Summary:





NtAccessCheck(>)  1 
NtUserGetThreadDesktop(>)  1 
NtSetInformationFile(>)  5 
NtQueryVirtualMemory(>)  15 


NtCallbackReturn(>)  1 
NtUserOpenWindowStation(>)  1 
NtUserBuildHwndList(>)  5 
NtDeviceIoControlFile(>)  16 


NtCreateProcessEx(>)  1 
NtUserSystemParametersInfo(>)  1 
NtWriteVirtualMemory(>)  5 
NtRequestWaitReplyPort(>)  16 


NtCreateSemaphore(>)  1 
NtConnectPort(>)  2 
NtContinue(>)  6 
NtOpenSection(>)  24 


NtCreateThread(>)  1 
NtCreateIoCompletion(>)  2 
NtOpenProcessToken(>)  6 
NtQueryDirectoryFile(>)  24 


NtDuplicateToken(>)  1 
NtGdiCreateSolidBrush(>)  2 
NtQueryDefaultUILanguage(>)  6 
NtSetInformationProcess(>)  25 


NtGdiCreateBitmap(>)  1 
NtGdiHfontCreate(>)  2 
NtUserGetProcessWindowStation(>)  6 
NtOpenProcessTokenEx(>)  28 


NtGdiCreatePatternBrushInternal(>)  1 
NtQueryInformationJobObject(>)  2 
NtWaitForSingleObject(>)  6 
NtOpenThreadTokenEx(>)  28 


NtGdiInit(>)  1 
NtReleaseMutant(>)  2 
NtFsControlFile(>)  7 
NtCreateSection(>)  29 


NtGdiQueryFontAssocInfo(>)  1 
NtTerminateProcess(>)  2 
NtOpenThreadToken(>)  7 
NtQueryInformationToken(>)  37 


NtGdiSelectBitmap(>)  1 
NtUserCloseWindowStation(>)  2 
NtQueryInformationFile(>)  7 
NtOpenFile(>)  41 


NtOpenEvent(>)  1 
NtUserGetObjectInformation(>)  2 
NtWaitForMultipleObjects(>)  7 
NtQueryInformationProcess(>)  44 


NtOpenKeyedEvent(>)  1 
NtGdiCreateCompatibleDC(>)  3 
NtEnumerateKey(>)  8 
NtQueryDefaultLocale(>)  48 


NtOpenMutant(>)  1 
NtGdiDeleteObjectApp(>)  3 
NtSetValueKey(>)  8 
NtUnmapViewOfSection(>)  48 


NtQueryDebugFilterState(>)  1 
NtOpenDirectoryObject(>)  3 
NtUserCallNoParam(>)  9 
NtAllocateVirtualMemory(>)  51 


NtQueryInstallUILanguage(>)  1 
NtOpenSymbolicLinkObject(>)  3 
NtUserFindExistingCursorIcon(>)  9 
NtQueryAttributesFile(>)  54 


NtQueryObject(>)  1 
NtQuerySymbolicLinkObject(>)  3 
NtUserGetWindowDC(>)  10 
NtFlushInstructionCache(>)  65 


NtQueryPerformanceCounter(>)  1 
NtReadVirtualMemory(>)  3 
NtCreateKey(>)  11 
NtMapViewOfSection(>)  69 


NtQuerySystemTime(>)  1 
NtSetEvent(>)  3 
NtFreeVirtualMemory(>)  11 
NtQuerySystemInformation(>)  76 


NtRegisterThreadTerminatePort(>)  1 
NtSetInformationObject(>)  3 
NtUserCallOneParam(>)  11 
NtQueryValueKey(>)  105 


NtResumeThread(>)  1 
NtUserOpenDesktop(>)  3 
NtWriteFile(>)  11 
NtUserValidateHandleSecure(>)  130 


NtSecureConnectPort(>)  1 
NtCreateMutant(>)  4 
NtQuerySection(>)  12 
NtOpenKey(>)  153 


NtTestAlert(>)  1 
NtDuplicateObject(>)  4 
NtSetInformationThread(>)  13 
NtProtectVirtualMemory(>)  156 


NtUserBuildNameList(>)  1 
NtQueryVolumeInformationFile(>)  4 
NtCreateEvent(>)  14 
NtUserQueryWindow(>)  158 


NtUserCloseDesktop(>)  1 
NtGdiGetStockObject(>)  5 
NtCreateFile(>)  14 
NtClose(>)  240 


NtUserGetGUIThreadInfo(>)  1 
NtReadFile(>)  5 
NtUserRegisterClassExWOW(>)  14 



Trace:

 00001   808   NtOpenFile  (0x80100000, {24, 0, 0x240, 0, 0,  (0x80100000, {24, 0, 0x240, 0, 0, "\SystemRoot\Prefetch\PACKED.EXE-09ED06A1.pf"}, 0, 32, ... ) }, 0, 32, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002   808   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00003   808   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00004   808   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00005   808   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0
 00006   808   NtAllocateVirtualMemory  (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0
 00007   808   NtAllocateVirtualMemory  (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0
 00008   808   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00009   808   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0
 00010   808   NtAllocateVirtualMemory  (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0
 00011   808   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00012   808   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00013   808   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00014   808   NtClose  (12, ... ) == 0x0
 00015   808   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\C:\scripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00016   808   NtQueryVolumeInformationFile  (12, 1243852, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00017   808   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243804, ... ) }, 1243804, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018   808   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019   808   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7c800000), 0x0, 1003520, ) == 0x0
 00020   808   NtClose  (16, ... ) == 0x0
 00021   808   NtProtectVirtualMemory  (-1, (0x7c801000), 1568, 4, ... (0x7c801000), 4096, 32, ) == 0x0
 00022   808   NtProtectVirtualMemory  (-1, (0x7c801000), 4096, 32, ... (0x7c801000), 4096, 4, ) == 0x0
 00023   808   NtFlushInstructionCache  (-1, 2088767488, 1568, ... ) == 0x0
 00024   808   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00025   808   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00026   808   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00027   808   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00028   808   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) == 0x0
 00029   808   NtClose  (16, ... ) == 0x0
 00030   808   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00031   808   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00032   808   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00033   808   NtQueryVirtualMemory  (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00034   808   NtAllocateVirtualMemory  (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0
 00035   808   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184}  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6\31\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 1928, 808, 57953, 0} "`\375\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ... {28, 56, reply, 0, 1928, 808, 57953, 0}  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6\31\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 1928, 808, 57953, 0} "`\375\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ) == 0x0
 00036   808   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00037   808   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00038   808   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00039   808   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00040   808   NtClose  (16, ... ) == 0x0
 00041   808   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 16, ) }, ... 16, ) == 0x0
 00042   808   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0
 00043   808   NtClose  (16, ... ) == 0x0
 00044   808   NtQueryDefaultLocale  (0, 2089305000, ... ) == 0x0
 00045   808   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 16, ) }, ... 16, ) == 0x0
 00046   808   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 249856, ) == 0x0
 00047   808   NtClose  (16, ... ) == 0x0
 00048   808   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 16, ) }, ... 16, ) == 0x0
 00049   808   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0
 00050   808   NtQuerySection  (16, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00051   808   NtClose  (16, ... ) == 0x0
 00052   808   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 16, ) }, ... 16, ) == 0x0
 00053   808   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0
 00054   808   NtClose  (16, ... ) == 0x0
 00055   808   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00056   808   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00057   808   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00058   808   NtAllocateVirtualMemory  (-1, 2428928, 0, 8192, 4096, 4, ... 2428928, 8192, ) == 0x0
 00059   808   NtRequestWaitReplyPort  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776}  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6\31\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" ... {24, 52, reply, 0, 1928, 808, 57954, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" )  ... {24, 52, reply, 0, 1928, 808, 57954, 0}  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6\31\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" ... {24, 52, reply, 0, 1928, 808, 57954, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" )  ) == 0x0
 00060   808   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0}  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 1928, 808, 57955, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ... {28, 56, reply, 0, 1928, 808, 57955, 0}  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 1928, 808, 57955, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ) == 0x0
 00061   808   NtProtectVirtualMemory  (-1, (0x47c000), 155648, 4, ... (0x47c000), 155648, 128, ) == 0x0
 00062   808   NtProtectVirtualMemory  (-1, (0x47c000), 155648, 128, ... (0x47c000), 155648, 4, ) == 0x0
 00063   808   NtFlushInstructionCache  (-1, 4702208, 155648, ... ) == 0x0
 00064   808   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2_32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00065   808   NtAllocateVirtualMemory  (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0
 00066   808   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.DLL"}, 1242572, ... ) }, 1242572, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00067   808   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 00068   808   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.DLL"}, 1242572, ... ) }, 1242572, ... ) == 0x0
 00069   808   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.DLL"}, 5, 96, ... 16, {status=0x0, info=1}, ) }, 5, 96, ... 16, {status=0x0, info=1}, ) == 0x0
 00070   808   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 16, ... 28, ) == 0x0
 00071   808   NtQuerySection  (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00072   808   NtOpenProcessToken  (-1, 0x8, ... 32, ) == 0x0
 00073   808   NtQueryInformationToken  (32, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00074   808   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00075   808   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 36, ) }, ... 36, ) == 0x0
 00076   808   NtQueryValueKey  (36,  (36, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (36, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00077   808   NtClose  (36, ... ) == 0x0
 00078   808   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00079   808   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 36, ) == 0x0
 00080   808   NtQueryInformationToken  (36, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00081   808   NtClose  (36, ... ) == 0x0
 00082   808   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00083   808   NtClose  (32, ... ) == 0x0
 00084   808   NtClose  (16, ... ) == 0x0
 00085   808   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 94208, ) == 0x0
 00086   808   NtClose  (28, ... ) == 0x0
 00087   808   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00088   808   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 360448, ) == 0x0
 00089   808   NtClose  (28, ... ) == 0x0
 00090   808   NtProtectVirtualMemory  (-1, (0x77c11000), 632, 4, ... (0x77c11000), 4096, 32, ) == 0x0
 00091   808   NtProtectVirtualMemory  (-1, (0x77c11000), 4096, 32, ... (0x77c11000), 4096, 4, ) == 0x0
 00092   808   NtFlushInstructionCache  (-1, 2009141248, 632, ... ) == 0x0
 00093   808   NtProtectVirtualMemory  (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0
 00094   808   NtProtectVirtualMemory  (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0
 00095   808   NtFlushInstructionCache  (-1, 1907036160, 468, ... ) == 0x0
 00096   808   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00097   808   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1241756, ... ) }, 1241756, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00098   808   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 1241756, ... ) }, 1241756, ... ) == 0x0
 00099   808   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00100   808   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 28, ... 16, ) == 0x0
 00101   808   NtQuerySection  (16, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00102   808   NtClose  (28, ... ) == 0x0
 00103   808   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00104   808   NtClose  (16, ... ) == 0x0
 00105   808   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00106   808   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 634880, ) == 0x0
 00107   808   NtClose  (16, ... ) == 0x0
 00108   808   NtProtectVirtualMemory  (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0
 00109   808   NtProtectVirtualMemory  (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0
 00110   808   NtFlushInstructionCache  (-1, 2010976256, 1700, ... ) == 0x0
 00111   808   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00112   808   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e70000), 0x0, 593920, ) == 0x0
 00113   808   NtClose  (16, ... ) == 0x0
 00114   808   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00115   808   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00116   808   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00117   808   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00118   808   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00119   808   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00120   808   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00121   808   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00122   808   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00123   808   NtProtectVirtualMemory  (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0
 00124   808   NtProtectVirtualMemory  (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0
 00125   808   NtFlushInstructionCache  (-1, 2010976256, 1700, ... ) == 0x0
 00126   808   NtProtectVirtualMemory  (-1, (0x71aa1000), 352, 4, ... (0x71aa1000), 4096, 32, ) == 0x0
 00127   808   NtProtectVirtualMemory  (-1, (0x71aa1000), 4096, 32, ... (0x71aa1000), 4096, 4, ) == 0x0
 00128   808   NtFlushInstructionCache  (-1, 1906970624, 352, ... ) == 0x0
 00129   808   NtProtectVirtualMemory  (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0
 00130   808   NtProtectVirtualMemory  (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0
 00131   808   NtFlushInstructionCache  (-1, 1907036160, 468, ... ) == 0x0
 00132   808   NtProtectVirtualMemory  (-1, (0x47c000), 155648, 4, ... (0x47c000), 155648, 64, ) == 0x0
 00133   808   NtProtectVirtualMemory  (-1, (0x47c000), 155648, 64, ... (0x47c000), 155648, 4, ) == 0x0
 00134   808   NtFlushInstructionCache  (-1, 4702208, 155648, ... ) == 0x0
 00135   808   NtQueryInformationProcess  (-1, 37, 48, ... {process info, class 37, size 48}, 0x0, ) == 0x0
 00136   808   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 5, 96, ... 16, {status=0x0, info=1}, ) }, 5, 96, ... 16, {status=0x0, info=1}, ) == 0x0
 00137   808   NtReadFile  (16, 0, 0, 0, 4, {178172, 0}, 0, ... {status=0x0, info=4},  (16, 0, 0, 0, 4, {178172, 0}, 0, ... {status=0x0, info=4}, "\300 \0\0", ) , ) == 0x0
 00138   808   NtReadFile  (16, 0, 0, 0, 8, {8380, 0}, 0, ... {status=0x0, info=8},  (16, 0, 0, 0, 8, {8380, 0}, 0, ... {status=0x0, info=8}, "\320J\233Dhs5\223", ) , ) == 0x0
 00139   808   NtReadFile  (16, 0, 0, 0, 8, {169780, 0}, 0, ... {status=0x0, info=8},  (16, 0, 0, 0, 8, {169780, 0}, 0, ... {status=0x0, info=8}, "\362;\213\12\257\312\207\325", ) , ) == 0x0
 00140   808   NtClose  (16, ... ) == 0x0
 00141   808   NtSetInformationProcess  (-1, 34, {process info, class 34, size 4}, 4, ... ) == 0x0
 00142   808   NtOpenProcessToken  (-1, 0x8, ... 16, ) == 0x0
 00143   808   NtQueryInformationToken  (16, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00144   808   NtClose  (16, ... ) == 0x0
 00145   808   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00146   808   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00147   808   NtClose  (16, ... ) == 0x0
 00148   808   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msvcrt.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00149   808   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00150   808   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3276800, 65536, ) == 0x0
 00151   808   NtAllocateVirtualMemory  (-1, 3276800, 0, 4096, 4096, 4, ... 3276800, 4096, ) == 0x0
 00152   808   NtAllocateVirtualMemory  (-1, 3280896, 0, 8192, 4096, 4, ... 3280896, 8192, ) == 0x0
 00153   808   NtAllocateVirtualMemory  (-1, 3289088, 0, 4096, 4096, 4, ... 3289088, 4096, ) == 0x0
 00154   808   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 16, ) }, ... 16, ) == 0x0
 00155   808   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x330000), 0x0, 12288, ) == 0x0
 00156   808   NtClose  (16, ... ) == 0x0
 00157   808   NtAllocateVirtualMemory  (-1, 3293184, 0, 4096, 4096, 4, ... 3293184, 4096, ) == 0x0
 00158   808   NtQueryVirtualMemory  (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 00159   808   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00160   808   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00161   808   NtQueryVirtualMemory  (-1, 0x0, Basic, 28, ... {BaseAddress=0x0,AllocationBase=0x0,AllocationProtect=0x0,RegionSize=0x10000,State=0x10000,Protect=0x1,Type=0x0,}, 28, ) == 0x0
 00162   808   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00163   808   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADVAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00164   808   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00165   808   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00166   808   NtQueryValueKey  (16,  (16, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00167   808   NtClose  (16, ... ) == 0x0
 00168   808   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 16, ) }, ... 16, ) == 0x0
 00169   808   NtQueryValueKey  (16,  (16, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00170   808   NtClose  (16, ... ) == 0x0
 00171   808   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 16, ) }, ... 16, ) == 0x0
 00172   808   NtSetInformationObject  (16, Handle, {Inherit=0,ProtectFromClose=1,}, 2011431168, ... ) == 0x0
 00173   808   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00174   808   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00175   808   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2_32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00176   808   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00177   808   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00178   808   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00179   808   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00180   808   NtTestAlert  (... ) == 0x0
 00181   808   NtContinue  (1244464, 1, ...
 00182   808   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x47c17a,}, 4, ... ) == 0x0
 00183   808   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 4096, 64, ... 3407872, 4096, ) == 0x0
 00184   808   NtAllocateVirtualMemory  (-1, 0, 0, 15980, 4096, 4, ... 3473408, 16384, ) == 0x0
 00185   808   NtFreeVirtualMemory  (-1, (0x350000), 0, 32768, ... (0x350000), 16384, ) == 0x0
 00186   808   NtFreeVirtualMemory  (-1, (0x340000), 0, 32768, ... (0x340000), 4096, ) == 0x0
 00187   808   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 28, ) }, ... 28, ) == 0x0
 00188   808   NtQueryValueKey  (28,  (28, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00189   808   NtClose  (28, ... ) == 0x0
 00190   808   NtAllocateVirtualMemory  (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0
 00191   808   NtProtectVirtualMemory  (-1, (0x40e860), -1662053999, -238816909, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00192   808   NtProtectVirtualMemory  (-1, (0x3fff02), -1920137235, -2091057152, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00193   808   NtProtectVirtualMemory  (-1, (0x141c600), 148100, 251738496, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00194   808   NtProtectVirtualMemory  (-1, (0xfed68589), -362, -2060728949, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00195   808   NtProtectVirtualMemory  (-1, (0xff4ab58d), -314, -2063466497, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00196   808   NtProtectVirtualMemory  (-1, (0x500068), 1080710741, 100794367, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00197   808   NtProtectVirtualMemory  (-1, (0xff6e95ff), 6946816, 268462080, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00198   808   NtProtectVirtualMemory  (-1, (0x85c90000), 57246735, -1064960001, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00199   808   NtProtectVirtualMemory  (-1, (0x67f95b00), 232, -322, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00200   808   NtProtectVirtualMemory  (-1, (0x4002b0), -397192999, 50331651, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00201   808   NtProtectVirtualMemory  (-1, (0x3ffe86), -1123811957, 915103070, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00202   808   NtProtectVirtualMemory  (-1, (0xf904c7), -2096466688, 1065607051, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00203   808   NtProtectVirtualMemory  (-1, (0x3b430000), 112918, -352321536, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00204   808   NtProtectVirtualMemory  (-1, (0x33cb1301), 880017467, -2096839805, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00205   808   NtProtectVirtualMemory  (-1, (0x3fff32), -1241558191, 1459911427, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00206   808   NtProtectVirtualMemory  (-1, (0x85cbcf8b), -695468033, -13715969, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00207   808   NtProtectVirtualMemory  (-1, (0x5c10ff00), 371205, -322, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00208   808   NtProtectVirtualMemory  (-1, (0xc82b08c3), -2096794624, -108830887, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00209   808   NtProtectVirtualMemory  (-1, (0x3ebeb5), -16750080, 8388712, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00210   808   NtProtectVirtualMemory  (-1, (0x3ec6b5), -1912602625, 848691199, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00211   808   NtProtectVirtualMemory  (-1, (0x843e8b36), -1961863539, 139365375, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00212   808   NtProtectVirtualMemory  (-1, (0x77413ce8), 742852490, 1064567033, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00213   808   NtProtectVirtualMemory  (-1, (0x385a8a14), 1946157434, -2146989065, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00214   808   NtProtectVirtualMemory  (-1, (0xc10108e8), -1050278817, -1964411617, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00215   808   NtProtectVirtualMemory  (-1, (0xc101c486), 73370122, -339442160, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00216   808   NtAllocateVirtualMemory  (-1, 0, 0, 118784, 4096, 4, ... 3407872, 118784, ) == 0x0
 00217   808   NtAllocateVirtualMemory  (-1, 0, 0, 118784, 4096, 4, ... 3538944, 118784, ) == 0x0
 00218   808   NtFreeVirtualMemory  (-1, (0x340000), 0, 32768, ... (0x340000), 118784, ) == 0x0
 00219   808   NtAllocateVirtualMemory  (-1, 0, 0, 1350, 4096, 4, ... 3407872, 4096, ) == 0x0
 00220   808   NtFreeVirtualMemory  (-1, (0x340000), 0, 32768, ... (0x340000), 4096, ) == 0x0
 00221   808   NtAllocateVirtualMemory  (-1, 0, 0, 79872, 4096, 4, ... 3407872, 81920, ) == 0x0
 00222   808   NtFreeVirtualMemory  (-1, (0x340000), 0, 32768, ... (0x340000), 81920, ) == 0x0
 00223   808   NtAllocateVirtualMemory  (-1, 0, 0, 2048, 4096, 4, ... 3407872, 4096, ) == 0x0
 00224   808   NtFreeVirtualMemory  (-1, (0x340000), 0, 32768, ... (0x340000), 4096, ) == 0x0
 00225   808   NtAllocateVirtualMemory  (-1, 0, 0, 2560, 4096, 4, ... 3407872, 4096, ) == 0x0
 00226   808   NtFreeVirtualMemory  (-1, (0x340000), 0, 32768, ... (0x340000), 4096, ) == 0x0
 00227   808   NtAllocateVirtualMemory  (-1, 0, 0, 5120, 4096, 4, ... 3407872, 8192, ) == 0x0
 00228   808   NtFreeVirtualMemory  (-1, (0x340000), 0, 32768, ... (0x340000), 8192, ) == 0x0
 00229   808   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "user32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00230   808   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7e410000), 0x0, 589824, ) == 0x0
 00231   808   NtClose  (28, ... ) == 0x0
 00232   808   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00233   808   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f10000), 0x0, 290816, ) == 0x0
 00234   808   NtClose  (28, ... ) == 0x0
 00235   808   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00236   808   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00237   808   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00238   808   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00239   808   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00240   808   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00241   808   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00242   808   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00243   808   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00244   808   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00245   808   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00246   808   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00247   808   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00248   808   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00249   808   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00250   808   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00251   808   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00252   808   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00253   808   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00254   808   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\user32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00255   808   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00256   808   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2089900645, 7274606, 2090320576, 1241608}  (24, {28, 56, new_msg, 0, 2089900645, 7274606, 2090320576, 1241608} "\210\6\31\1\0\0\0\0\344\0\23\0\4\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 1928, 808, 57963, 0} "\320G\26\0\0\0\0\0\0\0\0\0\4\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" )  ... {28, 56, reply, 0, 1928, 808, 57963, 0}  (24, {28, 56, new_msg, 0, 2089900645, 7274606, 2090320576, 1241608} "\210\6\31\1\0\0\0\0\344\0\23\0\4\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 1928, 808, 57963, 0} "\320G\26\0\0\0\0\0\0\0\0\0\4\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" )  ) == 0x0
 00257   808   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239000, ... ) }, 1239000, ... ) == 0x0
 00258   808   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00259   808   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 28, ... 32, ) == 0x0
 00260   808   NtClose  (28, ... ) == 0x0
 00261   808   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x340000), 0x0, 110592, ) == 0x0
 00262   808   NtClose  (32, ... ) == 0x0
 00263   808   NtUnmapViewOfSection  (-1, 0x340000, ... ) == 0x0
 00264   808   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1238908, ... ) }, 1238908, ... ) == 0x0
 00265   808   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 32, {status=0x0, info=1}, ) }, 5, 96, ... 32, {status=0x0, info=1}, ) == 0x0
 00266   808   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 32, ... 28, ) == 0x0
 00267   808   NtClose  (32, ... ) == 0x0
 00268   808   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x340000), 0x0, 110592, ) == 0x0
 00269   808   NtClose  (28, ... ) == 0x0
 00270   808   NtUnmapViewOfSection  (-1, 0x340000, ... ) == 0x0
 00271   808   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239216, ... ) }, 1239216, ... ) == 0x0
 00272   808   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00273   808   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 28, ... 32, ) == 0x0
 00274   808   NtQuerySection  (32, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00275   808   NtClose  (28, ... ) == 0x0
 00276   808   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76390000), 0x0, 118784, ) == 0x0
 00277   808   NtClose  (32, ... ) == 0x0
 00278   808   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00279   808   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00280   808   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00281   808   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00282   808   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00283   808   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00284   808   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00285   808   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00286   808   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00287   808   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMM32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00288   808   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00289   808   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00290   808   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1236132, ... ) }, 1236132, ... ) == 0x0
 00291   808   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239536, ... ) }, 1239536, ... ) == 0x0
 00292   808   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00293   808   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize"}, ... 32, ) }, ... 32, ) == 0x0
 00294   808   NtQueryValueKey  (32,  (32, "DisableMetaFiles", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00295   808   NtClose  (32, ... ) == 0x0
 00296   808   NtMapViewOfSection  (-2147482740, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x580000), 0x0, 1060864, ) == 0x0
 00297   808   NtClose  (-2147482740, ... ) == 0x0
 00298   808   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 32, ) == 0x0
 00299   808   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00300   808   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482740, ) == 0x0
 00301   808   NtQueryInformationToken  (-2147482740, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00302   808   NtQueryInformationToken  (-2147482740, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00303   808   NtClose  (-2147482740, ... ) == 0x0
 00304   808   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 3407872, 4096, ) == 0x0
 00305   808   NtFreeVirtualMemory  (-1, (0x340000), 4096, 32768, ... (0x340000), 4096, ) == 0x0
 00306   808   NtDuplicateObject  (-1, 28, -1, 0x0, 0, 2, ... 40, ) == 0x0
 00307   808   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0
 00308   808   NtQueryValueKey  (-2147482740,  (-2147482740, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00309   808   NtClose  (-2147482740, ... ) == 0x0
 00310   808   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0
 00311   808   NtQueryValueKey  (-2147482740,  (-2147482740, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00312   808   NtClose  (-2147482740, ... ) == 0x0
 00313   808   NtQueryDefaultLocale  (0, -106645172, ... ) == 0x0
 00314   808   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00315   808   NtUserCallNoParam  (24, ... ) == 0x0
 00316   808   NtGdiCreateCompatibleDC  (0, ...
 00317   808   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 3407872, 4096, ) == 0x0
 00316   808   NtGdiCreateCompatibleDC  ... ) == 0xee0105b0
 00318   808   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00319   808   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00320   808   NtGdiCreateBitmap  (8, 8, 1, 1, 2118200212, ... ) == 0x76050581
 00321   808   NtGdiCreateSolidBrush  (0, 0, ...
 00322   808   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 3473408, 4096, ) == 0x0
 00321   808   NtGdiCreateSolidBrush  ... ) == 0xa51003d2
 00323   808   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00324   808   NtGdiCreateCompatibleDC  (0, ... ) == 0x5201039b
 00325   808   NtGdiSelectBitmap  (1375798171, 1980040577, ... ) == 0x185000f
 00326   808   NtUserGetThreadDesktop  (808, 0, ... ) == 0x24
 00327   808   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 44, ) }, ... 44, ) == 0x0
 00328   808   NtQueryValueKey  (44,  (44, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (44, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00329   808   NtClose  (44, ... ) == 0x0
 00330   808   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00331   808   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 673, 128, 0, ... ) == 0x8178c017
 00332   808   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00333   808   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 674, 128, 0, ... ) == 0x8178c01c
 00334   808   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00335   808   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 675, 128, 0, ... ) == 0x8178c01e
 00336   808   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00337   808   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 676, 128, 0, ... ) == 0x81788002
 00338   808   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10013
 00339   808   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 677, 128, 0, ... ) == 0x8178c018
 00340   808   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00341   808   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 678, 128, 0, ... ) == 0x8178c01a
 00342   808   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00343   808   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 679, 128, 0, ... ) == 0x8178c01d
 00344   808   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00345   808   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 681, 128, 0, ... ) == 0x8178c026
 00346   808   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00347   808   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 680, 128, 0, ... ) == 0x8178c019
 00348   808   NtUserRegisterClassExWOW  (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x8178c020
 00349   808   NtUserRegisterClassExWOW  (1240932, 1241028, 1241012, 1241000, 0, 130, 0, ... ) == 0x8178c022
 00350   808   NtUserRegisterClassExWOW  (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x8178c023
 00351   808   NtUserRegisterClassExWOW  (1240932, 1241028, 1241012, 1241000, 0, 130, 0, ... ) == 0x8178c024
 00352   808   NtUserRegisterClassExWOW  (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x8178c025
 00353   808   NtCallbackReturn  (0, 0, 0, ...
 00354   808   NtGdiInit  (... ) == 0x1
 00355   808   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00356   808   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00357   808   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ole32.dll"}, ... 44, ) }, ... 44, ) == 0x0
 00358   808   NtMapViewOfSection  (44, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x774e0000), 0x0, 1298432, ) == 0x0
 00359   808   NtClose  (44, ... ) == 0x0
 00360   808   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00361   808   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00362   808   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00363   808   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00364   808   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00365   808   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00366   808   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00367   808   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00368   808   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00369   808   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00370   808   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00371   808   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00372   808   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00373   808   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00374   808   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00375   808   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00376   808   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00377   808   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00378   808   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00379   808   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00380   808   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00381   808   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ole32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00382   808   NtAllocateVirtualMemory  (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0
 00383   808   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... 44, {status=0x0, info=0}, ) }, 7, 16, ... 44, {status=0x0, info=0}, ) == 0x0
 00384   808   NtDeviceIoControlFile  (44, 0, 0x0, 0x0, 0x390008,  (44, 0, 0x0, 0x0, 0x390008, "Do\211!m(}\22\254\35g;a[A\330\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00385   808   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00386   808   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00387   808   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00388   808   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00389   808   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00390   808   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00391   808   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00392   808   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482740, 2, ) }, 0, 0x0, 0, ... -2147482740, 2, ) == 0x0
 00393   808   NtSetValueKey  (-2147482740,  (-2147482740, "Seed", 0, 3, "\352\355\363N\1\250z\211D\340\226\15\264\353\320\216z_dk\376\2l\324L\343*\244\31b{\301'\371?\32\30M\367\2447\340\2150\213&\240\254\2752\265\356\11\31\260\27\212\245\212\25\5\253^|\26\332\320\366\6Z\237\331\265\231\212\177(\32L\214", 80, ... ) , 0, 3,  (-2147482740, "Seed", 0, 3, "\352\355\363N\1\250z\211D\340\226\15\264\353\320\216z_dk\376\2l\324L\343*\244\31b{\301'\371?\32\30M\367\2447\340\2150\213&\240\254\2752\265\356\11\31\260\27\212\245\212\25\5\253^|\26\332\320\366\6Z\237\331\265\231\212\177(\32L\214", 80, ... ) , 80, ... ) == 0x0
 00394   808   NtClose  (-2147482740, ... ) == 0x0
 00384   808   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\241\326\305\243\306\335;\364j\372\335.\262\327\362\234>\273#\277\354VSvrvX\216c\330V\275\236*\234\336n\264\214\253\251'\270\2v_\214\26\207f\30j)\225\203=\36T\267 \27\337\313\33CN\314\310\304\3570b\244\68w9r\6\252\210h\311\273$\30\5n\11f\325\240\234^^\307h\255\316Q-`\353-\17Wk\214>Yz7`\13\340V\372V\304\3028\224\302\16\250\273^a\224\255\225\207'\32\243\351}q\333\271,\355\336g\344\16\203FZTe\354\331\350\246\240;uaj3\3269/\222\15\253?\374\301\371\334i\220\201\242\240\313\313Q4\274\210\276\273\273\320\36\245,&\216v\355\267Nv\6\203V\211:\201\365n3\37z\12K\330\373\304\341p\324\2218\205.Y\30=\365\321\2D\13\367\315\204\331\3501\350\322\243@l\27\332\251\214\205\16B7\304\266\343jF1\3\352", ) , ) == 0x0
 00395   808   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00396   808   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00397   808   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 48, ) }, ... 48, ) == 0x0
 00398   808   NtQueryValueKey  (48,  (48, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (48, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0
 00399   808   NtClose  (48, ... ) == 0x0
 00400   808   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Ole"}, ... 48, ) }, ... 48, ) == 0x0
 00401   808   NtQueryValueKey  (48,  (48, "RWLockResourceTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00402   808   NtClose  (48, ... ) == 0x0
 00403   808   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00404   808   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00405   808   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00406   808   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00407   808   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 48, ) }, ... 48, ) == 0x0
 00408   808   NtQueryValueKey  (48,  (48, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00409   808   NtQueryValueKey  (48,  (48, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00410   808   NtQueryValueKey  (48,  (48, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00411   808   NtClose  (48, ... ) == 0x0
 00412   808   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 48, ) }, ... 48, ) == 0x0
 00413   808   NtQueryValueKey  (48,  (48, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00414   808   NtQueryValueKey  (48,  (48, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00415   808   NtClose  (48, ... ) == 0x0
 00416   808   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 48, ) }, ... 48, ) == 0x0
 00417   808   NtOpenEvent  (0x1f0003, {24, 48, 0x0, 0, 0,  (0x1f0003, {24, 48, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00418   808   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00419   808   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 52, ) == 0x0
 00420   808   NtQueryInformationToken  (52, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00421   808   NtClose  (52, ... ) == 0x0
 00422   808   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 52, ) }, ... 52, ) == 0x0
 00423   808   NtSetInformationObject  (52, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 00424   808   NtOpenKey  (0xf003f, {24, 52, 0x40, 0, 0,  (0xf003f, {24, 52, 0x40, 0, 0, "Software\Borland\Locales"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00425   808   NtOpenKey  (0xf003f, {24, 52, 0x40, 0, 0,  (0xf003f, {24, 52, 0x40, 0, 0, "Software\Borland\Delphi\Locales"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00426   808   NtOpenProcessToken  (-1, 0x8, ... 56, ) == 0x0
 00427   808   NtQueryInformationToken  (56, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00428   808   NtClose  (56, ... ) == 0x0
 00429   808   NtUserCallOneParam  (0, 41, ... ) == 0x4
 00430   808   NtAllocateVirtualMemory  (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0
 00431   808   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 1, ... 10027008, 1048576, ) == 0x0
 00432   808   NtAllocateVirtualMemory  (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0
 00433   808   NtAllocateVirtualMemory  (-1, 10027008, 0, 16384, 4096, 4, ... 10027008, 16384, ) == 0x0
 00434   808   NtUserCallNoParam  (29, ...
 00435   808   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1242268, ... ) }, 1242268, ... ) == 0x0
 00436   808   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 56, {status=0x0, info=1}, ) }, 5, 96, ... 56, {status=0x0, info=1}, ) == 0x0
 00437   808   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 56, ... 60, ) == 0x0
 00438   808   NtClose  (56, ... ) == 0x0
 00439   808   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x380000), 0x0, 221184, ) == 0x0
 00440   808   NtClose  (60, ... ) == 0x0
 00441   808   NtUnmapViewOfSection  (-1, 0x380000, ... ) == 0x0
 00442   808   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1242576, ... ) }, 1242576, ... ) == 0x0
 00443   808   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 60, {status=0x0, info=1}, ) }, 5, 96, ... 60, {status=0x0, info=1}, ) == 0x0
 00444   808   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 60, ... 56, ) == 0x0
 00445   808   NtQuerySection  (56, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00446   808   NtClose  (60, ... ) == 0x0
 00447   808   NtMapViewOfSection  (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5ad70000), 0x0, 229376, ) == 0x0
 00448   808   NtClose  (56, ... ) == 0x0
 00449   808   NtProtectVirtualMemory  (-1, (0x5ad71000), 1300, 4, ... (0x5ad71000), 4096, 32, ) == 0x0
 00450   808   NtProtectVirtualMemory  (-1, (0x5ad71000), 4096, 32, ... (0x5ad71000), 4096, 4, ) == 0x0
 00451   808   NtFlushInstructionCache  (-1, 1524043776, 1300, ... ) == 0x0
 00452   808   NtProtectVirtualMemory  (-1, (0x5ad71000), 1300, 4, ... (0x5ad71000), 4096, 32, ) == 0x0
 00453   808   NtProtectVirtualMemory  (-1, (0x5ad71000), 4096, 32, ... (0x5ad71000), 4096, 4, ) == 0x0
 00454   808   NtFlushInstructionCache  (-1, 1524043776, 1300, ... ) == 0x0
 00455   808   NtProtectVirtualMemory  (-1, (0x5ad71000), 1300, 4, ... (0x5ad71000), 4096, 32, ) == 0x0
 00456   808   NtProtectVirtualMemory  (-1, (0x5ad71000), 4096, 32, ... (0x5ad71000), 4096, 4, ) == 0x0
 00457   808   NtFlushInstructionCache  (-1, 1524043776, 1300, ... ) == 0x0
 00458   808   NtProtectVirtualMemory  (-1, (0x5ad71000), 1300, 4, ... (0x5ad71000), 4096, 32, ) == 0x0
 00459   808   NtProtectVirtualMemory  (-1, (0x5ad71000), 4096, 32, ... (0x5ad71000), 4096, 4, ) == 0x0
 00460   808   NtFlushInstructionCache  (-1, 1524043776, 1300, ... ) == 0x0
 00461   808   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uxtheme.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00462   808   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00463   808   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00464   808   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00465   808   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 56, ) == 0x0
 00466   808   NtQueryInformationToken  (56, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00467   808   NtClose  (56, ... ) == 0x0
 00468   808   NtOpenKey  (0x2001f, {24, 0, 0x640, 0, 0,  (0x2001f, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 56, ) }, ... 56, ) == 0x0
 00469   808   NtOpenKey  (0x1, {24, 56, 0x40, 0, 0,  (0x1, {24, 56, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\ThemeManager"}, ... 60, ) }, ... 60, ) == 0x0
 00470   808   NtQueryValueKey  (60,  (60, "Compositing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00471   808   NtClose  (60, ... ) == 0x0
 00472   808   NtClose  (56, ... ) == 0x0
 00473   808   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00474   808   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 56, ) == 0x0
 00475   808   NtQueryInformationToken  (56, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00476   808   NtClose  (56, ... ) == 0x0
 00477   808   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 56, ) }, ... 56, ) == 0x0
 00478   808   NtOpenKey  (0x1, {24, 56, 0x40, 0, 0,  (0x1, {24, 56, 0x40, 0, 0, "Control Panel\Desktop"}, ... 60, ) }, ... 60, ) == 0x0
 00479   808   NtQueryValueKey  (60,  (60, "LameButtonText", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00480   808   NtClose  (60, ... ) == 0x0
 00481   808   NtClose  (56, ... ) == 0x0
 00482   808   NtUserGetProcessWindowStation  (... ) == 0x1c
 00483   808   NtUserGetObjectInformation  (28, 2, 1244364, 64, 1244360, ... ) == 0x1
 00484   808   NtUserGetGUIThreadInfo  (808, 1244384, ... ) == 0x1
 00485   808   NtConnectPort  ( ("\ThemeApiPort", {12, 2, 1, 1}, 0x0, 0x0, 1244228, 64, ... 56, 0x0, 0x0, 0x0, 64, ) , {12, 2, 1, 1}, 0x0, 0x0, 1244228, 64, ... 56, 0x0, 0x0, 0x0, 64, ) == 0x0
 00486   808   NtRequestWaitReplyPort  (56, {32, 56, new_msg, 0, 0, 0, 0, 0}  (56, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 1928, 808, 57965, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 1928, 808, 57965, 0}  (56, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 1928, 808, 57965, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 00487   808   NtRequestWaitReplyPort  (56, {32, 56, new_msg, 0, 0, 0, 0, 0}  (56, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 1928, 808, 57966, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 1928, 808, 57966, 0}  (56, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 1928, 808, 57966, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 00488   808   NtUserCallNoParam  (29, ...
 00489   808   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1241624, ... ) }, 1241624, ... ) == 0x0
 00488   808   NtUserCallNoParam  ... ) == 0x0
 00490   808   NtUserSystemParametersInfo  (41, 0, 1524240760, 0, ... ) == 0x1
 00491   808   NtGdiHfontCreate  (1243752, 356, 0, 0, 1340336, ... ) == 0x330a04e1
 00492   808   NtGdiHfontCreate  (1243752, 356, 0, 0, 1340328, ... ) == 0x520a0634
 00493   808   NtRequestWaitReplyPort  (56, {32, 56, new_msg, 0, 0, 0, 0, 0}  (56, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 1928, 808, 57967, 0} "\0\0\0\0\0\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 1928, 808, 57967, 0}  (56, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 1928, 808, 57967, 0} "\0\0\0\0\0\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 00494   808   NtMapViewOfSection  (60, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x380000), {0, 0}, 327680, ) == 0x0
 00495   808   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00496   808   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00497   808   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00498   808   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00499   808   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00500   808   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00501   808   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00502   808   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00503   808   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00504   808   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00505   808   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00506   808   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00507   808   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00508   808   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00509   808   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00510   808   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00511   808   NtAllocateVirtualMemory  (-1, 3297280, 0, 4096, 4096, 4, ... 3297280, 4096, ) == 0x0
 00512   808   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00513   808   NtGdiCreatePatternBrushInternal  (59048383, 0, 0, ... ) == 0x72100798
 00514   808   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00515   808   NtUserCallNoParam  (29, ...
 00516   808   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1241064, ... ) }, 1241064, ... ) == 0x0
 00515   808   NtUserCallNoParam  ... ) == 0x0
 00517   808   NtUserCallNoParam  (29, ...
 00518   808   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1241060, ... ) }, 1241060, ... ) == 0x0
 00517   808   NtUserCallNoParam  ... ) == 0x0
 00434   808   NtUserCallNoParam  ... ) == 0x1
 00519   808   NtQueryVirtualMemory  (-1, 0x373313, Basic, 28, ... {BaseAddress=0x373000,AllocationBase=0x360000,AllocationProtect=0x4,RegionSize=0xa000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00520   808   NtQueryInformationProcess  (-1, 34, 4, ... {process info, class 34, size 4}, 0x0, ) == 0x0
 00521   808   NtContinue  (1244356, 0, ...
 00522   808   NtQueryVirtualMemory  (-1, 0x372d5c, Basic, 28, ... {BaseAddress=0x372000,AllocationBase=0x360000,AllocationProtect=0x4,RegionSize=0xb000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00523   808   NtQueryInformationProcess  (-1, 34, 4, ... {process info, class 34, size 4}, 0x0, ) == 0x0
 00524   808   NtContinue  (1244032, 0, ...
 00525   808   NtQueryVirtualMemory  (-1, 0x372dc0, Basic, 28, ... {BaseAddress=0x372000,AllocationBase=0x360000,AllocationProtect=0x4,RegionSize=0xb000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00526   808   NtQueryInformationProcess  (-1, 34, 4, ... {process info, class 34, size 4}, 0x0, ) == 0x0
 00527   808   NtContinue  (1244032, 0, ...
 00528   808   NtQueryVirtualMemory  (-1, 0x370d71, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x360000,AllocationProtect=0x4,RegionSize=0xd000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00529   808   NtQueryInformationProcess  (-1, 34, 4, ... {process info, class 34, size 4}, 0x0, ) == 0x0
 00530   808   NtQueryVirtualMemory  (-1, 0x373132, Basic, 28, ... {BaseAddress=0x373000,AllocationBase=0x360000,AllocationProtect=0x4,RegionSize=0xa000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00531   808   NtQueryInformationProcess  (-1, 34, 4, ... {process info, class 34, size 4}, 0x0, ) == 0x0
 00532   808   NtQueryVirtualMemory  (-1, 0x7c816fe0, Basic, 28, ... {BaseAddress=0x7c816000,AllocationBase=0x7c800000,AllocationProtect=0x80,RegionSize=0x6e000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 00533   808   NtQueryInformationProcess  (-1, DebugPort, 4, ... {process info, class 7, size 4}, 0x0, ) == 0x0
 00534   808   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00535   808   NtQueryVirtualMemory  (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 00536   808   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00537   808   NtQueryInformationJobObject  (0, BasicLimit, 48, ... ) == STATUS_ACCESS_DENIED
 00538   808   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AeDebug"}, ... 64, ) }, ... 64, ) == 0x0
 00539   808   NtQueryValueKey  (64,  (64, "Auto", Partial, 526, ... TitleIdx=0, Type=1, Data="0\0\0\0"}, 16, ) , Partial, 526, ... TitleIdx=0, Type=1, Data= (64, "Auto", Partial, 526, ... TitleIdx=0, Type=1, Data="0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00540   808   NtQueryValueKey  (64,  (64, "Debugger", Partial, 526, ... TitleIdx=0, Type=1, Data=""\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0V\0i\0s\0u\0a\0l\0 \0S\0t\0u\0d\0i\0o\0\\0C\0o\0m\0m\0o\0n\0\\0M\0S\0D\0e\0v\09\08\0\\0B\0i\0n\0\\0m\0s\0d\0e\0v\0.\0e\0x\0e\0"\0 \0-\0p\0 \0%\0l\0d\0 \0-\0e\0 \0%\0l\0d\0\0\0"}, 184, ) , Partial, 526, ... TitleIdx=0, Type=1, Data=" (64, "Debugger", Partial, 526, ... TitleIdx=0, Type=1, Data=""\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0V\0i\0s\0u\0a\0l\0 \0S\0t\0u\0d\0i\0o\0\\0C\0o\0m\0m\0o\0n\0\\0M\0S\0D\0e\0v\09\08\0\\0B\0i\0n\0\\0m\0s\0d\0e\0v\0.\0e\0x\0e\0"\0 \0-\0p\0 \0%\0l\0d\0 \0-\0e\0 \0%\0l\0d\0\0\0"}, 184, ) \0 \0-\0p\0 \0%\0l\0d\0 \0-\0e\0 \0%\0l\0d\0\0\0"}, 184, ) == 0x0
 00541   808   NtClose  (64, ... ) == 0x0
 00542   808   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\faultrep.dll"}, 1239712, ... ) }, 1239712, ... ) == 0x0
 00543   808   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\faultrep.dll"}, 5, 96, ... 64, {status=0x0, info=1}, ) }, 5, 96, ... 64, {status=0x0, info=1}, ) == 0x0
 00544   808   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 64, ... 68, ) == 0x0
 00545   808   NtClose  (64, ... ) == 0x0
 00546   808   NtMapViewOfSection  (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x3d0000), 0x0, 81920, ) == 0x0
 00547   808   NtClose  (68, ... ) == 0x0
 00548   808   NtUnmapViewOfSection  (-1, 0x3d0000, ... ) == 0x0
 00549   808   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\faultrep.dll"}, 1240020, ... ) }, 1240020, ... ) == 0x0
 00550   808   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\faultrep.dll"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00551   808   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 68, ... 64, ) == 0x0
 00552   808   NtQuerySection  (64, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00553   808   NtClose  (68, ... ) == 0x0
 00554   808   NtMapViewOfSection  (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x69450000), 0x0, 90112, ) == 0x0
 00555   808   NtClose  (64, ... ) == 0x0
 00556   808   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "VERSION.dll"}, ... 64, ) }, ... 64, ) == 0x0
 00557   808   NtMapViewOfSection  (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c00000), 0x0, 32768, ) == 0x0
 00558   808   NtClose  (64, ... ) == 0x0
 00559   808   NtProtectVirtualMemory  (-1, (0x77c01000), 304, 4, ... (0x77c01000), 4096, 32, ) == 0x0
 00560   808   NtProtectVirtualMemory  (-1, (0x77c01000), 4096, 32, ... (0x77c01000), 4096, 4, ) == 0x0
 00561   808   NtFlushInstructionCache  (-1, 2009075712, 304, ... ) == 0x0
 00562   808   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "USERENV.dll"}, ... 64, ) }, ... 64, ) == 0x0
 00563   808   NtMapViewOfSection  (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x769c0000), 0x0, 733184, ) == 0x0
 00564   808   NtClose  (64, ... ) == 0x0
 00565   808   NtProtectVirtualMemory  (-1, (0x769c1000), 1244, 4, ... (0x769c1000), 4096, 32, ) == 0x0
 00566   808   NtProtectVirtualMemory  (-1, (0x769c1000), 4096, 32, ... (0x769c1000), 4096, 4, ) == 0x0
 00567   808   NtFlushInstructionCache  (-1, 1989939200, 1244, ... ) == 0x0
 00568   808   NtProtectVirtualMemory  (-1, (0x769c1000), 1244, 4, ... (0x769c1000), 4096, 32, ) == 0x0
 00569   808   NtProtectVirtualMemory  (-1, (0x769c1000), 4096, 32, ... (0x769c1000), 4096, 4, ) == 0x0
 00570   808   NtFlushInstructionCache  (-1, 1989939200, 1244, ... ) == 0x0
 00571   808   NtProtectVirtualMemory  (-1, (0x769c1000), 1244, 4, ... (0x769c1000), 4096, 32, ) == 0x0
 00572   808   NtProtectVirtualMemory  (-1, (0x769c1000), 4096, 32, ... (0x769c1000), 4096, 4, ) == 0x0
 00573   808   NtFlushInstructionCache  (-1, 1989939200, 1244, ... ) == 0x0
 00574   808   NtProtectVirtualMemory  (-1, (0x769c1000), 1244, 4, ... (0x769c1000), 4096, 32, ) == 0x0
 00575   808   NtProtectVirtualMemory  (-1, (0x769c1000), 4096, 32, ... (0x769c1000), 4096, 4, ) == 0x0
 00576   808   NtFlushInstructionCache  (-1, 1989939200, 1244, ... ) == 0x0
 00577   808   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WINSTA.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00578   808   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WINSTA.dll"}, 1239196, ... ) }, 1239196, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00579   808   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WINSTA.dll"}, 1239196, ... ) }, 1239196, ... ) == 0x0
 00580   808   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WINSTA.dll"}, 5, 96, ... 64, {status=0x0, info=1}, ) }, 5, 96, ... 64, {status=0x0, info=1}, ) == 0x0
 00581   808   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 64, ... 68, ) == 0x0
 00582   808   NtQuerySection  (68, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00583   808   NtClose  (64, ... ) == 0x0
 00584   808   NtMapViewOfSection  (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76360000), 0x0, 65536, ) == 0x0
 00585   808   NtClose  (68, ... ) == 0x0
 00586   808   NtProtectVirtualMemory  (-1, (0x76361000), 212, 4, ... (0x76361000), 4096, 32, ) == 0x0
 00587   808   NtProtectVirtualMemory  (-1, (0x76361000), 4096, 32, ... (0x76361000), 4096, 4, ) == 0x0
 00588   808   NtFlushInstructionCache  (-1, 1983254528, 212, ... ) == 0x0
 00589   808   NtProtectVirtualMemory  (-1, (0x76361000), 212, 4, ... (0x76361000), 4096, 32, ) == 0x0
 00590   808   NtProtectVirtualMemory  (-1, (0x76361000), 4096, 32, ... (0x76361000), 4096, 4, ) == 0x0
 00591   808   NtFlushInstructionCache  (-1, 1983254528, 212, ... ) == 0x0
 00592   808   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "NETAPI32.dll"}, ... 68, ) }, ... 68, ) == 0x0
 00593   808   NtMapViewOfSection  (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5b860000), 0x0, 344064, ) == 0x0
 00594   808   NtClose  (68, ... ) == 0x0
 00595   808   NtProtectVirtualMemory  (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0
 00596   808   NtProtectVirtualMemory  (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0
 00597   808   NtFlushInstructionCache  (-1, 1535512576, 1168, ... ) == 0x0
 00598   808   NtProtectVirtualMemory  (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0
 00599   808   NtProtectVirtualMemory  (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0
 00600   808   NtFlushInstructionCache  (-1, 1535512576, 1168, ... ) == 0x0
 00601   808   NtProtectVirtualMemory  (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0
 00602   808   NtProtectVirtualMemory  (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0
 00603   808   NtFlushInstructionCache  (-1, 1535512576, 1168, ... ) == 0x0
 00604   808   NtProtectVirtualMemory  (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0
 00605   808   NtProtectVirtualMemory  (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0
 00606   808   NtFlushInstructionCache  (-1, 1535512576, 1168, ... ) == 0x0
 00607   808   NtProtectVirtualMemory  (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0
 00608   808   NtProtectVirtualMemory  (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0
 00609   808   NtFlushInstructionCache  (-1, 1535512576, 1168, ... ) == 0x0
 00610   808   NtProtectVirtualMemory  (-1, (0x76361000), 212, 4, ... (0x76361000), 4096, 32, ) == 0x0
 00611   808   NtProtectVirtualMemory  (-1, (0x76361000), 4096, 32, ... (0x76361000), 4096, 4, ) == 0x0
 00612   808   NtFlushInstructionCache  (-1, 1983254528, 212, ... ) == 0x0
 00613   808   NtProtectVirtualMemory  (-1, (0x76361000), 212, 4, ... (0x76361000), 4096, 32, ) == 0x0
 00614   808   NtProtectVirtualMemory  (-1, (0x76361000), 4096, 32, ... (0x76361000), 4096, 4, ) == 0x0
 00615   808   NtFlushInstructionCache  (-1, 1983254528, 212, ... ) == 0x0
 00616   808   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WTSAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00617   808   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WTSAPI32.dll"}, 1239196, ... ) }, 1239196, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00618   808   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WTSAPI32.dll"}, 1239196, ... ) }, 1239196, ... ) == 0x0
 00619   808   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WTSAPI32.dll"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00620   808   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 68, ... 64, ) == 0x0
 00621   808   NtQuerySection  (64, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00622   808   NtClose  (68, ... ) == 0x0
 00623   808   NtMapViewOfSection  (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f50000), 0x0, 32768, ) == 0x0
 00624   808   NtClose  (64, ... ) == 0x0
 00625   808   NtProtectVirtualMemory  (-1, (0x76f51000), 332, 4, ... (0x76f51000), 4096, 32, ) == 0x0
 00626   808   NtProtectVirtualMemory  (-1, (0x76f51000), 4096, 32, ... (0x76f51000), 4096, 4, ) == 0x0
 00627   808   NtFlushInstructionCache  (-1, 1995771904, 332, ... ) == 0x0
 00628   808   NtProtectVirtualMemory  (-1, (0x76f51000), 332, 4, ... (0x76f51000), 4096, 32, ) == 0x0
 00629   808   NtProtectVirtualMemory  (-1, (0x76f51000), 4096, 32, ... (0x76f51000), 4096, 4, ) == 0x0
 00630   808   NtFlushInstructionCache  (-1, 1995771904, 332, ... ) == 0x0
 00631   808   NtProtectVirtualMemory  (-1, (0x76f51000), 332, 4, ... (0x76f51000), 4096, 32, ) == 0x0
 00632   808   NtProtectVirtualMemory  (-1, (0x76f51000), 4096, 32, ... (0x76f51000), 4096, 4, ) == 0x0
 00633   808   NtFlushInstructionCache  (-1, 1995771904, 332, ... ) == 0x0
 00634   808   NtProtectVirtualMemory  (-1, (0x76f51000), 332, 4, ... (0x76f51000), 4096, 32, ) == 0x0
 00635   808   NtProtectVirtualMemory  (-1, (0x76f51000), 4096, 32, ... (0x76f51000), 4096, 4, ) == 0x0
 00636   808   NtFlushInstructionCache  (-1, 1995771904, 332, ... ) == 0x0
 00637   808   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SETUPAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00638   808   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\SETUPAPI.dll"}, 1239196, ... ) }, 1239196, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00639   808   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SETUPAPI.dll"}, 1239196, ... ) }, 1239196, ... ) == 0x0
 00640   808   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SETUPAPI.dll"}, 5, 96, ... 64, {status=0x0, info=1}, ) }, 5, 96, ... 64, {status=0x0, info=1}, ) == 0x0
 00641   808   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 64, ... 68, ) == 0x0
 00642   808   NtQuerySection  (68, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00643   808   NtClose  (64, ... ) == 0x0
 00644   808   NtMapViewOfSection  (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77920000), 0x0, 995328, ) == 0x0
 00645   808   NtClose  (68, ... ) == 0x0
 00646   808   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 00647   808   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 00648   808   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 00649   808   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 00650   808   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 00651   808   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 00652   808   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 00653   808   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 00654   808   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 00655   808   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 00656   808   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 00657   808   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 00658   808   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 00659   808   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 00660   808   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 00661   808   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 68, ) }, ... 68, ) == 0x0
 00662   808   NtMapViewOfSection  (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f60000), 0x0, 483328, ) == 0x0
 00663   808   NtClose  (68, ... ) == 0x0
 00664   808   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 00665   808   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 00666   808   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 00667   808   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 00668   808   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 00669   808   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 00670   808   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 00671   808   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 00672   808   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 00673   808   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 00674   808   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 00675   808   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 00676   808   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 00677   808   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 00678   808   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 00679   808   NtProtectVirtualMemory  (-1, (0x69451000), 736, 4, ... (0x69451000), 4096, 32, ) == 0x0
 00680   808   NtProtectVirtualMemory  (-1, (0x69451000), 4096, 32, ... (0x69451000), 4096, 4, ) == 0x0
 00681   808   NtFlushInstructionCache  (-1, 1766133760, 736, ... ) == 0x0
 00682   808   NtProtectVirtualMemory  (-1, (0x69451000), 736, 4, ... (0x69451000), 4096, 32, ) == 0x0
 00683   808   NtProtectVirtualMemory  (-1, (0x69451000), 4096, 32, ... (0x69451000), 4096, 4, ) == 0x0
 00684   808   NtFlushInstructionCache  (-1, 1766133760, 736, ... ) == 0x0
 00685   808   NtProtectVirtualMemory  (-1, (0x69451000), 736, 4, ... (0x69451000), 4096, 32, ) == 0x0
 00686   808   NtProtectVirtualMemory  (-1, (0x69451000), 4096, 32, ... (0x69451000), 4096, 4, ) == 0x0
 00687   808   NtFlushInstructionCache  (-1, 1766133760, 736, ... ) == 0x0
 00688   808   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VERSION.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00689   808   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USERENV.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00690   808   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 68, ) }, ... 68, ) == 0x0
 00691   808   NtQueryValueKey  (68,  (68, "UserEnvDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00692   808   NtClose  (68, ... ) == 0x0
 00693   808   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 68, ) }, ... 68, ) == 0x0
 00694   808   NtQueryValueKey  (68,  (68, "ChkAccDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00695   808   NtClose  (68, ... ) == 0x0
 00696   808   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Control\ProductOptions"}, ... 68, ) }, ... 68, ) == 0x0
 00697   808   NtQueryValueKey  (68,  (68, "ProductType", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0i\0n\0N\0T\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (68, "ProductType", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0i\0n\0N\0T\0\0\0"}, 24, ) }, 24, ) == 0x0
 00698   808   NtClose  (68, ... ) == 0x0
 00699   808   NtCreateEvent  (0x1f0003, {24, 48, 0x80, 1237788, 0,  (0x1f0003, {24, 48, 0x80, 1237788, 0, "Global\userenv:  User Profile setup event"}, 0, 1, ... 68, ) }, 0, 1, ... 68, ) == STATUS_OBJECT_NAME_EXISTS
 00700   808   NtQueryDefaultUILanguage  (2090319928, ...
 00701   808   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00702   808   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482740, ) == 0x0
 00703   808   NtQueryInformationToken  (-2147482740, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00704   808   NtClose  (-2147482740, ... ) == 0x0
 00705   808   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0
 00706   808   NtOpenKey  (0x80000000, {24, -2147482740, 0x240, 0, 0,  (0x80000000, {24, -2147482740, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00707   808   NtOpenKey  (0x80000000, {24, -2147482740, 0x640, 0, 0,  (0x80000000, {24, -2147482740, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481328, ) }, ... -2147481328, ) == 0x0
 00708   808   NtQueryValueKey  (-2147481328,  (-2147481328, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00709   808   NtClose  (-2147481328, ... ) == 0x0
 00710   808   NtClose  (-2147482740, ... ) == 0x0
 00700   808   NtQueryDefaultUILanguage  ... ) == 0x0
 00711   808   NtQueryInstallUILanguage  (2090319930, ... ) == 0x0
 00712   808   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00713   808   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00714   808   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00715   808   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00716   808   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00717   808   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00718   808   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00719   808   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00720   808   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00721   808   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00722   808   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00723   808   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00724   808   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00725   808   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00726   808   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00727   808   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00728   808   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00729   808   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00730   808   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00731   808   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00732   808   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00733   808   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00734   808   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00735   808   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00736   808   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00737   808   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00738   808   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00739   808   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 64, ) == 0x0
 00740   808   NtQueryInformationToken  (64, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00741   808   NtClose  (64, ... ) == 0x0
 00742   808   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 64, ) }, ... 64, ) == 0x0
 00743   808   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, ... 72, ) }, ... 72, ) == 0x0
 00744   808   NtQueryValueKey  (72,  (72, "Personal", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 66, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (72, "Personal", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 66, ) }, 66, ) == 0x0
 00745   808   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00746   808   NtQueryValueKey  (72,  (72, "Local Settings", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 70, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (72, "Local Settings", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 70, ) }, 70, ) == 0x0
 00747   808   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00748   808   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00749   808   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00750   808   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00751   808   NtClose  (72, ... ) == 0x0
 00752   808   NtClose  (64, ... ) == 0x0
 00753   808   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 64, ) }, ... 64, ) == 0x0
 00754   808   NtQueryValueKey  (64,  (64, "RsopDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00755   808   NtClose  (64, ... ) == 0x0
 00756   808   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 64, ) }, ... 64, ) == 0x0
 00757   808   NtQueryValueKey  (64,  (64, "UserEnvDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00758   808   NtQueryValueKey  (64,  (64, "RsopLogging", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00759   808   NtClose  (64, ... ) == 0x0
 00760   808   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\System"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00761   808   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 64, ) }, ... 64, ) == 0x0
 00762   808   NtQueryValueKey  (64,  (64, "UserEnvDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00763   808   NtClose  (64, ... ) == 0x0
 00764   808   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\System"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00765   808   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NETAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00766   808   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WINSTA.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00767   808   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WTSAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00768   808   NtQueryPerformanceCounter  (... {924549785, 10}, {3579545, 0}, ) == 0x0
 00769   808   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUPAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00770   808   NtQueryDefaultLocale  (1, 1239916, ... ) == 0x0
 00771   808   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 00772   808   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "System\Setup"}, ... 64, ) }, ... 64, ) == 0x0
 00773   808   NtQueryValueKey  (64,  (64, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (64, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00774   808   NtClose  (64, ... ) == 0x0
 00775   808   NtUserGetProcessWindowStation  (... ) == 0x1c
 00776   808   NtUserGetObjectInformation  (28, 1, 1239512, 12, 1239524, ... ) == 0x1
 00777   808   NtOpenKey  (0xf003f, {24, 16, 0x40, 0, 0,  (0xf003f, {24, 16, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\MiniNT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00778   808   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "System\WPA\PnP"}, ... 64, ) }, ... 64, ) == 0x0
 00779   808   NtQueryValueKey  (64,  (64, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\240d\351\211"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (64, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\240d\351\211"}, 16, ) }, 16, ) == 0x0
 00780   808   NtClose  (64, ... ) == 0x0
 00781   808   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "SYSTEM\Setup"}, ... 64, ) }, ... 64, ) == 0x0
 00782   808   NtQueryValueKey  (64,  (64, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (64, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0
 00783   808   NtQueryValueKey  (64,  (64, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (64, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0
 00784   808   NtClose  (64, ... ) == 0x0
 00785   808   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "SYSTEM\Setup"}, ... 64, ) }, ... 64, ) == 0x0
 00786   808   NtQueryValueKey  (64,  (64, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (64, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0
 00787   808   NtQueryValueKey  (64,  (64, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (64, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0
 00788   808   NtClose  (64, ... ) == 0x0
 00789   808   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 64, ) }, ... 64, ) == 0x0
 00790   808   NtQueryValueKey  (64,  (64, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (64, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 00791   808   NtQueryValueKey  (64,  (64, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (64, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 00792   808   NtClose  (64, ... ) == 0x0
 00793   808   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 64, ) }, ... 64, ) == 0x0
 00794   808   NtQueryValueKey  (64,  (64, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (64, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 00795   808   NtQueryValueKey  (64,  (64, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (64, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 00796   808   NtClose  (64, ... ) == 0x0
 00797   808   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 64, ) }, ... 64, ) == 0x0
 00798   808   NtQueryValueKey  (64,  (64, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (64, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) }, 102, ) == 0x0
 00799   808   NtQueryValueKey  (64,  (64, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (64, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) }, 102, ) == 0x0
 00800   808   NtClose  (64, ... ) == 0x0
 00801   808   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 64, ) }, ... 64, ) == 0x0
 00802   808   NtQueryValueKey  (64,  (64, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (64, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0
 00803   808   NtQueryValueKey  (64,  (64, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (64, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0
 00804   808   NtClose  (64, ... ) == 0x0
 00805   808   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 64, ) }, ... 64, ) == 0x0
 00806   808   NtQueryValueKey  (64,  (64, "DevicePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00807   808   NtQueryValueKey  (64,  (64, "DevicePath", Partial, 346, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0c\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0r\0i\0c\0h\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0c\0e\0r\0c\0s\0r\06\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\03\02\00\0r\0a\0i\0d\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0i\0a\0s\0t\0o\0r\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0n\0v\0r\0a\0i\0d\0\0\0"}, 346, ) , Partial, 346, ... TitleIdx=0, Type=2, Data= (64, "DevicePath", Partial, 346, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0c\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0r\0i\0c\0h\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0c\0e\0r\0c\0s\0r\06\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\03\02\00\0r\0a\0i\0d\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0i\0a\0s\0t\0o\0r\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0n\0v\0r\0a\0i\0d\0\0\0"}, 346, ) }, 346, ) == 0x0
 00808   808   NtAllocateVirtualMemory  (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0
 00809   808   NtClose  (64, ... ) == 0x0
 00810   808   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 64, ) == 0x0
 00811   808   NtCreateMutant  (0x1f0001, 0x0, 0, ... 72, ) == 0x0
 00812   808   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 76, ) == 0x0
 00813   808   NtCreateMutant  (0x1f0001, 0x0, 0, ... 80, ) == 0x0
 00814   808   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 84, ) == 0x0
 00815   808   NtCreateMutant  (0x1f0001, 0x0, 0, ... 88, ) == 0x0
 00816   808   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 92, ) }, ... 92, ) == 0x0
 00817   808   NtQueryValueKey  (92,  (92, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (92, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00818   808   NtQueryValueKey  (92,  (92, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (92, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00819   808   NtQueryValueKey  (92,  (92, "LogPath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00820   808   NtOpenKey  (0x1, {24, 92, 0x40, 0, 0,  (0x1, {24, 92, 0x40, 0, 0, "AppLogLevels"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00821   808   NtClose  (92, ... ) == 0x0
 00822   808   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 1239428, ... ) }, 1239428, ... ) == 0x0
 00823   808   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName"}, ... 92, ) }, ... 92, ) == 0x0
 00824   808   NtQueryValueKey  (92,  (92, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (92, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Data= (92, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) }, 60, ) == 0x0
 00825   808   NtClose  (92, ... ) == 0x0
 00826   808   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 92, ) }, ... 92, ) == 0x0
 00827   808   NtQueryValueKey  (92,  (92, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (92, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) , Data= (92, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) }, 52, ) == 0x0
 00828   808   NtClose  (92, ... ) == 0x0
 00829   808   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\System\DNSclient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00830   808   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 92, ) }, ... 92, ) == 0x0
 00831   808   NtQueryValueKey  (92,  (92, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (92, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Data= (92, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) }, 34, ) == 0x0
 00832   808   NtClose  (92, ... ) == 0x0
 00833   808   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHLWAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00834   808   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00835   808   NtCreateSemaphore  (0x1f0003, {24, 48, 0x80, 1343256, 0,  (0x1f0003, {24, 48, 0x80, 1343256, 0, "shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}"}, 0, 2147483647, ... 92, ) }, 0, 2147483647, ... 92, ) == STATUS_OBJECT_NAME_EXISTS
 00836   808   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\faultrep.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00837   808   NtOpenKey  (0x20119, {24, 16, 0x40, 0, 0,  (0x20119, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\PCHealth\ErrorReporting"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00838   808   NtCreateKey  (0x20119, {24, 16, 0x40, 0, 0,  (0x20119, {24, 16, 0x40, 0, 0, "Software\Microsoft\PCHealth\ErrorReporting"}, 0, 0x0, 0, ... 96, 2, ) }, 0, 0x0, 0, ... 96, 2, ) == 0x0
 00839   808   NtOpenKey  (0x10000, {24, 96, 0x40, 0, 0,  (0x10000, {24, 96, 0x40, 0, 0, "DW"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00840   808   NtQueryValueKey  (96,  (96, "DoReport", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "DoReport", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00841   808   NtQueryValueKey  (96,  (96, "ShowUI", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "ShowUI", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00842   808   NtQueryValueKey  (96,  (96, "AllOrNone", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "AllOrNone", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00843   808   NtQueryValueKey  (96,  (96, "IncludeMicrosoftApps", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "IncludeMicrosoftApps", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00844   808   NtQueryValueKey  (96,  (96, "IncludeWindowsApps", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "IncludeWindowsApps", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00845   808   NtQueryValueKey  (96,  (96, "DoTextLog", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00846   808   NtQueryValueKey  (96,  (96, "IncludeKernelFaults", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "IncludeKernelFaults", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00847   808   NtQueryValueKey  (96,  (96, "IncludeShutdownErrs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00848   808   NtQueryValueKey  (96,  (96, "NumberOfFaultPipes", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00849   808   NtQueryValueKey  (96,  (96, "NumberOfHangPipes", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00850   808   NtQueryValueKey  (96,  (96, "MaxUserQueueSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00851   808   NtQueryValueKey  (96,  (96, "ForceQueueMode", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00852   808   NtCreateKey  (0x20119, {24, 96, 0x40, 0, 0,  (0x20119, {24, 96, 0x40, 0, 0, "ExclusionList"}, 0, 0x0, 0, ... 100, 2, ) }, 0, 0x0, 0, ... 100, 2, ) == 0x0
 00853   808   NtCreateKey  (0x20119, {24, 96, 0x40, 0, 0,  (0x20119, {24, 96, 0x40, 0, 0, "InclusionList"}, 0, 0x0, 0, ... 104, 2, ) }, 0, 0x0, 0, ... 104, 2, ) == 0x0
 00854   808   NtClose  (96, ... ) == 0x0
 00855   808   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "System\Setup"}, ... 96, ) }, ... 96, ) == 0x0
 00856   808   NtQueryValueKey  (96,  (96, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00857   808   NtClose  (96, ... ) == 0x0
 00858   808   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00859   808   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00860   808   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1236956, ... ) }, 1236956, ... ) == 0x0
 00861   808   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\"}, 3, 16417, ... 96, {status=0x0, info=1}, ) }, 3, 16417, ... 96, {status=0x0, info=1}, ) == 0x0
 00862   808   NtQueryDirectoryFile  (96, 0, 0, 0, 1236384, 616, BothDirectory, 1,  (96, 0, 0, 0, 1236384, 616, BothDirectory, 1, "work", 0, ... {status=0x0, info=104}, ) , 0, ... {status=0x0, info=104}, ) == 0x0
 00863   808   NtClose  (96, ... ) == 0x0
 00864   808   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work\"}, 3, 16417, ... 96, {status=0x0, info=1}, ) }, 3, 16417, ... 96, {status=0x0, info=1}, ) == 0x0
 00865   808   NtQueryDirectoryFile  (96, 0, 0, 0, 1236384, 616, BothDirectory, 1,  (96, 0, 0, 0, 1236384, 616, BothDirectory, 1, "packed.exe", 0, ... {status=0x0, info=120}, ) , 0, ... {status=0x0, info=120}, ) == 0x0
 00866   808   NtClose  (96, ... ) == 0x0
 00867   808   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00868   808   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00869   808   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00870   808   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00871   808   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1235604, ... ) }, 1235604, ... ) == 0x0
 00872   808   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1234376, ... ) }, 1234376, ... ) == 0x0
 00873   808   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00874   808   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00875   808   NtQueryValueKey  (100,  (100, "packed.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00876   808   NtOpenThreadToken  (-2, 0x2000c, 1, ... ) == STATUS_NO_TOKEN
 00877   808   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 00878   808   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00879   808   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00880   808   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 96, ) }, ... 96, ) == 0x0
 00881   808   NtQueryValueKey  (96,  (96, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00882   808   NtClose  (96, ... ) == 0x0
 00883   808   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00884   808   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 96, ) == 0x0
 00885   808   NtAllocateVirtualMemory  (-1, 1347584, 0, 4096, 4096, 4, ... 1347584, 4096, ) == 0x0
 00886   808   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 108, ) == 0x0
 00887   808   NtQuerySystemTime  (... {1100253002, 29916038}, ) == 0x0
 00888   808   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 112, ) == 0x0
 00889   808   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00890   808   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0
 00891   808   NtQueryInformationProcess  (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0
 00892   808   NtQueryInformationProcess  (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0
 00893   808   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 116, ) == 0x0
 00894   808   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 120, ) == 0x0
 00895   808   NtDeviceIoControlFile  (44, 0, 0x0, 0x0, 0x390008,  (44, 0, 0x0, 0x0, 0x390008, "Do\211!m(}\374\241oT\334A\237\320\202\247\227\344 \255U\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00896   808   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00897   808   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00898   808   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00899   808   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00900   808   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00901   808   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00902   808   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00903   808   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482740, 2, ) }, 0, 0x0, 0, ... -2147482740, 2, ) == 0x0
 00904   808   NtSetValueKey  (-2147482740,  (-2147482740, "Seed", 0, 3, "\11\2z\262\303\330\252\265\5)]\12l\271\207\5\231\15l\33\11C\346\223\246\237t1h\322\221\2428q\310\202\210\351\300\347\253\23p9\336\22\220A\377)\162T\351A\254\3158\211E\215U\253\341\237\333\347\211\364\370\231z\262h\345\330d\361y", 80, ... ) , 0, 3,  (-2147482740, "Seed", 0, 3, "\11\2z\262\303\330\252\265\5)]\12l\271\207\5\231\15l\33\11C\346\223\246\237t1h\322\221\2428q\310\202\210\351\300\347\253\23p9\336\22\220A\377)\162T\351A\254\3158\211E\215U\253\341\237\333\347\211\364\370\231z\262h\345\330d\361y", 80, ... ) , 80, ... ) == 0x0
 00905   808   NtClose  (-2147482740, ... ) == 0x0
 00895   808   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\27\247\22\315\21{&\261`\353\37C\356\207\204M$\311g#\226\5\16\313\310Cl\376\2313\230=\274\204\266\13Q\271\202f\200\13\13\350\211\263o\3;\256\303\365\355m\270o\325\327h\370\375\2ywf\374\267\255H\330\220x\31\233}1\350)\324\226\33\243\341\355\210\367\324\237jO1\35\264\14}\330\257<\26\206c\211\256\34\323\3165\30\206\17\325\210\2\4\322:\312\35]p?\217\376\31\30\302\22\201\252RD\361\31x\377\16\264\24Q\337\217\265\360\320\357\2\370\261\334\321\305\25D\362:`{W\242<\23\321\24\351v\213\215\35\20\346|'\15\204.\245=\251\2141\276\344,a\27648I\2014\213\254\275\254\302\260.\12\5e!\310\AK\245\201\221\327\265\320\13g\366H\17tr\376IF\254\335\242\337U\361\361\221\277\320!\230:\277r\230\254-i\266\364-C\12x?\35\357\12\10n=b\177z", ) , ) == 0x0
 00906   808   NtDeviceIoControlFile  (44, 0, 0x0, 0x0, 0x390008,  (44, 0, 0x0, 0x0, 0x390008, "Do\211!m(}\374\241oT\334A\237>\217f\4p\304\344<\17\247\227\344 \255U\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00907   808   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00908   808   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00909   808   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00910   808   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00911   808   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00912   808   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00913   808   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00914   808   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482740, 2, ) }, 0, 0x0, 0, ... -2147482740, 2, ) == 0x0
 00915   808   NtSetValueKey  (-2147482740,  (-2147482740, "Seed", 0, 3, "/w`\241\260}\256\257s\306\366\336\315\10]\27CT\2706\24\240\341u\251o\372\227\305o\330\247\342\316\275\302\376B\270\304zK\33b\25\357\314\276\326\303`\202\205d:\27\314\254\321\255nC\276 8\346\3\25\275wI\320\354N\315\331\0\26z\34", 80, ... ) , 0, 3,  (-2147482740, "Seed", 0, 3, "/w`\241\260}\256\257s\306\366\336\315\10]\27CT\2706\24\240\341u\251o\372\227\305o\330\247\342\316\275\302\376B\270\304zK\33b\25\357\314\276\326\303`\202\205d:\27\314\254\321\255nC\276 8\346\3\25\275wI\320\354N\315\331\0\26z\34", 80, ... ) , 80, ... ) == 0x0
 00916   808   NtClose  (-2147482740, ... ) == 0x0
 00906   808   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\230}\11$1\33P.)7\34\26\12\330N]\2304m\316\273i\273t\236\377\267\370\310&Jwt{H\255X8\3Sk8\3070\20\210\207\227\337\357\376c\343-L}Xa$\23\255[\316\275p\2649\334\326g\345~\212\311\335\303\37\242q\366t\10\2506dUP!\227)j\360ZI\1G\235\\267\2276\23n\227g\312\223\261l\224g\W\177Q p\320\17K\10\330\350\257\22\326C\227e\333;\307\254\232\10d\315\34\270\244\373B\177\2\6\2P;Y\14\201R%*9d57\371=#\353\36ao\374\341\224\26Z\34=I\207N^\306\201vE6\35\357\327V\360\320x\361FjW\2]\263\244\303\366\33\320o\267\23006\272Z\253\260\15\32\214\352^\215\4\27`\213%\254\5\370[J\350\367_", ) \212\311\335\303\37\242q\366t\10\2506dUP!\227)j\360ZI\1G\235\\267\2276\23n\227g\312\223\261l\224g\W\177Q p\320\17K\10\330\350\257\22\326C\227e\333;\307\254\232\10d\315\34\270\244\373B\177\2\6\2P;Y\14\201R%*9d57\371=#\353\36ao\374\341\224\26Z\34=I\207N^\306\201vE6\35\357\327V\360\320x\361FjW\2]\263\244\303\366\33\320o\267\23006\272Z\253\260\15\32\214\352^\215\4\27`\213%\254\5\370[J\350\367_", ) == 0x0
 00917   808   NtDeviceIoControlFile  (44, 0, 0x0, 0x0, 0x390008,  (44, 0, 0x0, 0x0, 0x390008, "Do\211!m(}\374\241oT\334A\237>\217f\4p\304\344\322\2f\4p\304\344<\17\247\227\344 \255U\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00918   808   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00919   808   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00920   808   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00921   808   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00922   808   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00923   808   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00924   808   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00925   808   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482740, 2, ) }, 0, 0x0, 0, ... -2147482740, 2, ) == 0x0
 00926   808   NtSetValueKey  (-2147482740,  (-2147482740, "Seed", 0, 3, "-\200\222\331\270\204G\321\16]\6\266\270g\325x0\202K<4\177WR\364\334P\3\275\273\375K\275\227\251\226c\21\136OP\177\207NuH\32mi\35\303,\7\363/QE1w\325c.jk\350\364(\15(\5\304\377\7\304P\341e+\306", 80, ... ) , 0, 3,  (-2147482740, "Seed", 0, 3, "-\200\222\331\270\204G\321\16]\6\266\270g\325x0\202K<4\177WR\364\334P\3\275\273\375K\275\227\251\226c\21\136OP\177\207NuH\32mi\35\303,\7\363/QE1w\325c.jk\350\364(\15(\5\304\377\7\304P\341e+\306", 80, ... ) , 80, ... ) == 0x0
 00927   808   NtClose  (-2147482740, ... ) == 0x0
 00917   808   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\26?_ztP\234P\371.\356\360_\217'e0\207\237\263`CF\214\247\2555y>y\24-\2122\233\265g\306oK\222\34\313\204GW\260$\320\3345V\3419\346\24g\241\250\322\323\302\250\375\302\212;\7\30W\213\212\240\313\17\326sq\17c:\355\204D\327\360\200\256B+p\356\273Y\246\1\304\11\2473\203M\247\242q\256\3623\315\235\363\224\231\316\4<>\277ge\334\370t\207\300\320\305\277|\327\23\3663b\3\240\215z47:!u\311\235D\261\17\204h<\241\205Xz\330@\203\263\311\342,\236#F\377,\372\10\201\250\310\330#\212\33\276\231\342\221\344\347z\274\353\342\304\6\215\6\244\256\301\2470\360\327\204\376LB\366T\250\302&\261\267R\22uk\2555*b`[\273~\340\7\222)\11)\242\3467\267V\210\357I\11\235TKXR'\263(\367\352a\3501#\177\332\243\274\210%", ) , ) == 0x0
 00928   808   NtDeviceIoControlFile  (44, 0, 0x0, 0x0, 0x390008,  (44, 0, 0x0, 0x0, 0x390008, "Do\211!m(}\374\241oT\334A\237>\217f\4p\304\344\322\2f\4p\304\344\322\2f\4p\304\344<\17\247\227\344 \255U\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00929   808   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00930   808   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00931   808   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00932   808   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00933   808   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00934   808   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00935   808   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00936   808   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482740, 2, ) }, 0, 0x0, 0, ... -2147482740, 2, ) == 0x0
 00937   808   NtSetValueKey  (-2147482740,  (-2147482740, "Seed", 0, 3, "Y\362\374Z\316\20#\0\246\236\247k\356r\332\2139\26Te`bZ\251\335\260\14\314c\231h\263\354\355\366\325\221\255\250S\254\352)\236\3117\370'\315 \34P\340\305Pwz\304\226\343\223\15\14]\325*\311s\221\355\337c\325\257\332\316\264J\26\347", 80, ... ) , 0, 3,  (-2147482740, "Seed", 0, 3, "Y\362\374Z\316\20#\0\246\236\247k\356r\332\2139\26Te`bZ\251\335\260\14\314c\231h\263\354\355\366\325\221\255\250S\254\352)\236\3117\370'\315 \34P\340\305Pwz\304\226\343\223\15\14]\325*\311s\221\355\337c\325\257\332\316\264J\26\347", 80, ... ) , 80, ... ) == 0x0
 00938   808   NtClose  (-2147482740, ... ) == 0x0
 00928   808   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "h\21\306\366\274\205\273r\17\317\36>\340\333\216YU\11'|\312`n\302o\246p\24\252\237\361\277-\226\234F\330\326\350\354\1F=&\33\1\367\326\4e;\231v\236V\243\233\205m\322\346\320\2534-\270\255]\266\345\215[\224\346\312\314\25\322~\12\365b\216\276\313dh`\272q\13\237\243\353\361f\240`\241\261z\245\254\306\2\245_C0\370Qs\33\271.\242R'4f\351M\7\323I\13Kg M\20\320\220\17\2464Z\270\34\240B\2310-\6\202\312v\336F\221\202\234W\207B\120\252\15\334E\31SA\216\330cm\201[\3431\34\364W\214\254G\17\224\206\324\22\177\3466\200|\220W\360\361\334\366,9F\345r\224\211\320\272\312\326\216q,\265W\235[\247\365\300\227m\37\370\273.a\301R\201\215\312g\300\272f\266\26\34:F6>B\311\270}/FzM\216\271\1\234\354\256Sm", ) , ) == 0x0
 00939   808   NtDeviceIoControlFile  (44, 0, 0x0, 0x0, 0x390008,  (44, 0, 0x0, 0x0, 0x390008, "Do\211!m(}\374\241oT\334A\237>\217f\4p\304\344\322\2f\4p\304\344\322\2f\4p\304\344\322\2f\4p\304\344<\17\247\227\344 \255U\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00940   808   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00941   808   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00942   808   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00943   808   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00944   808   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00945   808   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00946   808   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00947   808   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482740, 2, ) }, 0, 0x0, 0, ... -2147482740, 2, ) == 0x0
 00948   808   NtSetValueKey  (-2147482740,  (-2147482740, "Seed", 0, 3, "\7\364\250\325\272%V]\302U\216\374C\3008\362\330|D\313\20\12\204\333Z\356\252\355\306j\254\202_>\331\320\14\357\336\310\360\322H\325", 80, ... ) , 0, 3,  (-2147482740, "Seed", 0, 3, "\7\364\250\325\272%V]\302U\216\374C\3008\362\330|D\313\20\12\204\333Z\356\252\355\306j\254\202_>\331\320\14\357\336\310\360\322H\325", 80, ... ) \333Z\356\252\355\306j\254\202_>\331\320\14\357\336\310\360\322H\325", 80, ... ) == 0x0
 00949   808   NtClose  (-2147482740, ... ) == 0x0
 00939   808   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\301kv\207#\3423\236\355Y\35M\212\355jI{E\34RQ\211J|\331f]\32law\16\361\34\222\340\354\313\236\335\337<\21\350\252*~.\220\12\255\2q\2318\226\265\266KQ+\345\256\344.\316\263jh)v{65\247=qk\3\251\275\247C\207`\240yX\1\344\274cV\207;\254DS_\371\373\277\354\7\307\327H\331uU\206K\1\256\240}\247{\222\17\2607\244\217\312\13\360H\214\256\273\330\201\6\327&a\213S\256S\210\15\370\226m\220sYel{\242k\327|\15\377\271\301th\332\305\177R\351x\356\310n\371\16\260L\205[\373\6cm\222h\346\306n\227&\4\327\231\221\7^\207W\367B\272\235\12\265\252J\243\341\364~\272o)v\370w\267A\357!\263ZK\366\271\324x!\300\371p\365\362/\304\317|\324|z\270\247\350\246\326\236s]_\26\263U\243\271\30\302S\30", ) , ) == 0x0
 00950   808   NtDeviceIoControlFile  (44, 0, 0x0, 0x0, 0x390008,  (44, 0, 0x0, 0x0, 0x390008, "Do\211!m(}\374\241oT\334A\237>\217f\4p\304\344\322\2f\4p\304\344\322\2f\4p\304\344\322\2f\4p\304\344\322\2f\4p\304\344<\17\247\227\344 \255U\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00951   808   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00952   808   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00953   808   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00954   808   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00955   808   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00956   808   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00957   808   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00958   808   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482740, 2, ) }, 0, 0x0, 0, ... -2147482740, 2, ) == 0x0
 00959   808   NtSetValueKey  (-2147482740,  (-2147482740, "Seed", 0, 3, "\304d\210V\234\314uW\243g\316\33I\217\100.gSFb(s\336\374\0\205E\231\217\361\224'U\3574"\351\335\302\15R\327\276\34ai\301c}\302B\16\35\356U\213\214\255\344\6\253\200:\177\360j&\13\33\3029\232k\230\33\321\236", 80, ... ) , 0, 3,  (-2147482740, "Seed", 0, 3, "\304d\210V\234\314uW\243g\316\33I\217\100.gSFb(s\336\374\0\205E\231\217\361\224'U\3574"\351\335\302\15R\327\276\34ai\301c}\302B\16\35\356U\213\214\255\344\6\253\200:\177\360j&\13\33\3029\232k\230\33\321\236", 80, ... ) \351\335\302\15R\327\276\34ai\301c}\302B\16\35\356U\213\214\255\344\6\253\200:\177\360j&\13\33\3029\232k\230\33\321\236", 80, ... ) == 0x0
 00960   808   NtClose  (-2147482740, ... ) == 0x0
 00950   808   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\2447\26\262\241\36\304%\346{P\206\366\276\255E\234^#\20O\212\240;\243a\314\202AV\367\307\207\10\317T\325u\314Lo\371yp\332o\361w\15\241\357@@\215G\27O\261\342\217{\362\353\247\23\306\242\222S\377\323X\342"\330%P\3\337\214\12\352K\24\372\204\326\357G\271\3\303b\304K\341>6\341\342\17\377j4\3d\214\333\35\37\300??\252\201\3709\227\277\241\210*\321\203\342\366r'\17q\210L\363\306\302\34\371\177\257]\203C\26%O\276vW\2\334\364\270\6\11\2/\310\226\321\276\323\277\212qw\347\275\215X\376\372h\300\231*b{=g\200\255\362w\15 \226\224\220\365\314\326\304U\313\357\267\267\232q/\17\364.jp\10\377\370\0\210\30\1\242\373@\366\342X\323J\274k\222\333?\317\305ed\265"Gg9V\336\331,\344$\253?"\335\376\344\324M\342\335\33\274\341J|", ) \330%P\3\337\214\12\352K\24\372\204\326\357G\271\3\303b\304K\341>6\341\342\17\377j4\3d\214\333\35\37\300??\252\201\3709\227\277\241\210*\321\203\342\366r'\17q\210L\363\306\302\34\371\177\257]\203C\26%O\276vW\2\334\364\270\6\11\2/\310\226\321\276\323\277\212qw\347\275\215X\376\372h\300\231*b{=g\200\255\362w\15 \226\224\220\365\314\326\304U\313\357\267\267\232q/\17\364.jp\10\377\370\0\210\30\1\242\373@\366\342X\323J\274k\222\333?\317\305ed\265 ... {status=0x0, info=256}, "\2447\26\262\241\36\304%\346{P\206\366\276\255E\234^#\20O\212\240;\243a\314\202AV\367\307\207\10\317T\325u\314Lo\371yp\332o\361w\15\241\357@@\215G\27O\261\342\217{\362\353\247\23\306\242\222S\377\323X\342"\330%P\3\337\214\12\352K\24\372\204\326\357G\271\3\303b\304K\341>6\341\342\17\377j4\3d\214\333\35\37\300??\252\201\3709\227\277\241\210*\321\203\342\366r'\17q\210L\363\306\302\34\371\177\257]\203C\26%O\276vW\2\334\364\270\6\11\2/\310\226\321\276\323\277\212qw\347\275\215X\376\372h\300\231*b{=g\200\255\362w\15 \226\224\220\365\314\326\304U\313\357\267\267\232q/\17\364.jp\10\377\370\0\210\30\1\242\373@\366\342X\323J\274k\222\333?\317\305ed\265"Gg9V\336\331,\344$\253?"\335\376\344\324M\342\335\33\274\341J|", ) \335\376\344\324M\342\335\33\274\341J|", ) == 0x0
 00961   808   NtDeviceIoControlFile  (44, 0, 0x0, 0x0, 0x390008,  (44, 0, 0x0, 0x0, 0x390008, "Do\211!m(}\374\241oT\334A\237>\217f\4p\304\344\322\2f\4p\304\344\322\2f\4p\304\344\322\2f\4p\304\344\322\2f\4p\304\344\322\2f\4p\304\344<\17\247\227\344 \255U\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00962   808   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00963   808   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00964   808   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00965   808   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00966   808   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00967   808   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00968   808   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00969   808   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482740, 2, ) }, 0, 0x0, 0, ... -2147482740, 2, ) == 0x0
 00970   808   NtSetValueKey  (-2147482740,  (-2147482740, "Seed", 0, 3, "W\263 c,e\323\200\34\216\244=\322\272\1777\4\200\267\320i:\242\256\33\307\205fTy\223\30\344\337t{n\25\36?y\301\311c\31g=\32-\305DY\36h\17|\202ln\7\315\262)\26\326\275|\377\343\267O\224\371\276\303\0\335\363!\314", 80, ... ) , 0, 3,  (-2147482740, "Seed", 0, 3, "W\263 c,e\323\200\34\216\244=\322\272\1777\4\200\267\320i:\242\256\33\307\205fTy\223\30\344\337t{n\25\36?y\301\311c\31g=\32-\305DY\36h\17|\202ln\7\315\262)\26\326\275|\377\343\267O\224\371\276\303\0\335\363!\314", 80, ... ) , 80, ... ) == 0x0
 00971   808   NtClose  (-2147482740, ... ) == 0x0
 00961   808   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\234pUx\367\275U\353a\202\375\334o\10l*\260o\2qF\236\10P\365p\220\3159l\2536\307\27\207\245\321\3772\203\276q\334\250p\326d\360\302L\243\311\212*}\201\355\376\312\347 \205\246R\222\242\232+D\334]aVC\30D\220P0\234?r\231\357\350b\255\345w(\32\200\240\342\271\313\225W\24\341[\237\204\261Eu]\365m\347,\270a\203 \27E\300\341M\267\210\371\350\10\307\221\257\32\216.Y\267\361 (\335~*\\241\201?\177O.\366?z\345\2\37J\2532\24J\253\37&\21\360\225W\337\201\371)_J\372^h\207\261HBHf\277\373!\210\265\15\307\225\362)<\202\314\321p\2148\373c\326j\344\303\24.\311\,FF}gU"?\32\16\204\333\23\32\5\251\310\355-!\2\336\322k\325\264\177\230\2208j\3\264\37\306\325DO\334\206\265\365\302\10\15\225\352\301\13", ) ?\32\16\204\333\23\32\5\251\310\355-!\2\336\322k\325\264\177\230\2208j\3\264\37\306\325DO\334\206\265\365\302\10\15\225\352\301\13", ) == 0x0
 00972   808   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 124, ) == 0x0
 00973   808   NtConnectPort  ( ("\RPC Control\IcaApi", {12, 2, 1, 0}, 0x0, 0x0, 1234748, 188, ... 128, 0x0, 0x0, 0x0, 188, ) , {12, 2, 1, 0}, 0x0, 0x0, 1234748, 188, ... 128, 0x0, 0x0, 0x0, 188, ) == 0x0
 00974   808   NtRequestWaitReplyPort  (128, {200, 224, new_msg, 0, 1350664, 12, 2, 1310721}  (128, {200, 224, new_msg, 0, 1350664, 12, 2, 1310721} "\0\0\0\0\274\0\0\0x\1\24\0`\247\244\\261\353\317\21\206\21\0\240$T \355\1\0\0\0\1\0\0\08\232\24\0\4\0\0\0x\1\24\0\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\24\0\2\0\0\0\4\220E^\345\224(\351\270\233\24\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0\220\233\24\0#\211~\33x\1\24\0\260\233\24\0h\1\24\0\0\0\0\0\0\0\0\0\260\233\24\0P\0\0\0\270\233\24\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\274\325\22\0\372\31\221|P\335\22\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ... {200, 224, reply, 0, 1928, 808, 57971, 0} "\7\0\0\0\274\0\0\0x\1\24\0`\247\244\\261\353\317\21\206\21\0\240$T \355\1\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0x\1\24\0\377\377\377\377\5\0\0\0x\1\24\0\0\0\0\0\0\0\24\0\2\0\0\0\4\220E^\345\224(\351\270\233\24\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0\220\233\24\0#\211~\33x\1\24\0\260\233\24\0h\1\24\0\0\0\0\0\0\0\0\0\260\233\24\0P\0\0\0\270\233\24\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\274\325\22\0\372\31\221|P\335\22\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" )  ... {200, 224, reply, 0, 1928, 808, 57971, 0}  (128, {200, 224, new_msg, 0, 1350664, 12, 2, 1310721} "\0\0\0\0\274\0\0\0x\1\24\0`\247\244\\261\353\317\21\206\21\0\240$T \355\1\0\0\0\1\0\0\08\232\24\0\4\0\0\0x\1\24\0\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\24\0\2\0\0\0\4\220E^\345\224(\351\270\233\24\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0\220\233\24\0#\211~\33x\1\24\0\260\233\24\0h\1\24\0\0\0\0\0\0\0\0\0\260\233\24\0P\0\0\0\270\233\24\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\274\325\22\0\372\31\221|P\335\22\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ... {200, 224, reply, 0, 1928, 808, 57971, 0} "\7\0\0\0\274\0\0\0x\1\24\0`\247\244\\261\353\317\21\206\21\0\240$T \355\1\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0x\1\24\0\377\377\377\377\5\0\0\0x\1\24\0\0\0\0\0\0\0\24\0\2\0\0\0\4\220E^\345\224(\351\270\233\24\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0\220\233\24\0#\211~\33x\1\24\0\260\233\24\0h\1\24\0\0\0\0\0\0\0\0\0\260\233\24\0P\0\0\0\270\233\24\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\274\325\22\0\372\31\221|P\335\22\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" )  ) == 0x0
 00975   808   NtRequestWaitReplyPort  (128, {32, 56, new_msg, 0, 0, 0, 0, 0}  (128, {32, 56, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\3\0\0`\247\244\\261\353\317\21\206\21\0\240$T \355\377\377\377\377\0\0\0\0" ... {124, 148, reply, 0, 1928, 808, 57972, 0} "\2\376\255\201\1\0\0\0\200Y\274\201V\347\340\341\264\311\275\201:\332R\200X;\350\371\324\376\255\201\0\0\0\0\0\0\0\0)%\25E?>\A\250\245\22\360\331E\16S\10\210\300\310\0\0\0\3\1\0\0\3\1\0\0\10A\210\300\0@\250\300\220\276u\201\264;\350\371R\250S\200\304;\350\371\4\0\0\0\0\0\0\0\220\276u\201<(\255\201\7\0\0\0\304\277u\201]\0\0\0" )  ... {124, 148, reply, 0, 1928, 808, 57972, 0}  (128, {32, 56, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\3\0\0`\247\244\\261\353\317\21\206\21\0\240$T \355\377\377\377\377\0\0\0\0" ... {124, 148, reply, 0, 1928, 808, 57972, 0} "\2\376\255\201\1\0\0\0\200Y\274\201V\347\340\341\264\311\275\201:\332R\200X;\350\371\324\376\255\201\0\0\0\0\0\0\0\0)%\25E?>\A\250\245\22\360\331E\16S\10\210\300\310\0\0\0\3\1\0\0\3\1\0\0\10A\210\300\0@\250\300\220\276u\201\264;\350\371R\250S\200\304;\350\371\4\0\0\0\0\0\0\0\220\276u\201<(\255\201\7\0\0\0\304\277u\201]\0\0\0" )  ) == 0x0
 00976   808   NtAllocateVirtualMemory  (-1, 1351680, 0, 4096, 4096, 4, ... 1351680, 4096, ) == 0x0
 00977   808   NtRequestWaitReplyPort  (128, {44, 68, new_msg, 56, 1928, 808, 57972, 0}  (128, {44, 68, new_msg, 56, 1928, 808, 57972, 0} "\1\376\0\0B\2\5\0\200Y\274\201V\347\340\341\264\311\275\201:\332R\200\377\377\377\377\324\376\255\201\1\0\0\0\210\236\24\0\10\5\0\0" ... {40, 64, reply, 0, 1928, 808, 57973, 0} "\2\31\221|\4\0\221|\200\300\227|p\31\221|\250$\12\0\330\0\0\0d\365\11\0\0\300\372\177\14\5\0\0\320\371\15\0" )  ... {40, 64, reply, 0, 1928, 808, 57973, 0}  (128, {44, 68, new_msg, 56, 1928, 808, 57972, 0} "\1\376\0\0B\2\5\0\200Y\274\201V\347\340\341\264\311\275\201:\332R\200\377\377\377\377\324\376\255\201\1\0\0\0\210\236\24\0\10\5\0\0" ... {40, 64, reply, 0, 1928, 808, 57973, 0} "\2\31\221|\4\0\221|\200\300\227|p\31\221|\250$\12\0\330\0\0\0d\365\11\0\0\300\372\177\14\5\0\0\320\371\15\0" )  ) == 0x0
 00978   808   NtRequestWaitReplyPort  (128, {64, 88, new_msg, 56, 1351024, 1235324, 1351296, 0}  (128, {64, 88, new_msg, 56, 1351024, 1235324, 1351296, 0} "\10\0\0\0@\0\1\10\2\0\0t\330\22\0\210\236\24\0\220\335\22\0\30\356\220|p\5\221|\1\0\0\0\210\236\24\0\14\5\0\0\14\5\0\0\320\371\15\0\0\0\0\0\0\0\0\0\273f\347w" ... {64, 88, reply, 56, 1928, 808, 57974, 0} "\10\0\0\0@\0\1\10\2\0\0t\330\22\0\210\236\24\0\220\335\22\0\30\356\220|p\5\221|\1\0\0\0\210\236\24\0\14\5\0\0\14\5\0\0\320\371\15\0\0\0\0\0\0\0\0\0\273f\347w" )  ... {64, 88, reply, 56, 1928, 808, 57974, 0}  (128, {64, 88, new_msg, 56, 1351024, 1235324, 1351296, 0} "\10\0\0\0@\0\1\10\2\0\0t\330\22\0\210\236\24\0\220\335\22\0\30\356\220|p\5\221|\1\0\0\0\210\236\24\0\14\5\0\0\14\5\0\0\320\371\15\0\0\0\0\0\0\0\0\0\273f\347w" ... {64, 88, reply, 56, 1928, 808, 57974, 0} "\10\0\0\0@\0\1\10\2\0\0t\330\22\0\210\236\24\0\220\335\22\0\30\356\220|p\5\221|\1\0\0\0\210\236\24\0\14\5\0\0\14\5\0\0\320\371\15\0\0\0\0\0\0\0\0\0\273f\347w" )  ) == 0x0
 00979   808   NtRequestWaitReplyPort  (128, {44, 68, new_msg, 56, 1928, 808, 57973, 0}  (128, {44, 68, new_msg, 56, 1928, 808, 57973, 0} "\1\31\0\0B\2\5\0\200\300\227|p\31\221|\250$\12\0\330\0\0\0\377\377\377\377\0\300\372\177\1\0\0\0\210\236\24\0\10\5\0\0" ... {40, 64, reply, 0, 1928, 808, 57975, 0} "\2\376\255\201\4\0\0\0\200Y\274\201V\347\340\341\264\311\275\201:\332R\200X;\350\371\324\376\255\201\14\5\0\0\320\371\15\0" )  ... {40, 64, reply, 0, 1928, 808, 57975, 0}  (128, {44, 68, new_msg, 56, 1928, 808, 57973, 0} "\1\31\0\0B\2\5\0\200\300\227|p\31\221|\250$\12\0\330\0\0\0\377\377\377\377\0\300\372\177\1\0\0\0\210\236\24\0\10\5\0\0" ... {40, 64, reply, 0, 1928, 808, 57975, 0} "\2\376\255\201\4\0\0\0\200Y\274\201V\347\340\341\264\311\275\201:\332R\200X;\350\371\324\376\255\201\14\5\0\0\320\371\15\0" )  ) == 0x0
 00980   808   NtRequestWaitReplyPort  (128, {64, 88, new_msg, 56, 1351024, 1235324, 1351296, 0}  (128, {64, 88, new_msg, 56, 1351024, 1235324, 1351296, 0} "\10\0\0\0@\0\1\10\2\0\0t\330\22\0\210\236\24\0\220\335\22\0\30\356\220|p\5\221|\1\0\0\0\210\236\24\0\14\5\0\0\14\5\0\0\320\371\15\0\0\0\0\0\0\0\0\0\273f\347w" ... {64, 88, reply, 56, 1928, 808, 57976, 0} "\10\0\0\0@\0\1\10\2\0\0t\330\22\0\210\236\24\0\220\335\22\0\30\356\220|p\5\221|\1\0\0\0\210\236\24\0\14\5\0\0\14\5\0\0\320\371\15\0\0\0\0\0\0\0\0\0\273f\347w" )  ... {64, 88, reply, 56, 1928, 808, 57976, 0}  (128, {64, 88, new_msg, 56, 1351024, 1235324, 1351296, 0} "\10\0\0\0@\0\1\10\2\0\0t\330\22\0\210\236\24\0\220\335\22\0\30\356\220|p\5\221|\1\0\0\0\210\236\24\0\14\5\0\0\14\5\0\0\320\371\15\0\0\0\0\0\0\0\0\0\273f\347w" ... {64, 88, reply, 56, 1928, 808, 57976, 0} "\10\0\0\0@\0\1\10\2\0\0t\330\22\0\210\236\24\0\220\335\22\0\30\356\220|p\5\221|\1\0\0\0\210\236\24\0\14\5\0\0\14\5\0\0\320\371\15\0\0\0\0\0\0\0\0\0\273f\347w" )  ) == 0x0
 00981   808   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 132, ) }, ... 132, ) == 0x0
 00982   808   NtOpenKey  (0x20019, {24, 132, 0x40, 0, 0,  (0x20019, {24, 132, 0x40, 0, 0, "ActiveComputerName"}, ... 136, ) }, ... 136, ) == 0x0
 00983   808   NtQueryValueKey  (136,  (136, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (136, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Data= (136, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) }, 60, ) == 0x0
 00984   808   NtClose  (136, ... ) == 0x0
 00985   808   NtClose  (132, ... ) == 0x0
 00986   808   NtCreateIoCompletion  (0x1f0003, 0x0, 0, ... 132, ) == 0x0
 00987   808   NtCreateIoCompletion  (0x1f0003, 0x0, -1, ... 136, ) == 0x0
 00988   808   NtDuplicateObject  (-1, 132, -1, 0x0, 0, 2, ... 140, ) == 0x0
 00989   808   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 00990   808   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 144, ) == 0x0
 00991   808   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 00992   808   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 00993   808   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1234784,  (0xc0100080, {24, 0, 0x40, 0, 1234784, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 148, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 148, {status=0x0, info=1}, ) == 0x0
 00994   808   NtSetInformationFile  (148, 1234840, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 00995   808   NtSetInformationFile  (148, 1234828, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 00996   808   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 00997   808   NtWriteFile  (148, 117, 0, 0,  (148, 117, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 00998   808   NtReadFile  (148, 117, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (148, 117, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20,+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 00999   808   NtFsControlFile  (148, 117, 0x0, 0x0, 0x11c017,  (148, 117, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\336\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20,+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (148, 117, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\336\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20,+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01000   808   NtFsControlFile  (148, 117, 0x0, 0x0, 0x11c017,  (148, 117, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\214\0\0\0\2\0\0\0t\0\0\0\0\0D\0\0\0\0\0\24\316\274T\274\235tH\233\354\372\234W@\301\22\1\0\0\0\1\0\0\0,\0.\0\334\340\22\0\27\0\0\0\0\0\0\0\26\0\0\0V\0I\0R\0T\0U\0A\0L\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 140, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\24\316\274T\274\235tH\233\354\372\234W@\301\22\0\0\0\0", ) , 140, 1024, ... {status=0x103, info=48},  (148, 117, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\214\0\0\0\2\0\0\0t\0\0\0\0\0D\0\0\0\0\0\24\316\274T\274\235tH\233\354\372\234W@\301\22\1\0\0\0\1\0\0\0,\0.\0\334\340\22\0\27\0\0\0\0\0\0\0\26\0\0\0V\0I\0R\0T\0U\0A\0L\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 140, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\24\316\274T\274\235tH\233\354\372\234W@\301\22\0\0\0\0", ) , ) == 0x103
 01001   808   NtFsControlFile  (148, 117, 0x0, 0x0, 0x11c017,  (148, 117, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\24\316\274T\274\235tH\233\354\372\234W@\301\22", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\250\251\24\0\1\0\0\0\264\251\24\0 \0\0\0\1\0\0\0\16\0\20\0\300\251\24\0\320\251\24\0\10\0\0\0\0\0\0\0\7\0\0\0V\0I\0R\0T\0U\0A\0L\0\0\5\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\1\0\0\0\20\252\24\0\1\0\0\0\1\0\0\0 \252\24\0\0\0\0\0\0\0\0\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\353\3\0\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=180},  (148, 117, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\24\316\274T\274\235tH\233\354\372\234W@\301\22", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\250\251\24\0\1\0\0\0\264\251\24\0 \0\0\0\1\0\0\0\16\0\20\0\300\251\24\0\320\251\24\0\10\0\0\0\0\0\0\0\7\0\0\0V\0I\0R\0T\0U\0A\0L\0\0\5\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\1\0\0\0\20\252\24\0\1\0\0\0\1\0\0\0 \252\24\0\0\0\0\0\0\0\0\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\353\3\0\0\1\0\0\0\0\0\0\0", ) , ) == 0x103
 01002   808   NtClose  (144, ... ) == 0x0
 01003   808   NtClose  (148, ... ) == 0x0
 01004   808   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01005   808   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 148, ) == 0x0
 01006   808   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01007   808   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01008   808   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1234756,  (0xc0100080, {24, 0, 0x40, 0, 1234756, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 144, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 144, {status=0x0, info=1}, ) == 0x0
 01009   808   NtSetInformationFile  (144, 1234812, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01010   808   NtSetInformationFile  (144, 1234800, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01011   808   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01012   808   NtWriteFile  (144, 117, 0, 0,  (144, 117, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01013   808   NtReadFile  (144, 117, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (144, 117, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20-+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01014   808   NtFsControlFile  (144, 117, 0x0, 0x0, 0x11c017,  (144, 117, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\14\336\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20-+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (144, 117, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\14\336\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20-+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01015   808   NtFsControlFile  (144, 117, 0x0, 0x0, 0x11c017,  (144, 117, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\214\0\0\0\2\0\0\0t\0\0\0\0\0D\0\0\0\0\0\2169\4V\276h{J\225\236o\243\366\340=\216\1\0\0\0\1\0\0\0,\0.\0\334\340\22\0\27\0\0\0\0\0\0\0\26\0\0\0V\0I\0R\0T\0U\0A\0L\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 140, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\2169\4V\276h{J\225\236o\243\366\340=\216\0\0\0\0", ) , 140, 1024, ... {status=0x103, info=48},  (144, 117, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\214\0\0\0\2\0\0\0t\0\0\0\0\0D\0\0\0\0\0\2169\4V\276h{J\225\236o\243\366\340=\216\1\0\0\0\1\0\0\0,\0.\0\334\340\22\0\27\0\0\0\0\0\0\0\26\0\0\0V\0I\0R\0T\0U\0A\0L\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 140, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\2169\4V\276h{J\225\236o\243\366\340=\216\0\0\0\0", ) , ) == 0x103
 01016   808   NtFsControlFile  (144, 117, 0x0, 0x0, 0x11c017,  (144, 117, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\2169\4V\276h{J\225\236o\243\366\340=\216", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\250\251\24\0\1\0\0\0\264\251\24\0 \0\0\0\1\0\0\0\16\0\20\0\300\251\24\0\320\251\24\0\10\0\0\0\0\0\0\0\7\0\0\0V\0I\0R\0T\0U\0A\0L\0\0\5\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\1\0\0\0\20\252\24\0\1\0\0\0\1\0\0\0 \252\24\0\0\0\0\0\0\0\0\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\353\3\0\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=180},  (144, 117, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\2169\4V\276h{J\225\236o\243\366\340=\216", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\250\251\24\0\1\0\0\0\264\251\24\0 \0\0\0\1\0\0\0\16\0\20\0\300\251\24\0\320\251\24\0\10\0\0\0\0\0\0\0\7\0\0\0V\0I\0R\0T\0U\0A\0L\0\0\5\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\1\0\0\0\20\252\24\0\1\0\0\0\1\0\0\0 \252\24\0\0\0\0\0\0\0\0\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\353\3\0\0\1\0\0\0\0\0\0\0", ) , ) == 0x103
 01017   808   NtClose  (148, ... ) == 0x0
 01018   808   NtClose  (144, ... ) == 0x0
 01019   808   NtOpenProcessToken  (-1, 0x20008, ... 144, ) == 0x0
 01020   808   NtQueryInformationToken  (144, User, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 01021   808   NtQueryInformationToken  (144, User, 36, ... {token info, class 1, size 36}, 36, ) == 0x0
 01022   808   NtOpenDirectoryObject  (0x2, {24, 0, 0x40, 0, 0,  (0x2, {24, 0, 0x40, 0, 0, "\Windows\WindowStations"}, ... 148, ) }, ... 148, ) == 0x0
 01023   808   NtUserOpenWindowStation  ({24, 148, 0x40, 0, 0,  ({24, 148, 0x40, 0, 0, "winsta0"}, 0x37f, ... ) }, 0x37f, ... ) == 0x98
 01024   808   NtClose  (148, ... ) == 0x0
 01025   808   NtUserCloseWindowStation  (152, ...
 01026   808   NtClose  (152, ... ) == 0x0
 01025   808   NtUserCloseWindowStation  ... ) == 0x1
 01027   808   NtClose  (144, ... ) == 0x0
 01028   808   NtCreateEvent  (0x1f0003, {24, 0, 0x2, 0, 0, 0x0}, 1, 0, ... 144, ) == 0x0
 01029   808   NtCreateEvent  (0x1f0003, {24, 0, 0x2, 0, 0, 0x0}, 1, 0, ... 152, ) == 0x0
 01030   808   NtCreateMutant  (0x1f0001, {24, 0, 0x2, 0, 0, 0x0}, 0, ... 148, ) == 0x0
 01031   808   NtDuplicateObject  (-1, -1, -1, 0x1f0fff, 2, 0, ... 156, ) == 0x0
 01032   808   NtCreateSection  (0xf0007, {24, 0, 0x2, 0, 0, 0x0}, {7248, 0}, 4, 134217728, 0, ... 160, ) == 0x0
 01033   808   NtMapViewOfSection  (160, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3d0000), {0, 0}, 8192, ) == 0x0
 01034   808   NtQueryDefaultUILanguage  (1235448, ...
 01035   808   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01036   808   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482740, ) == 0x0
 01037   808   NtQueryInformationToken  (-2147482740, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01038   808   NtClose  (-2147482740, ... ) == 0x0
 01039   808   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0
 01040   808   NtOpenKey  (0x80000000, {24, -2147482740, 0x240, 0, 0,  (0x80000000, {24, -2147482740, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01041   808   NtOpenKey  (0x80000000, {24, -2147482740, 0x640, 0, 0,  (0x80000000, {24, -2147482740, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481328, ) }, ... -2147481328, ) == 0x0
 01042   808   NtQueryValueKey  (-2147481328,  (-2147481328, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01043   808   NtClose  (-2147481328, ... ) == 0x0
 01044   808   NtClose  (-2147482740, ... ) == 0x0
 01034   808   NtQueryDefaultUILanguage  ... ) == 0x0
 01045   808   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01046   808   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01047   808   NtAllocateVirtualMemory  (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0
 01048   808   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1233692, ... ) }, 1233692, ... ) == 0x0
 01049   808   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1232464, ... ) }, 1232464, ... ) == 0x0
 01050   808   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01051   808   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01052   808   NtCreateFile  (0x10100080, {24, 0, 0x40, 0, 1234800,  (0x10100080, {24, 0, 0x40, 0, 1234800, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\f34_appcompat.txt"}, 0x0, 128, 0, 2, 96, 0, 0, ... }, 0x0, 128, 0, 2, 96, 0, 0, ...
 01053   808   NtQueryDirectoryFile  (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1,  (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1, "DOCUME~1", 1, ... {status=0x0, info=56}, ) , 1, ... {status=0x0, info=56}, ) == 0x0
 01054   808   NtClose  (-2147482740, ... ) == 0x0
 01055   808   NtQueryDirectoryFile  (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1,  (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1, "MARTIM~1", 1, ... {status=0x0, info=40}, ) , 1, ... {status=0x0, info=40}, ) == 0x0
 01056   808   NtClose  (-2147482740, ... ) == 0x0
 01057   808   NtQueryDirectoryFile  (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1,  (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1, "LOCALS~1", 1, ... {status=0x0, info=40}, ) , 1, ... {status=0x0, info=40}, ) == 0x0
 01058   808   NtClose  (-2147482740, ... ) == 0x0
 01052   808   NtCreateFile  ... 164, {status=0x0, info=2}, ) == 0x0
 01059   808   NtClose  (164, ... ) == 0x0
 01060   808   NtCreateSection  (0xf001f, 0x0, {4194304, 0}, 4, 67108864, 0, ... 164, ) == 0x0
 01061   808   NtMapViewOfSection  (164, -1, (0x0), 0, 0, 0x0, 4194304, 2, 0, 4, ... (0xa90000), 0x0, 4194304, ) == 0x0
 01062   808   NtAllocateVirtualMemory  (-1, 11075584, 0, 1, 4096, 4, ... 11075584, 4096, ) == 0x0
 01063   808   NtAllocateVirtualMemory  (-1, 11079680, 0, 1968, 4096, 4, ... 11079680, 4096, ) == 0x0
 01064   808   NtCreateSection  (0xf0007, 0x0, {22396, 0}, 4, 134217728, 0, ... 168, ) == 0x0
 01065   808   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01066   808   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01067   808   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01068   808   NtClose  (164, ... ) == 0x0
 01069   808   NtUnmapViewOfSection  (-1, 0xa90000, ... ) == 0x0
 01070   808   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01071   808   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01072   808   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01073   808   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01074   808   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01075   808   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01076   808   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01077   808   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01078   808   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01079   808   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01080   808   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01081   808   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01082   808   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01083   808   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01084   808   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01085   808   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01086   808   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01087   808   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01088   808   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01089   808   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01090   808   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01091   808   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01092   808   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01093   808   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01094   808   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01095   808   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01096   808   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01097   808   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01098   808   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01099   808   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01100   808   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01101   808   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01102   808   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01103   808   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01104   808   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01105   808   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01106   808   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01107   808   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01108   808   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01109   808   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01110   808   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01111   808   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01112   808   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01113   808   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01114   808   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01115   808   NtClose  (168, ... ) == 0x0
 01116   808   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01117   808   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\u:"}, 3, 96, ... 168, {status=0x0, info=1}, ) }, 3, 96, ... 168, {status=0x0, info=1}, ) == 0x0
 01118   808   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\u:"}, ... 164, ) }, ... 164, ) == 0x0
 01119   808   NtQuerySymbolicLinkObject  (164, ...  (164, ... "\Device\WinDfs\U:0000000000009f43", 66, ) , 66, ) == 0x0
 01120   808   NtClose  (164, ... ) == 0x0
 01121   808   NtQueryVolumeInformationFile  (168, 1234016, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01122   808   NtClose  (168, ... ) == 0x0
 01123   808   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\apphelp.dll"}, 1232812, ... ) }, 1232812, ... ) == 0x0
 01124   808   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\apphelp.dll"}, 5, 96, ... 168, {status=0x0, info=1}, ) }, 5, 96, ... 168, {status=0x0, info=1}, ) == 0x0
 01125   808   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 168, ... 164, ) == 0x0
 01126   808   NtClose  (168, ... ) == 0x0
 01127   808   NtMapViewOfSection  (164, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x3e0000), 0x0, 126976, ) == 0x0
 01128   808   NtClose  (164, ... ) == 0x0
 01129   808   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01130   808   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\apphelp.dll"}, 1233120, ... ) }, 1233120, ... ) == 0x0
 01131   808   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\apphelp.dll"}, 5, 96, ... 164, {status=0x0, info=1}, ) }, 5, 96, ... 164, {status=0x0, info=1}, ) == 0x0
 01132   808   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 164, ... 168, ) == 0x0
 01133   808   NtQuerySection  (168, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01134   808   NtClose  (164, ... ) == 0x0
 01135   808   NtMapViewOfSection  (168, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77b40000), 0x0, 139264, ) == 0x0
 01136   808   NtClose  (168, ... ) == 0x0
 01137   808   NtProtectVirtualMemory  (-1, (0x77b41000), 524, 4, ... (0x77b41000), 4096, 32, ) == 0x0
 01138   808   NtProtectVirtualMemory  (-1, (0x77b41000), 4096, 32, ... (0x77b41000), 4096, 4, ) == 0x0
 01139   808   NtFlushInstructionCache  (-1, 2008289280, 524, ... ) == 0x0
 01140   808   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\apphelp.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01141   808   NtAllocateVirtualMemory  (-1, 1355776, 0, 12288, 4096, 4, ... 1355776, 12288, ) == 0x0
 01142   808   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1234508, ... ) }, 1234508, ... ) == 0x0
 01143   808   NtCreateFile  (0x40100080, {24, 0, 0x40, 0, 1234516,  (0x40100080, {24, 0, 0x40, 0, 1234516, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\f34_appcompat.txt"}, 0x0, 128, 0, 5, 96, 0, 0, ... }, 0x0, 128, 0, 5, 96, 0, 0, ...
 01144   808   NtClose  (-2147482740, ... ) == 0x0
 01145   808   NtQueryDirectoryFile  (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1,  (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1, "DOCUME~1", 1, ... {status=0x0, info=56}, ) , 1, ... {status=0x0, info=56}, ) == 0x0
 01146   808   NtClose  (-2147482740, ... ) == 0x0
 01147   808   NtQueryDirectoryFile  (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1,  (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1, "MARTIM~1", 1, ... {status=0x0, info=40}, ) , 1, ... {status=0x0, info=40}, ) == 0x0
 01148   808   NtClose  (-2147482740, ... ) == 0x0
 01149   808   NtQueryDirectoryFile  (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1,  (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1, "LOCALS~1", 1, ... {status=0x0, info=40}, ) , 1, ... {status=0x0, info=40}, ) == 0x0
 01150   808   NtClose  (-2147482740, ... ) == 0x0
 01143   808   NtCreateFile  ... 168, {status=0x0, info=3}, ) == 0x0
 01151   808   NtAllocateVirtualMemory  (-1, 1368064, 0, 12288, 4096, 4, ... 1368064, 12288, ) == 0x0
 01152   808   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work\"}, 3, 16417, ... 164, {status=0x0, info=1}, ) }, 3, 16417, ... 164, {status=0x0, info=1}, ) == 0x0
 01153   808   NtQueryDirectoryFile  (164, 0, 0, 0, 1233220, 616, BothDirectory, 1,  (164, 0, 0, 0, 1233220, 616, BothDirectory, 1, "packed.exe", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0
 01154   808   NtWriteFile  (168, 0, 0, 0,  (168, 0, 0, 0, "\377\376", 2, 0x0, 0, ... {status=0x0, info=2}, ) , 2, 0x0, 0, ... {status=0x0, info=2}, ) == 0x0
 01155   808   NtWriteFile  (168, 0, 0, 0,  (168, 0, 0, 0, "<\0?\0x\0m\0l\0 \0v\0e\0r\0s\0i\0o\0n\0=\0"\01\0.\00\0"\0 \0e\0n\0c\0o\0d\0i\0n\0g\0=\0"\0U\0T\0F\0-\01\06\0"\0?\0>\0\15\0\12\0<\0D\0A\0T\0A\0B\0A\0S\0E\0>\0\15\0\12\0", 106, 0x0, 0, ... {status=0x0, info=106}, ) \01\0.\00\0 (168, 0, 0, 0, "<\0?\0x\0m\0l\0 \0v\0e\0r\0s\0i\0o\0n\0=\0"\01\0.\00\0"\0 \0e\0n\0c\0o\0d\0i\0n\0g\0=\0"\0U\0T\0F\0-\01\06\0"\0?\0>\0\15\0\12\0<\0D\0A\0T\0A\0B\0A\0S\0E\0>\0\15\0\12\0", 106, 0x0, 0, ... {status=0x0, info=106}, ) \0U\0T\0F\0-\01\06\0 (168, 0, 0, 0, "<\0?\0x\0m\0l\0 \0v\0e\0r\0s\0i\0o\0n\0=\0"\01\0.\00\0"\0 \0e\0n\0c\0o\0d\0i\0n\0g\0=\0"\0U\0T\0F\0-\01\06\0"\0?\0>\0\15\0\12\0<\0D\0A\0T\0A\0B\0A\0S\0E\0>\0\15\0\12\0", 106, 0x0, 0, ... {status=0x0, info=106}, ) , 106, 0x0, 0, ... {status=0x0, info=106}, ) == 0x0
 01156   808   NtWriteFile  (168, 0, 0, 0,  (168, 0, 0, 0, "<\0E\0X\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0F\0I\0L\0T\0E\0R\0=\0"\0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0"\0>\0\15\0\12\0", 122, 0x0, 0, ... {status=0x0, info=122}, ) \0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0 (168, 0, 0, 0, "<\0E\0X\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0F\0I\0L\0T\0E\0R\0=\0"\0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0"\0>\0\15\0\12\0", 122, 0x0, 0, ... {status=0x0, info=122}, ) \0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0 (168, 0, 0, 0, "<\0E\0X\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0F\0I\0L\0T\0E\0R\0=\0"\0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0"\0>\0\15\0\12\0", 122, 0x0, 0, ... {status=0x0, info=122}, ) , 122, 0x0, 0, ... {status=0x0, info=122}, ) == 0x0
 01157   808   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1233600, ... ) }, 1233600, ... ) == 0x0
 01158   808   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work"}, 3, 16417, ... 172, {status=0x0, info=1}, ) }, 3, 16417, ... 172, {status=0x0, info=1}, ) == 0x0
 01159   808   NtQueryDirectoryFile  (172, 0, 0, 0, 1233212, 592, Directory, 1,  (172, 0, 0, 0, 1233212, 592, Directory, 1, "packed.exe", 0, ... {status=0x0, info=84}, ) , 0, ... {status=0x0, info=84}, ) == 0x0
 01160   808   NtClose  (172, ... ) == 0x0
 01161   808   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01162   808   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01163   808   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1232132, ... ) }, 1232132, ... ) == 0x0
 01164   808   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1230904, ... ) }, 1230904, ... ) == 0x0
 01165   808   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01166   808   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01167   808   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 0x0, 128, 1, 1, 96, 0, 0, ... 172, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 172, {status=0x0, info=1}, ) == 0x0
 01168   808   NtQueryInformationFile  (172, 1233688, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01169   808   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 172, ... 176, ) == 0x0
 01170   808   NtMapViewOfSection  (176, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xa90000), 0x0, 180224, ) == 0x0
 01171   808   NtUnmapViewOfSection  (-1, 0xa90000, ... ) == 0x0
 01172   808   NtClose  (176, ... ) == 0x0
 01173   808   NtClose  (172, ... ) == 0x0
 01174   808   NtWriteFile  (168, 0, 0, 0,  (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\01\07\08\01\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\01\03\08\07\07\0E\01\06\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\02\09\04\0A\06\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... \0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0 (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\01\07\08\01\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\01\03\08\07\07\0E\01\06\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\02\09\04\0A\06\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... \01\07\08\01\07\06\0 (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\01\07\08\01\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\01\03\08\07\07\0E\01\06\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\02\09\04\0A\06\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... \00\0x\01\03\08\07\07\0E\01\06\0 (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\01\07\08\01\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\01\03\08\07\07\0E\01\06\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\02\09\04\0A\06\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... \0W\0I\0N\03\02\0 (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\01\07\08\01\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\01\03\08\07\07\0E\01\06\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\02\09\04\0A\06\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... \00\0x\02\09\04\0A\06\0 (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\01\07\08\01\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\01\03\08\07\07\0E\01\06\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\02\09\04\0A\06\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... \00\0x\00\0 (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\01\07\08\01\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\01\03\08\07\07\0E\01\06\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\02\09\04\0A\06\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... \01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0 (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\01\07\08\01\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\01\03\08\07\07\0E\01\06\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\02\09\04\0A\06\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... \01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0 (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\01\07\08\01\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\01\03\08\07\07\0E\01\06\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\02\09\04\0A\06\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... , 418, 0x0, 0, ...
 01175   808   NtContinue  (-106648108, 0, ...
 01174   808   NtWriteFile  ... {status=0x0, info=418}, ) == 0x0
 01176   808   NtQueryDirectoryFile  (164, 0, 0, 0, 1371248, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES
 01177   808   NtClose  (164, ... ) == 0x0
 01178   808   NtWriteFile  (168, 0, 0, 0,  (168, 0, 0, 0, "<\0/\0E\0X\0E\0>\0\15\0\12\0", 16, 0x0, 0, ... {status=0x0, info=16}, ) , 16, 0x0, 0, ... {status=0x0, info=16}, ) == 0x0
 01179   808   NtClose  (168, ... ) == 0x0
 01180   808   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\kernel32.dll"}, 1234508, ... ) }, 1234508, ... ) == 0x0
 01181   808   NtCreateFile  (0x40100080, {24, 0, 0x40, 0, 1234516,  (0x40100080, {24, 0, 0x40, 0, 1234516, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\f34_appcompat.txt"}, 0x0, 128, 0, 3, 96, 0, 0, ... 168, {status=0x0, info=1}, ) }, 0x0, 128, 0, 3, 96, 0, 0, ... 168, {status=0x0, info=1}, ) == 0x0
 01182   808   NtQueryInformationFile  (168, 1234540, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01183   808   NtSetInformationFile  (168, 1234572, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01184   808   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\"}, 3, 16417, ... 164, {status=0x0, info=1}, ) }, 3, 16417, ... 164, {status=0x0, info=1}, ) == 0x0
 01185   808   NtQueryDirectoryFile  (164, 0, 0, 0, 1233220, 616, BothDirectory, 1,  (164, 0, 0, 0, 1233220, 616, BothDirectory, 1, "kernel32.dll", 0, ... {status=0x0, info=118}, ) , 0, ... {status=0x0, info=118}, ) == 0x0
 01186   808   NtWriteFile  (168, 0, 0, 0,  (168, 0, 0, 0, "<\0E\0X\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0F\0I\0L\0T\0E\0R\0=\0"\0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0"\0>\0\15\0\12\0", 126, 0x0, 0, ... {status=0x0, info=126}, ) \0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0 (168, 0, 0, 0, "<\0E\0X\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0F\0I\0L\0T\0E\0R\0=\0"\0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0"\0>\0\15\0\12\0", 126, 0x0, 0, ... {status=0x0, info=126}, ) \0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0 (168, 0, 0, 0, "<\0E\0X\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0F\0I\0L\0T\0E\0R\0=\0"\0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0"\0>\0\15\0\12\0", 126, 0x0, 0, ... {status=0x0, info=126}, ) , 126, 0x0, 0, ... {status=0x0, info=126}, ) == 0x0
 01187   808   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\kernel32.dll"}, 1233572, ... ) }, 1233572, ... ) == 0x0
 01188   808   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32"}, 3, 16417, ... 172, {status=0x0, info=1}, ) }, 3, 16417, ... 172, {status=0x0, info=1}, ) == 0x0
 01189   808   NtQueryDirectoryFile  (172, 0, 0, 0, 1233212, 592, Directory, 1,  (172, 0, 0, 0, 1233212, 592, Directory, 1, "kernel32.dll", 0, ... {status=0x0, info=88}, ) , 0, ... {status=0x0, info=88}, ) == 0x0
 01190   808   NtClose  (172, ... ) == 0x0
 01191   808   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01192   808   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01193   808   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\kernel32.dll"}, 1232132, ... ) }, 1232132, ... ) == 0x0
 01194   808   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\kernel32.dll"}, 1230904, ... ) }, 1230904, ... ) == 0x0
 01195   808   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01196   808   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01197   808   NtQueryDefaultLocale  (1, 1233092, ... ) == 0x0
 01198   808   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01199   808   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01200   808   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\kernel32.dll"}, 1232124, ... ) }, 1232124, ... ) == 0x0
 01201   808   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\kernel32.dll"}, 1230896, ... ) }, 1230896, ... ) == 0x0
 01202   808   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01203   808   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01204   808   NtQueryDefaultLocale  (1, 1233084, ... ) == 0x0
 01205   808   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\kernel32.dll"}, 0x0, 128, 1, 1, 96, 0, 0, ... 172, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 172, {status=0x0, info=1}, ) == 0x0
 01206   808   NtQueryInformationFile  (172, 1233688, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01207   808   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 172, ... 176, ) == 0x0
 01208   808   NtMapViewOfSection  (176, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xa90000), 0x0, 987136, ) == 0x0
 01209   808   NtUnmapViewOfSection  (-1, 0xa90000, ... ) == 0x0
 01210   808   NtClose  (176, ... ) == 0x0
 01211   808   NtClose  (172, ... ) == 0x0
 01212   808   NtQueryDefaultUILanguage  (1233044, ...
 01213   808   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01214   808   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482740, ) == 0x0
 01215   808   NtQueryInformationToken  (-2147482740, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01216   808   NtClose  (-2147482740, ... ) == 0x0
 01217   808   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0
 01218   808   NtOpenKey  (0x80000000, {24, -2147482740, 0x240, 0, 0,  (0x80000000, {24, -2147482740, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01219   808   NtOpenKey  (0x80000000, {24, -2147482740, 0x640, 0, 0,  (0x80000000, {24, -2147482740, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481328, ) }, ... -2147481328, ) == 0x0
 01220   808   NtQueryValueKey  (-2147481328,  (-2147481328, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01221   808   NtClose  (-2147481328, ... ) == 0x0
 01222   808   NtClose  (-2147482740, ... ) == 0x0
 01212   808   NtQueryDefaultUILanguage  ... ) == 0x0
 01223   808   NtWriteFile  (168, 0, 0, 0,  (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\08\04\05\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0F\00\0B\03\03\01\0F\06\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) \0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0 (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\08\04\05\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0F\00\0B\03\03\01\0F\06\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) \09\08\04\05\07\06\0 (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\08\04\05\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0F\00\0B\03\03\01\0F\06\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) \00\0x\0F\00\0B\03\03\01\0F\06\0 (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\08\04\05\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0F\00\0B\03\03\01\0F\06\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) \05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0 (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\08\04\05\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0F\00\0B\03\03\01\0F\06\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) \05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0 (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\08\04\05\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0F\00\0B\03\03\01\0F\06\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) \05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0 (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\08\04\05\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0F\00\0B\03\03\01\0F\06\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) \0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0 (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\08\04\05\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0F\00\0B\03\03\01\0F\06\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) \0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) == 0x0
 01224   808   NtQueryDirectoryFile  (164, 0, 0, 0, 1362544, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES
 01225   808   NtClose  (164, ... ) == 0x0
 01226   808   NtWriteFile  (168, 0, 0, 0,  (168, 0, 0, 0, "<\0/\0E\0X\0E\0>\0\15\0\12\0<\0/\0D\0A\0T\0A\0B\0A\0S\0E\0>\0\15\0\12\0", 42, 0x0, 0, ... {status=0x0, info=42}, ) , 42, 0x0, 0, ... {status=0x0, info=42}, ) == 0x0
 01227   808   NtClose  (168, ... ) == 0x0
 01228   808   NtUnmapViewOfSection  (-1, 0x77b40000, ... ) == 0x0
 01229   808   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 01230   808   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1231780, ... ) }, 1231780, ... ) == 0x0
 01231   808   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1232516, ... ) }, 1232516, ... ) == 0x0
 01232   808   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 5, 96, ... 168, {status=0x0, info=1}, ) }, 5, 96, ... 168, {status=0x0, info=1}, ) == 0x0
 01233   808   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 168, ... 164, ) == 0x0
 01234   808   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01235   808   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 172, ) }, ... 172, ) == 0x0
 01236   808   NtQueryValueKey  (172,  (172, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01237   808   NtClose  (172, ... ) == 0x0
 01238   808   NtQueryVolumeInformationFile  (168, 1231792, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01239   808   NtOpenMutant  (0x120001, {24, 48, 0x0, 0, 0,  (0x120001, {24, 48, 0x0, 0, 0, "ShimCacheMutex"}, ... 172, ) }, ... 172, ) == 0x0
 01240   808   NtWaitForSingleObject  (172, 0, {-1000000, -1}, ... ) == 0x0
 01241   808   NtOpenSection  (0x2, {24, 48, 0x0, 0, 0,  (0x2, {24, 48, 0x0, 0, 0, "ShimSharedMemory"}, ... 176, ) }, ... 176, ) == 0x0
 01242   808   NtMapViewOfSection  (176, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 57344, ) == 0x0
 01243   808   NtReleaseMutant  (172, ... 0x0, ) == 0x0
 01244   808   NtAllocateVirtualMemory  (-1, 1220608, 0, 4096, 4096, 260, ... 1220608, 4096, ) == 0x0
 01245   808   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1229724, ... ) }, 1229724, ... ) == 0x0
 01246   808   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 180, {status=0x0, info=1}, ) }, 5, 96, ... 180, {status=0x0, info=1}, ) == 0x0
 01247   808   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 180, ... 184, ) == 0x0
 01248   808   NtClose  (180, ... ) == 0x0
 01249   808   NtMapViewOfSection  (184, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa90000), 0x0, 126976, ) == 0x0
 01250   808   NtClose  (184, ... ) == 0x0
 01251   808   NtUnmapViewOfSection  (-1, 0xa90000, ... ) == 0x0
 01252   808   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1230032, ... ) }, 1230032, ... ) == 0x0
 01253   808   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 184, {status=0x0, info=1}, ) }, 5, 96, ... 184, {status=0x0, info=1}, ) == 0x0
 01254   808   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 184, ... 180, ) == 0x0
 01255   808   NtQuerySection  (180, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01256   808   NtClose  (184, ... ) == 0x0
 01257   808   NtMapViewOfSection  (180, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77b40000), 0x0, 139264, ) == 0x0
 01258   808   NtClose  (180, ... ) == 0x0
 01259   808   NtProtectVirtualMemory  (-1, (0x77b41000), 524, 4, ... (0x77b41000), 4096, 32, ) == 0x0
 01260   808   NtProtectVirtualMemory  (-1, (0x77b41000), 4096, 32, ... (0x77b41000), 4096, 4, ) == 0x0
 01261   808   NtFlushInstructionCache  (-1, 2008289280, 524, ... ) == 0x0
 01262   808   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Apphelp.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01263   808   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 180, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 180, {status=0x0, info=1}, ) == 0x0
 01264   808   NtQueryInformationFile  (180, 1230048, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01265   808   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 180, ... 184, ) == 0x0
 01266   808   NtMapViewOfSection  (184, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xa90000), 0x0, 1191936, ) == 0x0
 01267   808   NtQueryInformationFile  (180, 1230148, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01268   808   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01269   808   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01270   808   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 01271   808   NtOpenKey  (0x101, {24, 0, 0x40, 0, 0,  (0x101, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\WPA\TabletPC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01272   808   NtOpenKey  (0x101, {24, 0, 0x40, 0, 0,  (0x101, {24, 0, 0x40, 0, 0, "\Registry\Machine\SYSTEM\WPA\MediaCenter"}, ... 188, ) }, ... 188, ) == 0x0
 01273   808   NtQueryValueKey  (188,  (188, "Installed", Partial, 256, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 256, ... TitleIdx=0, Type=4, Data= (188, "Installed", Partial, 256, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01274   808   NtClose  (188, ... ) == 0x0
 01275   808   NtCreateFile  (0x120116, {24, 0, 0x40, 0, 0,  (0x120116, {24, 0, 0x40, 0, 0, "\Device\NamedPipe\ShimViewer"}, 0x0, 128, 0, 1, 0, 0, 0, ... ) }, 0x0, 128, 0, 1, 0, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01276   808   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\"}, 3, 16417, ... 188, {status=0x0, info=1}, ) }, 3, 16417, ... 188, {status=0x0, info=1}, ) == 0x0
 01277   808   NtQueryDirectoryFile  (188, 0, 0, 0, 1227744, 616, BothDirectory, 1,  (188, 0, 0, 0, 1227744, 616, BothDirectory, 1, "dwwin.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 01278   808   NtClose  (188, ... ) == 0x0
 01279   808   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01280   808   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01281   808   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1228120, ... ) }, 1228120, ... ) == 0x0
 01282   808   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 188, {status=0x0, info=1}, ) }, 3, 16417, ... 188, {status=0x0, info=1}, ) == 0x0
 01283   808   NtQueryDirectoryFile  (188, 0, 0, 0, 1227548, 616, BothDirectory, 1,  (188, 0, 0, 0, 1227548, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01284   808   NtClose  (188, ... ) == 0x0
 01285   808   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 188, {status=0x0, info=1}, ) }, 3, 16417, ... 188, {status=0x0, info=1}, ) == 0x0
 01286   808   NtQueryDirectoryFile  (188, 0, 0, 0, 1227548, 616, BothDirectory, 1,  (188, 0, 0, 0, 1227548, 616, BothDirectory, 1, "system32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01287   808   NtClose  (188, ... ) == 0x0
 01288   808   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\"}, 3, 16417, ... 188, {status=0x0, info=1}, ) }, 3, 16417, ... 188, {status=0x0, info=1}, ) == 0x0
 01289   808   NtQueryDirectoryFile  (188, 0, 0, 0, 1227548, 616, BothDirectory, 1,  (188, 0, 0, 0, 1227548, 616, BothDirectory, 1, "dwwin.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 01290   808   NtClose  (188, ... ) == 0x0
 01291   808   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01292   808   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01293   808   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01294   808   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01295   808   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01296   808   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 188, ) == 0x0
 01297   808   NtQueryInformationToken  (188, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01298   808   NtClose  (188, ... ) == 0x0
 01299   808   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01300   808   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\dwwin.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01301   808   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1228952, ... ) }, 1228952, ... ) == 0x0
 01302   808   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01303   808   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01304   808   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1227820, ... ) }, 1227820, ... ) == 0x0
 01305   808   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 5, 96, ... 188, {status=0x0, info=1}, ) }, 5, 96, ... 188, {status=0x0, info=1}, ) == 0x0
 01306   808   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 188, ... 192, ) == 0x0
 01307   808   NtClose  (188, ... ) == 0x0
 01308   808   NtMapViewOfSection  (192, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xbc0000), 0x0, 180224, ) == 0x0
 01309   808   NtClose  (192, ... ) == 0x0
 01310   808   NtUnmapViewOfSection  (-1, 0xbc0000, ... ) == 0x0
 01311   808   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1227416, ... ) }, 1227416, ... ) == 0x0
 01312   808   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1228160,  (0x80100080, {24, 0, 0x40, 0, 1228160, "\??\C:\WINDOWS\system32\dwwin.exe"}, 0x0, 0, 5, 1, 96, 0, 0, ... 192, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 192, {status=0x0, info=1}, ) == 0x0
 01313   808   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 192, ... 188, ) == 0x0
 01314   808   NtClose  (192, ... ) == 0x0
 01315   808   NtMapViewOfSection  (188, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xbc0000), {0, 0}, 180224, ) == 0x0
 01316   808   NtClose  (188, ... ) == 0x0
 01317   808   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01318   808   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01319   808   NtQueryDefaultLocale  (1, 1228780, ... ) == 0x0
 01320   808   NtQueryVirtualMemory  (-1, 0xbc0000, Basic, 28, ... {BaseAddress=0xbc0000,AllocationBase=0xbc0000,AllocationProtect=0x2,RegionSize=0x2c000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01321   808   NtQueryVirtualMemory  (-1, 0xbc0000, Basic, 28, ... {BaseAddress=0xbc0000,AllocationBase=0xbc0000,AllocationProtect=0x2,RegionSize=0x2c000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01322   808   NtUnmapViewOfSection  (-1, 0xbc0000, ... ) == 0x0
 01323   808   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01324   808   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01325   808   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1227812, ... ) }, 1227812, ... ) == 0x0
 01326   808   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 5, 96, ... 188, {status=0x0, info=1}, ) }, 5, 96, ... 188, {status=0x0, info=1}, ) == 0x0
 01327   808   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 188, ... 192, ) == 0x0
 01328   808   NtClose  (188, ... ) == 0x0
 01329   808   NtMapViewOfSection  (192, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xbc0000), 0x0, 180224, ) == 0x0
 01330   808   NtClose  (192, ... ) == 0x0
 01331   808   NtUnmapViewOfSection  (-1, 0xbc0000, ... ) == 0x0
 01332   808   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1227408, ... ) }, 1227408, ... ) == 0x0
 01333   808   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1228152,  (0x80100080, {24, 0, 0x40, 0, 1228152, "\??\C:\WINDOWS\system32\dwwin.exe"}, 0x0, 0, 5, 1, 96, 0, 0, ... 192, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 192, {status=0x0, info=1}, ) == 0x0
 01334   808   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 192, ... 188, ) == 0x0
 01335   808   NtClose  (192, ... ) == 0x0
 01336   808   NtMapViewOfSection  (188, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xbc0000), {0, 0}, 180224, ) == 0x0
 01337   808   NtClose  (188, ... ) == 0x0
 01338   808   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01339   808   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01340   808   NtQueryDefaultLocale  (1, 1228772, ... ) == 0x0
 01341   808   NtQueryVirtualMemory  (-1, 0xbc0000, Basic, 28, ... {BaseAddress=0xbc0000,AllocationBase=0xbc0000,AllocationProtect=0x2,RegionSize=0x2c000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01342   808   NtUnmapViewOfSection  (-1, 0xbc0000, ... ) == 0x0
 01343   808   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01344   808   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01345   808   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 188, ) == 0x0
 01346   808   NtQueryInformationToken  (188, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01347   808   NtClose  (188, ... ) == 0x0
 01348   808   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01349   808   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01350   808   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01351   808   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1229372, ... ) }, 1229372, ... ) == 0x0
 01352   808   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 188, {status=0x0, info=1}, ) }, 3, 16417, ... 188, {status=0x0, info=1}, ) == 0x0
 01353   808   NtQueryDirectoryFile  (188, 0, 0, 0, 1228800, 616, BothDirectory, 1,  (188, 0, 0, 0, 1228800, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01354   808   NtClose  (188, ... ) == 0x0
 01355   808   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 188, {status=0x0, info=1}, ) }, 3, 16417, ... 188, {status=0x0, info=1}, ) == 0x0
 01356   808   NtQueryDirectoryFile  (188, 0, 0, 0, 1228800, 616, BothDirectory, 1,  (188, 0, 0, 0, 1228800, 616, BothDirectory, 1, "system32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01357   808   NtClose  (188, ... ) == 0x0
 01358   808   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\"}, 3, 16417, ... 188, {status=0x0, info=1}, ) }, 3, 16417, ... 188, {status=0x0, info=1}, ) == 0x0
 01359   808   NtQueryDirectoryFile  (188, 0, 0, 0, 1228800, 616, BothDirectory, 1,  (188, 0, 0, 0, 1228800, 616, BothDirectory, 1, "dwwin.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 01360   808   NtClose  (188, ... ) == 0x0
 01361   808   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01362   808   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01363   808   NtWaitForSingleObject  (172, 0, {-1000000, -1}, ... ) == 0x0
 01364   808   NtReleaseMutant  (172, ... 0x0, ) == 0x0
 01365   808   NtUnmapViewOfSection  (-1, 0xa90000, ... ) == 0x0
 01366   808   NtClose  (184, ... ) == 0x0
 01367   808   NtClose  (180, ... ) == 0x0
 01368   808   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 01369   808   NtOpenProcessToken  (-1, 0xa, ... 180, ) == 0x0
 01370   808   NtQueryInformationToken  (180, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 01371   808   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01372   808   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 184, ) }, ... 184, ) == 0x0
 01373   808   NtQueryValueKey  (184,  (184, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (184, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01374   808   NtQueryValueKey  (184,  (184, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (184, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01375   808   NtClose  (184, ... ) == 0x0
 01376   808   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\LevelObjects"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01377   808   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 184, ) }, ... 184, ) == 0x0
 01378   808   NtQueryValueKey  (184,  (184, "Levels", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01379   808   NtClose  (184, ... ) == 0x0
 01380   808   NtQueryDefaultLocale  (1, 1231220, ... ) == 0x0
 01381   808   NtQueryDefaultLocale  (1, 1231220, ... ) == 0x0
 01382   808   NtQueryDefaultLocale  (1, 1231220, ... ) == 0x0
 01383   808   NtQueryDefaultLocale  (1, 1231220, ... ) == 0x0
 01384   808   NtQueryDefaultLocale  (1, 1231220, ... ) == 0x0
 01385   808   NtQueryDefaultLocale  (1, 1231220, ... ) == 0x0
 01386   808   NtQueryDefaultLocale  (1, 1231220, ... ) == 0x0
 01387   808   NtQueryDefaultLocale  (1, 1231220, ... ) == 0x0
 01388   808   NtQueryDefaultLocale  (1, 1231220, ... ) == 0x0
 01389   808   NtQueryDefaultLocale  (1, 1231220, ... ) == 0x0
 01390   808   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... 184, ) }, ... 184, ) == 0x0
 01391   808   NtEnumerateKey  (184, 0, Basic, 280, ... {LastWrite={0x3a5edea,0x1c74da9}, TitleIdx=0, Name= (184, 0, Basic, 280, ... {LastWrite={0x3a5edea,0x1c74da9}, TitleIdx=0, Name="{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, 92, ) }, 92, ) == 0x0
 01392   808   NtOpenKey  (0x20019, {24, 184, 0x40, 0, 0,  (0x20019, {24, 184, 0x40, 0, 0, "{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, ... 188, ) }, ... 188, ) == 0x0
 01393   808   NtQueryValueKey  (188,  (188, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) , Partial, 280, ... TitleIdx=0, Type=2, Data= (188, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) }, 202, ) == 0x0
 01394   808   NtQueryValueKey  (188,  (188, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (188, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01395   808   NtClose  (188, ... ) == 0x0
 01396   808   NtEnumerateKey  (184, 1, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES
 01397   808   NtClose  (184, ... ) == 0x0
 01398   808   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... 184, ) }, ... 184, ) == 0x0
 01399   808   NtEnumerateKey  (184, 0, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (184, 0, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{349d35ab-37b5-462f-9b89-edd5fbde1328}"}, 92, ) }, 92, ) == 0x0
 01400   808   NtOpenKey  (0x20019, {24, 184, 0x40, 0, 0,  (0x20019, {24, 184, 0x40, 0, 0, "{349d35ab-37b5-462f-9b89-edd5fbde1328}"}, ... 188, ) }, ... 188, ) == 0x0
 01401   808   NtQueryValueKey  (188,  (188, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="^\2530O\225zI\211j\0l\341\25@\25"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (188, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="^\2530O\225zI\211j\0l\341\25@\25"}, 28, ) }, 28, ) == 0x0
 01402   808   NtQueryValueKey  (188,  (188, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (188, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0
 01403   808   NtQueryValueKey  (188,  (188, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\13\3\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (188, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\13\3\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 01404   808   NtQueryValueKey  (188,  (188, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (188, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01405   808   NtClose  (188, ... ) == 0x0
 01406   808   NtEnumerateKey  (184, 1, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (184, 1, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}"}, 92, ) }, 92, ) == 0x0
 01407   808   NtOpenKey  (0x20019, {24, 184, 0x40, 0, 0,  (0x20019, {24, 184, 0x40, 0, 0, "{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}"}, ... 188, ) }, ... 188, ) == 0x0
 01408   808   NtQueryValueKey  (188,  (188, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="g\260\324\2134:?\323\274\351\334dg\4\363\224"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (188, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="g\260\324\2134:?\323\274\351\334dg\4\363\224"}, 28, ) }, 28, ) == 0x0
 01409   808   NtQueryValueKey  (188,  (188, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (188, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0
 01410   808   NtQueryValueKey  (188,  (188, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\5\2\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (188, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\5\2\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 01411   808   NtQueryValueKey  (188,  (188, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (188, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01412   808   NtClose  (188, ... ) == 0x0
 01413   808   NtEnumerateKey  (184, 2, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (184, 2, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}"}, 92, ) }, 92, ) == 0x0
 01414   808   NtOpenKey  (0x20019, {24, 184, 0x40, 0, 0,  (0x20019, {24, 184, 0x40, 0, 0, "{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}"}, ... 188, ) }, ... 188, ) == 0x0
 01415   808   NtQueryValueKey  (188,  (188, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="2x\2\334\376\370\310\223\334\212\260\6\335\204}\35"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (188, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="2x\2\334\376\370\310\223\334\212\260\6\335\204}\35"}, 28, ) }, 28, ) == 0x0
 01416   808   NtQueryValueKey  (188,  (188, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (188, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0
 01417   808   NtQueryValueKey  (188,  (188, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\226\3\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (188, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\226\3\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 01418   808   NtQueryValueKey  (188,  (188, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (188, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01419   808   NtClose  (188, ... ) == 0x0
 01420   808   NtEnumerateKey  (184, 3, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (184, 3, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{94e3e076-8f53-42a5-8411-085bcc18a68d}"}, 92, ) }, 92, ) == 0x0
 01421   808   NtOpenKey  (0x20019, {24, 184, 0x40, 0, 0,  (0x20019, {24, 184, 0x40, 0, 0, "{94e3e076-8f53-42a5-8411-085bcc18a68d}"}, ... 188, ) }, ... 188, ) == 0x0
 01422   808   NtQueryValueKey  (188,  (188, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="\275\232*\333B\353\330V\16%\16M\370\26/g"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (188, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="\275\232*\333B\353\330V\16%\16M\370\26/g"}, 28, ) }, 28, ) == 0x0
 01423   808   NtQueryValueKey  (188,  (188, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (188, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0
 01424   808   NtQueryValueKey  (188,  (188, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\345\0\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (188, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\345\0\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 01425   808   NtQueryValueKey  (188,  (188, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (188, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01426   808   NtClose  (188, ... ) == 0x0
 01427   808   NtEnumerateKey  (184, 4, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (184, 4, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}"}, 92, ) }, 92, ) == 0x0
 01428   808   NtOpenKey  (0x20019, {24, 184, 0x40, 0, 0,  (0x20019, {24, 184, 0x40, 0, 0, "{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}"}, ... 188, ) }, ... 188, ) == 0x0
 01429   808   NtQueryValueKey  (188,  (188, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="8k\10_\204\354\366i\323k\225j"\300\36\200"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (188, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="8k\10_\204\354\366i\323k\225j"\300\36\200"}, 28, ) \300\36\200"}, 28, ) == 0x0
 01430   808   NtQueryValueKey  (188,  (188, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (188, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0
 01431   808   NtQueryValueKey  (188,  (188, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="r\1\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (188, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="r\1\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 01432   808   NtQueryValueKey  (188,  (188, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (188, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01433   808   NtClose  (188, ... ) == 0x0
 01434   808   NtEnumerateKey  (184, 5, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES
 01435   808   NtClose  (184, ... ) == 0x0
 01436   808   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01437   808   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01438   808   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01439   808   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01440   808   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01441   808   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01442   808   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01443   808   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01444   808   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01445   808   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01446   808   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01447   808   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01448   808   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01449   808   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01450   808   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 184, ) == 0x0
 01451   808   NtQueryInformationToken  (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01452   808   NtClose  (184, ... ) == 0x0
 01453   808   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01454   808   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01455   808   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 184, ) == 0x0
 01456   808   NtQueryInformationToken  (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01457   808   NtClose  (184, ... ) == 0x0
 01458   808   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01459   808   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01460   808   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 184, ) == 0x0
 01461   808   NtQueryInformationToken  (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01462   808   NtClose  (184, ... ) == 0x0
 01463   808   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01464   808   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01465   808   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 184, ) == 0x0
 01466   808   NtQueryInformationToken  (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01467   808   NtClose  (184, ... ) == 0x0
 01468   808   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01469   808   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01470   808   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 184, ) == 0x0
 01471   808   NtQueryInformationToken  (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01472   808   NtClose  (184, ... ) == 0x0
 01473   808   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01474   808   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01475   808   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 184, ) == 0x0
 01476   808   NtQueryInformationToken  (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01477   808   NtClose  (184, ... ) == 0x0
 01478   808   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01479   808   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01480   808   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 184, ) == 0x0
 01481   808   NtQueryInformationToken  (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01482   808   NtClose  (184, ... ) == 0x0
 01483   808   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01484   808   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01485   808   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 184, ) == 0x0
 01486   808   NtQueryInformationToken  (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01487   808   NtClose  (184, ... ) == 0x0
 01488   808   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01489   808   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01490   808   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 184, ) == 0x0
 01491   808   NtQueryInformationToken  (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01492   808   NtClose  (184, ... ) == 0x0
 01493   808   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01494   808   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01495   808   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 184, ) == 0x0
 01496   808   NtQueryInformationToken  (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01497   808   NtClose  (184, ... ) == 0x0
 01498   808   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01499   808   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01500   808   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 184, ) == 0x0
 01501   808   NtQueryInformationToken  (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01502   808   NtClose  (184, ... ) == 0x0
 01503   808   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01504   808   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01505   808   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 184, ) == 0x0
 01506   808   NtQueryInformationToken  (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01507   808   NtClose  (184, ... ) == 0x0
 01508   808   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01509   808   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01510   808   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 184, ) == 0x0
 01511   808   NtQueryInformationToken  (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01512   808   NtClose  (184, ... ) == 0x0
 01513   808   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01514   808   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01515   808   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 184, ) == 0x0
 01516   808   NtQueryInformationToken  (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01517   808   NtClose  (184, ... ) == 0x0
 01518   808   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01519   808   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01520   808   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 184, ) == 0x0
 01521   808   NtQueryInformationToken  (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01522   808   NtClose  (184, ... ) == 0x0
 01523   808   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01524   808   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 184, ) }, ... 184, ) == 0x0
 01525   808   NtQueryValueKey  (184,  (184, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (184, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Data= (184, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) }, 48, ) == 0x0
 01526   808   NtClose  (184, ... ) == 0x0
 01527   808   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01528   808   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 184, ) == 0x0
 01529   808   NtQueryInformationToken  (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01530   808   NtClose  (184, ... ) == 0x0
 01531   808   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01532   808   NtOpenThreadToken  (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN
 01533   808   NtOpenProcessToken  (-1, 0xa, ... 184, ) == 0x0
 01534   808   NtDuplicateToken  (184, 0xc, {24, 0, 0x0, 0, 1231652, 0x0}, 0, 2, ... 188, ) == 0x0
 01535   808   NtClose  (184, ... ) == 0x0
 01536   808   NtAccessCheck  (1379984, 188, 0x1, 1231728, 1231780, 56, 1231760, ... (0x1), ) == 0x0
 01537   808   NtClose  (188, ... ) == 0x0
 01538   808   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 188, ) }, ... 188, ) == 0x0
 01539   808   NtQueryValueKey  (188,  (188, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (188, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01540   808   NtClose  (188, ... ) == 0x0
 01541   808   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 188, ) }, ... 188, ) == 0x0
 01542   808   NtQuerySymbolicLinkObject  (188, ...  (188, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0
 01543   808   NtClose  (188, ... ) == 0x0
 01544   808   NtQueryVolumeInformationFile  (168, 1229484, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01545   808   NtQueryInformationFile  (168, 1229600, 528, Name, ... {status=0x0, info=58}, ) == 0x0
 01546   808   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01547   808   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01548   808   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1228772, ... ) }, 1228772, ... ) == 0x0
 01549   808   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 188, {status=0x0, info=1}, ) }, 3, 16417, ... 188, {status=0x0, info=1}, ) == 0x0
 01550   808   NtQueryDirectoryFile  (188, 0, 0, 0, 1228200, 616, BothDirectory, 1,  (188, 0, 0, 0, 1228200, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01551   808   NtClose  (188, ... ) == 0x0
 01552   808   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 188, {status=0x0, info=1}, ) }, 3, 16417, ... 188, {status=0x0, info=1}, ) == 0x0
 01553   808   NtQueryDirectoryFile  (188, 0, 0, 0, 1228200, 616, BothDirectory, 1,  (188, 0, 0, 0, 1228200, 616, BothDirectory, 1, "system32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01554   808   NtClose  (188, ... ) == 0x0
 01555   808   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\"}, 3, 16417, ... 188, {status=0x0, info=1}, ) }, 3, 16417, ... 188, {status=0x0, info=1}, ) == 0x0
 01556   808   NtQueryDirectoryFile  (188, 0, 0, 0, 1228200, 616, BothDirectory, 1,  (188, 0, 0, 0, 1228200, 616, BothDirectory, 1, "dwwin.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 01557   808   NtClose  (188, ... ) == 0x0
 01558   808   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01559   808   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01560   808   NtQueryInformationFile  (168, 1231640, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01561   808   NtCreateSection  (0xf0005, 0x0, {180224, 0}, 2, 134217728, 168, ... 188, ) == 0x0
 01562   808   NtMapViewOfSection  (188, -1, (0x0), 0, 0, {0, 0}, 180224, 1, 0, 2, ... (0xa90000), {0, 0}, 180224, ) == 0x0
 01563   808   NtClose  (188, ... ) == 0x0
 01564   808   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01565   808   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 188, ) == 0x0
 01566   808   NtQueryInformationToken  (188, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01567   808   NtClose  (188, ... ) == 0x0
 01568   808   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 188, ) }, ... 188, ) == 0x0
 01569   808   NtOpenKey  (0x20019, {24, 188, 0x40, 0, 0,  (0x20019, {24, 188, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 184, ) }, ... 184, ) == 0x0
 01570   808   NtClose  (188, ... ) == 0x0
 01571   808   NtQueryValueKey  (184,  (184, "Cache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01572   808   NtQueryValueKey  (184,  (184, "Cache", Partial, 174, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 174, ) , Partial, 174, ... TitleIdx=0, Type=1, Data= (184, "Cache", Partial, 174, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 174, ) }, 174, ) == 0x0
 01573   808   NtClose  (184, ... ) == 0x0
 01574   808   NtUnmapViewOfSection  (-1, 0xa90000, ... ) == 0x0
 01575   808   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 8192, 4, ... 4128768, 4096, ) == 0x0
 01576   808   NtAllocateVirtualMemory  (-1, 4128768, 0, 4096, 4096, 4, ... 4128768, 4096, ) == 0x0
 01577   808   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 184, ) }, ... 184, ) == 0x0
 01578   808   NtQueryValueKey  (184,  (184, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01579   808   NtClose  (184, ... ) == 0x0
 01580   808   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01581   808   NtQueryInformationToken  (180, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0
 01582   808   NtQueryInformationToken  (180, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0
 01583   808   NtClose  (180, ... ) == 0x0
 01584   808   NtQuerySection  (164, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01585   808   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwwin.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01586   808   NtQuerySystemInformation  (71, 4, ... {system info, class 71, size 4}, 0x0, ) == 0x0
 01587   808   NtCreateProcessEx  (1233564, 2035711, 0, -1, 4, 164, 0, 0, 0, ... ) == 0x0
 01588   808   NtSetInformationProcess  (180, PriorityClass, {process info, class 18, size 2}, 512, ... ) == 0x0
 01589   808   NtSetInformationProcess  (180, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01590   808   NtQueryInformationProcess  (180, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdb000,AffinityMask=0x1,BasePriority=8,Pid=1656,ParentPid=1928,}, 0x0, ) == 0x0
 01591   808   NtReadVirtualMemory  (180, 0x7ffdb008, 4, ...  (180, 0x7ffdb008, 4, ... "\0\0\00", 0x0, ) , 0x0, ) == 0x0
 01592   808   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01593   808   NtReadVirtualMemory  (180, 0x30000000, 4096, ...  (180, 0x30000000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0$\206\244\23`\347\312@`\347\312@`\347\312@9\304\331@b\347\312@`\347\313@d\347\312@\210\370\301@a\347\312@\343\373\304@j\347\312@\210\370\300@I\347\312@6\370\331@h\347\312@\272\304\326@i\347\312@\220\370\301@p\347\312@`\347\312@H\346\312@Rich`\347\312@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0N\23\216?\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\24\0\220\2\0\0\240\0\0\0\0\0\0\232t\0\0\0\20\0\0\0\320\3\0\0\0\00\0\20\0\0\0\20\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0@\3\0\0\20\0\0\237*\3\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\327\211\2\0z\1\0\0\00\3\0\244\12\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Z\236\2\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\2\0\0\370\0\0\0\0\20\0\0\270\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\222\216\2\0", 4096, ) , 4096, ) == 0x0
 01594   808   NtReadVirtualMemory  (180, 0x30033000, 256, ...  (180, 0x30033000, 256, ... "\0\0\0\0J\23\216?\0\0\0\0\0\0\3\0\5\0\0\0(\0\0\200\13\0\0\0@\0\0\200\20\0\0\0X\0\0\200\0\0\0\0J\23\216?\0\0\0\0\0\0\1\0e\0\0\0p\0\0\200\0\0\0\0J\23\216?\0\0\0\0\0\0\1\0\1\0\0\0\210\0\0\200\0\0\0\0J\23\216?\0\0\0\0\0\0\1\0\1\0\0\0\240\0\0\200\0\0\0\0J\23\216?\0\0\0\0\0\0\1\0\11\4\0\0\270\0\0\0\0\0\0\0J\23\216?\0\0\0\0\0\0\1\0\11\4\0\0\310\0\0\0\0\0\0\0J\23\216?\0\0\0\0\0\0\1\0\11\4\0\0\330\0\0\0\3600\3\0\26\3\0\0\0\0\0\0\0\0\0\0\104\3\0\254\1\0\0\0\0\0\0\0\0\0\0\2645\3\0\360\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\300\0\310\200\0\0\0\0\14\0\0\0\0\0f\1", 256, ) , 256, ) == 0x0
 01595   808   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01596   808   NtQueryInformationProcess  (180, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdb000,AffinityMask=0x1,BasePriority=8,Pid=1656,ParentPid=1928,}, 0x0, ) == 0x0
 01597   808   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32"}, 1232516, ... ) }, 1232516, ... ) == 0x0
 01598   808   NtAllocateVirtualMemory  (-1, 0, 0, 2428, 4096, 4, ... 11075584, 4096, ) == 0x0
 01599   808   NtAllocateVirtualMemory  (180, 0, 0, 6432, 4096, 4, ... 65536, 8192, ) == 0x0
 01600   808   NtWriteVirtualMemory  (180, 0x10000,  (180, 0x10000, "=\0A\0:\0=\0A\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0s\0c\0r\0i\0p\0t\0s\0\0\0=\0U\0:\0=\0U\0:\0\\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0A\0T\0L\0_\0I\0N\0C\0_\0P\0A\0T\0H\0=\0C\0:\0\\0W\0I\0N\0D\0D\0K\0\\03\07\09\00\0~\01\0.\01\08\03\0\\0i\0n\0c\0\0\0A\0T\0L\0_\0I\0N\0C\0_\0R\0O\0O\0T\0=\0C\0:\0\\0W\0I\0N\0D\0D\0K\0\\03\07\09\00\0~\01\0.\01\08\03\0\\0i\0n\0c\0\0\0A\0T\0L\0_\0L\0I\0B\0_\0P\0A\0T\0H\0=\0C\0:\0\\0W\0I\0N\0D\0D\0K\0\\03\07\0", 6432, ... 0x0, ) , 6432, ... 0x0, ) == 0x0
 01601   808   NtAllocateVirtualMemory  (180, 0, 0, 2428, 4096, 4, ... 131072, 4096, ) == 0x0
 01602   808   NtWriteVirtualMemory  (180, 0x20000,  (180, 0x20000, "\0\20\0\0|\11\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\0\0\0\0\0\13\0\0\0&\0\10\2\220\2\0\0\16\0\0\0\364\3\366\3\230\4\0\0:\0<\0\220\10\0\0N\0P\0\314\10\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0:\0<\0\34\11\0\0\36\0 \0X\11\0\0\0\0\2\0x\11\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 2428, ... 0x0, ) , 2428, ... 0x0, ) == 0x0
 01603   808   NtWriteVirtualMemory  (180, 0x7ffdb010,  (180, 0x7ffdb010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 01604   808   NtAllocateVirtualMemory  (180, 0, 0, 388, 4096, 4, ... 196608, 4096, ) == 0x0
 01605   808   NtWriteVirtualMemory  (180, 0x30000,  (180, 0x30000, "S\0h\0i\0m\0E\0n\0g\0.\0d\0l\0l\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\1\0\0\253\355\15\254\210\255\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\21\21\21\21\21\21\21\21\21\21\21\21\21\21\21\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 388, ... 0x0, ) , 388, ... 0x0, ) == 0x0
 01606   808   NtWriteVirtualMemory  (180, 0x7ffdb1e8,  (180, 0x7ffdb1e8, "\0\0\3\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 01607   808   NtFreeVirtualMemory  (-1, (0xa90000), 0, 32768, ... (0xa90000), 4096, ) == 0x0
 01608   808   NtAllocateVirtualMemory  (180, 0, 0, 1048576, 8192, 4, ... 262144, 1048576, ) == 0x0
 01609   808   NtAllocateVirtualMemory  (180, 1302528, 0, 8192, 4096, 4, ... 1302528, 8192, ) == 0x0
 01610   808   NtProtectVirtualMemory  (180, (0x13e000), 4096, 260, ... (0x13e000), 4096, 4, ) == 0x0
 01611   808   NtCreateThread  (0x1f03ff, 0x0, 180, 1233572, 1233236, 1, ... 184, {1656, 1248}, ) == 0x0
 01612   808   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 0, 2147348480, 2008285840, 0}  (24, {168, 196, new_msg, 0, 0, 2147348480, 2008285840, 0} "\0\0\0\0\0\0\1\0\0\0\0\0x\2\264w\267\0\0\0\270\0\0\0x\6\0\0\340\4\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\214\326\22\0x\1\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\260\375\177\0\0\0\0\0\0\24\0\10 \0\0" ... {168, 196, reply, 0, 1928, 808, 57977, 0} "\0\0\0\0\0\0\1\0\0\0\0\0x\2\264w\264\0\0\0\270\0\0\0x\6\0\0\340\4\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\214\326\22\0x\1\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\260\375\177\0\0\0\0\0\0\24\0\10 \0\0" )  ... {168, 196, reply, 0, 1928, 808, 57977, 0}  (24, {168, 196, new_msg, 0, 0, 2147348480, 2008285840, 0} "\0\0\0\0\0\0\1\0\0\0\0\0x\2\264w\267\0\0\0\270\0\0\0x\6\0\0\340\4\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\214\326\22\0x\1\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\260\375\177\0\0\0\0\0\0\24\0\10 \0\0" ... {168, 196, reply, 0, 1928, 808, 57977, 0} "\0\0\0\0\0\0\1\0\0\0\0\0x\2\264w\264\0\0\0\270\0\0\0x\6\0\0\340\4\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\214\326\22\0x\1\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\260\375\177\0\0\0\0\0\0\24\0\10 \0\0" )  ) == 0x0
 01613   808   NtResumeThread  (184, ... 1, ) == 0x0
 01614   808   NtClose  (168, ... ) == 0x0
 01615   808   NtClose  (164, ... ) == 0x0
 01616   808   NtClose  (184, ... ) == 0x0
 01617   808   NtWaitForMultipleObjects  (2, (152, 180, ), 1, 0, {1294967296, -1}, ... ) == 0x0
 01618   808   NtWaitForSingleObject  (144, 0, {0, 0}, ... ) == 0x102
 01619   808   NtWaitForMultipleObjects  (2, (152, 180, ), 1, 0, {1294967296, -1}, ... ) == 0x0
 01620   808   NtWaitForSingleObject  (144, 0, {0, 0}, ... ) == 0x102
 01621   808   NtWaitForMultipleObjects  (2, (152, 180, ), 1, 0, {1294967296, -1}, ... ) == 0x0
 01622   808   NtWaitForSingleObject  (144, 0, {0, 0}, ... ) == 0x102
 01623   808   NtWaitForMultipleObjects  (2, (152, 180, ), 1, 0, {1294967296, -1}, ... ) == 0x0
 01624   808   NtWaitForSingleObject  (144, 0, {0, 0}, ... ) == 0x0
 01625   808   NtClose  (180, ... ) == 0x0
 01626   808   NtUnmapViewOfSection  (-1, 0x3d0000, ... ) == 0x0
 01627   808   NtClose  (160, ... ) == 0x0
 01628   808   NtClose  (144, ... ) == 0x0
 01629   808   NtClose  (152, ... ) == 0x0
 01630   808   NtClose  (148, ... ) == 0x0
 01631   808   NtClose  (156, ... ) == 0x0
 01632   808   NtClose  (100, ... ) == 0x0
 01633   808   NtClose  (104, ... ) == 0x0
 01634   808   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x7,}, 4, ... ) == 0x0
 01635   808   NtWaitForMultipleObjects  (2, (64, 72, ), 1, 0, 0x0, ... ) == 0x1
 01636   808   NtClose  (72, ... ) == 0x0
 01637   808   NtSetEvent  (64, ... 0x0, ) == 0x0
 01638   808   NtClose  (64, ... ) == 0x0
 01639   808   NtWaitForMultipleObjects  (2, (76, 80, ), 1, 0, 0x0, ... ) == 0x1
 01640   808   NtClose  (80, ... ) == 0x0
 01641   808   NtSetEvent  (76, ... 0x0, ) == 0x0
 01642   808   NtClose  (76, ... ) == 0x0
 01643   808   NtWaitForMultipleObjects  (2, (84, 88, ), 1, 0, 0x0, ... ) == 0x1
 01644   808   NtClose  (88, ... ) == 0x0
 01645   808   NtSetEvent  (84, ... 0x0, ) == 0x0
 01646   808   NtClose  (84, ... ) == 0x0
 01647   808   NtRequestWaitReplyPort  (128, {88, 112, new_msg, 0, 1928, 808, 57975, 0}  (128, {88, 112, new_msg, 0, 1928, 808, 57975, 0} "\1\376\0\0A\2<\0\200Y\274\201V\347\340\341\264\311\275\201:\332R\200\377\377\377\377\324\376\255\201\0\0\0\0)%\25E?>\A\250\245\22\360\331E\16S\331E\16S\10\210\300\310\0\0\0\3\1\0\0\3\1\0\0\10A\210\300\0@\250\300\220\276u\201\264;\350\371" ... {124, 148, reply, 0, 1928, 808, 58110, 0} "\2\376\255\201\1\0\0\0\200Y\274\201V\347\340\341\264\311\275\201:\332R\200X;\350\371\324\376\255\201\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\210\300\310\0\0\0\3\1\0\0\3\1\0\0\10A\210\300\0@\250\300\220\276u\201\264;\350\371R\250S\200\304;\350\371\4\0\0\0\0\0\0\0\220\276u\201<(\255\201\7\0\0\0\304\277u\201]\0\0\0" )  ... {124, 148, reply, 0, 1928, 808, 58110, 0}  (128, {88, 112, new_msg, 0, 1928, 808, 57975, 0} "\1\376\0\0A\2<\0\200Y\274\201V\347\340\341\264\311\275\201:\332R\200\377\377\377\377\324\376\255\201\0\0\0\0)%\25E?>\A\250\245\22\360\331E\16S\331E\16S\10\210\300\310\0\0\0\3\1\0\0\3\1\0\0\10A\210\300\0@\250\300\220\276u\201\264;\350\371" ... {124, 148, reply, 0, 1928, 808, 58110, 0} "\2\376\255\201\1\0\0\0\200Y\274\201V\347\340\341\264\311\275\201:\332R\200X;\350\371\324\376\255\201\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\210\300\310\0\0\0\3\1\0\0\3\1\0\0\10A\210\300\0@\250\300\220\276u\201\264;\350\371R\250S\200\304;\350\371\4\0\0\0\0\0\0\0\220\276u\201<(\255\201\7\0\0\0\304\277u\201]\0\0\0" )  ) == 0x0
 01648   808   NtClose  (124, ... ) == 0x0
 01649   808   NtClose  (128, ... ) == 0x0
 01650   808   NtClose  (68, ... ) == 0x0
 01651   808   NtUnmapViewOfSection  (-1, 0x69450000, ... ) == 0x0
 01652   808   NtUnmapViewOfSection  (-1, 0x77920000, ... ) == 0x0
 01653   808   NtUnmapViewOfSection  (-1, 0x76f50000, ... ) == 0x0
 01654   808   NtUnmapViewOfSection  (-1, 0x76360000, ... ) == 0x0
 01655   808   NtUnmapViewOfSection  (-1, 0x5b860000, ... ) == 0x0
 01656   808   NtUnmapViewOfSection  (-1, 0x769c0000, ... ) == 0x0
 01657   808   NtContinue  (1242900, 0, ...
 01658   808   NtTerminateProcess  (0, -1073741682, ... ) == 0x0
 01659   808   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x8,}, 4, ... ) == 0x0
 01660   808   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x9,}, 4, ... ) == 0x0
 01661   808   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xa,}, 4, ... ) == 0x0
 01662   808   NtClose  (92, ... ) == 0x0
 01663   808   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x6,}, 4, ... ) == 0x0
 01664   808   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x5,}, 4, ... ) == 0x0
 01665   808   NtUnmapViewOfSection  (-1, 0x380000, ... ) == 0x0
 01666   808   NtClose  (60, ... ) == 0x0
 01667   808   NtGdiDeleteObjectApp  (1913653144, ... ) == 0x1
 01668   808   NtUserGetProcessWindowStation  (... ) == 0x1c
 01669   808   NtUserBuildNameList  (28, 522, 1379448, 1244228, ... ) == 0x0
 01670   808   NtUserGetProcessWindowStation  (... ) == 0x1c
 01671   808   NtUserOpenDesktop  ({24, 28, 0x40, 0, 0,  ({24, 28, 0x40, 0, 0, "Default"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x3c
 01672   808   NtUserBuildHwndList  (60, 0, 0, 0, 64, ... (0x5009e, 0x400fa, 0x10074, 0x10080, 0x10070, 0x10084, 0x30048, 0x10072, 0x20052, 0x5009c, 0x10090, 0x500a2, 0x100d0, 0x200b0, 0x100cc, 0x70104, 0x70100, 0x20118, 0x3014c, 0x1011c, 0x100e6, 0x100d6, 0x100d2, 0x100ca, 0x100c8, 0x100ba, 0x100ae, 0x100ac, 0x300a6, 0x10078, 0x30062, 0x50036, 0x5005c, 0x100be, 0x400fe, 0x10092, 0x10086, 0x40034, 0x50050, 0x1013c, 0x10120, 0x100c2, 0x100bc, 0x2014e, 0x100d8, 0x100b6, 0x100b8, 0x100b4, 0x100c0, 0x1009a, 0x5005e, 0x1, ), 52, ) == 0x0
 01673   808   NtUserValidateHandleSecure  (327838, ... ) == 0x1
 01674   808   NtUserQueryWindow  (327838, 0, ... ) == 0x6b8
 01675   808   NtUserQueryWindow  (327838, 1, ... ) == 0x6d4
 01676   808   NtUserValidateHandleSecure  (327838, ... ) == 0x1
 01677   808   NtUserValidateHandleSecure  (262394, ... ) == 0x1
 01678   808   NtUserQueryWindow  (262394, 0, ... ) == 0x6b8
 01679   808   NtUserQueryWindow  (262394, 1, ... ) == 0x6d4
 01680   808   NtUserValidateHandleSecure  (262394, ... ) == 0x1
 01681   808   NtUserBuildHwndList  (0, 262394, 1, 0, 64, ... (0x80064, 0x60068, 0x6006c, 0x50094, 0x50096, 0x60066, 0x7006a, 0x90058, 0x6006e, 0x5008a, 0x50088, 0x500a0, 0x1, ), 13, ) == 0x0
 01682   808   NtUserValidateHandleSecure  (524388, ... ) == 0x1
 01683   808   NtUserQueryWindow  (524388, 0, ... ) == 0x6b8
 01684   808   NtUserQueryWindow  (524388, 1, ... ) == 0x6d4
 01685   808   NtUserValidateHandleSecure  (393320, ... ) == 0x1
 01686   808   NtUserQueryWindow  (393320, 0, ... ) == 0x6b8
 01687   808   NtUserQueryWindow  (393320, 1, ... ) == 0x6d4
 01688   808   NtUserValidateHandleSecure  (393324, ... ) == 0x1
 01689   808   NtUserQueryWindow  (393324, 0, ... ) == 0x6b8
 01690   808   NtUserQueryWindow  (393324, 1, ... ) == 0x6d4
 01691   808   NtUserValidateHandleSecure  (327828, ... ) == 0x1
 01692   808   NtUserQueryWindow  (327828, 0, ... ) == 0x6b8
 01693   808   NtUserQueryWindow  (327828, 1, ... ) == 0x6d4
 01694   808   NtUserValidateHandleSecure  (327830, ... ) == 0x1
 01695   808   NtUserQueryWindow  (327830, 0, ... ) == 0x6b8
 01696   808   NtUserQueryWindow  (327830, 1, ... ) == 0x6d4
 01697   808   NtUserValidateHandleSecure  (393318, ... ) == 0x1
 01698   808   NtUserQueryWindow  (393318, 0, ... ) == 0x6b8
 01699   808   NtUserQueryWindow  (393318, 1, ... ) == 0x6d4
 01700   808   NtUserValidateHandleSecure  (458858, ... ) == 0x1
 01701   808   NtUserQueryWindow  (458858, 0, ... ) == 0x6b8
 01702   808   NtUserQueryWindow  (458858, 1, ... ) == 0x6d4
 01703   808   NtUserValidateHandleSecure  (589912, ... ) == 0x1
 01704   808   NtUserQueryWindow  (589912, 0, ... ) == 0x6b8
 01705   808   NtUserQueryWindow  (589912, 1, ... ) == 0x6d4
 01706   808   NtUserValidateHandleSecure  (393326, ... ) == 0x1
 01707   808   NtUserQueryWindow  (393326, 0, ... ) == 0x6b8
 01708   808   NtUserQueryWindow  (393326, 1, ... ) == 0x6d4
 01709   808   NtUserValidateHandleSecure  (327818, ... ) == 0x1
 01710   808   NtUserQueryWindow  (327818, 0, ... ) == 0x6b8
 01711   808   NtUserQueryWindow  (327818, 1, ... ) == 0x6d4
 01712   808   NtUserValidateHandleSecure  (327816, ... ) == 0x1
 01713   808   NtUserQueryWindow  (327816, 0, ... ) == 0x6b8
 01714   808   NtUserQueryWindow  (327816, 1, ... ) == 0x6d4
 01715   808   NtUserValidateHandleSecure  (327840, ... ) == 0x1
 01716   808   NtUserQueryWindow  (327840, 0, ... ) == 0x6b8
 01717   808   NtUserQueryWindow  (327840, 1, ... ) == 0x6d4
 01718   808   NtUserValidateHandleSecure  (65652, ... ) == 0x1
 01719   808   NtUserQueryWindow  (65652, 0, ... ) == 0x6b8
 01720   808   NtUserQueryWindow  (65652, 1, ... ) == 0x6d4
 01721   808   NtUserValidateHandleSecure  (65652, ... ) == 0x1
 01722   808   NtUserValidateHandleSecure  (65664, ... ) == 0x1
 01723   808   NtUserQueryWindow  (65664, 0, ... ) == 0x6b8
 01724   808   NtUserQueryWindow  (65664, 1, ... ) == 0x6d4
 01725   808   NtUserValidateHandleSecure  (65664, ... ) == 0x1
 01726   808   NtUserValidateHandleSecure  (65648, ... ) == 0x1
 01727   808   NtUserQueryWindow  (65648, 0, ... ) == 0x6b8
 01728   808   NtUserQueryWindow  (65648, 1, ... ) == 0x6d4
 01729   808   NtUserValidateHandleSecure  (65648, ... ) == 0x1
 01730   808   NtUserValidateHandleSecure  (65668, ... ) == 0x1
 01731   808   NtUserQueryWindow  (65668, 0, ... ) == 0x6b8
 01732   808   NtUserQueryWindow  (65668, 1, ... ) == 0x6d4
 01733   808   NtUserValidateHandleSecure  (65668, ... ) == 0x1
 01734   808   NtUserValidateHandleSecure  (196680, ... ) == 0x1
 01735   808   NtUserQueryWindow  (196680, 0, ... ) == 0x6b8
 01736   808   NtUserQueryWindow  (196680, 1, ... ) == 0x6d4
 01737   808   NtUserValidateHandleSecure  (196680, ... ) == 0x1
 01738   808   NtUserValidateHandleSecure  (65650, ... ) == 0x1
 01739   808   NtUserQueryWindow  (65650, 0, ... ) == 0x6b8
 01740   808   NtUserQueryWindow  (65650, 1, ... ) == 0x6d4
 01741   808   NtUserValidateHandleSecure  (65650, ... ) == 0x1
 01742   808   NtUserValidateHandleSecure  (131154, ... ) == 0x1
 01743   808   NtUserQueryWindow  (131154, 0, ... ) == 0x6b8
 01744   808   NtUserQueryWindow  (131154, 1, ... ) == 0x6d4
 01745   808   NtUserValidateHandleSecure  (131154, ... ) == 0x1
 01746   808   NtUserBuildHwndList  (0, 131154, 1, 0, 64, ... (0x3003e, 0x3003c, 0x30040, 0x30042, 0x30044, 0x30046, 0x10076, 0x10082, 0x1007a, 0x1007e, 0x1, ), 11, ) == 0x0
 01747   808   NtUserValidateHandleSecure  (196670, ... ) == 0x1
 01748   808   NtUserQueryWindow  (196670, 0, ... ) == 0x6b8
 01749   808   NtUserQueryWindow  (196670, 1, ... ) == 0x6d4
 01750   808   NtUserValidateHandleSecure  (196668, ... ) == 0x1
 01751   808   NtUserQueryWindow  (196668, 0, ... ) == 0x6b8
 01752   808   NtUserQueryWindow  (196668, 1, ... ) == 0x6d4
 01753   808   NtUserValidateHandleSecure  (196672, ... ) == 0x1
 01754   808   NtUserQueryWindow  (196672, 0, ... ) == 0x6b8
 01755   808   NtUserQueryWindow  (196672, 1, ... ) == 0x6d4
 01756   808   NtUserValidateHandleSecure  (196674, ... ) == 0x1
 01757   808   NtUserQueryWindow  (196674, 0, ... ) == 0x6b8
 01758   808   NtUserQueryWindow  (196674, 1, ... ) == 0x6d4
 01759   808   NtUserValidateHandleSecure  (196676, ... ) == 0x1
 01760   808   NtUserQueryWindow  (196676, 0, ... ) == 0x6b8
 01761   808   NtUserQueryWindow  (196676, 1, ... ) == 0x6d4
 01762   808   NtUserValidateHandleSecure  (196678, ... ) == 0x1
 01763   808   NtUserQueryWindow  (196678, 0, ... ) == 0x6b8
 01764   808   NtUserQueryWindow  (196678, 1, ... ) == 0x6d4
 01765   808   NtUserValidateHandleSecure  (65654, ... ) == 0x1
 01766   808   NtUserQueryWindow  (65654, 0, ... ) == 0x6b8
 01767   808   NtUserQueryWindow  (65654, 1, ... ) == 0x6d4
 01768   808   NtUserValidateHandleSecure  (65666, ... ) == 0x1
 01769   808   NtUserQueryWindow  (65666, 0, ... ) == 0x6b8
 01770   808   NtUserQueryWindow  (65666, 1, ... ) == 0x6d4
 01771   808   NtUserValidateHandleSecure  (65658, ... ) == 0x1
 01772   808   NtUserQueryWindow  (65658, 0, ... ) == 0x6b8
 01773   808   NtUserQueryWindow  (65658, 1, ... ) == 0x6d4
 01774   808   NtUserValidateHandleSecure  (65662, ... ) == 0x1
 01775   808   NtUserQueryWindow  (65662, 0, ... ) == 0x6b8
 01776   808   NtUserQueryWindow  (65662, 1, ... ) == 0x6d4
 01777   808   NtUserValidateHandleSecure  (327836, ... ) == 0x1
 01778   808   NtUserQueryWindow  (327836, 0, ... ) == 0x6b8
 01779   808   NtUserQueryWindow  (327836, 1, ... ) == 0x6d4
 01780   808   NtUserValidateHandleSecure  (327836, ... ) == 0x1
 01781   808   NtUserValidateHandleSecure  (65680, ... ) == 0x1
 01782   808   NtUserQueryWindow  (65680, 0, ... ) == 0x6b8
 01783   808   NtUserQueryWindow  (65680, 1, ... ) == 0x6bc
 01784   808   NtUserValidateHandleSecure  (65680, ... ) == 0x1
 01785   808   NtUserValidateHandleSecure  (327842, ... ) == 0x1
 01786   808   NtUserQueryWindow  (327842, 0, ... ) == 0x6b8
 01787   808   NtUserQueryWindow  (327842, 1, ... ) == 0x6d4
 01788   808   NtUserValidateHandleSecure  (327842, ... ) == 0x1
 01789   808   NtUserValidateHandleSecure  (65744, ... ) == 0x1
 01790   808   NtUserQueryWindow  (65744, 0, ... ) == 0x19c
 01791   808   NtUserQueryWindow  (65744, 1, ... ) == 0x1a0
 01792   808   NtUserValidateHandleSecure  (65744, ... ) == 0x1
 01793   808   NtUserValidateHandleSecure  (131248, ... ) == 0x1
 01794   808   NtUserQueryWindow  (131248, 0, ... ) == 0xa0
 01795   808   NtUserQueryWindow  (131248, 1, ... ) == 0xe4
 01796   808   NtUserValidateHandleSecure  (131248, ... ) == 0x1
 01797   808   NtUserValidateHandleSecure  (65740, ... ) == 0x1
 01798   808   NtUserQueryWindow  (65740, 0, ... ) == 0x19c
 01799   808   NtUserQueryWindow  (65740, 1, ... ) == 0x1a0
 01800   808   NtUserValidateHandleSecure  (65740, ... ) == 0x1
 01801   808   NtUserValidateHandleSecure  (459012, ... ) == 0x1
 01802   808   NtUserQueryWindow  (459012, 0, ... ) == 0x49c
 01803   808   NtUserQueryWindow  (459012, 1, ... ) == 0x180
 01804   808   NtUserValidateHandleSecure  (459012, ... ) == 0x1
 01805   808   NtUserValidateHandleSecure  (459008, ... ) == 0x1
 01806   808   NtUserQueryWindow  (459008, 0, ... ) == 0x5e8
 01807   808   NtUserQueryWindow  (459008, 1, ... ) == 0x1dc
 01808   808   NtUserValidateHandleSecure  (459008, ... ) == 0x1
 01809   808   NtUserValidateHandleSecure  (131352, ... ) == 0x1
 01810   808   NtUserQueryWindow  (131352, 0, ... ) == 0x6ac
 01811   808   NtUserQueryWindow  (131352, 1, ... ) == 0x7f4
 01812   808   NtUserValidateHandleSecure  (131352, ... ) == 0x1
 01813   808   NtUserValidateHandleSecure  (196940, ... ) == 0x1
 01814   808   NtUserQueryWindow  (196940, 0, ... ) == 0x4b4
 01815   808   NtUserQueryWindow  (196940, 1, ... ) == 0x474
 01816   808   NtUserValidateHandleSecure  (196940, ... ) == 0x1
 01817   808   NtUserValidateHandleSecure  (65820, ... ) == 0x1
 01818   808   NtUserQueryWindow  (65820, 0, ... ) == 0x22c
 01819   808   NtUserQueryWindow  (65820, 1, ... ) == 0x220
 01820   808   NtUserValidateHandleSecure  (65820, ... ) == 0x1
 01821   808   NtUserValidateHandleSecure  (65766, ... ) == 0x1
 01822   808   NtUserQueryWindow  (65766, 0, ... ) == 0x6b8
 01823   808   NtUserQueryWindow  (65766, 1, ... ) == 0x13c
 01824   808   NtUserValidateHandleSecure  (65766, ... ) == 0x1
 01825   808   NtUserValidateHandleSecure  (65750, ... ) == 0x1
 01826   808   NtUserQueryWindow  (65750, 0, ... ) == 0x6b8
 01827   808   NtUserQueryWindow  (65750, 1, ... ) == 0x13c
 01828   808   NtUserValidateHandleSecure  (65750, ... ) == 0x1
 01829   808   NtUserBuildHwndList  (0, 65750, 1, 0, 64, ... (0x100da, 0x100dc, 0x100de, 0x100e0, 0x1, ), 5, ) == 0x0
 01830   808   NtUserValidateHandleSecure  (65754, ... ) == 0x1
 01831   808   NtUserQueryWindow  (65754, 0, ... ) == 0x6b8
 01832   808   NtUserQueryWindow  (65754, 1, ... ) == 0x13c
 01833   808   NtUserValidateHandleSecure  (65756, ... ) == 0x1
 01834   808   NtUserQueryWindow  (65756, 0, ... ) == 0x6b8
 01835   808   NtUserQueryWindow  (65756, 1, ... ) == 0x13c
 01836   808   NtUserValidateHandleSecure  (65758, ... ) == 0x1
 01837   808   NtUserQueryWindow  (65758, 0, ... ) == 0x6b8
 01838   808   NtUserQueryWindow  (65758, 1, ... ) == 0x13c
 01839   808   NtUserValidateHandleSecure  (65760, ... ) == 0x1
 01840   808   NtUserQueryWindow  (65760, 0, ... ) == 0x6b8
 01841   808   NtUserQueryWindow  (65760, 1, ... ) == 0x13c
 01842   808   NtUserValidateHandleSecure  (65746, ... ) == 0x1
 01843   808   NtUserQueryWindow  (65746, 0, ... ) == 0x6b8
 01844   808   NtUserQueryWindow  (65746, 1, ... ) == 0x6d4
 01845   808   NtUserValidateHandleSecure  (65746, ... ) == 0x1
 01846   808   NtUserValidateHandleSecure  (65738, ... ) == 0x1
 01847   808   NtUserQueryWindow  (65738, 0, ... ) == 0x19c
 01848   808   NtUserQueryWindow  (65738, 1, ... ) == 0x1a0
 01849   808   NtUserValidateHandleSecure  (65738, ... ) == 0x1
 01850   808   NtUserValidateHandleSecure  (65736, ... ) == 0x1
 01851   808   NtUserQueryWindow  (65736, 0, ... ) == 0xa0
 01852   808   NtUserQueryWindow  (65736, 1, ... ) == 0xe4
 01853   808   NtUserValidateHandleSecure  (65736, ... ) == 0x1
 01854   808   NtUserValidateHandleSecure  (65722, ... ) == 0x1
 01855   808   NtUserQueryWindow  (65722, 0, ... ) == 0x104
 01856   808   NtUserQueryWindow  (65722, 1, ... ) == 0x108
 01857   808   NtUserValidateHandleSecure  (65722, ... ) == 0x1
 01858   808   NtUserValidateHandleSecure  (65710, ... ) == 0x1
 01859   808   NtUserQueryWindow  (65710, 0, ... ) == 0x104
 01860   808   NtUserQueryWindow  (65710, 1, ... ) == 0x108
 01861   808   NtUserValidateHandleSecure  (65710, ... ) == 0x1
 01862   808   NtUserValidateHandleSecure  (65708, ... ) == 0x1
 01863   808   NtUserQueryWindow  (65708, 0, ... ) == 0x120
 01864   808   NtUserQueryWindow  (65708, 1, ... ) == 0x124
 01865   808   NtUserValidateHandleSecure  (65708, ... ) == 0x1
 01866   808   NtUserValidateHandleSecure  (196774, ... ) == 0x1
 01867   808   NtUserQueryWindow  (196774, 0, ... ) == 0xc4
 01868   808   NtUserQueryWindow  (196774, 1, ... ) == 0xc8
 01869   808   NtUserValidateHandleSecure  (196774, ... ) == 0x1
 01870   808   NtUserValidateHandleSecure  (65656, ... ) == 0x1
 01871   808   NtUserQueryWindow  (65656, 0, ... ) == 0x6b8
 01872   808   NtUserQueryWindow  (65656, 1, ... ) == 0x6ec
 01873   808   NtUserValidateHandleSecure  (65656, ... ) == 0x1
 01874   808   NtUserValidateHandleSecure  (196706, ... ) == 0x1
 01875   808   NtUserQueryWindow  (196706, 0, ... ) == 0x6b8
 01876   808   NtUserQueryWindow  (196706, 1, ... ) == 0x6bc
 01877   808   NtUserValidateHandleSecure  (196706, ... ) == 0x1
 01878   808   NtUserValidateHandleSecure  (327734, ... ) == 0x1
 01879   808   NtUserQueryWindow  (327734, 0, ... ) == 0x6b8
 01880   808   NtUserQueryWindow  (327734, 1, ... ) == 0x6bc
 01881   808   NtUserValidateHandleSecure  (327734, ... ) == 0x1
 01882   808   NtUserValidateHandleSecure  (327772, ... ) == 0x1
 01883   808   NtUserQueryWindow  (327772, 0, ... ) == 0x6b8
 01884   808   NtUserQueryWindow  (327772, 1, ... ) == 0x6bc
 01885   808   NtUserValidateHandleSecure  (327772, ... ) == 0x1
 01886   808   NtUserValidateHandleSecure  (65726, ... ) == 0x1
 01887   808   NtUserQueryWindow  (65726, 0, ... ) == 0x19c
 01888   808   NtUserQueryWindow  (65726, 1, ... ) == 0x1a0
 01889   808   NtUserValidateHandleSecure  (65726, ... ) == 0x1
 01890   808   NtUserValidateHandleSecure  (262398, ... ) == 0x1
 01891   808   NtUserQueryWindow  (262398, 0, ... ) == 0x6b8
 01892   808   NtUserQueryWindow  (262398, 1, ... ) == 0x6d4
 01893   808   NtUserValidateHandleSecure  (262398, ... ) == 0x1
 01894   808   NtUserValidateHandleSecure  (65682, ... ) == 0x1
 01895   808   NtUserQueryWindow  (65682, 0, ... ) == 0x6b8
 01896   808   NtUserQueryWindow  (65682, 1, ... ) == 0x6bc
 01897   808   NtUserValidateHandleSecure  (65682, ... ) == 0x1
 01898   808   NtUserValidateHandleSecure  (65670, ... ) == 0x1
 01899   808   NtUserQueryWindow  (65670, 0, ... ) == 0x6b8
 01900   808   NtUserQueryWindow  (65670, 1, ... ) == 0x6bc
 01901   808   NtUserValidateHandleSecure  (65670, ... ) == 0x1
 01902   808   NtUserBuildHwndList  (0, 65670, 1, 0, 64, ... (0x1008c, 0x1008e, 0x1, ), 3, ) == 0x0
 01903   808   NtUserValidateHandleSecure  (65676, ... ) == 0x1
 01904   808   NtUserQueryWindow  (65676, 0, ... ) == 0x6b8
 01905   808   NtUserQueryWindow  (65676, 1, ... ) == 0x6bc
 01906   808   NtUserValidateHandleSecure  (65678, ... ) == 0x1
 01907   808   NtUserQueryWindow  (65678, 0, ... ) == 0x6b8
 01908   808   NtUserQueryWindow  (65678, 1, ... ) == 0x6bc
 01909   808   NtUserValidateHandleSecure  (262196, ... ) == 0x1
 01910   808   NtUserQueryWindow  (262196, 0, ... ) == 0x6b8
 01911   808   NtUserQueryWindow  (262196, 1, ... ) == 0x6d4
 01912   808   NtUserValidateHandleSecure  (262196, ... ) == 0x1
 01913   808   NtUserValidateHandleSecure  (327760, ... ) == 0x1
 01914   808   NtUserQueryWindow  (327760, 0, ... ) == 0x6b8
 01915   808   NtUserQueryWindow  (327760, 1, ... ) == 0x6d4
 01916   808   NtUserValidateHandleSecure  (327760, ... ) == 0x1
 01917   808   NtUserValidateHandleSecure  (65852, ... ) == 0x1
 01918   808   NtUserQueryWindow  (65852, 0, ... ) == 0x22c
 01919   808   NtUserQueryWindow  (65852, 1, ... ) == 0x220
 01920   808   NtUserValidateHandleSecure  (65852, ... ) == 0x1
 01921   808   NtUserValidateHandleSecure  (65824, ... ) == 0x1
 01922   808   NtUserQueryWindow  (65824, 0, ... ) == 0x22c
 01923   808   NtUserQueryWindow  (65824, 1, ... ) == 0x220
 01924   808   NtUserValidateHandleSecure  (65824, ... ) == 0x1
 01925   808   NtUserValidateHandleSecure  (65730, ... ) == 0x1
 01926   808   NtUserQueryWindow  (65730, 0, ... ) == 0xa0
 01927   808   NtUserQueryWindow  (65730, 1, ... ) == 0xe4
 01928   808   NtUserValidateHandleSecure  (65730, ... ) == 0x1
 01929   808   NtUserValidateHandleSecure  (65724, ... ) == 0x1
 01930   808   NtUserQueryWindow  (65724, 0, ... ) == 0xa0
 01931   808   NtUserQueryWindow  (65724, 1, ... ) == 0xe4
 01932   808   NtUserValidateHandleSecure  (65724, ... ) == 0x1
 01933   808   NtUserValidateHandleSecure  (131406, ... ) == 0x1
 01934   808   NtUserQueryWindow  (131406, 0, ... ) == 0x4b4
 01935   808   NtUserQueryWindow  (131406, 1, ... ) == 0x474
 01936   808   NtUserValidateHandleSecure  (131406, ... ) == 0x1
 01937   808   NtUserValidateHandleSecure  (65752, ... ) == 0x1
 01938   808   NtUserQueryWindow  (65752, 0, ... ) == 0x6b8
 01939   808   NtUserQueryWindow  (65752, 1, ... ) == 0x13c
 01940   808   NtUserValidateHandleSecure  (65752, ... ) == 0x1
 01941   808   NtUserValidateHandleSecure  (65718, ... ) == 0x1
 01942   808   NtUserQueryWindow  (65718, 0, ... ) == 0x104
 01943   808   NtUserQueryWindow  (65718, 1, ... ) == 0x108
 01944   808   NtUserValidateHandleSecure  (65718, ... ) == 0x1
 01945   808   NtUserValidateHandleSecure  (65720, ... ) == 0x1
 01946   808   NtUserQueryWindow  (65720, 0, ... ) == 0x120
 01947   808   NtUserQueryWindow  (65720, 1, ... ) == 0x124
 01948   808   NtUserValidateHandleSecure  (65720, ... ) == 0x1
 01949   808   NtUserValidateHandleSecure  (65716, ... ) == 0x1
 01950   808   NtUserQueryWindow  (65716, 0, ... ) == 0xc4
 01951   808   NtUserQueryWindow  (65716, 1, ... ) == 0xc8
 01952   808   NtUserValidateHandleSecure  (65716, ... ) == 0x1
 01953   808   NtUserValidateHandleSecure  (65728, ... ) == 0x1
 01954   808   NtUserQueryWindow  (65728, 0, ... ) == 0x19c
 01955   808   NtUserQueryWindow  (65728, 1, ... ) == 0x1a0
 01956   808   NtUserValidateHandleSecure  (65728, ... ) == 0x1
 01957   808   NtUserValidateHandleSecure  (65690, ... ) == 0x1
 01958   808   NtUserQueryWindow  (65690, 0, ... ) == 0x6b8
 01959   808   NtUserQueryWindow  (65690, 1, ... ) == 0x6bc
 01960   808   NtUserValidateHandleSecure  (65690, ... ) == 0x1
 01961   808   NtUserValidateHandleSecure  (327774, ... ) == 0x1
 01962   808   NtUserQueryWindow  (327774, 0, ... ) == 0x6b8
 01963   808   NtUserQueryWindow  (327774, 1, ... ) == 0x6bc
 01964   808   NtUserValidateHandleSecure  (327774, ... ) == 0x1
 01965   808   NtUserCloseDesktop  (60, ... ) == 0x1
 01966   808   NtUserGetProcessWindowStation  (... ) == 0x1c
 01967   808   NtUserOpenDesktop  ({24, 28, 0x40, 0, 0,  ({24, 28, 0x40, 0, 0, "Disconnect"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0
 01968   808   NtUserGetProcessWindowStation  (... ) == 0x1c
 01969   808   NtUserOpenDesktop  ({24, 28, 0x40, 0, 0,  ({24, 28, 0x40, 0, 0, "Winlogon"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0
 01970   808   NtGdiDeleteObjectApp  (856294625, ... ) == 0x1
 01971   808   NtGdiDeleteObjectApp  (1376388660, ... ) == 0x1
 01972   808   NtClose  (56, ... ) == 0x0
 01973   808   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x4,}, 4, ... ) == 0x0
 01974   808   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize"}, ... 56, ) }, ... 56, ) == 0x0
 01975   808   NtQueryValueKey  (56,  (56, "DisableMetaFiles", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01976   808   NtClose  (56, ... ) == 0x0
 01977   808   NtClose  (44, ... ) == 0x0
 01978   808   NtFreeVirtualMemory  (-1, (0x3f0000), 4096, 32768, ... (0x3f0000), 4096, ) == 0x0
 01979   808   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 01980   808   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 01981   808   NtQueryVirtualMemory  (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 01982   808   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 1177968, 2011678370, 1178092, 1177980}  (24, {20, 48, new_msg, 0, 1177968, 2011678370, 1178092, 1177980} "\0\0\0\0\3\0\1\0\214\371\21\0\320\220\347w\216\0\0\300" ... {20, 48, reply, 0, 1928, 808, 58113, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\320\220\347w\216\0\0\300" )  ... {20, 48, reply, 0, 1928, 808, 58113, 0}  (24, {20, 48, new_msg, 0, 1177968, 2011678370, 1178092, 1177980} "\0\0\0\0\3\0\1\0\214\371\21\0\320\220\347w\216\0\0\300" ... {20, 48, reply, 0, 1928, 808, 58113, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\320\220\347w\216\0\0\300" )  ) == 0x0
 01983   808   NtTerminateProcess  (-1, -1073741682, ...