Summary: number of times each syscall appears in the trace below, listed in ascending order of count (NtClose, with 98 calls, is the most frequent); the `(>)` marker is emitted by the tracer and is not explained on this page.

NtCallbackReturn(>) 1 NtTestAlert(>) 1 NtGdiCreateCompatibleDC(>) 3 NtUserRegisterWindowMessage(>) 20
NtDuplicateObject(>) 1 NtUserCallNoParam(>) 1 NtSetInformationObject(>) 3 NtQueryValueKey(>) 23
NtFsControlFile(>) 1 NtUserGetThreadDesktop(>) 1 NtGdiGetStockObject(>) 5 NtContinue(>) 24
NtGdiCreateBitmap(>) 1 NtAddAtom(>) 2 NtQueryDefaultLocale(>) 5 NtOpenFile(>) 24
NtGdiInit(>) 1 NtCreateKey(>) 2 NtCreateFile(>) 6 NtQueryDebugFilterState(>) 24
NtGdiQueryFontAssocInfo(>) 1 NtGdiCreateSolidBrush(>) 2 NtSetInformationThread(>) 6 NtUserFindExistingCursorIcon(>) 24
NtGdiSelectBitmap(>) 1 NtOpenDirectoryObject(>) 2 NtUserSystemParametersInfo(>) 6 NtQuerySystemInformation(>) 25
NtNotifyChangeKey(>) 1 NtOpenEvent(>) 2 NtQuerySection(>) 7 NtOpenSection(>) 26
NtOpenKeyedEvent(>) 1 NtOpenProcessToken(>) 2 NtOpenProcessTokenEx(>) 8 NtUserRegisterClassExWOW(>) 34
NtOpenMutant(>) 1 NtQueryInformationFile(>) 2 NtOpenThreadTokenEx(>) 8 NtProtectVirtualMemory(>) 35
NtOpenProcess(>) 1 NtQueryInformationProcess(>) 2 NtRequestWaitReplyPort(>) 8 NtAllocateVirtualMemory(>) 36
NtOpenSymbolicLinkObject(>) 1 NtQueryInstallUILanguage(>) 2 NtQueryDefaultUILanguage(>) 10 NtMapViewOfSection(>) 39
NtQueryInformationThread(>) 1 NtQueryVirtualMemory(>) 2 NtQueryInformationToken(>) 11 NtOpenKey(>) 54
NtQueryObject(>) 1 NtTerminateProcess(>) 2 NtFlushInstructionCache(>) 17 NtUserGetClassInfo(>) 54
NtQuerySymbolicLinkObject(>) 1 NtUserGetDC(>) 2 NtCreateSection(>) 18 NtClose(>) 98
NtQueryVolumeInformationFile(>) 1 NtCreateEvent(>) 3 NtUserUnregisterClass(>) 18
NtRegisterThreadTerminatePort(>) 1 NtCreateSemaphore(>) 3 NtUnmapViewOfSection(>) 19
NtSecureConnectPort(>) 1

Trace: one record per syscall — sequence number, calling thread id (416 throughout; compare the LPC reply headers `{..., 412, 416, ...}` and `NtUserGetThreadDesktop (416, ...)`), syscall name, arguments, then `==` and the returned NTSTATUS. Records are not line-aligned, and a call that re-enters the kernel before returning is interleaved with the inner call (e.g. 00145/00146, 00208/00209–00218). Reviewer note: most entries are ordinary loader/NLS/SxS activity; the ones worth attention are the NtCreateFile probes for the device names `\??\SUPERBPM`, `\??\NTICE`, `\??\REGVXD` and `\??\FILEVXD` (00079–00095, all STATUS_OBJECT_NAME_NOT_FOUND, consistent with checks for debugger/monitor drivers), the NtAllocateVirtualMemory calls with protection 64 (PAGE_EXECUTE_READWRITE) at 00068, 00086 and 00100, the NtProtectVirtualMemory/NtFlushInstructionCache sequence on the image page at 0x436000 (00056–00058; this region also holds the thread start address 0x43605c reported at 00067), and the runs of NtContinue around them — together these look like exception-driven in-place unpacking, which should be confirmed by dumping the RWX regions rather than inferred from the trace alone.

00001 416 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00002 416 NtOpenKeyedEvent (0x2000000, {24, 0, 0x0, 0, 0, (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0 00003 416 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00004 416 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 1376256, 1048576, ) == 0x0 00005 416 NtAllocateVirtualMemory (-1, 1376256, 0, 4096, 4096, 4, ... 1376256, 4096, ) == 0x0 00006 416 NtAllocateVirtualMemory (-1, 1380352, 0, 8192, 4096, 4, ... 1380352, 8192, ) == 0x0 00007 416 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00008 416 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 2424832, 65536, ) == 0x0 00009 416 NtAllocateVirtualMemory (-1, 2424832, 0, 24576, 4096, 4, ... 2424832, 24576, ) == 0x0 00010 416 NtOpenDirectoryObject (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0 00011 416 NtOpenSymbolicLinkObject (0x1, {24, 8, 0x40, 0, 0, (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0 00012 416 NtQuerySymbolicLinkObject (12, ... (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0 00013 416 NtClose (12, ... 
) == 0x0 00014 416 NtOpenFile (0x100020, {24, 0, 0x42, 0, 0, (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0 00015 416 NtQueryVolumeInformationFile (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00016 416 NtFsControlFile (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER 00017 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00018 416 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0 00019 416 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0 00020 416 NtClose (16, ... ) == 0x0 00021 416 NtQuerySystemInformation (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0 00022 416 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00023 416 NtCreateSection (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0 00024 416 NtSecureConnectPort ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1385272, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2490368, 18481152}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1385272, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2490368, 18481152}, {0, 0, 0}, 200, 44, ) == 0x0 00025 416 NtClose (16, ... ) == 0x0 00026 416 NtQueryObject (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0 00027 416 NtSetInformationObject (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0 00028 416 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00029 416 NtQueryVirtualMemory (-1, 0x260000, Basic, 28, ... {BaseAddress=0x260000,AllocationBase=0x260000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0 00030 416 NtAllocateVirtualMemory (-1, 2490368, 0, 4096, 4096, 4, ... 2490368, 4096, ) == 0x0 00031 416 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 0, 0, 0, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" ... {28, 56, reply, 0, 412, 416, 1519, 0} "\360L\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" ) ... {28, 56, reply, 0, 412, 416, 1519, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" ... {28, 56, reply, 0, 412, 416, 1519, 0} "\360L\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" ) ) == 0x0 00032 416 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00033 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0 00034 416 NtQueryValueKey (16, (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00035 416 NtClose (16, ... ) == 0x0 00036 416 NtAllocateVirtualMemory (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0 00037 416 NtOpenMutant (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0 00038 416 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 
28, ) == 0x0 00039 416 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x270000), 0x0, 90112, ) == 0x0 00040 416 NtClose (28, ... ) == 0x0 00041 416 NtQueryDefaultLocale (0, 2012046252, ... ) == 0x0 00042 416 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0 00043 416 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x290000), 0x0, 212992, ) == 0x0 00044 416 NtClose (28, ... ) == 0x0 00045 416 NtOpenSection (0x5, {24, 0, 0x40, 0, 0, (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0 00046 416 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2d0000), 0x0, 266240, ) == 0x0 00047 416 NtQuerySection (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0 00048 416 NtClose (28, ... ) == 0x0 00049 416 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0 00050 416 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x320000), 0x0, 24576, ) == 0x0 00051 416 NtClose (28, ... ) == 0x0 00052 416 NtQueryVirtualMemory (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 00053 416 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00054 416 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00055 416 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" ... 
{28, 56, reply, 0, 412, 416, 1526, 0} "\230\243\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" ) ... {28, 56, reply, 0, 412, 416, 1526, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" ... {28, 56, reply, 0, 412, 416, 1526, 0} "\230\243\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" ) ) == 0x0 00056 416 NtProtectVirtualMemory (-1, (0x436000), 40960, 4, ... (0x436000), 40960, 8, ) == 0x0 00057 416 NtProtectVirtualMemory (-1, (0x436000), 40960, 8, ... (0x436000), 40960, 4, ) == 0x0 00058 416 NtFlushInstructionCache (-1, 4415488, 40960, ... ) == 0x0 00059 416 NtOpenProcessToken (-1, 0x8, ... 28, ) == 0x0 00060 416 NtQueryInformationToken (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00061 416 NtClose (28, ... ) == 0x0 00062 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0 00063 416 NtQueryValueKey (28, (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00064 416 NtClose (28, ... ) == 0x0 00065 416 NtTestAlert (... ) == 0x0 00066 416 NtContinue (1244464, 1, ... 00067 416 NtSetInformationThread (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x43605c,}, 4, ... ) == 0x0 00068 416 NtAllocateVirtualMemory (-1, 0, 0, 73728, 12288, 64, ... 3342336, 73728, ) == 0x0 00069 416 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 28, ) }, ... 28, ) == 0x0 00070 416 NtQueryValueKey (28, (28, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00071 416 NtClose (28, ... 
) == 0x0 00072 416 NtAllocateVirtualMemory (-1, 1388544, 0, 4096, 4096, 4, ... 1388544, 4096, ) == 0x0 00073 416 NtContinue (1244388, 0, ... 00074 416 NtContinue (1244388, 0, ... 00075 416 NtProtectVirtualMemory (-1, (0x40000c), 512, 4, ... (0x400000), 4096, 2, ) == 0x0 00076 416 NtContinue (1244388, 0, ... 00077 416 NtContinue (1244388, 0, ... 00078 416 NtContinue (1244388, 0, ... 00079 416 NtCreateFile (0x100080, {24, 0, 0x40, 0, 1244988, (0x100080, {24, 0, 0x40, 0, 1244988, "\??\SUPERBPM"}, 0x0, 0, 3, 1, 96, 0, 0, ... ) }, 0x0, 0, 3, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00080 416 NtContinue (1244388, 0, ... 00081 416 NtContinue (1244388, 0, ... 00082 416 NtCreateFile (0x100080, {24, 0, 0x40, 0, 1244988, (0x100080, {24, 0, 0x40, 0, 1244988, "\??\NTICE"}, 0x0, 0, 3, 1, 96, 0, 0, ... ) }, 0x0, 0, 3, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00083 416 NtContinue (1244388, 0, ... 00084 416 NtContinue (1244388, 0, ... 00085 416 NtCreateFile (0x100080, {24, 0, 0x40, 0, 1244988, (0x100080, {24, 0, 0x40, 0, 1244988, "\??\REGVXD"}, 0x0, 0, 3, 1, 96, 0, 0, ... ) }, 0x0, 0, 3, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00086 416 NtAllocateVirtualMemory (-1, 0, 0, 135168, 12288, 64, ... 3473408, 135168, ) == 0x0 00087 416 NtContinue (1244372, 0, ... 00088 416 NtContinue (1244372, 0, ... 00089 416 NtContinue (1244372, 0, ... 00090 416 NtContinue (1244372, 0, ... 00091 416 NtContinue (1244372, 0, ... 00092 416 NtContinue (1244372, 0, ... 00093 416 NtContinue (1244376, 0, ... 00094 416 NtContinue (1244376, 0, ... 00095 416 NtCreateFile (0x100080, {24, 0, 0x40, 0, 1244976, (0x100080, {24, 0, 0x40, 0, 1244976, "\??\FILEVXD"}, 0x0, 0, 3, 1, 96, 0, 0, ... ) }, 0x0, 0, 3, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00096 416 NtContinue (1244376, 0, ... 00097 416 NtContinue (1244376, 0, ... 00098 416 NtContinue (1244376, 0, ... 00099 416 NtContinue (1244376, 0, ... 00100 416 NtAllocateVirtualMemory (-1, 0, 0, 47552, 12288, 64, ... 
3670016, 49152, ) == 0x0 00101 416 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "USER32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00102 416 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0 00103 416 NtClose (28, ... ) == 0x0 00104 416 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00105 416 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0 00106 416 NtClose (28, ... ) == 0x0 00107 416 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00108 416 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0 00109 416 NtClose (28, ... ) == 0x0 00110 416 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0 00111 416 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0 00112 416 NtClose (28, ... ) == 0x0 00113 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0 00114 416 NtQueryValueKey (28, (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00115 416 NtQueryValueKey (28, (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00116 416 NtClose (28, ... ) == 0x0 00117 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 
28, ) == 0x0 00118 416 NtQueryValueKey (28, (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00119 416 NtClose (28, ... ) == 0x0 00120 416 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0 00121 416 NtSetInformationObject (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0 00122 416 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00123 416 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00124 416 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0} (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0} "\210\6\32\1\0\0\0\0\314\4\23\0\374\207\16\366\3\0\0\0\234\6\32\1$\1\0\0" ... {28, 56, reply, 0, 412, 416, 1540, 0} "XQ\26\0\0\0\0\0\0\0\0\0\374\207\16\366\3\0\0\0\234\6\32\1$\1\0\0" ) ... {28, 56, reply, 0, 412, 416, 1540, 0} (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0} "\210\6\32\1\0\0\0\0\314\4\23\0\374\207\16\366\3\0\0\0\234\6\32\1$\1\0\0" ... {28, 56, reply, 0, 412, 416, 1540, 0} "XQ\26\0\0\0\0\0\0\0\0\0\374\207\16\366\3\0\0\0\234\6\32\1$\1\0\0" ) ) == 0x0 00125 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00126 416 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x510000), 0x0, 1060864, ) == 0x0 00127 416 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 36, ) == 0x0 00128 416 NtOpenThreadTokenEx (-2, 0x8, 1, 512, ... 
) == STATUS_NO_TOKEN 00129 416 NtOpenProcessTokenEx (-1, 0x8, 512, ... -2147482020, ) == 0x0 00130 416 NtQueryInformationToken (-2147482020, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL 00131 416 NtQueryInformationToken (-2147482020, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00132 416 NtClose (-2147482020, ... ) == 0x0 00133 416 NtAllocateVirtualMemory (-1, 0, 0, 32, 4096, 4, ... 3735552, 4096, ) == 0x0 00134 416 NtFreeVirtualMemory (-1, (0x390000), 4096, 32768, ... (0x390000), 4096, ) == 0x0 00135 416 NtDuplicateObject (-1, 40, -1, 0x0, 0, 2, ... 48, ) == 0x0 00136 416 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00137 416 NtQueryValueKey (-2147482020, (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00138 416 NtClose (-2147482020, ... ) == 0x0 00139 416 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00140 416 NtQueryValueKey (-2147482020, (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00141 416 NtClose (-2147482020, ... ) == 0x0 00142 416 NtQueryDefaultLocale (0, -135067124, ... ) == 0x0 00143 416 NtGdiQueryFontAssocInfo (0, ... ) == 0x0 00144 416 NtUserCallNoParam (24, ... ) == 0x0 00145 416 NtGdiCreateCompatibleDC (0, ... 00146 416 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 3735552, 4096, ) == 0x0 00145 416 NtGdiCreateCompatibleDC ... ) == 0xe010448 00147 416 NtGdiGetStockObject (0, ... ) == 0x1900010 00148 416 NtGdiGetStockObject (4, ... ) == 0x1900011 00149 416 NtGdiCreateBitmap (8, 8, 1, 1, 2010393708, ... ) == 0xb05044f 00150 416 NtGdiCreateSolidBrush (0, 0, ... 
00151 416 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 3801088, 4096, ) == 0x0 00150 416 NtGdiCreateSolidBrush ... ) == 0x8100452 00152 416 NtGdiGetStockObject (13, ... ) == 0x18a0021 00153 416 NtGdiCreateCompatibleDC (0, ... ) == 0x6010453 00154 416 NtGdiSelectBitmap (100729939, 184878159, ... ) == 0x185000f 00155 416 NtUserGetThreadDesktop (416, 0, ... ) == 0x2c 00156 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 52, ) }, ... 52, ) == 0x0 00157 416 NtQueryValueKey (52, (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 00158 416 NtClose (52, ... ) == 0x0 00159 416 NtUserFindExistingCursorIcon (1240876, 1240892, 1241460, ... ) == 0x10011 00160 416 NtUserRegisterClassExWOW (1241396, 1241476, 1241460, 1241492, 673, 128, 0, ... ) == 0x810dc017 00161 416 NtUserFindExistingCursorIcon (1240876, 1240892, 1241460, ... ) == 0x10011 00162 416 NtUserRegisterClassExWOW (1241396, 1241476, 1241460, 1241492, 674, 128, 0, ... ) == 0x810dc01c 00163 416 NtUserFindExistingCursorIcon (1240876, 1240892, 1241460, ... ) == 0x10011 00164 416 NtUserRegisterClassExWOW (1241396, 1241476, 1241460, 1241492, 675, 128, 0, ... ) == 0x810dc01e 00165 416 NtUserFindExistingCursorIcon (1240876, 1240892, 1241460, ... ) == 0x10011 00166 416 NtUserRegisterClassExWOW (1241396, 1241476, 1241460, 1241492, 676, 128, 0, ... ) == 0x810d8002 00167 416 NtUserFindExistingCursorIcon (1240876, 1240892, 1241460, ... ) == 0x10013 00168 416 NtUserRegisterClassExWOW (1241396, 1241476, 1241460, 1241492, 677, 128, 0, ... ) == 0x810dc018 00169 416 NtUserFindExistingCursorIcon (1240876, 1240892, 1241460, ... ) == 0x10011 00170 416 NtUserRegisterClassExWOW (1241396, 1241476, 1241460, 1241492, 678, 128, 0, ... 
) == 0x810dc01a 00171 416 NtUserFindExistingCursorIcon (1240876, 1240892, 1241460, ... ) == 0x10011 00172 416 NtUserRegisterClassExWOW (1241396, 1241476, 1241460, 1241492, 679, 128, 0, ... ) == 0x810dc01d 00173 416 NtUserFindExistingCursorIcon (1240876, 1240892, 1241460, ... ) == 0x10011 00174 416 NtUserRegisterClassExWOW (1241396, 1241476, 1241460, 1241492, 681, 128, 0, ... ) == 0x810dc026 00175 416 NtUserFindExistingCursorIcon (1240876, 1240892, 1241460, ... ) == 0x10011 00176 416 NtUserRegisterClassExWOW (1241396, 1241476, 1241460, 1241492, 680, 128, 0, ... ) == 0x810dc019 00177 416 NtUserRegisterClassExWOW (1241348, 1241428, 1241412, 1241444, 0, 128, 0, ... ) == 0x810dc020 00178 416 NtUserRegisterClassExWOW (1241348, 1241424, 1241440, 1241412, 0, 130, 0, ... ) == 0x810dc022 00179 416 NtUserRegisterClassExWOW (1241348, 1241428, 1241412, 1241444, 0, 128, 0, ... ) == 0x810dc023 00180 416 NtUserRegisterClassExWOW (1241348, 1241424, 1241440, 1241412, 0, 130, 0, ... ) == 0x810dc024 00181 416 NtUserRegisterClassExWOW (1241348, 1241428, 1241412, 1241444, 0, 128, 0, ... 00182 416 NtAllocateVirtualMemory (-1, 6533120, 0, 4096, 4096, 32, ... 6533120, 4096, ) == 0x0 00181 416 NtUserRegisterClassExWOW ... ) == 0x810dc025 00183 416 NtCallbackReturn (0, 0, 0, ... 00184 416 NtGdiInit (... ) == 0x1 00185 416 NtGdiGetStockObject (18, ... ) == 0x290001c 00186 416 NtGdiGetStockObject (19, ... ) == 0x1b00019 00187 416 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SHELL32.dll"}, ... 52, ) }, ... 52, ) == 0x0 00188 416 NtMapViewOfSection (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 8339456, ) == 0x0 00189 416 NtClose (52, ... ) == 0x0 00190 416 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 52, ) }, ... 52, ) == 0x0 00191 416 NtMapViewOfSection (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0 00192 416 NtClose (52, ... 
) == 0x0 00193 416 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 52, ) }, ... 52, ) == 0x0 00194 416 NtMapViewOfSection (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x772d0000), 0x0, 405504, ) == 0x0 00195 416 NtClose (52, ... ) == 0x0 00196 416 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00197 416 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 3866624, 65536, ) == 0x0 00198 416 NtAllocateVirtualMemory (-1, 3866624, 0, 4096, 4096, 4, ... 3866624, 4096, ) == 0x0 00199 416 NtAllocateVirtualMemory (-1, 3870720, 0, 8192, 4096, 4, ... 3870720, 8192, ) == 0x0 00200 416 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 52, ) }, ... 52, ) == 0x0 00201 416 NtMapViewOfSection (52, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x3c0000), 0x0, 12288, ) == 0x0 00202 416 NtClose (52, ... ) == 0x0 00203 416 NtAllocateVirtualMemory (-1, 3878912, 0, 4096, 4096, 4, ... 3878912, 4096, ) == 0x0 00204 416 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00205 416 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 52, ) }, ... 52, ) == 0x0 00206 416 NtQueryValueKey (52, (52, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (52, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00207 416 NtClose (52, ... ) == 0x0 00208 416 NtQueryDefaultUILanguage (1241428, ... 00209 416 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... 
) == STATUS_NO_TOKEN 00210 416 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482020, ) == 0x0 00211 416 NtQueryInformationToken (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00212 416 NtClose (-2147482020, ... ) == 0x0 00213 416 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00214 416 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00215 416 NtOpenKey (0x80000000, {24, -2147482020, 0x640, 0, 0, (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 00216 416 NtQueryValueKey (-2147482032, (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00217 416 NtClose (-2147482032, ... ) == 0x0 00218 416 NtClose (-2147482020, ... ) == 0x0 00208 416 NtQueryDefaultUILanguage ... ) == 0x0 00219 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00220 416 NtQueryInstallUILanguage (2012047340, ... ) == 0x0 00221 416 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1, 96, ... 52, {status=0x0, info=1}, ) }, 1, 96, ... 52, {status=0x0, info=1}, ) == 0x0 00222 416 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 52, ... 56, ) == 0x0 00223 416 NtMapViewOfSection (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x920000), 0x0, 8323072, ) == 0x0 00224 416 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00225 416 NtQueryDefaultUILanguage (2013024600, ... 00226 416 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00227 416 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482020, ) == 0x0 00228 416 NtQueryInformationToken (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00229 416 NtClose (-2147482020, ... ) == 0x0 00230 416 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00231 416 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00232 416 NtOpenKey (0x80000000, {24, -2147482020, 0x640, 0, 0, (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 00233 416 NtQueryValueKey (-2147482032, (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00234 416 NtClose (-2147482032, ... ) == 0x0 00235 416 NtClose (-2147482020, ... ) == 0x0 00225 416 NtQueryDefaultUILanguage ... ) == 0x0 00236 416 NtAllocateVirtualMemory (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0 00237 416 NtQueryInstallUILanguage (2013024602, ... ) == 0x0 00238 416 NtQueryDefaultLocale (1, 1239464, ... ) == 0x0 00239 416 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00240 416 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1240320, 1, 96, 0} (24, {128, 156, new_msg, 0, 1240320, 1, 96, 0} "\210\6\32\1\33\0\1\0\0\0\0\0\1\360\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\14\0\0\0\377\377\377\377\0\0\0\0\20\311\311\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\0\364\22\0\0\0\0\0" ... {128, 156, reply, 0, 412, 416, 1567, 0} " S\26\0\33\0\1\0\0\0\0\0\1\360\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\14\0\0\0\377\377\377\377\0\0\0\0\20\311\311\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\0\364\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 412, 416, 1567, 0} (24, {128, 156, new_msg, 0, 1240320, 1, 96, 0} "\210\6\32\1\33\0\1\0\0\0\0\0\1\360\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\14\0\0\0\377\377\377\377\0\0\0\0\20\311\311\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\0\364\22\0\0\0\0\0" ... {128, 156, reply, 0, 412, 416, 1567, 0} " S\26\0\33\0\1\0\0\0\0\0\1\360\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\14\0\0\0\377\377\377\377\0\0\0\0\20\311\311\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\0\364\22\0\0\0\0\0" ) ) == 0x0 00241 416 NtClose (52, ... ) == 0x0 00242 416 NtClose (56, ... ) == 0x0 00243 416 NtUnmapViewOfSection (-1, 0x920000, ... ) == 0x0 00244 416 NtUnmapViewOfSection (-1, 0x12f400, ... ) == STATUS_NOT_MAPPED_VIEW 00245 416 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00246 416 NtAllocateVirtualMemory (-1, 1392640, 0, 4096, 4096, 4, ... 
1392640, 4096, ) == 0x0 00247 416 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00248 416 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00249 416 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00250 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1238548, ... ) }, 1238548, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00251 416 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00252 416 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00253 416 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00254 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1239140, ... ) }, 1239140, ... ) == 0x0 00255 416 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 56, {status=0x0, info=1}, ) }, 3, 33, ... 56, {status=0x0, info=1}, ) == 0x0 00256 416 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00257 416 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0 00258 416 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 52, ... 60, ) == 0x0 00259 416 NtClose (52, ... ) == 0x0 00260 416 NtMapViewOfSection (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x920000), 0x0, 921600, ) == 0x0 00261 416 NtClose (60, ... ) == 0x0 00262 416 NtUnmapViewOfSection (-1, 0x920000, ... 
) == 0x0 00263 416 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 60, {status=0x0, info=1}, ) }, 5, 96, ... 60, {status=0x0, info=1}, ) == 0x0 00264 416 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 60, ... 52, ) == 0x0 00265 416 NtQuerySection (52, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00266 416 NtOpenProcessToken (-1, 0x8, ... 64, ) == 0x0 00267 416 NtQueryInformationToken (64, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0 00268 416 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00269 416 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 68, ) }, ... 68, ) == 0x0 00270 416 NtQueryValueKey (68, (68, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (68, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00271 416 NtClose (68, ... ) == 0x0 00272 416 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00273 416 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 68, ) == 0x0 00274 416 NtQueryInformationToken (68, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00275 416 NtClose (68, ... ) == 0x0 00276 416 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00277 416 NtClose (64, ... ) == 0x0 00278 416 NtClose (60, ... ) == 0x0 00279 416 NtMapViewOfSection (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... 
(0x71950000), 0x0, 933888, ) == 0x0 00280 416 NtClose (52, ... ) == 0x0 00281 416 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00282 416 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00283 416 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00284 416 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00285 416 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00286 416 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00287 416 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00288 416 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00289 416 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00290 416 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00291 416 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00292 416 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00293 416 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00294 416 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00295 416 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00296 416 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00297 416 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00298 416 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00299 416 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00300 416 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00301 416 NtFlushInstructionCache (-1, 1905594368, 1952, ... 
) == 0x0 00302 416 NtAddAtom ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1240324, ... ) , 42, 1240324, ... ) == 0x0 00303 416 NtQueryDefaultUILanguage (1239040, ... 00304 416 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00305 416 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482020, ) == 0x0 00306 416 NtQueryInformationToken (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00307 416 NtClose (-2147482020, ... ) == 0x0 00308 416 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00309 416 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00310 416 NtOpenKey (0x80000000, {24, -2147482020, 0x640, 0, 0, (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 00311 416 NtQueryValueKey (-2147482032, (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00312 416 NtClose (-2147482032, ... ) == 0x0 00313 416 NtClose (-2147482020, ... ) == 0x0 00303 416 NtQueryDefaultUILanguage ... ) == 0x0 00314 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00315 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1237892, ... ) }, 1237892, ... ) == 0x0 00316 416 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 
52, {status=0x0, info=1}, ) == 0x0 00317 416 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 52, ... 60, ) == 0x0 00318 416 NtClose (52, ... ) == 0x0 00319 416 NtMapViewOfSection (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x3e0000), 0x0, 4096, ) == 0x0 00320 416 NtClose (60, ... ) == 0x0 00321 416 NtUnmapViewOfSection (-1, 0x3e0000, ... ) == 0x0 00322 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1237532, ... ) }, 1237532, ... ) == 0x0 00323 416 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1238232, (0x80100080, {24, 0, 0x40, 0, 1238232, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 60, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 60, {status=0x0, info=1}, ) == 0x0 00324 416 NtCreateSection (0xf0005, 0x0, 0x0, 2, 134217728, 60, ... 52, ) == 0x0 00325 416 NtClose (60, ... ) == 0x0 00326 416 NtMapViewOfSection (52, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x3e0000), {0, 0}, 4096, ) == 0x0 00327 416 NtClose (52, ... ) == 0x0 00328 416 NtUnmapViewOfSection (-1, 0x3e0000, ... ) == 0x0 00329 416 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 52, {status=0x0, info=1}, ) }, 1, 96, ... 52, {status=0x0, info=1}, ) == 0x0 00330 416 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 52, ... 60, ) == 0x0 00331 416 NtMapViewOfSection (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x3e0000), 0x0, 4096, ) == 0x0 00332 416 NtQueryInformationFile (52, 1237852, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0 00333 416 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00334 416 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1237932, 1, 96, 0} (24, {128, 156, new_msg, 0, 1237932, 1, 96, 0} "\210\6\32\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\32\14\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\32\1\0\0\0\0\0\0\0\0\254\352\22\0\0\0\0\0" ... {128, 156, reply, 0, 412, 416, 1568, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\32\14\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\32\1\0\0\0\0\0\0\0\0\254\352\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 412, 416, 1568, 0} (24, {128, 156, new_msg, 0, 1237932, 1, 96, 0} "\210\6\32\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\32\14\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\32\1\0\0\0\0\0\0\0\0\254\352\22\0\0\0\0\0" ... {128, 156, reply, 0, 412, 416, 1568, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\32\14\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\32\1\0\0\0\0\0\0\0\0\254\352\22\0\0\0\0\0" ) ) == 0x0 00335 416 NtClose (52, ... ) == 0x0 00336 416 NtClose (60, ... ) == 0x0 00337 416 NtUnmapViewOfSection (-1, 0x3e0000, ... ) == 0x0 00338 416 NtUnmapViewOfSection (-1, 0x12eaac, ... ) == STATUS_NOT_MAPPED_VIEW 00339 416 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00340 416 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 00341 416 NtUserSystemParametersInfo (104, 0, 1906151468, 0, ... ) == 0x1 00342 416 NtUserGetDC (0, ... ) == 0x1010051 00343 416 NtQueryDebugFilterState (87, 3, ... 
) == 0x0 00344 416 NtQueryDebugFilterState (87, 3, ... ) == 0x0 00345 416 NtContinue (1237888, 0, ... 00346 416 NtQueryDebugFilterState (87, 3, ... ) == 0x0 00347 416 NtUnmapViewOfSection (-1, 0x71950000, ... ) == 0x0 00348 416 NtQueryDebugFilterState (87, 3, ... ) == 0x0 00349 416 NtUnmapViewOfSection (-1, 0x3d0000, ... ) == 0x0 00350 416 NtClose (56, ... ) == 0x0 00351 416 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "comctl32.dll"}, ... 56, ) }, ... 56, ) == 0x0 00352 416 NtMapViewOfSection (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0 00353 416 NtClose (56, ... ) == 0x0 00354 416 NtOpenProcess (0x400, {24, 0, 0x0, 0, 0, 0x0}, {412, 0}, ... 56, ) == 0x0 00355 416 NtQueryInformationProcess (56, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0 00356 416 NtClose (56, ... ) == 0x0 00357 416 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 00358 416 NtUserSystemParametersInfo (104, 0, 2000318720, 0, ... ) == 0x1 00359 416 NtUserSystemParametersInfo (38, 4, 2000318708, 0, ... ) == 0x1 00360 416 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00361 416 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 56, ) == 0x0 00362 416 NtQueryInformationToken (56, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00363 416 NtClose (56, ... ) == 0x0 00364 416 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 56, ) }, ... 56, ) == 0x0 00365 416 NtSetInformationObject (56, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0 00366 416 NtOpenKey (0x20019, {24, 56, 0x40, 0, 0, (0x20019, {24, 56, 0x40, 0, 0, "Control Panel\Desktop"}, ... 60, ) }, ... 60, ) == 0x0 00367 416 NtQueryValueKey (60, (60, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00368 416 NtClose (60, ... ) == 0x0 00369 416 NtUserSystemParametersInfo (41, 500, 1239912, 0, ... 
) == 0x1 00370 416 NtUserSystemParametersInfo (102, 0, 2000318732, 0, ... ) == 0x1 00371 416 NtUserGetClassInfo (1999896576, 1240320, 1240272, 1240348, 0, ... ) == 0x0 00372 416 NtUserFindExistingCursorIcon (1239704, 1239720, 1240288, ... ) == 0x10011 00373 416 NtUserRegisterClassExWOW (1240156, 1240236, 1240220, 1240252, 0, 384, 0, ... ) == 0x810dc03b 00374 416 NtUserGetClassInfo (1999896576, 1240320, 1240272, 1240348, 0, ... ) == 0x0 00375 416 NtUserRegisterClassExWOW (1240156, 1240236, 1240220, 1240252, 0, 384, 0, ... ) == 0x810dc03d 00376 416 NtUserGetClassInfo (1999896576, 1240320, 1240272, 1240348, 0, ... ) == 0x0 00377 416 NtUserFindExistingCursorIcon (1239704, 1239720, 1240288, ... ) == 0x10011 00378 416 NtUserRegisterClassExWOW (1240156, 1240236, 1240220, 1240252, 0, 384, 0, ... ) == 0x810dc03f 00379 416 NtUserGetClassInfo (1999896576, 1240320, 1240272, 1240348, 0, ... ) == 0x0 00380 416 NtUserFindExistingCursorIcon (1239704, 1239720, 1240288, ... ) == 0x10011 00381 416 NtUserRegisterClassExWOW (1240156, 1240236, 1240220, 1240252, 0, 384, 0, ... ) == 0x810dc041 00382 416 NtUserGetClassInfo (1999896576, 1240320, 1240272, 1240348, 0, ... ) == 0x0 00383 416 NtUserFindExistingCursorIcon (1239704, 1239720, 1240288, ... ) == 0x10011 00384 416 NtUserRegisterClassExWOW (1240156, 1240236, 1240220, 1240252, 0, 384, 0, ... ) == 0x810dc043 00385 416 NtUserGetClassInfo (1999896576, 1240320, 1240272, 1240348, 0, ... ) == 0x0 00386 416 NtUserRegisterClassExWOW (1240156, 1240236, 1240220, 1240252, 0, 384, 0, ... ) == 0x810dc045 00387 416 NtUserGetClassInfo (1999896576, 1240320, 1240272, 1240348, 0, ... ) == 0x0 00388 416 NtUserFindExistingCursorIcon (1239704, 1239720, 1240288, ... ) == 0x10011 00389 416 NtUserRegisterClassExWOW (1240156, 1240236, 1240220, 1240252, 0, 384, 0, ... ) == 0x810dc047 00390 416 NtUserGetClassInfo (1999896576, 1240320, 1240272, 1240348, 0, ... ) == 0x0 00391 416 NtUserFindExistingCursorIcon (1239700, 1239716, 1240284, ... 
) == 0x10011 00392 416 NtUserRegisterClassExWOW (1240152, 1240232, 1240216, 1240248, 0, 384, 0, ... ) == 0x810dc049 00393 416 NtUserGetClassInfo (1999896576, 1240320, 1240272, 1240348, 0, ... ) == 0x0 00394 416 NtUserFindExistingCursorIcon (1239704, 1239720, 1240288, ... ) == 0x10011 00395 416 NtUserRegisterClassExWOW (1240156, 1240236, 1240220, 1240252, 0, 384, 0, ... ) == 0x810dc04b 00396 416 NtUserGetClassInfo (1999896576, 1240320, 1240272, 1240348, 0, ... ) == 0x0 00397 416 NtUserFindExistingCursorIcon (1239704, 1239720, 1240288, ... ) == 0x10011 00398 416 NtUserRegisterClassExWOW (1240156, 1240236, 1240220, 1240252, 0, 384, 0, ... ) == 0x810dc04d 00399 416 NtUserGetClassInfo (1999896576, 1240320, 1240272, 1240348, 0, ... ) == 0x0 00400 416 NtUserFindExistingCursorIcon (1239704, 1239720, 1240288, ... ) == 0x10011 00401 416 NtUserRegisterClassExWOW (1240156, 1240236, 1240220, 1240252, 0, 384, 0, ... ) == 0x810dc04f 00402 416 NtUserGetClassInfo (1999896576, 1240324, 1240276, 1240352, 0, ... ) == 0x0 00403 416 NtUserRegisterClassExWOW (1240160, 1240240, 1240224, 1240256, 0, 384, 0, ... ) == 0x810dc051 00404 416 NtUserGetClassInfo (1999896576, 1240320, 1240272, 1240348, 0, ... ) == 0x0 00405 416 NtUserFindExistingCursorIcon (1239704, 1239720, 1240288, ... ) == 0x10011 00406 416 NtUserRegisterClassExWOW (1240156, 1240236, 1240220, 1240252, 0, 384, 0, ... ) == 0x810dc053 00407 416 NtUserGetClassInfo (1999896576, 1240320, 1240272, 1240348, 0, ... ) == 0x0 00408 416 NtUserFindExistingCursorIcon (1239704, 1239720, 1240288, ... ) == 0x10011 00409 416 NtUserRegisterClassExWOW (1240156, 1240236, 1240220, 1240252, 0, 384, 0, ... ) == 0x810dc055 00410 416 NtUserRegisterClassExWOW (1240156, 1240236, 1240220, 1240252, 0, 384, 0, ... ) == 0x810dc057 00411 416 NtUserGetClassInfo (1999896576, 1240320, 1240272, 1240348, 0, ... ) == 0x0 00412 416 NtUserFindExistingCursorIcon (1239704, 1239720, 1240288, ... 
) == 0x10011 00413 416 NtUserRegisterClassExWOW (1240156, 1240236, 1240220, 1240252, 0, 384, 0, ... ) == 0x810dc059 00414 416 NtUserGetClassInfo (1999896576, 1240320, 1240272, 1240348, 0, ... ) == 0x0 00415 416 NtUserFindExistingCursorIcon (1239704, 1239720, 1240288, ... ) == 0x10013 00416 416 NtUserRegisterClassExWOW (1240156, 1240236, 1240220, 1240252, 0, 384, 0, ... ) == 0x810dc05b 00417 416 NtUserGetClassInfo (1999896576, 1240320, 1240272, 1240348, 0, ... ) == 0x0 00418 416 NtUserFindExistingCursorIcon (1239704, 1239720, 1240288, ... ) == 0x10011 00419 416 NtUserRegisterClassExWOW (1240156, 1240236, 1240220, 1240252, 0, 384, 0, ... ) == 0x810dc05d 00420 416 NtUserGetClassInfo (1999896576, 1240320, 1240272, 1240348, 0, ... ) == 0x0 00421 416 NtUserFindExistingCursorIcon (1239704, 1239720, 1240288, ... ) == 0x10011 00422 416 NtUserRegisterClassExWOW (1240156, 1240236, 1240220, 1240252, 0, 384, 0, ... ) == 0x810dc05f 00423 416 NtUserGetClassInfo (1999896576, 1243164, 1243116, 1243192, 0, ... ) == 0xc03b 00424 416 NtUserGetClassInfo (1999896576, 1243164, 1243116, 1243192, 0, ... ) == 0xc03d 00425 416 NtUserGetClassInfo (1999896576, 1243164, 1243116, 1243192, 0, ... ) == 0xc03f 00426 416 NtUserGetClassInfo (1999896576, 1243164, 1243116, 1243192, 0, ... ) == 0xc041 00427 416 NtUserGetClassInfo (1999896576, 1243164, 1243116, 1243192, 0, ... ) == 0xc043 00428 416 NtUserGetClassInfo (1999896576, 1243164, 1243116, 1243192, 0, ... ) == 0xc045 00429 416 NtUserGetClassInfo (1999896576, 1243164, 1243116, 1243192, 0, ... ) == 0xc047 00430 416 NtUserGetClassInfo (1999896576, 1243164, 1243116, 1243192, 0, ... ) == 0xc049 00431 416 NtUserGetClassInfo (1999896576, 1243164, 1243116, 1243192, 0, ... ) == 0xc04b 00432 416 NtUserGetClassInfo (1999896576, 1243164, 1243116, 1243192, 0, ... ) == 0xc04d 00433 416 NtUserGetClassInfo (1999896576, 1243164, 1243116, 1243192, 0, ... ) == 0xc04f 00434 416 NtUserGetClassInfo (1999896576, 1243168, 1243120, 1243196, 0, ... 
) == 0xc051 00435 416 NtUserGetClassInfo (1999896576, 1243164, 1243116, 1243192, 0, ... ) == 0xc053 00436 416 NtUserGetClassInfo (1999896576, 1243164, 1243116, 1243192, 0, ... ) == 0xc055 00437 416 NtUserGetClassInfo (1999896576, 1243164, 1243116, 1243192, 0, ... ) == 0xc059 00438 416 NtUserGetClassInfo (1999896576, 1243164, 1243116, 1243192, 0, ... ) == 0xc05b 00439 416 NtUserGetClassInfo (1999896576, 1243164, 1243116, 1243192, 0, ... ) == 0xc05d 00440 416 NtUserGetClassInfo (1999896576, 1243164, 1243116, 1243192, 0, ... ) == 0xc05f 00441 416 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ODBC32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00442 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\ODBC32.dll"}, 1243072, ... ) }, 1243072, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00443 416 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "ODBC32.dll"}, 1243072, ... ) }, 1243072, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00444 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ODBC32.dll"}, 1243072, ... ) }, 1243072, ... ) == 0x0 00445 416 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ODBC32.dll"}, 5, 96, ... 60, {status=0x0, info=1}, ) }, 5, 96, ... 60, {status=0x0, info=1}, ) == 0x0 00446 416 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 60, ... 52, ) == 0x0 00447 416 NtQuerySection (52, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00448 416 NtClose (60, ... ) == 0x0 00449 416 NtMapViewOfSection (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x1f7b0000), 0x0, 200704, ) == 0x0 00450 416 NtClose (52, ... ) == 0x0 00451 416 NtProtectVirtualMemory (-1, (0x1f7b1000), 724, 4, ... (0x1f7b1000), 4096, 32, ) == 0x0 00452 416 NtProtectVirtualMemory (-1, (0x1f7b1000), 4096, 32, ... (0x1f7b1000), 4096, 4, ) == 0x0 00453 416 NtFlushInstructionCache (-1, 528158720, 724, ... 
) == 0x0 00454 416 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "comdlg32.dll"}, ... 52, ) }, ... 52, ) == 0x0 00455 416 NtMapViewOfSection (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x763b0000), 0x0, 282624, ) == 0x0 00456 416 NtClose (52, ... ) == 0x0 00457 416 NtProtectVirtualMemory (-1, (0x763b1000), 1536, 4, ... (0x763b1000), 4096, 32, ) == 0x0 00458 416 NtProtectVirtualMemory (-1, (0x763b1000), 4096, 32, ... (0x763b1000), 4096, 4, ) == 0x0 00459 416 NtFlushInstructionCache (-1, 1983582208, 1536, ... ) == 0x0 00460 416 NtUserRegisterWindowMessage ( ("WOWLFChange", ... ) , ... ) == 0xc06b 00461 416 NtUserRegisterWindowMessage ( ("WOWDirChange", ... ) , ... ) == 0xc06c 00462 416 NtUserRegisterWindowMessage ( ("WOWCHOOSEFONT_GETLOGFONT", ... ) , ... ) == 0xc06d 00463 416 NtUserRegisterWindowMessage ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06e 00464 416 NtUserRegisterWindowMessage ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc06f 00465 416 NtUserRegisterWindowMessage ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc070 00466 416 NtUserRegisterWindowMessage ( ("commdlg_ColorOK", ... ) , ... ) == 0xc071 00467 416 NtUserRegisterWindowMessage ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc072 00468 416 NtUserRegisterWindowMessage ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06e 00469 416 NtUserRegisterWindowMessage ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc06f 00470 416 NtUserRegisterWindowMessage ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc070 00471 416 NtUserRegisterWindowMessage ( ("commdlg_ColorOK", ... ) , ... ) == 0xc071 00472 416 NtUserRegisterWindowMessage ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc072 00473 416 NtUserRegisterWindowMessage ( ("Shell IDList Array", ... ) , ... ) == 0xc073 00474 416 NtUserRegisterWindowMessage ( ("commdlg_help", ... ) , ... ) == 0xc074 00475 416 NtUserRegisterWindowMessage ( ("commdlg_help", ... ) , ... 
) == 0xc074 00476 416 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\MDAC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00477 416 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00478 416 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00479 416 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00480 416 NtAllocateVirtualMemory (-1, 0, 0, 262144, 8192, 4, ... 9568256, 262144, ) == 0x0 00481 416 NtAllocateVirtualMemory (-1, 9568256, 0, 4096, 4096, 4, ... 9568256, 4096, ) == 0x0 00482 416 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00483 416 NtAllocateVirtualMemory (-1, 0, 0, 262144, 8192, 4, ... 9830400, 262144, ) == 0x0 00484 416 NtAllocateVirtualMemory (-1, 9830400, 0, 4096, 4096, 4, ... 9830400, 4096, ) == 0x0 00485 416 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00486 416 NtAllocateVirtualMemory (-1, 0, 0, 262144, 8192, 4, ... 10092544, 262144, ) == 0x0 00487 416 NtAllocateVirtualMemory (-1, 10092544, 0, 4096, 4096, 4, ... 10092544, 4096, ) == 0x0 00488 416 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00489 416 NtAllocateVirtualMemory (-1, 0, 0, 262144, 8192, 4, ... 10354688, 262144, ) == 0x0 00490 416 NtAllocateVirtualMemory (-1, 10354688, 0, 4096, 4096, 4, ... 10354688, 4096, ) == 0x0 00491 416 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00492 416 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00493 416 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00494 416 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00495 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 1239044, ... ) }, 1239044, ... 
) == 0x0 00496 416 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0 00497 416 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 52, ... 60, ) == 0x0 00498 416 NtClose (52, ... ) == 0x0 00499 416 NtMapViewOfSection (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x3d0000), 0x0, 90112, ) == 0x0 00500 416 NtClose (60, ... ) == 0x0 00501 416 NtUnmapViewOfSection (-1, 0x3d0000, ... ) == 0x0 00502 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 1239360, ... ) }, 1239360, ... ) == 0x0 00503 416 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 5, 96, ... 60, {status=0x0, info=1}, ) }, 5, 96, ... 60, {status=0x0, info=1}, ) == 0x0 00504 416 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 60, ... 52, ) == 0x0 00505 416 NtQuerySection (52, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00506 416 NtClose (60, ... ) == 0x0 00507 416 NtMapViewOfSection (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x1f850000), 0x0, 90112, ) == 0x0 00508 416 NtClose (52, ... ) == 0x0 00509 416 NtQueryDefaultLocale (1, 1241048, ... ) == 0x0 00510 416 NtAllocateVirtualMemory (-1, 9572352, 0, 4096, 4096, 4, ... 9572352, 4096, ) == 0x0 00511 416 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE"}, ... 52, ) }, ... 52, ) == 0x0 00512 416 NtClose (52, ... ) == 0x0 00513 416 NtOpenKey (0x20019, {24, 56, 0x40, 0, 0, (0x20019, {24, 56, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00514 416 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00515 416 NtOpenKey (0x20019, {24, 56, 0x40, 0, 0, (0x20019, {24, 56, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00516 416 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00517 416 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00518 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1243072, ... ) }, 1243072, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00519 416 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WS2_32.dll"}, 1243072, ... ) }, 1243072, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00520 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 1243072, ... ) }, 1243072, ... ) == 0x0 00521 416 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0 00522 416 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 52, ... 60, ) == 0x0 00523 416 NtQuerySection (60, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00524 416 NtClose (52, ... ) == 0x0 00525 416 NtMapViewOfSection (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 86016, ) == 0x0 00526 416 NtClose (60, ... ) == 0x0 00527 416 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00528 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1242268, ... ) }, 1242268, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00529 416 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WS2HELP.dll"}, 1242268, ... ) }, 1242268, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00530 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 1242268, ... ) }, 1242268, ... ) == 0x0 00531 416 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 5, 96, ... 60, {status=0x0, info=1}, ) }, 5, 96, ... 60, {status=0x0, info=1}, ) == 0x0 00532 416 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 60, ... 52, ) == 0x0 00533 416 NtQuerySection (52, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00534 416 NtClose (60, ... ) == 0x0 00535 416 NtMapViewOfSection (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0 00536 416 NtClose (52, ... ) == 0x0 00537 416 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00538 416 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00539 416 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WININET.dll"}, ... 52, ) }, ... 52, ) == 0x0 00540 416 NtMapViewOfSection (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76200000), 0x0, 618496, ) == 0x0 00541 416 NtClose (52, ... ) == 0x0 00542 416 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "CRYPT32.dll"}, ... 52, ) }, ... 52, ) == 0x0 00543 416 NtMapViewOfSection (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762c0000), 0x0, 565248, ) == 0x0 00544 416 NtClose (52, ... ) == 0x0 00545 416 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "MSASN1.dll"}, ... 52, ) }, ... 52, ) == 0x0 00546 416 NtMapViewOfSection (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762a0000), 0x0, 61440, ) == 0x0 00547 416 NtClose (52, ... 
) == 0x0 00548 416 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "OLEAUT32.dll"}, ... 52, ) }, ... 52, ) == 0x0 00549 416 NtMapViewOfSection (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0 00550 416 NtClose (52, ... ) == 0x0 00551 416 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "OLE32.DLL"}, ... 52, ) }, ... 52, ) == 0x0 00552 416 NtMapViewOfSection (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0 00553 416 NtClose (52, ... ) == 0x0 00554 416 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\crypt32\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00555 416 NtAllocateVirtualMemory (-1, 1396736, 0, 4096, 4096, 4, ... 1396736, 4096, ) == 0x0 00556 416 NtAllocateVirtualMemory (-1, 1400832, 0, 4096, 4096, 4, ... 1400832, 4096, ) == 0x0 00557 416 NtAllocateVirtualMemory (-1, 1404928, 0, 4096, 4096, 4, ... 1404928, 4096, ) == 0x0 00558 416 NtAllocateVirtualMemory (-1, 1409024, 0, 4096, 4096, 4, ... 1409024, 4096, ) == 0x0 00559 416 NtOpenDirectoryObject (0x2000f, {24, 0, 0x40, 0, 0, (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 52, ) }, ... 52, ) == 0x0 00560 416 NtCreateEvent (0x1f0003, {24, 52, 0x80, 1243204, 0, (0x1f0003, {24, 52, 0x80, 1243204, 0, "Global\crypt32LogoffEvent"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED 00561 416 NtOpenEvent (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "Global\crypt32LogoffEvent"}, ... 60, ) }, ... 60, ) == 0x0 00562 416 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00563 416 NtQuerySystemInformation (Processor, 12, ... 
{system info, class 1, size 12}, 0x0, ) == 0x0 00564 416 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 64, ) }, ... 64, ) == 0x0 00565 416 NtQueryValueKey (64, (64, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (64, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0 00566 416 NtClose (64, ... ) == 0x0 00567 416 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00568 416 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00569 416 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00570 416 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00571 416 NtAllocateVirtualMemory (-1, 1413120, 0, 4096, 4096, 4, ... 1413120, 4096, ) == 0x0 00572 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 64, ) }, ... 64, ) == 0x0 00573 416 NtQueryValueKey (64, (64, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00574 416 NtQueryValueKey (64, (64, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00575 416 NtQueryValueKey (64, (64, "InterfaceHelperDisableTypeLib", Full, 0, ... 
) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00576 416 NtClose (64, ... ) == 0x0 00577 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 64, ) }, ... 64, ) == 0x0 00578 416 NtQueryValueKey (64, (64, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00579 416 NtQueryValueKey (64, (64, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00580 416 NtClose (64, ... ) == 0x0 00581 416 NtOpenEvent (0x1f0003, {24, 52, 0x0, 0, 0, (0x1f0003, {24, 52, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00582 416 NtUserRegisterWindowMessage ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b 00583 416 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00584 416 NtOpenKey (0x9, {24, 28, 0x40, 0, 0, (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00585 416 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00586 416 NtAllocateVirtualMemory (-1, 1417216, 0, 8192, 4096, 4, ... 1417216, 8192, ) == 0x0 00587 416 NtCreateKey (0xf003f, {24, 56, 0x40, 0, 0, (0xf003f, {24, 56, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History"}, 0, 0x0, 0, ... 64, 2, ) }, 0, 0x0, 0, ... 64, 2, ) == 0x0 00588 416 NtQueryDefaultUILanguage (1241440, ... 00589 416 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00590 416 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482020, ) == 0x0 00591 416 NtQueryInformationToken (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00592 416 NtClose (-2147482020, ... 
) == 0x0 00593 416 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00594 416 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00595 416 NtOpenKey (0x80000000, {24, -2147482020, 0x640, 0, 0, (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 00596 416 NtQueryValueKey (-2147482032, (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00597 416 NtClose (-2147482032, ... ) == 0x0 00598 416 NtClose (-2147482020, ... ) == 0x0 00588 416 NtQueryDefaultUILanguage ... ) == 0x0 00599 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00600 416 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll"}, 1, 96, ... 68, {status=0x0, info=1}, ) }, 1, 96, ... 68, {status=0x0, info=1}, ) == 0x0 00601 416 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 68, ... 72, ) == 0x0 00602 416 NtMapViewOfSection (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xa20000), 0x0, 593920, ) == 0x0 00603 416 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00604 416 NtQueryDefaultLocale (1, 1239476, ... ) == 0x0 00605 416 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00606 416 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1240332, 1, 96, 0} (24, {128, 156, new_msg, 0, 1240332, 1, 96, 0} "\210\6\32\1\33\0\1\0\0\0\0\0\1\360\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1D\0\0\0\377\377\377\377\0\0\0\0P\275\251\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\14\364\22\0\0\0\0\0" ... {128, 156, reply, 0, 412, 416, 1569, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\360\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1D\0\0\0\377\377\377\377\0\0\0\0P\275\251\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\14\364\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 412, 416, 1569, 0} (24, {128, 156, new_msg, 0, 1240332, 1, 96, 0} "\210\6\32\1\33\0\1\0\0\0\0\0\1\360\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1D\0\0\0\377\377\377\377\0\0\0\0P\275\251\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\14\364\22\0\0\0\0\0" ... {128, 156, reply, 0, 412, 416, 1569, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\360\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1D\0\0\0\377\377\377\377\0\0\0\0P\275\251\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\14\364\22\0\0\0\0\0" ) ) == 0x0 00607 416 NtClose (68, ... ) == 0x0 00608 416 NtClose (72, ... ) == 0x0 00609 416 NtUnmapViewOfSection (-1, 0xa20000, ... ) == 0x0 00610 416 NtUnmapViewOfSection (-1, 0x12f40c, ... ) == STATUS_NOT_MAPPED_VIEW 00611 416 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00612 416 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00613 416 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00614 416 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00615 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1238016, ... ) }, 1238016, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00616 416 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00617 416 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00618 416 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00619 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1238608, ... ) }, 1238608, ... ) == 0x0 00620 416 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 72, {status=0x0, info=1}, ) }, 3, 33, ... 72, {status=0x0, info=1}, ) == 0x0 00621 416 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00622 416 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0 00623 416 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 68, ... 76, ) == 0x0 00624 416 NtClose (68, ... ) == 0x0 00625 416 NtMapViewOfSection (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa20000), 0x0, 921600, ) == 0x0 00626 416 NtClose (76, ... ) == 0x0 00627 416 NtUnmapViewOfSection (-1, 0xa20000, ... ) == 0x0 00628 416 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 76, {status=0x0, info=1}, ) }, 5, 96, ... 76, {status=0x0, info=1}, ) == 0x0 00629 416 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 76, ... 
68, ) == 0x0 00630 416 NtQuerySection (68, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00631 416 NtClose (76, ... ) == 0x0 00632 416 NtMapViewOfSection (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0 00633 416 NtClose (68, ... ) == 0x0 00634 416 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00635 416 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00636 416 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00637 416 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00638 416 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00639 416 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00640 416 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00641 416 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00642 416 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00643 416 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00644 416 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00645 416 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00646 416 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00647 416 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00648 416 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00649 416 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00650 416 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00651 416 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00652 416 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... 
(0x71951000), 4096, 32, ) == 0x0 00653 416 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00654 416 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00655 416 NtAddAtom ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1239792, ... ) , 42, 1239792, ... ) == 0x0 00656 416 NtQueryDefaultUILanguage (1238508, ... 00657 416 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00658 416 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482020, ) == 0x0 00659 416 NtQueryInformationToken (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00660 416 NtClose (-2147482020, ... ) == 0x0 00661 416 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00662 416 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00663 416 NtOpenKey (0x80000000, {24, -2147482020, 0x640, 0, 0, (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 00664 416 NtQueryValueKey (-2147482032, (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00665 416 NtClose (-2147482032, ... ) == 0x0 00666 416 NtClose (-2147482020, ... ) == 0x0 00656 416 NtQueryDefaultUILanguage ... ) == 0x0 00667 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00668 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1237360, ... ) }, 1237360, ... 
) == 0x0 00669 416 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0 00670 416 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 68, ... 76, ) == 0x0 00671 416 NtClose (68, ... ) == 0x0 00672 416 NtMapViewOfSection (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x3e0000), 0x0, 4096, ) == 0x0 00673 416 NtClose (76, ... ) == 0x0 00674 416 NtUnmapViewOfSection (-1, 0x3e0000, ... ) == 0x0 00675 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1237000, ... ) }, 1237000, ... ) == 0x0 00676 416 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1237700, (0x80100080, {24, 0, 0x40, 0, 1237700, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 76, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 76, {status=0x0, info=1}, ) == 0x0 00677 416 NtCreateSection (0xf0005, 0x0, 0x0, 2, 134217728, 76, ... 68, ) == 0x0 00678 416 NtClose (76, ... ) == 0x0 00679 416 NtMapViewOfSection (68, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x3e0000), {0, 0}, 4096, ) == 0x0 00680 416 NtClose (68, ... ) == 0x0 00681 416 NtUnmapViewOfSection (-1, 0x3e0000, ... ) == 0x0 00682 416 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 68, {status=0x0, info=1}, ) }, 1, 96, ... 68, {status=0x0, info=1}, ) == 0x0 00683 416 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 68, ... 76, ) == 0x0 00684 416 NtMapViewOfSection (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x3e0000), 0x0, 4096, ) == 0x0 00685 416 NtQueryInformationFile (68, 1237320, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0 00686 416 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00687 416 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1237400, 1, 96, 0} (24, {128, 156, new_msg, 0, 1237400, 1, 96, 0} "\210\6\32\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\32\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\32\1\0\0\0\0\0\0\0\0\230\350\22\0\0\0\0\0" ... {128, 156, reply, 0, 412, 416, 1570, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\32\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\32\1\0\0\0\0\0\0\0\0\230\350\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 412, 416, 1570, 0} (24, {128, 156, new_msg, 0, 1237400, 1, 96, 0} "\210\6\32\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\32\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\32\1\0\0\0\0\0\0\0\0\230\350\22\0\0\0\0\0" ... {128, 156, reply, 0, 412, 416, 1570, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\32\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\32\1\0\0\0\0\0\0\0\0\230\350\22\0\0\0\0\0" ) ) == 0x0 00688 416 NtClose (68, ... ) == 0x0 00689 416 NtClose (76, ... ) == 0x0 00690 416 NtUnmapViewOfSection (-1, 0x3e0000, ... ) == 0x0 00691 416 NtUnmapViewOfSection (-1, 0x12e898, ... ) == STATUS_NOT_MAPPED_VIEW 00692 416 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00693 416 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 00694 416 NtUserSystemParametersInfo (104, 0, 1906151468, 0, ... ) == 0x1 00695 416 NtUserGetDC (0, ... ) == 0x1010052 00696 416 NtQueryDebugFilterState (87, 3, ... 
) == 0x0 00697 416 NtQueryDebugFilterState (87, 3, ... ) == 0x0 00698 416 NtContinue (1237364, 0, ... 00699 416 NtQueryDebugFilterState (87, 3, ... ) == 0x0 00700 416 NtUnmapViewOfSection (-1, 0x71950000, ... ) == 0x0 00701 416 NtQueryDebugFilterState (87, 3, ... ) == 0x0 00702 416 NtUnmapViewOfSection (-1, 0x3d0000, ... ) == 0x0 00703 416 NtClose (72, ... ) == 0x0 00704 416 NtCreateKey (0x2001f, {24, 56, 0x40, 0, 0, (0x2001f, {24, 56, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 72, 2, ) }, 0, 0x0, 0, ... 72, 2, ) == 0x0 00705 416 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "MPR.dll"}, ... 76, ) }, ... 76, ) == 0x0 00706 416 NtMapViewOfSection (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71b20000), 0x0, 69632, ) == 0x0 00707 416 NtClose (76, ... ) == 0x0 00708 416 NtCreateSemaphore (0x1f0003, 0x0, 1, 1, ... 76, ) == 0x0 00709 416 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 68, ) == 0x0 00710 416 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "system\CurrentControlSet\control\NetworkProvider\HwOrder"}, ... 80, ) }, ... 80, ) == 0x0 00711 416 NtNotifyChangeKey (80, 68, 0, 0, 2011390432, 4, 0, 0, 0, 1, ... ) == 0x103 00712 416 NtQueryInformationProcess (-1, 28, 4, ... {process info, class 28, size 4}, 0x0, ) == 0x0 00713 416 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 84, ) == 0x0 00714 416 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 88, ) == 0x0 00715 416 NtFreeVirtualMemory (-1, (0x350000), 135168, 16384, ... (0x350000), 135168, ) == 0x0 00716 416 NtQueryInformationThread (-2, AmILastThread, 4, ... {thread info, class 12, size 4}, 0x0, ) == 0x0 00717 416 NtTerminateProcess (0, 0, ... ) == 0x0 00718 416 NtClose (72, ... ) == 0x0 00719 416 NtClose (64, ... ) == 0x0 00720 416 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0xb,}, 4, ... ) == 0x0 00721 416 NtUserGetClassInfo (1999896576, 1243536, 1243488, 1243564, 0, ... 
) == 0xc03b 00722 416 NtUserUnregisterClass (1243540, 1999896576, 1243528, ... ) == 0x1 00723 416 NtUserGetClassInfo (1999896576, 1243536, 1243488, 1243564, 0, ... ) == 0xc03d 00724 416 NtUserUnregisterClass (1243540, 1999896576, 1243528, ... ) == 0x1 00725 416 NtUserGetClassInfo (1999896576, 1243536, 1243488, 1243564, 0, ... ) == 0xc03f 00726 416 NtUserUnregisterClass (1243540, 1999896576, 1243528, ... ) == 0x1 00727 416 NtUserGetClassInfo (1999896576, 1243536, 1243488, 1243564, 0, ... ) == 0xc041 00728 416 NtUserUnregisterClass (1243540, 1999896576, 1243528, ... ) == 0x1 00729 416 NtUserGetClassInfo (1999896576, 1243536, 1243488, 1243564, 0, ... ) == 0xc043 00730 416 NtUserUnregisterClass (1243540, 1999896576, 1243528, ... ) == 0x1 00731 416 NtUserGetClassInfo (1999896576, 1243536, 1243488, 1243564, 0, ... ) == 0xc045 00732 416 NtUserUnregisterClass (1243540, 1999896576, 1243528, ... ) == 0x1 00733 416 NtUserGetClassInfo (1999896576, 1243536, 1243488, 1243564, 0, ... ) == 0xc047 00734 416 NtUserUnregisterClass (1243540, 1999896576, 1243528, ... ) == 0x1 00735 416 NtUserGetClassInfo (1999896576, 1243536, 1243488, 1243564, 0, ... ) == 0xc049 00736 416 NtUserUnregisterClass (1243540, 1999896576, 1243528, ... ) == 0x1 00737 416 NtUserGetClassInfo (1999896576, 1243536, 1243488, 1243564, 0, ... ) == 0xc04b 00738 416 NtUserUnregisterClass (1243540, 1999896576, 1243528, ... ) == 0x1 00739 416 NtUserGetClassInfo (1999896576, 1243536, 1243488, 1243564, 0, ... ) == 0xc04d 00740 416 NtUserUnregisterClass (1243540, 1999896576, 1243528, ... ) == 0x1 00741 416 NtUserGetClassInfo (1999896576, 1243536, 1243488, 1243564, 0, ... ) == 0xc04f 00742 416 NtUserUnregisterClass (1243540, 1999896576, 1243528, ... ) == 0x1 00743 416 NtUserGetClassInfo (1999896576, 1243536, 1243488, 1243564, 0, ... ) == 0xc051 00744 416 NtUserUnregisterClass (1243540, 1999896576, 1243528, ... ) == 0x1 00745 416 NtUserGetClassInfo (1999896576, 1243536, 1243488, 1243564, 0, ... 
) == 0xc053 00746 416 NtUserUnregisterClass (1243540, 1999896576, 1243528, ... ) == 0x1 00747 416 NtUserGetClassInfo (1999896576, 1243536, 1243488, 1243564, 0, ... ) == 0xc057 00748 416 NtUserUnregisterClass (1243540, 1999896576, 1243528, ... ) == 0x1 00749 416 NtUserGetClassInfo (1999896576, 1243536, 1243488, 1243564, 0, ... ) == 0xc059 00750 416 NtUserUnregisterClass (1243540, 1999896576, 1243528, ... ) == 0x1 00751 416 NtUserGetClassInfo (1999896576, 1243536, 1243488, 1243564, 0, ... ) == 0xc05b 00752 416 NtUserUnregisterClass (1243540, 1999896576, 1243528, ... ) == 0x1 00753 416 NtUserGetClassInfo (1999896576, 1243536, 1243488, 1243564, 0, ... ) == 0xc05d 00754 416 NtUserUnregisterClass (1243540, 1999896576, 1243528, ... ) == 0x1 00755 416 NtUserGetClassInfo (1999896576, 1243536, 1243488, 1243564, 0, ... ) == 0xc05f 00756 416 NtUserUnregisterClass (1243540, 1999896576, 1243528, ... ) == 0x1 00757 416 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x4,}, 4, ... ) == 0x0 00758 416 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x1,}, 4, ... ) == 0x0 00759 416 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x2,}, 4, ... ) == 0x0 00760 416 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x3,}, 4, ... ) == 0x0 00761 416 NtFreeVirtualMemory (-1, (0x0), 0, 32768, ... ) == STATUS_MEMORY_NOT_ALLOCATED 00762 416 NtRequestWaitReplyPort (24, {20, 48, new_msg, 0, 560, 2147344384, 0, 16216908} (24, {20, 48, new_msg, 0, 560, 2147344384, 0, 16216908} "\0\0\0\0\3\0\1\0L\0.\0D\0L\0\0\0\0\0" ... {20, 48, reply, 0, 412, 416, 1571, 0} "\0\0\0\0\3\0\1\0\0\0\0\0D\0L\0\0\0\0\0" ) ... {20, 48, reply, 0, 412, 416, 1571, 0} (24, {20, 48, new_msg, 0, 560, 2147344384, 0, 16216908} "\0\0\0\0\3\0\1\0L\0.\0D\0L\0\0\0\0\0" ... {20, 48, reply, 0, 412, 416, 1571, 0} "\0\0\0\0\3\0\1\0\0\0\0\0D\0L\0\0\0\0\0" ) ) == 0x0 00763 416 NtTerminateProcess (-1, 0, ... 00764 416 NtClose (44, ... ) == 0x0