Summary:





NtAddAtom(>)  1 
NtCreateThread(>)  2 
NtUserFindWindowEx(>)  4 
NtQueryDirectoryFile(>)  19 


NtCallbackReturn(>)  1 
NtEnumerateKey(>)  2 
NtWaitForSingleObject(>)  4 
NtUserRegisterWindowMessage(>)  19 


NtDuplicateToken(>)  1 
NtGdiCreateSolidBrush(>)  2 
NtGdiGetStockObject(>)  5 
NtQueryInformationProcess(>)  20 


NtEnumerateValueKey(>)  1 
NtOpenDirectoryObject(>)  2 
NtOpenProcessToken(>)  6 
NtOpenProcessTokenEx(>)  26 


NtFsControlFile(>)  1 
NtOpenEvent(>)  2 
NtReadFile(>)  6 
NtOpenThreadTokenEx(>)  26 


NtGdiCreateBitmap(>)  1 
NtQueryInformationJobObject(>)  2 
NtSetInformationThread(>)  6 
NtQuerySystemInformation(>)  27 


NtGdiInit(>)  1 
NtQueryInstallUILanguage(>)  2 
NtWriteFile(>)  6 
NtOpenSection(>)  30 


NtGdiQueryFontAssocInfo(>)  1 
NtRaiseException(>)  2 
NtFreeVirtualMemory(>)  7 
NtReadVirtualMemory(>)  30 


NtGdiSelectBitmap(>)  1 
NtResumeThread(>)  2 
NtOpenProcess(>)  7 
NtQueryAttributesFile(>)  33 


NtNotifyChangeKey(>)  1 
NtTerminateProcess(>)  2 
NtContinue(>)  8 
NtQueryInformationToken(>)  34 


NtOpenKeyedEvent(>)  1 
NtUserWaitForInputIdle(>)  2 
NtQueryDefaultUILanguage(>)  8 
NtMapViewOfSection(>)  40 


NtQueryObject(>)  1 
NtCreateSemaphore(>)  3 
NtQueryVolumeInformationFile(>)  8 
NtQueryValueKey(>)  41 


NtQueryPerformanceCounter(>)  1 
NtDuplicateObject(>)  3 
NtQuerySection(>)  9 
NtOpenFile(>)  44 


NtRegisterThreadTerminatePort(>)  1 
NtGdiCreateCompatibleDC(>)  3 
NtRequestWaitReplyPort(>)  10 
NtProtectVirtualMemory(>)  45 


NtSecureConnectPort(>)  1 
NtOpenMutant(>)  3 
NtUserSystemParametersInfo(>)  10 
NtUserUnregisterClass(>)  45 


NtSetSecurityObject(>)  1 
NtOpenSymbolicLinkObject(>)  3 
NtFlushInstructionCache(>)  11 
NtUserFindExistingCursorIcon(>)  48 


NtTestAlert(>)  1 
NtOpenThreadToken(>)  3 
NtSetInformationProcess(>)  11 
NtAllocateVirtualMemory(>)  57 


NtUserCallNoParam(>)  1 
NtQuerySymbolicLinkObject(>)  3 
NtWriteVirtualMemory(>)  11 
NtUserRegisterClassExWOW(>)  63 


NtUserCallOneParam(>)  1 
NtSetInformationFile(>)  3 
NtCreateFile(>)  12 
NtUserGetClassInfo(>)  82 


NtUserGetDC(>)  1 
NtSetInformationObject(>)  3 
NtQueryDefaultLocale(>)  15 
NtOpenKey(>)  107 


NtUserGetThreadDesktop(>)  1 
NtCreateEvent(>)  4 
NtUnmapViewOfSection(>)  15 
NtUserQueryWindow(>)  132 


NtAccessCheck(>)  2 
NtQueryVirtualMemory(>)  4 
NtQueryDebugFilterState(>)  16 
NtClose(>)  179 


NtCreateKey(>)  2 
NtReleaseMutant(>)  4 
NtQueryInformationFile(>)  17 


NtCreateProcessEx(>)  2 
NtUserBuildHwndList(>)  4 



Trace:

 00001   416   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002   416   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00003   416   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00004   416   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1376256, 1048576, ) == 0x0
 00005   416   NtAllocateVirtualMemory  (-1, 1376256, 0, 4096, 4096, 4, ... 1376256, 4096, ) == 0x0
 00006   416   NtAllocateVirtualMemory  (-1, 1380352, 0, 8192, 4096, 4, ... 1380352, 8192, ) == 0x0
 00007   416   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00008   416   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2424832, 65536, ) == 0x0
 00009   416   NtAllocateVirtualMemory  (-1, 2424832, 0, 24576, 4096, 4, ... 2424832, 24576, ) == 0x0
 00010   416   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00011   416   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00012   416   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00013   416   NtClose  (12, ... ) == 0x0
 00014   416   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00015   416   NtQueryVolumeInformationFile  (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00016   416   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER
 00017   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018   416   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019   416   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0
 00020   416   NtClose  (16, ... ) == 0x0
 00021   416   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00022   416   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00023   416   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00024   416   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1385272, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2490368, 18415616}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1385272, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2490368, 18415616}, {0, 0, 0}, 200, 44, ) == 0x0
 00025   416   NtClose  (16, ... ) == 0x0
 00026   416   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00027   416   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00028   416   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00029   416   NtQueryVirtualMemory  (-1, 0x260000, Basic, 28, ... {BaseAddress=0x260000,AllocationBase=0x260000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00030   416   NtAllocateVirtualMemory  (-1, 2490368, 0, 4096, 4096, 4, ... 2490368, 4096, ) == 0x0
 00031   416   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 408, 416, 1478, 0} "\30g\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ... {28, 56, reply, 0, 408, 416, 1478, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 408, 416, 1478, 0} "\30g\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ) == 0x0
 00032   416   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00033   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00034   416   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00035   416   NtClose  (16, ... ) == 0x0
 00036   416   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00037   416   NtOpenMutant  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0
 00038   416   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 28, ) == 0x0
 00039   416   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x270000), 0x0, 90112, ) == 0x0
 00040   416   NtClose  (28, ... ) == 0x0
 00041   416   NtQueryDefaultLocale  (0, 2012046252, ... ) == 0x0
 00042   416   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0
 00043   416   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x290000), 0x0, 212992, ) == 0x0
 00044   416   NtClose  (28, ... ) == 0x0
 00045   416   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0
 00046   416   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2d0000), 0x0, 266240, ) == 0x0
 00047   416   NtQuerySection  (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00048   416   NtClose  (28, ... ) == 0x0
 00049   416   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0
 00050   416   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x320000), 0x0, 24576, ) == 0x0
 00051   416   NtClose  (28, ... ) == 0x0
 00052   416   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00053   416   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00054   416   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00055   416   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 408, 416, 1483, 0} "(\261\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ... {28, 56, reply, 0, 408, 416, 1483, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 408, 416, 1483, 0} "(\261\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ) == 0x0
 00056   416   NtProtectVirtualMemory  (-1, (0x45d000), 204800, 4, ... (0x45d000), 204800, 128, ) == 0x0
 00057   416   NtProtectVirtualMemory  (-1, (0x45d000), 204800, 128, ... (0x45d000), 204800, 4, ) == 0x0
 00058   416   NtFlushInstructionCache  (-1, 4575232, 204800, ... ) == 0x0
 00059   416   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "user32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00060   416   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0
 00061   416   NtClose  (28, ... ) == 0x0
 00062   416   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00063   416   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0
 00064   416   NtClose  (28, ... ) == 0x0
 00065   416   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00066   416   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0
 00067   416   NtClose  (28, ... ) == 0x0
 00068   416   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00069   416   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0
 00070   416   NtClose  (28, ... ) == 0x0
 00071   416   NtProtectVirtualMemory  (-1, (0x45d000), 204800, 4, ... (0x45d000), 204800, 64, ) == 0x0
 00072   416   NtProtectVirtualMemory  (-1, (0x45d000), 204800, 64, ... (0x45d000), 204800, 4, ) == 0x0
 00073   416   NtFlushInstructionCache  (-1, 4575232, 204800, ... ) == 0x0
 00074   416   NtOpenProcessToken  (-1, 0x8, ... 28, ) == 0x0
 00075   416   NtQueryInformationToken  (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00076   416   NtClose  (28, ... ) == 0x0
 00077   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00078   416   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00079   416   NtClose  (28, ... ) == 0x0
 00080   416   NtAllocateVirtualMemory  (-1, 1388544, 0, 4096, 4096, 4, ... 1388544, 4096, ) == 0x0
 00081   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00082   416   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00083   416   NtQueryValueKey  (28,  (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00084   416   NtClose  (28, ... ) == 0x0
 00085   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0
 00086   416   NtQueryValueKey  (28,  (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00087   416   NtClose  (28, ... ) == 0x0
 00088   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0
 00089   416   NtSetInformationObject  (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0
 00090   416   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00091   416   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00092   416   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0}  (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0} "\210\6\31\1\0\0\0\0\314\4\23\0!\215\30\34\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 408, 416, 1485, 0} "XQ\26\0\0\0\0\0\0\0\0\0!\215\30\34\3\0\0\0\234\6\31\1$\1\0\0" )  ... {28, 56, reply, 0, 408, 416, 1485, 0}  (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0} "\210\6\31\1\0\0\0\0\314\4\23\0!\215\30\34\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 408, 416, 1485, 0} "XQ\26\0\0\0\0\0\0\0\0\0!\215\30\34\3\0\0\0\234\6\31\1$\1\0\0" )  ) == 0x0
 00093   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00094   416   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x4a0000), 0x0, 1060864, ) == 0x0
 00095   416   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 36, ) == 0x0
 00096   416   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00097   416   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482208, ) == 0x0
 00098   416   NtQueryInformationToken  (-2147482208, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00099   416   NtQueryInformationToken  (-2147482208, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00100   416   NtClose  (-2147482208, ... ) == 0x0
 00101   416   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 5963776, 4096, ) == 0x0
 00102   416   NtFreeVirtualMemory  (-1, (0x5b0000), 4096, 32768, ... (0x5b0000), 4096, ) == 0x0
 00103   416   NtDuplicateObject  (-1, 40, -1, 0x0, 0, 2, ... 48, ) == 0x0
 00104   416   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 00105   416   NtQueryValueKey  (-2147482208,  (-2147482208, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00106   416   NtClose  (-2147482208, ... ) == 0x0
 00107   416   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 00108   416   NtQueryValueKey  (-2147482208,  (-2147482208, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00109   416   NtClose  (-2147482208, ... ) == 0x0
 00110   416   NtQueryDefaultLocale  (0, -135984628, ... ) == 0x0
 00111   416   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00112   416   NtUserCallNoParam  (24, ... ) == 0x0
 00113   416   NtGdiCreateCompatibleDC  (0, ...
 00114   416   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 5963776, 4096, ) == 0x0
 00113   416   NtGdiCreateCompatibleDC  ... ) == 0x100103c9
 00115   416   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00116   416   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00117   416   NtGdiCreateBitmap  (8, 8, 1, 1, 2010393708, ... ) == 0x13050402
 00118   416   NtGdiCreateSolidBrush  (0, 0, ...
 00119   416   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 9175040, 4096, ) == 0x0
 00118   416   NtGdiCreateSolidBrush  ... ) == 0xe100408
 00120   416   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00121   416   NtGdiCreateCompatibleDC  (0, ... ) == 0x39010416
 00122   416   NtGdiSelectBitmap  (956367894, 319095810, ... ) == 0x185000f
 00123   416   NtUserGetThreadDesktop  (416, 0, ... ) == 0x2c
 00124   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 52, ) }, ... 52, ) == 0x0
 00125   416   NtQueryValueKey  (52,  (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00126   416   NtClose  (52, ... ) == 0x0
 00127   416   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00128   416   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 673, 128, 0, ... ) == 0x810dc017
 00129   416   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00130   416   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 674, 128, 0, ... ) == 0x810dc01c
 00131   416   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00132   416   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 675, 128, 0, ... ) == 0x810dc01e
 00133   416   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00134   416   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 676, 128, 0, ... ) == 0x810d8002
 00135   416   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10013
 00136   416   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 677, 128, 0, ... ) == 0x810dc018
 00137   416   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00138   416   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 678, 128, 0, ... ) == 0x810dc01a
 00139   416   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00140   416   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 679, 128, 0, ... ) == 0x810dc01d
 00141   416   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00142   416   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 681, 128, 0, ...
 00143   416   NtAllocateVirtualMemory  (-1, 6123520, 0, 4096, 4096, 32, ... 6123520, 4096, ) == 0x0
 00142   416   NtUserRegisterClassExWOW  ... ) == 0x810dc026
 00144   416   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00145   416   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 680, 128, 0, ... ) == 0x810dc019
 00146   416   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc020
 00147   416   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810dc022
 00148   416   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc023
 00149   416   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810dc024
 00150   416   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc025
 00151   416   NtCallbackReturn  (0, 0, 0, ...
 00152   416   NtGdiInit  (... ) == 0x1
 00153   416   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00154   416   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00155   416   NtAllocateVirtualMemory  (-1, 0, 0, 17506, 4096, 4, ... 9240576, 20480, ) == 0x0
 00156   416   NtFreeVirtualMemory  (-1, (0x8d0000), 0, 32768, ... (0x8d0000), 20480, ) == 0x0
 00157   416   NtQueryVirtualMemory  (-1, 0x401000, Basic, 52, ... {BaseAddress=0x401000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0x23000,State=0x1000,Protect=0x80,Type=0x1000000,}, 28, ) == 0x0
 00158   416   NtQueryVirtualMemory  (-1, 0x45754c, Basic, 28, ... {BaseAddress=0x457000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0x6000,State=0x1000,Protect=0x4,Type=0x1000000,}, 28, ) == 0x0
 00159   416   NtAllocateVirtualMemory  (-1, 1392640, 0, 4096, 4096, 4, ... 1392640, 4096, ) == 0x0
 00160   416   NtProtectVirtualMemory  (-1, (0x4001f0), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00161   416   NtProtectVirtualMemory  (-1, (0x4001f0), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00162   416   NtProtectVirtualMemory  (-1, (0x400218), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00163   416   NtProtectVirtualMemory  (-1, (0x400218), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00164   416   NtProtectVirtualMemory  (-1, (0x400240), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00165   416   NtProtectVirtualMemory  (-1, (0x400240), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00166   416   NtProtectVirtualMemory  (-1, (0x400268), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00167   416   NtProtectVirtualMemory  (-1, (0x400268), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00168   416   NtProtectVirtualMemory  (-1, (0x400290), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00169   416   NtProtectVirtualMemory  (-1, (0x400290), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00170   416   NtProtectVirtualMemory  (-1, (0x4002b8), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00171   416   NtProtectVirtualMemory  (-1, (0x4002b8), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00172   416   NtProtectVirtualMemory  (-1, (0x4002e0), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00173   416   NtProtectVirtualMemory  (-1, (0x4002e0), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00174   416   NtProtectVirtualMemory  (-1, (0x400308), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00175   416   NtProtectVirtualMemory  (-1, (0x400308), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00176   416   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00177   416   NtUserFindWindowEx  (0, 0,  (0, 0, "WispWindowClass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00178   416   NtUserBuildHwndList  (0, 0, 0, 0, 64, ... (0x100aa, 0x100a8, 0x100a6, 0x20060, 0x100a0, 0x10080, 0x10074, 0x10068, 0x3004a, 0x10066, 0x3004c, 0x3003c, 0x10098, 0x1008c, 0x1007c, 0x10026, 0x100be, 0x100bc, 0x100ba, 0x100b8, 0x100b6, 0x100b4, 0x2005c, 0x100b2, 0x100b0, 0x100ae, 0x20062, 0x1006c, 0x50050, 0x40054, 0x5004e, 0x1007e, 0x10076, 0x1, ), 34, ) == 0x0
 00179   416   NtUserQueryWindow  (65706, 0, ... ) == 0x7e0
 00180   416   NtUserQueryWindow  (65706, 1, ... ) == 0x7e4
 00181   416   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {2016, 0}, ... 52, ) == 0x0
 00182   416   NtReadVirtualMemory  (52, 0x400000, 64, ...  (52, 0x400000, 64, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \1\0\0", 64, ) , 64, ) == 0x0
 00183   416   NtReadVirtualMemory  (52, 0x4b1c86, 4, ...  (52, 0x4b1c86, 4, ... "\0\0\0\0", 4, ) , 4, ) == 0x0
 00184   416   NtReadVirtualMemory  (52, 0x4c91a0, 256, ...  (52, 0x4c91a0, 256, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, ) , 256, ) == 0x0
 00185   416   NtClose  (52, ... ) == 0x0
 00186   416   NtUserQueryWindow  (65704, 0, ... ) == 0x7e0
 00187   416   NtUserQueryWindow  (65704, 1, ... ) == 0x7e4
 00188   416   NtUserQueryWindow  (65702, 0, ... ) == 0x7e0
 00189   416   NtUserQueryWindow  (65702, 1, ... ) == 0x7e4
 00190   416   NtUserQueryWindow  (131168, 0, ... ) == 0x7e0
 00191   416   NtUserQueryWindow  (131168, 1, ... ) == 0x7e4
 00192   416   NtUserQueryWindow  (65696, 0, ... ) == 0x774
 00193   416   NtUserQueryWindow  (65696, 1, ... ) == 0x784
 00194   416   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {1908, 0}, ... 52, ) == 0x0
 00195   416   NtReadVirtualMemory  (52, 0x400000, 64, ...  (52, 0x400000, 64, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 64, ) , 64, ) == 0x0
 00196   416   NtReadVirtualMemory  (52, 0x4b1c86, 4, ...
 00197   416   NtContinue  (-135988068, 0, ...
 00196   416   NtReadVirtualMemory  ... ) == STATUS_PARTIAL_COPY
 00198   416   NtReadVirtualMemory  (52, 0x4c91a0, 256, ...
 00199   416   NtContinue  (-135988068, 0, ...
 00198   416   NtReadVirtualMemory  ... ) == STATUS_PARTIAL_COPY
 00200   416   NtClose  (52, ... ) == 0x0
 00201   416   NtUserQueryWindow  (65664, 0, ... ) == 0x774
 00202   416   NtUserQueryWindow  (65664, 1, ... ) == 0x784
 00203   416   NtUserQueryWindow  (65652, 0, ... ) == 0x774
 00204   416   NtUserQueryWindow  (65652, 1, ... ) == 0x784
 00205   416   NtUserQueryWindow  (65640, 0, ... ) == 0x774
 00206   416   NtUserQueryWindow  (65640, 1, ... ) == 0x784
 00207   416   NtUserQueryWindow  (196682, 0, ... ) == 0x774
 00208   416   NtUserQueryWindow  (196682, 1, ... ) == 0x784
 00209   416   NtUserQueryWindow  (65638, 0, ... ) == 0x774
 00210   416   NtUserQueryWindow  (65638, 1, ... ) == 0x784
 00211   416   NtUserQueryWindow  (196684, 0, ... ) == 0x774
 00212   416   NtUserQueryWindow  (196684, 1, ... ) == 0x784
 00213   416   NtUserQueryWindow  (196668, 0, ... ) == 0x774
 00214   416   NtUserQueryWindow  (196668, 1, ... ) == 0x784
 00215   416   NtUserQueryWindow  (65688, 0, ... ) == 0x774
 00216   416   NtUserQueryWindow  (65688, 1, ... ) == 0x784
 00217   416   NtUserQueryWindow  (65676, 0, ... ) == 0x774
 00218   416   NtUserQueryWindow  (65676, 1, ... ) == 0x784
 00219   416   NtUserQueryWindow  (65660, 0, ... ) == 0x774
 00220   416   NtUserQueryWindow  (65660, 1, ... ) == 0x778
 00221   416   NtUserQueryWindow  (65574, 0, ... ) == 0x268
 00222   416   NtUserQueryWindow  (65574, 1, ... ) == 0x2c4
 00223   416   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {616, 0}, ... 52, ) == 0x0
 00224   416   NtReadVirtualMemory  (52, 0x400000, 64, ...  (52, 0x400000, 64, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 64, ) , 64, ) == 0x0
 00225   416   NtReadVirtualMemory  (52, 0x4b1c86, 4, ...  (52, 0x4b1c86, 4, ... "\0\0\0\0", 4, ) , 4, ) == 0x0
 00226   416   NtReadVirtualMemory  (52, 0x4c91a0, 256, ...  (52, 0x4c91a0, 256, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, ) , 256, ) == 0x0
 00227   416   NtClose  (52, ... ) == 0x0
 00228   416   NtUserQueryWindow  (65726, 0, ... ) == 0x7e8
 00229   416   NtUserQueryWindow  (65726, 1, ... ) == 0x7ec
 00230   416   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {2024, 0}, ... 52, ) == 0x0
 00231   416   NtReadVirtualMemory  (52, 0x400000, 64, ...  (52, 0x400000, 64, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\0", 64, ) , 64, ) == 0x0
 00232   416   NtReadVirtualMemory  (52, 0x4b1c86, 4, ...  (52, 0x4b1c86, 4, ... "\377\0\377\377", 4, ) , 4, ) == 0x0
 00233   416   NtReadVirtualMemory  (52, 0x4c91a0, 256, ...  (52, 0x4c91a0, 256, ... "\210fvx\210x\206wfvGe$\306d\21\26\210ls\210\210\250g\207\210hhx\207xhvwdfF|d\21\27\210\206hx\250\252\206\210\207v\207\210x\207\207gfv4F\306G\21\21\210\206\207\210\212\250\250h\210\207x\210\210wvwgFD$d!\21\21x\250g\210\212\252\250\206\210\207w\210\207\207wvvgBGd\21\21\21\210\212\203\210\250\252\212\210x\210w\210\210xwgcd%F\1\21\21\21\27\212\250\210\212\252\252\210f\210\207x\210\207w7fR@`\21\21\21\21\21\210\2508\212\252\250\250\210gw\21088vvu$$!\21\21\21\21\21\30\210\210\210\212\252\210\206vgw\210\203wsb`\7\21\21\21\21\21\21\21\210\203\210\210\210\210\207vvwwwsf4\7\21\21\21\21\21\21\21\21\30\210\210\210\210\210wGwvwww5\2\21\21\21\21\21\21", 256, ) , 256, ) == 0x0
 00234   416   NtClose  (52, ... ) == 0x0
 00235   416   NtUserQueryWindow  (65724, 0, ... ) == 0x7e8
 00236   416   NtUserQueryWindow  (65724, 1, ... ) == 0x7ec
 00237   416   NtUserQueryWindow  (65722, 0, ... ) == 0x7e8
 00238   416   NtUserQueryWindow  (65722, 1, ... ) == 0x7ec
 00239   416   NtUserQueryWindow  (65720, 0, ... ) == 0x7e8
 00240   416   NtUserQueryWindow  (65720, 1, ... ) == 0x7ec
 00241   416   NtUserQueryWindow  (65718, 0, ... ) == 0x7e8
 00242   416   NtUserQueryWindow  (65718, 1, ... ) == 0x7ec
 00243   416   NtUserQueryWindow  (65716, 0, ... ) == 0x7e8
 00244   416   NtUserQueryWindow  (65716, 1, ... ) == 0x7ec
 00245   416   NtUserQueryWindow  (131164, 0, ... ) == 0x7f4
 00246   416   NtUserQueryWindow  (131164, 1, ... ) == 0x7f8
 00247   416   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {2036, 0}, ... 52, ) == 0x0
 00248   416   NtReadVirtualMemory  (52, 0x400000, 64, ...  (52, 0x400000, 64, ... "\301\0\0\0\0\1\0\0\377\356\377\356\11\0\0\0\11\0\0\0\0\376\0\0\0\0\20\0\0 \0\0\0\2\0\0\0 \0\0q\0\0\0\377\357\375\177\0\0\10\6\0\0\0\0\0\0\0\0\0\0\0\0", 64, ) , 64, ) == 0x0
 00249   416   NtReadVirtualMemory  (52, 0x4b1c86, 4, ...  (52, 0x4b1c86, 4, ... "\0\0\0\0", 4, ) , 4, ) == 0x0
 00250   416   NtReadVirtualMemory  (52, 0x4c91a0, 256, ...  (52, 0x4c91a0, 256, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, ) , 256, ) == 0x0
 00251   416   NtClose  (52, ... ) == 0x0
 00252   416   NtUserQueryWindow  (65714, 0, ... ) == 0x7e0
 00253   416   NtUserQueryWindow  (65714, 1, ... ) == 0x7e4
 00254   416   NtUserQueryWindow  (65712, 0, ... ) == 0x7e8
 00255   416   NtUserQueryWindow  (65712, 1, ... ) == 0x7ec
 00256   416   NtUserQueryWindow  (65710, 0, ... ) == 0x7e8
 00257   416   NtUserQueryWindow  (65710, 1, ... ) == 0x7ec
 00258   416   NtUserQueryWindow  (131170, 0, ... ) == 0x7d8
 00259   416   NtUserQueryWindow  (131170, 1, ... ) == 0x7dc
 00260   416   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {2008, 0}, ... 52, ) == 0x0
 00261   416   NtReadVirtualMemory  (52, 0x400000, 64, ...  (52, 0x400000, 64, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0", 64, ) , 64, ) == 0x0
 00262   416   NtReadVirtualMemory  (52, 0x4b1c86, 4, ...
 00263   416   NtContinue  (-135988068, 0, ...
 00262   416   NtReadVirtualMemory  ... ) == STATUS_PARTIAL_COPY
 00264   416   NtReadVirtualMemory  (52, 0x4c91a0, 256, ...
 00265   416   NtContinue  (-135988068, 0, ...
 00264   416   NtReadVirtualMemory  ... ) == STATUS_PARTIAL_COPY
 00266   416   NtClose  (52, ... ) == 0x0
 00267   416   NtUserQueryWindow  (65644, 0, ... ) == 0x774
 00268   416   NtUserQueryWindow  (65644, 1, ... ) == 0x7a0
 00269   416   NtUserQueryWindow  (327760, 0, ... ) == 0x774
 00270   416   NtUserQueryWindow  (327760, 1, ... ) == 0x778
 00271   416   NtUserQueryWindow  (262228, 0, ... ) == 0x774
 00272   416   NtUserQueryWindow  (262228, 1, ... ) == 0x778
 00273   416   NtUserQueryWindow  (327758, 0, ... ) == 0x774
 00274   416   NtUserQueryWindow  (327758, 1, ... ) == 0x778
 00275   416   NtUserQueryWindow  (65662, 0, ... ) == 0x774
 00276   416   NtUserQueryWindow  (65662, 1, ... ) == 0x778
 00277   416   NtUserQueryWindow  (65654, 0, ... ) == 0x774
 00278   416   NtUserQueryWindow  (65654, 1, ... ) == 0x778
 00279   416   NtRaiseException  (1242696, 1241956, 1, ...
 00280   416   NtContinue  (1240752, 0, ...
 00281   416   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 52, ) }, ... 52, ) == 0x0
 00282   416   NtOpenMutant  (0x120001, {24, 52, 0x2, 0, 0,  (0x120001, {24, 52, 0x2, 0, 0, "DBWinMutex"}, ... 56, ) }, ... 56, ) == 0x0
 00283   416   NtWaitForSingleObject  (56, 0, 0x0, ... ) == 0x0
 00284   416   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00285   416   NtReleaseMutant  (56, ... 0x0, ) == 0x0
 00286   416   NtDuplicateObject  (-1, 3101, -1, 0x0, 0, 2, ... ) == STATUS_INVALID_HANDLE
 00287   416   NtClose  (0, ... ) == STATUS_INVALID_HANDLE
 00288   416   NtClose  (0, ... ) == STATUS_INVALID_HANDLE
 00289   416   NtUserBuildHwndList  (0, 0, 0, 0, 64, ... (0x100aa, 0x100a8, 0x100a6, 0x20060, 0x100a0, 0x10080, 0x10074, 0x10068, 0x3004a, 0x10066, 0x3004c, 0x3003c, 0x10098, 0x1008c, 0x1007c, 0x10026, 0x100be, 0x100bc, 0x100ba, 0x100b8, 0x100b6, 0x100b4, 0x2005c, 0x100b2, 0x100b0, 0x100ae, 0x20062, 0x1006c, 0x50050, 0x40054, 0x5004e, 0x1007e, 0x10076, 0x1, ), 34, ) == 0x0
 00290   416   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00291   416   NtUserFindWindowEx  (0, 0,  (0, 0, "WispWindowClass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00292   416   NtUserBuildHwndList  (0, 0, 0, 0, 64, ... (0x100aa, 0x100a8, 0x100a6, 0x20060, 0x100a0, 0x10080, 0x10074, 0x10068, 0x3004a, 0x10066, 0x3004c, 0x3003c, 0x10098, 0x1008c, 0x1007c, 0x10026, 0x100be, 0x100bc, 0x100ba, 0x100b8, 0x100b6, 0x100b4, 0x2005c, 0x100b2, 0x100b0, 0x100ae, 0x20062, 0x1006c, 0x50050, 0x40054, 0x5004e, 0x1007e, 0x10076, 0x1, ), 34, ) == 0x0
 00293   416   NtUserQueryWindow  (65706, 0, ... ) == 0x7e0
 00294   416   NtUserQueryWindow  (65706, 1, ... ) == 0x7e4
 00295   416   NtUserQueryWindow  (65704, 0, ... ) == 0x7e0
 00296   416   NtUserQueryWindow  (65704, 1, ... ) == 0x7e4
 00297   416   NtUserQueryWindow  (65702, 0, ... ) == 0x7e0
 00298   416   NtUserQueryWindow  (65702, 1, ... ) == 0x7e4
 00299   416   NtUserQueryWindow  (131168, 0, ... ) == 0x7e0
 00300   416   NtUserQueryWindow  (131168, 1, ... ) == 0x7e4
 00301   416   NtUserQueryWindow  (65696, 0, ... ) == 0x774
 00302   416   NtUserQueryWindow  (65696, 1, ... ) == 0x784
 00303   416   NtUserQueryWindow  (65664, 0, ... ) == 0x774
 00304   416   NtUserQueryWindow  (65664, 1, ... ) == 0x784
 00305   416   NtUserQueryWindow  (65652, 0, ... ) == 0x774
 00306   416   NtUserQueryWindow  (65652, 1, ... ) == 0x784
 00307   416   NtUserQueryWindow  (65640, 0, ... ) == 0x774
 00308   416   NtUserQueryWindow  (65640, 1, ... ) == 0x784
 00309   416   NtUserQueryWindow  (196682, 0, ... ) == 0x774
 00310   416   NtUserQueryWindow  (196682, 1, ... ) == 0x784
 00311   416   NtUserQueryWindow  (65638, 0, ... ) == 0x774
 00312   416   NtUserQueryWindow  (65638, 1, ... ) == 0x784
 00313   416   NtUserQueryWindow  (196684, 0, ... ) == 0x774
 00314   416   NtUserQueryWindow  (196684, 1, ... ) == 0x784
 00315   416   NtUserQueryWindow  (196668, 0, ... ) == 0x774
 00316   416   NtUserQueryWindow  (196668, 1, ... ) == 0x784
 00317   416   NtUserQueryWindow  (65688, 0, ... ) == 0x774
 00318   416   NtUserQueryWindow  (65688, 1, ... ) == 0x784
 00319   416   NtUserQueryWindow  (65676, 0, ... ) == 0x774
 00320   416   NtUserQueryWindow  (65676, 1, ... ) == 0x784
 00321   416   NtUserQueryWindow  (65660, 0, ... ) == 0x774
 00322   416   NtUserQueryWindow  (65660, 1, ... ) == 0x778
 00323   416   NtUserQueryWindow  (65574, 0, ... ) == 0x268
 00324   416   NtUserQueryWindow  (65574, 1, ... ) == 0x2c4
 00325   416   NtUserQueryWindow  (65726, 0, ... ) == 0x7e8
 00326   416   NtUserQueryWindow  (65726, 1, ... ) == 0x7ec
 00327   416   NtUserQueryWindow  (65724, 0, ... ) == 0x7e8
 00328   416   NtUserQueryWindow  (65724, 1, ... ) == 0x7ec
 00329   416   NtUserQueryWindow  (65722, 0, ... ) == 0x7e8
 00330   416   NtUserQueryWindow  (65722, 1, ... ) == 0x7ec
 00331   416   NtUserQueryWindow  (65720, 0, ... ) == 0x7e8
 00332   416   NtUserQueryWindow  (65720, 1, ... ) == 0x7ec
 00333   416   NtUserQueryWindow  (65718, 0, ... ) == 0x7e8
 00334   416   NtUserQueryWindow  (65718, 1, ... ) == 0x7ec
 00335   416   NtUserQueryWindow  (65716, 0, ... ) == 0x7e8
 00336   416   NtUserQueryWindow  (65716, 1, ... ) == 0x7ec
 00337   416   NtUserQueryWindow  (131164, 0, ... ) == 0x7f4
 00338   416   NtUserQueryWindow  (131164, 1, ... ) == 0x7f8
 00339   416   NtUserQueryWindow  (65714, 0, ... ) == 0x7e0
 00340   416   NtUserQueryWindow  (65714, 1, ... ) == 0x7e4
 00341   416   NtUserQueryWindow  (65712, 0, ... ) == 0x7e8
 00342   416   NtUserQueryWindow  (65712, 1, ... ) == 0x7ec
 00343   416   NtUserQueryWindow  (65710, 0, ... ) == 0x7e8
 00344   416   NtUserQueryWindow  (65710, 1, ... ) == 0x7ec
 00345   416   NtUserQueryWindow  (131170, 0, ... ) == 0x7d8
 00346   416   NtUserQueryWindow  (131170, 1, ... ) == 0x7dc
 00347   416   NtUserQueryWindow  (65644, 0, ... ) == 0x774
 00348   416   NtUserQueryWindow  (65644, 1, ... ) == 0x7a0
 00349   416   NtUserQueryWindow  (327760, 0, ... ) == 0x774
 00350   416   NtUserQueryWindow  (327760, 1, ... ) == 0x778
 00351   416   NtUserQueryWindow  (262228, 0, ... ) == 0x774
 00352   416   NtUserQueryWindow  (262228, 1, ... ) == 0x778
 00353   416   NtUserQueryWindow  (327758, 0, ... ) == 0x774
 00354   416   NtUserQueryWindow  (327758, 1, ... ) == 0x778
 00355   416   NtUserQueryWindow  (65662, 0, ... ) == 0x774
 00356   416   NtUserQueryWindow  (65662, 1, ... ) == 0x778
 00357   416   NtUserQueryWindow  (65654, 0, ... ) == 0x774
 00358   416   NtUserQueryWindow  (65654, 1, ... ) == 0x778
 00359   416   NtRaiseException  (1242640, 1241900, 1, ...
 00360   416   NtContinue  (1240696, 0, ...
 00361   416   NtWaitForSingleObject  (56, 0, 0x0, ... ) == 0x0
 00362   416   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00363   416   NtReleaseMutant  (56, ... 0x0, ) == 0x0
 00364   416   NtDuplicateObject  (-1, 3380, -1, 0x0, 0, 2, ... ) == STATUS_INVALID_HANDLE
 00365   416   NtClose  (0, ... ) == STATUS_INVALID_HANDLE
 00366   416   NtClose  (0, ... ) == STATUS_INVALID_HANDLE
 00367   416   NtUserBuildHwndList  (0, 0, 0, 0, 64, ... (0x100aa, 0x100a8, 0x100a6, 0x20060, 0x100a0, 0x10080, 0x10074, 0x10068, 0x3004a, 0x10066, 0x3004c, 0x3003c, 0x10098, 0x1008c, 0x1007c, 0x10026, 0x100be, 0x100bc, 0x100ba, 0x100b8, 0x100b6, 0x100b4, 0x2005c, 0x100b2, 0x100b0, 0x100ae, 0x20062, 0x1006c, 0x50050, 0x40054, 0x5004e, 0x1007e, 0x10076, 0x1, ), 34, ) == 0x0
 00368   416   NtSetSecurityObject  (-1, 4, {1, 0, 0x4, 0, 0, 0, 1242476}, ... ) == 0x0
 00369   416   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 60, ) }, ... 60, ) == 0x0
 00370   416   NtQueryValueKey  (60,  (60, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00371   416   NtClose  (60, ... ) == 0x0
 00372   416   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MPR.dll"}, ... 60, ) }, ... 60, ) == 0x0
 00373   416   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71b20000), 0x0, 69632, ) == 0x0
 00374   416   NtClose  (60, ... ) == 0x0
 00375   416   NtCreateSemaphore  (0x1f0003, 0x0, 1, 1, ... 60, ) == 0x0
 00376   416   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 64, ) == 0x0
 00377   416   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "system\CurrentControlSet\control\NetworkProvider\HwOrder"}, ... 68, ) }, ... 68, ) == 0x0
 00378   416   NtNotifyChangeKey  (68, 64, 0, 0, 2011390432, 4, 0, 0, 0, 1, ... ) == 0x103
 00379   416   NtQueryInformationProcess  (-1, 28, 4, ... {process info, class 28, size 4}, 0x0, ) == 0x0
 00380   416   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 72, ) == 0x0
 00381   416   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 76, ) == 0x0
 00382   416   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ODBC32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00383   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\ODBC32.dll"}, 1241484, ... ) }, 1241484, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00384   416   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "ODBC32.dll"}, 1241484, ... ) }, 1241484, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00385   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ODBC32.dll"}, 1241484, ... ) }, 1241484, ... ) == 0x0
 00386   416   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ODBC32.dll"}, 5, 96, ... 80, {status=0x0, info=1}, ) }, 5, 96, ... 80, {status=0x0, info=1}, ) == 0x0
 00387   416   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 80, ... 84, ) == 0x0
 00388   416   NtQuerySection  (84, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00389   416   NtOpenProcessToken  (-1, 0x8, ... 88, ) == 0x0
 00390   416   NtQueryInformationToken  (88, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00391   416   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00392   416   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 92, ) }, ... 92, ) == 0x0
 00393   416   NtQueryValueKey  (92,  (92, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (92, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00394   416   NtClose  (92, ... ) == 0x0
 00395   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00396   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 92, ) == 0x0
 00397   416   NtQueryInformationToken  (92, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00398   416   NtClose  (92, ... ) == 0x0
 00399   416   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00400   416   NtClose  (88, ... ) == 0x0
 00401   416   NtClose  (80, ... ) == 0x0
 00402   416   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x1f7b0000), 0x0, 200704, ) == 0x0
 00403   416   NtClose  (84, ... ) == 0x0
 00404   416   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "COMCTL32.dll"}, ... 84, ) }, ... 84, ) == 0x0
 00405   416   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0
 00406   416   NtClose  (84, ... ) == 0x0
 00407   416   NtProtectVirtualMemory  (-1, (0x1f7b1000), 724, 4, ... (0x1f7b1000), 4096, 32, ) == 0x0
 00408   416   NtProtectVirtualMemory  (-1, (0x1f7b1000), 4096, 32, ... (0x1f7b1000), 4096, 4, ) == 0x0
 00409   416   NtFlushInstructionCache  (-1, 528158720, 724, ... ) == 0x0
 00410   416   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "comdlg32.dll"}, ... 84, ) }, ... 84, ) == 0x0
 00411   416   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x763b0000), 0x0, 282624, ) == 0x0
 00412   416   NtClose  (84, ... ) == 0x0
 00413   416   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 84, ) }, ... 84, ) == 0x0
 00414   416   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x772d0000), 0x0, 405504, ) == 0x0
 00415   416   NtClose  (84, ... ) == 0x0
 00416   416   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 84, ) }, ... 84, ) == 0x0
 00417   416   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0
 00418   416   NtClose  (84, ... ) == 0x0
 00419   416   NtProtectVirtualMemory  (-1, (0x763b1000), 1536, 4, ... (0x763b1000), 4096, 32, ) == 0x0
 00420   416   NtProtectVirtualMemory  (-1, (0x763b1000), 4096, 32, ... (0x763b1000), 4096, 4, ) == 0x0
 00421   416   NtFlushInstructionCache  (-1, 1983582208, 1536, ... ) == 0x0
 00422   416   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHELL32.dll"}, ... 84, ) }, ... 84, ) == 0x0
 00423   416   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 8339456, ) == 0x0
 00424   416   NtClose  (84, ... ) == 0x0
 00425   416   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {408, 0}, ... 84, ) == 0x0
 00426   416   NtQueryInformationProcess  (84, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 00427   416   NtClose  (84, ... ) == 0x0
 00428   416   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00429   416   NtUserSystemParametersInfo  (104, 0, 2000318720, 0, ... ) == 0x1
 00430   416   NtUserSystemParametersInfo  (38, 4, 2000318708, 0, ... ) == 0x1
 00431   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00432   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 84, ) == 0x0
 00433   416   NtQueryInformationToken  (84, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00434   416   NtClose  (84, ... ) == 0x0
 00435   416   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 84, ) }, ... 84, ) == 0x0
 00436   416   NtSetInformationObject  (84, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 00437   416   NtOpenKey  (0x20019, {24, 84, 0x40, 0, 0,  (0x20019, {24, 84, 0x40, 0, 0, "Control Panel\Desktop"}, ... 80, ) }, ... 80, ) == 0x0
 00438   416   NtQueryValueKey  (80,  (80, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00439   416   NtClose  (80, ... ) == 0x0
 00440   416   NtUserSystemParametersInfo  (41, 500, 1241216, 0, ... ) == 0x1
 00441   416   NtUserSystemParametersInfo  (102, 0, 2000318732, 0, ... ) == 0x1
 00442   416   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00443   416   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00444   416   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc03b
 00445   416   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00446   416   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc03d
 00447   416   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00448   416   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00449   416   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc03f
 00450   416   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00451   416   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00452   416   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc041
 00453   416   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00454   416   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00455   416   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc043
 00456   416   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00457   416   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc045
 00458   416   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00459   416   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00460   416   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc047
 00461   416   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00462   416   NtUserFindExistingCursorIcon  (1241004, 1241020, 1241588, ... ) == 0x10011
 00463   416   NtUserRegisterClassExWOW  (1241456, 1241536, 1241520, 1241552, 0, 384, 0, ... ) == 0x810dc049
 00464   416   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00465   416   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00466   416   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc04b
 00467   416   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00468   416   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00469   416   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc04d
 00470   416   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00471   416   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00472   416   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc04f
 00473   416   NtUserGetClassInfo  (1999896576, 1241628, 1241580, 1241656, 0, ... ) == 0x0
 00474   416   NtUserRegisterClassExWOW  (1241464, 1241544, 1241528, 1241560, 0, 384, 0, ... ) == 0x810dc051
 00475   416   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00476   416   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00477   416   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc053
 00478   416   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00479   416   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00480   416   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc055
 00481   416   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc057
 00482   416   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00483   416   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00484   416   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc059
 00485   416   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00486   416   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10013
 00487   416   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc05b
 00488   416   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00489   416   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00490   416   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc05d
 00491   416   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00492   416   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00493   416   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc05f
 00494   416   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00495   416   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 9240576, 65536, ) == 0x0
 00496   416   NtAllocateVirtualMemory  (-1, 9240576, 0, 4096, 4096, 4, ... 9240576, 4096, ) == 0x0
 00497   416   NtAllocateVirtualMemory  (-1, 9244672, 0, 8192, 4096, 4, ... 9244672, 8192, ) == 0x0
 00498   416   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 80, ) }, ... 80, ) == 0x0
 00499   416   NtMapViewOfSection  (80, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x8e0000), 0x0, 12288, ) == 0x0
 00500   416   NtClose  (80, ... ) == 0x0
 00501   416   NtAllocateVirtualMemory  (-1, 9252864, 0, 4096, 4096, 4, ... 9252864, 4096, ) == 0x0
 00502   416   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00503   416   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 80, ) }, ... 80, ) == 0x0
 00504   416   NtQueryValueKey  (80,  (80, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00505   416   NtClose  (80, ... ) == 0x0
 00506   416   NtQueryDefaultUILanguage  (1239840, ...
 00507   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00508   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482208, ) == 0x0
 00509   416   NtQueryInformationToken  (-2147482208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00510   416   NtClose  (-2147482208, ... ) == 0x0
 00511   416   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 00512   416   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00513   416   NtOpenKey  (0x80000000, {24, -2147482208, 0x640, 0, 0,  (0x80000000, {24, -2147482208, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482196, ) }, ... -2147482196, ) == 0x0
 00514   416   NtQueryValueKey  (-2147482196,  (-2147482196, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00515   416   NtClose  (-2147482196, ... ) == 0x0
 00516   416   NtClose  (-2147482208, ... ) == 0x0
 00506   416   NtQueryDefaultUILanguage  ... ) == 0x0
 00517   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00518   416   NtQueryInstallUILanguage  (2012047340, ... ) == 0x0
 00519   416   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1, 96, ... 80, {status=0x0, info=1}, ) }, 1, 96, ... 80, {status=0x0, info=1}, ) == 0x0
 00520   416   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 80, ... 88, ) == 0x0
 00521   416   NtMapViewOfSection  (88, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x8f0000), 0x0, 8323072, ) == 0x0
 00522   416   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00523   416   NtQueryDefaultUILanguage  (2013024600, ...
 00524   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00525   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482208, ) == 0x0
 00526   416   NtQueryInformationToken  (-2147482208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00527   416   NtClose  (-2147482208, ... ) == 0x0
 00528   416   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 00529   416   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00530   416   NtOpenKey  (0x80000000, {24, -2147482208, 0x640, 0, 0,  (0x80000000, {24, -2147482208, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482196, ) }, ... -2147482196, ) == 0x0
 00531   416   NtQueryValueKey  (-2147482196,  (-2147482196, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00532   416   NtClose  (-2147482196, ... ) == 0x0
 00533   416   NtClose  (-2147482208, ... ) == 0x0
 00523   416   NtQueryDefaultUILanguage  ... ) == 0x0
 00534   416   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00535   416   NtQueryInstallUILanguage  (2013024602, ... ) == 0x0
 00536   416   NtQueryDefaultLocale  (1, 1237876, ... ) == 0x0
 00537   416   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00538   416   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1238732, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1238732, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1P\0\0\0\377\377\377\377\0\0\0\0\20\311\306\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\314\355\22\0\0\0\0\0" ... {128, 156, reply, 0, 408, 416, 1494, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1P\0\0\0\377\377\377\377\0\0\0\0\20\311\306\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\314\355\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 408, 416, 1494, 0}  (24, {128, 156, new_msg, 0, 1238732, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1P\0\0\0\377\377\377\377\0\0\0\0\20\311\306\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\314\355\22\0\0\0\0\0" ... {128, 156, reply, 0, 408, 416, 1494, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1P\0\0\0\377\377\377\377\0\0\0\0\20\311\306\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\314\355\22\0\0\0\0\0" )  ) == 0x0
 00539   416   NtClose  (80, ... ) == 0x0
 00540   416   NtClose  (88, ... ) == 0x0
 00541   416   NtUnmapViewOfSection  (-1, 0x8f0000, ... ) == 0x0
 00542   416   NtUnmapViewOfSection  (-1, 0x12edcc, ... ) == STATUS_NOT_MAPPED_VIEW
 00543   416   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00544   416   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00545   416   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00546   416   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00547   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1236960, ... ) }, 1236960, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00548   416   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00549   416   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00550   416   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00551   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1237552, ... ) }, 1237552, ... ) == 0x0
 00552   416   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 88, {status=0x0, info=1}, ) }, 3, 33, ... 88, {status=0x0, info=1}, ) == 0x0
 00553   416   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00554   416   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 80, {status=0x0, info=1}, ) }, 5, 96, ... 80, {status=0x0, info=1}, ) == 0x0
 00555   416   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 80, ... 92, ) == 0x0
 00556   416   NtClose  (80, ... ) == 0x0
 00557   416   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x8f0000), 0x0, 921600, ) == 0x0
 00558   416   NtClose  (92, ... ) == 0x0
 00559   416   NtUnmapViewOfSection  (-1, 0x8f0000, ... ) == 0x0
 00560   416   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 92, {status=0x0, info=1}, ) }, 5, 96, ... 92, {status=0x0, info=1}, ) == 0x0
 00561   416   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 92, ... 80, ) == 0x0
 00562   416   NtQuerySection  (80, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00563   416   NtClose  (92, ... ) == 0x0
 00564   416   NtMapViewOfSection  (80, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0
 00565   416   NtClose  (80, ... ) == 0x0
 00566   416   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00567   416   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00568   416   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00569   416   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00570   416   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00571   416   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00572   416   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00573   416   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00574   416   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00575   416   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00576   416   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00577   416   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00578   416   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00579   416   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00580   416   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00581   416   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00582   416   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00583   416   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00584   416   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00585   416   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00586   416   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00587   416   NtAddAtom  ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1238736, ... ) , 42, 1238736, ... ) == 0x0
 00588   416   NtQueryDefaultUILanguage  (1237452, ...
 00589   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00590   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482208, ) == 0x0
 00591   416   NtQueryInformationToken  (-2147482208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00592   416   NtClose  (-2147482208, ... ) == 0x0
 00593   416   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 00594   416   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00595   416   NtOpenKey  (0x80000000, {24, -2147482208, 0x640, 0, 0,  (0x80000000, {24, -2147482208, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482196, ) }, ... -2147482196, ) == 0x0
 00596   416   NtQueryValueKey  (-2147482196,  (-2147482196, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00597   416   NtClose  (-2147482196, ... ) == 0x0
 00598   416   NtClose  (-2147482208, ... ) == 0x0
 00588   416   NtQueryDefaultUILanguage  ... ) == 0x0
 00599   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00600   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1236304, ... ) }, 1236304, ... ) == 0x0
 00601   416   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 80, {status=0x0, info=1}, ) }, 5, 96, ... 80, {status=0x0, info=1}, ) == 0x0
 00602   416   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 80, ... 92, ) == 0x0
 00603   416   NtClose  (80, ... ) == 0x0
 00604   416   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x8f0000), 0x0, 4096, ) == 0x0
 00605   416   NtClose  (92, ... ) == 0x0
 00606   416   NtUnmapViewOfSection  (-1, 0x8f0000, ... ) == 0x0
 00607   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1235944, ... ) }, 1235944, ... ) == 0x0
 00608   416   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1236644,  (0x80100080, {24, 0, 0x40, 0, 1236644, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 92, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 92, {status=0x0, info=1}, ) == 0x0
 00609   416   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 92, ... 80, ) == 0x0
 00610   416   NtClose  (92, ... ) == 0x0
 00611   416   NtMapViewOfSection  (80, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x8f0000), {0, 0}, 4096, ) == 0x0
 00612   416   NtClose  (80, ... ) == 0x0
 00613   416   NtUnmapViewOfSection  (-1, 0x8f0000, ... ) == 0x0
 00614   416   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 80, {status=0x0, info=1}, ) }, 1, 96, ... 80, {status=0x0, info=1}, ) == 0x0
 00615   416   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 80, ... 92, ) == 0x0
 00616   416   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x8f0000), 0x0, 4096, ) == 0x0
 00617   416   NtQueryInformationFile  (80, 1236264, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0
 00618   416   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00619   416   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1236344, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1236344, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1P\0\0\0\\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0x\344\22\0\0\0\0\0" ... {128, 156, reply, 0, 408, 416, 1495, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1P\0\0\0\\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0x\344\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 408, 416, 1495, 0}  (24, {128, 156, new_msg, 0, 1236344, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1P\0\0\0\\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0x\344\22\0\0\0\0\0" ... {128, 156, reply, 0, 408, 416, 1495, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1P\0\0\0\\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0x\344\22\0\0\0\0\0" )  ) == 0x0
 00620   416   NtClose  (80, ... ) == 0x0
 00621   416   NtClose  (92, ... ) == 0x0
 00622   416   NtUnmapViewOfSection  (-1, 0x8f0000, ... ) == 0x0
 00623   416   NtUnmapViewOfSection  (-1, 0x12e478, ... ) == STATUS_NOT_MAPPED_VIEW
 00624   416   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00625   416   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00626   416   NtUserSystemParametersInfo  (104, 0, 1906151468, 0, ... ) == 0x1
 00627   416   NtUserGetDC  (0, ... ) == 0x1010054
 00628   416   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 00629   416   NtUserSystemParametersInfo  (38, 4, 1906153440, 0, ... ) == 0x1
 00630   416   NtUserSystemParametersInfo  (66, 12, 1238756, 0, ... ) == 0x1
 00631   416   NtOpenProcessToken  (-1, 0x8, ... 92, ) == 0x0
 00632   416   NtAccessCheck  (1393640, 92, 0x1, 1238160, 1238104, 56, 1238188, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 00633   416   NtClose  (92, ... ) == 0x0
 00634   416   NtOpenKey  (0x20019, {24, 84, 0x40, 0, 0,  (0x20019, {24, 84, 0x40, 0, 0, "Control Panel\Desktop"}, ... 92, ) }, ... 92, ) == 0x0
 00635   416   NtQueryValueKey  (92,  (92, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00636   416   NtClose  (92, ... ) == 0x0
 00637   416   NtUserSystemParametersInfo  (41, 500, 1238256, 0, ... ) == 0x1
 00638   416   NtAllocateVirtualMemory  (-1, 1396736, 0, 4096, 4096, 4, ... 1396736, 4096, ) == 0x0
 00639   416   NtOpenKey  (0x1, {24, 84, 0x40, 0, 0,  (0x1, {24, 84, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 92, ) }, ... 92, ) == 0x0
 00640   416   NtQueryValueKey  (92,  (92, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00641   416   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 80, ) }, ... 80, ) == 0x0
 00642   416   NtQueryValueKey  (80,  (80, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00643   416   NtClose  (80, ... ) == 0x0
 00644   416   NtClose  (92, ... ) == 0x0
 00645   416   NtUserSystemParametersInfo  (102, 0, 1906153328, 0, ... ) == 0x1
 00646   416   NtUserSystemParametersInfo  (4130, 0, 1238780, 0, ... ) == 0x1
 00647   416   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 92, ) }, ... 92, ) == 0x0
 00648   416   NtEnumerateValueKey  (92, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 00649   416   NtClose  (92, ... ) == 0x0
 00650   416   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00651   416   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc03b
 00652   416   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc03d
 00653   416   NtUserFindExistingCursorIcon  (1238060, 1238076, 1238644, ... ) == 0x10011
 00654   416   NtUserRegisterClassExWOW  (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810dc03f
 00655   416   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00656   416   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc041
 00657   416   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00658   416   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ...
 00659   416   NtAllocateVirtualMemory  (-1, 6127616, 0, 4096, 4096, 32, ... 6127616, 4096, ) == 0x0
 00658   416   NtUserRegisterClassExWOW  ... ) == 0x810dc043
 00660   416   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc045
 00661   416   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00662   416   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc047
 00663   416   NtUserFindExistingCursorIcon  (1238060, 1238076, 1238644, ... ) == 0x10011
 00664   416   NtUserRegisterClassExWOW  (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810dc049
 00665   416   NtUserGetClassInfo  (1905590272, 1238676, 1238628, 1238704, 0, ... ) == 0xc049
 00666   416   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00667   416   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc04b
 00668   416   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00669   416   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc04d
 00670   416   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00671   416   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc04f
 00672   416   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc051
 00673   416   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00674   416   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc053
 00675   416   NtUserFindExistingCursorIcon  (1238060, 1238076, 1238644, ... ) == 0x10011
 00676   416   NtUserRegisterClassExWOW  (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810dc055
 00677   416   NtUserRegisterClassExWOW  (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810dc057
 00678   416   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00679   416   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc059
 00680   416   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10013
 00681   416   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc05b
 00682   416   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00683   416   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc05d
 00684   416   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00685   416   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc05f
 00686   416   NtUserFindExistingCursorIcon  (1238060, 1238076, 1238644, ... ) == 0x10011
 00687   416   NtUserRegisterClassExWOW  (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810dc017
 00688   416   NtUserFindExistingCursorIcon  (1238060, 1238076, 1238644, ... ) == 0x10011
 00689   416   NtUserRegisterClassExWOW  (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810dc019
 00690   416   NtUserFindExistingCursorIcon  (1238060, 1238076, 1238644, ... ) == 0x10013
 00691   416   NtUserRegisterClassExWOW  (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810dc018
 00692   416   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00693   416   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc01a
 00694   416   NtUserFindExistingCursorIcon  (1238060, 1238076, 1238644, ... ) == 0x10011
 00695   416   NtUserRegisterClassExWOW  (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810dc01c
 00696   416   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00697   416   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc01e
 00698   416   NtUserFindExistingCursorIcon  (1238060, 1238076, 1238644, ... ) == 0x10011
 00699   416   NtUserRegisterClassExWOW  (1238572, 1238652, 1238636, 1238668, 0, 384, 0, ... ) == 0x810dc01b
 00700   416   NtUserFindExistingCursorIcon  (1238056, 1238072, 1238640, ... ) == 0x10011
 00701   416   NtUserRegisterClassExWOW  (1238568, 1238648, 1238632, 1238664, 0, 384, 0, ... ) == 0x810dc068
 00702   416   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00703   416   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc06a
 00704   416   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc03b
 00705   416   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc03d
 00706   416   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc03f
 00707   416   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc041
 00708   416   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc043
 00709   416   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc045
 00710   416   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc047
 00711   416   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc049
 00712   416   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc04b
 00713   416   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc04d
 00714   416   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc04f
 00715   416   NtUserGetClassInfo  (1999896576, 1241580, 1241532, 1241608, 0, ... ) == 0xc051
 00716   416   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc053
 00717   416   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc055
 00718   416   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc059
 00719   416   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc05b
 00720   416   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc05d
 00721   416   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc05f
 00722   416   NtUserRegisterWindowMessage  ( ("WOWLFChange", ... ) , ... ) == 0xc06b
 00723   416   NtUserRegisterWindowMessage  ( ("WOWDirChange", ... ) , ... ) == 0xc06c
 00724   416   NtUserRegisterWindowMessage  ( ("WOWCHOOSEFONT_GETLOGFONT", ... ) , ... ) == 0xc06d
 00725   416   NtUserRegisterWindowMessage  ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06e
 00726   416   NtUserRegisterWindowMessage  ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc06f
 00727   416   NtUserRegisterWindowMessage  ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc070
 00728   416   NtUserRegisterWindowMessage  ( ("commdlg_ColorOK", ... ) , ... ) == 0xc071
 00729   416   NtUserRegisterWindowMessage  ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc072
 00730   416   NtUserRegisterWindowMessage  ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06e
 00731   416   NtUserRegisterWindowMessage  ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc06f
 00732   416   NtUserRegisterWindowMessage  ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc070
 00733   416   NtUserRegisterWindowMessage  ( ("commdlg_ColorOK", ... ) , ... ) == 0xc071
 00734   416   NtUserRegisterWindowMessage  ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc072
 00735   416   NtUserRegisterWindowMessage  ( ("Shell IDList Array", ... ) , ... ) == 0xc073
 00736   416   NtUserRegisterWindowMessage  ( ("commdlg_help", ... ) , ... ) == 0xc074
 00737   416   NtUserRegisterWindowMessage  ( ("commdlg_help", ... ) , ... ) == 0xc074
 00738   416   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\MDAC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00739   416   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00740   416   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00741   416   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00742   416   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 9502720, 262144, ) == 0x0
 00743   416   NtAllocateVirtualMemory  (-1, 9502720, 0, 4096, 4096, 4, ... 9502720, 4096, ) == 0x0
 00744   416   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00745   416   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 9764864, 262144, ) == 0x0
 00746   416   NtAllocateVirtualMemory  (-1, 9764864, 0, 4096, 4096, 4, ... 9764864, 4096, ) == 0x0
 00747   416   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00748   416   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 10027008, 262144, ) == 0x0
 00749   416   NtAllocateVirtualMemory  (-1, 10027008, 0, 4096, 4096, 4, ... 10027008, 4096, ) == 0x0
 00750   416   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00751   416   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 10289152, 262144, ) == 0x0
 00752   416   NtAllocateVirtualMemory  (-1, 10289152, 0, 4096, 4096, 4, ... 10289152, 4096, ) == 0x0
 00753   416   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00754   416   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00755   416   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00756   416   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00757   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 1237456, ... ) }, 1237456, ... ) == 0x0
 00758   416   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 5, 96, ... 92, {status=0x0, info=1}, ) }, 5, 96, ... 92, {status=0x0, info=1}, ) == 0x0
 00759   416   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 92, ... 80, ) == 0x0
 00760   416   NtClose  (92, ... ) == 0x0
 00761   416   NtMapViewOfSection  (80, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa10000), 0x0, 90112, ) == 0x0
 00762   416   NtClose  (80, ... ) == 0x0
 00763   416   NtUnmapViewOfSection  (-1, 0xa10000, ... ) == 0x0
 00764   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 1237772, ... ) }, 1237772, ... ) == 0x0
 00765   416   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 5, 96, ... 80, {status=0x0, info=1}, ) }, 5, 96, ... 80, {status=0x0, info=1}, ) == 0x0
 00766   416   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 80, ... 92, ) == 0x0
 00767   416   NtQuerySection  (92, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00768   416   NtClose  (80, ... ) == 0x0
 00769   416   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x1f850000), 0x0, 90112, ) == 0x0
 00770   416   NtClose  (92, ... ) == 0x0
 00771   416   NtQueryDefaultLocale  (1, 1239460, ... ) == 0x0
 00772   416   NtAllocateVirtualMemory  (-1, 9506816, 0, 4096, 4096, 4, ... 9506816, 4096, ) == 0x0
 00773   416   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE"}, ... 92, ) }, ... 92, ) == 0x0
 00774   416   NtClose  (92, ... ) == 0x0
 00775   416   NtOpenKey  (0x20019, {24, 84, 0x40, 0, 0,  (0x20019, {24, 84, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00776   416   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00777   416   NtOpenKey  (0x20019, {24, 84, 0x40, 0, 0,  (0x20019, {24, 84, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00778   416   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00779   416   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WININET.dll"}, ... 92, ) }, ... 92, ) == 0x0
 00780   416   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76200000), 0x0, 618496, ) == 0x0
 00781   416   NtClose  (92, ... ) == 0x0
 00782   416   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "CRYPT32.dll"}, ... 92, ) }, ... 92, ) == 0x0
 00783   416   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762c0000), 0x0, 565248, ) == 0x0
 00784   416   NtClose  (92, ... ) == 0x0
 00785   416   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSASN1.dll"}, ... 92, ) }, ... 92, ) == 0x0
 00786   416   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762a0000), 0x0, 61440, ) == 0x0
 00787   416   NtClose  (92, ... ) == 0x0
 00788   416   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLEAUT32.dll"}, ... 92, ) }, ... 92, ) == 0x0
 00789   416   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0
 00790   416   NtClose  (92, ... ) == 0x0
 00791   416   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLE32.DLL"}, ... 92, ) }, ... 92, ) == 0x0
 00792   416   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0
 00793   416   NtClose  (92, ... ) == 0x0
 00794   416   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\crypt32\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00795   416   NtAllocateVirtualMemory  (-1, 1400832, 0, 4096, 4096, 4, ... 1400832, 4096, ) == 0x0
 00796   416   NtAllocateVirtualMemory  (-1, 1404928, 0, 4096, 4096, 4, ... 1404928, 4096, ) == 0x0
 00797   416   NtAllocateVirtualMemory  (-1, 1409024, 0, 4096, 4096, 4, ... 1409024, 4096, ) == 0x0
 00798   416   NtCreateEvent  (0x1f0003, {24, 52, 0x80, 1241616, 0,  (0x1f0003, {24, 52, 0x80, 1241616, 0, "Global\crypt32LogoffEvent"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED
 00799   416   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\crypt32LogoffEvent"}, ... 92, ) }, ... 92, ) == 0x0
 00800   416   NtAllocateVirtualMemory  (-1, 1413120, 0, 4096, 4096, 4, ... 1413120, 4096, ) == 0x0
 00801   416   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00802   416   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00803   416   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 80, ) }, ... 80, ) == 0x0
 00804   416   NtQueryValueKey  (80,  (80, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0
 00805   416   NtClose  (80, ... ) == 0x0
 00806   416   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00807   416   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00808   416   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00809   416   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00810   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 80, ) }, ... 80, ) == 0x0
 00811   416   NtQueryValueKey  (80,  (80, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00812   416   NtQueryValueKey  (80,  (80, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00813   416   NtQueryValueKey  (80,  (80, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00814   416   NtClose  (80, ... ) == 0x0
 00815   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 80, ) }, ... 80, ) == 0x0
 00816   416   NtQueryValueKey  (80,  (80, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00817   416   NtQueryValueKey  (80,  (80, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00818   416   NtClose  (80, ... ) == 0x0
 00819   416   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00820   416   NtUserRegisterWindowMessage  ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b
 00821   416   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00822   416   NtOpenKey  (0x9, {24, 28, 0x40, 0, 0,  (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00823   416   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00824   416   NtAllocateVirtualMemory  (-1, 1417216, 0, 8192, 4096, 4, ... 1417216, 8192, ) == 0x0
 00825   416   NtCreateKey  (0xf003f, {24, 84, 0x40, 0, 0,  (0xf003f, {24, 84, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History"}, 0, 0x0, 0, ... 80, 2, ) }, 0, 0x0, 0, ... 80, 2, ) == 0x0
 00826   416   NtQueryDefaultUILanguage  (1239852, ...
 00827   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00828   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482208, ) == 0x0
 00829   416   NtQueryInformationToken  (-2147482208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00830   416   NtClose  (-2147482208, ... ) == 0x0
 00831   416   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 00832   416   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00833   416   NtOpenKey  (0x80000000, {24, -2147482208, 0x640, 0, 0,  (0x80000000, {24, -2147482208, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482196, ) }, ... -2147482196, ) == 0x0
 00834   416   NtQueryValueKey  (-2147482196,  (-2147482196, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00835   416   NtClose  (-2147482196, ... ) == 0x0
 00836   416   NtClose  (-2147482208, ... ) == 0x0
 00826   416   NtQueryDefaultUILanguage  ... ) == 0x0
 00837   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00838   416   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll"}, 1, 96, ... 96, {status=0x0, info=1}, ) }, 1, 96, ... 96, {status=0x0, info=1}, ) == 0x0
 00839   416   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 96, ... 100, ) == 0x0
 00840   416   NtMapViewOfSection  (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xa10000), 0x0, 593920, ) == 0x0
 00841   416   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00842   416   NtQueryDefaultLocale  (1, 1237888, ... ) == 0x0
 00843   416   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00844   416   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1238744, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1238744, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1`\0\0\0\377\377\377\377\0\0\0\0P\275\250\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\330\355\22\0\0\0\0\0" ... {128, 156, reply, 0, 408, 416, 1496, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1`\0\0\0\377\377\377\377\0\0\0\0P\275\250\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\330\355\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 408, 416, 1496, 0}  (24, {128, 156, new_msg, 0, 1238744, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1`\0\0\0\377\377\377\377\0\0\0\0P\275\250\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\330\355\22\0\0\0\0\0" ... {128, 156, reply, 0, 408, 416, 1496, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1`\0\0\0\377\377\377\377\0\0\0\0P\275\250\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\330\355\22\0\0\0\0\0" )  ) == 0x0
 00845   416   NtClose  (96, ... ) == 0x0
 00846   416   NtClose  (100, ... ) == 0x0
 00847   416   NtUnmapViewOfSection  (-1, 0xa10000, ... ) == 0x0
 00848   416   NtUnmapViewOfSection  (-1, 0x12edd8, ... ) == STATUS_NOT_MAPPED_VIEW
 00849   416   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00850   416   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00851   416   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00852   416   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00853   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1236428, ... ) }, 1236428, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00854   416   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00855   416   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00856   416   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00857   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1237020, ... ) }, 1237020, ... ) == 0x0
 00858   416   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 100, {status=0x0, info=1}, ) }, 3, 33, ... 100, {status=0x0, info=1}, ) == 0x0
 00859   416   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00860   416   NtCreateKey  (0x2001f, {24, 84, 0x40, 0, 0,  (0x2001f, {24, 84, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 96, 2, ) }, 0, 0x0, 0, ... 96, 2, ) == 0x0
 00861   416   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00862   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1241484, ... ) }, 1241484, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00863   416   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2_32.dll"}, 1241484, ... ) }, 1241484, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00864   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 1241484, ... ) }, 1241484, ... ) == 0x0
 00865   416   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0
 00866   416   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 104, ... 108, ) == 0x0
 00867   416   NtQuerySection  (108, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00868   416   NtClose  (104, ... ) == 0x0
 00869   416   NtMapViewOfSection  (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 86016, ) == 0x0
 00870   416   NtClose  (108, ... ) == 0x0
 00871   416   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00872   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1240680, ... ) }, 1240680, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00873   416   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2HELP.dll"}, 1240680, ... ) }, 1240680, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00874   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 1240680, ... ) }, 1240680, ... ) == 0x0
 00875   416   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 5, 96, ... 108, {status=0x0, info=1}, ) }, 5, 96, ... 108, {status=0x0, info=1}, ) == 0x0
 00876   416   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 108, ... 104, ) == 0x0
 00877   416   NtQuerySection  (104, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00878   416   NtClose  (108, ... ) == 0x0
 00879   416   NtMapViewOfSection  (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00880   416   NtClose  (104, ... ) == 0x0
 00881   416   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00882   416   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00883   416   NtTestAlert  (... ) == 0x0
 00884   416   NtContinue  (1244464, 1, ...
 00885   416   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x490000,}, 4, ... ) == 0x0
 00886   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp"}, 1243656, ... ) }, 1243656, ... ) == 0x0
 00887   416   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 1376256, 1422392, 0, 1243996}  (24, {20, 48, new_msg, 0, 1376256, 1422392, 0, 1243996} "\0\0\0\0\2\0\1\0\23\0\0\0\10\6\25\0\215\26\365w" ... {20, 48, reply, 0, 408, 416, 1497, 0} "\0\0\0\0\2\0\1\0\1\0\0\0\10\6\25\0\1\0\0\0" )  ... {20, 48, reply, 0, 408, 416, 1497, 0}  (24, {20, 48, new_msg, 0, 1376256, 1422392, 0, 1243996} "\0\0\0\0\2\0\1\0\23\0\0\0\10\6\25\0\215\26\365w" ... {20, 48, reply, 0, 408, 416, 1497, 0} "\0\0\0\0\2\0\1\0\1\0\0\0\10\6\25\0\1\0\0\0" )  ) == 0x0
 00888   416   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1243664,  (0x80100080, {24, 0, 0x40, 0, 1243664, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~1.tmp"}, 0x0, 128, 0, 2, 96, 0, 0, ... }, 0x0, 128, 0, 2, 96, 0, 0, ...
 00889   416   NtQueryDirectoryFile  (-2147482208, 0, 0, 0, -511647744, 4096, Names, 1,  (-2147482208, 0, 0, 0, -511647744, 4096, Names, 1, "~1.tmp", 1, ... {status=0x0, info=24}, ) , 1, ... {status=0x0, info=24}, ) == 0x0
 00890   416   NtClose  (-2147482208, ... ) == 0x0
 00888   416   NtCreateFile  ... 104, {status=0x0, info=2}, ) == 0x0
 00891   416   NtClose  (104, ... ) == 0x0
 00892   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~1.tmp.exe"}, 1242912, ... ) }, 1242912, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00893   416   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1243644,  (0xc0100080, {24, 0, 0x40, 0, 1243644, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~1.tmp.exe"}, 0x0, 0, 3, 5, 96, 0, 0, ... }, 0x0, 0, 3, 5, 96, 0, 0, ...
 00894   416   NtClose  (-2147482208, ... ) == 0x0
 00895   416   NtQueryDirectoryFile  (-2147482208, 0, 0, 0, -511647744, 4096, Names, 1,  (-2147482208, 0, 0, 0, -511647744, 4096, Names, 1, "~1.tmp.exe", 1, ... ) , 1, ... ) == STATUS_NO_SUCH_FILE
 00896   416   NtClose  (-2147482208, ... ) == 0x0
 00893   416   NtCreateFile  ... 104, {status=0x0, info=2}, ) == 0x0
 00897   416   NtQueryVolumeInformationFile  (104, 1243804, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00898   416   NtQueryInformationFile  (104, 1243696, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00899   416   NtWriteFile  (104, 0, 0, 0,  (104, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0    \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\310\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\7\361\203\330C\220\355\213C\220\355\213C\220\355\213\300\230\260\213@\220\355\213C\220\354\213B\220\355\213C\220\355\213B\220\355\213F\234\267\213B\220\355\213RichC\220\355\213\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0\206\23\36C\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\12\0\0\0\0\0\246\0\0\0L\0\0\0\24\1\0\0\20\0\0\0\20\0\0\0\0\200\11\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\200\1\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\10`\0\0(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\0\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.bss\0\0\0\0\34J\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0\300.rdata\0\0T\0\0\0", 49152, 0x0, 0, ... {status=0x0, info=49152}, ) , 49152, 0x0, 0, ... {status=0x0, info=49152}, ) == 0x0
 00900   416   NtClose  (104, ... ) == 0x0
 00901   416   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 00902   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~1.tmp.exe"}, 1240368, ... ) }, 1240368, ... ) == 0x0
 00903   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~1.tmp.exe"}, 1241060, ... ) }, 1241060, ... ) == 0x0
 00904   416   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~1.tmp.exe"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0
 00905   416   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 104, ... 108, ) == 0x0
 00906   416   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00907   416   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 112, ) }, ... 112, ) == 0x0
 00908   416   NtQueryValueKey  (112,  (112, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00909   416   NtClose  (112, ... ) == 0x0
 00910   416   NtQueryVolumeInformationFile  (104, 1240368, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00911   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1238352, ... ) }, 1238352, ... ) == 0x0
 00912   416   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 112, {status=0x0, info=1}, ) }, 5, 96, ... 112, {status=0x0, info=1}, ) == 0x0
 00913   416   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 112, ... 116, ) == 0x0
 00914   416   NtClose  (112, ... ) == 0x0
 00915   416   NtMapViewOfSection  (116, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa10000), 0x0, 106496, ) == 0x0
 00916   416   NtClose  (116, ... ) == 0x0
 00917   416   NtUnmapViewOfSection  (-1, 0xa10000, ... ) == 0x0
 00918   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1238668, ... ) }, 1238668, ... ) == 0x0
 00919   416   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 116, {status=0x0, info=1}, ) }, 5, 96, ... 116, {status=0x0, info=1}, ) == 0x0
 00920   416   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 116, ... 112, ) == 0x0
 00921   416   NtQuerySection  (112, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00922   416   NtClose  (116, ... ) == 0x0
 00923   416   NtMapViewOfSection  (112, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f40000), 0x0, 118784, ) == 0x0
 00924   416   NtClose  (112, ... ) == 0x0
 00925   416   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 112, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 112, {status=0x0, info=1}, ) == 0x0
 00926   416   NtQueryInformationFile  (112, 1238956, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00927   416   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 112, ... 116, ) == 0x0
 00928   416   NtMapViewOfSection  (116, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xa10000), 0x0, 1028096, ) == 0x0
 00929   416   NtQueryInformationFile  (112, 1239052, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00930   416   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00931   416   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00932   416   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 00933   416   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\"}, 3, 16417, ... 120, {status=0x0, info=1}, ) }, 3, 16417, ... 120, {status=0x0, info=1}, ) == 0x0
 00934   416   NtQueryDirectoryFile  (120, 0, 0, 0, 1236616, 616, BothDirectory, 1,  (120, 0, 0, 0, 1236616, 616, BothDirectory, 1, "~1.tmp.exe", 0, ... {status=0x0, info=114}, ) , 0, ... {status=0x0, info=114}, ) == 0x0
 00935   416   NtClose  (120, ... ) == 0x0
 00936   416   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00937   416   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00938   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~1.tmp.exe"}, 1236004, ... ) }, 1236004, ... ) == 0x0
 00939   416   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 120, {status=0x0, info=1}, ) }, 3, 16417, ... 120, {status=0x0, info=1}, ) == 0x0
 00940   416   NtQueryDirectoryFile  (120, 0, 0, 0, 1235364, 616, BothDirectory, 1,  (120, 0, 0, 0, 1235364, 616, BothDirectory, 1, "DOCUME~1", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0
 00941   416   NtClose  (120, ... ) == 0x0
 00942   416   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\"}, 3, 16417, ... 120, {status=0x0, info=1}, ) }, 3, 16417, ... 120, {status=0x0, info=1}, ) == 0x0
 00943   416   NtQueryDirectoryFile  (120, 0, 0, 0, 1235364, 616, BothDirectory, 1,  (120, 0, 0, 0, 1235364, 616, BothDirectory, 1, "SRI-user", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 00944   416   NtClose  (120, ... ) == 0x0
 00945   416   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\"}, 3, 16417, ... 120, {status=0x0, info=1}, ) }, 3, 16417, ... 120, {status=0x0, info=1}, ) == 0x0
 00946   416   NtQueryDirectoryFile  (120, 0, 0, 0, 1235364, 616, BothDirectory, 1,  (120, 0, 0, 0, 1235364, 616, BothDirectory, 1, "LOCALS~1", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0
 00947   416   NtClose  (120, ... ) == 0x0
 00948   416   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\"}, 3, 16417, ... 120, {status=0x0, info=1}, ) }, 3, 16417, ... 120, {status=0x0, info=1}, ) == 0x0
 00949   416   NtQueryDirectoryFile  (120, 0, 0, 0, 1235364, 616, BothDirectory, 1,  (120, 0, 0, 0, 1235364, 616, BothDirectory, 1, "Temp", 0, ... {status=0x0, info=102}, ) , 0, ... {status=0x0, info=102}, ) == 0x0
 00950   416   NtClose  (120, ... ) == 0x0
 00951   416   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00952   416   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00953   416   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 00954   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00955   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 120, ) == 0x0
 00956   416   NtQueryInformationToken  (120, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00957   416   NtClose  (120, ... ) == 0x0
 00958   416   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00959   416   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\~1.tmp.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00960   416   NtUnmapViewOfSection  (-1, 0xa10000, ... ) == 0x0
 00961   416   NtClose  (116, ... ) == 0x0
 00962   416   NtClose  (112, ... ) == 0x0
 00963   416   NtQuerySection  (108, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00964   416   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\~1.tmp.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00965   416   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 00966   416   NtOpenProcessToken  (-1, 0xa, ... 112, ) == 0x0
 00967   416   NtQueryInformationToken  (112, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00968   416   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00969   416   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 116, ) }, ... 116, ) == 0x0
 00970   416   NtQueryValueKey  (116,  (116, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (116, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00971   416   NtQueryValueKey  (116,  (116, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (116, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00972   416   NtClose  (116, ... ) == 0x0
 00973   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 116, ) }, ... 116, ) == 0x0
 00974   416   NtQueryValueKey  (116,  (116, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00975   416   NtAllocateVirtualMemory  (-1, 1425408, 0, 4096, 4096, 4, ... 1425408, 4096, ) == 0x0
 00976   416   NtQueryValueKey  (116,  (116, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (116, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0
 00977   416   NtClose  (116, ... ) == 0x0
 00978   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\LevelObjects"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00979   416   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 116, ) }, ... 116, ) == 0x0
 00980   416   NtQueryValueKey  (116,  (116, "Levels", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00981   416   NtClose  (116, ... ) == 0x0
 00982   416   NtQueryDefaultLocale  (1, 1239740, ... ) == 0x0
 00983   416   NtQueryDefaultLocale  (1, 1239740, ... ) == 0x0
 00984   416   NtQueryDefaultLocale  (1, 1239740, ... ) == 0x0
 00985   416   NtQueryDefaultLocale  (1, 1239740, ... ) == 0x0
 00986   416   NtQueryDefaultLocale  (1, 1239740, ... ) == 0x0
 00987   416   NtQueryDefaultLocale  (1, 1239740, ... ) == 0x0
 00988   416   NtQueryDefaultLocale  (1, 1239740, ... ) == 0x0
 00989   416   NtQueryDefaultLocale  (1, 1239740, ... ) == 0x0
 00990   416   NtQueryDefaultLocale  (1, 1239740, ... ) == 0x0
 00991   416   NtQueryDefaultLocale  (1, 1239740, ... ) == 0x0
 00992   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... 116, ) }, ... 116, ) == 0x0
 00993   416   NtEnumerateKey  (116, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name= (116, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name="{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, 92, ) }, 92, ) == 0x0
 00994   416   NtOpenKey  (0x20019, {24, 116, 0x40, 0, 0,  (0x20019, {24, 116, 0x40, 0, 0, "{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, ... 120, ) }, ... 120, ) == 0x0
 00995   416   NtQueryValueKey  (120,  (120, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) , Partial, 280, ... TitleIdx=0, Type=2, Data= (120, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) }, 202, ) == 0x0
 00996   416   NtQueryValueKey  (120,  (120, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (120, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00997   416   NtClose  (120, ... ) == 0x0
 00998   416   NtEnumerateKey  (116, 1, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES
 00999   416   NtClose  (116, ... ) == 0x0
 01000   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01001   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01002   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01003   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01004   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01005   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01006   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01007   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01008   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01009   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01010   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01011   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01012   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01013   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01014   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01015   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 116, ) == 0x0
 01016   416   NtQueryInformationToken  (116, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01017   416   NtClose  (116, ... ) == 0x0
 01018   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01019   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01020   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 116, ) == 0x0
 01021   416   NtQueryInformationToken  (116, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01022   416   NtClose  (116, ... ) == 0x0
 01023   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01024   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01025   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 116, ) == 0x0
 01026   416   NtQueryInformationToken  (116, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01027   416   NtClose  (116, ... ) == 0x0
 01028   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01029   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01030   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 116, ) == 0x0
 01031   416   NtQueryInformationToken  (116, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01032   416   NtClose  (116, ... ) == 0x0
 01033   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01034   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01035   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 116, ) == 0x0
 01036   416   NtQueryInformationToken  (116, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01037   416   NtClose  (116, ... ) == 0x0
 01038   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01039   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01040   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 116, ) == 0x0
 01041   416   NtQueryInformationToken  (116, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01042   416   NtClose  (116, ... ) == 0x0
 01043   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01044   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01045   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 116, ) == 0x0
 01046   416   NtQueryInformationToken  (116, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01047   416   NtClose  (116, ... ) == 0x0
 01048   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01049   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01050   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 116, ) == 0x0
 01051   416   NtQueryInformationToken  (116, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01052   416   NtClose  (116, ... ) == 0x0
 01053   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01054   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01055   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 116, ) == 0x0
 01056   416   NtQueryInformationToken  (116, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01057   416   NtClose  (116, ... ) == 0x0
 01058   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01059   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01060   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 116, ) == 0x0
 01061   416   NtQueryInformationToken  (116, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01062   416   NtClose  (116, ... ) == 0x0
 01063   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01064   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01065   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 116, ) == 0x0
 01066   416   NtQueryInformationToken  (116, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01067   416   NtClose  (116, ... ) == 0x0
 01068   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01069   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01070   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 116, ) == 0x0
 01071   416   NtQueryInformationToken  (116, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01072   416   NtClose  (116, ... ) == 0x0
 01073   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01074   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01075   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 116, ) == 0x0
 01076   416   NtQueryInformationToken  (116, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01077   416   NtClose  (116, ... ) == 0x0
 01078   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01079   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01080   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 116, ) == 0x0
 01081   416   NtQueryInformationToken  (116, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01082   416   NtClose  (116, ... ) == 0x0
 01083   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01084   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01085   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 116, ) == 0x0
 01086   416   NtQueryInformationToken  (116, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01087   416   NtClose  (116, ... ) == 0x0
 01088   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01089   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 116, ) }, ... 116, ) == 0x0
 01090   416   NtQueryValueKey  (116,  (116, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (116, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Data= (116, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) }, 48, ) == 0x0
 01091   416   NtClose  (116, ... ) == 0x0
 01092   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01093   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 116, ) == 0x0
 01094   416   NtQueryInformationToken  (116, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01095   416   NtClose  (116, ... ) == 0x0
 01096   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01097   416   NtOpenThreadToken  (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN
 01098   416   NtOpenProcessToken  (-1, 0xa, ... 116, ) == 0x0
 01099   416   NtDuplicateToken  (116, 0xc, {24, 0, 0x0, 0, 1240260, 0x0}, 0, 2, ... 120, ) == 0x0
 01100   416   NtClose  (116, ... ) == 0x0
 01101   416   NtAccessCheck  (1428392, 120, 0x1, 1240388, 1240332, 56, 1240416, ... (0x1), ) == 0x0
 01102   416   NtClose  (120, ... ) == 0x0
 01103   416   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 120, ) }, ... 120, ) == 0x0
 01104   416   NtQueryValueKey  (120,  (120, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (120, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01105   416   NtClose  (120, ... ) == 0x0
 01106   416   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 120, ) }, ... 120, ) == 0x0
 01107   416   NtQuerySymbolicLinkObject  (120, ...  (120, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0
 01108   416   NtClose  (120, ... ) == 0x0
 01109   416   NtQueryInformationFile  (104, 1238720, 528, Name, ... {status=0x0, info=130}, ) == 0x0
 01110   416   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01111   416   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01112   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temp\~1.tmp.exe"}, 1237400, ... ) }, 1237400, ... ) == 0x0
 01113   416   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\"}, 3, 16417, ... 120, {status=0x0, info=1}, ) }, 3, 16417, ... 120, {status=0x0, info=1}, ) == 0x0
 01114   416   NtQueryDirectoryFile  (120, 0, 0, 0, 1236760, 616, BothDirectory, 1,  (120, 0, 0, 0, 1236760, 616, BothDirectory, 1, "SRI-user", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01115   416   NtClose  (120, ... ) == 0x0
 01116   416   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\"}, 3, 16417, ... 120, {status=0x0, info=1}, ) }, 3, 16417, ... 120, {status=0x0, info=1}, ) == 0x0
 01117   416   NtQueryDirectoryFile  (120, 0, 0, 0, 1236760, 616, BothDirectory, 1,  (120, 0, 0, 0, 1236760, 616, BothDirectory, 1, "Temp", 0, ... {status=0x0, info=102}, ) , 0, ... {status=0x0, info=102}, ) == 0x0
 01118   416   NtClose  (120, ... ) == 0x0
 01119   416   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01120   416   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01121   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01122   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 120, ) == 0x0
 01123   416   NtQueryInformationToken  (120, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01124   416   NtClose  (120, ... ) == 0x0
 01125   416   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 120, ) }, ... 120, ) == 0x0
 01126   416   NtOpenKey  (0x20019, {24, 120, 0x40, 0, 0,  (0x20019, {24, 120, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 116, ) }, ... 116, ) == 0x0
 01127   416   NtClose  (120, ... ) == 0x0
 01128   416   NtQueryValueKey  (116,  (116, "Cache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01129   416   NtQueryValueKey  (116,  (116, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=1, Data= (116, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) }, 162, ) == 0x0
 01130   416   NtClose  (116, ... ) == 0x0
 01131   416   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 8192, 4, ... 10551296, 4096, ) == 0x0
 01132   416   NtAllocateVirtualMemory  (-1, 10551296, 0, 4096, 4096, 4, ... 10551296, 4096, ) == 0x0
 01133   416   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 116, ) }, ... 116, ) == 0x0
 01134   416   NtQueryValueKey  (116,  (116, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01135   416   NtClose  (116, ... ) == 0x0
 01136   416   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01137   416   NtQueryInformationToken  (112, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0
 01138   416   NtQueryInformationToken  (112, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0
 01139   416   NtClose  (112, ... ) == 0x0
 01140   416   NtCreateProcessEx  (1242996, 2035711, 0, -1, 0, 108, 0, 0, 0, ... ) == 0x0
 01141   416   NtQueryInformationProcess  (112, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=384,ParentPid=408,}, 0x0, ) == 0x0
 01142   416   NtReadVirtualMemory  (112, 0x7ffdf008, 4, ...  (112, 0x7ffdf008, 4, ... "\0\0\200\11", 0x0, ) , 0x0, ) == 0x0
 01143   416   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~1.tmp.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01144   416   NtAllocateVirtualMemory  (-1, 1429504, 0, 8192, 4096, 4, ... 1429504, 8192, ) == 0x0
 01145   416   NtReadVirtualMemory  (112, 0x9800000, 4096, ...  (112, 0x9800000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0    \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\310\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\7\361\203\330C\220\355\213C\220\355\213C\220\355\213\300\230\260\213@\220\355\213C\220\354\213B\220\355\213C\220\355\213B\220\355\213F\234\267\213B\220\355\213RichC\220\355\213\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0\206\23\36C\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\12\0\0\0\0\0\246\0\0\0L\0\0\0\24\1\0\0\20\0\0\0\20\0\0\0\0\200\11\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\200\1\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\10`\0\0(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\0\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.bss\0\0\0\0\34J\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0\300.rdata\0\0T\0\0\0", 4096, ) , 4096, ) == 0x0
 01146   416   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01147   416   NtQueryInformationProcess  (112, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=384,ParentPid=408,}, 0x0, ) == 0x0
 01148   416   NtAllocateVirtualMemory  (-1, 0, 0, 1772, 4096, 4, ... 10616832, 4096, ) == 0x0
 01149   416   NtAllocateVirtualMemory  (112, 0, 0, 1910, 4096, 4, ... 65536, 4096, ) == 0x0
 01150   416   NtWriteVirtualMemory  (112, 0x10000,  (112, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0
 01151   416   NtAllocateVirtualMemory  (112, 0, 0, 1772, 4096, 4, ... 131072, 4096, ) == 0x0
 01152   416   NtWriteVirtualMemory  (112, 0x20000,  (112, 0x20000, "\0\20\0\0\354\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\0\0\0\0\0\13\0\0\0$\0\10\2\220\2\0\0\0\0\0\0\32\1\34\1\230\4\0\0Z\0\\0\264\5\0\0Z\0\\0\20\6\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0Z\0\\0l\6\0\0\36\0 \0\310\6\0\0\0\0\2\0\350\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1772, ... 0x0, ) , 1772, ... 0x0, ) == 0x0
 01153   416   NtWriteVirtualMemory  (112, 0x7ffdf010,  (112, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 01154   416   NtWriteVirtualMemory  (112, 0x7ffdf1e8,  (112, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 01155   416   NtFreeVirtualMemory  (-1, (0xa20000), 0, 32768, ... (0xa20000), 4096, ) == 0x0
 01156   416   NtAllocateVirtualMemory  (112, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0
 01157   416   NtAllocateVirtualMemory  (112, 1236992, 0, 8192, 4096, 4, ... 1236992, 8192, ) == 0x0
 01158   416   NtProtectVirtualMemory  (112, (0x12e000), 4096, 260, ... (0x12e000), 4096, 4, ) == 0x0
 01159   416   NtCreateThread  (0x1f03ff, 0x0, 112, 1241260, 1241980, 1, ... 116, {384, 380}, ) == 0x0
 01160   416   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 1378552, 1376256, 1422400, 1243080}  (24, {168, 196, new_msg, 0, 1378552, 1376256, 1422400, 1243080} "\0\0\0\0\0\0\1\0\2$\370w U\367ws\0\0\0t\0\0\0\200\1\0\0|\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 408, 416, 1498, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367wp\0\0\0t\0\0\0\200\1\0\0|\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {168, 196, reply, 0, 408, 416, 1498, 0}  (24, {168, 196, new_msg, 0, 1378552, 1376256, 1422400, 1243080} "\0\0\0\0\0\0\1\0\2$\370w U\367ws\0\0\0t\0\0\0\200\1\0\0|\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 408, 416, 1498, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367wp\0\0\0t\0\0\0\200\1\0\0|\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 01161   416   NtResumeThread  (116, ... 1, ) == 0x0
 01162   416   NtClose  (104, ... ) == 0x0
 01163   416   NtClose  (108, ... ) == 0x0
 01164   416   NtQueryInformationProcess  (112, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=384,ParentPid=408,}, 0x0, ) == 0x0
 01165   416   NtUserWaitForInputIdle  (384, 30000, 0, ...
 01166   416   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 108, ) == 0x0
 01167   416   NtClose  (108, ... ) == 0x0
 01165   416   NtUserWaitForInputIdle  ... ) == 0x102
 01168   416   NtClose  (112, ... ) == 0x0
 01169   416   NtClose  (116, ... ) == 0x0
 01170   416   NtQueryPerformanceCounter  (... {215726105, 0}, {3579545, 0}, ) == 0x0
 01171   416   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01172   416   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 10616832, 65536, ) == 0x0
 01173   416   NtAllocateVirtualMemory  (-1, 10616832, 0, 4096, 4096, 4, ... 10616832, 4096, ) == 0x0
 01174   416   NtAllocateVirtualMemory  (-1, 10620928, 0, 8192, 4096, 4, ... 10620928, 8192, ) == 0x0
 01175   416   NtAllocateVirtualMemory  (-1, 10629120, 0, 4096, 4096, 4, ... 10629120, 4096, ) == 0x0
 01176   416   NtAllocateVirtualMemory  (-1, 10633216, 0, 4096, 4096, 4, ... 10633216, 4096, ) == 0x0
 01177   416   NtAllocateVirtualMemory  (-1, 0, 0, 6, 12288, 64, ... 10682368, 4096, ) == 0x0
 01178   416   NtProtectVirtualMemory  (-1, (0xa30000), 6, 64, ...
 01179   416   NtContinue  (-135987412, 0, ...
 01178   416   NtProtectVirtualMemory  ... ) == STATUS_ACCESS_VIOLATION
 01180   416   NtFreeVirtualMemory  (-1, (0xa30000), 0, 32768, ... (0xa30000), 4096, ) == 0x0
 01181   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\U:\WORK\PACKED.EXE"}, 1241688, ... ) }, 1241688, ... ) == 0x0
 01182   416   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\U:\WORK\PACKED.EXE"}, 7, 2113568, ... 116, {status=0x0, info=1}, ) }, 7, 2113568, ... 116, {status=0x0, info=1}, ) == 0x0
 01183   416   NtSetInformationFile  (116, 1241664, 40, Basic, ... ) == STATUS_ACCESS_DENIED
 01184   416   NtClose  (116, ... ) == 0x0
 01185   416   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1241932,  (0x80100080, {24, 0, 0x40, 0, 1241932, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 116, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 116, {status=0x0, info=1}, ) == 0x0
 01186   416   NtQueryInformationFile  (116, 1242868, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0
 01187   416   NtQueryInformationFile  (116, 1242840, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01188   416   NtQueryInformationFile  (116, 1242792, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01189   416   NtQueryInformationFile  (116, 1430104, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0
 01190   416   NtQueryInformationFile  (116, 1241336, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01191   416   NtQueryInformationFile  (116, 1241180, 4, Ea, ... {status=0x0, info=4}, ) == 0x0
 01192   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM32\EUPSVC.EXE"}, 1240072, ... ) }, 1240072, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01193   416   NtCreateFile  (0x40110080, {24, 0, 0x40, 0, 1241188,  (0x40110080, {24, 0, 0x40, 0, 1241188, "\??\C:\WINDOWS\System32\eupsvc.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ...
 01194   416   NtClose  (-2147481992, ... ) == 0x0
 01193   416   NtCreateFile  ... 112, {status=0x0, info=2}, ) == 0x0
 01195   416   NtQueryVolumeInformationFile  (112, 1240560, 536, Attribute, ... {status=0x0, info=22}, ) == 0x0
 01196   416   NtQueryInformationFile  (112, 1240520, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01197   416   NtQueryVolumeInformationFile  (116, 1240560, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 01198   416   NtQueryVolumeInformationFile  (116, 1240244, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01199   416   NtSetInformationFile  (112, 1240348, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01200   416   NtAllocateVirtualMemory  (-1, 1437696, 0, 65536, 4096, 4, ... 1437696, 65536, ) == 0x0
 01201   416   NtReadFile  (116, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440},  (116, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0    \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\370\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0V^\2517\22?\307d\22?\307d\22?\307d5\371\272d\11?\307d5\371\252d\234?\307d5\371\251d ?\307d\2217\232d\20?\307d\3210\232d\35?\307d\22?\306d\277?\307d5\371\265d\16?\307d5\371\277d\23?\307dRich\22?\307d\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0o\241\3\243"\202\300O\253\236\215\371S\364\26\360PE\0\0L\1\10\0!u\342E\0\0\0\0\0\0\0\0\340\0\3\1\13\1\10\0\0\320\1\0\0\260\0\0\0\0\0\0\0\0\11\0\0\320\5\0\0\340\1\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\320\11\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\320\5\0\20\1\0\0\0\220\3\0\260\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\321\5\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.tex", ) \202\300O\253\236\215\371S\364\26\360PE\0\0L\1\10\0!u\342E\0\0\0\0\0\0\0\0\340\0\3\1\13\1\10\0\0\320\1\0\0\260\0\0\0\0\0\0\0\0\11\0\0\320\5\0\0\340\1\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\320\11\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\320\5\0\20\1\0\0\0\220\3\0\260\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\321\5\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.tex", ) == 0x0
 01202   416   NtWriteFile  (112, 0, 0, 0,  (112, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0    \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\370\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0V^\2517\22?\307d\22?\307d\22?\307d5\371\272d\11?\307d5\371\252d\234?\307d5\371\251d ?\307d\2217\232d\20?\307d\3210\232d\35?\307d\22?\306d\277?\307d5\371\265d\16?\307d5\371\277d\23?\307dRich\22?\307d\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0o\241\3\243"\202\300O\253\236\215\371S\364\26\360PE\0\0L\1\10\0!u\342E\0\0\0\0\0\0\0\0\340\0\3\1\13\1\10\0\0\320\1\0\0\260\0\0\0\0\0\0\0\0\11\0\0\320\5\0\0\340\1\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\320\11\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\320\5\0\20\1\0\0\0\220\3\0\260\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\321\5\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.tex", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) \202\300O\253\236\215\371S\364\26\360PE\0\0L\1\10\0!u\342E\0\0\0\0\0\0\0\0\340\0\3\1\13\1\10\0\0\320\1\0\0\260\0\0\0\0\0\0\0\0\11\0\0\320\5\0\0\340\1\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\320\11\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\320\5\0\20\1\0\0\0\220\3\0\260\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\321\5\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.tex", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 01203   416   NtReadFile  (116, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440},  (116, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, "\240\326\243_\3413\226\361\305d\223d\313?f\366\201\319\22\271\10\230\316Up}1T\356e\148\236@k\316\31f\346\324Z1-\354j\15\202\357K\321\352.uj\264r!\27I\355"\236\202I\0\4B\27\223\2005c\X\3]\235J\4[\12\216QY\200\211(\21\355RN\17AD\270%\255\21o\247\230\240\221\210$w\11\366H\6$\22\1=\31\371\240\230\202D\3046\356\0\344ru\377\207Kb\310\324)N\256\42D\314\267\265\276\251`\277AEM\16\270u\25\314U\3474\360Q\200\277\324\227\327\200\264(\1\7K\352"s\323\331\212\356jl5\225\223"b\253\301T\13\201\324\245\311\0\243%2\327\352\241\250\210\301m\272\330\325\270MY\26\37l\264\221\267\273\350\243\256\342\347\264\20z\273{\355\227BO\352Z\37\273\353"D\261\300q\341\11\247}G\353\26\365\236\324\336\2\334\316\344BE\216Z\231\20\312\363#\12\304\\304V\5\336W\374\212\325\250*\226\361U\210\331J\367*\365\3\266t\235\211\222@\301JF\21\316~=\275\306W.\252\30\5.\356I\367{\10\374\373^\214J\254'\351F|*\376\232\304.\256\7fCKB\267h\221\326\31\25,F.\355(+\343\334\35\14\204#\257k\223E24\210\223\5\364Y(?4i\3665]\227@\236\250v\214M::vS\355\367c\253\2031s\31\21\361\245*\356\311\316E\234\5\206)\316i)\316%a\203\326#\311x9A\247\374\12\274hs\201\245\4$W@\312h#"Xe\28R3\373\303;\212N\233\232\324!%i\271U\7\13\243][\370``\365\1\223\32V\21)\244\352\207C\305\200\342xc\220:`\232T\2302?\14\243\315\2kW\245\300\330\314\367\273\3001\225", ) \236\202I\0\4B\27\223\2005c\X\3]\235J\4[\12\216QY\200\211(\21\355RN\17AD\270%\255\21o\247\230\240\221\210$w\11\366H\6$\22\1=\31\371\240\230\202D\3046\356\0\344ru\377\207Kb\310\324)N\256\42D\314\267\265\276\251`\277AEM\16\270u\25\314U\3474\360Q\200\277\324\227\327\200\264(\1\7K\352 (116, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, "\240\326\243_\3413\226\361\305d\223d\313?f\366\201\319\22\271\10\230\316Up}1T\356e\148\236@k\316\31f\346\324Z1-\354j\15\202\357K\321\352.uj\264r!\27I\355"\236\202I\0\4B\27\223\2005c\X\3]\235J\4[\12\216QY\200\211(\21\355RN\17AD\270%\255\21o\247\230\240\221\210$w\11\366H\6$\22\1=\31\371\240\230\202D\3046\356\0\344ru\377\207Kb\310\324)N\256\42D\314\267\265\276\251`\277AEM\16\270u\25\314U\3474\360Q\200\277\324\227\327\200\264(\1\7K\352"s\323\331\212\356jl5\225\223"b\253\301T\13\201\324\245\311\0\243%2\327\352\241\250\210\301m\272\330\325\270MY\26\37l\264\221\267\273\350\243\256\342\347\264\20z\273{\355\227BO\352Z\37\273\353"D\261\300q\341\11\247}G\353\26\365\236\324\336\2\334\316\344BE\216Z\231\20\312\363#\12\304\\304V\5\336W\374\212\325\250*\226\361U\210\331J\367*\365\3\266t\235\211\222@\301JF\21\316~=\275\306W.\252\30\5.\356I\367{\10\374\373^\214J\254'\351F|*\376\232\304.\256\7fCKB\267h\221\326\31\25,F.\355(+\343\334\35\14\204#\257k\223E24\210\223\5\364Y(?4i\3665]\227@\236\250v\214M::vS\355\367c\253\2031s\31\21\361\245*\356\311\316E\234\5\206)\316i)\316%a\203\326#\311x9A\247\374\12\274hs\201\245\4$W@\312h#"Xe\28R3\373\303;\212N\233\232\324!%i\271U\7\13\243][\370``\365\1\223\32V\21)\244\352\207C\305\200\342xc\220:`\232T\2302?\14\243\315\2kW\245\300\330\314\367\273\3001\225", ) b\253\301T\13\201\324\245\311\0\243%2\327\352\241\250\210\301m\272\330\325\270MY\26\37l\264\221\267\273\350\243\256\342\347\264\20z\273{\355\227BO\352Z\37\273\353 (116, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, "\240\326\243_\3413\226\361\305d\223d\313?f\366\201\319\22\271\10\230\316Up}1T\356e\148\236@k\316\31f\346\324Z1-\354j\15\202\357K\321\352.uj\264r!\27I\355"\236\202I\0\4B\27\223\2005c\X\3]\235J\4[\12\216QY\200\211(\21\355RN\17AD\270%\255\21o\247\230\240\221\210$w\11\366H\6$\22\1=\31\371\240\230\202D\3046\356\0\344ru\377\207Kb\310\324)N\256\42D\314\267\265\276\251`\277AEM\16\270u\25\314U\3474\360Q\200\277\324\227\327\200\264(\1\7K\352"s\323\331\212\356jl5\225\223"b\253\301T\13\201\324\245\311\0\243%2\327\352\241\250\210\301m\272\330\325\270MY\26\37l\264\221\267\273\350\243\256\342\347\264\20z\273{\355\227BO\352Z\37\273\353"D\261\300q\341\11\247}G\353\26\365\236\324\336\2\334\316\344BE\216Z\231\20\312\363#\12\304\\304V\5\336W\374\212\325\250*\226\361U\210\331J\367*\365\3\266t\235\211\222@\301JF\21\316~=\275\306W.\252\30\5.\356I\367{\10\374\373^\214J\254'\351F|*\376\232\304.\256\7fCKB\267h\221\326\31\25,F.\355(+\343\334\35\14\204#\257k\223E24\210\223\5\364Y(?4i\3665]\227@\236\250v\214M::vS\355\367c\253\2031s\31\21\361\245*\356\311\316E\234\5\206)\316i)\316%a\203\326#\311x9A\247\374\12\274hs\201\245\4$W@\312h#"Xe\28R3\373\303;\212N\233\232\324!%i\271U\7\13\243][\370``\365\1\223\32V\21)\244\352\207C\305\200\342xc\220:`\232T\2302?\14\243\315\2kW\245\300\330\314\367\273\3001\225", ) Xe\28R3\373\303;\212N\233\232\324!%i\271U\7\13\243][\370``\365\1\223\32V\21)\244\352\207C\305\200\342xc\220:`\232T\2302?\14\243\315\2kW\245\300\330\314\367\273\3001\225", ) == 0x0
 01204   416   NtWriteFile  (112, 0, 0, 0,  (112, 0, 0, 0, "\240\326\243_\3413\226\361\305d\223d\313?f\366\201\319\22\271\10\230\316Up}1T\356e\148\236@k\316\31f\346\324Z1-\354j\15\202\357K\321\352.uj\264r!\27I\355"\236\202I\0\4B\27\223\2005c\X\3]\235J\4[\12\216QY\200\211(\21\355RN\17AD\270%\255\21o\247\230\240\221\210$w\11\366H\6$\22\1=\31\371\240\230\202D\3046\356\0\344ru\377\207Kb\310\324)N\256\42D\314\267\265\276\251`\277AEM\16\270u\25\314U\3474\360Q\200\277\324\227\327\200\264(\1\7K\352"s\323\331\212\356jl5\225\223"b\253\301T\13\201\324\245\311\0\243%2\327\352\241\250\210\301m\272\330\325\270MY\26\37l\264\221\267\273\350\243\256\342\347\264\20z\273{\355\227BO\352Z\37\273\353"D\261\300q\341\11\247}G\353\26\365\236\324\336\2\334\316\344BE\216Z\231\20\312\363#\12\304\\304V\5\336W\374\212\325\250*\226\361U\210\331J\367*\365\3\266t\235\211\222@\301JF\21\316~=\275\306W.\252\30\5.\356I\367{\10\374\373^\214J\254'\351F|*\376\232\304.\256\7fCKB\267h\221\326\31\25,F.\355(+\343\334\35\14\204#\257k\223E24\210\223\5\364Y(?4i\3665]\227@\236\250v\214M::vS\355\367c\253\2031s\31\21\361\245*\356\311\316E\234\5\206)\316i)\316%a\203\326#\311x9A\247\374\12\274hs\201\245\4$W@\312h#"Xe\28R3\373\303;\212N\233\232\324!%i\271U\7\13\243][\370``\365\1\223\32V\21)\244\352\207C\305\200\342xc\220:`\232T\2302?\14\243\315\2kW\245\300\330\314\367\273\3001\225", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) \236\202I\0\4B\27\223\2005c\X\3]\235J\4[\12\216QY\200\211(\21\355RN\17AD\270%\255\21o\247\230\240\221\210$w\11\366H\6$\22\1=\31\371\240\230\202D\3046\356\0\344ru\377\207Kb\310\324)N\256\42D\314\267\265\276\251`\277AEM\16\270u\25\314U\3474\360Q\200\277\324\227\327\200\264(\1\7K\352 (112, 0, 0, 0, "\240\326\243_\3413\226\361\305d\223d\313?f\366\201\319\22\271\10\230\316Up}1T\356e\148\236@k\316\31f\346\324Z1-\354j\15\202\357K\321\352.uj\264r!\27I\355"\236\202I\0\4B\27\223\2005c\X\3]\235J\4[\12\216QY\200\211(\21\355RN\17AD\270%\255\21o\247\230\240\221\210$w\11\366H\6$\22\1=\31\371\240\230\202D\3046\356\0\344ru\377\207Kb\310\324)N\256\42D\314\267\265\276\251`\277AEM\16\270u\25\314U\3474\360Q\200\277\324\227\327\200\264(\1\7K\352"s\323\331\212\356jl5\225\223"b\253\301T\13\201\324\245\311\0\243%2\327\352\241\250\210\301m\272\330\325\270MY\26\37l\264\221\267\273\350\243\256\342\347\264\20z\273{\355\227BO\352Z\37\273\353"D\261\300q\341\11\247}G\353\26\365\236\324\336\2\334\316\344BE\216Z\231\20\312\363#\12\304\\304V\5\336W\374\212\325\250*\226\361U\210\331J\367*\365\3\266t\235\211\222@\301JF\21\316~=\275\306W.\252\30\5.\356I\367{\10\374\373^\214J\254'\351F|*\376\232\304.\256\7fCKB\267h\221\326\31\25,F.\355(+\343\334\35\14\204#\257k\223E24\210\223\5\364Y(?4i\3665]\227@\236\250v\214M::vS\355\367c\253\2031s\31\21\361\245*\356\311\316E\234\5\206)\316i)\316%a\203\326#\311x9A\247\374\12\274hs\201\245\4$W@\312h#"Xe\28R3\373\303;\212N\233\232\324!%i\271U\7\13\243][\370``\365\1\223\32V\21)\244\352\207C\305\200\342xc\220:`\232T\2302?\14\243\315\2kW\245\300\330\314\367\273\3001\225", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) b\253\301T\13\201\324\245\311\0\243%2\327\352\241\250\210\301m\272\330\325\270MY\26\37l\264\221\267\273\350\243\256\342\347\264\20z\273{\355\227BO\352Z\37\273\353 (112, 0, 0, 0, "\240\326\243_\3413\226\361\305d\223d\313?f\366\201\319\22\271\10\230\316Up}1T\356e\148\236@k\316\31f\346\324Z1-\354j\15\202\357K\321\352.uj\264r!\27I\355"\236\202I\0\4B\27\223\2005c\X\3]\235J\4[\12\216QY\200\211(\21\355RN\17AD\270%\255\21o\247\230\240\221\210$w\11\366H\6$\22\1=\31\371\240\230\202D\3046\356\0\344ru\377\207Kb\310\324)N\256\42D\314\267\265\276\251`\277AEM\16\270u\25\314U\3474\360Q\200\277\324\227\327\200\264(\1\7K\352"s\323\331\212\356jl5\225\223"b\253\301T\13\201\324\245\311\0\243%2\327\352\241\250\210\301m\272\330\325\270MY\26\37l\264\221\267\273\350\243\256\342\347\264\20z\273{\355\227BO\352Z\37\273\353"D\261\300q\341\11\247}G\353\26\365\236\324\336\2\334\316\344BE\216Z\231\20\312\363#\12\304\\304V\5\336W\374\212\325\250*\226\361U\210\331J\367*\365\3\266t\235\211\222@\301JF\21\316~=\275\306W.\252\30\5.\356I\367{\10\374\373^\214J\254'\351F|*\376\232\304.\256\7fCKB\267h\221\326\31\25,F.\355(+\343\334\35\14\204#\257k\223E24\210\223\5\364Y(?4i\3665]\227@\236\250v\214M::vS\355\367c\253\2031s\31\21\361\245*\356\311\316E\234\5\206)\316i)\316%a\203\326#\311x9A\247\374\12\274hs\201\245\4$W@\312h#"Xe\28R3\373\303;\212N\233\232\324!%i\271U\7\13\243][\370``\365\1\223\32V\21)\244\352\207C\305\200\342xc\220:`\232T\2302?\14\243\315\2kW\245\300\330\314\367\273\3001\225", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) Xe\28R3\373\303;\212N\233\232\324!%i\271U\7\13\243][\370``\365\1\223\32V\21)\244\352\207C\305\200\342xc\220:`\232T\2302?\14\243\315\2kW\245\300\330\314\367\273\3001\225", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 01205   416   NtReadFile  (116, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440},  (116, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, "\353`m\263\222\16Zi\373\3759\377Al:\306\233\30\21!g\226\254j\14Q\312\366P)6\252\361\374wR\276\216\30\3\6\310\255\6\303'tiZ\357L\17{\272\303\341\201\245\20\361\323yf&\17\6\11\261\207\300\303\321\17\30\367u@\301\324\371\356-\253.S\255\244"O2\34\22\255\274;T\237\363\354\11g\5\17\260Q\25e\345\233k\272O\313\202dw\355\277N\371:\373\346N\324R\352\11\21\36\225H\31\253\326g_\31-w\264'\304\336\245r\330\\277\3C&\3\341(\372\275\244\2113&y\366\12\331\11H\22E\331P\320\324\374\304\375b\232b\354\253nU\230\266\32U\372\330\266FP\207^b,\256\27G\325Hz|\264\315\216S\247\2c\263\34\267\10\320G\205\237\323\37\36\367\235\253\322\211\226\263\325#%\272\325\252V\357T\336Hw[9x\37\374\26G\207\35\253\7\225[<~\257\20221a\375\233\300<\374^\337\352\231D\225m\25\21s\225\244\340\3\206\15\302\331\13\257`\221\352\355=;\377}\104\363L\224\1181\243\346u\317\346\204\350\33=\276,z\263\203\227\353\342\361\340G\263\345\274\6\253c\230\262n\2260V-?\370\242\371\376=\235\355+\232\306\315\353\27\235[^\17\245\322\4K\271B\252\314\343E{0q\206\325\212\352\314\16\342\244\27\241\324U_[oL\327\332\320h\264\22\311\206\255\312\301\2774\364\300\242\310\34J\277.\261k\13g\353\251\32\307\234\7XX\301e7\227\26\322\360\226R\200\242\12m\363\331r\336+\202\30\341]\263\254\273l\21\27\343\210\24\255\245EV\4\305\310_\247\322\237|\326fT\213\251\255\267\2\255\13Uev(\374\375\37\226\275M\300]\310\215\316\303\7\202H\343p3\45\367\247}\377\26Fb\255", ) O2\34\22\255\274;T\237\363\354\11g\5\17\260Q\25e\345\233k\272O\313\202dw\355\277N\371:\373\346N\324R\352\11\21\36\225H\31\253\326g_\31-w\264'\304\336\245r\330\\277\3C&\3\341(\372\275\244\2113&y\366\12\331\11H\22E\331P\320\324\374\304\375b\232b\354\253nU\230\266\32U\372\330\266FP\207^b,\256\27G\325Hz|\264\315\216S\247\2c\263\34\267\10\320G\205\237\323\37\36\367\235\253\322\211\226\263\325#%\272\325\252V\357T\336Hw[9x\37\374\26G\207\35\253\7\225[<~\257\20221a\375\233\300<\374^\337\352\231D\225m\25\21s\225\244\340\3\206\15\302\331\13\257`\221\352\355=;\377}\104\363L\224\1181\243\346u\317\346\204\350\33=\276,z\263\203\227\353\342\361\340G\263\345\274\6\253c\230\262n\2260V-?\370\242\371\376=\235\355+\232\306\315\353\27\235[^\17\245\322\4K\271B\252\314\343E{0q\206\325\212\352\314\16\342\244\27\241\324U_[oL\327\332\320h\264\22\311\206\255\312\301\2774\364\300\242\310\34J\277.\261k\13g\353\251\32\307\234\7XX\301e7\227\26\322\360\226R\200\242\12m\363\331r\336+\202\30\341]\263\254\273l\21\27\343\210\24\255\245EV\4\305\310_\247\322\237|\326fT\213\251\255\267\2\255\13Uev(\374\375\37\226\275M\300]\310\215\316\303\7\202H\343p3\45\367\247}\377\26Fb\255", ) == 0x0
 01206   416   NtWriteFile  (112, 0, 0, 0,  (112, 0, 0, 0, "\353`m\263\222\16Zi\373\3759\377Al:\306\233\30\21!g\226\254j\14Q\312\366P)6\252\361\374wR\276\216\30\3\6\310\255\6\303'tiZ\357L\17{\272\303\341\201\245\20\361\323yf&\17\6\11\261\207\300\303\321\17\30\367u@\301\324\371\356-\253.S\255\244"O2\34\22\255\274;T\237\363\354\11g\5\17\260Q\25e\345\233k\272O\313\202dw\355\277N\371:\373\346N\324R\352\11\21\36\225H\31\253\326g_\31-w\264'\304\336\245r\330\\277\3C&\3\341(\372\275\244\2113&y\366\12\331\11H\22E\331P\320\324\374\304\375b\232b\354\253nU\230\266\32U\372\330\266FP\207^b,\256\27G\325Hz|\264\315\216S\247\2c\263\34\267\10\320G\205\237\323\37\36\367\235\253\322\211\226\263\325#%\272\325\252V\357T\336Hw[9x\37\374\26G\207\35\253\7\225[<~\257\20221a\375\233\300<\374^\337\352\231D\225m\25\21s\225\244\340\3\206\15\302\331\13\257`\221\352\355=;\377}\104\363L\224\1181\243\346u\317\346\204\350\33=\276,z\263\203\227\353\342\361\340G\263\345\274\6\253c\230\262n\2260V-?\370\242\371\376=\235\355+\232\306\315\353\27\235[^\17\245\322\4K\271B\252\314\343E{0q\206\325\212\352\314\16\342\244\27\241\324U_[oL\327\332\320h\264\22\311\206\255\312\301\2774\364\300\242\310\34J\277.\261k\13g\353\251\32\307\234\7XX\301e7\227\26\322\360\226R\200\242\12m\363\331r\336+\202\30\341]\263\254\273l\21\27\343\210\24\255\245EV\4\305\310_\247\322\237|\326fT\213\251\255\267\2\255\13Uev(\374\375\37\226\275M\300]\310\215\316\303\7\202H\343p3\45\367\247}\377\26Fb\255", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) O2\34\22\255\274;T\237\363\354\11g\5\17\260Q\25e\345\233k\272O\313\202dw\355\277N\371:\373\346N\324R\352\11\21\36\225H\31\253\326g_\31-w\264'\304\336\245r\330\\277\3C&\3\341(\372\275\244\2113&y\366\12\331\11H\22E\331P\320\324\374\304\375b\232b\354\253nU\230\266\32U\372\330\266FP\207^b,\256\27G\325Hz|\264\315\216S\247\2c\263\34\267\10\320G\205\237\323\37\36\367\235\253\322\211\226\263\325#%\272\325\252V\357T\336Hw[9x\37\374\26G\207\35\253\7\225[<~\257\20221a\375\233\300<\374^\337\352\231D\225m\25\21s\225\244\340\3\206\15\302\331\13\257`\221\352\355=;\377}\104\363L\224\1181\243\346u\317\346\204\350\33=\276,z\263\203\227\353\342\361\340G\263\345\274\6\253c\230\262n\2260V-?\370\242\371\376=\235\355+\232\306\315\353\27\235[^\17\245\322\4K\271B\252\314\343E{0q\206\325\212\352\314\16\342\244\27\241\324U_[oL\327\332\320h\264\22\311\206\255\312\301\2774\364\300\242\310\34J\277.\261k\13g\353\251\32\307\234\7XX\301e7\227\26\322\360\226R\200\242\12m\363\331r\336+\202\30\341]\263\254\273l\21\27\343\210\24\255\245EV\4\305\310_\247\322\237|\326fT\213\251\255\267\2\255\13Uev(\374\375\37\226\275M\300]\310\215\316\303\7\202H\343p3\45\367\247}\377\26Fb\255", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 01207   416   NtReadFile  (116, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440},  (116, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, "\25\313\36\270\214\226\21B\304\243`\371\275\66-:\177\243\35\264OQ\207\273\321\2559\243/O\202\300\216\234\3505\315D*\27+\220\360\354\201\205G\337\266\240\331\221\303\273\333\242\5w\247\254\25_\376\332\12\240\26\4!\212e\22e\344\276/Y\341\235] \362\240!YK\343F\36\370\36\13\255\270\361\316\245\210#\16\3\332\215\371fC\263\243\253\262\220\323]\21\37\12\277o\222\252\231\316T\354\207U\205\334\25-r\251\274\373%\22\251\66\313\2534g}S\177\17\271\232\360~\313E\234U\305\2515z\252\226\376g\211\15\203\364\316\275\314\310\237Iz\227+\233\317\270f\21\310?\266\367\213\251\24\34\365\321\307\370;\31?\334+\232\231~\30\0i\231c\303\36\325\253\361[\276\205lp\264O\224<\365\353\200B@\247\4\360\225\366B\212H9\336\252\242Ui\265\330\331\364\371\305a\3663\347\213[\315\250\343m\321\273$\203\210\350\27\234\271"\16\3774\312\215^\26\275{Yv}\366\322Tc\321'\221&2\275\244\352\343\12%\245\323\274\231\320\237,\270{\333a2m\331G\352\243\261\320\262~_\376A~wS-\366X*\275d?_\241S\37J\321\311fITQF\341Zm\320\320\312\23\30QfoQ%\236\24\241\202T\334t\264\211\376\320\300\25jt\331\365\2\245\15\276s\26\307\\331\267m`n5\272J\312\360\201\317\324(\375f]\355\33\256\13#\6\320\5D\6\247%\200\376\210oe\30+\368\243\2454\2137\327e\371\27\336\201\314\331$\3N]\177\341\227\3270\5\236\355\352\344\306\366\303t0\370\230i->LX\4\263\345 \364/\10\342\325\363X\33\277\357\260\357>G\344\344\244D)\373\23\23?\321^\205\16\337\372\240C\342\276", ) \16\3774\312\215^\26\275{Yv}\366\322Tc\321'\221&2\275\244\352\343\12%\245\323\274\231\320\237,\270{\333a2m\331G\352\243\261\320\262~_\376A~wS-\366X*\275d?_\241S\37J\321\311fITQF\341Zm\320\320\312\23\30QfoQ%\236\24\241\202T\334t\264\211\376\320\300\25jt\331\365\2\245\15\276s\26\307\\331\267m`n5\272J\312\360\201\317\324(\375f]\355\33\256\13#\6\320\5D\6\247%\200\376\210oe\30+\368\243\2454\2137\327e\371\27\336\201\314\331$\3N]\177\341\227\3270\5\236\355\352\344\306\366\303t0\370\230i->LX\4\263\345 \364/\10\342\325\363X\33\277\357\260\357>G\344\344\244D)\373\23\23?\321^\205\16\337\372\240C\342\276", ) == 0x0
 01208   416   NtWriteFile  (112, 0, 0, 0,  (112, 0, 0, 0, "\25\313\36\270\214\226\21B\304\243`\371\275\66-:\177\243\35\264OQ\207\273\321\2559\243/O\202\300\216\234\3505\315D*\27+\220\360\354\201\205G\337\266\240\331\221\303\273\333\242\5w\247\254\25_\376\332\12\240\26\4!\212e\22e\344\276/Y\341\235] \362\240!YK\343F\36\370\36\13\255\270\361\316\245\210#\16\3\332\215\371fC\263\243\253\262\220\323]\21\37\12\277o\222\252\231\316T\354\207U\205\334\25-r\251\274\373%\22\251\66\313\2534g}S\177\17\271\232\360~\313E\234U\305\2515z\252\226\376g\211\15\203\364\316\275\314\310\237Iz\227+\233\317\270f\21\310?\266\367\213\251\24\34\365\321\307\370;\31?\334+\232\231~\30\0i\231c\303\36\325\253\361[\276\205lp\264O\224<\365\353\200B@\247\4\360\225\366B\212H9\336\252\242Ui\265\330\331\364\371\305a\3663\347\213[\315\250\343m\321\273$\203\210\350\27\234\271"\16\3774\312\215^\26\275{Yv}\366\322Tc\321'\221&2\275\244\352\343\12%\245\323\274\231\320\237,\270{\333a2m\331G\352\243\261\320\262~_\376A~wS-\366X*\275d?_\241S\37J\321\311fITQF\341Zm\320\320\312\23\30QfoQ%\236\24\241\202T\334t\264\211\376\320\300\25jt\331\365\2\245\15\276s\26\307\\331\267m`n5\272J\312\360\201\317\324(\375f]\355\33\256\13#\6\320\5D\6\247%\200\376\210oe\30+\368\243\2454\2137\327e\371\27\336\201\314\331$\3N]\177\341\227\3270\5\236\355\352\344\306\366\303t0\370\230i->LX\4\263\345 \364/\10\342\325\363X\33\277\357\260\357>G\344\344\244D)\373\23\23?\321^\205\16\337\372\240C\342\276", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) \16\3774\312\215^\26\275{Yv}\366\322Tc\321'\221&2\275\244\352\343\12%\245\323\274\231\320\237,\270{\333a2m\331G\352\243\261\320\262~_\376A~wS-\366X*\275d?_\241S\37J\321\311fITQF\341Zm\320\320\312\23\30QfoQ%\236\24\241\202T\334t\264\211\376\320\300\25jt\331\365\2\245\15\276s\26\307\\331\267m`n5\272J\312\360\201\317\324(\375f]\355\33\256\13#\6\320\5D\6\247%\200\376\210oe\30+\368\243\2454\2137\327e\371\27\336\201\314\331$\3N]\177\341\227\3270\5\236\355\352\344\306\366\303t0\370\230i->LX\4\263\345 \364/\10\342\325\363X\33\277\357\260\357>G\344\344\244D)\373\23\23?\321^\205\16\337\372\240C\342\276", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 01209   416   NtReadFile  (116, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=21504},  (116, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=21504}, "\354\332\33\312 \372)\251=\360b8\24]\34G_\\13\204\261R\377V\372B\311|\224F\267\224\370Z\2709\330V\271\361T\216O\366=\323Q\305#\230\326\303\335\226a\305\237\212\301t\257 \3\312+\372 t\361|$\224\311\240\3449t.\372k\2550\7\16\36~w\361\234\335L\311[\262\240ouXL`\252\320+A\301\256\12\262z\316\225g\355c\266\27-\215U\350\323?V\277-\314'\237p\257Y\7\212I\252\365\310M\277\332\357G\241\35\334y\250\22'\374+\300\266\212\205\332\37\1\257@\300\247\3136\376B\23\12\231\235iLvN[O\212\203.\25\276q\334>\277s\220\246CvsN\5\277\301\370\3768\263\346\10\255M:]\224d\262\21\324\276y\232\277\357J\177\226\377e\252\r\21\233\320c\247\266w\10\245\371nW\10\204\253\376\27\330\6[\321\242=\6\353\5\274G\360F\3\12\252c\230\364\362\265\372\364\15\323$\331\10\3533P\23\223x\327\25\3763\240\211\4\323\316S\255\324\331\217{\252}`\371\14\204\202\310`\266\223\274\177\253+\227\321.\310\313\313\32T\226\22\302\11\27\3>\257B1\6y\345C\11)\306\211b\311Q\333\204n\346l\220\12W`\13\246\234[#\302\275\360H\22\260&\252SZ\222\365\200`,L\203C\374/\5Y\253\230\36Y\355Y\231-\275\12\373\377\276\246\36\225\307\27\347\205p99\324 \25RE\245%D\275\255\202\205\22\305\214D\307\332k\3469\323p\355@\324"\14\315N\204\264H\326\10\325\22\2437ET<\206\346\2747\264\377*\336\207A\361\351\4\367\302W\350\357\15@\203\304\207\272\11\34\236\363\220\367\27T\213\351", ) V\372B\311|\224F\267\224\370Z\2709\330V\271\361T\216O\366=\323Q\305#\230\326\303\335\226a\305\237\212\301t\257 \3\312+\372 t\361|$\224\311\240\3449t.\372k\2550\7\16\36~w\361\234\335L\311[\262\240ouXL`\252\320+A\301\256\12\262z\316\225g\355c\266\27-\215U\350\323?V\277-\314'\237p\257Y\7\212I\252\365\310M\277\332\357G\241\35\334y\250\22'\374+\300\266\212\205\332\37\1\257@\300\247\3136\376B\23\12\231\235iLvN[O\212\203.\25\276q\334>\277s\220\246CvsN\5\277\301\370\3768\263\346\10\255M:]\224d\262\21\324\276y\232\277\357J\177\226\377e\252\r\21\233\320c\247\266w\10\245\371nW\10\204\253\376\27\330\6[\321\242=\6\353\5\274G\360F\3\12\252c\230\364\362\265\372\364\15\323$\331\10\3533P\23\223x\327\25\3763\240\211\4\323\316S\255\324\331\217{\252}`\371\14\204\202\310`\266\223\274\177\253+\227\321.\310\313\313\32T\226\22\302\11\27\3>\257B1\6y\345C\11)\306\211b\311Q\333\204n\346l\220\12W`\13\246\234[#\302\275\360H\22\260&\252SZ\222\365\200`,L\203C\374/\5Y\253\230\36Y\355Y\231-\275\12\373\377\276\246\36\225\307\27\347\205p99\324 \25RE\245%D\275\255\202\205\22\305\214D\307\332k\3469\323p\355@\324 (116, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=21504}, "\354\332\33\312 \372)\251=\360b8\24]\34G_\\13\204\261R\377V\372B\311|\224F\267\224\370Z\2709\330V\271\361T\216O\366=\323Q\305#\230\326\303\335\226a\305\237\212\301t\257 \3\312+\372 t\361|$\224\311\240\3449t.\372k\2550\7\16\36~w\361\234\335L\311[\262\240ouXL`\252\320+A\301\256\12\262z\316\225g\355c\266\27-\215U\350\323?V\277-\314'\237p\257Y\7\212I\252\365\310M\277\332\357G\241\35\334y\250\22'\374+\300\266\212\205\332\37\1\257@\300\247\3136\376B\23\12\231\235iLvN[O\212\203.\25\276q\334>\277s\220\246CvsN\5\277\301\370\3768\263\346\10\255M:]\224d\262\21\324\276y\232\277\357J\177\226\377e\252\r\21\233\320c\247\266w\10\245\371nW\10\204\253\376\27\330\6[\321\242=\6\353\5\274G\360F\3\12\252c\230\364\362\265\372\364\15\323$\331\10\3533P\23\223x\327\25\3763\240\211\4\323\316S\255\324\331\217{\252}`\371\14\204\202\310`\266\223\274\177\253+\227\321.\310\313\313\32T\226\22\302\11\27\3>\257B1\6y\345C\11)\306\211b\311Q\333\204n\346l\220\12W`\13\246\234[#\302\275\360H\22\260&\252SZ\222\365\200`,L\203C\374/\5Y\253\230\36Y\355Y\231-\275\12\373\377\276\246\36\225\307\27\347\205p99\324 \25RE\245%D\275\255\202\205\22\305\214D\307\332k\3469\323p\355@\324"\14\315N\204\264H\326\10\325\22\2437ET<\206\346\2747\264\377*\336\207A\361\351\4\367\302W\350\357\15@\203\304\207\272\11\34\236\363\220\367\27T\213\351", ) , ) == 0x0
 01210   416   NtWriteFile  (112, 0, 0, 0,  (112, 0, 0, 0, "\354\332\33\312 \372)\251=\360b8\24]\34G_\\13\204\261R\377V\372B\311|\224F\267\224\370Z\2709\330V\271\361T\216O\366=\323Q\305#\230\326\303\335\226a\305\237\212\301t\257 \3\312+\372 t\361|$\224\311\240\3449t.\372k\2550\7\16\36~w\361\234\335L\311[\262\240ouXL`\252\320+A\301\256\12\262z\316\225g\355c\266\27-\215U\350\323?V\277-\314'\237p\257Y\7\212I\252\365\310M\277\332\357G\241\35\334y\250\22'\374+\300\266\212\205\332\37\1\257@\300\247\3136\376B\23\12\231\235iLvN[O\212\203.\25\276q\334>\277s\220\246CvsN\5\277\301\370\3768\263\346\10\255M:]\224d\262\21\324\276y\232\277\357J\177\226\377e\252\r\21\233\320c\247\266w\10\245\371nW\10\204\253\376\27\330\6[\321\242=\6\353\5\274G\360F\3\12\252c\230\364\362\265\372\364\15\323$\331\10\3533P\23\223x\327\25\3763\240\211\4\323\316S\255\324\331\217{\252}`\371\14\204\202\310`\266\223\274\177\253+\227\321.\310\313\313\32T\226\22\302\11\27\3>\257B1\6y\345C\11)\306\211b\311Q\333\204n\346l\220\12W`\13\246\234[#\302\275\360H\22\260&\252SZ\222\365\200`,L\203C\374/\5Y\253\230\36Y\355Y\231-\275\12\373\377\276\246\36\225\307\27\347\205p99\324 \25RE\245%D\275\255\202\205\22\305\214D\307\332k\3469\323p\355@\324"\14\315N\204\264H\326\10\325\22\2437ET<\206\346\2747\264\377*\336\207A\361\351\4\367\302W\350\357\15@\203\304\207\272\11\34\236\363\220\367\27T\213\351", 21504, 0x0, 0, ... {status=0x0, info=21504}, ) V\372B\311|\224F\267\224\370Z\2709\330V\271\361T\216O\366=\323Q\305#\230\326\303\335\226a\305\237\212\301t\257 \3\312+\372 t\361|$\224\311\240\3449t.\372k\2550\7\16\36~w\361\234\335L\311[\262\240ouXL`\252\320+A\301\256\12\262z\316\225g\355c\266\27-\215U\350\323?V\277-\314'\237p\257Y\7\212I\252\365\310M\277\332\357G\241\35\334y\250\22'\374+\300\266\212\205\332\37\1\257@\300\247\3136\376B\23\12\231\235iLvN[O\212\203.\25\276q\334>\277s\220\246CvsN\5\277\301\370\3768\263\346\10\255M:]\224d\262\21\324\276y\232\277\357J\177\226\377e\252\r\21\233\320c\247\266w\10\245\371nW\10\204\253\376\27\330\6[\321\242=\6\353\5\274G\360F\3\12\252c\230\364\362\265\372\364\15\323$\331\10\3533P\23\223x\327\25\3763\240\211\4\323\316S\255\324\331\217{\252}`\371\14\204\202\310`\266\223\274\177\253+\227\321.\310\313\313\32T\226\22\302\11\27\3>\257B1\6y\345C\11)\306\211b\311Q\333\204n\346l\220\12W`\13\246\234[#\302\275\360H\22\260&\252SZ\222\365\200`,L\203C\374/\5Y\253\230\36Y\355Y\231-\275\12\373\377\276\246\36\225\307\27\347\205p99\324 \25RE\245%D\275\255\202\205\22\305\214D\307\332k\3469\323p\355@\324 (112, 0, 0, 0, "\354\332\33\312 \372)\251=\360b8\24]\34G_\\13\204\261R\377V\372B\311|\224F\267\224\370Z\2709\330V\271\361T\216O\366=\323Q\305#\230\326\303\335\226a\305\237\212\301t\257 \3\312+\372 t\361|$\224\311\240\3449t.\372k\2550\7\16\36~w\361\234\335L\311[\262\240ouXL`\252\320+A\301\256\12\262z\316\225g\355c\266\27-\215U\350\323?V\277-\314'\237p\257Y\7\212I\252\365\310M\277\332\357G\241\35\334y\250\22'\374+\300\266\212\205\332\37\1\257@\300\247\3136\376B\23\12\231\235iLvN[O\212\203.\25\276q\334>\277s\220\246CvsN\5\277\301\370\3768\263\346\10\255M:]\224d\262\21\324\276y\232\277\357J\177\226\377e\252\r\21\233\320c\247\266w\10\245\371nW\10\204\253\376\27\330\6[\321\242=\6\353\5\274G\360F\3\12\252c\230\364\362\265\372\364\15\323$\331\10\3533P\23\223x\327\25\3763\240\211\4\323\316S\255\324\331\217{\252}`\371\14\204\202\310`\266\223\274\177\253+\227\321.\310\313\313\32T\226\22\302\11\27\3>\257B1\6y\345C\11)\306\211b\311Q\333\204n\346l\220\12W`\13\246\234[#\302\275\360H\22\260&\252SZ\222\365\200`,L\203C\374/\5Y\253\230\36Y\355Y\231-\275\12\373\377\276\246\36\225\307\27\347\205p99\324 \25RE\245%D\275\255\202\205\22\305\214D\307\332k\3469\323p\355@\324"\14\315N\204\264H\326\10\325\22\2437ET<\206\346\2747\264\377*\336\207A\361\351\4\367\302W\350\357\15@\203\304\207\272\11\34\236\363\220\367\27T\213\351", 21504, 0x0, 0, ... {status=0x0, info=21504}, ) , 21504, 0x0, 0, ... {status=0x0, info=21504}, ) == 0x0
 01211   416   NtReadFile  (116, 0, 0, 0, 61440, 0x0, 0, ... ) == STATUS_END_OF_FILE
 01212   416   NtFreeVirtualMemory  (-1, (0x15f000), 65536, 16384, ... (0x15f000), 65536, ) == 0x0
 01213   416   NtSetInformationFile  (112, 1242792, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01214   416   NtClose  (116, ... ) == 0x0
 01215   416   NtClose  (112, ... ) == 0x0
 01216   416   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 01217   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\eupsvc.exe"}, 1239084, ... ) }, 1239084, ... ) == 0x0
 01218   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\eupsvc.exe"}, 1239776, ... ) }, 1239776, ... ) == 0x0
 01219   416   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\eupsvc.exe"}, 5, 96, ... 112, {status=0x0, info=1}, ) }, 5, 96, ... 112, {status=0x0, info=1}, ) == 0x0
 01220   416   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 112, ... 116, ) == 0x0
 01221   416   NtQueryVolumeInformationFile  (112, 1239084, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01222   416   NtOpenMutant  (0x120001, {24, 52, 0x0, 0, 0,  (0x120001, {24, 52, 0x0, 0, 0, "ShimCacheMutex"}, ... 108, ) }, ... 108, ) == 0x0
 01223   416   NtWaitForSingleObject  (108, 0, {-1000000, -1}, ... ) == 0x0
 01224   416   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "ShimSharedMemory"}, ... 104, ) }, ... 104, ) == 0x0
 01225   416   NtMapViewOfSection  (104, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa30000), {0, 0}, 57344, ) == 0x0
 01226   416   NtReleaseMutant  (108, ... 0x0, ) == 0x0
 01227   416   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 120, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 120, {status=0x0, info=1}, ) == 0x0
 01228   416   NtQueryInformationFile  (120, 1237672, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01229   416   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 120, ... 124, ) == 0x0
 01230   416   NtMapViewOfSection  (124, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xa40000), 0x0, 1028096, ) == 0x0
 01231   416   NtQueryInformationFile  (120, 1237768, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01232   416   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01233   416   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 128, {status=0x0, info=1}, ) }, 3, 16417, ... 128, {status=0x0, info=1}, ) == 0x0
 01234   416   NtQueryDirectoryFile  (128, 0, 0, 0, 1235332, 616, BothDirectory, 1,  (128, 0, 0, 0, 1235332, 616, BothDirectory, 1, "eupsvc.exe", 0, ... {status=0x0, info=114}, ) , 0, ... {status=0x0, info=114}, ) == 0x0
 01235   416   NtClose  (128, ... ) == 0x0
 01236   416   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01237   416   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01238   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\eupsvc.exe"}, 1234720, ... ) }, 1234720, ... ) == 0x0
 01239   416   NtAllocateVirtualMemory  (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0
 01240   416   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 128, {status=0x0, info=1}, ) }, 3, 16417, ... 128, {status=0x0, info=1}, ) == 0x0
 01241   416   NtQueryDirectoryFile  (128, 0, 0, 0, 1234080, 616, BothDirectory, 1,  (128, 0, 0, 0, 1234080, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01242   416   NtClose  (128, ... ) == 0x0
 01243   416   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 128, {status=0x0, info=1}, ) }, 3, 16417, ... 128, {status=0x0, info=1}, ) == 0x0
 01244   416   NtQueryDirectoryFile  (128, 0, 0, 0, 1234080, 616, BothDirectory, 1,  (128, 0, 0, 0, 1234080, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01245   416   NtClose  (128, ... ) == 0x0
 01246   416   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 128, {status=0x0, info=1}, ) }, 3, 16417, ... 128, {status=0x0, info=1}, ) == 0x0
 01247   416   NtQueryDirectoryFile  (128, 0, 0, 0, 1234080, 616, BothDirectory, 1,  (128, 0, 0, 0, 1234080, 616, BothDirectory, 1, "eupsvc.exe", 0, ... {status=0x0, info=114}, ) , 0, ... {status=0x0, info=114}, ) == 0x0
 01248   416   NtClose  (128, ... ) == 0x0
 01249   416   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01250   416   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01251   416   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01252   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01253   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 128, ) == 0x0
 01254   416   NtQueryInformationToken  (128, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01255   416   NtClose  (128, ... ) == 0x0
 01256   416   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01257   416   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\eupsvc.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01258   416   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01259   416   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01260   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\eupsvc.exe"}, 1237000, ... ) }, 1237000, ... ) == 0x0
 01261   416   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 128, {status=0x0, info=1}, ) }, 3, 16417, ... 128, {status=0x0, info=1}, ) == 0x0
 01262   416   NtQueryDirectoryFile  (128, 0, 0, 0, 1236360, 616, BothDirectory, 1,  (128, 0, 0, 0, 1236360, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01263   416   NtClose  (128, ... ) == 0x0
 01264   416   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 128, {status=0x0, info=1}, ) }, 3, 16417, ... 128, {status=0x0, info=1}, ) == 0x0
 01265   416   NtQueryDirectoryFile  (128, 0, 0, 0, 1236360, 616, BothDirectory, 1,  (128, 0, 0, 0, 1236360, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01266   416   NtClose  (128, ... ) == 0x0
 01267   416   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 128, {status=0x0, info=1}, ) }, 3, 16417, ... 128, {status=0x0, info=1}, ) == 0x0
 01268   416   NtQueryDirectoryFile  (128, 0, 0, 0, 1236360, 616, BothDirectory, 1,  (128, 0, 0, 0, 1236360, 616, BothDirectory, 1, "eupsvc.exe", 0, ... {status=0x0, info=114}, ) , 0, ... {status=0x0, info=114}, ) == 0x0
 01269   416   NtClose  (128, ... ) == 0x0
 01270   416   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01271   416   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01272   416   NtWaitForSingleObject  (108, 0, {-1000000, -1}, ... ) == 0x0
 01273   416   NtQueryVolumeInformationFile  (112, 1237644, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01274   416   NtQueryInformationFile  (112, 1237624, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01275   416   NtQueryInformationFile  (112, 1237664, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01276   416   NtReleaseMutant  (108, ... 0x0, ) == 0x0
 01277   416   NtUnmapViewOfSection  (-1, 0xa40000, ... ) == 0x0
 01278   416   NtClose  (124, ... ) == 0x0
 01279   416   NtClose  (120, ... ) == 0x0
 01280   416   NtQuerySection  (116, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01281   416   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\eupsvc.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01282   416   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 01283   416   NtOpenProcessToken  (-1, 0xa, ... 120, ) == 0x0
 01284   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 124, ) }, ... 124, ) == 0x0
 01285   416   NtQueryValueKey  (124,  (124, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 01286   416   NtQueryValueKey  (124,  (124, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (124, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0
 01287   416   NtClose  (124, ... ) == 0x0
 01288   416   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 124, ) }, ... 124, ) == 0x0
 01289   416   NtQuerySymbolicLinkObject  (124, ...  (124, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0
 01290   416   NtClose  (124, ... ) == 0x0
 01291   416   NtQueryInformationFile  (112, 1237436, 528, Name, ... {status=0x0, info=60}, ) == 0x0
 01292   416   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01293   416   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01294   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\eupsvc.exe"}, 1236116, ... ) }, 1236116, ... ) == 0x0
 01295   416   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 124, {status=0x0, info=1}, ) }, 3, 16417, ... 124, {status=0x0, info=1}, ) == 0x0
 01296   416   NtQueryDirectoryFile  (124, 0, 0, 0, 1235476, 616, BothDirectory, 1,  (124, 0, 0, 0, 1235476, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01297   416   NtClose  (124, ... ) == 0x0
 01298   416   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 124, {status=0x0, info=1}, ) }, 3, 16417, ... 124, {status=0x0, info=1}, ) == 0x0
 01299   416   NtQueryDirectoryFile  (124, 0, 0, 0, 1235476, 616, BothDirectory, 1,  (124, 0, 0, 0, 1235476, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01300   416   NtClose  (124, ... ) == 0x0
 01301   416   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 124, {status=0x0, info=1}, ) }, 3, 16417, ... 124, {status=0x0, info=1}, ) == 0x0
 01302   416   NtQueryDirectoryFile  (124, 0, 0, 0, 1235476, 616, BothDirectory, 1,  (124, 0, 0, 0, 1235476, 616, BothDirectory, 1, "eupsvc.exe", 0, ... {status=0x0, info=114}, ) , 0, ... {status=0x0, info=114}, ) == 0x0
 01303   416   NtClose  (124, ... ) == 0x0
 01304   416   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01305   416   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01306   416   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 124, ) }, ... 124, ) == 0x0
 01307   416   NtQueryValueKey  (124,  (124, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01308   416   NtClose  (124, ... ) == 0x0
 01309   416   NtQueryInformationToken  (120, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0
 01310   416   NtQueryInformationToken  (120, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0
 01311   416   NtClose  (120, ... ) == 0x0
 01312   416   NtCreateProcessEx  (1241712, 2035711, 0, -1, 0, 116, 0, 0, 0, ... ) == 0x0
 01313   416   NtOpenSection  (0x6, {24, 52, 0x0, 0, 0,  (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 124, ) }, ... 124, ) == 0x0
 01314   416   NtMapViewOfSection  (124, 120, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0
 01315   416   NtClose  (124, ... ) == 0x0
 01316   416   NtProtectVirtualMemory  (120, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0
 01317   416   NtWriteVirtualMemory  (120, 0x77f7e603,  (120, 0x77f7e603, "\350q-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01318   416   NtProtectVirtualMemory  (120, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01319   416   NtWriteVirtualMemory  (120, 0x77f7e6a3,  (120, 0x77f7e6a3, "\350\36-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01320   416   NtProtectVirtualMemory  (120, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01321   416   NtWriteVirtualMemory  (120, 0x77f7e6b3,  (120, 0x77f7e6b3, "\350\33-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01322   416   NtSetInformationProcess  (120, PriorityClass, {process info, class 18, size 2}, 512, ... ) == 0x0
 01323   416   NtQueryInformationProcess  (120, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=1516,ParentPid=408,}, 0x0, ) == 0x0
 01324   416   NtReadVirtualMemory  (120, 0x7ffdf008, 4, ...  (120, 0x7ffdf008, 4, ... "\0\0@\0", 0x0, ) , 0x0, ) == 0x0
 01325   416   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\eupsvc.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01326   416   NtReadVirtualMemory  (120, 0x400000, 4096, ...  (120, 0x400000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0    \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\370\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0V^\2517\22?\307d\22?\307d\22?\307d5\371\272d\11?\307d5\371\252d\234?\307d5\371\251d ?\307d\2217\232d\20?\307d\3210\232d\35?\307d\22?\306d\277?\307d5\371\265d\16?\307d5\371\277d\23?\307dRich\22?\307d\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0o\241\3\243"\202\300O\253\236\215\371S\364\26\360PE\0\0L\1\10\0!u\342E\0\0\0\0\0\0\0\0\340\0\3\1\13\1\10\0\0\320\1\0\0\260\0\0\0\0\0\0\0\0\11\0\0\320\5\0\0\340\1\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\320\11\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\320\5\0\20\1\0\0\0\220\3\0\260\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\321\5\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.tex", 4096, ) \202\300O\253\236\215\371S\364\26\360PE\0\0L\1\10\0!u\342E\0\0\0\0\0\0\0\0\340\0\3\1\13\1\10\0\0\320\1\0\0\260\0\0\0\0\0\0\0\0\11\0\0\320\5\0\0\340\1\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\320\11\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\320\5\0\20\1\0\0\0\220\3\0\260\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\321\5\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.tex", 4096, ) == 0x0
 01327   416   NtReadVirtualMemory  (120, 0x439000, 256, ...  (120, 0x439000, 256, ... "\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\30\0\0\0\30\0\0\200\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\1\0\0\00\0\0\200\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\11\4\0\0H\0\0\0X\220\3\0V\0\0\0\344\4\0\0\0\0\0\0\15\12PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING", 256, ) urn:schemas-microsoft-com:asm.v1 (120, 0x439000, 256, ... "\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\30\0\0\0\30\0\0\200\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\1\0\0\00\0\0\200\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\11\4\0\0H\0\0\0X\220\3\0V\0\0\0\344\4\0\0\0\0\0\0\15\12PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING", 256, ) 1.0 (120, 0x439000, 256, ... "\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\30\0\0\0\30\0\0\200\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\1\0\0\00\0\0\200\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\11\4\0\0H\0\0\0X\220\3\0V\0\0\0\344\4\0\0\0\0\0\0\15\12PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING", 256, ) , 256, ) == 0x0
 01328   416   NtReadVirtualMemory  (120, 0x439018, 24, ...  (120, 0x439018, 24, ... "\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\1\0\0\00\0\0\200", 24, ) , 24, ) == 0x0
 01329   416   NtReadVirtualMemory  (120, 0x439030, 24, ...  (120, 0x439030, 24, ... "\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\11\4\0\0H\0\0\0", 24, ) , 24, ) == 0x0
 01330   416   NtReadVirtualMemory  (120, 0x439048, 16, ...  (120, 0x439048, 16, ... "X\220\3\0V\0\0\0\344\4\0\0\0\0\0\0", 16, ) , 16, ) == 0x0
 01331   416   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\eupsvc.exe.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01332   416   NtQueryInformationProcess  (120, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=1516,ParentPid=408,}, 0x0, ) == 0x0
 01333   416   NtAllocateVirtualMemory  (-1, 0, 0, 1716, 4096, 4, ... 10747904, 4096, ) == 0x0
 01334   416   NtAllocateVirtualMemory  (120, 0, 0, 1910, 4096, 4, ... 65536, 4096, ) == 0x0
 01335   416   NtWriteVirtualMemory  (120, 0x10000,  (120, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0
 01336   416   NtAllocateVirtualMemory  (120, 0, 0, 1716, 4096, 4, ... 131072, 4096, ) == 0x0
 01337   416   NtWriteVirtualMemory  (120, 0x20000,  (120, 0x20000, "\0\20\0\0\264\6\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0\10\2\220\2\0\0\0\0\0\0\374\0\376\0\230\4\0\0<\0>\0\230\5\0\0v\0x\0\330\5\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0<\0>\0P\6\0\0\36\0 \0\220\6\0\0\0\0\2\0\260\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1716, ... 0x0, ) , 1716, ... 0x0, ) == 0x0
 01338   416   NtWriteVirtualMemory  (120, 0x7ffdf010,  (120, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 01339   416   NtWriteVirtualMemory  (120, 0x7ffdf1e8,  (120, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 01340   416   NtFreeVirtualMemory  (-1, (0xa40000), 0, 32768, ... (0xa40000), 4096, ) == 0x0
 01341   416   NtAllocateVirtualMemory  (120, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0
 01342   416   NtAllocateVirtualMemory  (120, 1236992, 0, 8192, 4096, 4, ... 1236992, 8192, ) == 0x0
 01343   416   NtProtectVirtualMemory  (120, (0x12e000), 4096, 260, ... (0x12e000), 4096, 4, ) == 0x0
 01344   416   NtCreateThread  (0x1f03ff, 0x0, 120, 1239976, 1240696, 1, ... 124, {1516, 1520}, ) == 0x0
 01345   416   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 1378696, 1376256, 0, 1241796}  (24, {168, 196, new_msg, 0, 1378696, 1376256, 0, 1241796} "\210\6\31\1\0\0\1\0\2$\370wP\322\25\0{\0\0\0|\0\0\0\354\5\0\0\360\5\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\215\26\365w\0\0\0\0\1\0\0\0\0\0\0\0\1\1\1\0<\0@\0\244\6\31\1p\0\0\0x\0\0\0\0\0\0\0X\220C\0\0\0\0\0V\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0@\0\344\6\31\1\0\360\375\177\0\0\0\0\0\0\242\0\220\36\242\0" ... {168, 196, reply, 0, 408, 416, 2273, 0} "\320\231\26\0\0\0\1\0\0\0\0\0P\322\25\0x\0\0\0|\0\0\0\354\5\0\0\360\5\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\215\26\365w\0\0\0\0\1\0\0\0\0\0\0\0\1\1\1\0<\0@\0\244\6\31\1p\0\0\0x\0\0\0\0\0\0\0X\220C\0\0\0\0\0V\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0@\0\344\6\31\1\0\360\375\177\0\0\0\0\0\0\242\0\220\36\242\0" )  ... {168, 196, reply, 0, 408, 416, 2273, 0}  (24, {168, 196, new_msg, 0, 1378696, 1376256, 0, 1241796} "\210\6\31\1\0\0\1\0\2$\370wP\322\25\0{\0\0\0|\0\0\0\354\5\0\0\360\5\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\215\26\365w\0\0\0\0\1\0\0\0\0\0\0\0\1\1\1\0<\0@\0\244\6\31\1p\0\0\0x\0\0\0\0\0\0\0X\220C\0\0\0\0\0V\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0@\0\344\6\31\1\0\360\375\177\0\0\0\0\0\0\242\0\220\36\242\0" ... {168, 196, reply, 0, 408, 416, 2273, 0} "\320\231\26\0\0\0\1\0\0\0\0\0P\322\25\0x\0\0\0|\0\0\0\354\5\0\0\360\5\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\215\26\365w\0\0\0\0\1\0\0\0\0\0\0\0\1\1\1\0<\0@\0\244\6\31\1p\0\0\0x\0\0\0\0\0\0\0X\220C\0\0\0\0\0V\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0@\0\344\6\31\1\0\360\375\177\0\0\0\0\0\0\242\0\220\36\242\0" )  ) == 0x0
 01346   416   NtResumeThread  (124, ... 1, ) == 0x0
 01347   416   NtClose  (112, ... ) == 0x0
 01348   416   NtClose  (116, ... ) == 0x0
 01349   416   NtTerminateProcess  (0, 0, ... ) == 0x0
 01350   416   NtClose  (96, ... ) == 0x0
 01351   416   NtUnmapViewOfSection  (-1, 0x8f0000, ... ) == 0x0
 01352   416   NtClose  (100, ... ) == 0x0
 01353   416   NtClose  (80, ... ) == 0x0
 01354   416   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xa,}, 4, ... ) == 0x0
 01355   416   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc03b
 01356   416   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01357   416   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc03d
 01358   416   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01359   416   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc03f
 01360   416   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01361   416   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc041
 01362   416   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01363   416   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc043
 01364   416   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01365   416   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc045
 01366   416   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01367   416   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc047
 01368   416   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01369   416   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc049
 01370   416   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01371   416   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc04b
 01372   416   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01373   416   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc04d
 01374   416   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01375   416   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc04f
 01376   416   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01377   416   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc051
 01378   416   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01379   416   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc053
 01380   416   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01381   416   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc057
 01382   416   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01383   416   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc059
 01384   416   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01385   416   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc05b
 01386   416   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01387   416   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc05d
 01388   416   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01389   416   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc05f
 01390   416   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01391   416   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc017
 01392   416   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01393   416   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc019
 01394   416   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01395   416   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc018
 01396   416   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01397   416   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc01a
 01398   416   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01399   416   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc01c
 01400   416   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01401   416   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc01e
 01402   416   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01403   416   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc01b
 01404   416   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01405   416   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc068
 01406   416   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01407   416   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc06a
 01408   416   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01409   416   NtUnmapViewOfSection  (-1, 0x900000, ... ) == 0x0
 01410   416   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x4,}, 4, ... ) == 0x0
 01411   416   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x1,}, 4, ... ) == 0x0
 01412   416   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x2,}, 4, ... ) == 0x0
 01413   416   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x3,}, 4, ... ) == 0x0
 01414   416   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc03b
 01415   416   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01416   416   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc03d
 01417   416   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01418   416   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc03f
 01419   416   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01420   416   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc041
 01421   416   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01422   416   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc043
 01423   416   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01424   416   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc045
 01425   416   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01426   416   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc047
 01427   416   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01428   416   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc049
 01429   416   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01430   416   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc04b
 01431   416   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01432   416   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc04d
 01433   416   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01434   416   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc04f
 01435   416   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01436   416   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc051
 01437   416   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01438   416   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc053
 01439   416   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01440   416   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc057
 01441   416   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01442   416   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc059
 01443   416   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01444   416   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc05b
 01445   416   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01446   416   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc05d
 01447   416   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01448   416   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc05f
 01449   416   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01450   416   NtFreeVirtualMemory  (-1, (0xa10000), 4096, 32768, ... (0xa10000), 4096, ) == 0x0
 01451   416   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, -1, 4199054, 4310954, 4421244}  (24, {20, 48, new_msg, 0, -1, 4199054, 4310954, 4421244} "\0\0\0\0\3\0\1\0\320vC\0C:\W\0\0\0\0" ... {20, 48, reply, 0, 408, 416, 2282, 0} "\0\0\0\0\3\0\1\0\0\0\0\0C:\W\0\0\0\0" )  ... {20, 48, reply, 0, 408, 416, 2282, 0}  (24, {20, 48, new_msg, 0, -1, 4199054, 4310954, 4421244} "\0\0\0\0\3\0\1\0\320vC\0C:\W\0\0\0\0" ... {20, 48, reply, 0, 408, 416, 2282, 0} "\0\0\0\0\3\0\1\0\0\0\0\0C:\W\0\0\0\0" )  ) == 0x0
 01452   416   NtTerminateProcess  (-1, 0, ...
 01453   416   NtClose  (44, ... ) == 0x0