Summary:


NtAddAtom(>)  1 
NtTestAlert(>)  1 
NtGdiCreateCompatibleDC(>)  3 
NtQueryDefaultLocale(>)  15 

NtCallbackReturn(>)  1 
NtUserCallNoParam(>)  1 
NtQueryVirtualMemory(>)  3 
NtUserRegisterWindowMessage(>)  19 

NtContinue(>)  1 
NtUserCallOneParam(>)  1 
NtSetInformationObject(>)  3 
NtCreateSection(>)  20 

NtCreateProcessEx(>)  1 
NtUserGetDC(>)  1 
NtWriteFile(>)  3 
NtOpenProcessTokenEx(>)  25 

NtCreateThread(>)  1 
NtUserGetThreadDesktop(>)  1 
NtFreeVirtualMemory(>)  4 
NtOpenThreadTokenEx(>)  25 

NtDuplicateObject(>)  1 
NtAccessCheck(>)  2 
NtWriteVirtualMemory(>)  4 
NtQueryAttributesFile(>)  25 

NtDuplicateToken(>)  1 
NtCreateKey(>)  2 
NtGdiGetStockObject(>)  5 
NtOpenSection(>)  27 

NtEnumerateValueKey(>)  1 
NtEnumerateKey(>)  2 
NtOpenProcessToken(>)  5 
NtQuerySystemInformation(>)  27 

NtFsControlFile(>)  1 
NtGdiCreateSolidBrush(>)  2 
NtCreateFile(>)  6 
NtQueryInformationToken(>)  31 

NtGdiCreateBitmap(>)  1 
NtOpenDirectoryObject(>)  2 
NtQueryVolumeInformationFile(>)  6 
NtOpenFile(>)  34 

NtGdiInit(>)  1 
NtOpenEvent(>)  2 
NtReadVirtualMemory(>)  6 
NtQueryValueKey(>)  38 

NtGdiQueryFontAssocInfo(>)  1 
NtOpenMutant(>)  2 
NtSetInformationThread(>)  6 
NtProtectVirtualMemory(>)  39 

NtGdiSelectBitmap(>)  1 
NtOpenSymbolicLinkObject(>)  2 
NtSetInformationProcess(>)  7 
NtUnmapViewOfSection(>)  42 

NtNotifyChangeKey(>)  1 
NtOpenThreadToken(>)  2 
NtQueryDefaultUILanguage(>)  8 
NtUserUnregisterClass(>)  45 

NtOpenKeyedEvent(>)  1 
NtQueryInstallUILanguage(>)  2 
NtQuerySection(>)  8 
NtUserFindExistingCursorIcon(>)  48 

NtOpenProcess(>)  1 
NtQuerySymbolicLinkObject(>)  2 
NtRequestWaitReplyPort(>)  8 
NtAllocateVirtualMemory(>)  52 

NtQueryInformationJobObject(>)  1 
NtReleaseMutant(>)  2 
NtQueryDirectoryFile(>)  10 
NtUserRegisterClassExWOW(>)  63 

NtQueryObject(>)  1 
NtSetInformationFile(>)  2 
NtUserSystemParametersInfo(>)  10 
NtMapViewOfSection(>)  66 

NtQueryPerformanceCounter(>)  1 
NtTerminateProcess(>)  2 
NtFlushInstructionCache(>)  11 
NtUserGetClassInfo(>)  82 

NtRegisterThreadTerminatePort(>)  1 
NtWaitForSingleObject(>)  2 
NtQueryInformationProcess(>)  12 
NtOpenKey(>)  102 

NtResumeThread(>)  1 
NtCreateEvent(>)  3 
NtQueryInformationFile(>)  13 
NtClose(>)  146 

NtSecureConnectPort(>)  1 
NtCreateSemaphore(>)  3 
NtQueryDebugFilterState(>)  15 

Trace:
 00001   440   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002   440   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00003   440   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00004   440   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1376256, 1048576, ) == 0x0
 00005   440   NtAllocateVirtualMemory  (-1, 1376256, 0, 4096, 4096, 4, ... 1376256, 4096, ) == 0x0
 00006   440   NtAllocateVirtualMemory  (-1, 1380352, 0, 8192, 4096, 4, ... 1380352, 8192, ) == 0x0
 00007   440   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00008   440   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2424832, 65536, ) == 0x0
 00009   440   NtAllocateVirtualMemory  (-1, 2424832, 0, 24576, 4096, 4, ... 2424832, 24576, ) == 0x0
 00010   440   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00011   440   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00012   440   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00013   440   NtClose  (12, ... ) == 0x0
 00014   440   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00015   440   NtQueryVolumeInformationFile  (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00016   440   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER
 00017   440   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018   440   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019   440   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0
 00020   440   NtClose  (16, ... ) == 0x0
 00021   440   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00022   440   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00023   440   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00024   440   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1385272, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2490368, 18415616}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1385272, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2490368, 18415616}, {0, 0, 0}, 200, 44, ) == 0x0
 00025   440   NtClose  (16, ... ) == 0x0
 00026   440   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00027   440   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00028   440   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00029   440   NtQueryVirtualMemory  (-1, 0x260000, Basic, 28, ... {BaseAddress=0x260000,AllocationBase=0x260000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00030   440   NtAllocateVirtualMemory  (-1, 2490368, 0, 4096, 4096, 4, ... 2490368, 4096, ) == 0x0
 00031   440   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 420, 440, 1433, 0} "\20\252\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ... {28, 56, reply, 0, 420, 440, 1433, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 420, 440, 1433, 0} "\20\252\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ) == 0x0
 00032   440   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00033   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00034   440   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00035   440   NtClose  (16, ... ) == 0x0
 00036   440   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00037   440   NtOpenMutant  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0
 00038   440   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 28, ) == 0x0
 00039   440   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x270000), 0x0, 90112, ) == 0x0
 00040   440   NtClose  (28, ... ) == 0x0
 00041   440   NtQueryDefaultLocale  (0, 2012046252, ... ) == 0x0
 00042   440   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0
 00043   440   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x290000), 0x0, 212992, ) == 0x0
 00044   440   NtClose  (28, ... ) == 0x0
 00045   440   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0
 00046   440   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2d0000), 0x0, 266240, ) == 0x0
 00047   440   NtQuerySection  (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00048   440   NtClose  (28, ... ) == 0x0
 00049   440   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0
 00050   440   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x320000), 0x0, 24576, ) == 0x0
 00051   440   NtClose  (28, ... ) == 0x0
 00052   440   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00053   440   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00054   440   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00055   440   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 420, 440, 1437, 0} "\370\323\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ... {28, 56, reply, 0, 420, 440, 1437, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 420, 440, 1437, 0} "\370\323\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ) == 0x0
 00056   440   NtProtectVirtualMemory  (-1, (0x44f000), 163840, 4, ... (0x44f000), 163840, 128, ) == 0x0
 00057   440   NtProtectVirtualMemory  (-1, (0x44f000), 163840, 128, ... (0x44f000), 163840, 4, ) == 0x0
 00058   440   NtFlushInstructionCache  (-1, 4517888, 163840, ... ) == 0x0
 00059   440   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "user32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00060   440   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0
 00061   440   NtClose  (28, ... ) == 0x0
 00062   440   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00063   440   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0
 00064   440   NtClose  (28, ... ) == 0x0
 00065   440   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00066   440   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0
 00067   440   NtClose  (28, ... ) == 0x0
 00068   440   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00069   440   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0
 00070   440   NtClose  (28, ... ) == 0x0
 00071   440   NtProtectVirtualMemory  (-1, (0x44f000), 163840, 4, ... (0x44f000), 163840, 64, ) == 0x0
 00072   440   NtProtectVirtualMemory  (-1, (0x44f000), 163840, 64, ... (0x44f000), 163840, 4, ) == 0x0
 00073   440   NtFlushInstructionCache  (-1, 4517888, 163840, ... ) == 0x0
 00074   440   NtOpenProcessToken  (-1, 0x8, ... 28, ) == 0x0
 00075   440   NtQueryInformationToken  (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00076   440   NtClose  (28, ... ) == 0x0
 00077   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00078   440   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00079   440   NtClose  (28, ... ) == 0x0
 00080   440   NtAllocateVirtualMemory  (-1, 1388544, 0, 4096, 4096, 4, ... 1388544, 4096, ) == 0x0
 00081   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00082   440   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00083   440   NtQueryValueKey  (28,  (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00084   440   NtClose  (28, ... ) == 0x0
 00085   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0
 00086   440   NtQueryValueKey  (28,  (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00087   440   NtClose  (28, ... ) == 0x0
 00088   440   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0
 00089   440   NtSetInformationObject  (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0
 00090   440   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00091   440   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00092   440   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0}  (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0} "\210\6\31\1\0\0\0\0\314\4\23\0!\215\30\34\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 420, 440, 1439, 0} "XQ\26\0\0\0\0\0\0\0\0\0!\215\30\34\3\0\0\0\234\6\31\1$\1\0\0" )  ... {28, 56, reply, 0, 420, 440, 1439, 0}  (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0} "\210\6\31\1\0\0\0\0\314\4\23\0!\215\30\34\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 420, 440, 1439, 0} "XQ\26\0\0\0\0\0\0\0\0\0!\215\30\34\3\0\0\0\234\6\31\1$\1\0\0" )  ) == 0x0
 00093   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00094   440   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x480000), 0x0, 1060864, ) == 0x0
 00095   440   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 36, ) == 0x0
 00096   440   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00097   440   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482208, ) == 0x0
 00098   440   NtQueryInformationToken  (-2147482208, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00099   440   NtQueryInformationToken  (-2147482208, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00100   440   NtClose  (-2147482208, ... ) == 0x0
 00101   440   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 5832704, 4096, ) == 0x0
 00102   440   NtFreeVirtualMemory  (-1, (0x590000), 4096, 32768, ... (0x590000), 4096, ) == 0x0
 00103   440   NtDuplicateObject  (-1, 40, -1, 0x0, 0, 2, ... 48, ) == 0x0
 00104   440   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 00105   440   NtQueryValueKey  (-2147482208,  (-2147482208, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00106   440   NtClose  (-2147482208, ... ) == 0x0
 00107   440   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 00108   440   NtQueryValueKey  (-2147482208,  (-2147482208, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00109   440   NtClose  (-2147482208, ... ) == 0x0
 00110   440   NtQueryDefaultLocale  (0, -135984628, ... ) == 0x0
 00111   440   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00112   440   NtUserCallNoParam  (24, ... ) == 0x0
 00113   440   NtGdiCreateCompatibleDC  (0, ...
 00114   440   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 5832704, 4096, ) == 0x0
 00113   440   NtGdiCreateCompatibleDC  ... ) == 0xb0103e1
 00115   440   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00116   440   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00117   440   NtGdiCreateBitmap  (8, 8, 1, 1, 2010393708, ... ) == 0x50503bc
 00118   440   NtGdiCreateSolidBrush  (0, 0, ...
 00119   440   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 9043968, 4096, ) == 0x0
 00118   440   NtGdiCreateSolidBrush  ... ) == 0x41003ba
 00120   440   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00121   440   NtGdiCreateCompatibleDC  (0, ... ) == 0x40103bb
 00122   440   NtGdiSelectBitmap  (67175355, 84214716, ... ) == 0x185000f
 00123   440   NtUserGetThreadDesktop  (440, 0, ... ) == 0x2c
 00124   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 52, ) }, ... 52, ) == 0x0
 00125   440   NtQueryValueKey  (52,  (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00126   440   NtClose  (52, ... ) == 0x0
 00127   440   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00128   440   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 673, 128, 0, ... ) == 0x810dc017
 00129   440   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00130   440   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 674, 128, 0, ... ) == 0x810dc01c
 00131   440   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00132   440   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 675, 128, 0, ... ) == 0x810dc01e
 00133   440   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00134   440   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 676, 128, 0, ... ) == 0x810d8002
 00135   440   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10013
 00136   440   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 677, 128, 0, ... ) == 0x810dc018
 00137   440   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00138   440   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 678, 128, 0, ... ) == 0x810dc01a
 00139   440   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00140   440   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 679, 128, 0, ... ) == 0x810dc01d
 00141   440   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00142   440   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 681, 128, 0, ... ) == 0x810dc026
 00143   440   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00144   440   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 680, 128, 0, ... ) == 0x810dc019
 00145   440   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ...
 00146   440   NtAllocateVirtualMemory  (-1, 5992448, 0, 4096, 4096, 32, ... 5992448, 4096, ) == 0x0
 00145   440   NtUserRegisterClassExWOW  ... ) == 0x810dc020
 00147   440   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810dc022
 00148   440   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc023
 00149   440   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810dc024
 00150   440   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc025
 00151   440   NtCallbackReturn  (0, 0, 0, ...
 00152   440   NtGdiInit  (... ) == 0x1
 00153   440   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00154   440   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00155   440   NtAllocateVirtualMemory  (-1, 0, 0, 9206, 4096, 4, ... 9109504, 12288, ) == 0x0
 00156   440   NtFreeVirtualMemory  (-1, (0x8b0000), 0, 32768, ... (0x8b0000), 12288, ) == 0x0
 00157   440   NtQueryVirtualMemory  (-1, 0x43980b, Basic, 28, ... {BaseAddress=0x439000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0x16000,State=0x1000,Protect=0x4,Type=0x1000000,}, 28, ) == 0x0
 00158   440   NtAllocateVirtualMemory  (-1, 1392640, 0, 4096, 4096, 4, ... 1392640, 4096, ) == 0x0
 00159   440   NtProtectVirtualMemory  (-1, (0x4001e8), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00160   440   NtProtectVirtualMemory  (-1, (0x4001e8), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00161   440   NtProtectVirtualMemory  (-1, (0x400210), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00162   440   NtProtectVirtualMemory  (-1, (0x400210), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00163   440   NtProtectVirtualMemory  (-1, (0x400238), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00164   440   NtProtectVirtualMemory  (-1, (0x400238), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00165   440   NtProtectVirtualMemory  (-1, (0x400260), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00166   440   NtProtectVirtualMemory  (-1, (0x400260), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00167   440   NtProtectVirtualMemory  (-1, (0x400288), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00168   440   NtProtectVirtualMemory  (-1, (0x400288), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00169   440   NtProtectVirtualMemory  (-1, (0x4002b0), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00170   440   NtProtectVirtualMemory  (-1, (0x4002b0), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00171   440   NtProtectVirtualMemory  (-1, (0x4002d8), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00172   440   NtProtectVirtualMemory  (-1, (0x4002d8), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00173   440   NtProtectVirtualMemory  (-1, (0x400300), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00174   440   NtProtectVirtualMemory  (-1, (0x400300), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00175   440   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 52, ) }, ... 52, ) == 0x0
 00176   440   NtQueryValueKey  (52,  (52, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00177   440   NtClose  (52, ... ) == 0x0
 00178   440   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MPR.dll"}, ... 52, ) }, ... 52, ) == 0x0
 00179   440   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71b20000), 0x0, 69632, ) == 0x0
 00180   440   NtClose  (52, ... ) == 0x0
 00181   440   NtCreateSemaphore  (0x1f0003, 0x0, 1, 1, ... 52, ) == 0x0
 00182   440   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 56, ) == 0x0
 00183   440   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "system\CurrentControlSet\control\NetworkProvider\HwOrder"}, ... 60, ) }, ... 60, ) == 0x0
 00184   440   NtNotifyChangeKey  (60, 56, 0, 0, 2011390432, 4, 0, 0, 0, 1, ... ) == 0x103
 00185   440   NtQueryInformationProcess  (-1, 28, 4, ... {process info, class 28, size 4}, 0x0, ) == 0x0
 00186   440   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 64, ) == 0x0
 00187   440   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 68, ) == 0x0
 00188   440   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ODBC32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00189   440   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\ODBC32.dll"}, 1241484, ... ) }, 1241484, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00190   440   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "ODBC32.dll"}, 1241484, ... ) }, 1241484, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00191   440   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ODBC32.dll"}, 1241484, ... ) }, 1241484, ... ) == 0x0
 00192   440   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ODBC32.dll"}, 5, 96, ... 72, {status=0x0, info=1}, ) }, 5, 96, ... 72, {status=0x0, info=1}, ) == 0x0
 00193   440   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 72, ... 76, ) == 0x0
 00194   440   NtQuerySection  (76, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00195   440   NtOpenProcessToken  (-1, 0x8, ... 80, ) == 0x0
 00196   440   NtQueryInformationToken  (80, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00197   440   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00198   440   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 84, ) }, ... 84, ) == 0x0
 00199   440   NtQueryValueKey  (84,  (84, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (84, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00200   440   NtClose  (84, ... ) == 0x0
 00201   440   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00202   440   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 84, ) == 0x0
 00203   440   NtQueryInformationToken  (84, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00204   440   NtClose  (84, ... ) == 0x0
 00205   440   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00206   440   NtClose  (80, ... ) == 0x0
 00207   440   NtClose  (72, ... ) == 0x0
 00208   440   NtMapViewOfSection  (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x1f7b0000), 0x0, 200704, ) == 0x0
 00209   440   NtClose  (76, ... ) == 0x0
 00210   440   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "COMCTL32.dll"}, ... 76, ) }, ... 76, ) == 0x0
 00211   440   NtMapViewOfSection  (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0
 00212   440   NtClose  (76, ... ) == 0x0
 00213   440   NtProtectVirtualMemory  (-1, (0x1f7b1000), 724, 4, ... (0x1f7b1000), 4096, 32, ) == 0x0
 00214   440   NtProtectVirtualMemory  (-1, (0x1f7b1000), 4096, 32, ... (0x1f7b1000), 4096, 4, ) == 0x0
 00215   440   NtFlushInstructionCache  (-1, 528158720, 724, ... ) == 0x0
 00216   440   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "comdlg32.dll"}, ... 76, ) }, ... 76, ) == 0x0
 00217   440   NtMapViewOfSection  (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x763b0000), 0x0, 282624, ) == 0x0
 00218   440   NtClose  (76, ... ) == 0x0
 00219   440   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 76, ) }, ... 76, ) == 0x0
 00220   440   NtMapViewOfSection  (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x772d0000), 0x0, 405504, ) == 0x0
 00221   440   NtClose  (76, ... ) == 0x0
 00222   440   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 76, ) }, ... 76, ) == 0x0
 00223   440   NtMapViewOfSection  (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0
 00224   440   NtClose  (76, ... ) == 0x0
 00225   440   NtProtectVirtualMemory  (-1, (0x763b1000), 1536, 4, ... (0x763b1000), 4096, 32, ) == 0x0
 00226   440   NtProtectVirtualMemory  (-1, (0x763b1000), 4096, 32, ... (0x763b1000), 4096, 4, ) == 0x0
 00227   440   NtFlushInstructionCache  (-1, 1983582208, 1536, ... ) == 0x0
 00228   440   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHELL32.dll"}, ... 76, ) }, ... 76, ) == 0x0
 00229   440   NtMapViewOfSection  (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 8339456, ) == 0x0
 00230   440   NtClose  (76, ... ) == 0x0
 00231   440   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {420, 0}, ... 76, ) == 0x0
 00232   440   NtQueryInformationProcess  (76, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 00233   440   NtClose  (76, ... ) == 0x0
 00234   440   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00235   440   NtUserSystemParametersInfo  (104, 0, 2000318720, 0, ... ) == 0x1
 00236   440   NtUserSystemParametersInfo  (38, 4, 2000318708, 0, ... ) == 0x1
 00237   440   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00238   440   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 76, ) == 0x0
 00239   440   NtQueryInformationToken  (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00240   440   NtClose  (76, ... ) == 0x0
 00241   440   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 76, ) }, ... 76, ) == 0x0
 00242   440   NtSetInformationObject  (76, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 00243   440   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "Control Panel\Desktop"}, ... 72, ) }, ... 72, ) == 0x0
 00244   440   NtQueryValueKey  (72,  (72, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00245   440   NtClose  (72, ... ) == 0x0
 00246   440   NtUserSystemParametersInfo  (41, 500, 1241216, 0, ... ) == 0x1
 00247   440   NtUserSystemParametersInfo  (102, 0, 2000318732, 0, ... ) == 0x1
 00248   440   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00249   440   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00250   440   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc03b
 00251   440   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00252   440   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc03d
 00253   440   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00254   440   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00255   440   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc03f
 00256   440   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00257   440   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00258   440   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc041
 00259   440   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00260   440   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00261   440   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc043
 00262   440   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00263   440   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc045
 00264   440   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00265   440   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00266   440   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc047
 00267   440   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00268   440   NtUserFindExistingCursorIcon  (1241004, 1241020, 1241588, ... ) == 0x10011
 00269   440   NtUserRegisterClassExWOW  (1241456, 1241536, 1241520, 1241552, 0, 384, 0, ... ) == 0x810dc049
 00270   440   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00271   440   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00272   440   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc04b
 00273   440   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00274   440   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00275   440   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc04d
 00276   440   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00277   440   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00278   440   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc04f
 00279   440   NtUserGetClassInfo  (1999896576, 1241628, 1241580, 1241656, 0, ... ) == 0x0
 00280   440   NtUserRegisterClassExWOW  (1241464, 1241544, 1241528, 1241560, 0, 384, 0, ... ) == 0x810dc051
 00281   440   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00282   440   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00283   440   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc053
 00284   440   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00285   440   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00286   440   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc055
 00287   440   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc057
 00288   440   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00289   440   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00290   440   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc059
 00291   440   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00292   440   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10013
 00293   440   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc05b
 00294   440   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00295   440   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00296   440   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc05d
 00297   440   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00298   440   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00299   440   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc05f
 00300   440   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00301   440   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 9109504, 65536, ) == 0x0
 00302   440   NtAllocateVirtualMemory  (-1, 9109504, 0, 4096, 4096, 4, ... 9109504, 4096, ) == 0x0
 00303   440   NtAllocateVirtualMemory  (-1, 9113600, 0, 8192, 4096, 4, ... 9113600, 8192, ) == 0x0
 00304   440   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 72, ) }, ... 72, ) == 0x0
 00305   440   NtMapViewOfSection  (72, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x8c0000), 0x0, 12288, ) == 0x0
 00306   440   NtClose  (72, ... ) == 0x0
 00307   440   NtAllocateVirtualMemory  (-1, 9121792, 0, 4096, 4096, 4, ... 9121792, 4096, ) == 0x0
 00308   440   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00309   440   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 72, ) }, ... 72, ) == 0x0
 00310   440   NtQueryValueKey  (72,  (72, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (72, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00311   440   NtClose  (72, ... ) == 0x0
 00312   440   NtQueryDefaultUILanguage  (1239840, ...
 00313   440   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00314   440   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482208, ) == 0x0
 00315   440   NtQueryInformationToken  (-2147482208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00316   440   NtClose  (-2147482208, ... ) == 0x0
 00317   440   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 00318   440   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00319   440   NtOpenKey  (0x80000000, {24, -2147482208, 0x640, 0, 0,  (0x80000000, {24, -2147482208, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482196, ) }, ... -2147482196, ) == 0x0
 00320   440   NtQueryValueKey  (-2147482196,  (-2147482196, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00321   440   NtClose  (-2147482196, ... ) == 0x0
 00322   440   NtClose  (-2147482208, ... ) == 0x0
 00312   440   NtQueryDefaultUILanguage  ... ) == 0x0
 00323   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00324   440   NtQueryInstallUILanguage  (2012047340, ... ) == 0x0
 00325   440   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1, 96, ... 72, {status=0x0, info=1}, ) }, 1, 96, ... 72, {status=0x0, info=1}, ) == 0x0
 00326   440   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 72, ... 80, ) == 0x0
 00327   440   NtMapViewOfSection  (80, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x8d0000), 0x0, 8323072, ) == 0x0
 00328   440   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00329   440   NtQueryDefaultUILanguage  (2013024600, ...
 00330   440   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00331   440   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482208, ) == 0x0
 00332   440   NtQueryInformationToken  (-2147482208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00333   440   NtClose  (-2147482208, ... ) == 0x0
 00334   440   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 00335   440   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00336   440   NtOpenKey  (0x80000000, {24, -2147482208, 0x640, 0, 0,  (0x80000000, {24, -2147482208, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482196, ) }, ... -2147482196, ) == 0x0
 00337   440   NtQueryValueKey  (-2147482196,  (-2147482196, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00338   440   NtClose  (-2147482196, ... ) == 0x0
 00339   440   NtClose  (-2147482208, ... ) == 0x0
 00329   440   NtQueryDefaultUILanguage  ... ) == 0x0
 00340   440   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00341   440   NtQueryInstallUILanguage  (2013024602, ... ) == 0x0
 00342   440   NtQueryDefaultLocale  (1, 1237876, ... ) == 0x0
 00343   440   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00344   440   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1238732, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1238732, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1H\0\0\0\377\377\377\377\0\0\0\0\20\311\304\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\314\355\22\0\0\0\0\0" ... {128, 156, reply, 0, 420, 440, 1450, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1H\0\0\0\377\377\377\377\0\0\0\0\20\311\304\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\314\355\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 420, 440, 1450, 0}  (24, {128, 156, new_msg, 0, 1238732, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1H\0\0\0\377\377\377\377\0\0\0\0\20\311\304\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\314\355\22\0\0\0\0\0" ... {128, 156, reply, 0, 420, 440, 1450, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1H\0\0\0\377\377\377\377\0\0\0\0\20\311\304\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\314\355\22\0\0\0\0\0" )  ) == 0x0
 00345   440   NtClose  (72, ... ) == 0x0
 00346   440   NtClose  (80, ... ) == 0x0
 00347   440   NtUnmapViewOfSection  (-1, 0x8d0000, ... ) == 0x0
 00348   440   NtUnmapViewOfSection  (-1, 0x12edcc, ... ) == STATUS_NOT_MAPPED_VIEW
 00349   440   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00350   440   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00351   440   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00352   440   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00353   440   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1236960, ... ) }, 1236960, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00354   440   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00355   440   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00356   440   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00357   440   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1237552, ... ) }, 1237552, ... ) == 0x0
 00358   440   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 80, {status=0x0, info=1}, ) }, 3, 33, ... 80, {status=0x0, info=1}, ) == 0x0
 00359   440   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00360   440   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 72, {status=0x0, info=1}, ) }, 5, 96, ... 72, {status=0x0, info=1}, ) == 0x0
 00361   440   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 72, ... 84, ) == 0x0
 00362   440   NtClose  (72, ... ) == 0x0
 00363   440   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x8d0000), 0x0, 921600, ) == 0x0
 00364   440   NtClose  (84, ... ) == 0x0
 00365   440   NtUnmapViewOfSection  (-1, 0x8d0000, ... ) == 0x0
 00366   440   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 84, {status=0x0, info=1}, ) }, 5, 96, ... 84, {status=0x0, info=1}, ) == 0x0
 00367   440   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 84, ... 72, ) == 0x0
 00368   440   NtQuerySection  (72, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00369   440   NtClose  (84, ... ) == 0x0
 00370   440   NtMapViewOfSection  (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0
 00371   440   NtClose  (72, ... ) == 0x0
 00372   440   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00373   440   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00374   440   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00375   440   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00376   440   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00377   440   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00378   440   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00379   440   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00380   440   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00381   440   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00382   440   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00383   440   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00384   440   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00385   440   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00386   440   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00387   440   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00388   440   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00389   440   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00390   440   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00391   440   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00392   440   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00393   440   NtAddAtom  ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1238736, ... ) , 42, 1238736, ... ) == 0x0
 00394   440   NtQueryDefaultUILanguage  (1237452, ...
 00395   440   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00396   440   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482208, ) == 0x0
 00397   440   NtQueryInformationToken  (-2147482208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00398   440   NtClose  (-2147482208, ... ) == 0x0
 00399   440   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 00400   440   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00401   440   NtOpenKey  (0x80000000, {24, -2147482208, 0x640, 0, 0,  (0x80000000, {24, -2147482208, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482196, ) }, ... -2147482196, ) == 0x0
 00402   440   NtQueryValueKey  (-2147482196,  (-2147482196, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00403   440   NtClose  (-2147482196, ... ) == 0x0
 00404   440   NtClose  (-2147482208, ... ) == 0x0
 00394   440   NtQueryDefaultUILanguage  ... ) == 0x0
 00405   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00406   440   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1236304, ... ) }, 1236304, ... ) == 0x0
 00407   440   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 72, {status=0x0, info=1}, ) }, 5, 96, ... 72, {status=0x0, info=1}, ) == 0x0
 00408   440   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 72, ... 84, ) == 0x0
 00409   440   NtClose  (72, ... ) == 0x0
 00410   440   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x8d0000), 0x0, 4096, ) == 0x0
 00411   440   NtClose  (84, ... ) == 0x0
 00412   440   NtUnmapViewOfSection  (-1, 0x8d0000, ... ) == 0x0
 00413   440   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1235944, ... ) }, 1235944, ... ) == 0x0
 00414   440   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1236644,  (0x80100080, {24, 0, 0x40, 0, 1236644, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 84, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 84, {status=0x0, info=1}, ) == 0x0
 00415   440   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 84, ... 72, ) == 0x0
 00416   440   NtClose  (84, ... ) == 0x0
 00417   440   NtMapViewOfSection  (72, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x8d0000), {0, 0}, 4096, ) == 0x0
 00418   440   NtClose  (72, ... ) == 0x0
 00419   440   NtUnmapViewOfSection  (-1, 0x8d0000, ... ) == 0x0
 00420   440   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 72, {status=0x0, info=1}, ) }, 1, 96, ... 72, {status=0x0, info=1}, ) == 0x0
 00421   440   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 72, ... 84, ) == 0x0
 00422   440   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x8d0000), 0x0, 4096, ) == 0x0
 00423   440   NtQueryInformationFile  (72, 1236264, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0
 00424   440   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00425   440   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1236344, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1236344, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1H\0\0\0T\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0x\344\22\0\0\0\0\0" ... {128, 156, reply, 0, 420, 440, 1451, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1H\0\0\0T\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0x\344\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 420, 440, 1451, 0}  (24, {128, 156, new_msg, 0, 1236344, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1H\0\0\0T\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0x\344\22\0\0\0\0\0" ... {128, 156, reply, 0, 420, 440, 1451, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1H\0\0\0T\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0x\344\22\0\0\0\0\0" )  ) == 0x0
 00426   440   NtClose  (72, ... ) == 0x0
 00427   440   NtClose  (84, ... ) == 0x0
 00428   440   NtUnmapViewOfSection  (-1, 0x8d0000, ... ) == 0x0
 00429   440   NtUnmapViewOfSection  (-1, 0x12e478, ... ) == STATUS_NOT_MAPPED_VIEW
 00430   440   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00431   440   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00432   440   NtUserSystemParametersInfo  (104, 0, 1906151468, 0, ... ) == 0x1
 00433   440   NtUserGetDC  (0, ... ) == 0x1010054
 00434   440   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 00435   440   NtUserSystemParametersInfo  (38, 4, 1906153440, 0, ... ) == 0x1
 00436   440   NtUserSystemParametersInfo  (66, 12, 1238756, 0, ... ) == 0x1
 00437   440   NtOpenProcessToken  (-1, 0x8, ... 84, ) == 0x0
 00438   440   NtAccessCheck  (1393080, 84, 0x1, 1238160, 1238104, 56, 1238188, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 00439   440   NtClose  (84, ... ) == 0x0
 00440   440   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "Control Panel\Desktop"}, ... 84, ) }, ... 84, ) == 0x0
 00441   440   NtQueryValueKey  (84,  (84, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00442   440   NtClose  (84, ... ) == 0x0
 00443   440   NtUserSystemParametersInfo  (41, 500, 1238256, 0, ... ) == 0x1
 00444   440   NtOpenKey  (0x1, {24, 76, 0x40, 0, 0,  (0x1, {24, 76, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 84, ) }, ... 84, ) == 0x0
 00445   440   NtQueryValueKey  (84,  (84, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00446   440   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 72, ) }, ... 72, ) == 0x0
 00447   440   NtQueryValueKey  (72,  (72, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00448   440   NtClose  (72, ... ) == 0x0
 00449   440   NtClose  (84, ... ) == 0x0
 00450   440   NtUserSystemParametersInfo  (102, 0, 1906153328, 0, ... ) == 0x1
 00451   440   NtUserSystemParametersInfo  (4130, 0, 1238780, 0, ... ) == 0x1
 00452   440   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 84, ) }, ... 84, ) == 0x0
 00453   440   NtEnumerateValueKey  (84, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 00454   440   NtClose  (84, ... ) == 0x0
 00455   440   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00456   440   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc03b
 00457   440   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc03d
 00458   440   NtUserFindExistingCursorIcon  (1238060, 1238076, 1238644, ... ) == 0x10011
 00459   440   NtUserRegisterClassExWOW  (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810dc03f
 00460   440   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00461   440   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc041
 00462   440   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00463   440   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc043
 00464   440   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc045
 00465   440   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00466   440   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ...
 00467   440   NtAllocateVirtualMemory  (-1, 5996544, 0, 4096, 4096, 32, ... 5996544, 4096, ) == 0x0
 00466   440   NtUserRegisterClassExWOW  ... ) == 0x810dc047
 00468   440   NtUserFindExistingCursorIcon  (1238060, 1238076, 1238644, ... ) == 0x10011
 00469   440   NtUserRegisterClassExWOW  (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810dc049
 00470   440   NtUserGetClassInfo  (1905590272, 1238676, 1238628, 1238704, 0, ... ) == 0xc049
 00471   440   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00472   440   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc04b
 00473   440   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00474   440   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc04d
 00475   440   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00476   440   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc04f
 00477   440   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc051
 00478   440   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00479   440   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc053
 00480   440   NtUserFindExistingCursorIcon  (1238060, 1238076, 1238644, ... ) == 0x10011
 00481   440   NtUserRegisterClassExWOW  (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810dc055
 00482   440   NtUserRegisterClassExWOW  (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810dc057
 00483   440   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00484   440   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc059
 00485   440   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10013
 00486   440   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc05b
 00487   440   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00488   440   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc05d
 00489   440   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00490   440   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc05f
 00491   440   NtUserFindExistingCursorIcon  (1238060, 1238076, 1238644, ... ) == 0x10011
 00492   440   NtUserRegisterClassExWOW  (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810dc017
 00493   440   NtUserFindExistingCursorIcon  (1238060, 1238076, 1238644, ... ) == 0x10011
 00494   440   NtUserRegisterClassExWOW  (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810dc019
 00495   440   NtUserFindExistingCursorIcon  (1238060, 1238076, 1238644, ... ) == 0x10013
 00496   440   NtUserRegisterClassExWOW  (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810dc018
 00497   440   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00498   440   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc01a
 00499   440   NtUserFindExistingCursorIcon  (1238060, 1238076, 1238644, ... ) == 0x10011
 00500   440   NtUserRegisterClassExWOW  (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810dc01c
 00501   440   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00502   440   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc01e
 00503   440   NtUserFindExistingCursorIcon  (1238060, 1238076, 1238644, ... ) == 0x10011
 00504   440   NtUserRegisterClassExWOW  (1238572, 1238652, 1238636, 1238668, 0, 384, 0, ... ) == 0x810dc01b
 00505   440   NtUserFindExistingCursorIcon  (1238056, 1238072, 1238640, ... ) == 0x10011
 00506   440   NtUserRegisterClassExWOW  (1238568, 1238648, 1238632, 1238664, 0, 384, 0, ... ) == 0x810dc068
 00507   440   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00508   440   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc06a
 00509   440   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc03b
 00510   440   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc03d
 00511   440   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc03f
 00512   440   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc041
 00513   440   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc043
 00514   440   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc045
 00515   440   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc047
 00516   440   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc049
 00517   440   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc04b
 00518   440   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc04d
 00519   440   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc04f
 00520   440   NtUserGetClassInfo  (1999896576, 1241580, 1241532, 1241608, 0, ... ) == 0xc051
 00521   440   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc053
 00522   440   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc055
 00523   440   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc059
 00524   440   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc05b
 00525   440   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc05d
 00526   440   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc05f
 00527   440   NtUserRegisterWindowMessage  ( ("WOWLFChange", ... ) , ... ) == 0xc06b
 00528   440   NtUserRegisterWindowMessage  ( ("WOWDirChange", ... ) , ... ) == 0xc06c
 00529   440   NtUserRegisterWindowMessage  ( ("WOWCHOOSEFONT_GETLOGFONT", ... ) , ... ) == 0xc06d
 00530   440   NtUserRegisterWindowMessage  ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06e
 00531   440   NtUserRegisterWindowMessage  ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc06f
 00532   440   NtUserRegisterWindowMessage  ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc070
 00533   440   NtUserRegisterWindowMessage  ( ("commdlg_ColorOK", ... ) , ... ) == 0xc071
 00534   440   NtUserRegisterWindowMessage  ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc072
 00535   440   NtUserRegisterWindowMessage  ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06e
 00536   440   NtUserRegisterWindowMessage  ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc06f
 00537   440   NtUserRegisterWindowMessage  ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc070
 00538   440   NtUserRegisterWindowMessage  ( ("commdlg_ColorOK", ... ) , ... ) == 0xc071
 00539   440   NtUserRegisterWindowMessage  ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc072
 00540   440   NtUserRegisterWindowMessage  ( ("Shell IDList Array", ... ) , ... ) == 0xc073
 00541   440   NtUserRegisterWindowMessage  ( ("commdlg_help", ... ) , ... ) == 0xc074
 00542   440   NtUserRegisterWindowMessage  ( ("commdlg_help", ... ) , ... ) == 0xc074
 00543   440   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\MDAC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00544   440   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00545   440   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00546   440   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00547   440   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 9371648, 262144, ) == 0x0
 00548   440   NtAllocateVirtualMemory  (-1, 9371648, 0, 4096, 4096, 4, ... 9371648, 4096, ) == 0x0
 00549   440   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00550   440   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 9633792, 262144, ) == 0x0
 00551   440   NtAllocateVirtualMemory  (-1, 9633792, 0, 4096, 4096, 4, ... 9633792, 4096, ) == 0x0
 00552   440   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00553   440   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 9895936, 262144, ) == 0x0
 00554   440   NtAllocateVirtualMemory  (-1, 9895936, 0, 4096, 4096, 4, ... 9895936, 4096, ) == 0x0
 00555   440   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00556   440   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 10158080, 262144, ) == 0x0
 00557   440   NtAllocateVirtualMemory  (-1, 10158080, 0, 4096, 4096, 4, ... 10158080, 4096, ) == 0x0
 00558   440   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00559   440   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00560   440   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00561   440   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00562   440   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 1237456, ... ) }, 1237456, ... ) == 0x0
 00563   440   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 5, 96, ... 84, {status=0x0, info=1}, ) }, 5, 96, ... 84, {status=0x0, info=1}, ) == 0x0
 00564   440   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 84, ... 72, ) == 0x0
 00565   440   NtClose  (84, ... ) == 0x0
 00566   440   NtMapViewOfSection  (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x9f0000), 0x0, 90112, ) == 0x0
 00567   440   NtClose  (72, ... ) == 0x0
 00568   440   NtUnmapViewOfSection  (-1, 0x9f0000, ... ) == 0x0
 00569   440   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 1237772, ... ) }, 1237772, ... ) == 0x0
 00570   440   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 5, 96, ... 72, {status=0x0, info=1}, ) }, 5, 96, ... 72, {status=0x0, info=1}, ) == 0x0
 00571   440   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 72, ... 84, ) == 0x0
 00572   440   NtQuerySection  (84, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00573   440   NtClose  (72, ... ) == 0x0
 00574   440   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x1f850000), 0x0, 90112, ) == 0x0
 00575   440   NtClose  (84, ... ) == 0x0
 00576   440   NtQueryDefaultLocale  (1, 1239460, ... ) == 0x0
 00577   440   NtAllocateVirtualMemory  (-1, 9375744, 0, 4096, 4096, 4, ... 9375744, 4096, ) == 0x0
 00578   440   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE"}, ... 84, ) }, ... 84, ) == 0x0
 00579   440   NtClose  (84, ... ) == 0x0
 00580   440   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00581   440   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00582   440   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00583   440   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00584   440   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WININET.dll"}, ... 84, ) }, ... 84, ) == 0x0
 00585   440   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76200000), 0x0, 618496, ) == 0x0
 00586   440   NtClose  (84, ... ) == 0x0
 00587   440   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "CRYPT32.dll"}, ... 84, ) }, ... 84, ) == 0x0
 00588   440   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762c0000), 0x0, 565248, ) == 0x0
 00589   440   NtClose  (84, ... ) == 0x0
 00590   440   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSASN1.dll"}, ... 84, ) }, ... 84, ) == 0x0
 00591   440   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762a0000), 0x0, 61440, ) == 0x0
 00592   440   NtClose  (84, ... ) == 0x0
 00593   440   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLEAUT32.dll"}, ... 84, ) }, ... 84, ) == 0x0
 00594   440   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0
 00595   440   NtClose  (84, ... ) == 0x0
 00596   440   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLE32.DLL"}, ... 84, ) }, ... 84, ) == 0x0
 00597   440   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0
 00598   440   NtClose  (84, ... ) == 0x0
 00599   440   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\crypt32\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00600   440   NtAllocateVirtualMemory  (-1, 1396736, 0, 4096, 4096, 4, ... 1396736, 4096, ) == 0x0
 00601   440   NtAllocateVirtualMemory  (-1, 1400832, 0, 4096, 4096, 4, ... 1400832, 4096, ) == 0x0
 00602   440   NtAllocateVirtualMemory  (-1, 1404928, 0, 4096, 4096, 4, ... 1404928, 4096, ) == 0x0
 00603   440   NtAllocateVirtualMemory  (-1, 1409024, 0, 4096, 4096, 4, ... 1409024, 4096, ) == 0x0
 00604   440   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 84, ) }, ... 84, ) == 0x0
 00605   440   NtCreateEvent  (0x1f0003, {24, 84, 0x80, 1241616, 0,  (0x1f0003, {24, 84, 0x80, 1241616, 0, "Global\crypt32LogoffEvent"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED
 00606   440   NtOpenEvent  (0x100000, {24, 84, 0x0, 0, 0,  (0x100000, {24, 84, 0x0, 0, 0, "Global\crypt32LogoffEvent"}, ... 72, ) }, ... 72, ) == 0x0
 00607   440   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00608   440   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00609   440   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 88, ) }, ... 88, ) == 0x0
 00610   440   NtQueryValueKey  (88,  (88, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0
 00611   440   NtClose  (88, ... ) == 0x0
 00612   440   NtAllocateVirtualMemory  (-1, 1413120, 0, 4096, 4096, 4, ... 1413120, 4096, ) == 0x0
 00613   440   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00614   440   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00615   440   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00616   440   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00617   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 88, ) }, ... 88, ) == 0x0
 00618   440   NtQueryValueKey  (88,  (88, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00619   440   NtQueryValueKey  (88,  (88, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00620   440   NtQueryValueKey  (88,  (88, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00621   440   NtClose  (88, ... ) == 0x0
 00622   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 88, ) }, ... 88, ) == 0x0
 00623   440   NtQueryValueKey  (88,  (88, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00624   440   NtQueryValueKey  (88,  (88, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00625   440   NtClose  (88, ... ) == 0x0
 00626   440   NtOpenEvent  (0x1f0003, {24, 84, 0x0, 0, 0,  (0x1f0003, {24, 84, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00627   440   NtUserRegisterWindowMessage  ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b
 00628   440   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00629   440   NtOpenKey  (0x9, {24, 28, 0x40, 0, 0,  (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00630   440   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00631   440   NtAllocateVirtualMemory  (-1, 1417216, 0, 8192, 4096, 4, ... 1417216, 8192, ) == 0x0
 00632   440   NtCreateKey  (0xf003f, {24, 76, 0x40, 0, 0,  (0xf003f, {24, 76, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History"}, 0, 0x0, 0, ... 88, 2, ) }, 0, 0x0, 0, ... 88, 2, ) == 0x0
 00633   440   NtQueryDefaultUILanguage  (1239852, ...
 00634   440   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00635   440   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482208, ) == 0x0
 00636   440   NtQueryInformationToken  (-2147482208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00637   440   NtClose  (-2147482208, ... ) == 0x0
 00638   440   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 00639   440   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00640   440   NtOpenKey  (0x80000000, {24, -2147482208, 0x640, 0, 0,  (0x80000000, {24, -2147482208, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482196, ) }, ... -2147482196, ) == 0x0
 00641   440   NtQueryValueKey  (-2147482196,  (-2147482196, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00642   440   NtClose  (-2147482196, ... ) == 0x0
 00643   440   NtClose  (-2147482208, ... ) == 0x0
 00633   440   NtQueryDefaultUILanguage  ... ) == 0x0
 00644   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00645   440   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll"}, 1, 96, ... 92, {status=0x0, info=1}, ) }, 1, 96, ... 92, {status=0x0, info=1}, ) == 0x0
 00646   440   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 92, ... 96, ) == 0x0
 00647   440   NtMapViewOfSection  (96, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x9f0000), 0x0, 593920, ) == 0x0
 00648   440   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00649   440   NtQueryDefaultLocale  (1, 1237888, ... ) == 0x0
 00650   440   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00651   440   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1238744, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1238744, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\\0\0\0\377\377\377\377\0\0\0\0P\275\246\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\330\355\22\0\0\0\0\0" ... {128, 156, reply, 0, 420, 440, 1452, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\\0\0\0\377\377\377\377\0\0\0\0P\275\246\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\330\355\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 420, 440, 1452, 0}  (24, {128, 156, new_msg, 0, 1238744, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\\0\0\0\377\377\377\377\0\0\0\0P\275\246\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\330\355\22\0\0\0\0\0" ... {128, 156, reply, 0, 420, 440, 1452, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\\0\0\0\377\377\377\377\0\0\0\0P\275\246\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\330\355\22\0\0\0\0\0" )  ) == 0x0
 00652   440   NtClose  (92, ... ) == 0x0
 00653   440   NtClose  (96, ... ) == 0x0
 00654   440   NtUnmapViewOfSection  (-1, 0x9f0000, ... ) == 0x0
 00655   440   NtUnmapViewOfSection  (-1, 0x12edd8, ... ) == STATUS_NOT_MAPPED_VIEW
 00656   440   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00657   440   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00658   440   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00659   440   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00660   440   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1236428, ... ) }, 1236428, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00661   440   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00662   440   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00663   440   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00664   440   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1237020, ... ) }, 1237020, ... ) == 0x0
 00665   440   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 96, {status=0x0, info=1}, ) }, 3, 33, ... 96, {status=0x0, info=1}, ) == 0x0
 00666   440   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00667   440   NtCreateKey  (0x2001f, {24, 76, 0x40, 0, 0,  (0x2001f, {24, 76, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 92, 2, ) }, 0, 0x0, 0, ... 92, 2, ) == 0x0
 00668   440   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00669   440   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1241484, ... ) }, 1241484, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00670   440   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2_32.dll"}, 1241484, ... ) }, 1241484, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00671   440   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 1241484, ... ) }, 1241484, ... ) == 0x0
 00672   440   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 5, 96, ... 100, {status=0x0, info=1}, ) }, 5, 96, ... 100, {status=0x0, info=1}, ) == 0x0
 00673   440   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 100, ... 104, ) == 0x0
 00674   440   NtQuerySection  (104, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00675   440   NtClose  (100, ... ) == 0x0
 00676   440   NtMapViewOfSection  (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 86016, ) == 0x0
 00677   440   NtClose  (104, ... ) == 0x0
 00678   440   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00679   440   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1240680, ... ) }, 1240680, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00680   440   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2HELP.dll"}, 1240680, ... ) }, 1240680, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00681   440   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 1240680, ... ) }, 1240680, ... ) == 0x0
 00682   440   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0
 00683   440   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 104, ... 100, ) == 0x0
 00684   440   NtQuerySection  (100, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00685   440   NtClose  (104, ... ) == 0x0
 00686   440   NtMapViewOfSection  (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00687   440   NtClose  (100, ... ) == 0x0
 00688   440   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00689   440   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00690   440   NtTestAlert  (... ) == 0x0
 00691   440   NtContinue  (1244464, 1, ...
 00692   440   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x47637c,}, 4, ... ) == 0x0
 00693   440   NtQueryPerformanceCounter  (... {114330010, 0}, {3579545, 0}, ) == 0x0
 00694   440   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00695   440   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 10420224, 65536, ) == 0x0
 00696   440   NtAllocateVirtualMemory  (-1, 10420224, 0, 4096, 4096, 4, ... 10420224, 4096, ) == 0x0
 00697   440   NtAllocateVirtualMemory  (-1, 10424320, 0, 8192, 4096, 4, ... 10424320, 8192, ) == 0x0
 00698   440   NtAllocateVirtualMemory  (-1, 10432512, 0, 4096, 4096, 4, ... 10432512, 4096, ) == 0x0
 00699   440   NtAllocateVirtualMemory  (-1, 10436608, 0, 4096, 4096, 4, ... 10436608, 4096, ) == 0x0
 00700   440   NtCreateSection  (0xf001f, 0x0, {4194304, 0}, 4, 67108864, 0, ... 100, ) == 0x0
 00701   440   NtMapViewOfSection  (100, -1, (0x0), 0, 0, 0x0, 4194304, 2, 0, 4, ... (0xa00000), 0x0, 4194304, ) == 0x0
 00702   440   NtAllocateVirtualMemory  (-1, 10485760, 0, 1, 4096, 4, ... 10485760, 4096, ) == 0x0
 00703   440   NtAllocateVirtualMemory  (-1, 10489856, 0, 2536, 4096, 4, ... 10489856, 4096, ) == 0x0
 00704   440   NtCreateSection  (0xf0007, 0x0, {24524, 0}, 4, 134217728, 0, ... 104, ) == 0x0
 00705   440   NtMapViewOfSection  (104, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xe00000), {0, 0}, 24576, ) == 0x0
 00706   440   NtUnmapViewOfSection  (-1, 0xe00000, ... ) == 0x0
 00707   440   NtMapViewOfSection  (104, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xe00000), {0, 0}, 24576, ) == 0x0
 00708   440   NtClose  (100, ... ) == 0x0
 00709   440   NtUnmapViewOfSection  (-1, 0xa00000, ... ) == 0x0
 00710   440   NtUnmapViewOfSection  (-1, 0xe00000, ... ) == 0x0
 00711   440   NtMapViewOfSection  (104, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa00000), {0, 0}, 24576, ) == 0x0
 00712   440   NtUnmapViewOfSection  (-1, 0xa00000, ... ) == 0x0
 00713   440   NtMapViewOfSection  (104, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa00000), {0, 0}, 24576, ) == 0x0
 00714   440   NtUnmapViewOfSection  (-1, 0xa00000, ... ) == 0x0
 00715   440   NtMapViewOfSection  (104, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa00000), {0, 0}, 24576, ) == 0x0
 00716   440   NtUnmapViewOfSection  (-1, 0xa00000, ... ) == 0x0
 00717   440   NtMapViewOfSection  (104, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa00000), {0, 0}, 24576, ) == 0x0
 00718   440   NtUnmapViewOfSection  (-1, 0xa00000, ... ) == 0x0
 00719   440   NtMapViewOfSection  (104, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa00000), {0, 0}, 24576, ) == 0x0
 00720   440   NtUnmapViewOfSection  (-1, 0xa00000, ... ) == 0x0
 00721   440   NtMapViewOfSection  (104, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa00000), {0, 0}, 24576, ) == 0x0
 00722   440   NtUnmapViewOfSection  (-1, 0xa00000, ... ) == 0x0
 00723   440   NtMapViewOfSection  (104, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa00000), {0, 0}, 24576, ) == 0x0
 00724   440   NtUnmapViewOfSection  (-1, 0xa00000, ... ) == 0x0
 00725   440   NtMapViewOfSection  (104, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa00000), {0, 0}, 24576, ) == 0x0
 00726   440   NtUnmapViewOfSection  (-1, 0xa00000, ... ) == 0x0
 00727   440   NtMapViewOfSection  (104, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa00000), {0, 0}, 24576, ) == 0x0
 00728   440   NtUnmapViewOfSection  (-1, 0xa00000, ... ) == 0x0
 00729   440   NtMapViewOfSection  (104, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa00000), {0, 0}, 24576, ) == 0x0
 00730   440   NtUnmapViewOfSection  (-1, 0xa00000, ... ) == 0x0
 00731   440   NtMapViewOfSection  (104, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa00000), {0, 0}, 24576, ) == 0x0
 00732   440   NtUnmapViewOfSection  (-1, 0xa00000, ... ) == 0x0
 00733   440   NtMapViewOfSection  (104, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa00000), {0, 0}, 24576, ) == 0x0
 00734   440   NtUnmapViewOfSection  (-1, 0xa00000, ... ) == 0x0
 00735   440   NtMapViewOfSection  (104, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa00000), {0, 0}, 24576, ) == 0x0
 00736   440   NtUnmapViewOfSection  (-1, 0xa00000, ... ) == 0x0
 00737   440   NtMapViewOfSection  (104, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa00000), {0, 0}, 24576, ) == 0x0
 00738   440   NtUnmapViewOfSection  (-1, 0xa00000, ... ) == 0x0
 00739   440   NtMapViewOfSection  (104, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa00000), {0, 0}, 24576, ) == 0x0
 00740   440   NtUnmapViewOfSection  (-1, 0xa00000, ... ) == 0x0
 00741   440   NtMapViewOfSection  (104, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa00000), {0, 0}, 24576, ) == 0x0
 00742   440   NtUnmapViewOfSection  (-1, 0xa00000, ... ) == 0x0
 00743   440   NtMapViewOfSection  (104, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa00000), {0, 0}, 24576, ) == 0x0
 00744   440   NtUnmapViewOfSection  (-1, 0xa00000, ... ) == 0x0
 00745   440   NtMapViewOfSection  (104, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa00000), {0, 0}, 24576, ) == 0x0
 00746   440   NtUnmapViewOfSection  (-1, 0xa00000, ... ) == 0x0
 00747   440   NtMapViewOfSection  (104, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa00000), {0, 0}, 24576, ) == 0x0
 00748   440   NtUnmapViewOfSection  (-1, 0xa00000, ... ) == 0x0
 00749   440   NtMapViewOfSection  (104, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa00000), {0, 0}, 24576, ) == 0x0
 00750   440   NtUnmapViewOfSection  (-1, 0xa00000, ... ) == 0x0
 00751   440   NtMapViewOfSection  (104, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa00000), {0, 0}, 24576, ) == 0x0
 00752   440   NtUnmapViewOfSection  (-1, 0xa00000, ... ) == 0x0
 00753   440   NtMapViewOfSection  (104, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa00000), {0, 0}, 24576, ) == 0x0
 00754   440   NtUnmapViewOfSection  (-1, 0xa00000, ... ) == 0x0
 00755   440   NtMapViewOfSection  (104, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa00000), {0, 0}, 24576, ) == 0x0
 00756   440   NtUnmapViewOfSection  (-1, 0xa00000, ... ) == 0x0
 00757   440   NtMapViewOfSection  (104, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa00000), {0, 0}, 24576, ) == 0x0
 00758   440   NtUnmapViewOfSection  (-1, 0xa00000, ... ) == 0x0
 00759   440   NtClose  (104, ... ) == 0x0
 00760   440   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1241940,  (0x80100080, {24, 0, 0x40, 0, 1241940, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 104, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 104, {status=0x0, info=1}, ) == 0x0
 00761   440   NtQueryInformationFile  (104, 1242876, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0
 00762   440   NtQueryInformationFile  (104, 1242848, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00763   440   NtQueryInformationFile  (104, 1242800, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00764   440   NtAllocateVirtualMemory  (-1, 1425408, 0, 8192, 4096, 4, ... 1425408, 8192, ) == 0x0
 00765   440   NtQueryInformationFile  (104, 1422408, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0
 00766   440   NtQueryInformationFile  (104, 1241344, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00767   440   NtQueryInformationFile  (104, 1241188, 4, Ea, ... {status=0x0, info=4}, ) == 0x0
 00768   440   NtCreateFile  (0x40110080, {24, 0, 0x40, 0, 1241196,  (0x40110080, {24, 0, 0x40, 0, 1241196, "\??\C:\WINDOWS\System32\ltcisi.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ...
 00769   440   NtClose  (-2147482208, ... ) == 0x0
 00768   440   NtCreateFile  ... 100, {status=0x0, info=2}, ) == 0x0
 00770   440   NtQueryVolumeInformationFile  (100, 1240568, 536, Attribute, ... {status=0x0, info=22}, ) == 0x0
 00771   440   NtQueryInformationFile  (100, 1240528, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00772   440   NtQueryVolumeInformationFile  (104, 1240568, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 00773   440   NtQueryVolumeInformationFile  (104, 1240252, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00774   440   NtSetInformationFile  (100, 1240356, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00775   440   NtCreateSection  (0xf001f, 0x0, 0x0, 2, 134217728, 104, ... 108, ) == 0x0
 00776   440   NtMapViewOfSection  (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xa00000), {0, 0}, 172032, ) == 0x0
 00777   440   NtClose  (108, ... ) == 0x0
 00778   440   NtWriteFile  (100, 0, 0, 0,  (100, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\177\6\12\277;gd\354;gd\354;gd\354\34\241\31\354!gd\354\34\241\11\354\265gd\354\34\241\12\354\11gd\354\270o9\3549gd\354\370h9\354*gd\354;ge\354\224gd\354\34\241\26\354!gd\354\34\241\34\354:gd\354Rich;gd\354\0\0\0\0\0\0\0\0\230b\204\276\370\31\360!-\217m\240J2\323\227PE\0\0L\1\10\09\320vF\0\0\0\0\0\0\0\0\340\0\2\1\13\1\10\0\0\320\1\0\0\220\0\0\0\0\0\0|c\7\0\0\360\4\0\0\340\1\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\200\7\0\0\20\0\0=\6\3\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\360\4\0\20\1\0\0\0P\3\0\260\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0p\7\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\234\367\4\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\0\320\1\0", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 00779   440   NtWriteFile  (100, 0, 0, 0,  (100, 0, 0, 0, "\5\3721o\332\2413\0~z_i\311\250\270\246\215{\233R'\6\341\177\353\350"#g\332]\231\343:\371\302\313+\354L\254\215\313\360R\364\256x\367\256\23,u\30zgRD-\25\367\272Y\177\374\1>\354>\300\232\3254\245~\357\3574\253N\340\255BSU\212E/\235l\302I\3678\254\256\266t\355\300\35\213\246\233\336V\303I?\252\376M\246q\233Y\\251\33=\232\216\210\2\365\265I\2601v\206\214\271\262q\226t\325\204i\21\327\277\266b\376\307\274\353\342\215\216\4b\21\246r4$\214\227Fb\223+\220s\255\27X\216\23[\327%\340\35\243\10\217b]\304\314\4\23\225']\203\231U\366ej\357\271\2106\302J\272\2.\301\240x\247\260\343\257u\351\27T\13\201\242H\327\3\17\220\371\355*\\331'\26\210\302\5\350\12x\331\306\230\263\323\342\272\306Q\1\221\257d@\340\303\360\203&\337\30|\202\330U\26\26X\347\271\277h:h\377\263I\246\202\342\327:\301N\251\337\0\206`\317y\272\374\203\241u>\27\243Te\3\32\2325\210\253p\231\336R?z7+J\10I,/i\230P\36\240\341s\265]# \213Qi\237\304\352PH\246\201\254C\273V3W\234\1\301?\237\322x\277\213\206\24F#\216\345\205_\225+\325\24\240J\12\320p\20f\35\323\335\342O\243[qo\312\373\275\234\242\340U\215\247\251\s\12\233u>\221U* xZ\26634\347\317\357\W\213\336\346\242\7\23\207\10~\256\376\202\262\257\312\321\347\Y\351s_T\321\362\221\310\27\210\31\201\227c\372\202\12\302_\311\361\342\207\3727\177\3\3038_x\345w\304U\236\353\237\252\251\236\353b\344\3714\364\16?\234x\307\337\305\362{\347m]T\352\211\11\35\265\334\205c\206\207\35", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) #g\332]\231\343:\371\302\313+\354L\254\215\313\360R\364\256x\367\256\23,u\30zgRD-\25\367\272Y\177\374\1>\354>\300\232\3254\245~\357\3574\253N\340\255BSU\212E/\235l\302I\3678\254\256\266t\355\300\35\213\246\233\336V\303I?\252\376M\246q\233Y\\251\33=\232\216\210\2\365\265I\2601v\206\214\271\262q\226t\325\204i\21\327\277\266b\376\307\274\353\342\215\216\4b\21\246r4$\214\227Fb\223+\220s\255\27X\216\23[\327%\340\35\243\10\217b]\304\314\4\23\225']\203\231U\366ej\357\271\2106\302J\272\2.\301\240x\247\260\343\257u\351\27T\13\201\242H\327\3\17\220\371\355*\\331'\26\210\302\5\350\12x\331\306\230\263\323\342\272\306Q\1\221\257d@\340\303\360\203&\337\30|\202\330U\26\26X\347\271\277h:h\377\263I\246\202\342\327:\301N\251\337\0\206`\317y\272\374\203\241u>\27\243Te\3\32\2325\210\253p\231\336R?z7+J\10I,/i\230P\36\240\341s\265]# \213Qi\237\304\352PH\246\201\254C\273V3W\234\1\301?\237\322x\277\213\206\24F#\216\345\205_\225+\325\24\240J\12\320p\20f\35\323\335\342O\243[qo\312\373\275\234\242\340U\215\247\251\s\12\233u>\221U* xZ\26634\347\317\357\W\213\336\346\242\7\23\207\10~\256\376\202\262\257\312\321\347\Y\351s_T\321\362\221\310\27\210\31\201\227c\372\202\12\302_\311\361\342\207\3727\177\3\3038_x\345w\304U\236\353\237\252\251\236\353b\344\3714\364\16?\234x\307\337\305\362{\347m]T\352\211\11\35\265\334\205c\206\207\35", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 00780   440   NtWriteFile  (100, 0, 0, 0,  (100, 0, 0, 0, "%\22F;Qb\207\204+.*]\362*\275\251\221\346\213B\33\14O\363MA\300\316-\232\351\27\246\370\223\207\24276\21[\324Z\267f\274\351\24x\276\12B/\352&9F\204\25\27Xg\22\15\375\254\355\20\246\322\335?Q_\253/\256\34D\313\236hU\374E_\311\276\206%5\253\304o\22d\354\354~\30\177y\33\224\363:\27\373<\314\227Zu\3#-uL*\304\275>J\14\37\334)s\257V\322\376\246\302\266\12\234xW\325\256\102D\352\24\317\253lA\367O\324\375R"`\331>\251MB\221\356n\206\300\35]\2367M\341Y\205j\244}\15\337\276[\232\267\273\275!SZ\222k\302]s\364\263=0\256\2149\26\252\234\35J\376k\210\304:cS\264\213`\301\245\320,\15\373\325\35\214U\274\226V\235l[\25\247\7\326M1w\325\307g\27[\242B\325c"\257\227\367\335\311lr\265\3WF\344\322.\352\302\2426\23\264\331'F\254b\314\321\25{5\320\252\34\367I\202\216\7\257\256F\357\177\256\266k"\354:"\344\0\336\17\3740\341\264\252n\272\367\217\25Tl\356L\?\326\345\237\177\11=\334\\5v-N4\227\201h7\210Cg\275\252\332\370!'\317=\376\2\321\273\203\315\234\10u\242\365s\222\207\367\3555\261F\257\16Y\317\356F\366Ul\249\26\247\5\343{\353\201?$\317\327\273\276\211\27\207"\275[LW\253\335\234\2640\215\303\203\7\327\20\4\135\257\324\322SD\21ZM\241\212\0\2158\337\277\33\224\221\243\3368\236\273\3263\307\367\240j\243\252\275\230\244;M\250\333\333>\332\331\2652\327\352\37\266)\5U\241]ik\215C\305X\360m\330\220\366\360\35\212\344#q\207\231\334[{d\355\33_\345\76K\362`", 47616, 0x0, 0, ... {status=0x0, info=47616}, ) `\331>\251MB\221\356n\206\300\35]\2367M\341Y\205j\244}\15\337\276[\232\267\273\275!SZ\222k\302]s\364\263=0\256\2149\26\252\234\35J\376k\210\304:cS\264\213`\301\245\320,\15\373\325\35\214U\274\226V\235l[\25\247\7\326M1w\325\307g\27[\242B\325c (100, 0, 0, 0, "%\22F;Qb\207\204+.*]\362*\275\251\221\346\213B\33\14O\363MA\300\316-\232\351\27\246\370\223\207\24276\21[\324Z\267f\274\351\24x\276\12B/\352&9F\204\25\27Xg\22\15\375\254\355\20\246\322\335?Q_\253/\256\34D\313\236hU\374E_\311\276\206%5\253\304o\22d\354\354~\30\177y\33\224\363:\27\373<\314\227Zu\3#-uL*\304\275>J\14\37\334)s\257V\322\376\246\302\266\12\234xW\325\256\102D\352\24\317\253lA\367O\324\375R"`\331>\251MB\221\356n\206\300\35]\2367M\341Y\205j\244}\15\337\276[\232\267\273\275!SZ\222k\302]s\364\263=0\256\2149\26\252\234\35J\376k\210\304:cS\264\213`\301\245\320,\15\373\325\35\214U\274\226V\235l[\25\247\7\326M1w\325\307g\27[\242B\325c"\257\227\367\335\311lr\265\3WF\344\322.\352\302\2426\23\264\331'F\254b\314\321\25{5\320\252\34\367I\202\216\7\257\256F\357\177\256\266k"\354:"\344\0\336\17\3740\341\264\252n\272\367\217\25Tl\356L\?\326\345\237\177\11=\334\\5v-N4\227\201h7\210Cg\275\252\332\370!'\317=\376\2\321\273\203\315\234\10u\242\365s\222\207\367\3555\261F\257\16Y\317\356F\366Ul\249\26\247\5\343{\353\201?$\317\327\273\276\211\27\207"\275[LW\253\335\234\2640\215\303\203\7\327\20\4\135\257\324\322SD\21ZM\241\212\0\2158\337\277\33\224\221\243\3368\236\273\3263\307\367\240j\243\252\275\230\244;M\250\333\333>\332\331\2652\327\352\37\266)\5U\241]ik\215C\305X\360m\330\220\366\360\35\212\344#q\207\231\334[{d\355\33_\345\76K\362`", 47616, 0x0, 0, ... {status=0x0, info=47616}, ) \354: (100, 0, 0, 0, "%\22F;Qb\207\204+.*]\362*\275\251\221\346\213B\33\14O\363MA\300\316-\232\351\27\246\370\223\207\24276\21[\324Z\267f\274\351\24x\276\12B/\352&9F\204\25\27Xg\22\15\375\254\355\20\246\322\335?Q_\253/\256\34D\313\236hU\374E_\311\276\206%5\253\304o\22d\354\354~\30\177y\33\224\363:\27\373<\314\227Zu\3#-uL*\304\275>J\14\37\334)s\257V\322\376\246\302\266\12\234xW\325\256\102D\352\24\317\253lA\367O\324\375R"`\331>\251MB\221\356n\206\300\35]\2367M\341Y\205j\244}\15\337\276[\232\267\273\275!SZ\222k\302]s\364\263=0\256\2149\26\252\234\35J\376k\210\304:cS\264\213`\301\245\320,\15\373\325\35\214U\274\226V\235l[\25\247\7\326M1w\325\307g\27[\242B\325c"\257\227\367\335\311lr\265\3WF\344\322.\352\302\2426\23\264\331'F\254b\314\321\25{5\320\252\34\367I\202\216\7\257\256F\357\177\256\266k"\354:"\344\0\336\17\3740\341\264\252n\272\367\217\25Tl\356L\?\326\345\237\177\11=\334\\5v-N4\227\201h7\210Cg\275\252\332\370!'\317=\376\2\321\273\203\315\234\10u\242\365s\222\207\367\3555\261F\257\16Y\317\356F\366Ul\249\26\247\5\343{\353\201?$\317\327\273\276\211\27\207"\275[LW\253\335\234\2640\215\303\203\7\327\20\4\135\257\324\322SD\21ZM\241\212\0\2158\337\277\33\224\221\243\3368\236\273\3263\307\367\240j\243\252\275\230\244;M\250\333\333>\332\331\2652\327\352\37\266)\5U\241]ik\215C\305X\360m\330\220\366\360\35\212\344#q\207\231\334[{d\355\33_\345\76K\362`", 47616, 0x0, 0, ... {status=0x0, info=47616}, ) \275[LW\253\335\234\2640\215\303\203\7\327\20\4\135\257\324\322SD\21ZM\241\212\0\2158\337\277\33\224\221\243\3368\236\273\3263\307\367\240j\243\252\275\230\244;M\250\333\333>\332\331\2652\327\352\37\266)\5U\241]ik\215C\305X\360m\330\220\366\360\35\212\344#q\207\231\334[{d\355\33_\345\76K\362`", 47616, 0x0, 0, ... {status=0x0, info=47616}, ) == 0x0
 00781   440   NtUnmapViewOfSection  (-1, 0xa00000, ... ) == 0x0
 00782   440   NtSetInformationFile  (100, 1242800, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 00783   440   NtClose  (104, ... ) == 0x0
 00784   440   NtClose  (100, ... ) == 0x0
 00785   440   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 00786   440   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ltcisi.exe"}, 1239092, ... ) }, 1239092, ... ) == 0x0
 00787   440   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ltcisi.exe"}, 1239784, ... ) }, 1239784, ... ) == 0x0
 00788   440   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ltcisi.exe"}, 5, 96, ... 100, {status=0x0, info=1}, ) }, 5, 96, ... 100, {status=0x0, info=1}, ) == 0x0
 00789   440   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 100, ... 104, ) == 0x0
 00790   440   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00791   440   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 108, ) }, ... 108, ) == 0x0
 00792   440   NtQueryValueKey  (108,  (108, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00793   440   NtClose  (108, ... ) == 0x0
 00794   440   NtQueryVolumeInformationFile  (100, 1239092, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00795   440   NtOpenMutant  (0x120001, {24, 84, 0x0, 0, 0,  (0x120001, {24, 84, 0x0, 0, 0, "ShimCacheMutex"}, ... 108, ) }, ... 108, ) == 0x0
 00796   440   NtWaitForSingleObject  (108, 0, {-1000000, -1}, ... ) == 0x0
 00797   440   NtOpenSection  (0x2, {24, 84, 0x0, 0, 0,  (0x2, {24, 84, 0x0, 0, 0, "ShimSharedMemory"}, ... 112, ) }, ... 112, ) == 0x0
 00798   440   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa00000), {0, 0}, 57344, ) == 0x0
 00799   440   NtReleaseMutant  (108, ... 0x0, ) == 0x0
 00800   440   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1237076, ... ) }, 1237076, ... ) == 0x0
 00801   440   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 116, {status=0x0, info=1}, ) }, 5, 96, ... 116, {status=0x0, info=1}, ) == 0x0
 00802   440   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 116, ... 120, ) == 0x0
 00803   440   NtClose  (116, ... ) == 0x0
 00804   440   NtMapViewOfSection  (120, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa10000), 0x0, 106496, ) == 0x0
 00805   440   NtClose  (120, ... ) == 0x0
 00806   440   NtUnmapViewOfSection  (-1, 0xa10000, ... ) == 0x0
 00807   440   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1237392, ... ) }, 1237392, ... ) == 0x0
 00808   440   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 120, {status=0x0, info=1}, ) }, 5, 96, ... 120, {status=0x0, info=1}, ) == 0x0
 00809   440   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 120, ... 116, ) == 0x0
 00810   440   NtQuerySection  (116, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00811   440   NtClose  (120, ... ) == 0x0
 00812   440   NtMapViewOfSection  (116, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f40000), 0x0, 118784, ) == 0x0
 00813   440   NtClose  (116, ... ) == 0x0
 00814   440   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 116, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 116, {status=0x0, info=1}, ) == 0x0
 00815   440   NtQueryInformationFile  (116, 1237680, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00816   440   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 116, ... 120, ) == 0x0
 00817   440   NtMapViewOfSection  (120, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xa10000), 0x0, 1028096, ) == 0x0
 00818   440   NtQueryInformationFile  (116, 1237776, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00819   440   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00820   440   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00821   440   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 00822   440   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 124, {status=0x0, info=1}, ) }, 3, 16417, ... 124, {status=0x0, info=1}, ) == 0x0
 00823   440   NtQueryDirectoryFile  (124, 0, 0, 0, 1235340, 616, BothDirectory, 1,  (124, 0, 0, 0, 1235340, 616, BothDirectory, 1, "ltcisi.exe", 0, ... {status=0x0, info=114}, ) , 0, ... {status=0x0, info=114}, ) == 0x0
 00824   440   NtClose  (124, ... ) == 0x0
 00825   440   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00826   440   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00827   440   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ltcisi.exe"}, 1234728, ... ) }, 1234728, ... ) == 0x0
 00828   440   NtAllocateVirtualMemory  (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0
 00829   440   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 124, {status=0x0, info=1}, ) }, 3, 16417, ... 124, {status=0x0, info=1}, ) == 0x0
 00830   440   NtQueryDirectoryFile  (124, 0, 0, 0, 1234088, 616, BothDirectory, 1,  (124, 0, 0, 0, 1234088, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 00831   440   NtClose  (124, ... ) == 0x0
 00832   440   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 124, {status=0x0, info=1}, ) }, 3, 16417, ... 124, {status=0x0, info=1}, ) == 0x0
 00833   440   NtQueryDirectoryFile  (124, 0, 0, 0, 1234088, 616, BothDirectory, 1,  (124, 0, 0, 0, 1234088, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 00834   440   NtClose  (124, ... ) == 0x0
 00835   440   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 124, {status=0x0, info=1}, ) }, 3, 16417, ... 124, {status=0x0, info=1}, ) == 0x0
 00836   440   NtQueryDirectoryFile  (124, 0, 0, 0, 1234088, 616, BothDirectory, 1,  (124, 0, 0, 0, 1234088, 616, BothDirectory, 1, "ltcisi.exe", 0, ... {status=0x0, info=114}, ) , 0, ... {status=0x0, info=114}, ) == 0x0
 00837   440   NtClose  (124, ... ) == 0x0
 00838   440   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00839   440   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00840   440   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 00841   440   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00842   440   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 124, ) == 0x0
 00843   440   NtQueryInformationToken  (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00844   440   NtClose  (124, ... ) == 0x0
 00845   440   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00846   440   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\ltcisi.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00847   440   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00848   440   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00849   440   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ltcisi.exe"}, 1237008, ... ) }, 1237008, ... ) == 0x0
 00850   440   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 124, {status=0x0, info=1}, ) }, 3, 16417, ... 124, {status=0x0, info=1}, ) == 0x0
 00851   440   NtQueryDirectoryFile  (124, 0, 0, 0, 1236368, 616, BothDirectory, 1,  (124, 0, 0, 0, 1236368, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 00852   440   NtClose  (124, ... ) == 0x0
 00853   440   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 124, {status=0x0, info=1}, ) }, 3, 16417, ... 124, {status=0x0, info=1}, ) == 0x0
 00854   440   NtQueryDirectoryFile  (124, 0, 0, 0, 1236368, 616, BothDirectory, 1,  (124, 0, 0, 0, 1236368, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 00855   440   NtClose  (124, ... ) == 0x0
 00856   440   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 124, {status=0x0, info=1}, ) }, 3, 16417, ... 124, {status=0x0, info=1}, ) == 0x0
 00857   440   NtQueryDirectoryFile  (124, 0, 0, 0, 1236368, 616, BothDirectory, 1,  (124, 0, 0, 0, 1236368, 616, BothDirectory, 1, "ltcisi.exe", 0, ... {status=0x0, info=114}, ) , 0, ... {status=0x0, info=114}, ) == 0x0
 00858   440   NtClose  (124, ... ) == 0x0
 00859   440   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00860   440   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00861   440   NtWaitForSingleObject  (108, 0, {-1000000, -1}, ... ) == 0x0
 00862   440   NtQueryVolumeInformationFile  (100, 1237652, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00863   440   NtQueryInformationFile  (100, 1237632, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00864   440   NtQueryInformationFile  (100, 1237672, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00865   440   NtReleaseMutant  (108, ... 0x0, ) == 0x0
 00866   440   NtUnmapViewOfSection  (-1, 0xa10000, ... ) == 0x0
 00867   440   NtClose  (120, ... ) == 0x0
 00868   440   NtClose  (116, ... ) == 0x0
 00869   440   NtQuerySection  (104, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00870   440   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ltcisi.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00871   440   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 00872   440   NtOpenProcessToken  (-1, 0xa, ... 116, ) == 0x0
 00873   440   NtQueryInformationToken  (116, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00874   440   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00875   440   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 120, ) }, ... 120, ) == 0x0
 00876   440   NtQueryValueKey  (120,  (120, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (120, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00877   440   NtQueryValueKey  (120,  (120, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (120, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00878   440   NtClose  (120, ... ) == 0x0
 00879   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 120, ) }, ... 120, ) == 0x0
 00880   440   NtQueryValueKey  (120,  (120, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00881   440   NtQueryValueKey  (120,  (120, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (120, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0
 00882   440   NtClose  (120, ... ) == 0x0
 00883   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\LevelObjects"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00884   440   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 120, ) }, ... 120, ) == 0x0
 00885   440   NtQueryValueKey  (120,  (120, "Levels", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00886   440   NtClose  (120, ... ) == 0x0
 00887   440   NtQueryDefaultLocale  (1, 1238464, ... ) == 0x0
 00888   440   NtQueryDefaultLocale  (1, 1238464, ... ) == 0x0
 00889   440   NtQueryDefaultLocale  (1, 1238464, ... ) == 0x0
 00890   440   NtQueryDefaultLocale  (1, 1238464, ... ) == 0x0
 00891   440   NtQueryDefaultLocale  (1, 1238464, ... ) == 0x0
 00892   440   NtQueryDefaultLocale  (1, 1238464, ... ) == 0x0
 00893   440   NtQueryDefaultLocale  (1, 1238464, ... ) == 0x0
 00894   440   NtQueryDefaultLocale  (1, 1238464, ... ) == 0x0
 00895   440   NtQueryDefaultLocale  (1, 1238464, ... ) == 0x0
 00896   440   NtQueryDefaultLocale  (1, 1238464, ... ) == 0x0
 00897   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... 120, ) }, ... 120, ) == 0x0
 00898   440   NtEnumerateKey  (120, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name= (120, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name="{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, 92, ) }, 92, ) == 0x0
 00899   440   NtOpenKey  (0x20019, {24, 120, 0x40, 0, 0,  (0x20019, {24, 120, 0x40, 0, 0, "{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, ... 124, ) }, ... 124, ) == 0x0
 00900   440   NtQueryValueKey  (124,  (124, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) , Partial, 280, ... TitleIdx=0, Type=2, Data= (124, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) }, 202, ) == 0x0
 00901   440   NtQueryValueKey  (124,  (124, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (124, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00902   440   NtClose  (124, ... ) == 0x0
 00903   440   NtEnumerateKey  (120, 1, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES
 00904   440   NtClose  (120, ... ) == 0x0
 00905   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00906   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00907   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00908   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00909   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00910   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00911   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00912   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00913   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00914   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00915   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00916   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00917   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00918   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00919   440   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00920   440   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 120, ) == 0x0
 00921   440   NtQueryInformationToken  (120, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00922   440   NtClose  (120, ... ) == 0x0
 00923   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00924   440   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00925   440   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 120, ) == 0x0
 00926   440   NtQueryInformationToken  (120, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00927   440   NtClose  (120, ... ) == 0x0
 00928   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00929   440   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00930   440   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 120, ) == 0x0
 00931   440   NtQueryInformationToken  (120, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00932   440   NtClose  (120, ... ) == 0x0
 00933   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00934   440   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00935   440   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 120, ) == 0x0
 00936   440   NtQueryInformationToken  (120, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00937   440   NtClose  (120, ... ) == 0x0
 00938   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00939   440   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00940   440   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 120, ) == 0x0
 00941   440   NtQueryInformationToken  (120, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00942   440   NtClose  (120, ... ) == 0x0
 00943   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00944   440   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00945   440   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 120, ) == 0x0
 00946   440   NtQueryInformationToken  (120, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00947   440   NtClose  (120, ... ) == 0x0
 00948   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00949   440   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00950   440   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 120, ) == 0x0
 00951   440   NtQueryInformationToken  (120, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00952   440   NtClose  (120, ... ) == 0x0
 00953   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00954   440   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00955   440   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 120, ) == 0x0
 00956   440   NtQueryInformationToken  (120, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00957   440   NtClose  (120, ... ) == 0x0
 00958   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00959   440   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00960   440   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 120, ) == 0x0
 00961   440   NtQueryInformationToken  (120, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00962   440   NtClose  (120, ... ) == 0x0
 00963   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00964   440   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00965   440   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 120, ) == 0x0
 00966   440   NtQueryInformationToken  (120, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00967   440   NtClose  (120, ... ) == 0x0
 00968   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00969   440   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00970   440   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 120, ) == 0x0
 00971   440   NtQueryInformationToken  (120, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00972   440   NtClose  (120, ... ) == 0x0
 00973   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00974   440   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00975   440   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 120, ) == 0x0
 00976   440   NtQueryInformationToken  (120, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00977   440   NtClose  (120, ... ) == 0x0
 00978   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00979   440   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00980   440   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 120, ) == 0x0
 00981   440   NtQueryInformationToken  (120, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00982   440   NtClose  (120, ... ) == 0x0
 00983   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00984   440   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00985   440   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 120, ) == 0x0
 00986   440   NtQueryInformationToken  (120, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00987   440   NtClose  (120, ... ) == 0x0
 00988   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00989   440   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00990   440   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 120, ) == 0x0
 00991   440   NtQueryInformationToken  (120, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00992   440   NtClose  (120, ... ) == 0x0
 00993   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00994   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 120, ) }, ... 120, ) == 0x0
 00995   440   NtQueryValueKey  (120,  (120, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (120, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Data= (120, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) }, 48, ) == 0x0
 00996   440   NtClose  (120, ... ) == 0x0
 00997   440   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00998   440   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 120, ) == 0x0
 00999   440   NtQueryInformationToken  (120, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01000   440   NtClose  (120, ... ) == 0x0
 01001   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01002   440   NtOpenThreadToken  (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN
 01003   440   NtOpenProcessToken  (-1, 0xa, ... 120, ) == 0x0
 01004   440   NtDuplicateToken  (120, 0xc, {24, 0, 0x0, 0, 1238984, 0x0}, 0, 2, ... 124, ) == 0x0
 01005   440   NtClose  (120, ... ) == 0x0
 01006   440   NtAccessCheck  (1430232, 124, 0x1, 1239112, 1239056, 56, 1239140, ... (0x1), ) == 0x0
 01007   440   NtClose  (124, ... ) == 0x0
 01008   440   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 124, ) }, ... 124, ) == 0x0
 01009   440   NtQueryValueKey  (124,  (124, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (124, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01010   440   NtClose  (124, ... ) == 0x0
 01011   440   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 124, ) }, ... 124, ) == 0x0
 01012   440   NtQuerySymbolicLinkObject  (124, ...  (124, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0
 01013   440   NtClose  (124, ... ) == 0x0
 01014   440   NtQueryInformationFile  (100, 1237444, 528, Name, ... {status=0x0, info=60}, ) == 0x0
 01015   440   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01016   440   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01017   440   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ltcisi.exe"}, 1236124, ... ) }, 1236124, ... ) == 0x0
 01018   440   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 124, {status=0x0, info=1}, ) }, 3, 16417, ... 124, {status=0x0, info=1}, ) == 0x0
 01019   440   NtQueryDirectoryFile  (124, 0, 0, 0, 1235484, 616, BothDirectory, 1,  (124, 0, 0, 0, 1235484, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01020   440   NtClose  (124, ... ) == 0x0
 01021   440   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 124, {status=0x0, info=1}, ) }, 3, 16417, ... 124, {status=0x0, info=1}, ) == 0x0
 01022   440   NtQueryDirectoryFile  (124, 0, 0, 0, 1235484, 616, BothDirectory, 1,  (124, 0, 0, 0, 1235484, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01023   440   NtClose  (124, ... ) == 0x0
 01024   440   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 124, {status=0x0, info=1}, ) }, 3, 16417, ... 124, {status=0x0, info=1}, ) == 0x0
 01025   440   NtQueryDirectoryFile  (124, 0, 0, 0, 1235484, 616, BothDirectory, 1,  (124, 0, 0, 0, 1235484, 616, BothDirectory, 1, "ltcisi.exe", 0, ... {status=0x0, info=114}, ) , 0, ... {status=0x0, info=114}, ) == 0x0
 01026   440   NtClose  (124, ... ) == 0x0
 01027   440   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01028   440   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01029   440   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01030   440   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 124, ) == 0x0
 01031   440   NtQueryInformationToken  (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01032   440   NtClose  (124, ... ) == 0x0
 01033   440   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 124, ) }, ... 124, ) == 0x0
 01034   440   NtOpenKey  (0x20019, {24, 124, 0x40, 0, 0,  (0x20019, {24, 124, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 120, ) }, ... 120, ) == 0x0
 01035   440   NtClose  (124, ... ) == 0x0
 01036   440   NtQueryValueKey  (120,  (120, "Cache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01037   440   NtQueryValueKey  (120,  (120, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=1, Data= (120, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) }, 162, ) == 0x0
 01038   440   NtClose  (120, ... ) == 0x0
 01039   440   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 8192, 4, ... 10551296, 4096, ) == 0x0
 01040   440   NtAllocateVirtualMemory  (-1, 10551296, 0, 4096, 4096, 4, ... 10551296, 4096, ) == 0x0
 01041   440   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 120, ) }, ... 120, ) == 0x0
 01042   440   NtQueryValueKey  (120,  (120, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01043   440   NtClose  (120, ... ) == 0x0
 01044   440   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01045   440   NtQueryInformationToken  (116, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0
 01046   440   NtQueryInformationToken  (116, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0
 01047   440   NtClose  (116, ... ) == 0x0
 01048   440   NtCreateProcessEx  (1241720, 2035711, 0, -1, 0, 104, 0, 0, 0, ... ) == 0x0
 01049   440   NtSetInformationProcess  (116, PriorityClass, {process info, class 18, size 2}, 83886592, ... ) == 0x0
 01050   440   NtQueryInformationProcess  (116, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=588,ParentPid=420,}, 0x0, ) == 0x0
 01051   440   NtReadVirtualMemory  (116, 0x7ffdf008, 4, ...  (116, 0x7ffdf008, 4, ... "\0\0@\0", 0x0, ) , 0x0, ) == 0x0
 01052   440   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ltcisi.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01053   440   NtAllocateVirtualMemory  (-1, 1433600, 0, 8192, 4096, 4, ... 1433600, 8192, ) == 0x0
 01054   440   NtReadVirtualMemory  (116, 0x400000, 4096, ...  (116, 0x400000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\177\6\12\277;gd\354;gd\354;gd\354\34\241\31\354!gd\354\34\241\11\354\265gd\354\34\241\12\354\11gd\354\270o9\3549gd\354\370h9\354*gd\354;ge\354\224gd\354\34\241\26\354!gd\354\34\241\34\354:gd\354Rich;gd\354\0\0\0\0\0\0\0\0\230b\204\276\370\31\360!-\217m\240J2\323\227PE\0\0L\1\10\09\320vF\0\0\0\0\0\0\0\0\340\0\2\1\13\1\10\0\0\320\1\0\0\220\0\0\0\0\0\0|c\7\0\0\360\4\0\0\340\1\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\200\7\0\0\20\0\0=\6\3\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\360\4\0\20\1\0\0\0P\3\0\260\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0p\7\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\234\367\4\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\0\320\1\0", 4096, ) , 4096, ) == 0x0
 01055   440   NtReadVirtualMemory  (116, 0x435000, 256, ...  (116, 0x435000, 256, ... "\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\30\0\0\0\30\0\0\200\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\1\0\0\00\0\0\200\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\11\4\0\0H\0\0\0XP\3\0V\0\0\0\344\4\0\0\0\0\0\0\15\12PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING", 256, ) urn:schemas-microsoft-com:asm.v1 (116, 0x435000, 256, ... "\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\30\0\0\0\30\0\0\200\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\1\0\0\00\0\0\200\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\11\4\0\0H\0\0\0XP\3\0V\0\0\0\344\4\0\0\0\0\0\0\15\12PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING", 256, ) 1.0 (116, 0x435000, 256, ... "\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\30\0\0\0\30\0\0\200\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\1\0\0\00\0\0\200\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\11\4\0\0H\0\0\0XP\3\0V\0\0\0\344\4\0\0\0\0\0\0\15\12PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING", 256, ) , 256, ) == 0x0
 01056   440   NtReadVirtualMemory  (116, 0x435018, 24, ...  (116, 0x435018, 24, ... "\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\1\0\0\00\0\0\200", 24, ) , 24, ) == 0x0
 01057   440   NtReadVirtualMemory  (116, 0x435030, 24, ...  (116, 0x435030, 24, ... "\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\11\4\0\0H\0\0\0", 24, ) , 24, ) == 0x0
 01058   440   NtReadVirtualMemory  (116, 0x435048, 16, ...  (116, 0x435048, 16, ... "XP\3\0V\0\0\0\344\4\0\0\0\0\0\0", 16, ) , 16, ) == 0x0
 01059   440   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ltcisi.exe.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01060   440   NtQueryInformationProcess  (116, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=588,ParentPid=420,}, 0x0, ) == 0x0
 01061   440   NtAllocateVirtualMemory  (-1, 0, 0, 1708, 4096, 4, ... 10616832, 4096, ) == 0x0
 01062   440   NtAllocateVirtualMemory  (116, 0, 0, 1910, 4096, 4, ... 65536, 4096, ) == 0x0
 01063   440   NtWriteVirtualMemory  (116, 0x10000,  (116, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0
 01064   440   NtAllocateVirtualMemory  (116, 0, 0, 1708, 4096, 4, ... 131072, 4096, ) == 0x0
 01065   440   NtWriteVirtualMemory  (116, 0x20000,  (116, 0x20000, "\0\20\0\0\254\6\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0\10\2\220\2\0\0\0\0\0\0\374\0\376\0\230\4\0\0<\0>\0\230\5\0\0l\0n\0\330\5\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0<\0>\0H\6\0\0\36\0 \0\210\6\0\0\0\0\2\0\250\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1708, ... 0x0, ) , 1708, ... 0x0, ) == 0x0
 01066   440   NtWriteVirtualMemory  (116, 0x7ffdf010,  (116, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 01067   440   NtWriteVirtualMemory  (116, 0x7ffdf1e8,  (116, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 01068   440   NtFreeVirtualMemory  (-1, (0xa20000), 0, 32768, ... (0xa20000), 4096, ) == 0x0
 01069   440   NtAllocateVirtualMemory  (116, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0
 01070   440   NtAllocateVirtualMemory  (116, 1236992, 0, 8192, 4096, 4, ... 1236992, 8192, ) == 0x0
 01071   440   NtProtectVirtualMemory  (116, (0x12e000), 4096, 260, ... (0x12e000), 4096, 4, ) == 0x0
 01072   440   NtCreateThread  (0x1f03ff, 0x0, 116, 1239984, 1240704, 1, ... 120, {588, 592}, ) == 0x0
 01073   440   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 1378648, 1376256, 0, 1241804}  (24, {168, 196, new_msg, 0, 1378648, 1376256, 0, 1241804} "\210\6\31\1\0\0\1\0\2$\370w@\264\25\0w\0\0\0x\0\0\0L\2\0\0P\2\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\215\26\365w\0\0\0\0\1\0\0\0\0\0\0\0\1\1\1\0<\0@\0\244\6\31\1d\0\0\0t\0\0\0\0\0\0\0XPC\0\0\0\0\0V\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0@\0\344\6\31\1\0\360\375\177\0\0\0\0\0\0\237\0\220\36\237\0" ... {168, 196, reply, 0, 420, 440, 1456, 0} "\320\231\26\0\0\0\1\0\0\0\0\0@\264\25\0t\0\0\0x\0\0\0L\2\0\0P\2\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\215\26\365w\0\0\0\0\1\0\0\0\0\0\0\0\1\1\1\0<\0@\0\244\6\31\1d\0\0\0t\0\0\0\0\0\0\0XPC\0\0\0\0\0V\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0@\0\344\6\31\1\0\360\375\177\0\0\0\0\0\0\237\0\220\36\237\0" )  ... {168, 196, reply, 0, 420, 440, 1456, 0}  (24, {168, 196, new_msg, 0, 1378648, 1376256, 0, 1241804} "\210\6\31\1\0\0\1\0\2$\370w@\264\25\0w\0\0\0x\0\0\0L\2\0\0P\2\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\215\26\365w\0\0\0\0\1\0\0\0\0\0\0\0\1\1\1\0<\0@\0\244\6\31\1d\0\0\0t\0\0\0\0\0\0\0XPC\0\0\0\0\0V\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0@\0\344\6\31\1\0\360\375\177\0\0\0\0\0\0\237\0\220\36\237\0" ... {168, 196, reply, 0, 420, 440, 1456, 0} "\320\231\26\0\0\0\1\0\0\0\0\0@\264\25\0t\0\0\0x\0\0\0L\2\0\0P\2\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\215\26\365w\0\0\0\0\1\0\0\0\0\0\0\0\1\1\1\0<\0@\0\244\6\31\1d\0\0\0t\0\0\0\0\0\0\0XPC\0\0\0\0\0V\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0@\0\344\6\31\1\0\360\375\177\0\0\0\0\0\0\237\0\220\36\237\0" )  ) == 0x0
 01074   440   NtResumeThread  (120, ... 1, ) == 0x0
 01075   440   NtClose  (100, ... ) == 0x0
 01076   440   NtClose  (104, ... ) == 0x0
 01077   440   NtTerminateProcess  (0, 0, ... ) == 0x0
 01078   440   NtClose  (92, ... ) == 0x0
 01079   440   NtUnmapViewOfSection  (-1, 0x8d0000, ... ) == 0x0
 01080   440   NtClose  (96, ... ) == 0x0
 01081   440   NtClose  (88, ... ) == 0x0
 01082   440   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xa,}, 4, ... ) == 0x0
 01083   440   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc03b
 01084   440   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01085   440   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc03d
 01086   440   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01087   440   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc03f
 01088   440   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01089   440   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc041
 01090   440   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01091   440   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc043
 01092   440   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01093   440   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc045
 01094   440   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01095   440   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc047
 01096   440   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01097   440   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc049
 01098   440   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01099   440   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc04b
 01100   440   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01101   440   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc04d
 01102   440   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01103   440   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc04f
 01104   440   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01105   440   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc051
 01106   440   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01107   440   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc053
 01108   440   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01109   440   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc057
 01110   440   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01111   440   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc059
 01112   440   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01113   440   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc05b
 01114   440   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01115   440   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc05d
 01116   440   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01117   440   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc05f
 01118   440   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01119   440   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc017
 01120   440   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01121   440   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc019
 01122   440   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01123   440   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc018
 01124   440   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01125   440   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc01a
 01126   440   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01127   440   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc01c
 01128   440   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01129   440   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc01e
 01130   440   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01131   440   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc01b
 01132   440   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01133   440   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc068
 01134   440   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01135   440   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc06a
 01136   440   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01137   440   NtUnmapViewOfSection  (-1, 0x8e0000, ... ) == 0x0
 01138   440   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x4,}, 4, ... ) == 0x0
 01139   440   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x1,}, 4, ... ) == 0x0
 01140   440   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x2,}, 4, ... ) == 0x0
 01141   440   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x3,}, 4, ... ) == 0x0
 01142   440   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc03b
 01143   440   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01144   440   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc03d
 01145   440   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01146   440   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc03f
 01147   440   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01148   440   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc041
 01149   440   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01150   440   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc043
 01151   440   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01152   440   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc045
 01153   440   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01154   440   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc047
 01155   440   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01156   440   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc049
 01157   440   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01158   440   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc04b
 01159   440   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01160   440   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc04d
 01161   440   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01162   440   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc04f
 01163   440   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01164   440   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc051
 01165   440   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01166   440   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc053
 01167   440   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01168   440   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc057
 01169   440   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01170   440   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc059
 01171   440   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01172   440   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc05b
 01173   440   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01174   440   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc05d
 01175   440   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01176   440   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc05f
 01177   440   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01178   440   NtFreeVirtualMemory  (-1, (0xa10000), 4096, 32768, ... (0xa10000), 4096, ) == 0x0
 01179   440   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, -1, 4202544, 4202147, 4406196}  (24, {20, 48, new_msg, 0, -1, 4202544, 4202147, 4406196} "\0\0\0\0\3\0\1\0\330;C\0C:\W\0\0\0\0" ... {20, 48, reply, 0, 420, 440, 1464, 0} "\0\0\0\0\3\0\1\0\0\0\0\0C:\W\0\0\0\0" )  ... {20, 48, reply, 0, 420, 440, 1464, 0}  (24, {20, 48, new_msg, 0, -1, 4202544, 4202147, 4406196} "\0\0\0\0\3\0\1\0\330;C\0C:\W\0\0\0\0" ... {20, 48, reply, 0, 420, 440, 1464, 0} "\0\0\0\0\3\0\1\0\0\0\0\0C:\W\0\0\0\0" )  ) == 0x0
 01180   440   NtTerminateProcess  (-1, 0, ...
 01181   440   NtClose  (44, ... ) == 0x0
NtAddAtom(>)	1	NtTestAlert(>)	1	NtGdiCreateCompatibleDC(>)	3	NtQueryDefaultLocale(>)	15
NtCallbackReturn(>)	1	NtUserCallNoParam(>)	1	NtQueryVirtualMemory(>)	3	NtUserRegisterWindowMessage(>)	19
NtContinue(>)	1	NtUserCallOneParam(>)	1	NtSetInformationObject(>)	3	NtCreateSection(>)	20
NtCreateProcessEx(>)	1	NtUserGetDC(>)	1	NtWriteFile(>)	3	NtOpenProcessTokenEx(>)	25
NtCreateThread(>)	1	NtUserGetThreadDesktop(>)	1	NtFreeVirtualMemory(>)	4	NtOpenThreadTokenEx(>)	25
NtDuplicateObject(>)	1	NtAccessCheck(>)	2	NtWriteVirtualMemory(>)	4	NtQueryAttributesFile(>)	25
NtDuplicateToken(>)	1	NtCreateKey(>)	2	NtGdiGetStockObject(>)	5	NtOpenSection(>)	27
NtEnumerateValueKey(>)	1	NtEnumerateKey(>)	2	NtOpenProcessToken(>)	5	NtQuerySystemInformation(>)	27
NtFsControlFile(>)	1	NtGdiCreateSolidBrush(>)	2	NtCreateFile(>)	6	NtQueryInformationToken(>)	31
NtGdiCreateBitmap(>)	1	NtOpenDirectoryObject(>)	2	NtQueryVolumeInformationFile(>)	6	NtOpenFile(>)	34
NtGdiInit(>)	1	NtOpenEvent(>)	2	NtReadVirtualMemory(>)	6	NtQueryValueKey(>)	38
NtGdiQueryFontAssocInfo(>)	1	NtOpenMutant(>)	2	NtSetInformationThread(>)	6	NtProtectVirtualMemory(>)	39
NtGdiSelectBitmap(>)	1	NtOpenSymbolicLinkObject(>)	2	NtSetInformationProcess(>)	7	NtUnmapViewOfSection(>)	42
NtNotifyChangeKey(>)	1	NtOpenThreadToken(>)	2	NtQueryDefaultUILanguage(>)	8	NtUserUnregisterClass(>)	45
NtOpenKeyedEvent(>)	1	NtQueryInstallUILanguage(>)	2	NtQuerySection(>)	8	NtUserFindExistingCursorIcon(>)	48
NtOpenProcess(>)	1	NtQuerySymbolicLinkObject(>)	2	NtRequestWaitReplyPort(>)	8	NtAllocateVirtualMemory(>)	52
NtQueryInformationJobObject(>)	1	NtReleaseMutant(>)	2	NtQueryDirectoryFile(>)	10	NtUserRegisterClassExWOW(>)	63
NtQueryObject(>)	1	NtSetInformationFile(>)	2	NtUserSystemParametersInfo(>)	10	NtMapViewOfSection(>)	66
NtQueryPerformanceCounter(>)	1	NtTerminateProcess(>)	2	NtFlushInstructionCache(>)	11	NtUserGetClassInfo(>)	82
NtRegisterThreadTerminatePort(>)	1	NtWaitForSingleObject(>)	2	NtQueryInformationProcess(>)	12	NtOpenKey(>)	102
NtResumeThread(>)	1	NtCreateEvent(>)	3	NtQueryInformationFile(>)	13	NtClose(>)	146
NtSecureConnectPort(>)	1	NtCreateSemaphore(>)	3	NtQueryDebugFilterState(>)	15