Summary:


NtCallbackReturn(>)  1 
NtTestAlert(>)  1 
NtGdiCreateCompatibleDC(>)  3 
NtUserRegisterWindowMessage(>)  20 

NtDuplicateObject(>)  1 
NtUserCallNoParam(>)  1 
NtSetInformationObject(>)  3 
NtQueryValueKey(>)  23 

NtFsControlFile(>)  1 
NtUserGetThreadDesktop(>)  1 
NtGdiGetStockObject(>)  5 
NtContinue(>)  24 

NtGdiCreateBitmap(>)  1 
NtAddAtom(>)  2 
NtQueryDefaultLocale(>)  5 
NtOpenFile(>)  24 

NtGdiInit(>)  1 
NtCreateKey(>)  2 
NtCreateFile(>)  6 
NtQueryDebugFilterState(>)  24 

NtGdiQueryFontAssocInfo(>)  1 
NtGdiCreateSolidBrush(>)  2 
NtSetInformationThread(>)  6 
NtUserFindExistingCursorIcon(>)  24 

NtGdiSelectBitmap(>)  1 
NtOpenDirectoryObject(>)  2 
NtUserSystemParametersInfo(>)  6 
NtQuerySystemInformation(>)  25 

NtNotifyChangeKey(>)  1 
NtOpenEvent(>)  2 
NtQuerySection(>)  7 
NtOpenSection(>)  26 

NtOpenKeyedEvent(>)  1 
NtOpenProcessToken(>)  2 
NtOpenProcessTokenEx(>)  8 
NtUserRegisterClassExWOW(>)  34 

NtOpenMutant(>)  1 
NtQueryInformationFile(>)  2 
NtOpenThreadTokenEx(>)  8 
NtProtectVirtualMemory(>)  35 

NtOpenProcess(>)  1 
NtQueryInformationProcess(>)  2 
NtRequestWaitReplyPort(>)  8 
NtAllocateVirtualMemory(>)  36 

NtOpenSymbolicLinkObject(>)  1 
NtQueryInstallUILanguage(>)  2 
NtQueryDefaultUILanguage(>)  10 
NtMapViewOfSection(>)  39 

NtQueryInformationThread(>)  1 
NtQueryVirtualMemory(>)  2 
NtQueryInformationToken(>)  11 
NtOpenKey(>)  54 

NtQueryObject(>)  1 
NtTerminateProcess(>)  2 
NtFlushInstructionCache(>)  17 
NtUserGetClassInfo(>)  54 

NtQuerySymbolicLinkObject(>)  1 
NtUserGetDC(>)  2 
NtCreateSection(>)  18 
NtClose(>)  98 

NtQueryVolumeInformationFile(>)  1 
NtCreateEvent(>)  3 
NtUserUnregisterClass(>)  18 

NtRegisterThreadTerminatePort(>)  1 
NtCreateSemaphore(>)  3 
NtUnmapViewOfSection(>)  19 

NtSecureConnectPort(>)  1 

Trace:
 00001   456   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002   456   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00003   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00004   456   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1376256, 1048576, ) == 0x0
 00005   456   NtAllocateVirtualMemory  (-1, 1376256, 0, 4096, 4096, 4, ... 1376256, 4096, ) == 0x0
 00006   456   NtAllocateVirtualMemory  (-1, 1380352, 0, 8192, 4096, 4, ... 1380352, 8192, ) == 0x0
 00007   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00008   456   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2424832, 65536, ) == 0x0
 00009   456   NtAllocateVirtualMemory  (-1, 2424832, 0, 24576, 4096, 4, ... 2424832, 24576, ) == 0x0
 00010   456   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00011   456   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00012   456   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00013   456   NtClose  (12, ... ) == 0x0
 00014   456   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00015   456   NtQueryVolumeInformationFile  (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00016   456   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER
 00017   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019   456   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0
 00020   456   NtClose  (16, ... ) == 0x0
 00021   456   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00022   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00023   456   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00024   456   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1385272, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2490368, 18677760}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1385272, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2490368, 18677760}, {0, 0, 0}, 200, 44, ) == 0x0
 00025   456   NtClose  (16, ... ) == 0x0
 00026   456   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00027   456   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00028   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00029   456   NtQueryVirtualMemory  (-1, 0x260000, Basic, 28, ... {BaseAddress=0x260000,AllocationBase=0x260000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00030   456   NtAllocateVirtualMemory  (-1, 2490368, 0, 4096, 4096, 4, ... 2490368, 4096, ) == 0x0
 00031   456   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\35\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\35\1\4\0\0\0" ... {28, 56, reply, 0, 452, 456, 1479, 0} "\240\25\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\35\1\4\0\0\0" )  ... {28, 56, reply, 0, 452, 456, 1479, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\35\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\35\1\4\0\0\0" ... {28, 56, reply, 0, 452, 456, 1479, 0} "\240\25\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\35\1\4\0\0\0" )  ) == 0x0
 00032   456   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00033   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00034   456   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00035   456   NtClose  (16, ... ) == 0x0
 00036   456   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00037   456   NtOpenMutant  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0
 00038   456   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 28, ) == 0x0
 00039   456   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x270000), 0x0, 90112, ) == 0x0
 00040   456   NtClose  (28, ... ) == 0x0
 00041   456   NtQueryDefaultLocale  (0, 2012046252, ... ) == 0x0
 00042   456   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0
 00043   456   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x290000), 0x0, 212992, ) == 0x0
 00044   456   NtClose  (28, ... ) == 0x0
 00045   456   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0
 00046   456   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2d0000), 0x0, 266240, ) == 0x0
 00047   456   NtQuerySection  (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00048   456   NtClose  (28, ... ) == 0x0
 00049   456   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0
 00050   456   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x320000), 0x0, 24576, ) == 0x0
 00051   456   NtClose  (28, ... ) == 0x0
 00052   456   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00053   456   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00054   456   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00055   456   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\35\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\35\18\6\0\0" ... {28, 56, reply, 0, 452, 456, 1480, 0} "\10\260\27\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\35\18\6\0\0" )  ... {28, 56, reply, 0, 452, 456, 1480, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\35\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\35\18\6\0\0" ... {28, 56, reply, 0, 452, 456, 1480, 0} "\10\260\27\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\35\18\6\0\0" )  ) == 0x0
 00056   456   NtProtectVirtualMemory  (-1, (0x436000), 45056, 4, ... (0x436000), 45056, 8, ) == 0x0
 00057   456   NtProtectVirtualMemory  (-1, (0x436000), 45056, 8, ... (0x436000), 45056, 4, ) == 0x0
 00058   456   NtFlushInstructionCache  (-1, 4415488, 45056, ... ) == 0x0
 00059   456   NtOpenProcessToken  (-1, 0x8, ... 28, ) == 0x0
 00060   456   NtQueryInformationToken  (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00061   456   NtClose  (28, ... ) == 0x0
 00062   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00063   456   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00064   456   NtClose  (28, ... ) == 0x0
 00065   456   NtTestAlert  (... ) == 0x0
 00066   456   NtContinue  (1244464, 1, ...
 00067   456   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x43605c,}, 4, ... ) == 0x0
 00068   456   NtAllocateVirtualMemory  (-1, 0, 0, 73728, 12288, 64, ... 3342336, 73728, ) == 0x0
 00069   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 28, ) }, ... 28, ) == 0x0
 00070   456   NtQueryValueKey  (28,  (28, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00071   456   NtClose  (28, ... ) == 0x0
 00072   456   NtAllocateVirtualMemory  (-1, 1388544, 0, 4096, 4096, 4, ... 1388544, 4096, ) == 0x0
 00073   456   NtContinue  (1244388, 0, ...
 00074   456   NtContinue  (1244388, 0, ...
 00075   456   NtProtectVirtualMemory  (-1, (0x40000c), 512, 4, ... (0x400000), 4096, 2, ) == 0x0
 00076   456   NtContinue  (1244388, 0, ...
 00077   456   NtContinue  (1244388, 0, ...
 00078   456   NtContinue  (1244388, 0, ...
 00079   456   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 1244988,  (0x100080, {24, 0, 0x40, 0, 1244988, "\??\SUPERBPM"}, 0x0, 0, 3, 1, 96, 0, 0, ... ) }, 0x0, 0, 3, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00080   456   NtContinue  (1244388, 0, ...
 00081   456   NtContinue  (1244388, 0, ...
 00082   456   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 1244988,  (0x100080, {24, 0, 0x40, 0, 1244988, "\??\NTICE"}, 0x0, 0, 3, 1, 96, 0, 0, ... ) }, 0x0, 0, 3, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00083   456   NtContinue  (1244388, 0, ...
 00084   456   NtContinue  (1244388, 0, ...
 00085   456   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 1244988,  (0x100080, {24, 0, 0x40, 0, 1244988, "\??\REGVXD"}, 0x0, 0, 3, 1, 96, 0, 0, ... ) }, 0x0, 0, 3, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00086   456   NtAllocateVirtualMemory  (-1, 0, 0, 135168, 12288, 64, ... 3473408, 135168, ) == 0x0
 00087   456   NtContinue  (1244372, 0, ...
 00088   456   NtContinue  (1244372, 0, ...
 00089   456   NtContinue  (1244372, 0, ...
 00090   456   NtContinue  (1244372, 0, ...
 00091   456   NtContinue  (1244372, 0, ...
 00092   456   NtContinue  (1244372, 0, ...
 00093   456   NtContinue  (1244376, 0, ...
 00094   456   NtContinue  (1244376, 0, ...
 00095   456   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 1244976,  (0x100080, {24, 0, 0x40, 0, 1244976, "\??\FILEVXD"}, 0x0, 0, 3, 1, 96, 0, 0, ... ) }, 0x0, 0, 3, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00096   456   NtContinue  (1244376, 0, ...
 00097   456   NtContinue  (1244376, 0, ...
 00098   456   NtContinue  (1244376, 0, ...
 00099   456   NtContinue  (1244376, 0, ...
 00100   456   NtAllocateVirtualMemory  (-1, 0, 0, 47552, 12288, 64, ... 3670016, 49152, ) == 0x0
 00101   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "USER32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00102   456   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0
 00103   456   NtClose  (28, ... ) == 0x0
 00104   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00105   456   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0
 00106   456   NtClose  (28, ... ) == 0x0
 00107   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00108   456   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0
 00109   456   NtClose  (28, ... ) == 0x0
 00110   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00111   456   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0
 00112   456   NtClose  (28, ... ) == 0x0
 00113   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00114   456   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00115   456   NtQueryValueKey  (28,  (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00116   456   NtClose  (28, ... ) == 0x0
 00117   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0
 00118   456   NtQueryValueKey  (28,  (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00119   456   NtClose  (28, ... ) == 0x0
 00120   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0
 00121   456   NtSetInformationObject  (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0
 00122   456   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00123   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00124   456   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0}  (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0} "\210\6\35\1\0\0\0\0\314\4\23\0\374\207\16\366\3\0\0\0\234\6\35\1$\1\0\0" ... {28, 56, reply, 0, 452, 456, 1485, 0} "XQ\26\0\0\0\0\0\0\0\0\0\374\207\16\366\3\0\0\0\234\6\35\1$\1\0\0" )  ... {28, 56, reply, 0, 452, 456, 1485, 0}  (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0} "\210\6\35\1\0\0\0\0\314\4\23\0\374\207\16\366\3\0\0\0\234\6\35\1$\1\0\0" ... {28, 56, reply, 0, 452, 456, 1485, 0} "XQ\26\0\0\0\0\0\0\0\0\0\374\207\16\366\3\0\0\0\234\6\35\1$\1\0\0" )  ) == 0x0
 00125   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00126   456   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x520000), 0x0, 1060864, ) == 0x0
 00127   456   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 36, ) == 0x0
 00128   456   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00129   456   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482208, ) == 0x0
 00130   456   NtQueryInformationToken  (-2147482208, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00131   456   NtQueryInformationToken  (-2147482208, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00132   456   NtClose  (-2147482208, ... ) == 0x0
 00133   456   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 3735552, 4096, ) == 0x0
 00134   456   NtFreeVirtualMemory  (-1, (0x390000), 4096, 32768, ... (0x390000), 4096, ) == 0x0
 00135   456   NtDuplicateObject  (-1, 40, -1, 0x0, 0, 2, ... 48, ) == 0x0
 00136   456   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 00137   456   NtQueryValueKey  (-2147482208,  (-2147482208, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00138   456   NtClose  (-2147482208, ... ) == 0x0
 00139   456   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 00140   456   NtQueryValueKey  (-2147482208,  (-2147482208, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00141   456   NtClose  (-2147482208, ... ) == 0x0
 00142   456   NtQueryDefaultLocale  (0, -130840052, ... ) == 0x0
 00143   456   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00144   456   NtUserCallNoParam  (24, ... ) == 0x0
 00145   456   NtGdiCreateCompatibleDC  (0, ...
 00146   456   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 3735552, 4096, ) == 0x0
 00145   456   NtGdiCreateCompatibleDC  ... ) == 0x160103c6
 00147   456   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00148   456   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00149   456   NtGdiCreateBitmap  (8, 8, 1, 1, 2010393708, ... ) == 0xe05040a
 00150   456   NtGdiCreateSolidBrush  (0, 0, ...
 00151   456   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 3801088, 4096, ) == 0x0
 00150   456   NtGdiCreateSolidBrush  ... ) == 0x161003fd
 00152   456   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00153   456   NtGdiCreateCompatibleDC  (0, ... ) == 0xd01040b
 00154   456   NtGdiSelectBitmap  (218170379, 235209738, ... ) == 0x185000f
 00155   456   NtUserGetThreadDesktop  (456, 0, ... ) == 0x2c
 00156   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 52, ) }, ... 52, ) == 0x0
 00157   456   NtQueryValueKey  (52,  (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00158   456   NtClose  (52, ... ) == 0x0
 00159   456   NtUserFindExistingCursorIcon  (1240876, 1240892, 1241460, ... ) == 0x10011
 00160   456   NtUserRegisterClassExWOW  (1241396, 1241476, 1241460, 1241492, 673, 128, 0, ... ) == 0x810dc017
 00161   456   NtUserFindExistingCursorIcon  (1240876, 1240892, 1241460, ... ) == 0x10011
 00162   456   NtUserRegisterClassExWOW  (1241396, 1241476, 1241460, 1241492, 674, 128, 0, ... ) == 0x810dc01c
 00163   456   NtUserFindExistingCursorIcon  (1240876, 1240892, 1241460, ... ) == 0x10011
 00164   456   NtUserRegisterClassExWOW  (1241396, 1241476, 1241460, 1241492, 675, 128, 0, ... ) == 0x810dc01e
 00165   456   NtUserFindExistingCursorIcon  (1240876, 1240892, 1241460, ... ) == 0x10011
 00166   456   NtUserRegisterClassExWOW  (1241396, 1241476, 1241460, 1241492, 676, 128, 0, ... ) == 0x810d8002
 00167   456   NtUserFindExistingCursorIcon  (1240876, 1240892, 1241460, ... ) == 0x10013
 00168   456   NtUserRegisterClassExWOW  (1241396, 1241476, 1241460, 1241492, 677, 128, 0, ... ) == 0x810dc018
 00169   456   NtUserFindExistingCursorIcon  (1240876, 1240892, 1241460, ... ) == 0x10011
 00170   456   NtUserRegisterClassExWOW  (1241396, 1241476, 1241460, 1241492, 678, 128, 0, ... ) == 0x810dc01a
 00171   456   NtUserFindExistingCursorIcon  (1240876, 1240892, 1241460, ... ) == 0x10011
 00172   456   NtUserRegisterClassExWOW  (1241396, 1241476, 1241460, 1241492, 679, 128, 0, ... ) == 0x810dc01d
 00173   456   NtUserFindExistingCursorIcon  (1240876, 1240892, 1241460, ... ) == 0x10011
 00174   456   NtUserRegisterClassExWOW  (1241396, 1241476, 1241460, 1241492, 681, 128, 0, ... ) == 0x810dc026
 00175   456   NtUserFindExistingCursorIcon  (1240876, 1240892, 1241460, ... ) == 0x10011
 00176   456   NtUserRegisterClassExWOW  (1241396, 1241476, 1241460, 1241492, 680, 128, 0, ... ) == 0x810dc019
 00177   456   NtUserRegisterClassExWOW  (1241348, 1241428, 1241412, 1241444, 0, 128, 0, ...
 00178   456   NtAllocateVirtualMemory  (-1, 6582272, 0, 4096, 4096, 32, ... 6582272, 4096, ) == 0x0
 00177   456   NtUserRegisterClassExWOW  ... ) == 0x810dc020
 00179   456   NtUserRegisterClassExWOW  (1241348, 1241424, 1241440, 1241412, 0, 130, 0, ... ) == 0x810dc022
 00180   456   NtUserRegisterClassExWOW  (1241348, 1241428, 1241412, 1241444, 0, 128, 0, ... ) == 0x810dc023
 00181   456   NtUserRegisterClassExWOW  (1241348, 1241424, 1241440, 1241412, 0, 130, 0, ... ) == 0x810dc024
 00182   456   NtUserRegisterClassExWOW  (1241348, 1241428, 1241412, 1241444, 0, 128, 0, ... ) == 0x810dc025
 00183   456   NtCallbackReturn  (0, 0, 0, ...
 00184   456   NtGdiInit  (... ) == 0x1
 00185   456   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00186   456   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00187   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHELL32.dll"}, ... 52, ) }, ... 52, ) == 0x0
 00188   456   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 8339456, ) == 0x0
 00189   456   NtClose  (52, ... ) == 0x0
 00190   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 52, ) }, ... 52, ) == 0x0
 00191   456   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0
 00192   456   NtClose  (52, ... ) == 0x0
 00193   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 52, ) }, ... 52, ) == 0x0
 00194   456   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x772d0000), 0x0, 405504, ) == 0x0
 00195   456   NtClose  (52, ... ) == 0x0
 00196   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00197   456   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3866624, 65536, ) == 0x0
 00198   456   NtAllocateVirtualMemory  (-1, 3866624, 0, 4096, 4096, 4, ... 3866624, 4096, ) == 0x0
 00199   456   NtAllocateVirtualMemory  (-1, 3870720, 0, 8192, 4096, 4, ... 3870720, 8192, ) == 0x0
 00200   456   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 52, ) }, ... 52, ) == 0x0
 00201   456   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x3c0000), 0x0, 12288, ) == 0x0
 00202   456   NtClose  (52, ... ) == 0x0
 00203   456   NtAllocateVirtualMemory  (-1, 3878912, 0, 4096, 4096, 4, ... 3878912, 4096, ) == 0x0
 00204   456   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00205   456   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 52, ) }, ... 52, ) == 0x0
 00206   456   NtQueryValueKey  (52,  (52, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (52, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00207   456   NtClose  (52, ... ) == 0x0
 00208   456   NtQueryDefaultUILanguage  (1241428, ...
 00209   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00210   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482208, ) == 0x0
 00211   456   NtQueryInformationToken  (-2147482208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00212   456   NtClose  (-2147482208, ... ) == 0x0
 00213   456   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 00214   456   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00215   456   NtOpenKey  (0x80000000, {24, -2147482208, 0x640, 0, 0,  (0x80000000, {24, -2147482208, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482196, ) }, ... -2147482196, ) == 0x0
 00216   456   NtQueryValueKey  (-2147482196,  (-2147482196, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00217   456   NtClose  (-2147482196, ... ) == 0x0
 00218   456   NtClose  (-2147482208, ... ) == 0x0
 00208   456   NtQueryDefaultUILanguage  ... ) == 0x0
 00219   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00220   456   NtQueryInstallUILanguage  (2012047340, ... ) == 0x0
 00221   456   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1, 96, ... 52, {status=0x0, info=1}, ) }, 1, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00222   456   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 52, ... 56, ) == 0x0
 00223   456   NtMapViewOfSection  (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x930000), 0x0, 8323072, ) == 0x0
 00224   456   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00225   456   NtQueryDefaultUILanguage  (2013024600, ...
 00226   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00227   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482208, ) == 0x0
 00228   456   NtQueryInformationToken  (-2147482208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00229   456   NtClose  (-2147482208, ... ) == 0x0
 00230   456   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 00231   456   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00232   456   NtOpenKey  (0x80000000, {24, -2147482208, 0x640, 0, 0,  (0x80000000, {24, -2147482208, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482196, ) }, ... -2147482196, ) == 0x0
 00233   456   NtQueryValueKey  (-2147482196,  (-2147482196, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00234   456   NtClose  (-2147482196, ... ) == 0x0
 00235   456   NtClose  (-2147482208, ... ) == 0x0
 00225   456   NtQueryDefaultUILanguage  ... ) == 0x0
 00236   456   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00237   456   NtQueryInstallUILanguage  (2013024602, ... ) == 0x0
 00238   456   NtQueryDefaultLocale  (1, 1239464, ... ) == 0x0
 00239   456   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00240   456   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1240320, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1240320, 1, 96, 0} "\210\6\35\1\33\0\1\0\0\0\0\0\1\360\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\14\0\0\0\377\377\377\377\0\0\0\0\20\311\312\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0\0\364\22\0\0\0\0\0" ... {128, 156, reply, 0, 452, 456, 1493, 0} " S\26\0\33\0\1\0\0\0\0\0\1\360\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\14\0\0\0\377\377\377\377\0\0\0\0\20\311\312\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0\0\364\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 452, 456, 1493, 0}  (24, {128, 156, new_msg, 0, 1240320, 1, 96, 0} "\210\6\35\1\33\0\1\0\0\0\0\0\1\360\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\14\0\0\0\377\377\377\377\0\0\0\0\20\311\312\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0\0\364\22\0\0\0\0\0" ... {128, 156, reply, 0, 452, 456, 1493, 0} " S\26\0\33\0\1\0\0\0\0\0\1\360\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\14\0\0\0\377\377\377\377\0\0\0\0\20\311\312\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0\0\364\22\0\0\0\0\0" )  ) == 0x0
 00241   456   NtClose  (52, ... ) == 0x0
 00242   456   NtClose  (56, ... ) == 0x0
 00243   456   NtUnmapViewOfSection  (-1, 0x930000, ... ) == 0x0
 00244   456   NtUnmapViewOfSection  (-1, 0x12f400, ... ) == STATUS_NOT_MAPPED_VIEW
 00245   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00246   456   NtAllocateVirtualMemory  (-1, 1392640, 0, 4096, 4096, 4, ... 1392640, 4096, ) == 0x0
 00247   456   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00248   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00249   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00250   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1238548, ... ) }, 1238548, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00251   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00252   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00253   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00254   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1239140, ... ) }, 1239140, ... ) == 0x0
 00255   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 56, {status=0x0, info=1}, ) }, 3, 33, ... 56, {status=0x0, info=1}, ) == 0x0
 00256   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00257   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00258   456   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 52, ... 60, ) == 0x0
 00259   456   NtClose  (52, ... ) == 0x0
 00260   456   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x930000), 0x0, 921600, ) == 0x0
 00261   456   NtClose  (60, ... ) == 0x0
 00262   456   NtUnmapViewOfSection  (-1, 0x930000, ... ) == 0x0
 00263   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 60, {status=0x0, info=1}, ) }, 5, 96, ... 60, {status=0x0, info=1}, ) == 0x0
 00264   456   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 60, ... 52, ) == 0x0
 00265   456   NtQuerySection  (52, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00266   456   NtOpenProcessToken  (-1, 0x8, ... 64, ) == 0x0
 00267   456   NtQueryInformationToken  (64, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00268   456   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00269   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 68, ) }, ... 68, ) == 0x0
 00270   456   NtQueryValueKey  (68,  (68, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (68, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00271   456   NtClose  (68, ... ) == 0x0
 00272   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00273   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 68, ) == 0x0
 00274   456   NtQueryInformationToken  (68, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00275   456   NtClose  (68, ... ) == 0x0
 00276   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00277   456   NtClose  (64, ... ) == 0x0
 00278   456   NtClose  (60, ... ) == 0x0
 00279   456   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0
 00280   456   NtClose  (52, ... ) == 0x0
 00281   456   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00282   456   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00283   456   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00284   456   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00285   456   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00286   456   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00287   456   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00288   456   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00289   456   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00290   456   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00291   456   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00292   456   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00293   456   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00294   456   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00295   456   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00296   456   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00297   456   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00298   456   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00299   456   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00300   456   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00301   456   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00302   456   NtAddAtom  ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1240324, ... ) , 42, 1240324, ... ) == 0x0
 00303   456   NtQueryDefaultUILanguage  (1239040, ...
 00304   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00305   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482208, ) == 0x0
 00306   456   NtQueryInformationToken  (-2147482208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00307   456   NtClose  (-2147482208, ... ) == 0x0
 00308   456   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 00309   456   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00310   456   NtOpenKey  (0x80000000, {24, -2147482208, 0x640, 0, 0,  (0x80000000, {24, -2147482208, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482196, ) }, ... -2147482196, ) == 0x0
 00311   456   NtQueryValueKey  (-2147482196,  (-2147482196, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00312   456   NtClose  (-2147482196, ... ) == 0x0
 00313   456   NtClose  (-2147482208, ... ) == 0x0
 00303   456   NtQueryDefaultUILanguage  ... ) == 0x0
 00314   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00315   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1237892, ... ) }, 1237892, ... ) == 0x0
 00316   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00317   456   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 52, ... 60, ) == 0x0
 00318   456   NtClose  (52, ... ) == 0x0
 00319   456   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x3e0000), 0x0, 4096, ) == 0x0
 00320   456   NtClose  (60, ... ) == 0x0
 00321   456   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 00322   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1237532, ... ) }, 1237532, ... ) == 0x0
 00323   456   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238232,  (0x80100080, {24, 0, 0x40, 0, 1238232, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 60, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 60, {status=0x0, info=1}, ) == 0x0
 00324   456   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 60, ... 52, ) == 0x0
 00325   456   NtClose  (60, ... ) == 0x0
 00326   456   NtMapViewOfSection  (52, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x3e0000), {0, 0}, 4096, ) == 0x0
 00327   456   NtClose  (52, ... ) == 0x0
 00328   456   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 00329   456   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 52, {status=0x0, info=1}, ) }, 1, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00330   456   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 52, ... 60, ) == 0x0
 00331   456   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x3e0000), 0x0, 4096, ) == 0x0
 00332   456   NtQueryInformationFile  (52, 1237852, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0
 00333   456   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00334   456   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1237932, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1237932, 1, 96, 0} "\210\6\35\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\14\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0\254\352\22\0\0\0\0\0" ... {128, 156, reply, 0, 452, 456, 1494, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\14\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0\254\352\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 452, 456, 1494, 0}  (24, {128, 156, new_msg, 0, 1237932, 1, 96, 0} "\210\6\35\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\14\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0\254\352\22\0\0\0\0\0" ... {128, 156, reply, 0, 452, 456, 1494, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\14\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0\254\352\22\0\0\0\0\0" )  ) == 0x0
 00335   456   NtClose  (52, ... ) == 0x0
 00336   456   NtClose  (60, ... ) == 0x0
 00337   456   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 00338   456   NtUnmapViewOfSection  (-1, 0x12eaac, ... ) == STATUS_NOT_MAPPED_VIEW
 00339   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00340   456   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00341   456   NtUserSystemParametersInfo  (104, 0, 1906151468, 0, ... ) == 0x1
 00342   456   NtUserGetDC  (0, ... ) == 0x1010051
 00343   456   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 00344   456   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 00345   456   NtContinue  (1237888, 0, ...
 00346   456   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 00347   456   NtUnmapViewOfSection  (-1, 0x71950000, ... ) == 0x0
 00348   456   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 00349   456   NtUnmapViewOfSection  (-1, 0x3d0000, ... ) == 0x0
 00350   456   NtClose  (56, ... ) == 0x0
 00351   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "comctl32.dll"}, ... 56, ) }, ... 56, ) == 0x0
 00352   456   NtMapViewOfSection  (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0
 00353   456   NtClose  (56, ... ) == 0x0
 00354   456   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {452, 0}, ... 56, ) == 0x0
 00355   456   NtQueryInformationProcess  (56, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 00356   456   NtClose  (56, ... ) == 0x0
 00357   456   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00358   456   NtUserSystemParametersInfo  (104, 0, 2000318720, 0, ... ) == 0x1
 00359   456   NtUserSystemParametersInfo  (38, 4, 2000318708, 0, ... ) == 0x1
 00360   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00361   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 56, ) == 0x0
 00362   456   NtQueryInformationToken  (56, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00363   456   NtClose  (56, ... ) == 0x0
 00364   456   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 56, ) }, ... 56, ) == 0x0
 00365   456   NtSetInformationObject  (56, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 00366   456   NtOpenKey  (0x20019, {24, 56, 0x40, 0, 0,  (0x20019, {24, 56, 0x40, 0, 0, "Control Panel\Desktop"}, ... 60, ) }, ... 60, ) == 0x0
 00367   456   NtQueryValueKey  (60,  (60, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00368   456   NtClose  (60, ... ) == 0x0
 00369   456   NtUserSystemParametersInfo  (41, 500, 1239912, 0, ... ) == 0x1
 00370   456   NtUserSystemParametersInfo  (102, 0, 2000318732, 0, ... ) == 0x1
 00371   456   NtUserGetClassInfo  (1999896576, 1240320, 1240272, 1240348, 0, ... ) == 0x0
 00372   456   NtUserFindExistingCursorIcon  (1239704, 1239720, 1240288, ... ) == 0x10011
 00373   456   NtUserRegisterClassExWOW  (1240156, 1240236, 1240220, 1240252, 0, 384, 0, ... ) == 0x810dc03b
 00374   456   NtUserGetClassInfo  (1999896576, 1240320, 1240272, 1240348, 0, ... ) == 0x0
 00375   456   NtUserRegisterClassExWOW  (1240156, 1240236, 1240220, 1240252, 0, 384, 0, ... ) == 0x810dc03d
 00376   456   NtUserGetClassInfo  (1999896576, 1240320, 1240272, 1240348, 0, ... ) == 0x0
 00377   456   NtUserFindExistingCursorIcon  (1239704, 1239720, 1240288, ... ) == 0x10011
 00378   456   NtUserRegisterClassExWOW  (1240156, 1240236, 1240220, 1240252, 0, 384, 0, ... ) == 0x810dc03f
 00379   456   NtUserGetClassInfo  (1999896576, 1240320, 1240272, 1240348, 0, ... ) == 0x0
 00380   456   NtUserFindExistingCursorIcon  (1239704, 1239720, 1240288, ... ) == 0x10011
 00381   456   NtUserRegisterClassExWOW  (1240156, 1240236, 1240220, 1240252, 0, 384, 0, ... ) == 0x810dc041
 00382   456   NtUserGetClassInfo  (1999896576, 1240320, 1240272, 1240348, 0, ... ) == 0x0
 00383   456   NtUserFindExistingCursorIcon  (1239704, 1239720, 1240288, ... ) == 0x10011
 00384   456   NtUserRegisterClassExWOW  (1240156, 1240236, 1240220, 1240252, 0, 384, 0, ... ) == 0x810dc043
 00385   456   NtUserGetClassInfo  (1999896576, 1240320, 1240272, 1240348, 0, ... ) == 0x0
 00386   456   NtUserRegisterClassExWOW  (1240156, 1240236, 1240220, 1240252, 0, 384, 0, ... ) == 0x810dc045
 00387   456   NtUserGetClassInfo  (1999896576, 1240320, 1240272, 1240348, 0, ... ) == 0x0
 00388   456   NtUserFindExistingCursorIcon  (1239704, 1239720, 1240288, ... ) == 0x10011
 00389   456   NtUserRegisterClassExWOW  (1240156, 1240236, 1240220, 1240252, 0, 384, 0, ... ) == 0x810dc047
 00390   456   NtUserGetClassInfo  (1999896576, 1240320, 1240272, 1240348, 0, ... ) == 0x0
 00391   456   NtUserFindExistingCursorIcon  (1239700, 1239716, 1240284, ... ) == 0x10011
 00392   456   NtUserRegisterClassExWOW  (1240152, 1240232, 1240216, 1240248, 0, 384, 0, ... ) == 0x810dc049
 00393   456   NtUserGetClassInfo  (1999896576, 1240320, 1240272, 1240348, 0, ... ) == 0x0
 00394   456   NtUserFindExistingCursorIcon  (1239704, 1239720, 1240288, ... ) == 0x10011
 00395   456   NtUserRegisterClassExWOW  (1240156, 1240236, 1240220, 1240252, 0, 384, 0, ... ) == 0x810dc04b
 00396   456   NtUserGetClassInfo  (1999896576, 1240320, 1240272, 1240348, 0, ... ) == 0x0
 00397   456   NtUserFindExistingCursorIcon  (1239704, 1239720, 1240288, ... ) == 0x10011
 00398   456   NtUserRegisterClassExWOW  (1240156, 1240236, 1240220, 1240252, 0, 384, 0, ... ) == 0x810dc04d
 00399   456   NtUserGetClassInfo  (1999896576, 1240320, 1240272, 1240348, 0, ... ) == 0x0
 00400   456   NtUserFindExistingCursorIcon  (1239704, 1239720, 1240288, ... ) == 0x10011
 00401   456   NtUserRegisterClassExWOW  (1240156, 1240236, 1240220, 1240252, 0, 384, 0, ... ) == 0x810dc04f
 00402   456   NtUserGetClassInfo  (1999896576, 1240324, 1240276, 1240352, 0, ... ) == 0x0
 00403   456   NtUserRegisterClassExWOW  (1240160, 1240240, 1240224, 1240256, 0, 384, 0, ... ) == 0x810dc051
 00404   456   NtUserGetClassInfo  (1999896576, 1240320, 1240272, 1240348, 0, ... ) == 0x0
 00405   456   NtUserFindExistingCursorIcon  (1239704, 1239720, 1240288, ... ) == 0x10011
 00406   456   NtUserRegisterClassExWOW  (1240156, 1240236, 1240220, 1240252, 0, 384, 0, ... ) == 0x810dc053
 00407   456   NtUserGetClassInfo  (1999896576, 1240320, 1240272, 1240348, 0, ... ) == 0x0
 00408   456   NtUserFindExistingCursorIcon  (1239704, 1239720, 1240288, ... ) == 0x10011
 00409   456   NtUserRegisterClassExWOW  (1240156, 1240236, 1240220, 1240252, 0, 384, 0, ... ) == 0x810dc055
 00410   456   NtUserRegisterClassExWOW  (1240156, 1240236, 1240220, 1240252, 0, 384, 0, ... ) == 0x810dc057
 00411   456   NtUserGetClassInfo  (1999896576, 1240320, 1240272, 1240348, 0, ... ) == 0x0
 00412   456   NtUserFindExistingCursorIcon  (1239704, 1239720, 1240288, ... ) == 0x10011
 00413   456   NtUserRegisterClassExWOW  (1240156, 1240236, 1240220, 1240252, 0, 384, 0, ... ) == 0x810dc059
 00414   456   NtUserGetClassInfo  (1999896576, 1240320, 1240272, 1240348, 0, ... ) == 0x0
 00415   456   NtUserFindExistingCursorIcon  (1239704, 1239720, 1240288, ... ) == 0x10013
 00416   456   NtUserRegisterClassExWOW  (1240156, 1240236, 1240220, 1240252, 0, 384, 0, ... ) == 0x810dc05b
 00417   456   NtUserGetClassInfo  (1999896576, 1240320, 1240272, 1240348, 0, ... ) == 0x0
 00418   456   NtUserFindExistingCursorIcon  (1239704, 1239720, 1240288, ... ) == 0x10011
 00419   456   NtUserRegisterClassExWOW  (1240156, 1240236, 1240220, 1240252, 0, 384, 0, ... ) == 0x810dc05d
 00420   456   NtUserGetClassInfo  (1999896576, 1240320, 1240272, 1240348, 0, ... ) == 0x0
 00421   456   NtUserFindExistingCursorIcon  (1239704, 1239720, 1240288, ... ) == 0x10011
 00422   456   NtUserRegisterClassExWOW  (1240156, 1240236, 1240220, 1240252, 0, 384, 0, ... ) == 0x810dc05f
 00423   456   NtUserGetClassInfo  (1999896576, 1243164, 1243116, 1243192, 0, ... ) == 0xc03b
 00424   456   NtUserGetClassInfo  (1999896576, 1243164, 1243116, 1243192, 0, ... ) == 0xc03d
 00425   456   NtUserGetClassInfo  (1999896576, 1243164, 1243116, 1243192, 0, ... ) == 0xc03f
 00426   456   NtUserGetClassInfo  (1999896576, 1243164, 1243116, 1243192, 0, ... ) == 0xc041
 00427   456   NtUserGetClassInfo  (1999896576, 1243164, 1243116, 1243192, 0, ... ) == 0xc043
 00428   456   NtUserGetClassInfo  (1999896576, 1243164, 1243116, 1243192, 0, ... ) == 0xc045
 00429   456   NtUserGetClassInfo  (1999896576, 1243164, 1243116, 1243192, 0, ... ) == 0xc047
 00430   456   NtUserGetClassInfo  (1999896576, 1243164, 1243116, 1243192, 0, ... ) == 0xc049
 00431   456   NtUserGetClassInfo  (1999896576, 1243164, 1243116, 1243192, 0, ... ) == 0xc04b
 00432   456   NtUserGetClassInfo  (1999896576, 1243164, 1243116, 1243192, 0, ... ) == 0xc04d
 00433   456   NtUserGetClassInfo  (1999896576, 1243164, 1243116, 1243192, 0, ... ) == 0xc04f
 00434   456   NtUserGetClassInfo  (1999896576, 1243168, 1243120, 1243196, 0, ... ) == 0xc051
 00435   456   NtUserGetClassInfo  (1999896576, 1243164, 1243116, 1243192, 0, ... ) == 0xc053
 00436   456   NtUserGetClassInfo  (1999896576, 1243164, 1243116, 1243192, 0, ... ) == 0xc055
 00437   456   NtUserGetClassInfo  (1999896576, 1243164, 1243116, 1243192, 0, ... ) == 0xc059
 00438   456   NtUserGetClassInfo  (1999896576, 1243164, 1243116, 1243192, 0, ... ) == 0xc05b
 00439   456   NtUserGetClassInfo  (1999896576, 1243164, 1243116, 1243192, 0, ... ) == 0xc05d
 00440   456   NtUserGetClassInfo  (1999896576, 1243164, 1243116, 1243192, 0, ... ) == 0xc05f
 00441   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ODBC32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00442   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\ODBC32.dll"}, 1243072, ... ) }, 1243072, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00443   456   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "ODBC32.dll"}, 1243072, ... ) }, 1243072, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00444   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ODBC32.dll"}, 1243072, ... ) }, 1243072, ... ) == 0x0
 00445   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ODBC32.dll"}, 5, 96, ... 60, {status=0x0, info=1}, ) }, 5, 96, ... 60, {status=0x0, info=1}, ) == 0x0
 00446   456   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 60, ... 52, ) == 0x0
 00447   456   NtQuerySection  (52, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00448   456   NtClose  (60, ... ) == 0x0
 00449   456   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x1f7b0000), 0x0, 200704, ) == 0x0
 00450   456   NtClose  (52, ... ) == 0x0
 00451   456   NtProtectVirtualMemory  (-1, (0x1f7b1000), 724, 4, ... (0x1f7b1000), 4096, 32, ) == 0x0
 00452   456   NtProtectVirtualMemory  (-1, (0x1f7b1000), 4096, 32, ... (0x1f7b1000), 4096, 4, ) == 0x0
 00453   456   NtFlushInstructionCache  (-1, 528158720, 724, ... ) == 0x0
 00454   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "comdlg32.dll"}, ... 52, ) }, ... 52, ) == 0x0
 00455   456   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x763b0000), 0x0, 282624, ) == 0x0
 00456   456   NtClose  (52, ... ) == 0x0
 00457   456   NtProtectVirtualMemory  (-1, (0x763b1000), 1536, 4, ... (0x763b1000), 4096, 32, ) == 0x0
 00458   456   NtProtectVirtualMemory  (-1, (0x763b1000), 4096, 32, ... (0x763b1000), 4096, 4, ) == 0x0
 00459   456   NtFlushInstructionCache  (-1, 1983582208, 1536, ... ) == 0x0
 00460   456   NtUserRegisterWindowMessage  ( ("WOWLFChange", ... ) , ... ) == 0xc06b
 00461   456   NtUserRegisterWindowMessage  ( ("WOWDirChange", ... ) , ... ) == 0xc06c
 00462   456   NtUserRegisterWindowMessage  ( ("WOWCHOOSEFONT_GETLOGFONT", ... ) , ... ) == 0xc06d
 00463   456   NtUserRegisterWindowMessage  ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06e
 00464   456   NtUserRegisterWindowMessage  ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc06f
 00465   456   NtUserRegisterWindowMessage  ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc070
 00466   456   NtUserRegisterWindowMessage  ( ("commdlg_ColorOK", ... ) , ... ) == 0xc071
 00467   456   NtUserRegisterWindowMessage  ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc072
 00468   456   NtUserRegisterWindowMessage  ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06e
 00469   456   NtUserRegisterWindowMessage  ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc06f
 00470   456   NtUserRegisterWindowMessage  ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc070
 00471   456   NtUserRegisterWindowMessage  ( ("commdlg_ColorOK", ... ) , ... ) == 0xc071
 00472   456   NtUserRegisterWindowMessage  ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc072
 00473   456   NtUserRegisterWindowMessage  ( ("Shell IDList Array", ... ) , ... ) == 0xc073
 00474   456   NtUserRegisterWindowMessage  ( ("commdlg_help", ... ) , ... ) == 0xc074
 00475   456   NtUserRegisterWindowMessage  ( ("commdlg_help", ... ) , ... ) == 0xc074
 00476   456   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\MDAC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00477   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00478   456   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00479   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00480   456   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 9633792, 262144, ) == 0x0
 00481   456   NtAllocateVirtualMemory  (-1, 9633792, 0, 4096, 4096, 4, ... 9633792, 4096, ) == 0x0
 00482   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00483   456   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 9895936, 262144, ) == 0x0
 00484   456   NtAllocateVirtualMemory  (-1, 9895936, 0, 4096, 4096, 4, ... 9895936, 4096, ) == 0x0
 00485   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00486   456   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 10158080, 262144, ) == 0x0
 00487   456   NtAllocateVirtualMemory  (-1, 10158080, 0, 4096, 4096, 4, ... 10158080, 4096, ) == 0x0
 00488   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00489   456   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 10420224, 262144, ) == 0x0
 00490   456   NtAllocateVirtualMemory  (-1, 10420224, 0, 4096, 4096, 4, ... 10420224, 4096, ) == 0x0
 00491   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00492   456   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00493   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00494   456   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00495   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 1239044, ... ) }, 1239044, ... ) == 0x0
 00496   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00497   456   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 52, ... 60, ) == 0x0
 00498   456   NtClose  (52, ... ) == 0x0
 00499   456   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x3d0000), 0x0, 90112, ) == 0x0
 00500   456   NtClose  (60, ... ) == 0x0
 00501   456   NtUnmapViewOfSection  (-1, 0x3d0000, ... ) == 0x0
 00502   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 1239360, ... ) }, 1239360, ... ) == 0x0
 00503   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 5, 96, ... 60, {status=0x0, info=1}, ) }, 5, 96, ... 60, {status=0x0, info=1}, ) == 0x0
 00504   456   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 60, ... 52, ) == 0x0
 00505   456   NtQuerySection  (52, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00506   456   NtClose  (60, ... ) == 0x0
 00507   456   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x1f850000), 0x0, 90112, ) == 0x0
 00508   456   NtClose  (52, ... ) == 0x0
 00509   456   NtQueryDefaultLocale  (1, 1241048, ... ) == 0x0
 00510   456   NtAllocateVirtualMemory  (-1, 9637888, 0, 4096, 4096, 4, ... 9637888, 4096, ) == 0x0
 00511   456   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE"}, ... 52, ) }, ... 52, ) == 0x0
 00512   456   NtClose  (52, ... ) == 0x0
 00513   456   NtOpenKey  (0x20019, {24, 56, 0x40, 0, 0,  (0x20019, {24, 56, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00514   456   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00515   456   NtOpenKey  (0x20019, {24, 56, 0x40, 0, 0,  (0x20019, {24, 56, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00516   456   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00517   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00518   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1243072, ... ) }, 1243072, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00519   456   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2_32.dll"}, 1243072, ... ) }, 1243072, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00520   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 1243072, ... ) }, 1243072, ... ) == 0x0
 00521   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00522   456   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 52, ... 60, ) == 0x0
 00523   456   NtQuerySection  (60, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00524   456   NtClose  (52, ... ) == 0x0
 00525   456   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 86016, ) == 0x0
 00526   456   NtClose  (60, ... ) == 0x0
 00527   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00528   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1242268, ... ) }, 1242268, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00529   456   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2HELP.dll"}, 1242268, ... ) }, 1242268, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00530   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 1242268, ... ) }, 1242268, ... ) == 0x0
 00531   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 5, 96, ... 60, {status=0x0, info=1}, ) }, 5, 96, ... 60, {status=0x0, info=1}, ) == 0x0
 00532   456   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 60, ... 52, ) == 0x0
 00533   456   NtQuerySection  (52, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00534   456   NtClose  (60, ... ) == 0x0
 00535   456   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00536   456   NtClose  (52, ... ) == 0x0
 00537   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00538   456   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00539   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WININET.dll"}, ... 52, ) }, ... 52, ) == 0x0
 00540   456   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76200000), 0x0, 618496, ) == 0x0
 00541   456   NtClose  (52, ... ) == 0x0
 00542   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "CRYPT32.dll"}, ... 52, ) }, ... 52, ) == 0x0
 00543   456   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762c0000), 0x0, 565248, ) == 0x0
 00544   456   NtClose  (52, ... ) == 0x0
 00545   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSASN1.dll"}, ... 52, ) }, ... 52, ) == 0x0
 00546   456   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762a0000), 0x0, 61440, ) == 0x0
 00547   456   NtClose  (52, ... ) == 0x0
 00548   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLEAUT32.dll"}, ... 52, ) }, ... 52, ) == 0x0
 00549   456   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0
 00550   456   NtClose  (52, ... ) == 0x0
 00551   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLE32.DLL"}, ... 52, ) }, ... 52, ) == 0x0
 00552   456   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0
 00553   456   NtClose  (52, ... ) == 0x0
 00554   456   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\crypt32\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00555   456   NtAllocateVirtualMemory  (-1, 1396736, 0, 4096, 4096, 4, ... 1396736, 4096, ) == 0x0
 00556   456   NtAllocateVirtualMemory  (-1, 1400832, 0, 4096, 4096, 4, ... 1400832, 4096, ) == 0x0
 00557   456   NtAllocateVirtualMemory  (-1, 1404928, 0, 4096, 4096, 4, ... 1404928, 4096, ) == 0x0
 00558   456   NtAllocateVirtualMemory  (-1, 1409024, 0, 4096, 4096, 4, ... 1409024, 4096, ) == 0x0
 00559   456   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 52, ) }, ... 52, ) == 0x0
 00560   456   NtCreateEvent  (0x1f0003, {24, 52, 0x80, 1243204, 0,  (0x1f0003, {24, 52, 0x80, 1243204, 0, "Global\crypt32LogoffEvent"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED
 00561   456   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\crypt32LogoffEvent"}, ... 60, ) }, ... 60, ) == 0x0
 00562   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00563   456   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00564   456   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 64, ) }, ... 64, ) == 0x0
 00565   456   NtQueryValueKey  (64,  (64, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (64, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0
 00566   456   NtClose  (64, ... ) == 0x0
 00567   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00568   456   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00569   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00570   456   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00571   456   NtAllocateVirtualMemory  (-1, 1413120, 0, 4096, 4096, 4, ... 1413120, 4096, ) == 0x0
 00572   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 64, ) }, ... 64, ) == 0x0
 00573   456   NtQueryValueKey  (64,  (64, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00574   456   NtQueryValueKey  (64,  (64, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00575   456   NtQueryValueKey  (64,  (64, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00576   456   NtClose  (64, ... ) == 0x0
 00577   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 64, ) }, ... 64, ) == 0x0
 00578   456   NtQueryValueKey  (64,  (64, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00579   456   NtQueryValueKey  (64,  (64, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00580   456   NtClose  (64, ... ) == 0x0
 00581   456   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00582   456   NtUserRegisterWindowMessage  ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b
 00583   456   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00584   456   NtOpenKey  (0x9, {24, 28, 0x40, 0, 0,  (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00585   456   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00586   456   NtAllocateVirtualMemory  (-1, 1417216, 0, 8192, 4096, 4, ... 1417216, 8192, ) == 0x0
 00587   456   NtCreateKey  (0xf003f, {24, 56, 0x40, 0, 0,  (0xf003f, {24, 56, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History"}, 0, 0x0, 0, ... 64, 2, ) }, 0, 0x0, 0, ... 64, 2, ) == 0x0
 00588   456   NtQueryDefaultUILanguage  (1241440, ...
 00589   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00590   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482208, ) == 0x0
 00591   456   NtQueryInformationToken  (-2147482208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00592   456   NtClose  (-2147482208, ... ) == 0x0
 00593   456   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 00594   456   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00595   456   NtOpenKey  (0x80000000, {24, -2147482208, 0x640, 0, 0,  (0x80000000, {24, -2147482208, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482196, ) }, ... -2147482196, ) == 0x0
 00596   456   NtQueryValueKey  (-2147482196,  (-2147482196, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00597   456   NtClose  (-2147482196, ... ) == 0x0
 00598   456   NtClose  (-2147482208, ... ) == 0x0
 00588   456   NtQueryDefaultUILanguage  ... ) == 0x0
 00599   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00600   456   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll"}, 1, 96, ... 68, {status=0x0, info=1}, ) }, 1, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00601   456   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 68, ... 72, ) == 0x0
 00602   456   NtMapViewOfSection  (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xa30000), 0x0, 593920, ) == 0x0
 00603   456   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00604   456   NtQueryDefaultLocale  (1, 1239476, ... ) == 0x0
 00605   456   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00606   456   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1240332, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1240332, 1, 96, 0} "\210\6\35\1\33\0\1\0\0\0\0\0\1\360\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1D\0\0\0\377\377\377\377\0\0\0\0P\275\252\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0\14\364\22\0\0\0\0\0" ... {128, 156, reply, 0, 452, 456, 1495, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\360\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1D\0\0\0\377\377\377\377\0\0\0\0P\275\252\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0\14\364\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 452, 456, 1495, 0}  (24, {128, 156, new_msg, 0, 1240332, 1, 96, 0} "\210\6\35\1\33\0\1\0\0\0\0\0\1\360\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1D\0\0\0\377\377\377\377\0\0\0\0P\275\252\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0\14\364\22\0\0\0\0\0" ... {128, 156, reply, 0, 452, 456, 1495, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\360\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1D\0\0\0\377\377\377\377\0\0\0\0P\275\252\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0\14\364\22\0\0\0\0\0" )  ) == 0x0
 00607   456   NtClose  (68, ... ) == 0x0
 00608   456   NtClose  (72, ... ) == 0x0
 00609   456   NtUnmapViewOfSection  (-1, 0xa30000, ... ) == 0x0
 00610   456   NtUnmapViewOfSection  (-1, 0x12f40c, ... ) == STATUS_NOT_MAPPED_VIEW
 00611   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00612   456   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00613   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00614   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00615   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1238016, ... ) }, 1238016, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00616   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00617   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00618   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00619   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1238608, ... ) }, 1238608, ... ) == 0x0
 00620   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 72, {status=0x0, info=1}, ) }, 3, 33, ... 72, {status=0x0, info=1}, ) == 0x0
 00621   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00622   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00623   456   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 68, ... 76, ) == 0x0
 00624   456   NtClose  (68, ... ) == 0x0
 00625   456   NtMapViewOfSection  (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa30000), 0x0, 921600, ) == 0x0
 00626   456   NtClose  (76, ... ) == 0x0
 00627   456   NtUnmapViewOfSection  (-1, 0xa30000, ... ) == 0x0
 00628   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 76, {status=0x0, info=1}, ) }, 5, 96, ... 76, {status=0x0, info=1}, ) == 0x0
 00629   456   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 76, ... 68, ) == 0x0
 00630   456   NtQuerySection  (68, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00631   456   NtClose  (76, ... ) == 0x0
 00632   456   NtMapViewOfSection  (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0
 00633   456   NtClose  (68, ... ) == 0x0
 00634   456   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00635   456   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00636   456   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00637   456   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00638   456   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00639   456   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00640   456   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00641   456   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00642   456   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00643   456   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00644   456   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00645   456   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00646   456   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00647   456   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00648   456   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00649   456   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00650   456   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00651   456   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00652   456   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00653   456   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00654   456   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00655   456   NtAddAtom  ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1239792, ... ) , 42, 1239792, ... ) == 0x0
 00656   456   NtQueryDefaultUILanguage  (1238508, ...
 00657   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00658   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482208, ) == 0x0
 00659   456   NtQueryInformationToken  (-2147482208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00660   456   NtClose  (-2147482208, ... ) == 0x0
 00661   456   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 00662   456   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00663   456   NtOpenKey  (0x80000000, {24, -2147482208, 0x640, 0, 0,  (0x80000000, {24, -2147482208, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482196, ) }, ... -2147482196, ) == 0x0
 00664   456   NtQueryValueKey  (-2147482196,  (-2147482196, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00665   456   NtClose  (-2147482196, ... ) == 0x0
 00666   456   NtClose  (-2147482208, ... ) == 0x0
 00656   456   NtQueryDefaultUILanguage  ... ) == 0x0
 00667   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00668   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1237360, ... ) }, 1237360, ... ) == 0x0
 00669   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00670   456   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 68, ... 76, ) == 0x0
 00671   456   NtClose  (68, ... ) == 0x0
 00672   456   NtMapViewOfSection  (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x3e0000), 0x0, 4096, ) == 0x0
 00673   456   NtClose  (76, ... ) == 0x0
 00674   456   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 00675   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1237000, ... ) }, 1237000, ... ) == 0x0
 00676   456   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1237700,  (0x80100080, {24, 0, 0x40, 0, 1237700, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 76, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 76, {status=0x0, info=1}, ) == 0x0
 00677   456   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 76, ... 68, ) == 0x0
 00678   456   NtClose  (76, ... ) == 0x0
 00679   456   NtMapViewOfSection  (68, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x3e0000), {0, 0}, 4096, ) == 0x0
 00680   456   NtClose  (68, ... ) == 0x0
 00681   456   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 00682   456   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 68, {status=0x0, info=1}, ) }, 1, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00683   456   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 68, ... 76, ) == 0x0
 00684   456   NtMapViewOfSection  (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x3e0000), 0x0, 4096, ) == 0x0
 00685   456   NtQueryInformationFile  (68, 1237320, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0
 00686   456   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00687   456   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1237400, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1237400, 1, 96, 0} "\210\6\35\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0\230\350\22\0\0\0\0\0" ... {128, 156, reply, 0, 452, 456, 1496, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0\230\350\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 452, 456, 1496, 0}  (24, {128, 156, new_msg, 0, 1237400, 1, 96, 0} "\210\6\35\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0\230\350\22\0\0\0\0\0" ... {128, 156, reply, 0, 452, 456, 1496, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0\230\350\22\0\0\0\0\0" )  ) == 0x0
 00688   456   NtClose  (68, ... ) == 0x0
 00689   456   NtClose  (76, ... ) == 0x0
 00690   456   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 00691   456   NtUnmapViewOfSection  (-1, 0x12e898, ... ) == STATUS_NOT_MAPPED_VIEW
 00692   456   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00693   456   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00694   456   NtUserSystemParametersInfo  (104, 0, 1906151468, 0, ... ) == 0x1
 00695   456   NtUserGetDC  (0, ... ) == 0x1010054
 00696   456   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 00697   456   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 00698   456   NtContinue  (1237364, 0, ...
 00699   456   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 00700   456   NtUnmapViewOfSection  (-1, 0x71950000, ... ) == 0x0
 00701   456   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 00702   456   NtUnmapViewOfSection  (-1, 0x3d0000, ... ) == 0x0
 00703   456   NtClose  (72, ... ) == 0x0
 00704   456   NtCreateKey  (0x2001f, {24, 56, 0x40, 0, 0,  (0x2001f, {24, 56, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 72, 2, ) }, 0, 0x0, 0, ... 72, 2, ) == 0x0
 00705   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MPR.dll"}, ... 76, ) }, ... 76, ) == 0x0
 00706   456   NtMapViewOfSection  (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71b20000), 0x0, 69632, ) == 0x0
 00707   456   NtClose  (76, ... ) == 0x0
 00708   456   NtCreateSemaphore  (0x1f0003, 0x0, 1, 1, ... 76, ) == 0x0
 00709   456   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 68, ) == 0x0
 00710   456   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "system\CurrentControlSet\control\NetworkProvider\HwOrder"}, ... 80, ) }, ... 80, ) == 0x0
 00711   456   NtNotifyChangeKey  (80, 68, 0, 0, 2011390432, 4, 0, 0, 0, 1, ... ) == 0x103
 00712   456   NtQueryInformationProcess  (-1, 28, 4, ... {process info, class 28, size 4}, 0x0, ) == 0x0
 00713   456   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 84, ) == 0x0
 00714   456   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 88, ) == 0x0
 00715   456   NtFreeVirtualMemory  (-1, (0x350000), 135168, 16384, ... (0x350000), 135168, ) == 0x0
 00716   456   NtQueryInformationThread  (-2, AmILastThread, 4, ... {thread info, class 12, size 4}, 0x0, ) == 0x0
 00717   456   NtTerminateProcess  (0, 0, ... ) == 0x0
 00718   456   NtClose  (72, ... ) == 0x0
 00719   456   NtClose  (64, ... ) == 0x0
 00720   456   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xb,}, 4, ... ) == 0x0
 00721   456   NtUserGetClassInfo  (1999896576, 1243536, 1243488, 1243564, 0, ... ) == 0xc03b
 00722   456   NtUserUnregisterClass  (1243540, 1999896576, 1243528, ... ) == 0x1
 00723   456   NtUserGetClassInfo  (1999896576, 1243536, 1243488, 1243564, 0, ... ) == 0xc03d
 00724   456   NtUserUnregisterClass  (1243540, 1999896576, 1243528, ... ) == 0x1
 00725   456   NtUserGetClassInfo  (1999896576, 1243536, 1243488, 1243564, 0, ... ) == 0xc03f
 00726   456   NtUserUnregisterClass  (1243540, 1999896576, 1243528, ... ) == 0x1
 00727   456   NtUserGetClassInfo  (1999896576, 1243536, 1243488, 1243564, 0, ... ) == 0xc041
 00728   456   NtUserUnregisterClass  (1243540, 1999896576, 1243528, ... ) == 0x1
 00729   456   NtUserGetClassInfo  (1999896576, 1243536, 1243488, 1243564, 0, ... ) == 0xc043
 00730   456   NtUserUnregisterClass  (1243540, 1999896576, 1243528, ... ) == 0x1
 00731   456   NtUserGetClassInfo  (1999896576, 1243536, 1243488, 1243564, 0, ... ) == 0xc045
 00732   456   NtUserUnregisterClass  (1243540, 1999896576, 1243528, ... ) == 0x1
 00733   456   NtUserGetClassInfo  (1999896576, 1243536, 1243488, 1243564, 0, ... ) == 0xc047
 00734   456   NtUserUnregisterClass  (1243540, 1999896576, 1243528, ... ) == 0x1
 00735   456   NtUserGetClassInfo  (1999896576, 1243536, 1243488, 1243564, 0, ... ) == 0xc049
 00736   456   NtUserUnregisterClass  (1243540, 1999896576, 1243528, ... ) == 0x1
 00737   456   NtUserGetClassInfo  (1999896576, 1243536, 1243488, 1243564, 0, ... ) == 0xc04b
 00738   456   NtUserUnregisterClass  (1243540, 1999896576, 1243528, ... ) == 0x1
 00739   456   NtUserGetClassInfo  (1999896576, 1243536, 1243488, 1243564, 0, ... ) == 0xc04d
 00740   456   NtUserUnregisterClass  (1243540, 1999896576, 1243528, ... ) == 0x1
 00741   456   NtUserGetClassInfo  (1999896576, 1243536, 1243488, 1243564, 0, ... ) == 0xc04f
 00742   456   NtUserUnregisterClass  (1243540, 1999896576, 1243528, ... ) == 0x1
 00743   456   NtUserGetClassInfo  (1999896576, 1243536, 1243488, 1243564, 0, ... ) == 0xc051
 00744   456   NtUserUnregisterClass  (1243540, 1999896576, 1243528, ... ) == 0x1
 00745   456   NtUserGetClassInfo  (1999896576, 1243536, 1243488, 1243564, 0, ... ) == 0xc053
 00746   456   NtUserUnregisterClass  (1243540, 1999896576, 1243528, ... ) == 0x1
 00747   456   NtUserGetClassInfo  (1999896576, 1243536, 1243488, 1243564, 0, ... ) == 0xc057
 00748   456   NtUserUnregisterClass  (1243540, 1999896576, 1243528, ... ) == 0x1
 00749   456   NtUserGetClassInfo  (1999896576, 1243536, 1243488, 1243564, 0, ... ) == 0xc059
 00750   456   NtUserUnregisterClass  (1243540, 1999896576, 1243528, ... ) == 0x1
 00751   456   NtUserGetClassInfo  (1999896576, 1243536, 1243488, 1243564, 0, ... ) == 0xc05b
 00752   456   NtUserUnregisterClass  (1243540, 1999896576, 1243528, ... ) == 0x1
 00753   456   NtUserGetClassInfo  (1999896576, 1243536, 1243488, 1243564, 0, ... ) == 0xc05d
 00754   456   NtUserUnregisterClass  (1243540, 1999896576, 1243528, ... ) == 0x1
 00755   456   NtUserGetClassInfo  (1999896576, 1243536, 1243488, 1243564, 0, ... ) == 0xc05f
 00756   456   NtUserUnregisterClass  (1243540, 1999896576, 1243528, ... ) == 0x1
 00757   456   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x4,}, 4, ... ) == 0x0
 00758   456   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x1,}, 4, ... ) == 0x0
 00759   456   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x2,}, 4, ... ) == 0x0
 00760   456   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x3,}, 4, ... ) == 0x0
 00761   456   NtFreeVirtualMemory  (-1, (0x0), 0, 32768, ... ) == STATUS_MEMORY_NOT_ALLOCATED
 00762   456   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 560, 2147344384, 0, 16216908}  (24, {20, 48, new_msg, 0, 560, 2147344384, 0, 16216908} "\0\0\0\0\3\0\1\0L\0.\0D\0L\0\0\0\0\0" ... {20, 48, reply, 0, 452, 456, 1497, 0} "\0\0\0\0\3\0\1\0\0\0\0\0D\0L\0\0\0\0\0" )  ... {20, 48, reply, 0, 452, 456, 1497, 0}  (24, {20, 48, new_msg, 0, 560, 2147344384, 0, 16216908} "\0\0\0\0\3\0\1\0L\0.\0D\0L\0\0\0\0\0" ... {20, 48, reply, 0, 452, 456, 1497, 0} "\0\0\0\0\3\0\1\0\0\0\0\0D\0L\0\0\0\0\0" )  ) == 0x0
 00763   456   NtTerminateProcess  (-1, 0, ...
 00764   456   NtClose  (44, ... ) == 0x0
NtCallbackReturn(>)	1	NtTestAlert(>)	1	NtGdiCreateCompatibleDC(>)	3	NtUserRegisterWindowMessage(>)	20
NtDuplicateObject(>)	1	NtUserCallNoParam(>)	1	NtSetInformationObject(>)	3	NtQueryValueKey(>)	23
NtFsControlFile(>)	1	NtUserGetThreadDesktop(>)	1	NtGdiGetStockObject(>)	5	NtContinue(>)	24
NtGdiCreateBitmap(>)	1	NtAddAtom(>)	2	NtQueryDefaultLocale(>)	5	NtOpenFile(>)	24
NtGdiInit(>)	1	NtCreateKey(>)	2	NtCreateFile(>)	6	NtQueryDebugFilterState(>)	24
NtGdiQueryFontAssocInfo(>)	1	NtGdiCreateSolidBrush(>)	2	NtSetInformationThread(>)	6	NtUserFindExistingCursorIcon(>)	24
NtGdiSelectBitmap(>)	1	NtOpenDirectoryObject(>)	2	NtUserSystemParametersInfo(>)	6	NtQuerySystemInformation(>)	25
NtNotifyChangeKey(>)	1	NtOpenEvent(>)	2	NtQuerySection(>)	7	NtOpenSection(>)	26
NtOpenKeyedEvent(>)	1	NtOpenProcessToken(>)	2	NtOpenProcessTokenEx(>)	8	NtUserRegisterClassExWOW(>)	34
NtOpenMutant(>)	1	NtQueryInformationFile(>)	2	NtOpenThreadTokenEx(>)	8	NtProtectVirtualMemory(>)	35
NtOpenProcess(>)	1	NtQueryInformationProcess(>)	2	NtRequestWaitReplyPort(>)	8	NtAllocateVirtualMemory(>)	36
NtOpenSymbolicLinkObject(>)	1	NtQueryInstallUILanguage(>)	2	NtQueryDefaultUILanguage(>)	10	NtMapViewOfSection(>)	39
NtQueryInformationThread(>)	1	NtQueryVirtualMemory(>)	2	NtQueryInformationToken(>)	11	NtOpenKey(>)	54
NtQueryObject(>)	1	NtTerminateProcess(>)	2	NtFlushInstructionCache(>)	17	NtUserGetClassInfo(>)	54
NtQuerySymbolicLinkObject(>)	1	NtUserGetDC(>)	2	NtCreateSection(>)	18	NtClose(>)	98
NtQueryVolumeInformationFile(>)	1	NtCreateEvent(>)	3	NtUserUnregisterClass(>)	18
NtRegisterThreadTerminatePort(>)	1	NtCreateSemaphore(>)	3	NtUnmapViewOfSection(>)	19
NtSecureConnectPort(>)	1