0\0\0\2\0\0\0t\0\0\0\0\0D\0\0\0\0\0\24\316\274T\274\235tH\233\354\372\234W@\301\22\1\0\0\0\1\0\0\0,\0.\0\0\341\22\0\27\0\0\0\0\0\0\0\26\0\0\0V\0I\0R\0T\0U\0A\0L\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 140, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\24\316\274T\274\235tH\233\354\372\234W@\301\22\0\0\0\0", ) , 140, 1024, ... {status=0x103, info=48},  (392, 357, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\214\0\0\0\2\0\0\0t\0\0\0\0\0D\0\0\0\0\0\24\316\274T\274\235tH\233\354\372\234W@\301\22\1\0\0\0\1\0\0\0,\0.\0\0\341\22\0\27\0\0\0\0\0\0\0\26\0\0\0V\0I\0R\0T\0U\0A\0L\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 140, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\24\316\274T\274\235tH\233\354\372\234W@\301\22\0\0\0\0", ) , ) == 0x103
 02048   860   NtFsControlFile  (392, 357, 0x0, 0x0, 0x11c017,  (392, 357, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\24\316\274T\274\235tH\233\354\372\234W@\301\22", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\200\233\24\0\1\0\0\0\214\233\24\0 \0\0\0\1\0\0\0\16\0\20\0\230\233\24\0\250\233\24\0\10\0\0\0\0\0\0\0\7\0\0\0V\0I\0R\0T\0U\0A\0L\0\0\5\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\1\0\0\0\350\233\24\0\1\0\0\0\1\0\0\0\370\233\24\0\0\0\0\0\0\0\0\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\353\3\0\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=180},  (392, 357, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\24\316\274T\274\235tH\233\354\372\234W@\301\22", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\200\233\24\0\1\0\0\0\214\233\24\0 \0\0\0\1\0\0\0\16\0\20\0\230\233\24\0\250\233\24\0\10\0\0\0\0\0\0\0\7\0\0\0V\0I\0R\0T\0U\0A\0L\0\0\5\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\1\0\0\0\350\233\24\0\1\0\0\0\1\0\0\0\370\233\24\0\0\0\0\0\0\0\0\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\353\3\0\0\1\0\0\0\0\0\0\0", ) , ) == 0x103
 02049   860   NtClose  (388, ... ) == 0x0
 02050   860   NtClose  (392, ... ) == 0x0
 02051   860   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02052   860   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 392, ) == 0x0
 02053   860   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02054   860   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02055   860   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1234792,  (0xc0100080, {24, 0, 0x40, 0, 1234792, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 388, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 388, {status=0x0, info=1}, ) == 0x0
 02056   860   NtSetInformationFile  (388, 1234848, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 02057   860   NtSetInformationFile  (388, 1234836, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 02058   860   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02059   860   NtWriteFile  (388, 357, 0, 0,  (388, 357, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 02060   860   NtReadFile  (388, 357, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (388, 357, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20-+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 02061   860   NtFsControlFile  (388, 357, 0x0, 0x0, 0x11c017,  (388, 357, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\336\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20-+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (388, 357, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\336\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20-+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 02062   860   NtFsControlFile  (388, 357, 0x0, 0x0, 0x11c017,  (388, 357, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\214\0\0\0\2\0\0\0t\0\0\0\0\0D\0\0\0\0\0\2169\4V\276h{J\225\236o\243\366\340=\216\1\0\0\0\1\0\0\0,\0.\0\0\341\22\0\27\0\0\0\0\0\0\0\26\0\0\0V\0I\0R\0T\0U\0A\0L\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 140, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\2169\4V\276h{J\225\236o\243\366\340=\216\0\0\0\0", ) , 140, 1024, ... {status=0x103, info=48},  (388, 357, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\214\0\0\0\2\0\0\0t\0\0\0\0\0D\0\0\0\0\0\2169\4V\276h{J\225\236o\243\366\340=\216\1\0\0\0\1\0\0\0,\0.\0\0\341\22\0\27\0\0\0\0\0\0\0\26\0\0\0V\0I\0R\0T\0U\0A\0L\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 140, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\2169\4V\276h{J\225\236o\243\366\340=\216\0\0\0\0", ) , ) == 0x103
 02063   860   NtFsControlFile  (388, 357, 0x0, 0x0, 0x11c017,  (388, 357, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\2169\4V\276h{J\225\236o\243\366\340=\216", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\200\233\24\0\1\0\0\0\214\233\24\0 \0\0\0\1\0\0\0\16\0\20\0\230\233\24\0\250\233\24\0\10\0\0\0\0\0\0\0\7\0\0\0V\0I\0R\0T\0U\0A\0L\0\0\5\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\1\0\0\0\350\233\24\0\1\0\0\0\1\0\0\0\370\233\24\0\0\0\0\0\0\0\0\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\353\3\0\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=180},  (388, 357, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\2169\4V\276h{J\225\236o\243\366\340=\216", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\200\233\24\0\1\0\0\0\214\233\24\0 \0\0\0\1\0\0\0\16\0\20\0\230\233\24\0\250\233\24\0\10\0\0\0\0\0\0\0\7\0\0\0V\0I\0R\0T\0U\0A\0L\0\0\5\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\1\0\0\0\350\233\24\0\1\0\0\0\1\0\0\0\370\233\24\0\0\0\0\0\0\0\0\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\353\3\0\0\1\0\0\0\0\0\0\0", ) , ) == 0x103
 02064   860   NtClose  (392, ... ) == 0x0
 02065   860   NtClose  (388, ... ) == 0x0
 02066   860   NtOpenProcessToken  (-1, 0x20008, ... 388, ) == 0x0
 02067   860   NtQueryInformationToken  (388, User, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 02068   860   NtQueryInformationToken  (388, User, 36, ... {token info, class 1, size 36}, 36, ) == 0x0
 02069   860   NtOpenDirectoryObject  (0x2, {24, 0, 0x40, 0, 0,  (0x2, {24, 0, 0x40, 0, 0, "\Windows\WindowStations"}, ... 392, ) }, ... 392, ) == 0x0
 02070   860   NtUserOpenWindowStation  ({24, 392, 0x40, 0, 0,  ({24, 392, 0x40, 0, 0, "winsta0"}, 0x37f, ... ) }, 0x37f, ... ) == 0x18c
 02071   860   NtClose  (392, ... ) == 0x0
 02072   860   NtUserCloseWindowStation  (396, ...
 02073   860   NtClose  (396, ... ) == 0x0
 02072   860   NtUserCloseWindowStation  ... ) == 0x1
 02074   860   NtClose  (388, ... ) == 0x0
 02075   860   NtCreateEvent  (0x1f0003, {24, 0, 0x2, 0, 0, 0x0}, 1, 0, ... 388, ) == 0x0
 02076   860   NtCreateEvent  (0x1f0003, {24, 0, 0x2, 0, 0, 0x0}, 1, 0, ... 396, ) == 0x0
 02077   860   NtCreateMutant  (0x1f0001, {24, 0, 0x2, 0, 0, 0x0}, 0, ... 392, ) == 0x0
 02078   860   NtDuplicateObject  (-1, -1, -1, 0x1f0fff, 2, 0, ... 400, ) == 0x0
 02079   860   NtCreateSection  (0xf0007, {24, 0, 0x2, 0, 0, 0x0}, {7248, 0}, 4, 134217728, 0, ... 404, ) == 0x0
 02080   860   NtMapViewOfSection  (404, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2560000), {0, 0}, 8192, ) == 0x0
 02081   860   NtQueryDefaultUILanguage  (1235484, ...
 02082   860   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02083   860   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482740, ) == 0x0
 02084   860   NtQueryInformationToken  (-2147482740, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02085   860   NtClose  (-2147482740, ... ) == 0x0
 02086   860   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0
 02087   860   NtOpenKey  (0x80000000, {24, -2147482740, 0x240, 0, 0,  (0x80000000, {24, -2147482740, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02088   860   NtOpenKey  (0x80000000, {24, -2147482740, 0x640, 0, 0,  (0x80000000, {24, -2147482740, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481328, ) }, ... -2147481328, ) == 0x0
 02089   860   NtQueryValueKey  (-2147481328,  (-2147481328, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02090   860   NtClose  (-2147481328, ... ) == 0x0
 02091   860   NtClose  (-2147482740, ... ) == 0x0
 02081   860   NtQueryDefaultUILanguage  ... ) == 0x0
 02092   860   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02093   860   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02094   860   NtAllocateVirtualMemory  (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0
 02095   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1233728, ... ) }, 1233728, ... ) == 0x0
 02096   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1232500, ... ) }, 1232500, ... ) == 0x0
 02097   860   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02098   860   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02099   860   NtCreateFile  (0x10100080, {24, 0, 0x40, 0, 1234836,  (0x10100080, {24, 0, 0x40, 0, 1234836, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\a28_appcompat.txt"}, 0x0, 128, 0, 2, 96, 0, 0, ... }, 0x0, 128, 0, 2, 96, 0, 0, ...
 02100   860   NtQueryDirectoryFile  (-2147482740, 0, 0, 0, -518905856, 4096, Names, 1,  (-2147482740, 0, 0, 0, -518905856, 4096, Names, 1, "DOCUME~1", 1, ... {status=0x0, info=56}, ) , 1, ... {status=0x0, info=56}, ) == 0x0
 02101   860   NtClose  (-2147482740, ... ) == 0x0
 02102   860   NtQueryDirectoryFile  (-2147482740, 0, 0, 0, -518905856, 4096, Names, 1,  (-2147482740, 0, 0, 0, -518905856, 4096, Names, 1, "MARTIM~1", 1, ... {status=0x0, info=40}, ) , 1, ... {status=0x0, info=40}, ) == 0x0
 02103   860   NtClose  (-2147482740, ... ) == 0x0
 02104   860   NtQueryDirectoryFile  (-2147482740, 0, 0, 0, -518905856, 4096, Names, 1,  (-2147482740, 0, 0, 0, -518905856, 4096, Names, 1, "LOCALS~1", 1, ... {status=0x0, info=40}, ) , 1, ... {status=0x0, info=40}, ) == 0x0
 02105   860   NtClose  (-2147482740, ... ) == 0x0
 02099   860   NtCreateFile  ... 408, {status=0x0, info=2}, ) == 0x0
 02106   860   NtClose  (408, ... ) == 0x0
 02107   860   NtCreateSection  (0xf001f, 0x0, {4194304, 0}, 4, 67108864, 0, ... 408, ) == 0x0
 02108   860   NtMapViewOfSection  (408, -1, (0x0), 0, 0, 0x0, 4194304, 2, 0, 4, ... (0x2960000), 0x0, 4194304, ) == 0x0
 02109   860   NtAllocateVirtualMemory  (-1, 43384832, 0, 1, 4096, 4, ... 43384832, 4096, ) == 0x0
 02110   860   NtAllocateVirtualMemory  (-1, 43388928, 0, 3672, 4096, 4, ... 43388928, 4096, ) == 0x0
 02111   860   NtCreateSection  (0xf0007, 0x0, {28780, 0}, 4, 134217728, 0, ... 412, ) == 0x0
 02112   860   NtMapViewOfSection  (412, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2580000), {0, 0}, 32768, ) == 0x0
 02113   860   NtUnmapViewOfSection  (-1, 0x2580000, ... ) == 0x0
 02114   860   NtMapViewOfSection  (412, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2580000), {0, 0}, 32768, ) == 0x0
 02115   860   NtClose  (408, ... ) == 0x0
 02116   860   NtUnmapViewOfSection  (-1, 0x2960000, ... ) == 0x0
 02117   860   NtUnmapViewOfSection  (-1, 0x2580000, ... ) == 0x0
 02118   860   NtMapViewOfSection  (412, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2580000), {0, 0}, 32768, ) == 0x0
 02119   860   NtUnmapViewOfSection  (-1, 0x2580000, ... ) == 0x0
 02120   860   NtMapViewOfSection  (412, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2580000), {0, 0}, 32768, ) == 0x0
 02121   860   NtUnmapViewOfSection  (-1, 0x2580000, ... ) == 0x0
 02122   860   NtMapViewOfSection  (412, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2580000), {0, 0}, 32768, ) == 0x0
 02123   860   NtUnmapViewOfSection  (-1, 0x2580000, ... ) == 0x0
 02124   860   NtMapViewOfSection  (412, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2580000), {0, 0}, 32768, ) == 0x0
 02125   860   NtUnmapViewOfSection  (-1, 0x2580000, ... ) == 0x0
 02126   860   NtMapViewOfSection  (412, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2580000), {0, 0}, 32768, ) == 0x0
 02127   860   NtUnmapViewOfSection  (-1, 0x2580000, ... ) == 0x0
 02128   860   NtMapViewOfSection  (412, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2580000), {0, 0}, 32768, ) == 0x0
 02129   860   NtUnmapViewOfSection  (-1, 0x2580000, ... ) == 0x0
 02130   860   NtMapViewOfSection  (412, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2580000), {0, 0}, 32768, ) == 0x0
 02131   860   NtUnmapViewOfSection  (-1, 0x2580000, ... ) == 0x0
 02132   860   NtMapViewOfSection  (412, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2580000), {0, 0}, 32768, ) == 0x0
 02133   860   NtUnmapViewOfSection  (-1, 0x2580000, ... ) == 0x0
 02134   860   NtMapViewOfSection  (412, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2580000), {0, 0}, 32768, ) == 0x0
 02135   860   NtUnmapViewOfSection  (-1, 0x2580000, ... ) == 0x0
 02136   860   NtMapViewOfSection  (412, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2580000), {0, 0}, 32768, ) == 0x0
 02137   860   NtUnmapViewOfSection  (-1, 0x2580000, ... ) == 0x0
 02138   860   NtMapViewOfSection  (412, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2580000), {0, 0}, 32768, ) == 0x0
 02139   860   NtUnmapViewOfSection  (-1, 0x2580000, ... ) == 0x0
 02140   860   NtMapViewOfSection  (412, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2580000), {0, 0}, 32768, ) == 0x0
 02141   860   NtUnmapViewOfSection  (-1, 0x2580000, ... ) == 0x0
 02142   860   NtMapViewOfSection  (412, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2580000), {0, 0}, 32768, ) == 0x0
 02143   860   NtUnmapViewOfSection  (-1, 0x2580000, ... ) == 0x0
 02144   860   NtMapViewOfSection  (412, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2580000), {0, 0}, 32768, ) == 0x0
 02145   860   NtUnmapViewOfSection  (-1, 0x2580000, ... ) == 0x0
 02146   860   NtMapViewOfSection  (412, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2580000), {0, 0}, 32768, ) == 0x0
 02147   860   NtUnmapViewOfSection  (-1, 0x2580000, ... ) == 0x0
 02148   860   NtMapViewOfSection  (412, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2580000), {0, 0}, 32768, ) == 0x0
 02149   860   NtUnmapViewOfSection  (-1, 0x2580000, ... ) == 0x0
 02150   860   NtMapViewOfSection  (412, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2580000), {0, 0}, 32768, ) == 0x0
 02151   860   NtUnmapViewOfSection  (-1, 0x2580000, ... ) == 0x0
 02152   860   NtMapViewOfSection  (412, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2580000), {0, 0}, 32768, ) == 0x0
 02153   860   NtUnmapViewOfSection  (-1, 0x2580000, ... ) == 0x0
 02154   860   NtMapViewOfSection  (412, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2580000), {0, 0}, 32768, ) == 0x0
 02155   860   NtUnmapViewOfSection  (-1, 0x2580000, ... ) == 0x0
 02156   860   NtMapViewOfSection  (412, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2580000), {0, 0}, 32768, ) == 0x0
 02157   860   NtUnmapViewOfSection  (-1, 0x2580000, ... ) == 0x0
 02158   860   NtMapViewOfSection  (412, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2580000), {0, 0}, 32768, ) == 0x0
 02159   860   NtUnmapViewOfSection  (-1, 0x2580000, ... ) == 0x0
 02160   860   NtMapViewOfSection  (412, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2580000), {0, 0}, 32768, ) == 0x0
 02161   860   NtUnmapViewOfSection  (-1, 0x2580000, ... ) == 0x0
 02162   860   NtMapViewOfSection  (412, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2580000), {0, 0}, 32768, ) == 0x0
 02163   860   NtUnmapViewOfSection  (-1, 0x2580000, ... ) == 0x0
 02164   860   NtMapViewOfSection  (412, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2580000), {0, 0}, 32768, ) == 0x0
 02165   860   NtUnmapViewOfSection  (-1, 0x2580000, ... ) == 0x0
 02166   860   NtMapViewOfSection  (412, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2580000), {0, 0}, 32768, ) == 0x0
 02167   860   NtUnmapViewOfSection  (-1, 0x2580000, ... ) == 0x0
 02168   860   NtMapViewOfSection  (412, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2580000), {0, 0}, 32768, ) == 0x0
 02169   860   NtUnmapViewOfSection  (-1, 0x2580000, ... ) == 0x0
 02170   860   NtMapViewOfSection  (412, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2580000), {0, 0}, 32768, ) == 0x0
 02171   860   NtUnmapViewOfSection  (-1, 0x2580000, ... ) == 0x0
 02172   860   NtMapViewOfSection  (412, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2580000), {0, 0}, 32768, ) == 0x0
 02173   860   NtUnmapViewOfSection  (-1, 0x2580000, ... ) == 0x0
 02174   860   NtClose  (412, ... ) == 0x0
 02175   860   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 02176   860   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\u:"}, 3, 96, ... 412, {status=0x0, info=1}, ) }, 3, 96, ... 412, {status=0x0, info=1}, ) == 0x0
 02177   860   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\u:"}, ... 408, ) }, ... 408, ) == 0x0
 02178   860   NtQuerySymbolicLinkObject  (408, ...  (408, ... "\Device\WinDfs\U:0000000000009f43", 66, ) , 66, ) == 0x0
 02179   860   NtClose  (408, ... ) == 0x0
 02180   860   NtQueryVolumeInformationFile  (412, 1234052, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 02181   860   NtClose  (412, ... ) == 0x0
 02182   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\apphelp.dll"}, 1232848, ... ) }, 1232848, ... ) == 0x0
 02183   860   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\apphelp.dll"}, 5, 96, ... 412, {status=0x0, info=1}, ) }, 5, 96, ... 412, {status=0x0, info=1}, ) == 0x0
 02184   860   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 412, ... 408, ) == 0x0
 02185   860   NtClose  (412, ... ) == 0x0
 02186   860   NtMapViewOfSection  (408, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x2580000), 0x0, 126976, ) == 0x0
 02187   860   NtClose  (408, ... ) == 0x0
 02188   860   NtUnmapViewOfSection  (-1, 0x2580000, ... ) == 0x0
 02189   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\apphelp.dll"}, 1233156, ... ) }, 1233156, ... ) == 0x0
 02190   860   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\apphelp.dll"}, 5, 96, ... 408, {status=0x0, info=1}, ) }, 5, 96, ... 408, {status=0x0, info=1}, ) == 0x0
 02191   860   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 408, ... 412, ) == 0x0
 02192   860   NtQuerySection  (412, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02193   860   NtClose  (408, ... ) == 0x0
 02194   860   NtMapViewOfSection  (412, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77b40000), 0x0, 139264, ) == 0x0
 02195   860   NtClose  (412, ... ) == 0x0
 02196   860   NtProtectVirtualMemory  (-1, (0x77b41000), 524, 4, ... (0x77b41000), 4096, 32, ) == 0x0
 02197   860   NtProtectVirtualMemory  (-1, (0x77b41000), 4096, 32, ... (0x77b41000), 4096, 4, ) == 0x0
 02198   860   NtFlushInstructionCache  (-1, 2008289280, 524, ... ) == 0x0
 02199   860   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\apphelp.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02200   860   NtAllocateVirtualMemory  (-1, 1351680, 0, 12288, 4096, 4, ... 1351680, 12288, ) == 0x0
 02201   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1234544, ... ) }, 1234544, ... ) == 0x0
 02202   860   NtCreateFile  (0x40100080, {24, 0, 0x40, 0, 1234552,  (0x40100080, {24, 0, 0x40, 0, 1234552, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\a28_appcompat.txt"}, 0x0, 128, 0, 5, 96, 0, 0, ... }, 0x0, 128, 0, 5, 96, 0, 0, ...
 02203   860   NtClose  (-2147482740, ... ) == 0x0
 02204   860   NtQueryDirectoryFile  (-2147482740, 0, 0, 0, -518905856, 4096, Names, 1,  (-2147482740, 0, 0, 0, -518905856, 4096, Names, 1, "DOCUME~1", 1, ... {status=0x0, info=56}, ) , 1, ... {status=0x0, info=56}, ) == 0x0
 02205   860   NtClose  (-2147482740, ... ) == 0x0
 02206   860   NtQueryDirectoryFile  (-2147482740, 0, 0, 0, -518905856, 4096, Names, 1,  (-2147482740, 0, 0, 0, -518905856, 4096, Names, 1, "MARTIM~1", 1, ... {status=0x0, info=40}, ) , 1, ... {status=0x0, info=40}, ) == 0x0
 02207   860   NtClose  (-2147482740, ... ) == 0x0
 02208   860   NtQueryDirectoryFile  (-2147482740, 0, 0, 0, -518905856, 4096, Names, 1,  (-2147482740, 0, 0, 0, -518905856, 4096, Names, 1, "LOCALS~1", 1, ... {status=0x0, info=40}, ) , 1, ... {status=0x0, info=40}, ) == 0x0
 02209   860   NtClose  (-2147482740, ... ) == 0x0
 02202   860   NtCreateFile  ... 412, {status=0x0, info=3}, ) == 0x0
 02210   860   NtAllocateVirtualMemory  (-1, 1363968, 0, 12288, 4096, 4, ... 1363968, 12288, ) == 0x0
 02211   860   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work\"}, 3, 16417, ... 408, {status=0x0, info=1}, ) }, 3, 16417, ... 408, {status=0x0, info=1}, ) == 0x0
 02212   860   NtQueryDirectoryFile  (408, 0, 0, 0, 1233256, 616, BothDirectory, 1,  (408, 0, 0, 0, 1233256, 616, BothDirectory, 1, "packed.exe", 0, ... {status=0x0, info=120}, ) , 0, ... {status=0x0, info=120}, ) == 0x0
 02213   860   NtWriteFile  (412, 0, 0, 0,  (412, 0, 0, 0, "\377\376", 2, 0x0, 0, ... {status=0x0, info=2}, ) , 2, 0x0, 0, ... {status=0x0, info=2}, ) == 0x0
 02214   860   NtWriteFile  (412, 0, 0, 0,  (412, 0, 0, 0, "<\0?\0x\0m\0l\0 \0v\0e\0r\0s\0i\0o\0n\0=\0"\01\0.\00\0"\0 \0e\0n\0c\0o\0d\0i\0n\0g\0=\0"\0U\0T\0F\0-\01\06\0"\0?\0>\0\15\0\12\0<\0D\0A\0T\0A\0B\0A\0S\0E\0>\0\15\0\12\0", 106, 0x0, 0, ... {status=0x0, info=106}, ) \01\0.\00\0 (412, 0, 0, 0, "<\0?\0x\0m\0l\0 \0v\0e\0r\0s\0i\0o\0n\0=\0"\01\0.\00\0"\0 \0e\0n\0c\0o\0d\0i\0n\0g\0=\0"\0U\0T\0F\0-\01\06\0"\0?\0>\0\15\0\12\0<\0D\0A\0T\0A\0B\0A\0S\0E\0>\0\15\0\12\0", 106, 0x0, 0, ... {status=0x0, info=106}, ) \0U\0T\0F\0-\01\06\0 (412, 0, 0, 0, "<\0?\0x\0m\0l\0 \0v\0e\0r\0s\0i\0o\0n\0=\0"\01\0.\00\0"\0 \0e\0n\0c\0o\0d\0i\0n\0g\0=\0"\0U\0T\0F\0-\01\06\0"\0?\0>\0\15\0\12\0<\0D\0A\0T\0A\0B\0A\0S\0E\0>\0\15\0\12\0", 106, 0x0, 0, ... {status=0x0, info=106}, ) , 106, 0x0, 0, ... {status=0x0, info=106}, ) == 0x0
 02215   860   NtWriteFile  (412, 0, 0, 0,  (412, 0, 0, 0, "<\0E\0X\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0F\0I\0L\0T\0E\0R\0=\0"\0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0"\0>\0\15\0\12\0", 122, 0x0, 0, ... {status=0x0, info=122}, ) \0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0 (412, 0, 0, 0, "<\0E\0X\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0F\0I\0L\0T\0E\0R\0=\0"\0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0"\0>\0\15\0\12\0", 122, 0x0, 0, ... {status=0x0, info=122}, ) \0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0 (412, 0, 0, 0, "<\0E\0X\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0F\0I\0L\0T\0E\0R\0=\0"\0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0"\0>\0\15\0\12\0", 122, 0x0, 0, ... {status=0x0, info=122}, ) , 122, 0x0, 0, ... {status=0x0, info=122}, ) == 0x0
 02216   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1233636, ... ) }, 1233636, ... ) == 0x0
 02217   860   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work"}, 3, 16417, ... 416, {status=0x0, info=1}, ) }, 3, 16417, ... 416, {status=0x0, info=1}, ) == 0x0
 02218   860   NtQueryDirectoryFile  (416, 0, 0, 0, 1233248, 592, Directory, 1,  (416, 0, 0, 0, 1233248, 592, Directory, 1, "packed.exe", 0, ... {status=0x0, info=84}, ) , 0, ... {status=0x0, info=84}, ) == 0x0
 02219   860   NtClose  (416, ... ) == 0x0
 02220   860   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02221   860   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02222   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1232168, ... ) }, 1232168, ... ) == 0x0
 02223   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1230940, ... ) }, 1230940, ... ) == 0x0
 02224   860   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02225   860   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02226   860   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 0x0, 128, 1, 1, 96, 0, 0, ... 416, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 416, {status=0x0, info=1}, ) == 0x0
 02227   860   NtQueryInformationFile  (416, 1233724, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02228   860   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 416, ... 420, ) == 0x0
 02229   860   NtMapViewOfSection  (420, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2960000), 0x0, 1179648, ) == 0x0
 02230   860   NtUnmapViewOfSection  (-1, 0x2960000, ... ) == 0x0
 02231   860   NtClose  (420, ... ) == 0x0
 02232   860   NtClose  (416, ... ) == 0x0
 02233   860   NtWriteFile  (412, 0, 0, 0,  (412, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\01\01\07\09\06\04\08\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\06\0E\04\08\05\0C\03\08\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\02\0/\01\07\0/\02\00\00\08\0 \01\03\0:\00\02\0:\05\06\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\02\0/\01\07\0/\02\00\00\08\0 \01\03\0:\00\02\0:\05\06\0"\0 \0/\0>\0\15\0\12\0", 412, 0x0, 0, ... \0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0 (412, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\01\01\07\09\06\04\08\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\06\0E\04\08\05\0C\03\08\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\02\0/\01\07\0/\02\00\00\08\0 \01\03\0:\00\02\0:\05\06\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\02\0/\01\07\0/\02\00\00\08\0 \01\03\0:\00\02\0:\05\06\0"\0 \0/\0>\0\15\0\12\0", 412, 0x0, 0, ... \01\01\07\09\06\04\08\0 (412, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\01\01\07\09\06\04\08\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\06\0E\04\08\05\0C\03\08\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\02\0/\01\07\0/\02\00\00\08\0 \01\03\0:\00\02\0:\05\06\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\02\0/\01\07\0/\02\00\00\08\0 \01\03\0:\00\02\0:\05\06\0"\0 \0/\0>\0\15\0\12\0", 412, 0x0, 0, ... \00\0x\06\0E\04\08\05\0C\03\08\0 (412, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\01\01\07\09\06\04\08\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\06\0E\04\08\05\0C\03\08\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\02\0/\01\07\0/\02\00\00\08\0 \01\03\0:\00\02\0:\05\06\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\02\0/\01\07\0/\02\00\00\08\0 \01\03\0:\00\02\0:\05\06\0"\0 \0/\0>\0\15\0\12\0", 412, 0x0, 0, ... \0W\0I\0N\03\02\0 (412, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\01\01\07\09\06\04\08\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\06\0E\04\08\05\0C\03\08\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\02\0/\01\07\0/\02\00\00\08\0 \01\03\0:\00\02\0:\05\06\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\02\0/\01\07\0/\02\00\00\08\0 \01\03\0:\00\02\0:\05\06\0"\0 \0/\0>\0\15\0\12\0", 412, 0x0, 0, ... \00\0x\00\0 (412, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\01\01\07\09\06\04\08\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\06\0E\04\08\05\0C\03\08\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\02\0/\01\07\0/\02\00\00\08\0 \01\03\0:\00\02\0:\05\06\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\02\0/\01\07\0/\02\00\00\08\0 \01\03\0:\00\02\0:\05\06\0"\0 \0/\0>\0\15\0\12\0", 412, 0x0, 0, ... \00\0x\00\0 (412, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\01\01\07\09\06\04\08\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\06\0E\04\08\05\0C\03\08\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\02\0/\01\07\0/\02\00\00\08\0 \01\03\0:\00\02\0:\05\06\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\02\0/\01\07\0/\02\00\00\08\0 \01\03\0:\00\02\0:\05\06\0"\0 \0/\0>\0\15\0\12\0", 412, 0x0, 0, ... \00\02\0/\01\07\0/\02\00\00\08\0 \01\03\0:\00\02\0:\05\06\0 (412, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\01\01\07\09\06\04\08\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\06\0E\04\08\05\0C\03\08\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\02\0/\01\07\0/\02\00\00\08\0 \01\03\0:\00\02\0:\05\06\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\02\0/\01\07\0/\02\00\00\08\0 \01\03\0:\00\02\0:\05\06\0"\0 \0/\0>\0\15\0\12\0", 412, 0x0, 0, ... \00\02\0/\01\07\0/\02\00\00\08\0 \01\03\0:\00\02\0:\05\06\0 (412, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\01\01\07\09\06\04\08\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\06\0E\04\08\05\0C\03\08\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\02\0/\01\07\0/\02\00\00\08\0 \01\03\0:\00\02\0:\05\06\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\02\0/\01\07\0/\02\00\00\08\0 \01\03\0:\00\02\0:\05\06\0"\0 \0/\0>\0\15\0\12\0", 412, 0x0, 0, ... , 412, 0x0, 0, ...
 02234   860   NtContinue  (-139612716, 0, ...
 02233   860   NtWriteFile  ... {status=0x0, info=412}, ) == 0x0
 02235   860   NtQueryDirectoryFile  (408, 0, 0, 0, 1367624, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES
 02236   860   NtClose  (408, ... ) == 0x0
 02237   860   NtWriteFile  (412, 0, 0, 0,  (412, 0, 0, 0, "<\0/\0E\0X\0E\0>\0\15\0\12\0", 16, 0x0, 0, ... {status=0x0, info=16}, ) , 16, 0x0, 0, ... {status=0x0, info=16}, ) == 0x0
 02238   860   NtClose  (412, ... ) == 0x0
 02239   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\kernel32.dll"}, 1234544, ... ) }, 1234544, ... ) == 0x0
 02240   860   NtCreateFile  (0x40100080, {24, 0, 0x40, 0, 1234552,  (0x40100080, {24, 0, 0x40, 0, 1234552, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\a28_appcompat.txt"}, 0x0, 128, 0, 3, 96, 0, 0, ... 412, {status=0x0, info=1}, ) }, 0x0, 128, 0, 3, 96, 0, 0, ... 412, {status=0x0, info=1}, ) == 0x0
 02241   860   NtQueryInformationFile  (412, 1234576, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02242   860   NtSetInformationFile  (412, 1234608, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 02243   860   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\"}, 3, 16417, ... 408, {status=0x0, info=1}, ) }, 3, 16417, ... 408, {status=0x0, info=1}, ) == 0x0
 02244   860   NtQueryDirectoryFile  (408, 0, 0, 0, 1233256, 616, BothDirectory, 1,  (408, 0, 0, 0, 1233256, 616, BothDirectory, 1, "kernel32.dll", 0, ... {status=0x0, info=118}, ) , 0, ... {status=0x0, info=118}, ) == 0x0
 02245   860   NtWriteFile  (412, 0, 0, 0,  (412, 0, 0, 0, "<\0E\0X\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0F\0I\0L\0T\0E\0R\0=\0"\0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0"\0>\0\15\0\12\0", 126, 0x0, 0, ... {status=0x0, info=126}, ) \0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0 (412, 0, 0, 0, "<\0E\0X\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0F\0I\0L\0T\0E\0R\0=\0"\0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0"\0>\0\15\0\12\0", 126, 0x0, 0, ... {status=0x0, info=126}, ) \0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0 (412, 0, 0, 0, "<\0E\0X\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0F\0I\0L\0T\0E\0R\0=\0"\0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0"\0>\0\15\0\12\0", 126, 0x0, 0, ... {status=0x0, info=126}, ) , 126, 0x0, 0, ... {status=0x0, info=126}, ) == 0x0
 02246   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\kernel32.dll"}, 1233608, ... ) }, 1233608, ... ) == 0x0
 02247   860   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32"}, 3, 16417, ... 416, {status=0x0, info=1}, ) }, 3, 16417, ... 416, {status=0x0, info=1}, ) == 0x0
 02248   860   NtQueryDirectoryFile  (416, 0, 0, 0, 1233248, 592, Directory, 1,  (416, 0, 0, 0, 1233248, 592, Directory, 1, "kernel32.dll", 0, ... {status=0x0, info=88}, ) , 0, ... {status=0x0, info=88}, ) == 0x0
 02249   860   NtClose  (416, ... ) == 0x0
 02250   860   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02251   860   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02252   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\kernel32.dll"}, 1232168, ... ) }, 1232168, ... ) == 0x0
 02253   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\kernel32.dll"}, 1230940, ... ) }, 1230940, ... ) == 0x0
 02254   860   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02255   860   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02256   860   NtQueryDefaultLocale  (1, 1233128, ... ) == 0x0
 02257   860   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02258   860   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02259   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\kernel32.dll"}, 1232160, ... ) }, 1232160, ... ) == 0x0
 02260   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\kernel32.dll"}, 1230932, ... ) }, 1230932, ... ) == 0x0
 02261   860   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02262   860   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02263   860   NtQueryDefaultLocale  (1, 1233120, ... ) == 0x0
 02264   860   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\kernel32.dll"}, 0x0, 128, 1, 1, 96, 0, 0, ... 416, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 416, {status=0x0, info=1}, ) == 0x0
 02265   860   NtQueryInformationFile  (416, 1233724, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02266   860   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 416, ... 420, ) == 0x0
 02267   860   NtMapViewOfSection  (420, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2960000), 0x0, 987136, ) == 0x0
 02268   860   NtUnmapViewOfSection  (-1, 0x2960000, ... ) == 0x0
 02269   860   NtClose  (420, ... ) == 0x0
 02270   860   NtClose  (416, ... ) == 0x0
 02271   860   NtQueryDefaultUILanguage  (1233080, ...
 02272   860   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02273   860   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482740, ) == 0x0
 02274   860   NtQueryInformationToken  (-2147482740, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02275   860   NtClose  (-2147482740, ... ) == 0x0
 02276   860   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0
 02277   860   NtOpenKey  (0x80000000, {24, -2147482740, 0x240, 0, 0,  (0x80000000, {24, -2147482740, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02278   860   NtOpenKey  (0x80000000, {24, -2147482740, 0x640, 0, 0,  (0x80000000, {24, -2147482740, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481328, ) }, ... -2147481328, ) == 0x0
 02279   860   NtQueryValueKey  (-2147481328,  (-2147481328, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02280   860   NtClose  (-2147481328, ... ) == 0x0
 02281   860   NtClose  (-2147482740, ... ) == 0x0
 02271   860   NtQueryDefaultUILanguage  ... ) == 0x0
 02282   860   NtWriteFile  (412, 0, 0, 0,  (412, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\08\04\05\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0F\00\0B\03\03\01\0F\06\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) \0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0 (412, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\08\04\05\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0F\00\0B\03\03\01\0F\06\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) \09\08\04\05\07\06\0 (412, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\08\04\05\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0F\00\0B\03\03\01\0F\06\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) \00\0x\0F\00\0B\03\03\01\0F\06\0 (412, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\08\04\05\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0F\00\0B\03\03\01\0F\06\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) \05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0 (412, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\08\04\05\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0F\00\0B\03\03\01\0F\06\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) \05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0 (412, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\08\04\05\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0F\00\0B\03\03\01\0F\06\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) \05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0 (412, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\08\04\05\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0F\00\0B\03\03\01\0F\06\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) \0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0 (412, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\08\04\05\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0F\00\0B\03\03\01\0F\06\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) \0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) == 0x0
 02283   860   NtQueryDirectoryFile  (408, 0, 0, 0, 1359456, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES
 02284   860   NtClose  (408, ... ) == 0x0
 02285   860   NtWriteFile  (412, 0, 0, 0,  (412, 0, 0, 0, "<\0/\0E\0X\0E\0>\0\15\0\12\0<\0/\0D\0A\0T\0A\0B\0A\0S\0E\0>\0\15\0\12\0", 42, 0x0, 0, ... {status=0x0, info=42}, ) , 42, 0x0, 0, ... {status=0x0, info=42}, ) == 0x0
 02286   860   NtClose  (412, ... ) == 0x0
 02287   860   NtUnmapViewOfSection  (-1, 0x77b40000, ... ) == 0x0
 02288   860   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 02289   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1231816, ... ) }, 1231816, ... ) == 0x0
 02290   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1232552, ... ) }, 1232552, ... ) == 0x0
 02291   860   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 5, 96, ... 412, {status=0x0, info=1}, ) }, 5, 96, ... 412, {status=0x0, info=1}, ) == 0x0
 02292   860   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 412, ... 408, ) == 0x0
 02293   860   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02294   860   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 416, ) }, ... 416, ) == 0x0
 02295   860   NtQueryValueKey  (416,  (416, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02296   860   NtClose  (416, ... ) == 0x0
 02297   860   NtQueryVolumeInformationFile  (412, 1231828, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 02298   860   NtOpenMutant  (0x120001, {24, 44, 0x0, 0, 0,  (0x120001, {24, 44, 0x0, 0, 0, "ShimCacheMutex"}, ... 416, ) }, ... 416, ) == 0x0
 02299   860   NtWaitForSingleObject  (416, 0, {-1000000, -1}, ... ) == 0x0
 02300   860   NtOpenSection  (0x2, {24, 44, 0x0, 0, 0,  (0x2, {24, 44, 0x0, 0, 0, "ShimSharedMemory"}, ... 420, ) }, ... 420, ) == 0x0
 02301   860   NtMapViewOfSection  (420, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2580000), {0, 0}, 57344, ) == 0x0
 02302   860   NtReleaseMutant  (416, ... 0x0, ) == 0x0
 02303   860   NtAllocateVirtualMemory  (-1, 1220608, 0, 4096, 4096, 260, ... 1220608, 4096, ) == 0x0
 02304   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1229760, ... ) }, 1229760, ... ) == 0x0
 02305   860   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 424, {status=0x0, info=1}, ) }, 5, 96, ... 424, {status=0x0, info=1}, ) == 0x0
 02306   860   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 424, ... 428, ) == 0x0
 02307   860   NtClose  (424, ... ) == 0x0
 02308   860   NtMapViewOfSection  (428, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x2590000), 0x0, 126976, ) == 0x0
 02309   860   NtClose  (428, ... ) == 0x0
 02310   860   NtUnmapViewOfSection  (-1, 0x2590000, ... ) == 0x0
 02311   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1230068, ... ) }, 1230068, ... ) == 0x0
 02312   860   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 428, {status=0x0, info=1}, ) }, 5, 96, ... 428, {status=0x0, info=1}, ) == 0x0
 02313   860   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 428, ... 424, ) == 0x0
 02314   860   NtQuerySection  (424, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02315   860   NtClose  (428, ... ) == 0x0
 02316   860   NtMapViewOfSection  (424, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77b40000), 0x0, 139264, ) == 0x0
 02317   860   NtClose  (424, ... ) == 0x0
 02318   860   NtProtectVirtualMemory  (-1, (0x77b41000), 524, 4, ... (0x77b41000), 4096, 32, ) == 0x0
 02319   860   NtProtectVirtualMemory  (-1, (0x77b41000), 4096, 32, ... (0x77b41000), 4096, 4, ) == 0x0
 02320   860   NtFlushInstructionCache  (-1, 2008289280, 524, ... ) == 0x0
 02321   860   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Apphelp.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02322   860   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 424, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 424, {status=0x0, info=1}, ) == 0x0
 02323   860   NtQueryInformationFile  (424, 1230084, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02324   860   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 424, ... 428, ) == 0x0
 02325   860   NtMapViewOfSection  (428, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2960000), 0x0, 1191936, ) == 0x0
 02326   860   NtQueryInformationFile  (424, 1230184, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02327   860   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02328   860   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 02329   860   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 02330   860   NtOpenKey  (0x101, {24, 0, 0x40, 0, 0,  (0x101, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\WPA\TabletPC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02331   860   NtOpenKey  (0x101, {24, 0, 0x40, 0, 0,  (0x101, {24, 0, 0x40, 0, 0, "\Registry\Machine\SYSTEM\WPA\MediaCenter"}, ... 432, ) }, ... 432, ) == 0x0
 02332   860   NtQueryValueKey  (432,  (432, "Installed", Partial, 256, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 256, ... TitleIdx=0, Type=4, Data= (432, "Installed", Partial, 256, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02333   860   NtClose  (432, ... ) == 0x0
 02334   860   NtCreateFile  (0x120116, {24, 0, 0x40, 0, 0,  (0x120116, {24, 0, 0x40, 0, 0, "\Device\NamedPipe\ShimViewer"}, 0x0, 128, 0, 1, 0, 0, 0, ... ) }, 0x0, 128, 0, 1, 0, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02335   860   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\"}, 3, 16417, ... 432, {status=0x0, info=1}, ) }, 3, 16417, ... 432, {status=0x0, info=1}, ) == 0x0
 02336   860   NtQueryDirectoryFile  (432, 0, 0, 0, 1227780, 616, BothDirectory, 1,  (432, 0, 0, 0, 1227780, 616, BothDirectory, 1, "dwwin.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 02337   860   NtClose  (432, ... ) == 0x0
 02338   860   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02339   860   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02340   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1228156, ... ) }, 1228156, ... ) == 0x0
 02341   860   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 432, {status=0x0, info=1}, ) }, 3, 16417, ... 432, {status=0x0, info=1}, ) == 0x0
 02342   860   NtQueryDirectoryFile  (432, 0, 0, 0, 1227584, 616, BothDirectory, 1,  (432, 0, 0, 0, 1227584, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 02343   860   NtClose  (432, ... ) == 0x0
 02344   860   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 432, {status=0x0, info=1}, ) }, 3, 16417, ... 432, {status=0x0, info=1}, ) == 0x0
 02345   860   NtQueryDirectoryFile  (432, 0, 0, 0, 1227584, 616, BothDirectory, 1,  (432, 0, 0, 0, 1227584, 616, BothDirectory, 1, "system32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 02346   860   NtClose  (432, ... ) == 0x0
 02347   860   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\"}, 3, 16417, ... 432, {status=0x0, info=1}, ) }, 3, 16417, ... 432, {status=0x0, info=1}, ) == 0x0
 02348   860   NtQueryDirectoryFile  (432, 0, 0, 0, 1227584, 616, BothDirectory, 1,  (432, 0, 0, 0, 1227584, 616, BothDirectory, 1, "dwwin.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 02349   860   NtClose  (432, ... ) == 0x0
 02350   860   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02351   860   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02352   860   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 02353   860   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02354   860   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02355   860   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 432, ) == 0x0
 02356   860   NtQueryInformationToken  (432, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02357   860   NtClose  (432, ... ) == 0x0
 02358   860   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02359   860   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\dwwin.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02360   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1228988, ... ) }, 1228988, ... ) == 0x0
 02361   860   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02362   860   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02363   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1227856, ... ) }, 1227856, ... ) == 0x0
 02364   860   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 5, 96, ... 432, {status=0x0, info=1}, ) }, 5, 96, ... 432, {status=0x0, info=1}, ) == 0x0
 02365   860   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 432, ... 436, ) == 0x0
 02366   860   NtClose  (432, ... ) == 0x0
 02367   860   NtMapViewOfSection  (436, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x2590000), 0x0, 180224, ) == 0x0
 02368   860   NtClose  (436, ... ) == 0x0
 02369   860   NtUnmapViewOfSection  (-1, 0x2590000, ... ) == 0x0
 02370   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1227452, ... ) }, 1227452, ... ) == 0x0
 02371   860   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1228196,  (0x80100080, {24, 0, 0x40, 0, 1228196, "\??\C:\WINDOWS\system32\dwwin.exe"}, 0x0, 0, 5, 1, 96, 0, 0, ... 436, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 436, {status=0x0, info=1}, ) == 0x0
 02372   860   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 436, ... 432, ) == 0x0
 02373   860   NtClose  (436, ... ) == 0x0
 02374   860   NtMapViewOfSection  (432, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x2590000), {0, 0}, 180224, ) == 0x0
 02375   860   NtClose  (432, ... ) == 0x0
 02376   860   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02377   860   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02378   860   NtQueryDefaultLocale  (1, 1228816, ... ) == 0x0
 02379   860   NtQueryVirtualMemory  (-1, 0x2590000, Basic, 28, ... {BaseAddress=0x2590000,AllocationBase=0x2590000,AllocationProtect=0x2,RegionSize=0x2c000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 02380   860   NtQueryVirtualMemory  (-1, 0x2590000, Basic, 28, ... {BaseAddress=0x2590000,AllocationBase=0x2590000,AllocationProtect=0x2,RegionSize=0x2c000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 02381   860   NtUnmapViewOfSection  (-1, 0x2590000, ... ) == 0x0
 02382   860   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02383   860   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02384   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1227848, ... ) }, 1227848, ... ) == 0x0
 02385   860   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 5, 96, ... 432, {status=0x0, info=1}, ) }, 5, 96, ... 432, {status=0x0, info=1}, ) == 0x0
 02386   860   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 432, ... 436, ) == 0x0
 02387   860   NtClose  (432, ... ) == 0x0
 02388   860   NtMapViewOfSection  (436, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x2590000), 0x0, 180224, ) == 0x0
 02389   860   NtClose  (436, ... ) == 0x0
 02390   860   NtUnmapViewOfSection  (-1, 0x2590000, ... ) == 0x0
 02391   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1227444, ... ) }, 1227444, ... ) == 0x0
 02392   860   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1228188,  (0x80100080, {24, 0, 0x40, 0, 1228188, "\??\C:\WINDOWS\system32\dwwin.exe"}, 0x0, 0, 5, 1, 96, 0, 0, ... 436, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 436, {status=0x0, info=1}, ) == 0x0
 02393   860   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 436, ... 432, ) == 0x0
 02394   860   NtClose  (436, ... ) == 0x0
 02395   860   NtMapViewOfSection  (432, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x2590000), {0, 0}, 180224, ) == 0x0
 02396   860   NtClose  (432, ... ) == 0x0
 02397   860   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02398   860   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02399   860   NtQueryDefaultLocale  (1, 1228808, ... ) == 0x0
 02400   860   NtQueryVirtualMemory  (-1, 0x2590000, Basic, 28, ... {BaseAddress=0x2590000,AllocationBase=0x2590000,AllocationProtect=0x2,RegionSize=0x2c000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 02401   860   NtUnmapViewOfSection  (-1, 0x2590000, ... ) == 0x0
 02402   860   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02403   860   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02404   860   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 432, ) == 0x0
 02405   860   NtQueryInformationToken  (432, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02406   860   NtClose  (432, ... ) == 0x0
 02407   860   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02408   860   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02409   860   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02410   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1229408, ... ) }, 1229408, ... ) == 0x0
 02411   860   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 432, {status=0x0, info=1}, ) }, 3, 16417, ... 432, {status=0x0, info=1}, ) == 0x0
 02412   860   NtQueryDirectoryFile  (432, 0, 0, 0, 1228836, 616, BothDirectory, 1,  (432, 0, 0, 0, 1228836, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 02413   860   NtClose  (432, ... ) == 0x0
 02414   860   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 432, {status=0x0, info=1}, ) }, 3, 16417, ... 432, {status=0x0, info=1}, ) == 0x0
 02415   860   NtQueryDirectoryFile  (432, 0, 0, 0, 1228836, 616, BothDirectory, 1,  (432, 0, 0, 0, 1228836, 616, BothDirectory, 1, "system32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 02416   860   NtClose  (432, ... ) == 0x0
 02417   860   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\"}, 3, 16417, ... 432, {status=0x0, info=1}, ) }, 3, 16417, ... 432, {status=0x0, info=1}, ) == 0x0
 02418   860   NtQueryDirectoryFile  (432, 0, 0, 0, 1228836, 616, BothDirectory, 1,  (432, 0, 0, 0, 1228836, 616, BothDirectory, 1, "dwwin.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 02419   860   NtClose  (432, ... ) == 0x0
 02420   860   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02421   860   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02422   860   NtWaitForSingleObject  (416, 0, {-1000000, -1}, ... ) == 0x0
 02423   860   NtReleaseMutant  (416, ... 0x0, ) == 0x0
 02424   860   NtUnmapViewOfSection  (-1, 0x2960000, ... ) == 0x0
 02425   860   NtClose  (428, ... ) == 0x0
 02426   860   NtClose  (424, ... ) == 0x0
 02427   860   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 02428   860   NtOpenProcessToken  (-1, 0xa, ... 424, ) == 0x0
 02429   860   NtQueryInformationToken  (424, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 02430   860   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02431   860   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 428, ) }, ... 428, ) == 0x0
 02432   860   NtQueryValueKey  (428,  (428, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (428, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02433   860   NtQueryValueKey  (428,  (428, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (428, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02434   860   NtClose  (428, ... ) == 0x0
 02435   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\LevelObjects"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02436   860   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 428, ) }, ... 428, ) == 0x0
 02437   860   NtQueryValueKey  (428,  (428, "Levels", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02438   860   NtClose  (428, ... ) == 0x0
 02439   860   NtQueryDefaultLocale  (1, 1231256, ... ) == 0x0
 02440   860   NtQueryDefaultLocale  (1, 1231256, ... ) == 0x0
 02441   860   NtQueryDefaultLocale  (1, 1231256, ... ) == 0x0
 02442   860   NtQueryDefaultLocale  (1, 1231256, ... ) == 0x0
 02443   860   NtQueryDefaultLocale  (1, 1231256, ... ) == 0x0
 02444   860   NtQueryDefaultLocale  (1, 1231256, ... ) == 0x0
 02445   860   NtQueryDefaultLocale  (1, 1231256, ... ) == 0x0
 02446   860   NtQueryDefaultLocale  (1, 1231256, ... ) == 0x0
 02447   860   NtQueryDefaultLocale  (1, 1231256, ... ) == 0x0
 02448   860   NtQueryDefaultLocale  (1, 1231256, ... ) == 0x0
 02449   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... 428, ) }, ... 428, ) == 0x0
 02450   860   NtEnumerateKey  (428, 0, Basic, 280, ... {LastWrite={0x3a5edea,0x1c74da9}, TitleIdx=0, Name= (428, 0, Basic, 280, ... {LastWrite={0x3a5edea,0x1c74da9}, TitleIdx=0, Name="{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, 92, ) }, 92, ) == 0x0
 02451   860   NtOpenKey  (0x20019, {24, 428, 0x40, 0, 0,  (0x20019, {24, 428, 0x40, 0, 0, "{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, ... 432, ) }, ... 432, ) == 0x0
 02452   860   NtQueryValueKey  (432,  (432, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) , Partial, 280, ... TitleIdx=0, Type=2, Data= (432, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) }, 202, ) == 0x0
 02453   860   NtQueryValueKey  (432,  (432, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (432, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02454   860   NtClose  (432, ... ) == 0x0
 02455   860   NtEnumerateKey  (428, 1, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES
 02456   860   NtClose  (428, ... ) == 0x0
 02457   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... 428, ) }, ... 428, ) == 0x0
 02458   860   NtEnumerateKey  (428, 0, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (428, 0, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{349d35ab-37b5-462f-9b89-edd5fbde1328}"}, 92, ) }, 92, ) == 0x0
 02459   860   NtOpenKey  (0x20019, {24, 428, 0x40, 0, 0,  (0x20019, {24, 428, 0x40, 0, 0, "{349d35ab-37b5-462f-9b89-edd5fbde1328}"}, ... 432, ) }, ... 432, ) == 0x0
 02460   860   NtQueryValueKey  (432,  (432, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="^\2530O\225zI\211j\0l\341\25@\25"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (432, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="^\2530O\225zI\211j\0l\341\25@\25"}, 28, ) }, 28, ) == 0x0
 02461   860   NtQueryValueKey  (432,  (432, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (432, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0
 02462   860   NtQueryValueKey  (432,  (432, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\13\3\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (432, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\13\3\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 02463   860   NtQueryValueKey  (432,  (432, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (432, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02464   860   NtClose  (432, ... ) == 0x0
 02465   860   NtEnumerateKey  (428, 1, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (428, 1, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}"}, 92, ) }, 92, ) == 0x0
 02466   860   NtOpenKey  (0x20019, {24, 428, 0x40, 0, 0,  (0x20019, {24, 428, 0x40, 0, 0, "{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}"}, ... 432, ) }, ... 432, ) == 0x0
 02467   860   NtQueryValueKey  (432,  (432, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="g\260\324\2134:?\323\274\351\334dg\4\363\224"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (432, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="g\260\324\2134:?\323\274\351\334dg\4\363\224"}, 28, ) }, 28, ) == 0x0
 02468   860   NtQueryValueKey  (432,  (432, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (432, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0
 02469   860   NtQueryValueKey  (432,  (432, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\5\2\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (432, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\5\2\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 02470   860   NtQueryValueKey  (432,  (432, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (432, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02471   860   NtClose  (432, ... ) == 0x0
 02472   860   NtEnumerateKey  (428, 2, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (428, 2, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}"}, 92, ) }, 92, ) == 0x0
 02473   860   NtOpenKey  (0x20019, {24, 428, 0x40, 0, 0,  (0x20019, {24, 428, 0x40, 0, 0, "{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}"}, ... 432, ) }, ... 432, ) == 0x0
 02474   860   NtQueryValueKey  (432,  (432, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="2x\2\334\376\370\310\223\334\212\260\6\335\204}\35"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (432, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="2x\2\334\376\370\310\223\334\212\260\6\335\204}\35"}, 28, ) }, 28, ) == 0x0
 02475   860   NtQueryValueKey  (432,  (432, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (432, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0
 02476   860   NtQueryValueKey  (432,  (432, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\226\3\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (432, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\226\3\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 02477   860   NtQueryValueKey  (432,  (432, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (432, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02478   860   NtClose  (432, ... ) == 0x0
 02479   860   NtEnumerateKey  (428, 3, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (428, 3, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{94e3e076-8f53-42a5-8411-085bcc18a68d}"}, 92, ) }, 92, ) == 0x0
 02480   860   NtOpenKey  (0x20019, {24, 428, 0x40, 0, 0,  (0x20019, {24, 428, 0x40, 0, 0, "{94e3e076-8f53-42a5-8411-085bcc18a68d}"}, ... 432, ) }, ... 432, ) == 0x0
 02481   860   NtQueryValueKey  (432,  (432, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="\275\232*\333B\353\330V\16%\16M\370\26/g"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (432, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="\275\232*\333B\353\330V\16%\16M\370\26/g"}, 28, ) }, 28, ) == 0x0
 02482   860   NtQueryValueKey  (432,  (432, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (432, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0
 02483   860   NtQueryValueKey  (432,  (432, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\345\0\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (432, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\345\0\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 02484   860   NtQueryValueKey  (432,  (432, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (432, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02485   860   NtClose  (432, ... ) == 0x0
 02486   860   NtEnumerateKey  (428, 4, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (428, 4, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}"}, 92, ) }, 92, ) == 0x0
 02487   860   NtOpenKey  (0x20019, {24, 428, 0x40, 0, 0,  (0x20019, {24, 428, 0x40, 0, 0, "{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}"}, ... 432, ) }, ... 432, ) == 0x0
 02488   860   NtQueryValueKey  (432,  (432, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="8k\10_\204\354\366i\323k\225j"\300\36\200"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (432, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="8k\10_\204\354\366i\323k\225j"\300\36\200"}, 28, ) \300\36\200"}, 28, ) == 0x0
 02489   860   NtQueryValueKey  (432,  (432, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (432, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0
 02490   860   NtQueryValueKey  (432,  (432, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="r\1\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (432, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="r\1\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 02491   860   NtQueryValueKey  (432,  (432, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (432, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02492   860   NtClose  (432, ... ) == 0x0
 02493   860   NtEnumerateKey  (428, 5, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES
 02494   860   NtClose  (428, ... ) == 0x0
 02495   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02496   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02497   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02498   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02499   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02500   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02501   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02502   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02503   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02504   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02505   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02506   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02507   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02508   860   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02509   860   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 428, ) == 0x0
 02510   860   NtQueryInformationToken  (428, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02511   860   NtClose  (428, ... ) == 0x0
 02512   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02513   860   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02514   860   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 428, ) == 0x0
 02515   860   NtQueryInformationToken  (428, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02516   860   NtClose  (428, ... ) == 0x0
 02517   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02518   860   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02519   860   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 428, ) == 0x0
 02520   860   NtQueryInformationToken  (428, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02521   860   NtClose  (428, ... ) == 0x0
 02522   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02523   860   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02524   860   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 428, ) == 0x0
 02525   860   NtQueryInformationToken  (428, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02526   860   NtClose  (428, ... ) == 0x0
 02527   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02528   860   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02529   860   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 428, ) == 0x0
 02530   860   NtQueryInformationToken  (428, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02531   860   NtClose  (428, ... ) == 0x0
 02532   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02533   860   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02534   860   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 428, ) == 0x0
 02535   860   NtQueryInformationToken  (428, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02536   860   NtClose  (428, ... ) == 0x0
 02537   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02538   860   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02539   860   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 428, ) == 0x0
 02540   860   NtQueryInformationToken  (428, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02541   860   NtClose  (428, ... ) == 0x0
 02542   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02543   860   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02544   860   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 428, ) == 0x0
 02545   860   NtQueryInformationToken  (428, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02546   860   NtClose  (428, ... ) == 0x0
 02547   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02548   860   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02549   860   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 428, ) == 0x0
 02550   860   NtQueryInformationToken  (428, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02551   860   NtClose  (428, ... ) == 0x0
 02552   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02553   860   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02554   860   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 428, ) == 0x0
 02555   860   NtQueryInformationToken  (428, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02556   860   NtClose  (428, ... ) == 0x0
 02557   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02558   860   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02559   860   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 428, ) == 0x0
 02560   860   NtQueryInformationToken  (428, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02561   860   NtClose  (428, ... ) == 0x0
 02562   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02563   860   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02564   860   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 428, ) == 0x0
 02565   860   NtQueryInformationToken  (428, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02566   860   NtClose  (428, ... ) == 0x0
 02567   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02568   860   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02569   860   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 428, ) == 0x0
 02570   860   NtQueryInformationToken  (428, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02571   860   NtClose  (428, ... ) == 0x0
 02572   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02573   860   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02574   860   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 428, ) == 0x0
 02575   860   NtQueryInformationToken  (428, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02576   860   NtClose  (428, ... ) == 0x0
 02577   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02578   860   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02579   860   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 428, ) == 0x0
 02580   860   NtQueryInformationToken  (428, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02581   860   NtClose  (428, ... ) == 0x0
 02582   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02583   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 428, ) }, ... 428, ) == 0x0
 02584   860   NtQueryValueKey  (428,  (428, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (428, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Data= (428, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) }, 48, ) == 0x0
 02585   860   NtClose  (428, ... ) == 0x0
 02586   860   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02587   860   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 428, ) == 0x0
 02588   860   NtQueryInformationToken  (428, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02589   860   NtClose  (428, ... ) == 0x0
 02590   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02591   860   NtOpenThreadToken  (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN
 02592   860   NtOpenProcessToken  (-1, 0xa, ... 428, ) == 0x0
 02593   860   NtDuplicateToken  (428, 0xc, {24, 0, 0x0, 0, 1231688, 0x0}, 0, 2, ... 432, ) == 0x0
 02594   860   NtClose  (428, ... ) == 0x0
 02595   860   NtAccessCheck  (1339064, 432, 0x1, 1231764, 1231816, 56, 1231796, ... (0x1), ) == 0x0
 02596   860   NtClose  (432, ... ) == 0x0
 02597   860   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 432, ) }, ... 432, ) == 0x0
 02598   860   NtQueryValueKey  (432,  (432, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (432, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02599   860   NtClose  (432, ... ) == 0x0
 02600   860   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 432, ) }, ... 432, ) == 0x0
 02601   860   NtQuerySymbolicLinkObject  (432, ...  (432, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0
 02602   860   NtClose  (432, ... ) == 0x0
 02603   860   NtQueryVolumeInformationFile  (412, 1229520, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 02604   860   NtQueryInformationFile  (412, 1229636, 528, Name, ... {status=0x0, info=58}, ) == 0x0
 02605   860   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02606   860   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02607   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1228808, ... ) }, 1228808, ... ) == 0x0
 02608   860   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 432, {status=0x0, info=1}, ) }, 3, 16417, ... 432, {status=0x0, info=1}, ) == 0x0
 02609   860   NtQueryDirectoryFile  (432, 0, 0, 0, 1228236, 616, BothDirectory, 1,  (432, 0, 0, 0, 1228236, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 02610   860   NtClose  (432, ... ) == 0x0
 02611   860   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 432, {status=0x0, info=1}, ) }, 3, 16417, ... 432, {status=0x0, info=1}, ) == 0x0
 02612   860   NtQueryDirectoryFile  (432, 0, 0, 0, 1228236, 616, BothDirectory, 1,  (432, 0, 0, 0, 1228236, 616, BothDirectory, 1, "system32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 02613   860   NtClose  (432, ... ) == 0x0
 02614   860   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\"}, 3, 16417, ... 432, {status=0x0, info=1}, ) }, 3, 16417, ... 432, {status=0x0, info=1}, ) == 0x0
 02615   860   NtQueryDirectoryFile  (432, 0, 0, 0, 1228236, 616, BothDirectory, 1,  (432, 0, 0, 0, 1228236, 616, BothDirectory, 1, "dwwin.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 02616   860   NtClose  (432, ... ) == 0x0
 02617   860   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02618   860   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02619   860   NtQueryInformationFile  (412, 1231676, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02620   860   NtCreateSection  (0xf0005, 0x0, {180224, 0}, 2, 134217728, 412, ... 432, ) == 0x0
 02621   860   NtMapViewOfSection  (432, -1, (0x0), 0, 0, {0, 0}, 180224, 1, 0, 2, ... (0x2590000), {0, 0}, 180224, ) == 0x0
 02622   860   NtClose  (432, ... ) == 0x0
 02623   860   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02624   860   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 432, ) == 0x0
 02625   860   NtQueryInformationToken  (432, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02626   860   NtClose  (432, ... ) == 0x0
 02627   860   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 432, ) }, ... 432, ) == 0x0
 02628   860   NtOpenKey  (0x20019, {24, 432, 0x40, 0, 0,  (0x20019, {24, 432, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 428, ) }, ... 428, ) == 0x0
 02629   860   NtClose  (432, ... ) == 0x0
 02630   860   NtQueryValueKey  (428,  (428, "Cache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 02631   860   NtQueryValueKey  (428,  (428, "Cache", Partial, 174, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 174, ) , Partial, 174, ... TitleIdx=0, Type=1, Data= (428, "Cache", Partial, 174, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 174, ) }, 174, ) == 0x0
 02632   860   NtClose  (428, ... ) == 0x0
 02633   860   NtUnmapViewOfSection  (-1, 0x2590000, ... ) == 0x0
 02634   860   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 8192, 4, ... 39387136, 4096, ) == 0x0
 02635   860   NtAllocateVirtualMemory  (-1, 39387136, 0, 4096, 4096, 4, ... 39387136, 4096, ) == 0x0
 02636   860   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 428, ) }, ... 428, ) == 0x0
 02637   860   NtQueryValueKey  (428,  (428, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02638   860   NtClose  (428, ... ) == 0x0
 02639   860   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02640   860   NtQueryInformationToken  (424, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0
 02641   860   NtQueryInformationToken  (424, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0
 02642   860   NtClose  (424, ... ) == 0x0
 02643   860   NtQuerySection  (408, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02644   860   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwwin.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02645   860   NtQuerySystemInformation  (71, 4, ... {system info, class 71, size 4}, 0x0, ) == 0x0
 02646   860   NtCreateProcessEx  (1233600, 2035711, 0, -1, 4, 408, 0, 0, 0, ... ) == 0x0
 02647   860   NtSetInformationProcess  (424, PriorityClass, {process info, class 18, size 2}, 512, ... ) == 0x0
 02648   860   NtSetInformationProcess  (424, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02649   860   NtQueryInformationProcess  (424, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffd9000,AffinityMask=0x1,BasePriority=8,Pid=380,ParentPid=464,}, 0x0, ) == 0x0
 02650   860   NtReadVirtualMemory  (424, 0x7ffd9008, 4, ...  (424, 0x7ffd9008, 4, ... "\0\0\00", 0x0, ) , 0x0, ) == 0x0
 02651   860   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02652   860   NtReadVirtualMemory  (424, 0x30000000, 4096, ...  (424, 0x30000000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0$\206\244\23`\347\312@`\347\312@`\347\312@9\304\331@b\347\312@`\347\313@d\347\312@\210\370\301@a\347\312@\343\373\304@j\347\312@\210\370\300@I\347\312@6\370\331@h\347\312@\272\304\326@i\347\312@\220\370\301@p\347\312@`\347\312@H\346\312@Rich`\347\312@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0N\23\216?\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\24\0\220\2\0\0\240\0\0\0\0\0\0\232t\0\0\0\20\0\0\0\320\3\0\0\0\00\0\20\0\0\0\20\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0@\3\0\0\20\0\0\237*\3\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\327\211\2\0z\1\0\0\00\3\0\244\12\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Z\236\2\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\2\0\0\370\0\0\0\0\20\0\0\270\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\222\216\2\0", 4096, ) , 4096, ) == 0x0
 02653   860   NtReadVirtualMemory  (424, 0x30033000, 256, ...  (424, 0x30033000, 256, ... "\0\0\0\0J\23\216?\0\0\0\0\0\0\3\0\5\0\0\0(\0\0\200\13\0\0\0@\0\0\200\20\0\0\0X\0\0\200\0\0\0\0J\23\216?\0\0\0\0\0\0\1\0e\0\0\0p\0\0\200\0\0\0\0J\23\216?\0\0\0\0\0\0\1\0\1\0\0\0\210\0\0\200\0\0\0\0J\23\216?\0\0\0\0\0\0\1\0\1\0\0\0\240\0\0\200\0\0\0\0J\23\216?\0\0\0\0\0\0\1\0\11\4\0\0\270\0\0\0\0\0\0\0J\23\216?\0\0\0\0\0\0\1\0\11\4\0\0\310\0\0\0\0\0\0\0J\23\216?\0\0\0\0\0\0\1\0\11\4\0\0\330\0\0\0\3600\3\0\26\3\0\0\0\0\0\0\0\0\0\0\104\3\0\254\1\0\0\0\0\0\0\0\0\0\0\2645\3\0\360\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\300\0\310\200\0\0\0\0\14\0\0\0\0\0f\1", 256, ) , 256, ) == 0x0
 02654   860   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 02655   860   NtQueryInformationProcess  (424, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffd9000,AffinityMask=0x1,BasePriority=8,Pid=380,ParentPid=464,}, 0x0, ) == 0x0
 02656   860   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32"}, 1232552, ... ) }, 1232552, ... ) == 0x0
 02657   860   NtAllocateVirtualMemory  (-1, 0, 0, 2428, 4096, 4, ... 39452672, 4096, ) == 0x0
 02658   860   NtAllocateVirtualMemory  (424, 0, 0, 6464, 4096, 4, ... 65536, 8192, ) == 0x0
 02659   860   NtWriteVirtualMemory  (424, 0x10000,  (424, 0x10000, "=\0A\0:\0=\0A\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0s\0c\0r\0i\0p\0t\0s\0\0\0=\0U\0:\0=\0U\0:\0\\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0A\0T\0L\0_\0I\0N\0C\0_\0P\0A\0T\0H\0=\0C\0:\0\\0W\0I\0N\0D\0D\0K\0\\03\07\09\00\0~\01\0.\01\08\03\0\\0i\0n\0c\0\0\0A\0T\0L\0_\0I\0N\0C\0_\0R\0O\0O\0T\0=\0C\0:\0\\0W\0I\0N\0D\0D\0K\0\\03\07\09\00\0~\01\0.\01\08\03\0\\0i\0n\0c\0\0\0A\0T\0L\0_\0L\0I\0B\0_\0P\0A\0T\0H\0=\0C\0:\0\\0W\0I\0N\0D\0D\0K\0\\03\07\0", 6464, ... 0x0, ) , 6464, ... 0x0, ) == 0x0
 02660   860   NtAllocateVirtualMemory  (424, 0, 0, 2428, 4096, 4, ... 131072, 4096, ) == 0x0
 02661   860   NtWriteVirtualMemory  (424, 0x20000,  (424, 0x20000, "\0\20\0\0|\11\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\0\0\0\0\0\13\0\0\0&\0\10\2\220\2\0\06\1\0\0\364\3\366\3\230\4\0\0:\0<\0\220\10\0\0N\0P\0\314\10\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0:\0<\0\34\11\0\0\36\0 \0X\11\0\0\0\0\2\0x\11\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 2428, ... 0x0, ) , 2428, ... 0x0, ) == 0x0
 02662   860   NtWriteVirtualMemory  (424, 0x7ffd9010,  (424, 0x7ffd9010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 02663   860   NtAllocateVirtualMemory  (424, 0, 0, 388, 4096, 4, ... 196608, 4096, ) == 0x0
 02664   860   NtWriteVirtualMemory  (424, 0x30000,  (424, 0x30000, "S\0h\0i\0m\0E\0n\0g\0.\0d\0l\0l\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\1\0\0\253\355\15\254\210\255\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\21\21\21\21\21\21\21\21\21\21\21\21\21\21\21\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 388, ... 0x0, ) , 388, ... 0x0, ) == 0x0
 02665   860   NtWriteVirtualMemory  (424, 0x7ffd91e8,  (424, 0x7ffd91e8, "\0\0\3\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 02666   860   NtFreeVirtualMemory  (-1, (0x25a0000), 0, 32768, ... (0x25a0000), 4096, ) == 0x0
 02667   860   NtAllocateVirtualMemory  (424, 0, 0, 1048576, 8192, 4, ... 262144, 1048576, ) == 0x0
 02668   860   NtAllocateVirtualMemory  (424, 1302528, 0, 8192, 4096, 4, ... 1302528, 8192, ) == 0x0
 02669   860   NtProtectVirtualMemory  (424, (0x13e000), 4096, 260, ... (0x13e000), 4096, 4, ) == 0x0
 02670   860   NtCreateThread  (0x1f03ff, 0x0, 424, 1233608, 1233272, 1, ... 428, {380, 1692}, ) == 0x0
 02671   860   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 0, 2147348480, 2008285840, 0}  (24, {168, 196, new_msg, 0, 0, 2147348480, 2008285840, 0} "\0\0\0\0\0\0\1\0\0\0\0\0x\2\264w\253\1\0\0\254\1\0\0|\1\0\0\234\6\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\260\326\22\0x\1\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\220\375\177\0\0\0\0\0\0\24\0\10 \0\0" ... {168, 196, reply, 0, 464, 860, 58008, 0} "\0\0\0\0\0\0\1\0\0\0\0\0x\2\264w\250\1\0\0\254\1\0\0|\1\0\0\234\6\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\260\326\22\0x\1\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\220\375\177\0\0\0\0\0\0\24\0\10 \0\0" )  ... {168, 196, reply, 0, 464, 860, 58008, 0}  (24, {168, 196, new_msg, 0, 0, 2147348480, 2008285840, 0} "\0\0\0\0\0\0\1\0\0\0\0\0x\2\264w\253\1\0\0\254\1\0\0|\1\0\0\234\6\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\260\326\22\0x\1\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\220\375\177\0\0\0\0\0\0\24\0\10 \0\0" ... {168, 196, reply, 0, 464, 860, 58008, 0} "\0\0\0\0\0\0\1\0\0\0\0\0x\2\264w\250\1\0\0\254\1\0\0|\1\0\0\234\6\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\260\326\22\0x\1\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\220\375\177\0\0\0\0\0\0\24\0\10 \0\0" )  ) == 0x0
 02672   860   NtResumeThread  (428, ... 1, ) == 0x0
 02673   860   NtClose  (412, ... ) == 0x0
 02674   860   NtClose  (408, ... ) == 0x0
 02675   860   NtClose  (428, ... ) == 0x0
 02676   860   NtWaitForMultipleObjects  (2, (396, 424, ), 1, 0, {1294967296, -1}, ... ) == 0x0
 02677   860   NtWaitForSingleObject  (388, 0, {0, 0}, ... ) == 0x102
 02678   860   NtWaitForMultipleObjects  (2, (396, 424, ), 1, 0, {1294967296, -1}, ... ) == 0x0
 02679   860   NtWaitForSingleObject  (388, 0, {0, 0}, ... ) == 0x102
 02680   860   NtWaitForMultipleObjects  (2, (396, 424, ), 1, 0, {1294967296, -1}, ...
 00582  1292   NtDelayExecution  ... ) == 0x0
 02681  1292   NtDelayExecution  (0, {-20010000, -1}, ...
 00583  1956   NtDelayExecution  ... ) == 0x0
 02682  1956   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 428, ) == 0x0
 02683  1956   NtCallbackReturn  (0, 0, 0, ...
 02684  1956   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00584  1980   NtDelayExecution  ... ) == 0x0
 00585  1784   NtDelayExecution  ... ) == 0x0
 00586  1480   NtDelayExecution  ... ) == 0x0
 00587  1556   NtDelayExecution  ... ) == 0x0
 00588   460   NtDelayExecution  ... ) == 0x0
 00592  1068   NtDelayExecution  ... ) == 0x0
 02685  1980   NtDelayExecution  (0, {-20010000, -1}, ...
 02686  1784   NtDelayExecution  (0, {-20010000, -1}, ...
 02687  1480   NtDelayExecution  (0, {-20010000, -1}, ...
 02688  1556   NtDelayExecution  (0, {-20010000, -1}, ...
 02689   460   NtDelayExecution  (0, {-20010000, -1}, ...
 02690  1068   NtDelayExecution  (0, {-20010000, -1}, ...
 02691  1956   NtUserFindWindowEx  (0, 0,  (0, 0, "GBDYLLO", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02692  1956   NtUserFindWindowEx  (0, 0,  (0, 0, "pediy06", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02693  1956   NtDelayExecution  (0, {-20010000, -1}, ...
 02680   860   NtWaitForMultipleObjects  ... ) == 0x0
 02694   860   NtWaitForSingleObject  (388, 0, {0, 0}, ... ) == 0x102
 02695   860   NtWaitForMultipleObjects  (2, (396, 424, ), 1, 0, {1294967296, -1}, ... ) == 0x0
 02696   860   NtWaitForSingleObject  (388, 0, {0, 0}, ... ) == 0x0
 02697   860   NtClose  (424, ... ) == 0x0
 02698   860   NtUnmapViewOfSection  (-1, 0x2560000, ... ) == 0x0
 02699   860   NtClose  (404, ... ) == 0x0
 02700   860   NtClose  (388, ... ) == 0x0
 02701   860   NtClose  (396, ... ) == 0x0
 02702   860   NtClose  (392, ... ) == 0x0
 02703   860   NtClose  (400, ... ) == 0x0
 02704   860   NtClose  (340, ... ) == 0x0
 02705   860   NtClose  (344, ... ) == 0x0
 02706   860   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xa,}, 4, ... ) == 0x0
 02707   860   NtWaitForMultipleObjects  (2, (304, 316, ), 1, 0, 0x0, ... ) == 0x1
 02708   860   NtClose  (316, ... ) == 0x0
 02709   860   NtSetEvent  (304, ... 0x0, ) == 0x0
 02710   860   NtClose  (304, ... ) == 0x0
 02711   860   NtWaitForMultipleObjects  (2, (320, 324, ), 1, 0, 0x0, ... ) == 0x1
 02712   860   NtClose  (324, ... ) == 0x0
 02713   860   NtSetEvent  (320, ... 0x0, ) == 0x0
 02714   860   NtClose  (320, ... ) == 0x0
 02715   860   NtWaitForMultipleObjects  (2, (328, 332, ), 1, 0, 0x0, ... ) == 0x1
 02716   860   NtClose  (332, ... ) == 0x0
 02717   860   NtSetEvent  (328, ... 0x0, ) == 0x0
 02718   860   NtClose  (328, ... ) == 0x0
 02719   860   NtRequestWaitReplyPort  (372, {88, 112, new_msg, 0, 464, 860, 58004, 0}  (372, {88, 112, new_msg, 0, 464, 860, 58004, 0} "\1\356\0\0A\2<\0\30b\202\201\0\260\375\177\220k\364\367\370\37`\300\377\377\377\377X\353Q\200\0\0\0\0)%\25E?>\A\250\245\22\360\331E\16S\331E\16S\1\300\375\177(l\364\367\253\362Q\200\324k\364\367\300\250U\200aFT\200\0\0\0\0h\242\250\201" ... {124, 148, reply, 0, 464, 860, 58148, 0} "\2\31\221|\1\0\221|\200\300\227|p\31\221|\250$\12\0\330\0\0\0d\365\11\0\0\300\372\177\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\1\365\11\0\1\0\0\0d\365\11\0\0\0\0\0\0\0\0\0\1\0\0\0\10\376\257\0\0\0\0\0\334\377\257\0\30\356\220|p\5\221|\377\377\377\377m\5\221|\344f\347w" )  ... {124, 148, reply, 0, 464, 860, 58148, 0}  (372, {88, 112, new_msg, 0, 464, 860, 58004, 0} "\1\356\0\0A\2<\0\30b\202\201\0\260\375\177\220k\364\367\370\37`\300\377\377\377\377X\353Q\200\0\0\0\0)%\25E?>\A\250\245\22\360\331E\16S\331E\16S\1\300\375\177(l\364\367\253\362Q\200\324k\364\367\300\250U\200aFT\200\0\0\0\0h\242\250\201" ... {124, 148, reply, 0, 464, 860, 58148, 0} "\2\31\221|\1\0\221|\200\300\227|p\31\221|\250$\12\0\330\0\0\0d\365\11\0\0\300\372\177\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\1\365\11\0\1\0\0\0d\365\11\0\0\0\0\0\0\0\0\0\1\0\0\0\10\376\257\0\0\0\0\0\334\377\257\0\30\356\220|p\5\221|\377\377\377\377m\5\221|\344f\347w" )  ) == 0x0
 02720   860   NtClose  (368, ... ) == 0x0
 02721   860   NtClose  (372, ... ) == 0x0
 02722   860   NtClose  (312, ... ) == 0x0
 02723   860   NtUnmapViewOfSection  (-1, 0x69450000, ... ) == 0x0
 02724   860   NtUnmapViewOfSection  (-1, 0x77920000, ... ) == 0x0
 02725   860   NtUnmapViewOfSection  (-1, 0x76f50000, ... ) == 0x0
 02726   860   NtUnmapViewOfSection  (-1, 0x76360000, ... ) == 0x0
 02727   860   NtUnmapViewOfSection  (-1, 0x5b860000, ... ) == 0x0
 02728   860   NtUnmapViewOfSection  (-1, 0x769c0000, ... ) == 0x0
 02729   860   NtContinue  (1242968, 0, ...
 02730   860   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 02731   860   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 02732   860   NtQueryVirtualMemory  (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 02733   860   NtTerminateProcess  (0, -1073741681, ...
 02681  1292   NtDelayExecution  ... ) == 0xc0
 02693  1956   NtDelayExecution  ... ) == 0xc0
 02685  1980   NtDelayExecution  ... ) == 0xc0
 02686  1784   NtDelayExecution  ... ) == 0xc0
 02687  1480   NtDelayExecution  ... ) == 0xc0
 02688  1556   NtDelayExecution  ... ) == 0xc0
 02689   460   NtDelayExecution  ... ) == 0xc0
 02690  1068   NtDelayExecution  ... ) == 0xc0
 01557  1856   NtWaitForSingleObject  ... ) == 0xc0
 01515  1596   NtWaitForSingleObject  ... ) == 0xc0
 01490  1128   NtWaitForSingleObject  ... ) == 0xc0
 01664  1256   NtWaitForSingleObject  ... ) == 0xc0
 01551   220   NtWaitForSingleObject  ... ) == 0xc0
 00679  1800   NtWaitForSingleObject  ... ) == 0xc0
 00876  1796   NtWaitForSingleObject  ... ) == 0xc0
 01674  1808   NtWaitForSingleObject  ... ) == 0xc0
 01495  1700   NtWaitForSingleObject  ... ) == 0xc0
 00803  1156   NtWaitForSingleObject  ... ) == 0xc0
 01499   712   NtWaitForSingleObject  ... ) == 0xc0
 00895  1728   NtWaitForSingleObject  ... ) == 0xc0
 01535  1356   NtWaitForSingleObject  ... ) == 0xc0
 01519  1536   NtWaitForSingleObject  ... ) == 0xc0
 01660   444   NtWaitForSingleObject  ... ) == 0xc0
 01507  1904   NtWaitForSingleObject  ... ) == 0xc0
 01569   148   NtDelayExecution  ... ) == 0xc0
 02733   860   NtTerminateProcess  ... ) == 0x0
 02734   860   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x9,}, 4, ... ) == 0x0
 02735   860   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x8,}, 4, ... ) == 0x0
 02736   860   NtUserQueryWindow  (65670, 0, ... ) == 0x6b8
 02737   860   NtUserQueryWindow  (65670, 1, ... ) == 0x6bc
 02738   860   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x5,}, 4, ... ) == 0x0
 02739   860   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x6,}, 4, ... ) == 0x0
 02740   860   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x7,}, 4, ... ) == 0x0
 02741   860   NtClose  (280, ... ) == 0x0
 02742   860   NtFreeVirtualMemory  (-1, (0x2550000), 0, 32768, ... (0x2550000), 65536, ) == 0x0
 02743   860   NtClose  (12, ... ) == 0x0
 02744   860   NtClose  (236, ... ) == 0x0
 02745   860   NtClose  (248, ... ) == 0x0
 02746   860   NtClose  (244, ... ) == 0x0
 02747   860   NtClose  (252, ... ) == 0x0
 02748   860   NtClose  (256, ... ) == 0x0
 02749   860   NtClose  (260, ... ) == 0x0
 02750   860   NtClose  (276, ... ) == 0x0
 02751   860   NtClose  (272, ... ) == 0x0
 02752   860   NtClose  (268, ... ) == 0x0
 02753   860   NtClose  (264, ... ) == 0x0
 02754   860   NtClose  (68, ... ) == 0x0
 02755   860   NtClose  (60, ... ) == 0x0
 02756   860   NtClose  (56, ... ) == 0x0
 02757   860   NtClose  (64, ... ) == 0x0
 02758   860   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x2,}, 4, ... ) == 0x0
 02759   860   NtUserGetAtomName  (49211, 1243560, ... ) == 0xf
 02760   860   NtUserUnregisterClass  (1243620, 1560870912, 1243608, ... ) == 0x1
 02761   860   NtUserGetAtomName  (49213, 1243560, ... ) == 0xd
 02762   860   NtUserUnregisterClass  (1243620, 1560870912, 1243608, ... ) == 0x1
 02763   860   NtUserGetAtomName  (49215, 1243560, ... ) == 0x10
 02764   860   NtUserUnregisterClass  (1243620, 1560870912, 1243608, ... ) == 0x1
 02765   860   NtUserGetAtomName  (49217, 1243560, ... ) == 0x12
 02766   860   NtUserUnregisterClass  (1243620, 1560870912, 1243608, ... ) == 0x1
 02767   860   NtUserGetAtomName  (49219, 1243560, ... ) == 0xd
 02768   860   NtUserUnregisterClass  (1243620, 1560870912, 1243608, ... ) == 0x1
 02769   860   NtUserGetAtomName  (49221, 1243560, ... ) == 0xb
 02770   860   NtUserUnregisterClass  (1243620, 1560870912, 1243608, ... ) == 0x1
 02771   860   NtUserGetAtomName  (49223, 1243560, ... ) == 0xf
 02772   860   NtUserUnregisterClass  (1243620, 1560870912, 1243608, ... ) == 0x1
 02773   860   NtUserGetAtomName  (49225, 1243560, ... ) == 0xd
 02774   860   NtUserUnregisterClass  (1243620, 1560870912, 1243608, ... ) == 0x1
 02775   860   NtUserGetAtomName  (49227, 1243560, ... ) == 0x11
 02776   860   NtUserUnregisterClass  (1243620, 1560870912, 1243608, ... ) == 0x1
 02777   860   NtUserGetAtomName  (49229, 1243560, ... ) == 0xf
 02778   860   NtUserUnregisterClass  (1243620, 1560870912, 1243608, ... ) == 0x1
 02779   860   NtUserGetAtomName  (49231, 1243560, ... ) == 0x11
 02780   860   NtUserUnregisterClass  (1243620, 1560870912, 1243608, ... ) == 0x1
 02781   860   NtUserGetAtomName  (49233, 1243560, ... ) == 0xf
 02782   860   NtUserUnregisterClass  (1243620, 1560870912, 1243608, ... ) == 0x1
 02783   860   NtUserGetAtomName  (49235, 1243560, ... ) == 0xc
 02784   860   NtUserUnregisterClass  (1243620, 1560870912, 1243608, ... ) == 0x1
 02785   860   NtUserGetAtomName  (49237, 1243552, ... ) == 0xd
 02786   860   NtUserUnregisterClass  (1243612, 1560870912, 1243600, ... ) == 0x1
 02787   860   NtUserGetAtomName  (49239, 1243552, ... ) == 0x11
 02788   860   NtUserUnregisterClass  (1243612, 1560870912, 1243600, ... ) == 0x1
 02789   860   NtUserGetAtomName  (49241, 1243560, ... ) == 0xc
 02790   860   NtUserUnregisterClass  (1243620, 1560870912, 1243608, ... ) == 0x1
 02791   860   NtUserGetAtomName  (49243, 1243560, ... ) == 0xe
 02792   860   NtUserUnregisterClass  (1243620, 1560870912, 1243608, ... ) == 0x1
 02793   860   NtUserGetAtomName  (49245, 1243560, ... ) == 0x8
 02794   860   NtUserUnregisterClass  (1243620, 1560870912, 1243608, ... ) == 0x1
 02795   860   NtUserGetAtomName  (49247, 1243560, ... ) == 0xd
 02796   860   NtUserUnregisterClass  (1243620, 1560870912, 1243608, ... ) == 0x1
 02797   860   NtUnmapViewOfSection  (-1, 0xb00000, ... ) == 0x0
 02798   860   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x1,}, 4, ... ) == 0x0
 02799   860   NtFreeVirtualMemory  (-1, (0xa40000), 0, 32768, ... (0xa40000), 65536, ) == 0x0
 02800   860   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize"}, ... 64, ) }, ... 64, ) == 0x0
 02801   860   NtQueryValueKey  (64,  (64, "DisableMetaFiles", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02802   860   NtClose  (64, ... ) == 0x0
 02803   860   NtClose  (364, ... ) == 0x0
 02804   860   NtFreeVirtualMemory  (-1, (0x2590000), 4096, 32768, ... (0x2590000), 4096, ) == 0x0
 02805   860   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 1177928, 2011674340, 1, 1337824}  (24, {20, 48, new_msg, 0, 1177928, 2011674340, 1, 1337824} "\0\0\0\0\3\0\1\0\340i\24\0\354\371\21\0\217\0\0\300" ... {20, 48, reply, 0, 464, 860, 58175, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\354\371\21\0\217\0\0\300" )  ... {20, 48, reply, 0, 464, 860, 58175, 0}  (24, {20, 48, new_msg, 0, 1177928, 2011674340, 1, 1337824} "\0\0\0\0\3\0\1\0\340i\24\0\354\371\21\0\217\0\0\300" ... {20, 48, reply, 0, 464, 860, 58175, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\354\371\21\0\217\0\0\300" )  ) == 0x0
 02806   860   NtTerminateProcess  (-1, -1073741681, ...