Summary:


NtAddAtom(>)  1 
NtUserGetThreadDesktop(>)  1 
NtUserFindWindowEx(>)  4 
NtUserRegisterWindowMessage(>)  19 

NtAdjustPrivilegesToken(>)  1 
NtAccessCheck(>)  2 
NtWaitForSingleObject(>)  4 
NtCreateSection(>)  20 

NtCallbackReturn(>)  1 
NtCreateIoCompletion(>)  2 
NtDuplicateObject(>)  5 
NtOpenProcess(>)  24 

NtCreateProcessEx(>)  1 
NtCreateKey(>)  2 
NtGdiGetStockObject(>)  5 
NtOpenProcessTokenEx(>)  25 

NtDuplicateToken(>)  1 
NtCreateThread(>)  2 
NtSetInformationFile(>)  5 
NtOpenThreadTokenEx(>)  25 

NtEnumerateValueKey(>)  1 
NtEnumerateKey(>)  2 
NtWriteFile(>)  5 
NtQueryAttributesFile(>)  27 

NtGdiCreateBitmap(>)  1 
NtGdiCreateSolidBrush(>)  2 
NtFreeVirtualMemory(>)  6 
NtReadVirtualMemory(>)  28 

NtGdiInit(>)  1 
NtOpenDirectoryObject(>)  2 
NtOpenProcessToken(>)  6 
NtQuerySystemInformation(>)  30 

NtGdiQueryFontAssocInfo(>)  1 
NtOpenEvent(>)  2 
NtQueryVolumeInformationFile(>)  6 
NtQueryInformationToken(>)  31 

NtGdiSelectBitmap(>)  1 
NtOpenSymbolicLinkObject(>)  2 
NtCreateFile(>)  7 
NtOpenFile(>)  35 

NtNotifyChangeKey(>)  1 
NtQueryInstallUILanguage(>)  2 
NtSetInformationProcess(>)  7 
NtUnmapViewOfSection(>)  39 

NtOpenKeyedEvent(>)  1 
NtQuerySymbolicLinkObject(>)  2 
NtContinue(>)  8 
NtQueryValueKey(>)  40 

NtQueryInformationJobObject(>)  1 
NtRaiseException(>)  2 
NtQueryDefaultUILanguage(>)  8 
NtUserUnregisterClass(>)  45 

NtQueryObject(>)  1 
NtResumeThread(>)  2 
NtQuerySection(>)  8 
NtOpenSection(>)  47 

NtQueryPerformanceCounter(>)  1 
NtTerminateProcess(>)  2 
NtSetInformationThread(>)  8 
NtUserFindExistingCursorIcon(>)  48 

NtQuerySystemTime(>)  1 
NtCreateSemaphore(>)  3 
NtCreateEvent(>)  9 
NtAllocateVirtualMemory(>)  56 

NtReadFile(>)  1 
NtGdiCreateCompatibleDC(>)  3 
NtRequestWaitReplyPort(>)  9 
NtWriteVirtualMemory(>)  58 

NtRegisterThreadTerminatePort(>)  1 
NtOpenMutant(>)  3 
NtQueryDirectoryFile(>)  10 
NtUserRegisterClassExWOW(>)  63 

NtSecureConnectPort(>)  1 
NtSetInformationObject(>)  3 
NtUserSystemParametersInfo(>)  10 
NtMapViewOfSection(>)  82 

NtSetSecurityObject(>)  1 
NtFsControlFile(>)  4 
NtFlushInstructionCache(>)  11 
NtUserGetClassInfo(>)  82 

NtTestAlert(>)  1 
NtOpenThreadToken(>)  4 
NtQueryInformationFile(>)  13 
NtProtectVirtualMemory(>)  96 

NtUserCallNoParam(>)  1 
NtQueryVirtualMemory(>)  4 
NtQueryInformationProcess(>)  14 
NtOpenKey(>)  108 

NtUserCallOneParam(>)  1 
NtReleaseMutant(>)  4 
NtQueryDebugFilterState(>)  15 
NtUserQueryWindow(>)  132 

NtUserGetDC(>)  1 
NtUserBuildHwndList(>)  4 
NtQueryDefaultLocale(>)  15 
NtClose(>)  198 


Trace:
 00001   444   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002   444   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00003   444   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00004   444   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1376256, 1048576, ) == 0x0
 00005   444   NtAllocateVirtualMemory  (-1, 1376256, 0, 4096, 4096, 4, ... 1376256, 4096, ) == 0x0
 00006   444   NtAllocateVirtualMemory  (-1, 1380352, 0, 8192, 4096, 4, ... 1380352, 8192, ) == 0x0
 00007   444   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00008   444   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2424832, 65536, ) == 0x0
 00009   444   NtAllocateVirtualMemory  (-1, 2424832, 0, 24576, 4096, 4, ... 2424832, 24576, ) == 0x0
 00010   444   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00011   444   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00012   444   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00013   444   NtClose  (12, ... ) == 0x0
 00014   444   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00015   444   NtQueryVolumeInformationFile  (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00016   444   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER
 00017   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018   444   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019   444   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0
 00020   444   NtClose  (16, ... ) == 0x0
 00021   444   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00022   444   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00023   444   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00024   444   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1385272, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2490368, 18350080}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1385272, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2490368, 18350080}, {0, 0, 0}, 200, 44, ) == 0x0
 00025   444   NtClose  (16, ... ) == 0x0
 00026   444   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00027   444   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00028   444   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00029   444   NtQueryVirtualMemory  (-1, 0x260000, Basic, 28, ... {BaseAddress=0x260000,AllocationBase=0x260000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00030   444   NtAllocateVirtualMemory  (-1, 2490368, 0, 4096, 4096, 4, ... 2490368, 4096, ) == 0x0
 00031   444   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\30\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\30\1\4\0\0\0" ... {28, 56, reply, 0, 440, 444, 1479, 0} "\330\375\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\30\1\4\0\0\0" )  ... {28, 56, reply, 0, 440, 444, 1479, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\30\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\30\1\4\0\0\0" ... {28, 56, reply, 0, 440, 444, 1479, 0} "\330\375\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\30\1\4\0\0\0" )  ) == 0x0
 00032   444   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00033   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00034   444   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00035   444   NtClose  (16, ... ) == 0x0
 00036   444   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00037   444   NtOpenMutant  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0
 00038   444   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 28, ) == 0x0
 00039   444   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x270000), 0x0, 90112, ) == 0x0
 00040   444   NtClose  (28, ... ) == 0x0
 00041   444   NtQueryDefaultLocale  (0, 2012046252, ... ) == 0x0
 00042   444   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0
 00043   444   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x290000), 0x0, 212992, ) == 0x0
 00044   444   NtClose  (28, ... ) == 0x0
 00045   444   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0
 00046   444   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2d0000), 0x0, 266240, ) == 0x0
 00047   444   NtQuerySection  (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00048   444   NtClose  (28, ... ) == 0x0
 00049   444   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0
 00050   444   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x320000), 0x0, 24576, ) == 0x0
 00051   444   NtClose  (28, ... ) == 0x0
 00052   444   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00053   444   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00054   444   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00055   444   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\30\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\30\18\6\0\0" ... {28, 56, reply, 0, 440, 444, 1484, 0} "(\261\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\30\18\6\0\0" )  ... {28, 56, reply, 0, 440, 444, 1484, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\30\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\30\18\6\0\0" ... {28, 56, reply, 0, 440, 444, 1484, 0} "(\261\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\30\18\6\0\0" )  ) == 0x0
 00056   444   NtProtectVirtualMemory  (-1, (0x45d000), 204800, 4, ... (0x45d000), 204800, 128, ) == 0x0
 00057   444   NtProtectVirtualMemory  (-1, (0x45d000), 204800, 128, ... (0x45d000), 204800, 4, ) == 0x0
 00058   444   NtFlushInstructionCache  (-1, 4575232, 204800, ... ) == 0x0
 00059   444   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "user32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00060   444   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0
 00061   444   NtClose  (28, ... ) == 0x0
 00062   444   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00063   444   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0
 00064   444   NtClose  (28, ... ) == 0x0
 00065   444   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00066   444   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0
 00067   444   NtClose  (28, ... ) == 0x0
 00068   444   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00069   444   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0
 00070   444   NtClose  (28, ... ) == 0x0
 00071   444   NtProtectVirtualMemory  (-1, (0x45d000), 204800, 4, ... (0x45d000), 204800, 64, ) == 0x0
 00072   444   NtProtectVirtualMemory  (-1, (0x45d000), 204800, 64, ... (0x45d000), 204800, 4, ) == 0x0
 00073   444   NtFlushInstructionCache  (-1, 4575232, 204800, ... ) == 0x0
 00074   444   NtOpenProcessToken  (-1, 0x8, ... 28, ) == 0x0
 00075   444   NtQueryInformationToken  (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00076   444   NtClose  (28, ... ) == 0x0
 00077   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00078   444   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00079   444   NtClose  (28, ... ) == 0x0
 00080   444   NtAllocateVirtualMemory  (-1, 1388544, 0, 4096, 4096, 4, ... 1388544, 4096, ) == 0x0
 00081   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00082   444   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00083   444   NtQueryValueKey  (28,  (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00084   444   NtClose  (28, ... ) == 0x0
 00085   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0
 00086   444   NtQueryValueKey  (28,  (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00087   444   NtClose  (28, ... ) == 0x0
 00088   444   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0
 00089   444   NtSetInformationObject  (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0
 00090   444   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00091   444   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00092   444   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0}  (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0} "\210\6\30\1\0\0\0\0\314\4\23\0!\215\30\34\3\0\0\0\234\6\30\1$\1\0\0" ... {28, 56, reply, 0, 440, 444, 1486, 0} "XQ\26\0\0\0\0\0\0\0\0\0!\215\30\34\3\0\0\0\234\6\30\1$\1\0\0" )  ... {28, 56, reply, 0, 440, 444, 1486, 0}  (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0} "\210\6\30\1\0\0\0\0\314\4\23\0!\215\30\34\3\0\0\0\234\6\30\1$\1\0\0" ... {28, 56, reply, 0, 440, 444, 1486, 0} "XQ\26\0\0\0\0\0\0\0\0\0!\215\30\34\3\0\0\0\234\6\30\1$\1\0\0" )  ) == 0x0
 00093   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00094   444   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x4a0000), 0x0, 1060864, ) == 0x0
 00095   444   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 36, ) == 0x0
 00096   444   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00097   444   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482208, ) == 0x0
 00098   444   NtQueryInformationToken  (-2147482208, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00099   444   NtQueryInformationToken  (-2147482208, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00100   444   NtClose  (-2147482208, ... ) == 0x0
 00101   444   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 5963776, 4096, ) == 0x0
 00102   444   NtFreeVirtualMemory  (-1, (0x5b0000), 4096, 32768, ... (0x5b0000), 4096, ) == 0x0
 00103   444   NtDuplicateObject  (-1, 40, -1, 0x0, 0, 2, ... 48, ) == 0x0
 00104   444   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 00105   444   NtQueryValueKey  (-2147482208,  (-2147482208, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00106   444   NtClose  (-2147482208, ... ) == 0x0
 00107   444   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 00108   444   NtQueryValueKey  (-2147482208,  (-2147482208, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00109   444   NtClose  (-2147482208, ... ) == 0x0
 00110   444   NtQueryDefaultLocale  (0, -130708980, ... ) == 0x0
 00111   444   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00112   444   NtUserCallNoParam  (24, ... ) == 0x0
 00113   444   NtGdiCreateCompatibleDC  (0, ...
 00114   444   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 5963776, 4096, ) == 0x0
 00113   444   NtGdiCreateCompatibleDC  ... ) == 0x1a010323
 00115   444   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00116   444   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00117   444   NtGdiCreateBitmap  (8, 8, 1, 1, 2010393708, ... ) == 0xc0503e1
 00118   444   NtGdiCreateSolidBrush  (0, 0, ...
 00119   444   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 9175040, 4096, ) == 0x0
 00118   444   NtGdiCreateSolidBrush  ... ) == 0xb1003e0
 00120   444   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00121   444   NtGdiCreateCompatibleDC  (0, ... ) == 0x6d0103e5
 00122   444   NtGdiSelectBitmap  (1828783077, 201655265, ... ) == 0x185000f
 00123   444   NtUserGetThreadDesktop  (444, 0, ... ) == 0x2c
 00124   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 52, ) }, ... 52, ) == 0x0
 00125   444   NtQueryValueKey  (52,  (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00126   444   NtClose  (52, ... ) == 0x0
 00127   444   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00128   444   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 673, 128, 0, ... ) == 0x810dc017
 00129   444   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00130   444   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 674, 128, 0, ... ) == 0x810dc01c
 00131   444   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00132   444   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 675, 128, 0, ... ) == 0x810dc01e
 00133   444   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00134   444   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 676, 128, 0, ... ) == 0x810d8002
 00135   444   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10013
 00136   444   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 677, 128, 0, ... ) == 0x810dc018
 00137   444   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00138   444   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 678, 128, 0, ... ) == 0x810dc01a
 00139   444   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00140   444   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 679, 128, 0, ... ) == 0x810dc01d
 00141   444   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00142   444   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 681, 128, 0, ...
 00143   444   NtAllocateVirtualMemory  (-1, 6123520, 0, 4096, 4096, 32, ... 6123520, 4096, ) == 0x0
 00142   444   NtUserRegisterClassExWOW  ... ) == 0x810dc026
 00144   444   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00145   444   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 680, 128, 0, ... ) == 0x810dc019
 00146   444   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc020
 00147   444   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810dc022
 00148   444   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc023
 00149   444   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810dc024
 00150   444   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc025
 00151   444   NtCallbackReturn  (0, 0, 0, ...
 00152   444   NtGdiInit  (... ) == 0x1
 00153   444   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00154   444   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00155   444   NtAllocateVirtualMemory  (-1, 0, 0, 17506, 4096, 4, ... 9240576, 20480, ) == 0x0
 00156   444   NtFreeVirtualMemory  (-1, (0x8d0000), 0, 32768, ... (0x8d0000), 20480, ) == 0x0
 00157   444   NtQueryVirtualMemory  (-1, 0x401000, Basic, 52, ... {BaseAddress=0x401000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0x23000,State=0x1000,Protect=0x80,Type=0x1000000,}, 28, ) == 0x0
 00158   444   NtQueryVirtualMemory  (-1, 0x45754c, Basic, 28, ... {BaseAddress=0x457000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0x6000,State=0x1000,Protect=0x4,Type=0x1000000,}, 28, ) == 0x0
 00159   444   NtAllocateVirtualMemory  (-1, 1392640, 0, 4096, 4096, 4, ... 1392640, 4096, ) == 0x0
 00160   444   NtProtectVirtualMemory  (-1, (0x4001f0), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00161   444   NtProtectVirtualMemory  (-1, (0x4001f0), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00162   444   NtProtectVirtualMemory  (-1, (0x400218), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00163   444   NtProtectVirtualMemory  (-1, (0x400218), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00164   444   NtProtectVirtualMemory  (-1, (0x400240), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00165   444   NtProtectVirtualMemory  (-1, (0x400240), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00166   444   NtProtectVirtualMemory  (-1, (0x400268), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00167   444   NtProtectVirtualMemory  (-1, (0x400268), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00168   444   NtProtectVirtualMemory  (-1, (0x400290), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00169   444   NtProtectVirtualMemory  (-1, (0x400290), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00170   444   NtProtectVirtualMemory  (-1, (0x4002b8), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00171   444   NtProtectVirtualMemory  (-1, (0x4002b8), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00172   444   NtProtectVirtualMemory  (-1, (0x4002e0), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00173   444   NtProtectVirtualMemory  (-1, (0x4002e0), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00174   444   NtProtectVirtualMemory  (-1, (0x400308), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00175   444   NtProtectVirtualMemory  (-1, (0x400308), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00176   444   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00177   444   NtUserFindWindowEx  (0, 0,  (0, 0, "WispWindowClass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00178   444   NtUserBuildHwndList  (0, 0, 0, 0, 64, ... (0x100aa, 0x100a8, 0x100a6, 0x20060, 0x100a0, 0x1007e, 0x10074, 0x10068, 0x30044, 0x10066, 0x30046, 0x30036, 0x10098, 0x1008c, 0x1007c, 0x10026, 0x100be, 0x100bc, 0x100ba, 0x100b8, 0x100b6, 0x100b4, 0x100b2, 0x100b0, 0x20064, 0x100ac, 0x20062, 0x1006c, 0x5004a, 0x4004e, 0x50048, 0x10082, 0x10076, 0x1, ), 34, ) == 0x0
 00179   444   NtUserQueryWindow  (65706, 0, ... ) == 0x7e4
 00180   444   NtUserQueryWindow  (65706, 1, ... ) == 0x7e8
 00181   444   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {2020, 0}, ... 52, ) == 0x0
 00182   444   NtReadVirtualMemory  (52, 0x400000, 64, ...  (52, 0x400000, 64, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \1\0\0", 64, ) , 64, ) == 0x0
 00183   444   NtReadVirtualMemory  (52, 0x4b1c86, 4, ...  (52, 0x4b1c86, 4, ... "\0\0\0\0", 4, ) , 4, ) == 0x0
 00184   444   NtReadVirtualMemory  (52, 0x4c91a0, 256, ...  (52, 0x4c91a0, 256, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, ) , 256, ) == 0x0
 00185   444   NtClose  (52, ... ) == 0x0
 00186   444   NtUserQueryWindow  (65704, 0, ... ) == 0x7e4
 00187   444   NtUserQueryWindow  (65704, 1, ... ) == 0x7e8
 00188   444   NtUserQueryWindow  (65702, 0, ... ) == 0x7e4
 00189   444   NtUserQueryWindow  (65702, 1, ... ) == 0x7e8
 00190   444   NtUserQueryWindow  (131168, 0, ... ) == 0x7e4
 00191   444   NtUserQueryWindow  (131168, 1, ... ) == 0x7e8
 00192   444   NtUserQueryWindow  (65696, 0, ... ) == 0x774
 00193   444   NtUserQueryWindow  (65696, 1, ... ) == 0x780
 00194   444   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {1908, 0}, ... 52, ) == 0x0
 00195   444   NtReadVirtualMemory  (52, 0x400000, 64, ...  (52, 0x400000, 64, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 64, ) , 64, ) == 0x0
 00196   444   NtReadVirtualMemory  (52, 0x4b1c86, 4, ...
 00197   444   NtContinue  (-130712420, 0, ...
 00196   444   NtReadVirtualMemory  ... ) == STATUS_PARTIAL_COPY
 00198   444   NtReadVirtualMemory  (52, 0x4c91a0, 256, ...
 00199   444   NtContinue  (-130712420, 0, ...
 00198   444   NtReadVirtualMemory  ... ) == STATUS_PARTIAL_COPY
 00200   444   NtClose  (52, ... ) == 0x0
 00201   444   NtUserQueryWindow  (65662, 0, ... ) == 0x774
 00202   444   NtUserQueryWindow  (65662, 1, ... ) == 0x780
 00203   444   NtUserQueryWindow  (65652, 0, ... ) == 0x774
 00204   444   NtUserQueryWindow  (65652, 1, ... ) == 0x780
 00205   444   NtUserQueryWindow  (65640, 0, ... ) == 0x774
 00206   444   NtUserQueryWindow  (65640, 1, ... ) == 0x780
 00207   444   NtUserQueryWindow  (196676, 0, ... ) == 0x774
 00208   444   NtUserQueryWindow  (196676, 1, ... ) == 0x780
 00209   444   NtUserQueryWindow  (65638, 0, ... ) == 0x774
 00210   444   NtUserQueryWindow  (65638, 1, ... ) == 0x780
 00211   444   NtUserQueryWindow  (196678, 0, ... ) == 0x774
 00212   444   NtUserQueryWindow  (196678, 1, ... ) == 0x780
 00213   444   NtUserQueryWindow  (196662, 0, ... ) == 0x774
 00214   444   NtUserQueryWindow  (196662, 1, ... ) == 0x780
 00215   444   NtUserQueryWindow  (65688, 0, ... ) == 0x774
 00216   444   NtUserQueryWindow  (65688, 1, ... ) == 0x780
 00217   444   NtUserQueryWindow  (65676, 0, ... ) == 0x774
 00218   444   NtUserQueryWindow  (65676, 1, ... ) == 0x780
 00219   444   NtUserQueryWindow  (65660, 0, ... ) == 0x774
 00220   444   NtUserQueryWindow  (65660, 1, ... ) == 0x778
 00221   444   NtUserQueryWindow  (65574, 0, ... ) == 0x268
 00222   444   NtUserQueryWindow  (65574, 1, ... ) == 0x2c4
 00223   444   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {616, 0}, ... 52, ) == 0x0
 00224   444   NtReadVirtualMemory  (52, 0x400000, 64, ...  (52, 0x400000, 64, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 64, ) , 64, ) == 0x0
 00225   444   NtReadVirtualMemory  (52, 0x4b1c86, 4, ...  (52, 0x4b1c86, 4, ... "\0\0\0\0", 4, ) , 4, ) == 0x0
 00226   444   NtReadVirtualMemory  (52, 0x4c91a0, 256, ...  (52, 0x4c91a0, 256, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, ) , 256, ) == 0x0
 00227   444   NtClose  (52, ... ) == 0x0
 00228   444   NtUserQueryWindow  (65726, 0, ... ) == 0x7ec
 00229   444   NtUserQueryWindow  (65726, 1, ... ) == 0x7f0
 00230   444   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {2028, 0}, ... 52, ) == 0x0
 00231   444   NtReadVirtualMemory  (52, 0x400000, 64, ...  (52, 0x400000, 64, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\0", 64, ) , 64, ) == 0x0
 00232   444   NtReadVirtualMemory  (52, 0x4b1c86, 4, ...  (52, 0x4b1c86, 4, ... "\377\0\377\377", 4, ) , 4, ) == 0x0
 00233   444   NtReadVirtualMemory  (52, 0x4c91a0, 256, ...  (52, 0x4c91a0, 256, ... "\210fvx\210x\206wfvGe$\306d\21\26\210ls\210\210\250g\207\210hhx\207xhvwdfF|d\21\27\210\206hx\250\252\206\210\207v\207\210x\207\207gfv4F\306G\21\21\210\206\207\210\212\250\250h\210\207x\210\210wvwgFD$d!\21\21x\250g\210\212\252\250\206\210\207w\210\207\207wvvgBGd\21\21\21\210\212\203\210\250\252\212\210x\210w\210\210xwgcd%F\1\21\21\21\27\212\250\210\212\252\252\210f\210\207x\210\207w7fR@`\21\21\21\21\21\210\2508\212\252\250\250\210gw\21088vvu$$!\21\21\21\21\21\30\210\210\210\212\252\210\206vgw\210\203wsb`\7\21\21\21\21\21\21\21\210\203\210\210\210\210\207vvwwwsf4\7\21\21\21\21\21\21\21\21\30\210\210\210\210\210wGwvwww5\2\21\21\21\21\21\21", 256, ) , 256, ) == 0x0
 00234   444   NtClose  (52, ... ) == 0x0
 00235   444   NtUserQueryWindow  (65724, 0, ... ) == 0x7ec
 00236   444   NtUserQueryWindow  (65724, 1, ... ) == 0x7f0
 00237   444   NtUserQueryWindow  (65722, 0, ... ) == 0x7ec
 00238   444   NtUserQueryWindow  (65722, 1, ... ) == 0x7f0
 00239   444   NtUserQueryWindow  (65720, 0, ... ) == 0x7ec
 00240   444   NtUserQueryWindow  (65720, 1, ... ) == 0x7f0
 00241   444   NtUserQueryWindow  (65718, 0, ... ) == 0x7ec
 00242   444   NtUserQueryWindow  (65718, 1, ... ) == 0x7f0
 00243   444   NtUserQueryWindow  (65716, 0, ... ) == 0x7ec
 00244   444   NtUserQueryWindow  (65716, 1, ... ) == 0x7f0
 00245   444   NtUserQueryWindow  (65714, 0, ... ) == 0x7ec
 00246   444   NtUserQueryWindow  (65714, 1, ... ) == 0x7f0
 00247   444   NtUserQueryWindow  (65712, 0, ... ) == 0x7ec
 00248   444   NtUserQueryWindow  (65712, 1, ... ) == 0x7f0
 00249   444   NtUserQueryWindow  (131172, 0, ... ) == 0x7f8
 00250   444   NtUserQueryWindow  (131172, 1, ... ) == 0x7fc
 00251   444   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {2040, 0}, ... 52, ) == 0x0
 00252   444   NtReadVirtualMemory  (52, 0x400000, 64, ...  (52, 0x400000, 64, ... "\301\0\0\0\0\1\0\0\377\356\377\356\11\0\0\0\11\0\0\0\0\376\0\0\0\0\20\0\0 \0\0\0\2\0\0\0 \0\0q\0\0\0\377\357\375\177\0\0\10\6\0\0\0\0\0\0\0\0\0\0\0\0", 64, ) , 64, ) == 0x0
 00253   444   NtReadVirtualMemory  (52, 0x4b1c86, 4, ...  (52, 0x4b1c86, 4, ... "\0\0\0\0", 4, ) , 4, ) == 0x0
 00254   444   NtReadVirtualMemory  (52, 0x4c91a0, 256, ...  (52, 0x4c91a0, 256, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, ) , 256, ) == 0x0
 00255   444   NtClose  (52, ... ) == 0x0
 00256   444   NtUserQueryWindow  (65708, 0, ... ) == 0x7e4
 00257   444   NtUserQueryWindow  (65708, 1, ... ) == 0x7e8
 00258   444   NtUserQueryWindow  (131170, 0, ... ) == 0x7dc
 00259   444   NtUserQueryWindow  (131170, 1, ... ) == 0x7e0
 00260   444   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {2012, 0}, ... 52, ) == 0x0
 00261   444   NtReadVirtualMemory  (52, 0x400000, 64, ...  (52, 0x400000, 64, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0", 64, ) , 64, ) == 0x0
 00262   444   NtReadVirtualMemory  (52, 0x4b1c86, 4, ...
 00263   444   NtContinue  (-130712420, 0, ...
 00262   444   NtReadVirtualMemory  ... ) == STATUS_PARTIAL_COPY
 00264   444   NtReadVirtualMemory  (52, 0x4c91a0, 256, ...
 00265   444   NtContinue  (-130712420, 0, ...
 00264   444   NtReadVirtualMemory  ... ) == STATUS_PARTIAL_COPY
 00266   444   NtClose  (52, ... ) == 0x0
 00267   444   NtUserQueryWindow  (65644, 0, ... ) == 0x774
 00268   444   NtUserQueryWindow  (65644, 1, ... ) == 0x79c
 00269   444   NtUserQueryWindow  (327754, 0, ... ) == 0x774
 00270   444   NtUserQueryWindow  (327754, 1, ... ) == 0x778
 00271   444   NtUserQueryWindow  (262222, 0, ... ) == 0x774
 00272   444   NtUserQueryWindow  (262222, 1, ... ) == 0x778
 00273   444   NtUserQueryWindow  (327752, 0, ... ) == 0x774
 00274   444   NtUserQueryWindow  (327752, 1, ... ) == 0x778
 00275   444   NtUserQueryWindow  (65666, 0, ... ) == 0x774
 00276   444   NtUserQueryWindow  (65666, 1, ... ) == 0x778
 00277   444   NtUserQueryWindow  (65654, 0, ... ) == 0x774
 00278   444   NtUserQueryWindow  (65654, 1, ... ) == 0x778
 00279   444   NtRaiseException  (1242696, 1241956, 1, ...
 00280   444   NtContinue  (1240752, 0, ...
 00281   444   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 52, ) }, ... 52, ) == 0x0
 00282   444   NtOpenMutant  (0x120001, {24, 52, 0x2, 0, 0,  (0x120001, {24, 52, 0x2, 0, 0, "DBWinMutex"}, ... 56, ) }, ... 56, ) == 0x0
 00283   444   NtWaitForSingleObject  (56, 0, 0x0, ... ) == 0x0
 00284   444   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00285   444   NtReleaseMutant  (56, ... 0x0, ) == 0x0
 00286   444   NtDuplicateObject  (-1, 3101, -1, 0x0, 0, 2, ... ) == STATUS_INVALID_HANDLE
 00287   444   NtClose  (0, ... ) == STATUS_INVALID_HANDLE
 00288   444   NtClose  (0, ... ) == STATUS_INVALID_HANDLE
 00289   444   NtUserBuildHwndList  (0, 0, 0, 0, 64, ... (0x100aa, 0x100a8, 0x100a6, 0x20060, 0x100a0, 0x1007e, 0x10074, 0x10068, 0x30044, 0x10066, 0x30046, 0x30036, 0x10098, 0x1008c, 0x1007c, 0x10026, 0x100be, 0x100bc, 0x100ba, 0x100b8, 0x100b6, 0x100b4, 0x100b2, 0x100b0, 0x20064, 0x100ac, 0x20062, 0x1006c, 0x5004a, 0x4004e, 0x50048, 0x10082, 0x10076, 0x1, ), 34, ) == 0x0
 00290   444   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00291   444   NtUserFindWindowEx  (0, 0,  (0, 0, "WispWindowClass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00292   444   NtUserBuildHwndList  (0, 0, 0, 0, 64, ... (0x100aa, 0x100a8, 0x100a6, 0x20060, 0x100a0, 0x1007e, 0x10074, 0x10068, 0x30044, 0x10066, 0x30046, 0x30036, 0x10098, 0x1008c, 0x1007c, 0x10026, 0x100be, 0x100bc, 0x100ba, 0x100b8, 0x100b6, 0x100b4, 0x100b2, 0x100b0, 0x20064, 0x100ac, 0x20062, 0x1006c, 0x5004a, 0x4004e, 0x50048, 0x10082, 0x10076, 0x1, ), 34, ) == 0x0
 00293   444   NtUserQueryWindow  (65706, 0, ... ) == 0x7e4
 00294   444   NtUserQueryWindow  (65706, 1, ... ) == 0x7e8
 00295   444   NtUserQueryWindow  (65704, 0, ... ) == 0x7e4
 00296   444   NtUserQueryWindow  (65704, 1, ... ) == 0x7e8
 00297   444   NtUserQueryWindow  (65702, 0, ... ) == 0x7e4
 00298   444   NtUserQueryWindow  (65702, 1, ... ) == 0x7e8
 00299   444   NtUserQueryWindow  (131168, 0, ... ) == 0x7e4
 00300   444   NtUserQueryWindow  (131168, 1, ... ) == 0x7e8
 00301   444   NtUserQueryWindow  (65696, 0, ... ) == 0x774
 00302   444   NtUserQueryWindow  (65696, 1, ... ) == 0x780
 00303   444   NtUserQueryWindow  (65662, 0, ... ) == 0x774
 00304   444   NtUserQueryWindow  (65662, 1, ... ) == 0x780
 00305   444   NtUserQueryWindow  (65652, 0, ... ) == 0x774
 00306   444   NtUserQueryWindow  (65652, 1, ... ) == 0x780
 00307   444   NtUserQueryWindow  (65640, 0, ... ) == 0x774
 00308   444   NtUserQueryWindow  (65640, 1, ... ) == 0x780
 00309   444   NtUserQueryWindow  (196676, 0, ... ) == 0x774
 00310   444   NtUserQueryWindow  (196676, 1, ... ) == 0x780
 00311   444   NtUserQueryWindow  (65638, 0, ... ) == 0x774
 00312   444   NtUserQueryWindow  (65638, 1, ... ) == 0x780
 00313   444   NtUserQueryWindow  (196678, 0, ... ) == 0x774
 00314   444   NtUserQueryWindow  (196678, 1, ... ) == 0x780
 00315   444   NtUserQueryWindow  (196662, 0, ... ) == 0x774
 00316   444   NtUserQueryWindow  (196662, 1, ... ) == 0x780
 00317   444   NtUserQueryWindow  (65688, 0, ... ) == 0x774
 00318   444   NtUserQueryWindow  (65688, 1, ... ) == 0x780
 00319   444   NtUserQueryWindow  (65676, 0, ... ) == 0x774
 00320   444   NtUserQueryWindow  (65676, 1, ... ) == 0x780
 00321   444   NtUserQueryWindow  (65660, 0, ... ) == 0x774
 00322   444   NtUserQueryWindow  (65660, 1, ... ) == 0x778
 00323   444   NtUserQueryWindow  (65574, 0, ... ) == 0x268
 00324   444   NtUserQueryWindow  (65574, 1, ... ) == 0x2c4
 00325   444   NtUserQueryWindow  (65726, 0, ... ) == 0x7ec
 00326   444   NtUserQueryWindow  (65726, 1, ... ) == 0x7f0
 00327   444   NtUserQueryWindow  (65724, 0, ... ) == 0x7ec
 00328   444   NtUserQueryWindow  (65724, 1, ... ) == 0x7f0
 00329   444   NtUserQueryWindow  (65722, 0, ... ) == 0x7ec
 00330   444   NtUserQueryWindow  (65722, 1, ... ) == 0x7f0
 00331   444   NtUserQueryWindow  (65720, 0, ... ) == 0x7ec
 00332   444   NtUserQueryWindow  (65720, 1, ... ) == 0x7f0
 00333   444   NtUserQueryWindow  (65718, 0, ... ) == 0x7ec
 00334   444   NtUserQueryWindow  (65718, 1, ... ) == 0x7f0
 00335   444   NtUserQueryWindow  (65716, 0, ... ) == 0x7ec
 00336   444   NtUserQueryWindow  (65716, 1, ... ) == 0x7f0
 00337   444   NtUserQueryWindow  (65714, 0, ... ) == 0x7ec
 00338   444   NtUserQueryWindow  (65714, 1, ... ) == 0x7f0
 00339   444   NtUserQueryWindow  (65712, 0, ... ) == 0x7ec
 00340   444   NtUserQueryWindow  (65712, 1, ... ) == 0x7f0
 00341   444   NtUserQueryWindow  (131172, 0, ... ) == 0x7f8
 00342   444   NtUserQueryWindow  (131172, 1, ... ) == 0x7fc
 00343   444   NtUserQueryWindow  (65708, 0, ... ) == 0x7e4
 00344   444   NtUserQueryWindow  (65708, 1, ... ) == 0x7e8
 00345   444   NtUserQueryWindow  (131170, 0, ... ) == 0x7dc
 00346   444   NtUserQueryWindow  (131170, 1, ... ) == 0x7e0
 00347   444   NtUserQueryWindow  (65644, 0, ... ) == 0x774
 00348   444   NtUserQueryWindow  (65644, 1, ... ) == 0x79c
 00349   444   NtUserQueryWindow  (327754, 0, ... ) == 0x774
 00350   444   NtUserQueryWindow  (327754, 1, ... ) == 0x778
 00351   444   NtUserQueryWindow  (262222, 0, ... ) == 0x774
 00352   444   NtUserQueryWindow  (262222, 1, ... ) == 0x778
 00353   444   NtUserQueryWindow  (327752, 0, ... ) == 0x774
 00354   444   NtUserQueryWindow  (327752, 1, ... ) == 0x778
 00355   444   NtUserQueryWindow  (65666, 0, ... ) == 0x774
 00356   444   NtUserQueryWindow  (65666, 1, ... ) == 0x778
 00357   444   NtUserQueryWindow  (65654, 0, ... ) == 0x774
 00358   444   NtUserQueryWindow  (65654, 1, ... ) == 0x778
 00359   444   NtRaiseException  (1242640, 1241900, 1, ...
 00360   444   NtContinue  (1240696, 0, ...
 00361   444   NtWaitForSingleObject  (56, 0, 0x0, ... ) == 0x0
 00362   444   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00363   444   NtReleaseMutant  (56, ... 0x0, ) == 0x0
 00364   444   NtDuplicateObject  (-1, 3380, -1, 0x0, 0, 2, ... ) == STATUS_INVALID_HANDLE
 00365   444   NtClose  (0, ... ) == STATUS_INVALID_HANDLE
 00366   444   NtClose  (0, ... ) == STATUS_INVALID_HANDLE
 00367   444   NtUserBuildHwndList  (0, 0, 0, 0, 64, ... (0x100aa, 0x100a8, 0x100a6, 0x20060, 0x100a0, 0x1007e, 0x10074, 0x10068, 0x30044, 0x10066, 0x30046, 0x30036, 0x10098, 0x1008c, 0x1007c, 0x10026, 0x100be, 0x100bc, 0x100ba, 0x100b8, 0x100b6, 0x100b4, 0x100b2, 0x100b0, 0x20064, 0x100ac, 0x20062, 0x1006c, 0x5004a, 0x4004e, 0x50048, 0x10082, 0x10076, 0x1, ), 34, ) == 0x0
 00368   444   NtSetSecurityObject  (-1, 4, {1, 0, 0x4, 0, 0, 0, 1242476}, ... ) == 0x0
 00369   444   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 60, ) }, ... 60, ) == 0x0
 00370   444   NtQueryValueKey  (60,  (60, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00371   444   NtClose  (60, ... ) == 0x0
 00372   444   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MPR.dll"}, ... 60, ) }, ... 60, ) == 0x0
 00373   444   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71b20000), 0x0, 69632, ) == 0x0
 00374   444   NtClose  (60, ... ) == 0x0
 00375   444   NtCreateSemaphore  (0x1f0003, 0x0, 1, 1, ... 60, ) == 0x0
 00376   444   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 64, ) == 0x0
 00377   444   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "system\CurrentControlSet\control\NetworkProvider\HwOrder"}, ... 68, ) }, ... 68, ) == 0x0
 00378   444   NtNotifyChangeKey  (68, 64, 0, 0, 2011390432, 4, 0, 0, 0, 1, ... ) == 0x103
 00379   444   NtQueryInformationProcess  (-1, 28, 4, ... {process info, class 28, size 4}, 0x0, ) == 0x0
 00380   444   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 72, ) == 0x0
 00381   444   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 76, ) == 0x0
 00382   444   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ODBC32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00383   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\ODBC32.dll"}, 1241484, ... ) }, 1241484, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00384   444   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "ODBC32.dll"}, 1241484, ... ) }, 1241484, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00385   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ODBC32.dll"}, 1241484, ... ) }, 1241484, ... ) == 0x0
 00386   444   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ODBC32.dll"}, 5, 96, ... 80, {status=0x0, info=1}, ) }, 5, 96, ... 80, {status=0x0, info=1}, ) == 0x0
 00387   444   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 80, ... 84, ) == 0x0
 00388   444   NtQuerySection  (84, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00389   444   NtOpenProcessToken  (-1, 0x8, ... 88, ) == 0x0
 00390   444   NtQueryInformationToken  (88, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00391   444   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00392   444   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 92, ) }, ... 92, ) == 0x0
 00393   444   NtQueryValueKey  (92,  (92, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (92, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00394   444   NtClose  (92, ... ) == 0x0
 00395   444   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00396   444   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 92, ) == 0x0
 00397   444   NtQueryInformationToken  (92, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00398   444   NtClose  (92, ... ) == 0x0
 00399   444   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00400   444   NtClose  (88, ... ) == 0x0
 00401   444   NtClose  (80, ... ) == 0x0
 00402   444   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x1f7b0000), 0x0, 200704, ) == 0x0
 00403   444   NtClose  (84, ... ) == 0x0
 00404   444   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "COMCTL32.dll"}, ... 84, ) }, ... 84, ) == 0x0
 00405   444   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0
 00406   444   NtClose  (84, ... ) == 0x0
 00407   444   NtProtectVirtualMemory  (-1, (0x1f7b1000), 724, 4, ... (0x1f7b1000), 4096, 32, ) == 0x0
 00408   444   NtProtectVirtualMemory  (-1, (0x1f7b1000), 4096, 32, ... (0x1f7b1000), 4096, 4, ) == 0x0
 00409   444   NtFlushInstructionCache  (-1, 528158720, 724, ... ) == 0x0
 00410   444   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "comdlg32.dll"}, ... 84, ) }, ... 84, ) == 0x0
 00411   444   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x763b0000), 0x0, 282624, ) == 0x0
 00412   444   NtClose  (84, ... ) == 0x0
 00413   444   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 84, ) }, ... 84, ) == 0x0
 00414   444   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x772d0000), 0x0, 405504, ) == 0x0
 00415   444   NtClose  (84, ... ) == 0x0
 00416   444   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 84, ) }, ... 84, ) == 0x0
 00417   444   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0
 00418   444   NtClose  (84, ... ) == 0x0
 00419   444   NtProtectVirtualMemory  (-1, (0x763b1000), 1536, 4, ... (0x763b1000), 4096, 32, ) == 0x0
 00420   444   NtProtectVirtualMemory  (-1, (0x763b1000), 4096, 32, ... (0x763b1000), 4096, 4, ) == 0x0
 00421   444   NtFlushInstructionCache  (-1, 1983582208, 1536, ... ) == 0x0
 00422   444   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHELL32.dll"}, ... 84, ) }, ... 84, ) == 0x0
 00423   444   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 8339456, ) == 0x0
 00424   444   NtClose  (84, ... ) == 0x0
 00425   444   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {440, 0}, ... 84, ) == 0x0
 00426   444   NtQueryInformationProcess  (84, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 00427   444   NtClose  (84, ... ) == 0x0
 00428   444   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00429   444   NtUserSystemParametersInfo  (104, 0, 2000318720, 0, ... ) == 0x1
 00430   444   NtUserSystemParametersInfo  (38, 4, 2000318708, 0, ... ) == 0x1
 00431   444   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00432   444   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 84, ) == 0x0
 00433   444   NtQueryInformationToken  (84, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00434   444   NtClose  (84, ... ) == 0x0
 00435   444   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 84, ) }, ... 84, ) == 0x0
 00436   444   NtSetInformationObject  (84, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 00437   444   NtOpenKey  (0x20019, {24, 84, 0x40, 0, 0,  (0x20019, {24, 84, 0x40, 0, 0, "Control Panel\Desktop"}, ... 80, ) }, ... 80, ) == 0x0
 00438   444   NtQueryValueKey  (80,  (80, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00439   444   NtClose  (80, ... ) == 0x0
 00440   444   NtUserSystemParametersInfo  (41, 500, 1241216, 0, ... ) == 0x1
 00441   444   NtUserSystemParametersInfo  (102, 0, 2000318732, 0, ... ) == 0x1
 00442   444   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00443   444   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00444   444   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc03b
 00445   444   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00446   444   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc03d
 00447   444   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00448   444   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00449   444   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc03f
 00450   444   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00451   444   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00452   444   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc041
 00453   444   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00454   444   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00455   444   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc043
 00456   444   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00457   444   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc045
 00458   444   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00459   444   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00460   444   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc047
 00461   444   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00462   444   NtUserFindExistingCursorIcon  (1241004, 1241020, 1241588, ... ) == 0x10011
 00463   444   NtUserRegisterClassExWOW  (1241456, 1241536, 1241520, 1241552, 0, 384, 0, ... ) == 0x810dc049
 00464   444   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00465   444   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00466   444   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc04b
 00467   444   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00468   444   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00469   444   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc04d
 00470   444   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00471   444   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00472   444   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc04f
 00473   444   NtUserGetClassInfo  (1999896576, 1241628, 1241580, 1241656, 0, ... ) == 0x0
 00474   444   NtUserRegisterClassExWOW  (1241464, 1241544, 1241528, 1241560, 0, 384, 0, ... ) == 0x810dc051
 00475   444   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00476   444   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00477   444   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc053
 00478   444   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00479   444   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00480   444   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc055
 00481   444   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc057
 00482   444   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00483   444   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00484   444   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc059
 00485   444   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00486   444   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10013
 00487   444   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc05b
 00488   444   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00489   444   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00490   444   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc05d
 00491   444   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00492   444   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00493   444   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810dc05f
 00494   444   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00495   444   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 9240576, 65536, ) == 0x0
 00496   444   NtAllocateVirtualMemory  (-1, 9240576, 0, 4096, 4096, 4, ... 9240576, 4096, ) == 0x0
 00497   444   NtAllocateVirtualMemory  (-1, 9244672, 0, 8192, 4096, 4, ... 9244672, 8192, ) == 0x0
 00498   444   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 80, ) }, ... 80, ) == 0x0
 00499   444   NtMapViewOfSection  (80, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x8e0000), 0x0, 12288, ) == 0x0
 00500   444   NtClose  (80, ... ) == 0x0
 00501   444   NtAllocateVirtualMemory  (-1, 9252864, 0, 4096, 4096, 4, ... 9252864, 4096, ) == 0x0
 00502   444   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00503   444   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 80, ) }, ... 80, ) == 0x0
 00504   444   NtQueryValueKey  (80,  (80, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00505   444   NtClose  (80, ... ) == 0x0
 00506   444   NtQueryDefaultUILanguage  (1239840, ...
 00507   444   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00508   444   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482208, ) == 0x0
 00509   444   NtQueryInformationToken  (-2147482208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00510   444   NtClose  (-2147482208, ... ) == 0x0
 00511   444   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 00512   444   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00513   444   NtOpenKey  (0x80000000, {24, -2147482208, 0x640, 0, 0,  (0x80000000, {24, -2147482208, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482196, ) }, ... -2147482196, ) == 0x0
 00514   444   NtQueryValueKey  (-2147482196,  (-2147482196, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00515   444   NtClose  (-2147482196, ... ) == 0x0
 00516   444   NtClose  (-2147482208, ... ) == 0x0
 00506   444   NtQueryDefaultUILanguage  ... ) == 0x0
 00517   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00518   444   NtQueryInstallUILanguage  (2012047340, ... ) == 0x0
 00519   444   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1, 96, ... 80, {status=0x0, info=1}, ) }, 1, 96, ... 80, {status=0x0, info=1}, ) == 0x0
 00520   444   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 80, ... 88, ) == 0x0
 00521   444   NtMapViewOfSection  (88, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x8f0000), 0x0, 8323072, ) == 0x0
 00522   444   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00523   444   NtQueryDefaultUILanguage  (2013024600, ...
 00524   444   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00525   444   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482208, ) == 0x0
 00526   444   NtQueryInformationToken  (-2147482208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00527   444   NtClose  (-2147482208, ... ) == 0x0
 00528   444   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 00529   444   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00530   444   NtOpenKey  (0x80000000, {24, -2147482208, 0x640, 0, 0,  (0x80000000, {24, -2147482208, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482196, ) }, ... -2147482196, ) == 0x0
 00531   444   NtQueryValueKey  (-2147482196,  (-2147482196, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00532   444   NtClose  (-2147482196, ... ) == 0x0
 00533   444   NtClose  (-2147482208, ... ) == 0x0
 00523   444   NtQueryDefaultUILanguage  ... ) == 0x0
 00534   444   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00535   444   NtQueryInstallUILanguage  (2013024602, ... ) == 0x0
 00536   444   NtQueryDefaultLocale  (1, 1237876, ... ) == 0x0
 00537   444   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00538   444   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1238732, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1238732, 1, 96, 0} "\210\6\30\1\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\30\1P\0\0\0\377\377\377\377\0\0\0\0\20\311\306\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\30\1\0\0\0\0\0\0\0\0\314\355\22\0\0\0\0\0" ... {128, 156, reply, 0, 440, 444, 1495, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\30\1P\0\0\0\377\377\377\377\0\0\0\0\20\311\306\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\30\1\0\0\0\0\0\0\0\0\314\355\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 440, 444, 1495, 0}  (24, {128, 156, new_msg, 0, 1238732, 1, 96, 0} "\210\6\30\1\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\30\1P\0\0\0\377\377\377\377\0\0\0\0\20\311\306\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\30\1\0\0\0\0\0\0\0\0\314\355\22\0\0\0\0\0" ... {128, 156, reply, 0, 440, 444, 1495, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\30\1P\0\0\0\377\377\377\377\0\0\0\0\20\311\306\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\30\1\0\0\0\0\0\0\0\0\314\355\22\0\0\0\0\0" )  ) == 0x0
 00539   444   NtClose  (80, ... ) == 0x0
 00540   444   NtClose  (88, ... ) == 0x0
 00541   444   NtUnmapViewOfSection  (-1, 0x8f0000, ... ) == 0x0
 00542   444   NtUnmapViewOfSection  (-1, 0x12edcc, ... ) == STATUS_NOT_MAPPED_VIEW
 00543   444   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00544   444   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00545   444   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00546   444   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00547   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1236960, ... ) }, 1236960, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00548   444   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00549   444   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00550   444   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00551   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1237552, ... ) }, 1237552, ... ) == 0x0
 00552   444   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 88, {status=0x0, info=1}, ) }, 3, 33, ... 88, {status=0x0, info=1}, ) == 0x0
 00553   444   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00554   444   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 80, {status=0x0, info=1}, ) }, 5, 96, ... 80, {status=0x0, info=1}, ) == 0x0
 00555   444   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 80, ... 92, ) == 0x0
 00556   444   NtClose  (80, ... ) == 0x0
 00557   444   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x8f0000), 0x0, 921600, ) == 0x0
 00558   444   NtClose  (92, ... ) == 0x0
 00559   444   NtUnmapViewOfSection  (-1, 0x8f0000, ... ) == 0x0
 00560   444   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 92, {status=0x0, info=1}, ) }, 5, 96, ... 92, {status=0x0, info=1}, ) == 0x0
 00561   444   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 92, ... 80, ) == 0x0
 00562   444   NtQuerySection  (80, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00563   444   NtClose  (92, ... ) == 0x0
 00564   444   NtMapViewOfSection  (80, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0
 00565   444   NtClose  (80, ... ) == 0x0
 00566   444   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00567   444   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00568   444   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00569   444   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00570   444   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00571   444   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00572   444   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00573   444   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00574   444   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00575   444   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00576   444   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00577   444   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00578   444   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00579   444   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00580   444   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00581   444   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00582   444   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00583   444   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00584   444   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00585   444   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00586   444   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00587   444   NtAddAtom  ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1238736, ... ) , 42, 1238736, ... ) == 0x0
 00588   444   NtQueryDefaultUILanguage  (1237452, ...
 00589   444   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00590   444   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482208, ) == 0x0
 00591   444   NtQueryInformationToken  (-2147482208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00592   444   NtClose  (-2147482208, ... ) == 0x0
 00593   444   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 00594   444   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00595   444   NtOpenKey  (0x80000000, {24, -2147482208, 0x640, 0, 0,  (0x80000000, {24, -2147482208, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482196, ) }, ... -2147482196, ) == 0x0
 00596   444   NtQueryValueKey  (-2147482196,  (-2147482196, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00597   444   NtClose  (-2147482196, ... ) == 0x0
 00598   444   NtClose  (-2147482208, ... ) == 0x0
 00588   444   NtQueryDefaultUILanguage  ... ) == 0x0
 00599   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00600   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1236304, ... ) }, 1236304, ... ) == 0x0
 00601   444   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 80, {status=0x0, info=1}, ) }, 5, 96, ... 80, {status=0x0, info=1}, ) == 0x0
 00602   444   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 80, ... 92, ) == 0x0
 00603   444   NtClose  (80, ... ) == 0x0
 00604   444   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x8f0000), 0x0, 4096, ) == 0x0
 00605   444   NtClose  (92, ... ) == 0x0
 00606   444   NtUnmapViewOfSection  (-1, 0x8f0000, ... ) == 0x0
 00607   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1235944, ... ) }, 1235944, ... ) == 0x0
 00608   444   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1236644,  (0x80100080, {24, 0, 0x40, 0, 1236644, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 92, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 92, {status=0x0, info=1}, ) == 0x0
 00609   444   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 92, ... 80, ) == 0x0
 00610   444   NtClose  (92, ... ) == 0x0
 00611   444   NtMapViewOfSection  (80, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x8f0000), {0, 0}, 4096, ) == 0x0
 00612   444   NtClose  (80, ... ) == 0x0
 00613   444   NtUnmapViewOfSection  (-1, 0x8f0000, ... ) == 0x0
 00614   444   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 80, {status=0x0, info=1}, ) }, 1, 96, ... 80, {status=0x0, info=1}, ) == 0x0
 00615   444   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 80, ... 92, ) == 0x0
 00616   444   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x8f0000), 0x0, 4096, ) == 0x0
 00617   444   NtQueryInformationFile  (80, 1236264, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0
 00618   444   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00619   444   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1236344, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1236344, 1, 96, 0} "\210\6\30\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\30\1P\0\0\0\\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\30\1\0\0\0\0\0\0\0\0x\344\22\0\0\0\0\0" ... {128, 156, reply, 0, 440, 444, 1496, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\30\1P\0\0\0\\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\30\1\0\0\0\0\0\0\0\0x\344\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 440, 444, 1496, 0}  (24, {128, 156, new_msg, 0, 1236344, 1, 96, 0} "\210\6\30\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\30\1P\0\0\0\\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\30\1\0\0\0\0\0\0\0\0x\344\22\0\0\0\0\0" ... {128, 156, reply, 0, 440, 444, 1496, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\30\1P\0\0\0\\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\30\1\0\0\0\0\0\0\0\0x\344\22\0\0\0\0\0" )  ) == 0x0
 00620   444   NtClose  (80, ... ) == 0x0
 00621   444   NtClose  (92, ... ) == 0x0
 00622   444   NtUnmapViewOfSection  (-1, 0x8f0000, ... ) == 0x0
 00623   444   NtUnmapViewOfSection  (-1, 0x12e478, ... ) == STATUS_NOT_MAPPED_VIEW
 00624   444   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00625   444   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00626   444   NtUserSystemParametersInfo  (104, 0, 1906151468, 0, ... ) == 0x1
 00627   444   NtUserGetDC  (0, ... ) == 0x1010050
 00628   444   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 00629   444   NtUserSystemParametersInfo  (38, 4, 1906153440, 0, ... ) == 0x1
 00630   444   NtUserSystemParametersInfo  (66, 12, 1238756, 0, ... ) == 0x1
 00631   444   NtOpenProcessToken  (-1, 0x8, ... 92, ) == 0x0
 00632   444   NtAccessCheck  (1393640, 92, 0x1, 1238160, 1238104, 56, 1238188, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 00633   444   NtClose  (92, ... ) == 0x0
 00634   444   NtOpenKey  (0x20019, {24, 84, 0x40, 0, 0,  (0x20019, {24, 84, 0x40, 0, 0, "Control Panel\Desktop"}, ... 92, ) }, ... 92, ) == 0x0
 00635   444   NtQueryValueKey  (92,  (92, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00636   444   NtClose  (92, ... ) == 0x0
 00637   444   NtUserSystemParametersInfo  (41, 500, 1238256, 0, ... ) == 0x1
 00638   444   NtAllocateVirtualMemory  (-1, 1396736, 0, 4096, 4096, 4, ... 1396736, 4096, ) == 0x0
 00639   444   NtOpenKey  (0x1, {24, 84, 0x40, 0, 0,  (0x1, {24, 84, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 92, ) }, ... 92, ) == 0x0
 00640   444   NtQueryValueKey  (92,  (92, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00641   444   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 80, ) }, ... 80, ) == 0x0
 00642   444   NtQueryValueKey  (80,  (80, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00643   444   NtClose  (80, ... ) == 0x0
 00644   444   NtClose  (92, ... ) == 0x0
 00645   444   NtUserSystemParametersInfo  (102, 0, 1906153328, 0, ... ) == 0x1
 00646   444   NtUserSystemParametersInfo  (4130, 0, 1238780, 0, ... ) == 0x1
 00647   444   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 92, ) }, ... 92, ) == 0x0
 00648   444   NtEnumerateValueKey  (92, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 00649   444   NtClose  (92, ... ) == 0x0
 00650   444   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00651   444   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc03b
 00652   444   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc03d
 00653   444   NtUserFindExistingCursorIcon  (1238060, 1238076, 1238644, ... ) == 0x10011
 00654   444   NtUserRegisterClassExWOW  (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810dc03f
 00655   444   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00656   444   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc041
 00657   444   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00658   444   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ...
 00659   444   NtAllocateVirtualMemory  (-1, 6127616, 0, 4096, 4096, 32, ... 6127616, 4096, ) == 0x0
 00658   444   NtUserRegisterClassExWOW  ... ) == 0x810dc043
 00660   444   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc045
 00661   444   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00662   444   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc047
 00663   444   NtUserFindExistingCursorIcon  (1238060, 1238076, 1238644, ... ) == 0x10011
 00664   444   NtUserRegisterClassExWOW  (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810dc049
 00665   444   NtUserGetClassInfo  (1905590272, 1238676, 1238628, 1238704, 0, ... ) == 0xc049
 00666   444   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00667   444   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc04b
 00668   444   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00669   444   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc04d
 00670   444   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00671   444   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc04f
 00672   444   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc051
 00673   444   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00674   444   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc053
 00675   444   NtUserFindExistingCursorIcon  (1238060, 1238076, 1238644, ... ) == 0x10011
 00676   444   NtUserRegisterClassExWOW  (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810dc055
 00677   444   NtUserRegisterClassExWOW  (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810dc057
 00678   444   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00679   444   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc059
 00680   444   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10013
 00681   444   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc05b
 00682   444   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00683   444   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc05d
 00684   444   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00685   444   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc05f
 00686   444   NtUserFindExistingCursorIcon  (1238060, 1238076, 1238644, ... ) == 0x10011
 00687   444   NtUserRegisterClassExWOW  (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810dc017
 00688   444   NtUserFindExistingCursorIcon  (1238060, 1238076, 1238644, ... ) == 0x10011
 00689   444   NtUserRegisterClassExWOW  (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810dc019
 00690   444   NtUserFindExistingCursorIcon  (1238060, 1238076, 1238644, ... ) == 0x10013
 00691   444   NtUserRegisterClassExWOW  (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810dc018
 00692   444   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00693   444   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc01a
 00694   444   NtUserFindExistingCursorIcon  (1238060, 1238076, 1238644, ... ) == 0x10011
 00695   444   NtUserRegisterClassExWOW  (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810dc01c
 00696   444   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00697   444   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc01e
 00698   444   NtUserFindExistingCursorIcon  (1238060, 1238076, 1238644, ... ) == 0x10011
 00699   444   NtUserRegisterClassExWOW  (1238572, 1238652, 1238636, 1238668, 0, 384, 0, ... ) == 0x810dc01b
 00700   444   NtUserFindExistingCursorIcon  (1238056, 1238072, 1238640, ... ) == 0x10011
 00701   444   NtUserRegisterClassExWOW  (1238568, 1238648, 1238632, 1238664, 0, 384, 0, ... ) == 0x810dc068
 00702   444   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00703   444   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc06a
 00704   444   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc03b
 00705   444   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc03d
 00706   444   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc03f
 00707   444   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc041
 00708   444   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc043
 00709   444   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc045
 00710   444   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc047
 00711   444   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc049
 00712   444   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc04b
 00713   444   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc04d
 00714   444   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc04f
 00715   444   NtUserGetClassInfo  (1999896576, 1241580, 1241532, 1241608, 0, ... ) == 0xc051
 00716   444   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc053
 00717   444   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc055
 00718   444   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc059
 00719   444   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc05b
 00720   444   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc05d
 00721   444   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc05f
 00722   444   NtUserRegisterWindowMessage  ( ("WOWLFChange", ... ) , ... ) == 0xc06b
 00723   444   NtUserRegisterWindowMessage  ( ("WOWDirChange", ... ) , ... ) == 0xc06c
 00724   444   NtUserRegisterWindowMessage  ( ("WOWCHOOSEFONT_GETLOGFONT", ... ) , ... ) == 0xc06d
 00725   444   NtUserRegisterWindowMessage  ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06e
 00726   444   NtUserRegisterWindowMessage  ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc06f
 00727   444   NtUserRegisterWindowMessage  ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc070
 00728   444   NtUserRegisterWindowMessage  ( ("commdlg_ColorOK", ... ) , ... ) == 0xc071
 00729   444   NtUserRegisterWindowMessage  ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc072
 00730   444   NtUserRegisterWindowMessage  ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06e
 00731   444   NtUserRegisterWindowMessage  ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc06f
 00732   444   NtUserRegisterWindowMessage  ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc070
 00733   444   NtUserRegisterWindowMessage  ( ("commdlg_ColorOK", ... ) , ... ) == 0xc071
 00734   444   NtUserRegisterWindowMessage  ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc072
 00735   444   NtUserRegisterWindowMessage  ( ("Shell IDList Array", ... ) , ... ) == 0xc073
 00736   444   NtUserRegisterWindowMessage  ( ("commdlg_help", ... ) , ... ) == 0xc074
 00737   444   NtUserRegisterWindowMessage  ( ("commdlg_help", ... ) , ... ) == 0xc074
 00738   444   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\MDAC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00739   444   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00740   444   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00741   444   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00742   444   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 9502720, 262144, ) == 0x0
 00743   444   NtAllocateVirtualMemory  (-1, 9502720, 0, 4096, 4096, 4, ... 9502720, 4096, ) == 0x0
 00744   444   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00745   444   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 9764864, 262144, ) == 0x0
 00746   444   NtAllocateVirtualMemory  (-1, 9764864, 0, 4096, 4096, 4, ... 9764864, 4096, ) == 0x0
 00747   444   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00748   444   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 10027008, 262144, ) == 0x0
 00749   444   NtAllocateVirtualMemory  (-1, 10027008, 0, 4096, 4096, 4, ... 10027008, 4096, ) == 0x0
 00750   444   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00751   444   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 10289152, 262144, ) == 0x0
 00752   444   NtAllocateVirtualMemory  (-1, 10289152, 0, 4096, 4096, 4, ... 10289152, 4096, ) == 0x0
 00753   444   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00754   444   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00755   444   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00756   444   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00757   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 1237456, ... ) }, 1237456, ... ) == 0x0
 00758   444   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 5, 96, ... 92, {status=0x0, info=1}, ) }, 5, 96, ... 92, {status=0x0, info=1}, ) == 0x0
 00759   444   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 92, ... 80, ) == 0x0
 00760   444   NtClose  (92, ... ) == 0x0
 00761   444   NtMapViewOfSection  (80, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa10000), 0x0, 90112, ) == 0x0
 00762   444   NtClose  (80, ... ) == 0x0
 00763   444   NtUnmapViewOfSection  (-1, 0xa10000, ... ) == 0x0
 00764   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 1237772, ... ) }, 1237772, ... ) == 0x0
 00765   444   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 5, 96, ... 80, {status=0x0, info=1}, ) }, 5, 96, ... 80, {status=0x0, info=1}, ) == 0x0
 00766   444   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 80, ... 92, ) == 0x0
 00767   444   NtQuerySection  (92, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00768   444   NtClose  (80, ... ) == 0x0
 00769   444   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x1f850000), 0x0, 90112, ) == 0x0
 00770   444   NtClose  (92, ... ) == 0x0
 00771   444   NtQueryDefaultLocale  (1, 1239460, ... ) == 0x0
 00772   444   NtAllocateVirtualMemory  (-1, 9506816, 0, 4096, 4096, 4, ... 9506816, 4096, ) == 0x0
 00773   444   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE"}, ... 92, ) }, ... 92, ) == 0x0
 00774   444   NtClose  (92, ... ) == 0x0
 00775   444   NtOpenKey  (0x20019, {24, 84, 0x40, 0, 0,  (0x20019, {24, 84, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00776   444   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00777   444   NtOpenKey  (0x20019, {24, 84, 0x40, 0, 0,  (0x20019, {24, 84, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00778   444   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00779   444   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WININET.dll"}, ... 92, ) }, ... 92, ) == 0x0
 00780   444   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76200000), 0x0, 618496, ) == 0x0
 00781   444   NtClose  (92, ... ) == 0x0
 00782   444   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "CRYPT32.dll"}, ... 92, ) }, ... 92, ) == 0x0
 00783   444   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762c0000), 0x0, 565248, ) == 0x0
 00784   444   NtClose  (92, ... ) == 0x0
 00785   444   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSASN1.dll"}, ... 92, ) }, ... 92, ) == 0x0
 00786   444   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762a0000), 0x0, 61440, ) == 0x0
 00787   444   NtClose  (92, ... ) == 0x0
 00788   444   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLEAUT32.dll"}, ... 92, ) }, ... 92, ) == 0x0
 00789   444   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0
 00790   444   NtClose  (92, ... ) == 0x0
 00791   444   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLE32.DLL"}, ... 92, ) }, ... 92, ) == 0x0
 00792   444   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0
 00793   444   NtClose  (92, ... ) == 0x0
 00794   444   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\crypt32\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00795   444   NtAllocateVirtualMemory  (-1, 1400832, 0, 4096, 4096, 4, ... 1400832, 4096, ) == 0x0
 00796   444   NtAllocateVirtualMemory  (-1, 1404928, 0, 4096, 4096, 4, ... 1404928, 4096, ) == 0x0
 00797   444   NtAllocateVirtualMemory  (-1, 1409024, 0, 4096, 4096, 4, ... 1409024, 4096, ) == 0x0
 00798   444   NtCreateEvent  (0x1f0003, {24, 52, 0x80, 1241616, 0,  (0x1f0003, {24, 52, 0x80, 1241616, 0, "Global\crypt32LogoffEvent"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED
 00799   444   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\crypt32LogoffEvent"}, ... 92, ) }, ... 92, ) == 0x0
 00800   444   NtAllocateVirtualMemory  (-1, 1413120, 0, 4096, 4096, 4, ... 1413120, 4096, ) == 0x0
 00801   444   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00802   444   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00803   444   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 80, ) }, ... 80, ) == 0x0
 00804   444   NtQueryValueKey  (80,  (80, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0
 00805   444   NtClose  (80, ... ) == 0x0
 00806   444   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00807   444   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00808   444   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00809   444   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00810   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 80, ) }, ... 80, ) == 0x0
 00811   444   NtQueryValueKey  (80,  (80, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00812   444   NtQueryValueKey  (80,  (80, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00813   444   NtQueryValueKey  (80,  (80, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00814   444   NtClose  (80, ... ) == 0x0
 00815   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 80, ) }, ... 80, ) == 0x0
 00816   444   NtQueryValueKey  (80,  (80, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00817   444   NtQueryValueKey  (80,  (80, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00818   444   NtClose  (80, ... ) == 0x0
 00819   444   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00820   444   NtUserRegisterWindowMessage  ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b
 00821   444   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00822   444   NtOpenKey  (0x9, {24, 28, 0x40, 0, 0,  (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00823   444   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00824   444   NtAllocateVirtualMemory  (-1, 1417216, 0, 8192, 4096, 4, ... 1417216, 8192, ) == 0x0
 00825   444   NtCreateKey  (0xf003f, {24, 84, 0x40, 0, 0,  (0xf003f, {24, 84, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History"}, 0, 0x0, 0, ... 80, 2, ) }, 0, 0x0, 0, ... 80, 2, ) == 0x0
 00826   444   NtQueryDefaultUILanguage  (1239852, ...
 00827   444   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00828   444   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482208, ) == 0x0
 00829   444   NtQueryInformationToken  (-2147482208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00830   444   NtClose  (-2147482208, ... ) == 0x0
 00831   444   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 00832   444   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00833   444   NtOpenKey  (0x80000000, {24, -2147482208, 0x640, 0, 0,  (0x80000000, {24, -2147482208, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482196, ) }, ... -2147482196, ) == 0x0
 00834   444   NtQueryValueKey  (-2147482196,  (-2147482196, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00835   444   NtClose  (-2147482196, ... ) == 0x0
 00836   444   NtClose  (-2147482208, ... ) == 0x0
 00826   444   NtQueryDefaultUILanguage  ... ) == 0x0
 00837   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00838   444   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll"}, 1, 96, ... 96, {status=0x0, info=1}, ) }, 1, 96, ... 96, {status=0x0, info=1}, ) == 0x0
 00839   444   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 96, ... 100, ) == 0x0
 00840   444   NtMapViewOfSection  (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xa10000), 0x0, 593920, ) == 0x0
 00841   444   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00842   444   NtQueryDefaultLocale  (1, 1237888, ... ) == 0x0
 00843   444   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00844   444   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1238744, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1238744, 1, 96, 0} "\210\6\30\1\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\30\1`\0\0\0\377\377\377\377\0\0\0\0P\275\250\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\30\1\0\0\0\0\0\0\0\0\330\355\22\0\0\0\0\0" ... {128, 156, reply, 0, 440, 444, 1497, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\30\1`\0\0\0\377\377\377\377\0\0\0\0P\275\250\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\30\1\0\0\0\0\0\0\0\0\330\355\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 440, 444, 1497, 0}  (24, {128, 156, new_msg, 0, 1238744, 1, 96, 0} "\210\6\30\1\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\30\1`\0\0\0\377\377\377\377\0\0\0\0P\275\250\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\30\1\0\0\0\0\0\0\0\0\330\355\22\0\0\0\0\0" ... {128, 156, reply, 0, 440, 444, 1497, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\30\1`\0\0\0\377\377\377\377\0\0\0\0P\275\250\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\30\1\0\0\0\0\0\0\0\0\330\355\22\0\0\0\0\0" )  ) == 0x0
 00845   444   NtClose  (96, ... ) == 0x0
 00846   444   NtClose  (100, ... ) == 0x0
 00847   444   NtUnmapViewOfSection  (-1, 0xa10000, ... ) == 0x0
 00848   444   NtUnmapViewOfSection  (-1, 0x12edd8, ... ) == STATUS_NOT_MAPPED_VIEW
 00849   444   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00850   444   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00851   444   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00852   444   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00853   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1236428, ... ) }, 1236428, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00854   444   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00855   444   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00856   444   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00857   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1237020, ... ) }, 1237020, ... ) == 0x0
 00858   444   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 100, {status=0x0, info=1}, ) }, 3, 33, ... 100, {status=0x0, info=1}, ) == 0x0
 00859   444   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00860   444   NtCreateKey  (0x2001f, {24, 84, 0x40, 0, 0,  (0x2001f, {24, 84, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 96, 2, ) }, 0, 0x0, 0, ... 96, 2, ) == 0x0
 00861   444   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00862   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1241484, ... ) }, 1241484, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00863   444   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2_32.dll"}, 1241484, ... ) }, 1241484, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00864   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 1241484, ... ) }, 1241484, ... ) == 0x0
 00865   444   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0
 00866   444   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 104, ... 108, ) == 0x0
 00867   444   NtQuerySection  (108, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00868   444   NtClose  (104, ... ) == 0x0
 00869   444   NtMapViewOfSection  (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 86016, ) == 0x0
 00870   444   NtClose  (108, ... ) == 0x0
 00871   444   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00872   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1240680, ... ) }, 1240680, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00873   444   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2HELP.dll"}, 1240680, ... ) }, 1240680, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00874   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 1240680, ... ) }, 1240680, ... ) == 0x0
 00875   444   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 5, 96, ... 108, {status=0x0, info=1}, ) }, 5, 96, ... 108, {status=0x0, info=1}, ) == 0x0
 00876   444   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 108, ... 104, ) == 0x0
 00877   444   NtQuerySection  (104, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00878   444   NtClose  (108, ... ) == 0x0
 00879   444   NtMapViewOfSection  (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00880   444   NtClose  (104, ... ) == 0x0
 00881   444   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00882   444   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00883   444   NtTestAlert  (... ) == 0x0
 00884   444   NtContinue  (1244464, 1, ...
 00885   444   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x490000,}, 4, ... ) == 0x0
 00886   444   NtCreateEvent  (0x1f0003, {24, 52, 0x80, 1245092, 0,  (0x1f0003, {24, 52, 0x80, 1245092, 0, "VT_3"}, 1, 0, ... 104, ) }, 1, 0, ... 104, ) == 0x0
 00887   444   NtCreateSection  (0xf0007, {24, 52, 0x80, 1245092, 0,  (0xf0007, {24, 52, 0x80, 1245092, 0, "W32_Virtu"}, {22589, 0}, 4, 134217728, 0, ... 108, ) }, {22589, 0}, 4, 134217728, 0, ... 108, ) == 0x0
 00888   444   NtMapViewOfSection  (108, -1, (0x0), 0, 22589, 0x0, 22589, 2, 0, 4, ... (0xa10000), 0x0, 24576, ) == 0x0
 00889   444   NtOpenProcessToken  (-1, 0x20, ... 112, ) == 0x0
 00890   444   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00891   444   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00892   444   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 116, ) }, ... 116, ) == 0x0
 00893   444   NtQueryValueKey  (116,  (116, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00894   444   NtClose  (116, ... ) == 0x0
 00895   444   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00896   444   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 116, ) == 0x0
 00897   444   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 120, ) == 0x0
 00898   444   NtQuerySystemTime  (... {-1010369206, 29868085}, ) == 0x0
 00899   444   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 124, ) == 0x0
 00900   444   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00901   444   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0
 00902   444   NtQueryInformationProcess  (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0
 00903   444   NtQueryInformationProcess  (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0
 00904   444   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 128, ) == 0x0
 00905   444   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 132, ) == 0x0
 00906   444   NtAllocateVirtualMemory  (-1, 1425408, 0, 4096, 4096, 4, ... 1425408, 4096, ) == 0x0
 00907   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 136, ) }, ... 136, ) == 0x0
 00908   444   NtOpenKey  (0x20019, {24, 136, 0x40, 0, 0,  (0x20019, {24, 136, 0x40, 0, 0, "ActiveComputerName"}, ... 140, ) }, ... 140, ) == 0x0
 00909   444   NtQueryValueKey  (140,  (140, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (140, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (140, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0
 00910   444   NtClose  (140, ... ) == 0x0
 00911   444   NtClose  (136, ... ) == 0x0
 00912   444   NtCreateIoCompletion  (0x1f0003, 0x0, 0, ... 136, ) == 0x0
 00913   444   NtCreateIoCompletion  (0x1f0003, 0x0, -1, ... 140, ) == 0x0
 00914   444   NtDuplicateObject  (-1, 136, -1, 0x0, 0, 2, ... 144, ) == 0x0
 00915   444   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 00916   444   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 148, ) == 0x0
 00917   444   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 00918   444   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 00919   444   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1243268,  (0xc0100080, {24, 0, 0x40, 0, 1243268, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 152, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 152, {status=0x0, info=1}, ) == 0x0
 00920   444   NtSetInformationFile  (152, 1243324, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 00921   444   NtSetInformationFile  (152, 1243316, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 00922   444   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 00923   444   NtWriteFile  (152, 129, 0, 0,  (152, 129, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 00924   444   NtAllocateVirtualMemory  (-1, 1429504, 0, 4096, 4096, 4, ... 1429504, 4096, ) == 0x0
 00925   444   NtReadFile  (152, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (152, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20W\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 00926   444   NtFsControlFile  (152, 129, 0x0, 0x0, 0x11c017,  (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0<\377\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20W\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0<\377\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20W\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 00927   444   NtFsControlFile  (152, 129, 0x0, 0x0, 0x11c017,  (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\2\0\0\0H\0\0\0\0\0\37\0\0\0\0\0U\347=\375(,\334\21\261\306\0\14)\371\246\305 \0"\0(\262\25\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 96, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0U\347=\375(,\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) \0(\262\25\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0 (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\2\0\0\0H\0\0\0\0\0\37\0\0\0\0\0U\347=\375(,\334\21\261\306\0\14)\371\246\305 \0"\0(\262\25\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 96, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0U\347=\375(,\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) \5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0U\347=\375(,\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) == 0x103
 00928   444   NtFsControlFile  (152, 129, 0x0, 0x0, 0x11c017,  (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0U\347=\375(,\334\21\261\306\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=36},  (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0U\347=\375(,\334\21\261\306\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 00929   444   NtClose  (148, ... ) == 0x0
 00930   444   NtClose  (152, ... ) == 0x0
 00931   444   NtAdjustPrivilegesToken  (112, 0, 1245096, 0, 0, 0, ... ) == 0x0
 00932   444   NtClose  (112, ... ) == 0x0
 00933   444   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 4096, 4, ... 10616832, 65536, ) == 0x0
 00934   444   NtQuerySystemInformation  (ProcessesAndThreads, 65536, ... {system info, class 5, size 500}, 0x0, ) == 0x0
 00935   444   NtCreateSection  (0xf0007, 0x0, {11728, 0}, 4, 134217728, 0, ... 112, ) == 0x0
 00936   444   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa30000), {0, 0}, 12288, ) == 0x0
 00937   444   NtUnmapViewOfSection  (-1, 0xa30000, ... ) == 0x0
 00938   444   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa30000), {0, 0}, 12288, ) == 0x0
 00939   444   NtFreeVirtualMemory  (-1, (0xa20000), 0, 32768, ... (0xa20000), 65536, ) == 0x0
 00940   444   NtUnmapViewOfSection  (-1, 0xa30000, ... ) == 0x0
 00941   444   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0
 00942   444   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 00943   444   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0
 00944   444   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 00945   444   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0
 00946   444   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 00947   444   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0
 00948   444   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 00949   444   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0
 00950   444   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 00951   444   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {616, 0}, ... 152, ) == 0x0
 00952   444   NtOpenSection  (0x6, {24, 52, 0x0, 0, 0,  (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 148, ) }, ... 148, ) == 0x0
 00953   444   NtMapViewOfSection  (148, 152, (0x0), 0, 22589, 0x0, 22589, 2, 1048576, 4, ... (0x7ff90000), 0x0, 24576, ) == 0x0
 00954   444   NtClose  (148, ... ) == 0x0
 00955   444   NtProtectVirtualMemory  (152, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0
 00956   444   NtWriteVirtualMemory  (152, 0x77f7e603,  (152, 0x77f7e603, "\350u-\1\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00957   444   NtProtectVirtualMemory  (152, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 00958   444   NtWriteVirtualMemory  (152, 0x77f7e6a3,  (152, 0x77f7e6a3, "\350"-\1\10", 5, ... 0x0, ) -\1\10", 5, ... 0x0, ) == 0x0
 00959   444   NtProtectVirtualMemory  (152, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 00960   444   NtWriteVirtualMemory  (152, 0x77f7e6b3,  (152, 0x77f7e6b3, "\350\37-\1\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00961   444   NtAllocateVirtualMemory  (152, 0, 0, 1048576, 8192, 4, ... 22020096, 1048576, ) == 0x0
 00962   444   NtAllocateVirtualMemory  (152, 23060480, 0, 8192, 4096, 4, ... 23060480, 8192, ) == 0x0
 00963   444   NtProtectVirtualMemory  (152, (0x15fe000), 4096, 260, ... (0x15fe000), 4096, 4, ) == 0x0
 00964   444   NtCreateThread  (0x1f03ff, 0x0, 152, 1244008, 1244724, 1, ... 148, {616, 636}, ) == 0x0
 00965   444   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1244852, 2012750850, 2012697848, -1}  (24, {28, 56, new_msg, 0, 1244852, 2012750850, 2012697848, -1} "\0\0\0\0\1\0\1\0\0\0\25\0\0\0\0\0\224\0\0\0h\2\0\0|\2\0\0" ... {28, 56, reply, 0, 440, 444, 1498, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\224\0\0\0h\2\0\0|\2\0\0" )  ... {28, 56, reply, 0, 440, 444, 1498, 0}  (24, {28, 56, new_msg, 0, 1244852, 2012750850, 2012697848, -1} "\0\0\0\0\1\0\1\0\0\0\25\0\0\0\0\0\224\0\0\0h\2\0\0|\2\0\0" ... {28, 56, reply, 0, 440, 444, 1498, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\224\0\0\0h\2\0\0|\2\0\0" )  ) == 0x0
 00966   444   NtResumeThread  (148, ... 1, ) == 0x0
 00967   444   NtClose  (152, ... ) == 0x0
 00968   444   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0
 00969   444   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 00970   444   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {660, 0}, ... 152, ) == 0x0
 00971   444   NtOpenSection  (0x6, {24, 52, 0x0, 0, 0,  (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 156, ) }, ... 156, ) == 0x0
 00972   444   NtMapViewOfSection  (156, 152, (0x0), 0, 22589, 0x0, 22589, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0
 00973   444   NtClose  (156, ... ) == 0x0
 00974   444   NtProtectVirtualMemory  (152, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0
 00975   444   NtWriteVirtualMemory  (152, 0x77f7e603,  (152, 0x77f7e603, "\350u-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00976   444   NtProtectVirtualMemory  (152, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 00977   444   NtWriteVirtualMemory  (152, 0x77f7e6a3,  (152, 0x77f7e6a3, "\350"-\2\10", 5, ... 0x0, ) -\2\10", 5, ... 0x0, ) == 0x0
 00978   444   NtProtectVirtualMemory  (152, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 00979   444   NtWriteVirtualMemory  (152, 0x77f7e6b3,  (152, 0x77f7e6b3, "\350\37-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00980   444   NtClose  (152, ... ) == 0x0
 00981   444   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0
 00982   444   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 00983   444   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {672, 0}, ... 152, ) == 0x0
 00984   444   NtOpenSection  (0x6, {24, 52, 0x0, 0, 0,  (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 156, ) }, ... 156, ) == 0x0
 00985   444   NtMapViewOfSection  (156, 152, (0x0), 0, 22589, 0x0, 22589, 2, 1048576, 4, ... (0x7ff90000), 0x0, 24576, ) == 0x0
 00986   444   NtClose  (156, ... ) == 0x0
 00987   444   NtProtectVirtualMemory  (152, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0
 00988   444   NtWriteVirtualMemory  (152, 0x77f7e603,  (152, 0x77f7e603, "\350u-\1\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00989   444   NtProtectVirtualMemory  (152, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 00990   444   NtWriteVirtualMemory  (152, 0x77f7e6a3,  (152, 0x77f7e6a3, "\350"-\1\10", 5, ... 0x0, ) -\1\10", 5, ... 0x0, ) == 0x0
 00991   444   NtProtectVirtualMemory  (152, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 00992   444   NtWriteVirtualMemory  (152, 0x77f7e6b3,  (152, 0x77f7e6b3, "\350\37-\1\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00993   444   NtClose  (152, ... ) == 0x0
 00994   444   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0
 00995   444   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 00996   444   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {844, 0}, ... 152, ) == 0x0
 00997   444   NtOpenSection  (0x6, {24, 52, 0x0, 0, 0,  (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 156, ) }, ... 156, ) == 0x0
 00998   444   NtMapViewOfSection  (156, 152, (0x0), 0, 22589, 0x0, 22589, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0
 00999   444   NtClose  (156, ... ) == 0x0
 01000   444   NtProtectVirtualMemory  (152, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0
 01001   444   NtWriteVirtualMemory  (152, 0x77f7e603,  (152, 0x77f7e603, "\350u-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01002   444   NtProtectVirtualMemory  (152, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01003   444   NtWriteVirtualMemory  (152, 0x77f7e6a3,  (152, 0x77f7e6a3, "\350"-\2\10", 5, ... 0x0, ) -\2\10", 5, ... 0x0, ) == 0x0
 01004   444   NtProtectVirtualMemory  (152, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01005   444   NtWriteVirtualMemory  (152, 0x77f7e6b3,  (152, 0x77f7e6b3, "\350\37-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01006   444   NtClose  (152, ... ) == 0x0
 01007   444   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0
 01008   444   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 01009   444   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {972, 0}, ... 152, ) == 0x0
 01010   444   NtOpenSection  (0x6, {24, 52, 0x0, 0, 0,  (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 156, ) }, ... 156, ) == 0x0
 01011   444   NtMapViewOfSection  (156, 152, (0x0), 0, 22589, 0x0, 22589, 2, 1048576, 4, ... (0x7ff70000), 0x0, 24576, ) == 0x0
 01012   444   NtClose  (156, ... ) == 0x0
 01013   444   NtProtectVirtualMemory  (152, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0
 01014   444   NtWriteVirtualMemory  (152, 0x77f7e603,  (152, 0x77f7e603, "\350u-\377\7", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01015   444   NtProtectVirtualMemory  (152, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01016   444   NtWriteVirtualMemory  (152, 0x77f7e6a3,  (152, 0x77f7e6a3, "\350"-\377\7", 5, ... 0x0, ) -\377\7", 5, ... 0x0, ) == 0x0
 01017   444   NtProtectVirtualMemory  (152, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01018   444   NtWriteVirtualMemory  (152, 0x77f7e6b3,  (152, 0x77f7e6b3, "\350\37-\377\7", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01019   444   NtClose  (152, ... ) == 0x0
 01020   444   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0
 01021   444   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 01022   444   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1060, 0}, ... 152, ) == 0x0
 01023   444   NtOpenSection  (0x6, {24, 52, 0x0, 0, 0,  (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 156, ) }, ... 156, ) == 0x0
 01024   444   NtMapViewOfSection  (156, 152, (0x0), 0, 22589, 0x0, 22589, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0
 01025   444   NtClose  (156, ... ) == 0x0
 01026   444   NtProtectVirtualMemory  (152, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0
 01027   444   NtWriteVirtualMemory  (152, 0x77f7e603,  (152, 0x77f7e603, "\350u-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01028   444   NtProtectVirtualMemory  (152, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01029   444   NtWriteVirtualMemory  (152, 0x77f7e6a3,  (152, 0x77f7e6a3, "\350"-\2\10", 5, ... 0x0, ) -\2\10", 5, ... 0x0, ) == 0x0
 01030   444   NtProtectVirtualMemory  (152, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01031   444   NtWriteVirtualMemory  (152, 0x77f7e6b3,  (152, 0x77f7e6b3, "\350\37-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01032   444   NtClose  (152, ... ) == 0x0
 01033   444   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0
 01034   444   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 01035   444   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1140, 0}, ... 152, ) == 0x0
 01036   444   NtOpenSection  (0x6, {24, 52, 0x0, 0, 0,  (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 156, ) }, ... 156, ) == 0x0
 01037   444   NtMapViewOfSection  (156, 152, (0x0), 0, 22589, 0x0, 22589, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0
 01038   444   NtClose  (156, ... ) == 0x0
 01039   444   NtProtectVirtualMemory  (152, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0
 01040   444   NtWriteVirtualMemory  (152, 0x77f7e603,  (152, 0x77f7e603, "\350u-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01041   444   NtProtectVirtualMemory  (152, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01042   444   NtWriteVirtualMemory  (152, 0x77f7e6a3,  (152, 0x77f7e6a3, "\350"-\2\10", 5, ... 0x0, ) -\2\10", 5, ... 0x0, ) == 0x0
 01043   444   NtProtectVirtualMemory  (152, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01044   444   NtWriteVirtualMemory  (152, 0x77f7e6b3,  (152, 0x77f7e6b3, "\350\37-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01045   444   NtClose  (152, ... ) == 0x0
 01046   444   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0
 01047   444   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 01048   444   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1368, 0}, ... 152, ) == 0x0
 01049   444   NtOpenSection  (0x6, {24, 52, 0x0, 0, 0,  (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 156, ) }, ... 156, ) == 0x0
 01050   444   NtMapViewOfSection  (156, 152, (0x0), 0, 22589, 0x0, 22589, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0
 01051   444   NtClose  (156, ... ) == 0x0
 01052   444   NtProtectVirtualMemory  (152, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0
 01053   444   NtWriteVirtualMemory  (152, 0x77f7e603,  (152, 0x77f7e603, "\350u-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01054   444   NtProtectVirtualMemory  (152, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01055   444   NtWriteVirtualMemory  (152, 0x77f7e6a3,  (152, 0x77f7e6a3, "\350"-\2\10", 5, ... 0x0, ) -\2\10", 5, ... 0x0, ) == 0x0
 01056   444   NtProtectVirtualMemory  (152, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01057   444   NtWriteVirtualMemory  (152, 0x77f7e6b3,  (152, 0x77f7e6b3, "\350\37-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01058   444   NtClose  (152, ... ) == 0x0
 01059   444   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0
 01060   444   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 01061   444   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1644, 0}, ... 152, ) == 0x0
 01062   444   NtOpenSection  (0x6, {24, 52, 0x0, 0, 0,  (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 156, ) }, ... 156, ) == 0x0
 01063   444   NtMapViewOfSection  (156, 152, (0x0), 0, 22589, 0x0, 22589, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0
 01064   444   NtClose  (156, ... ) == 0x0
 01065   444   NtProtectVirtualMemory  (152, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0
 01066   444   NtWriteVirtualMemory  (152, 0x77f7e603,  (152, 0x77f7e603, "\350u-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01067   444   NtProtectVirtualMemory  (152, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01068   444   NtWriteVirtualMemory  (152, 0x77f7e6a3,  (152, 0x77f7e6a3, "\350"-\2\10", 5, ... 0x0, ) -\2\10", 5, ... 0x0, ) == 0x0
 01069   444   NtProtectVirtualMemory  (152, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01070   444   NtWriteVirtualMemory  (152, 0x77f7e6b3,  (152, 0x77f7e6b3, "\350\37-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01071   444   NtClose  (152, ... ) == 0x0
 01072   444   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0
 01073   444   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 01074   444   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1860, 0}, ... 152, ) == 0x0
 01075   444   NtOpenSection  (0x6, {24, 52, 0x0, 0, 0,  (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 156, ) }, ... 156, ) == 0x0
 01076   444   NtMapViewOfSection  (156, 152, (0x0), 0, 22589, 0x0, 22589, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0
 01077   444   NtClose  (156, ... ) == 0x0
 01078   444   NtProtectVirtualMemory  (152, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0
 01079   444   NtWriteVirtualMemory  (152, 0x77f7e603,  (152, 0x77f7e603, "\350u-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01080   444   NtProtectVirtualMemory  (152, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01081   444   NtWriteVirtualMemory  (152, 0x77f7e6a3,  (152, 0x77f7e6a3, "\350"-\2\10", 5, ... 0x0, ) -\2\10", 5, ... 0x0, ) == 0x0
 01082   444   NtProtectVirtualMemory  (152, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01083   444   NtWriteVirtualMemory  (152, 0x77f7e6b3,  (152, 0x77f7e6b3, "\350\37-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01084   444   NtClose  (152, ... ) == 0x0
 01085   444   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0
 01086   444   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 01087   444   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1908, 0}, ... 152, ) == 0x0
 01088   444   NtOpenSection  (0x6, {24, 52, 0x0, 0, 0,  (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 156, ) }, ... 156, ) == 0x0
 01089   444   NtMapViewOfSection  (156, 152, (0x0), 0, 22589, 0x0, 22589, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0
 01090   444   NtClose  (156, ... ) == 0x0
 01091   444   NtProtectVirtualMemory  (152, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0
 01092   444   NtWriteVirtualMemory  (152, 0x77f7e603,  (152, 0x77f7e603, "\350u-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01093   444   NtProtectVirtualMemory  (152, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01094   444   NtWriteVirtualMemory  (152, 0x77f7e6a3,  (152, 0x77f7e6a3, "\350"-\2\10", 5, ... 0x0, ) -\2\10", 5, ... 0x0, ) == 0x0
 01095   444   NtProtectVirtualMemory  (152, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01096   444   NtWriteVirtualMemory  (152, 0x77f7e6b3,  (152, 0x77f7e6b3, "\350\37-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01097   444   NtClose  (152, ... ) == 0x0
 01098   444   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0
 01099   444   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 01100   444   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {2012, 0}, ... 152, ) == 0x0
 01101   444   NtOpenSection  (0x6, {24, 52, 0x0, 0, 0,  (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 156, ) }, ... 156, ) == 0x0
 01102   444   NtMapViewOfSection  (156, 152, (0x0), 0, 22589, 0x0, 22589, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0
 01103   444   NtClose  (156, ... ) == 0x0
 01104   444   NtProtectVirtualMemory  (152, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0
 01105   444   NtWriteVirtualMemory  (152, 0x77f7e603,  (152, 0x77f7e603, "\350u-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01106   444   NtProtectVirtualMemory  (152, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01107   444   NtWriteVirtualMemory  (152, 0x77f7e6a3,  (152, 0x77f7e6a3, "\350"-\2\10", 5, ... 0x0, ) -\2\10", 5, ... 0x0, ) == 0x0
 01108   444   NtProtectVirtualMemory  (152, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01109   444   NtWriteVirtualMemory  (152, 0x77f7e6b3,  (152, 0x77f7e6b3, "\350\37-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01110   444   NtClose  (152, ... ) == 0x0
 01111   444   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0
 01112   444   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 01113   444   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {2020, 0}, ... 152, ) == 0x0
 01114   444   NtOpenSection  (0x6, {24, 52, 0x0, 0, 0,  (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 156, ) }, ... 156, ) == 0x0
 01115   444   NtMapViewOfSection  (156, 152, (0x0), 0, 22589, 0x0, 22589, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0
 01116   444   NtClose  (156, ... ) == 0x0
 01117   444   NtProtectVirtualMemory  (152, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0
 01118   444   NtWriteVirtualMemory  (152, 0x77f7e603,  (152, 0x77f7e603, "\350u-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01119   444   NtProtectVirtualMemory  (152, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01120   444   NtWriteVirtualMemory  (152, 0x77f7e6a3,  (152, 0x77f7e6a3, "\350"-\2\10", 5, ... 0x0, ) -\2\10", 5, ... 0x0, ) == 0x0
 01121   444   NtProtectVirtualMemory  (152, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01122   444   NtWriteVirtualMemory  (152, 0x77f7e6b3,  (152, 0x77f7e6b3, "\350\37-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01123   444   NtClose  (152, ... ) == 0x0
 01124   444   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0
 01125   444   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 01126   444   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {2028, 0}, ... 152, ) == 0x0
 01127   444   NtOpenSection  (0x6, {24, 52, 0x0, 0, 0,  (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 156, ) }, ... 156, ) == 0x0
 01128   444   NtMapViewOfSection  (156, 152, (0x0), 0, 22589, 0x0, 22589, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0
 01129   444   NtClose  (156, ... ) == 0x0
 01130   444   NtProtectVirtualMemory  (152, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0
 01131   444   NtWriteVirtualMemory  (152, 0x77f7e603,  (152, 0x77f7e603, "\350u-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01132   444   NtProtectVirtualMemory  (152, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01133   444   NtWriteVirtualMemory  (152, 0x77f7e6a3,  (152, 0x77f7e6a3, "\350"-\2\10", 5, ... 0x0, ) -\2\10", 5, ... 0x0, ) == 0x0
 01134   444   NtProtectVirtualMemory  (152, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01135   444   NtWriteVirtualMemory  (152, 0x77f7e6b3,  (152, 0x77f7e6b3, "\350\37-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01136   444   NtClose  (152, ... ) == 0x0
 01137   444   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0
 01138   444   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 01139   444   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {2040, 0}, ... 152, ) == 0x0
 01140   444   NtOpenSection  (0x6, {24, 52, 0x0, 0, 0,  (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 156, ) }, ... 156, ) == 0x0
 01141   444   NtMapViewOfSection  (156, 152, (0x0), 0, 22589, 0x0, 22589, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0
 01142   444   NtClose  (156, ... ) == 0x0
 01143   444   NtProtectVirtualMemory  (152, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0
 01144   444   NtWriteVirtualMemory  (152, 0x77f7e603,  (152, 0x77f7e603, "\350u-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01145   444   NtProtectVirtualMemory  (152, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01146   444   NtWriteVirtualMemory  (152, 0x77f7e6a3,  (152, 0x77f7e6a3, "\350"-\2\10", 5, ... 0x0, ) -\2\10", 5, ... 0x0, ) == 0x0
 01147   444   NtProtectVirtualMemory  (152, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01148   444   NtWriteVirtualMemory  (152, 0x77f7e6b3,  (152, 0x77f7e6b3, "\350\37-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01149   444   NtClose  (152, ... ) == 0x0
 01150   444   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0
 01151   444   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 01152   444   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {208, 0}, ... 152, ) == 0x0
 01153   444   NtOpenSection  (0x6, {24, 52, 0x0, 0, 0,  (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 156, ) }, ... 156, ) == 0x0
 01154   444   NtMapViewOfSection  (156, 152, (0x0), 0, 22589, 0x0, 22589, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0
 01155   444   NtClose  (156, ... ) == 0x0
 01156   444   NtProtectVirtualMemory  (152, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0
 01157   444   NtWriteVirtualMemory  (152, 0x77f7e603,  (152, 0x77f7e603, "\350u-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01158   444   NtProtectVirtualMemory  (152, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01159   444   NtWriteVirtualMemory  (152, 0x77f7e6a3,  (152, 0x77f7e6a3, "\350"-\2\10", 5, ... 0x0, ) -\2\10", 5, ... 0x0, ) == 0x0
 01160   444   NtProtectVirtualMemory  (152, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01161   444   NtWriteVirtualMemory  (152, 0x77f7e6b3,  (152, 0x77f7e6b3, "\350\37-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01162   444   NtClose  (152, ... ) == 0x0
 01163   444   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0
 01164   444   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 01165   444   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {440, 0}, ... 152, ) == 0x0
 01166   444   NtOpenSection  (0x6, {24, 52, 0x0, 0, 0,  (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 156, ) }, ... 156, ) == 0x0
 01167   444   NtMapViewOfSection  (156, 152, (0x0), 0, 22589, 0x0, 22589, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0
 01168   444   NtClose  (156, ... ) == 0x0
 01169   444   NtProtectVirtualMemory  (152, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0
 01170   444   NtWriteVirtualMemory  (152, 0x77f7e603,  (152, 0x77f7e603, "\350u-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01171   444   NtProtectVirtualMemory  (152, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01172   444   NtWriteVirtualMemory  (152, 0x77f7e6a3,  (152, 0x77f7e6a3, "\350"-\2\10", 5, ... 0x0, ) -\2\10", 5, ... 0x0, ) == 0x0
 01173   444   NtProtectVirtualMemory  (152, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01174   444   NtWriteVirtualMemory  (152, 0x77f7e6b3,  (152, 0x77f7e6b3, "\350\37-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01175   444   NtClose  (152, ... ) == 0x0
 01176   444   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 12288, ) == 0x0
 01177   444   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 01178   444   NtClose  (112, ... ) == 0x0
 01179   444   NtClose  (104, ... ) == 0x0
 01180   444   NtQueryPerformanceCounter  (... {99838885, 0}, {3579545, 0}, ) == 0x0
 01181   444   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01182   444   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 10616832, 65536, ) == 0x0
 01183   444   NtAllocateVirtualMemory  (-1, 10616832, 0, 4096, 4096, 4, ... 10616832, 4096, ) == 0x0
 01184   444   NtAllocateVirtualMemory  (-1, 10620928, 0, 8192, 4096, 4, ... 10620928, 8192, ) == 0x0
 01185   444   NtAllocateVirtualMemory  (-1, 10629120, 0, 4096, 4096, 4, ... 10629120, 4096, ) == 0x0
 01186   444   NtAllocateVirtualMemory  (-1, 10633216, 0, 4096, 4096, 4, ... 10633216, 4096, ) == 0x0
 01187   444   NtAllocateVirtualMemory  (-1, 0, 0, 6, 12288, 64, ... 10682368, 4096, ) == 0x0
 01188   444   NtProtectVirtualMemory  (-1, (0xa30000), 6, 64, ...
 01189   444   NtContinue  (-130711764, 0, ...
 01188   444   NtProtectVirtualMemory  ... ) == STATUS_ACCESS_VIOLATION
 01190   444   NtFreeVirtualMemory  (-1, (0xa30000), 0, 32768, ... (0xa30000), 4096, ) == 0x0
 01191   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\U:\WORK\PACKED.EXE"}, 1241688, ... ) }, 1241688, ... ) == 0x0
 01192   444   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\U:\WORK\PACKED.EXE"}, 7, 2113568, ... 104, {status=0x0, info=1}, ) }, 7, 2113568, ... 104, {status=0x0, info=1}, ) == 0x0
 01193   444   NtSetInformationFile  (104, 1241664, 40, Basic, ... ) == STATUS_ACCESS_DENIED
 01194   444   NtClose  (104, ... ) == 0x0
 01195   444   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1241932,  (0x80100080, {24, 0, 0x40, 0, 1241932, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 104, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 104, {status=0x0, info=1}, ) == 0x0
 01196   444   NtQueryInformationFile  (104, 1242868, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0
 01197   444   NtQueryInformationFile  (104, 1242840, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01198   444   NtQueryInformationFile  (104, 1242792, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01199   444   NtAllocateVirtualMemory  (-1, 1433600, 0, 8192, 4096, 4, ... 1433600, 8192, ) == 0x0
 01200   444   NtQueryInformationFile  (104, 1431152, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0
 01201   444   NtQueryInformationFile  (104, 1241336, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01202   444   NtQueryInformationFile  (104, 1241180, 4, Ea, ... {status=0x0, info=4}, ) == 0x0
 01203   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM32\EUPSVC.EXE"}, 1240072, ... ) }, 1240072, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01204   444   NtCreateFile  (0x40110080, {24, 0, 0x40, 0, 1241188,  (0x40110080, {24, 0, 0x40, 0, 1241188, "\??\C:\WINDOWS\System32\eupsvc.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ...
 01205   444   NtClose  (-2147482208, ... ) == 0x0
 01204   444   NtCreateFile  ... 112, {status=0x0, info=2}, ) == 0x0
 01206   444   NtQueryVolumeInformationFile  (112, 1240560, 536, Attribute, ... {status=0x0, info=22}, ) == 0x0
 01207   444   NtQueryInformationFile  (112, 1240520, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01208   444   NtQueryVolumeInformationFile  (104, 1240560, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 01209   444   NtQueryVolumeInformationFile  (104, 1240244, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01210   444   NtSetInformationFile  (112, 1240348, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01211   444   NtCreateSection  (0xf001f, 0x0, 0x0, 2, 134217728, 104, ... 152, ) == 0x0
 01212   444   NtMapViewOfSection  (152, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xa30000), {0, 0}, 221184, ) == 0x0
 01213   444   NtClose  (152, ... ) == 0x0
 01214   444   NtWriteFile  (112, 0, 0, 0,  (112, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0    \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\370\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0V^\2517\22?\307d\22?\307d\22?\307d5\371\272d\11?\307d5\371\252d\234?\307d5\371\251d ?\307d\2217\232d\20?\307d\3210\232d\35?\307d\22?\306d\277?\307d5\371\265d\16?\307d5\371\277d\23?\307dRich\22?\307d\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0o\241\3\243"\202\300O\253\236\215\371S\364\26\360PE\0\0L\1\10\0!u\342E\0\0\0\0\0\0\0\0\340\0\3\1\13\1\10\0\0\320\1\0\0\260\0\0\0\0\0\0\0\0\11\0\0\320\5\0\0\340\1\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0`\11\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\320\5\0\20\1\0\0\0\220\3\0\260\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\321\5\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.tex", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) \202\300O\253\236\215\371S\364\26\360PE\0\0L\1\10\0!u\342E\0\0\0\0\0\0\0\0\340\0\3\1\13\1\10\0\0\320\1\0\0\260\0\0\0\0\0\0\0\0\11\0\0\320\5\0\0\340\1\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0`\11\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\320\5\0\20\1\0\0\0\220\3\0\260\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\321\5\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.tex", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 01215   444   NtWriteFile  (112, 0, 0, 0,  (112, 0, 0, 0, "\240\326\243_\3413\226\361\305d\223d\313?f\366\201\319\22\271\10\230\316Up}1T\356e\148\236@k\316\31f\346\324Z1-\354j\15\202\357K\321\352.uj\264r!\27I\355"\236\202I\0\4B\27\223\2005c\X\3]\235J\4[\12\216QY\200\211(\21\355RN\17AD\270%\255\21o\247\230\240\221\210$w\11\366H\6$\22\1=\31\371\240\230\202D\3046\356\0\344ru\377\207Kb\310\324)N\256\42D\314\267\265\276\251`\277AEM\16\270u\25\314U\3474\360Q\200\277\324\227\327\200\264(\1\7K\352"s\323\331\212\356jl5\225\223"b\253\301T\13\201\324\245\311\0\243%2\327\352\241\250\210\301m\272\330\325\270MY\26\37l\264\221\267\273\350\243\256\342\347\264\20z\273{\355\227BO\352Z\37\273\353"D\261\300q\341\11\247}G\353\26\365\236\324\336\2\334\316\344BE\216Z\231\20\312\363#\12\304\\304V\5\336W\374\212\325\250*\226\361U\210\331J\367*\365\3\266t\235\211\222@\301JF\21\316~=\275\306W.\252\30\5.\356I\367{\10\374\373^\214J\254'\351F|*\376\232\304.\256\7fCKB\267h\221\326\31\25,F.\355(+\343\334\35\14\204#\257k\223E24\210\223\5\364Y(?4i\3665]\227@\236\250v\214M::vS\355\367c\253\2031s\31\21\361\245*\356\311\316E\234\5\206)\316i)\316%a\203\326#\311x9A\247\374\12\274hs\201\245\4$W@\312h#"Xe\28R3\373\303;\212N\233\232\324!%i\271U\7\13\243][\370``\365\1\223\32V\21)\244\352\207C\305\200\342xc\220:`\232T\2302?\14\243\315\2kW\245\300\330\314\367\273\3001\225", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) \236\202I\0\4B\27\223\2005c\X\3]\235J\4[\12\216QY\200\211(\21\355RN\17AD\270%\255\21o\247\230\240\221\210$w\11\366H\6$\22\1=\31\371\240\230\202D\3046\356\0\344ru\377\207Kb\310\324)N\256\42D\314\267\265\276\251`\277AEM\16\270u\25\314U\3474\360Q\200\277\324\227\327\200\264(\1\7K\352 (112, 0, 0, 0, "\240\326\243_\3413\226\361\305d\223d\313?f\366\201\319\22\271\10\230\316Up}1T\356e\148\236@k\316\31f\346\324Z1-\354j\15\202\357K\321\352.uj\264r!\27I\355"\236\202I\0\4B\27\223\2005c\X\3]\235J\4[\12\216QY\200\211(\21\355RN\17AD\270%\255\21o\247\230\240\221\210$w\11\366H\6$\22\1=\31\371\240\230\202D\3046\356\0\344ru\377\207Kb\310\324)N\256\42D\314\267\265\276\251`\277AEM\16\270u\25\314U\3474\360Q\200\277\324\227\327\200\264(\1\7K\352"s\323\331\212\356jl5\225\223"b\253\301T\13\201\324\245\311\0\243%2\327\352\241\250\210\301m\272\330\325\270MY\26\37l\264\221\267\273\350\243\256\342\347\264\20z\273{\355\227BO\352Z\37\273\353"D\261\300q\341\11\247}G\353\26\365\236\324\336\2\334\316\344BE\216Z\231\20\312\363#\12\304\\304V\5\336W\374\212\325\250*\226\361U\210\331J\367*\365\3\266t\235\211\222@\301JF\21\316~=\275\306W.\252\30\5.\356I\367{\10\374\373^\214J\254'\351F|*\376\232\304.\256\7fCKB\267h\221\326\31\25,F.\355(+\343\334\35\14\204#\257k\223E24\210\223\5\364Y(?4i\3665]\227@\236\250v\214M::vS\355\367c\253\2031s\31\21\361\245*\356\311\316E\234\5\206)\316i)\316%a\203\326#\311x9A\247\374\12\274hs\201\245\4$W@\312h#"Xe\28R3\373\303;\212N\233\232\324!%i\271U\7\13\243][\370``\365\1\223\32V\21)\244\352\207C\305\200\342xc\220:`\232T\2302?\14\243\315\2kW\245\300\330\314\367\273\3001\225", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) b\253\301T\13\201\324\245\311\0\243%2\327\352\241\250\210\301m\272\330\325\270MY\26\37l\264\221\267\273\350\243\256\342\347\264\20z\273{\355\227BO\352Z\37\273\353 (112, 0, 0, 0, "\240\326\243_\3413\226\361\305d\223d\313?f\366\201\319\22\271\10\230\316Up}1T\356e\148\236@k\316\31f\346\324Z1-\354j\15\202\357K\321\352.uj\264r!\27I\355"\236\202I\0\4B\27\223\2005c\X\3]\235J\4[\12\216QY\200\211(\21\355RN\17AD\270%\255\21o\247\230\240\221\210$w\11\366H\6$\22\1=\31\371\240\230\202D\3046\356\0\344ru\377\207Kb\310\324)N\256\42D\314\267\265\276\251`\277AEM\16\270u\25\314U\3474\360Q\200\277\324\227\327\200\264(\1\7K\352"s\323\331\212\356jl5\225\223"b\253\301T\13\201\324\245\311\0\243%2\327\352\241\250\210\301m\272\330\325\270MY\26\37l\264\221\267\273\350\243\256\342\347\264\20z\273{\355\227BO\352Z\37\273\353"D\261\300q\341\11\247}G\353\26\365\236\324\336\2\334\316\344BE\216Z\231\20\312\363#\12\304\\304V\5\336W\374\212\325\250*\226\361U\210\331J\367*\365\3\266t\235\211\222@\301JF\21\316~=\275\306W.\252\30\5.\356I\367{\10\374\373^\214J\254'\351F|*\376\232\304.\256\7fCKB\267h\221\326\31\25,F.\355(+\343\334\35\14\204#\257k\223E24\210\223\5\364Y(?4i\3665]\227@\236\250v\214M::vS\355\367c\253\2031s\31\21\361\245*\356\311\316E\234\5\206)\316i)\316%a\203\326#\311x9A\247\374\12\274hs\201\245\4$W@\312h#"Xe\28R3\373\303;\212N\233\232\324!%i\271U\7\13\243][\370``\365\1\223\32V\21)\244\352\207C\305\200\342xc\220:`\232T\2302?\14\243\315\2kW\245\300\330\314\367\273\3001\225", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) Xe\28R3\373\303;\212N\233\232\324!%i\271U\7\13\243][\370``\365\1\223\32V\21)\244\352\207C\305\200\342xc\220:`\232T\2302?\14\243\315\2kW\245\300\330\314\367\273\3001\225", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 01216   444   NtWriteFile  (112, 0, 0, 0,  (112, 0, 0, 0, "\353`m\263\222\16Zi\373\3759\377Al:\306\233\30\21!g\226\254j\14Q\312\366P)6\252\361\374wR\276\216\30\3\6\310\255\6\303'tiZ\357L\17{\272\303\341\201\245\20\361\323yf&\17\6\11\261\207\300\303\321\17\30\367u@\301\324\371\356-\253.S\255\244"O2\34\22\255\274;T\237\363\354\11g\5\17\260Q\25e\345\233k\272O\313\202dw\355\277N\371:\373\346N\324R\352\11\21\36\225H\31\253\326g_\31-w\264'\304\336\245r\330\\277\3C&\3\341(\372\275\244\2113&y\366\12\331\11H\22E\331P\320\324\374\304\375b\232b\354\253nU\230\266\32U\372\330\266FP\207^b,\256\27G\325Hz|\264\315\216S\247\2c\263\34\267\10\320G\205\237\323\37\36\367\235\253\322\211\226\263\325#%\272\325\252V\357T\336Hw[9x\37\374\26G\207\35\253\7\225[<~\257\20221a\375\233\300<\374^\337\352\231D\225m\25\21s\225\244\340\3\206\15\302\331\13\257`\221\352\355=;\377}\104\363L\224\1181\243\346u\317\346\204\350\33=\276,z\263\203\227\353\342\361\340G\263\345\274\6\253c\230\262n\2260V-?\370\242\371\376=\235\355+\232\306\315\353\27\235[^\17\245\322\4K\271B\252\314\343E{0q\206\325\212\352\314\16\342\244\27\241\324U_[oL\327\332\320h\264\22\311\206\255\312\301\2774\364\300\242\310\34J\277.\261k\13g\353\251\32\307\234\7XX\301e7\227\26\322\360\226R\200\242\12m\363\331r\336+\202\30\341]\263\254\273l\21\27\343\210\24\255\245EV\4\305\310_\247\322\237|\326fT\213\251\255\267\2\255\13Uev(\374\375\37\226\275M\300]\310\215\316\303\7\202H\343p3\45\367\247}\377\26Fb\255", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) O2\34\22\255\274;T\237\363\354\11g\5\17\260Q\25e\345\233k\272O\313\202dw\355\277N\371:\373\346N\324R\352\11\21\36\225H\31\253\326g_\31-w\264'\304\336\245r\330\\277\3C&\3\341(\372\275\244\2113&y\366\12\331\11H\22E\331P\320\324\374\304\375b\232b\354\253nU\230\266\32U\372\330\266FP\207^b,\256\27G\325Hz|\264\315\216S\247\2c\263\34\267\10\320G\205\237\323\37\36\367\235\253\322\211\226\263\325#%\272\325\252V\357T\336Hw[9x\37\374\26G\207\35\253\7\225[<~\257\20221a\375\233\300<\374^\337\352\231D\225m\25\21s\225\244\340\3\206\15\302\331\13\257`\221\352\355=;\377}\104\363L\224\1181\243\346u\317\346\204\350\33=\276,z\263\203\227\353\342\361\340G\263\345\274\6\253c\230\262n\2260V-?\370\242\371\376=\235\355+\232\306\315\353\27\235[^\17\245\322\4K\271B\252\314\343E{0q\206\325\212\352\314\16\342\244\27\241\324U_[oL\327\332\320h\264\22\311\206\255\312\301\2774\364\300\242\310\34J\277.\261k\13g\353\251\32\307\234\7XX\301e7\227\26\322\360\226R\200\242\12m\363\331r\336+\202\30\341]\263\254\273l\21\27\343\210\24\255\245EV\4\305\310_\247\322\237|\326fT\213\251\255\267\2\255\13Uev(\374\375\37\226\275M\300]\310\215\316\303\7\202H\343p3\45\367\247}\377\26Fb\255", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 01217   444   NtWriteFile  (112, 0, 0, 0,  (112, 0, 0, 0, "\25\313\36\270\214\226\21B\304\243`\371\275\66-:\177\243\35\264OQ\207\273\321\2559\243/O\202\300\216\234\3505\315D*\27+\220\360\354\201\205G\337\266\240\331\221\303\273\333\242\5w\247\254\25_\376\332\12\240\26\4!\212e\22e\344\276/Y\341\235] \362\240!YK\343F\36\370\36\13\255\270\361\316\245\210#\16\3\332\215\371fC\263\243\253\262\220\323]\21\37\12\277o\222\252\231\316T\354\207U\205\334\25-r\251\274\373%\22\251\66\313\2534g}S\177\17\271\232\360~\313E\234U\305\2515z\252\226\376g\211\15\203\364\316\275\314\310\237Iz\227+\233\317\270f\21\310?\266\367\213\251\24\34\365\321\307\370;\31?\334+\232\231~\30\0i\231c\303\36\325\253\361[\276\205lp\264O\224<\365\353\200B@\247\4\360\225\366B\212H9\336\252\242Ui\265\330\331\364\371\305a\3663\347\213[\315\250\343m\321\273$\203\210\350\27\234\271"\16\3774\312\215^\26\275{Yv}\366\322Tc\321'\221&2\275\244\352\343\12%\245\323\274\231\320\237,\270{\333a2m\331G\352\243\261\320\262~_\376A~wS-\366X*\275d?_\241S\37J\321\311fITQF\341Zm\320\320\312\23\30QfoQ%\236\24\241\202T\334t\264\211\376\320\300\25jt\331\365\2\245\15\276s\26\307\\331\267m`n5\272J\312\360\201\317\324(\375f]\355\33\256\13#\6\320\5D\6\247%\200\376\210oe\30+\368\243\2454\2137\327e\371\27\336\201\314\331$\3N]\177\341\227\3270\5\236\355\352\344\306\366\303t0\370\230i->LX\4\263\345 \364/\10\342\325\363X\33\277\357\260\357>G\344\344\244D)\373\23\23?\321^\205\16\337\372\240C\342\276", 35328, 0x0, 0, ... {status=0x0, info=35328}, ) \16\3774\312\215^\26\275{Yv}\366\322Tc\321'\221&2\275\244\352\343\12%\245\323\274\231\320\237,\270{\333a2m\331G\352\243\261\320\262~_\376A~wS-\366X*\275d?_\241S\37J\321\311fITQF\341Zm\320\320\312\23\30QfoQ%\236\24\241\202T\334t\264\211\376\320\300\25jt\331\365\2\245\15\276s\26\307\\331\267m`n5\272J\312\360\201\317\324(\375f]\355\33\256\13#\6\320\5D\6\247%\200\376\210oe\30+\368\243\2454\2137\327e\371\27\336\201\314\331$\3N]\177\341\227\3270\5\236\355\352\344\306\366\303t0\370\230i->LX\4\263\345 \364/\10\342\325\363X\33\277\357\260\357>G\344\344\244D)\373\23\23?\321^\205\16\337\372\240C\342\276", 35328, 0x0, 0, ... {status=0x0, info=35328}, ) == 0x0
 01218   444   NtUnmapViewOfSection  (-1, 0xa30000, ... ) == 0x0
 01219   444   NtSetInformationFile  (112, 1242792, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01220   444   NtClose  (104, ... ) == 0x0
 01221   444   NtClose  (112, ... ) == 0x0
 01222   444   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 01223   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\eupsvc.exe"}, 1239084, ... ) }, 1239084, ... ) == 0x0
 01224   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\eupsvc.exe"}, 1239776, ... ) }, 1239776, ... ) == 0x0
 01225   444   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\eupsvc.exe"}, 5, 96, ... 112, {status=0x0, info=1}, ) }, 5, 96, ... 112, {status=0x0, info=1}, ) == 0x0
 01226   444   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 112, ... 104, ) == 0x0
 01227   444   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01228   444   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 152, ) }, ... 152, ) == 0x0
 01229   444   NtQueryValueKey  (152,  (152, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01230   444   NtClose  (152, ... ) == 0x0
 01231   444   NtQueryVolumeInformationFile  (112, 1239084, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01232   444   NtOpenMutant  (0x120001, {24, 52, 0x0, 0, 0,  (0x120001, {24, 52, 0x0, 0, 0, "ShimCacheMutex"}, ... 152, ) }, ... 152, ) == 0x0
 01233   444   NtWaitForSingleObject  (152, 0, {-1000000, -1}, ... ) == 0x0
 01234   444   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "ShimSharedMemory"}, ... 156, ) }, ... 156, ) == 0x0
 01235   444   NtMapViewOfSection  (156, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa30000), {0, 0}, 57344, ) == 0x0
 01236   444   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 01237   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1237068, ... ) }, 1237068, ... ) == 0x0
 01238   444   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 160, {status=0x0, info=1}, ) }, 5, 96, ... 160, {status=0x0, info=1}, ) == 0x0
 01239   444   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 160, ... 164, ) == 0x0
 01240   444   NtClose  (160, ... ) == 0x0
 01241   444   NtMapViewOfSection  (164, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa40000), 0x0, 106496, ) == 0x0
 01242   444   NtClose  (164, ... ) == 0x0
 01243   444   NtUnmapViewOfSection  (-1, 0xa40000, ... ) == 0x0
 01244   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1237384, ... ) }, 1237384, ... ) == 0x0
 01245   444   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 164, {status=0x0, info=1}, ) }, 5, 96, ... 164, {status=0x0, info=1}, ) == 0x0
 01246   444   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 164, ... 160, ) == 0x0
 01247   444   NtQuerySection  (160, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01248   444   NtClose  (164, ... ) == 0x0
 01249   444   NtMapViewOfSection  (160, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f40000), 0x0, 118784, ) == 0x0
 01250   444   NtClose  (160, ... ) == 0x0
 01251   444   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 160, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 160, {status=0x0, info=1}, ) == 0x0
 01252   444   NtQueryInformationFile  (160, 1237672, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01253   444   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 160, ... 164, ) == 0x0
 01254   444   NtMapViewOfSection  (164, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xa40000), 0x0, 1028096, ) == 0x0
 01255   444   NtQueryInformationFile  (160, 1237768, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01256   444   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01257   444   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01258   444   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 01259   444   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 168, {status=0x0, info=1}, ) }, 3, 16417, ... 168, {status=0x0, info=1}, ) == 0x0
 01260   444   NtQueryDirectoryFile  (168, 0, 0, 0, 1235332, 616, BothDirectory, 1,  (168, 0, 0, 0, 1235332, 616, BothDirectory, 1, "eupsvc.exe", 0, ... {status=0x0, info=114}, ) , 0, ... {status=0x0, info=114}, ) == 0x0
 01261   444   NtClose  (168, ... ) == 0x0
 01262   444   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01263   444   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01264   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\eupsvc.exe"}, 1234720, ... ) }, 1234720, ... ) == 0x0
 01265   444   NtAllocateVirtualMemory  (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0
 01266   444   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 168, {status=0x0, info=1}, ) }, 3, 16417, ... 168, {status=0x0, info=1}, ) == 0x0
 01267   444   NtQueryDirectoryFile  (168, 0, 0, 0, 1234080, 616, BothDirectory, 1,  (168, 0, 0, 0, 1234080, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01268   444   NtClose  (168, ... ) == 0x0
 01269   444   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 168, {status=0x0, info=1}, ) }, 3, 16417, ... 168, {status=0x0, info=1}, ) == 0x0
 01270   444   NtQueryDirectoryFile  (168, 0, 0, 0, 1234080, 616, BothDirectory, 1,  (168, 0, 0, 0, 1234080, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01271   444   NtClose  (168, ... ) == 0x0
 01272   444   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 168, {status=0x0, info=1}, ) }, 3, 16417, ... 168, {status=0x0, info=1}, ) == 0x0
 01273   444   NtQueryDirectoryFile  (168, 0, 0, 0, 1234080, 616, BothDirectory, 1,  (168, 0, 0, 0, 1234080, 616, BothDirectory, 1, "eupsvc.exe", 0, ... {status=0x0, info=114}, ) , 0, ... {status=0x0, info=114}, ) == 0x0
 01274   444   NtClose  (168, ... ) == 0x0
 01275   444   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01276   444   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01277   444   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01278   444   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01279   444   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 168, ) == 0x0
 01280   444   NtQueryInformationToken  (168, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01281   444   NtClose  (168, ... ) == 0x0
 01282   444   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01283   444   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\eupsvc.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01284   444   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01285   444   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01286   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\eupsvc.exe"}, 1237000, ... ) }, 1237000, ... ) == 0x0
 01287   444   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 168, {status=0x0, info=1}, ) }, 3, 16417, ... 168, {status=0x0, info=1}, ) == 0x0
 01288   444   NtQueryDirectoryFile  (168, 0, 0, 0, 1236360, 616, BothDirectory, 1,  (168, 0, 0, 0, 1236360, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01289   444   NtClose  (168, ... ) == 0x0
 01290   444   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 168, {status=0x0, info=1}, ) }, 3, 16417, ... 168, {status=0x0, info=1}, ) == 0x0
 01291   444   NtQueryDirectoryFile  (168, 0, 0, 0, 1236360, 616, BothDirectory, 1,  (168, 0, 0, 0, 1236360, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01292   444   NtClose  (168, ... ) == 0x0
 01293   444   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 168, {status=0x0, info=1}, ) }, 3, 16417, ... 168, {status=0x0, info=1}, ) == 0x0
 01294   444   NtQueryDirectoryFile  (168, 0, 0, 0, 1236360, 616, BothDirectory, 1,  (168, 0, 0, 0, 1236360, 616, BothDirectory, 1, "eupsvc.exe", 0, ... {status=0x0, info=114}, ) , 0, ... {status=0x0, info=114}, ) == 0x0
 01295   444   NtClose  (168, ... ) == 0x0
 01296   444   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01297   444   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01298   444   NtWaitForSingleObject  (152, 0, {-1000000, -1}, ... ) == 0x0
 01299   444   NtQueryVolumeInformationFile  (112, 1237644, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01300   444   NtQueryInformationFile  (112, 1237624, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01301   444   NtQueryInformationFile  (112, 1237664, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01302   444   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 01303   444   NtUnmapViewOfSection  (-1, 0xa40000, ... ) == 0x0
 01304   444   NtClose  (164, ... ) == 0x0
 01305   444   NtClose  (160, ... ) == 0x0
 01306   444   NtQuerySection  (104, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01307   444   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\eupsvc.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01308   444   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 01309   444   NtOpenProcessToken  (-1, 0xa, ... 160, ) == 0x0
 01310   444   NtQueryInformationToken  (160, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 01311   444   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01312   444   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 164, ) }, ... 164, ) == 0x0
 01313   444   NtQueryValueKey  (164,  (164, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (164, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01314   444   NtQueryValueKey  (164,  (164, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (164, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01315   444   NtClose  (164, ... ) == 0x0
 01316   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 164, ) }, ... 164, ) == 0x0
 01317   444   NtQueryValueKey  (164,  (164, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 01318   444   NtQueryValueKey  (164,  (164, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (164, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0
 01319   444   NtClose  (164, ... ) == 0x0
 01320   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\LevelObjects"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01321   444   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 164, ) }, ... 164, ) == 0x0
 01322   444   NtQueryValueKey  (164,  (164, "Levels", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01323   444   NtClose  (164, ... ) == 0x0
 01324   444   NtQueryDefaultLocale  (1, 1238456, ... ) == 0x0
 01325   444   NtQueryDefaultLocale  (1, 1238456, ... ) == 0x0
 01326   444   NtQueryDefaultLocale  (1, 1238456, ... ) == 0x0
 01327   444   NtQueryDefaultLocale  (1, 1238456, ... ) == 0x0
 01328   444   NtQueryDefaultLocale  (1, 1238456, ... ) == 0x0
 01329   444   NtQueryDefaultLocale  (1, 1238456, ... ) == 0x0
 01330   444   NtQueryDefaultLocale  (1, 1238456, ... ) == 0x0
 01331   444   NtQueryDefaultLocale  (1, 1238456, ... ) == 0x0
 01332   444   NtQueryDefaultLocale  (1, 1238456, ... ) == 0x0
 01333   444   NtQueryDefaultLocale  (1, 1238456, ... ) == 0x0
 01334   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... 164, ) }, ... 164, ) == 0x0
 01335   444   NtEnumerateKey  (164, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name= (164, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name="{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, 92, ) }, 92, ) == 0x0
 01336   444   NtOpenKey  (0x20019, {24, 164, 0x40, 0, 0,  (0x20019, {24, 164, 0x40, 0, 0, "{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, ... 168, ) }, ... 168, ) == 0x0
 01337   444   NtQueryValueKey  (168,  (168, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) , Partial, 280, ... TitleIdx=0, Type=2, Data= (168, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) }, 202, ) == 0x0
 01338   444   NtQueryValueKey  (168,  (168, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (168, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01339   444   NtClose  (168, ... ) == 0x0
 01340   444   NtEnumerateKey  (164, 1, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES
 01341   444   NtClose  (164, ... ) == 0x0
 01342   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01343   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01344   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01345   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01346   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01347   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01348   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01349   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01350   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01351   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01352   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01353   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01354   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01355   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01356   444   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01357   444   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 164, ) == 0x0
 01358   444   NtQueryInformationToken  (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01359   444   NtClose  (164, ... ) == 0x0
 01360   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01361   444   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01362   444   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 164, ) == 0x0
 01363   444   NtQueryInformationToken  (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01364   444   NtClose  (164, ... ) == 0x0
 01365   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01366   444   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01367   444   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 164, ) == 0x0
 01368   444   NtQueryInformationToken  (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01369   444   NtClose  (164, ... ) == 0x0
 01370   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01371   444   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01372   444   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 164, ) == 0x0
 01373   444   NtQueryInformationToken  (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01374   444   NtClose  (164, ... ) == 0x0
 01375   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01376   444   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01377   444   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 164, ) == 0x0
 01378   444   NtQueryInformationToken  (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01379   444   NtClose  (164, ... ) == 0x0
 01380   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01381   444   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01382   444   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 164, ) == 0x0
 01383   444   NtQueryInformationToken  (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01384   444   NtClose  (164, ... ) == 0x0
 01385   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01386   444   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01387   444   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 164, ) == 0x0
 01388   444   NtQueryInformationToken  (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01389   444   NtClose  (164, ... ) == 0x0
 01390   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01391   444   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01392   444   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 164, ) == 0x0
 01393   444   NtQueryInformationToken  (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01394   444   NtClose  (164, ... ) == 0x0
 01395   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01396   444   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01397   444   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 164, ) == 0x0
 01398   444   NtQueryInformationToken  (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01399   444   NtClose  (164, ... ) == 0x0
 01400   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01401   444   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01402   444   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 164, ) == 0x0
 01403   444   NtQueryInformationToken  (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01404   444   NtClose  (164, ... ) == 0x0
 01405   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01406   444   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01407   444   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 164, ) == 0x0
 01408   444   NtQueryInformationToken  (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01409   444   NtClose  (164, ... ) == 0x0
 01410   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01411   444   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01412   444   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 164, ) == 0x0
 01413   444   NtQueryInformationToken  (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01414   444   NtClose  (164, ... ) == 0x0
 01415   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01416   444   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01417   444   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 164, ) == 0x0
 01418   444   NtQueryInformationToken  (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01419   444   NtClose  (164, ... ) == 0x0
 01420   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01421   444   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01422   444   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 164, ) == 0x0
 01423   444   NtQueryInformationToken  (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01424   444   NtClose  (164, ... ) == 0x0
 01425   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01426   444   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01427   444   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 164, ) == 0x0
 01428   444   NtQueryInformationToken  (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01429   444   NtClose  (164, ... ) == 0x0
 01430   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01431   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 164, ) }, ... 164, ) == 0x0
 01432   444   NtQueryValueKey  (164,  (164, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (164, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Data= (164, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) }, 48, ) == 0x0
 01433   444   NtClose  (164, ... ) == 0x0
 01434   444   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01435   444   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 164, ) == 0x0
 01436   444   NtQueryInformationToken  (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01437   444   NtClose  (164, ... ) == 0x0
 01438   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01439   444   NtOpenThreadToken  (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN
 01440   444   NtOpenProcessToken  (-1, 0xa, ... 164, ) == 0x0
 01441   444   NtDuplicateToken  (164, 0xc, {24, 0, 0x0, 0, 1238976, 0x0}, 0, 2, ... 168, ) == 0x0
 01442   444   NtClose  (164, ... ) == 0x0
 01443   444   NtAccessCheck  (1438096, 168, 0x1, 1239104, 1239048, 56, 1239132, ... (0x1), ) == 0x0
 01444   444   NtClose  (168, ... ) == 0x0
 01445   444   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 168, ) }, ... 168, ) == 0x0
 01446   444   NtQueryValueKey  (168,  (168, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (168, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01447   444   NtClose  (168, ... ) == 0x0
 01448   444   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 168, ) }, ... 168, ) == 0x0
 01449   444   NtQuerySymbolicLinkObject  (168, ...  (168, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0
 01450   444   NtClose  (168, ... ) == 0x0
 01451   444   NtQueryInformationFile  (112, 1237436, 528, Name, ... {status=0x0, info=60}, ) == 0x0
 01452   444   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01453   444   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01454   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\eupsvc.exe"}, 1236116, ... ) }, 1236116, ... ) == 0x0
 01455   444   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 168, {status=0x0, info=1}, ) }, 3, 16417, ... 168, {status=0x0, info=1}, ) == 0x0
 01456   444   NtQueryDirectoryFile  (168, 0, 0, 0, 1235476, 616, BothDirectory, 1,  (168, 0, 0, 0, 1235476, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01457   444   NtClose  (168, ... ) == 0x0
 01458   444   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 168, {status=0x0, info=1}, ) }, 3, 16417, ... 168, {status=0x0, info=1}, ) == 0x0
 01459   444   NtQueryDirectoryFile  (168, 0, 0, 0, 1235476, 616, BothDirectory, 1,  (168, 0, 0, 0, 1235476, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01460   444   NtClose  (168, ... ) == 0x0
 01461   444   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 168, {status=0x0, info=1}, ) }, 3, 16417, ... 168, {status=0x0, info=1}, ) == 0x0
 01462   444   NtQueryDirectoryFile  (168, 0, 0, 0, 1235476, 616, BothDirectory, 1,  (168, 0, 0, 0, 1235476, 616, BothDirectory, 1, "eupsvc.exe", 0, ... {status=0x0, info=114}, ) , 0, ... {status=0x0, info=114}, ) == 0x0
 01463   444   NtClose  (168, ... ) == 0x0
 01464   444   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01465   444   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01466   444   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01467   444   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 168, ) == 0x0
 01468   444   NtQueryInformationToken  (168, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01469   444   NtClose  (168, ... ) == 0x0
 01470   444   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 168, ) }, ... 168, ) == 0x0
 01471   444   NtOpenKey  (0x20019, {24, 168, 0x40, 0, 0,  (0x20019, {24, 168, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 164, ) }, ... 164, ) == 0x0
 01472   444   NtClose  (168, ... ) == 0x0
 01473   444   NtQueryValueKey  (164,  (164, "Cache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01474   444   NtQueryValueKey  (164,  (164, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=1, Data= (164, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) }, 162, ) == 0x0
 01475   444   NtClose  (164, ... ) == 0x0
 01476   444   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 8192, 4, ... 10747904, 4096, ) == 0x0
 01477   444   NtAllocateVirtualMemory  (-1, 10747904, 0, 4096, 4096, 4, ... 10747904, 4096, ) == 0x0
 01478   444   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 164, ) }, ... 164, ) == 0x0
 01479   444   NtQueryValueKey  (164,  (164, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01480   444   NtClose  (164, ... ) == 0x0
 01481   444   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01482   444   NtQueryInformationToken  (160, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0
 01483   444   NtQueryInformationToken  (160, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0
 01484   444   NtClose  (160, ... ) == 0x0
 01485   444   NtCreateProcessEx  (1241712, 2035711, 0, -1, 0, 104, 0, 0, 0, ... ) == 0x0
 01486   444   NtOpenSection  (0x6, {24, 52, 0x0, 0, 0,  (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 164, ) }, ... 164, ) == 0x0
 01487   444   NtMapViewOfSection  (164, 160, (0x0), 0, 22589, 0x0, 22589, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0
 01488   444   NtClose  (164, ... ) == 0x0
 01489   444   NtProtectVirtualMemory  (160, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0
 01490   444   NtWriteVirtualMemory  (160, 0x77f7e603,  (160, 0x77f7e603, "\350u-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01491   444   NtProtectVirtualMemory  (160, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01492   444   NtWriteVirtualMemory  (160, 0x77f7e6a3,  (160, 0x77f7e6a3, "\350"-\2\10", 5, ... 0x0, ) -\2\10", 5, ... 0x0, ) == 0x0
 01493   444   NtProtectVirtualMemory  (160, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0
 01494   444   NtWriteVirtualMemory  (160, 0x77f7e6b3,  (160, 0x77f7e6b3, "\350\37-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01495   444   NtSetInformationProcess  (160, PriorityClass, {process info, class 18, size 2}, 512, ... ) == 0x0
 01496   444   NtQueryInformationProcess  (160, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=836,ParentPid=440,}, 0x0, ) == 0x0
 01497   444   NtReadVirtualMemory  (160, 0x7ffdf008, 4, ...  (160, 0x7ffdf008, 4, ... "\0\0@\0", 0x0, ) , 0x0, ) == 0x0
 01498   444   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\eupsvc.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01499   444   NtAllocateVirtualMemory  (-1, 1441792, 0, 8192, 4096, 4, ... 1441792, 8192, ) == 0x0
 01500   444   NtReadVirtualMemory  (160, 0x400000, 4096, ...  (160, 0x400000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0    \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\370\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0V^\2517\22?\307d\22?\307d\22?\307d5\371\272d\11?\307d5\371\252d\234?\307d5\371\251d ?\307d\2217\232d\20?\307d\3210\232d\35?\307d\22?\306d\277?\307d5\371\265d\16?\307d5\371\277d\23?\307dRich\22?\307d\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0o\241\3\243"\202\300O\253\236\215\371S\364\26\360PE\0\0L\1\10\0!u\342E\0\0\0\0\0\0\0\0\340\0\3\1\13\1\10\0\0\320\1\0\0\260\0\0\0\0\0\0\0\0\11\0\0\320\5\0\0\340\1\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0`\11\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\320\5\0\20\1\0\0\0\220\3\0\260\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\321\5\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.tex", 4096, ) \202\300O\253\236\215\371S\364\26\360PE\0\0L\1\10\0!u\342E\0\0\0\0\0\0\0\0\340\0\3\1\13\1\10\0\0\320\1\0\0\260\0\0\0\0\0\0\0\0\11\0\0\320\5\0\0\340\1\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0`\11\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\320\5\0\20\1\0\0\0\220\3\0\260\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\321\5\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.tex", 4096, ) == 0x0
 01501   444   NtReadVirtualMemory  (160, 0x439000, 256, ...  (160, 0x439000, 256, ... "\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\30\0\0\0\30\0\0\200\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\1\0\0\00\0\0\200\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\11\4\0\0H\0\0\0X\220\3\0V\0\0\0\344\4\0\0\0\0\0\0\15\12PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING", 256, ) urn:schemas-microsoft-com:asm.v1 (160, 0x439000, 256, ... "\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\30\0\0\0\30\0\0\200\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\1\0\0\00\0\0\200\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\11\4\0\0H\0\0\0X\220\3\0V\0\0\0\344\4\0\0\0\0\0\0\15\12PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING", 256, ) 1.0 (160, 0x439000, 256, ... "\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\30\0\0\0\30\0\0\200\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\1\0\0\00\0\0\200\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\11\4\0\0H\0\0\0X\220\3\0V\0\0\0\344\4\0\0\0\0\0\0\15\12PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING", 256, ) , 256, ) == 0x0
 01502   444   NtReadVirtualMemory  (160, 0x439018, 24, ...  (160, 0x439018, 24, ... "\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\1\0\0\00\0\0\200", 24, ) , 24, ) == 0x0
 01503   444   NtReadVirtualMemory  (160, 0x439030, 24, ...  (160, 0x439030, 24, ... "\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\11\4\0\0H\0\0\0", 24, ) , 24, ) == 0x0
 01504   444   NtReadVirtualMemory  (160, 0x439048, 16, ...  (160, 0x439048, 16, ... "X\220\3\0V\0\0\0\344\4\0\0\0\0\0\0", 16, ) , 16, ) == 0x0
 01505   444   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\eupsvc.exe.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01506   444   NtQueryInformationProcess  (160, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=836,ParentPid=440,}, 0x0, ) == 0x0
 01507   444   NtAllocateVirtualMemory  (-1, 0, 0, 1716, 4096, 4, ... 10813440, 4096, ) == 0x0
 01508   444   NtAllocateVirtualMemory  (160, 0, 0, 1910, 4096, 4, ... 65536, 4096, ) == 0x0
 01509   444   NtWriteVirtualMemory  (160, 0x10000,  (160, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0
 01510   444   NtAllocateVirtualMemory  (160, 0, 0, 1716, 4096, 4, ... 131072, 4096, ) == 0x0
 01511   444   NtWriteVirtualMemory  (160, 0x20000,  (160, 0x20000, "\0\20\0\0\264\6\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0\10\2\220\2\0\0\0\0\0\0\374\0\376\0\230\4\0\0<\0>\0\230\5\0\0v\0x\0\330\5\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0<\0>\0P\6\0\0\36\0 \0\220\6\0\0\0\0\2\0\260\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1716, ... 0x0, ) , 1716, ... 0x0, ) == 0x0
 01512   444   NtWriteVirtualMemory  (160, 0x7ffdf010,  (160, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 01513   444   NtWriteVirtualMemory  (160, 0x7ffdf1e8,  (160, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 01514   444   NtFreeVirtualMemory  (-1, (0xa50000), 0, 32768, ... (0xa50000), 4096, ) == 0x0
 01515   444   NtAllocateVirtualMemory  (160, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0
 01516   444   NtAllocateVirtualMemory  (160, 1236992, 0, 8192, 4096, 4, ... 1236992, 8192, ) == 0x0
 01517   444   NtProtectVirtualMemory  (160, (0x12e000), 4096, 260, ... (0x12e000), 4096, 4, ) == 0x0
 01518   444   NtCreateThread  (0x1f03ff, 0x0, 160, 1239976, 1240696, 1, ... 164, {836, 308}, ) == 0x0
 01519   444   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 1378696, 1376256, 1396744, 1241796}  (24, {168, 196, new_msg, 0, 1378696, 1376256, 1396744, 1241796} "\210\6\30\1\0\0\1\0\2$\370w U\367w\243\0\0\0\244\0\0\0D\3\0\04\1\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\215\26\365w\0\0\0\0\1\0\0\0\0\0\0\0\1\1\1\0<\0@\0\244\6\30\1p\0\0\0\240\0\0\0\0\0\0\0X\220C\0\0\0\0\0V\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0@\0\344\6\30\1\0\360\375\177\0\0\0\0\0\0\242\0\220\36\242\0" ... {168, 196, reply, 0, 440, 444, 1512, 0} "\320\231\26\0\0\0\1\0\0\0\0\0 U\367w\240\0\0\0\244\0\0\0D\3\0\04\1\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\215\26\365w\0\0\0\0\1\0\0\0\0\0\0\0\1\1\1\0<\0@\0\244\6\30\1p\0\0\0\240\0\0\0\0\0\0\0X\220C\0\0\0\0\0V\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0@\0\344\6\30\1\0\360\375\177\0\0\0\0\0\0\242\0\220\36\242\0" )  ... {168, 196, reply, 0, 440, 444, 1512, 0}  (24, {168, 196, new_msg, 0, 1378696, 1376256, 1396744, 1241796} "\210\6\30\1\0\0\1\0\2$\370w U\367w\243\0\0\0\244\0\0\0D\3\0\04\1\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\215\26\365w\0\0\0\0\1\0\0\0\0\0\0\0\1\1\1\0<\0@\0\244\6\30\1p\0\0\0\240\0\0\0\0\0\0\0X\220C\0\0\0\0\0V\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0@\0\344\6\30\1\0\360\375\177\0\0\0\0\0\0\242\0\220\36\242\0" ... {168, 196, reply, 0, 440, 444, 1512, 0} "\320\231\26\0\0\0\1\0\0\0\0\0 U\367w\240\0\0\0\244\0\0\0D\3\0\04\1\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\215\26\365w\0\0\0\0\1\0\0\0\0\0\0\0\1\1\1\0<\0@\0\244\6\30\1p\0\0\0\240\0\0\0\0\0\0\0X\220C\0\0\0\0\0V\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0@\0\344\6\30\1\0\360\375\177\0\0\0\0\0\0\242\0\220\36\242\0" )  ) == 0x0
 01520   444   NtResumeThread  (164, ... 1, ) == 0x0
 01521   444   NtClose  (112, ... ) == 0x0
 01522   444   NtClose  (104, ... ) == 0x0
 01523   444   NtTerminateProcess  (0, 0, ... ) == 0x0
 01524   444   NtClose  (96, ... ) == 0x0
 01525   444   NtUnmapViewOfSection  (-1, 0x8f0000, ... ) == 0x0
 01526   444   NtClose  (100, ... ) == 0x0
 01527   444   NtClose  (80, ... ) == 0x0
 01528   444   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xa,}, 4, ... ) == 0x0
 01529   444   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc03b
 01530   444   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01531   444   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc03d
 01532   444   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01533   444   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc03f
 01534   444   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01535   444   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc041
 01536   444   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01537   444   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc043
 01538   444   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01539   444   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc045
 01540   444   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01541   444   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc047
 01542   444   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01543   444   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc049
 01544   444   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01545   444   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc04b
 01546   444   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01547   444   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc04d
 01548   444   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01549   444   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc04f
 01550   444   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01551   444   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc051
 01552   444   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01553   444   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc053
 01554   444   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01555   444   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc057
 01556   444   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01557   444   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc059
 01558   444   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01559   444   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc05b
 01560   444   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01561   444   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc05d
 01562   444   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01563   444   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc05f
 01564   444   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01565   444   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc017
 01566   444   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01567   444   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc019
 01568   444   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01569   444   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc018
 01570   444   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01571   444   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc01a
 01572   444   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01573   444   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc01c
 01574   444   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01575   444   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc01e
 01576   444   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01577   444   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc01b
 01578   444   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01579   444   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc068
 01580   444   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01581   444   NtUserGetClassInfo  (1905590272, 1244380, 1244332, 1244408, 0, ... ) == 0xc06a
 01582   444   NtUserUnregisterClass  (1244384, 1905590272, 1244372, ... ) == 0x1
 01583   444   NtUnmapViewOfSection  (-1, 0x900000, ... ) == 0x0
 01584   444   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x4,}, 4, ... ) == 0x0
 01585   444   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x1,}, 4, ... ) == 0x0
 01586   444   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x2,}, 4, ... ) == 0x0
 01587   444   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x3,}, 4, ... ) == 0x0
 01588   444   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc03b
 01589   444   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01590   444   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc03d
 01591   444   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01592   444   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc03f
 01593   444   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01594   444   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc041
 01595   444   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01596   444   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc043
 01597   444   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01598   444   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc045
 01599   444   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01600   444   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc047
 01601   444   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01602   444   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc049
 01603   444   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01604   444   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc04b
 01605   444   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01606   444   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc04d
 01607   444   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01608   444   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc04f
 01609   444   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01610   444   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc051
 01611   444   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01612   444   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc053
 01613   444   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01614   444   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc057
 01615   444   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01616   444   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc059
 01617   444   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01618   444   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc05b
 01619   444   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01620   444   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc05d
 01621   444   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01622   444   NtUserGetClassInfo  (1999896576, 1244380, 1244332, 1244408, 0, ... ) == 0xc05f
 01623   444   NtUserUnregisterClass  (1244384, 1999896576, 1244372, ... ) == 0x1
 01624   444   NtFreeVirtualMemory  (-1, (0xa40000), 4096, 32768, ... (0xa40000), 4096, ) == 0x0
 01625   444   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, -1, 4199054, 4310954, 4421244}  (24, {20, 48, new_msg, 0, -1, 4199054, 4310954, 4421244} "\0\0\0\0\3\0\1\0\320vC\0C:\W\0\0\0\0" ... {20, 48, reply, 0, 440, 444, 1520, 0} "\0\0\0\0\3\0\1\0\0\0\0\0C:\W\0\0\0\0" )  ... {20, 48, reply, 0, 440, 444, 1520, 0}  (24, {20, 48, new_msg, 0, -1, 4199054, 4310954, 4421244} "\0\0\0\0\3\0\1\0\320vC\0C:\W\0\0\0\0" ... {20, 48, reply, 0, 440, 444, 1520, 0} "\0\0\0\0\3\0\1\0\0\0\0\0C:\W\0\0\0\0" )  ) == 0x0
 01626   444   NtTerminateProcess  (-1, 0, ...
 01627   444   NtClose  (44, ... ) == 0x0
NtAddAtom(>)	1	NtUserGetThreadDesktop(>)	1	NtUserFindWindowEx(>)	4	NtUserRegisterWindowMessage(>)	19
NtAdjustPrivilegesToken(>)	1	NtAccessCheck(>)	2	NtWaitForSingleObject(>)	4	NtCreateSection(>)	20
NtCallbackReturn(>)	1	NtCreateIoCompletion(>)	2	NtDuplicateObject(>)	5	NtOpenProcess(>)	24
NtCreateProcessEx(>)	1	NtCreateKey(>)	2	NtGdiGetStockObject(>)	5	NtOpenProcessTokenEx(>)	25
NtDuplicateToken(>)	1	NtCreateThread(>)	2	NtSetInformationFile(>)	5	NtOpenThreadTokenEx(>)	25
NtEnumerateValueKey(>)	1	NtEnumerateKey(>)	2	NtWriteFile(>)	5	NtQueryAttributesFile(>)	27
NtGdiCreateBitmap(>)	1	NtGdiCreateSolidBrush(>)	2	NtFreeVirtualMemory(>)	6	NtReadVirtualMemory(>)	28
NtGdiInit(>)	1	NtOpenDirectoryObject(>)	2	NtOpenProcessToken(>)	6	NtQuerySystemInformation(>)	30
NtGdiQueryFontAssocInfo(>)	1	NtOpenEvent(>)	2	NtQueryVolumeInformationFile(>)	6	NtQueryInformationToken(>)	31
NtGdiSelectBitmap(>)	1	NtOpenSymbolicLinkObject(>)	2	NtCreateFile(>)	7	NtOpenFile(>)	35
NtNotifyChangeKey(>)	1	NtQueryInstallUILanguage(>)	2	NtSetInformationProcess(>)	7	NtUnmapViewOfSection(>)	39
NtOpenKeyedEvent(>)	1	NtQuerySymbolicLinkObject(>)	2	NtContinue(>)	8	NtQueryValueKey(>)	40
NtQueryInformationJobObject(>)	1	NtRaiseException(>)	2	NtQueryDefaultUILanguage(>)	8	NtUserUnregisterClass(>)	45
NtQueryObject(>)	1	NtResumeThread(>)	2	NtQuerySection(>)	8	NtOpenSection(>)	47
NtQueryPerformanceCounter(>)	1	NtTerminateProcess(>)	2	NtSetInformationThread(>)	8	NtUserFindExistingCursorIcon(>)	48
NtQuerySystemTime(>)	1	NtCreateSemaphore(>)	3	NtCreateEvent(>)	9	NtAllocateVirtualMemory(>)	56
NtReadFile(>)	1	NtGdiCreateCompatibleDC(>)	3	NtRequestWaitReplyPort(>)	9	NtWriteVirtualMemory(>)	58
NtRegisterThreadTerminatePort(>)	1	NtOpenMutant(>)	3	NtQueryDirectoryFile(>)	10	NtUserRegisterClassExWOW(>)	63
NtSecureConnectPort(>)	1	NtSetInformationObject(>)	3	NtUserSystemParametersInfo(>)	10	NtMapViewOfSection(>)	82
NtSetSecurityObject(>)	1	NtFsControlFile(>)	4	NtFlushInstructionCache(>)	11	NtUserGetClassInfo(>)	82
NtTestAlert(>)	1	NtOpenThreadToken(>)	4	NtQueryInformationFile(>)	13	NtProtectVirtualMemory(>)	96
NtUserCallNoParam(>)	1	NtQueryVirtualMemory(>)	4	NtQueryInformationProcess(>)	14	NtOpenKey(>)	108
NtUserCallOneParam(>)	1	NtReleaseMutant(>)	4	NtQueryDebugFilterState(>)	15	NtUserQueryWindow(>)	132
NtUserGetDC(>)	1	NtUserBuildHwndList(>)	4	NtQueryDefaultLocale(>)	15	NtClose(>)	198