Summary:


NtAccessCheck(>)  1 
NtUserGetThreadDesktop(>)  1 
NtSetInformationFile(>)  5 
NtQueryVirtualMemory(>)  15 

NtCallbackReturn(>)  1 
NtUserOpenWindowStation(>)  1 
NtUserBuildHwndList(>)  5 
NtDeviceIoControlFile(>)  16 

NtCreateProcessEx(>)  1 
NtUserSystemParametersInfo(>)  1 
NtWaitForSingleObject(>)  5 
NtRequestWaitReplyPort(>)  16 

NtCreateSemaphore(>)  1 
NtConnectPort(>)  2 
NtWriteVirtualMemory(>)  5 
NtOpenSection(>)  24 

NtCreateThread(>)  1 
NtCreateIoCompletion(>)  2 
NtContinue(>)  6 
NtQueryDirectoryFile(>)  24 

NtDuplicateToken(>)  1 
NtGdiCreateSolidBrush(>)  2 
NtOpenProcessToken(>)  6 
NtSetInformationProcess(>)  25 

NtGdiCreateBitmap(>)  1 
NtGdiHfontCreate(>)  2 
NtQueryDefaultUILanguage(>)  6 
NtOpenProcessTokenEx(>)  28 

NtGdiCreatePatternBrushInternal(>)  1 
NtQueryInformationJobObject(>)  2 
NtUserGetProcessWindowStation(>)  6 
NtOpenThreadTokenEx(>)  28 

NtGdiInit(>)  1 
NtReleaseMutant(>)  2 
NtWaitForMultipleObjects(>)  6 
NtCreateSection(>)  29 

NtGdiQueryFontAssocInfo(>)  1 
NtTerminateProcess(>)  2 
NtFsControlFile(>)  7 
NtQueryInformationToken(>)  37 

NtGdiSelectBitmap(>)  1 
NtUserCloseWindowStation(>)  2 
NtOpenThreadToken(>)  7 
NtOpenFile(>)  41 

NtOpenEvent(>)  1 
NtUserGetObjectInformation(>)  2 
NtQueryInformationFile(>)  7 
NtQueryInformationProcess(>)  44 

NtOpenKeyedEvent(>)  1 
NtGdiCreateCompatibleDC(>)  3 
NtEnumerateKey(>)  8 
NtQueryDefaultLocale(>)  48 

NtOpenMutant(>)  1 
NtGdiDeleteObjectApp(>)  3 
NtSetValueKey(>)  8 
NtUnmapViewOfSection(>)  48 

NtQueryDebugFilterState(>)  1 
NtOpenDirectoryObject(>)  3 
NtUserCallNoParam(>)  9 
NtAllocateVirtualMemory(>)  51 

NtQueryInstallUILanguage(>)  1 
NtOpenSymbolicLinkObject(>)  3 
NtUserFindExistingCursorIcon(>)  9 
NtQueryAttributesFile(>)  54 

NtQueryObject(>)  1 
NtQuerySymbolicLinkObject(>)  3 
NtUserGetWindowDC(>)  10 
NtFlushInstructionCache(>)  65 

NtQueryPerformanceCounter(>)  1 
NtReadVirtualMemory(>)  3 
NtCreateKey(>)  11 
NtMapViewOfSection(>)  69 

NtQuerySystemTime(>)  1 
NtSetEvent(>)  3 
NtFreeVirtualMemory(>)  11 
NtQuerySystemInformation(>)  76 

NtRegisterThreadTerminatePort(>)  1 
NtSetInformationObject(>)  3 
NtUserCallOneParam(>)  11 
NtQueryValueKey(>)  105 

NtResumeThread(>)  1 
NtUserOpenDesktop(>)  3 
NtWriteFile(>)  11 
NtUserValidateHandleSecure(>)  130 

NtSecureConnectPort(>)  1 
NtCreateMutant(>)  4 
NtQuerySection(>)  12 
NtOpenKey(>)  153 

NtTestAlert(>)  1 
NtDuplicateObject(>)  4 
NtSetInformationThread(>)  13 
NtProtectVirtualMemory(>)  156 

NtUserBuildNameList(>)  1 
NtQueryVolumeInformationFile(>)  4 
NtCreateEvent(>)  14 
NtUserQueryWindow(>)  158 

NtUserCloseDesktop(>)  1 
NtGdiGetStockObject(>)  5 
NtCreateFile(>)  14 
NtClose(>)  240 

NtUserGetGUIThreadInfo(>)  1 
NtReadFile(>)  5 
NtUserRegisterClassExWOW(>)  14 

Trace:
 00001  1740   NtOpenFile  (0x80100000, {24, 0, 0x240, 0, 0,  (0x80100000, {24, 0, 0x240, 0, 0, "\SystemRoot\Prefetch\PACKED.EXE-09ED06A1.pf"}, 0, 32, ... ) }, 0, 32, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002  1740   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00003  1740   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00004  1740   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00005  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0
 00006  1740   NtAllocateVirtualMemory  (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0
 00007  1740   NtAllocateVirtualMemory  (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0
 00008  1740   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00009  1740   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0
 00010  1740   NtAllocateVirtualMemory  (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0
 00011  1740   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00012  1740   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00013  1740   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00014  1740   NtClose  (12, ... ) == 0x0
 00015  1740   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\C:\scripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00016  1740   NtQueryVolumeInformationFile  (12, 1243852, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00017  1740   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243804, ... ) }, 1243804, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018  1740   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019  1740   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7c800000), 0x0, 1003520, ) == 0x0
 00020  1740   NtClose  (16, ... ) == 0x0
 00021  1740   NtProtectVirtualMemory  (-1, (0x7c801000), 1568, 4, ... (0x7c801000), 4096, 32, ) == 0x0
 00022  1740   NtProtectVirtualMemory  (-1, (0x7c801000), 4096, 32, ... (0x7c801000), 4096, 4, ) == 0x0
 00023  1740   NtFlushInstructionCache  (-1, 2088767488, 1568, ... ) == 0x0
 00024  1740   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00025  1740   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00026  1740   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00027  1740   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00028  1740   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) == 0x0
 00029  1740   NtClose  (16, ... ) == 0x0
 00030  1740   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00031  1740   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00032  1740   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00033  1740   NtQueryVirtualMemory  (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00034  1740   NtAllocateVirtualMemory  (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0
 00035  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184}  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6\31\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 928, 1740, 57961, 0} "`\375\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ... {28, 56, reply, 0, 928, 1740, 57961, 0}  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6\31\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 928, 1740, 57961, 0} "`\375\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ) == 0x0
 00036  1740   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00037  1740   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00038  1740   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00039  1740   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00040  1740   NtClose  (16, ... ) == 0x0
 00041  1740   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 16, ) }, ... 16, ) == 0x0
 00042  1740   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0
 00043  1740   NtClose  (16, ... ) == 0x0
 00044  1740   NtQueryDefaultLocale  (0, 2089305000, ... ) == 0x0
 00045  1740   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 16, ) }, ... 16, ) == 0x0
 00046  1740   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 249856, ) == 0x0
 00047  1740   NtClose  (16, ... ) == 0x0
 00048  1740   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 16, ) }, ... 16, ) == 0x0
 00049  1740   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0
 00050  1740   NtQuerySection  (16, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00051  1740   NtClose  (16, ... ) == 0x0
 00052  1740   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 16, ) }, ... 16, ) == 0x0
 00053  1740   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0
 00054  1740   NtClose  (16, ... ) == 0x0
 00055  1740   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00056  1740   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00057  1740   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00058  1740   NtAllocateVirtualMemory  (-1, 2428928, 0, 8192, 4096, 4, ... 2428928, 8192, ) == 0x0
 00059  1740   NtRequestWaitReplyPort  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776}  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6\31\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" ... {24, 52, reply, 0, 928, 1740, 57962, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" )  ... {24, 52, reply, 0, 928, 1740, 57962, 0}  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6\31\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" ... {24, 52, reply, 0, 928, 1740, 57962, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" )  ) == 0x0
 00060  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0}  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 928, 1740, 57963, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ... {28, 56, reply, 0, 928, 1740, 57963, 0}  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 928, 1740, 57963, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ) == 0x0
 00061  1740   NtProtectVirtualMemory  (-1, (0x47c000), 155648, 4, ... (0x47c000), 155648, 128, ) == 0x0
 00062  1740   NtProtectVirtualMemory  (-1, (0x47c000), 155648, 128, ... (0x47c000), 155648, 4, ) == 0x0
 00063  1740   NtFlushInstructionCache  (-1, 4702208, 155648, ... ) == 0x0
 00064  1740   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2_32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00065  1740   NtAllocateVirtualMemory  (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0
 00066  1740   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.DLL"}, 1242572, ... ) }, 1242572, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00067  1740   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 00068  1740   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.DLL"}, 1242572, ... ) }, 1242572, ... ) == 0x0
 00069  1740   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.DLL"}, 5, 96, ... 16, {status=0x0, info=1}, ) }, 5, 96, ... 16, {status=0x0, info=1}, ) == 0x0
 00070  1740   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 16, ... 28, ) == 0x0
 00071  1740   NtQuerySection  (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00072  1740   NtOpenProcessToken  (-1, 0x8, ... 32, ) == 0x0
 00073  1740   NtQueryInformationToken  (32, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00074  1740   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00075  1740   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 36, ) }, ... 36, ) == 0x0
 00076  1740   NtQueryValueKey  (36,  (36, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (36, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00077  1740   NtClose  (36, ... ) == 0x0
 00078  1740   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00079  1740   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 36, ) == 0x0
 00080  1740   NtQueryInformationToken  (36, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00081  1740   NtClose  (36, ... ) == 0x0
 00082  1740   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00083  1740   NtClose  (32, ... ) == 0x0
 00084  1740   NtClose  (16, ... ) == 0x0
 00085  1740   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 94208, ) == 0x0
 00086  1740   NtClose  (28, ... ) == 0x0
 00087  1740   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00088  1740   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 360448, ) == 0x0
 00089  1740   NtClose  (28, ... ) == 0x0
 00090  1740   NtProtectVirtualMemory  (-1, (0x77c11000), 632, 4, ... (0x77c11000), 4096, 32, ) == 0x0
 00091  1740   NtProtectVirtualMemory  (-1, (0x77c11000), 4096, 32, ... (0x77c11000), 4096, 4, ) == 0x0
 00092  1740   NtFlushInstructionCache  (-1, 2009141248, 632, ... ) == 0x0
 00093  1740   NtProtectVirtualMemory  (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0
 00094  1740   NtProtectVirtualMemory  (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0
 00095  1740   NtFlushInstructionCache  (-1, 1907036160, 468, ... ) == 0x0
 00096  1740   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00097  1740   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1241756, ... ) }, 1241756, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00098  1740   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 1241756, ... ) }, 1241756, ... ) == 0x0
 00099  1740   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00100  1740   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 28, ... 16, ) == 0x0
 00101  1740   NtQuerySection  (16, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00102  1740   NtClose  (28, ... ) == 0x0
 00103  1740   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00104  1740   NtClose  (16, ... ) == 0x0
 00105  1740   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00106  1740   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 634880, ) == 0x0
 00107  1740   NtClose  (16, ... ) == 0x0
 00108  1740   NtProtectVirtualMemory  (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0
 00109  1740   NtProtectVirtualMemory  (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0
 00110  1740   NtFlushInstructionCache  (-1, 2010976256, 1700, ... ) == 0x0
 00111  1740   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00112  1740   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e70000), 0x0, 593920, ) == 0x0
 00113  1740   NtClose  (16, ... ) == 0x0
 00114  1740   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00115  1740   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00116  1740   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00117  1740   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00118  1740   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00119  1740   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00120  1740   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00121  1740   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00122  1740   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00123  1740   NtProtectVirtualMemory  (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0
 00124  1740   NtProtectVirtualMemory  (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0
 00125  1740   NtFlushInstructionCache  (-1, 2010976256, 1700, ... ) == 0x0
 00126  1740   NtProtectVirtualMemory  (-1, (0x71aa1000), 352, 4, ... (0x71aa1000), 4096, 32, ) == 0x0
 00127  1740   NtProtectVirtualMemory  (-1, (0x71aa1000), 4096, 32, ... (0x71aa1000), 4096, 4, ) == 0x0
 00128  1740   NtFlushInstructionCache  (-1, 1906970624, 352, ... ) == 0x0
 00129  1740   NtProtectVirtualMemory  (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0
 00130  1740   NtProtectVirtualMemory  (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0
 00131  1740   NtFlushInstructionCache  (-1, 1907036160, 468, ... ) == 0x0
 00132  1740   NtProtectVirtualMemory  (-1, (0x47c000), 155648, 4, ... (0x47c000), 155648, 64, ) == 0x0
 00133  1740   NtProtectVirtualMemory  (-1, (0x47c000), 155648, 64, ... (0x47c000), 155648, 4, ) == 0x0
 00134  1740   NtFlushInstructionCache  (-1, 4702208, 155648, ... ) == 0x0
 00135  1740   NtQueryInformationProcess  (-1, 37, 48, ... {process info, class 37, size 48}, 0x0, ) == 0x0
 00136  1740   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 5, 96, ... 16, {status=0x0, info=1}, ) }, 5, 96, ... 16, {status=0x0, info=1}, ) == 0x0
 00137  1740   NtReadFile  (16, 0, 0, 0, 4, {185340, 0}, 0, ... {status=0x0, info=4},  (16, 0, 0, 0, 4, {185340, 0}, 0, ... {status=0x0, info=4}, "\300 \0\0", ) , ) == 0x0
 00138  1740   NtReadFile  (16, 0, 0, 0, 8, {8380, 0}, 0, ... {status=0x0, info=8},  (16, 0, 0, 0, 8, {8380, 0}, 0, ... {status=0x0, info=8}, "\320J\233Dhs5\223", ) , ) == 0x0
 00139  1740   NtReadFile  (16, 0, 0, 0, 8, {176948, 0}, 0, ... {status=0x0, info=8},  (16, 0, 0, 0, 8, {176948, 0}, 0, ... {status=0x0, info=8}, "\362;\213\12\257\312\207\325", ) , ) == 0x0
 00140  1740   NtClose  (16, ... ) == 0x0
 00141  1740   NtSetInformationProcess  (-1, 34, {process info, class 34, size 4}, 4, ... ) == 0x0
 00142  1740   NtOpenProcessToken  (-1, 0x8, ... 16, ) == 0x0
 00143  1740   NtQueryInformationToken  (16, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00144  1740   NtClose  (16, ... ) == 0x0
 00145  1740   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00146  1740   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00147  1740   NtClose  (16, ... ) == 0x0
 00148  1740   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msvcrt.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00149  1740   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00150  1740   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3276800, 65536, ) == 0x0
 00151  1740   NtAllocateVirtualMemory  (-1, 3276800, 0, 4096, 4096, 4, ... 3276800, 4096, ) == 0x0
 00152  1740   NtAllocateVirtualMemory  (-1, 3280896, 0, 8192, 4096, 4, ... 3280896, 8192, ) == 0x0
 00153  1740   NtAllocateVirtualMemory  (-1, 3289088, 0, 4096, 4096, 4, ... 3289088, 4096, ) == 0x0
 00154  1740   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 16, ) }, ... 16, ) == 0x0
 00155  1740   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x330000), 0x0, 12288, ) == 0x0
 00156  1740   NtClose  (16, ... ) == 0x0
 00157  1740   NtAllocateVirtualMemory  (-1, 3293184, 0, 4096, 4096, 4, ... 3293184, 4096, ) == 0x0
 00158  1740   NtQueryVirtualMemory  (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 00159  1740   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00160  1740   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00161  1740   NtQueryVirtualMemory  (-1, 0x0, Basic, 28, ... {BaseAddress=0x0,AllocationBase=0x0,AllocationProtect=0x0,RegionSize=0x10000,State=0x10000,Protect=0x1,Type=0x0,}, 28, ) == 0x0
 00162  1740   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00163  1740   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADVAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00164  1740   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00165  1740   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00166  1740   NtQueryValueKey  (16,  (16, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00167  1740   NtClose  (16, ... ) == 0x0
 00168  1740   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 16, ) }, ... 16, ) == 0x0
 00169  1740   NtQueryValueKey  (16,  (16, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00170  1740   NtClose  (16, ... ) == 0x0
 00171  1740   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 16, ) }, ... 16, ) == 0x0
 00172  1740   NtSetInformationObject  (16, Handle, {Inherit=0,ProtectFromClose=1,}, 2011431168, ... ) == 0x0
 00173  1740   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00174  1740   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00175  1740   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2_32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00176  1740   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00177  1740   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00178  1740   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00179  1740   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00180  1740   NtTestAlert  (... ) == 0x0
 00181  1740   NtContinue  (1244464, 1, ...
 00182  1740   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x47c17a,}, 4, ... ) == 0x0
 00183  1740   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 4096, 64, ... 3407872, 4096, ) == 0x0
 00184  1740   NtAllocateVirtualMemory  (-1, 0, 0, 15980, 4096, 4, ... 3473408, 16384, ) == 0x0
 00185  1740   NtFreeVirtualMemory  (-1, (0x350000), 0, 32768, ... (0x350000), 16384, ) == 0x0
 00186  1740   NtFreeVirtualMemory  (-1, (0x340000), 0, 32768, ... (0x340000), 4096, ) == 0x0
 00187  1740   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 28, ) }, ... 28, ) == 0x0
 00188  1740   NtQueryValueKey  (28,  (28, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00189  1740   NtClose  (28, ... ) == 0x0
 00190  1740   NtAllocateVirtualMemory  (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0
 00191  1740   NtProtectVirtualMemory  (-1, (0x40e860), -1662053999, -238816909, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00192  1740   NtProtectVirtualMemory  (-1, (0x3fff02), -1920137235, -2091057152, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00193  1740   NtProtectVirtualMemory  (-1, (0x141c600), 148100, 251738496, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00194  1740   NtProtectVirtualMemory  (-1, (0xfed68589), -362, -2060728949, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00195  1740   NtProtectVirtualMemory  (-1, (0xff4ab58d), -314, -2063466497, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00196  1740   NtProtectVirtualMemory  (-1, (0x500068), 1080710741, 100794367, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00197  1740   NtProtectVirtualMemory  (-1, (0xff6e95ff), 6946816, 268462080, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00198  1740   NtProtectVirtualMemory  (-1, (0x85c90000), 57246735, -1064960001, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00199  1740   NtProtectVirtualMemory  (-1, (0x67f95b00), 232, -322, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00200  1740   NtProtectVirtualMemory  (-1, (0x4002b0), -397192999, 50331651, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00201  1740   NtProtectVirtualMemory  (-1, (0x3ffe86), -1123811957, 915103070, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00202  1740   NtProtectVirtualMemory  (-1, (0xf904c7), -2096466688, 1065607051, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00203  1740   NtProtectVirtualMemory  (-1, (0x3b430000), 112918, -352321536, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00204  1740   NtProtectVirtualMemory  (-1, (0x33cb1301), 880017467, -2096839805, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00205  1740   NtProtectVirtualMemory  (-1, (0x3fff32), -1241558191, 1459911427, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00206  1740   NtProtectVirtualMemory  (-1, (0x85cbcf8b), -695468033, -13715969, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00207  1740   NtProtectVirtualMemory  (-1, (0x5c10ff00), 371205, -322, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00208  1740   NtProtectVirtualMemory  (-1, (0xc82b08c3), -2096794624, -108830887, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00209  1740   NtProtectVirtualMemory  (-1, (0x3ebeb5), -16750080, 8388712, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00210  1740   NtProtectVirtualMemory  (-1, (0x3ec6b5), -1912602625, 848691199, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00211  1740   NtProtectVirtualMemory  (-1, (0x843e8b36), -1961863539, 139365375, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00212  1740   NtProtectVirtualMemory  (-1, (0x77413ce8), 742852490, 1064567033, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00213  1740   NtProtectVirtualMemory  (-1, (0x385a8a14), 1946157434, -2146989065, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00214  1740   NtProtectVirtualMemory  (-1, (0xc10108e8), -1050278817, -1964411617, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00215  1740   NtProtectVirtualMemory  (-1, (0xc101c486), 73370122, -339442160, ... ) == STATUS_INVALID_PAGE_PROTECTION
 00216  1740   NtAllocateVirtualMemory  (-1, 0, 0, 118784, 4096, 4, ... 3407872, 118784, ) == 0x0
 00217  1740   NtAllocateVirtualMemory  (-1, 0, 0, 118784, 4096, 4, ... 3538944, 118784, ) == 0x0
 00218  1740   NtFreeVirtualMemory  (-1, (0x340000), 0, 32768, ... (0x340000), 118784, ) == 0x0
 00219  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1350, 4096, 4, ... 3407872, 4096, ) == 0x0
 00220  1740   NtFreeVirtualMemory  (-1, (0x340000), 0, 32768, ... (0x340000), 4096, ) == 0x0
 00221  1740   NtAllocateVirtualMemory  (-1, 0, 0, 79872, 4096, 4, ... 3407872, 81920, ) == 0x0
 00222  1740   NtFreeVirtualMemory  (-1, (0x340000), 0, 32768, ... (0x340000), 81920, ) == 0x0
 00223  1740   NtAllocateVirtualMemory  (-1, 0, 0, 2048, 4096, 4, ... 3407872, 4096, ) == 0x0
 00224  1740   NtFreeVirtualMemory  (-1, (0x340000), 0, 32768, ... (0x340000), 4096, ) == 0x0
 00225  1740   NtAllocateVirtualMemory  (-1, 0, 0, 2560, 4096, 4, ... 3407872, 4096, ) == 0x0
 00226  1740   NtFreeVirtualMemory  (-1, (0x340000), 0, 32768, ... (0x340000), 4096, ) == 0x0
 00227  1740   NtAllocateVirtualMemory  (-1, 0, 0, 5120, 4096, 4, ... 3407872, 8192, ) == 0x0
 00228  1740   NtFreeVirtualMemory  (-1, (0x340000), 0, 32768, ... (0x340000), 8192, ) == 0x0
 00229  1740   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "user32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00230  1740   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7e410000), 0x0, 589824, ) == 0x0
 00231  1740   NtClose  (28, ... ) == 0x0
 00232  1740   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00233  1740   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f10000), 0x0, 290816, ) == 0x0
 00234  1740   NtClose  (28, ... ) == 0x0
 00235  1740   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00236  1740   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00237  1740   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00238  1740   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00239  1740   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00240  1740   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00241  1740   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00242  1740   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00243  1740   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00244  1740   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00245  1740   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00246  1740   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00247  1740   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00248  1740   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00249  1740   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00250  1740   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00251  1740   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00252  1740   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00253  1740   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00254  1740   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\user32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00255  1740   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00256  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2089900645, 7274606, 2090320576, 1241608}  (24, {28, 56, new_msg, 0, 2089900645, 7274606, 2090320576, 1241608} "\210\6\31\1\0\0\0\0\344\0\23\0\4\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 928, 1740, 57971, 0} "\320G\26\0\0\0\0\0\0\0\0\0\4\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" )  ... {28, 56, reply, 0, 928, 1740, 57971, 0}  (24, {28, 56, new_msg, 0, 2089900645, 7274606, 2090320576, 1241608} "\210\6\31\1\0\0\0\0\344\0\23\0\4\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 928, 1740, 57971, 0} "\320G\26\0\0\0\0\0\0\0\0\0\4\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" )  ) == 0x0
 00257  1740   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239000, ... ) }, 1239000, ... ) == 0x0
 00258  1740   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00259  1740   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 28, ... 32, ) == 0x0
 00260  1740   NtClose  (28, ... ) == 0x0
 00261  1740   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x340000), 0x0, 110592, ) == 0x0
 00262  1740   NtClose  (32, ... ) == 0x0
 00263  1740   NtUnmapViewOfSection  (-1, 0x340000, ... ) == 0x0
 00264  1740   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1238908, ... ) }, 1238908, ... ) == 0x0
 00265  1740   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 32, {status=0x0, info=1}, ) }, 5, 96, ... 32, {status=0x0, info=1}, ) == 0x0
 00266  1740   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 32, ... 28, ) == 0x0
 00267  1740   NtClose  (32, ... ) == 0x0
 00268  1740   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x340000), 0x0, 110592, ) == 0x0
 00269  1740   NtClose  (28, ... ) == 0x0
 00270  1740   NtUnmapViewOfSection  (-1, 0x340000, ... ) == 0x0
 00271  1740   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239216, ... ) }, 1239216, ... ) == 0x0
 00272  1740   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00273  1740   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 28, ... 32, ) == 0x0
 00274  1740   NtQuerySection  (32, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00275  1740   NtClose  (28, ... ) == 0x0
 00276  1740   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76390000), 0x0, 118784, ) == 0x0
 00277  1740   NtClose  (32, ... ) == 0x0
 00278  1740   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00279  1740   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00280  1740   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00281  1740   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00282  1740   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00283  1740   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00284  1740   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00285  1740   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00286  1740   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00287  1740   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMM32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00288  1740   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00289  1740   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00290  1740   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1236132, ... ) }, 1236132, ... ) == 0x0
 00291  1740   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239536, ... ) }, 1239536, ... ) == 0x0
 00292  1740   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00293  1740   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize"}, ... 32, ) }, ... 32, ) == 0x0
 00294  1740   NtQueryValueKey  (32,  (32, "DisableMetaFiles", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00295  1740   NtClose  (32, ... ) == 0x0
 00296  1740   NtMapViewOfSection  (-2147482740, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x580000), 0x0, 1060864, ) == 0x0
 00297  1740   NtClose  (-2147482740, ... ) == 0x0
 00298  1740   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 32, ) == 0x0
 00299  1740   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00300  1740   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482740, ) == 0x0
 00301  1740   NtQueryInformationToken  (-2147482740, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00302  1740   NtQueryInformationToken  (-2147482740, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00303  1740   NtClose  (-2147482740, ... ) == 0x0
 00304  1740   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 3407872, 4096, ) == 0x0
 00305  1740   NtFreeVirtualMemory  (-1, (0x340000), 4096, 32768, ... (0x340000), 4096, ) == 0x0
 00306  1740   NtDuplicateObject  (-1, 28, -1, 0x0, 0, 2, ... 40, ) == 0x0
 00307  1740   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0
 00308  1740   NtQueryValueKey  (-2147482740,  (-2147482740, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00309  1740   NtClose  (-2147482740, ... ) == 0x0
 00310  1740   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0
 00311  1740   NtQueryValueKey  (-2147482740,  (-2147482740, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00312  1740   NtClose  (-2147482740, ... ) == 0x0
 00313  1740   NtQueryDefaultLocale  (0, -106645172, ... ) == 0x0
 00314  1740   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00315  1740   NtUserCallNoParam  (24, ... ) == 0x0
 00316  1740   NtGdiCreateCompatibleDC  (0, ...
 00317  1740   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 3407872, 4096, ) == 0x0
 00316  1740   NtGdiCreateCompatibleDC  ... ) == 0xee0105b0
 00318  1740   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00319  1740   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00320  1740   NtGdiCreateBitmap  (8, 8, 1, 1, 2118200212, ... ) == 0x76050581
 00321  1740   NtGdiCreateSolidBrush  (0, 0, ...
 00322  1740   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 3473408, 4096, ) == 0x0
 00321  1740   NtGdiCreateSolidBrush  ... ) == 0xa51003d2
 00323  1740   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00324  1740   NtGdiCreateCompatibleDC  (0, ... ) == 0x5201039b
 00325  1740   NtGdiSelectBitmap  (1375798171, 1980040577, ... ) == 0x185000f
 00326  1740   NtUserGetThreadDesktop  (1740, 0, ... ) == 0x24
 00327  1740   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 44, ) }, ... 44, ) == 0x0
 00328  1740   NtQueryValueKey  (44,  (44, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (44, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00329  1740   NtClose  (44, ... ) == 0x0
 00330  1740   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00331  1740   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 673, 128, 0, ... ) == 0x8174c017
 00332  1740   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00333  1740   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 674, 128, 0, ... ) == 0x8174c01c
 00334  1740   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00335  1740   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 675, 128, 0, ... ) == 0x8174c01e
 00336  1740   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00337  1740   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 676, 128, 0, ... ) == 0x81748002
 00338  1740   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10013
 00339  1740   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 677, 128, 0, ... ) == 0x8174c018
 00340  1740   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00341  1740   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 678, 128, 0, ... ) == 0x8174c01a
 00342  1740   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00343  1740   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 679, 128, 0, ... ) == 0x8174c01d
 00344  1740   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00345  1740   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 681, 128, 0, ... ) == 0x8174c026
 00346  1740   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00347  1740   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 680, 128, 0, ... ) == 0x8174c019
 00348  1740   NtUserRegisterClassExWOW  (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x8174c020
 00349  1740   NtUserRegisterClassExWOW  (1240932, 1241028, 1241012, 1241000, 0, 130, 0, ... ) == 0x8174c022
 00350  1740   NtUserRegisterClassExWOW  (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x8174c023
 00351  1740   NtUserRegisterClassExWOW  (1240932, 1241028, 1241012, 1241000, 0, 130, 0, ... ) == 0x8174c024
 00352  1740   NtUserRegisterClassExWOW  (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x8174c025
 00353  1740   NtCallbackReturn  (0, 0, 0, ...
 00354  1740   NtGdiInit  (... ) == 0x1
 00355  1740   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00356  1740   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00357  1740   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ole32.dll"}, ... 44, ) }, ... 44, ) == 0x0
 00358  1740   NtMapViewOfSection  (44, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x774e0000), 0x0, 1298432, ) == 0x0
 00359  1740   NtClose  (44, ... ) == 0x0
 00360  1740   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00361  1740   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00362  1740   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00363  1740   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00364  1740   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00365  1740   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00366  1740   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00367  1740   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00368  1740   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00369  1740   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00370  1740   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00371  1740   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00372  1740   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00373  1740   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00374  1740   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00375  1740   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00376  1740   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00377  1740   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00378  1740   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00379  1740   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00380  1740   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00381  1740   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ole32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00382  1740   NtAllocateVirtualMemory  (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0
 00383  1740   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... 44, {status=0x0, info=0}, ) }, 7, 16, ... 44, {status=0x0, info=0}, ) == 0x0
 00384  1740   NtDeviceIoControlFile  (44, 0, 0x0, 0x0, 0x390008,  (44, 0, 0x0, 0x0, 0x390008, "\235\372y\306\314\301\202S\3741\1~A\277!f\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00385  1740   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00386  1740   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00387  1740   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00388  1740   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00389  1740   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00390  1740   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00391  1740   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00392  1740   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482740, 2, ) }, 0, 0x0, 0, ... -2147482740, 2, ) == 0x0
 00393  1740   NtSetValueKey  (-2147482740,  (-2147482740, "Seed", 0, 3, "9\241\302\354\24I\334\2536\332d\363a\342\233\241\306\306\217_5G\2;6\245\333\245\235\337\357\34\22\341\247\23\373^\306\275\213x8\336\3\312A\20\261MZ~\15\225\317Us\226\20S\323\344Z\224JD\30\275\33\23\217V\210\226\304\360Us2\227", 80, ... ) , 0, 3,  (-2147482740, "Seed", 0, 3, "9\241\302\354\24I\334\2536\332d\363a\342\233\241\306\306\217_5G\2;6\245\333\245\235\337\357\34\22\341\247\23\373^\306\275\213x8\336\3\312A\20\261MZ~\15\225\317Us\226\20S\323\344Z\224JD\30\275\33\23\217V\210\226\304\360Us2\227", 80, ... ) , 80, ... ) == 0x0
 00394  1740   NtClose  (-2147482740, ... ) == 0x0
 00384  1740   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\177<\26\324\363\352]iOMzLf\242\217u\270\354\266\207\321\214Z\202\201\364\232\2647\204\21\10I\236\204\13\315\36\317\244<{"\362\300\36Z\302NM^X\46{\340\323o\253\230\350T\12\26\16\215g6\12l[\3\16\306\2d\221\222G\267\342\2273\335\334\118\17\227%\351\3033SN\362\262\220;\241\305\226};\26Bg\30\26\14&\177\21\275oU\317U\240\267w\217u\345W\240\330\212\311\270\226\325\371\265\334\316J\25\221)\215:\274\525\306 \23\374\301\306!\310v\2350I\4\260\332Cc\372\6\236)E\211\316-B\2549\37\32\244\206\357'P}\333\12\253|,o\2628\210\363\22#\340@\32I\240\6O\254\307\334\370\357\224\324\276\22\203bJ\303\270+\361\252\28\367\5}\5Y\227As*t\230\277\20W\11}))A\177\12.#\255\322\14s\331\375\11@\230\212\316\177\307", ) \362\300\36Z\302NM^X\46{\340\323o\253\230\350T\12\26\16\215g6\12l[\3\16\306\2d\221\222G\267\342\2273\335\334\118\17\227%\351\3033SN\362\262\220;\241\305\226};\26Bg\30\26\14&\177\21\275oU\317U\240\267w\217u\345W\240\330\212\311\270\226\325\371\265\334\316J\25\221)\215:\274\525\306 \23\374\301\306!\310v\2350I\4\260\332Cc\372\6\236)E\211\316-B\2549\37\32\244\206\357'P}\333\12\253|,o\2628\210\363\22#\340@\32I\240\6O\254\307\334\370\357\224\324\276\22\203bJ\303\270+\361\252\28\367\5}\5Y\227As*t\230\277\20W\11}))A\177\12.#\255\322\14s\331\375\11@\230\212\316\177\307", ) == 0x0
 00395  1740   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00396  1740   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00397  1740   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 48, ) }, ... 48, ) == 0x0
 00398  1740   NtQueryValueKey  (48,  (48, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (48, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0
 00399  1740   NtClose  (48, ... ) == 0x0
 00400  1740   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Ole"}, ... 48, ) }, ... 48, ) == 0x0
 00401  1740   NtQueryValueKey  (48,  (48, "RWLockResourceTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00402  1740   NtClose  (48, ... ) == 0x0
 00403  1740   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00404  1740   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00405  1740   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00406  1740   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00407  1740   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 48, ) }, ... 48, ) == 0x0
 00408  1740   NtQueryValueKey  (48,  (48, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00409  1740   NtQueryValueKey  (48,  (48, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00410  1740   NtQueryValueKey  (48,  (48, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00411  1740   NtClose  (48, ... ) == 0x0
 00412  1740   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 48, ) }, ... 48, ) == 0x0
 00413  1740   NtQueryValueKey  (48,  (48, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00414  1740   NtQueryValueKey  (48,  (48, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00415  1740   NtClose  (48, ... ) == 0x0
 00416  1740   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 48, ) }, ... 48, ) == 0x0
 00417  1740   NtOpenEvent  (0x1f0003, {24, 48, 0x0, 0, 0,  (0x1f0003, {24, 48, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00418  1740   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00419  1740   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 52, ) == 0x0
 00420  1740   NtQueryInformationToken  (52, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00421  1740   NtClose  (52, ... ) == 0x0
 00422  1740   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 52, ) }, ... 52, ) == 0x0
 00423  1740   NtSetInformationObject  (52, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 00424  1740   NtOpenKey  (0xf003f, {24, 52, 0x40, 0, 0,  (0xf003f, {24, 52, 0x40, 0, 0, "Software\Borland\Locales"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00425  1740   NtOpenKey  (0xf003f, {24, 52, 0x40, 0, 0,  (0xf003f, {24, 52, 0x40, 0, 0, "Software\Borland\Delphi\Locales"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00426  1740   NtOpenProcessToken  (-1, 0x8, ... 56, ) == 0x0
 00427  1740   NtQueryInformationToken  (56, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00428  1740   NtClose  (56, ... ) == 0x0
 00429  1740   NtUserCallOneParam  (0, 41, ... ) == 0x4
 00430  1740   NtAllocateVirtualMemory  (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0
 00431  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 1, ... 10027008, 1048576, ) == 0x0
 00432  1740   NtAllocateVirtualMemory  (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0
 00433  1740   NtAllocateVirtualMemory  (-1, 10027008, 0, 16384, 4096, 4, ... 10027008, 16384, ) == 0x0
 00434  1740   NtUserCallNoParam  (29, ...
 00435  1740   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1242268, ... ) }, 1242268, ... ) == 0x0
 00436  1740   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 56, {status=0x0, info=1}, ) }, 5, 96, ... 56, {status=0x0, info=1}, ) == 0x0
 00437  1740   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 56, ... 60, ) == 0x0
 00438  1740   NtClose  (56, ... ) == 0x0
 00439  1740   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x380000), 0x0, 221184, ) == 0x0
 00440  1740   NtClose  (60, ... ) == 0x0
 00441  1740   NtUnmapViewOfSection  (-1, 0x380000, ... ) == 0x0
 00442  1740   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1242576, ... ) }, 1242576, ... ) == 0x0
 00443  1740   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 60, {status=0x0, info=1}, ) }, 5, 96, ... 60, {status=0x0, info=1}, ) == 0x0
 00444  1740   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 60, ... 56, ) == 0x0
 00445  1740   NtQuerySection  (56, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00446  1740   NtClose  (60, ... ) == 0x0
 00447  1740   NtMapViewOfSection  (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5ad70000), 0x0, 229376, ) == 0x0
 00448  1740   NtClose  (56, ... ) == 0x0
 00449  1740   NtProtectVirtualMemory  (-1, (0x5ad71000), 1300, 4, ... (0x5ad71000), 4096, 32, ) == 0x0
 00450  1740   NtProtectVirtualMemory  (-1, (0x5ad71000), 4096, 32, ... (0x5ad71000), 4096, 4, ) == 0x0
 00451  1740   NtFlushInstructionCache  (-1, 1524043776, 1300, ... ) == 0x0
 00452  1740   NtProtectVirtualMemory  (-1, (0x5ad71000), 1300, 4, ... (0x5ad71000), 4096, 32, ) == 0x0
 00453  1740   NtProtectVirtualMemory  (-1, (0x5ad71000), 4096, 32, ... (0x5ad71000), 4096, 4, ) == 0x0
 00454  1740   NtFlushInstructionCache  (-1, 1524043776, 1300, ... ) == 0x0
 00455  1740   NtProtectVirtualMemory  (-1, (0x5ad71000), 1300, 4, ... (0x5ad71000), 4096, 32, ) == 0x0
 00456  1740   NtProtectVirtualMemory  (-1, (0x5ad71000), 4096, 32, ... (0x5ad71000), 4096, 4, ) == 0x0
 00457  1740   NtFlushInstructionCache  (-1, 1524043776, 1300, ... ) == 0x0
 00458  1740   NtProtectVirtualMemory  (-1, (0x5ad71000), 1300, 4, ... (0x5ad71000), 4096, 32, ) == 0x0
 00459  1740   NtProtectVirtualMemory  (-1, (0x5ad71000), 4096, 32, ... (0x5ad71000), 4096, 4, ) == 0x0
 00460  1740   NtFlushInstructionCache  (-1, 1524043776, 1300, ... ) == 0x0
 00461  1740   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uxtheme.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00462  1740   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00463  1740   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00464  1740   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00465  1740   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 56, ) == 0x0
 00466  1740   NtQueryInformationToken  (56, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00467  1740   NtClose  (56, ... ) == 0x0
 00468  1740   NtOpenKey  (0x2001f, {24, 0, 0x640, 0, 0,  (0x2001f, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 56, ) }, ... 56, ) == 0x0
 00469  1740   NtOpenKey  (0x1, {24, 56, 0x40, 0, 0,  (0x1, {24, 56, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\ThemeManager"}, ... 60, ) }, ... 60, ) == 0x0
 00470  1740   NtQueryValueKey  (60,  (60, "Compositing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00471  1740   NtClose  (60, ... ) == 0x0
 00472  1740   NtClose  (56, ... ) == 0x0
 00473  1740   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00474  1740   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 56, ) == 0x0
 00475  1740   NtQueryInformationToken  (56, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00476  1740   NtClose  (56, ... ) == 0x0
 00477  1740   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 56, ) }, ... 56, ) == 0x0
 00478  1740   NtOpenKey  (0x1, {24, 56, 0x40, 0, 0,  (0x1, {24, 56, 0x40, 0, 0, "Control Panel\Desktop"}, ... 60, ) }, ... 60, ) == 0x0
 00479  1740   NtQueryValueKey  (60,  (60, "LameButtonText", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00480  1740   NtClose  (60, ... ) == 0x0
 00481  1740   NtClose  (56, ... ) == 0x0
 00482  1740   NtUserGetProcessWindowStation  (... ) == 0x1c
 00483  1740   NtUserGetObjectInformation  (28, 2, 1244364, 64, 1244360, ... ) == 0x1
 00484  1740   NtUserGetGUIThreadInfo  (1740, 1244384, ... ) == 0x1
 00485  1740   NtConnectPort  ( ("\ThemeApiPort", {12, 2, 1, 1}, 0x0, 0x0, 1244228, 64, ... 56, 0x0, 0x0, 0x0, 64, ) , {12, 2, 1, 1}, 0x0, 0x0, 1244228, 64, ... 56, 0x0, 0x0, 0x0, 64, ) == 0x0
 00486  1740   NtRequestWaitReplyPort  (56, {32, 56, new_msg, 0, 0, 0, 0, 0}  (56, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 928, 1740, 57973, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 928, 1740, 57973, 0}  (56, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 928, 1740, 57973, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 00487  1740   NtRequestWaitReplyPort  (56, {32, 56, new_msg, 0, 0, 0, 0, 0}  (56, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 928, 1740, 57974, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 928, 1740, 57974, 0}  (56, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 928, 1740, 57974, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 00488  1740   NtUserCallNoParam  (29, ...
 00489  1740   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1241624, ... ) }, 1241624, ... ) == 0x0
 00488  1740   NtUserCallNoParam  ... ) == 0x0
 00490  1740   NtUserSystemParametersInfo  (41, 0, 1524240760, 0, ... ) == 0x1
 00491  1740   NtGdiHfontCreate  (1243752, 356, 0, 0, 1340336, ... ) == 0x330a04e1
 00492  1740   NtGdiHfontCreate  (1243752, 356, 0, 0, 1340328, ... ) == 0x520a0634
 00493  1740   NtRequestWaitReplyPort  (56, {32, 56, new_msg, 0, 0, 0, 0, 0}  (56, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 928, 1740, 57975, 0} "\0\0\0\0\0\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 928, 1740, 57975, 0}  (56, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 928, 1740, 57975, 0} "\0\0\0\0\0\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 00494  1740   NtMapViewOfSection  (60, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x380000), {0, 0}, 327680, ) == 0x0
 00495  1740   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00496  1740   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00497  1740   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00498  1740   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00499  1740   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00500  1740   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00501  1740   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00502  1740   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00503  1740   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00504  1740   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00505  1740   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00506  1740   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00507  1740   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00508  1740   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00509  1740   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00510  1740   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00511  1740   NtAllocateVirtualMemory  (-1, 3297280, 0, 4096, 4096, 4, ... 3297280, 4096, ) == 0x0
 00512  1740   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00513  1740   NtGdiCreatePatternBrushInternal  (59048383, 0, 0, ... ) == 0x72100798
 00514  1740   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00515  1740   NtUserCallNoParam  (29, ...
 00516  1740   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1241064, ... ) }, 1241064, ... ) == 0x0
 00515  1740   NtUserCallNoParam  ... ) == 0x0
 00517  1740   NtUserCallNoParam  (29, ...
 00518  1740   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1241060, ... ) }, 1241060, ... ) == 0x0
 00517  1740   NtUserCallNoParam  ... ) == 0x0
 00434  1740   NtUserCallNoParam  ... ) == 0x1
 00519  1740   NtQueryVirtualMemory  (-1, 0x373313, Basic, 28, ... {BaseAddress=0x373000,AllocationBase=0x360000,AllocationProtect=0x4,RegionSize=0xa000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00520  1740   NtQueryInformationProcess  (-1, 34, 4, ... {process info, class 34, size 4}, 0x0, ) == 0x0
 00521  1740   NtContinue  (1244356, 0, ...
 00522  1740   NtQueryVirtualMemory  (-1, 0x372d5c, Basic, 28, ... {BaseAddress=0x372000,AllocationBase=0x360000,AllocationProtect=0x4,RegionSize=0xb000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00523  1740   NtQueryInformationProcess  (-1, 34, 4, ... {process info, class 34, size 4}, 0x0, ) == 0x0
 00524  1740   NtContinue  (1244032, 0, ...
 00525  1740   NtQueryVirtualMemory  (-1, 0x372dc0, Basic, 28, ... {BaseAddress=0x372000,AllocationBase=0x360000,AllocationProtect=0x4,RegionSize=0xb000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00526  1740   NtQueryInformationProcess  (-1, 34, 4, ... {process info, class 34, size 4}, 0x0, ) == 0x0
 00527  1740   NtContinue  (1244032, 0, ...
 00528  1740   NtQueryVirtualMemory  (-1, 0x370d71, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x360000,AllocationProtect=0x4,RegionSize=0xd000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00529  1740   NtQueryInformationProcess  (-1, 34, 4, ... {process info, class 34, size 4}, 0x0, ) == 0x0
 00530  1740   NtQueryVirtualMemory  (-1, 0x373132, Basic, 28, ... {BaseAddress=0x373000,AllocationBase=0x360000,AllocationProtect=0x4,RegionSize=0xa000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00531  1740   NtQueryInformationProcess  (-1, 34, 4, ... {process info, class 34, size 4}, 0x0, ) == 0x0
 00532  1740   NtQueryVirtualMemory  (-1, 0x7c816fe0, Basic, 28, ... {BaseAddress=0x7c816000,AllocationBase=0x7c800000,AllocationProtect=0x80,RegionSize=0x6e000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 00533  1740   NtQueryInformationProcess  (-1, DebugPort, 4, ... {process info, class 7, size 4}, 0x0, ) == 0x0
 00534  1740   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00535  1740   NtQueryVirtualMemory  (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 00536  1740   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00537  1740   NtQueryInformationJobObject  (0, BasicLimit, 48, ... ) == STATUS_ACCESS_DENIED
 00538  1740   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AeDebug"}, ... 64, ) }, ... 64, ) == 0x0
 00539  1740   NtQueryValueKey  (64,  (64, "Auto", Partial, 526, ... TitleIdx=0, Type=1, Data="0\0\0\0"}, 16, ) , Partial, 526, ... TitleIdx=0, Type=1, Data= (64, "Auto", Partial, 526, ... TitleIdx=0, Type=1, Data="0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00540  1740   NtQueryValueKey  (64,  (64, "Debugger", Partial, 526, ... TitleIdx=0, Type=1, Data=""\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0V\0i\0s\0u\0a\0l\0 \0S\0t\0u\0d\0i\0o\0\\0C\0o\0m\0m\0o\0n\0\\0M\0S\0D\0e\0v\09\08\0\\0B\0i\0n\0\\0m\0s\0d\0e\0v\0.\0e\0x\0e\0"\0 \0-\0p\0 \0%\0l\0d\0 \0-\0e\0 \0%\0l\0d\0\0\0"}, 184, ) , Partial, 526, ... TitleIdx=0, Type=1, Data=" (64, "Debugger", Partial, 526, ... TitleIdx=0, Type=1, Data=""\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0V\0i\0s\0u\0a\0l\0 \0S\0t\0u\0d\0i\0o\0\\0C\0o\0m\0m\0o\0n\0\\0M\0S\0D\0e\0v\09\08\0\\0B\0i\0n\0\\0m\0s\0d\0e\0v\0.\0e\0x\0e\0"\0 \0-\0p\0 \0%\0l\0d\0 \0-\0e\0 \0%\0l\0d\0\0\0"}, 184, ) \0 \0-\0p\0 \0%\0l\0d\0 \0-\0e\0 \0%\0l\0d\0\0\0"}, 184, ) == 0x0
 00541  1740   NtClose  (64, ... ) == 0x0
 00542  1740   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\faultrep.dll"}, 1239712, ... ) }, 1239712, ... ) == 0x0
 00543  1740   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\faultrep.dll"}, 5, 96, ... 64, {status=0x0, info=1}, ) }, 5, 96, ... 64, {status=0x0, info=1}, ) == 0x0
 00544  1740   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 64, ... 68, ) == 0x0
 00545  1740   NtClose  (64, ... ) == 0x0
 00546  1740   NtMapViewOfSection  (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x3d0000), 0x0, 81920, ) == 0x0
 00547  1740   NtClose  (68, ... ) == 0x0
 00548  1740   NtUnmapViewOfSection  (-1, 0x3d0000, ... ) == 0x0
 00549  1740   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\faultrep.dll"}, 1240020, ... ) }, 1240020, ... ) == 0x0
 00550  1740   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\faultrep.dll"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00551  1740   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 68, ... 64, ) == 0x0
 00552  1740   NtQuerySection  (64, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00553  1740   NtClose  (68, ... ) == 0x0
 00554  1740   NtMapViewOfSection  (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x69450000), 0x0, 90112, ) == 0x0
 00555  1740   NtClose  (64, ... ) == 0x0
 00556  1740   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "VERSION.dll"}, ... 64, ) }, ... 64, ) == 0x0
 00557  1740   NtMapViewOfSection  (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c00000), 0x0, 32768, ) == 0x0
 00558  1740   NtClose  (64, ... ) == 0x0
 00559  1740   NtProtectVirtualMemory  (-1, (0x77c01000), 304, 4, ... (0x77c01000), 4096, 32, ) == 0x0
 00560  1740   NtProtectVirtualMemory  (-1, (0x77c01000), 4096, 32, ... (0x77c01000), 4096, 4, ) == 0x0
 00561  1740   NtFlushInstructionCache  (-1, 2009075712, 304, ... ) == 0x0
 00562  1740   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "USERENV.dll"}, ... 64, ) }, ... 64, ) == 0x0
 00563  1740   NtMapViewOfSection  (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x769c0000), 0x0, 733184, ) == 0x0
 00564  1740   NtClose  (64, ... ) == 0x0
 00565  1740   NtProtectVirtualMemory  (-1, (0x769c1000), 1244, 4, ... (0x769c1000), 4096, 32, ) == 0x0
 00566  1740   NtProtectVirtualMemory  (-1, (0x769c1000), 4096, 32, ... (0x769c1000), 4096, 4, ) == 0x0
 00567  1740   NtFlushInstructionCache  (-1, 1989939200, 1244, ... ) == 0x0
 00568  1740   NtProtectVirtualMemory  (-1, (0x769c1000), 1244, 4, ... (0x769c1000), 4096, 32, ) == 0x0
 00569  1740   NtProtectVirtualMemory  (-1, (0x769c1000), 4096, 32, ... (0x769c1000), 4096, 4, ) == 0x0
 00570  1740   NtFlushInstructionCache  (-1, 1989939200, 1244, ... ) == 0x0
 00571  1740   NtProtectVirtualMemory  (-1, (0x769c1000), 1244, 4, ... (0x769c1000), 4096, 32, ) == 0x0
 00572  1740   NtProtectVirtualMemory  (-1, (0x769c1000), 4096, 32, ... (0x769c1000), 4096, 4, ) == 0x0
 00573  1740   NtFlushInstructionCache  (-1, 1989939200, 1244, ... ) == 0x0
 00574  1740   NtProtectVirtualMemory  (-1, (0x769c1000), 1244, 4, ... (0x769c1000), 4096, 32, ) == 0x0
 00575  1740   NtProtectVirtualMemory  (-1, (0x769c1000), 4096, 32, ... (0x769c1000), 4096, 4, ) == 0x0
 00576  1740   NtFlushInstructionCache  (-1, 1989939200, 1244, ... ) == 0x0
 00577  1740   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WINSTA.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00578  1740   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WINSTA.dll"}, 1239196, ... ) }, 1239196, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00579  1740   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WINSTA.dll"}, 1239196, ... ) }, 1239196, ... ) == 0x0
 00580  1740   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WINSTA.dll"}, 5, 96, ... 64, {status=0x0, info=1}, ) }, 5, 96, ... 64, {status=0x0, info=1}, ) == 0x0
 00581  1740   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 64, ... 68, ) == 0x0
 00582  1740   NtQuerySection  (68, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00583  1740   NtClose  (64, ... ) == 0x0
 00584  1740   NtMapViewOfSection  (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76360000), 0x0, 65536, ) == 0x0
 00585  1740   NtClose  (68, ... ) == 0x0
 00586  1740   NtProtectVirtualMemory  (-1, (0x76361000), 212, 4, ... (0x76361000), 4096, 32, ) == 0x0
 00587  1740   NtProtectVirtualMemory  (-1, (0x76361000), 4096, 32, ... (0x76361000), 4096, 4, ) == 0x0
 00588  1740   NtFlushInstructionCache  (-1, 1983254528, 212, ... ) == 0x0
 00589  1740   NtProtectVirtualMemory  (-1, (0x76361000), 212, 4, ... (0x76361000), 4096, 32, ) == 0x0
 00590  1740   NtProtectVirtualMemory  (-1, (0x76361000), 4096, 32, ... (0x76361000), 4096, 4, ) == 0x0
 00591  1740   NtFlushInstructionCache  (-1, 1983254528, 212, ... ) == 0x0
 00592  1740   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "NETAPI32.dll"}, ... 68, ) }, ... 68, ) == 0x0
 00593  1740   NtMapViewOfSection  (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5b860000), 0x0, 344064, ) == 0x0
 00594  1740   NtClose  (68, ... ) == 0x0
 00595  1740   NtProtectVirtualMemory  (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0
 00596  1740   NtProtectVirtualMemory  (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0
 00597  1740   NtFlushInstructionCache  (-1, 1535512576, 1168, ... ) == 0x0
 00598  1740   NtProtectVirtualMemory  (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0
 00599  1740   NtProtectVirtualMemory  (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0
 00600  1740   NtFlushInstructionCache  (-1, 1535512576, 1168, ... ) == 0x0
 00601  1740   NtProtectVirtualMemory  (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0
 00602  1740   NtProtectVirtualMemory  (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0
 00603  1740   NtFlushInstructionCache  (-1, 1535512576, 1168, ... ) == 0x0
 00604  1740   NtProtectVirtualMemory  (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0
 00605  1740   NtProtectVirtualMemory  (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0
 00606  1740   NtFlushInstructionCache  (-1, 1535512576, 1168, ... ) == 0x0
 00607  1740   NtProtectVirtualMemory  (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0
 00608  1740   NtProtectVirtualMemory  (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0
 00609  1740   NtFlushInstructionCache  (-1, 1535512576, 1168, ... ) == 0x0
 00610  1740   NtProtectVirtualMemory  (-1, (0x76361000), 212, 4, ... (0x76361000), 4096, 32, ) == 0x0
 00611  1740   NtProtectVirtualMemory  (-1, (0x76361000), 4096, 32, ... (0x76361000), 4096, 4, ) == 0x0
 00612  1740   NtFlushInstructionCache  (-1, 1983254528, 212, ... ) == 0x0
 00613  1740   NtProtectVirtualMemory  (-1, (0x76361000), 212, 4, ... (0x76361000), 4096, 32, ) == 0x0
 00614  1740   NtProtectVirtualMemory  (-1, (0x76361000), 4096, 32, ... (0x76361000), 4096, 4, ) == 0x0
 00615  1740   NtFlushInstructionCache  (-1, 1983254528, 212, ... ) == 0x0
 00616  1740   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WTSAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00617  1740   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WTSAPI32.dll"}, 1239196, ... ) }, 1239196, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00618  1740   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WTSAPI32.dll"}, 1239196, ... ) }, 1239196, ... ) == 0x0
 00619  1740   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WTSAPI32.dll"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00620  1740   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 68, ... 64, ) == 0x0
 00621  1740   NtQuerySection  (64, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00622  1740   NtClose  (68, ... ) == 0x0
 00623  1740   NtMapViewOfSection  (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f50000), 0x0, 32768, ) == 0x0
 00624  1740   NtClose  (64, ... ) == 0x0
 00625  1740   NtProtectVirtualMemory  (-1, (0x76f51000), 332, 4, ... (0x76f51000), 4096, 32, ) == 0x0
 00626  1740   NtProtectVirtualMemory  (-1, (0x76f51000), 4096, 32, ... (0x76f51000), 4096, 4, ) == 0x0
 00627  1740   NtFlushInstructionCache  (-1, 1995771904, 332, ... ) == 0x0
 00628  1740   NtProtectVirtualMemory  (-1, (0x76f51000), 332, 4, ... (0x76f51000), 4096, 32, ) == 0x0
 00629  1740   NtProtectVirtualMemory  (-1, (0x76f51000), 4096, 32, ... (0x76f51000), 4096, 4, ) == 0x0
 00630  1740   NtFlushInstructionCache  (-1, 1995771904, 332, ... ) == 0x0
 00631  1740   NtProtectVirtualMemory  (-1, (0x76f51000), 332, 4, ... (0x76f51000), 4096, 32, ) == 0x0
 00632  1740   NtProtectVirtualMemory  (-1, (0x76f51000), 4096, 32, ... (0x76f51000), 4096, 4, ) == 0x0
 00633  1740   NtFlushInstructionCache  (-1, 1995771904, 332, ... ) == 0x0
 00634  1740   NtProtectVirtualMemory  (-1, (0x76f51000), 332, 4, ... (0x76f51000), 4096, 32, ) == 0x0
 00635  1740   NtProtectVirtualMemory  (-1, (0x76f51000), 4096, 32, ... (0x76f51000), 4096, 4, ) == 0x0
 00636  1740   NtFlushInstructionCache  (-1, 1995771904, 332, ... ) == 0x0
 00637  1740   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SETUPAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00638  1740   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\SETUPAPI.dll"}, 1239196, ... ) }, 1239196, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00639  1740   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SETUPAPI.dll"}, 1239196, ... ) }, 1239196, ... ) == 0x0
 00640  1740   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SETUPAPI.dll"}, 5, 96, ... 64, {status=0x0, info=1}, ) }, 5, 96, ... 64, {status=0x0, info=1}, ) == 0x0
 00641  1740   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 64, ... 68, ) == 0x0
 00642  1740   NtQuerySection  (68, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00643  1740   NtClose  (64, ... ) == 0x0
 00644  1740   NtMapViewOfSection  (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77920000), 0x0, 995328, ) == 0x0
 00645  1740   NtClose  (68, ... ) == 0x0
 00646  1740   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 00647  1740   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 00648  1740   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 00649  1740   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 00650  1740   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 00651  1740   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 00652  1740   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 00653  1740   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 00654  1740   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 00655  1740   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 00656  1740   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 00657  1740   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 00658  1740   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 00659  1740   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 00660  1740   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 00661  1740   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 68, ) }, ... 68, ) == 0x0
 00662  1740   NtMapViewOfSection  (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f60000), 0x0, 483328, ) == 0x0
 00663  1740   NtClose  (68, ... ) == 0x0
 00664  1740   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 00665  1740   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 00666  1740   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 00667  1740   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 00668  1740   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 00669  1740   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 00670  1740   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 00671  1740   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 00672  1740   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 00673  1740   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 00674  1740   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 00675  1740   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 00676  1740   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 00677  1740   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 00678  1740   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 00679  1740   NtProtectVirtualMemory  (-1, (0x69451000), 736, 4, ... (0x69451000), 4096, 32, ) == 0x0
 00680  1740   NtProtectVirtualMemory  (-1, (0x69451000), 4096, 32, ... (0x69451000), 4096, 4, ) == 0x0
 00681  1740   NtFlushInstructionCache  (-1, 1766133760, 736, ... ) == 0x0
 00682  1740   NtProtectVirtualMemory  (-1, (0x69451000), 736, 4, ... (0x69451000), 4096, 32, ) == 0x0
 00683  1740   NtProtectVirtualMemory  (-1, (0x69451000), 4096, 32, ... (0x69451000), 4096, 4, ) == 0x0
 00684  1740   NtFlushInstructionCache  (-1, 1766133760, 736, ... ) == 0x0
 00685  1740   NtProtectVirtualMemory  (-1, (0x69451000), 736, 4, ... (0x69451000), 4096, 32, ) == 0x0
 00686  1740   NtProtectVirtualMemory  (-1, (0x69451000), 4096, 32, ... (0x69451000), 4096, 4, ) == 0x0
 00687  1740   NtFlushInstructionCache  (-1, 1766133760, 736, ... ) == 0x0
 00688  1740   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VERSION.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00689  1740   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USERENV.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00690  1740   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 68, ) }, ... 68, ) == 0x0
 00691  1740   NtQueryValueKey  (68,  (68, "UserEnvDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00692  1740   NtClose  (68, ... ) == 0x0
 00693  1740   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 68, ) }, ... 68, ) == 0x0
 00694  1740   NtQueryValueKey  (68,  (68, "ChkAccDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00695  1740   NtClose  (68, ... ) == 0x0
 00696  1740   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Control\ProductOptions"}, ... 68, ) }, ... 68, ) == 0x0
 00697  1740   NtQueryValueKey  (68,  (68, "ProductType", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0i\0n\0N\0T\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (68, "ProductType", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0i\0n\0N\0T\0\0\0"}, 24, ) }, 24, ) == 0x0
 00698  1740   NtClose  (68, ... ) == 0x0
 00699  1740   NtCreateEvent  (0x1f0003, {24, 48, 0x80, 1237788, 0,  (0x1f0003, {24, 48, 0x80, 1237788, 0, "Global\userenv:  User Profile setup event"}, 0, 1, ... 68, ) }, 0, 1, ... 68, ) == STATUS_OBJECT_NAME_EXISTS
 00700  1740   NtQueryDefaultUILanguage  (2090319928, ...
 00701  1740   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00702  1740   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482740, ) == 0x0
 00703  1740   NtQueryInformationToken  (-2147482740, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00704  1740   NtClose  (-2147482740, ... ) == 0x0
 00705  1740   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0
 00706  1740   NtOpenKey  (0x80000000, {24, -2147482740, 0x240, 0, 0,  (0x80000000, {24, -2147482740, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00707  1740   NtOpenKey  (0x80000000, {24, -2147482740, 0x640, 0, 0,  (0x80000000, {24, -2147482740, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481328, ) }, ... -2147481328, ) == 0x0
 00708  1740   NtQueryValueKey  (-2147481328,  (-2147481328, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00709  1740   NtClose  (-2147481328, ... ) == 0x0
 00710  1740   NtClose  (-2147482740, ... ) == 0x0
 00700  1740   NtQueryDefaultUILanguage  ... ) == 0x0
 00711  1740   NtQueryInstallUILanguage  (2090319930, ... ) == 0x0
 00712  1740   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00713  1740   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00714  1740   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00715  1740   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00716  1740   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00717  1740   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00718  1740   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00719  1740   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00720  1740   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00721  1740   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00722  1740   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00723  1740   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00724  1740   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00725  1740   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00726  1740   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00727  1740   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00728  1740   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00729  1740   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00730  1740   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00731  1740   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00732  1740   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00733  1740   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00734  1740   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00735  1740   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00736  1740   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00737  1740   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00738  1740   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00739  1740   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 64, ) == 0x0
 00740  1740   NtQueryInformationToken  (64, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00741  1740   NtClose  (64, ... ) == 0x0
 00742  1740   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 64, ) }, ... 64, ) == 0x0
 00743  1740   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, ... 72, ) }, ... 72, ) == 0x0
 00744  1740   NtQueryValueKey  (72,  (72, "Personal", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 66, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (72, "Personal", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 66, ) }, 66, ) == 0x0
 00745  1740   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00746  1740   NtQueryValueKey  (72,  (72, "Local Settings", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 70, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (72, "Local Settings", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 70, ) }, 70, ) == 0x0
 00747  1740   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00748  1740   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00749  1740   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00750  1740   NtQueryDefaultLocale  (1, 1237540, ... ) == 0x0
 00751  1740   NtClose  (72, ... ) == 0x0
 00752  1740   NtClose  (64, ... ) == 0x0
 00753  1740   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 64, ) }, ... 64, ) == 0x0
 00754  1740   NtQueryValueKey  (64,  (64, "RsopDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00755  1740   NtClose  (64, ... ) == 0x0
 00756  1740   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 64, ) }, ... 64, ) == 0x0
 00757  1740   NtQueryValueKey  (64,  (64, "UserEnvDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00758  1740   NtQueryValueKey  (64,  (64, "RsopLogging", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00759  1740   NtClose  (64, ... ) == 0x0
 00760  1740   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\System"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00761  1740   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 64, ) }, ... 64, ) == 0x0
 00762  1740   NtQueryValueKey  (64,  (64, "UserEnvDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00763  1740   NtClose  (64, ... ) == 0x0
 00764  1740   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\System"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00765  1740   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NETAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00766  1740   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WINSTA.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00767  1740   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WTSAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00768  1740   NtQueryPerformanceCounter  (... {924406645, 10}, {3579545, 0}, ) == 0x0
 00769  1740   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUPAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00770  1740   NtQueryDefaultLocale  (1, 1239916, ... ) == 0x0
 00771  1740   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 00772  1740   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "System\Setup"}, ... 64, ) }, ... 64, ) == 0x0
 00773  1740   NtQueryValueKey  (64,  (64, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (64, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00774  1740   NtClose  (64, ... ) == 0x0
 00775  1740   NtUserGetProcessWindowStation  (... ) == 0x1c
 00776  1740   NtUserGetObjectInformation  (28, 1, 1239512, 12, 1239524, ... ) == 0x1
 00777  1740   NtOpenKey  (0xf003f, {24, 16, 0x40, 0, 0,  (0xf003f, {24, 16, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\MiniNT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00778  1740   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "System\WPA\PnP"}, ... 64, ) }, ... 64, ) == 0x0
 00779  1740   NtQueryValueKey  (64,  (64, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\240d\351\211"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (64, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\240d\351\211"}, 16, ) }, 16, ) == 0x0
 00780  1740   NtClose  (64, ... ) == 0x0
 00781  1740   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "SYSTEM\Setup"}, ... 64, ) }, ... 64, ) == 0x0
 00782  1740   NtQueryValueKey  (64,  (64, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (64, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0
 00783  1740   NtQueryValueKey  (64,  (64, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (64, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0
 00784  1740   NtClose  (64, ... ) == 0x0
 00785  1740   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "SYSTEM\Setup"}, ... 64, ) }, ... 64, ) == 0x0
 00786  1740   NtQueryValueKey  (64,  (64, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (64, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0
 00787  1740   NtQueryValueKey  (64,  (64, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (64, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0
 00788  1740   NtClose  (64, ... ) == 0x0
 00789  1740   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 64, ) }, ... 64, ) == 0x0
 00790  1740   NtQueryValueKey  (64,  (64, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (64, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 00791  1740   NtQueryValueKey  (64,  (64, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (64, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 00792  1740   NtClose  (64, ... ) == 0x0
 00793  1740   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 64, ) }, ... 64, ) == 0x0
 00794  1740   NtQueryValueKey  (64,  (64, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (64, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 00795  1740   NtQueryValueKey  (64,  (64, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (64, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 00796  1740   NtClose  (64, ... ) == 0x0
 00797  1740   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 64, ) }, ... 64, ) == 0x0
 00798  1740   NtQueryValueKey  (64,  (64, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (64, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) }, 102, ) == 0x0
 00799  1740   NtQueryValueKey  (64,  (64, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (64, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) }, 102, ) == 0x0
 00800  1740   NtClose  (64, ... ) == 0x0
 00801  1740   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 64, ) }, ... 64, ) == 0x0
 00802  1740   NtQueryValueKey  (64,  (64, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (64, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0
 00803  1740   NtQueryValueKey  (64,  (64, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (64, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0
 00804  1740   NtClose  (64, ... ) == 0x0
 00805  1740   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 64, ) }, ... 64, ) == 0x0
 00806  1740   NtQueryValueKey  (64,  (64, "DevicePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00807  1740   NtQueryValueKey  (64,  (64, "DevicePath", Partial, 346, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0c\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0r\0i\0c\0h\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0c\0e\0r\0c\0s\0r\06\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\03\02\00\0r\0a\0i\0d\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0i\0a\0s\0t\0o\0r\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0n\0v\0r\0a\0i\0d\0\0\0"}, 346, ) , Partial, 346, ... TitleIdx=0, Type=2, Data= (64, "DevicePath", Partial, 346, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0c\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0r\0i\0c\0h\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0c\0e\0r\0c\0s\0r\06\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\03\02\00\0r\0a\0i\0d\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0i\0a\0s\0t\0o\0r\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0n\0v\0r\0a\0i\0d\0\0\0"}, 346, ) }, 346, ) == 0x0
 00808  1740   NtAllocateVirtualMemory  (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0
 00809  1740   NtClose  (64, ... ) == 0x0
 00810  1740   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 64, ) == 0x0
 00811  1740   NtCreateMutant  (0x1f0001, 0x0, 0, ... 72, ) == 0x0
 00812  1740   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 76, ) == 0x0
 00813  1740   NtCreateMutant  (0x1f0001, 0x0, 0, ... 80, ) == 0x0
 00814  1740   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 84, ) == 0x0
 00815  1740   NtCreateMutant  (0x1f0001, 0x0, 0, ... 88, ) == 0x0
 00816  1740   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 92, ) }, ... 92, ) == 0x0
 00817  1740   NtQueryValueKey  (92,  (92, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (92, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00818  1740   NtQueryValueKey  (92,  (92, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (92, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00819  1740   NtQueryValueKey  (92,  (92, "LogPath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00820  1740   NtOpenKey  (0x1, {24, 92, 0x40, 0, 0,  (0x1, {24, 92, 0x40, 0, 0, "AppLogLevels"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00821  1740   NtClose  (92, ... ) == 0x0
 00822  1740   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 1239428, ... ) }, 1239428, ... ) == 0x0
 00823  1740   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName"}, ... 92, ) }, ... 92, ) == 0x0
 00824  1740   NtQueryValueKey  (92,  (92, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (92, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Data= (92, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) }, 60, ) == 0x0
 00825  1740   NtClose  (92, ... ) == 0x0
 00826  1740   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 92, ) }, ... 92, ) == 0x0
 00827  1740   NtQueryValueKey  (92,  (92, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (92, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) , Data= (92, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) }, 52, ) == 0x0
 00828  1740   NtClose  (92, ... ) == 0x0
 00829  1740   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\System\DNSclient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00830  1740   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 92, ) }, ... 92, ) == 0x0
 00831  1740   NtQueryValueKey  (92,  (92, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (92, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Data= (92, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) }, 34, ) == 0x0
 00832  1740   NtClose  (92, ... ) == 0x0
 00833  1740   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHLWAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00834  1740   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00835  1740   NtCreateSemaphore  (0x1f0003, {24, 48, 0x80, 1343256, 0,  (0x1f0003, {24, 48, 0x80, 1343256, 0, "shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}"}, 0, 2147483647, ... 92, ) }, 0, 2147483647, ... 92, ) == STATUS_OBJECT_NAME_EXISTS
 00836  1740   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\faultrep.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00837  1740   NtOpenKey  (0x20119, {24, 16, 0x40, 0, 0,  (0x20119, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\PCHealth\ErrorReporting"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00838  1740   NtCreateKey  (0x20119, {24, 16, 0x40, 0, 0,  (0x20119, {24, 16, 0x40, 0, 0, "Software\Microsoft\PCHealth\ErrorReporting"}, 0, 0x0, 0, ... 96, 2, ) }, 0, 0x0, 0, ... 96, 2, ) == 0x0
 00839  1740   NtOpenKey  (0x10000, {24, 96, 0x40, 0, 0,  (0x10000, {24, 96, 0x40, 0, 0, "DW"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00840  1740   NtQueryValueKey  (96,  (96, "DoReport", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "DoReport", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00841  1740   NtQueryValueKey  (96,  (96, "ShowUI", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "ShowUI", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00842  1740   NtQueryValueKey  (96,  (96, "AllOrNone", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "AllOrNone", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00843  1740   NtQueryValueKey  (96,  (96, "IncludeMicrosoftApps", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "IncludeMicrosoftApps", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00844  1740   NtQueryValueKey  (96,  (96, "IncludeWindowsApps", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "IncludeWindowsApps", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00845  1740   NtQueryValueKey  (96,  (96, "DoTextLog", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00846  1740   NtQueryValueKey  (96,  (96, "IncludeKernelFaults", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "IncludeKernelFaults", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00847  1740   NtQueryValueKey  (96,  (96, "IncludeShutdownErrs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00848  1740   NtQueryValueKey  (96,  (96, "NumberOfFaultPipes", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00849  1740   NtQueryValueKey  (96,  (96, "NumberOfHangPipes", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00850  1740   NtQueryValueKey  (96,  (96, "MaxUserQueueSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00851  1740   NtQueryValueKey  (96,  (96, "ForceQueueMode", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00852  1740   NtCreateKey  (0x20119, {24, 96, 0x40, 0, 0,  (0x20119, {24, 96, 0x40, 0, 0, "ExclusionList"}, 0, 0x0, 0, ... 100, 2, ) }, 0, 0x0, 0, ... 100, 2, ) == 0x0
 00853  1740   NtCreateKey  (0x20119, {24, 96, 0x40, 0, 0,  (0x20119, {24, 96, 0x40, 0, 0, "InclusionList"}, 0, 0x0, 0, ... 104, 2, ) }, 0, 0x0, 0, ... 104, 2, ) == 0x0
 00854  1740   NtClose  (96, ... ) == 0x0
 00855  1740   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "System\Setup"}, ... 96, ) }, ... 96, ) == 0x0
 00856  1740   NtQueryValueKey  (96,  (96, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00857  1740   NtClose  (96, ... ) == 0x0
 00858  1740   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00859  1740   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00860  1740   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1236956, ... ) }, 1236956, ... ) == 0x0
 00861  1740   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\"}, 3, 16417, ... 96, {status=0x0, info=1}, ) }, 3, 16417, ... 96, {status=0x0, info=1}, ) == 0x0
 00862  1740   NtQueryDirectoryFile  (96, 0, 0, 0, 1236384, 616, BothDirectory, 1,  (96, 0, 0, 0, 1236384, 616, BothDirectory, 1, "work", 0, ... {status=0x0, info=104}, ) , 0, ... {status=0x0, info=104}, ) == 0x0
 00863  1740   NtClose  (96, ... ) == 0x0
 00864  1740   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work\"}, 3, 16417, ... 96, {status=0x0, info=1}, ) }, 3, 16417, ... 96, {status=0x0, info=1}, ) == 0x0
 00865  1740   NtQueryDirectoryFile  (96, 0, 0, 0, 1236384, 616, BothDirectory, 1,  (96, 0, 0, 0, 1236384, 616, BothDirectory, 1, "packed.exe", 0, ... {status=0x0, info=120}, ) , 0, ... {status=0x0, info=120}, ) == 0x0
 00866  1740   NtClose  (96, ... ) == 0x0
 00867  1740   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00868  1740   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00869  1740   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00870  1740   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00871  1740   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1235604, ... ) }, 1235604, ... ) == 0x0
 00872  1740   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1234376, ... ) }, 1234376, ... ) == 0x0
 00873  1740   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00874  1740   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00875  1740   NtQueryValueKey  (100,  (100, "packed.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00876  1740   NtOpenThreadToken  (-2, 0x2000c, 1, ... ) == STATUS_NO_TOKEN
 00877  1740   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 00878  1740   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00879  1740   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00880  1740   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 96, ) }, ... 96, ) == 0x0
 00881  1740   NtQueryValueKey  (96,  (96, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00882  1740   NtClose  (96, ... ) == 0x0
 00883  1740   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00884  1740   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 96, ) == 0x0
 00885  1740   NtAllocateVirtualMemory  (-1, 1347584, 0, 4096, 4096, 4, ... 1347584, 4096, ) == 0x0
 00886  1740   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 108, ) == 0x0
 00887  1740   NtQuerySystemTime  (... {991494472, 29915843}, ) == 0x0
 00888  1740   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 112, ) == 0x0
 00889  1740   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00890  1740   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0
 00891  1740   NtQueryInformationProcess  (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0
 00892  1740   NtQueryInformationProcess  (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0
 00893  1740   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 116, ) == 0x0
 00894  1740   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 120, ) == 0x0
 00895  1740   NtDeviceIoControlFile  (44, 0, 0x0, 0x0, 0x390008,  (44, 0, 0x0, 0x0, 0x390008, "\235\372y\306\314\301\202.N\313;\6.@\17I\300TW\323x\226\16\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00896  1740   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00897  1740   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00898  1740   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00899  1740   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00900  1740   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00901  1740   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00902  1740   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00903  1740   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482740, 2, ) }, 0, 0x0, 0, ... -2147482740, 2, ) == 0x0
 00904  1740   NtSetValueKey  (-2147482740,  (-2147482740, "Seed", 0, 3, "0\215\263\311\320\257.\330\361\212 \275\12\265W\316\265\264\260\36\217\2\254 O\1V\332n\365\261mYm, 80, ... ) , 0, 3,  (-2147482740, "Seed", 0, 3, "0\215\263\311\320\257.\330\361\212 \275\12\265W\316\265\264\260\36\217\2\254 O\1V\332n\365\261mYm, 80, ... ) , 80, ... ) == 0x0
 00905  1740   NtClose  (-2147482740, ... ) == 0x0
 00895  1740   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\234L\237\304\255s\277P\331]\217\342D}J\334q\331\350\375\317\211\233M\311\325h\207\240?2\2>\274%s\354\266\263\335B\225\352\313e\212\236\275\334\201'e\277\2X\364\350\34\30DI\279>\31\362Oe\353\332\240\361\37\343M\367!\10\22\230\232\314\353\256{\12\215\31I\177\255l:3X\224&\2210\34hC\3262Q\345O\323\11$\200'\331\374\322a\265woG\31|\325\345[%\341K\22\335\243\256\16\204\212d\331\275\213\254-\2104\260\212\200*mN\314d7\237\237\267\307\213\304#K\26K\262e|W\16\274\326\206\210\304"U$\370\16Im-", ) Oe\353\332\240\361\37\343M\367!\10\22\230\232\314\353\256{\12\215\31I\177\255l:3X\224&\2210\34hC\3262Q\345O\323\11$\200'\331\374\322a\265woG\31|\325\345[%\341K\22\335\243\256\16\204\212d\331\275\213\254-\2104\260\212\200*mN\314d7\237\237\267\307\213\304#K\26K\262e|W\16\274\326\206\210\304 ... {status=0x0, info=256}, "\234L\237\304\255s\277P\331]\217\342D}J\334q\331\350\375\317\211\233M\311\325h\207\240?2\2>\274%s\354\266\263\335B\225\352\313e\212\236\275\334\201'e\277\2X\364\350\34\30DI\279>\31\362Oe\353\332\240\361\37\343M\367!\10\22\230\232\314\353\256{\12\215\31I\177\255l:3X\224&\2210\34hC\3262Q\345O\323\11$\200'\331\374\322a\265woG\31|\325\345[%\341K\22\335\243\256\16\204\212d\331\275\213\254-\2104\260\212\200*mN\314d7\237\237\267\307\213\304#K\26K\262e|W\16\274\326\206\210\304"U$\370\16Im-", ) , ) == 0x0
 00906  1740   NtDeviceIoControlFile  (44, 0, 0x0, 0x0, 0x390008,  (44, 0, 0x0, 0x0, 0x390008, "\235\372y\306\314\301\202.N\313;\6.@r\373:n/\274\207\270!\300TW\323x\226\16\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00907  1740   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00908  1740   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00909  1740   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00910  1740   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00911  1740   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00912  1740   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00913  1740   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00914  1740   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482740, 2, ) }, 0, 0x0, 0, ... -2147482740, 2, ) == 0x0
 00915  1740   NtSetValueKey  (-2147482740,  (-2147482740, "Seed", 0, 3, "\342\351\340\373\342/1\36\360\264\232\306\271\21\303\6\10Z\0s\314\5\12\20\276\14_\372s\320P6\365\27\355l\266{\205eg\177\350\343\226:2\332\361q\213r?\204#\61w\371ADvyc&o\\3613\232\224\354\363\367\330v\310SM\11", 80, ... ) , 0, 3,  (-2147482740, "Seed", 0, 3, "\342\351\340\373\342/1\36\360\264\232\306\271\21\303\6\10Z\0s\314\5\12\20\276\14_\372s\320P6\365\27\355l\266{\205eg\177\350\343\226:2\332\361q\213r?\204#\61w\371ADvyc&o\\3613\232\224\354\363\367\330v\310SM\11", 80, ... ) , 80, ... ) == 0x0
 00916  1740   NtClose  (-2147482740, ... ) == 0x0
 00906  1740   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\247\15\220l\333p\305\20t\273\364\226\270\177x\216\232\33\265X.\23"T\201\20\356;#e\354\346\230\6\307\262\277\224k\26\316\2377\314p\206\14K\335%\260F)\16<'Lh!\322\363\256+"z#\201\354i\363\247un8B\16\272\211\355\253%\374\346\15x\341\6\251<\260\13\361\32\351 \251.\2\276\256_\302yC\364\364|\225\236\377\253qc'$\317\353X\376)HG\355\315\273B\321\301\33}\21(\212\377\340\217\3635\332n[\376\253\274\267\311\276\233\342\366\253\375Xwl\4\264\357\3737*\345\361y\235\206\205[Uj\240\257\16 \240\220\353\357Y\377\357W\221m\202"\275 \245\230\141\366\35\322x\36\314\200\13"\7\360", ) T\201\20\356;#e\354\346\230\6\307\262\277\224k\26\316\2377\314p\206\14K\335%\260F)\16<'Lh!\322\363\256+ ... {status=0x0, info=256}, "\247\15\220l\333p\305\20t\273\364\226\270\177x\216\232\33\265X.\23"T\201\20\356;#e\354\346\230\6\307\262\277\224k\26\316\2377\314p\206\14K\335%\260F)\16<'Lh!\322\363\256+"z#\201\354i\363\247un8B\16\272\211\355\253%\374\346\15x\341\6\251<\260\13\361\32\351 \251.\2\276\256_\302yC\364\364|\225\236\377\253qc'$\317\353X\376)HG\355\315\273B\321\301\33}\21(\212\377\340\217\3635\332n[\376\253\274\267\311\276\233\342\366\253\375Xwl\4\264\357\3737*\345\361y\235\206\205[Uj\240\257\16 \240\220\353\357Y\377\357W\221m\202"\275 \245\230\141\366\35\322x\36\314\200\13"\7\360", ) \275 \245\230\141\366\35\322x\36\314\200\13 ... {status=0x0, info=256}, "\247\15\220l\333p\305\20t\273\364\226\270\177x\216\232\33\265X.\23"T\201\20\356;#e\354\346\230\6\307\262\277\224k\26\316\2377\314p\206\14K\335%\260F)\16<'Lh!\322\363\256+"z#\201\354i\363\247un8B\16\272\211\355\253%\374\346\15x\341\6\251<\260\13\361\32\351 \251.\2\276\256_\302yC\364\364|\225\236\377\253qc'$\317\353X\376)HG\355\315\273B\321\301\33}\21(\212\377\340\217\3635\332n[\376\253\274\267\311\276\233\342\366\253\375Xwl\4\264\357\3737*\345\361y\235\206\205[Uj\240\257\16 \240\220\353\357Y\377\357W\221m\202"\275 \245\230\141\366\35\322x\36\314\200\13"\7\360", ) , ) == 0x0
 00917  1740   NtDeviceIoControlFile  (44, 0, 0x0, 0x0, 0x390008,  (44, 0, 0x0, 0x0, 0x390008, "\235\372y\306\314\301\202.N\313;\6.@r\373:n/\274\207\305\223:n/\274\207\270!\300TW\323x\226\16\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00918  1740   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00919  1740   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00920  1740   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00921  1740   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00922  1740   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00923  1740   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00924  1740   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00925  1740   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482740, 2, ) }, 0, 0x0, 0, ... -2147482740, 2, ) == 0x0
 00926  1740   NtSetValueKey  (-2147482740,  (-2147482740, "Seed", 0, 3, "fOqJ~\3461\324\33\377\202{\332\27\"\203\320K\372\222\11\375\30\223\360\301(\17\3358N,\2uQ\326\330vW\317\274e\332@\4\362\347\22>\210\27$#\0\321n\221\301/O\231\0\17\302z\32\262\356\211\366=\3356\17\354BjxI", 80, ... ) , 0, 3,  (-2147482740, "Seed", 0, 3, "fOqJ~\3461\324\33\377\202{\332\27\"\203\320K\372\222\11\375\30\223\360\301(\17\3358N,\2uQ\326\330vW\317\274e\332@\4\362\347\22>\210\27$#\0\321n\221\301/O\231\0\17\302z\32\262\356\211\366=\3356\17\354BjxI", 80, ... ) \203\320K\372\222\11\375\30\223\360\301(\17\3358N,\2uQ\326\330vW\317\274e\332@\4\362\347\22>\210\27$#\0\321n\221\301/O\231\0\17\302z\32\262\356\211\366=\3356\17\354BjxI", 80, ... ) == 0x0
 00927  1740   NtClose  (-2147482740, ... ) == 0x0
 00917  1740   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\37,bm?L*\270$%\17ev\305\334\0\360VS|\303\277\237\356\0S\331$o\212\306*\301\311\09n\370]i?=\31\177C\300\204 LF4\14Z\v^1\332.\345\17\7\367\263\327\270\325W\207\330\367]\261\335\34\236|:1HT\3\304Y~\36>vh\312\306\270\301\323\31\252b;\257\203\224\11\216\371q\356\265ZJ*\20Dw\323H\241-\262\325\312\326f\272\25\301*\14\375\333 B\331FC\226\30209h\26\225'\320\10\274\367\343y$\266\347=\2748\227\10\11\2137\364pr\14\242\373R\233\310\206I\335!\376=\344*'\345\3\241\356\222\337H\370J\214\7q\250\17\332S\37\257@\312eH~:iS\270\222R\13oY\333\2451G\21p\301k\236\274\3574\272\1x5\216kV:\315\241\323k\344'\33d\343\30\234_\363P\374\345\4\211, ) , ) == 0x0
 00928  1740   NtDeviceIoControlFile  (44, 0, 0x0, 0x0, 0x390008,  (44, 0, 0x0, 0x0, 0x390008, "\235\372y\306\314\301\202.N\313;\6.@r\373:n/\274\207\305\223:n/\274\207\305\223:n/\274\207\270!\300TW\323x\226\16\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00929  1740   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00930  1740   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00931  1740   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00932  1740   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00933  1740   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00934  1740   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00935  1740   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00936  1740   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482740, 2, ) }, 0, 0x0, 0, ... -2147482740, 2, ) == 0x0
 00937  1740   NtSetValueKey  (-2147482740,  (-2147482740, "Seed", 0, 3, "\227\325\353\12&\242\221\217VD\366\267[\33\20\253\224\345\3363\35\6\262\206\25*\341x\364\231\236\251\305l\337\247H\364v\222\263\301\277N;rH\23\20\335\300`\244\203\314\370\340\307*`\341\204\313\264\35\323!f\271{\305\360T\331\314h\246\324n\32", 80, ... ) , 0, 3,  (-2147482740, "Seed", 0, 3, "\227\325\353\12&\242\221\217VD\366\267[\33\20\253\224\345\3363\35\6\262\206\25*\341x\364\231\236\251\305l\337\247H\364v\222\263\301\277N;rH\23\20\335\300`\244\203\314\370\340\307*`\341\204\313\264\35\323!f\271{\305\360T\331\314h\246\324n\32", 80, ... ) , 80, ... ) == 0x0
 00938  1740   NtClose  (-2147482740, ... ) == 0x0
 00928  1740   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, ")\302\270\11\260\346v\3377\253\376\305\261\237\303\315e\305\352\263\272;J\30i\244\5S\16"5rM\225\375\260d\311\231\213{^\230\5\364'\371\375*7\340\221\366\336#\276\207\232\252\274\331\231\231\374k\312\3K^\37\373\0\6\252\177\266\344\37\246\315~5\2\32\39\216\247\355\220\350\260\1\313\240L\333\300\206\22\266t\324\324\276\221\15\313\225\10\363\354q\315\2254\251O\300\313\224\37\331\333\215\257\240G\274\26\226Y\275\246x\275\354YUhV\272\224zW\341\261XE0\316\2114\332\373\321\34\245\331\36~\354\273\234A-]\314\301\371=\15\203\367h\4\27\274kZa\342\16\226\325\230(\313>\5\364U\251\1\317%\241\235:OC\337\305\1>\237\272\364\254=\340o\225O\2076@y@2\224\271\345\231\211J\250\327\266\352\0\317\271'P\234\11,\275;\264\365\334\13-\1\310\254\20\270\212a\347\317\212X", ) 5rM\225\375\260d\311\231\213{^\230\5\364'\371\375*7\340\221\366\336#\276\207\232\252\274\331\231\231\374k\312\3K^\37\373\0\6\252\177\266\344\37\246\315~5\2\32\39\216\247\355\220\350\260\1\313\240L\333\300\206\22\266t\324\324\276\221\15\313\225\10\363\354q\315\2254\251O\300\313\224\37\331\333\215\257\240G\274\26\226Y\275\246x\275\354YUhV\272\224zW\341\261XE0\316\2114\332\373\321\34\245\331\36~\354\273\234A-]\314\301\371=\15\203\367h\4\27\274kZa\342\16\226\325\230(\313>\5\364U\251\1\317%\241\235:OC\337\305\1>\237\272\364\254=\340o\225O\2076@y@2\224\271\345\231\211J\250\327\266\352\0\317\271'P\234\11,\275;\264\365\334\13-\1\310\254\20\270\212a\347\317\212X", ) == 0x0
 00939  1740   NtDeviceIoControlFile  (44, 0, 0x0, 0x0, 0x390008,  (44, 0, 0x0, 0x0, 0x390008, "\235\372y\306\314\301\202.N\313;\6.@r\373:n/\274\207\305\223:n/\274\207\305\223:n/\274\207\305\223:n/\274\207\270!\300TW\323x\226\16\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00940  1740   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00941  1740   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00942  1740   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00943  1740   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00944  1740   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00945  1740   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00946  1740   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00947  1740   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482740, 2, ) }, 0, 0x0, 0, ... -2147482740, 2, ) == 0x0
 00948  1740   NtSetValueKey  (-2147482740,  (-2147482740, "Seed", 0, 3, "0\\355_\244\15\305\221\17\371\362\6\214e\301\211J^\14\204(\225\260\322\200\15\20\247\1\326\322\263\6\177\5\0\177\25\370\230\352\26V4\343\205q\205f\361\345\236\200zg\273\3057\307Lq_)7\265\272\02\307\226sK\220\224X\47\275\30$", 80, ... ) , 0, 3,  (-2147482740, "Seed", 0, 3, "0\\355_\244\15\305\221\17\371\362\6\214e\301\211J^\14\204(\225\260\322\200\15\20\247\1\326\322\263\6\177\5\0\177\25\370\230\352\26V4\343\205q\205f\361\345\236\200zg\273\3057\307Lq_)7\265\272\02\307\226sK\220\224X\47\275\30$", 80, ... ) , 80, ... ) == 0x0
 00949  1740   NtClose  (-2147482740, ... ) == 0x0
 00939  1740   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\310D\256 a\69\302\6\356\277z.\363\316\307\246\207\374\361\253\2005\16Y\200\360=\235\264\235c\34G\214d\355\7\5\246\15\334\15\351\276:\27\236\350\362\233\36\342\353\330\354\24\352\226\373#\231]\25k\305\221\300,\321\307u\370\253YlX\2113?\4B\334\22\326\224\343\247\253o\201\275\262ET\340W\325"\346\7H#\333bU\254\246\257\301\34\341\206G\14\231a\372\320\25t:\7\233I\t\6\13\250\240\202\277\246\271\365\33\226i\2142E\231!RP-\365\202:\267\200\16\273q\225\322\257\11\254\225\374\313bZF\217\250\364\237O\360\250l\326n\34\223\373\254\341P\226\357w\17./H\36z\\355\324\226\320\342Z\233\260\262\354Cl\221:\31\312\334\216K\251ib\16\364\31R\304\200\320|V\24\230\242=\307\357KcA\337L6\207Q\32wg\312\375pL\11\351\230\3107l\266\207]'Kt", ) \346\7H#\333bU\254\246\257\301\34\341\206G\14\231a\372\320\25t:\7\233I\t\6\13\250\240\202\277\246\271\365\33\226i\2142E\231!RP-\365\202:\267\200\16\273q\225\322\257\11\254\225\374\313bZF\217\250\364\237O\360\250l\326n\34\223\373\254\341P\226\357w\17./H\36z\\355\324\226\320\342Z\233\260\262\354Cl\221:\31\312\334\216K\251ib\16\364\31R\304\200\320|V\24\230\242=\307\357KcA\337L6\207Q\32wg\312\375pL\11\351\230\3107l\266\207]'Kt", ) == 0x0
 00950  1740   NtDeviceIoControlFile  (44, 0, 0x0, 0x0, 0x390008,  (44, 0, 0x0, 0x0, 0x390008, "\235\372y\306\314\301\202.N\313;\6.@r\373:n/\274\207\305\223:n/\274\207\305\223:n/\274\207\305\223:n/\274\207\305\223:n/\274\207\270!\300TW\323x\226\16\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00951  1740   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00952  1740   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00953  1740   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00954  1740   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00955  1740   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00956  1740   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00957  1740   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00958  1740   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482740, 2, ) }, 0, 0x0, 0, ... -2147482740, 2, ) == 0x0
 00959  1740   NtSetValueKey  (-2147482740,  (-2147482740, "Seed", 0, 3, "hS}\350l\372\221\253\313\22\22\370\304m('\271\222$4iY\320\35771\236\357\341,?\16\14/\311*!\31\321^\220vw\344\205\25\5\240\250'l\373\324\10\0\237 \250R\334\267\343\255\25\214m\27\3714\222\201y\262Yt\\240\321nk", 80, ... ) , 0, 3,  (-2147482740, "Seed", 0, 3, "hS}\350l\372\221\253\313\22\22\370\304m('\271\222$4iY\320\35771\236\357\341,?\16\14/\311*!\31\321^\220vw\344\205\25\5\240\250'l\373\324\10\0\237 \250R\334\267\343\255\25\214m\27\3714\222\201y\262Yt\\240\321nk", 80, ... ) , 80, ... ) == 0x0
 00960  1740   NtClose  (-2147482740, ... ) == 0x0
 00950  1740   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "$#\362H\274\306\360\25>\270\260\237\3455"Q\243\316V\337\\345\227\27{\372\216\2111<\223\275\341=\21\301r\251_\371\277\211v!\16\310A#\224\362\222\5\240\270t\242X\2269f\252\30\\314\224\24x\21\215)}\217\347"V\203\370\274\352\372v\13g\254.\30`W"C}T\324S\336\346\36k?\346qGu\327\232\2504\334\371\317\220\322!*\262\337&? \177-f\353Glw\320\314\25C[\342\314\324~\203\17\230#l\360DH\7v\344\344\372e\17U\274\5\1\350\300@\177/\24\367\372\364\241\273-\236?\217'1\343>xB\220\243}\350\235V\342~%\30vx\226\332``\227f>\32\377\235\204\314or\202\347\33)D0\305k\223\306\377\27c\33dx\335D\340\327{L\325~\362\252+\205\317\325DD\36&\211\267e\353\266\373$\36'\347\245\301~:\2476\316\247\232", ) Q\243\316V\337\\345\227\27{\372\216\2111<\223\275\341=\21\301r\251_\371\277\211v!\16\310A#\224\362\222\5\240\270t\242X\2269f\252\30\\314\224\24x\21\215)}\217\347 ... {status=0x0, info=256}, "$#\362H\274\306\360\25>\270\260\237\3455"Q\243\316V\337\\345\227\27{\372\216\2111<\223\275\341=\21\301r\251_\371\277\211v!\16\310A#\224\362\222\5\240\270t\242X\2269f\252\30\\314\224\24x\21\215)}\217\347"V\203\370\274\352\372v\13g\254.\30`W"C}T\324S\336\346\36k?\346qGu\327\232\2504\334\371\317\220\322!*\262\337&? \177-f\353Glw\320\314\25C[\342\314\324~\203\17\230#l\360DH\7v\344\344\372e\17U\274\5\1\350\300@\177/\24\367\372\364\241\273-\236?\217'1\343>xB\220\243}\350\235V\342~%\30vx\226\332``\227f>\32\377\235\204\314or\202\347\33)D0\305k\223\306\377\27c\33dx\335D\340\327{L\325~\362\252+\205\317\325DD\36&\211\267e\353\266\373$\36'\347\245\301~:\2476\316\247\232", ) C}T\324S\336\346\36k?\346qGu\327\232\2504\334\371\317\220\322!*\262\337&? \177-f\353Glw\320\314\25C[\342\314\324~\203\17\230#l\360DH\7v\344\344\372e\17U\274\5\1\350\300@\177/\24\367\372\364\241\273-\236?\217'1\343>xB\220\243}\350\235V\342~%\30vx\226\332``\227f>\32\377\235\204\314or\202\347\33)D0\305k\223\306\377\27c\33dx\335D\340\327{L\325~\362\252+\205\317\325DD\36&\211\267e\353\266\373$\36'\347\245\301~:\2476\316\247\232", ) == 0x0
 00961  1740   NtDeviceIoControlFile  (44, 0, 0x0, 0x0, 0x390008,  (44, 0, 0x0, 0x0, 0x390008, "\235\372y\306\314\301\202.N\313;\6.@r\373:n/\274\207\305\223:n/\274\207\305\223:n/\274\207\305\223:n/\274\207\305\223:n/\274\207\305\223:n/\274\207\270!\300TW\323x\226\16\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00962  1740   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00963  1740   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00964  1740   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00965  1740   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00966  1740   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00967  1740   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00968  1740   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00969  1740   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482740, 2, ) }, 0, 0x0, 0, ... -2147482740, 2, ) == 0x0
 00970  1740   NtSetValueKey  (-2147482740,  (-2147482740, "Seed", 0, 3, ")\310\12\327\227~\323\356\211\225\233\223=\233\276\226\210\271n\320}h\276\15\17\326\U\345\10\326\32\316\345|\241\263\353%@\212\263\304\15\236C\277\375\334\320\222p'\371\312\177\330C\333\354\306\3368\340\253#\371\224Y, 80, ... ) , 0, 3,  (-2147482740, "Seed", 0, 3, ")\310\12\327\227~\323\356\211\225\233\223=\233\276\226\210\271n\320}h\276\15\17\326\U\345\10\326\32\316\345|\241\263\353%@\212\263\304\15\236C\277\375\334\320\222p'\371\312\177\330C\333\354\306\3368\340\253#\371\224Y, 80, ... ) , 80, ... ) == 0x0
 00971  1740   NtClose  (-2147482740, ... ) == 0x0
 00961  1740   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "H~\237\14\213y\25\230\36\3062@\200I.\225\222\254\344\26s\313G\263\342\377\271b\340LvO\270\375\362\302\36\206WD\2437c\211?\3478\16Q0\16 U\245\226\177\315\233\342Z\324\205XO\205!\34\211l|\17\353\226\177\3\246\206&(\327*\344z\263\205s\357\377\237\376\2#\355zm\345N\321Dbu\264\215)\202\210\365\325\313P[%B\346o\313\23\210\32$f\324R&\301}u\352\322\270\312\376\342b\242\363\232\207\216/\274\324/`w\363\315l\337\33G\4\6\221l\365ryD\24\276\14D\276d~\37[A-\200-\37\322n\200\22\216\342\35e\237y\323!\2447\363\367\240c?\214\326\362s\320%\347\311?\16@\20S\347\252\244\24\334\34s%\14\241\241_E"\343o1\302\335\234t\20\377\351v\212~\334\344\232\3416tub\215\224#_$+\340T\17`\206M\312q\332\250", ) \343o1\302\335\234t\20\377\351v\212~\334\344\232\3416tub\215\224#_$+\340T\17`\206M\312q\332\250", ) == 0x0
 00972  1740   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 124, ) == 0x0
 00973  1740   NtConnectPort  ( ("\RPC Control\IcaApi", {12, 2, 1, 0}, 0x0, 0x0, 1234748, 188, ... 128, 0x0, 0x0, 0x0, 188, ) , {12, 2, 1, 0}, 0x0, 0x0, 1234748, 188, ... 128, 0x0, 0x0, 0x0, 188, ) == 0x0
 00974  1740   NtRequestWaitReplyPort  (128, {200, 224, new_msg, 0, 1350664, 12, 2, 1310721}  (128, {200, 224, new_msg, 0, 1350664, 12, 2, 1310721} "\0\0\0\0\274\0\0\0x\1\24\0`\247\244\\261\353\317\21\206\21\0\240$T \355\1\0\0\0\1\0\0\08\232\24\0\4\0\0\0x\1\24\0\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\24\0\2\0\0\0\234]a\364\310\367\16g\270\233\24\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0\220\233\24\0\234q\4\307x\1\24\0\260\233\24\0h\1\24\0\0\0\0\0\0\0\0\0\260\233\24\0P\0\0\0\270\233\24\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\274\325\22\0\372\31\221|P\335\22\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ... {200, 224, reply, 0, 928, 1740, 57977, 0} "\7\0\0\0\274\0\0\0x\1\24\0`\247\244\\261\353\317\21\206\21\0\240$T \355\1\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0x\1\24\0\377\377\377\377\5\0\0\0x\1\24\0\0\0\0\0\0\0\24\0\2\0\0\0\234]a\364\310\367\16g\270\233\24\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0\220\233\24\0\234q\4\307x\1\24\0\260\233\24\0h\1\24\0\0\0\0\0\0\0\0\0\260\233\24\0P\0\0\0\270\233\24\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\274\325\22\0\372\31\221|P\335\22\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" )  ... {200, 224, reply, 0, 928, 1740, 57977, 0}  (128, {200, 224, new_msg, 0, 1350664, 12, 2, 1310721} "\0\0\0\0\274\0\0\0x\1\24\0`\247\244\\261\353\317\21\206\21\0\240$T \355\1\0\0\0\1\0\0\08\232\24\0\4\0\0\0x\1\24\0\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\24\0\2\0\0\0\234]a\364\310\367\16g\270\233\24\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0\220\233\24\0\234q\4\307x\1\24\0\260\233\24\0h\1\24\0\0\0\0\0\0\0\0\0\260\233\24\0P\0\0\0\270\233\24\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\274\325\22\0\372\31\221|P\335\22\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ... {200, 224, reply, 0, 928, 1740, 57977, 0} "\7\0\0\0\274\0\0\0x\1\24\0`\247\244\\261\353\317\21\206\21\0\240$T \355\1\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0x\1\24\0\377\377\377\377\5\0\0\0x\1\24\0\0\0\0\0\0\0\24\0\2\0\0\0\234]a\364\310\367\16g\270\233\24\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0\220\233\24\0\234q\4\307x\1\24\0\260\233\24\0h\1\24\0\0\0\0\0\0\0\0\0\260\233\24\0P\0\0\0\270\233\24\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\274\325\22\0\372\31\221|P\335\22\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" )  ) == 0x0
 00975  1740   NtRequestWaitReplyPort  (128, {32, 56, new_msg, 0, 0, 0, 0, 0}  (128, {32, 56, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\3\0\0`\247\244\\261\353\317\21\206\21\0\240$T \355\377\377\377\377\0\0\0\0" ... {124, 148, reply, 0, 928, 1740, 57978, 0} "\2\356Q\200\1\0\0\0\30b\202\201\0\260\375\177\220k\364\367\370\37`\300lk\364\367X\353Q\200\0\0\0\0\0\0\0\0)%\25E?>\A\250\245\22\360\331E\16S\1\300\375\177(l\364\367\253\362Q\200\324k\364\367\300\250U\200aFT\200\0\0\0\0h\242\250\201\0;\251\201\1`\202\201\0\0\0\0\0\376?\300\344\243n\371\20W\271\201\2\0\0\0\240V\271\201\240V\271\201" )  ... {124, 148, reply, 0, 928, 1740, 57978, 0}  (128, {32, 56, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\3\0\0`\247\244\\261\353\317\21\206\21\0\240$T \355\377\377\377\377\0\0\0\0" ... {124, 148, reply, 0, 928, 1740, 57978, 0} "\2\356Q\200\1\0\0\0\30b\202\201\0\260\375\177\220k\364\367\370\37`\300lk\364\367X\353Q\200\0\0\0\0\0\0\0\0)%\25E?>\A\250\245\22\360\331E\16S\1\300\375\177(l\364\367\253\362Q\200\324k\364\367\300\250U\200aFT\200\0\0\0\0h\242\250\201\0;\251\201\1`\202\201\0\0\0\0\0\376?\300\344\243n\371\20W\271\201\2\0\0\0\240V\271\201\240V\271\201" )  ) == 0x0
 00976  1740   NtAllocateVirtualMemory  (-1, 1351680, 0, 4096, 4096, 4, ... 1351680, 4096, ) == 0x0
 00977  1740   NtRequestWaitReplyPort  (128, {44, 68, new_msg, 56, 928, 1740, 57978, 0}  (128, {44, 68, new_msg, 56, 928, 1740, 57978, 0} "\1\356\0\0B\2\5\0\30b\202\201\0\260\375\177\220k\364\367\370\37`\300\377\377\377\377X\353Q\200\1\0\0\0\210\236\24\0\10\5\0\0" ... {40, 64, reply, 0, 928, 1740, 57979, 0} "\2\31\221|\4\0\221|\200\300\227|p\31\221|\250$\12\0\330\0\0\0d\365\11\0\0\300\372\177\14\5\0\0\320\371\15\0" )  ... {40, 64, reply, 0, 928, 1740, 57979, 0}  (128, {44, 68, new_msg, 56, 928, 1740, 57978, 0} "\1\356\0\0B\2\5\0\30b\202\201\0\260\375\177\220k\364\367\370\37`\300\377\377\377\377X\353Q\200\1\0\0\0\210\236\24\0\10\5\0\0" ... {40, 64, reply, 0, 928, 1740, 57979, 0} "\2\31\221|\4\0\221|\200\300\227|p\31\221|\250$\12\0\330\0\0\0d\365\11\0\0\300\372\177\14\5\0\0\320\371\15\0" )  ) == 0x0
 00978  1740   NtRequestWaitReplyPort  (128, {64, 88, new_msg, 56, 1351024, 1235324, 1351296, 0}  (128, {64, 88, new_msg, 56, 1351024, 1235324, 1351296, 0} "\10\0\0\0@\0\1\10\2\0\0t\330\22\0\210\236\24\0\220\335\22\0\30\356\220|p\5\221|\1\0\0\0\210\236\24\0\14\5\0\0\14\5\0\0\320\371\15\0\0\0\0\0\0\0\0\0\273f\347w" ... {64, 88, reply, 56, 928, 1740, 57980, 0} "\10\0\0\0@\0\1\10\2\0\0t\330\22\0\210\236\24\0\220\335\22\0\30\356\220|p\5\221|\1\0\0\0\210\236\24\0\14\5\0\0\14\5\0\0\320\371\15\0\0\0\0\0\0\0\0\0\273f\347w" )  ... {64, 88, reply, 56, 928, 1740, 57980, 0}  (128, {64, 88, new_msg, 56, 1351024, 1235324, 1351296, 0} "\10\0\0\0@\0\1\10\2\0\0t\330\22\0\210\236\24\0\220\335\22\0\30\356\220|p\5\221|\1\0\0\0\210\236\24\0\14\5\0\0\14\5\0\0\320\371\15\0\0\0\0\0\0\0\0\0\273f\347w" ... {64, 88, reply, 56, 928, 1740, 57980, 0} "\10\0\0\0@\0\1\10\2\0\0t\330\22\0\210\236\24\0\220\335\22\0\30\356\220|p\5\221|\1\0\0\0\210\236\24\0\14\5\0\0\14\5\0\0\320\371\15\0\0\0\0\0\0\0\0\0\273f\347w" )  ) == 0x0
 00979  1740   NtRequestWaitReplyPort  (128, {44, 68, new_msg, 56, 928, 1740, 57979, 0}  (128, {44, 68, new_msg, 56, 928, 1740, 57979, 0} "\1\31\0\0B\2\5\0\200\300\227|p\31\221|\250$\12\0\330\0\0\0\377\377\377\377\0\300\372\177\1\0\0\0\210\236\24\0\10\5\0\0" ... {40, 64, reply, 0, 928, 1740, 57981, 0} "\2\356Q\200\4\0\0\0\30b\202\201\0\260\375\177\220k\364\367\370\37`\300lk\364\367X\353Q\200\14\5\0\0\320\371\15\0" )  ... {40, 64, reply, 0, 928, 1740, 57981, 0}  (128, {44, 68, new_msg, 56, 928, 1740, 57979, 0} "\1\31\0\0B\2\5\0\200\300\227|p\31\221|\250$\12\0\330\0\0\0\377\377\377\377\0\300\372\177\1\0\0\0\210\236\24\0\10\5\0\0" ... {40, 64, reply, 0, 928, 1740, 57981, 0} "\2\356Q\200\4\0\0\0\30b\202\201\0\260\375\177\220k\364\367\370\37`\300lk\364\367X\353Q\200\14\5\0\0\320\371\15\0" )  ) == 0x0
 00980  1740   NtRequestWaitReplyPort  (128, {64, 88, new_msg, 56, 1351024, 1235324, 1351296, 0}  (128, {64, 88, new_msg, 56, 1351024, 1235324, 1351296, 0} "\10\0\0\0@\0\1\10\2\0\0t\330\22\0\210\236\24\0\220\335\22\0\30\356\220|p\5\221|\1\0\0\0\210\236\24\0\14\5\0\0\14\5\0\0\320\371\15\0\0\0\0\0\0\0\0\0\273f\347w" ... {64, 88, reply, 56, 928, 1740, 57982, 0} "\10\0\0\0@\0\1\10\2\0\0t\330\22\0\210\236\24\0\220\335\22\0\30\356\220|p\5\221|\1\0\0\0\210\236\24\0\14\5\0\0\14\5\0\0\320\371\15\0\0\0\0\0\0\0\0\0\273f\347w" )  ... {64, 88, reply, 56, 928, 1740, 57982, 0}  (128, {64, 88, new_msg, 56, 1351024, 1235324, 1351296, 0} "\10\0\0\0@\0\1\10\2\0\0t\330\22\0\210\236\24\0\220\335\22\0\30\356\220|p\5\221|\1\0\0\0\210\236\24\0\14\5\0\0\14\5\0\0\320\371\15\0\0\0\0\0\0\0\0\0\273f\347w" ... {64, 88, reply, 56, 928, 1740, 57982, 0} "\10\0\0\0@\0\1\10\2\0\0t\330\22\0\210\236\24\0\220\335\22\0\30\356\220|p\5\221|\1\0\0\0\210\236\24\0\14\5\0\0\14\5\0\0\320\371\15\0\0\0\0\0\0\0\0\0\273f\347w" )  ) == 0x0
 00981  1740   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 132, ) }, ... 132, ) == 0x0
 00982  1740   NtOpenKey  (0x20019, {24, 132, 0x40, 0, 0,  (0x20019, {24, 132, 0x40, 0, 0, "ActiveComputerName"}, ... 136, ) }, ... 136, ) == 0x0
 00983  1740   NtQueryValueKey  (136,  (136, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (136, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Data= (136, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) }, 60, ) == 0x0
 00984  1740   NtClose  (136, ... ) == 0x0
 00985  1740   NtClose  (132, ... ) == 0x0
 00986  1740   NtCreateIoCompletion  (0x1f0003, 0x0, 0, ... 132, ) == 0x0
 00987  1740   NtCreateIoCompletion  (0x1f0003, 0x0, -1, ... 136, ) == 0x0
 00988  1740   NtDuplicateObject  (-1, 132, -1, 0x0, 0, 2, ... 140, ) == 0x0
 00989  1740   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 00990  1740   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 144, ) == 0x0
 00991  1740   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 00992  1740   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 00993  1740   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1234784,  (0xc0100080, {24, 0, 0x40, 0, 1234784, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 148, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 148, {status=0x0, info=1}, ) == 0x0
 00994  1740   NtSetInformationFile  (148, 1234840, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 00995  1740   NtSetInformationFile  (148, 1234828, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 00996  1740   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 00997  1740   NtWriteFile  (148, 117, 0, 0,  (148, 117, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 00998  1740   NtReadFile  (148, 117, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (148, 117, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20,+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 00999  1740   NtFsControlFile  (148, 117, 0x0, 0x0, 0x11c017,  (148, 117, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\336\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20,+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (148, 117, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\336\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20,+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01000  1740   NtFsControlFile  (148, 117, 0x0, 0x0, 0x11c017,  (148, 117, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\214\0\0\0\2\0\0\0t\0\0\0\0\0D\0\0\0\0\0\24\316\274T\274\235tH\233\354\372\234W@\301\22\1\0\0\0\1\0\0\0,\0.\0\334\340\22\0\27\0\0\0\0\0\0\0\26\0\0\0V\0I\0R\0T\0U\0A\0L\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 140, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\24\316\274T\274\235tH\233\354\372\234W@\301\22\0\0\0\0", ) , 140, 1024, ... {status=0x103, info=48},  (148, 117, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\214\0\0\0\2\0\0\0t\0\0\0\0\0D\0\0\0\0\0\24\316\274T\274\235tH\233\354\372\234W@\301\22\1\0\0\0\1\0\0\0,\0.\0\334\340\22\0\27\0\0\0\0\0\0\0\26\0\0\0V\0I\0R\0T\0U\0A\0L\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 140, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\24\316\274T\274\235tH\233\354\372\234W@\301\22\0\0\0\0", ) , ) == 0x103
 01001  1740   NtFsControlFile  (148, 117, 0x0, 0x0, 0x11c017,  (148, 117, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\24\316\274T\274\235tH\233\354\372\234W@\301\22", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\250\251\24\0\1\0\0\0\264\251\24\0 \0\0\0\1\0\0\0\16\0\20\0\300\251\24\0\320\251\24\0\10\0\0\0\0\0\0\0\7\0\0\0V\0I\0R\0T\0U\0A\0L\0\0\5\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\1\0\0\0\20\252\24\0\1\0\0\0\1\0\0\0 \252\24\0\0\0\0\0\0\0\0\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\353\3\0\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=180},  (148, 117, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\24\316\274T\274\235tH\233\354\372\234W@\301\22", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\250\251\24\0\1\0\0\0\264\251\24\0 \0\0\0\1\0\0\0\16\0\20\0\300\251\24\0\320\251\24\0\10\0\0\0\0\0\0\0\7\0\0\0V\0I\0R\0T\0U\0A\0L\0\0\5\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\1\0\0\0\20\252\24\0\1\0\0\0\1\0\0\0 \252\24\0\0\0\0\0\0\0\0\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\353\3\0\0\1\0\0\0\0\0\0\0", ) , ) == 0x103
 01002  1740   NtClose  (144, ... ) == 0x0
 01003  1740   NtClose  (148, ... ) == 0x0
 01004  1740   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01005  1740   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 148, ) == 0x0
 01006  1740   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01007  1740   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01008  1740   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1234756,  (0xc0100080, {24, 0, 0x40, 0, 1234756, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 144, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 144, {status=0x0, info=1}, ) == 0x0
 01009  1740   NtSetInformationFile  (144, 1234812, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01010  1740   NtSetInformationFile  (144, 1234800, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01011  1740   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01012  1740   NtWriteFile  (144, 117, 0, 0,  (144, 117, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01013  1740   NtReadFile  (144, 117, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (144, 117, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20-+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01014  1740   NtFsControlFile  (144, 117, 0x0, 0x0, 0x11c017,  (144, 117, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\14\336\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20-+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (144, 117, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\14\336\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20-+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01015  1740   NtFsControlFile  (144, 117, 0x0, 0x0, 0x11c017,  (144, 117, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\214\0\0\0\2\0\0\0t\0\0\0\0\0D\0\0\0\0\0\2169\4V\276h{J\225\236o\243\366\340=\216\1\0\0\0\1\0\0\0,\0.\0\334\340\22\0\27\0\0\0\0\0\0\0\26\0\0\0V\0I\0R\0T\0U\0A\0L\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 140, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\2169\4V\276h{J\225\236o\243\366\340=\216\0\0\0\0", ) , 140, 1024, ... {status=0x103, info=48},  (144, 117, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\214\0\0\0\2\0\0\0t\0\0\0\0\0D\0\0\0\0\0\2169\4V\276h{J\225\236o\243\366\340=\216\1\0\0\0\1\0\0\0,\0.\0\334\340\22\0\27\0\0\0\0\0\0\0\26\0\0\0V\0I\0R\0T\0U\0A\0L\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 140, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\2169\4V\276h{J\225\236o\243\366\340=\216\0\0\0\0", ) , ) == 0x103
 01016  1740   NtFsControlFile  (144, 117, 0x0, 0x0, 0x11c017,  (144, 117, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\2169\4V\276h{J\225\236o\243\366\340=\216", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\250\251\24\0\1\0\0\0\264\251\24\0 \0\0\0\1\0\0\0\16\0\20\0\300\251\24\0\320\251\24\0\10\0\0\0\0\0\0\0\7\0\0\0V\0I\0R\0T\0U\0A\0L\0\0\5\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\1\0\0\0\20\252\24\0\1\0\0\0\1\0\0\0 \252\24\0\0\0\0\0\0\0\0\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\353\3\0\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=180},  (144, 117, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\2169\4V\276h{J\225\236o\243\366\340=\216", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\250\251\24\0\1\0\0\0\264\251\24\0 \0\0\0\1\0\0\0\16\0\20\0\300\251\24\0\320\251\24\0\10\0\0\0\0\0\0\0\7\0\0\0V\0I\0R\0T\0U\0A\0L\0\0\5\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\1\0\0\0\20\252\24\0\1\0\0\0\1\0\0\0 \252\24\0\0\0\0\0\0\0\0\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\353\3\0\0\1\0\0\0\0\0\0\0", ) , ) == 0x103
 01017  1740   NtClose  (148, ... ) == 0x0
 01018  1740   NtClose  (144, ... ) == 0x0
 01019  1740   NtOpenProcessToken  (-1, 0x20008, ... 144, ) == 0x0
 01020  1740   NtQueryInformationToken  (144, User, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 01021  1740   NtQueryInformationToken  (144, User, 36, ... {token info, class 1, size 36}, 36, ) == 0x0
 01022  1740   NtOpenDirectoryObject  (0x2, {24, 0, 0x40, 0, 0,  (0x2, {24, 0, 0x40, 0, 0, "\Windows\WindowStations"}, ... 148, ) }, ... 148, ) == 0x0
 01023  1740   NtUserOpenWindowStation  ({24, 148, 0x40, 0, 0,  ({24, 148, 0x40, 0, 0, "winsta0"}, 0x37f, ... ) }, 0x37f, ... ) == 0x98
 01024  1740   NtClose  (148, ... ) == 0x0
 01025  1740   NtUserCloseWindowStation  (152, ...
 01026  1740   NtClose  (152, ... ) == 0x0
 01025  1740   NtUserCloseWindowStation  ... ) == 0x1
 01027  1740   NtClose  (144, ... ) == 0x0
 01028  1740   NtCreateEvent  (0x1f0003, {24, 0, 0x2, 0, 0, 0x0}, 1, 0, ... 144, ) == 0x0
 01029  1740   NtCreateEvent  (0x1f0003, {24, 0, 0x2, 0, 0, 0x0}, 1, 0, ... 152, ) == 0x0
 01030  1740   NtCreateMutant  (0x1f0001, {24, 0, 0x2, 0, 0, 0x0}, 0, ... 148, ) == 0x0
 01031  1740   NtDuplicateObject  (-1, -1, -1, 0x1f0fff, 2, 0, ... 156, ) == 0x0
 01032  1740   NtCreateSection  (0xf0007, {24, 0, 0x2, 0, 0, 0x0}, {7248, 0}, 4, 134217728, 0, ... 160, ) == 0x0
 01033  1740   NtMapViewOfSection  (160, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3d0000), {0, 0}, 8192, ) == 0x0
 01034  1740   NtQueryDefaultUILanguage  (1235448, ...
 01035  1740   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01036  1740   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482740, ) == 0x0
 01037  1740   NtQueryInformationToken  (-2147482740, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01038  1740   NtClose  (-2147482740, ... ) == 0x0
 01039  1740   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0
 01040  1740   NtOpenKey  (0x80000000, {24, -2147482740, 0x240, 0, 0,  (0x80000000, {24, -2147482740, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01041  1740   NtOpenKey  (0x80000000, {24, -2147482740, 0x640, 0, 0,  (0x80000000, {24, -2147482740, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481328, ) }, ... -2147481328, ) == 0x0
 01042  1740   NtQueryValueKey  (-2147481328,  (-2147481328, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01043  1740   NtClose  (-2147481328, ... ) == 0x0
 01044  1740   NtClose  (-2147482740, ... ) == 0x0
 01034  1740   NtQueryDefaultUILanguage  ... ) == 0x0
 01045  1740   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01046  1740   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01047  1740   NtAllocateVirtualMemory  (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0
 01048  1740   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1233692, ... ) }, 1233692, ... ) == 0x0
 01049  1740   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1232464, ... ) }, 1232464, ... ) == 0x0
 01050  1740   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01051  1740   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01052  1740   NtCreateFile  (0x10100080, {24, 0, 0x40, 0, 1234800,  (0x10100080, {24, 0, 0x40, 0, 1234800, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\bce_appcompat.txt"}, 0x0, 128, 0, 2, 96, 0, 0, ... }, 0x0, 128, 0, 2, 96, 0, 0, ...
 01053  1740   NtQueryDirectoryFile  (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1,  (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1, "DOCUME~1", 1, ... {status=0x0, info=56}, ) , 1, ... {status=0x0, info=56}, ) == 0x0
 01054  1740   NtClose  (-2147482740, ... ) == 0x0
 01055  1740   NtQueryDirectoryFile  (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1,  (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1, "MARTIM~1", 1, ... {status=0x0, info=40}, ) , 1, ... {status=0x0, info=40}, ) == 0x0
 01056  1740   NtClose  (-2147482740, ... ) == 0x0
 01057  1740   NtQueryDirectoryFile  (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1,  (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1, "LOCALS~1", 1, ... {status=0x0, info=40}, ) , 1, ... {status=0x0, info=40}, ) == 0x0
 01058  1740   NtClose  (-2147482740, ... ) == 0x0
 01052  1740   NtCreateFile  ... 164, {status=0x0, info=2}, ) == 0x0
 01059  1740   NtClose  (164, ... ) == 0x0
 01060  1740   NtCreateSection  (0xf001f, 0x0, {4194304, 0}, 4, 67108864, 0, ... 164, ) == 0x0
 01061  1740   NtMapViewOfSection  (164, -1, (0x0), 0, 0, 0x0, 4194304, 2, 0, 4, ... (0xa90000), 0x0, 4194304, ) == 0x0
 01062  1740   NtAllocateVirtualMemory  (-1, 11075584, 0, 1, 4096, 4, ... 11075584, 4096, ) == 0x0
 01063  1740   NtAllocateVirtualMemory  (-1, 11079680, 0, 1968, 4096, 4, ... 11079680, 4096, ) == 0x0
 01064  1740   NtCreateSection  (0xf0007, 0x0, {22396, 0}, 4, 134217728, 0, ... 168, ) == 0x0
 01065  1740   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01066  1740   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01067  1740   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01068  1740   NtClose  (164, ... ) == 0x0
 01069  1740   NtUnmapViewOfSection  (-1, 0xa90000, ... ) == 0x0
 01070  1740   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01071  1740   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01072  1740   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01073  1740   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01074  1740   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01075  1740   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01076  1740   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01077  1740   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01078  1740   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01079  1740   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01080  1740   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01081  1740   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01082  1740   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01083  1740   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01084  1740   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01085  1740   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01086  1740   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01087  1740   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01088  1740   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01089  1740   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01090  1740   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01091  1740   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01092  1740   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01093  1740   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01094  1740   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01095  1740   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01096  1740   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01097  1740   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01098  1740   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01099  1740   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01100  1740   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01101  1740   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01102  1740   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01103  1740   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01104  1740   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01105  1740   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01106  1740   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01107  1740   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01108  1740   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01109  1740   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01110  1740   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01111  1740   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01112  1740   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01113  1740   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01114  1740   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01115  1740   NtClose  (168, ... ) == 0x0
 01116  1740   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01117  1740   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\u:"}, 3, 96, ... 168, {status=0x0, info=1}, ) }, 3, 96, ... 168, {status=0x0, info=1}, ) == 0x0
 01118  1740   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\u:"}, ... 164, ) }, ... 164, ) == 0x0
 01119  1740   NtQuerySymbolicLinkObject  (164, ...  (164, ... "\Device\WinDfs\U:0000000000009f43", 66, ) , 66, ) == 0x0
 01120  1740   NtClose  (164, ... ) == 0x0
 01121  1740   NtQueryVolumeInformationFile  (168, 1234016, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01122  1740   NtClose  (168, ... ) == 0x0
 01123  1740   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\apphelp.dll"}, 1232812, ... ) }, 1232812, ... ) == 0x0
 01124  1740   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\apphelp.dll"}, 5, 96, ... 168, {status=0x0, info=1}, ) }, 5, 96, ... 168, {status=0x0, info=1}, ) == 0x0
 01125  1740   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 168, ... 164, ) == 0x0
 01126  1740   NtClose  (168, ... ) == 0x0
 01127  1740   NtMapViewOfSection  (164, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x3e0000), 0x0, 126976, ) == 0x0
 01128  1740   NtClose  (164, ... ) == 0x0
 01129  1740   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01130  1740   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\apphelp.dll"}, 1233120, ... ) }, 1233120, ... ) == 0x0
 01131  1740   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\apphelp.dll"}, 5, 96, ... 164, {status=0x0, info=1}, ) }, 5, 96, ... 164, {status=0x0, info=1}, ) == 0x0
 01132  1740   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 164, ... 168, ) == 0x0
 01133  1740   NtQuerySection  (168, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01134  1740   NtClose  (164, ... ) == 0x0
 01135  1740   NtMapViewOfSection  (168, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77b40000), 0x0, 139264, ) == 0x0
 01136  1740   NtClose  (168, ... ) == 0x0
 01137  1740   NtProtectVirtualMemory  (-1, (0x77b41000), 524, 4, ... (0x77b41000), 4096, 32, ) == 0x0
 01138  1740   NtProtectVirtualMemory  (-1, (0x77b41000), 4096, 32, ... (0x77b41000), 4096, 4, ) == 0x0
 01139  1740   NtFlushInstructionCache  (-1, 2008289280, 524, ... ) == 0x0
 01140  1740   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\apphelp.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01141  1740   NtAllocateVirtualMemory  (-1, 1355776, 0, 12288, 4096, 4, ... 1355776, 12288, ) == 0x0
 01142  1740   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1234508, ... ) }, 1234508, ... ) == 0x0
 01143  1740   NtCreateFile  (0x40100080, {24, 0, 0x40, 0, 1234516,  (0x40100080, {24, 0, 0x40, 0, 1234516, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\bce_appcompat.txt"}, 0x0, 128, 0, 5, 96, 0, 0, ... }, 0x0, 128, 0, 5, 96, 0, 0, ...
 01144  1740   NtClose  (-2147482740, ... ) == 0x0
 01145  1740   NtQueryDirectoryFile  (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1,  (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1, "DOCUME~1", 1, ... {status=0x0, info=56}, ) , 1, ... {status=0x0, info=56}, ) == 0x0
 01146  1740   NtClose  (-2147482740, ... ) == 0x0
 01147  1740   NtQueryDirectoryFile  (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1,  (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1, "MARTIM~1", 1, ... {status=0x0, info=40}, ) , 1, ... {status=0x0, info=40}, ) == 0x0
 01148  1740   NtClose  (-2147482740, ... ) == 0x0
 01149  1740   NtQueryDirectoryFile  (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1,  (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1, "LOCALS~1", 1, ... {status=0x0, info=40}, ) , 1, ... {status=0x0, info=40}, ) == 0x0
 01150  1740   NtClose  (-2147482740, ... ) == 0x0
 01143  1740   NtCreateFile  ... 168, {status=0x0, info=3}, ) == 0x0
 01151  1740   NtAllocateVirtualMemory  (-1, 1368064, 0, 12288, 4096, 4, ... 1368064, 12288, ) == 0x0
 01152  1740   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work\"}, 3, 16417, ... 164, {status=0x0, info=1}, ) }, 3, 16417, ... 164, {status=0x0, info=1}, ) == 0x0
 01153  1740   NtQueryDirectoryFile  (164, 0, 0, 0, 1233220, 616, BothDirectory, 1,  (164, 0, 0, 0, 1233220, 616, BothDirectory, 1, "packed.exe", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0
 01154  1740   NtWriteFile  (168, 0, 0, 0,  (168, 0, 0, 0, "\377\376", 2, 0x0, 0, ... {status=0x0, info=2}, ) , 2, 0x0, 0, ... {status=0x0, info=2}, ) == 0x0
 01155  1740   NtWriteFile  (168, 0, 0, 0,  (168, 0, 0, 0, "<\0?\0x\0m\0l\0 \0v\0e\0r\0s\0i\0o\0n\0=\0"\01\0.\00\0"\0 \0e\0n\0c\0o\0d\0i\0n\0g\0=\0"\0U\0T\0F\0-\01\06\0"\0?\0>\0\15\0\12\0<\0D\0A\0T\0A\0B\0A\0S\0E\0>\0\15\0\12\0", 106, 0x0, 0, ... {status=0x0, info=106}, ) \01\0.\00\0 (168, 0, 0, 0, "<\0?\0x\0m\0l\0 \0v\0e\0r\0s\0i\0o\0n\0=\0"\01\0.\00\0"\0 \0e\0n\0c\0o\0d\0i\0n\0g\0=\0"\0U\0T\0F\0-\01\06\0"\0?\0>\0\15\0\12\0<\0D\0A\0T\0A\0B\0A\0S\0E\0>\0\15\0\12\0", 106, 0x0, 0, ... {status=0x0, info=106}, ) \0U\0T\0F\0-\01\06\0 (168, 0, 0, 0, "<\0?\0x\0m\0l\0 \0v\0e\0r\0s\0i\0o\0n\0=\0"\01\0.\00\0"\0 \0e\0n\0c\0o\0d\0i\0n\0g\0=\0"\0U\0T\0F\0-\01\06\0"\0?\0>\0\15\0\12\0<\0D\0A\0T\0A\0B\0A\0S\0E\0>\0\15\0\12\0", 106, 0x0, 0, ... {status=0x0, info=106}, ) , 106, 0x0, 0, ... {status=0x0, info=106}, ) == 0x0
 01156  1740   NtWriteFile  (168, 0, 0, 0,  (168, 0, 0, 0, "<\0E\0X\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0F\0I\0L\0T\0E\0R\0=\0"\0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0"\0>\0\15\0\12\0", 122, 0x0, 0, ... {status=0x0, info=122}, ) \0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0 (168, 0, 0, 0, "<\0E\0X\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0F\0I\0L\0T\0E\0R\0=\0"\0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0"\0>\0\15\0\12\0", 122, 0x0, 0, ... {status=0x0, info=122}, ) \0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0 (168, 0, 0, 0, "<\0E\0X\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0F\0I\0L\0T\0E\0R\0=\0"\0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0"\0>\0\15\0\12\0", 122, 0x0, 0, ... {status=0x0, info=122}, ) , 122, 0x0, 0, ... {status=0x0, info=122}, ) == 0x0
 01157  1740   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1233600, ... ) }, 1233600, ... ) == 0x0
 01158  1740   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work"}, 3, 16417, ... 172, {status=0x0, info=1}, ) }, 3, 16417, ... 172, {status=0x0, info=1}, ) == 0x0
 01159  1740   NtQueryDirectoryFile  (172, 0, 0, 0, 1233212, 592, Directory, 1,  (172, 0, 0, 0, 1233212, 592, Directory, 1, "packed.exe", 0, ... {status=0x0, info=84}, ) , 0, ... {status=0x0, info=84}, ) == 0x0
 01160  1740   NtClose  (172, ... ) == 0x0
 01161  1740   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01162  1740   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01163  1740   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1232132, ... ) }, 1232132, ... ) == 0x0
 01164  1740   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1230904, ... ) }, 1230904, ... ) == 0x0
 01165  1740   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01166  1740   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01167  1740   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 0x0, 128, 1, 1, 96, 0, 0, ... 172, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 172, {status=0x0, info=1}, ) == 0x0
 01168  1740   NtQueryInformationFile  (172, 1233688, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01169  1740   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 172, ... 176, ) == 0x0
 01170  1740   NtMapViewOfSection  (176, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xa90000), 0x0, 188416, ) == 0x0
 01171  1740   NtUnmapViewOfSection  (-1, 0xa90000, ... ) == 0x0
 01172  1740   NtClose  (176, ... ) == 0x0
 01173  1740   NtClose  (172, ... ) == 0x0
 01174  1740   NtWriteFile  (168, 0, 0, 0,  (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\01\08\05\03\04\04\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\01\03\08\07\07\0E\01\06\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\02\09\04\0A\06\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... \0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0 (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\01\08\05\03\04\04\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\01\03\08\07\07\0E\01\06\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\02\09\04\0A\06\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... \01\08\05\03\04\04\0 (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\01\08\05\03\04\04\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\01\03\08\07\07\0E\01\06\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\02\09\04\0A\06\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... \00\0x\01\03\08\07\07\0E\01\06\0 (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\01\08\05\03\04\04\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\01\03\08\07\07\0E\01\06\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\02\09\04\0A\06\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... \0W\0I\0N\03\02\0 (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\01\08\05\03\04\04\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\01\03\08\07\07\0E\01\06\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\02\09\04\0A\06\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... \00\0x\02\09\04\0A\06\0 (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\01\08\05\03\04\04\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\01\03\08\07\07\0E\01\06\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\02\09\04\0A\06\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... \00\0x\00\0 (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\01\08\05\03\04\04\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\01\03\08\07\07\0E\01\06\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\02\09\04\0A\06\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... \01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0 (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\01\08\05\03\04\04\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\01\03\08\07\07\0E\01\06\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\02\09\04\0A\06\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... \01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0 (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\01\08\05\03\04\04\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\01\03\08\07\07\0E\01\06\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\02\09\04\0A\06\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\00\0/\00\02\0/\02\00\00\06\0 \00\08\0:\05\06\0:\00\09\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... , 418, 0x0, 0, ...
 01175  1740   NtContinue  (-106648108, 0, ...
 01174  1740   NtWriteFile  ... {status=0x0, info=418}, ) == 0x0
 01176  1740   NtQueryDirectoryFile  (164, 0, 0, 0, 1371248, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES
 01177  1740   NtClose  (164, ... ) == 0x0
 01178  1740   NtWriteFile  (168, 0, 0, 0,  (168, 0, 0, 0, "<\0/\0E\0X\0E\0>\0\15\0\12\0", 16, 0x0, 0, ... {status=0x0, info=16}, ) , 16, 0x0, 0, ... {status=0x0, info=16}, ) == 0x0
 01179  1740   NtClose  (168, ... ) == 0x0
 01180  1740   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\kernel32.dll"}, 1234508, ... ) }, 1234508, ... ) == 0x0
 01181  1740   NtCreateFile  (0x40100080, {24, 0, 0x40, 0, 1234516,  (0x40100080, {24, 0, 0x40, 0, 1234516, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\bce_appcompat.txt"}, 0x0, 128, 0, 3, 96, 0, 0, ... 168, {status=0x0, info=1}, ) }, 0x0, 128, 0, 3, 96, 0, 0, ... 168, {status=0x0, info=1}, ) == 0x0
 01182  1740   NtQueryInformationFile  (168, 1234540, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01183  1740   NtSetInformationFile  (168, 1234572, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01184  1740   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\"}, 3, 16417, ... 164, {status=0x0, info=1}, ) }, 3, 16417, ... 164, {status=0x0, info=1}, ) == 0x0
 01185  1740   NtQueryDirectoryFile  (164, 0, 0, 0, 1233220, 616, BothDirectory, 1,  (164, 0, 0, 0, 1233220, 616, BothDirectory, 1, "kernel32.dll", 0, ... {status=0x0, info=118}, ) , 0, ... {status=0x0, info=118}, ) == 0x0
 01186  1740   NtWriteFile  (168, 0, 0, 0,  (168, 0, 0, 0, "<\0E\0X\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0F\0I\0L\0T\0E\0R\0=\0"\0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0"\0>\0\15\0\12\0", 126, 0x0, 0, ... {status=0x0, info=126}, ) \0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0 (168, 0, 0, 0, "<\0E\0X\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0F\0I\0L\0T\0E\0R\0=\0"\0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0"\0>\0\15\0\12\0", 126, 0x0, 0, ... {status=0x0, info=126}, ) \0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0 (168, 0, 0, 0, "<\0E\0X\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0F\0I\0L\0T\0E\0R\0=\0"\0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0"\0>\0\15\0\12\0", 126, 0x0, 0, ... {status=0x0, info=126}, ) , 126, 0x0, 0, ... {status=0x0, info=126}, ) == 0x0
 01187  1740   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\kernel32.dll"}, 1233572, ... ) }, 1233572, ... ) == 0x0
 01188  1740   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32"}, 3, 16417, ... 172, {status=0x0, info=1}, ) }, 3, 16417, ... 172, {status=0x0, info=1}, ) == 0x0
 01189  1740   NtQueryDirectoryFile  (172, 0, 0, 0, 1233212, 592, Directory, 1,  (172, 0, 0, 0, 1233212, 592, Directory, 1, "kernel32.dll", 0, ... {status=0x0, info=88}, ) , 0, ... {status=0x0, info=88}, ) == 0x0
 01190  1740   NtClose  (172, ... ) == 0x0
 01191  1740   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01192  1740   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01193  1740   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\kernel32.dll"}, 1232132, ... ) }, 1232132, ... ) == 0x0
 01194  1740   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\kernel32.dll"}, 1230904, ... ) }, 1230904, ... ) == 0x0
 01195  1740   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01196  1740   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01197  1740   NtQueryDefaultLocale  (1, 1233092, ... ) == 0x0
 01198  1740   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01199  1740   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01200  1740   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\kernel32.dll"}, 1232124, ... ) }, 1232124, ... ) == 0x0
 01201  1740   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\kernel32.dll"}, 1230896, ... ) }, 1230896, ... ) == 0x0
 01202  1740   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01203  1740   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01204  1740   NtQueryDefaultLocale  (1, 1233084, ... ) == 0x0
 01205  1740   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\kernel32.dll"}, 0x0, 128, 1, 1, 96, 0, 0, ... 172, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 172, {status=0x0, info=1}, ) == 0x0
 01206  1740   NtQueryInformationFile  (172, 1233688, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01207  1740   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 172, ... 176, ) == 0x0
 01208  1740   NtMapViewOfSection  (176, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xa90000), 0x0, 987136, ) == 0x0
 01209  1740   NtUnmapViewOfSection  (-1, 0xa90000, ... ) == 0x0
 01210  1740   NtClose  (176, ... ) == 0x0
 01211  1740   NtClose  (172, ... ) == 0x0
 01212  1740   NtQueryDefaultUILanguage  (1233044, ...
 01213  1740   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01214  1740   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482740, ) == 0x0
 01215  1740   NtQueryInformationToken  (-2147482740, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01216  1740   NtClose  (-2147482740, ... ) == 0x0
 01217  1740   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0
 01218  1740   NtOpenKey  (0x80000000, {24, -2147482740, 0x240, 0, 0,  (0x80000000, {24, -2147482740, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01219  1740   NtOpenKey  (0x80000000, {24, -2147482740, 0x640, 0, 0,  (0x80000000, {24, -2147482740, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481328, ) }, ... -2147481328, ) == 0x0
 01220  1740   NtQueryValueKey  (-2147481328,  (-2147481328, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01221  1740   NtClose  (-2147481328, ... ) == 0x0
 01222  1740   NtClose  (-2147482740, ... ) == 0x0
 01212  1740   NtQueryDefaultUILanguage  ... ) == 0x0
 01223  1740   NtWriteFile  (168, 0, 0, 0,  (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\08\04\05\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0F\00\0B\03\03\01\0F\06\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) \0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0 (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\08\04\05\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0F\00\0B\03\03\01\0F\06\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) \09\08\04\05\07\06\0 (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\08\04\05\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0F\00\0B\03\03\01\0F\06\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) \00\0x\0F\00\0B\03\03\01\0F\06\0 (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\08\04\05\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0F\00\0B\03\03\01\0F\06\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) \05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0 (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\08\04\05\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0F\00\0B\03\03\01\0F\06\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) \05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0 (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\08\04\05\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0F\00\0B\03\03\01\0F\06\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) \05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0 (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\08\04\05\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0F\00\0B\03\03\01\0F\06\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) \0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0 (168, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\08\04\05\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0F\00\0B\03\03\01\0F\06\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) \0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) == 0x0
 01224  1740   NtQueryDirectoryFile  (164, 0, 0, 0, 1362544, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES
 01225  1740   NtClose  (164, ... ) == 0x0
 01226  1740   NtWriteFile  (168, 0, 0, 0,  (168, 0, 0, 0, "<\0/\0E\0X\0E\0>\0\15\0\12\0<\0/\0D\0A\0T\0A\0B\0A\0S\0E\0>\0\15\0\12\0", 42, 0x0, 0, ... {status=0x0, info=42}, ) , 42, 0x0, 0, ... {status=0x0, info=42}, ) == 0x0
 01227  1740   NtClose  (168, ... ) == 0x0
 01228  1740   NtUnmapViewOfSection  (-1, 0x77b40000, ... ) == 0x0
 01229  1740   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 01230  1740   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1231780, ... ) }, 1231780, ... ) == 0x0
 01231  1740   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1232516, ... ) }, 1232516, ... ) == 0x0
 01232  1740   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 5, 96, ... 168, {status=0x0, info=1}, ) }, 5, 96, ... 168, {status=0x0, info=1}, ) == 0x0
 01233  1740   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 168, ... 164, ) == 0x0
 01234  1740   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01235  1740   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 172, ) }, ... 172, ) == 0x0
 01236  1740   NtQueryValueKey  (172,  (172, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01237  1740   NtClose  (172, ... ) == 0x0
 01238  1740   NtQueryVolumeInformationFile  (168, 1231792, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01239  1740   NtOpenMutant  (0x120001, {24, 48, 0x0, 0, 0,  (0x120001, {24, 48, 0x0, 0, 0, "ShimCacheMutex"}, ... 172, ) }, ... 172, ) == 0x0
 01240  1740   NtWaitForSingleObject  (172, 0, {-1000000, -1}, ... ) == 0x0
 01241  1740   NtOpenSection  (0x2, {24, 48, 0x0, 0, 0,  (0x2, {24, 48, 0x0, 0, 0, "ShimSharedMemory"}, ... 176, ) }, ... 176, ) == 0x0
 01242  1740   NtMapViewOfSection  (176, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 57344, ) == 0x0
 01243  1740   NtReleaseMutant  (172, ... 0x0, ) == 0x0
 01244  1740   NtAllocateVirtualMemory  (-1, 1220608, 0, 4096, 4096, 260, ... 1220608, 4096, ) == 0x0
 01245  1740   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1229724, ... ) }, 1229724, ... ) == 0x0
 01246  1740   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 180, {status=0x0, info=1}, ) }, 5, 96, ... 180, {status=0x0, info=1}, ) == 0x0
 01247  1740   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 180, ... 184, ) == 0x0
 01248  1740   NtClose  (180, ... ) == 0x0
 01249  1740   NtMapViewOfSection  (184, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa90000), 0x0, 126976, ) == 0x0
 01250  1740   NtClose  (184, ... ) == 0x0
 01251  1740   NtUnmapViewOfSection  (-1, 0xa90000, ... ) == 0x0
 01252  1740   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1230032, ... ) }, 1230032, ... ) == 0x0
 01253  1740   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 184, {status=0x0, info=1}, ) }, 5, 96, ... 184, {status=0x0, info=1}, ) == 0x0
 01254  1740   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 184, ... 180, ) == 0x0
 01255  1740   NtQuerySection  (180, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01256  1740   NtClose  (184, ... ) == 0x0
 01257  1740   NtMapViewOfSection  (180, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77b40000), 0x0, 139264, ) == 0x0
 01258  1740   NtClose  (180, ... ) == 0x0
 01259  1740   NtProtectVirtualMemory  (-1, (0x77b41000), 524, 4, ... (0x77b41000), 4096, 32, ) == 0x0
 01260  1740   NtProtectVirtualMemory  (-1, (0x77b41000), 4096, 32, ... (0x77b41000), 4096, 4, ) == 0x0
 01261  1740   NtFlushInstructionCache  (-1, 2008289280, 524, ... ) == 0x0
 01262  1740   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Apphelp.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01263  1740   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 180, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 180, {status=0x0, info=1}, ) == 0x0
 01264  1740   NtQueryInformationFile  (180, 1230048, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01265  1740   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 180, ... 184, ) == 0x0
 01266  1740   NtMapViewOfSection  (184, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xa90000), 0x0, 1191936, ) == 0x0
 01267  1740   NtQueryInformationFile  (180, 1230148, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01268  1740   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01269  1740   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01270  1740   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 01271  1740   NtOpenKey  (0x101, {24, 0, 0x40, 0, 0,  (0x101, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\WPA\TabletPC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01272  1740   NtOpenKey  (0x101, {24, 0, 0x40, 0, 0,  (0x101, {24, 0, 0x40, 0, 0, "\Registry\Machine\SYSTEM\WPA\MediaCenter"}, ... 188, ) }, ... 188, ) == 0x0
 01273  1740   NtQueryValueKey  (188,  (188, "Installed", Partial, 256, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 256, ... TitleIdx=0, Type=4, Data= (188, "Installed", Partial, 256, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01274  1740   NtClose  (188, ... ) == 0x0
 01275  1740   NtCreateFile  (0x120116, {24, 0, 0x40, 0, 0,  (0x120116, {24, 0, 0x40, 0, 0, "\Device\NamedPipe\ShimViewer"}, 0x0, 128, 0, 1, 0, 0, 0, ... ) }, 0x0, 128, 0, 1, 0, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01276  1740   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\"}, 3, 16417, ... 188, {status=0x0, info=1}, ) }, 3, 16417, ... 188, {status=0x0, info=1}, ) == 0x0
 01277  1740   NtQueryDirectoryFile  (188, 0, 0, 0, 1227744, 616, BothDirectory, 1,  (188, 0, 0, 0, 1227744, 616, BothDirectory, 1, "dwwin.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 01278  1740   NtClose  (188, ... ) == 0x0
 01279  1740   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01280  1740   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01281  1740   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1228120, ... ) }, 1228120, ... ) == 0x0
 01282  1740   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 188, {status=0x0, info=1}, ) }, 3, 16417, ... 188, {status=0x0, info=1}, ) == 0x0
 01283  1740   NtQueryDirectoryFile  (188, 0, 0, 0, 1227548, 616, BothDirectory, 1,  (188, 0, 0, 0, 1227548, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01284  1740   NtClose  (188, ... ) == 0x0
 01285  1740   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 188, {status=0x0, info=1}, ) }, 3, 16417, ... 188, {status=0x0, info=1}, ) == 0x0
 01286  1740   NtQueryDirectoryFile  (188, 0, 0, 0, 1227548, 616, BothDirectory, 1,  (188, 0, 0, 0, 1227548, 616, BothDirectory, 1, "system32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01287  1740   NtClose  (188, ... ) == 0x0
 01288  1740   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\"}, 3, 16417, ... 188, {status=0x0, info=1}, ) }, 3, 16417, ... 188, {status=0x0, info=1}, ) == 0x0
 01289  1740   NtQueryDirectoryFile  (188, 0, 0, 0, 1227548, 616, BothDirectory, 1,  (188, 0, 0, 0, 1227548, 616, BothDirectory, 1, "dwwin.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 01290  1740   NtClose  (188, ... ) == 0x0
 01291  1740   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01292  1740   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01293  1740   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01294  1740   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01295  1740   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01296  1740   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 188, ) == 0x0
 01297  1740   NtQueryInformationToken  (188, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01298  1740   NtClose  (188, ... ) == 0x0
 01299  1740   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01300  1740   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\dwwin.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01301  1740   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1228952, ... ) }, 1228952, ... ) == 0x0
 01302  1740   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01303  1740   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01304  1740   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1227820, ... ) }, 1227820, ... ) == 0x0
 01305  1740   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 5, 96, ... 188, {status=0x0, info=1}, ) }, 5, 96, ... 188, {status=0x0, info=1}, ) == 0x0
 01306  1740   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 188, ... 192, ) == 0x0
 01307  1740   NtClose  (188, ... ) == 0x0
 01308  1740   NtMapViewOfSection  (192, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xbc0000), 0x0, 180224, ) == 0x0
 01309  1740   NtClose  (192, ... ) == 0x0
 01310  1740   NtUnmapViewOfSection  (-1, 0xbc0000, ... ) == 0x0
 01311  1740   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1227416, ... ) }, 1227416, ... ) == 0x0
 01312  1740   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1228160,  (0x80100080, {24, 0, 0x40, 0, 1228160, "\??\C:\WINDOWS\system32\dwwin.exe"}, 0x0, 0, 5, 1, 96, 0, 0, ... 192, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 192, {status=0x0, info=1}, ) == 0x0
 01313  1740   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 192, ... 188, ) == 0x0
 01314  1740   NtClose  (192, ... ) == 0x0
 01315  1740   NtMapViewOfSection  (188, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xbc0000), {0, 0}, 180224, ) == 0x0
 01316  1740   NtClose  (188, ... ) == 0x0
 01317  1740   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01318  1740   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01319  1740   NtQueryDefaultLocale  (1, 1228780, ... ) == 0x0
 01320  1740   NtQueryVirtualMemory  (-1, 0xbc0000, Basic, 28, ... {BaseAddress=0xbc0000,AllocationBase=0xbc0000,AllocationProtect=0x2,RegionSize=0x2c000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01321  1740   NtQueryVirtualMemory  (-1, 0xbc0000, Basic, 28, ... {BaseAddress=0xbc0000,AllocationBase=0xbc0000,AllocationProtect=0x2,RegionSize=0x2c000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01322  1740   NtUnmapViewOfSection  (-1, 0xbc0000, ... ) == 0x0
 01323  1740   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01324  1740   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01325  1740   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1227812, ... ) }, 1227812, ... ) == 0x0
 01326  1740   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 5, 96, ... 188, {status=0x0, info=1}, ) }, 5, 96, ... 188, {status=0x0, info=1}, ) == 0x0
 01327  1740   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 188, ... 192, ) == 0x0
 01328  1740   NtClose  (188, ... ) == 0x0
 01329  1740   NtMapViewOfSection  (192, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xbc0000), 0x0, 180224, ) == 0x0
 01330  1740   NtClose  (192, ... ) == 0x0
 01331  1740   NtUnmapViewOfSection  (-1, 0xbc0000, ... ) == 0x0
 01332  1740   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1227408, ... ) }, 1227408, ... ) == 0x0
 01333  1740   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1228152,  (0x80100080, {24, 0, 0x40, 0, 1228152, "\??\C:\WINDOWS\system32\dwwin.exe"}, 0x0, 0, 5, 1, 96, 0, 0, ... 192, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 192, {status=0x0, info=1}, ) == 0x0
 01334  1740   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 192, ... 188, ) == 0x0
 01335  1740   NtClose  (192, ... ) == 0x0
 01336  1740   NtMapViewOfSection  (188, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xbc0000), {0, 0}, 180224, ) == 0x0
 01337  1740   NtClose  (188, ... ) == 0x0
 01338  1740   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01339  1740   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01340  1740   NtQueryDefaultLocale  (1, 1228772, ... ) == 0x0
 01341  1740   NtQueryVirtualMemory  (-1, 0xbc0000, Basic, 28, ... {BaseAddress=0xbc0000,AllocationBase=0xbc0000,AllocationProtect=0x2,RegionSize=0x2c000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01342  1740   NtUnmapViewOfSection  (-1, 0xbc0000, ... ) == 0x0
 01343  1740   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01344  1740   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01345  1740   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 188, ) == 0x0
 01346  1740   NtQueryInformationToken  (188, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01347  1740   NtClose  (188, ... ) == 0x0
 01348  1740   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01349  1740   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01350  1740   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01351  1740   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1229372, ... ) }, 1229372, ... ) == 0x0
 01352  1740   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 188, {status=0x0, info=1}, ) }, 3, 16417, ... 188, {status=0x0, info=1}, ) == 0x0
 01353  1740   NtQueryDirectoryFile  (188, 0, 0, 0, 1228800, 616, BothDirectory, 1,  (188, 0, 0, 0, 1228800, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01354  1740   NtClose  (188, ... ) == 0x0
 01355  1740   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 188, {status=0x0, info=1}, ) }, 3, 16417, ... 188, {status=0x0, info=1}, ) == 0x0
 01356  1740   NtQueryDirectoryFile  (188, 0, 0, 0, 1228800, 616, BothDirectory, 1,  (188, 0, 0, 0, 1228800, 616, BothDirectory, 1, "system32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01357  1740   NtClose  (188, ... ) == 0x0
 01358  1740   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\"}, 3, 16417, ... 188, {status=0x0, info=1}, ) }, 3, 16417, ... 188, {status=0x0, info=1}, ) == 0x0
 01359  1740   NtQueryDirectoryFile  (188, 0, 0, 0, 1228800, 616, BothDirectory, 1,  (188, 0, 0, 0, 1228800, 616, BothDirectory, 1, "dwwin.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 01360  1740   NtClose  (188, ... ) == 0x0
 01361  1740   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01362  1740   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01363  1740   NtWaitForSingleObject  (172, 0, {-1000000, -1}, ... ) == 0x0
 01364  1740   NtReleaseMutant  (172, ... 0x0, ) == 0x0
 01365  1740   NtUnmapViewOfSection  (-1, 0xa90000, ... ) == 0x0
 01366  1740   NtClose  (184, ... ) == 0x0
 01367  1740   NtClose  (180, ... ) == 0x0
 01368  1740   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 01369  1740   NtOpenProcessToken  (-1, 0xa, ... 180, ) == 0x0
 01370  1740   NtQueryInformationToken  (180, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 01371  1740   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01372  1740   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 184, ) }, ... 184, ) == 0x0
 01373  1740   NtQueryValueKey  (184,  (184, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (184, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01374  1740   NtQueryValueKey  (184,  (184, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (184, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01375  1740   NtClose  (184, ... ) == 0x0
 01376  1740   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\LevelObjects"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01377  1740   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 184, ) }, ... 184, ) == 0x0
 01378  1740   NtQueryValueKey  (184,  (184, "Levels", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01379  1740   NtClose  (184, ... ) == 0x0
 01380  1740   NtQueryDefaultLocale  (1, 1231220, ... ) == 0x0
 01381  1740   NtQueryDefaultLocale  (1, 1231220, ... ) == 0x0
 01382  1740   NtQueryDefaultLocale  (1, 1231220, ... ) == 0x0
 01383  1740   NtQueryDefaultLocale  (1, 1231220, ... ) == 0x0
 01384  1740   NtQueryDefaultLocale  (1, 1231220, ... ) == 0x0
 01385  1740   NtQueryDefaultLocale  (1, 1231220, ... ) == 0x0
 01386  1740   NtQueryDefaultLocale  (1, 1231220, ... ) == 0x0
 01387  1740   NtQueryDefaultLocale  (1, 1231220, ... ) == 0x0
 01388  1740   NtQueryDefaultLocale  (1, 1231220, ... ) == 0x0
 01389  1740   NtQueryDefaultLocale  (1, 1231220, ... ) == 0x0
 01390  1740   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... 184, ) }, ... 184, ) == 0x0
 01391  1740   NtEnumerateKey  (184, 0, Basic, 280, ... {LastWrite={0x3a5edea,0x1c74da9}, TitleIdx=0, Name= (184, 0, Basic, 280, ... {LastWrite={0x3a5edea,0x1c74da9}, TitleIdx=0, Name="{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, 92, ) }, 92, ) == 0x0
 01392  1740   NtOpenKey  (0x20019, {24, 184, 0x40, 0, 0,  (0x20019, {24, 184, 0x40, 0, 0, "{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, ... 188, ) }, ... 188, ) == 0x0
 01393  1740   NtQueryValueKey  (188,  (188, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) , Partial, 280, ... TitleIdx=0, Type=2, Data= (188, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) }, 202, ) == 0x0
 01394  1740   NtQueryValueKey  (188,  (188, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (188, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01395  1740   NtClose  (188, ... ) == 0x0
 01396  1740   NtEnumerateKey  (184, 1, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES
 01397  1740   NtClose  (184, ... ) == 0x0
 01398  1740   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... 184, ) }, ... 184, ) == 0x0
 01399  1740   NtEnumerateKey  (184, 0, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (184, 0, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{349d35ab-37b5-462f-9b89-edd5fbde1328}"}, 92, ) }, 92, ) == 0x0
 01400  1740   NtOpenKey  (0x20019, {24, 184, 0x40, 0, 0,  (0x20019, {24, 184, 0x40, 0, 0, "{349d35ab-37b5-462f-9b89-edd5fbde1328}"}, ... 188, ) }, ... 188, ) == 0x0
 01401  1740   NtQueryValueKey  (188,  (188, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="^\2530O\225zI\211j\0l\341\25@\25"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (188, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="^\2530O\225zI\211j\0l\341\25@\25"}, 28, ) }, 28, ) == 0x0
 01402  1740   NtQueryValueKey  (188,  (188, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (188, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0
 01403  1740   NtQueryValueKey  (188,  (188, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\13\3\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (188, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\13\3\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 01404  1740   NtQueryValueKey  (188,  (188, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (188, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01405  1740   NtClose  (188, ... ) == 0x0
 01406  1740   NtEnumerateKey  (184, 1, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (184, 1, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}"}, 92, ) }, 92, ) == 0x0
 01407  1740   NtOpenKey  (0x20019, {24, 184, 0x40, 0, 0,  (0x20019, {24, 184, 0x40, 0, 0, "{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}"}, ... 188, ) }, ... 188, ) == 0x0
 01408  1740   NtQueryValueKey  (188,  (188, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="g\260\324\2134:?\323\274\351\334dg\4\363\224"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (188, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="g\260\324\2134:?\323\274\351\334dg\4\363\224"}, 28, ) }, 28, ) == 0x0
 01409  1740   NtQueryValueKey  (188,  (188, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (188, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0
 01410  1740   NtQueryValueKey  (188,  (188, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\5\2\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (188, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\5\2\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 01411  1740   NtQueryValueKey  (188,  (188, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (188, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01412  1740   NtClose  (188, ... ) == 0x0
 01413  1740   NtEnumerateKey  (184, 2, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (184, 2, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}"}, 92, ) }, 92, ) == 0x0
 01414  1740   NtOpenKey  (0x20019, {24, 184, 0x40, 0, 0,  (0x20019, {24, 184, 0x40, 0, 0, "{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}"}, ... 188, ) }, ... 188, ) == 0x0
 01415  1740   NtQueryValueKey  (188,  (188, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="2x\2\334\376\370\310\223\334\212\260\6\335\204}\35"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (188, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="2x\2\334\376\370\310\223\334\212\260\6\335\204}\35"}, 28, ) }, 28, ) == 0x0
 01416  1740   NtQueryValueKey  (188,  (188, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (188, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0
 01417  1740   NtQueryValueKey  (188,  (188, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\226\3\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (188, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\226\3\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 01418  1740   NtQueryValueKey  (188,  (188, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (188, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01419  1740   NtClose  (188, ... ) == 0x0
 01420  1740   NtEnumerateKey  (184, 3, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (184, 3, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{94e3e076-8f53-42a5-8411-085bcc18a68d}"}, 92, ) }, 92, ) == 0x0
 01421  1740   NtOpenKey  (0x20019, {24, 184, 0x40, 0, 0,  (0x20019, {24, 184, 0x40, 0, 0, "{94e3e076-8f53-42a5-8411-085bcc18a68d}"}, ... 188, ) }, ... 188, ) == 0x0
 01422  1740   NtQueryValueKey  (188,  (188, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="\275\232*\333B\353\330V\16%\16M\370\26/g"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (188, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="\275\232*\333B\353\330V\16%\16M\370\26/g"}, 28, ) }, 28, ) == 0x0
 01423  1740   NtQueryValueKey  (188,  (188, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (188, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0
 01424  1740   NtQueryValueKey  (188,  (188, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\345\0\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (188, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\345\0\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 01425  1740   NtQueryValueKey  (188,  (188, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (188, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01426  1740   NtClose  (188, ... ) == 0x0
 01427  1740   NtEnumerateKey  (184, 4, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (184, 4, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}"}, 92, ) }, 92, ) == 0x0
 01428  1740   NtOpenKey  (0x20019, {24, 184, 0x40, 0, 0,  (0x20019, {24, 184, 0x40, 0, 0, "{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}"}, ... 188, ) }, ... 188, ) == 0x0
 01429  1740   NtQueryValueKey  (188,  (188, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="8k\10_\204\354\366i\323k\225j"\300\36\200"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (188, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="8k\10_\204\354\366i\323k\225j"\300\36\200"}, 28, ) \300\36\200"}, 28, ) == 0x0
 01430  1740   NtQueryValueKey  (188,  (188, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (188, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0
 01431  1740   NtQueryValueKey  (188,  (188, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="r\1\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (188, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="r\1\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 01432  1740   NtQueryValueKey  (188,  (188, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (188, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01433  1740   NtClose  (188, ... ) == 0x0
 01434  1740   NtEnumerateKey  (184, 5, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES
 01435  1740   NtClose  (184, ... ) == 0x0
 01436  1740   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01437  1740   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01438  1740   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01439  1740   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01440  1740   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01441  1740   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01442  1740   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01443  1740   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01444  1740   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01445  1740   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01446  1740   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01447  1740   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01448  1740   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01449  1740   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01450  1740   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 184, ) == 0x0
 01451  1740   NtQueryInformationToken  (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01452  1740   NtClose  (184, ... ) == 0x0
 01453  1740   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01454  1740   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01455  1740   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 184, ) == 0x0
 01456  1740   NtQueryInformationToken  (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01457  1740   NtClose  (184, ... ) == 0x0
 01458  1740   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01459  1740   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01460  1740   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 184, ) == 0x0
 01461  1740   NtQueryInformationToken  (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01462  1740   NtClose  (184, ... ) == 0x0
 01463  1740   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01464  1740   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01465  1740   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 184, ) == 0x0
 01466  1740   NtQueryInformationToken  (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01467  1740   NtClose  (184, ... ) == 0x0
 01468  1740   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01469  1740   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01470  1740   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 184, ) == 0x0
 01471  1740   NtQueryInformationToken  (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01472  1740   NtClose  (184, ... ) == 0x0
 01473  1740   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01474  1740   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01475  1740   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 184, ) == 0x0
 01476  1740   NtQueryInformationToken  (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01477  1740   NtClose  (184, ... ) == 0x0
 01478  1740   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01479  1740   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01480  1740   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 184, ) == 0x0
 01481  1740   NtQueryInformationToken  (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01482  1740   NtClose  (184, ... ) == 0x0
 01483  1740   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01484  1740   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01485  1740   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 184, ) == 0x0
 01486  1740   NtQueryInformationToken  (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01487  1740   NtClose  (184, ... ) == 0x0
 01488  1740   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01489  1740   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01490  1740   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 184, ) == 0x0
 01491  1740   NtQueryInformationToken  (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01492  1740   NtClose  (184, ... ) == 0x0
 01493  1740   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01494  1740   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01495  1740   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 184, ) == 0x0
 01496  1740   NtQueryInformationToken  (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01497  1740   NtClose  (184, ... ) == 0x0
 01498  1740   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01499  1740   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01500  1740   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 184, ) == 0x0
 01501  1740   NtQueryInformationToken  (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01502  1740   NtClose  (184, ... ) == 0x0
 01503  1740   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01504  1740   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01505  1740   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 184, ) == 0x0
 01506  1740   NtQueryInformationToken  (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01507  1740   NtClose  (184, ... ) == 0x0
 01508  1740   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01509  1740   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01510  1740   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 184, ) == 0x0
 01511  1740   NtQueryInformationToken  (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01512  1740   NtClose  (184, ... ) == 0x0
 01513  1740   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01514  1740   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01515  1740   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 184, ) == 0x0
 01516  1740   NtQueryInformationToken  (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01517  1740   NtClose  (184, ... ) == 0x0
 01518  1740   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01519  1740   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01520  1740   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 184, ) == 0x0
 01521  1740   NtQueryInformationToken  (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01522  1740   NtClose  (184, ... ) == 0x0
 01523  1740   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01524  1740   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 184, ) }, ... 184, ) == 0x0
 01525  1740   NtQueryValueKey  (184,  (184, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (184, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Data= (184, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) }, 48, ) == 0x0
 01526  1740   NtClose  (184, ... ) == 0x0
 01527  1740   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01528  1740   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 184, ) == 0x0
 01529  1740   NtQueryInformationToken  (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01530  1740   NtClose  (184, ... ) == 0x0
 01531  1740   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01532  1740   NtOpenThreadToken  (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN
 01533  1740   NtOpenProcessToken  (-1, 0xa, ... 184, ) == 0x0
 01534  1740   NtDuplicateToken  (184, 0xc, {24, 0, 0x0, 0, 1231652, 0x0}, 0, 2, ... 188, ) == 0x0
 01535  1740   NtClose  (184, ... ) == 0x0
 01536  1740   NtAccessCheck  (1379984, 188, 0x1, 1231728, 1231780, 56, 1231760, ... (0x1), ) == 0x0
 01537  1740   NtClose  (188, ... ) == 0x0
 01538  1740   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 188, ) }, ... 188, ) == 0x0
 01539  1740   NtQueryValueKey  (188,  (188, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (188, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01540  1740   NtClose  (188, ... ) == 0x0
 01541  1740   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 188, ) }, ... 188, ) == 0x0
 01542  1740   NtQuerySymbolicLinkObject  (188, ...  (188, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0
 01543  1740   NtClose  (188, ... ) == 0x0
 01544  1740   NtQueryVolumeInformationFile  (168, 1229484, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01545  1740   NtQueryInformationFile  (168, 1229600, 528, Name, ... {status=0x0, info=58}, ) == 0x0
 01546  1740   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01547  1740   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01548  1740   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1228772, ... ) }, 1228772, ... ) == 0x0
 01549  1740   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 188, {status=0x0, info=1}, ) }, 3, 16417, ... 188, {status=0x0, info=1}, ) == 0x0
 01550  1740   NtQueryDirectoryFile  (188, 0, 0, 0, 1228200, 616, BothDirectory, 1,  (188, 0, 0, 0, 1228200, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01551  1740   NtClose  (188, ... ) == 0x0
 01552  1740   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 188, {status=0x0, info=1}, ) }, 3, 16417, ... 188, {status=0x0, info=1}, ) == 0x0
 01553  1740   NtQueryDirectoryFile  (188, 0, 0, 0, 1228200, 616, BothDirectory, 1,  (188, 0, 0, 0, 1228200, 616, BothDirectory, 1, "system32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01554  1740   NtClose  (188, ... ) == 0x0
 01555  1740   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\"}, 3, 16417, ... 188, {status=0x0, info=1}, ) }, 3, 16417, ... 188, {status=0x0, info=1}, ) == 0x0
 01556  1740   NtQueryDirectoryFile  (188, 0, 0, 0, 1228200, 616, BothDirectory, 1,  (188, 0, 0, 0, 1228200, 616, BothDirectory, 1, "dwwin.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 01557  1740   NtClose  (188, ... ) == 0x0
 01558  1740   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01559  1740   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01560  1740   NtQueryInformationFile  (168, 1231640, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01561  1740   NtCreateSection  (0xf0005, 0x0, {180224, 0}, 2, 134217728, 168, ... 188, ) == 0x0
 01562  1740   NtMapViewOfSection  (188, -1, (0x0), 0, 0, {0, 0}, 180224, 1, 0, 2, ... (0xa90000), {0, 0}, 180224, ) == 0x0
 01563  1740   NtClose  (188, ... ) == 0x0
 01564  1740   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01565  1740   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 188, ) == 0x0
 01566  1740   NtQueryInformationToken  (188, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01567  1740   NtClose  (188, ... ) == 0x0
 01568  1740   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 188, ) }, ... 188, ) == 0x0
 01569  1740   NtOpenKey  (0x20019, {24, 188, 0x40, 0, 0,  (0x20019, {24, 188, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 184, ) }, ... 184, ) == 0x0
 01570  1740   NtClose  (188, ... ) == 0x0
 01571  1740   NtQueryValueKey  (184,  (184, "Cache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01572  1740   NtQueryValueKey  (184,  (184, "Cache", Partial, 174, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 174, ) , Partial, 174, ... TitleIdx=0, Type=1, Data= (184, "Cache", Partial, 174, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 174, ) }, 174, ) == 0x0
 01573  1740   NtClose  (184, ... ) == 0x0
 01574  1740   NtUnmapViewOfSection  (-1, 0xa90000, ... ) == 0x0
 01575  1740   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 8192, 4, ... 4128768, 4096, ) == 0x0
 01576  1740   NtAllocateVirtualMemory  (-1, 4128768, 0, 4096, 4096, 4, ... 4128768, 4096, ) == 0x0
 01577  1740   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 184, ) }, ... 184, ) == 0x0
 01578  1740   NtQueryValueKey  (184,  (184, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01579  1740   NtClose  (184, ... ) == 0x0
 01580  1740   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01581  1740   NtQueryInformationToken  (180, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0
 01582  1740   NtQueryInformationToken  (180, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0
 01583  1740   NtClose  (180, ... ) == 0x0
 01584  1740   NtQuerySection  (164, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01585  1740   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwwin.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01586  1740   NtQuerySystemInformation  (71, 4, ... {system info, class 71, size 4}, 0x0, ) == 0x0
 01587  1740   NtCreateProcessEx  (1233564, 2035711, 0, -1, 4, 164, 0, 0, 0, ... ) == 0x0
 01588  1740   NtSetInformationProcess  (180, PriorityClass, {process info, class 18, size 2}, 512, ... ) == 0x0
 01589  1740   NtSetInformationProcess  (180, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01590  1740   NtQueryInformationProcess  (180, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffde000,AffinityMask=0x1,BasePriority=8,Pid=484,ParentPid=928,}, 0x0, ) == 0x0
 01591  1740   NtReadVirtualMemory  (180, 0x7ffde008, 4, ...  (180, 0x7ffde008, 4, ... "\0\0\00", 0x0, ) , 0x0, ) == 0x0
 01592  1740   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01593  1740   NtReadVirtualMemory  (180, 0x30000000, 4096, ...  (180, 0x30000000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0$\206\244\23`\347\312@`\347\312@`\347\312@9\304\331@b\347\312@`\347\313@d\347\312@\210\370\301@a\347\312@\343\373\304@j\347\312@\210\370\300@I\347\312@6\370\331@h\347\312@\272\304\326@i\347\312@\220\370\301@p\347\312@`\347\312@H\346\312@Rich`\347\312@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0N\23\216?\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\24\0\220\2\0\0\240\0\0\0\0\0\0\232t\0\0\0\20\0\0\0\320\3\0\0\0\00\0\20\0\0\0\20\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0@\3\0\0\20\0\0\237*\3\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\327\211\2\0z\1\0\0\00\3\0\244\12\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Z\236\2\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\2\0\0\370\0\0\0\0\20\0\0\270\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\222\216\2\0", 4096, ) , 4096, ) == 0x0
 01594  1740   NtReadVirtualMemory  (180, 0x30033000, 256, ...  (180, 0x30033000, 256, ... "\0\0\0\0J\23\216?\0\0\0\0\0\0\3\0\5\0\0\0(\0\0\200\13\0\0\0@\0\0\200\20\0\0\0X\0\0\200\0\0\0\0J\23\216?\0\0\0\0\0\0\1\0e\0\0\0p\0\0\200\0\0\0\0J\23\216?\0\0\0\0\0\0\1\0\1\0\0\0\210\0\0\200\0\0\0\0J\23\216?\0\0\0\0\0\0\1\0\1\0\0\0\240\0\0\200\0\0\0\0J\23\216?\0\0\0\0\0\0\1\0\11\4\0\0\270\0\0\0\0\0\0\0J\23\216?\0\0\0\0\0\0\1\0\11\4\0\0\310\0\0\0\0\0\0\0J\23\216?\0\0\0\0\0\0\1\0\11\4\0\0\330\0\0\0\3600\3\0\26\3\0\0\0\0\0\0\0\0\0\0\104\3\0\254\1\0\0\0\0\0\0\0\0\0\0\2645\3\0\360\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\300\0\310\200\0\0\0\0\14\0\0\0\0\0f\1", 256, ) , 256, ) == 0x0
 01595  1740   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01596  1740   NtQueryInformationProcess  (180, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffde000,AffinityMask=0x1,BasePriority=8,Pid=484,ParentPid=928,}, 0x0, ) == 0x0
 01597  1740   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32"}, 1232516, ... ) }, 1232516, ... ) == 0x0
 01598  1740   NtAllocateVirtualMemory  (-1, 0, 0, 2428, 4096, 4, ... 11075584, 4096, ) == 0x0
 01599  1740   NtAllocateVirtualMemory  (180, 0, 0, 6432, 4096, 4, ... 65536, 8192, ) == 0x0
 01600  1740   NtWriteVirtualMemory  (180, 0x10000,  (180, 0x10000, "=\0A\0:\0=\0A\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0s\0c\0r\0i\0p\0t\0s\0\0\0=\0U\0:\0=\0U\0:\0\\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0A\0T\0L\0_\0I\0N\0C\0_\0P\0A\0T\0H\0=\0C\0:\0\\0W\0I\0N\0D\0D\0K\0\\03\07\09\00\0~\01\0.\01\08\03\0\\0i\0n\0c\0\0\0A\0T\0L\0_\0I\0N\0C\0_\0R\0O\0O\0T\0=\0C\0:\0\\0W\0I\0N\0D\0D\0K\0\\03\07\09\00\0~\01\0.\01\08\03\0\\0i\0n\0c\0\0\0A\0T\0L\0_\0L\0I\0B\0_\0P\0A\0T\0H\0=\0C\0:\0\\0W\0I\0N\0D\0D\0K\0\\03\07\0", 6432, ... 0x0, ) , 6432, ... 0x0, ) == 0x0
 01601  1740   NtAllocateVirtualMemory  (180, 0, 0, 2428, 4096, 4, ... 131072, 4096, ) == 0x0
 01602  1740   NtWriteVirtualMemory  (180, 0x20000,  (180, 0x20000, "\0\20\0\0|\11\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\0\0\0\0\0\13\0\0\0&\0\10\2\220\2\0\0\16\0\0\0\364\3\366\3\230\4\0\0:\0<\0\220\10\0\0N\0P\0\314\10\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0:\0<\0\34\11\0\0\36\0 \0X\11\0\0\0\0\2\0x\11\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 2428, ... 0x0, ) , 2428, ... 0x0, ) == 0x0
 01603  1740   NtWriteVirtualMemory  (180, 0x7ffde010,  (180, 0x7ffde010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 01604  1740   NtAllocateVirtualMemory  (180, 0, 0, 388, 4096, 4, ... 196608, 4096, ) == 0x0
 01605  1740   NtWriteVirtualMemory  (180, 0x30000,  (180, 0x30000, "S\0h\0i\0m\0E\0n\0g\0.\0d\0l\0l\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\1\0\0\253\355\15\254\210\255\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\21\21\21\21\21\21\21\21\21\21\21\21\21\21\21\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 388, ... 0x0, ) , 388, ... 0x0, ) == 0x0
 01606  1740   NtWriteVirtualMemory  (180, 0x7ffde1e8,  (180, 0x7ffde1e8, "\0\0\3\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 01607  1740   NtFreeVirtualMemory  (-1, (0xa90000), 0, 32768, ... (0xa90000), 4096, ) == 0x0
 01608  1740   NtAllocateVirtualMemory  (180, 0, 0, 1048576, 8192, 4, ... 262144, 1048576, ) == 0x0
 01609  1740   NtAllocateVirtualMemory  (180, 1302528, 0, 8192, 4096, 4, ... 1302528, 8192, ) == 0x0
 01610  1740   NtProtectVirtualMemory  (180, (0x13e000), 4096, 260, ... (0x13e000), 4096, 4, ) == 0x0
 01611  1740   NtCreateThread  (0x1f03ff, 0x0, 180, 1233572, 1233236, 1, ... 184, {484, 748}, ) == 0x0
 01612  1740   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 0, 2147348480, 2008285840, 0}  (24, {168, 196, new_msg, 0, 0, 2147348480, 2008285840, 0} "\0\0\0\0\0\0\1\0\0\0\0\0x\2\264w\267\0\0\0\270\0\0\0\344\1\0\0\354\2\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\214\326\22\0x\1\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\375\177\0\0\0\0\0\0\24\0\10 \0\0" ... {168, 196, reply, 0, 928, 1740, 57985, 0} "\0\0\0\0\0\0\1\0\0\0\0\0x\2\264w\264\0\0\0\270\0\0\0\344\1\0\0\354\2\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\214\326\22\0x\1\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\375\177\0\0\0\0\0\0\24\0\10 \0\0" )  ... {168, 196, reply, 0, 928, 1740, 57985, 0}  (24, {168, 196, new_msg, 0, 0, 2147348480, 2008285840, 0} "\0\0\0\0\0\0\1\0\0\0\0\0x\2\264w\267\0\0\0\270\0\0\0\344\1\0\0\354\2\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\214\326\22\0x\1\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\375\177\0\0\0\0\0\0\24\0\10 \0\0" ... {168, 196, reply, 0, 928, 1740, 57985, 0} "\0\0\0\0\0\0\1\0\0\0\0\0x\2\264w\264\0\0\0\270\0\0\0\344\1\0\0\354\2\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\214\326\22\0x\1\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\375\177\0\0\0\0\0\0\24\0\10 \0\0" )  ) == 0x0
 01613  1740   NtResumeThread  (184, ... 1, ) == 0x0
 01614  1740   NtClose  (168, ... ) == 0x0
 01615  1740   NtClose  (164, ... ) == 0x0
 01616  1740   NtClose  (184, ... ) == 0x0
 01617  1740   NtWaitForMultipleObjects  (2, (152, 180, ), 1, 0, {1294967296, -1}, ... ) == 0x0
 01618  1740   NtWaitForSingleObject  (144, 0, {0, 0}, ... ) == 0x102
 01619  1740   NtWaitForMultipleObjects  (2, (152, 180, ), 1, 0, {1294967296, -1}, ... ) == 0x0
 01620  1740   NtWaitForSingleObject  (144, 0, {0, 0}, ... ) == 0x102
 01621  1740   NtWaitForMultipleObjects  (2, (152, 180, ), 1, 0, {1294967296, -1}, ... ) == 0x0
 01622  1740   NtWaitForSingleObject  (144, 0, {0, 0}, ... ) == 0x0
 01623  1740   NtClose  (180, ... ) == 0x0
 01624  1740   NtUnmapViewOfSection  (-1, 0x3d0000, ... ) == 0x0
 01625  1740   NtClose  (160, ... ) == 0x0
 01626  1740   NtClose  (144, ... ) == 0x0
 01627  1740   NtClose  (152, ... ) == 0x0
 01628  1740   NtClose  (148, ... ) == 0x0
 01629  1740   NtClose  (156, ... ) == 0x0
 01630  1740   NtClose  (100, ... ) == 0x0
 01631  1740   NtClose  (104, ... ) == 0x0
 01632  1740   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x7,}, 4, ... ) == 0x0
 01633  1740   NtWaitForMultipleObjects  (2, (64, 72, ), 1, 0, 0x0, ... ) == 0x1
 01634  1740   NtClose  (72, ... ) == 0x0
 01635  1740   NtSetEvent  (64, ... 0x0, ) == 0x0
 01636  1740   NtClose  (64, ... ) == 0x0
 01637  1740   NtWaitForMultipleObjects  (2, (76, 80, ), 1, 0, 0x0, ... ) == 0x1
 01638  1740   NtClose  (80, ... ) == 0x0
 01639  1740   NtSetEvent  (76, ... 0x0, ) == 0x0
 01640  1740   NtClose  (76, ... ) == 0x0
 01641  1740   NtWaitForMultipleObjects  (2, (84, 88, ), 1, 0, 0x0, ... ) == 0x1
 01642  1740   NtClose  (88, ... ) == 0x0
 01643  1740   NtSetEvent  (84, ... 0x0, ) == 0x0
 01644  1740   NtClose  (84, ... ) == 0x0
 01645  1740   NtRequestWaitReplyPort  (128, {88, 112, new_msg, 0, 928, 1740, 57981, 0}  (128, {88, 112, new_msg, 0, 928, 1740, 57981, 0} "\1\356\0\0A\2<\0\30b\202\201\0\260\375\177\220k\364\367\370\37`\300\377\377\377\377X\353Q\200\0\0\0\0)%\25E?>\A\250\245\22\360\331E\16S\331E\16S\1\300\375\177(l\364\367\253\362Q\200\324k\364\367\300\250U\200aFT\200\0\0\0\0h\242\250\201" ... {124, 148, reply, 0, 928, 1740, 58115, 0} "\2\376\255\201\1\0\0\0\200Y\274\201V\347\340\341\264\311\275\201:\332R\200X;\350\371\324\376\255\201\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\210\300\310\0\0\0\3\1\0\0\3\1\0\0\10A\210\300\0@\250\300\220\276u\201\264;\350\371R\250S\200\304;\350\371\4\0\0\0\0\0\0\0\220\276u\201<(\255\201\7\0\0\0\304\277u\201]\0\0\0" )  ... {124, 148, reply, 0, 928, 1740, 58115, 0}  (128, {88, 112, new_msg, 0, 928, 1740, 57981, 0} "\1\356\0\0A\2<\0\30b\202\201\0\260\375\177\220k\364\367\370\37`\300\377\377\377\377X\353Q\200\0\0\0\0)%\25E?>\A\250\245\22\360\331E\16S\331E\16S\1\300\375\177(l\364\367\253\362Q\200\324k\364\367\300\250U\200aFT\200\0\0\0\0h\242\250\201" ... {124, 148, reply, 0, 928, 1740, 58115, 0} "\2\376\255\201\1\0\0\0\200Y\274\201V\347\340\341\264\311\275\201:\332R\200X;\350\371\324\376\255\201\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\210\300\310\0\0\0\3\1\0\0\3\1\0\0\10A\210\300\0@\250\300\220\276u\201\264;\350\371R\250S\200\304;\350\371\4\0\0\0\0\0\0\0\220\276u\201<(\255\201\7\0\0\0\304\277u\201]\0\0\0" )  ) == 0x0
 01646  1740   NtClose  (124, ... ) == 0x0
 01647  1740   NtClose  (128, ... ) == 0x0
 01648  1740   NtClose  (68, ... ) == 0x0
 01649  1740   NtUnmapViewOfSection  (-1, 0x69450000, ... ) == 0x0
 01650  1740   NtUnmapViewOfSection  (-1, 0x77920000, ... ) == 0x0
 01651  1740   NtUnmapViewOfSection  (-1, 0x76f50000, ... ) == 0x0
 01652  1740   NtUnmapViewOfSection  (-1, 0x76360000, ... ) == 0x0
 01653  1740   NtUnmapViewOfSection  (-1, 0x5b860000, ... ) == 0x0
 01654  1740   NtUnmapViewOfSection  (-1, 0x769c0000, ... ) == 0x0
 01655  1740   NtContinue  (1242900, 0, ...
 01656  1740   NtTerminateProcess  (0, -1073741682, ... ) == 0x0
 01657  1740   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x8,}, 4, ... ) == 0x0
 01658  1740   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x9,}, 4, ... ) == 0x0
 01659  1740   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xa,}, 4, ... ) == 0x0
 01660  1740   NtClose  (92, ... ) == 0x0
 01661  1740   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x6,}, 4, ... ) == 0x0
 01662  1740   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x5,}, 4, ... ) == 0x0
 01663  1740   NtUnmapViewOfSection  (-1, 0x380000, ... ) == 0x0
 01664  1740   NtClose  (60, ... ) == 0x0
 01665  1740   NtGdiDeleteObjectApp  (1913653144, ... ) == 0x1
 01666  1740   NtUserGetProcessWindowStation  (... ) == 0x1c
 01667  1740   NtUserBuildNameList  (28, 522, 1379448, 1244228, ... ) == 0x0
 01668  1740   NtUserGetProcessWindowStation  (... ) == 0x1c
 01669  1740   NtUserOpenDesktop  ({24, 28, 0x40, 0, 0,  ({24, 28, 0x40, 0, 0, "Default"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x3c
 01670  1740   NtUserBuildHwndList  (60, 0, 0, 0, 64, ... (0x5009e, 0x400fa, 0x10074, 0x10080, 0x10070, 0x10084, 0x30048, 0x10072, 0x20052, 0x5009c, 0x10090, 0x500a2, 0x100d0, 0x200b0, 0x100cc, 0x70104, 0x70100, 0x20118, 0x3014c, 0x1011c, 0x100e6, 0x100d6, 0x100d2, 0x100ca, 0x100c8, 0x100ba, 0x100ae, 0x100ac, 0x300a6, 0x10078, 0x30062, 0x50036, 0x5005c, 0x100be, 0x400fe, 0x10092, 0x10086, 0x40034, 0x50050, 0x1013c, 0x10120, 0x100c2, 0x100bc, 0x2014e, 0x100d8, 0x100b6, 0x100b8, 0x100b4, 0x100c0, 0x1009a, 0x5005e, 0x1, ), 52, ) == 0x0
 01671  1740   NtUserValidateHandleSecure  (327838, ... ) == 0x1
 01672  1740   NtUserQueryWindow  (327838, 0, ... ) == 0x6b8
 01673  1740   NtUserQueryWindow  (327838, 1, ... ) == 0x6d4
 01674  1740   NtUserValidateHandleSecure  (327838, ... ) == 0x1
 01675  1740   NtUserValidateHandleSecure  (262394, ... ) == 0x1
 01676  1740   NtUserQueryWindow  (262394, 0, ... ) == 0x6b8
 01677  1740   NtUserQueryWindow  (262394, 1, ... ) == 0x6d4
 01678  1740   NtUserValidateHandleSecure  (262394, ... ) == 0x1
 01679  1740   NtUserBuildHwndList  (0, 262394, 1, 0, 64, ... (0x80064, 0x60068, 0x6006c, 0x50094, 0x50096, 0x60066, 0x7006a, 0x90058, 0x6006e, 0x5008a, 0x50088, 0x500a0, 0x1, ), 13, ) == 0x0
 01680  1740   NtUserValidateHandleSecure  (524388, ... ) == 0x1
 01681  1740   NtUserQueryWindow  (524388, 0, ... ) == 0x6b8
 01682  1740   NtUserQueryWindow  (524388, 1, ... ) == 0x6d4
 01683  1740   NtUserValidateHandleSecure  (393320, ... ) == 0x1
 01684  1740   NtUserQueryWindow  (393320, 0, ... ) == 0x6b8
 01685  1740   NtUserQueryWindow  (393320, 1, ... ) == 0x6d4
 01686  1740   NtUserValidateHandleSecure  (393324, ... ) == 0x1
 01687  1740   NtUserQueryWindow  (393324, 0, ... ) == 0x6b8
 01688  1740   NtUserQueryWindow  (393324, 1, ... ) == 0x6d4
 01689  1740   NtUserValidateHandleSecure  (327828, ... ) == 0x1
 01690  1740   NtUserQueryWindow  (327828, 0, ... ) == 0x6b8
 01691  1740   NtUserQueryWindow  (327828, 1, ... ) == 0x6d4
 01692  1740   NtUserValidateHandleSecure  (327830, ... ) == 0x1
 01693  1740   NtUserQueryWindow  (327830, 0, ... ) == 0x6b8
 01694  1740   NtUserQueryWindow  (327830, 1, ... ) == 0x6d4
 01695  1740   NtUserValidateHandleSecure  (393318, ... ) == 0x1
 01696  1740   NtUserQueryWindow  (393318, 0, ... ) == 0x6b8
 01697  1740   NtUserQueryWindow  (393318, 1, ... ) == 0x6d4
 01698  1740   NtUserValidateHandleSecure  (458858, ... ) == 0x1
 01699  1740   NtUserQueryWindow  (458858, 0, ... ) == 0x6b8
 01700  1740   NtUserQueryWindow  (458858, 1, ... ) == 0x6d4
 01701  1740   NtUserValidateHandleSecure  (589912, ... ) == 0x1
 01702  1740   NtUserQueryWindow  (589912, 0, ... ) == 0x6b8
 01703  1740   NtUserQueryWindow  (589912, 1, ... ) == 0x6d4
 01704  1740   NtUserValidateHandleSecure  (393326, ... ) == 0x1
 01705  1740   NtUserQueryWindow  (393326, 0, ... ) == 0x6b8
 01706  1740   NtUserQueryWindow  (393326, 1, ... ) == 0x6d4
 01707  1740   NtUserValidateHandleSecure  (327818, ... ) == 0x1
 01708  1740   NtUserQueryWindow  (327818, 0, ... ) == 0x6b8
 01709  1740   NtUserQueryWindow  (327818, 1, ... ) == 0x6d4
 01710  1740   NtUserValidateHandleSecure  (327816, ... ) == 0x1
 01711  1740   NtUserQueryWindow  (327816, 0, ... ) == 0x6b8
 01712  1740   NtUserQueryWindow  (327816, 1, ... ) == 0x6d4
 01713  1740   NtUserValidateHandleSecure  (327840, ... ) == 0x1
 01714  1740   NtUserQueryWindow  (327840, 0, ... ) == 0x6b8
 01715  1740   NtUserQueryWindow  (327840, 1, ... ) == 0x6d4
 01716  1740   NtUserValidateHandleSecure  (65652, ... ) == 0x1
 01717  1740   NtUserQueryWindow  (65652, 0, ... ) == 0x6b8
 01718  1740   NtUserQueryWindow  (65652, 1, ... ) == 0x6d4
 01719  1740   NtUserValidateHandleSecure  (65652, ... ) == 0x1
 01720  1740   NtUserValidateHandleSecure  (65664, ... ) == 0x1
 01721  1740   NtUserQueryWindow  (65664, 0, ... ) == 0x6b8
 01722  1740   NtUserQueryWindow  (65664, 1, ... ) == 0x6d4
 01723  1740   NtUserValidateHandleSecure  (65664, ... ) == 0x1
 01724  1740   NtUserValidateHandleSecure  (65648, ... ) == 0x1
 01725  1740   NtUserQueryWindow  (65648, 0, ... ) == 0x6b8
 01726  1740   NtUserQueryWindow  (65648, 1, ... ) == 0x6d4
 01727  1740   NtUserValidateHandleSecure  (65648, ... ) == 0x1
 01728  1740   NtUserValidateHandleSecure  (65668, ... ) == 0x1
 01729  1740   NtUserQueryWindow  (65668, 0, ... ) == 0x6b8
 01730  1740   NtUserQueryWindow  (65668, 1, ... ) == 0x6d4
 01731  1740   NtUserValidateHandleSecure  (65668, ... ) == 0x1
 01732  1740   NtUserValidateHandleSecure  (196680, ... ) == 0x1
 01733  1740   NtUserQueryWindow  (196680, 0, ... ) == 0x6b8
 01734  1740   NtUserQueryWindow  (196680, 1, ... ) == 0x6d4
 01735  1740   NtUserValidateHandleSecure  (196680, ... ) == 0x1
 01736  1740   NtUserValidateHandleSecure  (65650, ... ) == 0x1
 01737  1740   NtUserQueryWindow  (65650, 0, ... ) == 0x6b8
 01738  1740   NtUserQueryWindow  (65650, 1, ... ) == 0x6d4
 01739  1740   NtUserValidateHandleSecure  (65650, ... ) == 0x1
 01740  1740   NtUserValidateHandleSecure  (131154, ... ) == 0x1
 01741  1740   NtUserQueryWindow  (131154, 0, ... ) == 0x6b8
 01742  1740   NtUserQueryWindow  (131154, 1, ... ) == 0x6d4
 01743  1740   NtUserValidateHandleSecure  (131154, ... ) == 0x1
 01744  1740   NtUserBuildHwndList  (0, 131154, 1, 0, 64, ... (0x3003e, 0x3003c, 0x30040, 0x30042, 0x30044, 0x30046, 0x10076, 0x10082, 0x1007a, 0x1007e, 0x1, ), 11, ) == 0x0
 01745  1740   NtUserValidateHandleSecure  (196670, ... ) == 0x1
 01746  1740   NtUserQueryWindow  (196670, 0, ... ) == 0x6b8
 01747  1740   NtUserQueryWindow  (196670, 1, ... ) == 0x6d4
 01748  1740   NtUserValidateHandleSecure  (196668, ... ) == 0x1
 01749  1740   NtUserQueryWindow  (196668, 0, ... ) == 0x6b8
 01750  1740   NtUserQueryWindow  (196668, 1, ... ) == 0x6d4
 01751  1740   NtUserValidateHandleSecure  (196672, ... ) == 0x1
 01752  1740   NtUserQueryWindow  (196672, 0, ... ) == 0x6b8
 01753  1740   NtUserQueryWindow  (196672, 1, ... ) == 0x6d4
 01754  1740   NtUserValidateHandleSecure  (196674, ... ) == 0x1
 01755  1740   NtUserQueryWindow  (196674, 0, ... ) == 0x6b8
 01756  1740   NtUserQueryWindow  (196674, 1, ... ) == 0x6d4
 01757  1740   NtUserValidateHandleSecure  (196676, ... ) == 0x1
 01758  1740   NtUserQueryWindow  (196676, 0, ... ) == 0x6b8
 01759  1740   NtUserQueryWindow  (196676, 1, ... ) == 0x6d4
 01760  1740   NtUserValidateHandleSecure  (196678, ... ) == 0x1
 01761  1740   NtUserQueryWindow  (196678, 0, ... ) == 0x6b8
 01762  1740   NtUserQueryWindow  (196678, 1, ... ) == 0x6d4
 01763  1740   NtUserValidateHandleSecure  (65654, ... ) == 0x1
 01764  1740   NtUserQueryWindow  (65654, 0, ... ) == 0x6b8
 01765  1740   NtUserQueryWindow  (65654, 1, ... ) == 0x6d4
 01766  1740   NtUserValidateHandleSecure  (65666, ... ) == 0x1
 01767  1740   NtUserQueryWindow  (65666, 0, ... ) == 0x6b8
 01768  1740   NtUserQueryWindow  (65666, 1, ... ) == 0x6d4
 01769  1740   NtUserValidateHandleSecure  (65658, ... ) == 0x1
 01770  1740   NtUserQueryWindow  (65658, 0, ... ) == 0x6b8
 01771  1740   NtUserQueryWindow  (65658, 1, ... ) == 0x6d4
 01772  1740   NtUserValidateHandleSecure  (65662, ... ) == 0x1
 01773  1740   NtUserQueryWindow  (65662, 0, ... ) == 0x6b8
 01774  1740   NtUserQueryWindow  (65662, 1, ... ) == 0x6d4
 01775  1740   NtUserValidateHandleSecure  (327836, ... ) == 0x1
 01776  1740   NtUserQueryWindow  (327836, 0, ... ) == 0x6b8
 01777  1740   NtUserQueryWindow  (327836, 1, ... ) == 0x6d4
 01778  1740   NtUserValidateHandleSecure  (327836, ... ) == 0x1
 01779  1740   NtUserValidateHandleSecure  (65680, ... ) == 0x1
 01780  1740   NtUserQueryWindow  (65680, 0, ... ) == 0x6b8
 01781  1740   NtUserQueryWindow  (65680, 1, ... ) == 0x6bc
 01782  1740   NtUserValidateHandleSecure  (65680, ... ) == 0x1
 01783  1740   NtUserValidateHandleSecure  (327842, ... ) == 0x1
 01784  1740   NtUserQueryWindow  (327842, 0, ... ) == 0x6b8
 01785  1740   NtUserQueryWindow  (327842, 1, ... ) == 0x6d4
 01786  1740   NtUserValidateHandleSecure  (327842, ... ) == 0x1
 01787  1740   NtUserValidateHandleSecure  (65744, ... ) == 0x1
 01788  1740   NtUserQueryWindow  (65744, 0, ... ) == 0x19c
 01789  1740   NtUserQueryWindow  (65744, 1, ... ) == 0x1a0
 01790  1740   NtUserValidateHandleSecure  (65744, ... ) == 0x1
 01791  1740   NtUserValidateHandleSecure  (131248, ... ) == 0x1
 01792  1740   NtUserQueryWindow  (131248, 0, ... ) == 0xa0
 01793  1740   NtUserQueryWindow  (131248, 1, ... ) == 0xe4
 01794  1740   NtUserValidateHandleSecure  (131248, ... ) == 0x1
 01795  1740   NtUserValidateHandleSecure  (65740, ... ) == 0x1
 01796  1740   NtUserQueryWindow  (65740, 0, ... ) == 0x19c
 01797  1740   NtUserQueryWindow  (65740, 1, ... ) == 0x1a0
 01798  1740   NtUserValidateHandleSecure  (65740, ... ) == 0x1
 01799  1740   NtUserValidateHandleSecure  (459012, ... ) == 0x1
 01800  1740   NtUserQueryWindow  (459012, 0, ... ) == 0x49c
 01801  1740   NtUserQueryWindow  (459012, 1, ... ) == 0x180
 01802  1740   NtUserValidateHandleSecure  (459012, ... ) == 0x1
 01803  1740   NtUserValidateHandleSecure  (459008, ... ) == 0x1
 01804  1740   NtUserQueryWindow  (459008, 0, ... ) == 0x5e8
 01805  1740   NtUserQueryWindow  (459008, 1, ... ) == 0x1dc
 01806  1740   NtUserValidateHandleSecure  (459008, ... ) == 0x1
 01807  1740   NtUserValidateHandleSecure  (131352, ... ) == 0x1
 01808  1740   NtUserQueryWindow  (131352, 0, ... ) == 0x6ac
 01809  1740   NtUserQueryWindow  (131352, 1, ... ) == 0x7f4
 01810  1740   NtUserValidateHandleSecure  (131352, ... ) == 0x1
 01811  1740   NtUserValidateHandleSecure  (196940, ... ) == 0x1
 01812  1740   NtUserQueryWindow  (196940, 0, ... ) == 0x4b4
 01813  1740   NtUserQueryWindow  (196940, 1, ... ) == 0x474
 01814  1740   NtUserValidateHandleSecure  (196940, ... ) == 0x1
 01815  1740   NtUserValidateHandleSecure  (65820, ... ) == 0x1
 01816  1740   NtUserQueryWindow  (65820, 0, ... ) == 0x22c
 01817  1740   NtUserQueryWindow  (65820, 1, ... ) == 0x220
 01818  1740   NtUserValidateHandleSecure  (65820, ... ) == 0x1
 01819  1740   NtUserValidateHandleSecure  (65766, ... ) == 0x1
 01820  1740   NtUserQueryWindow  (65766, 0, ... ) == 0x6b8
 01821  1740   NtUserQueryWindow  (65766, 1, ... ) == 0x13c
 01822  1740   NtUserValidateHandleSecure  (65766, ... ) == 0x1
 01823  1740   NtUserValidateHandleSecure  (65750, ... ) == 0x1
 01824  1740   NtUserQueryWindow  (65750, 0, ... ) == 0x6b8
 01825  1740   NtUserQueryWindow  (65750, 1, ... ) == 0x13c
 01826  1740   NtUserValidateHandleSecure  (65750, ... ) == 0x1
 01827  1740   NtUserBuildHwndList  (0, 65750, 1, 0, 64, ... (0x100da, 0x100dc, 0x100de, 0x100e0, 0x1, ), 5, ) == 0x0
 01828  1740   NtUserValidateHandleSecure  (65754, ... ) == 0x1
 01829  1740   NtUserQueryWindow  (65754, 0, ... ) == 0x6b8
 01830  1740   NtUserQueryWindow  (65754, 1, ... ) == 0x13c
 01831  1740   NtUserValidateHandleSecure  (65756, ... ) == 0x1
 01832  1740   NtUserQueryWindow  (65756, 0, ... ) == 0x6b8
 01833  1740   NtUserQueryWindow  (65756, 1, ... ) == 0x13c
 01834  1740   NtUserValidateHandleSecure  (65758, ... ) == 0x1
 01835  1740   NtUserQueryWindow  (65758, 0, ... ) == 0x6b8
 01836  1740   NtUserQueryWindow  (65758, 1, ... ) == 0x13c
 01837  1740   NtUserValidateHandleSecure  (65760, ... ) == 0x1
 01838  1740   NtUserQueryWindow  (65760, 0, ... ) == 0x6b8
 01839  1740   NtUserQueryWindow  (65760, 1, ... ) == 0x13c
 01840  1740   NtUserValidateHandleSecure  (65746, ... ) == 0x1
 01841  1740   NtUserQueryWindow  (65746, 0, ... ) == 0x6b8
 01842  1740   NtUserQueryWindow  (65746, 1, ... ) == 0x6d4
 01843  1740   NtUserValidateHandleSecure  (65746, ... ) == 0x1
 01844  1740   NtUserValidateHandleSecure  (65738, ... ) == 0x1
 01845  1740   NtUserQueryWindow  (65738, 0, ... ) == 0x19c
 01846  1740   NtUserQueryWindow  (65738, 1, ... ) == 0x1a0
 01847  1740   NtUserValidateHandleSecure  (65738, ... ) == 0x1
 01848  1740   NtUserValidateHandleSecure  (65736, ... ) == 0x1
 01849  1740   NtUserQueryWindow  (65736, 0, ... ) == 0xa0
 01850  1740   NtUserQueryWindow  (65736, 1, ... ) == 0xe4
 01851  1740   NtUserValidateHandleSecure  (65736, ... ) == 0x1
 01852  1740   NtUserValidateHandleSecure  (65722, ... ) == 0x1
 01853  1740   NtUserQueryWindow  (65722, 0, ... ) == 0x104
 01854  1740   NtUserQueryWindow  (65722, 1, ... ) == 0x108
 01855  1740   NtUserValidateHandleSecure  (65722, ... ) == 0x1
 01856  1740   NtUserValidateHandleSecure  (65710, ... ) == 0x1
 01857  1740   NtUserQueryWindow  (65710, 0, ... ) == 0x104
 01858  1740   NtUserQueryWindow  (65710, 1, ... ) == 0x108
 01859  1740   NtUserValidateHandleSecure  (65710, ... ) == 0x1
 01860  1740   NtUserValidateHandleSecure  (65708, ... ) == 0x1
 01861  1740   NtUserQueryWindow  (65708, 0, ... ) == 0x120
 01862  1740   NtUserQueryWindow  (65708, 1, ... ) == 0x124
 01863  1740   NtUserValidateHandleSecure  (65708, ... ) == 0x1
 01864  1740   NtUserValidateHandleSecure  (196774, ... ) == 0x1
 01865  1740   NtUserQueryWindow  (196774, 0, ... ) == 0xc4
 01866  1740   NtUserQueryWindow  (196774, 1, ... ) == 0xc8
 01867  1740   NtUserValidateHandleSecure  (196774, ... ) == 0x1
 01868  1740   NtUserValidateHandleSecure  (65656, ... ) == 0x1
 01869  1740   NtUserQueryWindow  (65656, 0, ... ) == 0x6b8
 01870  1740   NtUserQueryWindow  (65656, 1, ... ) == 0x6ec
 01871  1740   NtUserValidateHandleSecure  (65656, ... ) == 0x1
 01872  1740   NtUserValidateHandleSecure  (196706, ... ) == 0x1
 01873  1740   NtUserQueryWindow  (196706, 0, ... ) == 0x6b8
 01874  1740   NtUserQueryWindow  (196706, 1, ... ) == 0x6bc
 01875  1740   NtUserValidateHandleSecure  (196706, ... ) == 0x1
 01876  1740   NtUserValidateHandleSecure  (327734, ... ) == 0x1
 01877  1740   NtUserQueryWindow  (327734, 0, ... ) == 0x6b8
 01878  1740   NtUserQueryWindow  (327734, 1, ... ) == 0x6bc
 01879  1740   NtUserValidateHandleSecure  (327734, ... ) == 0x1
 01880  1740   NtUserValidateHandleSecure  (327772, ... ) == 0x1
 01881  1740   NtUserQueryWindow  (327772, 0, ... ) == 0x6b8
 01882  1740   NtUserQueryWindow  (327772, 1, ... ) == 0x6bc
 01883  1740   NtUserValidateHandleSecure  (327772, ... ) == 0x1
 01884  1740   NtUserValidateHandleSecure  (65726, ... ) == 0x1
 01885  1740   NtUserQueryWindow  (65726, 0, ... ) == 0x19c
 01886  1740   NtUserQueryWindow  (65726, 1, ... ) == 0x1a0
 01887  1740   NtUserValidateHandleSecure  (65726, ... ) == 0x1
 01888  1740   NtUserValidateHandleSecure  (262398, ... ) == 0x1
 01889  1740   NtUserQueryWindow  (262398, 0, ... ) == 0x6b8
 01890  1740   NtUserQueryWindow  (262398, 1, ... ) == 0x6d4
 01891  1740   NtUserValidateHandleSecure  (262398, ... ) == 0x1
 01892  1740   NtUserValidateHandleSecure  (65682, ... ) == 0x1
 01893  1740   NtUserQueryWindow  (65682, 0, ... ) == 0x6b8
 01894  1740   NtUserQueryWindow  (65682, 1, ... ) == 0x6bc
 01895  1740   NtUserValidateHandleSecure  (65682, ... ) == 0x1
 01896  1740   NtUserValidateHandleSecure  (65670, ... ) == 0x1
 01897  1740   NtUserQueryWindow  (65670, 0, ... ) == 0x6b8
 01898  1740   NtUserQueryWindow  (65670, 1, ... ) == 0x6bc
 01899  1740   NtUserValidateHandleSecure  (65670, ... ) == 0x1
 01900  1740   NtUserBuildHwndList  (0, 65670, 1, 0, 64, ... (0x1008c, 0x1008e, 0x1, ), 3, ) == 0x0
 01901  1740   NtUserValidateHandleSecure  (65676, ... ) == 0x1
 01902  1740   NtUserQueryWindow  (65676, 0, ... ) == 0x6b8
 01903  1740   NtUserQueryWindow  (65676, 1, ... ) == 0x6bc
 01904  1740   NtUserValidateHandleSecure  (65678, ... ) == 0x1
 01905  1740   NtUserQueryWindow  (65678, 0, ... ) == 0x6b8
 01906  1740   NtUserQueryWindow  (65678, 1, ... ) == 0x6bc
 01907  1740   NtUserValidateHandleSecure  (262196, ... ) == 0x1
 01908  1740   NtUserQueryWindow  (262196, 0, ... ) == 0x6b8
 01909  1740   NtUserQueryWindow  (262196, 1, ... ) == 0x6d4
 01910  1740   NtUserValidateHandleSecure  (262196, ... ) == 0x1
 01911  1740   NtUserValidateHandleSecure  (327760, ... ) == 0x1
 01912  1740   NtUserQueryWindow  (327760, 0, ... ) == 0x6b8
 01913  1740   NtUserQueryWindow  (327760, 1, ... ) == 0x6d4
 01914  1740   NtUserValidateHandleSecure  (327760, ... ) == 0x1
 01915  1740   NtUserValidateHandleSecure  (65852, ... ) == 0x1
 01916  1740   NtUserQueryWindow  (65852, 0, ... ) == 0x22c
 01917  1740   NtUserQueryWindow  (65852, 1, ... ) == 0x220
 01918  1740   NtUserValidateHandleSecure  (65852, ... ) == 0x1
 01919  1740   NtUserValidateHandleSecure  (65824, ... ) == 0x1
 01920  1740   NtUserQueryWindow  (65824, 0, ... ) == 0x22c
 01921  1740   NtUserQueryWindow  (65824, 1, ... ) == 0x220
 01922  1740   NtUserValidateHandleSecure  (65824, ... ) == 0x1
 01923  1740   NtUserValidateHandleSecure  (65730, ... ) == 0x1
 01924  1740   NtUserQueryWindow  (65730, 0, ... ) == 0xa0
 01925  1740   NtUserQueryWindow  (65730, 1, ... ) == 0xe4
 01926  1740   NtUserValidateHandleSecure  (65730, ... ) == 0x1
 01927  1740   NtUserValidateHandleSecure  (65724, ... ) == 0x1
 01928  1740   NtUserQueryWindow  (65724, 0, ... ) == 0xa0
 01929  1740   NtUserQueryWindow  (65724, 1, ... ) == 0xe4
 01930  1740   NtUserValidateHandleSecure  (65724, ... ) == 0x1
 01931  1740   NtUserValidateHandleSecure  (131406, ... ) == 0x1
 01932  1740   NtUserQueryWindow  (131406, 0, ... ) == 0x4b4
 01933  1740   NtUserQueryWindow  (131406, 1, ... ) == 0x474
 01934  1740   NtUserValidateHandleSecure  (131406, ... ) == 0x1
 01935  1740   NtUserValidateHandleSecure  (65752, ... ) == 0x1
 01936  1740   NtUserQueryWindow  (65752, 0, ... ) == 0x6b8
 01937  1740   NtUserQueryWindow  (65752, 1, ... ) == 0x13c
 01938  1740   NtUserValidateHandleSecure  (65752, ... ) == 0x1
 01939  1740   NtUserValidateHandleSecure  (65718, ... ) == 0x1
 01940  1740   NtUserQueryWindow  (65718, 0, ... ) == 0x104
 01941  1740   NtUserQueryWindow  (65718, 1, ... ) == 0x108
 01942  1740   NtUserValidateHandleSecure  (65718, ... ) == 0x1
 01943  1740   NtUserValidateHandleSecure  (65720, ... ) == 0x1
 01944  1740   NtUserQueryWindow  (65720, 0, ... ) == 0x120
 01945  1740   NtUserQueryWindow  (65720, 1, ... ) == 0x124
 01946  1740   NtUserValidateHandleSecure  (65720, ... ) == 0x1
 01947  1740   NtUserValidateHandleSecure  (65716, ... ) == 0x1
 01948  1740   NtUserQueryWindow  (65716, 0, ... ) == 0xc4
 01949  1740   NtUserQueryWindow  (65716, 1, ... ) == 0xc8
 01950  1740   NtUserValidateHandleSecure  (65716, ... ) == 0x1
 01951  1740   NtUserValidateHandleSecure  (65728, ... ) == 0x1
 01952  1740   NtUserQueryWindow  (65728, 0, ... ) == 0x19c
 01953  1740   NtUserQueryWindow  (65728, 1, ... ) == 0x1a0
 01954  1740   NtUserValidateHandleSecure  (65728, ... ) == 0x1
 01955  1740   NtUserValidateHandleSecure  (65690, ... ) == 0x1
 01956  1740   NtUserQueryWindow  (65690, 0, ... ) == 0x6b8
 01957  1740   NtUserQueryWindow  (65690, 1, ... ) == 0x6bc
 01958  1740   NtUserValidateHandleSecure  (65690, ... ) == 0x1
 01959  1740   NtUserValidateHandleSecure  (327774, ... ) == 0x1
 01960  1740   NtUserQueryWindow  (327774, 0, ... ) == 0x6b8
 01961  1740   NtUserQueryWindow  (327774, 1, ... ) == 0x6bc
 01962  1740   NtUserValidateHandleSecure  (327774, ... ) == 0x1
 01963  1740   NtUserCloseDesktop  (60, ... ) == 0x1
 01964  1740   NtUserGetProcessWindowStation  (... ) == 0x1c
 01965  1740   NtUserOpenDesktop  ({24, 28, 0x40, 0, 0,  ({24, 28, 0x40, 0, 0, "Disconnect"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0
 01966  1740   NtUserGetProcessWindowStation  (... ) == 0x1c
 01967  1740   NtUserOpenDesktop  ({24, 28, 0x40, 0, 0,  ({24, 28, 0x40, 0, 0, "Winlogon"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0
 01968  1740   NtGdiDeleteObjectApp  (856294625, ... ) == 0x1
 01969  1740   NtGdiDeleteObjectApp  (1376388660, ... ) == 0x1
 01970  1740   NtClose  (56, ... ) == 0x0
 01971  1740   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x4,}, 4, ... ) == 0x0
 01972  1740   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize"}, ... 56, ) }, ... 56, ) == 0x0
 01973  1740   NtQueryValueKey  (56,  (56, "DisableMetaFiles", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01974  1740   NtClose  (56, ... ) == 0x0
 01975  1740   NtClose  (44, ... ) == 0x0
 01976  1740   NtFreeVirtualMemory  (-1, (0x3f0000), 4096, 32768, ... (0x3f0000), 4096, ) == 0x0
 01977  1740   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 01978  1740   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 01979  1740   NtQueryVirtualMemory  (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 01980  1740   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 1177968, 2011678370, 1178092, 1177980}  (24, {20, 48, new_msg, 0, 1177968, 2011678370, 1178092, 1177980} "\0\0\0\0\3\0\1\0\214\371\21\0\320\220\347w\216\0\0\300" ... {20, 48, reply, 0, 928, 1740, 58118, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\320\220\347w\216\0\0\300" )  ... {20, 48, reply, 0, 928, 1740, 58118, 0}  (24, {20, 48, new_msg, 0, 1177968, 2011678370, 1178092, 1177980} "\0\0\0\0\3\0\1\0\214\371\21\0\320\220\347w\216\0\0\300" ... {20, 48, reply, 0, 928, 1740, 58118, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\320\220\347w\216\0\0\300" )  ) == 0x0
 01981  1740   NtTerminateProcess  (-1, -1073741682, ...
NtAccessCheck(>)	1	NtUserGetThreadDesktop(>)	1	NtSetInformationFile(>)	5	NtQueryVirtualMemory(>)	15
NtCallbackReturn(>)	1	NtUserOpenWindowStation(>)	1	NtUserBuildHwndList(>)	5	NtDeviceIoControlFile(>)	16
NtCreateProcessEx(>)	1	NtUserSystemParametersInfo(>)	1	NtWaitForSingleObject(>)	5	NtRequestWaitReplyPort(>)	16
NtCreateSemaphore(>)	1	NtConnectPort(>)	2	NtWriteVirtualMemory(>)	5	NtOpenSection(>)	24
NtCreateThread(>)	1	NtCreateIoCompletion(>)	2	NtContinue(>)	6	NtQueryDirectoryFile(>)	24
NtDuplicateToken(>)	1	NtGdiCreateSolidBrush(>)	2	NtOpenProcessToken(>)	6	NtSetInformationProcess(>)	25
NtGdiCreateBitmap(>)	1	NtGdiHfontCreate(>)	2	NtQueryDefaultUILanguage(>)	6	NtOpenProcessTokenEx(>)	28
NtGdiCreatePatternBrushInternal(>)	1	NtQueryInformationJobObject(>)	2	NtUserGetProcessWindowStation(>)	6	NtOpenThreadTokenEx(>)	28
NtGdiInit(>)	1	NtReleaseMutant(>)	2	NtWaitForMultipleObjects(>)	6	NtCreateSection(>)	29
NtGdiQueryFontAssocInfo(>)	1	NtTerminateProcess(>)	2	NtFsControlFile(>)	7	NtQueryInformationToken(>)	37
NtGdiSelectBitmap(>)	1	NtUserCloseWindowStation(>)	2	NtOpenThreadToken(>)	7	NtOpenFile(>)	41
NtOpenEvent(>)	1	NtUserGetObjectInformation(>)	2	NtQueryInformationFile(>)	7	NtQueryInformationProcess(>)	44
NtOpenKeyedEvent(>)	1	NtGdiCreateCompatibleDC(>)	3	NtEnumerateKey(>)	8	NtQueryDefaultLocale(>)	48
NtOpenMutant(>)	1	NtGdiDeleteObjectApp(>)	3	NtSetValueKey(>)	8	NtUnmapViewOfSection(>)	48
NtQueryDebugFilterState(>)	1	NtOpenDirectoryObject(>)	3	NtUserCallNoParam(>)	9	NtAllocateVirtualMemory(>)	51
NtQueryInstallUILanguage(>)	1	NtOpenSymbolicLinkObject(>)	3	NtUserFindExistingCursorIcon(>)	9	NtQueryAttributesFile(>)	54
NtQueryObject(>)	1	NtQuerySymbolicLinkObject(>)	3	NtUserGetWindowDC(>)	10	NtFlushInstructionCache(>)	65
NtQueryPerformanceCounter(>)	1	NtReadVirtualMemory(>)	3	NtCreateKey(>)	11	NtMapViewOfSection(>)	69
NtQuerySystemTime(>)	1	NtSetEvent(>)	3	NtFreeVirtualMemory(>)	11	NtQuerySystemInformation(>)	76
NtRegisterThreadTerminatePort(>)	1	NtSetInformationObject(>)	3	NtUserCallOneParam(>)	11	NtQueryValueKey(>)	105
NtResumeThread(>)	1	NtUserOpenDesktop(>)	3	NtWriteFile(>)	11	NtUserValidateHandleSecure(>)	130
NtSecureConnectPort(>)	1	NtCreateMutant(>)	4	NtQuerySection(>)	12	NtOpenKey(>)	153
NtTestAlert(>)	1	NtDuplicateObject(>)	4	NtSetInformationThread(>)	13	NtProtectVirtualMemory(>)	156
NtUserBuildNameList(>)	1	NtQueryVolumeInformationFile(>)	4	NtCreateEvent(>)	14	NtUserQueryWindow(>)	158
NtUserCloseDesktop(>)	1	NtGdiGetStockObject(>)	5	NtCreateFile(>)	14	NtClose(>)	240
NtUserGetGUIThreadInfo(>)	1	NtReadFile(>)	5	NtUserRegisterClassExWOW(>)	14