Summary:


NtAddAtom(>)  1 
NtOpenMutant(>)  2 
NtUserCallNoParam(>)  7 
NtUnmapViewOfSection(>)  36 

NtCallbackReturn(>)  1 
NtQueryInformationJobObject(>)  2 
NtOpenSymbolicLinkObject(>)  8 
NtOpenSection(>)  37 

NtConnectPort(>)  1 
NtQueryInstallUILanguage(>)  2 
NtQuerySymbolicLinkObject(>)  8 
NtWaitForSingleObject(>)  39 

NtDuplicateToken(>)  1 
NtQueryPerformanceCounter(>)  2 
NtWriteFile(>)  8 
NtProtectVirtualMemory(>)  40 

NtGdiCreateBitmap(>)  1 
NtQueryVirtualMemory(>)  2 
NtWriteVirtualMemory(>)  8 
NtSetValueKey(>)  40 

NtGdiCreatePatternBrushInternal(>)  1 
NtResumeThread(>)  2 
NtFsControlFile(>)  10 
NtCreateEvent(>)  41 

NtGdiInit(>)  1 
NtUserGetDC(>)  2 
NtOpenProcessToken(>)  10 
NtEnumerateKey(>)  42 

NtGdiQueryFontAssocInfo(>)  1 
NtUserGetForegroundWindow(>)  2 
NtUserGetWindowDC(>)  10 
NtUserFindExistingCursorIcon(>)  52 

NtGdiSelectBitmap(>)  1 
NtUserGetProcessWindowStation(>)  2 
NtQueryVolumeInformationFile(>)  11 
NtSetInformationFile(>)  54 

NtOpenKeyedEvent(>)  1 
NtUserUnregisterClass(>)  2 
NtReleaseMutant(>)  11 
NtDeviceIoControlFile(>)  55 

NtQueryObject(>)  1 
NtCreateMutant(>)  3 
NtUserSystemParametersInfo(>)  11 
NtUserGetClassInfo(>)  55 

NtQuerySystemTime(>)  1 
NtDuplicateObject(>)  3 
NtUserCallOneParam(>)  12 
NtCreateKey(>)  56 

NtRegisterThreadTerminatePort(>)  1 
NtOpenProcess(>)  3 
NtQuerySection(>)  13 
NtMapViewOfSection(>)  56 

NtSecureConnectPort(>)  1 
NtUserGetAtomName(>)  3 
NtRequestWaitReplyPort(>)  13 
NtQueryInformationProcess(>)  61 

NtTestAlert(>)  1 
NtUserGetObjectInformation(>)  3 
NtQueryDefaultUILanguage(>)  14 
NtUserRegisterClassExWOW(>)  68 

NtUserGetGUIThreadInfo(>)  1 
NtUserSetProp(>)  3 
NtSetInformationThread(>)  14 
NtAllocateVirtualMemory(>)  74 

NtUserGetThreadDesktop(>)  1 
NtOpenEvent(>)  4 
NtFreeVirtualMemory(>)  15 
NtQueryAttributesFile(>)  84 

NtAccessCheck(>)  2 
NtReadVirtualMemory(>)  4 
NtFlushInstructionCache(>)  19 
NtQuerySystemInformation(>)  90 

NtAdjustPrivilegesToken(>)  2 
NtUserDestroyWindow(>)  4 
NtQueryDefaultLocale(>)  23 
NtOpenFile(>)  101 

NtCreateIoCompletion(>)  2 
NtContinue(>)  5 
NtNotifyChangeKey(>)  28 
NtQueryValueKey(>)  259 

NtCreateProcessEx(>)  2 
NtEnumerateValueKey(>)  5 
NtSetInformationProcess(>)  28 
NtOpenProcessTokenEx(>)  282 

NtCreateSemaphore(>)  2 
NtGdiCreateCompatibleDC(>)  5 
NtOpenThreadToken(>)  30 
NtOpenThreadTokenEx(>)  282 

NtCreateThread(>)  2 
NtGdiGetStockObject(>)  5 
NtReadFile(>)  30 
NtQueryInformationToken(>)  292 

NtGdiCreateHalftonePalette(>)  2 
NtSetInformationObject(>)  5 
NtQueryDebugFilterState(>)  31 
NtQueryKey(>)  344 

NtGdiCreatePaletteInternal(>)  2 
NtUserRegisterWindowMessage(>)  5 
NtCreateSection(>)  32 
NtClose(>)  878 

NtGdiCreateSolidBrush(>)  2 
NtGdiDeleteObjectApp(>)  6 
NtQueryDirectoryFile(>)  32 
NtOpenKey(>)  903 

NtGdiDoPalette(>)  2 
NtUserCreateWindowEx(>)  6 
NtReleaseSemaphore(>)  32 

NtGdiHfontCreate(>)  2 
NtUserMessageCall(>)  6 
NtCreateFile(>)  33 

NtOpenDirectoryObject(>)  2 

Trace:
 00001   408   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002   408   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00003   408   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00004   408   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0
 00005   408   NtAllocateVirtualMemory  (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0
 00006   408   NtAllocateVirtualMemory  (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0
 00007   408   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00008   408   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0
 00009   408   NtAllocateVirtualMemory  (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0
 00010   408   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00011   408   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00012   408   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00013   408   NtClose  (12, ... ) == 0x0
 00014   408   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00015   408   NtQueryVolumeInformationFile  (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00016   408   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER
 00017   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019   408   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0
 00020   408   NtClose  (16, ... ) == 0x0
 00021   408   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00022   408   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00023   408   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00024   408   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18677760}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18677760}, {0, 0, 0}, 200, 44, ) == 0x0
 00025   408   NtClose  (16, ... ) == 0x0
 00026   408   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00027   408   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00028   408   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00029   408   NtQueryVirtualMemory  (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00030   408   NtAllocateVirtualMemory  (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0
 00031   408   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\35\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\35\1\4\0\0\0" ... {28, 56, reply, 0, 404, 408, 1479, 0} "\20\260\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\35\1\4\0\0\0" )  ... {28, 56, reply, 0, 404, 408, 1479, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\35\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\35\1\4\0\0\0" ... {28, 56, reply, 0, 404, 408, 1479, 0} "\20\260\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\35\1\4\0\0\0" )  ) == 0x0
 00032   408   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00033   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00034   408   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00035   408   NtClose  (16, ... ) == 0x0
 00036   408   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00037   408   NtOpenMutant  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0
 00038   408   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 28, ) == 0x0
 00039   408   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0
 00040   408   NtClose  (28, ... ) == 0x0
 00041   408   NtQueryDefaultLocale  (0, 2012046252, ... ) == 0x0
 00042   408   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0
 00043   408   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 212992, ) == 0x0
 00044   408   NtClose  (28, ... ) == 0x0
 00045   408   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0
 00046   408   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0
 00047   408   NtQuerySection  (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00048   408   NtClose  (28, ... ) == 0x0
 00049   408   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0
 00050   408   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0
 00051   408   NtClose  (28, ... ) == 0x0
 00052   408   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00053   408   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00054   408   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00055   408   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\35\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\35\18\6\0\0" ... {28, 56, reply, 0, 404, 408, 1482, 0} "(\261\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\35\18\6\0\0" )  ... {28, 56, reply, 0, 404, 408, 1482, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\35\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\35\18\6\0\0" ... {28, 56, reply, 0, 404, 408, 1482, 0} "(\261\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\35\18\6\0\0" )  ) == 0x0
 00056   408   NtProtectVirtualMemory  (-1, (0x42c000), 8192, 4, ... (0x42c000), 8192, 8, ) == 0x0
 00057   408   NtProtectVirtualMemory  (-1, (0x42c000), 8192, 8, ... (0x42c000), 8192, 4, ) == 0x0
 00058   408   NtFlushInstructionCache  (-1, 4374528, 8192, ... ) == 0x0
 00059   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "shell32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00060   408   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 8339456, ) == 0x0
 00061   408   NtClose  (28, ... ) == 0x0
 00062   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00063   408   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0
 00064   408   NtClose  (28, ... ) == 0x0
 00065   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00066   408   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0
 00067   408   NtClose  (28, ... ) == 0x0
 00068   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "USER32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00069   408   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0
 00070   408   NtClose  (28, ... ) == 0x0
 00071   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00072   408   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0
 00073   408   NtClose  (28, ... ) == 0x0
 00074   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00075   408   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0
 00076   408   NtClose  (28, ... ) == 0x0
 00077   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00078   408   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x772d0000), 0x0, 405504, ) == 0x0
 00079   408   NtClose  (28, ... ) == 0x0
 00080   408   NtProtectVirtualMemory  (-1, (0x42c000), 8192, 4, ... (0x42c000), 8192, 4, ) == 0x0
 00081   408   NtProtectVirtualMemory  (-1, (0x42c000), 8192, 4, ... (0x42c000), 8192, 4, ) == 0x0
 00082   408   NtFlushInstructionCache  (-1, 4374528, 8192, ... ) == 0x0
 00083   408   NtOpenProcessToken  (-1, 0x8, ... 28, ) == 0x0
 00084   408   NtQueryInformationToken  (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00085   408   NtClose  (28, ... ) == 0x0
 00086   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00087   408   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00088   408   NtClose  (28, ... ) == 0x0
 00089   408   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00090   408   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3276800, 65536, ) == 0x0
 00091   408   NtAllocateVirtualMemory  (-1, 3276800, 0, 4096, 4096, 4, ... 3276800, 4096, ) == 0x0
 00092   408   NtAllocateVirtualMemory  (-1, 3280896, 0, 8192, 4096, 4, ... 3280896, 8192, ) == 0x0
 00093   408   NtAllocateVirtualMemory  (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0
 00094   408   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 28, ) }, ... 28, ) == 0x0
 00095   408   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x330000), 0x0, 12288, ) == 0x0
 00096   408   NtClose  (28, ... ) == 0x0
 00097   408   NtAllocateVirtualMemory  (-1, 3289088, 0, 4096, 4096, 4, ... 3289088, 4096, ) == 0x0
 00098   408   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00099   408   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1243120, 256, 1242864, 256}  (24, {28, 56, new_msg, 0, 1243120, 256, 1242864, 256} "\210\6\35\1\0\0\0\0\1\0\0\0\360\367\22\0\3\0\0\0\234\6\35\1$\1\0\0" ... {28, 56, reply, 0, 404, 408, 1484, 0} "XQ\26\0\0\0\0\0\0\0\0\0\360\367\22\0\3\0\0\0\234\6\35\1$\1\0\0" )  ... {28, 56, reply, 0, 404, 408, 1484, 0}  (24, {28, 56, new_msg, 0, 1243120, 256, 1242864, 256} "\210\6\35\1\0\0\0\0\1\0\0\0\360\367\22\0\3\0\0\0\234\6\35\1$\1\0\0" ... {28, 56, reply, 0, 404, 408, 1484, 0} "XQ\26\0\0\0\0\0\0\0\0\0\360\367\22\0\3\0\0\0\234\6\35\1$\1\0\0" )  ) == 0x0
 00100   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00101   408   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x500000), 0x0, 1060864, ) == 0x0
 00102   408   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 32, ) == 0x0
 00103   408   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00104   408   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482208, ) == 0x0
 00105   408   NtQueryInformationToken  (-2147482208, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00106   408   NtQueryInformationToken  (-2147482208, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00107   408   NtClose  (-2147482208, ... ) == 0x0
 00108   408   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 3407872, 4096, ) == 0x0
 00109   408   NtFreeVirtualMemory  (-1, (0x340000), 4096, 32768, ... (0x340000), 4096, ) == 0x0
 00110   408   NtDuplicateObject  (-1, 36, -1, 0x0, 0, 2, ... 44, ) == 0x0
 00111   408   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 00112   408   NtQueryValueKey  (-2147482208,  (-2147482208, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00113   408   NtClose  (-2147482208, ... ) == 0x0
 00114   408   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 00115   408   NtQueryValueKey  (-2147482208,  (-2147482208, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00116   408   NtClose  (-2147482208, ... ) == 0x0
 00117   408   NtQueryDefaultLocale  (0, -130840052, ... ) == 0x0
 00118   408   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00119   408   NtUserCallNoParam  (24, ... ) == 0x0
 00120   408   NtGdiCreateCompatibleDC  (0, ...
 00121   408   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 3407872, 4096, ) == 0x0
 00120   408   NtGdiCreateCompatibleDC  ... ) == 0x120103c5
 00122   408   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00123   408   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00124   408   NtGdiCreateBitmap  (8, 8, 1, 1, 2010393708, ... ) == 0x160503cb
 00125   408   NtGdiCreateSolidBrush  (0, 0, ...
 00126   408   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 3473408, 4096, ) == 0x0
 00125   408   NtGdiCreateSolidBrush  ... ) == 0x111003cf
 00127   408   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00128   408   NtGdiCreateCompatibleDC  (0, ... ) == 0x3e01040c
 00129   408   NtGdiSelectBitmap  (1040253964, 369427403, ... ) == 0x185000f
 00130   408   NtUserGetThreadDesktop  (408, 0, ... ) == 0x28
 00131   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 48, ) }, ... 48, ) == 0x0
 00132   408   NtQueryValueKey  (48,  (48, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (48, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00133   408   NtClose  (48, ... ) == 0x0
 00134   408   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00135   408   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 673, 128, 0, ... ) == 0x810dc017
 00136   408   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00137   408   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 674, 128, 0, ... ) == 0x810dc01c
 00138   408   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00139   408   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 675, 128, 0, ... ) == 0x810dc01e
 00140   408   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00141   408   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 676, 128, 0, ... ) == 0x810d8002
 00142   408   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10013
 00143   408   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 677, 128, 0, ... ) == 0x810dc018
 00144   408   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00145   408   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 678, 128, 0, ... ) == 0x810dc01a
 00146   408   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00147   408   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 679, 128, 0, ... ) == 0x810dc01d
 00148   408   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00149   408   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 681, 128, 0, ...
 00150   408   NtAllocateVirtualMemory  (-1, 6451200, 0, 4096, 4096, 32, ... 6451200, 4096, ) == 0x0
 00149   408   NtUserRegisterClassExWOW  ... ) == 0x810dc026
 00151   408   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00152   408   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 680, 128, 0, ... ) == 0x810dc019
 00153   408   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc020
 00154   408   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810dc022
 00155   408   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc023
 00156   408   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810dc024
 00157   408   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc025
 00158   408   NtCallbackReturn  (0, 0, 0, ...
 00159   408   NtGdiInit  (... ) == 0x1
 00160   408   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00161   408   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00162   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 48, ) }, ... 48, ) == 0x0
 00163   408   NtQueryValueKey  (48,  (48, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (48, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00164   408   NtQueryValueKey  (48,  (48, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (48, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00165   408   NtClose  (48, ... ) == 0x0
 00166   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 48, ) }, ... 48, ) == 0x0
 00167   408   NtQueryValueKey  (48,  (48, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00168   408   NtClose  (48, ... ) == 0x0
 00169   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 48, ) }, ... 48, ) == 0x0
 00170   408   NtSetInformationObject  (48, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0
 00171   408   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00172   408   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00173   408   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "SYSTEM\Setup"}, ... 52, ) }, ... 52, ) == 0x0
 00174   408   NtQueryValueKey  (52,  (52, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (52, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00175   408   NtClose  (52, ... ) == 0x0
 00176   408   NtQueryDefaultUILanguage  (1241756, ...
 00177   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00178   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482208, ) == 0x0
 00179   408   NtQueryInformationToken  (-2147482208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00180   408   NtClose  (-2147482208, ... ) == 0x0
 00181   408   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 00182   408   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00183   408   NtOpenKey  (0x80000000, {24, -2147482208, 0x640, 0, 0,  (0x80000000, {24, -2147482208, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482204, ) }, ... -2147482204, ) == 0x0
 00184   408   NtQueryValueKey  (-2147482204,  (-2147482204, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00185   408   NtClose  (-2147482204, ... ) == 0x0
 00186   408   NtClose  (-2147482208, ... ) == 0x0
 00176   408   NtQueryDefaultUILanguage  ... ) == 0x0
 00187   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00188   408   NtQueryInstallUILanguage  (2012047340, ... ) == 0x0
 00189   408   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\shell32.dll"}, 1, 96, ... 52, {status=0x0, info=1}, ) }, 1, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00190   408   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 52, ... 56, ) == 0x0
 00191   408   NtMapViewOfSection  (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x910000), 0x0, 8323072, ) == 0x0
 00192   408   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\shell32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00193   408   NtQueryDefaultUILanguage  (2013024600, ...
 00194   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00195   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482208, ) == 0x0
 00196   408   NtQueryInformationToken  (-2147482208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00197   408   NtClose  (-2147482208, ... ) == 0x0
 00198   408   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 00199   408   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00200   408   NtOpenKey  (0x80000000, {24, -2147482208, 0x640, 0, 0,  (0x80000000, {24, -2147482208, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482204, ) }, ... -2147482204, ) == 0x0
 00201   408   NtQueryValueKey  (-2147482204,  (-2147482204, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00202   408   NtClose  (-2147482204, ... ) == 0x0
 00203   408   NtClose  (-2147482208, ... ) == 0x0
 00193   408   NtQueryDefaultUILanguage  ... ) == 0x0
 00204   408   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00205   408   NtQueryInstallUILanguage  (2013024602, ... ) == 0x0
 00206   408   NtQueryDefaultLocale  (1, 1239792, ... ) == 0x0
 00207   408   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\shell32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00208   408   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1240648, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1240648, 1, 96, 0} "\210\6\35\1\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\14\0\0\0\377\377\377\377\0\0\0\0\20\311\310\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0H\365\22\0\0\0\0\0" ... {128, 156, reply, 0, 404, 408, 1493, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\14\0\0\0\377\377\377\377\0\0\0\0\20\311\310\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0H\365\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 404, 408, 1493, 0}  (24, {128, 156, new_msg, 0, 1240648, 1, 96, 0} "\210\6\35\1\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\14\0\0\0\377\377\377\377\0\0\0\0\20\311\310\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0H\365\22\0\0\0\0\0" ... {128, 156, reply, 0, 404, 408, 1493, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\14\0\0\0\377\377\377\377\0\0\0\0\20\311\310\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0H\365\22\0\0\0\0\0" )  ) == 0x0
 00209   408   NtClose  (52, ... ) == 0x0
 00210   408   NtClose  (56, ... ) == 0x0
 00211   408   NtUnmapViewOfSection  (-1, 0x910000, ... ) == 0x0
 00212   408   NtUnmapViewOfSection  (-1, 0x12f548, ... ) == STATUS_NOT_MAPPED_VIEW
 00213   408   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00214   408   NtAllocateVirtualMemory  (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0
 00215   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 56, ) }, ... 56, ) == 0x0
 00216   408   NtQueryValueKey  (56,  (56, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00217   408   NtClose  (56, ... ) == 0x0
 00218   408   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00219   408   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00220   408   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00221   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1238876, ... ) }, 1238876, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00222   408   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00223   408   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00224   408   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00225   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1239468, ... ) }, 1239468, ... ) == 0x0
 00226   408   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 56, {status=0x0, info=1}, ) }, 3, 33, ... 56, {status=0x0, info=1}, ) == 0x0
 00227   408   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00228   408   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00229   408   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 52, ... 60, ) == 0x0
 00230   408   NtClose  (52, ... ) == 0x0
 00231   408   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x910000), 0x0, 921600, ) == 0x0
 00232   408   NtClose  (60, ... ) == 0x0
 00233   408   NtUnmapViewOfSection  (-1, 0x910000, ... ) == 0x0
 00234   408   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 60, {status=0x0, info=1}, ) }, 5, 96, ... 60, {status=0x0, info=1}, ) == 0x0
 00235   408   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 60, ... 52, ) == 0x0
 00236   408   NtQuerySection  (52, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00237   408   NtOpenProcessToken  (-1, 0x8, ... 64, ) == 0x0
 00238   408   NtQueryInformationToken  (64, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00239   408   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00240   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 68, ) }, ... 68, ) == 0x0
 00241   408   NtQueryValueKey  (68,  (68, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (68, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00242   408   NtClose  (68, ... ) == 0x0
 00243   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00244   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 68, ) == 0x0
 00245   408   NtQueryInformationToken  (68, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00246   408   NtClose  (68, ... ) == 0x0
 00247   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00248   408   NtClose  (64, ... ) == 0x0
 00249   408   NtClose  (60, ... ) == 0x0
 00250   408   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0
 00251   408   NtClose  (52, ... ) == 0x0
 00252   408   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00253   408   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00254   408   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00255   408   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00256   408   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00257   408   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00258   408   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00259   408   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00260   408   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00261   408   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00262   408   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00263   408   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00264   408   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00265   408   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00266   408   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00267   408   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00268   408   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00269   408   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00270   408   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00271   408   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00272   408   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00273   408   NtAddAtom  ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1240652, ... ) , 42, 1240652, ... ) == 0x0
 00274   408   NtQueryDefaultUILanguage  (1239368, ...
 00275   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00276   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482208, ) == 0x0
 00277   408   NtQueryInformationToken  (-2147482208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00278   408   NtClose  (-2147482208, ... ) == 0x0
 00279   408   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 00280   408   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00281   408   NtOpenKey  (0x80000000, {24, -2147482208, 0x640, 0, 0,  (0x80000000, {24, -2147482208, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482204, ) }, ... -2147482204, ) == 0x0
 00282   408   NtQueryValueKey  (-2147482204,  (-2147482204, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00283   408   NtClose  (-2147482204, ... ) == 0x0
 00284   408   NtClose  (-2147482208, ... ) == 0x0
 00274   408   NtQueryDefaultUILanguage  ... ) == 0x0
 00285   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00286   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1238220, ... ) }, 1238220, ... ) == 0x0
 00287   408   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00288   408   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 52, ... 60, ) == 0x0
 00289   408   NtClose  (52, ... ) == 0x0
 00290   408   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x370000), 0x0, 4096, ) == 0x0
 00291   408   NtClose  (60, ... ) == 0x0
 00292   408   NtUnmapViewOfSection  (-1, 0x370000, ... ) == 0x0
 00293   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1237860, ... ) }, 1237860, ... ) == 0x0
 00294   408   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238560,  (0x80100080, {24, 0, 0x40, 0, 1238560, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 60, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 60, {status=0x0, info=1}, ) == 0x0
 00295   408   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 60, ... 52, ) == 0x0
 00296   408   NtClose  (60, ... ) == 0x0
 00297   408   NtMapViewOfSection  (52, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x370000), {0, 0}, 4096, ) == 0x0
 00298   408   NtClose  (52, ... ) == 0x0
 00299   408   NtUnmapViewOfSection  (-1, 0x370000, ... ) == 0x0
 00300   408   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 52, {status=0x0, info=1}, ) }, 1, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00301   408   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 52, ... 60, ) == 0x0
 00302   408   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x370000), 0x0, 4096, ) == 0x0
 00303   408   NtQueryInformationFile  (52, 1238180, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0
 00304   408   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00305   408   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1238260, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1238260, 1, 96, 0} "\210\6\35\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\14\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0\364\353\22\0\0\0\0\0" ... {128, 156, reply, 0, 404, 408, 1494, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\14\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0\364\353\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 404, 408, 1494, 0}  (24, {128, 156, new_msg, 0, 1238260, 1, 96, 0} "\210\6\35\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\14\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0\364\353\22\0\0\0\0\0" ... {128, 156, reply, 0, 404, 408, 1494, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\14\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0\364\353\22\0\0\0\0\0" )  ) == 0x0
 00306   408   NtClose  (52, ... ) == 0x0
 00307   408   NtClose  (60, ... ) == 0x0
 00308   408   NtUnmapViewOfSection  (-1, 0x370000, ... ) == 0x0
 00309   408   NtUnmapViewOfSection  (-1, 0x12ebf4, ... ) == STATUS_NOT_MAPPED_VIEW
 00310   408   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00311   408   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00312   408   NtUserSystemParametersInfo  (104, 0, 1906151468, 0, ... ) == 0x1
 00313   408   NtUserGetDC  (0, ... ) == 0x1010052
 00314   408   NtUserCallOneParam  (16842834, 56, ... ) == 0x1
 00315   408   NtUserSystemParametersInfo  (38, 4, 1906153440, 0, ... ) == 0x1
 00316   408   NtUserSystemParametersInfo  (66, 12, 1240672, 0, ... ) == 0x1
 00317   408   NtOpenProcessToken  (-1, 0x8, ... 60, ) == 0x0
 00318   408   NtAccessCheck  (1329160, 60, 0x1, 1240076, 1240020, 56, 1240104, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 00319   408   NtClose  (60, ... ) == 0x0
 00320   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00321   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 60, ) == 0x0
 00322   408   NtQueryInformationToken  (60, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00323   408   NtClose  (60, ... ) == 0x0
 00324   408   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 60, ) }, ... 60, ) == 0x0
 00325   408   NtSetInformationObject  (60, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 00326   408   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Control Panel\Desktop"}, ... 52, ) }, ... 52, ) == 0x0
 00327   408   NtQueryValueKey  (52,  (52, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00328   408   NtClose  (52, ... ) == 0x0
 00329   408   NtUserSystemParametersInfo  (41, 500, 1240172, 0, ... ) == 0x1
 00330   408   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 52, ) }, ... 52, ) == 0x0
 00331   408   NtQueryValueKey  (52,  (52, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00332   408   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 64, ) }, ... 64, ) == 0x0
 00333   408   NtQueryValueKey  (64,  (64, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00334   408   NtClose  (64, ... ) == 0x0
 00335   408   NtClose  (52, ... ) == 0x0
 00336   408   NtUserSystemParametersInfo  (102, 0, 1906153328, 0, ... ) == 0x1
 00337   408   NtUserSystemParametersInfo  (4130, 0, 1240696, 0, ... ) == 0x1
 00338   408   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 52, ) }, ... 52, ) == 0x0
 00339   408   NtEnumerateValueKey  (52, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 00340   408   NtClose  (52, ... ) == 0x0
 00341   408   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00342   408   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc03b
 00343   408   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc03d
 00344   408   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10011
 00345   408   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc03f
 00346   408   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00347   408   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc041
 00348   408   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00349   408   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc043
 00350   408   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc045
 00351   408   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00352   408   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc047
 00353   408   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10011
 00354   408   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc049
 00355   408   NtUserGetClassInfo  (1905590272, 1240592, 1240544, 1240620, 0, ... ) == 0xc049
 00356   408   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00357   408   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc04b
 00358   408   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00359   408   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc04d
 00360   408   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00361   408   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc04f
 00362   408   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc051
 00363   408   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00364   408   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc053
 00365   408   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10011
 00366   408   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc055
 00367   408   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc057
 00368   408   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00369   408   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc059
 00370   408   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10013
 00371   408   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc05b
 00372   408   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00373   408   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc05d
 00374   408   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00375   408   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc05f
 00376   408   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10011
 00377   408   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc017
 00378   408   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10011
 00379   408   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc019
 00380   408   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10013
 00381   408   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc018
 00382   408   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00383   408   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc01a
 00384   408   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10011
 00385   408   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc01c
 00386   408   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00387   408   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ...
 00388   408   NtAllocateVirtualMemory  (-1, 6455296, 0, 4096, 4096, 32, ... 6455296, 4096, ) == 0x0
 00387   408   NtUserRegisterClassExWOW  ... ) == 0x810dc01e
 00389   408   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10011
 00390   408   NtUserRegisterClassExWOW  (1240488, 1240568, 1240552, 1240584, 0, 384, 0, ... ) == 0x810dc01b
 00391   408   NtUserFindExistingCursorIcon  (1239972, 1239988, 1240556, ... ) == 0x10011
 00392   408   NtUserRegisterClassExWOW  (1240484, 1240564, 1240548, 1240580, 0, 384, 0, ... ) == 0x810dc068
 00393   408   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00394   408   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc06a
 00395   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "comctl32.dll"}, ... 52, ) }, ... 52, ) == 0x0
 00396   408   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0
 00397   408   NtClose  (52, ... ) == 0x0
 00398   408   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {404, 0}, ... 52, ) == 0x0
 00399   408   NtQueryInformationProcess  (52, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 00400   408   NtClose  (52, ... ) == 0x0
 00401   408   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00402   408   NtUserSystemParametersInfo  (104, 0, 2000318720, 0, ... ) == 0x1
 00403   408   NtUserSystemParametersInfo  (38, 4, 2000318708, 0, ... ) == 0x1
 00404   408   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Control Panel\Desktop"}, ... 52, ) }, ... 52, ) == 0x0
 00405   408   NtQueryValueKey  (52,  (52, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00406   408   NtClose  (52, ... ) == 0x0
 00407   408   NtUserSystemParametersInfo  (41, 500, 1241332, 0, ... ) == 0x1
 00408   408   NtUserSystemParametersInfo  (102, 0, 2000318732, 0, ... ) == 0x1
 00409   408   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00410   408   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00411   408   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc03b
 00412   408   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00413   408   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc03d
 00414   408   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00415   408   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00416   408   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc03f
 00417   408   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00418   408   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00419   408   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc041
 00420   408   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00421   408   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00422   408   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc043
 00423   408   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00424   408   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc045
 00425   408   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00426   408   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00427   408   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc047
 00428   408   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00429   408   NtUserFindExistingCursorIcon  (1241120, 1241136, 1241704, ... ) == 0x10011
 00430   408   NtUserRegisterClassExWOW  (1241572, 1241652, 1241636, 1241668, 0, 384, 0, ... ) == 0x810dc049
 00431   408   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00432   408   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00433   408   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc04b
 00434   408   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00435   408   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00436   408   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc04d
 00437   408   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00438   408   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00439   408   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc04f
 00440   408   NtUserGetClassInfo  (1999896576, 1241744, 1241696, 1241772, 0, ... ) == 0x0
 00441   408   NtUserRegisterClassExWOW  (1241580, 1241660, 1241644, 1241676, 0, 384, 0, ... ) == 0x810dc051
 00442   408   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00443   408   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00444   408   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc053
 00445   408   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00446   408   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00447   408   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc055
 00448   408   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc057
 00449   408   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00450   408   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00451   408   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc059
 00452   408   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00453   408   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10013
 00454   408   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc05b
 00455   408   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00456   408   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00457   408   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc05d
 00458   408   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00459   408   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00460   408   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc05f
 00461   408   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc03b
 00462   408   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc03d
 00463   408   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc03f
 00464   408   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc041
 00465   408   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc043
 00466   408   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc045
 00467   408   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc047
 00468   408   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc049
 00469   408   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc04b
 00470   408   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc04d
 00471   408   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc04f
 00472   408   NtUserGetClassInfo  (1999896576, 1243496, 1243448, 1243524, 0, ... ) == 0xc051
 00473   408   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc053
 00474   408   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc055
 00475   408   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc059
 00476   408   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc05b
 00477   408   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc05d
 00478   408   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc05f
 00479   408   NtTestAlert  (... ) == 0x0
 00480   408   NtContinue  (1244464, 1, ...
 00481   408   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x42c001,}, 4, ... ) == 0x0
 00482   408   NtAllocateVirtualMemory  (-1, 0, 0, 6144, 4096, 4, ... 3604480, 8192, ) == 0x0
 00483   408   NtAllocateVirtualMemory  (-1, 0, 0, 16654, 4096, 4, ... 3735552, 20480, ) == 0x0
 00484   408   NtFreeVirtualMemory  (-1, (0x390000), 0, 32768, ... (0x390000), 20480, ) == 0x0
 00485   408   NtAllocateVirtualMemory  (-1, 0, 0, 8462, 4096, 4, ... 3735552, 12288, ) == 0x0
 00486   408   NtFreeVirtualMemory  (-1, (0x390000), 0, 32768, ... (0x390000), 12288, ) == 0x0
 00487   408   NtAllocateVirtualMemory  (-1, 0, 0, 4366, 4096, 4, ... 3735552, 8192, ) == 0x0
 00488   408   NtFreeVirtualMemory  (-1, (0x390000), 0, 32768, ... (0x390000), 8192, ) == 0x0
 00489   408   NtAllocateVirtualMemory  (-1, 0, 0, 147486, 4096, 4, ... 3735552, 151552, ) == 0x0
 00490   408   NtFreeVirtualMemory  (-1, (0x390000), 0, 32768, ... (0x390000), 151552, ) == 0x0
 00491   408   NtFreeVirtualMemory  (-1, (0x370000), 0, 32768, ... (0x370000), 8192, ) == 0x0
 00492   408   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00493   408   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3604480, 65536, ) == 0x0
 00494   408   NtAllocateVirtualMemory  (-1, 3604480, 0, 4096, 4096, 4, ... 3604480, 4096, ) == 0x0
 00495   408   NtAllocateVirtualMemory  (-1, 3608576, 0, 4096, 4096, 4, ... 3608576, 4096, ) == 0x0
 00496   408   NtQueryPerformanceCounter  (... {107421428, 0}, {3579545, 0}, ) == 0x0
 00497   408   NtQueryDefaultLocale  (1, 1243752, ... ) == 0x0
 00498   408   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1243880,  (0xc0100080, {24, 0, 0x40, 0, 1243880, "\??\C:\WINDOWS\System32\iea.dll"}, 0x0, 128, 1, 5, 96, 0, 0, ... }, 0x0, 128, 1, 5, 96, 0, 0, ...
 00499   408   NtClose  (-2147482208, ... ) == 0x0
 00498   408   NtCreateFile  ... 52, {status=0x0, info=2}, ) == 0x0
 00500   408   NtWriteFile  (52, 0, 0, 0,  (52, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\370\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\353\223\323\213\257\362\275\330\257\362\275\330\257\362\275\330,\372\342\330\246\362\275\330\274\372\340\330\255\362\275\330\252\376\262\330\263\362\275\330U\321\244\330\251\362\275\330,\372\340\330\276\362\275\330\257\362\274\330B\363\275\330\252\376\335\330\342\362\275\330\252\376\342\330+\362\275\330\252\376\341\330\256\362\275\330C\371\343\330\256\362\275\330\252\376\347\330\256\362\275\330Rich\257\362\275\330\0\0\0\0\0\0\0\0PE\0\0L\1\7\0\35X/F\0\0\0\0\0\0\0\0\340\0\16!\13\1\7\12\0\240\1\0\0@\1\0\0\0\0\0\1\360\2\0\0\20\0\0\0\260\1\0\0\0\0\20\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0 \3\0\0\6\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\200\26\2\0\250\0\0\0\254\377\2\0\24\2\0\0\0\200\2\0\210\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0T\377\2\0\10\0\0\0`\264\1\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0.tex", 107520, 0x0, 0, ... {status=0x0, info=107520}, ) , 107520, 0x0, 0, ... {status=0x0, info=107520}, ) == 0x0
 00501   408   NtClose  (52, ... ) == 0x0
 00502   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\iea.dll"}, 1241696, ... ) }, 1241696, ... ) == 0x0
 00503   408   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\iea.dll"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00504   408   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 52, ... 64, ) == 0x0
 00505   408   NtClose  (52, ... ) == 0x0
 00506   408   NtMapViewOfSection  (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x390000), 0x0, 110592, ) == 0x0
 00507   408   NtClose  (64, ... ) == 0x0
 00508   408   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 00509   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\iea.dll"}, 1242012, ... ) }, 1242012, ... ) == 0x0
 00510   408   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\iea.dll"}, 5, 96, ... 64, {status=0x0, info=1}, ) }, 5, 96, ... 64, {status=0x0, info=1}, ) == 0x0
 00511   408   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 64, ... 52, ) == 0x0
 00512   408   NtQuerySection  (52, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00513   408   NtClose  (64, ... ) == 0x0
 00514   408   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x10000000), 0x0, 204800, ) == 0x0
 00515   408   NtClose  (52, ... ) == 0x0
 00516   408   NtProtectVirtualMemory  (-1, (0x1002f000), 8192, 4, ... (0x1002f000), 8192, 8, ) == 0x0
 00517   408   NtProtectVirtualMemory  (-1, (0x1002f000), 8192, 8, ... (0x1002f000), 8192, 4, ) == 0x0
 00518   408   NtFlushInstructionCache  (-1, 268627968, 8192, ... ) == 0x0
 00519   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "wininet.dll"}, ... 52, ) }, ... 52, ) == 0x0
 00520   408   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76200000), 0x0, 618496, ) == 0x0
 00521   408   NtClose  (52, ... ) == 0x0
 00522   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "CRYPT32.dll"}, ... 52, ) }, ... 52, ) == 0x0
 00523   408   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762c0000), 0x0, 565248, ) == 0x0
 00524   408   NtClose  (52, ... ) == 0x0
 00525   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSASN1.dll"}, ... 52, ) }, ... 52, ) == 0x0
 00526   408   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762a0000), 0x0, 61440, ) == 0x0
 00527   408   NtClose  (52, ... ) == 0x0
 00528   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLEAUT32.dll"}, ... 52, ) }, ... 52, ) == 0x0
 00529   408   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0
 00530   408   NtClose  (52, ... ) == 0x0
 00531   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLE32.DLL"}, ... 52, ) }, ... 52, ) == 0x0
 00532   408   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0
 00533   408   NtClose  (52, ... ) == 0x0
 00534   408   NtProtectVirtualMemory  (-1, (0x1002f000), 8192, 4, ... (0x1002f000), 8192, 4, ) == 0x0
 00535   408   NtProtectVirtualMemory  (-1, (0x1002f000), 8192, 4, ... (0x1002f000), 8192, 4, ) == 0x0
 00536   408   NtFlushInstructionCache  (-1, 268627968, 8192, ... ) == 0x0
 00537   408   NtProtectVirtualMemory  (-1, (0x1002f000), 8192, 4, ... (0x1002f000), 8192, 4, ) == 0x0
 00538   408   NtProtectVirtualMemory  (-1, (0x1002f000), 8192, 4, ... (0x1002f000), 8192, 4, ) == 0x0
 00539   408   NtFlushInstructionCache  (-1, 268627968, 8192, ... ) == 0x0
 00540   408   NtProtectVirtualMemory  (-1, (0x1002f000), 8192, 4, ... (0x1002f000), 8192, 4, ) == 0x0
 00541   408   NtProtectVirtualMemory  (-1, (0x1002f000), 8192, 4, ... (0x1002f000), 8192, 4, ) == 0x0
 00542   408   NtFlushInstructionCache  (-1, 268627968, 8192, ... ) == 0x0
 00543   408   NtProtectVirtualMemory  (-1, (0x1002f000), 8192, 4, ... (0x1002f000), 8192, 4, ) == 0x0
 00544   408   NtProtectVirtualMemory  (-1, (0x1002f000), 8192, 4, ... (0x1002f000), 8192, 4, ) == 0x0
 00545   408   NtFlushInstructionCache  (-1, 268627968, 8192, ... ) == 0x0
 00546   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "winspool.drv"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00547   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\winspool.drv"}, 1241228, ... ) }, 1241228, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00548   408   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "winspool.drv"}, 1241228, ... ) }, 1241228, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00549   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winspool.drv"}, 1241228, ... ) }, 1241228, ... ) == 0x0
 00550   408   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winspool.drv"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00551   408   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 52, ... 64, ) == 0x0
 00552   408   NtQuerySection  (64, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00553   408   NtClose  (52, ... ) == 0x0
 00554   408   NtMapViewOfSection  (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x73000000), 0x0, 143360, ) == 0x0
 00555   408   NtClose  (64, ... ) == 0x0
 00556   408   NtProtectVirtualMemory  (-1, (0x1002f000), 8192, 4, ... (0x1002f000), 8192, 4, ) == 0x0
 00557   408   NtProtectVirtualMemory  (-1, (0x1002f000), 8192, 4, ... (0x1002f000), 8192, 4, ) == 0x0
 00558   408   NtFlushInstructionCache  (-1, 268627968, 8192, ... ) == 0x0
 00559   408   NtProtectVirtualMemory  (-1, (0x1002f000), 8192, 4, ... (0x1002f000), 8192, 4, ) == 0x0
 00560   408   NtProtectVirtualMemory  (-1, (0x1002f000), 8192, 4, ... (0x1002f000), 8192, 4, ) == 0x0
 00561   408   NtFlushInstructionCache  (-1, 268627968, 8192, ... ) == 0x0
 00562   408   NtProtectVirtualMemory  (-1, (0x1002f000), 8192, 4, ... (0x1002f000), 8192, 4, ) == 0x0
 00563   408   NtProtectVirtualMemory  (-1, (0x1002f000), 8192, 4, ... (0x1002f000), 8192, 4, ) == 0x0
 00564   408   NtFlushInstructionCache  (-1, 268627968, 8192, ... ) == 0x0
 00565   408   NtProtectVirtualMemory  (-1, (0x1002f000), 8192, 4, ... (0x1002f000), 8192, 4, ) == 0x0
 00566   408   NtProtectVirtualMemory  (-1, (0x1002f000), 8192, 4, ... (0x1002f000), 8192, 4, ) == 0x0
 00567   408   NtFlushInstructionCache  (-1, 268627968, 8192, ... ) == 0x0
 00568   408   NtProtectVirtualMemory  (-1, (0x1002f000), 8192, 4, ... (0x1002f000), 8192, 4, ) == 0x0
 00569   408   NtProtectVirtualMemory  (-1, (0x1002f000), 8192, 4, ... (0x1002f000), 8192, 4, ) == 0x0
 00570   408   NtFlushInstructionCache  (-1, 268627968, 8192, ... ) == 0x0
 00571   408   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\crypt32\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00572   408   NtAllocateVirtualMemory  (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0
 00573   408   NtAllocateVirtualMemory  (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0
 00574   408   NtAllocateVirtualMemory  (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0
 00575   408   NtAllocateVirtualMemory  (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0
 00576   408   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 64, ) }, ... 64, ) == 0x0
 00577   408   NtCreateEvent  (0x1f0003, {24, 64, 0x80, 1242136, 0,  (0x1f0003, {24, 64, 0x80, 1242136, 0, "Global\crypt32LogoffEvent"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED
 00578   408   NtOpenEvent  (0x100000, {24, 64, 0x0, 0, 0,  (0x100000, {24, 64, 0x0, 0, 0, "Global\crypt32LogoffEvent"}, ... 52, ) }, ... 52, ) == 0x0
 00579   408   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00580   408   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00581   408   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 68, ) }, ... 68, ) == 0x0
 00582   408   NtQueryValueKey  (68,  (68, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (68, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0
 00583   408   NtClose  (68, ... ) == 0x0
 00584   408   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00585   408   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00586   408   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00587   408   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00588   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 68, ) }, ... 68, ) == 0x0
 00589   408   NtQueryValueKey  (68,  (68, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00590   408   NtQueryValueKey  (68,  (68, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00591   408   NtQueryValueKey  (68,  (68, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00592   408   NtClose  (68, ... ) == 0x0
 00593   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 68, ) }, ... 68, ) == 0x0
 00594   408   NtQueryValueKey  (68,  (68, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00595   408   NtQueryValueKey  (68,  (68, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00596   408   NtClose  (68, ... ) == 0x0
 00597   408   NtOpenEvent  (0x1f0003, {24, 64, 0x0, 0, 0,  (0x1f0003, {24, 64, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00598   408   NtUserRegisterWindowMessage  ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b
 00599   408   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00600   408   NtOpenKey  (0x9, {24, 48, 0x40, 0, 0,  (0x9, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00601   408   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00602   408   NtAllocateVirtualMemory  (-1, 1347584, 0, 8192, 4096, 4, ... 1347584, 8192, ) == 0x0
 00603   408   NtCreateKey  (0xf003f, {24, 60, 0x40, 0, 0,  (0xf003f, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History"}, 0, 0x0, 0, ... 68, 2, ) }, 0, 0x0, 0, ... 68, 2, ) == 0x0
 00604   408   NtQueryDefaultUILanguage  (1240372, ...
 00605   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00606   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482208, ) == 0x0
 00607   408   NtQueryInformationToken  (-2147482208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00608   408   NtClose  (-2147482208, ... ) == 0x0
 00609   408   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 00610   408   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00611   408   NtOpenKey  (0x80000000, {24, -2147482208, 0x640, 0, 0,  (0x80000000, {24, -2147482208, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482196, ) }, ... -2147482196, ) == 0x0
 00612   408   NtQueryValueKey  (-2147482196,  (-2147482196, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00613   408   NtClose  (-2147482196, ... ) == 0x0
 00614   408   NtClose  (-2147482208, ... ) == 0x0
 00604   408   NtQueryDefaultUILanguage  ... ) == 0x0
 00615   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00616   408   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll"}, 1, 96, ... 72, {status=0x0, info=1}, ) }, 1, 96, ... 72, {status=0x0, info=1}, ) == 0x0
 00617   408   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 72, ... 76, ) == 0x0
 00618   408   NtMapViewOfSection  (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x910000), 0x0, 593920, ) == 0x0
 00619   408   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00620   408   NtQueryDefaultLocale  (1, 1238408, ... ) == 0x0
 00621   408   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00622   408   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1239264, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1239264, 1, 96, 0} "\210\6\35\1\33\0\1\0\0\0\0\0\1\354\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1H\0\0\0\377\377\377\377\0\0\0\0P\275\230\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0\340\357\22\0\0\0\0\0" ... {128, 156, reply, 0, 404, 408, 1497, 0} " S\26\0\33\0\1\0\0\0\0\0\1\354\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1H\0\0\0\377\377\377\377\0\0\0\0P\275\230\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0\340\357\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 404, 408, 1497, 0}  (24, {128, 156, new_msg, 0, 1239264, 1, 96, 0} "\210\6\35\1\33\0\1\0\0\0\0\0\1\354\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1H\0\0\0\377\377\377\377\0\0\0\0P\275\230\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0\340\357\22\0\0\0\0\0" ... {128, 156, reply, 0, 404, 408, 1497, 0} " S\26\0\33\0\1\0\0\0\0\0\1\354\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1H\0\0\0\377\377\377\377\0\0\0\0P\275\230\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0\340\357\22\0\0\0\0\0" )  ) == 0x0
 00623   408   NtClose  (72, ... ) == 0x0
 00624   408   NtClose  (76, ... ) == 0x0
 00625   408   NtUnmapViewOfSection  (-1, 0x910000, ... ) == 0x0
 00626   408   NtUnmapViewOfSection  (-1, 0x12efe0, ... ) == STATUS_NOT_MAPPED_VIEW
 00627   408   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00628   408   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00629   408   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00630   408   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00631   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1236948, ... ) }, 1236948, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00632   408   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00633   408   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00634   408   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00635   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1237540, ... ) }, 1237540, ... ) == 0x0
 00636   408   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 76, {status=0x0, info=1}, ) }, 3, 33, ... 76, {status=0x0, info=1}, ) == 0x0
 00637   408   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00638   408   NtCreateKey  (0x2001f, {24, 60, 0x40, 0, 0,  (0x2001f, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 72, 2, ) }, 0, 0x0, 0, ... 72, 2, ) == 0x0
 00639   408   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00640   408   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3801088, 65536, ) == 0x0
 00641   408   NtAllocateVirtualMemory  (-1, 3801088, 0, 4096, 4096, 4, ... 3801088, 4096, ) == 0x0
 00642   408   NtAllocateVirtualMemory  (-1, 3805184, 0, 8192, 4096, 4, ... 3805184, 8192, ) == 0x0
 00643   408   NtAllocateVirtualMemory  (-1, 0, 0, 6144, 4096, 4, ... 3866624, 8192, ) == 0x0
 00644   408   NtAllocateVirtualMemory  (-1, 0, 0, 106766, 4096, 4, ... 3932160, 110592, ) == 0x0
 00645   408   NtFreeVirtualMemory  (-1, (0x3c0000), 0, 32768, ... (0x3c0000), 110592, ) == 0x0
 00646   408   NtAllocateVirtualMemory  (-1, 0, 0, 8462, 4096, 4, ... 3932160, 12288, ) == 0x0
 00647   408   NtFreeVirtualMemory  (-1, (0x3c0000), 0, 32768, ... (0x3c0000), 12288, ) == 0x0
 00648   408   NtAllocateVirtualMemory  (-1, 0, 0, 4034, 4096, 4, ... 3932160, 4096, ) == 0x0
 00649   408   NtFreeVirtualMemory  (-1, (0x3c0000), 0, 32768, ... (0x3c0000), 4096, ) == 0x0
 00650   408   NtAllocateVirtualMemory  (-1, 0, 0, 20750, 4096, 4, ... 3932160, 24576, ) == 0x0
 00651   408   NtFreeVirtualMemory  (-1, (0x3c0000), 0, 32768, ... (0x3c0000), 24576, ) == 0x0
 00652   408   NtFreeVirtualMemory  (-1, (0x3b0000), 0, 32768, ... (0x3b0000), 8192, ) == 0x0
 00653   408   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00654   408   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3866624, 65536, ) == 0x0
 00655   408   NtAllocateVirtualMemory  (-1, 3866624, 0, 4096, 4096, 4, ... 3866624, 4096, ) == 0x0
 00656   408   NtAllocateVirtualMemory  (-1, 3870720, 0, 8192, 4096, 4, ... 3870720, 8192, ) == 0x0
 00657   408   NtAllocateVirtualMemory  (-1, 3878912, 0, 4096, 4096, 4, ... 3878912, 4096, ) == 0x0
 00658   408   NtQueryPerformanceCounter  (... {107544514, 0}, {3579545, 0}, ) == 0x0
 00659   408   NtAllocateVirtualMemory  (-1, 0, 0, 524280, 8192, 4, ... 9502720, 524288, ) == 0x0
 00660   408   NtAllocateVirtualMemory  (-1, 9502720, 0, 4096, 4096, 4, ... 9502720, 4096, ) == 0x0
 00661   408   NtAllocateVirtualMemory  (-1, 1355776, 0, 8192, 4096, 4, ... 1355776, 8192, ) == 0x0
 00662   408   NtUserGetDC  (0, ... ) == 0x1010052
 00663   408   NtUserCallOneParam  (16842834, 56, ... ) == 0x1
 00664   408   NtUserFindExistingCursorIcon  (1241376, 1241392, 1241960, ... ) == 0x10015
 00665   408   NtUserFindExistingCursorIcon  (1241376, 1241392, 1241960, ... ) == 0x10011
 00666   408   NtUserRegisterWindowMessage  ( ("commctrl_DragListMsg", ... ) , ... ) == 0xc0bc
 00667   408   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00668   408   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00669   408   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00670   408   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00671   408   NtQueryDefaultUILanguage  (1241536, ...
 00672   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00673   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482208, ) == 0x0
 00674   408   NtQueryInformationToken  (-2147482208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00675   408   NtClose  (-2147482208, ... ) == 0x0
 00676   408   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 00677   408   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00678   408   NtOpenKey  (0x80000000, {24, -2147482208, 0x640, 0, 0,  (0x80000000, {24, -2147482208, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482196, ) }, ... -2147482196, ) == 0x0
 00679   408   NtQueryValueKey  (-2147482196,  (-2147482196, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00680   408   NtClose  (-2147482196, ... ) == 0x0
 00681   408   NtClose  (-2147482208, ... ) == 0x0
 00671   408   NtQueryDefaultUILanguage  ... ) == 0x0
 00682   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00683   408   NtOpenProcessToken  (-1, 0x8, ... 80, ) == 0x0
 00684   408   NtQueryInformationToken  (80, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00685   408   NtClose  (80, ... ) == 0x0
 00686   408   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00687   408   NtReleaseMutant  (16, ...
 00688   408   NtContinue  (-130842488, 0, ...
 00687   408   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00689   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ieaENU.dll"}, 1238912, ... ) }, 1238912, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00690   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ieaENU.dll"}, 1239228, ... ) }, 1239228, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00691   408   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00692   408   NtReleaseMutant  (16, ...
 00693   408   NtContinue  (-130842488, 0, ...
 00692   408   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00694   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ieaENU.dll"}, 1238912, ... ) }, 1238912, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00695   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ieaENU.dll"}, 1239228, ... ) }, 1239228, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00696   408   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00697   408   NtReleaseMutant  (16, ...
 00698   408   NtContinue  (-130842488, 0, ...
 00697   408   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00699   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ieaENU.dll"}, 1238912, ... ) }, 1238912, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00700   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ieaENU.dll"}, 1239228, ... ) }, 1239228, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00701   408   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00702   408   NtReleaseMutant  (16, ...
 00703   408   NtContinue  (-130842488, 0, ...
 00702   408   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00704   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ieaENU.dll"}, 1238912, ... ) }, 1238912, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00705   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ieaENU.dll"}, 1239228, ... ) }, 1239228, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00706   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ieaLOC.dll"}, 1238912, ... ) }, 1238912, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00707   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ieaLOC.dll"}, 1239228, ... ) }, 1239228, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00708   408   NtAllocateVirtualMemory  (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0
 00709   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\iea.dll"}, 1239160, ... ) }, 1239160, ... ) == 0x0
 00710   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\iea.dll"}, 1237972, ... ) }, 1237972, ... ) == 0x0
 00711   408   NtQueryDefaultLocale  (1, 1240040, ... ) == 0x0
 00712   408   NtAllocateVirtualMemory  (-1, 1220608, 0, 4096, 4096, 260, ... 1220608, 4096, ) == 0x0
 00713   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00714   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 80, ) == 0x0
 00715   408   NtQueryInformationToken  (80, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00716   408   NtClose  (80, ... ) == 0x0
 00717   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes"}, ... 80, ) }, ... 80, ) == 0x0
 00718   408   NtSetInformationObject  (82, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 00719   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 00720   408   NtOpenKey  (0x2001f, {24, 82, 0x40, 0, 0,  (0x2001f, {24, 82, 0x40, 0, 0, "AppID"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00721   408   NtOpenKey  (0x2001f, {24, 0, 0x40, 0, 0,  (0x2001f, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\AppID"}, ... 84, ) }, ... 84, ) == 0x0
 00722   408   NtQueryKey  (86, Name, 384, ... {Name= (86, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\AppID"}, 84, ) }, 84, ) == 0x0
 00723   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00724   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 88, ) == 0x0
 00725   408   NtQueryInformationToken  (88, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00726   408   NtClose  (88, ... ) == 0x0
 00727   408   NtOpenKey  (0x2001f, {24, 0, 0x40, 0, 0,  (0x2001f, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\AppID\{BD4BAFB3-3E38-4668-8EC5-AE0118560AC5}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00728   408   NtOpenKey  (0x2001f, {24, 86, 0x40, 0, 0,  (0x2001f, {24, 86, 0x40, 0, 0, "{BD4BAFB3-3E38-4668-8EC5-AE0118560AC5}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00729   408   NtQueryKey  (86, Name, 384, ... {Name= (86, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\AppID"}, 84, ) }, 84, ) == 0x0
 00730   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00731   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 88, ) == 0x0
 00732   408   NtQueryInformationToken  (88, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00733   408   NtClose  (88, ... ) == 0x0
 00734   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\AppID\{BD4BAFB3-3E38-4668-8EC5-AE0118560AC5}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00735   408   NtOpenKey  (0x20019, {24, 86, 0x40, 0, 0,  (0x20019, {24, 86, 0x40, 0, 0, "{BD4BAFB3-3E38-4668-8EC5-AE0118560AC5}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00736   408   NtQueryKey  (86, Name, 382, ... {Name= (86, Name, 382, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\AppID"}, 84, ) }, 84, ) == 0x0
 00737   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00738   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 88, ) == 0x0
 00739   408   NtQueryInformationToken  (88, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00740   408   NtClose  (88, ... ) == 0x0
 00741   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\AppID\{BD4BAFB3-3E38-4668-8EC5-AE0118560AC5}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00742   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes"}, ... 88, ) }, ... 88, ) == 0x0
 00743   408   NtCreateKey  (0x2001f, {24, 88, 0x40, 0, 0,  (0x2001f, {24, 88, 0x40, 0, 0, "AppID\{BD4BAFB3-3E38-4668-8EC5-AE0118560AC5}"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 00744   408   NtSetInformationFile  (-2147482808, -130841564, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00745   408   NtSetInformationFile  (-2147482808, -130842036, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00746   408   NtSetInformationFile  (-2147482808, -130841660, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00743   408   NtCreateKey  ... 92, 1, ) == 0x0
 00747   408   NtClose  (88, ... ) == 0x0
 00748   408   NtQueryKey  (94, Name, 392, ... {Name= (94, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{BD4BAFB3-3E38-4668-8EC5-AE0118560AC5}_"}, 162, ) }, 162, ) == 0x0
 00749   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00750   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 88, ) == 0x0
 00751   408   NtQueryInformationToken  (88, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00752   408   NtClose  (88, ... ) == 0x0
 00753   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\AppID\{BD4BAFB3-3E38-4668-8EC5-AE0118560AC5}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00754   408   NtSetValueKey  (94, 0x0, 0, 1,  (94, 0x0, 0, 1, "I\0E\0A\0s\0s\0i\0s\0t\0a\0n\0t\0\0\0", 24, ... ) , 24, ... ) == 0x0
 00755   408   NtQueryKey  (86, Name, 384, ... {Name= (86, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\AppID"}, 84, ) }, 84, ) == 0x0
 00756   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00757   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 88, ) == 0x0
 00758   408   NtQueryInformationToken  (88, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00759   408   NtClose  (88, ... ) == 0x0
 00760   408   NtOpenKey  (0x2001f, {24, 0, 0x40, 0, 0,  (0x2001f, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\AppID\IEAssistant.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00761   408   NtOpenKey  (0x2001f, {24, 86, 0x40, 0, 0,  (0x2001f, {24, 86, 0x40, 0, 0, "IEAssistant.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00762   408   NtQueryKey  (86, Name, 384, ... {Name= (86, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\AppID"}, 84, ) }, 84, ) == 0x0
 00763   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00764   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 88, ) == 0x0
 00765   408   NtQueryInformationToken  (88, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00766   408   NtClose  (88, ... ) == 0x0
 00767   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\AppID\IEAssistant.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00768   408   NtOpenKey  (0x20019, {24, 86, 0x40, 0, 0,  (0x20019, {24, 86, 0x40, 0, 0, "IEAssistant.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00769   408   NtQueryKey  (86, Name, 382, ... {Name= (86, Name, 382, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\AppID"}, 84, ) }, 84, ) == 0x0
 00770   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00771   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 88, ) == 0x0
 00772   408   NtQueryInformationToken  (88, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00773   408   NtClose  (88, ... ) == 0x0
 00774   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\AppID\IEAssistant.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00775   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes"}, ... 88, ) }, ... 88, ) == 0x0
 00776   408   NtCreateKey  (0x2001f, {24, 88, 0x40, 0, 0,  (0x2001f, {24, 88, 0x40, 0, 0, "AppID\IEAssistant.DLL"}, 0, 0x0, 0, ... 96, 1, ) }, 0, 0x0, 0, ... 96, 1, ) == 0x0
 00777   408   NtClose  (88, ... ) == 0x0
 00778   408   NtClose  (94, ... ) == 0x0
 00779   408   NtQueryKey  (98, Name, 392, ... {Name= (98, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\IEAssistant.DLL"}, 116, ) }, 116, ) == 0x0
 00780   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00781   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 92, ) == 0x0
 00782   408   NtQueryInformationToken  (92, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00783   408   NtClose  (92, ... ) == 0x0
 00784   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\AppID\IEAssistant.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00785   408   NtSetValueKey  (98,  (98, "AppID", 0, 1, "{\0B\0D\04\0B\0A\0F\0B\03\0-\03\0E\03\08\0-\04\06\06\08\0-\08\0E\0C\05\0-\0A\0E\00\01\01\08\05\06\00\0A\0C\05\0}\0\0\0", 78, ... ) , 0, 1,  (98, "AppID", 0, 1, "{\0B\0D\04\0B\0A\0F\0B\03\0-\03\0E\03\08\0-\04\06\06\08\0-\08\0E\0C\05\0-\0A\0E\00\01\01\08\05\06\00\0A\0C\05\0}\0\0\0", 78, ... ) , 78, ... ) == 0x0
 00786   408   NtClose  (98, ... ) == 0x0
 00787   408   NtClose  (86, ... ) == 0x0
 00788   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\iea.dll"}, 1239136, ... ) }, 1239136, ... ) == 0x0
 00789   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\iea.dll"}, 1237948, ... ) }, 1237948, ... ) == 0x0
 00790   408   NtQueryDefaultLocale  (1, 1240016, ... ) == 0x0
 00791   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 00792   408   NtOpenKey  (0x2001f, {24, 82, 0x40, 0, 0,  (0x2001f, {24, 82, 0x40, 0, 0, "IEAssistant.Assistant.1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00793   408   NtOpenKey  (0x2001f, {24, 0, 0x40, 0, 0,  (0x2001f, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\IEAssistant.Assistant.1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00794   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESA"}, 138, ) }, 138, ) == 0x0
 00795   408   NtOpenKey  (0x20019, {24, 82, 0x40, 0, 0,  (0x20019, {24, 82, 0x40, 0, 0, "IEAssistant.Assistant.1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00796   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\IEAssistant.Assistant.1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00797   408   NtQueryKey  (82, Name, 382, ... {Name= (82, Name, 382, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESA"}, 138, ) }, 138, ) == 0x0
 00798   408   NtOpenKey  (0x2000000, {24, 82, 0x40, 0, 0,  (0x2000000, {24, 82, 0x40, 0, 0, "IEAssistant.Assistant.1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00799   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes"}, ... 84, ) }, ... 84, ) == 0x0
 00800   408   NtCreateKey  (0x2001f, {24, 84, 0x40, 0, 0,  (0x2001f, {24, 84, 0x40, 0, 0, "IEAssistant.Assistant.1"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 00801   408   NtSetInformationFile  (-2147482808, -130841668, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00802   408   NtSetInformationFile  (-2147482808, -130841660, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00800   408   NtCreateKey  ... 96, 1, ) == 0x0
 00803   408   NtClose  (84, ... ) == 0x0
 00804   408   NtQueryKey  (98, Name, 392, ... {Name= (98, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\IEAssistant.Assistant.1"}, 120, ) }, 120, ) == 0x0
 00805   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00806   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 84, ) == 0x0
 00807   408   NtQueryInformationToken  (84, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00808   408   NtClose  (84, ... ) == 0x0
 00809   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\IEAssistant.Assistant.1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00810   408   NtSetValueKey  (98, 0x0, 0, 1,  (98, 0x0, 0, 1, "A\0s\0s\0i\0s\0t\0a\0n\0t\0 \0C\0l\0a\0s\0s\0\0\0", 32, ... ) , 32, ... ) == 0x0
 00811   408   NtQueryKey  (98, Name, 384, ... {Name= (98, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\IEAssistant.Assistant.1"}, 120, ) }, 120, ) == 0x0
 00812   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00813   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 84, ) == 0x0
 00814   408   NtQueryInformationToken  (84, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00815   408   NtClose  (84, ... ) == 0x0
 00816   408   NtOpenKey  (0x2001f, {24, 0, 0x40, 0, 0,  (0x2001f, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\IEAssistant.Assistant.1\CLSID"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00817   408   NtOpenKey  (0x2001f, {24, 98, 0x40, 0, 0,  (0x2001f, {24, 98, 0x40, 0, 0, "CLSID"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00818   408   NtQueryKey  (98, Name, 384, ... {Name= (98, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\IEAssistant.Assistant.1"}, 120, ) }, 120, ) == 0x0
 00819   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00820   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 84, ) == 0x0
 00821   408   NtQueryInformationToken  (84, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00822   408   NtClose  (84, ... ) == 0x0
 00823   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\IEAssistant.Assistant.1\CLSID"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00824   408   NtOpenKey  (0x20019, {24, 98, 0x40, 0, 0,  (0x20019, {24, 98, 0x40, 0, 0, "CLSID"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00825   408   NtQueryKey  (98, Name, 382, ... {Name= (98, Name, 382, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\IEAssistant.Assistant.1"}, 120, ) }, 120, ) == 0x0
 00826   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00827   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 84, ) == 0x0
 00828   408   NtQueryInformationToken  (84, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00829   408   NtClose  (84, ... ) == 0x0
 00830   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\IEAssistant.Assistant.1\CLSID"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00831   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes"}, ... 84, ) }, ... 84, ) == 0x0
 00832   408   NtCreateKey  (0x2001f, {24, 84, 0x40, 0, 0,  (0x2001f, {24, 84, 0x40, 0, 0, "IEAssistant.Assistant.1\CLSID"}, 0, 0x0, 0, ... 92, 1, ) }, 0, 0x0, 0, ... 92, 1, ) == 0x0
 00833   408   NtClose  (84, ... ) == 0x0
 00834   408   NtQueryKey  (94, Name, 392, ... {Name= (94, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\IEAssistant.Assistant.1\CLSID"}, 132, ) }, 132, ) == 0x0
 00835   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00836   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 84, ) == 0x0
 00837   408   NtQueryInformationToken  (84, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00838   408   NtClose  (84, ... ) == 0x0
 00839   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\IEAssistant.Assistant.1\CLSID"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00840   408   NtSetValueKey  (94, 0x0, 0, 1,  (94, 0x0, 0, 1, "{\0B\00\08\0D\03\02\0D\0E\0-\06\04\0B\02\0-\04\01\03\07\0-\08\03\04\05\0-\08\07\02\09\03\0E\07\00\0D\04\00\0B\0}\0\0\0", 78, ... ) , 78, ... ) == 0x0
 00841   408   NtClose  (94, ... ) == 0x0
 00842   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 00843   408   NtOpenKey  (0x2001f, {24, 82, 0x40, 0, 0,  (0x2001f, {24, 82, 0x40, 0, 0, "IEAssistant.Assistant"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00844   408   NtOpenKey  (0x2001f, {24, 0, 0x40, 0, 0,  (0x2001f, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\IEAssistant.Assistant"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00845   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESA"}, 138, ) }, 138, ) == 0x0
 00846   408   NtOpenKey  (0x20019, {24, 82, 0x40, 0, 0,  (0x20019, {24, 82, 0x40, 0, 0, "IEAssistant.Assistant"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00847   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\IEAssistant.Assistant"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00848   408   NtQueryKey  (82, Name, 382, ... {Name= (82, Name, 382, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESA"}, 138, ) }, 138, ) == 0x0
 00849   408   NtOpenKey  (0x2000000, {24, 82, 0x40, 0, 0,  (0x2000000, {24, 82, 0x40, 0, 0, "IEAssistant.Assistant"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00850   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes"}, ... 92, ) }, ... 92, ) == 0x0
 00851   408   NtCreateKey  (0x2001f, {24, 92, 0x40, 0, 0,  (0x2001f, {24, 92, 0x40, 0, 0, "IEAssistant.Assistant"}, 0, 0x0, 0, ... 84, 1, ) }, 0, 0x0, 0, ... 84, 1, ) == 0x0
 00852   408   NtClose  (92, ... ) == 0x0
 00853   408   NtClose  (98, ... ) == 0x0
 00854   408   NtQueryKey  (86, Name, 392, ... {Name= (86, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\IEAssistant.Assistant"}, 116, ) }, 116, ) == 0x0
 00855   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00856   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 96, ) == 0x0
 00857   408   NtQueryInformationToken  (96, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00858   408   NtClose  (96, ... ) == 0x0
 00859   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\IEAssistant.Assistant"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00860   408   NtSetValueKey  (86, 0x0, 0, 1,  (86, 0x0, 0, 1, "A\0s\0s\0i\0s\0t\0a\0n\0t\0 \0C\0l\0a\0s\0s\0\0\0", 32, ... ) , 32, ... ) == 0x0
 00861   408   NtQueryKey  (86, Name, 384, ... {Name= (86, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\IEAssistant.Assistant"}, 116, ) }, 116, ) == 0x0
 00862   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00863   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 96, ) == 0x0
 00864   408   NtQueryInformationToken  (96, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00865   408   NtClose  (96, ... ) == 0x0
 00866   408   NtOpenKey  (0x2001f, {24, 0, 0x40, 0, 0,  (0x2001f, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\IEAssistant.Assistant\CLSID"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00867   408   NtOpenKey  (0x2001f, {24, 86, 0x40, 0, 0,  (0x2001f, {24, 86, 0x40, 0, 0, "CLSID"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00868   408   NtQueryKey  (86, Name, 384, ... {Name= (86, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\IEAssistant.Assistant"}, 116, ) }, 116, ) == 0x0
 00869   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00870   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 96, ) == 0x0
 00871   408   NtQueryInformationToken  (96, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00872   408   NtClose  (96, ... ) == 0x0
 00873   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\IEAssistant.Assistant\CLSID"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00874   408   NtOpenKey  (0x20019, {24, 86, 0x40, 0, 0,  (0x20019, {24, 86, 0x40, 0, 0, "CLSID"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00875   408   NtQueryKey  (86, Name, 382, ... {Name= (86, Name, 382, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\IEAssistant.Assistant"}, 116, ) }, 116, ) == 0x0
 00876   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00877   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 96, ) == 0x0
 00878   408   NtQueryInformationToken  (96, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00879   408   NtClose  (96, ... ) == 0x0
 00880   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\IEAssistant.Assistant\CLSID"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00881   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes"}, ... 96, ) }, ... 96, ) == 0x0
 00882   408   NtCreateKey  (0x2001f, {24, 96, 0x40, 0, 0,  (0x2001f, {24, 96, 0x40, 0, 0, "IEAssistant.Assistant\CLSID"}, 0, 0x0, 0, ... 92, 1, ) }, 0, 0x0, 0, ... 92, 1, ) == 0x0
 00883   408   NtClose  (96, ... ) == 0x0
 00884   408   NtQueryKey  (94, Name, 392, ... {Name= (94, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\IEAssistant.Assistant\CLSID"}, 128, ) }, 128, ) == 0x0
 00885   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00886   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 96, ) == 0x0
 00887   408   NtQueryInformationToken  (96, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00888   408   NtClose  (96, ... ) == 0x0
 00889   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\IEAssistant.Assistant\CLSID"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00890   408   NtSetValueKey  (94, 0x0, 0, 1,  (94, 0x0, 0, 1, "{\0B\00\08\0D\03\02\0D\0E\0-\06\04\0B\02\0-\04\01\03\07\0-\08\03\04\05\0-\08\07\02\09\03\0E\07\00\0D\04\00\0B\0}\0\0\0", 78, ... ) , 78, ... ) == 0x0
 00891   408   NtQueryKey  (86, Name, 384, ... {Name= (86, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\IEAssistant.Assistant"}, 116, ) }, 116, ) == 0x0
 00892   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00893   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 96, ) == 0x0
 00894   408   NtQueryInformationToken  (96, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00895   408   NtClose  (96, ... ) == 0x0
 00896   408   NtOpenKey  (0x2001f, {24, 0, 0x40, 0, 0,  (0x2001f, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\IEAssistant.Assistant\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00897   408   NtOpenKey  (0x2001f, {24, 86, 0x40, 0, 0,  (0x2001f, {24, 86, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00898   408   NtQueryKey  (86, Name, 384, ... {Name= (86, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\IEAssistant.Assistant"}, 116, ) }, 116, ) == 0x0
 00899   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00900   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 96, ) == 0x0
 00901   408   NtQueryInformationToken  (96, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00902   408   NtClose  (96, ... ) == 0x0
 00903   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\IEAssistant.Assistant\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00904   408   NtOpenKey  (0x20019, {24, 86, 0x40, 0, 0,  (0x20019, {24, 86, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00905   408   NtQueryKey  (86, Name, 382, ... {Name= (86, Name, 382, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\IEAssistant.Assistant"}, 116, ) }, 116, ) == 0x0
 00906   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00907   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 96, ) == 0x0
 00908   408   NtQueryInformationToken  (96, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00909   408   NtClose  (96, ... ) == 0x0
 00910   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\IEAssistant.Assistant\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00911   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes"}, ... 96, ) }, ... 96, ) == 0x0
 00912   408   NtCreateKey  (0x2001f, {24, 96, 0x40, 0, 0,  (0x2001f, {24, 96, 0x40, 0, 0, "IEAssistant.Assistant\CurVer"}, 0, 0x0, 0, ... 88, 1, ) }, 0, 0x0, 0, ... 88, 1, ) == 0x0
 00913   408   NtClose  (96, ... ) == 0x0
 00914   408   NtClose  (94, ... ) == 0x0
 00915   408   NtQueryKey  (90, Name, 392, ... {Name= (90, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\IEAssistant.Assistant\CurVer9"}, 130, ) }, 130, ) == 0x0
 00916   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00917   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 92, ) == 0x0
 00918   408   NtQueryInformationToken  (92, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00919   408   NtClose  (92, ... ) == 0x0
 00920   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\IEAssistant.Assistant\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00921   408   NtSetValueKey  (90, 0x0, 0, 1,  (90, 0x0, 0, 1, "I\0E\0A\0s\0s\0i\0s\0t\0a\0n\0t\0.\0A\0s\0s\0i\0s\0t\0a\0n\0t\0.\01\0\0\0", 48, ... ) , 48, ... ) == 0x0
 00922   408   NtClose  (90, ... ) == 0x0
 00923   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 00924   408   NtOpenKey  (0x2001f, {24, 82, 0x40, 0, 0,  (0x2001f, {24, 82, 0x40, 0, 0, "CLSID"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00925   408   NtOpenKey  (0x2001f, {24, 0, 0x40, 0, 0,  (0x2001f, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID"}, ... 88, ) }, ... 88, ) == 0x0
 00926   408   NtClose  (86, ... ) == 0x0
 00927   408   NtQueryKey  (90, Name, 384, ... {Name= (90, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID"}, 84, ) }, 84, ) == 0x0
 00928   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00929   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 84, ) == 0x0
 00930   408   NtQueryInformationToken  (84, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00931   408   NtClose  (84, ... ) == 0x0
 00932   408   NtOpenKey  (0x2001f, {24, 0, 0x40, 0, 0,  (0x2001f, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00933   408   NtOpenKey  (0x2001f, {24, 90, 0x40, 0, 0,  (0x2001f, {24, 90, 0x40, 0, 0, "{B08D32DE-64B2-4137-8345-87293E70D40B}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00934   408   NtQueryKey  (90, Name, 384, ... {Name= (90, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID"}, 84, ) }, 84, ) == 0x0
 00935   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00936   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 84, ) == 0x0
 00937   408   NtQueryInformationToken  (84, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00938   408   NtClose  (84, ... ) == 0x0
 00939   408   NtOpenKey  (0x2001f, {24, 0, 0x40, 0, 0,  (0x2001f, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00940   408   NtOpenKey  (0x2001f, {24, 90, 0x40, 0, 0,  (0x2001f, {24, 90, 0x40, 0, 0, "{B08D32DE-64B2-4137-8345-87293E70D40B}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00941   408   NtQueryKey  (90, Name, 384, ... {Name= (90, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID"}, 84, ) }, 84, ) == 0x0
 00942   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00943   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 84, ) == 0x0
 00944   408   NtQueryInformationToken  (84, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00945   408   NtClose  (84, ... ) == 0x0
 00946   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00947   408   NtOpenKey  (0x20019, {24, 90, 0x40, 0, 0,  (0x20019, {24, 90, 0x40, 0, 0, "{B08D32DE-64B2-4137-8345-87293E70D40B}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00948   408   NtQueryKey  (90, Name, 382, ... {Name= (90, Name, 382, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID"}, 84, ) }, 84, ) == 0x0
 00949   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00950   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 84, ) == 0x0
 00951   408   NtQueryInformationToken  (84, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00952   408   NtClose  (84, ... ) == 0x0
 00953   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00954   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes"}, ... 84, ) }, ... 84, ) == 0x0
 00955   408   NtCreateKey  (0x2001f, {24, 84, 0x40, 0, 0,  (0x2001f, {24, 84, 0x40, 0, 0, "CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 00956   408   NtSetInformationFile  (-2147482808, -130841564, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00957   408   NtSetInformationFile  (-2147482808, -130841668, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00958   408   NtSetInformationFile  (-2147482808, -130841660, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00955   408   NtCreateKey  ... 92, 1, ) == 0x0
 00959   408   NtClose  (84, ... ) == 0x0
 00960   408   NtQueryKey  (94, Name, 392, ... {Name= (94, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}_"}, 162, ) }, 162, ) == 0x0
 00961   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00962   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 84, ) == 0x0
 00963   408   NtQueryInformationToken  (84, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00964   408   NtClose  (84, ... ) == 0x0
 00965   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00966   408   NtSetValueKey  (94, 0x0, 0, 1,  (94, 0x0, 0, 1, "A\0s\0s\0i\0s\0t\0a\0n\0t\0 \0C\0l\0a\0s\0s\0\0\0", 32, ... ) , 32, ... ) == 0x0
 00967   408   NtQueryKey  (94, Name, 384, ... {Name= (94, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}_"}, 162, ) }, 162, ) == 0x0
 00968   408   NtAllocateVirtualMemory  (-1, 1363968, 0, 4096, 4096, 4, ... 1363968, 4096, ) == 0x0
 00969   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00970   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 84, ) == 0x0
 00971   408   NtQueryInformationToken  (84, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00972   408   NtClose  (84, ... ) == 0x0
 00973   408   NtOpenKey  (0x2001f, {24, 0, 0x40, 0, 0,  (0x2001f, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}\ProgID"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00974   408   NtOpenKey  (0x2001f, {24, 94, 0x40, 0, 0,  (0x2001f, {24, 94, 0x40, 0, 0, "ProgID"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00975   408   NtQueryKey  (94, Name, 384, ... {Name= (94, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}_"}, 162, ) }, 162, ) == 0x0
 00976   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00977   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 84, ) == 0x0
 00978   408   NtQueryInformationToken  (84, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00979   408   NtClose  (84, ... ) == 0x0
 00980   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}\ProgID"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00981   408   NtOpenKey  (0x20019, {24, 94, 0x40, 0, 0,  (0x20019, {24, 94, 0x40, 0, 0, "ProgID"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00982   408   NtQueryKey  (94, Name, 382, ... {Name= (94, Name, 382, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}_"}, 162, ) }, 162, ) == 0x0
 00983   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00984   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 84, ) == 0x0
 00985   408   NtQueryInformationToken  (84, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00986   408   NtClose  (84, ... ) == 0x0
 00987   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}\ProgID"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00988   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes"}, ... 84, ) }, ... 84, ) == 0x0
 00989   408   NtCreateKey  (0x2001f, {24, 84, 0x40, 0, 0,  (0x2001f, {24, 84, 0x40, 0, 0, "CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}\ProgID"}, 0, 0x0, 0, ... 96, 1, ) }, 0, 0x0, 0, ... 96, 1, ) == 0x0
 00990   408   NtClose  (84, ... ) == 0x0
 00991   408   NtQueryKey  (98, Name, 392, ... {Name= (98, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}\ProgID"}, 176, ) }, 176, ) == 0x0
 00992   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00993   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 84, ) == 0x0
 00994   408   NtQueryInformationToken  (84, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00995   408   NtClose  (84, ... ) == 0x0
 00996   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}\ProgID"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00997   408   NtSetValueKey  (98, 0x0, 0, 1,  (98, 0x0, 0, 1, "I\0E\0A\0s\0s\0i\0s\0t\0a\0n\0t\0.\0A\0s\0s\0i\0s\0t\0a\0n\0t\0.\01\0\0\0", 48, ... ) , 48, ... ) == 0x0
 00998   408   NtQueryKey  (94, Name, 384, ... {Name= (94, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}_"}, 162, ) }, 162, ) == 0x0
 00999   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01000   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 84, ) == 0x0
 01001   408   NtQueryInformationToken  (84, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01002   408   NtClose  (84, ... ) == 0x0
 01003   408   NtOpenKey  (0x2001f, {24, 0, 0x40, 0, 0,  (0x2001f, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}\VersionIndependentProgID"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01004   408   NtOpenKey  (0x2001f, {24, 94, 0x40, 0, 0,  (0x2001f, {24, 94, 0x40, 0, 0, "VersionIndependentProgID"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01005   408   NtQueryKey  (94, Name, 384, ... {Name= (94, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}_"}, 162, ) }, 162, ) == 0x0
 01006   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01007   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 84, ) == 0x0
 01008   408   NtQueryInformationToken  (84, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01009   408   NtClose  (84, ... ) == 0x0
 01010   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}\VersionIndependentProgID"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01011   408   NtOpenKey  (0x20019, {24, 94, 0x40, 0, 0,  (0x20019, {24, 94, 0x40, 0, 0, "VersionIndependentProgID"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01012   408   NtQueryKey  (94, Name, 382, ... {Name= (94, Name, 382, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}_"}, 162, ) }, 162, ) == 0x0
 01013   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01014   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 84, ) == 0x0
 01015   408   NtQueryInformationToken  (84, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01016   408   NtClose  (84, ... ) == 0x0
 01017   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}\VersionIndependentProgID"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01018   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes"}, ... 84, ) }, ... 84, ) == 0x0
 01019   408   NtCreateKey  (0x2001f, {24, 84, 0x40, 0, 0,  (0x2001f, {24, 84, 0x40, 0, 0, "CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}\VersionIndependentProgID"}, 0, 0x0, 0, ... 100, 1, ) }, 0, 0x0, 0, ... 100, 1, ) == 0x0
 01020   408   NtClose  (84, ... ) == 0x0
 01021   408   NtClose  (98, ... ) == 0x0
 01022   408   NtQueryKey  (102, Name, 392, ... {Name= (102, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}\VersionIndependentProgID"}, 212, ) }, 212, ) == 0x0
 01023   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01024   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 96, ) == 0x0
 01025   408   NtQueryInformationToken  (96, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01026   408   NtClose  (96, ... ) == 0x0
 01027   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}\VersionIndependentProgID"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01028   408   NtSetValueKey  (102, 0x0, 0, 1,  (102, 0x0, 0, 1, "I\0E\0A\0s\0s\0i\0s\0t\0a\0n\0t\0.\0A\0s\0s\0i\0s\0t\0a\0n\0t\0\0\0", 44, ... ) , 44, ... ) == 0x0
 01029   408   NtQueryKey  (94, Name, 384, ... {Name= (94, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}_"}, 162, ) }, 162, ) == 0x0
 01030   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01031   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 96, ) == 0x0
 01032   408   NtQueryInformationToken  (96, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01033   408   NtClose  (96, ... ) == 0x0
 01034   408   NtOpenKey  (0x2001f, {24, 0, 0x40, 0, 0,  (0x2001f, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}\Programmable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01035   408   NtOpenKey  (0x2001f, {24, 94, 0x40, 0, 0,  (0x2001f, {24, 94, 0x40, 0, 0, "Programmable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01036   408   NtQueryKey  (94, Name, 384, ... {Name= (94, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}_"}, 162, ) }, 162, ) == 0x0
 01037   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01038   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 96, ) == 0x0
 01039   408   NtQueryInformationToken  (96, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01040   408   NtClose  (96, ... ) == 0x0
 01041   408   NtOpenKey  (0x2001f, {24, 0, 0x40, 0, 0,  (0x2001f, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}\Programmable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01042   408   NtOpenKey  (0x2001f, {24, 94, 0x40, 0, 0,  (0x2001f, {24, 94, 0x40, 0, 0, "Programmable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01043   408   NtQueryKey  (94, Name, 384, ... {Name= (94, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}_"}, 162, ) }, 162, ) == 0x0
 01044   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01045   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 96, ) == 0x0
 01046   408   NtQueryInformationToken  (96, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01047   408   NtClose  (96, ... ) == 0x0
 01048   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}\Programmable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01049   408   NtOpenKey  (0x20019, {24, 94, 0x40, 0, 0,  (0x20019, {24, 94, 0x40, 0, 0, "Programmable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01050   408   NtQueryKey  (94, Name, 382, ... {Name= (94, Name, 382, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}_"}, 162, ) }, 162, ) == 0x0
 01051   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01052   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 96, ) == 0x0
 01053   408   NtQueryInformationToken  (96, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01054   408   NtClose  (96, ... ) == 0x0
 01055   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}\Programmable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01056   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes"}, ... 96, ) }, ... 96, ) == 0x0
 01057   408   NtCreateKey  (0x2001f, {24, 96, 0x40, 0, 0,  (0x2001f, {24, 96, 0x40, 0, 0, "CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}\Programmable"}, 0, 0x0, 0, ... 84, 1, ) }, 0, 0x0, 0, ... 84, 1, ) == 0x0
 01058   408   NtClose  (96, ... ) == 0x0
 01059   408   NtClose  (102, ... ) == 0x0
 01060   408   NtQueryKey  (94, Name, 384, ... {Name= (94, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}"}, 162, ) }, 162, ) == 0x0
 01061   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01062   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 100, ) == 0x0
 01063   408   NtQueryInformationToken  (100, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01064   408   NtClose  (100, ... ) == 0x0
 01065   408   NtOpenKey  (0x2001f, {24, 0, 0x40, 0, 0,  (0x2001f, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01066   408   NtOpenKey  (0x2001f, {24, 94, 0x40, 0, 0,  (0x2001f, {24, 94, 0x40, 0, 0, "InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01067   408   NtQueryKey  (94, Name, 384, ... {Name= (94, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}_"}, 162, ) }, 162, ) == 0x0
 01068   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01069   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 100, ) == 0x0
 01070   408   NtQueryInformationToken  (100, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01071   408   NtClose  (100, ... ) == 0x0
 01072   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01073   408   NtOpenKey  (0x20019, {24, 94, 0x40, 0, 0,  (0x20019, {24, 94, 0x40, 0, 0, "InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01074   408   NtQueryKey  (94, Name, 382, ... {Name= (94, Name, 382, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}_"}, 162, ) }, 162, ) == 0x0
 01075   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01076   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 100, ) == 0x0
 01077   408   NtQueryInformationToken  (100, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01078   408   NtClose  (100, ... ) == 0x0
 01079   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01080   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes"}, ... 100, ) }, ... 100, ) == 0x0
 01081   408   NtCreateKey  (0x2001f, {24, 100, 0x40, 0, 0,  (0x2001f, {24, 100, 0x40, 0, 0, "CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}\InprocServer32"}, 0, 0x0, 0, ... 96, 1, ) }, 0, 0x0, 0, ... 96, 1, ) == 0x0
 01082   408   NtClose  (100, ... ) == 0x0
 01083   408   NtClose  (86, ... ) == 0x0
 01084   408   NtQueryKey  (98, Name, 392, ... {Name= (98, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}\InprocServer32"}, 192, ) }, 192, ) == 0x0
 01085   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01086   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 84, ) == 0x0
 01087   408   NtQueryInformationToken  (84, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01088   408   NtClose  (84, ... ) == 0x0
 01089   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01090   408   NtSetValueKey  (98, 0x0, 0, 1,  (98, 0x0, 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0i\0e\0a\0.\0d\0l\0l\0\0\0", 56, ... ) , 56, ... ) == 0x0
 01091   408   NtQueryKey  (98, Name, 392, ... {Name= (98, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}\InprocServer32"}, 192, ) }, 192, ) == 0x0
 01092   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01093   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 84, ) == 0x0
 01094   408   NtQueryInformationToken  (84, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01095   408   NtClose  (84, ... ) == 0x0
 01096   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01097   408   NtSetValueKey  (98,  (98, "ThreadingModel", 0, 1, "A\0p\0a\0r\0t\0m\0e\0n\0t\0\0\0", 20, ... ) , 0, 1,  (98, "ThreadingModel", 0, 1, "A\0p\0a\0r\0t\0m\0e\0n\0t\0\0\0", 20, ... ) , 20, ... ) == 0x0
 01098   408   NtQueryKey  (94, Name, 392, ... {Name= (94, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}_"}, 162, ) }, 162, ) == 0x0
 01099   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01100   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 84, ) == 0x0
 01101   408   NtQueryInformationToken  (84, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01102   408   NtClose  (84, ... ) == 0x0
 01103   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01104   408   NtSetValueKey  (94,  (94, "AppID", 0, 1, "{\0B\0D\04\0B\0A\0F\0B\03\0-\03\0E\03\08\0-\04\06\06\08\0-\08\0E\0C\05\0-\0A\0E\00\01\01\08\05\06\00\0A\0C\05\0}\0\0\0", 78, ... ) , 0, 1,  (94, "AppID", 0, 1, "{\0B\0D\04\0B\0A\0F\0B\03\0-\03\0E\03\08\0-\04\06\06\08\0-\08\0E\0C\05\0-\0A\0E\00\01\01\08\05\06\00\0A\0C\05\0}\0\0\0", 78, ... ) , 78, ... ) == 0x0
 01105   408   NtQueryKey  (94, Name, 384, ... {Name= (94, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}_"}, 162, ) }, 162, ) == 0x0
 01106   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01107   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 84, ) == 0x0
 01108   408   NtQueryInformationToken  (84, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01109   408   NtClose  (84, ... ) == 0x0
 01110   408   NtOpenKey  (0x2001f, {24, 0, 0x40, 0, 0,  (0x2001f, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}\TypeLib"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01111   408   NtOpenKey  (0x2001f, {24, 94, 0x40, 0, 0,  (0x2001f, {24, 94, 0x40, 0, 0, "TypeLib"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01112   408   NtQueryKey  (94, Name, 384, ... {Name= (94, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}_"}, 162, ) }, 162, ) == 0x0
 01113   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01114   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 84, ) == 0x0
 01115   408   NtQueryInformationToken  (84, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01116   408   NtClose  (84, ... ) == 0x0
 01117   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}\TypeLib"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01118   408   NtOpenKey  (0x20019, {24, 94, 0x40, 0, 0,  (0x20019, {24, 94, 0x40, 0, 0, "TypeLib"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01119   408   NtQueryKey  (94, Name, 382, ... {Name= (94, Name, 382, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}_"}, 162, ) }, 162, ) == 0x0
 01120   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01121   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 84, ) == 0x0
 01122   408   NtQueryInformationToken  (84, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01123   408   NtClose  (84, ... ) == 0x0
 01124   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}\TypeLib"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01125   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes"}, ... 84, ) }, ... 84, ) == 0x0
 01126   408   NtCreateKey  (0x2001f, {24, 84, 0x40, 0, 0,  (0x2001f, {24, 84, 0x40, 0, 0, "CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}\TypeLib"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 01127   408   NtSetInformationFile  (-2147482808, -130841792, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01126   408   NtCreateKey  ... 100, 1, ) == 0x0
 01128   408   NtClose  (84, ... ) == 0x0
 01129   408   NtClose  (98, ... ) == 0x0
 01130   408   NtQueryKey  (102, Name, 392, ... {Name= (102, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}\TypeLib\"}, 178, ) }, 178, ) == 0x0
 01131   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01132   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 96, ) == 0x0
 01133   408   NtQueryInformationToken  (96, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01134   408   NtClose  (96, ... ) == 0x0
 01135   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}\TypeLib"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01136   408   NtSetValueKey  (102, 0x0, 0, 1,  (102, 0x0, 0, 1, "{\0E\00\0F\07\03\0B\00\05\0-\0A\09\08\02\0-\04\0B\01\0D\0-\08\05\0A\06\0-\09\05\06\06\09\0E\09\04\0E\00\07\00\0}\0\0\0", 78, ... ) , 78, ... ) == 0x0
 01137   408   NtClose  (102, ... ) == 0x0
 01138   408   NtClose  (94, ... ) == 0x0
 01139   408   NtClose  (90, ... ) == 0x0
 01140   408   NtOpenKey  (0x2001f, {24, 48, 0x40, 0, 0,  (0x2001f, {24, 48, 0x40, 0, 0, "SOFTWARE"}, ... 88, ) }, ... 88, ) == 0x0
 01141   408   NtOpenKey  (0x2001f, {24, 88, 0x40, 0, 0,  (0x2001f, {24, 88, 0x40, 0, 0, "Microsoft"}, ... 92, ) }, ... 92, ) == 0x0
 01142   408   NtOpenKey  (0x2001f, {24, 92, 0x40, 0, 0,  (0x2001f, {24, 92, 0x40, 0, 0, "Windows"}, ... 100, ) }, ... 100, ) == 0x0
 01143   408   NtOpenKey  (0x2001f, {24, 100, 0x40, 0, 0,  (0x2001f, {24, 100, 0x40, 0, 0, "CurrentVersion"}, ... 96, ) }, ... 96, ) == 0x0
 01144   408   NtOpenKey  (0x2001f, {24, 96, 0x40, 0, 0,  (0x2001f, {24, 96, 0x40, 0, 0, "Explorer"}, ... 84, ) }, ... 84, ) == 0x0
 01145   408   NtOpenKey  (0x2001f, {24, 84, 0x40, 0, 0,  (0x2001f, {24, 84, 0x40, 0, 0, "Browser Helper Objects"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01146   408   NtOpenKey  (0x20019, {24, 84, 0x40, 0, 0,  (0x20019, {24, 84, 0x40, 0, 0, "Browser Helper Objects"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01147   408   NtCreateKey  (0x2001f, {24, 84, 0x40, 0, 0,  (0x2001f, {24, 84, 0x40, 0, 0, "Browser Helper Objects"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 01148   408   NtSetInformationFile  (-2147482808, -130841564, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01149   408   NtSetInformationFile  (-2147482808, -130841660, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01147   408   NtCreateKey  ... 104, 1, ) == 0x0
 01150   408   NtOpenKey  (0x2001f, {24, 104, 0x40, 0, 0,  (0x2001f, {24, 104, 0x40, 0, 0, "{B08D32DE-64B2-4137-8345-87293E70D40B}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01151   408   NtOpenKey  (0x2001f, {24, 104, 0x40, 0, 0,  (0x2001f, {24, 104, 0x40, 0, 0, "{B08D32DE-64B2-4137-8345-87293E70D40B}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01152   408   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "{B08D32DE-64B2-4137-8345-87293E70D40B}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01153   408   NtCreateKey  (0x2001f, {24, 104, 0x40, 0, 0,  (0x2001f, {24, 104, 0x40, 0, 0, "{B08D32DE-64B2-4137-8345-87293E70D40B}"}, 0, 0x0, 0, ... 108, 1, ) }, 0, 0x0, 0, ... 108, 1, ) == 0x0
 01154   408   NtSetValueKey  (108, 0x0, 0, 1,  (108, 0x0, 0, 1, "I\0E\0 \0A\0s\0s\0i\0s\0t\0a\0n\0t\0\0\0", 26, ... ) , 26, ... ) == 0x0
 01155   408   NtClose  (108, ... ) == 0x0
 01156   408   NtClose  (104, ... ) == 0x0
 01157   408   NtClose  (84, ... ) == 0x0
 01158   408   NtClose  (96, ... ) == 0x0
 01159   408   NtClose  (100, ... ) == 0x0
 01160   408   NtClose  (92, ... ) == 0x0
 01161   408   NtClose  (88, ... ) == 0x0
 01162   408   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1242720,  (0x80100080, {24, 0, 0x40, 0, 1242720, "\??\C:\WINDOWS\System32\iea.dll"}, 0x0, 0, 1, 1, 2144, 0, 0, ... 88, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2144, 0, 0, ... 88, {status=0x0, info=1}, ) == 0x0
 01163   408   NtQueryInformationFile  (88, 1242760, 8, Position, ... {status=0x0, info=8}, ) == 0x0
 01164   408   NtSetInformationFile  (88, 1242760, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01165   408   NtReadFile  (88, 0, 0, 0, 64, 0x0, 0, ... {status=0x0, info=64},  (88, 0, 0, 0, 64, 0x0, 0, ... {status=0x0, info=64}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\370\0\0\0", ) , ) == 0x0
 01166   408   NtSetInformationFile  (88, 1242760, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01167   408   NtSetInformationFile  (88, 1242356, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01168   408   NtReadFile  (88, 0, 0, 0, 4, 0x0, 0, ... {status=0x0, info=4},  (88, 0, 0, 0, 4, 0x0, 0, ... {status=0x0, info=4}, "PE\0\0", ) , ) == 0x0
 01169   408   NtReadFile  (88, 0, 0, 0, 20, 0x0, 0, ... {status=0x0, info=20},  (88, 0, 0, 0, 20, 0x0, 0, ... {status=0x0, info=20}, "L\1\7\0\35X/F\0\0\0\0\0\0\0\0\340\0\16!", ) , ) == 0x0
 01170   408   NtQueryInformationFile  (88, 1242356, 8, Position, ... {status=0x0, info=8}, ) == 0x0
 01171   408   NtSetInformationFile  (88, 1242356, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01172   408   NtReadFile  (88, 0, 0, 0, 40, 0x0, 0, ... {status=0x0, info=40},  (88, 0, 0, 0, 40, 0x0, 0, ... {status=0x0, info=40}, ".text\0\0\0\0\240\1\0\0\20\0\0\0\342\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0\300", ) , ) == 0x0
 01173   408   NtReadFile  (88, 0, 0, 0, 40, 0x0, 0, ... {status=0x0, info=40},  (88, 0, 0, 0, 40, 0x0, 0, ... {status=0x0, info=40}, ".rdata\0\0\0p\0\0\0\260\1\0\0p\0\0\0\350\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0\300", ) , ) == 0x0
 01174   408   NtReadFile  (88, 0, 0, 0, 40, 0x0, 0, ... {status=0x0, info=40},  (88, 0, 0, 0, 40, 0x0, 0, ... {status=0x0, info=40}, ".data\0\0\0\0`\0\0\0 \2\0\0\12\0\0\0X\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0\300", ) , ) == 0x0
 01175   408   NtReadFile  (88, 0, 0, 0, 40, 0x0, 0, ... {status=0x0, info=40},  (88, 0, 0, 0, 40, 0x0, 0, ... {status=0x0, info=40}, ".rsrc\0\0\0\0 \0\0\0\200\2\0\0\22\0\0\0b\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0\300", ) , ) == 0x0
 01176   408   NtQueryInformationFile  (88, 1242028, 8, Position, ... {status=0x0, info=8}, ) == 0x0
 01177   408   NtSetInformationFile  (88, 1242028, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01178   408   NtSetInformationFile  (88, 1242024, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01179   408   NtReadFile  (88, 0, 0, 0, 16, 0x0, 0, ... {status=0x0, info=16},  (88, 0, 0, 0, 16, 0x0, 0, ... {status=0x0, info=16}, "\0\0\0\0\0\0\0\0\0\0\0\0\2\0\2\0", ) , ) == 0x0
 01180   408   NtReadFile  (88, 0, 0, 0, 8, 0x0, 0, ... {status=0x0, info=8},  (88, 0, 0, 0, 8, 0x0, 0, ... {status=0x0, info=8}, "`\1\0\2000\0\0\200", ) , ) == 0x0
 01181   408   NtQueryInformationFile  (88, 1242024, 8, Position, ... {status=0x0, info=8}, ) == 0x0
 01182   408   NtSetInformationFile  (88, 1242024, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01183   408   NtSetInformationFile  (88, 1242024, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01184   408   NtReadFile  (88, 0, 0, 0, 2, 0x0, 0, ... {status=0x0, info=2},  (88, 0, 0, 0, 2, 0x0, 0, ... {status=0x0, info=2}, "\10\0", ) , ) == 0x0
 01185   408   NtSetInformationFile  (88, 1242024, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01186   408   NtReadFile  (88, 0, 0, 0, 8, 0x0, 0, ... {status=0x0, info=8},  (88, 0, 0, 0, 8, 0x0, 0, ... {status=0x0, info=8}, "r\1\0\200P\0\0\200", ) , ) == 0x0
 01187   408   NtQueryInformationFile  (88, 1242024, 8, Position, ... {status=0x0, info=8}, ) == 0x0
 01188   408   NtSetInformationFile  (88, 1242024, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01189   408   NtSetInformationFile  (88, 1242024, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01190   408   NtReadFile  (88, 0, 0, 0, 2, 0x0, 0, ... {status=0x0, info=2},  (88, 0, 0, 0, 2, 0x0, 0, ... {status=0x0, info=2}, "\7\0", ) , ) == 0x0
 01191   408   NtReadFile  (88, 0, 0, 0, 14, 0x0, 0, ... {status=0x0, info=14},  (88, 0, 0, 0, 14, 0x0, 0, ... {status=0x0, info=14}, "T\0Y\0P\0E\0L\0I\0B\0", ) , ) == 0x0
 01192   408   NtSetInformationFile  (88, 1242024, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01193   408   NtSetInformationFile  (88, 1242024, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01194   408   NtQueryInformationFile  (88, 1242028, 8, Position, ... {status=0x0, info=8}, ) == 0x0
 01195   408   NtSetInformationFile  (88, 1242028, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01196   408   NtSetInformationFile  (88, 1242024, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01197   408   NtReadFile  (88, 0, 0, 0, 16, 0x0, 0, ... {status=0x0, info=16},  (88, 0, 0, 0, 16, 0x0, 0, ... {status=0x0, info=16}, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0", ) , ) == 0x0
 01198   408   NtQueryInformationFile  (88, 1242024, 8, Position, ... {status=0x0, info=8}, ) == 0x0
 01199   408   NtSetInformationFile  (88, 1242024, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01200   408   NtReadFile  (88, 0, 0, 0, 8, 0x0, 0, ... {status=0x0, info=8},  (88, 0, 0, 0, 8, 0x0, 0, ... {status=0x0, info=8}, "\1\0\0\0\310\0\0\200", ) , ) == 0x0
 01201   408   NtSetInformationFile  (88, 1242024, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01202   408   NtQueryInformationFile  (88, 1242028, 8, Position, ... {status=0x0, info=8}, ) == 0x0
 01203   408   NtSetInformationFile  (88, 1242028, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01204   408   NtSetInformationFile  (88, 1242024, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01205   408   NtReadFile  (88, 0, 0, 0, 16, 0x0, 0, ... {status=0x0, info=16},  (88, 0, 0, 0, 16, 0x0, 0, ... {status=0x0, info=16}, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0", ) , ) == 0x0
 01206   408   NtReadFile  (88, 0, 0, 0, 8, 0x0, 0, ... {status=0x0, info=8},  (88, 0, 0, 0, 8, 0x0, 0, ... {status=0x0, info=8}, "\11\4\0\00\1\0\0", ) , ) == 0x0
 01207   408   NtSetInformationFile  (88, 1242024, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01208   408   NtSetInformationFile  (88, 1242356, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01209   408   NtReadFile  (88, 0, 0, 0, 16, 0x0, 0, ... {status=0x0, info=16},  (88, 0, 0, 0, 16, 0x0, 0, ... {status=0x0, info=16}, "\340\211\2\0l\7\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01210   408   NtQueryInformationFile  (88, 1242708, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01211   408   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 88, ... 92, ) == 0x0
 01212   408   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01213   408   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01214   408   NtMapViewOfSection  (92, -1, (0x0), 0, 0, {65536, 0}, 29516, 1, 0, 2, ... (0x3c0000), {65536, 0}, 32768, ) == 0x0
 01215   408   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01216   408   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01217   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01218   408   NtOpenKey  (0x2000000, {24, 82, 0x40, 0, 0,  (0x2000000, {24, 82, 0x40, 0, 0, "TypeLib"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01219   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\TypeLib"}, ... 100, ) }, ... 100, ) == 0x0
 01220   408   NtQueryKey  (102, Name, 384, ... {Name= (102, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib"}, 88, ) }, 88, ) == 0x0
 01221   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01222   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 96, ) == 0x0
 01223   408   NtQueryInformationToken  (96, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01224   408   NtClose  (96, ... ) == 0x0
 01225   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01226   408   NtOpenKey  (0x2000000, {24, 102, 0x40, 0, 0,  (0x2000000, {24, 102, 0x40, 0, 0, "{E0F73B05-A982-4B1D-85A6-95669E94E070}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01227   408   NtQueryKey  (102, Name, 382, ... {Name= (102, Name, 382, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib"}, 88, ) }, 88, ) == 0x0
 01228   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01229   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 96, ) == 0x0
 01230   408   NtQueryInformationToken  (96, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01231   408   NtClose  (96, ... ) == 0x0
 01232   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01233   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes"}, ... 96, ) }, ... 96, ) == 0x0
 01234   408   NtCreateKey  (0x2000000, {24, 96, 0x40, 0, 0,  (0x2000000, {24, 96, 0x40, 0, 0, "TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 01235   408   NtSetInformationFile  (-2147482808, -130841564, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01236   408   NtSetInformationFile  (-2147482808, -130841660, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01234   408   NtCreateKey  ... 84, 1, ) == 0x0
 01237   408   NtClose  (96, ... ) == 0x0
 01238   408   NtQueryKey  (86, Name, 384, ... {Name= (86, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}l"}, 166, ) }, 166, ) == 0x0
 01239   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01240   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 96, ) == 0x0
 01241   408   NtQueryInformationToken  (96, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01242   408   NtClose  (96, ... ) == 0x0
 01243   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}\1.0"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01244   408   NtOpenKey  (0x2000000, {24, 86, 0x40, 0, 0,  (0x2000000, {24, 86, 0x40, 0, 0, "1.0"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01245   408   NtQueryKey  (86, Name, 382, ... {Name= (86, Name, 382, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}l"}, 166, ) }, 166, ) == 0x0
 01246   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01247   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 96, ) == 0x0
 01248   408   NtQueryInformationToken  (96, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01249   408   NtClose  (96, ... ) == 0x0
 01250   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}\1.0"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01251   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes"}, ... 96, ) }, ... 96, ) == 0x0
 01252   408   NtCreateKey  (0x2000000, {24, 96, 0x40, 0, 0,  (0x2000000, {24, 96, 0x40, 0, 0, "TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}\1.0"}, 0, 0x0, 0, ... 104, 1, ) }, 0, 0x0, 0, ... 104, 1, ) == 0x0
 01253   408   NtClose  (96, ... ) == 0x0
 01254   408   NtQueryKey  (106, Name, 392, ... {Name= (106, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}\1.0e"}, 174, ) }, 174, ) == 0x0
 01255   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01256   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 96, ) == 0x0
 01257   408   NtQueryInformationToken  (96, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01258   408   NtClose  (96, ... ) == 0x0
 01259   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}\1.0"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01260   408   NtQueryValueKey  (106, 0x0, Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01261   408   NtQueryKey  (106, Name, 392, ... {Name= (106, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}\1.0e"}, 174, ) }, 174, ) == 0x0
 01262   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01263   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 96, ) == 0x0
 01264   408   NtQueryInformationToken  (96, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01265   408   NtClose  (96, ... ) == 0x0
 01266   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}\1.0"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01267   408   NtSetValueKey  (106, 0x0, 0, 1,  (106, 0x0, 0, 1, "I\0E\0A\0s\0s\0i\0s\0t\0a\0n\0t\0 \01\0.\00\0 \0T\0y\0p\0e\0 \0L\0i\0b\0r\0a\0r\0y\0\0\0", 58, ... ) , 58, ... ) == 0x0
 01268   408   NtQueryKey  (106, Name, 384, ... {Name= (106, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}\1.0e"}, 174, ) }, 174, ) == 0x0
 01269   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01270   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 96, ) == 0x0
 01271   408   NtQueryInformationToken  (96, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01272   408   NtClose  (96, ... ) == 0x0
 01273   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}\1.0\FLAGS"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01274   408   NtOpenKey  (0x2000000, {24, 106, 0x40, 0, 0,  (0x2000000, {24, 106, 0x40, 0, 0, "FLAGS"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01275   408   NtQueryKey  (106, Name, 382, ... {Name= (106, Name, 382, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}\1.0e"}, 174, ) }, 174, ) == 0x0
 01276   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01277   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 96, ) == 0x0
 01278   408   NtQueryInformationToken  (96, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01279   408   NtClose  (96, ... ) == 0x0
 01280   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}\1.0\FLAGS"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01281   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes"}, ... 96, ) }, ... 96, ) == 0x0
 01282   408   NtCreateKey  (0x2000000, {24, 96, 0x40, 0, 0,  (0x2000000, {24, 96, 0x40, 0, 0, "TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}\1.0\FLAGS"}, 0, 0x0, 0, ... 108, 1, ) }, 0, 0x0, 0, ... 108, 1, ) == 0x0
 01283   408   NtClose  (96, ... ) == 0x0
 01284   408   NtQueryKey  (110, Name, 392, ... {Name= (110, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}\1.0\FLAGSe"}, 186, ) }, 186, ) == 0x0
 01285   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01286   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 96, ) == 0x0
 01287   408   NtQueryInformationToken  (96, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01288   408   NtClose  (96, ... ) == 0x0
 01289   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}\1.0\FLAGS"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01290   408   NtQueryValueKey  (110, 0x0, Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01291   408   NtQueryKey  (110, Name, 392, ... {Name= (110, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}\1.0\FLAGSe"}, 186, ) }, 186, ) == 0x0
 01292   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01293   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 96, ) == 0x0
 01294   408   NtQueryInformationToken  (96, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01295   408   NtClose  (96, ... ) == 0x0
 01296   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}\1.0\FLAGS"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01297   408   NtSetValueKey  (110, 0x0, 0, 1,  (110, 0x0, 0, 1, "0\0\0\0", 4, ... ) , 4, ... ) == 0x0
 01298   408   NtClose  (110, ... ) == 0x0
 01299   408   NtQueryKey  (106, Name, 384, ... {Name= (106, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}\1.0e"}, 174, ) }, 174, ) == 0x0
 01300   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01301   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 108, ) == 0x0
 01302   408   NtQueryInformationToken  (108, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01303   408   NtClose  (108, ... ) == 0x0
 01304   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}\1.0\0"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01305   408   NtOpenKey  (0x2000000, {24, 106, 0x40, 0, 0,  (0x2000000, {24, 106, 0x40, 0, 0, "0"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01306   408   NtQueryKey  (106, Name, 382, ... {Name= (106, Name, 382, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}\1.0e"}, 174, ) }, 174, ) == 0x0
 01307   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01308   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 108, ) == 0x0
 01309   408   NtQueryInformationToken  (108, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01310   408   NtClose  (108, ... ) == 0x0
 01311   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}\1.0\0"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01312   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes"}, ... 108, ) }, ... 108, ) == 0x0
 01313   408   NtCreateKey  (0x2000000, {24, 108, 0x40, 0, 0,  (0x2000000, {24, 108, 0x40, 0, 0, "TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}\1.0\0"}, 0, 0x0, 0, ... 96, 1, ) }, 0, 0x0, 0, ... 96, 1, ) == 0x0
 01314   408   NtClose  (108, ... ) == 0x0
 01315   408   NtQueryKey  (98, Name, 384, ... {Name= (98, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}\1.0\0\"}, 178, ) }, 178, ) == 0x0
 01316   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01317   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 108, ) == 0x0
 01318   408   NtQueryInformationToken  (108, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01319   408   NtClose  (108, ... ) == 0x0
 01320   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}\1.0\0\win32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01321   408   NtOpenKey  (0x2000000, {24, 98, 0x40, 0, 0,  (0x2000000, {24, 98, 0x40, 0, 0, "win32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01322   408   NtQueryKey  (98, Name, 382, ... {Name= (98, Name, 382, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}\1.0\0\"}, 178, ) }, 178, ) == 0x0
 01323   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01324   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 108, ) == 0x0
 01325   408   NtQueryInformationToken  (108, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01326   408   NtClose  (108, ... ) == 0x0
 01327   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}\1.0\0\win32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01328   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes"}, ... 108, ) }, ... 108, ) == 0x0
 01329   408   NtCreateKey  (0x2000000, {24, 108, 0x40, 0, 0,  (0x2000000, {24, 108, 0x40, 0, 0, "TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}\1.0\0\win32"}, 0, 0x0, 0, ... 112, 1, ) }, 0, 0x0, 0, ... 112, 1, ) == 0x0
 01330   408   NtClose  (108, ... ) == 0x0
 01331   408   NtQueryKey  (114, Name, 392, ... {Name= (114, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}\1.0\0\win32i"}, 190, ) }, 190, ) == 0x0
 01332   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01333   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 108, ) == 0x0
 01334   408   NtQueryInformationToken  (108, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01335   408   NtClose  (108, ... ) == 0x0
 01336   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}\1.0\0\win32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01337   408   NtQueryValueKey  (114, 0x0, Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01338   408   NtQueryKey  (114, Name, 392, ... {Name= (114, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}\1.0\0\win32i"}, 190, ) }, 190, ) == 0x0
 01339   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01340   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 108, ) == 0x0
 01341   408   NtQueryInformationToken  (108, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01342   408   NtClose  (108, ... ) == 0x0
 01343   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}\1.0\0\win32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01344   408   NtSetValueKey  (114, 0x0, 0, 1,  (114, 0x0, 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0i\0e\0a\0.\0d\0l\0l\0\0\0", 56, ... ) , 56, ... ) == 0x0
 01345   408   NtQueryKey  (106, Name, 384, ... {Name= (106, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}\1.0e"}, 174, ) }, 174, ) == 0x0
 01346   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01347   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 108, ) == 0x0
 01348   408   NtQueryInformationToken  (108, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01349   408   NtClose  (108, ... ) == 0x0
 01350   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}\1.0\HELPDIR"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01351   408   NtOpenKey  (0x2000000, {24, 106, 0x40, 0, 0,  (0x2000000, {24, 106, 0x40, 0, 0, "HELPDIR"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01352   408   NtQueryKey  (106, Name, 382, ... {Name= (106, Name, 382, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}\1.0e"}, 174, ) }, 174, ) == 0x0
 01353   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01354   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 108, ) == 0x0
 01355   408   NtQueryInformationToken  (108, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01356   408   NtClose  (108, ... ) == 0x0
 01357   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}\1.0\HELPDIR"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01358   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes"}, ... 108, ) }, ... 108, ) == 0x0
 01359   408   NtCreateKey  (0x2000000, {24, 108, 0x40, 0, 0,  (0x2000000, {24, 108, 0x40, 0, 0, "TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}\1.0\HELPDIR"}, 0, 0x0, 0, ... 116, 1, ) }, 0, 0x0, 0, ... 116, 1, ) == 0x0
 01360   408   NtClose  (108, ... ) == 0x0
 01361   408   NtQueryKey  (118, Name, 392, ... {Name= (118, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}\1.0\HELPDIRi"}, 190, ) }, 190, ) == 0x0
 01362   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01363   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 108, ) == 0x0
 01364   408   NtQueryInformationToken  (108, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01365   408   NtClose  (108, ... ) == 0x0
 01366   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}\1.0\HELPDIR"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01367   408   NtQueryValueKey  (118, 0x0, Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01368   408   NtQueryKey  (118, Name, 392, ... {Name= (118, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}\1.0\HELPDIRi"}, 190, ) }, 190, ) == 0x0
 01369   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01370   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 108, ) == 0x0
 01371   408   NtQueryInformationToken  (108, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01372   408   NtClose  (108, ... ) == 0x0
 01373   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}\1.0\HELPDIR"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01374   408   NtSetValueKey  (118, 0x0, 0, 1,  (118, 0x0, 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0\0\0", 42, ... ) , 42, ... ) == 0x0
 01375   408   NtClose  (118, ... ) == 0x0
 01376   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01377   408   NtOpenKey  (0x2000000, {24, 82, 0x40, 0, 0,  (0x2000000, {24, 82, 0x40, 0, 0, "Interface"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01378   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 116, ) }, ... 116, ) == 0x0
 01379   408   NtQueryKey  (118, Name, 384, ... {Name= (118, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface"}, 92, ) }, 92, ) == 0x0
 01380   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01381   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 108, ) == 0x0
 01382   408   NtQueryInformationToken  (108, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01383   408   NtClose  (108, ... ) == 0x0
 01384   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{E78CBE69-59ED-4F51-93BB-7A040B5DF2DC}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01385   408   NtOpenKey  (0x2000000, {24, 118, 0x40, 0, 0,  (0x2000000, {24, 118, 0x40, 0, 0, "{E78CBE69-59ED-4F51-93BB-7A040B5DF2DC}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01386   408   NtQueryKey  (118, Name, 382, ... {Name= (118, Name, 382, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface"}, 92, ) }, 92, ) == 0x0
 01387   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01388   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 108, ) == 0x0
 01389   408   NtQueryInformationToken  (108, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01390   408   NtClose  (108, ... ) == 0x0
 01391   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{E78CBE69-59ED-4F51-93BB-7A040B5DF2DC}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01392   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes"}, ... 108, ) }, ... 108, ) == 0x0
 01393   408   NtCreateKey  (0x2000000, {24, 108, 0x40, 0, 0,  (0x2000000, {24, 108, 0x40, 0, 0, "Interface\{E78CBE69-59ED-4F51-93BB-7A040B5DF2DC}"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 01394   408   NtSetInformationFile  (-2147482808, -130841564, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01395   408   NtSetInformationFile  (-2147482808, -130841668, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01396   408   NtSetInformationFile  (-2147482808, -130841660, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01393   408   NtCreateKey  ... 120, 1, ) == 0x0
 01397   408   NtClose  (108, ... ) == 0x0
 01398   408   NtQueryKey  (122, Name, 392, ... {Name= (122, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E78CBE69-59ED-4F51-93BB-7A040B5DF2DC}s"}, 170, ) }, 170, ) == 0x0
 01399   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01400   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 108, ) == 0x0
 01401   408   NtQueryInformationToken  (108, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01402   408   NtClose  (108, ... ) == 0x0
 01403   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{E78CBE69-59ED-4F51-93BB-7A040B5DF2DC}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01404   408   NtQueryValueKey  (122, 0x0, Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01405   408   NtQueryKey  (122, Name, 392, ... {Name= (122, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E78CBE69-59ED-4F51-93BB-7A040B5DF2DC}s"}, 170, ) }, 170, ) == 0x0
 01406   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01407   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 108, ) == 0x0
 01408   408   NtQueryInformationToken  (108, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01409   408   NtClose  (108, ... ) == 0x0
 01410   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{E78CBE69-59ED-4F51-93BB-7A040B5DF2DC}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01411   408   NtSetValueKey  (122, 0x0, 0, 1,  (122, 0x0, 0, 1, "_\0I\0A\0s\0s\0i\0s\0t\0a\0n\0t\0E\0v\0e\0n\0t\0s\0\0\0", 36, ... ) , 36, ... ) == 0x0
 01412   408   NtQueryKey  (122, Name, 384, ... {Name= (122, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E78CBE69-59ED-4F51-93BB-7A040B5DF2DC}s"}, 170, ) }, 170, ) == 0x0
 01413   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01414   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 108, ) == 0x0
 01415   408   NtQueryInformationToken  (108, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01416   408   NtClose  (108, ... ) == 0x0
 01417   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{E78CBE69-59ED-4F51-93BB-7A040B5DF2DC}\ProxyStubClsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01418   408   NtOpenKey  (0x2000000, {24, 122, 0x40, 0, 0,  (0x2000000, {24, 122, 0x40, 0, 0, "ProxyStubClsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01419   408   NtQueryKey  (122, Name, 382, ... {Name= (122, Name, 382, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E78CBE69-59ED-4F51-93BB-7A040B5DF2DC}s"}, 170, ) }, 170, ) == 0x0
 01420   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01421   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 108, ) == 0x0
 01422   408   NtQueryInformationToken  (108, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01423   408   NtClose  (108, ... ) == 0x0
 01424   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{E78CBE69-59ED-4F51-93BB-7A040B5DF2DC}\ProxyStubClsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01425   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes"}, ... 108, ) }, ... 108, ) == 0x0
 01426   408   NtCreateKey  (0x2000000, {24, 108, 0x40, 0, 0,  (0x2000000, {24, 108, 0x40, 0, 0, "Interface\{E78CBE69-59ED-4F51-93BB-7A040B5DF2DC}\ProxyStubClsid"}, 0, 0x0, 0, ... 124, 1, ) }, 0, 0x0, 0, ... 124, 1, ) == 0x0
 01427   408   NtClose  (108, ... ) == 0x0
 01428   408   NtQueryKey  (126, Name, 392, ... {Name= (126, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E78CBE69-59ED-4F51-93BB-7A040B5DF2DC}\ProxyStubClsid"}, 200, ) }, 200, ) == 0x0
 01429   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01430   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 108, ) == 0x0
 01431   408   NtQueryInformationToken  (108, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01432   408   NtClose  (108, ... ) == 0x0
 01433   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{E78CBE69-59ED-4F51-93BB-7A040B5DF2DC}\ProxyStubClsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01434   408   NtQueryValueKey  (126, 0x0, Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01435   408   NtQueryKey  (126, Name, 392, ... {Name= (126, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E78CBE69-59ED-4F51-93BB-7A040B5DF2DC}\ProxyStubClsid"}, 200, ) }, 200, ) == 0x0
 01436   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01437   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 108, ) == 0x0
 01438   408   NtQueryInformationToken  (108, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01439   408   NtClose  (108, ... ) == 0x0
 01440   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{E78CBE69-59ED-4F51-93BB-7A040B5DF2DC}\ProxyStubClsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01441   408   NtSetValueKey  (126, 0x0, 0, 1,  (126, 0x0, 0, 1, "{\00\00\00\02\00\04\02\00\0-\00\00\00\00\0-\00\00\00\00\0-\0C\00\00\00\0-\00\00\00\00\00\00\00\00\00\00\04\06\0}\0\0\0", 78, ... ) , 78, ... ) == 0x0
 01442   408   NtClose  (126, ... ) == 0x0
 01443   408   NtQueryKey  (122, Name, 384, ... {Name= (122, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E78CBE69-59ED-4F51-93BB-7A040B5DF2DC}s"}, 170, ) }, 170, ) == 0x0
 01444   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01445   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 124, ) == 0x0
 01446   408   NtQueryInformationToken  (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01447   408   NtClose  (124, ... ) == 0x0
 01448   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{E78CBE69-59ED-4F51-93BB-7A040B5DF2DC}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01449   408   NtOpenKey  (0x2000000, {24, 122, 0x40, 0, 0,  (0x2000000, {24, 122, 0x40, 0, 0, "ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01450   408   NtQueryKey  (122, Name, 382, ... {Name= (122, Name, 382, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E78CBE69-59ED-4F51-93BB-7A040B5DF2DC}s"}, 170, ) }, 170, ) == 0x0
 01451   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01452   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 124, ) == 0x0
 01453   408   NtQueryInformationToken  (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01454   408   NtClose  (124, ... ) == 0x0
 01455   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{E78CBE69-59ED-4F51-93BB-7A040B5DF2DC}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01456   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes"}, ... 124, ) }, ... 124, ) == 0x0
 01457   408   NtCreateKey  (0x2000000, {24, 124, 0x40, 0, 0,  (0x2000000, {24, 124, 0x40, 0, 0, "Interface\{E78CBE69-59ED-4F51-93BB-7A040B5DF2DC}\ProxyStubClsid32"}, 0, 0x0, 0, ... 108, 1, ) }, 0, 0x0, 0, ... 108, 1, ) == 0x0
 01458   408   NtClose  (124, ... ) == 0x0
 01459   408   NtQueryKey  (110, Name, 392, ... {Name= (110, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E78CBE69-59ED-4F51-93BB-7A040B5DF2DC}\ProxyStubClsid32"}, 204, ) }, 204, ) == 0x0
 01460   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01461   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 124, ) == 0x0
 01462   408   NtQueryInformationToken  (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01463   408   NtClose  (124, ... ) == 0x0
 01464   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{E78CBE69-59ED-4F51-93BB-7A040B5DF2DC}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01465   408   NtQueryValueKey  (110, 0x0, Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01466   408   NtQueryKey  (110, Name, 392, ... {Name= (110, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E78CBE69-59ED-4F51-93BB-7A040B5DF2DC}\ProxyStubClsid32"}, 204, ) }, 204, ) == 0x0
 01467   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01468   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 124, ) == 0x0
 01469   408   NtQueryInformationToken  (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01470   408   NtClose  (124, ... ) == 0x0
 01471   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{E78CBE69-59ED-4F51-93BB-7A040B5DF2DC}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01472   408   NtSetValueKey  (110, 0x0, 0, 1,  (110, 0x0, 0, 1, "{\00\00\00\02\00\04\02\00\0-\00\00\00\00\0-\00\00\00\00\0-\0C\00\00\00\0-\00\00\00\00\00\00\00\00\00\00\04\06\0}\0\0\0", 78, ... ) , 78, ... ) == 0x0
 01473   408   NtClose  (110, ... ) == 0x0
 01474   408   NtQueryKey  (122, Name, 384, ... {Name= (122, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E78CBE69-59ED-4F51-93BB-7A040B5DF2DC}s"}, 170, ) }, 170, ) == 0x0
 01475   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01476   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 108, ) == 0x0
 01477   408   NtQueryInformationToken  (108, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01478   408   NtClose  (108, ... ) == 0x0
 01479   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{E78CBE69-59ED-4F51-93BB-7A040B5DF2DC}\TypeLib"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01480   408   NtOpenKey  (0x2000000, {24, 122, 0x40, 0, 0,  (0x2000000, {24, 122, 0x40, 0, 0, "TypeLib"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01481   408   NtQueryKey  (122, Name, 382, ... {Name= (122, Name, 382, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E78CBE69-59ED-4F51-93BB-7A040B5DF2DC}s"}, 170, ) }, 170, ) == 0x0
 01482   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01483   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 108, ) == 0x0
 01484   408   NtQueryInformationToken  (108, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01485   408   NtClose  (108, ... ) == 0x0
 01486   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{E78CBE69-59ED-4F51-93BB-7A040B5DF2DC}\TypeLib"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01487   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes"}, ... 108, ) }, ... 108, ) == 0x0
 01488   408   NtCreateKey  (0x2000000, {24, 108, 0x40, 0, 0,  (0x2000000, {24, 108, 0x40, 0, 0, "Interface\{E78CBE69-59ED-4F51-93BB-7A040B5DF2DC}\TypeLib"}, 0, 0x0, 0, ... 124, 1, ) }, 0, 0x0, 0, ... 124, 1, ) == 0x0
 01489   408   NtClose  (108, ... ) == 0x0
 01490   408   NtQueryKey  (126, Name, 392, ... {Name= (126, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E78CBE69-59ED-4F51-93BB-7A040B5DF2DC}\TypeLibe"}, 186, ) }, 186, ) == 0x0
 01491   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01492   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 108, ) == 0x0
 01493   408   NtQueryInformationToken  (108, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01494   408   NtClose  (108, ... ) == 0x0
 01495   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{E78CBE69-59ED-4F51-93BB-7A040B5DF2DC}\TypeLib"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01496   408   NtQueryValueKey  (126, 0x0, Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01497   408   NtQueryKey  (126, Name, 392, ... {Name= (126, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E78CBE69-59ED-4F51-93BB-7A040B5DF2DC}\TypeLibe"}, 186, ) }, 186, ) == 0x0
 01498   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01499   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 108, ) == 0x0
 01500   408   NtQueryInformationToken  (108, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01501   408   NtClose  (108, ... ) == 0x0
 01502   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{E78CBE69-59ED-4F51-93BB-7A040B5DF2DC}\TypeLib"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01503   408   NtSetValueKey  (126, 0x0, 0, 1,  (126, 0x0, 0, 1, "{\0E\00\0F\07\03\0B\00\05\0-\0A\09\08\02\0-\04\0B\01\0D\0-\08\05\0A\06\0-\09\05\06\06\09\0E\09\04\0E\00\07\00\0}\0\0\0", 78, ... ) , 78, ... ) == 0x0
 01504   408   NtQueryKey  (126, Name, 392, ... {Name= (126, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E78CBE69-59ED-4F51-93BB-7A040B5DF2DC}\TypeLibe"}, 186, ) }, 186, ) == 0x0
 01505   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01506   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 108, ) == 0x0
 01507   408   NtQueryInformationToken  (108, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01508   408   NtClose  (108, ... ) == 0x0
 01509   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{E78CBE69-59ED-4F51-93BB-7A040B5DF2DC}\TypeLib"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01510   408   NtQueryValueKey  (126,  (126, "Version", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01511   408   NtQueryKey  (126, Name, 392, ... {Name= (126, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E78CBE69-59ED-4F51-93BB-7A040B5DF2DC}\TypeLibe"}, 186, ) }, 186, ) == 0x0
 01512   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01513   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 108, ) == 0x0
 01514   408   NtQueryInformationToken  (108, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01515   408   NtClose  (108, ... ) == 0x0
 01516   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{E78CBE69-59ED-4F51-93BB-7A040B5DF2DC}\TypeLib"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01517   408   NtSetValueKey  (126,  (126, "Version", 0, 1, "1\0.\00\0\0\0", 8, ... ) , 0, 1,  (126, "Version", 0, 1, "1\0.\00\0\0\0", 8, ... ) , 8, ... ) == 0x0
 01518   408   NtClose  (126, ... ) == 0x0
 01519   408   NtClose  (122, ... ) == 0x0
 01520   408   NtQueryKey  (118, Name, 384, ... {Name= (118, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface"}, 92, ) }, 92, ) == 0x0
 01521   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01522   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 120, ) == 0x0
 01523   408   NtQueryInformationToken  (120, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01524   408   NtClose  (120, ... ) == 0x0
 01525   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{B04FF886-12BF-4359-A280-311A94A8663D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01526   408   NtOpenKey  (0x2000000, {24, 118, 0x40, 0, 0,  (0x2000000, {24, 118, 0x40, 0, 0, "{B04FF886-12BF-4359-A280-311A94A8663D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01527   408   NtQueryKey  (118, Name, 382, ... {Name= (118, Name, 382, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface"}, 92, ) }, 92, ) == 0x0
 01528   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01529   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 120, ) == 0x0
 01530   408   NtQueryInformationToken  (120, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01531   408   NtClose  (120, ... ) == 0x0
 01532   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{B04FF886-12BF-4359-A280-311A94A8663D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01533   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes"}, ... 120, ) }, ... 120, ) == 0x0
 01534   408   NtCreateKey  (0x2000000, {24, 120, 0x40, 0, 0,  (0x2000000, {24, 120, 0x40, 0, 0, "Interface\{B04FF886-12BF-4359-A280-311A94A8663D}"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 01535   408   NtSetInformationFile  (-2147482808, -130841660, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01534   408   NtCreateKey  ... 124, 1, ) == 0x0
 01536   408   NtClose  (120, ... ) == 0x0
 01537   408   NtQueryKey  (126, Name, 392, ... {Name= (126, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B04FF886-12BF-4359-A280-311A94A8663D}s"}, 170, ) }, 170, ) == 0x0
 01538   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01539   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 120, ) == 0x0
 01540   408   NtQueryInformationToken  (120, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01541   408   NtClose  (120, ... ) == 0x0
 01542   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{B04FF886-12BF-4359-A280-311A94A8663D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01543   408   NtQueryValueKey  (126, 0x0, Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01544   408   NtQueryKey  (126, Name, 392, ... {Name= (126, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B04FF886-12BF-4359-A280-311A94A8663D}s"}, 170, ) }, 170, ) == 0x0
 01545   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01546   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 120, ) == 0x0
 01547   408   NtQueryInformationToken  (120, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01548   408   NtClose  (120, ... ) == 0x0
 01549   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{B04FF886-12BF-4359-A280-311A94A8663D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01550   408   NtSetValueKey  (126, 0x0, 0, 1,  (126, 0x0, 0, 1, "I\0A\0s\0s\0i\0s\0t\0a\0n\0t\0\0\0", 22, ... ) , 22, ... ) == 0x0
 01551   408   NtQueryKey  (126, Name, 384, ... {Name= (126, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B04FF886-12BF-4359-A280-311A94A8663D}s"}, 170, ) }, 170, ) == 0x0
 01552   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01553   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 120, ) == 0x0
 01554   408   NtQueryInformationToken  (120, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01555   408   NtClose  (120, ... ) == 0x0
 01556   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{B04FF886-12BF-4359-A280-311A94A8663D}\ProxyStubClsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01557   408   NtOpenKey  (0x2000000, {24, 126, 0x40, 0, 0,  (0x2000000, {24, 126, 0x40, 0, 0, "ProxyStubClsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01558   408   NtQueryKey  (126, Name, 382, ... {Name= (126, Name, 382, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B04FF886-12BF-4359-A280-311A94A8663D}s"}, 170, ) }, 170, ) == 0x0
 01559   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01560   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 120, ) == 0x0
 01561   408   NtQueryInformationToken  (120, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01562   408   NtClose  (120, ... ) == 0x0
 01563   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{B04FF886-12BF-4359-A280-311A94A8663D}\ProxyStubClsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01564   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes"}, ... 120, ) }, ... 120, ) == 0x0
 01565   408   NtCreateKey  (0x2000000, {24, 120, 0x40, 0, 0,  (0x2000000, {24, 120, 0x40, 0, 0, "Interface\{B04FF886-12BF-4359-A280-311A94A8663D}\ProxyStubClsid"}, 0, 0x0, 0, ... 108, 1, ) }, 0, 0x0, 0, ... 108, 1, ) == 0x0
 01566   408   NtClose  (120, ... ) == 0x0
 01567   408   NtQueryKey  (110, Name, 392, ... {Name= (110, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B04FF886-12BF-4359-A280-311A94A8663D}\ProxyStubClsid"}, 200, ) }, 200, ) == 0x0
 01568   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01569   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 120, ) == 0x0
 01570   408   NtQueryInformationToken  (120, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01571   408   NtClose  (120, ... ) == 0x0
 01572   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{B04FF886-12BF-4359-A280-311A94A8663D}\ProxyStubClsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01573   408   NtQueryValueKey  (110, 0x0, Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01574   408   NtQueryKey  (110, Name, 392, ... {Name= (110, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B04FF886-12BF-4359-A280-311A94A8663D}\ProxyStubClsid"}, 200, ) }, 200, ) == 0x0
 01575   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01576   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 120, ) == 0x0
 01577   408   NtQueryInformationToken  (120, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01578   408   NtClose  (120, ... ) == 0x0
 01579   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{B04FF886-12BF-4359-A280-311A94A8663D}\ProxyStubClsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01580   408   NtSetValueKey  (110, 0x0, 0, 1,  (110, 0x0, 0, 1, "{\00\00\00\02\00\04\02\04\0-\00\00\00\00\0-\00\00\00\00\0-\0C\00\00\00\0-\00\00\00\00\00\00\00\00\00\00\04\06\0}\0\0\0", 78, ... ) , 78, ... ) == 0x0
 01581   408   NtClose  (110, ... ) == 0x0
 01582   408   NtQueryKey  (126, Name, 384, ... {Name= (126, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B04FF886-12BF-4359-A280-311A94A8663D}s"}, 170, ) }, 170, ) == 0x0
 01583   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01584   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 108, ) == 0x0
 01585   408   NtQueryInformationToken  (108, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01586   408   NtClose  (108, ... ) == 0x0
 01587   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{B04FF886-12BF-4359-A280-311A94A8663D}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01588   408   NtOpenKey  (0x2000000, {24, 126, 0x40, 0, 0,  (0x2000000, {24, 126, 0x40, 0, 0, "ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01589   408   NtQueryKey  (126, Name, 382, ... {Name= (126, Name, 382, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B04FF886-12BF-4359-A280-311A94A8663D}s"}, 170, ) }, 170, ) == 0x0
 01590   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01591   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 108, ) == 0x0
 01592   408   NtQueryInformationToken  (108, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01593   408   NtClose  (108, ... ) == 0x0
 01594   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{B04FF886-12BF-4359-A280-311A94A8663D}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01595   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes"}, ... 108, ) }, ... 108, ) == 0x0
 01596   408   NtCreateKey  (0x2000000, {24, 108, 0x40, 0, 0,  (0x2000000, {24, 108, 0x40, 0, 0, "Interface\{B04FF886-12BF-4359-A280-311A94A8663D}\ProxyStubClsid32"}, 0, 0x0, 0, ... 120, 1, ) }, 0, 0x0, 0, ... 120, 1, ) == 0x0
 01597   408   NtClose  (108, ... ) == 0x0
 01598   408   NtQueryKey  (122, Name, 392, ... {Name= (122, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B04FF886-12BF-4359-A280-311A94A8663D}\ProxyStubClsid32"}, 204, ) }, 204, ) == 0x0
 01599   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01600   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 108, ) == 0x0
 01601   408   NtQueryInformationToken  (108, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01602   408   NtClose  (108, ... ) == 0x0
 01603   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{B04FF886-12BF-4359-A280-311A94A8663D}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01604   408   NtQueryValueKey  (122, 0x0, Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01605   408   NtQueryKey  (122, Name, 392, ... {Name= (122, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B04FF886-12BF-4359-A280-311A94A8663D}\ProxyStubClsid32"}, 204, ) }, 204, ) == 0x0
 01606   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01607   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 108, ) == 0x0
 01608   408   NtQueryInformationToken  (108, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01609   408   NtClose  (108, ... ) == 0x0
 01610   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{B04FF886-12BF-4359-A280-311A94A8663D}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01611   408   NtSetValueKey  (122, 0x0, 0, 1,  (122, 0x0, 0, 1, "{\00\00\00\02\00\04\02\04\0-\00\00\00\00\0-\00\00\00\00\0-\0C\00\00\00\0-\00\00\00\00\00\00\00\00\00\00\04\06\0}\0\0\0", 78, ... ) , 78, ... ) == 0x0
 01612   408   NtClose  (122, ... ) == 0x0
 01613   408   NtQueryKey  (126, Name, 384, ... {Name= (126, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B04FF886-12BF-4359-A280-311A94A8663D}s"}, 170, ) }, 170, ) == 0x0
 01614   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01615   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 120, ) == 0x0
 01616   408   NtQueryInformationToken  (120, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01617   408   NtClose  (120, ... ) == 0x0
 01618   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{B04FF886-12BF-4359-A280-311A94A8663D}\TypeLib"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01619   408   NtOpenKey  (0x2000000, {24, 126, 0x40, 0, 0,  (0x2000000, {24, 126, 0x40, 0, 0, "TypeLib"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01620   408   NtQueryKey  (126, Name, 382, ... {Name= (126, Name, 382, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B04FF886-12BF-4359-A280-311A94A8663D}s"}, 170, ) }, 170, ) == 0x0
 01621   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01622   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 120, ) == 0x0
 01623   408   NtQueryInformationToken  (120, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01624   408   NtClose  (120, ... ) == 0x0
 01625   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{B04FF886-12BF-4359-A280-311A94A8663D}\TypeLib"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01626   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes"}, ... 120, ) }, ... 120, ) == 0x0
 01627   408   NtCreateKey  (0x2000000, {24, 120, 0x40, 0, 0,  (0x2000000, {24, 120, 0x40, 0, 0, "Interface\{B04FF886-12BF-4359-A280-311A94A8663D}\TypeLib"}, 0, 0x0, 0, ... 108, 1, ) }, 0, 0x0, 0, ... 108, 1, ) == 0x0
 01628   408   NtClose  (120, ... ) == 0x0
 01629   408   NtQueryKey  (110, Name, 392, ... {Name= (110, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B04FF886-12BF-4359-A280-311A94A8663D}\TypeLibe"}, 186, ) }, 186, ) == 0x0
 01630   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01631   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 120, ) == 0x0
 01632   408   NtQueryInformationToken  (120, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01633   408   NtClose  (120, ... ) == 0x0
 01634   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{B04FF886-12BF-4359-A280-311A94A8663D}\TypeLib"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01635   408   NtQueryValueKey  (110, 0x0, Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01636   408   NtQueryKey  (110, Name, 392, ... {Name= (110, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B04FF886-12BF-4359-A280-311A94A8663D}\TypeLibe"}, 186, ) }, 186, ) == 0x0
 01637   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01638   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 120, ) == 0x0
 01639   408   NtQueryInformationToken  (120, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01640   408   NtClose  (120, ... ) == 0x0
 01641   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{B04FF886-12BF-4359-A280-311A94A8663D}\TypeLib"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01642   408   NtSetValueKey  (110, 0x0, 0, 1,  (110, 0x0, 0, 1, "{\0E\00\0F\07\03\0B\00\05\0-\0A\09\08\02\0-\04\0B\01\0D\0-\08\05\0A\06\0-\09\05\06\06\09\0E\09\04\0E\00\07\00\0}\0\0\0", 78, ... ) , 78, ... ) == 0x0
 01643   408   NtQueryKey  (110, Name, 392, ... {Name= (110, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B04FF886-12BF-4359-A280-311A94A8663D}\TypeLibe"}, 186, ) }, 186, ) == 0x0
 01644   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01645   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 120, ) == 0x0
 01646   408   NtQueryInformationToken  (120, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01647   408   NtClose  (120, ... ) == 0x0
 01648   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{B04FF886-12BF-4359-A280-311A94A8663D}\TypeLib"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01649   408   NtQueryValueKey  (110,  (110, "Version", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01650   408   NtQueryKey  (110, Name, 392, ... {Name= (110, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B04FF886-12BF-4359-A280-311A94A8663D}\TypeLibe"}, 186, ) }, 186, ) == 0x0
 01651   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01652   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 120, ) == 0x0
 01653   408   NtQueryInformationToken  (120, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01654   408   NtClose  (120, ... ) == 0x0
 01655   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{B04FF886-12BF-4359-A280-311A94A8663D}\TypeLib"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01656   408   NtSetValueKey  (110,  (110, "Version", 0, 1, "1\0.\00\0\0\0", 8, ... ) , 0, 1,  (110, "Version", 0, 1, "1\0.\00\0\0\0", 8, ... ) , 8, ... ) == 0x0
 01657   408   NtClose  (110, ... ) == 0x0
 01658   408   NtClose  (126, ... ) == 0x0
 01659   408   NtClose  (118, ... ) == 0x0
 01660   408   NtClose  (114, ... ) == 0x0
 01661   408   NtClose  (98, ... ) == 0x0
 01662   408   NtClose  (106, ... ) == 0x0
 01663   408   NtClose  (86, ... ) == 0x0
 01664   408   NtClose  (102, ... ) == 0x0
 01665   408   NtClose  (88, ... ) == 0x0
 01666   408   NtUnmapViewOfSection  (-1, 0x3c0000, ... ) == 0x0
 01667   408   NtClose  (92, ... ) == 0x0
 01668   408   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x9,}, 4, ... ) == 0x0
 01669   408   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x8,}, 4, ... ) == 0x0
 01670   408   NtFreeVirtualMemory  (-1, (0x3b0000), 0, 32768, ... (0x3b0000), 65536, ) == 0x0
 01671   408   NtFreeVirtualMemory  (-1, (0x3a0000), 0, 32768, ... (0x3a0000), 65536, ) == 0x0
 01672   408   NtClose  (72, ... ) == 0x0
 01673   408   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x7,}, 4, ... ) == 0x0
 01674   408   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 01675   408   NtClose  (76, ... ) == 0x0
 01676   408   NtClose  (68, ... ) == 0x0
 01677   408   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x6,}, 4, ... ) == 0x0
 01678   408   NtClose  (52, ... ) == 0x0
 01679   408   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x5,}, 4, ... ) == 0x0
 01680   408   NtUnmapViewOfSection  (-1, 0x10000000, ... ) == 0x0
 01681   408   NtUnmapViewOfSection  (-1, 0x73000000, ... ) == 0x0
 01682   408   NtUnmapViewOfSection  (-1, 0x76200000, ... ) == 0x0
 01683   408   NtUnmapViewOfSection  (-1, 0x77120000, ... ) == 0x0
 01684   408   NtUnmapViewOfSection  (-1, 0x762c0000, ... ) == 0x0
 01685   408   NtUnmapViewOfSection  (-1, 0x762a0000, ... ) == 0x0
 01686   408   NtUnmapViewOfSection  (-1, 0x771b0000, ... ) == 0x0
 01687   408   NtQueryDefaultLocale  (1, 1243752, ... ) == 0x0
 01688   408   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1243880,  (0xc0100080, {24, 0, 0x40, 0, 1243880, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\clr.exe"}, 0x0, 128, 1, 5, 96, 0, 0, ... }, 0x0, 128, 1, 5, 96, 0, 0, ...
 01689   408   NtClose  (-2147482208, ... ) == 0x0
 01688   408   NtCreateFile  ... 52, {status=0x0, info=2}, ) == 0x0
 01690   408   NtWriteFile  (52, 0, 0, 0,  (52, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\350\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\327\310\33L\223\251u\37\223\251u\37\223\251u\37\226\245*\37\265\251u\37\226\245z\37\230\251u\37i\212l\37\221\251u\37\20\241(\37\220\251u\37\223\251t\37\322\251u\37\226\245\25\37\220\251u\37\226\245/\37\222\251u\37Rich\223\251u\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\5\0\177U/F\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\12\0@\0\0\00\0\0\0\0\0\0\1\200\0\0\0\20\0\0\0P\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\260\0\0\0\6\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\254\217\0\0\\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0T\217\0\0\10\0\0\0\20Q\0\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0.text\0\0\0\0@\0\0\0\20\0\0\0&\0\0", 18432, 0x0, 0, ... {status=0x0, info=18432}, ) , 18432, 0x0, 0, ... {status=0x0, info=18432}, ) == 0x0
 01691   408   NtClose  (52, ... ) == 0x0
 01692   408   NtOpenKey  (0x9, {24, 48, 0x40, 0, 0,  (0x9, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01693   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ole32.dll"}, ... 52, ) }, ... 52, ) == 0x0
 01694   408   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0
 01695   408   NtClose  (52, ... ) == 0x0
 01696   408   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01697   408   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01698   408   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 52, ) }, ... 52, ) == 0x0
 01699   408   NtQueryValueKey  (52,  (52, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (52, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0
 01700   408   NtClose  (52, ... ) == 0x0
 01701   408   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01702   408   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01703   408   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01704   408   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01705   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 52, ) }, ... 52, ) == 0x0
 01706   408   NtQueryValueKey  (52,  (52, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01707   408   NtQueryValueKey  (52,  (52, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01708   408   NtQueryValueKey  (52,  (52, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01709   408   NtClose  (52, ... ) == 0x0
 01710   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 52, ) }, ... 52, ) == 0x0
 01711   408   NtQueryValueKey  (52,  (52, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01712   408   NtQueryValueKey  (52,  (52, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01713   408   NtClose  (52, ... ) == 0x0
 01714   408   NtOpenEvent  (0x1f0003, {24, 64, 0x0, 0, 0,  (0x1f0003, {24, 64, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01715   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1237248, ... ) }, 1237248, ... ) == 0x0
 01716   408   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 01717   408   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 52, ... 68, ) == 0x0
 01718   408   NtClose  (52, ... ) == 0x0
 01719   408   NtMapViewOfSection  (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x390000), 0x0, 262144, ) == 0x0
 01720   408   NtClose  (68, ... ) == 0x0
 01721   408   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 01722   408   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01723   408   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01724   408   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01725   408   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... 68, {status=0x0, info=0}, ) }, 7, 16, ... 68, {status=0x0, info=0}, ) == 0x0
 01726   408   NtDeviceIoControlFile  (68, 0, 0x0, 0x0, 0x390008,  (68, 0, 0x0, 0x0, 0x390008, "\374yu\17\15\0\12\2603\265\232\34?\260\350\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01727   408   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01728   408   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01729   408   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01730   408   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01731   408   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01732   408   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01733   408   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01734   408   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482208, 2, ) }, 0, 0x0, 0, ... -2147482208, 2, ) == 0x0
 01735   408   NtSetValueKey  (-2147482208,  (-2147482208, "Seed", 0, 3, "\201\226\5\374\270=\311R>\211e\341\250Xk/\336\11\322\221\363\301\346Oi\257.\204\10\27fJ\317h\6\210!\223\-\241a;1\4\376<\214w\366\33\20\214\7~\31o\6|\233\203\355\215\231\325Lht}\246\262|\370\356H\24M\351", 80, ... ) , 0, 3,  (-2147482208, "Seed", 0, 3, "\201\226\5\374\270=\311R>\211e\341\250Xk/\336\11\322\221\363\301\346Oi\257.\204\10\27fJ\317h\6\210!\223\-\241a;1\4\376<\214w\366\33\20\214\7~\31o\6|\233\203\355\215\231\325Lht}\246\262|\370\356H\24M\351", 80, ... ) , 80, ... ) == 0x0
 01736   408   NtClose  (-2147482208, ... ) == 0x0
 01726   408   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\361\265\200q\362\331I\326\327\5;\17\2519\351\306/\336\200>TY\352%\216\253\335\231\275GS@\253\322!\243\21351\265\25 \340\256L\250\216\316\324\27\276m~J\263;\17\31S64){b\356+_\225omk\310\10\270C{\360x\21e\246Jw\15\17\360\346\355\250\332\376\15\22\30\301vt\2249\232\273\253T\234\3617K\226\214\322\310\373\25\352\257\27\241czW\31\273\367\370M\30\315\33\306\237\255L+\17\241", ) , ) == 0x0
 01737   408   NtAllocateVirtualMemory  (-1, 1368064, 0, 16384, 4096, 4, ... 1368064, 16384, ) == 0x0
 01738   408   NtUserRegisterClassExWOW  (1239332, 1239412, 1239396, 1239428, 0, 384, 0, ... ) == 0x810dc038
 01739   408   NtUserGetAtomName  (49208, 1238096, ... ) == 0x15
 01740   408   NtUserCreateWindowEx  (0, 49208, 49208,  (0, 49208, 49208, "OleMainThreadWndName", -2013265920, -2147483648, -2147483648, -2147483648, -2147483648, -3, 0, 1998258176, 0, 1073742848, 0, ... , -2013265920, -2147483648, -2147483648, -2147483648, -2147483648, -3, 0, 1998258176, 0, 1073742848, 0, ...
 01741   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1235620, ... ) }, 1235620, ... ) == 0x0
 01742   408   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 01743   408   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 52, ... 76, ) == 0x0
 01744   408   NtClose  (52, ... ) == 0x0
 01745   408   NtMapViewOfSection  (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x390000), 0x0, 204800, ) == 0x0
 01746   408   NtClose  (76, ... ) == 0x0
 01747   408   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 01748   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1235936, ... ) }, 1235936, ... ) == 0x0
 01749   408   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 76, {status=0x0, info=1}, ) }, 5, 96, ... 76, {status=0x0, info=1}, ) == 0x0
 01750   408   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 76, ... 52, ) == 0x0
 01751   408   NtQuerySection  (52, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01752   408   NtClose  (76, ... ) == 0x0
 01753   408   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5ad70000), 0x0, 212992, ) == 0x0
 01754   408   NtClose  (52, ... ) == 0x0
 01755   408   NtUserGetWindowDC  (0, ... ) == 0x1010050
 01756   408   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 01757   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01758   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 52, ) == 0x0
 01759   408   NtQueryInformationToken  (52, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01760   408   NtClose  (52, ... ) == 0x0
 01761   408   NtOpenKey  (0x2001f, {24, 0, 0x640, 0, 0,  (0x2001f, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 52, ) }, ... 52, ) == 0x0
 01762   408   NtOpenKey  (0x1, {24, 52, 0x40, 0, 0,  (0x1, {24, 52, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\ThemeManager"}, ... 76, ) }, ... 76, ) == 0x0
 01763   408   NtQueryValueKey  (76,  (76, "Compositing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01764   408   NtClose  (76, ... ) == 0x0
 01765   408   NtClose  (52, ... ) == 0x0
 01766   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01767   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 52, ) == 0x0
 01768   408   NtQueryInformationToken  (52, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01769   408   NtClose  (52, ... ) == 0x0
 01770   408   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 52, ) }, ... 52, ) == 0x0
 01771   408   NtOpenKey  (0x1, {24, 52, 0x40, 0, 0,  (0x1, {24, 52, 0x40, 0, 0, "Control Panel\Desktop"}, ... 76, ) }, ... 76, ) == 0x0
 01772   408   NtQueryValueKey  (76,  (76, "LameButtonText", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01773   408   NtClose  (76, ... ) == 0x0
 01774   408   NtClose  (52, ... ) == 0x0
 01775   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\UxTheme.dll"}, 1235436, ... ) }, 1235436, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01776   408   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "UxTheme.dll"}, 1235436, ... ) }, 1235436, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01777   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\UxTheme.dll"}, 1235436, ... ) }, 1235436, ... ) == 0x0
 01778   408   NtUserGetProcessWindowStation  (... ) == 0x24
 01779   408   NtUserGetObjectInformation  (36, 2, 0, 0, 1237732, ... ) == 0x0
 01780   408   NtUserGetObjectInformation  (36, 2, 1360544, 16, 1237732, ... ) == 0x1
 01781   408   NtUserGetGUIThreadInfo  (408, 1237688, ... ) == 0x1
 01782   408   NtConnectPort  ( ("\ThemeApiPort", {12, 2, 1, 1}, 0x0, 0x0, 1237508, 64, ... 52, 0x0, 0x0, 0x0, 64, ) , {12, 2, 1, 1}, 0x0, 0x0, 1237508, 64, ... 52, 0x0, 0x0, 0x0, 64, ) == 0x0
 01783   408   NtRequestWaitReplyPort  (52, {32, 56, new_msg, 0, 0, 0, 0, 0}  (52, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 404, 408, 1499, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 404, 408, 1499, 0}  (52, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 404, 408, 1499, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 01784   408   NtRequestWaitReplyPort  (52, {32, 56, new_msg, 0, 0, 0, 0, 0}  (52, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 404, 408, 1500, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 404, 408, 1500, 0}  (52, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 404, 408, 1500, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 01785   408   NtUserCallNoParam  (29, ...
 01786   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1234980, ... ) }, 1234980, ... ) == 0x0
 01785   408   NtUserCallNoParam  ... ) == 0x0
 01787   408   NtUserSystemParametersInfo  (41, 0, 1524225160, 0, ... ) == 0x1
 01788   408   NtGdiHfontCreate  (1237060, 356, 0, 0, 1329232, ... ) == 0x170a040b
 01789   408   NtGdiHfontCreate  (1237060, 356, 0, 0, 1329224, ... ) == 0x80a03d2
 01790   408   NtRequestWaitReplyPort  (52, {32, 56, new_msg, 0, 0, 0, 0, 0}  (52, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 404, 408, 1501, 0} "\0\0\0\0\0\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 404, 408, 1501, 0}  (52, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 404, 408, 1501, 0} "\0\0\0\0\0\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 01791   408   NtMapViewOfSection  (76, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x390000), {0, 0}, 331776, ) == 0x0
 01792   408   NtUserGetWindowDC  (0, ... ) == 0x1010050
 01793   408   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 01794   408   NtUserGetWindowDC  (0, ... ) == 0x1010050
 01795   408   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 01796   408   NtUserGetWindowDC  (0, ... ) == 0x1010050
 01797   408   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 01798   408   NtUserGetWindowDC  (0, ... ) == 0x1010050
 01799   408   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 01800   408   NtUserGetWindowDC  (0, ... ) == 0x1010050
 01801   408   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 01802   408   NtUserGetWindowDC  (0, ... ) == 0x1010050
 01803   408   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 01804   408   NtUserGetWindowDC  (0, ... ) == 0x1010050
 01805   408   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 01806   408   NtUserGetWindowDC  (0, ... ) == 0x1010050
 01807   408   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 01808   408   NtAllocateVirtualMemory  (-1, 3293184, 0, 4096, 4096, 4, ... 3293184, 4096, ) == 0x0
 01809   408   NtUserGetWindowDC  (0, ... ) == 0x1010050
 01810   408   NtGdiCreatePatternBrushInternal  (59048369, 0, 0, ... ) == 0x2b10040d
 01811   408   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 01812   408   NtUserCallNoParam  (29, ...
 01813   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1234424, ... ) }, 1234424, ... ) == 0x0
 01812   408   NtUserCallNoParam  ... ) == 0x0
 01814   408   NtUserCallNoParam  (29, ...
 01815   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1234420, ... ) }, 1234420, ... ) == 0x0
 01814   408   NtUserCallNoParam  ... ) == 0x0
 01816   408   NtUserMessageCall  (0x200b0, WM_NCCREATE, 0x0, 0x12e3fc, 0, 670, 0, ... ) == 0x1
 01817   408   NtUserMessageCall  (0x200b0, WM_NCCALCSIZE, 0x0, 0x12e424, 0, 670, 0, ... ) == 0x0
 01818   408   NtUserSetProp  (131248, 43288, -1, ... ) == 0x1
 01740   408   NtUserCreateWindowEx  ... ) == 0x200b0
 01819   408   NtDeviceIoControlFile  (68, 0, 0x0, 0x0, 0x390008,  (68, 0, 0x0, 0x0, 0x390008, "\374yu\17\15\0\12|\306#\357V*\324\25^.\256\361\313\276hE\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01820   408   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01821   408   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01822   408   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01823   408   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01824   408   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01825   408   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01826   408   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01827   408   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482208, 2, ) }, 0, 0x0, 0, ... -2147482208, 2, ) == 0x0
 01828   408   NtSetValueKey  (-2147482208,  (-2147482208, "Seed", 0, 3, "dKQ\247\303\274\274\11\5\220G\321\345u\243\225\215\25\370\250\16-\351\7\247\247\357w^\352\3\305?x;\230\314\310O^\227\325\226\243\321KA\245]\177\266\327G\361\300\267\254\325\362\331\325\26HYF\24\255\272{k-q\330R\363$\204\333", 80, ... ) , 0, 3,  (-2147482208, "Seed", 0, 3, "dKQ\247\303\274\274\11\5\220G\321\345u\243\225\215\25\370\250\16-\351\7\247\247\357w^\352\3\305?x;\230\314\310O^\227\325\226\243\321KA\245]\177\266\327G\361\300\267\254\325\362\331\325\26HYF\24\255\272{k-q\330R\363$\204\333", 80, ... ) , 80, ... ) == 0x0
 01829   408   NtClose  (-2147482208, ... ) == 0x0
 01819   408   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\326_\263i2P9V\313h\350\223\244\204\260e.\227\35|l\261\236C\207\324l\4u\177\274\261\202\312\232\3320u\231S\31\314\267\36@N\266\177\203X@\346\366'\321\343H\330\2=\17\221t\271\255\207\277\17\23\21\353\213\247\236K\341o\3*\214\227+\306\370\304|x\272\0\236\277\214\10\37I\240\138\221x\214\343\307\246,\210\206\31\320\227\332}\231\311\324\226\337\303\346\355\205\366\335FX\25\13s\224\254N\267\270\323M\340\236\4\363)\225\203\12\267\216\237\300\354\23{n$\2551\207C\230\214A\267r\2\225t^Qn\266g{\375+\344\250i.\5\244bi\305G\311 \264S#G\345\223(B\200E\352\205\350\226\322\203\31\337\303\32\242\371\21\224\314\364\300A\203\330b\242\240\357L\330p\3114\23\327\15\20\215@5\263\266M\344\357$\35_]\253\345\35\247", ) \203\31\337\303\32\242\371\21\224\314\364\300A\203\330b\242\240\357L\330p\3114\23\327\15\20\215@5\263\266M\344\357$\35_]\253\345\35\247", ) == 0x0
 01830   408   NtDeviceIoControlFile  (68, 0, 0x0, 0x0, 0x390008,  (68, 0, 0x0, 0x0, 0x390008, "\374yu\17\15\0\12|\306#\357V*\324\331\253\270\333\273\336\332\225\30.\256\361\313\276hE\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01831   408   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01832   408   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01833   408   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01834   408   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01835   408   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01836   408   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01837   408   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01838   408   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482208, 2, ) }, 0, 0x0, 0, ... -2147482208, 2, ) == 0x0
 01839   408   NtSetValueKey  (-2147482208,  (-2147482208, "Seed", 0, 3, "\357\336\313\342\334[b{t?\10\35\26 \351\242A\340\6??1\312\266\347\7\15\354\315\272\374\244\244\201\217\276jS\03\276\374\210\21\3437sj\215$\352\344\213\311X\3\256]J*I\267\236\321\247z\26E\310I&\263\216\1\271\32Cu\316", 80, ... ) , 0, 3,  (-2147482208, "Seed", 0, 3, "\357\336\313\342\334[b{t?\10\35\26 \351\242A\340\6??1\312\266\347\7\15\354\315\272\374\244\244\201\217\276jS\03\276\374\210\21\3437sj\215$\352\344\213\311X\3\256]J*I\267\236\321\247z\26E\310I&\263\216\1\271\32Cu\316", 80, ... ) , 80, ... ) == 0x0
 01840   408   NtClose  (-2147482208, ... ) == 0x0
 01830   408   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\26C\217Y\12\251\#\270\5'\245\327\346\224\276'\265\221\17{B\360\26\371\3735\201\342B\273\371\202\356/\275\275\240\206\236\343\236\326\346E\32\227\240\377\260\7\345C\226l\300/u\307H\26$\221q\6\304N\371v\310\325\2\372\245\251l(\272\224,*g\273\203D\327\265\21\10K\34\377\253\325e\224\254\216B\34\3lG\5\31'\306\0>-f:\26a$\256z\311\232\30\231\324\="\260yY\307\375\270\267\210\266\363\343N\236\300\177I\342\253\22\333Q\327\302\4<\6\1\342\34(e\16\366\307\5\355/\245\350@\347\26\206\341\370\233\304\277\300>s\325\30\260\366o\3169\217"I\263H\363\263p=\35\205z\316\200+\374$\327H\25/\31F*_7\201\263\350Hc\30r<\302\2048\330\332\13\351b\342\27\1\225\210\234\275xQ7\362s\307\261>5w\210\334w\325", ) \236\343\236\326\346E\32\227\240\377\260\7\345C\226l\300/u\307H\26$\221q\6\304N\371v\310\325\2\372\245\251l(\272\224,*g\273\203D\327\265\21\10K\34\377\253\325e\224\254\216B\34\3lG\5\31'\306\0>-f:\26a$\256z\311\232\30\231\324\= ... {status=0x0, info=256}, "\26C\217Y\12\251\#\270\5'\245\327\346\224\276'\265\221\17{B\360\26\371\3735\201\342B\273\371\202\356/\275\275\240\206\236\343\236\326\346E\32\227\240\377\260\7\345C\226l\300/u\307H\26$\221q\6\304N\371v\310\325\2\372\245\251l(\272\224,*g\273\203D\327\265\21\10K\34\377\253\325e\224\254\216B\34\3lG\5\31'\306\0>-f:\26a$\256z\311\232\30\231\324\="\260yY\307\375\270\267\210\266\363\343N\236\300\177I\342\253\22\333Q\327\302\4<\6\1\342\34(e\16\366\307\5\355/\245\350@\347\26\206\341\370\233\304\277\300>s\325\30\260\366o\3169\217"I\263H\363\263p=\35\205z\316\200+\374$\327H\25/\31F*_7\201\263\350Hc\30r<\302\2048\330\332\13\351b\342\27\1\225\210\234\275xQ7\362s\307\261>5w\210\334w\325", ) I\263H\363\263p=\35\205z\316\200+\374$\327H\25/\31F*_7\201\263\350Hc\30r<\302\2048\330\332\13\351b\342\27\1\225\210\234\275xQ7\362s\307\261>5w\210\334w\325", ) == 0x0
 01841   408   NtDeviceIoControlFile  (68, 0, 0x0, 0x0, 0x390008,  (68, 0, 0x0, 0x0, 0x390008, "\374yu\17\15\0\12|\306#\357V*\324\331\253\270\333\273\336\332Y\355\270\333\273\336\332\225\30.\256\361\313\276hE\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01842   408   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01843   408   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01844   408   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01845   408   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01846   408   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01847   408   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01848   408   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01849   408   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482208, 2, ) }, 0, 0x0, 0, ... -2147482208, 2, ) == 0x0
 01850   408   NtSetValueKey  (-2147482208,  (-2147482208, "Seed", 0, 3, "\224\244Iw\26\24\3\254\270U\270\365\3314\27\243si\244\233\242\315\222\6\17\4}\250\304m~1\15\4\26.\305\34\225+\267\26g\34\345{H\325\325zNeJu\261i\253\27\257\345\251\207ix\262\244\242\23\262\324\371\313\26\340\267po"h", 80, ... ) , 0, 3,  (-2147482208, "Seed", 0, 3, "\224\244Iw\26\24\3\254\270U\270\365\3314\27\243si\244\233\242\315\222\6\17\4}\250\304m~1\15\4\26.\305\34\225+\267\26g\34\345{H\325\325zNeJu\261i\253\27\257\345\251\207ix\262\244\242\23\262\324\371\313\26\340\267po"h", 80, ... ) h", 80, ... ) == 0x0
 01851   408   NtClose  (-2147482208, ... ) == 0x0
 01841   408   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "V$?>\31c\343Q\332y\2523\367\315&\6\357\35\355\6s\214\235\202\222\204m\275\13\257\7\323\305\303\26U\264CZ\216\336;a\272{?\340\372\374&\3619\303 \376\360\243\350q;~\260u\3647\223\33\261\3627|\245\345^&+\236\271;\364\207C\241\15L,bG\324\257y\333\230\214~\3626{\273\347H4e\323\23\34\13\371\223[\377~\342F\225\354>hJ.\206\304H\337h\4&\376\262\212p\222Kv\237\35D\342:[l\217N>\235\33\226\13\22\355\351b\317\302\214\17\216\15/\325\267<\227&\271\267<\370\366\312\253\206\243\351\301\320q\7\343\346$\216\272\257\225\206\270m\346\342\217\364\372I6!\306\326\4\303\320y\247\370\12\313\\266\325\245z\3170V8c8\371tg\10\207yq\305\264\215\353\30;\205\365q\267\32C\272\330&7\220\343\246n\366ik\357*x\326\25\350\235\315\22", ) , ) == 0x0
 01852   408   NtDeviceIoControlFile  (68, 0, 0x0, 0x0, 0x390008,  (68, 0, 0x0, 0x0, 0x390008, "\374yu\17\15\0\12|\306#\357V*\324\331\253\270\333\273\336\332Y\355\270\333\273\336\332Y\355\270\333\273\336\332\225\30.\256\361\313\276hE\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01853   408   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01854   408   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01855   408   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01856   408   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01857   408   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01858   408   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01859   408   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01860   408   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482208, 2, ) }, 0, 0x0, 0, ... -2147482208, 2, ) == 0x0
 01861   408   NtSetValueKey  (-2147482208,  (-2147482208, "Seed", 0, 3, "\363R\326\266;K\230\372w(g2\26\244\375X\236\36\356\1\313\240\365\240\313\233\370\317\24M\310\332\31\0\20\325%\346c\215\274tX>\306\317\177 \315B\264\32{\335\300\301\266\277"0\30;\0y\25\312$\11\213|\274\252\32io\230Q\36\3079", 80, ... ) , 0, 3,  (-2147482208, "Seed", 0, 3, "\363R\326\266;K\230\372w(g2\26\244\375X\236\36\356\1\313\240\365\240\313\233\370\317\24M\310\332\31\0\20\325%\346c\215\274tX>\306\317\177 \315B\264\32{\335\300\301\266\277"0\30;\0y\25\312$\11\213|\274\252\32io\230Q\36\3079", 80, ... ) 0\30;\0y\25\312$\11\213|\274\252\32io\230Q\36\3079", 80, ... ) == 0x0
 01862   408   NtClose  (-2147482208, ... ) == 0x0
 01852   408   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\231\274y\212\267D\21\252\20\253\243\37\118\21\253p\271\232n\322\223=\363.\311\211*~Y\227\207\4lwG\265j\250v\371\307\313E \325<@\5hI\375e\346\341@\227\220\326\261q*\337S\235\346UN=\334\240\223GW7\351\222\273K\202E\376n\242\216\272[\325\1M/4}\24>L{\303\15K%\33\322\363\261\3$\323\25\0\234\350\201\14\247\334w\351K\323\306\332\356\201\36\23\206,a\307"\23lGQE=\300\12\326V\275\365\245M<\334\0\215\274\375\206\3\256fR;\11\326\230e\6\5\313%\256\344\332\327\231\332\325$\355_\216&`\225@\3576PtG\256qY\311\242\372\30\312`\305\32\344\331\221\313tak\274\213\211\335)\315\13/\251\252{t\30.HN\207(\27\261\305\331\345\335\3415\234o\366\362\340\271\4\36\210\34\217<\362H\227J\37Sy0O&Sg\203J", ) \23lGQE=\300\12\326V\275\365\245M<\334\0\215\274\375\206\3\256fR;\11\326\230e\6\5\313%\256\344\332\327\231\332\325$\355_\216&`\225@\3576PtG\256qY\311\242\372\30\312`\305\32\344\331\221\313tak\274\213\211\335)\315\13/\251\252{t\30.HN\207(\27\261\305\331\345\335\3415\234o\366\362\340\271\4\36\210\34\217<\362H\227J\37Sy0O&Sg\203J", ) == 0x0
 01863   408   NtDeviceIoControlFile  (68, 0, 0x0, 0x0, 0x390008,  (68, 0, 0x0, 0x0, 0x390008, "\374yu\17\15\0\12|\306#\357V*\324\331\253\270\333\273\336\332Y\355\270\333\273\336\332Y\355\270\333\273\336\332Y\355\270\333\273\336\332\225\30.\256\361\313\276hE\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01864   408   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01865   408   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01866   408   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01867   408   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01868   408   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01869   408   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01870   408   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01871   408   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482208, 2, ) }, 0, 0x0, 0, ... -2147482208, 2, ) == 0x0
 01872   408   NtSetValueKey  (-2147482208,  (-2147482208, "Seed", 0, 3, "kw;\30r_\235\300\313A6\217\365/\\31=Nb\221\240\247\346l\202\267\213\26t\325\303V\14V\324\264\13\310\264\5F\212\215\7M\243\227\321\353\326\325\230\313\253\254\246\353\302G\211\331r\211\336z\356\235\267\230\212s\324\260\35\263\36\25`d\257", 80, ... ) , 0, 3,  (-2147482208, "Seed", 0, 3, "kw;\30r_\235\300\313A6\217\365/\\31=Nb\221\240\247\346l\202\267\213\26t\325\303V\14V\324\264\13\310\264\5F\212\215\7M\243\227\321\353\326\325\230\313\253\254\246\353\302G\211\331r\211\336z\356\235\267\230\212s\324\260\35\263\36\25`d\257", 80, ... ) , 80, ... ) == 0x0
 01873   408   NtClose  (-2147482208, ... ) == 0x0
 01863   408   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\27/\4\230\217h\5"+\230\252\25\214\323\2364\255\350\346\332z\304\344u\235\252\0\340i\3471\202\264\304\300\0`5\332\257\266c#fH,M \274\37\202\231\321\240\355\357\232\210\327\252rCj\255\336\252\5\326%\304\7\301\271\325c\257\354\\2701X\346\312Zi\334H\330H\10\204\27v\314X\370j=\242\313\265,\10bR\34\224\241\10mw\207\276p\335d\371\316\360\3557\352<[YDP\321\3205Y{\261\270\357\376\336PJ\370\264]l\345=}\222\322\4;H\276\350\3135~\351\20R$\246\371\307?\223\253,.`\2\254\365\236`\342C\330\211\334\365\347{,\232[\364\215\263F\341b;\22\341h\354\204\251.\347\320\300\231\342\322g\242\205\272\330\2368\370\261\330\20q\377\\331\25\270\333z\274Q1)\232,#nO\352:\252X\332\24\353&Fn\1Ayx\331\23\10\354\364\222\215", ) +\230\252\25\214\323\2364\255\350\346\332z\304\344u\235\252\0\340i\3471\202\264\304\300\0`5\332\257\266c#fH,M \274\37\202\231\321\240\355\357\232\210\327\252rCj\255\336\252\5\326%\304\7\301\271\325c\257\354\\2701X\346\312Zi\334H\330H\10\204\27v\314X\370j=\242\313\265,\10bR\34\224\241\10mw\207\276p\335d\371\316\360\3557\352<[YDP\321\3205Y{\261\270\357\376\336PJ\370\264]l\345=}\222\322\4;H\276\350\3135~\351\20R$\246\371\307?\223\253,.`\2\254\365\236`\342C\330\211\334\365\347{,\232[\364\215\263F\341b;\22\341h\354\204\251.\347\320\300\231\342\322g\242\205\272\330\2368\370\261\330\20q\377\\331\25\270\333z\274Q1)\232,#nO\352:\252X\332\24\353&Fn\1Ayx\331\23\10\354\364\222\215", ) == 0x0
 01874   408   NtDeviceIoControlFile  (68, 0, 0x0, 0x0, 0x390008,  (68, 0, 0x0, 0x0, 0x390008, "\374yu\17\15\0\12|\306#\357V*\324\331\253\270\333\273\336\332Y\355\270\333\273\336\332Y\355\270\333\273\336\332Y\355\270\333\273\336\332Y\355\270\333\273\336\332\225\30.\256\361\313\276hE\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01875   408   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01876   408   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01877   408   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01878   408   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01879   408   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01880   408   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01881   408   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01882   408   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482208, 2, ) }, 0, 0x0, 0, ... -2147482208, 2, ) == 0x0
 01883   408   NtSetValueKey  (-2147482208,  (-2147482208, "Seed", 0, 3, "\222Noa\303\353\322\277F\266\306\325fg\370c\242\4qt\220k, 80, ... ) , 0, 3,  (-2147482208, "Seed", 0, 3, "\222Noa\303\353\322\277F\266\306\325fg\370c\242\4qt\220k, 80, ... ) , 80, ... ) == 0x0
 01884   408   NtClose  (-2147482208, ... ) == 0x0
 01874   408   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\355t\1\310\247\216\312H+x\25\273>*\377:\200\343U(\5\21\7\2165\25\31\275:\220\234\330\320f\373\352\15jfa\345'\351o\221l\205]7tAJ\257\202\231\200\311\305r\3716\373\235\344)\355\354\270\203U\254Q\223\364\0\247\360\327\242+\2c\335\206\330\236\276\310\366\351\277.\365\6\20\0)\37\255\23\257\364N\222\6\221\331\240\327m\276\341\336[/\371\226\21-eV\32\235\1\311\36\365\5\267\34\33Pg\362\1\361\10\330\360\23\15\347a\316F\264t\343\323\362\204*(i\315\20\265\314\224\326V\12\3307PtF\342\34k\237\30\200TUnQh\203e\247\275uQ\1&B\p\274O\347hf\37\217\345\245\321\224\301\27C\306d\346\3028\263jgo\236\334~~\267\32\242j43\344e\202\214\340\353\310\377\3473+\263\251G\340t\350\324M\270I\302\32\331}j\210\277r\317a\356M'", ) , ) == 0x0
 01885   408   NtDeviceIoControlFile  (68, 0, 0x0, 0x0, 0x390008,  (68, 0, 0x0, 0x0, 0x390008, "\374yu\17\15\0\12|\306#\357V*\324\331\253\270\333\273\336\332Y\355\270\333\273\336\332Y\355\270\333\273\336\332Y\355\270\333\273\336\332Y\355\270\333\273\336\332Y\355\270\333\273\336\332\225\30.\256\361\313\276hE\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01886   408   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01887   408   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01888   408   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01889   408   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01890   408   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01891   408   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01892   408   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01893   408   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482208, 2, ) }, 0, 0x0, 0, ... -2147482208, 2, ) == 0x0
 01894   408   NtSetValueKey  (-2147482208,  (-2147482208, "Seed", 0, 3, "2.\273\266bP\300\346\252\342\260n;\266R\2742\226\272LX\14\315oP\212\266c\356\330e\361\317\210!y"A\7p\357\10o\17t\324\334g\251\212\375h\2730\227\277y\26\210\25 _c\221\224\322R\7\362F\316c\11\352xc\0p\252\211", 80, ... ) , 0, 3,  (-2147482208, "Seed", 0, 3, "2.\273\266bP\300\346\252\342\260n;\266R\2742\226\272LX\14\315oP\212\266c\356\330e\361\317\210!y"A\7p\357\10o\17t\324\334g\251\212\375h\2730\227\277y\26\210\25 _c\221\224\322R\7\362F\316c\11\352xc\0p\252\211", 80, ... ) A\7p\357\10o\17t\324\334g\251\212\375h\2730\227\277y\26\210\25 _c\221\224\322R\7\362F\316c\11\352xc\0p\252\211", 80, ... ) == 0x0
 01895   408   NtClose  (-2147482208, ... ) == 0x0
 01885   408   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\302\351\24\245\15-\177\227~>\25Is\360c\376-\5\343\357~\245,\372\253+Yv\20\376\276XX'\205nf1#p\245\250W\252\326\345\217\15\200\14\207\0\364\216\205\367R"\231\210Z[\267\240>\255t9\207\200pXT\334\374\33Q\346\323$\366\212\303\252\201T\13D\204\13\15\252Ae19a\3118\232s\244\301\16\322\253%\201\11O\310%\5H\344\364\10\354\31\12J=@\2771\200\232\200y\215\355\264\3:\211\26U\223\367Z\22\371\301\16g\224\377;\277\304&\204\320"\312g76D"F\216z\234\244\205I]\226\7\300|\246{\346K\252kE\354\253\1\2\362\6\34\363\346\2\304\235\325\331\214*\340\301\3522C\245\330\310?\326\334\250\340\11\235\374\12\251\325\331\21\205\364\217\337\345\276\3757R\241f`\253\357\262\311\11n\264\366t\254\261wP\7\272+>\2248;\32\6\375\20U", ) \231\210Z[\267\240>\255t9\207\200pXT\334\374\33Q\346\323$\366\212\303\252\201T\13D\204\13\15\252Ae19a\3118\232s\244\301\16\322\253%\201\11O\310%\5H\344\364\10\354\31\12J=@\2771\200\232\200y\215\355\264\3:\211\26U\223\367Z\22\371\301\16g\224\377;\277\304&\204\320 ... {status=0x0, info=256}, "\302\351\24\245\15-\177\227~>\25Is\360c\376-\5\343\357~\245,\372\253+Yv\20\376\276XX'\205nf1#p\245\250W\252\326\345\217\15\200\14\207\0\364\216\205\367R"\231\210Z[\267\240>\255t9\207\200pXT\334\374\33Q\346\323$\366\212\303\252\201T\13D\204\13\15\252Ae19a\3118\232s\244\301\16\322\253%\201\11O\310%\5H\344\364\10\354\31\12J=@\2771\200\232\200y\215\355\264\3:\211\26U\223\367Z\22\371\301\16g\224\377;\277\304&\204\320"\312g76D"F\216z\234\244\205I]\226\7\300|\246{\346K\252kE\354\253\1\2\362\6\34\363\346\2\304\235\325\331\214*\340\301\3522C\245\330\310?\326\334\250\340\11\235\374\12\251\325\331\21\205\364\217\337\345\276\3757R\241f`\253\357\262\311\11n\264\366t\254\261wP\7\272+>\2248;\32\6\375\20U", ) F\216z\234\244\205I]\226\7\300|\246{\346K\252kE\354\253\1\2\362\6\34\363\346\2\304\235\325\331\214*\340\301\3522C\245\330\310?\326\334\250\340\11\235\374\12\251\325\331\21\205\364\217\337\345\276\3757R\241f`\253\357\262\311\11n\264\366t\254\261wP\7\272+>\2248;\32\6\375\20U", ) == 0x0
 01896   408   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, ... 72, ) }, ... 72, ) == 0x0
 01897   408   NtQueryValueKey  (72,  (72, "MaximizeApps", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01898   408   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, ... 92, ) }, ... 92, ) == 0x0
 01899   408   NtQueryValueKey  (92,  (92, "MaximizeApps", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01900   408   NtClose  (92, ... ) == 0x0
 01901   408   NtClose  (72, ... ) == 0x0
 01902   408   NtAllocateVirtualMemory  (-1, 1384448, 0, 24576, 4096, 4, ... 1384448, 24576, ) == 0x0
 01903   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "netapi32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01904   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\netapi32.dll"}, 1237492, ... ) }, 1237492, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01905   408   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "netapi32.dll"}, 1237492, ... ) }, 1237492, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01906   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\netapi32.dll"}, 1237492, ... ) }, 1237492, ... ) == 0x0
 01907   408   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\netapi32.dll"}, 5, 96, ... 72, {status=0x0, info=1}, ) }, 5, 96, ... 72, {status=0x0, info=1}, ) == 0x0
 01908   408   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 72, ... 92, ) == 0x0
 01909   408   NtQuerySection  (92, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01910   408   NtClose  (72, ... ) == 0x0
 01911   408   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c20000), 0x0, 323584, ) == 0x0
 01912   408   NtClose  (92, ... ) == 0x0
 01913   408   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01914   408   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01915   408   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 92, ) }, ... 92, ) == 0x0
 01916   408   NtQueryValueKey  (92,  (92, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01917   408   NtClose  (92, ... ) == 0x0
 01918   408   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01919   408   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 92, ) == 0x0
 01920   408   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 72, ) == 0x0
 01921   408   NtQuerySystemTime  (... {1472362222, 29868093}, ) == 0x0
 01922   408   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 88, ) == 0x0
 01923   408   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01924   408   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0
 01925   408   NtQueryInformationProcess  (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0
 01926   408   NtQueryInformationProcess  (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0
 01927   408   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 100, ) == 0x0
 01928   408   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 84, ) == 0x0
 01929   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 104, ) }, ... 104, ) == 0x0
 01930   408   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "ActiveComputerName"}, ... 96, ) }, ... 96, ) == 0x0
 01931   408   NtQueryValueKey  (96,  (96, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (96, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (96, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0
 01932   408   NtClose  (96, ... ) == 0x0
 01933   408   NtClose  (104, ... ) == 0x0
 01934   408   NtCreateIoCompletion  (0x1f0003, 0x0, 0, ... 104, ) == 0x0
 01935   408   NtCreateIoCompletion  (0x1f0003, 0x0, -1, ... 96, ) == 0x0
 01936   408   NtDuplicateObject  (-1, 104, -1, 0x0, 0, 2, ... 112, ) == 0x0
 01937   408   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01938   408   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 116, ) == 0x0
 01939   408   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01940   408   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01941   408   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1237860,  (0xc0100080, {24, 0, 0x40, 0, 1237860, "\??\PIPE\wkssvc"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 124, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 124, {status=0x0, info=1}, ) == 0x0
 01942   408   NtSetInformationFile  (124, 1237916, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01943   408   NtSetInformationFile  (124, 1237908, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01944   408   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01945   408   NtWriteFile  (124, 101, 0, 0,  (124, 101, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\230\320\377k\22\241\206\2303F\303\370~4Z\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01946   408   NtReadFile  (124, 101, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (124, 101, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20f"\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) \0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) == 0x0
 01947   408   NtFsControlFile  (124, 101, 0x0, 0x0, 0x11c017,  (124, 101, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0", 32, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20f"\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 32, 1024, ... {status=0x103, info=68},  (124, 101, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0", 32, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20f"\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) \0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) == 0x103
 01948   408   NtClose  (116, ... ) == 0x0
 01949   408   NtClose  (124, ... ) == 0x0
 01950   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\U:\startupscripts"}, 1237904, ... ) }, 1237904, ... ) == 0x0
 01951   408   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01952   408   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01953   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\clr.exe"}, 1237724, ... ) }, 1237724, ... ) == 0x0
 01954   408   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01955   408   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01956   408   NtCreateSemaphore  (0x1f0003, {24, 64, 0x80, 1363000, 0,  (0x1f0003, {24, 64, 0x80, 1363000, 0, "shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}"}, 0, 2147483647, ... 124, ) }, 0, 2147483647, ... 124, ) == STATUS_OBJECT_NAME_EXISTS
 01957   408   NtReleaseSemaphore  (124, 1, ... 0, ) == 0x0
 01958   408   NtWaitForSingleObject  (124, 0, {0, 0}, ... ) == 0x0
 01959   408   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01960   408   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 116, ) }, ... 116, ) == 0x0
 01961   408   NtQueryValueKey  (116,  (116, "NoNetHood", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01962   408   NtClose  (116, ... ) == 0x0
 01963   408   NtReleaseSemaphore  (124, 1, ... 0, ) == 0x0
 01964   408   NtWaitForSingleObject  (124, 0, {0, 0}, ... ) == 0x0
 01965   408   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01966   408   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 116, ) }, ... 116, ) == 0x0
 01967   408   NtQueryValueKey  (116,  (116, "NoPropertiesMyComputer", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01968   408   NtClose  (116, ... ) == 0x0
 01969   408   NtReleaseSemaphore  (124, 1, ... 0, ) == 0x0
 01970   408   NtWaitForSingleObject  (124, 0, {0, 0}, ... ) == 0x0
 01971   408   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01972   408   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 116, ) }, ... 116, ) == 0x0
 01973   408   NtQueryValueKey  (116,  (116, "NoInternetIcon", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01974   408   NtClose  (116, ... ) == 0x0
 01975   408   NtReleaseSemaphore  (124, 1, ... 0, ) == 0x0
 01976   408   NtWaitForSingleObject  (124, 0, {0, 0}, ... ) == 0x0
 01977   408   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01978   408   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 116, ) }, ... 116, ) == 0x0
 01979   408   NtQueryValueKey  (116,  (116, "NoCommonGroups", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01980   408   NtClose  (116, ... ) == 0x0
 01981   408   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{20D04FE0-3AEA-1069-A2D8-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01982   408   NtReleaseSemaphore  (124, 1, ... 0, ) == 0x0
 01983   408   NtWaitForSingleObject  (124, 0, {0, 0}, ... ) == 0x0
 01984   408   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01985   408   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 116, ) }, ... 116, ) == 0x0
 01986   408   NtQueryValueKey  (116,  (116, "NoControlPanel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01987   408   NtClose  (116, ... ) == 0x0
 01988   408   NtReleaseSemaphore  (124, 1, ... 0, ) == 0x0
 01989   408   NtWaitForSingleObject  (124, 0, {0, 0}, ... ) == 0x0
 01990   408   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01991   408   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 116, ) }, ... 116, ) == 0x0
 01992   408   NtQueryValueKey  (116,  (116, "NoSetFolders", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01993   408   NtClose  (116, ... ) == 0x0
 01994   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESi"}, 138, ) }, 138, ) == 0x0
 01995   408   NtOpenKey  (0x1, {24, 82, 0x40, 0, 0,  (0x1, {24, 82, 0x40, 0, 0, "CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01996   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... 116, ) }, ... 116, ) == 0x0
 01997   408   NtQueryKey  (118, Name, 392, ... {Name= (118, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 01998   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01999   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 108, ) == 0x0
 02000   408   NtQueryInformationToken  (108, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02001   408   NtClose  (108, ... ) == 0x0
 02002   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02003   408   NtQueryValueKey  (118, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data= (118, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0S\0H\0E\0L\0L\03\02\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 02004   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1235632, ... ) }, 1235632, ... ) == 0x0
 02005   408   NtClose  (118, ... ) == 0x0
 02006   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02007   408   NtOpenKey  (0x2000000, {24, 82, 0x40, 0, 0,  (0x2000000, {24, 82, 0x40, 0, 0, "Drive\shellex\FolderExtensions"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02008   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Drive\shellex\FolderExtensions"}, ... 116, ) }, ... 116, ) == 0x0
 02009   408   NtQueryKey  (118, Name, 392, ... {Name= (118, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensionsl"}, 134, ) }, 134, ) == 0x0
 02010   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02011   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 108, ) == 0x0
 02012   408   NtQueryInformationToken  (108, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02013   408   NtClose  (108, ... ) == 0x0
 02014   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Drive\shellex\FolderExtensions"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02015   408   NtEnumerateKey  (118, 0, Node, 288, ... {LastWrite={0x5abc7c30,0x1c73999}, TitleIdx=0, Name= (118, 0, Node, 288, ... {LastWrite={0x5abc7c30,0x1c73999}, TitleIdx=0, Name="{fbeb8a05-beee-4442-804e-409d6c4515e9}", Class=""}, 100, ) , Class=""}, 100, ) == 0x0
 02016   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02017   408   NtOpenKey  (0x1, {24, 82, 0x40, 0, 0,  (0x1, {24, 82, 0x40, 0, 0, "Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02018   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... 108, ) }, ... 108, ) == 0x0
 02019   408   NtQueryKey  (110, Name, 392, ... {Name= (110, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, 212, ) }, 212, ) == 0x0
 02020   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02021   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 120, ) == 0x0
 02022   408   NtQueryInformationToken  (120, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02023   408   NtClose  (120, ... ) == 0x0
 02024   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02025   408   NtQueryValueKey  (110,  (110, "DriveMask", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (110, "DriveMask", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0
 02026   408   NtClose  (110, ... ) == 0x0
 02027   408   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 02028   408   NtEnumerateKey  (118, 1, Node, 288, ... ) == STATUS_NO_MORE_ENTRIES
 02029   408   NtClose  (118, ... ) == 0x0
 02030   408   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace"}, ... 116, ) }, ... 116, ) == 0x0
 02031   408   NtEnumerateKey  (116, 0, Basic, 288, ... {LastWrite={0x98c5c536,0x1c738c7}, TitleIdx=0, Name= (116, 0, Basic, 288, ... {LastWrite={0x98c5c536,0x1c738c7}, TitleIdx=0, Name="Controls"}, 32, ) }, 32, ) == 0x0
 02032   408   NtOpenKey  (0x20019, {24, 116, 0x40, 0, 0,  (0x20019, {24, 116, 0x40, 0, 0, "Controls"}, ... 108, ) }, ... 108, ) == 0x0
 02033   408   NtQueryValueKey  (108,  (108, "SuppressionPolicy", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02034   408   NtQueryValueKey  (108, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (108, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\02\01\0E\0C\02\00\02\00\0-\03\0A\0E\0A\0-\01\00\06\09\0-\0A\02\0D\0D\0-\00\08\00\00\02\0B\03\00\03\00\09\0D\0}\0\0\0"}, 90, ) }, 90, ) == 0x0
 02035   408   NtClose  (108, ... ) == 0x0
 02036   408   NtEnumerateKey  (116, 1, Basic, 288, ... {LastWrite={0x5aa70706,0x1c73999}, TitleIdx=0, Name= (116, 1, Basic, 288, ... {LastWrite={0x5aa70706,0x1c73999}, TitleIdx=0, Name="DelegateFolders6"}, 46, ) }, 46, ) == 0x0
 02037   408   NtOpenKey  (0x20019, {24, 116, 0x40, 0, 0,  (0x20019, {24, 116, 0x40, 0, 0, "DelegateFolders"}, ... 108, ) }, ... 108, ) == 0x0
 02038   408   NtQueryValueKey  (108,  (108, "SuppressionPolicy", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02039   408   NtQueryValueKey  (108, 0x0, Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02040   408   NtClose  (108, ... ) == 0x0
 02041   408   NtEnumerateKey  (116, 2, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 02042   408   NtClose  (116, ... ) == 0x0
 02043   408   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace"}, ... 116, ) }, ... 116, ) == 0x0
 02044   408   NtEnumerateKey  (116, 0, Basic, 288, ... {LastWrite={0x9324a644,0x1c7399c}, TitleIdx=0, Name= (116, 0, Basic, 288, ... {LastWrite={0x9324a644,0x1c7399c}, TitleIdx=0, Name="{BDEADF00-C265-11d0-BCED-00A0C90AB50F}"}, 92, ) }, 92, ) == 0x0
 02045   408   NtOpenKey  (0x20019, {24, 116, 0x40, 0, 0,  (0x20019, {24, 116, 0x40, 0, 0, "{BDEADF00-C265-11d0-BCED-00A0C90AB50F}"}, ... 108, ) }, ... 108, ) == 0x0
 02046   408   NtQueryValueKey  (108,  (108, "SuppressionPolicy", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02047   408   NtClose  (108, ... ) == 0x0
 02048   408   NtEnumerateKey  (116, 1, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 02049   408   NtClose  (116, ... ) == 0x0
 02050   408   NtOpenProcessToken  (-1, 0x8, ... 116, ) == 0x0
 02051   408   NtQueryInformationToken  (116, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 02052   408   NtClose  (116, ... ) == 0x0
 02053   408   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02054   408   NtCreateKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, 0, 0x0, 0, ... 116, 2, ) }, 0, 0x0, 0, ... 116, 2, ) == 0x0
 02055   408   NtOpenKey  (0x2000000, {24, 116, 0x40, 0, 0, ""}, ... 108, ) == 0x0
 02056   408   NtCreateKey  (0x20019, {24, 108, 0x40, 0, 0,  (0x20019, {24, 108, 0x40, 0, 0, "SessionInfo\00000000000091e5"}, 0, 0x0, 1, ... 120, 2, ) }, 0, 0x0, 1, ... 120, 2, ) == 0x0
 02057   408   NtClose  (108, ... ) == 0x0
 02058   408   NtOpenKey  (0x20019, {24, 120, 0x40, 0, 0,  (0x20019, {24, 120, 0x40, 0, 0, "MyComputer\NameSpace"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02059   408   NtClose  (120, ... ) == 0x0
 02060   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES"}, 138, ) }, 138, ) == 0x0
 02061   408   NtOpenKey  (0x2000000, {24, 82, 0x40, 0, 0,  (0x2000000, {24, 82, 0x40, 0, 0, "CLSID\{21EC2020-3AEA-1069-A2DD-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02062   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{21EC2020-3AEA-1069-A2DD-08002B30309D}\ShellFolder"}, ... 120, ) }, ... 120, ) == 0x0
 02063   408   NtQueryKey  (122, Name, 392, ... {Name= (122, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21EC2020-3AEA-1069-A2DD-08002B30309D}\ShellFolderB"}, 186, ) }, 186, ) == 0x0
 02064   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02065   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 108, ) == 0x0
 02066   408   NtQueryInformationToken  (108, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02067   408   NtClose  (108, ... ) == 0x0
 02068   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{21EC2020-3AEA-1069-A2DD-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02069   408   NtQueryValueKey  (122,  (122, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02070   408   NtClose  (122, ... ) == 0x0
 02071   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02072   408   NtOpenKey  (0x2000000, {24, 82, 0x40, 0, 0,  (0x2000000, {24, 82, 0x40, 0, 0, "CLSID\{BDEADF00-C265-11D0-BCED-00A0C90AB50F}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02073   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{BDEADF00-C265-11D0-BCED-00A0C90AB50F}\ShellFolder"}, ... 120, ) }, ... 120, ) == 0x0
 02074   408   NtQueryKey  (122, Name, 392, ... {Name= (122, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BDEADF00-C265-11d0-BCED-00A0C90AB50F}\ShellFolder9"}, 186, ) }, 186, ) == 0x0
 02075   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02076   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 108, ) == 0x0
 02077   408   NtQueryInformationToken  (108, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02078   408   NtClose  (108, ... ) == 0x0
 02079   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{BDEADF00-C265-11d0-BCED-00A0C90AB50F}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02080   408   NtQueryValueKey  (122,  (122, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02081   408   NtClose  (122, ... ) == 0x0
 02082   408   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace"}, ... 120, ) }, ... 120, ) == 0x0
 02083   408   NtEnumerateKey  (120, 0, Basic, 288, ... {LastWrite={0x5aa70706,0x1c73999}, TitleIdx=0, Name= (120, 0, Basic, 288, ... {LastWrite={0x5aa70706,0x1c73999}, TitleIdx=0, Name="{1f4de370-d627-11d1-ba4f-00a0c91eedba}"}, 92, ) }, 92, ) == 0x0
 02084   408   NtOpenKey  (0x20019, {24, 120, 0x40, 0, 0,  (0x20019, {24, 120, 0x40, 0, 0, "{1f4de370-d627-11d1-ba4f-00a0c91eedba}"}, ... 108, ) }, ... 108, ) == 0x0
 02085   408   NtQueryValueKey  (108,  (108, "SuppressionPolicy", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02086   408   NtClose  (108, ... ) == 0x0
 02087   408   NtEnumerateKey  (120, 1, Basic, 288, ... {LastWrite={0x5aa4a4ac,0x1c73999}, TitleIdx=0, Name= (120, 1, Basic, 288, ... {LastWrite={0x5aa4a4ac,0x1c73999}, TitleIdx=0, Name="{450D8FBA-AD25-11D0-98A8-0800361B1103}"}, 92, ) }, 92, ) == 0x0
 02088   408   NtOpenKey  (0x20019, {24, 120, 0x40, 0, 0,  (0x20019, {24, 120, 0x40, 0, 0, "{450D8FBA-AD25-11D0-98A8-0800361B1103}"}, ... 108, ) }, ... 108, ) == 0x0
 02089   408   NtQueryValueKey  (108,  (108, "SuppressionPolicy", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02090   408   NtClose  (108, ... ) == 0x0
 02091   408   NtEnumerateKey  (120, 2, Basic, 288, ... {LastWrite={0x98c5c536,0x1c738c7}, TitleIdx=0, Name= (120, 2, Basic, 288, ... {LastWrite={0x98c5c536,0x1c738c7}, TitleIdx=0, Name="{645FF040-5081-101B-9F08-00AA002F954E}"}, 92, ) }, 92, ) == 0x0
 02092   408   NtOpenKey  (0x20019, {24, 120, 0x40, 0, 0,  (0x20019, {24, 120, 0x40, 0, 0, "{645FF040-5081-101B-9F08-00AA002F954E}"}, ... 108, ) }, ... 108, ) == 0x0
 02093   408   NtQueryValueKey  (108,  (108, "SuppressionPolicy", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02094   408   NtClose  (108, ... ) == 0x0
 02095   408   NtEnumerateKey  (120, 3, Basic, 288, ... {LastWrite={0x5aa70706,0x1c73999}, TitleIdx=0, Name= (120, 3, Basic, 288, ... {LastWrite={0x5aa70706,0x1c73999}, TitleIdx=0, Name="{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"}, 92, ) }, 92, ) == 0x0
 02096   408   NtOpenKey  (0x20019, {24, 120, 0x40, 0, 0,  (0x20019, {24, 120, 0x40, 0, 0, "{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"}, ... 108, ) }, ... 108, ) == 0x0
 02097   408   NtQueryValueKey  (108,  (108, "SuppressionPolicy", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02098   408   NtClose  (108, ... ) == 0x0
 02099   408   NtEnumerateKey  (120, 4, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 02100   408   NtClose  (120, ... ) == 0x0
 02101   408   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02102   408   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02103   408   NtOpenKey  (0x2000000, {24, 116, 0x40, 0, 0, ""}, ... 120, ) == 0x0
 02104   408   NtCreateKey  (0x20019, {24, 120, 0x40, 0, 0,  (0x20019, {24, 120, 0x40, 0, 0, "SessionInfo\00000000000091e5"}, 0, 0x0, 1, ... 108, 2, ) }, 0, 0x0, 1, ... 108, 2, ) == 0x0
 02105   408   NtClose  (120, ... ) == 0x0
 02106   408   NtOpenKey  (0x20019, {24, 108, 0x40, 0, 0,  (0x20019, {24, 108, 0x40, 0, 0, "Desktop\NameSpace"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02107   408   NtClose  (108, ... ) == 0x0
 02108   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 02109   408   NtOpenKey  (0x2000000, {24, 82, 0x40, 0, 0,  (0x2000000, {24, 82, 0x40, 0, 0, "CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02110   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder"}, ... 108, ) }, ... 108, ) == 0x0
 02111   408   NtQueryKey  (110, Name, 392, ... {Name= (110, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolderB"}, 186, ) }, 186, ) == 0x0
 02112   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02113   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 120, ) == 0x0
 02114   408   NtQueryInformationToken  (120, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02115   408   NtClose  (120, ... ) == 0x0
 02116   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02117   408   NtQueryValueKey  (110,  (110, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02118   408   NtClose  (110, ... ) == 0x0
 02119   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02120   408   NtOpenKey  (0x2000000, {24, 82, 0x40, 0, 0,  (0x2000000, {24, 82, 0x40, 0, 0, "CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02121   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder"}, ... 108, ) }, ... 108, ) == 0x0
 02122   408   NtQueryKey  (110, Name, 392, ... {Name= (110, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolderB"}, 186, ) }, 186, ) == 0x0
 02123   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02124   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 120, ) == 0x0
 02125   408   NtQueryInformationToken  (120, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02126   408   NtClose  (120, ... ) == 0x0
 02127   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02128   408   NtQueryValueKey  (110,  (110, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02129   408   NtClose  (110, ... ) == 0x0
 02130   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02131   408   NtOpenKey  (0x2000000, {24, 82, 0x40, 0, 0,  (0x2000000, {24, 82, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02132   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder"}, ... 108, ) }, ... 108, ) == 0x0
 02133   408   NtQueryKey  (110, Name, 392, ... {Name= (110, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolderB"}, 186, ) }, 186, ) == 0x0
 02134   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02135   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 120, ) == 0x0
 02136   408   NtQueryInformationToken  (120, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02137   408   NtClose  (120, ... ) == 0x0
 02138   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02139   408   NtQueryValueKey  (110,  (110, "WantsParseDisplayName", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (110, "WantsParseDisplayName", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 02140   408   NtClose  (110, ... ) == 0x0
 02141   408   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02142   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESC"}, 138, ) }, 138, ) == 0x0
 02143   408   NtOpenKey  (0x1, {24, 82, 0x40, 0, 0,  (0x1, {24, 82, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02144   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... 108, ) }, ... 108, ) == 0x0
 02145   408   NtQueryKey  (110, Name, 392, ... {Name= (110, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 02146   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02147   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 120, ) == 0x0
 02148   408   NtQueryInformationToken  (120, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02149   408   NtClose  (120, ... ) == 0x0
 02150   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02151   408   NtQueryValueKey  (110, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data= (110, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0s\0h\0d\0o\0c\0v\0w\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 02152   408   NtQueryKey  (110, Name, 392, ... {Name= (110, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 02153   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02154   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 120, ) == 0x0
 02155   408   NtQueryInformationToken  (120, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02156   408   NtClose  (120, ... ) == 0x0
 02157   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02158   408   NtQueryValueKey  (110,  (110, "LoadWithoutCOM", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02159   408   NtClose  (110, ... ) == 0x0
 02160   408   NtReleaseSemaphore  (124, 1, ... 0, ) == 0x0
 02161   408   NtWaitForSingleObject  (124, 0, {0, 0}, ... ) == 0x0
 02162   408   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02163   408   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 108, ) }, ... 108, ) == 0x0
 02164   408   NtQueryValueKey  (108,  (108, "EnforceShellExtensionSecurity", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02165   408   NtClose  (108, ... ) == 0x0
 02166   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "appHelp.dll"}, ... 108, ) }, ... 108, ) == 0x0
 02167   408   NtMapViewOfSection  (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f40000), 0x0, 118784, ) == 0x0
 02168   408   NtClose  (108, ... ) == 0x0
 02169   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 108, ) }, ... 108, ) == 0x0
 02170   408   NtQueryValueKey  (108,  (108, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02171   408   NtClose  (108, ... ) == 0x0
 02172   408   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871c5380-42a0-1069-a2ea-08002b30309d}\InProcServer32"}, ... 108, ) }, ... 108, ) == 0x0
 02173   408   NtQueryValueKey  (108, " (108, "", Full, 520, ... TitleIdx=0, Type=2, Name="", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0s\0h\0d\0o\0c\0v\0w\0.\0d\0l\0l\0\0\0"}, 88, )  (108, "", Full, 520, ... TitleIdx=0, Type=2, Name="", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0s\0h\0d\0o\0c\0v\0w\0.\0d\0l\0l\0\0\0"}, 88, ) %\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0s\0h\0d\0o\0c\0v\0w\0.\0d\0l\0l\0\0\0"}, 88, ) == 0x0
 02174   408   NtClose  (108, ... ) == 0x0
 02175   408   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 0x0, 128, 1, 1, 96, 0, 0, ... 108, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 108, {status=0x0, info=1}, ) == 0x0
 02176   408   NtQueryVolumeInformationFile  (108, 1238044, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 02177   408   NtOpenMutant  (0x120001, {24, 64, 0x0, 0, 0,  (0x120001, {24, 64, 0x0, 0, 0, "ShimCacheMutex"}, ... 120, ) }, ... 120, ) == 0x0
 02178   408   NtWaitForSingleObject  (120, 0, {-1000000, -1}, ... ) == 0x0
 02179   408   NtOpenSection  (0x2, {24, 64, 0x0, 0, 0,  (0x2, {24, 64, 0x0, 0, 0, "ShimSharedMemory"}, ... 128, ) }, ... 128, ) == 0x0
 02180   408   NtMapViewOfSection  (128, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3f0000), {0, 0}, 57344, ) == 0x0
 02181   408   NtReleaseMutant  (120, ... 0x0, ) == 0x0
 02182   408   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 132, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 132, {status=0x0, info=1}, ) == 0x0
 02183   408   NtQueryInformationFile  (132, 1237460, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02184   408   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 132, ... 136, ) == 0x0
 02185   408   NtMapViewOfSection  (136, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x990000), 0x0, 1028096, ) == 0x0
 02186   408   NtQueryInformationFile  (132, 1237556, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02187   408   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02188   408   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 02189   408   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 02190   408   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 140, {status=0x0, info=1}, ) }, 3, 16417, ... 140, {status=0x0, info=1}, ) == 0x0
 02191   408   NtQueryDirectoryFile  (140, 0, 0, 0, 1235004, 616, BothDirectory, 1,  (140, 0, 0, 0, 1235004, 616, BothDirectory, 1, "shdocvw.dll", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0
 02192   408   NtClose  (140, ... ) == 0x0
 02193   408   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02194   408   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02195   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 1234392, ... ) }, 1234392, ... ) == 0x0
 02196   408   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 140, {status=0x0, info=1}, ) }, 3, 16417, ... 140, {status=0x0, info=1}, ) == 0x0
 02197   408   NtQueryDirectoryFile  (140, 0, 0, 0, 1233752, 616, BothDirectory, 1,  (140, 0, 0, 0, 1233752, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 02198   408   NtClose  (140, ... ) == 0x0
 02199   408   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 140, {status=0x0, info=1}, ) }, 3, 16417, ... 140, {status=0x0, info=1}, ) == 0x0
 02200   408   NtQueryDirectoryFile  (140, 0, 0, 0, 1233752, 616, BothDirectory, 1,  (140, 0, 0, 0, 1233752, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 02201   408   NtClose  (140, ... ) == 0x0
 02202   408   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 140, {status=0x0, info=1}, ) }, 3, 16417, ... 140, {status=0x0, info=1}, ) == 0x0
 02203   408   NtQueryDirectoryFile  (140, 0, 0, 0, 1233752, 616, BothDirectory, 1,  (140, 0, 0, 0, 1233752, 616, BothDirectory, 1, "shdocvw.dll", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0
 02204   408   NtClose  (140, ... ) == 0x0
 02205   408   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02206   408   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02207   408   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 02208   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02209   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 140, ) == 0x0
 02210   408   NtQueryInformationToken  (140, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02211   408   NtClose  (140, ... ) == 0x0
 02212   408   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02213   408   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\shdocvw.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02214   408   NtWaitForSingleObject  (120, 0, {-1000000, -1}, ... ) == 0x0
 02215   408   NtQueryVolumeInformationFile  (108, 1238048, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 02216   408   NtQueryInformationFile  (108, 1238028, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 02217   408   NtQueryInformationFile  (108, 1238068, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02218   408   NtReleaseMutant  (120, ... 0x0, ) == 0x0
 02219   408   NtUnmapViewOfSection  (-1, 0x990000, ... ) == 0x0
 02220   408   NtClose  (136, ... ) == 0x0
 02221   408   NtClose  (132, ... ) == 0x0
 02222   408   NtClose  (108, ... ) == 0x0
 02223   408   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 108, ) }, ... 108, ) == 0x0
 02224   408   NtQueryValueKey  (108,  (108, "Com+Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "Com+Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02225   408   NtClose  (108, ... ) == 0x0
 02226   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "CLBCATQ.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02227   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\CLBCATQ.DLL"}, 1235796, ... ) }, 1235796, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02228   408   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "CLBCATQ.DLL"}, 1235796, ... ) }, 1235796, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02229   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\CLBCATQ.DLL"}, 1235796, ... ) }, 1235796, ... ) == 0x0
 02230   408   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\CLBCATQ.DLL"}, 5, 96, ... 108, {status=0x0, info=1}, ) }, 5, 96, ... 108, {status=0x0, info=1}, ) == 0x0
 02231   408   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 108, ... 132, ) == 0x0
 02232   408   NtQuerySection  (132, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02233   408   NtClose  (108, ... ) == 0x0
 02234   408   NtMapViewOfSection  (132, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76fd0000), 0x0, 491520, ) == 0x0
 02235   408   NtClose  (132, ... ) == 0x0
 02236   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLEAUT32.dll"}, ... 132, ) }, ... 132, ) == 0x0
 02237   408   NtMapViewOfSection  (132, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0
 02238   408   NtClose  (132, ... ) == 0x0
 02239   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "COMRes.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02240   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\COMRes.dll"}, 1234992, ... ) }, 1234992, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02241   408   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "COMRes.dll"}, 1234992, ... ) }, 1234992, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02242   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\COMRes.dll"}, 1234992, ... ) }, 1234992, ... ) == 0x0
 02243   408   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\COMRes.dll"}, 5, 96, ... 132, {status=0x0, info=1}, ) }, 5, 96, ... 132, {status=0x0, info=1}, ) == 0x0
 02244   408   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 132, ... 108, ) == 0x0
 02245   408   NtQuerySection  (108, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02246   408   NtClose  (132, ... ) == 0x0
 02247   408   NtMapViewOfSection  (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77050000), 0x0, 806912, ) == 0x0
 02248   408   NtClose  (108, ... ) == 0x0
 02249   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "VERSION.dll"}, ... 108, ) }, ... 108, ) == 0x0
 02250   408   NtMapViewOfSection  (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c00000), 0x0, 28672, ) == 0x0
 02251   408   NtClose  (108, ... ) == 0x0
 02252   408   NtUserRegisterWindowMessage  ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b
 02253   408   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02254   408   NtOpenKey  (0x9, {24, 48, 0x40, 0, 0,  (0x9, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02255   408   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02256   408   NtOpenKey  (0xf003f, {24, 48, 0x40, 0, 0,  (0xf003f, {24, 48, 0x40, 0, 0, "Software\Microsoft\COM3\Debug"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02257   408   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\COM3\Debug"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02258   408   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\OLE"}, ... 108, ) }, ... 108, ) == 0x0
 02259   408   NtQueryValueKey  (108,  (108, "MinimumFreeMemPercentageToCreateProcess", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02260   408   NtQueryValueKey  (108,  (108, "MinimumFreeMemPercentageToCreateObject", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02261   408   NtClose  (108, ... ) == 0x0
 02262   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\Registration"}, 1235824, ... ) }, 1235824, ... ) == 0x0
 02263   408   NtOpenSection  (0x4, {24, 64, 0x2, 0, 0,  (0x4, {24, 64, 0x2, 0, 0, "Global\ComPlusCOMRegTable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02264   408   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 02265   408   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 108, ) }, ... 108, ) == 0x0
 02266   408   NtQueryValueKey  (108,  (108, "Com+Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "Com+Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02267   408   NtClose  (108, ... ) == 0x0
 02268   408   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Classes"}, ... 108, ) }, ... 108, ) == 0x0
 02269   408   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 132, ) == 0x0
 02270   408   NtNotifyChangeKey  (108, 132, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 02271   408   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 136, ) }, ... 136, ) == 0x0
 02272   408   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 140, ) == 0x0
 02273   408   NtNotifyChangeKey  (136, 140, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 02274   408   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 144, ) == 0x0
 02275   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER"}, ... 148, ) }, ... 148, ) == 0x0
 02276   408   NtSetInformationObject  (148, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0
 02277   408   NtNotifyChangeKey  (148, 144, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 02278   408   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Classes"}, ... 152, ) }, ... 152, ) == 0x0
 02279   408   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 156, ) == 0x0
 02280   408   NtNotifyChangeKey  (152, 156, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 02281   408   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 160, ) == 0x0
 02282   408   NtNotifyChangeKey  (148, 160, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 02283   408   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 164, ) }, ... 164, ) == 0x0
 02284   408   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 168, ) == 0x0
 02285   408   NtNotifyChangeKey  (164, 168, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 02286   408   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 172, ) }, ... 172, ) == 0x0
 02287   408   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 176, ) == 0x0
 02288   408   NtNotifyChangeKey  (172, 176, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 02289   408   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Classes\CLSID"}, ... 180, ) }, ... 180, ) == 0x0
 02290   408   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 184, ) == 0x0
 02291   408   NtNotifyChangeKey  (180, 184, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 02292   408   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Classes"}, ... 188, ) }, ... 188, ) == 0x0
 02293   408   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 192, ) == 0x0
 02294   408   NtNotifyChangeKey  (188, 192, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 02295   408   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 196, ) }, ... 196, ) == 0x0
 02296   408   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 200, ) == 0x0
 02297   408   NtNotifyChangeKey  (196, 200, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 02298   408   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 204, ) == 0x0
 02299   408   NtNotifyChangeKey  (148, 204, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 02300   408   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 208, ) }, ... 208, ) == 0x0
 02301   408   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 212, ) == 0x0
 02302   408   NtNotifyChangeKey  (208, 212, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 02303   408   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 216, ) }, ... 216, ) == 0x0
 02304   408   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 220, ) == 0x0
 02305   408   NtNotifyChangeKey  (216, 220, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 02306   408   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Classes\CLSID"}, ... 224, ) }, ... 224, ) == 0x0
 02307   408   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 228, ) == 0x0
 02308   408   NtNotifyChangeKey  (224, 228, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 02309   408   NtOpenSection  (0x4, {24, 64, 0x2, 0, 0,  (0x4, {24, 64, 0x2, 0, 0, "Global\ComPlusCOMRegTable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02310   408   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 232, ) }, ... 232, ) == 0x0
 02311   408   NtQueryValueKey  (232,  (232, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (232, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 02312   408   NtClose  (232, ... ) == 0x0
 02313   408   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02314   408   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 02315   408   NtOpenSection  (0x4, {24, 64, 0x0, 0, 0,  (0x4, {24, 64, 0x0, 0, 0, "__R_000000000007_SMem__"}, ... 232, ) }, ... 232, ) == 0x0
 02316   408   NtMapViewOfSection  (232, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x990000), {0, 0}, 24576, ) == 0x0
 02317   408   NtAllocateVirtualMemory  (-1, 3297280, 0, 8192, 4096, 4, ... 3297280, 8192, ) == 0x0
 02318   408   NtOpenSection  (0x4, {24, 64, 0x2, 0, 0,  (0x4, {24, 64, 0x2, 0, 0, "Global\ComPlusCOMRegTable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02319   408   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 236, ) }, ... 236, ) == 0x0
 02320   408   NtQueryValueKey  (236,  (236, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (236, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 02321   408   NtClose  (236, ... ) == 0x0
 02322   408   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02323   408   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 02324   408   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 1, ... 10092544, 65536, ) == 0x0
 02325   408   NtAllocateVirtualMemory  (-1, 10092544, 0, 4096, 4096, 4, ... 10092544, 4096, ) == 0x0
 02326   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES\"}, 138, ) }, 138, ) == 0x0
 02327   408   NtOpenKey  (0x20019, {24, 82, 0x40, 0, 0,  (0x20019, {24, 82, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02328   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 236, ) }, ... 236, ) == 0x0
 02329   408   NtQueryKey  (238, Name, 384, ... {Name= (238, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}9"}, 162, ) }, 162, ) == 0x0
 02330   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02331   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 240, ) == 0x0
 02332   408   NtQueryInformationToken  (240, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02333   408   NtClose  (240, ... ) == 0x0
 02334   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02335   408   NtOpenKey  (0x1, {24, 238, 0x40, 0, 0,  (0x1, {24, 238, 0x40, 0, 0, "TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02336   408   NtClose  (238, ... ) == 0x0
 02337   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02338   408   NtOpenKey  (0x20019, {24, 82, 0x40, 0, 0,  (0x20019, {24, 82, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02339   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 236, ) }, ... 236, ) == 0x0
 02340   408   NtQueryKey  (238, Name, 384, ... {Name= (238, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}9"}, 162, ) }, 162, ) == 0x0
 02341   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02342   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 240, ) == 0x0
 02343   408   NtQueryInformationToken  (240, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02344   408   NtClose  (240, ... ) == 0x0
 02345   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02346   408   NtOpenKey  (0x2000000, {24, 238, 0x40, 0, 0,  (0x2000000, {24, 238, 0x40, 0, 0, "InprocServer32"}, ... 240, ) }, ... 240, ) == 0x0
 02347   408   NtQueryKey  (242, Name, 392, ... {Name= (242, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 02348   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02349   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 244, ) == 0x0
 02350   408   NtQueryInformationToken  (244, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02351   408   NtClose  (244, ... ) == 0x0
 02352   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02353   408   NtQueryValueKey  (242,  (242, "InprocServer32", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02354   408   NtClose  (242, ... ) == 0x0
 02355   408   NtQueryKey  (238, Name, 384, ... {Name= (238, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 02356   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02357   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 240, ) == 0x0
 02358   408   NtQueryInformationToken  (240, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02359   408   NtClose  (240, ... ) == 0x0
 02360   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocServerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02361   408   NtOpenKey  (0x2000000, {24, 238, 0x40, 0, 0,  (0x2000000, {24, 238, 0x40, 0, 0, "InprocServerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02362   408   NtQueryKey  (238, Name, 384, ... {Name= (238, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 02363   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02364   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 240, ) == 0x0
 02365   408   NtQueryInformationToken  (240, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02366   408   NtClose  (240, ... ) == 0x0
 02367   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02368   408   NtOpenKey  (0x2000000, {24, 238, 0x40, 0, 0,  (0x2000000, {24, 238, 0x40, 0, 0, "LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02369   408   NtQueryKey  (238, Name, 384, ... {Name= (238, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 02370   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02371   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 240, ) == 0x0
 02372   408   NtQueryInformationToken  (240, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02373   408   NtClose  (240, ... ) == 0x0
 02374   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02375   408   NtOpenKey  (0x2000000, {24, 238, 0x40, 0, 0,  (0x2000000, {24, 238, 0x40, 0, 0, "InprocServer32"}, ... 240, ) }, ... 240, ) == 0x0
 02376   408   NtQueryKey  (242, Name, 392, ... {Name= (242, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 02377   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02378   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 244, ) == 0x0
 02379   408   NtQueryInformationToken  (244, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02380   408   NtClose  (244, ... ) == 0x0
 02381   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02382   408   NtQueryValueKey  (242, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data= (242, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0s\0h\0d\0o\0c\0v\0w\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 02383   408   NtClose  (242, ... ) == 0x0
 02384   408   NtQueryKey  (238, Name, 384, ... {Name= (238, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 02385   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02386   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 240, ) == 0x0
 02387   408   NtQueryInformationToken  (240, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02388   408   NtClose  (240, ... ) == 0x0
 02389   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocHandler32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02390   408   NtOpenKey  (0x2000000, {24, 238, 0x40, 0, 0,  (0x2000000, {24, 238, 0x40, 0, 0, "InprocHandler32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02391   408   NtQueryKey  (238, Name, 384, ... {Name= (238, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 02392   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02393   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 240, ) == 0x0
 02394   408   NtQueryInformationToken  (240, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02395   408   NtClose  (240, ... ) == 0x0
 02396   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocHandlerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02397   408   NtOpenKey  (0x2000000, {24, 238, 0x40, 0, 0,  (0x2000000, {24, 238, 0x40, 0, 0, "InprocHandlerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02398   408   NtQueryKey  (238, Name, 384, ... {Name= (238, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 02399   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02400   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 240, ) == 0x0
 02401   408   NtQueryInformationToken  (240, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02402   408   NtClose  (240, ... ) == 0x0
 02403   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02404   408   NtOpenKey  (0x2000000, {24, 238, 0x40, 0, 0,  (0x2000000, {24, 238, 0x40, 0, 0, "LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02405   408   NtQueryKey  (238, Name, 384, ... {Name= (238, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 02406   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02407   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 240, ) == 0x0
 02408   408   NtQueryInformationToken  (240, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02409   408   NtClose  (240, ... ) == 0x0
 02410   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\LocalServer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02411   408   NtOpenKey  (0x2000000, {24, 238, 0x40, 0, 0,  (0x2000000, {24, 238, 0x40, 0, 0, "LocalServer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02412   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02413   408   NtOpenKey  (0x20019, {24, 82, 0x40, 0, 0,  (0x20019, {24, 82, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02414   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 240, ) }, ... 240, ) == 0x0
 02415   408   NtQueryKey  (242, Name, 392, ... {Name= (242, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}9"}, 162, ) }, 162, ) == 0x0
 02416   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02417   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 244, ) == 0x0
 02418   408   NtQueryInformationToken  (244, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02419   408   NtClose  (244, ... ) == 0x0
 02420   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02421   408   NtQueryValueKey  (242,  (242, "AppID", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02422   408   NtClose  (242, ... ) == 0x0
 02423   408   NtClose  (238, ... ) == 0x0
 02424   408   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {404, 0}, ... 236, ) == 0x0
 02425   408   NtQueryInformationProcess  (236, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 02426   408   NtClose  (236, ... ) == 0x0
 02427   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02428   408   NtOpenKey  (0x20019, {24, 82, 0x40, 0, 0,  (0x20019, {24, 82, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02429   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 236, ) }, ... 236, ) == 0x0
 02430   408   NtClose  (238, ... ) == 0x0
 02431   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES3"}, 138, ) }, 138, ) == 0x0
 02432   408   NtOpenKey  (0x20019, {24, 82, 0x40, 0, 0,  (0x20019, {24, 82, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02433   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 236, ) }, ... 236, ) == 0x0
 02434   408   NtQueryKey  (238, Name, 384, ... {Name= (238, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}9"}, 162, ) }, 162, ) == 0x0
 02435   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02436   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 240, ) == 0x0
 02437   408   NtQueryInformationToken  (240, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02438   408   NtClose  (240, ... ) == 0x0
 02439   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02440   408   NtOpenKey  (0x2000000, {24, 238, 0x40, 0, 0,  (0x2000000, {24, 238, 0x40, 0, 0, "InprocServer32"}, ... 240, ) }, ... 240, ) == 0x0
 02441   408   NtQueryKey  (242, Name, 392, ... {Name= (242, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 02442   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02443   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 244, ) == 0x0
 02444   408   NtQueryInformationToken  (244, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02445   408   NtClose  (244, ... ) == 0x0
 02446   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02447   408   NtQueryValueKey  (242,  (242, "ThreadingModel", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0p\0a\0r\0t\0m\0e\0n\0t\0\0\0"}, 32, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (242, "ThreadingModel", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0p\0a\0r\0t\0m\0e\0n\0t\0\0\0"}, 32, ) }, 32, ) == 0x0
 02448   408   NtClose  (242, ... ) == 0x0
 02449   408   NtClose  (238, ... ) == 0x0
 02450   408   NtAllocateVirtualMemory  (-1, 1409024, 0, 8192, 4096, 4, ... 1409024, 8192, ) == 0x0
 02451   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02452   408   NtOpenKey  (0x20019, {24, 82, 0x40, 0, 0,  (0x20019, {24, 82, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02453   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 236, ) }, ... 236, ) == 0x0
 02454   408   NtQueryKey  (238, Name, 384, ... {Name= (238, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}9"}, 162, ) }, 162, ) == 0x0
 02455   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02456   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 240, ) == 0x0
 02457   408   NtQueryInformationToken  (240, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02458   408   NtClose  (240, ... ) == 0x0
 02459   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02460   408   NtOpenKey  (0x1, {24, 238, 0x40, 0, 0,  (0x1, {24, 238, 0x40, 0, 0, "TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02461   408   NtClose  (238, ... ) == 0x0
 02462   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 1232216, ... ) }, 1232216, ... ) == 0x0
 02463   408   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 5, 96, ... 236, {status=0x0, info=1}, ) }, 5, 96, ... 236, {status=0x0, info=1}, ) == 0x0
 02464   408   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 236, ... 240, ) == 0x0
 02465   408   NtClose  (236, ... ) == 0x0
 02466   408   NtMapViewOfSection  (240, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x9b0000), 0x0, 1339392, ) == 0x0
 02467   408   NtClose  (240, ... ) == 0x0
 02468   408   NtUnmapViewOfSection  (-1, 0x9b0000, ... ) == 0x0
 02469   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 1232532, ... ) }, 1232532, ... ) == 0x0
 02470   408   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 5, 96, ... 240, {status=0x0, info=1}, ) }, 5, 96, ... 240, {status=0x0, info=1}, ) == 0x0
 02471   408   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 240, ... 236, ) == 0x0
 02472   408   NtQuerySection  (236, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02473   408   NtClose  (240, ... ) == 0x0
 02474   408   NtMapViewOfSection  (236, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x769c0000), 0x0, 1347584, ) == 0x0
 02475   408   NtClose  (236, ... ) == 0x0
 02476   408   NtQueryDefaultUILanguage  (1230896, ...
 02477   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02478   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482208, ) == 0x0
 02479   408   NtQueryInformationToken  (-2147482208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02480   408   NtClose  (-2147482208, ... ) == 0x0
 02481   408   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 02482   408   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02483   408   NtOpenKey  (0x80000000, {24, -2147482208, 0x640, 0, 0,  (0x80000000, {24, -2147482208, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482196, ) }, ... -2147482196, ) == 0x0
 02484   408   NtQueryValueKey  (-2147482196,  (-2147482196, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02485   408   NtClose  (-2147482196, ... ) == 0x0
 02486   408   NtClose  (-2147482208, ... ) == 0x0
 02476   408   NtQueryDefaultUILanguage  ... ) == 0x0
 02487   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02488   408   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 1, 96, ... 236, {status=0x0, info=1}, ) }, 1, 96, ... 236, {status=0x0, info=1}, ) == 0x0
 02489   408   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 236, ... 240, ) == 0x0
 02490   408   NtMapViewOfSection  (240, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x9b0000), 0x0, 1339392, ) == 0x0
 02491   408   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02492   408   NtQueryDefaultLocale  (1, 1228932, ... ) == 0x0
 02493   408   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02494   408   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1229788, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1229788, 1, 96, 0} "\210\6\35\1\33\0\1\0\0\0\0\0\1\307\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1\354\0\0\0\377\377\377\377\0\0\0\0\10\340\246\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0\334\312\22\0\0\0\0\0" ... {128, 156, reply, 0, 404, 408, 1502, 0} " S\26\0\33\0\1\0\0\0\0\0\1\307\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1\354\0\0\0\377\377\377\377\0\0\0\0\10\340\246\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0\334\312\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 404, 408, 1502, 0}  (24, {128, 156, new_msg, 0, 1229788, 1, 96, 0} "\210\6\35\1\33\0\1\0\0\0\0\0\1\307\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1\354\0\0\0\377\377\377\377\0\0\0\0\10\340\246\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0\334\312\22\0\0\0\0\0" ... {128, 156, reply, 0, 404, 408, 1502, 0} " S\26\0\33\0\1\0\0\0\0\0\1\307\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1\354\0\0\0\377\377\377\377\0\0\0\0\10\340\246\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0\334\312\22\0\0\0\0\0" )  ) == 0x0
 02495   408   NtClose  (236, ... ) == 0x0
 02496   408   NtClose  (240, ... ) == 0x0
 02497   408   NtUnmapViewOfSection  (-1, 0x9b0000, ... ) == 0x0
 02498   408   NtUnmapViewOfSection  (-1, 0x12cadc, ... ) == STATUS_NOT_MAPPED_VIEW
 02499   408   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 02500   408   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02501   408   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 02502   408   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 02503   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1227472, ... ) }, 1227472, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02504   408   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 02505   408   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 02506   408   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 02507   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1228064, ... ) }, 1228064, ... ) == 0x0
 02508   408   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 240, {status=0x0, info=1}, ) }, 3, 33, ... 240, {status=0x0, info=1}, ) == 0x0
 02509   408   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 02510   408   NtUserFindExistingCursorIcon  (1232016, 1232032, 1232600, ... ) == 0x10011
 02511   408   NtUserRegisterClassExWOW  (1232468, 1232548, 1232532, 1232564, 0, 384, 0, ... ) == 0x810d0000
 02512   408   NtUserGetClassInfo  (1905590272, 1232632, 1232584, 1232660, 0, ... ) == 0xc05f
 02513   408   NtGdiCreateHalftonePalette  (0, ... ) == 0x1408040a
 02514   408   NtGdiDoPalette  (336069642, 0, 256, 1231724, 2, 0, ... ) == 0x100
 02515   408   NtGdiDeleteObjectApp  (336069642, ... ) == 0x1
 02516   408   NtGdiCreateCompatibleDC  (0, ... ) == 0x1501040a
 02517   408   NtGdiCreatePaletteInternal  (1231720, 256, ... ) == 0x19080404
 02518   408   NtGdiDeleteObjectApp  (352388106, ... ) == 0x1
 02519   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESn"}, 138, ) }, 138, ) == 0x0
 02520   408   NtOpenKey  (0x1, {24, 82, 0x40, 0, 0,  (0x1, {24, 82, 0x40, 0, 0, "Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\Typelib"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02521   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\Typelib"}, ... 236, ) }, ... 236, ) == 0x0
 02522   408   NtQueryKey  (238, Name, 392, ... {Name= (238, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\TypeLib0"}, 186, ) }, 186, ) == 0x0
 02523   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02524   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 244, ) == 0x0
 02525   408   NtQueryInformationToken  (244, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02526   408   NtClose  (244, ... ) == 0x0
 02527   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\TypeLib"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02528   408   NtQueryValueKey  (238, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (238, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0E\0A\0B\02\02\0A\0C\00\0-\03\00\0C\01\0-\01\01\0C\0F\0-\0A\07\0E\0B\0-\00\00\00\00\0C\00\05\0B\0A\0E\00\0B\0}\0\0\0"}, 90, ) }, 90, ) == 0x0
 02529   408   NtClose  (238, ... ) == 0x0
 02530   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02531   408   NtOpenKey  (0x1, {24, 82, 0x40, 0, 0,  (0x1, {24, 82, 0x40, 0, 0, "Interface\{b722bccb-4e68-101b-a2bc-00aa00404770}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02532   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{b722bccb-4e68-101b-a2bc-00aa00404770}\ProxyStubClsid32"}, ... 236, ) }, ... 236, ) == 0x0
 02533   408   NtQueryKey  (238, Name, 392, ... {Name= (238, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B722BCCB-4E68-101B-A2BC-00AA00404770}\ProxyStubClsid32"}, 204, ) }, 204, ) == 0x0
 02534   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02535   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 244, ) == 0x0
 02536   408   NtQueryInformationToken  (244, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02537   408   NtClose  (244, ... ) == 0x0
 02538   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{B722BCCB-4E68-101B-A2BC-00AA00404770}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02539   408   NtQueryValueKey  (238, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (238, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0B\08\0D\0A\06\03\01\00\0-\0E\01\09\0B\0-\01\01\0D\00\0-\09\03\03\0C\0-\00\00\0A\00\0C\09\00\0D\0C\0A\0A\09\0}\0\0\0"}, 90, ) }, 90, ) == 0x0
 02540   408   NtClose  (238, ... ) == 0x0
 02541   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02542   408   NtOpenKey  (0x1, {24, 82, 0x40, 0, 0,  (0x1, {24, 82, 0x40, 0, 0, "Interface\{79eac9c4-baf9-11ce-8c82-00aa004ba90b}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02543   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{79eac9c4-baf9-11ce-8c82-00aa004ba90b}\ProxyStubClsid32"}, ... 236, ) }, ... 236, ) == 0x0
 02544   408   NtQueryKey  (238, Name, 392, ... {Name= (238, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79EAC9C4-BAF9-11CE-8C82-00AA004BA90B}\ProxyStubClsid32"}, 204, ) }, 204, ) == 0x0
 02545   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02546   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 244, ) == 0x0
 02547   408   NtQueryInformationToken  (244, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02548   408   NtClose  (244, ... ) == 0x0
 02549   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{79EAC9C4-BAF9-11CE-8C82-00AA004BA90B}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02550   408   NtQueryValueKey  (238, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (238, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0B\08\0D\0A\06\03\01\00\0-\0E\01\09\0B\0-\01\01\0D\00\0-\09\03\03\0C\0-\00\00\0A\00\0C\09\00\0D\0C\0A\0A\09\0}\0\0\0"}, 90, ) }, 90, ) == 0x0
 02551   408   NtClose  (238, ... ) == 0x0
 02552   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02553   408   NtOpenKey  (0x1, {24, 82, 0x40, 0, 0,  (0x1, {24, 82, 0x40, 0, 0, "Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02554   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32"}, ... 236, ) }, ... 236, ) == 0x0
 02555   408   NtQueryKey  (238, Name, 392, ... {Name= (238, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32"}, 204, ) }, 204, ) == 0x0
 02556   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02557   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 244, ) == 0x0
 02558   408   NtQueryInformationToken  (244, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02559   408   NtClose  (244, ... ) == 0x0
 02560   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02561   408   NtQueryValueKey  (238, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (238, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0b\0f\05\00\0b\06\08\0e\0-\02\09\0b\08\0-\04\03\08\06\0-\0a\0e\09\0c\0-\09\07\03\04\0d\05\01\01\07\0c\0d\05\0}\0\0\0"}, 90, ) }, 90, ) == 0x0
 02562   408   NtClose  (238, ... ) == 0x0
 02563   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02564   408   NtOpenKey  (0x1, {24, 82, 0x40, 0, 0,  (0x1, {24, 82, 0x40, 0, 0, "Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02565   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32"}, ... 236, ) }, ... 236, ) == 0x0
 02566   408   NtQueryKey  (238, Name, 392, ... {Name= (238, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32"}, 204, ) }, 204, ) == 0x0
 02567   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02568   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 244, ) == 0x0
 02569   408   NtQueryInformationToken  (244, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02570   408   NtClose  (244, ... ) == 0x0
 02571   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02572   408   NtQueryValueKey  (238, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (238, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0b\0f\05\00\0b\06\08\0e\0-\02\09\0b\08\0-\04\03\08\06\0-\0a\0e\09\0c\0-\09\07\03\04\0d\05\01\01\07\0c\0d\05\0}\0\0\0"}, 90, ) }, 90, ) == 0x0
 02573   408   NtClose  (238, ... ) == 0x0
 02574   408   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02575   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES"}, 138, ) }, 138, ) == 0x0
 02576   408   NtOpenKey  (0x2000000, {24, 82, 0x40, 0, 0,  (0x2000000, {24, 82, 0x40, 0, 0, "CLSID\{1F4DE370-D627-11D1-BA4F-00A0C91EEDBA}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02577   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{1F4DE370-D627-11D1-BA4F-00A0C91EEDBA}\ShellFolder"}, ... 236, ) }, ... 236, ) == 0x0
 02578   408   NtQueryKey  (238, Name, 392, ... {Name= (238, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder9"}, 186, ) }, 186, ) == 0x0
 02579   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02580   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 244, ) == 0x0
 02581   408   NtQueryInformationToken  (244, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02582   408   NtClose  (244, ... ) == 0x0
 02583   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02584   408   NtQueryValueKey  (238,  (238, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02585   408   NtClose  (238, ... ) == 0x0
 02586   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02587   408   NtOpenKey  (0x2000000, {24, 82, 0x40, 0, 0,  (0x2000000, {24, 82, 0x40, 0, 0, "CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02588   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder"}, ... 236, ) }, ... 236, ) == 0x0
 02589   408   NtQueryKey  (238, Name, 392, ... {Name= (238, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder6"}, 186, ) }, 186, ) == 0x0
 02590   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02591   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 244, ) == 0x0
 02592   408   NtQueryInformationToken  (244, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02593   408   NtClose  (244, ... ) == 0x0
 02594   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02595   408   NtQueryValueKey  (238,  (238, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02596   408   NtClose  (238, ... ) == 0x0
 02597   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02598   408   NtOpenKey  (0x2000000, {24, 82, 0x40, 0, 0,  (0x2000000, {24, 82, 0x40, 0, 0, "CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02599   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder"}, ... 236, ) }, ... 236, ) == 0x0
 02600   408   NtQueryKey  (238, Name, 392, ... {Name= (238, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder0"}, 186, ) }, 186, ) == 0x0
 02601   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02602   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 244, ) == 0x0
 02603   408   NtQueryInformationToken  (244, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02604   408   NtClose  (244, ... ) == 0x0
 02605   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02606   408   NtQueryValueKey  (238,  (238, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02607   408   NtClose  (238, ... ) == 0x0
 02608   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02609   408   NtOpenKey  (0x2000000, {24, 82, 0x40, 0, 0,  (0x2000000, {24, 82, 0x40, 0, 0, "CLSID\{E17D4FC0-5564-11D1-83F2-00A0C90DC849}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02610   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{E17D4FC0-5564-11D1-83F2-00A0C90DC849}\ShellFolder"}, ... 236, ) }, ... 236, ) == 0x0
 02611   408   NtQueryKey  (238, Name, 392, ... {Name= (238, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder9"}, 186, ) }, 186, ) == 0x0
 02612   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02613   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 244, ) == 0x0
 02614   408   NtQueryInformationToken  (244, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02615   408   NtClose  (244, ... ) == 0x0
 02616   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02617   408   NtQueryValueKey  (238,  (238, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02618   408   NtClose  (238, ... ) == 0x0
 02619   408   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"}, ... 236, ) }, ... 236, ) == 0x0
 02620   408   NtEnumerateValueKey  (236, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (236, 0, Full, 220, ... TitleIdx=0, Type=1, Name="{AEB6717E-7E19-11d0-97EE-00C04FD91972}", Data="\0\0"}, 98, ) , Data= (236, 0, Full, 220, ... TitleIdx=0, Type=1, Name="{AEB6717E-7E19-11d0-97EE-00C04FD91972}", Data="\0\0"}, 98, ) }, 98, ) == 0x0
 02621   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 02622   408   NtOpenKey  (0x1, {24, 82, 0x40, 0, 0,  (0x1, {24, 82, 0x40, 0, 0, "CLSID\{AEB6717E-7E19-11D0-97EE-00C04FD91972}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02623   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{AEB6717E-7E19-11D0-97EE-00C04FD91972}\InProcServer32"}, ... 244, ) }, ... 244, ) == 0x0
 02624   408   NtQueryKey  (246, Name, 392, ... {Name= (246, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 02625   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02626   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 248, ) == 0x0
 02627   408   NtQueryInformationToken  (248, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02628   408   NtClose  (248, ... ) == 0x0
 02629   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02630   408   NtQueryValueKey  (246, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (246, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="s\0h\0e\0l\0l\03\02\0.\0d\0l\0l\0\0\0"}, 36, ) }, 36, ) == 0x0
 02631   408   NtQueryKey  (246, Name, 392, ... {Name= (246, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 02632   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02633   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 248, ) == 0x0
 02634   408   NtQueryInformationToken  (248, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02635   408   NtClose  (248, ... ) == 0x0
 02636   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02637   408   NtQueryValueKey  (246,  (246, "LoadWithoutCOM", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02638   408   NtClose  (246, ... ) == 0x0
 02639   408   NtEnumerateValueKey  (236, 1, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 02640   408   NtClose  (236, ... ) == 0x0
 02641   408   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 02642   408   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 02643   408   NtOpenEvent  (0x100000, {24, 64, 0x0, 0, 0,  (0x100000, {24, 64, 0x0, 0, 0, "_fCanRegisterWithShellService"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02644   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SETUPAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02645   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\SETUPAPI.dll"}, 1235528, ... ) }, 1235528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02646   408   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "SETUPAPI.dll"}, 1235528, ... ) }, 1235528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02647   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SETUPAPI.dll"}, 1235528, ... ) }, 1235528, ... ) == 0x0
 02648   408   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SETUPAPI.dll"}, 5, 96, ... 236, {status=0x0, info=1}, ) }, 5, 96, ... 236, {status=0x0, info=1}, ) == 0x0
 02649   408   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 236, ... 244, ) == 0x0
 02650   408   NtQuerySection  (244, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02651   408   NtClose  (236, ... ) == 0x0
 02652   408   NtMapViewOfSection  (244, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76670000), 0x0, 933888, ) == 0x0
 02653   408   NtClose  (244, ... ) == 0x0
 02654   408   NtQueryDefaultLocale  (1, 1235360, ... ) == 0x0
 02655   408   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 02656   408   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\Setup"}, ... 244, ) }, ... 244, ) == 0x0
 02657   408   NtQueryValueKey  (244,  (244, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (244, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02658   408   NtClose  (244, ... ) == 0x0
 02659   408   NtUserGetProcessWindowStation  (... ) == 0x24
 02660   408   NtUserGetObjectInformation  (36, 1, 1235032, 12, 1235044, ... ) == 0x1
 02661   408   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\WPA\PnP"}, ... 244, ) }, ... 244, ) == 0x0
 02662   408   NtQueryValueKey  (244,  (244, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\345\252r\363"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (244, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\345\252r\363"}, 16, ) }, 16, ) == 0x0
 02663   408   NtClose  (244, ... ) == 0x0
 02664   408   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "SYSTEM\Setup"}, ... 244, ) }, ... 244, ) == 0x0
 02665   408   NtQueryValueKey  (244,  (244, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (244, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0
 02666   408   NtQueryValueKey  (244,  (244, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (244, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0
 02667   408   NtClose  (244, ... ) == 0x0
 02668   408   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "SYSTEM\Setup"}, ... 244, ) }, ... 244, ) == 0x0
 02669   408   NtQueryValueKey  (244,  (244, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (244, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0
 02670   408   NtQueryValueKey  (244,  (244, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (244, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0
 02671   408   NtClose  (244, ... ) == 0x0
 02672   408   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 244, ) }, ... 244, ) == 0x0
 02673   408   NtQueryValueKey  (244,  (244, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (244, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 02674   408   NtQueryValueKey  (244,  (244, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (244, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 02675   408   NtClose  (244, ... ) == 0x0
 02676   408   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 244, ) }, ... 244, ) == 0x0
 02677   408   NtQueryValueKey  (244,  (244, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (244, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 02678   408   NtQueryValueKey  (244,  (244, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (244, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 02679   408   NtClose  (244, ... ) == 0x0
 02680   408   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 244, ) }, ... 244, ) == 0x0
 02681   408   NtQueryValueKey  (244,  (244, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (244, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0
 02682   408   NtQueryValueKey  (244,  (244, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (244, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0
 02683   408   NtClose  (244, ... ) == 0x0
 02684   408   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 244, ) }, ... 244, ) == 0x0
 02685   408   NtQueryValueKey  (244,  (244, "DevicePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (244, "DevicePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0\0\0"}, 46, ) }, 46, ) == 0x0
 02686   408   NtClose  (244, ... ) == 0x0
 02687   408   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 244, ) == 0x0
 02688   408   NtCreateMutant  (0x1f0001, 0x0, 0, ... 236, ) == 0x0
 02689   408   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 248, ) == 0x0
 02690   408   NtCreateMutant  (0x1f0001, 0x0, 0, ... 252, ) == 0x0
 02691   408   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 256, ) == 0x0
 02692   408   NtCreateMutant  (0x1f0001, 0x0, 0, ... 260, ) == 0x0
 02693   408   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 264, ) }, ... 264, ) == 0x0
 02694   408   NtQueryValueKey  (264,  (264, "LogLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02695   408   NtQueryValueKey  (264,  (264, "LogPath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02696   408   NtOpenKey  (0x1, {24, 264, 0x40, 0, 0,  (0x1, {24, 264, 0x40, 0, 0, "AppLogLevels"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02697   408   NtClose  (264, ... ) == 0x0
 02698   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 1234952, ... ) }, 1234952, ... ) == 0x0
 02699   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName"}, ... 264, ) }, ... 264, ) == 0x0
 02700   408   NtQueryValueKey  (264,  (264, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (264, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (264, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0
 02701   408   NtClose  (264, ... ) == 0x0
 02702   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 264, ) }, ... 264, ) == 0x0
 02703   408   NtQueryValueKey  (264,  (264, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (264, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) , Data= (264, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) }, 52, ) == 0x0
 02704   408   NtClose  (264, ... ) == 0x0
 02705   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\System\DNSclient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02706   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 264, ) }, ... 264, ) == 0x0
 02707   408   NtQueryValueKey  (264,  (264, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (264, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Data= (264, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) }, 34, ) == 0x0
 02708   408   NtClose  (264, ... ) == 0x0
 02709   408   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02710   408   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 264, ) == 0x0
 02711   408   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02712   408   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02713   408   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1235732,  (0xc0100080, {24, 0, 0x40, 0, 1235732, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 268, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 268, {status=0x0, info=1}, ) == 0x0
 02714   408   NtSetInformationFile  (268, 1235788, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 02715   408   NtSetInformationFile  (268, 1235780, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 02716   408   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02717   408   NtWriteFile  (268, 101, 0, 0,  (268, 101, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 02718   408   NtReadFile  (268, 101, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (268, 101, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\205\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 02719   408   NtFsControlFile  (268, 101, 0x0, 0x0, 0x11c017,  (268, 101, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\314\341\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\205\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (268, 101, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\314\341\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\205\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 02720   408   NtFsControlFile  (268, 101, 0x0, 0x0, 0x11c017,  (268, 101, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0j\0\0\0\2\0\0\0R\0\0\0\0\0\37\0\0\0\0\0X\256\2220,\334\21\261\306\0\14)\371\246\305*\0,\0\14\344gv\26\0\0\0\0\0\0\0\25\0\0\0S\0e\0L\0o\0a\0d\0D\0r\0i\0v\0e\0r\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 106, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0X\256\2220,\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) , 106, 1024, ... {status=0x103, info=48},  (268, 101, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0j\0\0\0\2\0\0\0R\0\0\0\0\0\37\0\0\0\0\0X\256\2220,\334\21\261\306\0\14)\371\246\305*\0,\0\14\344gv\26\0\0\0\0\0\0\0\25\0\0\0S\0e\0L\0o\0a\0d\0D\0r\0i\0v\0e\0r\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 106, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0X\256\2220,\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 02721   408   NtFsControlFile  (268, 101, 0x0, 0x0, 0x11c017,  (268, 101, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0X\256\2220,\334\21\261\306\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\12\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=36},  (268, 101, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0X\256\2220,\334\21\261\306\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\12\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 02722   408   NtClose  (264, ... ) == 0x0
 02723   408   NtClose  (268, ... ) == 0x0
 02724   408   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02725   408   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 268, ) == 0x0
 02726   408   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02727   408   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02728   408   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1235732,  (0xc0100080, {24, 0, 0x40, 0, 1235732, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 264, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 264, {status=0x0, info=1}, ) == 0x0
 02729   408   NtSetInformationFile  (264, 1235788, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 02730   408   NtSetInformationFile  (264, 1235780, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 02731   408   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02732   408   NtWriteFile  (264, 101, 0, 0,  (264, 101, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 02733   408   NtReadFile  (264, 101, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (264, 101, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\206\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 02734   408   NtFsControlFile  (264, 101, 0x0, 0x0, 0x11c017,  (264, 101, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\314\341\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\206\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (264, 101, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\314\341\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\206\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 02735   408   NtFsControlFile  (264, 101, 0x0, 0x0, 0x11c017,  (264, 101, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0b\0\0\0\2\0\0\0J\0\0\0\0\0\37\0\0\0\0\0Y\256\2220,\334\21\261\306\0\14)\371\246\305"\0$\0l\343gv\22\0\0\0\0\0\0\0\21\0\0\0S\0e\0U\0n\0d\0o\0c\0k\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 98, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0Y\256\2220,\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) \0$\0l\343gv\22\0\0\0\0\0\0\0\21\0\0\0S\0e\0U\0n\0d\0o\0c\0k\0P\0r\0i\0v\0i\0l\0e\0g\0e\0 (264, 101, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0b\0\0\0\2\0\0\0J\0\0\0\0\0\37\0\0\0\0\0Y\256\2220,\334\21\261\306\0\14)\371\246\305"\0$\0l\343gv\22\0\0\0\0\0\0\0\21\0\0\0S\0e\0U\0n\0d\0o\0c\0k\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 98, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0Y\256\2220,\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) \5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0Y\256\2220,\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) == 0x103
 02736   408   NtFsControlFile  (264, 101, 0x0, 0x0, 0x11c017,  (264, 101, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0Y\256\2220,\334\21\261\306\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\31\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=36},  (264, 101, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0Y\256\2220,\334\21\261\306\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\31\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 02737   408   NtClose  (268, ... ) == 0x0
 02738   408   NtClose  (264, ... ) == 0x0
 02739   408   NtOpenThreadToken  (-2, 0x20, 1, ... ) == STATUS_NO_TOKEN
 02740   408   NtOpenProcessToken  (-1, 0x20, ... 264, ) == 0x0
 02741   408   NtAdjustPrivilegesToken  (264, 0, 1361616, 0, 0, 0, ... ) == 0x0
 02742   408   NtClose  (264, ... ) == 0x0
 02743   408   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02744   408   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 264, ) == 0x0
 02745   408   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02746   408   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02747   408   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1235972,  (0xc0100080, {24, 0, 0x40, 0, 1235972, "\??\PIPE\ntsvcs"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 268, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 268, {status=0x0, info=1}, ) == 0x0
 02748   408   NtSetInformationFile  (268, 1236028, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 02749   408   NtSetInformationFile  (268, 1236020, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 02750   408   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02751   408   NtWriteFile  (268, 101, 0, 0,  (268, 101, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0@N\237\215=\240\316\21\217i\10\0>0\5\33\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 02752   408   NtReadFile  (268, 101, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (268, 101, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\11!\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 02753   408   NtFsControlFile  (268, 101, 0x0, 0x0, 0x11c017,  (268, 101, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\27\0\15c\365S\277\266\320\21\224\362\0\240\311\36\373\213\0\0\0\0\0\0\0\0", 48, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\11!\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 48, 1024, ... {status=0x103, info=68},  (268, 101, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\27\0\15c\365S\277\266\320\21\224\362\0\240\311\36\373\213\0\0\0\0\0\0\0\0", 48, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\11!\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 02754   408   NtOpenThreadToken  (-2, 0x20, 1, ... ) == STATUS_NO_TOKEN
 02755   408   NtOpenProcessToken  (-1, 0x20, ... 272, ) == 0x0
 02756   408   NtAdjustPrivilegesToken  (272, 0, 1405848, 0, 0, 0, ... ) == 0x0
 02757   408   NtClose  (272, ... ) == 0x0
 02758   408   NtFsControlFile  (268, 101, 0x0, 0x0, 0x11c017,  (268, 101, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\04\0\0\0\2\0\0\0\34\0\0\0\0\0\26\0\15c\365S\277\266\320\21\224\362\0\240\311\36\373\213\0\0\0\0S\1\0\0\0\0\0\0", 52, 1024, ... {status=0x103, info=32}, "\5\0\2\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\0\0S\1\0\0\0\0\0\0", ) , 52, 1024, ... {status=0x103, info=32},  (268, 101, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\04\0\0\0\2\0\0\0\34\0\0\0\0\0\26\0\15c\365S\277\266\320\21\224\362\0\240\311\36\373\213\0\0\0\0S\1\0\0\0\0\0\0", 52, 1024, ... {status=0x103, info=32}, "\5\0\2\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\0\0S\1\0\0\0\0\0\0", ) , ) == 0x103
 02759   408   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\FDC#GENERIC_FLOPPY_DRIVE#6&1435b2e2&0&0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, 3, 96, ... 272, {status=0x0, info=1}, ) }, 3, 96, ... 272, {status=0x0, info=1}, ) == 0x0
 02760   408   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\FDC#GENERIC_FLOPPY_DRIVE#6&1435b2e2&0&0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, ... 276, ) }, ... 276, ) == 0x0
 02761   408   NtQuerySymbolicLinkObject  (276, ...  (276, ... "\Device\FloppyPDO0", 38, ) , 38, ) == 0x0
 02762   408   NtClose  (276, ... ) == 0x0
 02763   408   NtQueryVolumeInformationFile  (272, 1236432, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 02764   408   NtClose  (272, ... ) == 0x0
 02765   408   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\FDC#GENERIC_FLOPPY_DRIVE#6&1435b2e2&0&0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, 3, 16, ... 272, {status=0x0, info=1}, ) }, 3, 16, ... 272, {status=0x0, info=1}, ) == 0x0
 02766   408   NtDeviceIoControlFile  (272, 0, 0x0, 0x0, 0x4d0008, 0x0, 0, 520, ... {status=0x0, info=32},  (272, 0, 0x0, 0x0, 0x4d0008, 0x0, 0, 520, ... {status=0x0, info=32}, "\36\0\\0D\0e\0v\0i\0c\0e\0\\0F\0l\0o\0p\0p\0y\00\0", ) , ) == 0x0
 02767   408   NtClose  (272, ... ) == 0x0
 02768   408   NtQueryInformationFile  (-1, 1236432, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 02769   408   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 1236384,  (0x100080, {24, 0, 0x40, 0, 1236384, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 272, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 272, {status=0x0, info=0}, ) == 0x0
 02770   408   NtDeviceIoControlFile  (272, 0, 0x0, 0x0, 0x6d0008,  (272, 0, 0x0, 0x0, 0x6d0008, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0\36\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0F\0l\0o\0p\0p\0y\00\0", 54, 32, ... , 54, 32, ...
 02771   408   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\Device\Floppy0"}, 0, 64, ... -2147482208, {status=0x0, info=1}, ) }, 0, 64, ... -2147482208, {status=0x0, info=1}, ) == 0x0
 02772   408   NtClose  (-2147482208, ... ) == 0x0
 02770   408   NtDeviceIoControlFile  ... ) == STATUS_BUFFER_OVERFLOW
 02773   408   NtDeviceIoControlFile  (272, 0, 0x0, 0x0, 0x6d0008,  (272, 0, 0x0, 0x0, 0x6d0008, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0\36\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0F\0l\0o\0p\0p\0y\00\0", 54, 374, ... , 54, 374, ...
 02774   408   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\Device\Floppy0"}, 0, 64, ... -2147482208, {status=0x0, info=1}, ) }, 0, 64, ... -2147482208, {status=0x0, info=1}, ) == 0x0
 02775   408   NtClose  (-2147482208, ... ) == 0x0
 02773   408   NtDeviceIoControlFile  ... {status=0x0, info=374},  ... {status=0x0, info=374}, "v\1\0\0\2\0\0\0\372\0\0\0`\0\0\08\0\0\0\244\0\0\0\334\0\0\0\36\0v\0Z\1\0\0\34\0\\08\0\0\0\244\0p\0\334\0\0\0\36\0\0\0\\0?\0?\0\\0F\0D\0C\0#\0G\0E\0N\0E\0R\0I\0C\0_\0F\0L\0O\0P\0P\0Y\0_\0D\0R\0I\0V\0E\0#\06\0&\01\04\03\05\0b\02\0e\02\0&\00\0&\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\\0D\0e\0v\0i\0c\0e\0\\0F\0l\0o\0p\0p\0y\00\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\06\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\\0D\0o\0s\0D\0e\0v\0i\0c\0e\0s\0\\0A\0:\0", ) , ) == 0x0
 02776   408   NtClose  (272, ... ) == 0x0
 02777   408   NtAllocateVirtualMemory  (-1, 1417216, 0, 4096, 4096, 4, ... 1417216, 4096, ) == 0x0
 02778   408   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 272, ) }, ... 272, ) == 0x0
 02779   408   NtOpenKey  (0x2000000, {24, 272, 0x40, 0, 0,  (0x2000000, {24, 272, 0x40, 0, 0, "{1a0315e6-a4ba-11db-9d02-806d6172696f}\"}, ... 276, ) }, ... 276, ) == 0x0
 02780   408   NtClose  (272, ... ) == 0x0
 02781   408   NtQueryValueKey  (276,  (276, "Data", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 02782   408   NtQueryValueKey  (276,  (276, "Data", Partial, 712, ... TitleIdx=0, Type=3, Data="\0\0\0\0\\0\\0?\0\\0F\0D\0C\0#\0G\0E\0N\0E\0R\0I\0C\0_\0F\0L\0O\0P\0P\0Y\0_\0D\0R\0I\0V\0E\0#\06\0&\01\04\03\05\0b\02\0e\02\0&\00\0&\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\0\\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\06\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\0\0\0\0\0\310\2\0\0\337\12\0\0\224\1\0\0\230\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\24\1\0\0\337\12\0\0\224\1\0\0\230\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\340\12\0\0\224\1\0\0\230\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0<\0\0\0\304\335\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\0\226\0\0\336\22\0\0\0\0\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0"}, 712, ) , Partial, 712, ... TitleIdx=0, Type=3, Data= (276, "Data", Partial, 712, ... TitleIdx=0, Type=3, Data="\0\0\0\0\\0\\0?\0\\0F\0D\0C\0#\0G\0E\0N\0E\0R\0I\0C\0_\0F\0L\0O\0P\0P\0Y\0_\0D\0R\0I\0V\0E\0#\06\0&\01\04\03\05\0b\02\0e\02\0&\00\0&\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\0\\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\06\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\0\0\0\0\0\310\2\0\0\337\12\0\0\224\1\0\0\230\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\24\1\0\0\337\12\0\0\224\1\0\0\230\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\340\12\0\0\224\1\0\0\230\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0<\0\0\0\304\335\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\0\226\0\0\336\22\0\0\0\0\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0"}, 712, ) }, 712, ) == 0x0
 02783   408   NtClose  (276, ... ) == 0x0
 02784   408   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 276, ) }, ... 276, ) == 0x0
 02785   408   NtOpenKey  (0x2000000, {24, 276, 0x40, 0, 0,  (0x2000000, {24, 276, 0x40, 0, 0, "{1a0315e6-a4ba-11db-9d02-806d6172696f}\"}, ... 272, ) }, ... 272, ) == 0x0
 02786   408   NtClose  (276, ... ) == 0x0
 02787   408   NtQueryValueKey  (272,  (272, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (272, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02788   408   NtClose  (272, ... ) == 0x0
 02789   408   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\IDE#CdRomTEAC_CD-224E-N__________________________1.AA____#3031303030303030303030303030303030303130#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, 3, 96, ... 272, {status=0x0, info=0}, ) }, 3, 96, ... 272, {status=0x0, info=0}, ) == 0x0
 02790   408   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\IDE#CdRomTEAC_CD-224E-N__________________________1.AA____#3031303030303030303030303030303030303130#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, ... 276, ) }, ... 276, ) == 0x0
 02791   408   NtQuerySymbolicLinkObject  (276, ...  (276, ... "\Device\Ide\IdeDeviceP1T0L0-e", 60, ) , 60, ) == 0x0
 02792   408   NtClose  (276, ... ) == 0x0
 02793   408   NtQueryVolumeInformationFile  (272, 1236432, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 02794   408   NtClose  (272, ... ) == 0x0
 02795   408   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\IDE#CdRomTEAC_CD-224E-N__________________________1.AA____#3031303030303030303030303030303030303130#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, 3, 16, ... 272, {status=0x0, info=0}, ) }, 3, 16, ... 272, {status=0x0, info=0}, ) == 0x0
 02796   408   NtDeviceIoControlFile  (272, 0, 0x0, 0x0, 0x4d0008, 0x0, 0, 520, ... {status=0x0, info=30},  (272, 0, 0x0, 0x0, 0x4d0008, 0x0, 0, 520, ... {status=0x0, info=30}, "\34\0\\0D\0e\0v\0i\0c\0e\0\\0C\0d\0R\0o\0m\00\0", ) , ) == 0x0
 02797   408   NtClose  (272, ... ) == 0x0
 02798   408   NtQueryInformationFile  (-1, 1236432, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 02799   408   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 1236384,  (0x100080, {24, 0, 0x40, 0, 1236384, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 272, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 272, {status=0x0, info=0}, ) == 0x0
 02800   408   NtDeviceIoControlFile  (272, 0, 0x0, 0x0, 0x6d0008,  (272, 0, 0x0, 0x0, 0x6d0008, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0\34\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0C\0d\0R\0o\0m\00\0", 52, 32, ... , 52, 32, ...
 02801   408   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\Device\CdRom0"}, 0, 64, ... -2147482208, {status=0x0, info=0}, ) }, 0, 64, ... -2147482208, {status=0x0, info=0}, ) == 0x0
 02802   408   NtClose  (-2147482208, ... ) == 0x0
 02800   408   NtDeviceIoControlFile  ... ) == STATUS_BUFFER_OVERFLOW
 02803   408   NtDeviceIoControlFile  (272, 0, 0x0, 0x0, 0x6d0008,  (272, 0, 0x0, 0x0, 0x6d0008, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0\34\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0C\0d\0R\0o\0m\00\0", 52, 490, ... , 52, 490, ...
 02804   408   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\Device\CdRom0"}, 0, 64, ... -2147482208, {status=0x0, info=0}, ) }, 0, 64, ... -2147482208, {status=0x0, info=0}, ) == 0x0
 02805   408   NtClose  (-2147482208, ... ) == 0x0
 02803   408   NtDeviceIoControlFile  ... {status=0x0, info=490},  ... {status=0x0, info=490}, "\352\1\0\0\2\0\0\0n\1\0\0`\0\0\08\0\0\0\32\1\0\0R\1\0\0\34\0v\0\316\1\0\0\34\0\\08\0\0\0\32\1o\0R\1\0\0\34\0\0\0\\0?\0?\0\\0I\0D\0E\0#\0C\0d\0R\0o\0m\0T\0E\0A\0C\0_\0C\0D\0-\02\02\04\0E\0-\0N\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\01\0.\0A\0A\0_\0_\0_\0_\0#\03\00\03\01\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\01\03\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\\0D\0e\0v\0i\0c\0e\0\\0C\0d\0R\0o\0m\00\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\07\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\\0D\0o\0s\0D\0e\0v\0i\0c\0e\0s\0\\0D\0:\0", ) , ) == 0x0
 02806   408   NtClose  (272, ... ) == 0x0
 02807   408   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 272, ) }, ... 272, ) == 0x0
 02808   408   NtOpenKey  (0x2000000, {24, 272, 0x40, 0, 0,  (0x2000000, {24, 272, 0x40, 0, 0, "{1a0315e7-a4ba-11db-9d02-806d6172696f}\"}, ... 276, ) }, ... 276, ) == 0x0
 02809   408   NtClose  (272, ... ) == 0x0
 02810   408   NtQueryValueKey  (276,  (276, "Data", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 02811   408   NtQueryValueKey  (276,  (276, "Data", Partial, 712, ... TitleIdx=0, Type=3, Data="\0\0\0\0\\0\\0?\0\\0I\0D\0E\0#\0C\0d\0R\0o\0m\0T\0E\0A\0C\0_\0C\0D\0-\02\02\04\0E\0-\0N\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\01\0.\0A\0A\0_\0_\0_\0_\0#\03\00\03\01\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\01\03\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\0\\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\07\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\0\0\0\0\0\310\2\0\0\374\12\0\0\224\1\0\0\230\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\24\1\0\0\374\12\0\0\224\1\0\0\230\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\375\12\0\0\224\1\0\0\230\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0<\0\0\0\304\335\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\0\226\0\0\336\22\0\0\0\0\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0"}, 712, ) , Partial, 712, ... TitleIdx=0, Type=3, Data= (276, "Data", Partial, 712, ... TitleIdx=0, Type=3, Data="\0\0\0\0\\0\\0?\0\\0I\0D\0E\0#\0C\0d\0R\0o\0m\0T\0E\0A\0C\0_\0C\0D\0-\02\02\04\0E\0-\0N\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\01\0.\0A\0A\0_\0_\0_\0_\0#\03\00\03\01\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\01\03\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\0\\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\07\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\0\0\0\0\0\310\2\0\0\374\12\0\0\224\1\0\0\230\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\24\1\0\0\374\12\0\0\224\1\0\0\230\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\375\12\0\0\224\1\0\0\230\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0<\0\0\0\304\335\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\0\226\0\0\336\22\0\0\0\0\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0"}, 712, ) }, 712, ) == 0x0
 02812   408   NtClose  (276, ... ) == 0x0
 02813   408   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 276, ) }, ... 276, ) == 0x0
 02814   408   NtOpenKey  (0x2000000, {24, 276, 0x40, 0, 0,  (0x2000000, {24, 276, 0x40, 0, 0, "{1a0315e7-a4ba-11db-9d02-806d6172696f}\"}, ... 272, ) }, ... 272, ) == 0x0
 02815   408   NtClose  (276, ... ) == 0x0
 02816   408   NtQueryValueKey  (272,  (272, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (272, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02817   408   NtClose  (272, ... ) == 0x0
 02818   408   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\STORAGE#Volume#1&30a96598&0&SignatureEF3BEF3BOffset7E00LengthBFB48200#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, 3, 96, ... 272, {status=0x0, info=0}, ) }, 3, 96, ... 272, {status=0x0, info=0}, ) == 0x0
 02819   408   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\STORAGE#Volume#1&30a96598&0&SignatureEF3BEF3BOffset7E00LengthBFB48200#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, ... 276, ) }, ... 276, ) == 0x0
 02820   408   NtQuerySymbolicLinkObject  (276, ...  (276, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0
 02821   408   NtClose  (276, ... ) == 0x0
 02822   408   NtQueryVolumeInformationFile  (272, 1236432, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 02823   408   NtClose  (272, ... ) == 0x0
 02824   408   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\STORAGE#Volume#1&30a96598&0&SignatureEF3BEF3BOffset7E00LengthBFB48200#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, 3, 16, ... 272, {status=0x0, info=0}, ) }, 3, 16, ... 272, {status=0x0, info=0}, ) == 0x0
 02825   408   NtDeviceIoControlFile  (272, 0, 0x0, 0x0, 0x4d0008, 0x0, 0, 520, ... {status=0x0, info=48},  (272, 0, 0x0, 0x0, 0x4d0008, 0x0, 0, 520, ... {status=0x0, info=48}, ".\0\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0", ) , ) == 0x0
 02826   408   NtClose  (272, ... ) == 0x0
 02827   408   NtQueryInformationFile  (-1, 1236432, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 02828   408   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 1236384,  (0x100080, {24, 0, 0x40, 0, 1236384, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 272, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 272, {status=0x0, info=0}, ) == 0x0
 02829   408   NtDeviceIoControlFile  (272, 0, 0x0, 0x0, 0x6d0008,  (272, 0, 0x0, 0x0, 0x6d0008, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0.\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0", 70, 32, ... , 70, 32, ...
 02830   408   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\Device\HarddiskVolume1"}, 0, 64, ... -2147482208, {status=0x0, info=0}, ) }, 0, 64, ... -2147482208, {status=0x0, info=0}, ) == 0x0
 02831   408   NtClose  (-2147482208, ... ) == 0x0
 02829   408   NtDeviceIoControlFile  ... ) == STATUS_BUFFER_OVERFLOW
 02832   408   NtDeviceIoControlFile  (272, 0, 0x0, 0x0, 0x6d0008,  (272, 0, 0x0, 0x0, 0x6d0008, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0.\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0", 70, 238, ... , 70, 238, ...
 02833   408   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\Device\HarddiskVolume1"}, 0, 64, ... -2147482208, {status=0x0, info=0}, ) }, 0, 64, ... -2147482208, {status=0x0, info=0}, ) == 0x0
 02834   408   NtClose  (-2147482208, ... ) == 0x0
 02832   408   NtDeviceIoControlFile  ... {status=0x0, info=238},  ... {status=0x0, info=238}, "\356\0\0\0\2\0\0\0r\0\0\0`\0\0\08\0\0\0\14\0\0\0D\0\0\0.\0v\0\322\0\0\0\34\0\\08\0\0\0\14\0d\0D\0\0\0.\0k\0;\357;\357\0~\0\0\0\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\09\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\\0D\0o\0s\0D\0e\0v\0i\0c\0e\0s\0\\0C\0:\0", ) , ) == 0x0
 02835   408   NtClose  (272, ... ) == 0x0
 02836   408   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 272, ) }, ... 272, ) == 0x0
 02837   408   NtOpenKey  (0x2000000, {24, 272, 0x40, 0, 0,  (0x2000000, {24, 272, 0x40, 0, 0, "{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, ... 276, ) }, ... 276, ) == 0x0
 02838   408   NtClose  (272, ... ) == 0x0
 02839   408   NtQueryValueKey  (276,  (276, "Data", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 02840   408   NtQueryValueKey  (276,  (276, "Data", Partial, 712, ... TitleIdx=0, Type=3, Data="\0\0\0\0\\0\\0?\0\\0S\0T\0O\0R\0A\0G\0E\0#\0V\0o\0l\0u\0m\0e\0#\01\0&\03\00\0a\09\06\05\09\08\0&\00\0&\0S\0i\0g\0n\0a\0t\0u\0r\0e\0E\0F\03\0B\0E\0F\03\0B\0O\0f\0f\0s\0e\0t\07\0E\00\00\0L\0e\0n\0g\0t\0h\0B\0F\0B\04\08\02\00\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\0\\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\09\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\0\0\0\0\0\310\2\0\0\31\13\0\0\224\1\0\0\230\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\24\1\0\0\31\13\0\0\224\1\0\0\230\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\32\13\0\0\224\1\0\0\230\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0<\0\0\0\304\335\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\0\226\0\0\336\22\0\0\0\0\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0"}, 712, ) , Partial, 712, ... TitleIdx=0, Type=3, Data= (276, "Data", Partial, 712, ... TitleIdx=0, Type=3, Data="\0\0\0\0\\0\\0?\0\\0S\0T\0O\0R\0A\0G\0E\0#\0V\0o\0l\0u\0m\0e\0#\01\0&\03\00\0a\09\06\05\09\08\0&\00\0&\0S\0i\0g\0n\0a\0t\0u\0r\0e\0E\0F\03\0B\0E\0F\03\0B\0O\0f\0f\0s\0e\0t\07\0E\00\00\0L\0e\0n\0g\0t\0h\0B\0F\0B\04\08\02\00\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\0\\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\09\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\0\0\0\0\0\310\2\0\0\31\13\0\0\224\1\0\0\230\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\24\1\0\0\31\13\0\0\224\1\0\0\230\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\32\13\0\0\224\1\0\0\230\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0<\0\0\0\304\335\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\0\226\0\0\336\22\0\0\0\0\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0"}, 712, ) }, 712, ) == 0x0
 02841   408   NtClose  (276, ... ) == 0x0
 02842   408   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 276, ) }, ... 276, ) == 0x0
 02843   408   NtOpenKey  (0x2000000, {24, 276, 0x40, 0, 0,  (0x2000000, {24, 276, 0x40, 0, 0, "{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, ... 272, ) }, ... 272, ) == 0x0
 02844   408   NtClose  (276, ... ) == 0x0
 02845   408   NtQueryValueKey  (272,  (272, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (272, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02846   408   NtClose  (272, ... ) == 0x0
 02847   408   NtQueryInformationFile  (-1, 1237636, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 02848   408   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 1237588,  (0x100080, {24, 0, 0x40, 0, 1237588, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 272, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 272, {status=0x0, info=0}, ) == 0x0
 02849   408   NtDeviceIoControlFile  (272, 0, 0x0, 0x0, 0x6d0034,  (272, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\09\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 8, ... , 520, 8, ...
 02850   408   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e9-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482208, {status=0x0, info=0}, ) }, 0, 64, ... -2147482208, {status=0x0, info=0}, ) == 0x0
 02851   408   NtClose  (-2147482208, ... ) == 0x0
 02849   408   NtDeviceIoControlFile  ... ) == STATUS_BUFFER_OVERFLOW
 02852   408   NtDeviceIoControlFile  (272, 0, 0x0, 0x0, 0x6d0034,  (272, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\09\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 16, ... , 520, 16, ...
 02853   408   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e9-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482208, {status=0x0, info=0}, ) }, 0, 64, ... -2147482208, {status=0x0, info=0}, ) == 0x0
 02854   408   NtClose  (-2147482208, ... ) == 0x0
 02852   408   NtDeviceIoControlFile  ... {status=0x0, info=12},  ... {status=0x0, info=12}, "\10\0\0\0C\0:\0\0\0\0\0", ) , ) == 0x0
 02855   408   NtClose  (272, ... ) == 0x0
 02856   408   NtQueryInformationFile  (-1, 1237636, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 02857   408   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 1237588,  (0x100080, {24, 0, 0x40, 0, 1237588, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 272, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 272, {status=0x0, info=0}, ) == 0x0
 02858   408   NtDeviceIoControlFile  (272, 0, 0x0, 0x0, 0x6d0034,  (272, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\09\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 8, ... , 520, 8, ...
 02859   408   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e9-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482208, {status=0x0, info=0}, ) }, 0, 64, ... -2147482208, {status=0x0, info=0}, ) == 0x0
 02860   408   NtClose  (-2147482208, ... ) == 0x0
 02858   408   NtDeviceIoControlFile  ... ) == STATUS_BUFFER_OVERFLOW
 02861   408   NtDeviceIoControlFile  (272, 0, 0x0, 0x0, 0x6d0034,  (272, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\09\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 16, ... , 520, 16, ...
 02862   408   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e9-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482208, {status=0x0, info=0}, ) }, 0, 64, ... -2147482208, {status=0x0, info=0}, ) == 0x0
 02863   408   NtClose  (-2147482208, ... ) == 0x0
 02861   408   NtDeviceIoControlFile  ... {status=0x0, info=12},  ... {status=0x0, info=12}, "\10\0\0\0C\0:\0\0\0\0\0", ) , ) == 0x0
 02864   408   NtClose  (272, ... ) == 0x0
 02865   408   NtCreateKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, 0, 0x0, 0, ... 272, 2, ) }, 0, 0x0, 0, ... 272, 2, ) == 0x0
 02866   408   NtSetValueKey  (272,  (272, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 0, 1,  (272, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 12, ... ) == 0x0
 02867   408   NtClose  (272, ... ) == 0x0
 02868   408   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\C\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02869   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 02870   408   NtOpenKey  (0x1, {24, 82, 0x40, 0, 0,  (0x1, {24, 82, 0x40, 0, 0, "Applications\Explorer.exe\Drives\C\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02871   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\C\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02872   408   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\C\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02873   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 02874   408   NtOpenKey  (0x1, {24, 82, 0x40, 0, 0,  (0x1, {24, 82, 0x40, 0, 0, "Applications\Explorer.exe\Drives\C\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02875   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\C\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02876   408   NtQueryInformationFile  (-1, 1237636, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 02877   408   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 1237588,  (0x100080, {24, 0, 0x40, 0, 1237588, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 272, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 272, {status=0x0, info=0}, ) == 0x0
 02878   408   NtDeviceIoControlFile  (272, 0, 0x0, 0x0, 0x6d0034,  (272, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\07\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 8, ... , 520, 8, ...
 02879   408   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e7-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482208, {status=0x0, info=0}, ) }, 0, 64, ... -2147482208, {status=0x0, info=0}, ) == 0x0
 02880   408   NtClose  (-2147482208, ... ) == 0x0
 02878   408   NtDeviceIoControlFile  ... ) == STATUS_BUFFER_OVERFLOW
 02881   408   NtDeviceIoControlFile  (272, 0, 0x0, 0x0, 0x6d0034,  (272, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\07\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 16, ... , 520, 16, ...
 02882   408   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e7-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482208, {status=0x0, info=0}, ) }, 0, 64, ... -2147482208, {status=0x0, info=0}, ) == 0x0
 02883   408   NtClose  (-2147482208, ... ) == 0x0
 02881   408   NtDeviceIoControlFile  ... {status=0x0, info=12},  ... {status=0x0, info=12}, "\10\0\0\0D\0:\0\0\0\0\0", ) , ) == 0x0
 02884   408   NtClose  (272, ... ) == 0x0
 02885   408   NtQueryInformationFile  (-1, 1237636, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 02886   408   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 1237588,  (0x100080, {24, 0, 0x40, 0, 1237588, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 272, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 272, {status=0x0, info=0}, ) == 0x0
 02887   408   NtDeviceIoControlFile  (272, 0, 0x0, 0x0, 0x6d0034,  (272, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\07\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 8, ... , 520, 8, ...
 02888   408   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e7-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482208, {status=0x0, info=0}, ) }, 0, 64, ... -2147482208, {status=0x0, info=0}, ) == 0x0
 02889   408   NtClose  (-2147482208, ... ) == 0x0
 02887   408   NtDeviceIoControlFile  ... ) == STATUS_BUFFER_OVERFLOW
 02890   408   NtDeviceIoControlFile  (272, 0, 0x0, 0x0, 0x6d0034,  (272, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\07\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 16, ... , 520, 16, ...
 02891   408   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e7-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482208, {status=0x0, info=0}, ) }, 0, 64, ... -2147482208, {status=0x0, info=0}, ) == 0x0
 02892   408   NtClose  (-2147482208, ... ) == 0x0
 02890   408   NtDeviceIoControlFile  ... {status=0x0, info=12},  ... {status=0x0, info=12}, "\10\0\0\0D\0:\0\0\0\0\0", ) , ) == 0x0
 02893   408   NtClose  (272, ... ) == 0x0
 02894   408   NtCreateKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1a0315e7-a4ba-11db-9d02-806d6172696f}\"}, 0, 0x0, 0, ... 272, 2, ) }, 0, 0x0, 0, ... 272, 2, ) == 0x0
 02895   408   NtSetValueKey  (272,  (272, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 0, 1,  (272, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 12, ... ) == 0x0
 02896   408   NtClose  (272, ... ) == 0x0
 02897   408   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\D\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02898   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 02899   408   NtOpenKey  (0x1, {24, 82, 0x40, 0, 0,  (0x1, {24, 82, 0x40, 0, 0, "Applications\Explorer.exe\Drives\D\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02900   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\D\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02901   408   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\D\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02902   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 02903   408   NtOpenKey  (0x1, {24, 82, 0x40, 0, 0,  (0x1, {24, 82, 0x40, 0, 0, "Applications\Explorer.exe\Drives\D\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02904   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\D\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02905   408   NtQueryInformationFile  (-1, 1237636, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 02906   408   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 1237588,  (0x100080, {24, 0, 0x40, 0, 1237588, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 272, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 272, {status=0x0, info=0}, ) == 0x0
 02907   408   NtDeviceIoControlFile  (272, 0, 0x0, 0x0, 0x6d0034,  (272, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\06\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 8, ... , 520, 8, ...
 02908   408   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e6-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482208, {status=0x0, info=1}, ) }, 0, 64, ... -2147482208, {status=0x0, info=1}, ) == 0x0
 02909   408   NtClose  (-2147482208, ... ) == 0x0
 02907   408   NtDeviceIoControlFile  ... ) == STATUS_BUFFER_OVERFLOW
 02910   408   NtDeviceIoControlFile  (272, 0, 0x0, 0x0, 0x6d0034,  (272, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\06\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 16, ... , 520, 16, ...
 02911   408   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e6-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482208, {status=0x0, info=1}, ) }, 0, 64, ... -2147482208, {status=0x0, info=1}, ) == 0x0
 02912   408   NtClose  (-2147482208, ... ) == 0x0
 02910   408   NtDeviceIoControlFile  ... {status=0x0, info=12},  ... {status=0x0, info=12}, "\10\0\0\0A\0:\0\0\0\0\0", ) , ) == 0x0
 02913   408   NtClose  (272, ... ) == 0x0
 02914   408   NtQueryInformationFile  (-1, 1237636, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 02915   408   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 1237588,  (0x100080, {24, 0, 0x40, 0, 1237588, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 272, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 272, {status=0x0, info=0}, ) == 0x0
 02916   408   NtDeviceIoControlFile  (272, 0, 0x0, 0x0, 0x6d0034,  (272, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\06\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 8, ... , 520, 8, ...
 02917   408   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e6-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482208, {status=0x0, info=1}, ) }, 0, 64, ... -2147482208, {status=0x0, info=1}, ) == 0x0
 02918   408   NtClose  (-2147482208, ... ) == 0x0
 02916   408   NtDeviceIoControlFile  ... ) == STATUS_BUFFER_OVERFLOW
 02919   408   NtDeviceIoControlFile  (272, 0, 0x0, 0x0, 0x6d0034,  (272, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\06\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 16, ... , 520, 16, ...
 02920   408   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e6-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482208, {status=0x0, info=1}, ) }, 0, 64, ... -2147482208, {status=0x0, info=1}, ) == 0x0
 02921   408   NtClose  (-2147482208, ... ) == 0x0
 02919   408   NtDeviceIoControlFile  ... {status=0x0, info=12},  ... {status=0x0, info=12}, "\10\0\0\0A\0:\0\0\0\0\0", ) , ) == 0x0
 02922   408   NtClose  (272, ... ) == 0x0
 02923   408   NtCreateKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1a0315e6-a4ba-11db-9d02-806d6172696f}\"}, 0, 0x0, 0, ... 272, 2, ) }, 0, 0x0, 0, ... 272, 2, ) == 0x0
 02924   408   NtSetValueKey  (272,  (272, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 0, 1,  (272, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 12, ... ) == 0x0
 02925   408   NtClose  (272, ... ) == 0x0
 02926   408   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\A\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02927   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 02928   408   NtOpenKey  (0x1, {24, 82, 0x40, 0, 0,  (0x1, {24, 82, 0x40, 0, 0, "Applications\Explorer.exe\Drives\A\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02929   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\A\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02930   408   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\A\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02931   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 02932   408   NtOpenKey  (0x1, {24, 82, 0x40, 0, 0,  (0x1, {24, 82, 0x40, 0, 0, "Applications\Explorer.exe\Drives\A\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02933   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\A\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02934   408   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 02935   408   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 02936   408   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\F:"}, 3, 96, ... 272, {status=0x0, info=1}, ) }, 3, 96, ... 272, {status=0x0, info=1}, ) == 0x0
 02937   408   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\F:"}, ... 276, ) }, ... 276, ) == 0x0
 02938   408   NtQuerySymbolicLinkObject  (276, ...  (276, ... "\Device\WinDfs\F:00000000000091e5", 66, ) , 66, ) == 0x0
 02939   408   NtClose  (276, ... ) == 0x0
 02940   408   NtQueryVolumeInformationFile  (272, 1237680, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 02941   408   NtClose  (272, ... ) == 0x0
 02942   408   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 02943   408   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\U:"}, 3, 96, ... 272, {status=0x0, info=1}, ) }, 3, 96, ... 272, {status=0x0, info=1}, ) == 0x0
 02944   408   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\U:"}, ... 276, ) }, ... 276, ) == 0x0
 02945   408   NtQuerySymbolicLinkObject  (276, ...  (276, ... "\Device\WinDfs\U:00000000000091e5", 66, ) , 66, ) == 0x0
 02946   408   NtClose  (276, ... ) == 0x0
 02947   408   NtQueryVolumeInformationFile  (272, 1237680, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 02948   408   NtClose  (272, ... ) == 0x0
 02949   408   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 02950   408   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 272, ) }, ... 272, ) == 0x0
 02951   408   NtOpenKey  (0x2000000, {24, 272, 0x40, 0, 0,  (0x2000000, {24, 272, 0x40, 0, 0, "{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, ... 276, ) }, ... 276, ) == 0x0
 02952   408   NtClose  (272, ... ) == 0x0
 02953   408   NtQueryValueKey  (276,  (276, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (276, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02954   408   NtClose  (276, ... ) == 0x0
 02955   408   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02956   408   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02957   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\clr.exe"}, 1238300, ... ) }, 1238300, ... ) == 0x0
 02958   408   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02959   408   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02960   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 276, ) }, ... 276, ) == 0x0
 02961   408   NtQueryValueKey  (276,  (276, "TransparentEnabled", Full, 524, ... TitleIdx=0, Type=4, Name="TransparentEnabled", Data="\1\0\0\0"}, 60, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (276, "TransparentEnabled", Full, 524, ... TitleIdx=0, Type=4, Name="TransparentEnabled", Data="\1\0\0\0"}, 60, ) , Data= (276, "TransparentEnabled", Full, 524, ... TitleIdx=0, Type=4, Name="TransparentEnabled", Data="\1\0\0\0"}, 60, ) }, 60, ) == 0x0
 02962   408   NtClose  (276, ... ) == 0x0
 02963   408   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02964   408   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02965   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\clr.exe"}, 1238204, ... ) }, 1238204, ... ) == 0x0
 02966   408   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02967   408   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02968   408   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{20D04FE0-3AEA-1069-A2D8-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02969   408   NtReleaseSemaphore  (124, 1, ... 0, ) == 0x0
 02970   408   NtWaitForSingleObject  (124, 0, {0, 0}, ... ) == 0x0
 02971   408   NtReleaseSemaphore  (124, 1, ... 0, ) == 0x0
 02972   408   NtWaitForSingleObject  (124, 0, {0, 0}, ... ) == 0x0
 02973   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESC"}, 138, ) }, 138, ) == 0x0
 02974   408   NtOpenKey  (0x1, {24, 82, 0x40, 0, 0,  (0x1, {24, 82, 0x40, 0, 0, "CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02975   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... 276, ) }, ... 276, ) == 0x0
 02976   408   NtQueryKey  (278, Name, 392, ... {Name= (278, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 02977   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02978   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 272, ) == 0x0
 02979   408   NtQueryInformationToken  (272, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02980   408   NtClose  (272, ... ) == 0x0
 02981   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02982   408   NtQueryValueKey  (278, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data= (278, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0S\0H\0E\0L\0L\03\02\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 02983   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1235548, ... ) }, 1235548, ... ) == 0x0
 02984   408   NtClose  (278, ... ) == 0x0
 02985   408   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 02986   408   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 02987   408   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 276, ) }, ... 276, ) == 0x0
 02988   408   NtOpenKey  (0x2000000, {24, 276, 0x40, 0, 0,  (0x2000000, {24, 276, 0x40, 0, 0, "{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, ... 272, ) }, ... 272, ) == 0x0
 02989   408   NtClose  (276, ... ) == 0x0
 02990   408   NtQueryValueKey  (272,  (272, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (272, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02991   408   NtClose  (272, ... ) == 0x0
 02992   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 02993   408   NtOpenKey  (0x2000000, {24, 82, 0x40, 0, 0,  (0x2000000, {24, 82, 0x40, 0, 0, "Drive\shellex\FolderExtensions"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02994   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Drive\shellex\FolderExtensions"}, ... 272, ) }, ... 272, ) == 0x0
 02995   408   NtQueryKey  (274, Name, 392, ... {Name= (274, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensionsl"}, 134, ) }, 134, ) == 0x0
 02996   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02997   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 276, ) == 0x0
 02998   408   NtQueryInformationToken  (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02999   408   NtClose  (276, ... ) == 0x0
 03000   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Drive\shellex\FolderExtensions"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03001   408   NtEnumerateKey  (274, 0, Node, 288, ... {LastWrite={0x5abc7c30,0x1c73999}, TitleIdx=0, Name= (274, 0, Node, 288, ... {LastWrite={0x5abc7c30,0x1c73999}, TitleIdx=0, Name="{fbeb8a05-beee-4442-804e-409d6c4515e9}", Class=""}, 100, ) , Class=""}, 100, ) == 0x0
 03002   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03003   408   NtOpenKey  (0x1, {24, 82, 0x40, 0, 0,  (0x1, {24, 82, 0x40, 0, 0, "Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03004   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... 276, ) }, ... 276, ) == 0x0
 03005   408   NtQueryKey  (278, Name, 392, ... {Name= (278, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, 212, ) }, 212, ) == 0x0
 03006   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03007   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 03008   408   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03009   408   NtClose  (280, ... ) == 0x0
 03010   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03011   408   NtQueryValueKey  (278,  (278, "DriveMask", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (278, "DriveMask", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0
 03012   408   NtClose  (278, ... ) == 0x0
 03013   408   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 03014   408   NtEnumerateKey  (274, 1, Node, 288, ... ) == STATUS_NO_MORE_ENTRIES
 03015   408   NtClose  (274, ... ) == 0x0
 03016   408   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 272, {status=0x0, info=1}, ) }, 3, 16417, ... 272, {status=0x0, info=1}, ) == 0x0
 03017   408   NtQueryDirectoryFile  (272, 0, 0, 0, 1237048, 616, BothDirectory, 1,  (272, 0, 0, 0, 1237048, 616, BothDirectory, 1, "DOCUME~1", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0
 03018   408   NtClose  (272, ... ) == 0x0
 03019   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03020   408   NtOpenKey  (0x2000000, {24, 82, 0x40, 0, 0,  (0x2000000, {24, 82, 0x40, 0, 0, "Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03021   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Directory"}, ... 272, ) }, ... 272, ) == 0x0
 03022   408   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 03023   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03024   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 276, ) == 0x0
 03025   408   NtQueryInformationToken  (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03026   408   NtClose  (276, ... ) == 0x0
 03027   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03028   408   NtOpenKey  (0x1, {24, 274, 0x40, 0, 0,  (0x1, {24, 274, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03029   408   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 03030   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03031   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 276, ) == 0x0
 03032   408   NtQueryInformationToken  (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03033   408   NtClose  (276, ... ) == 0x0
 03034   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03035   408   NtOpenKey  (0x2000000, {24, 274, 0x40, 0, 0, ""}, ... 276, ) == 0x0
 03036   408   NtClose  (274, ... ) == 0x0
 03037   408   NtReleaseSemaphore  (124, 1, ... 0, ) == 0x0
 03038   408   NtWaitForSingleObject  (124, 0, {0, 0}, ... ) == 0x0
 03039   408   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03040   408   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 272, ) }, ... 272, ) == 0x0
 03041   408   NtQueryValueKey  (272,  (272, "DontShowSuperHidden", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03042   408   NtClose  (272, ... ) == 0x0
 03043   408   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03044   408   NtOpenKey  (0x2000000, {24, 116, 0x40, 0, 0, ""}, ... 272, ) == 0x0
 03045   408   NtQueryValueKey  (272,  (272, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (272, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) }, 48, ) == 0x0
 03046   408   NtQueryValueKey  (272,  (272, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (272, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) }, 48, ) == 0x0
 03047   408   NtClose  (272, ... ) == 0x0
 03048   408   NtReleaseSemaphore  (124, 1, ... 0, ) == 0x0
 03049   408   NtWaitForSingleObject  (124, 0, {0, 0}, ... ) == 0x0
 03050   408   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03051   408   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 272, ) }, ... 272, ) == 0x0
 03052   408   NtQueryValueKey  (272,  (272, "ForceActiveDesktopOn", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03053   408   NtClose  (272, ... ) == 0x0
 03054   408   NtReleaseSemaphore  (124, 1, ... 0, ) == 0x0
 03055   408   NtWaitForSingleObject  (124, 0, {0, 0}, ... ) == 0x0
 03056   408   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03057   408   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 272, ) }, ... 272, ) == 0x0
 03058   408   NtQueryValueKey  (272,  (272, "NoActiveDesktop", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03059   408   NtClose  (272, ... ) == 0x0
 03060   408   NtReleaseSemaphore  (124, 1, ... 0, ) == 0x0
 03061   408   NtWaitForSingleObject  (124, 0, {0, 0}, ... ) == 0x0
 03062   408   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03063   408   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 272, ) }, ... 272, ) == 0x0
 03064   408   NtQueryValueKey  (272,  (272, "NoWebView", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03065   408   NtClose  (272, ... ) == 0x0
 03066   408   NtReleaseSemaphore  (124, 1, ... 0, ) == 0x0
 03067   408   NtWaitForSingleObject  (124, 0, {0, 0}, ... ) == 0x0
 03068   408   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03069   408   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 272, ) }, ... 272, ) == 0x0
 03070   408   NtQueryValueKey  (272,  (272, "ClassicShell", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03071   408   NtClose  (272, ... ) == 0x0
 03072   408   NtReleaseSemaphore  (124, 1, ... 0, ) == 0x0
 03073   408   NtWaitForSingleObject  (124, 0, {0, 0}, ... ) == 0x0
 03074   408   NtReleaseSemaphore  (124, 1, ... 0, ) == 0x0
 03075   408   NtWaitForSingleObject  (124, 0, {0, 0}, ... ) == 0x0
 03076   408   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03077   408   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 272, ) }, ... 272, ) == 0x0
 03078   408   NtQueryValueKey  (272,  (272, "SeparateProcess", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03079   408   NtClose  (272, ... ) == 0x0
 03080   408   NtReleaseSemaphore  (124, 1, ... 0, ) == 0x0
 03081   408   NtWaitForSingleObject  (124, 0, {0, 0}, ... ) == 0x0
 03082   408   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03083   408   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 272, ) }, ... 272, ) == 0x0
 03084   408   NtQueryValueKey  (272,  (272, "NoNetCrawling", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03085   408   NtClose  (272, ... ) == 0x0
 03086   408   NtReleaseSemaphore  (124, 1, ... 0, ) == 0x0
 03087   408   NtWaitForSingleObject  (124, 0, {0, 0}, ... ) == 0x0
 03088   408   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03089   408   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 272, ) }, ... 272, ) == 0x0
 03090   408   NtQueryValueKey  (272,  (272, "NoSimpleStartMenu", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03091   408   NtClose  (272, ... ) == 0x0
 03092   408   NtReleaseSemaphore  (124, 1, ... 0, ) == 0x0
 03093   408   NtWaitForSingleObject  (124, 0, {0, 0}, ... ) == 0x0
 03094   408   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03095   408   NtOpenKey  (0x2000000, {24, 116, 0x40, 0, 0,  (0x2000000, {24, 116, 0x40, 0, 0, "Advanced"}, ... 272, ) }, ... 272, ) == 0x0
 03096   408   NtQueryValueKey  (272,  (272, "Hidden", Partial, 144, ... TitleIdx=0, Type=4, Data="\2\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (272, "Hidden", Partial, 144, ... TitleIdx=0, Type=4, Data="\2\0\0\0"}, 16, ) }, 16, ) == 0x0
 03097   408   NtQueryValueKey  (272,  (272, "ShowCompColor", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (272, "ShowCompColor", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03098   408   NtQueryValueKey  (272,  (272, "HideFileExt", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (272, "HideFileExt", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03099   408   NtQueryValueKey  (272,  (272, "DontPrettyPath", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (272, "DontPrettyPath", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03100   408   NtQueryValueKey  (272,  (272, "ShowInfoTip", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (272, "ShowInfoTip", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03101   408   NtQueryValueKey  (272,  (272, "HideIcons", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (272, "HideIcons", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03102   408   NtQueryValueKey  (272,  (272, "MapNetDrvBtn", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (272, "MapNetDrvBtn", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03103   408   NtReleaseSemaphore  (124, 1, ... 0, ) == 0x0
 03104   408   NtWaitForSingleObject  (124, 0, {0, 0}, ... ) == 0x0
 03105   408   NtQueryValueKey  (272,  (272, "WebView", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (272, "WebView", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03106   408   NtQueryValueKey  (272,  (272, "Filter", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (272, "Filter", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03107   408   NtQueryValueKey  (272,  (272, "ShowSuperHidden", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03108   408   NtQueryValueKey  (272,  (272, "SeparateProcess", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (272, "SeparateProcess", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03109   408   NtQueryValueKey  (272,  (272, "NoNetCrawling", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03110   408   NtClose  (272, ... ) == 0x0
 03111   408   NtCreateSemaphore  (0x1f0003, {24, 64, 0x80, 1363000, 0,  (0x1f0003, {24, 64, 0x80, 1363000, 0, "shell.{7CB834F0-527B-11D2-9D1F-0000F805CA57}"}, 0, 2147483647, ... 272, ) }, 0, 2147483647, ... 272, ) == STATUS_OBJECT_NAME_EXISTS
 03112   408   NtReleaseSemaphore  (272, 1, ... 0, ) == 0x0
 03113   408   NtWaitForSingleObject  (272, 0, {0, 0}, ... ) == 0x0
 03114   408   NtQueryKey  (278, Name, 384, ... {Name= (278, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 03115   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03116   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 03117   408   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03118   408   NtClose  (280, ... ) == 0x0
 03119   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory\ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03120   408   NtOpenKey  (0x1, {24, 278, 0x40, 0, 0,  (0x1, {24, 278, 0x40, 0, 0, "ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03121   408   NtQueryKey  (278, Name, 392, ... {Name= (278, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 03122   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03123   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 03124   408   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03125   408   NtClose  (280, ... ) == 0x0
 03126   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03127   408   NtQueryValueKey  (278,  (278, "DocObject", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03128   408   NtQueryKey  (278, Name, 392, ... {Name= (278, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 03129   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03130   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 03131   408   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03132   408   NtClose  (280, ... ) == 0x0
 03133   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03134   408   NtQueryValueKey  (278,  (278, "BrowseInPlace", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03135   408   NtQueryKey  (278, Name, 384, ... {Name= (278, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 03136   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03137   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 03138   408   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03139   408   NtClose  (280, ... ) == 0x0
 03140   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03141   408   NtOpenKey  (0x1, {24, 278, 0x40, 0, 0,  (0x1, {24, 278, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03142   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03143   408   NtOpenKey  (0x2000000, {24, 82, 0x40, 0, 0,  (0x2000000, {24, 82, 0x40, 0, 0, "Folder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03144   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Folder"}, ... 280, ) }, ... 280, ) == 0x0
 03145   408   NtQueryKey  (282, Name, 384, ... {Name= (282, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Foldert"}, 86, ) }, 86, ) == 0x0
 03146   408   NtAllocateVirtualMemory  (-1, 1421312, 0, 4096, 4096, 4, ... 1421312, 4096, ) == 0x0
 03147   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03148   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 03149   408   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03150   408   NtClose  (284, ... ) == 0x0
 03151   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Folder\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03152   408   NtOpenKey  (0x1, {24, 282, 0x40, 0, 0,  (0x1, {24, 282, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03153   408   NtQueryKey  (278, Name, 392, ... {Name= (278, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 03154   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03155   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 03156   408   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03157   408   NtClose  (284, ... ) == 0x0
 03158   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03159   408   NtQueryValueKey  (278,  (278, "IsShortcut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03160   408   NtQueryKey  (278, Name, 392, ... {Name= (278, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 03161   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03162   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 03163   408   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03164   408   NtClose  (284, ... ) == 0x0
 03165   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03166   408   NtQueryValueKey  (278,  (278, "AlwaysShowExt", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (278, "AlwaysShowExt", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 03167   408   NtQueryKey  (278, Name, 392, ... {Name= (278, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 03168   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03169   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 03170   408   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03171   408   NtClose  (284, ... ) == 0x0
 03172   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03173   408   NtQueryValueKey  (278,  (278, "NeverShowExt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03174   408   NtClose  (278, ... ) == 0x0
 03175   408   NtClose  (282, ... ) == 0x0
 03176   408   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\"}, 3, 16417, ... 280, {status=0x0, info=1}, ) }, 3, 16417, ... 280, {status=0x0, info=1}, ) == 0x0
 03177   408   NtQueryDirectoryFile  (280, 0, 0, 0, 1236932, 616, BothDirectory, 1,  (280, 0, 0, 0, 1236932, 616, BothDirectory, 1, "SRI-user", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 03178   408   NtClose  (280, ... ) == 0x0
 03179   408   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\"}, 3, 16417, ... 280, {status=0x0, info=1}, ) }, 3, 16417, ... 280, {status=0x0, info=1}, ) == 0x0
 03180   408   NtQueryDirectoryFile  (280, 0, 0, 0, 1236836, 616, BothDirectory, 1,  (280, 0, 0, 0, 1236836, 616, BothDirectory, 1, "LOCALS~1", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0
 03181   408   NtClose  (280, ... ) == 0x0
 03182   408   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\"}, 3, 16417, ... 280, {status=0x0, info=1}, ) }, 3, 16417, ... 280, {status=0x0, info=1}, ) == 0x0
 03183   408   NtQueryDirectoryFile  (280, 0, 0, 0, 1236756, 616, BothDirectory, 1,  (280, 0, 0, 0, 1236756, 616, BothDirectory, 1, "Temp", 0, ... {status=0x0, info=102}, ) , 0, ... {status=0x0, info=102}, ) == 0x0
 03184   408   NtClose  (280, ... ) == 0x0
 03185   408   NtAllocateVirtualMemory  (-1, 1425408, 0, 4096, 4096, 4, ... 1425408, 4096, ) == 0x0
 03186   408   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temp\"}, 3, 16417, ... 280, {status=0x0, info=1}, ) }, 3, 16417, ... 280, {status=0x0, info=1}, ) == 0x0
 03187   408   NtQueryDirectoryFile  (280, 0, 0, 0, 1236688, 616, BothDirectory, 1,  (280, 0, 0, 0, 1236688, 616, BothDirectory, 1, "clr.exe", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 03188   408   NtClose  (280, ... ) == 0x0
 03189   408   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03190   408   NtOpenKey  (0x2000000, {24, 116, 0x40, 0, 0,  (0x2000000, {24, 116, 0x40, 0, 0, "FileExts"}, ... 280, ) }, ... 280, ) == 0x0
 03191   408   NtOpenKey  (0x2000000, {24, 280, 0x40, 0, 0,  (0x2000000, {24, 280, 0x40, 0, 0, ".exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03192   408   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03193   408   NtOpenKey  (0x2000000, {24, 280, 0x40, 0, 0,  (0x2000000, {24, 280, 0x40, 0, 0, ".exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03194   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES\"}, 138, ) }, 138, ) == 0x0
 03195   408   NtOpenKey  (0x2000000, {24, 82, 0x40, 0, 0,  (0x2000000, {24, 82, 0x40, 0, 0, ".exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03196   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.exe"}, ... 276, ) }, ... 276, ) == 0x0
 03197   408   NtQueryKey  (278, Name, 392, ... {Name= (278, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.exeo"}, 82, ) }, 82, ) == 0x0
 03198   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03199   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 03200   408   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03201   408   NtClose  (284, ... ) == 0x0
 03202   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03203   408   NtQueryValueKey  (278, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (278, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="e\0x\0e\0f\0i\0l\0e\0\0\0"}, 28, ) }, 28, ) == 0x0
 03204   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03205   408   NtOpenKey  (0x2000000, {24, 82, 0x40, 0, 0,  (0x2000000, {24, 82, 0x40, 0, 0, "exefile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03206   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\exefile"}, ... 284, ) }, ... 284, ) == 0x0
 03207   408   NtQueryKey  (286, Name, 384, ... {Name= (286, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\exefile"}, 88, ) }, 88, ) == 0x0
 03208   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03209   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 288, ) == 0x0
 03210   408   NtQueryInformationToken  (288, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03211   408   NtClose  (288, ... ) == 0x0
 03212   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\exefile\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03213   408   NtOpenKey  (0x1, {24, 286, 0x40, 0, 0,  (0x1, {24, 286, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03214   408   NtQueryKey  (286, Name, 384, ... {Name= (286, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\exefile"}, 88, ) }, 88, ) == 0x0
 03215   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03216   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 288, ) == 0x0
 03217   408   NtQueryInformationToken  (288, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03218   408   NtClose  (288, ... ) == 0x0
 03219   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\exefile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03220   408   NtOpenKey  (0x2000000, {24, 286, 0x40, 0, 0, ""}, ... 288, ) == 0x0
 03221   408   NtClose  (286, ... ) == 0x0
 03222   408   NtReleaseSemaphore  (124, 1, ... 0, ) == 0x0
 03223   408   NtWaitForSingleObject  (124, 0, {0, 0}, ... ) == 0x0
 03224   408   NtReleaseSemaphore  (272, 1, ... 0, ) == 0x0
 03225   408   NtWaitForSingleObject  (272, 0, {0, 0}, ... ) == 0x0
 03226   408   NtQueryKey  (290, Name, 384, ... {Name= (290, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\exefile"}, 88, ) }, 88, ) == 0x0
 03227   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03228   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 03229   408   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03230   408   NtClose  (284, ... ) == 0x0
 03231   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\exefile\ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03232   408   NtOpenKey  (0x1, {24, 290, 0x40, 0, 0,  (0x1, {24, 290, 0x40, 0, 0, "ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03233   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03234   408   NtOpenKey  (0x2000000, {24, 82, 0x40, 0, 0,  (0x2000000, {24, 82, 0x40, 0, 0, "SystemFileAssociations\.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03235   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\SystemFileAssociations\.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03236   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESs"}, 138, ) }, 138, ) == 0x0
 03237   408   NtOpenKey  (0x1, {24, 82, 0x40, 0, 0,  (0x1, {24, 82, 0x40, 0, 0, ".exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03238   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.exe"}, ... 284, ) }, ... 284, ) == 0x0
 03239   408   NtQueryKey  (286, Name, 392, ... {Name= (286, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.exeo"}, 82, ) }, 82, ) == 0x0
 03240   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03241   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 292, ) == 0x0
 03242   408   NtQueryInformationToken  (292, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03243   408   NtClose  (292, ... ) == 0x0
 03244   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03245   408   NtQueryValueKey  (286,  (286, "PerceivedType", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03246   408   NtClose  (286, ... ) == 0x0
 03247   408   NtQueryKey  (290, Name, 392, ... {Name= (290, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\exefile"}, 88, ) }, 88, ) == 0x0
 03248   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03249   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 03250   408   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03251   408   NtClose  (284, ... ) == 0x0
 03252   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\exefile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03253   408   NtQueryValueKey  (290,  (290, "DocObject", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03254   408   NtQueryKey  (290, Name, 392, ... {Name= (290, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\exefile"}, 88, ) }, 88, ) == 0x0
 03255   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03256   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 03257   408   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03258   408   NtClose  (284, ... ) == 0x0
 03259   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\exefile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03260   408   NtQueryValueKey  (290,  (290, "BrowseInPlace", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03261   408   NtQueryKey  (290, Name, 384, ... {Name= (290, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\exefile"}, 88, ) }, 88, ) == 0x0
 03262   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03263   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 03264   408   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03265   408   NtClose  (284, ... ) == 0x0
 03266   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\exefile\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03267   408   NtOpenKey  (0x1, {24, 290, 0x40, 0, 0,  (0x1, {24, 290, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03268   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03269   408   NtOpenKey  (0x2000000, {24, 82, 0x40, 0, 0,  (0x2000000, {24, 82, 0x40, 0, 0, "*"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03270   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\*"}, ... 284, ) }, ... 284, ) == 0x0
 03271   408   NtQueryKey  (286, Name, 384, ... {Name= (286, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\*"}, 76, ) }, 76, ) == 0x0
 03272   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03273   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 292, ) == 0x0
 03274   408   NtQueryInformationToken  (292, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03275   408   NtClose  (292, ... ) == 0x0
 03276   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\*\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03277   408   NtOpenKey  (0x1, {24, 286, 0x40, 0, 0,  (0x1, {24, 286, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03278   408   NtQueryKey  (290, Name, 392, ... {Name= (290, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\exefile"}, 88, ) }, 88, ) == 0x0
 03279   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03280   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 292, ) == 0x0
 03281   408   NtQueryInformationToken  (292, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03282   408   NtClose  (292, ... ) == 0x0
 03283   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\exefile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03284   408   NtQueryValueKey  (290,  (290, "IsShortcut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03285   408   NtQueryKey  (290, Name, 392, ... {Name= (290, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\exefile"}, 88, ) }, 88, ) == 0x0
 03286   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03287   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 292, ) == 0x0
 03288   408   NtQueryInformationToken  (292, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03289   408   NtClose  (292, ... ) == 0x0
 03290   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\exefile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03291   408   NtQueryValueKey  (290,  (290, "AlwaysShowExt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03292   408   NtQueryKey  (290, Name, 392, ... {Name= (290, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\exefile"}, 88, ) }, 88, ) == 0x0
 03293   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03294   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 292, ) == 0x0
 03295   408   NtQueryInformationToken  (292, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03296   408   NtClose  (292, ... ) == 0x0
 03297   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\exefile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03298   408   NtQueryValueKey  (290,  (290, "NeverShowExt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03299   408   NtClose  (278, ... ) == 0x0
 03300   408   NtClose  (290, ... ) == 0x0
 03301   408   NtClose  (286, ... ) == 0x0
 03302   408   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03303   408   NtOpenKey  (0x2000000, {24, 280, 0x40, 0, 0,  (0x2000000, {24, 280, 0x40, 0, 0, ".exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03304   408   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03305   408   NtOpenKey  (0x2000000, {24, 280, 0x40, 0, 0,  (0x2000000, {24, 280, 0x40, 0, 0, ".exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03306   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03307   408   NtOpenKey  (0x2000000, {24, 82, 0x40, 0, 0,  (0x2000000, {24, 82, 0x40, 0, 0, ".exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03308   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.exe"}, ... 284, ) }, ... 284, ) == 0x0
 03309   408   NtQueryKey  (286, Name, 392, ... {Name= (286, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.exeo"}, 82, ) }, 82, ) == 0x0
 03310   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03311   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 288, ) == 0x0
 03312   408   NtQueryInformationToken  (288, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03313   408   NtClose  (288, ... ) == 0x0
 03314   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03315   408   NtQueryValueKey  (286, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (286, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="e\0x\0e\0f\0i\0l\0e\0\0\0"}, 28, ) }, 28, ) == 0x0
 03316   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03317   408   NtOpenKey  (0x2000000, {24, 82, 0x40, 0, 0,  (0x2000000, {24, 82, 0x40, 0, 0, "exefile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03318   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\exefile"}, ... 288, ) }, ... 288, ) == 0x0
 03319   408   NtQueryKey  (290, Name, 384, ... {Name= (290, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\exefile"}, 88, ) }, 88, ) == 0x0
 03320   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03321   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 276, ) == 0x0
 03322   408   NtQueryInformationToken  (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03323   408   NtClose  (276, ... ) == 0x0
 03324   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\exefile\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03325   408   NtOpenKey  (0x1, {24, 290, 0x40, 0, 0,  (0x1, {24, 290, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03326   408   NtQueryKey  (290, Name, 384, ... {Name= (290, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\exefile"}, 88, ) }, 88, ) == 0x0
 03327   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03328   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 276, ) == 0x0
 03329   408   NtQueryInformationToken  (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03330   408   NtClose  (276, ... ) == 0x0
 03331   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\exefile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03332   408   NtOpenKey  (0x2000000, {24, 290, 0x40, 0, 0, ""}, ... 276, ) == 0x0
 03333   408   NtClose  (290, ... ) == 0x0
 03334   408   NtQueryKey  (278, Name, 384, ... {Name= (278, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\exefile"}, 88, ) }, 88, ) == 0x0
 03335   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03336   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 288, ) == 0x0
 03337   408   NtQueryInformationToken  (288, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03338   408   NtClose  (288, ... ) == 0x0
 03339   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\exefile\ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03340   408   NtOpenKey  (0x1, {24, 278, 0x40, 0, 0,  (0x1, {24, 278, 0x40, 0, 0, "ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03341   408   NtQueryKey  (286, Name, 384, ... {Name= (286, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.exeC"}, 82, ) }, 82, ) == 0x0
 03342   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03343   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 288, ) == 0x0
 03344   408   NtQueryInformationToken  (288, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03345   408   NtClose  (288, ... ) == 0x0
 03346   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.exe\ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03347   408   NtOpenKey  (0x1, {24, 286, 0x40, 0, 0,  (0x1, {24, 286, 0x40, 0, 0, "ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03348   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03349   408   NtOpenKey  (0x2000000, {24, 82, 0x40, 0, 0,  (0x2000000, {24, 82, 0x40, 0, 0, "SystemFileAssociations\.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03350   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\SystemFileAssociations\.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03351   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESs"}, 138, ) }, 138, ) == 0x0
 03352   408   NtOpenKey  (0x1, {24, 82, 0x40, 0, 0,  (0x1, {24, 82, 0x40, 0, 0, ".exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03353   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.exe"}, ... 288, ) }, ... 288, ) == 0x0
 03354   408   NtQueryKey  (290, Name, 392, ... {Name= (290, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.exeo"}, 82, ) }, 82, ) == 0x0
 03355   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03356   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 292, ) == 0x0
 03357   408   NtQueryInformationToken  (292, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03358   408   NtClose  (292, ... ) == 0x0
 03359   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03360   408   NtQueryValueKey  (290,  (290, "PerceivedType", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03361   408   NtClose  (290, ... ) == 0x0
 03362   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03363   408   NtOpenKey  (0x2000000, {24, 82, 0x40, 0, 0,  (0x2000000, {24, 82, 0x40, 0, 0, "*"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03364   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\*"}, ... 288, ) }, ... 288, ) == 0x0
 03365   408   NtQueryKey  (290, Name, 384, ... {Name= (290, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\*"}, 76, ) }, 76, ) == 0x0
 03366   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03367   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 292, ) == 0x0
 03368   408   NtQueryInformationToken  (292, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03369   408   NtClose  (292, ... ) == 0x0
 03370   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\*\ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03371   408   NtOpenKey  (0x1, {24, 290, 0x40, 0, 0,  (0x1, {24, 290, 0x40, 0, 0, "ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03372   408   NtClose  (286, ... ) == 0x0
 03373   408   NtClose  (278, ... ) == 0x0
 03374   408   NtClose  (290, ... ) == 0x0
 03375   408   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03376   408   NtOpenKey  (0x2000000, {24, 280, 0x40, 0, 0,  (0x2000000, {24, 280, 0x40, 0, 0, ".exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03377   408   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03378   408   NtOpenKey  (0x2000000, {24, 280, 0x40, 0, 0,  (0x2000000, {24, 280, 0x40, 0, 0, ".exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03379   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03380   408   NtOpenKey  (0x2000000, {24, 82, 0x40, 0, 0,  (0x2000000, {24, 82, 0x40, 0, 0, ".exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03381   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.exe"}, ... 288, ) }, ... 288, ) == 0x0
 03382   408   NtQueryKey  (290, Name, 392, ... {Name= (290, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.exeo"}, 82, ) }, 82, ) == 0x0
 03383   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03384   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 276, ) == 0x0
 03385   408   NtQueryInformationToken  (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03386   408   NtClose  (276, ... ) == 0x0
 03387   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03388   408   NtQueryValueKey  (290, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (290, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="e\0x\0e\0f\0i\0l\0e\0\0\0"}, 28, ) }, 28, ) == 0x0
 03389   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03390   408   NtOpenKey  (0x2000000, {24, 82, 0x40, 0, 0,  (0x2000000, {24, 82, 0x40, 0, 0, "exefile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03391   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\exefile"}, ... 276, ) }, ... 276, ) == 0x0
 03392   408   NtQueryKey  (278, Name, 384, ... {Name= (278, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\exefile"}, 88, ) }, 88, ) == 0x0
 03393   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03394   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 03395   408   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03396   408   NtClose  (284, ... ) == 0x0
 03397   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\exefile\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03398   408   NtOpenKey  (0x1, {24, 278, 0x40, 0, 0,  (0x1, {24, 278, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03399   408   NtQueryKey  (278, Name, 384, ... {Name= (278, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\exefile"}, 88, ) }, 88, ) == 0x0
 03400   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03401   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 03402   408   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03403   408   NtClose  (284, ... ) == 0x0
 03404   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\exefile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03405   408   NtOpenKey  (0x2000000, {24, 278, 0x40, 0, 0, ""}, ... 284, ) == 0x0
 03406   408   NtClose  (278, ... ) == 0x0
 03407   408   NtQueryKey  (286, Name, 384, ... {Name= (286, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\exefile"}, 88, ) }, 88, ) == 0x0
 03408   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03409   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 276, ) == 0x0
 03410   408   NtQueryInformationToken  (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03411   408   NtClose  (276, ... ) == 0x0
 03412   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\exefile\shell\open"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03413   408   NtOpenKey  (0x2000000, {24, 286, 0x40, 0, 0,  (0x2000000, {24, 286, 0x40, 0, 0, "shell\open"}, ... 276, ) }, ... 276, ) == 0x0
 03414   408   NtQueryKey  (278, Name, 384, ... {Name= (278, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open3"}, 110, ) }, 110, ) == 0x0
 03415   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03416   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 292, ) == 0x0
 03417   408   NtQueryInformationToken  (292, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03418   408   NtClose  (292, ... ) == 0x0
 03419   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\exefile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03420   408   NtOpenKey  (0x1, {24, 278, 0x40, 0, 0,  (0x1, {24, 278, 0x40, 0, 0, "command"}, ... 292, ) }, ... 292, ) == 0x0
 03421   408   NtQueryKey  (294, Name, 392, ... {Name= (294, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command8"}, 126, ) }, 126, ) == 0x0
 03422   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03423   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 296, ) == 0x0
 03424   408   NtQueryInformationToken  (296, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03425   408   NtClose  (296, ... ) == 0x0
 03426   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\exefile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03427   408   NtQueryValueKey  (294, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=" (294, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=""\0%\01\0"\0 \0%\0*\0\0\0"}, 28, ) \0 \0%\0*\0\0\0"}, 28, ) == 0x0
 03428   408   NtClose  (294, ... ) == 0x0
 03429   408   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03430   408   NtQueryKey  (278, Name, 384, ... {Name= (278, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\opent"}, 110, ) }, 110, ) == 0x0
 03431   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03432   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 292, ) == 0x0
 03433   408   NtQueryInformationToken  (292, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03434   408   NtClose  (292, ... ) == 0x0
 03435   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\exefile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03436   408   NtOpenKey  (0x1, {24, 278, 0x40, 0, 0,  (0x1, {24, 278, 0x40, 0, 0, "command"}, ... 292, ) }, ... 292, ) == 0x0
 03437   408   NtQueryKey  (294, Name, 392, ... {Name= (294, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command8"}, 126, ) }, 126, ) == 0x0
 03438   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03439   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 296, ) == 0x0
 03440   408   NtQueryInformationToken  (296, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03441   408   NtClose  (296, ... ) == 0x0
 03442   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\exefile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03443   408   NtQueryValueKey  (294,  (294, "command", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03444   408   NtClose  (294, ... ) == 0x0
 03445   408   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\App Paths\clr.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03446   408   NtQueryKey  (278, Name, 384, ... {Name= (278, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\opent"}, 110, ) }, 110, ) == 0x0
 03447   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03448   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 292, ) == 0x0
 03449   408   NtQueryInformationToken  (292, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03450   408   NtClose  (292, ... ) == 0x0
 03451   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\exefile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03452   408   NtOpenKey  (0x1, {24, 278, 0x40, 0, 0,  (0x1, {24, 278, 0x40, 0, 0, "command"}, ... 292, ) }, ... 292, ) == 0x0
 03453   408   NtQueryKey  (294, Name, 392, ... {Name= (294, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command8"}, 126, ) }, 126, ) == 0x0
 03454   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03455   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 296, ) == 0x0
 03456   408   NtQueryInformationToken  (296, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03457   408   NtClose  (296, ... ) == 0x0
 03458   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\exefile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03459   408   NtQueryValueKey  (294, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=" (294, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=""\0%\01\0"\0 \0%\0*\0\0\0"}, 28, ) \0 \0%\0*\0\0\0"}, 28, ) == 0x0
 03460   408   NtClose  (294, ... ) == 0x0
 03461   408   NtQueryKey  (278, Name, 384, ... {Name= (278, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open3"}, 110, ) }, 110, ) == 0x0
 03462   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03463   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 292, ) == 0x0
 03464   408   NtQueryInformationToken  (292, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03465   408   NtClose  (292, ... ) == 0x0
 03466   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\exefile\shell\open\ddeexec"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03467   408   NtOpenKey  (0x1, {24, 278, 0x40, 0, 0,  (0x1, {24, 278, 0x40, 0, 0, "ddeexec"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03468   408   NtUserGetForegroundWindow  (... ) == 0x20064
 03469   408   NtQueryKey  (278, Name, 384, ... {Name= (278, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open3"}, 110, ) }, 110, ) == 0x0
 03470   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03471   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 292, ) == 0x0
 03472   408   NtQueryInformationToken  (292, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03473   408   NtClose  (292, ... ) == 0x0
 03474   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\exefile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03475   408   NtOpenKey  (0x1, {24, 278, 0x40, 0, 0,  (0x1, {24, 278, 0x40, 0, 0, "command"}, ... 292, ) }, ... 292, ) == 0x0
 03476   408   NtQueryKey  (294, Name, 392, ... {Name= (294, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command8"}, 126, ) }, 126, ) == 0x0
 03477   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03478   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 296, ) == 0x0
 03479   408   NtQueryInformationToken  (296, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03480   408   NtClose  (296, ... ) == 0x0
 03481   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\exefile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03482   408   NtQueryValueKey  (294, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=" (294, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=""\0%\01\0"\0 \0%\0*\0\0\0"}, 28, ) \0 \0%\0*\0\0\0"}, 28, ) == 0x0
 03483   408   NtClose  (294, ... ) == 0x0
 03484   408   NtReleaseSemaphore  (124, 1, ... 0, ) == 0x0
 03485   408   NtWaitForSingleObject  (124, 0, {0, 0}, ... ) == 0x0
 03486   408   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03487   408   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 292, ) }, ... 292, ) == 0x0
 03488   408   NtQueryValueKey  (292,  (292, "RestrictRun", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03489   408   NtClose  (292, ... ) == 0x0
 03490   408   NtReleaseSemaphore  (124, 1, ... 0, ) == 0x0
 03491   408   NtWaitForSingleObject  (124, 0, {0, 0}, ... ) == 0x0
 03492   408   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03493   408   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 292, ) }, ... 292, ) == 0x0
 03494   408   NtQueryValueKey  (292,  (292, "DisallowRun", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03495   408   NtClose  (292, ... ) == 0x0
 03496   408   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\AppCompatibility\clr.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03497   408   NtCreateFile  (0x80100180, {24, 0, 0x40, 0, 1238664,  (0x80100180, {24, 0, 0x40, 0, 1238664, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\clr.exe"}, 0x0, 0, 3, 1, 96, 0, 0, ... 292, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 96, 0, 0, ... 292, {status=0x0, info=1}, ) == 0x0
 03498   408   NtQueryInformationFile  (292, 1238680, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 03499   408   NtSetInformationFile  (292, 1238680, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 03500   408   NtReadFile  (292, 0, 0, 0, 64, 0x0, 0, ... {status=0x0, info=64},  (292, 0, 0, 0, 64, 0x0, 0, ... {status=0x0, info=64}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\350\0\0\0", ) , ) == 0x0
 03501   408   NtSetInformationFile  (292, 1238720, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 03502   408   NtReadFile  (292, 0, 0, 0, 64, 0x0, 0, ... {status=0x0, info=64},  (292, 0, 0, 0, 64, 0x0, 0, ... {status=0x0, info=64}, "PE\0\0L\1\5\0\177U/F\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\12\0@\0\0\00\0\0\0\0\0\0\1\200\0\0\0\20\0\0\0P\0\0\0\0@\0\0\20\0\0\0\2\0\0", ) , ) == 0x0
 03503   408   NtSetInformationFile  (292, 1238720, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 03504   408   NtReadFile  (292, 0, 0, 0, 4, 0x0, 0, ... {status=0x0, info=4},  (292, 0, 0, 0, 4, 0x0, 0, ... {status=0x0, info=4}, "\4\0\0\0", ) , ) == 0x0
 03505   408   NtSetInformationFile  (292, 1238720, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 03506   408   NtReadFile  (292, 0, 0, 0, 4, 0x0, 0, ... {status=0x0, info=4},  (292, 0, 0, 0, 4, 0x0, 0, ... {status=0x0, info=4}, "\2\0\0\0", ) , ) == 0x0
 03507   408   NtClose  (292, ... ) == 0x0
 03508   408   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\CheckBadApps400"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03509   408   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\App Paths\clr.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03510   408   NtReleaseSemaphore  (124, 1, ... 0, ) == 0x0
 03511   408   NtWaitForSingleObject  (124, 0, {0, 0}, ... ) == 0x0
 03512   408   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03513   408   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 292, ) }, ... 292, ) == 0x0
 03514   408   NtQueryValueKey  (292,  (292, "NoRunasInstallPrompt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03515   408   NtClose  (292, ... ) == 0x0
 03516   408   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\App Paths\clr.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03517   408   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 03518   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\clr.exe"}, 1233504, ... ) }, 1233504, ... ) == 0x0
 03519   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\clr.exe"}, 1234196, ... ) }, 1234196, ... ) == 0x0
 03520   408   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\clr.exe"}, 5, 96, ... 292, {status=0x0, info=1}, ) }, 5, 96, ... 292, {status=0x0, info=1}, ) == 0x0
 03521   408   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 292, ... 296, ) == 0x0
 03522   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03523   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 300, ) }, ... 300, ) == 0x0
 03524   408   NtQueryValueKey  (300,  (300, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03525   408   NtClose  (300, ... ) == 0x0
 03526   408   NtQueryVolumeInformationFile  (292, 1233504, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 03527   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1231488, ... ) }, 1231488, ... ) == 0x0
 03528   408   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 300, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 300, {status=0x0, info=1}, ) == 0x0
 03529   408   NtQueryInformationFile  (300, 1232092, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03530   408   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 300, ... 304, ) == 0x0
 03531   408   NtMapViewOfSection  (304, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x9b0000), 0x0, 1028096, ) == 0x0
 03532   408   NtQueryInformationFile  (300, 1232188, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03533   408   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03534   408   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\"}, 3, 16417, ... 308, {status=0x0, info=1}, ) }, 3, 16417, ... 308, {status=0x0, info=1}, ) == 0x0
 03535   408   NtQueryDirectoryFile  (308, 0, 0, 0, 1229752, 616, BothDirectory, 1,  (308, 0, 0, 0, 1229752, 616, BothDirectory, 1, "clr.exe", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 03536   408   NtClose  (308, ... ) == 0x0
 03537   408   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03538   408   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03539   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\clr.exe"}, 1229140, ... ) }, 1229140, ... ) == 0x0
 03540   408   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 308, {status=0x0, info=1}, ) }, 3, 16417, ... 308, {status=0x0, info=1}, ) == 0x0
 03541   408   NtQueryDirectoryFile  (308, 0, 0, 0, 1228500, 616, BothDirectory, 1,  (308, 0, 0, 0, 1228500, 616, BothDirectory, 1, "DOCUME~1", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0
 03542   408   NtClose  (308, ... ) == 0x0
 03543   408   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\"}, 3, 16417, ... 308, {status=0x0, info=1}, ) }, 3, 16417, ... 308, {status=0x0, info=1}, ) == 0x0
 03544   408   NtQueryDirectoryFile  (308, 0, 0, 0, 1228500, 616, BothDirectory, 1,  (308, 0, 0, 0, 1228500, 616, BothDirectory, 1, "SRI-user", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 03545   408   NtClose  (308, ... ) == 0x0
 03546   408   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\"}, 3, 16417, ... 308, {status=0x0, info=1}, ) }, 3, 16417, ... 308, {status=0x0, info=1}, ) == 0x0
 03547   408   NtQueryDirectoryFile  (308, 0, 0, 0, 1228500, 616, BothDirectory, 1,  (308, 0, 0, 0, 1228500, 616, BothDirectory, 1, "LOCALS~1", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0
 03548   408   NtClose  (308, ... ) == 0x0
 03549   408   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\"}, 3, 16417, ... 308, {status=0x0, info=1}, ) }, 3, 16417, ... 308, {status=0x0, info=1}, ) == 0x0
 03550   408   NtQueryDirectoryFile  (308, 0, 0, 0, 1228500, 616, BothDirectory, 1,  (308, 0, 0, 0, 1228500, 616, BothDirectory, 1, "Temp", 0, ... {status=0x0, info=102}, ) , 0, ... {status=0x0, info=102}, ) == 0x0
 03551   408   NtClose  (308, ... ) == 0x0
 03552   408   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\"}, 3, 16417, ... 308, {status=0x0, info=1}, ) }, 3, 16417, ... 308, {status=0x0, info=1}, ) == 0x0
 03553   408   NtQueryDirectoryFile  (308, 0, 0, 0, 1228500, 616, BothDirectory, 1,  (308, 0, 0, 0, 1228500, 616, BothDirectory, 1, "clr.exe", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 03554   408   NtClose  (308, ... ) == 0x0
 03555   408   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03556   408   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03557   408   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 03558   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03559   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 308, ) == 0x0
 03560   408   NtQueryInformationToken  (308, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03561   408   NtClose  (308, ... ) == 0x0
 03562   408   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03563   408   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\clr.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03564   408   NtUnmapViewOfSection  (-1, 0x9b0000, ... ) == 0x0
 03565   408   NtClose  (304, ... ) == 0x0
 03566   408   NtClose  (300, ... ) == 0x0
 03567   408   NtQuerySection  (296, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 03568   408   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\clr.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03569   408   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 03570   408   NtOpenProcessToken  (-1, 0xa, ... 300, ) == 0x0
 03571   408   NtQueryInformationToken  (300, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 03572   408   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03573   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 304, ) }, ... 304, ) == 0x0
 03574   408   NtQueryValueKey  (304,  (304, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (304, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03575   408   NtQueryValueKey  (304,  (304, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (304, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03576   408   NtClose  (304, ... ) == 0x0
 03577   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 304, ) }, ... 304, ) == 0x0
 03578   408   NtQueryValueKey  (304,  (304, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 03579   408   NtQueryValueKey  (304,  (304, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (304, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0
 03580   408   NtClose  (304, ... ) == 0x0
 03581   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\LevelObjects"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03582   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 304, ) }, ... 304, ) == 0x0
 03583   408   NtQueryValueKey  (304,  (304, "Levels", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03584   408   NtClose  (304, ... ) == 0x0
 03585   408   NtQueryDefaultLocale  (1, 1232876, ... ) == 0x0
 03586   408   NtQueryDefaultLocale  (1, 1232876, ... ) == 0x0
 03587   408   NtQueryDefaultLocale  (1, 1232876, ... ) == 0x0
 03588   408   NtQueryDefaultLocale  (1, 1232876, ... ) == 0x0
 03589   408   NtAllocateVirtualMemory  (-1, 1429504, 0, 4096, 4096, 4, ... 1429504, 4096, ) == 0x0
 03590   408   NtQueryDefaultLocale  (1, 1232876, ... ) == 0x0
 03591   408   NtQueryDefaultLocale  (1, 1232876, ... ) == 0x0
 03592   408   NtQueryDefaultLocale  (1, 1232876, ... ) == 0x0
 03593   408   NtQueryDefaultLocale  (1, 1232876, ... ) == 0x0
 03594   408   NtQueryDefaultLocale  (1, 1232876, ... ) == 0x0
 03595   408   NtQueryDefaultLocale  (1, 1232876, ... ) == 0x0
 03596   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... 304, ) }, ... 304, ) == 0x0
 03597   408   NtEnumerateKey  (304, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name= (304, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name="{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, 92, ) }, 92, ) == 0x0
 03598   408   NtOpenKey  (0x20019, {24, 304, 0x40, 0, 0,  (0x20019, {24, 304, 0x40, 0, 0, "{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, ... 308, ) }, ... 308, ) == 0x0
 03599   408   NtQueryValueKey  (308,  (308, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) , Partial, 280, ... TitleIdx=0, Type=2, Data= (308, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) }, 202, ) == 0x0
 03600   408   NtQueryValueKey  (308,  (308, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (308, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03601   408   NtClose  (308, ... ) == 0x0
 03602   408   NtEnumerateKey  (304, 1, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES
 03603   408   NtClose  (304, ... ) == 0x0
 03604   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03605   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03606   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03607   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03608   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03609   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03610   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03611   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03612   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03613   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03614   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03615   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03616   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03617   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03618   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03619   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 304, ) == 0x0
 03620   408   NtQueryInformationToken  (304, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03621   408   NtClose  (304, ... ) == 0x0
 03622   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03623   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03624   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 304, ) == 0x0
 03625   408   NtQueryInformationToken  (304, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03626   408   NtClose  (304, ... ) == 0x0
 03627   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03628   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03629   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 304, ) == 0x0
 03630   408   NtQueryInformationToken  (304, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03631   408   NtClose  (304, ... ) == 0x0
 03632   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03633   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03634   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 304, ) == 0x0
 03635   408   NtQueryInformationToken  (304, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03636   408   NtClose  (304, ... ) == 0x0
 03637   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03638   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03639   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 304, ) == 0x0
 03640   408   NtQueryInformationToken  (304, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03641   408   NtClose  (304, ... ) == 0x0
 03642   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03643   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03644   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 304, ) == 0x0
 03645   408   NtQueryInformationToken  (304, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03646   408   NtClose  (304, ... ) == 0x0
 03647   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03648   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03649   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 304, ) == 0x0
 03650   408   NtQueryInformationToken  (304, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03651   408   NtClose  (304, ... ) == 0x0
 03652   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03653   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03654   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 304, ) == 0x0
 03655   408   NtQueryInformationToken  (304, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03656   408   NtClose  (304, ... ) == 0x0
 03657   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03658   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03659   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 304, ) == 0x0
 03660   408   NtQueryInformationToken  (304, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03661   408   NtClose  (304, ... ) == 0x0
 03662   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03663   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03664   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 304, ) == 0x0
 03665   408   NtQueryInformationToken  (304, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03666   408   NtClose  (304, ... ) == 0x0
 03667   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03668   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03669   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 304, ) == 0x0
 03670   408   NtQueryInformationToken  (304, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03671   408   NtClose  (304, ... ) == 0x0
 03672   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03673   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03674   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 304, ) == 0x0
 03675   408   NtQueryInformationToken  (304, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03676   408   NtClose  (304, ... ) == 0x0
 03677   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03678   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03679   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 304, ) == 0x0
 03680   408   NtQueryInformationToken  (304, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03681   408   NtClose  (304, ... ) == 0x0
 03682   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03683   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03684   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 304, ) == 0x0
 03685   408   NtQueryInformationToken  (304, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03686   408   NtClose  (304, ... ) == 0x0
 03687   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03688   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03689   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 304, ) == 0x0
 03690   408   NtQueryInformationToken  (304, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03691   408   NtClose  (304, ... ) == 0x0
 03692   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03693   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 304, ) }, ... 304, ) == 0x0
 03694   408   NtQueryValueKey  (304,  (304, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (304, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Data= (304, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) }, 48, ) == 0x0
 03695   408   NtClose  (304, ... ) == 0x0
 03696   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03697   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 304, ) == 0x0
 03698   408   NtQueryInformationToken  (304, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03699   408   NtClose  (304, ... ) == 0x0
 03700   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03701   408   NtOpenThreadToken  (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN
 03702   408   NtOpenProcessToken  (-1, 0xa, ... 304, ) == 0x0
 03703   408   NtDuplicateToken  (304, 0xc, {24, 0, 0x0, 0, 1233396, 0x0}, 0, 2, ... 308, ) == 0x0
 03704   408   NtClose  (304, ... ) == 0x0
 03705   408   NtAccessCheck  (1327344, 308, 0x1, 1233524, 1233468, 56, 1233552, ... (0x1), ) == 0x0
 03706   408   NtClose  (308, ... ) == 0x0
 03707   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 308, ) }, ... 308, ) == 0x0
 03708   408   NtQueryValueKey  (308,  (308, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (308, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03709   408   NtClose  (308, ... ) == 0x0
 03710   408   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 308, ) }, ... 308, ) == 0x0
 03711   408   NtQuerySymbolicLinkObject  (308, ...  (308, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0
 03712   408   NtClose  (308, ... ) == 0x0
 03713   408   NtQueryInformationFile  (292, 1231856, 528, Name, ... {status=0x0, info=124}, ) == 0x0
 03714   408   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03715   408   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03716   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temp\clr.exe"}, 1230536, ... ) }, 1230536, ... ) == 0x0
 03717   408   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\"}, 3, 16417, ... 308, {status=0x0, info=1}, ) }, 3, 16417, ... 308, {status=0x0, info=1}, ) == 0x0
 03718   408   NtQueryDirectoryFile  (308, 0, 0, 0, 1229896, 616, BothDirectory, 1,  (308, 0, 0, 0, 1229896, 616, BothDirectory, 1, "SRI-user", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 03719   408   NtClose  (308, ... ) == 0x0
 03720   408   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\"}, 3, 16417, ... 308, {status=0x0, info=1}, ) }, 3, 16417, ... 308, {status=0x0, info=1}, ) == 0x0
 03721   408   NtQueryDirectoryFile  (308, 0, 0, 0, 1229896, 616, BothDirectory, 1,  (308, 0, 0, 0, 1229896, 616, BothDirectory, 1, "Temp", 0, ... {status=0x0, info=102}, ) , 0, ... {status=0x0, info=102}, ) == 0x0
 03722   408   NtClose  (308, ... ) == 0x0
 03723   408   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temp\"}, 3, 16417, ... 308, {status=0x0, info=1}, ) }, 3, 16417, ... 308, {status=0x0, info=1}, ) == 0x0
 03724   408   NtQueryDirectoryFile  (308, 0, 0, 0, 1229896, 616, BothDirectory, 1,  (308, 0, 0, 0, 1229896, 616, BothDirectory, 1, "clr.exe", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 03725   408   NtClose  (308, ... ) == 0x0
 03726   408   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03727   408   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03728   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03729   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 308, ) == 0x0
 03730   408   NtQueryInformationToken  (308, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03731   408   NtClose  (308, ... ) == 0x0
 03732   408   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 308, ) }, ... 308, ) == 0x0
 03733   408   NtOpenKey  (0x20019, {24, 308, 0x40, 0, 0,  (0x20019, {24, 308, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 304, ) }, ... 304, ) == 0x0
 03734   408   NtClose  (308, ... ) == 0x0
 03735   408   NtQueryValueKey  (304,  (304, "Cache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 03736   408   NtQueryValueKey  (304,  (304, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=1, Data= (304, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) }, 162, ) == 0x0
 03737   408   NtClose  (304, ... ) == 0x0
 03738   408   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 8192, 4, ... 10158080, 4096, ) == 0x0
 03739   408   NtAllocateVirtualMemory  (-1, 10158080, 0, 4096, 4096, 4, ... 10158080, 4096, ) == 0x0
 03740   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 304, ) }, ... 304, ) == 0x0
 03741   408   NtQueryValueKey  (304,  (304, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03742   408   NtClose  (304, ... ) == 0x0
 03743   408   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03744   408   NtQueryInformationToken  (300, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0
 03745   408   NtQueryInformationToken  (300, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0
 03746   408   NtClose  (300, ... ) == 0x0
 03747   408   NtCreateProcessEx  (1236132, 2035711, 0, -1, 0, 296, 0, 0, 0, ... ) == 0x0
 03748   408   NtSetInformationProcess  (300, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03749   408   NtQueryInformationProcess  (300, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=384,ParentPid=404,}, 0x0, ) == 0x0
 03750   408   NtReadVirtualMemory  (300, 0x7ffdf008, 4, ...  (300, 0x7ffdf008, 4, ... "\0\0@\0", 0x0, ) , 0x0, ) == 0x0
 03751   408   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\clr.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03752   408   NtAllocateVirtualMemory  (-1, 1433600, 0, 8192, 4096, 4, ... 1433600, 8192, ) == 0x0
 03753   408   NtReadVirtualMemory  (300, 0x400000, 4096, ...  (300, 0x400000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\350\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\327\310\33L\223\251u\37\223\251u\37\223\251u\37\226\245*\37\265\251u\37\226\245z\37\230\251u\37i\212l\37\221\251u\37\20\241(\37\220\251u\37\223\251t\37\322\251u\37\226\245\25\37\220\251u\37\226\245/\37\222\251u\37Rich\223\251u\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\5\0\177U/F\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\12\0@\0\0\00\0\0\0\0\0\0\1\200\0\0\0\20\0\0\0P\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\260\0\0\0\6\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\254\217\0\0\\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0T\217\0\0\10\0\0\0\20Q\0\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0.text\0\0\0\0@\0\0\0\20\0\0\0&\0\0", 4096, ) , 4096, ) == 0x0
 03754   408   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 03755   408   NtQueryInformationProcess  (300, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=384,ParentPid=404,}, 0x0, ) == 0x0
 03756   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\U:\startupscripts"}, 1234196, ... ) }, 1234196, ... ) == 0x0
 03757   408   NtAllocateVirtualMemory  (-1, 0, 0, 1764, 4096, 4, ... 10223616, 4096, ) == 0x0
 03758   408   NtAllocateVirtualMemory  (300, 0, 0, 1910, 4096, 4, ... 65536, 4096, ) == 0x0
 03759   408   NtWriteVirtualMemory  (300, 0x10000,  (300, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0
 03760   408   NtAllocateVirtualMemory  (300, 0, 0, 1764, 4096, 4, ... 131072, 4096, ) == 0x0
 03761   408   NtWriteVirtualMemory  (300, 0x20000,  (300, 0x20000, "\0\20\0\0\344\6\0\0\0\0\0\0\0\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"\0\10\2\220\2\0\0\0\0\0\0\32\1\34\1\230\4\0\0T\0V\0\264\5\0\0Z\0\\0\14\6\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\11\0\0\0T\0V\0h\6\0\0\36\0 \0\300\6\0\0\0\0\2\0\340\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1764, ... 0x0, ) \0\10\2\220\2\0\0\0\0\0\0\32\1\34\1\230\4\0\0T\0V\0\264\5\0\0Z\0\\0\14\6\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\11\0\0\0T\0V\0h\6\0\0\36\0 \0\300\6\0\0\0\0\2\0\340\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1764, ... 0x0, ) == 0x0
 03762   408   NtWriteVirtualMemory  (300, 0x7ffdf010,  (300, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 03763   408   NtWriteVirtualMemory  (300, 0x7ffdf1e8,  (300, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 03764   408   NtFreeVirtualMemory  (-1, (0x9c0000), 0, 32768, ... (0x9c0000), 4096, ) == 0x0
 03765   408   NtAllocateVirtualMemory  (300, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0
 03766   408   NtAllocateVirtualMemory  (300, 1236992, 0, 8192, 4096, 4, ... 1236992, 8192, ) == 0x0
 03767   408   NtProtectVirtualMemory  (300, (0x12e000), 4096, 260, ... (0x12e000), 4096, 4, ) == 0x0
 03768   408   NtCreateThread  (0x1f03ff, 0x0, 300, 1234396, 1235116, 1, ... 304, {384, 380}, ) == 0x0
 03769   408   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 0, 1236228, 0, 0}  (24, {168, 196, new_msg, 0, 0, 1236228, 0, 0} "\0\0\0\0\0\0\1\0\24\0\0\0\1\0\0\0/\1\0\00\1\0\0\200\1\0\0|\1\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\0\220\337\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 404, 408, 1503, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\1\0\0\0,\1\0\00\1\0\0\200\1\0\0|\1\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\0\220\337\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {168, 196, reply, 0, 404, 408, 1503, 0}  (24, {168, 196, new_msg, 0, 0, 1236228, 0, 0} "\0\0\0\0\0\0\1\0\24\0\0\0\1\0\0\0/\1\0\00\1\0\0\200\1\0\0|\1\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\0\220\337\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 404, 408, 1503, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\1\0\0\0,\1\0\00\1\0\0\200\1\0\0|\1\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\0\220\337\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 03770   408   NtResumeThread  (304, ... 1, ) == 0x0
 03771   408   NtClose  (292, ... ) == 0x0
 03772   408   NtClose  (296, ... ) == 0x0
 03773   408   NtClose  (278, ... ) == 0x0
 03774   408   NtClose  (290, ... ) == 0x0
 03775   408   NtClose  (286, ... ) == 0x0
 03776   408   NtClose  (300, ... ) == 0x0
 03777   408   NtClose  (304, ... ) == 0x0
 03778   408   NtGdiDeleteObjectApp  (419955716, ... ) == 0x1
 03779   408   NtUserGetClassInfo  (1989935104, 1238436, 1238388, 1238464, 0, ... ) == 0x0
 03780   408   NtUserGetClassInfo  (1989935104, 1238436, 1238388, 1238464, 0, ... ) == 0x0
 03781   408   NtUserGetClassInfo  (1989935104, 1238436, 1238388, 1238464, 0, ... ) == 0x0
 03782   408   NtUserGetClassInfo  (1989935104, 1238436, 1238388, 1238464, 0, ... ) == 0x0
 03783   408   NtUserGetClassInfo  (1989935104, 1238436, 1238388, 1238464, 0, ... ) == 0x0
 03784   408   NtUserGetClassInfo  (1989935104, 1238436, 1238388, 1238464, 0, ... ) == 0x0
 03785   408   NtUserGetClassInfo  (1989935104, 1238436, 1238388, 1238464, 0, ... ) == 0x0
 03786   408   NtUserGetClassInfo  (1989935104, 1238436, 1238388, 1238464, 0, ... ) == 0x0
 03787   408   NtUnmapViewOfSection  (-1, 0xb00000, ... ) == 0x0
 03788   408   NtClose  (240, ... ) == 0x0
 03789   408   NtUnmapViewOfSection  (-1, 0x769c0000, ... ) == 0x0
 03790   408   NtUserDestroyWindow  (131248, ...
 03791   408   NtUserRemoveProp  (131248, 43288, ... ) == 0xffffffff
 03792   408   NtUserRemoveProp  (131248, 43282, ... ) == 0x0
 03793   408   NtUserRemoveProp  (131248, 43287, ... ) == 0x0
 03790   408   NtUserDestroyWindow  ... ) == 0x1
 03794   408   NtUserUnregisterClass  (1239576, 1998258176, 1239564, ... ) == 0x1
 03795   408   NtClose  (144, ... ) == 0x0
 03796   408   NtClose  (136, ... ) == 0x0
 03797   408   NtClose  (140, ... ) == 0x0
 03798   408   NtClose  (108, ... ) == 0x0
 03799   408   NtClose  (132, ... ) == 0x0
 03800   408   NtClose  (164, ... ) == 0x0
 03801   408   NtClose  (168, ... ) == 0x0
 03802   408   NtClose  (160, ... ) == 0x0
 03803   408   NtClose  (152, ... ) == 0x0
 03804   408   NtClose  (156, ... ) == 0x0
 03805   408   NtClose  (180, ... ) == 0x0
 03806   408   NtClose  (184, ... ) == 0x0
 03807   408   NtClose  (172, ... ) == 0x0
 03808   408   NtClose  (176, ... ) == 0x0
 03809   408   NtClose  (204, ... ) == 0x0
 03810   408   NtClose  (196, ... ) == 0x0
 03811   408   NtClose  (200, ... ) == 0x0
 03812   408   NtClose  (188, ... ) == 0x0
 03813   408   NtClose  (192, ... ) == 0x0
 03814   408   NtClose  (208, ... ) == 0x0
 03815   408   NtClose  (212, ... ) == 0x0
 03816   408   NtClose  (224, ... ) == 0x0
 03817   408   NtClose  (228, ... ) == 0x0
 03818   408   NtClose  (216, ... ) == 0x0
 03819   408   NtClose  (220, ... ) == 0x0
 03820   408   NtQueryDefaultLocale  (1, 1243752, ... ) == 0x0
 03821   408   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1243880,  (0xc0100080, {24, 0, 0x40, 0, 1243880, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\hp.exe"}, 0x0, 128, 1, 5, 96, 0, 0, ... }, 0x0, 128, 1, 5, 96, 0, 0, ...
 03822   408   NtClose  (-2147482208, ... ) == 0x0
 03821   408   NtCreateFile  ... 220, {status=0x0, info=2}, ) == 0x0
 03823   408   NtWriteFile  (220, 0, 0, 0,  (220, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\320\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\267q\203\304\363\20\355\227\363\20\355\227\363\20\355\227p\30\260\227\360\20\355\227\363\20\354\227\347\20\355\227\366\34\215\227\366\20\355\227\366\34\267\227\362\20\355\227Rich\363\20\355\227\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\4\0\240\376)F\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\12\0\10\0\0\0\10\0\0\0\0\0\0`\23\0\0\0\20\0\0\00\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0P\0\0\0\4\0\0\0\0\0\0\2\0\0\4\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0l2\0\0(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0@0\0\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\0\0@\0\0\0\3001\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.test\0\0\0\337\3\0\0\0\20\0\0\0\4\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0`.tex", 5120, 0x0, 0, ... {status=0x0, info=5120}, ) , 5120, 0x0, 0, ... {status=0x0, info=5120}, ) == 0x0
 03824   408   NtClose  (220, ... ) == 0x0
 03825   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1237248, ... ) }, 1237248, ... ) == 0x0
 03826   408   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 220, {status=0x0, info=1}, ) }, 5, 96, ... 220, {status=0x0, info=1}, ) == 0x0
 03827   408   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 220, ... 216, ) == 0x0
 03828   408   NtClose  (220, ... ) == 0x0
 03829   408   NtMapViewOfSection  (216, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x9c0000), 0x0, 262144, ) == 0x0
 03830   408   NtClose  (216, ... ) == 0x0
 03831   408   NtUnmapViewOfSection  (-1, 0x9c0000, ... ) == 0x0
 03832   408   NtUserRegisterClassExWOW  (1239332, 1239412, 1239396, 1239428, 0, 384, 0, ... ) == 0x810dc038
 03833   408   NtUserGetAtomName  (49208, 1238096, ... ) == 0x15
 03834   408   NtUserCreateWindowEx  (0, 49208, 49208,  (0, 49208, 49208, "OleMainThreadWndName", -2013265920, -2147483648, -2147483648, -2147483648, -2147483648, -3, 0, 1998258176, 0, 1073742848, 0, ... , -2013265920, -2147483648, -2147483648, -2147483648, -2147483648, -3, 0, 1998258176, 0, 1073742848, 0, ...
 03835   408   NtUserMessageCall  (0x300b0, WM_NCCREATE, 0x0, 0x12e3fc, 0, 670, 0, ... ) == 0x1
 03836   408   NtUserMessageCall  (0x300b0, WM_NCCALCSIZE, 0x0, 0x12e424, 0, 670, 0, ... ) == 0x0
 03837   408   NtUserSetProp  (196784, 43288, -1, ... ) == 0x1
 03834   408   NtUserCreateWindowEx  ... ) == 0x300b0
 03838   408   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, ... 216, ) }, ... 216, ) == 0x0
 03839   408   NtQueryValueKey  (216,  (216, "MaximizeApps", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03840   408   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, ... 220, ) }, ... 220, ) == 0x0
 03841   408   NtQueryValueKey  (220,  (220, "MaximizeApps", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03842   408   NtClose  (220, ... ) == 0x0
 03843   408   NtClose  (216, ... ) == 0x0
 03844   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\U:\startupscripts"}, 1237904, ... ) }, 1237904, ... ) == 0x0
 03845   408   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03846   408   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03847   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\hp.exe"}, 1237724, ... ) }, 1237724, ... ) == 0x0
 03848   408   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03849   408   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03850   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES"}, 138, ) }, 138, ) == 0x0
 03851   408   NtOpenKey  (0x2000000, {24, 82, 0x40, 0, 0,  (0x2000000, {24, 82, 0x40, 0, 0, "Drive\shellex\FolderExtensions"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03852   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Drive\shellex\FolderExtensions"}, ... 216, ) }, ... 216, ) == 0x0
 03853   408   NtQueryKey  (218, Name, 392, ... {Name= (218, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensionsl"}, 134, ) }, 134, ) == 0x0
 03854   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03855   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 220, ) == 0x0
 03856   408   NtQueryInformationToken  (220, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03857   408   NtClose  (220, ... ) == 0x0
 03858   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Drive\shellex\FolderExtensions"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03859   408   NtEnumerateKey  (218, 0, Node, 288, ... {LastWrite={0x5abc7c30,0x1c73999}, TitleIdx=0, Name= (218, 0, Node, 288, ... {LastWrite={0x5abc7c30,0x1c73999}, TitleIdx=0, Name="{fbeb8a05-beee-4442-804e-409d6c4515e9}", Class=""}, 100, ) , Class=""}, 100, ) == 0x0
 03860   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03861   408   NtOpenKey  (0x1, {24, 82, 0x40, 0, 0,  (0x1, {24, 82, 0x40, 0, 0, "Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03862   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... 220, ) }, ... 220, ) == 0x0
 03863   408   NtQueryKey  (222, Name, 392, ... {Name= (222, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, 212, ) }, 212, ) == 0x0
 03864   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03865   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 228, ) == 0x0
 03866   408   NtQueryInformationToken  (228, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03867   408   NtClose  (228, ... ) == 0x0
 03868   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03869   408   NtQueryValueKey  (222,  (222, "DriveMask", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (222, "DriveMask", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0
 03870   408   NtClose  (222, ... ) == 0x0
 03871   408   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 03872   408   NtEnumerateKey  (218, 1, Node, 288, ... ) == STATUS_NO_MORE_ENTRIES
 03873   408   NtClose  (218, ... ) == 0x0
 03874   408   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace"}, ... 216, ) }, ... 216, ) == 0x0
 03875   408   NtEnumerateKey  (216, 0, Basic, 288, ... {LastWrite={0x98c5c536,0x1c738c7}, TitleIdx=0, Name= (216, 0, Basic, 288, ... {LastWrite={0x98c5c536,0x1c738c7}, TitleIdx=0, Name="Controls"}, 32, ) }, 32, ) == 0x0
 03876   408   NtOpenKey  (0x20019, {24, 216, 0x40, 0, 0,  (0x20019, {24, 216, 0x40, 0, 0, "Controls"}, ... 220, ) }, ... 220, ) == 0x0
 03877   408   NtQueryValueKey  (220,  (220, "SuppressionPolicy", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03878   408   NtQueryValueKey  (220, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (220, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\02\01\0E\0C\02\00\02\00\0-\03\0A\0E\0A\0-\01\00\06\09\0-\0A\02\0D\0D\0-\00\08\00\00\02\0B\03\00\03\00\09\0D\0}\0\0\0"}, 90, ) }, 90, ) == 0x0
 03879   408   NtClose  (220, ... ) == 0x0
 03880   408   NtEnumerateKey  (216, 1, Basic, 288, ... {LastWrite={0x5aa70706,0x1c73999}, TitleIdx=0, Name= (216, 1, Basic, 288, ... {LastWrite={0x5aa70706,0x1c73999}, TitleIdx=0, Name="DelegateFolders6"}, 46, ) }, 46, ) == 0x0
 03881   408   NtOpenKey  (0x20019, {24, 216, 0x40, 0, 0,  (0x20019, {24, 216, 0x40, 0, 0, "DelegateFolders"}, ... 220, ) }, ... 220, ) == 0x0
 03882   408   NtQueryValueKey  (220,  (220, "SuppressionPolicy", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03883   408   NtQueryValueKey  (220, 0x0, Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03884   408   NtClose  (220, ... ) == 0x0
 03885   408   NtEnumerateKey  (216, 2, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 03886   408   NtClose  (216, ... ) == 0x0
 03887   408   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace"}, ... 216, ) }, ... 216, ) == 0x0
 03888   408   NtEnumerateKey  (216, 0, Basic, 288, ... {LastWrite={0x9324a644,0x1c7399c}, TitleIdx=0, Name= (216, 0, Basic, 288, ... {LastWrite={0x9324a644,0x1c7399c}, TitleIdx=0, Name="{BDEADF00-C265-11d0-BCED-00A0C90AB50F}"}, 92, ) }, 92, ) == 0x0
 03889   408   NtOpenKey  (0x20019, {24, 216, 0x40, 0, 0,  (0x20019, {24, 216, 0x40, 0, 0, "{BDEADF00-C265-11d0-BCED-00A0C90AB50F}"}, ... 220, ) }, ... 220, ) == 0x0
 03890   408   NtQueryValueKey  (220,  (220, "SuppressionPolicy", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03891   408   NtClose  (220, ... ) == 0x0
 03892   408   NtEnumerateKey  (216, 1, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 03893   408   NtClose  (216, ... ) == 0x0
 03894   408   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03895   408   NtOpenKey  (0x2000000, {24, 116, 0x40, 0, 0, ""}, ... 216, ) == 0x0
 03896   408   NtCreateKey  (0x20019, {24, 216, 0x40, 0, 0,  (0x20019, {24, 216, 0x40, 0, 0, "SessionInfo\00000000000091e5"}, 0, 0x0, 1, ... 220, 2, ) }, 0, 0x0, 1, ... 220, 2, ) == 0x0
 03897   408   NtClose  (216, ... ) == 0x0
 03898   408   NtOpenKey  (0x20019, {24, 220, 0x40, 0, 0,  (0x20019, {24, 220, 0x40, 0, 0, "MyComputer\NameSpace"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03899   408   NtClose  (220, ... ) == 0x0
 03900   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 03901   408   NtOpenKey  (0x2000000, {24, 82, 0x40, 0, 0,  (0x2000000, {24, 82, 0x40, 0, 0, "CLSID\{21EC2020-3AEA-1069-A2DD-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03902   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{21EC2020-3AEA-1069-A2DD-08002B30309D}\ShellFolder"}, ... 220, ) }, ... 220, ) == 0x0
 03903   408   NtQueryKey  (222, Name, 392, ... {Name= (222, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21EC2020-3AEA-1069-A2DD-08002B30309D}\ShellFolderB"}, 186, ) }, 186, ) == 0x0
 03904   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03905   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 216, ) == 0x0
 03906   408   NtQueryInformationToken  (216, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03907   408   NtClose  (216, ... ) == 0x0
 03908   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{21EC2020-3AEA-1069-A2DD-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03909   408   NtQueryValueKey  (222,  (222, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03910   408   NtClose  (222, ... ) == 0x0
 03911   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03912   408   NtOpenKey  (0x2000000, {24, 82, 0x40, 0, 0,  (0x2000000, {24, 82, 0x40, 0, 0, "CLSID\{BDEADF00-C265-11D0-BCED-00A0C90AB50F}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03913   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{BDEADF00-C265-11D0-BCED-00A0C90AB50F}\ShellFolder"}, ... 220, ) }, ... 220, ) == 0x0
 03914   408   NtQueryKey  (222, Name, 392, ... {Name= (222, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BDEADF00-C265-11d0-BCED-00A0C90AB50F}\ShellFolder9"}, 186, ) }, 186, ) == 0x0
 03915   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03916   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 216, ) == 0x0
 03917   408   NtQueryInformationToken  (216, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03918   408   NtClose  (216, ... ) == 0x0
 03919   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{BDEADF00-C265-11d0-BCED-00A0C90AB50F}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03920   408   NtQueryValueKey  (222,  (222, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03921   408   NtClose  (222, ... ) == 0x0
 03922   408   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace"}, ... 220, ) }, ... 220, ) == 0x0
 03923   408   NtEnumerateKey  (220, 0, Basic, 288, ... {LastWrite={0x5aa70706,0x1c73999}, TitleIdx=0, Name= (220, 0, Basic, 288, ... {LastWrite={0x5aa70706,0x1c73999}, TitleIdx=0, Name="{1f4de370-d627-11d1-ba4f-00a0c91eedba}"}, 92, ) }, 92, ) == 0x0
 03924   408   NtOpenKey  (0x20019, {24, 220, 0x40, 0, 0,  (0x20019, {24, 220, 0x40, 0, 0, "{1f4de370-d627-11d1-ba4f-00a0c91eedba}"}, ... 216, ) }, ... 216, ) == 0x0
 03925   408   NtQueryValueKey  (216,  (216, "SuppressionPolicy", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03926   408   NtClose  (216, ... ) == 0x0
 03927   408   NtEnumerateKey  (220, 1, Basic, 288, ... {LastWrite={0x5aa4a4ac,0x1c73999}, TitleIdx=0, Name= (220, 1, Basic, 288, ... {LastWrite={0x5aa4a4ac,0x1c73999}, TitleIdx=0, Name="{450D8FBA-AD25-11D0-98A8-0800361B1103}"}, 92, ) }, 92, ) == 0x0
 03928   408   NtOpenKey  (0x20019, {24, 220, 0x40, 0, 0,  (0x20019, {24, 220, 0x40, 0, 0, "{450D8FBA-AD25-11D0-98A8-0800361B1103}"}, ... 216, ) }, ... 216, ) == 0x0
 03929   408   NtQueryValueKey  (216,  (216, "SuppressionPolicy", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03930   408   NtClose  (216, ... ) == 0x0
 03931   408   NtEnumerateKey  (220, 2, Basic, 288, ... {LastWrite={0x98c5c536,0x1c738c7}, TitleIdx=0, Name= (220, 2, Basic, 288, ... {LastWrite={0x98c5c536,0x1c738c7}, TitleIdx=0, Name="{645FF040-5081-101B-9F08-00AA002F954E}"}, 92, ) }, 92, ) == 0x0
 03932   408   NtOpenKey  (0x20019, {24, 220, 0x40, 0, 0,  (0x20019, {24, 220, 0x40, 0, 0, "{645FF040-5081-101B-9F08-00AA002F954E}"}, ... 216, ) }, ... 216, ) == 0x0
 03933   408   NtQueryValueKey  (216,  (216, "SuppressionPolicy", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03934   408   NtClose  (216, ... ) == 0x0
 03935   408   NtEnumerateKey  (220, 3, Basic, 288, ... {LastWrite={0x5aa70706,0x1c73999}, TitleIdx=0, Name= (220, 3, Basic, 288, ... {LastWrite={0x5aa70706,0x1c73999}, TitleIdx=0, Name="{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"}, 92, ) }, 92, ) == 0x0
 03936   408   NtOpenKey  (0x20019, {24, 220, 0x40, 0, 0,  (0x20019, {24, 220, 0x40, 0, 0, "{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"}, ... 216, ) }, ... 216, ) == 0x0
 03937   408   NtQueryValueKey  (216,  (216, "SuppressionPolicy", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03938   408   NtClose  (216, ... ) == 0x0
 03939   408   NtEnumerateKey  (220, 4, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 03940   408   NtClose  (220, ... ) == 0x0
 03941   408   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03942   408   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03943   408   NtOpenKey  (0x2000000, {24, 116, 0x40, 0, 0, ""}, ... 220, ) == 0x0
 03944   408   NtCreateKey  (0x20019, {24, 220, 0x40, 0, 0,  (0x20019, {24, 220, 0x40, 0, 0, "SessionInfo\00000000000091e5"}, 0, 0x0, 1, ... 216, 2, ) }, 0, 0x0, 1, ... 216, 2, ) == 0x0
 03945   408   NtClose  (220, ... ) == 0x0
 03946   408   NtOpenKey  (0x20019, {24, 216, 0x40, 0, 0,  (0x20019, {24, 216, 0x40, 0, 0, "Desktop\NameSpace"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03947   408   NtClose  (216, ... ) == 0x0
 03948   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 03949   408   NtOpenKey  (0x2000000, {24, 82, 0x40, 0, 0,  (0x2000000, {24, 82, 0x40, 0, 0, "CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03950   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder"}, ... 216, ) }, ... 216, ) == 0x0
 03951   408   NtQueryKey  (218, Name, 392, ... {Name= (218, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolderB"}, 186, ) }, 186, ) == 0x0
 03952   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03953   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 220, ) == 0x0
 03954   408   NtQueryInformationToken  (220, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03955   408   NtClose  (220, ... ) == 0x0
 03956   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03957   408   NtQueryValueKey  (218,  (218, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03958   408   NtClose  (218, ... ) == 0x0
 03959   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03960   408   NtOpenKey  (0x2000000, {24, 82, 0x40, 0, 0,  (0x2000000, {24, 82, 0x40, 0, 0, "CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03961   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder"}, ... 216, ) }, ... 216, ) == 0x0
 03962   408   NtQueryKey  (218, Name, 392, ... {Name= (218, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolderB"}, 186, ) }, 186, ) == 0x0
 03963   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03964   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 220, ) == 0x0
 03965   408   NtQueryInformationToken  (220, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03966   408   NtClose  (220, ... ) == 0x0
 03967   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03968   408   NtQueryValueKey  (218,  (218, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03969   408   NtClose  (218, ... ) == 0x0
 03970   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03971   408   NtOpenKey  (0x2000000, {24, 82, 0x40, 0, 0,  (0x2000000, {24, 82, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03972   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder"}, ... 216, ) }, ... 216, ) == 0x0
 03973   408   NtQueryKey  (218, Name, 392, ... {Name= (218, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolderB"}, 186, ) }, 186, ) == 0x0
 03974   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03975   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 220, ) == 0x0
 03976   408   NtQueryInformationToken  (220, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03977   408   NtClose  (220, ... ) == 0x0
 03978   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03979   408   NtQueryValueKey  (218,  (218, "WantsParseDisplayName", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (218, "WantsParseDisplayName", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 03980   408   NtClose  (218, ... ) == 0x0
 03981   408   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03982   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESC"}, 138, ) }, 138, ) == 0x0
 03983   408   NtOpenKey  (0x1, {24, 82, 0x40, 0, 0,  (0x1, {24, 82, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03984   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... 216, ) }, ... 216, ) == 0x0
 03985   408   NtQueryKey  (218, Name, 392, ... {Name= (218, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 03986   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03987   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 220, ) == 0x0
 03988   408   NtQueryInformationToken  (220, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03989   408   NtClose  (220, ... ) == 0x0
 03990   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03991   408   NtQueryValueKey  (218, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data= (218, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0s\0h\0d\0o\0c\0v\0w\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 03992   408   NtQueryKey  (218, Name, 392, ... {Name= (218, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 03993   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03994   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 220, ) == 0x0
 03995   408   NtQueryInformationToken  (220, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03996   408   NtClose  (220, ... ) == 0x0
 03997   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03998   408   NtQueryValueKey  (218,  (218, "LoadWithoutCOM", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03999   408   NtClose  (218, ... ) == 0x0
 04000   408   NtReleaseSemaphore  (124, 1, ... 0, ) == 0x0
 04001   408   NtWaitForSingleObject  (124, 0, {0, 0}, ... ) == 0x0
 04002   408   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871c5380-42a0-1069-a2ea-08002b30309d}\InProcServer32"}, ... 216, ) }, ... 216, ) == 0x0
 04003   408   NtQueryValueKey  (216, " (216, "", Full, 520, ... TitleIdx=0, Type=2, Name="", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0s\0h\0d\0o\0c\0v\0w\0.\0d\0l\0l\0\0\0"}, 88, )  (216, "", Full, 520, ... TitleIdx=0, Type=2, Name="", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0s\0h\0d\0o\0c\0v\0w\0.\0d\0l\0l\0\0\0"}, 88, ) %\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0s\0h\0d\0o\0c\0v\0w\0.\0d\0l\0l\0\0\0"}, 88, ) == 0x0
 04004   408   NtClose  (216, ... ) == 0x0
 04005   408   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 0x0, 128, 1, 1, 96, 0, 0, ... 216, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 216, {status=0x0, info=1}, ) == 0x0
 04006   408   NtQueryVolumeInformationFile  (216, 1238044, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 04007   408   NtWaitForSingleObject  (120, 0, {-1000000, -1}, ... ) == 0x0
 04008   408   NtQueryInformationFile  (216, 1238008, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 04009   408   NtQueryInformationFile  (216, 1238048, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04010   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04011   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 220, ) == 0x0
 04012   408   NtQueryInformationToken  (220, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04013   408   NtClose  (220, ... ) == 0x0
 04014   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04015   408   NtReleaseMutant  (120, ... 0x0, ) == 0x0
 04016   408   NtClose  (216, ... ) == 0x0
 04017   408   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 216, ) }, ... 216, ) == 0x0
 04018   408   NtQueryValueKey  (216,  (216, "Com+Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (216, "Com+Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 04019   408   NtClose  (216, ... ) == 0x0
 04020   408   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 04021   408   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 216, ) }, ... 216, ) == 0x0
 04022   408   NtQueryValueKey  (216,  (216, "Com+Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (216, "Com+Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 04023   408   NtClose  (216, ... ) == 0x0
 04024   408   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Classes"}, ... 216, ) }, ... 216, ) == 0x0
 04025   408   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 220, ) == 0x0
 04026   408   NtNotifyChangeKey  (216, 220, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 04027   408   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 228, ) }, ... 228, ) == 0x0
 04028   408   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 224, ) == 0x0
 04029   408   NtNotifyChangeKey  (228, 224, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 04030   408   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 212, ) == 0x0
 04031   408   NtNotifyChangeKey  (148, 212, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 04032   408   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Classes"}, ... 208, ) }, ... 208, ) == 0x0
 04033   408   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 192, ) == 0x0
 04034   408   NtNotifyChangeKey  (208, 192, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 04035   408   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 188, ) == 0x0
 04036   408   NtNotifyChangeKey  (148, 188, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 04037   408   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 200, ) }, ... 200, ) == 0x0
 04038   408   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 196, ) == 0x0
 04039   408   NtNotifyChangeKey  (200, 196, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 04040   408   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 204, ) }, ... 204, ) == 0x0
 04041   408   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 176, ) == 0x0
 04042   408   NtNotifyChangeKey  (204, 176, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 04043   408   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Classes\CLSID"}, ... 172, ) }, ... 172, ) == 0x0
 04044   408   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 184, ) == 0x0
 04045   408   NtNotifyChangeKey  (172, 184, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 04046   408   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Classes"}, ... 180, ) }, ... 180, ) == 0x0
 04047   408   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 156, ) == 0x0
 04048   408   NtNotifyChangeKey  (180, 156, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 04049   408   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 152, ) }, ... 152, ) == 0x0
 04050   408   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 160, ) == 0x0
 04051   408   NtNotifyChangeKey  (152, 160, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 04052   408   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 168, ) == 0x0
 04053   408   NtNotifyChangeKey  (148, 168, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 04054   408   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 164, ) }, ... 164, ) == 0x0
 04055   408   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 132, ) == 0x0
 04056   408   NtNotifyChangeKey  (164, 132, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 04057   408   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 108, ) }, ... 108, ) == 0x0
 04058   408   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 140, ) == 0x0
 04059   408   NtNotifyChangeKey  (108, 140, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 04060   408   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Classes\CLSID"}, ... 136, ) }, ... 136, ) == 0x0
 04061   408   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 144, ) == 0x0
 04062   408   NtNotifyChangeKey  (136, 144, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 04063   408   NtOpenSection  (0x4, {24, 64, 0x2, 0, 0,  (0x4, {24, 64, 0x2, 0, 0, "Global\ComPlusCOMRegTable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04064   408   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 240, ) }, ... 240, ) == 0x0
 04065   408   NtQueryValueKey  (240,  (240, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (240, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 04066   408   NtClose  (240, ... ) == 0x0
 04067   408   NtOpenSection  (0x4, {24, 64, 0x2, 0, 0,  (0x4, {24, 64, 0x2, 0, 0, "Global\ComPlusCOMRegTable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04068   408   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 240, ) }, ... 240, ) == 0x0
 04069   408   NtQueryValueKey  (240,  (240, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (240, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 04070   408   NtClose  (240, ... ) == 0x0
 04071   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 04072   408   NtOpenKey  (0x20019, {24, 82, 0x40, 0, 0,  (0x20019, {24, 82, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04073   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 240, ) }, ... 240, ) == 0x0
 04074   408   NtQueryKey  (242, Name, 384, ... {Name= (242, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}9"}, 162, ) }, 162, ) == 0x0
 04075   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04076   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 304, ) == 0x0
 04077   408   NtQueryInformationToken  (304, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04078   408   NtClose  (304, ... ) == 0x0
 04079   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04080   408   NtOpenKey  (0x1, {24, 242, 0x40, 0, 0,  (0x1, {24, 242, 0x40, 0, 0, "TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04081   408   NtClose  (242, ... ) == 0x0
 04082   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 04083   408   NtOpenKey  (0x20019, {24, 82, 0x40, 0, 0,  (0x20019, {24, 82, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04084   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 240, ) }, ... 240, ) == 0x0
 04085   408   NtQueryKey  (242, Name, 384, ... {Name= (242, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}9"}, 162, ) }, 162, ) == 0x0
 04086   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04087   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 304, ) == 0x0
 04088   408   NtQueryInformationToken  (304, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04089   408   NtClose  (304, ... ) == 0x0
 04090   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04091   408   NtOpenKey  (0x2000000, {24, 242, 0x40, 0, 0,  (0x2000000, {24, 242, 0x40, 0, 0, "InprocServer32"}, ... 304, ) }, ... 304, ) == 0x0
 04092   408   NtQueryKey  (306, Name, 392, ... {Name= (306, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 04093   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04094   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 300, ) == 0x0
 04095   408   NtQueryInformationToken  (300, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04096   408   NtClose  (300, ... ) == 0x0
 04097   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04098   408   NtQueryValueKey  (306,  (306, "InprocServer32", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04099   408   NtClose  (306, ... ) == 0x0
 04100   408   NtQueryKey  (242, Name, 384, ... {Name= (242, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 04101   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04102   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 304, ) == 0x0
 04103   408   NtQueryInformationToken  (304, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04104   408   NtClose  (304, ... ) == 0x0
 04105   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocServerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04106   408   NtOpenKey  (0x2000000, {24, 242, 0x40, 0, 0,  (0x2000000, {24, 242, 0x40, 0, 0, "InprocServerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04107   408   NtQueryKey  (242, Name, 384, ... {Name= (242, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 04108   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04109   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 304, ) == 0x0
 04110   408   NtQueryInformationToken  (304, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04111   408   NtClose  (304, ... ) == 0x0
 04112   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04113   408   NtOpenKey  (0x2000000, {24, 242, 0x40, 0, 0,  (0x2000000, {24, 242, 0x40, 0, 0, "LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04114   408   NtQueryKey  (242, Name, 384, ... {Name= (242, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 04115   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04116   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 304, ) == 0x0
 04117   408   NtQueryInformationToken  (304, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04118   408   NtClose  (304, ... ) == 0x0
 04119   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04120   408   NtOpenKey  (0x2000000, {24, 242, 0x40, 0, 0,  (0x2000000, {24, 242, 0x40, 0, 0, "InprocServer32"}, ... 304, ) }, ... 304, ) == 0x0
 04121   408   NtQueryKey  (306, Name, 392, ... {Name= (306, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 04122   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04123   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 300, ) == 0x0
 04124   408   NtQueryInformationToken  (300, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04125   408   NtClose  (300, ... ) == 0x0
 04126   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04127   408   NtQueryValueKey  (306, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data= (306, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0s\0h\0d\0o\0c\0v\0w\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 04128   408   NtClose  (306, ... ) == 0x0
 04129   408   NtQueryKey  (242, Name, 384, ... {Name= (242, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 04130   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04131   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 304, ) == 0x0
 04132   408   NtQueryInformationToken  (304, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04133   408   NtClose  (304, ... ) == 0x0
 04134   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocHandler32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04135   408   NtOpenKey  (0x2000000, {24, 242, 0x40, 0, 0,  (0x2000000, {24, 242, 0x40, 0, 0, "InprocHandler32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04136   408   NtQueryKey  (242, Name, 384, ... {Name= (242, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 04137   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04138   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 304, ) == 0x0
 04139   408   NtQueryInformationToken  (304, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04140   408   NtClose  (304, ... ) == 0x0
 04141   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocHandlerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04142   408   NtOpenKey  (0x2000000, {24, 242, 0x40, 0, 0,  (0x2000000, {24, 242, 0x40, 0, 0, "InprocHandlerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04143   408   NtQueryKey  (242, Name, 384, ... {Name= (242, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 04144   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04145   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 304, ) == 0x0
 04146   408   NtQueryInformationToken  (304, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04147   408   NtClose  (304, ... ) == 0x0
 04148   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04149   408   NtOpenKey  (0x2000000, {24, 242, 0x40, 0, 0,  (0x2000000, {24, 242, 0x40, 0, 0, "LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04150   408   NtQueryKey  (242, Name, 384, ... {Name= (242, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 04151   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04152   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 304, ) == 0x0
 04153   408   NtQueryInformationToken  (304, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04154   408   NtClose  (304, ... ) == 0x0
 04155   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\LocalServer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04156   408   NtOpenKey  (0x2000000, {24, 242, 0x40, 0, 0,  (0x2000000, {24, 242, 0x40, 0, 0, "LocalServer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04157   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 04158   408   NtOpenKey  (0x20019, {24, 82, 0x40, 0, 0,  (0x20019, {24, 82, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04159   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 304, ) }, ... 304, ) == 0x0
 04160   408   NtQueryKey  (306, Name, 392, ... {Name= (306, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}9"}, 162, ) }, 162, ) == 0x0
 04161   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04162   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 300, ) == 0x0
 04163   408   NtQueryInformationToken  (300, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04164   408   NtClose  (300, ... ) == 0x0
 04165   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04166   408   NtQueryValueKey  (306,  (306, "AppID", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04167   408   NtClose  (306, ... ) == 0x0
 04168   408   NtClose  (242, ... ) == 0x0
 04169   408   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {404, 0}, ... 240, ) == 0x0
 04170   408   NtQueryInformationProcess  (240, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 04171   408   NtClose  (240, ... ) == 0x0
 04172   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 04173   408   NtOpenKey  (0x20019, {24, 82, 0x40, 0, 0,  (0x20019, {24, 82, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04174   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 240, ) }, ... 240, ) == 0x0
 04175   408   NtClose  (242, ... ) == 0x0
 04176   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES3"}, 138, ) }, 138, ) == 0x0
 04177   408   NtOpenKey  (0x20019, {24, 82, 0x40, 0, 0,  (0x20019, {24, 82, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04178   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 240, ) }, ... 240, ) == 0x0
 04179   408   NtQueryKey  (242, Name, 384, ... {Name= (242, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}9"}, 162, ) }, 162, ) == 0x0
 04180   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04181   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 304, ) == 0x0
 04182   408   NtQueryInformationToken  (304, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04183   408   NtClose  (304, ... ) == 0x0
 04184   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04185   408   NtOpenKey  (0x2000000, {24, 242, 0x40, 0, 0,  (0x2000000, {24, 242, 0x40, 0, 0, "InprocServer32"}, ... 304, ) }, ... 304, ) == 0x0
 04186   408   NtQueryKey  (306, Name, 392, ... {Name= (306, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 04187   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04188   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 300, ) == 0x0
 04189   408   NtQueryInformationToken  (300, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04190   408   NtClose  (300, ... ) == 0x0
 04191   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04192   408   NtQueryValueKey  (306,  (306, "ThreadingModel", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0p\0a\0r\0t\0m\0e\0n\0t\0\0\0"}, 32, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (306, "ThreadingModel", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0p\0a\0r\0t\0m\0e\0n\0t\0\0\0"}, 32, ) }, 32, ) == 0x0
 04193   408   NtClose  (306, ... ) == 0x0
 04194   408   NtClose  (242, ... ) == 0x0
 04195   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 04196   408   NtOpenKey  (0x20019, {24, 82, 0x40, 0, 0,  (0x20019, {24, 82, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04197   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 240, ) }, ... 240, ) == 0x0
 04198   408   NtQueryKey  (242, Name, 384, ... {Name= (242, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}9"}, 162, ) }, 162, ) == 0x0
 04199   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04200   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 304, ) == 0x0
 04201   408   NtQueryInformationToken  (304, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04202   408   NtClose  (304, ... ) == 0x0
 04203   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04204   408   NtOpenKey  (0x1, {24, 242, 0x40, 0, 0,  (0x1, {24, 242, 0x40, 0, 0, "TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04205   408   NtClose  (242, ... ) == 0x0
 04206   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 1232216, ... ) }, 1232216, ... ) == 0x0
 04207   408   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 5, 96, ... 240, {status=0x0, info=1}, ) }, 5, 96, ... 240, {status=0x0, info=1}, ) == 0x0
 04208   408   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 240, ... 304, ) == 0x0
 04209   408   NtClose  (240, ... ) == 0x0
 04210   408   NtMapViewOfSection  (304, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x9c0000), 0x0, 1339392, ) == 0x0
 04211   408   NtClose  (304, ... ) == 0x0
 04212   408   NtUnmapViewOfSection  (-1, 0x9c0000, ... ) == 0x0
 04213   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 1232532, ... ) }, 1232532, ... ) == 0x0
 04214   408   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 5, 96, ... 304, {status=0x0, info=1}, ) }, 5, 96, ... 304, {status=0x0, info=1}, ) == 0x0
 04215   408   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 304, ... 240, ) == 0x0
 04216   408   NtQuerySection  (240, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 04217   408   NtClose  (304, ... ) == 0x0
 04218   408   NtMapViewOfSection  (240, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x769c0000), 0x0, 1347584, ) == 0x0
 04219   408   NtClose  (240, ... ) == 0x0
 04220   408   NtQueryDefaultUILanguage  (1230896, ...
 04221   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04222   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482208, ) == 0x0
 04223   408   NtQueryInformationToken  (-2147482208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04224   408   NtClose  (-2147482208, ... ) == 0x0
 04225   408   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 04226   408   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04227   408   NtOpenKey  (0x80000000, {24, -2147482208, 0x640, 0, 0,  (0x80000000, {24, -2147482208, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482196, ) }, ... -2147482196, ) == 0x0
 04228   408   NtQueryValueKey  (-2147482196,  (-2147482196, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04229   408   NtClose  (-2147482196, ... ) == 0x0
 04230   408   NtClose  (-2147482208, ... ) == 0x0
 04220   408   NtQueryDefaultUILanguage  ... ) == 0x0
 04231   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04232   408   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 1, 96, ... 240, {status=0x0, info=1}, ) }, 1, 96, ... 240, {status=0x0, info=1}, ) == 0x0
 04233   408   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 240, ... 304, ) == 0x0
 04234   408   NtMapViewOfSection  (304, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x9c0000), 0x0, 1339392, ) == 0x0
 04235   408   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04236   408   NtQueryDefaultLocale  (1, 1228932, ... ) == 0x0
 04237   408   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04238   408   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1229788, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1229788, 1, 96, 0} "\210\6\35\1\33\0\1\0\0\0\0\0\1\307\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1\360\0\0\0\377\377\377\377\0\0\0\0\10\340\247\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0\334\312\22\0\0\0\0\0" ... {128, 156, reply, 0, 404, 408, 1508, 0} " S\26\0\33\0\1\0\0\0\0\0\1\307\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1\360\0\0\0\377\377\377\377\0\0\0\0\10\340\247\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0\334\312\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 404, 408, 1508, 0}  (24, {128, 156, new_msg, 0, 1229788, 1, 96, 0} "\210\6\35\1\33\0\1\0\0\0\0\0\1\307\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1\360\0\0\0\377\377\377\377\0\0\0\0\10\340\247\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0\334\312\22\0\0\0\0\0" ... {128, 156, reply, 0, 404, 408, 1508, 0} " S\26\0\33\0\1\0\0\0\0\0\1\307\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1\360\0\0\0\377\377\377\377\0\0\0\0\10\340\247\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0\334\312\22\0\0\0\0\0" )  ) == 0x0
 04239   408   NtClose  (240, ... ) == 0x0
 04240   408   NtClose  (304, ... ) == 0x0
 04241   408   NtUnmapViewOfSection  (-1, 0x9c0000, ... ) == 0x0
 04242   408   NtUnmapViewOfSection  (-1, 0x12cadc, ... ) == STATUS_NOT_MAPPED_VIEW
 04243   408   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 04244   408   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04245   408   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 04246   408   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 04247   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1227472, ... ) }, 1227472, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04248   408   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 04249   408   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 04250   408   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 04251   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1228064, ... ) }, 1228064, ... ) == 0x0
 04252   408   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 304, {status=0x0, info=1}, ) }, 3, 33, ... 304, {status=0x0, info=1}, ) == 0x0
 04253   408   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 04254   408   NtUserFindExistingCursorIcon  (1232016, 1232032, 1232600, ... ) == 0x10011
 04255   408   NtUserRegisterClassExWOW  (1232468, 1232548, 1232532, 1232564, 0, 384, 0, ... ) == 0x810d0000
 04256   408   NtUserGetClassInfo  (1905590272, 1232632, 1232584, 1232660, 0, ... ) == 0xc05f
 04257   408   NtGdiCreateHalftonePalette  (0, ... ) == 0x9080408
 04258   408   NtGdiDoPalette  (151520264, 0, 256, 1231724, 2, 0, ... ) == 0x100
 04259   408   NtGdiDeleteObjectApp  (151520264, ... ) == 0x1
 04260   408   NtGdiCreateCompatibleDC  (0, ... ) == 0xa010408
 04261   408   NtGdiCreatePaletteInternal  (1231720, 256, ... ) == 0x6080405
 04262   408   NtGdiDeleteObjectApp  (167838728, ... ) == 0x1
 04263   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESn"}, 138, ) }, 138, ) == 0x0
 04264   408   NtOpenKey  (0x1, {24, 82, 0x40, 0, 0,  (0x1, {24, 82, 0x40, 0, 0, "Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\Typelib"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04265   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\Typelib"}, ... 240, ) }, ... 240, ) == 0x0
 04266   408   NtQueryKey  (242, Name, 392, ... {Name= (242, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\TypeLib0"}, 186, ) }, 186, ) == 0x0
 04267   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04268   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 300, ) == 0x0
 04269   408   NtQueryInformationToken  (300, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04270   408   NtClose  (300, ... ) == 0x0
 04271   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\TypeLib"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04272   408   NtQueryValueKey  (242, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (242, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0E\0A\0B\02\02\0A\0C\00\0-\03\00\0C\01\0-\01\01\0C\0F\0-\0A\07\0E\0B\0-\00\00\00\00\0C\00\05\0B\0A\0E\00\0B\0}\0\0\0"}, 90, ) }, 90, ) == 0x0
 04273   408   NtClose  (242, ... ) == 0x0
 04274   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 04275   408   NtOpenKey  (0x1, {24, 82, 0x40, 0, 0,  (0x1, {24, 82, 0x40, 0, 0, "Interface\{b722bccb-4e68-101b-a2bc-00aa00404770}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04276   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{b722bccb-4e68-101b-a2bc-00aa00404770}\ProxyStubClsid32"}, ... 240, ) }, ... 240, ) == 0x0
 04277   408   NtQueryKey  (242, Name, 392, ... {Name= (242, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B722BCCB-4E68-101B-A2BC-00AA00404770}\ProxyStubClsid32"}, 204, ) }, 204, ) == 0x0
 04278   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04279   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 300, ) == 0x0
 04280   408   NtQueryInformationToken  (300, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04281   408   NtClose  (300, ... ) == 0x0
 04282   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{B722BCCB-4E68-101B-A2BC-00AA00404770}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04283   408   NtQueryValueKey  (242, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (242, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0B\08\0D\0A\06\03\01\00\0-\0E\01\09\0B\0-\01\01\0D\00\0-\09\03\03\0C\0-\00\00\0A\00\0C\09\00\0D\0C\0A\0A\09\0}\0\0\0"}, 90, ) }, 90, ) == 0x0
 04284   408   NtClose  (242, ... ) == 0x0
 04285   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 04286   408   NtOpenKey  (0x1, {24, 82, 0x40, 0, 0,  (0x1, {24, 82, 0x40, 0, 0, "Interface\{79eac9c4-baf9-11ce-8c82-00aa004ba90b}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04287   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{79eac9c4-baf9-11ce-8c82-00aa004ba90b}\ProxyStubClsid32"}, ... 240, ) }, ... 240, ) == 0x0
 04288   408   NtQueryKey  (242, Name, 392, ... {Name= (242, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79EAC9C4-BAF9-11CE-8C82-00AA004BA90B}\ProxyStubClsid32"}, 204, ) }, 204, ) == 0x0
 04289   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04290   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 300, ) == 0x0
 04291   408   NtQueryInformationToken  (300, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04292   408   NtClose  (300, ... ) == 0x0
 04293   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{79EAC9C4-BAF9-11CE-8C82-00AA004BA90B}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04294   408   NtQueryValueKey  (242, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (242, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0B\08\0D\0A\06\03\01\00\0-\0E\01\09\0B\0-\01\01\0D\00\0-\09\03\03\0C\0-\00\00\0A\00\0C\09\00\0D\0C\0A\0A\09\0}\0\0\0"}, 90, ) }, 90, ) == 0x0
 04295   408   NtClose  (242, ... ) == 0x0
 04296   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 04297   408   NtOpenKey  (0x1, {24, 82, 0x40, 0, 0,  (0x1, {24, 82, 0x40, 0, 0, "Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04298   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32"}, ... 240, ) }, ... 240, ) == 0x0
 04299   408   NtQueryKey  (242, Name, 392, ... {Name= (242, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32"}, 204, ) }, 204, ) == 0x0
 04300   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04301   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 300, ) == 0x0
 04302   408   NtQueryInformationToken  (300, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04303   408   NtClose  (300, ... ) == 0x0
 04304   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04305   408   NtQueryValueKey  (242, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (242, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0b\0f\05\00\0b\06\08\0e\0-\02\09\0b\08\0-\04\03\08\06\0-\0a\0e\09\0c\0-\09\07\03\04\0d\05\01\01\07\0c\0d\05\0}\0\0\0"}, 90, ) }, 90, ) == 0x0
 04306   408   NtClose  (242, ... ) == 0x0
 04307   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 04308   408   NtOpenKey  (0x1, {24, 82, 0x40, 0, 0,  (0x1, {24, 82, 0x40, 0, 0, "Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04309   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32"}, ... 240, ) }, ... 240, ) == 0x0
 04310   408   NtQueryKey  (242, Name, 392, ... {Name= (242, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32"}, 204, ) }, 204, ) == 0x0
 04311   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04312   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 300, ) == 0x0
 04313   408   NtQueryInformationToken  (300, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04314   408   NtClose  (300, ... ) == 0x0
 04315   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04316   408   NtQueryValueKey  (242, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (242, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0b\0f\05\00\0b\06\08\0e\0-\02\09\0b\08\0-\04\03\08\06\0-\0a\0e\09\0c\0-\09\07\03\04\0d\05\01\01\07\0c\0d\05\0}\0\0\0"}, 90, ) }, 90, ) == 0x0
 04317   408   NtClose  (242, ... ) == 0x0
 04318   408   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04319   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESC"}, 138, ) }, 138, ) == 0x0
 04320   408   NtOpenKey  (0x2000000, {24, 82, 0x40, 0, 0,  (0x2000000, {24, 82, 0x40, 0, 0, "CLSID\{1F4DE370-D627-11D1-BA4F-00A0C91EEDBA}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04321   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{1F4DE370-D627-11D1-BA4F-00A0C91EEDBA}\ShellFolder"}, ... 240, ) }, ... 240, ) == 0x0
 04322   408   NtQueryKey  (242, Name, 392, ... {Name= (242, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder9"}, 186, ) }, 186, ) == 0x0
 04323   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04324   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 300, ) == 0x0
 04325   408   NtQueryInformationToken  (300, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04326   408   NtClose  (300, ... ) == 0x0
 04327   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04328   408   NtQueryValueKey  (242,  (242, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04329   408   NtClose  (242, ... ) == 0x0
 04330   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 04331   408   NtOpenKey  (0x2000000, {24, 82, 0x40, 0, 0,  (0x2000000, {24, 82, 0x40, 0, 0, "CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04332   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder"}, ... 240, ) }, ... 240, ) == 0x0
 04333   408   NtQueryKey  (242, Name, 392, ... {Name= (242, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder6"}, 186, ) }, 186, ) == 0x0
 04334   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04335   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 300, ) == 0x0
 04336   408   NtQueryInformationToken  (300, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04337   408   NtClose  (300, ... ) == 0x0
 04338   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04339   408   NtQueryValueKey  (242,  (242, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04340   408   NtClose  (242, ... ) == 0x0
 04341   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 04342   408   NtOpenKey  (0x2000000, {24, 82, 0x40, 0, 0,  (0x2000000, {24, 82, 0x40, 0, 0, "CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04343   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder"}, ... 240, ) }, ... 240, ) == 0x0
 04344   408   NtQueryKey  (242, Name, 392, ... {Name= (242, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder0"}, 186, ) }, 186, ) == 0x0
 04345   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04346   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 300, ) == 0x0
 04347   408   NtQueryInformationToken  (300, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04348   408   NtClose  (300, ... ) == 0x0
 04349   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04350   408   NtQueryValueKey  (242,  (242, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04351   408   NtClose  (242, ... ) == 0x0
 04352   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 04353   408   NtOpenKey  (0x2000000, {24, 82, 0x40, 0, 0,  (0x2000000, {24, 82, 0x40, 0, 0, "CLSID\{E17D4FC0-5564-11D1-83F2-00A0C90DC849}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04354   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{E17D4FC0-5564-11D1-83F2-00A0C90DC849}\ShellFolder"}, ... 240, ) }, ... 240, ) == 0x0
 04355   408   NtQueryKey  (242, Name, 392, ... {Name= (242, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder9"}, 186, ) }, 186, ) == 0x0
 04356   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04357   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 300, ) == 0x0
 04358   408   NtQueryInformationToken  (300, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04359   408   NtClose  (300, ... ) == 0x0
 04360   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04361   408   NtQueryValueKey  (242,  (242, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04362   408   NtClose  (242, ... ) == 0x0
 04363   408   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"}, ... 240, ) }, ... 240, ) == 0x0
 04364   408   NtEnumerateValueKey  (240, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (240, 0, Full, 220, ... TitleIdx=0, Type=1, Name="{AEB6717E-7E19-11d0-97EE-00C04FD91972}", Data="\0\0"}, 98, ) , Data= (240, 0, Full, 220, ... TitleIdx=0, Type=1, Name="{AEB6717E-7E19-11d0-97EE-00C04FD91972}", Data="\0\0"}, 98, ) }, 98, ) == 0x0
 04365   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 04366   408   NtOpenKey  (0x1, {24, 82, 0x40, 0, 0,  (0x1, {24, 82, 0x40, 0, 0, "CLSID\{AEB6717E-7E19-11D0-97EE-00C04FD91972}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04367   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{AEB6717E-7E19-11D0-97EE-00C04FD91972}\InProcServer32"}, ... 300, ) }, ... 300, ) == 0x0
 04368   408   NtQueryKey  (302, Name, 392, ... {Name= (302, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 04369   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04370   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 04371   408   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04372   408   NtClose  (284, ... ) == 0x0
 04373   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04374   408   NtQueryValueKey  (302, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (302, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="s\0h\0e\0l\0l\03\02\0.\0d\0l\0l\0\0\0"}, 36, ) }, 36, ) == 0x0
 04375   408   NtQueryKey  (302, Name, 392, ... {Name= (302, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 04376   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04377   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 04378   408   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04379   408   NtClose  (284, ... ) == 0x0
 04380   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04381   408   NtQueryValueKey  (302,  (302, "LoadWithoutCOM", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04382   408   NtClose  (302, ... ) == 0x0
 04383   408   NtEnumerateValueKey  (240, 1, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 04384   408   NtClose  (240, ... ) == 0x0
 04385   408   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 04386   408   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 04387   408   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 04388   408   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 240, ) }, ... 240, ) == 0x0
 04389   408   NtOpenKey  (0x2000000, {24, 240, 0x40, 0, 0,  (0x2000000, {24, 240, 0x40, 0, 0, "{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, ... 300, ) }, ... 300, ) == 0x0
 04390   408   NtClose  (240, ... ) == 0x0
 04391   408   NtQueryValueKey  (300,  (300, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (300, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 04392   408   NtClose  (300, ... ) == 0x0
 04393   408   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 04394   408   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 04395   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\hp.exe"}, 1238300, ... ) }, 1238300, ... ) == 0x0
 04396   408   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 04397   408   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 04398   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 300, ) }, ... 300, ) == 0x0
 04399   408   NtQueryValueKey  (300,  (300, "TransparentEnabled", Full, 524, ... TitleIdx=0, Type=4, Name="TransparentEnabled", Data="\1\0\0\0"}, 60, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (300, "TransparentEnabled", Full, 524, ... TitleIdx=0, Type=4, Name="TransparentEnabled", Data="\1\0\0\0"}, 60, ) , Data= (300, "TransparentEnabled", Full, 524, ... TitleIdx=0, Type=4, Name="TransparentEnabled", Data="\1\0\0\0"}, 60, ) }, 60, ) == 0x0
 04400   408   NtClose  (300, ... ) == 0x0
 04401   408   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 04402   408   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 04403   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\hp.exe"}, 1238204, ... ) }, 1238204, ... ) == 0x0
 04404   408   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 04405   408   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 04406   408   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{20D04FE0-3AEA-1069-A2D8-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04407   408   NtReleaseSemaphore  (124, 1, ... 0, ) == 0x0
 04408   408   NtWaitForSingleObject  (124, 0, {0, 0}, ... ) == 0x0
 04409   408   NtReleaseSemaphore  (124, 1, ... 0, ) == 0x0
 04410   408   NtWaitForSingleObject  (124, 0, {0, 0}, ... ) == 0x0
 04411   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESC"}, 138, ) }, 138, ) == 0x0
 04412   408   NtOpenKey  (0x1, {24, 82, 0x40, 0, 0,  (0x1, {24, 82, 0x40, 0, 0, "CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04413   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... 300, ) }, ... 300, ) == 0x0
 04414   408   NtQueryKey  (302, Name, 392, ... {Name= (302, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 04415   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04416   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 240, ) == 0x0
 04417   408   NtQueryInformationToken  (240, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04418   408   NtClose  (240, ... ) == 0x0
 04419   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04420   408   NtQueryValueKey  (302, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data= (302, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0S\0H\0E\0L\0L\03\02\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 04421   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1235548, ... ) }, 1235548, ... ) == 0x0
 04422   408   NtClose  (302, ... ) == 0x0
 04423   408   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 04424   408   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 04425   408   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 300, ) }, ... 300, ) == 0x0
 04426   408   NtOpenKey  (0x2000000, {24, 300, 0x40, 0, 0,  (0x2000000, {24, 300, 0x40, 0, 0, "{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, ... 240, ) }, ... 240, ) == 0x0
 04427   408   NtClose  (300, ... ) == 0x0
 04428   408   NtQueryValueKey  (240,  (240, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (240, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 04429   408   NtClose  (240, ... ) == 0x0
 04430   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 04431   408   NtOpenKey  (0x2000000, {24, 82, 0x40, 0, 0,  (0x2000000, {24, 82, 0x40, 0, 0, "Drive\shellex\FolderExtensions"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04432   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Drive\shellex\FolderExtensions"}, ... 240, ) }, ... 240, ) == 0x0
 04433   408   NtQueryKey  (242, Name, 392, ... {Name= (242, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensionsl"}, 134, ) }, 134, ) == 0x0
 04434   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04435   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 300, ) == 0x0
 04436   408   NtQueryInformationToken  (300, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04437   408   NtClose  (300, ... ) == 0x0
 04438   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Drive\shellex\FolderExtensions"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04439   408   NtEnumerateKey  (242, 0, Node, 288, ... {LastWrite={0x5abc7c30,0x1c73999}, TitleIdx=0, Name= (242, 0, Node, 288, ... {LastWrite={0x5abc7c30,0x1c73999}, TitleIdx=0, Name="{fbeb8a05-beee-4442-804e-409d6c4515e9}", Class=""}, 100, ) , Class=""}, 100, ) == 0x0
 04440   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 04441   408   NtOpenKey  (0x1, {24, 82, 0x40, 0, 0,  (0x1, {24, 82, 0x40, 0, 0, "Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04442   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... 300, ) }, ... 300, ) == 0x0
 04443   408   NtQueryKey  (302, Name, 392, ... {Name= (302, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, 212, ) }, 212, ) == 0x0
 04444   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04445   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 04446   408   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04447   408   NtClose  (284, ... ) == 0x0
 04448   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04449   408   NtQueryValueKey  (302,  (302, "DriveMask", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (302, "DriveMask", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0
 04450   408   NtClose  (302, ... ) == 0x0
 04451   408   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 04452   408   NtEnumerateKey  (242, 1, Node, 288, ... ) == STATUS_NO_MORE_ENTRIES
 04453   408   NtClose  (242, ... ) == 0x0
 04454   408   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 240, {status=0x0, info=1}, ) }, 3, 16417, ... 240, {status=0x0, info=1}, ) == 0x0
 04455   408   NtQueryDirectoryFile  (240, 0, 0, 0, 1237048, 616, BothDirectory, 1,  (240, 0, 0, 0, 1237048, 616, BothDirectory, 1, "DOCUME~1", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0
 04456   408   NtClose  (240, ... ) == 0x0
 04457   408   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\"}, 3, 16417, ... 240, {status=0x0, info=1}, ) }, 3, 16417, ... 240, {status=0x0, info=1}, ) == 0x0
 04458   408   NtQueryDirectoryFile  (240, 0, 0, 0, 1236936, 616, BothDirectory, 1,  (240, 0, 0, 0, 1236936, 616, BothDirectory, 1, "SRI-user", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 04459   408   NtClose  (240, ... ) == 0x0
 04460   408   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\"}, 3, 16417, ... 240, {status=0x0, info=1}, ) }, 3, 16417, ... 240, {status=0x0, info=1}, ) == 0x0
 04461   408   NtQueryDirectoryFile  (240, 0, 0, 0, 1236840, 616, BothDirectory, 1,  (240, 0, 0, 0, 1236840, 616, BothDirectory, 1, "LOCALS~1", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0
 04462   408   NtClose  (240, ... ) == 0x0
 04463   408   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\"}, 3, 16417, ... 240, {status=0x0, info=1}, ) }, 3, 16417, ... 240, {status=0x0, info=1}, ) == 0x0
 04464   408   NtQueryDirectoryFile  (240, 0, 0, 0, 1236764, 616, BothDirectory, 1,  (240, 0, 0, 0, 1236764, 616, BothDirectory, 1, "Temp", 0, ... {status=0x0, info=102}, ) , 0, ... {status=0x0, info=102}, ) == 0x0
 04465   408   NtClose  (240, ... ) == 0x0
 04466   408   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temp\"}, 3, 16417, ... 240, {status=0x0, info=1}, ) }, 3, 16417, ... 240, {status=0x0, info=1}, ) == 0x0
 04467   408   NtQueryDirectoryFile  (240, 0, 0, 0, 1236696, 616, BothDirectory, 1,  (240, 0, 0, 0, 1236696, 616, BothDirectory, 1, "hp.exe", 0, ... {status=0x0, info=106}, ) , 0, ... {status=0x0, info=106}, ) == 0x0
 04468   408   NtClose  (240, ... ) == 0x0
 04469   408   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 04470   408   NtOpenKey  (0x2000000, {24, 280, 0x40, 0, 0,  (0x2000000, {24, 280, 0x40, 0, 0, ".exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04471   408   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 04472   408   NtOpenKey  (0x2000000, {24, 280, 0x40, 0, 0,  (0x2000000, {24, 280, 0x40, 0, 0, ".exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04473   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES\"}, 138, ) }, 138, ) == 0x0
 04474   408   NtOpenKey  (0x2000000, {24, 82, 0x40, 0, 0,  (0x2000000, {24, 82, 0x40, 0, 0, ".exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04475   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.exe"}, ... 240, ) }, ... 240, ) == 0x0
 04476   408   NtQueryKey  (242, Name, 392, ... {Name= (242, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.exeo"}, 82, ) }, 82, ) == 0x0
 04477   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04478   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 300, ) == 0x0
 04479   408   NtQueryInformationToken  (300, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04480   408   NtClose  (300, ... ) == 0x0
 04481   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04482   408   NtQueryValueKey  (242, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (242, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="e\0x\0e\0f\0i\0l\0e\0\0\0"}, 28, ) }, 28, ) == 0x0
 04483   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 04484   408   NtOpenKey  (0x2000000, {24, 82, 0x40, 0, 0,  (0x2000000, {24, 82, 0x40, 0, 0, "exefile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04485   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\exefile"}, ... 300, ) }, ... 300, ) == 0x0
 04486   408   NtQueryKey  (302, Name, 384, ... {Name= (302, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\exefile"}, 88, ) }, 88, ) == 0x0
 04487   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04488   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 04489   408   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04490   408   NtClose  (284, ... ) == 0x0
 04491   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\exefile\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04492   408   NtOpenKey  (0x1, {24, 302, 0x40, 0, 0,  (0x1, {24, 302, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04493   408   NtQueryKey  (302, Name, 384, ... {Name= (302, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\exefile"}, 88, ) }, 88, ) == 0x0
 04494   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04495   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 04496   408   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04497   408   NtClose  (284, ... ) == 0x0
 04498   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\exefile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04499   408   NtOpenKey  (0x2000000, {24, 302, 0x40, 0, 0, ""}, ... 284, ) == 0x0
 04500   408   NtClose  (302, ... ) == 0x0
 04501   408   NtQueryKey  (286, Name, 384, ... {Name= (286, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\exefile"}, 88, ) }, 88, ) == 0x0
 04502   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04503   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 300, ) == 0x0
 04504   408   NtQueryInformationToken  (300, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04505   408   NtClose  (300, ... ) == 0x0
 04506   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\exefile\ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04507   408   NtOpenKey  (0x1, {24, 286, 0x40, 0, 0,  (0x1, {24, 286, 0x40, 0, 0, "ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04508   408   NtQueryKey  (242, Name, 384, ... {Name= (242, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.exeC"}, 82, ) }, 82, ) == 0x0
 04509   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04510   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 300, ) == 0x0
 04511   408   NtQueryInformationToken  (300, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04512   408   NtClose  (300, ... ) == 0x0
 04513   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.exe\ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04514   408   NtOpenKey  (0x1, {24, 242, 0x40, 0, 0,  (0x1, {24, 242, 0x40, 0, 0, "ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04515   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 04516   408   NtOpenKey  (0x2000000, {24, 82, 0x40, 0, 0,  (0x2000000, {24, 82, 0x40, 0, 0, "SystemFileAssociations\.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04517   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\SystemFileAssociations\.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04518   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESs"}, 138, ) }, 138, ) == 0x0
 04519   408   NtOpenKey  (0x1, {24, 82, 0x40, 0, 0,  (0x1, {24, 82, 0x40, 0, 0, ".exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04520   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.exe"}, ... 300, ) }, ... 300, ) == 0x0
 04521   408   NtQueryKey  (302, Name, 392, ... {Name= (302, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.exeo"}, 82, ) }, 82, ) == 0x0
 04522   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04523   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 288, ) == 0x0
 04524   408   NtQueryInformationToken  (288, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04525   408   NtClose  (288, ... ) == 0x0
 04526   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04527   408   NtQueryValueKey  (302,  (302, "PerceivedType", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04528   408   NtClose  (302, ... ) == 0x0
 04529   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 04530   408   NtOpenKey  (0x2000000, {24, 82, 0x40, 0, 0,  (0x2000000, {24, 82, 0x40, 0, 0, "*"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04531   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\*"}, ... 300, ) }, ... 300, ) == 0x0
 04532   408   NtQueryKey  (302, Name, 384, ... {Name= (302, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\*"}, 76, ) }, 76, ) == 0x0
 04533   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04534   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 288, ) == 0x0
 04535   408   NtQueryInformationToken  (288, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04536   408   NtClose  (288, ... ) == 0x0
 04537   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\*\ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04538   408   NtOpenKey  (0x1, {24, 302, 0x40, 0, 0,  (0x1, {24, 302, 0x40, 0, 0, "ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04539   408   NtClose  (242, ... ) == 0x0
 04540   408   NtClose  (286, ... ) == 0x0
 04541   408   NtClose  (302, ... ) == 0x0
 04542   408   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 04543   408   NtOpenKey  (0x2000000, {24, 280, 0x40, 0, 0,  (0x2000000, {24, 280, 0x40, 0, 0, ".exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04544   408   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 04545   408   NtOpenKey  (0x2000000, {24, 280, 0x40, 0, 0,  (0x2000000, {24, 280, 0x40, 0, 0, ".exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04546   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 04547   408   NtOpenKey  (0x2000000, {24, 82, 0x40, 0, 0,  (0x2000000, {24, 82, 0x40, 0, 0, ".exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04548   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.exe"}, ... 300, ) }, ... 300, ) == 0x0
 04549   408   NtQueryKey  (302, Name, 392, ... {Name= (302, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.exeo"}, 82, ) }, 82, ) == 0x0
 04550   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04551   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 04552   408   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04553   408   NtClose  (284, ... ) == 0x0
 04554   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04555   408   NtQueryValueKey  (302, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (302, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="e\0x\0e\0f\0i\0l\0e\0\0\0"}, 28, ) }, 28, ) == 0x0
 04556   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 04557   408   NtOpenKey  (0x2000000, {24, 82, 0x40, 0, 0,  (0x2000000, {24, 82, 0x40, 0, 0, "exefile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04558   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\exefile"}, ... 284, ) }, ... 284, ) == 0x0
 04559   408   NtQueryKey  (286, Name, 384, ... {Name= (286, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\exefile"}, 88, ) }, 88, ) == 0x0
 04560   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04561   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 240, ) == 0x0
 04562   408   NtQueryInformationToken  (240, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04563   408   NtClose  (240, ... ) == 0x0
 04564   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\exefile\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04565   408   NtOpenKey  (0x1, {24, 286, 0x40, 0, 0,  (0x1, {24, 286, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04566   408   NtQueryKey  (286, Name, 384, ... {Name= (286, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\exefile"}, 88, ) }, 88, ) == 0x0
 04567   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04568   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 240, ) == 0x0
 04569   408   NtQueryInformationToken  (240, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04570   408   NtClose  (240, ... ) == 0x0
 04571   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\exefile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04572   408   NtOpenKey  (0x2000000, {24, 286, 0x40, 0, 0, ""}, ... 240, ) == 0x0
 04573   408   NtClose  (286, ... ) == 0x0
 04574   408   NtQueryKey  (242, Name, 384, ... {Name= (242, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\exefile"}, 88, ) }, 88, ) == 0x0
 04575   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04576   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 04577   408   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04578   408   NtClose  (284, ... ) == 0x0
 04579   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\exefile\shell\open"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04580   408   NtOpenKey  (0x2000000, {24, 242, 0x40, 0, 0,  (0x2000000, {24, 242, 0x40, 0, 0, "shell\open"}, ... 284, ) }, ... 284, ) == 0x0
 04581   408   NtQueryKey  (286, Name, 384, ... {Name= (286, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open3"}, 110, ) }, 110, ) == 0x0
 04582   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04583   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 288, ) == 0x0
 04584   408   NtQueryInformationToken  (288, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04585   408   NtClose  (288, ... ) == 0x0
 04586   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\exefile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04587   408   NtOpenKey  (0x1, {24, 286, 0x40, 0, 0,  (0x1, {24, 286, 0x40, 0, 0, "command"}, ... 288, ) }, ... 288, ) == 0x0
 04588   408   NtQueryKey  (290, Name, 392, ... {Name= (290, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command8"}, 126, ) }, 126, ) == 0x0
 04589   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04590   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 276, ) == 0x0
 04591   408   NtQueryInformationToken  (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04592   408   NtClose  (276, ... ) == 0x0
 04593   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\exefile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04594   408   NtQueryValueKey  (290, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=" (290, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=""\0%\01\0"\0 \0%\0*\0\0\0"}, 28, ) \0 \0%\0*\0\0\0"}, 28, ) == 0x0
 04595   408   NtClose  (290, ... ) == 0x0
 04596   408   NtQueryKey  (286, Name, 384, ... {Name= (286, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open3"}, 110, ) }, 110, ) == 0x0
 04597   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04598   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 288, ) == 0x0
 04599   408   NtQueryInformationToken  (288, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04600   408   NtClose  (288, ... ) == 0x0
 04601   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\exefile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04602   408   NtOpenKey  (0x1, {24, 286, 0x40, 0, 0,  (0x1, {24, 286, 0x40, 0, 0, "command"}, ... 288, ) }, ... 288, ) == 0x0
 04603   408   NtQueryKey  (290, Name, 392, ... {Name= (290, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command8"}, 126, ) }, 126, ) == 0x0
 04604   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04605   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 276, ) == 0x0
 04606   408   NtQueryInformationToken  (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04607   408   NtClose  (276, ... ) == 0x0
 04608   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\exefile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04609   408   NtQueryValueKey  (290,  (290, "command", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04610   408   NtClose  (290, ... ) == 0x0
 04611   408   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\App Paths\hp.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04612   408   NtQueryKey  (286, Name, 384, ... {Name= (286, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\opent"}, 110, ) }, 110, ) == 0x0
 04613   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04614   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 288, ) == 0x0
 04615   408   NtQueryInformationToken  (288, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04616   408   NtClose  (288, ... ) == 0x0
 04617   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\exefile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04618   408   NtOpenKey  (0x1, {24, 286, 0x40, 0, 0,  (0x1, {24, 286, 0x40, 0, 0, "command"}, ... 288, ) }, ... 288, ) == 0x0
 04619   408   NtQueryKey  (290, Name, 392, ... {Name= (290, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command8"}, 126, ) }, 126, ) == 0x0
 04620   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04621   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 276, ) == 0x0
 04622   408   NtQueryInformationToken  (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04623   408   NtClose  (276, ... ) == 0x0
 04624   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\exefile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04625   408   NtQueryValueKey  (290, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=" (290, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=""\0%\01\0"\0 \0%\0*\0\0\0"}, 28, ) \0 \0%\0*\0\0\0"}, 28, ) == 0x0
 04626   408   NtClose  (290, ... ) == 0x0
 04627   408   NtQueryKey  (286, Name, 384, ... {Name= (286, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open3"}, 110, ) }, 110, ) == 0x0
 04628   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04629   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 288, ) == 0x0
 04630   408   NtQueryInformationToken  (288, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04631   408   NtClose  (288, ... ) == 0x0
 04632   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\exefile\shell\open\ddeexec"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04633   408   NtOpenKey  (0x1, {24, 286, 0x40, 0, 0,  (0x1, {24, 286, 0x40, 0, 0, "ddeexec"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04634   408   NtUserGetForegroundWindow  (... ) == 0x20064
 04635   408   NtQueryKey  (286, Name, 384, ... {Name= (286, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open3"}, 110, ) }, 110, ) == 0x0
 04636   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04637   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 288, ) == 0x0
 04638   408   NtQueryInformationToken  (288, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04639   408   NtClose  (288, ... ) == 0x0
 04640   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\exefile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04641   408   NtOpenKey  (0x1, {24, 286, 0x40, 0, 0,  (0x1, {24, 286, 0x40, 0, 0, "command"}, ... 288, ) }, ... 288, ) == 0x0
 04642   408   NtQueryKey  (290, Name, 392, ... {Name= (290, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command8"}, 126, ) }, 126, ) == 0x0
 04643   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04644   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 276, ) == 0x0
 04645   408   NtQueryInformationToken  (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04646   408   NtClose  (276, ... ) == 0x0
 04647   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\exefile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04648   408   NtQueryValueKey  (290, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=" (290, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=""\0%\01\0"\0 \0%\0*\0\0\0"}, 28, ) \0 \0%\0*\0\0\0"}, 28, ) == 0x0
 04649   408   NtClose  (290, ... ) == 0x0
 04650   408   NtReleaseSemaphore  (124, 1, ... 0, ) == 0x0
 04651   408   NtWaitForSingleObject  (124, 0, {0, 0}, ... ) == 0x0
 04652   408   NtReleaseSemaphore  (124, 1, ... 0, ) == 0x0
 04653   408   NtWaitForSingleObject  (124, 0, {0, 0}, ... ) == 0x0
 04654   408   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\AppCompatibility\hp.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04655   408   NtCreateFile  (0x80100180, {24, 0, 0x40, 0, 1238664,  (0x80100180, {24, 0, 0x40, 0, 1238664, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\hp.exe"}, 0x0, 0, 3, 1, 96, 0, 0, ... 288, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 96, 0, 0, ... 288, {status=0x0, info=1}, ) == 0x0
 04656   408   NtQueryInformationFile  (288, 1238680, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 04657   408   NtSetInformationFile  (288, 1238680, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 04658   408   NtReadFile  (288, 0, 0, 0, 64, 0x0, 0, ... {status=0x0, info=64},  (288, 0, 0, 0, 64, 0x0, 0, ... {status=0x0, info=64}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\320\0\0\0", ) , ) == 0x0
 04659   408   NtSetInformationFile  (288, 1238720, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 04660   408   NtReadFile  (288, 0, 0, 0, 64, 0x0, 0, ... {status=0x0, info=64},  (288, 0, 0, 0, 64, 0x0, 0, ... {status=0x0, info=64}, "PE\0\0L\1\4\0\240\376)F\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\12\0\10\0\0\0\10\0\0\0\0\0\0`\23\0\0\0\20\0\0\00\0\0\0\0@\0\0\20\0\0\0\2\0\0", ) , ) == 0x0
 04661   408   NtSetInformationFile  (288, 1238720, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 04662   408   NtReadFile  (288, 0, 0, 0, 4, 0x0, 0, ... {status=0x0, info=4},  (288, 0, 0, 0, 4, 0x0, 0, ... {status=0x0, info=4}, "\4\0\0\0", ) , ) == 0x0
 04663   408   NtSetInformationFile  (288, 1238720, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 04664   408   NtReadFile  (288, 0, 0, 0, 4, 0x0, 0, ... {status=0x0, info=4},  (288, 0, 0, 0, 4, 0x0, 0, ... {status=0x0, info=4}, "\2\0\0\4", ) , ) == 0x0
 04665   408   NtClose  (288, ... ) == 0x0
 04666   408   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\CheckBadApps400"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04667   408   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\App Paths\hp.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04668   408   NtReleaseSemaphore  (124, 1, ... 0, ) == 0x0
 04669   408   NtWaitForSingleObject  (124, 0, {0, 0}, ... ) == 0x0
 04670   408   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\App Paths\hp.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04671   408   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 04672   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\hp.exe"}, 1233504, ... ) }, 1233504, ... ) == 0x0
 04673   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\hp.exe"}, 1234196, ... ) }, 1234196, ... ) == 0x0
 04674   408   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\hp.exe"}, 5, 96, ... 288, {status=0x0, info=1}, ) }, 5, 96, ... 288, {status=0x0, info=1}, ) == 0x0
 04675   408   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 288, ... 276, ) == 0x0
 04676   408   NtQueryVolumeInformationFile  (288, 1233504, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 04677   408   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 296, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 296, {status=0x0, info=1}, ) == 0x0
 04678   408   NtQueryInformationFile  (296, 1232092, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04679   408   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 296, ... 292, ) == 0x0
 04680   408   NtMapViewOfSection  (292, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x9c0000), 0x0, 1028096, ) == 0x0
 04681   408   NtQueryInformationFile  (296, 1232188, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04682   408   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04683   408   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\"}, 3, 16417, ... 308, {status=0x0, info=1}, ) }, 3, 16417, ... 308, {status=0x0, info=1}, ) == 0x0
 04684   408   NtQueryDirectoryFile  (308, 0, 0, 0, 1229752, 616, BothDirectory, 1,  (308, 0, 0, 0, 1229752, 616, BothDirectory, 1, "hp.exe", 0, ... {status=0x0, info=106}, ) , 0, ... {status=0x0, info=106}, ) == 0x0
 04685   408   NtClose  (308, ... ) == 0x0
 04686   408   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 04687   408   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 04688   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\hp.exe"}, 1229140, ... ) }, 1229140, ... ) == 0x0
 04689   408   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 308, {status=0x0, info=1}, ) }, 3, 16417, ... 308, {status=0x0, info=1}, ) == 0x0
 04690   408   NtQueryDirectoryFile  (308, 0, 0, 0, 1228500, 616, BothDirectory, 1,  (308, 0, 0, 0, 1228500, 616, BothDirectory, 1, "DOCUME~1", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0
 04691   408   NtClose  (308, ... ) == 0x0
 04692   408   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\"}, 3, 16417, ... 308, {status=0x0, info=1}, ) }, 3, 16417, ... 308, {status=0x0, info=1}, ) == 0x0
 04693   408   NtQueryDirectoryFile  (308, 0, 0, 0, 1228500, 616, BothDirectory, 1,  (308, 0, 0, 0, 1228500, 616, BothDirectory, 1, "SRI-user", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 04694   408   NtClose  (308, ... ) == 0x0
 04695   408   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\"}, 3, 16417, ... 308, {status=0x0, info=1}, ) }, 3, 16417, ... 308, {status=0x0, info=1}, ) == 0x0
 04696   408   NtQueryDirectoryFile  (308, 0, 0, 0, 1228500, 616, BothDirectory, 1,  (308, 0, 0, 0, 1228500, 616, BothDirectory, 1, "LOCALS~1", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0
 04697   408   NtClose  (308, ... ) == 0x0
 04698   408   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\"}, 3, 16417, ... 308, {status=0x0, info=1}, ) }, 3, 16417, ... 308, {status=0x0, info=1}, ) == 0x0
 04699   408   NtQueryDirectoryFile  (308, 0, 0, 0, 1228500, 616, BothDirectory, 1,  (308, 0, 0, 0, 1228500, 616, BothDirectory, 1, "Temp", 0, ... {status=0x0, info=102}, ) , 0, ... {status=0x0, info=102}, ) == 0x0
 04700   408   NtClose  (308, ... ) == 0x0
 04701   408   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\"}, 3, 16417, ... 308, {status=0x0, info=1}, ) }, 3, 16417, ... 308, {status=0x0, info=1}, ) == 0x0
 04702   408   NtQueryDirectoryFile  (308, 0, 0, 0, 1228500, 616, BothDirectory, 1,  (308, 0, 0, 0, 1228500, 616, BothDirectory, 1, "hp.exe", 0, ... {status=0x0, info=106}, ) , 0, ... {status=0x0, info=106}, ) == 0x0
 04703   408   NtClose  (308, ... ) == 0x0
 04704   408   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 04705   408   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 04706   408   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 04707   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04708   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 308, ) == 0x0
 04709   408   NtQueryInformationToken  (308, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04710   408   NtClose  (308, ... ) == 0x0
 04711   408   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04712   408   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\hp.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04713   408   NtUnmapViewOfSection  (-1, 0x9c0000, ... ) == 0x0
 04714   408   NtClose  (292, ... ) == 0x0
 04715   408   NtClose  (296, ... ) == 0x0
 04716   408   NtQuerySection  (276, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 04717   408   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hp.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04718   408   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 04719   408   NtOpenProcessToken  (-1, 0xa, ... 296, ) == 0x0
 04720   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 292, ) }, ... 292, ) == 0x0
 04721   408   NtQueryValueKey  (292,  (292, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 04722   408   NtQueryValueKey  (292,  (292, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (292, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0
 04723   408   NtClose  (292, ... ) == 0x0
 04724   408   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 292, ) }, ... 292, ) == 0x0
 04725   408   NtQuerySymbolicLinkObject  (292, ...  (292, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0
 04726   408   NtClose  (292, ... ) == 0x0
 04727   408   NtQueryInformationFile  (288, 1231856, 528, Name, ... {status=0x0, info=122}, ) == 0x0
 04728   408   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 04729   408   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 04730   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temp\hp.exe"}, 1230536, ... ) }, 1230536, ... ) == 0x0
 04731   408   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\"}, 3, 16417, ... 292, {status=0x0, info=1}, ) }, 3, 16417, ... 292, {status=0x0, info=1}, ) == 0x0
 04732   408   NtQueryDirectoryFile  (292, 0, 0, 0, 1229896, 616, BothDirectory, 1,  (292, 0, 0, 0, 1229896, 616, BothDirectory, 1, "SRI-user", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 04733   408   NtClose  (292, ... ) == 0x0
 04734   408   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\"}, 3, 16417, ... 292, {status=0x0, info=1}, ) }, 3, 16417, ... 292, {status=0x0, info=1}, ) == 0x0
 04735   408   NtQueryDirectoryFile  (292, 0, 0, 0, 1229896, 616, BothDirectory, 1,  (292, 0, 0, 0, 1229896, 616, BothDirectory, 1, "Temp", 0, ... {status=0x0, info=102}, ) , 0, ... {status=0x0, info=102}, ) == 0x0
 04736   408   NtClose  (292, ... ) == 0x0
 04737   408   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temp\"}, 3, 16417, ... 292, {status=0x0, info=1}, ) }, 3, 16417, ... 292, {status=0x0, info=1}, ) == 0x0
 04738   408   NtQueryDirectoryFile  (292, 0, 0, 0, 1229896, 616, BothDirectory, 1,  (292, 0, 0, 0, 1229896, 616, BothDirectory, 1, "hp.exe", 0, ... {status=0x0, info=106}, ) , 0, ... {status=0x0, info=106}, ) == 0x0
 04739   408   NtClose  (292, ... ) == 0x0
 04740   408   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 04741   408   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 04742   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 292, ) }, ... 292, ) == 0x0
 04743   408   NtQueryValueKey  (292,  (292, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04744   408   NtClose  (292, ... ) == 0x0
 04745   408   NtQueryInformationToken  (296, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0
 04746   408   NtQueryInformationToken  (296, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0
 04747   408   NtClose  (296, ... ) == 0x0
 04748   408   NtCreateProcessEx  (1236132, 2035711, 0, -1, 0, 276, 0, 0, 0, ... ) == 0x0
 04749   408   NtSetInformationProcess  (296, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 04750   408   NtQueryInformationProcess  (296, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=568,ParentPid=404,}, 0x0, ) == 0x0
 04751   408   NtReadVirtualMemory  (296, 0x7ffdf008, 4, ...  (296, 0x7ffdf008, 4, ... "\0\0@\0", 0x0, ) , 0x0, ) == 0x0
 04752   408   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\hp.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04753   408   NtReadVirtualMemory  (296, 0x400000, 4096, ...  (296, 0x400000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\320\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\267q\203\304\363\20\355\227\363\20\355\227\363\20\355\227p\30\260\227\360\20\355\227\363\20\354\227\347\20\355\227\366\34\215\227\366\20\355\227\366\34\267\227\362\20\355\227Rich\363\20\355\227\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\4\0\240\376)F\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\12\0\10\0\0\0\10\0\0\0\0\0\0`\23\0\0\0\20\0\0\00\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0P\0\0\0\4\0\0\0\0\0\0\2\0\0\4\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0l2\0\0(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0@0\0\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\0\0@\0\0\0\3001\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.test\0\0\0\337\3\0\0\0\20\0\0\0\4\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0`.tex", 4096, ) , 4096, ) == 0x0
 04754   408   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 04755   408   NtQueryInformationProcess  (296, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=568,ParentPid=404,}, 0x0, ) == 0x0
 04756   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\U:\startupscripts"}, 1234196, ... ) }, 1234196, ... ) == 0x0
 04757   408   NtAllocateVirtualMemory  (-1, 0, 0, 1756, 4096, 4, ... 10223616, 4096, ) == 0x0
 04758   408   NtAllocateVirtualMemory  (296, 0, 0, 1910, 4096, 4, ... 65536, 4096, ) == 0x0
 04759   408   NtWriteVirtualMemory  (296, 0x10000,  (296, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0
 04760   408   NtAllocateVirtualMemory  (296, 0, 0, 1756, 4096, 4, ... 131072, 4096, ) == 0x0
 04761   408   NtWriteVirtualMemory  (296, 0x20000,  (296, 0x20000, "\0\20\0\0\334\6\0\0\0\0\0\0\0\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"\0\10\2\220\2\0\0\0\0\0\0\32\1\34\1\230\4\0\0R\0T\0\264\5\0\0X\0Z\0\10\6\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\11\0\0\0R\0T\0d\6\0\0\36\0 \0\270\6\0\0\0\0\2\0\330\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1756, ... 0x0, ) \0\10\2\220\2\0\0\0\0\0\0\32\1\34\1\230\4\0\0R\0T\0\264\5\0\0X\0Z\0\10\6\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\11\0\0\0R\0T\0d\6\0\0\36\0 \0\270\6\0\0\0\0\2\0\330\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1756, ... 0x0, ) == 0x0
 04762   408   NtWriteVirtualMemory  (296, 0x7ffdf010,  (296, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 04763   408   NtWriteVirtualMemory  (296, 0x7ffdf1e8,  (296, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 04764   408   NtFreeVirtualMemory  (-1, (0x9c0000), 0, 32768, ... (0x9c0000), 4096, ) == 0x0
 04765   408   NtAllocateVirtualMemory  (296, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0
 04766   408   NtAllocateVirtualMemory  (296, 1236992, 0, 8192, 4096, 4, ... 1236992, 8192, ) == 0x0
 04767   408   NtProtectVirtualMemory  (296, (0x12e000), 4096, 260, ... (0x12e000), 4096, 4, ) == 0x0
 04768   408   NtCreateThread  (0x1f03ff, 0x0, 296, 1234396, 1235116, 1, ... 292, {568, 580}, ) == 0x0
 04769   408   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 0, 1236228, 0, 0}  (24, {168, 196, new_msg, 0, 0, 1236228, 0, 0} "\0\0\0\0\0\0\1\0\24\0\0\0\1\0\0\0+\1\0\0$\1\0\08\2\0\0D\2\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\377\377\377\377\260x\347w\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 404, 408, 1509, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\1\0\0\0(\1\0\0$\1\0\08\2\0\0D\2\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\377\377\377\377\260x\347w\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {168, 196, reply, 0, 404, 408, 1509, 0}  (24, {168, 196, new_msg, 0, 0, 1236228, 0, 0} "\0\0\0\0\0\0\1\0\24\0\0\0\1\0\0\0+\1\0\0$\1\0\08\2\0\0D\2\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\377\377\377\377\260x\347w\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 404, 408, 1509, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\1\0\0\0(\1\0\0$\1\0\08\2\0\0D\2\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\377\377\377\377\260x\347w\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 04770   408   NtResumeThread  (292, ... 1, ) == 0x0
 04771   408   NtClose  (288, ... ) == 0x0
 04772   408   NtClose  (276, ... ) == 0x0
 04773   408   NtClose  (286, ... ) == 0x0
 04774   408   NtClose  (302, ... ) == 0x0
 04775   408   NtClose  (242, ... ) == 0x0
 04776   408   NtClose  (296, ... ) == 0x0
 04777   408   NtClose  (292, ... ) == 0x0
 04778   408   NtGdiDeleteObjectApp  (101188613, ... ) == 0x1
 04779   408   NtUserGetClassInfo  (1989935104, 1238436, 1238388, 1238464, 0, ... ) == 0x0
 04780   408   NtUserGetClassInfo  (1989935104, 1238436, 1238388, 1238464, 0, ... ) == 0x0
 04781   408   NtUserGetClassInfo  (1989935104, 1238436, 1238388, 1238464, 0, ... ) == 0x0
 04782   408   NtUserGetClassInfo  (1989935104, 1238436, 1238388, 1238464, 0, ... ) == 0x0
 04783   408   NtUserGetClassInfo  (1989935104, 1238436, 1238388, 1238464, 0, ... ) == 0x0
 04784   408   NtUserGetClassInfo  (1989935104, 1238436, 1238388, 1238464, 0, ... ) == 0x0
 04785   408   NtUserGetClassInfo  (1989935104, 1238436, 1238388, 1238464, 0, ... ) == 0x0
 04786   408   NtUserGetClassInfo  (1989935104, 1238436, 1238388, 1238464, 0, ... ) == 0x0
 04787   408   NtUnmapViewOfSection  (-1, 0xb10000, ... ) == 0x0
 04788   408   NtClose  (304, ... ) == 0x0
 04789   408   NtUnmapViewOfSection  (-1, 0x769c0000, ... ) == 0x0
 04790   408   NtUserDestroyWindow  (196784, ...
 04791   408   NtUserRemoveProp  (196784, 43288, ... ) == 0xffffffff
 04792   408   NtUserRemoveProp  (196784, 43282, ... ) == 0x0
 04793   408   NtUserRemoveProp  (196784, 43287, ... ) == 0x0
 04790   408   NtUserDestroyWindow  ... ) == 0x1
 04794   408   NtUserUnregisterClass  (1239576, 1998258176, 1239564, ... ) == 0x1
 04795   408   NtClose  (212, ... ) == 0x0
 04796   408   NtClose  (228, ... ) == 0x0
 04797   408   NtClose  (224, ... ) == 0x0
 04798   408   NtClose  (216, ... ) == 0x0
 04799   408   NtClose  (220, ... ) == 0x0
 04800   408   NtClose  (200, ... ) == 0x0
 04801   408   NtClose  (196, ... ) == 0x0
 04802   408   NtClose  (188, ... ) == 0x0
 04803   408   NtClose  (208, ... ) == 0x0
 04804   408   NtClose  (192, ... ) == 0x0
 04805   408   NtClose  (172, ... ) == 0x0
 04806   408   NtClose  (184, ... ) == 0x0
 04807   408   NtClose  (204, ... ) == 0x0
 04808   408   NtClose  (176, ... ) == 0x0
 04809   408   NtClose  (168, ... ) == 0x0
 04810   408   NtClose  (152, ... ) == 0x0
 04811   408   NtClose  (160, ... ) == 0x0
 04812   408   NtClose  (180, ... ) == 0x0
 04813   408   NtClose  (156, ... ) == 0x0
 04814   408   NtClose  (164, ... ) == 0x0
 04815   408   NtClose  (132, ... ) == 0x0
 04816   408   NtClose  (136, ... ) == 0x0
 04817   408   NtClose  (144, ... ) == 0x0
 04818   408   NtClose  (108, ... ) == 0x0
 04819   408   NtClose  (140, ... ) == 0x0
 04820   408   NtQueryDefaultLocale  (1, 1243752, ... ) == 0x0
 04821   408   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1243880,  (0xc0100080, {24, 0, 0x40, 0, 1243880, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\ff.exe"}, 0x0, 128, 1, 5, 96, 0, 0, ... }, 0x0, 128, 1, 5, 96, 0, 0, ...
 04822   408   NtClose  (-2147482208, ... ) == 0x0
 04821   408   NtCreateFile  ... 140, {status=0x0, info=2}, ) == 0x0
 04823   408   NtWriteFile  (140, 0, 0, 0,  (140, 0, 0, 0, "MZP\0\2\0\0\0\4\0\17\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\32\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\272\20\0\16\37\264\11\315!\270\1L\315!\220\220This program must be run under Win32\15\12$7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\10\0\31^B*\0\0\0\0\0\0\0\0\340\0\216\201\13\1\2\31\0*\0\0\0\16\0\0\0\0\0\0\2206\0\0\0\20\0\0\0@\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\260\0\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0@\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0`\0\0\314\3\0\0\0\240\0\0\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\220\0\0H\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 15360, 0x0, 0, ... {status=0x0, info=15360}, ) , 15360, 0x0, 0, ... {status=0x0, info=15360}, ) == 0x0
 04824   408   NtClose  (140, ... ) == 0x0
 04825   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1237248, ... ) }, 1237248, ... ) == 0x0
 04826   408   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 140, {status=0x0, info=1}, ) }, 5, 96, ... 140, {status=0x0, info=1}, ) == 0x0
 04827   408   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 140, ... 108, ) == 0x0
 04828   408   NtClose  (140, ... ) == 0x0
 04829   408   NtMapViewOfSection  (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x9c0000), 0x0, 262144, ) == 0x0
 04830   408   NtClose  (108, ... ) == 0x0
 04831   408   NtUnmapViewOfSection  (-1, 0x9c0000, ... ) == 0x0
 04832   408   NtUserRegisterClassExWOW  (1239332, 1239412, 1239396, 1239428, 0, 384, 0, ... ) == 0x810dc038
 04833   408   NtUserGetAtomName  (49208, 1238096, ... ) == 0x15
 04834   408   NtUserCreateWindowEx  (0, 49208, 49208,  (0, 49208, 49208, "OleMainThreadWndName", -2013265920, -2147483648, -2147483648, -2147483648, -2147483648, -3, 0, 1998258176, 0, 1073742848, 0, ... , -2013265920, -2147483648, -2147483648, -2147483648, -2147483648, -3, 0, 1998258176, 0, 1073742848, 0, ...
 04835   408   NtUserMessageCall  (0x400b0, WM_NCCREATE, 0x0, 0x12e3fc, 0, 670, 0, ... ) == 0x1
 04836   408   NtUserMessageCall  (0x400b0, WM_NCCALCSIZE, 0x0, 0x12e424, 0, 670, 0, ... ) == 0x0
 04837   408   NtUserSetProp  (262320, 43288, -1, ... ) == 0x1
 04834   408   NtUserCreateWindowEx  ... ) == 0x400b0
 04838   408   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, ... 108, ) }, ... 108, ) == 0x0
 04839   408   NtQueryValueKey  (108,  (108, "MaximizeApps", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04840   408   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, ... 140, ) }, ... 140, ) == 0x0
 04841   408   NtQueryValueKey  (140,  (140, "MaximizeApps", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04842   408   NtClose  (140, ... ) == 0x0
 04843   408   NtClose  (108, ... ) == 0x0
 04844   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\U:\startupscripts"}, 1237904, ... ) }, 1237904, ... ) == 0x0
 04845   408   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 04846   408   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 04847   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\ff.exe"}, 1237724, ... ) }, 1237724, ... ) == 0x0
 04848   408   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 04849   408   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 04850   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES"}, 138, ) }, 138, ) == 0x0
 04851   408   NtOpenKey  (0x2000000, {24, 82, 0x40, 0, 0,  (0x2000000, {24, 82, 0x40, 0, 0, "Drive\shellex\FolderExtensions"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04852   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Drive\shellex\FolderExtensions"}, ... 108, ) }, ... 108, ) == 0x0
 04853   408   NtQueryKey  (110, Name, 392, ... {Name= (110, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensionsl"}, 134, ) }, 134, ) == 0x0
 04854   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04855   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 140, ) == 0x0
 04856   408   NtQueryInformationToken  (140, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04857   408   NtClose  (140, ... ) == 0x0
 04858   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Drive\shellex\FolderExtensions"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04859   408   NtEnumerateKey  (110, 0, Node, 288, ... {LastWrite={0x5abc7c30,0x1c73999}, TitleIdx=0, Name= (110, 0, Node, 288, ... {LastWrite={0x5abc7c30,0x1c73999}, TitleIdx=0, Name="{fbeb8a05-beee-4442-804e-409d6c4515e9}", Class=""}, 100, ) , Class=""}, 100, ) == 0x0
 04860   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 04861   408   NtOpenKey  (0x1, {24, 82, 0x40, 0, 0,  (0x1, {24, 82, 0x40, 0, 0, "Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04862   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... 140, ) }, ... 140, ) == 0x0
 04863   408   NtQueryKey  (142, Name, 392, ... {Name= (142, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, 212, ) }, 212, ) == 0x0
 04864   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04865   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 144, ) == 0x0
 04866   408   NtQueryInformationToken  (144, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04867   408   NtClose  (144, ... ) == 0x0
 04868   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04869   408   NtQueryValueKey  (142,  (142, "DriveMask", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (142, "DriveMask", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0
 04870   408   NtClose  (142, ... ) == 0x0
 04871   408   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 04872   408   NtEnumerateKey  (110, 1, Node, 288, ... ) == STATUS_NO_MORE_ENTRIES
 04873   408   NtClose  (110, ... ) == 0x0
 04874   408   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace"}, ... 108, ) }, ... 108, ) == 0x0
 04875   408   NtEnumerateKey  (108, 0, Basic, 288, ... {LastWrite={0x98c5c536,0x1c738c7}, TitleIdx=0, Name= (108, 0, Basic, 288, ... {LastWrite={0x98c5c536,0x1c738c7}, TitleIdx=0, Name="Controls"}, 32, ) }, 32, ) == 0x0
 04876   408   NtOpenKey  (0x20019, {24, 108, 0x40, 0, 0,  (0x20019, {24, 108, 0x40, 0, 0, "Controls"}, ... 140, ) }, ... 140, ) == 0x0
 04877   408   NtQueryValueKey  (140,  (140, "SuppressionPolicy", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04878   408   NtQueryValueKey  (140, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (140, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\02\01\0E\0C\02\00\02\00\0-\03\0A\0E\0A\0-\01\00\06\09\0-\0A\02\0D\0D\0-\00\08\00\00\02\0B\03\00\03\00\09\0D\0}\0\0\0"}, 90, ) }, 90, ) == 0x0
 04879   408   NtClose  (140, ... ) == 0x0
 04880   408   NtEnumerateKey  (108, 1, Basic, 288, ... {LastWrite={0x5aa70706,0x1c73999}, TitleIdx=0, Name= (108, 1, Basic, 288, ... {LastWrite={0x5aa70706,0x1c73999}, TitleIdx=0, Name="DelegateFolders6"}, 46, ) }, 46, ) == 0x0
 04881   408   NtOpenKey  (0x20019, {24, 108, 0x40, 0, 0,  (0x20019, {24, 108, 0x40, 0, 0, "DelegateFolders"}, ... 140, ) }, ... 140, ) == 0x0
 04882   408   NtQueryValueKey  (140,  (140, "SuppressionPolicy", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04883   408   NtQueryValueKey  (140, 0x0, Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04884   408   NtClose  (140, ... ) == 0x0
 04885   408   NtEnumerateKey  (108, 2, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 04886   408   NtClose  (108, ... ) == 0x0
 04887   408   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace"}, ... 108, ) }, ... 108, ) == 0x0
 04888   408   NtEnumerateKey  (108, 0, Basic, 288, ... {LastWrite={0x9324a644,0x1c7399c}, TitleIdx=0, Name= (108, 0, Basic, 288, ... {LastWrite={0x9324a644,0x1c7399c}, TitleIdx=0, Name="{BDEADF00-C265-11d0-BCED-00A0C90AB50F}"}, 92, ) }, 92, ) == 0x0
 04889   408   NtOpenKey  (0x20019, {24, 108, 0x40, 0, 0,  (0x20019, {24, 108, 0x40, 0, 0, "{BDEADF00-C265-11d0-BCED-00A0C90AB50F}"}, ... 140, ) }, ... 140, ) == 0x0
 04890   408   NtQueryValueKey  (140,  (140, "SuppressionPolicy", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04891   408   NtClose  (140, ... ) == 0x0
 04892   408   NtEnumerateKey  (108, 1, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 04893   408   NtClose  (108, ... ) == 0x0
 04894   408   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 04895   408   NtOpenKey  (0x2000000, {24, 116, 0x40, 0, 0, ""}, ... 108, ) == 0x0
 04896   408   NtCreateKey  (0x20019, {24, 108, 0x40, 0, 0,  (0x20019, {24, 108, 0x40, 0, 0, "SessionInfo\00000000000091e5"}, 0, 0x0, 1, ... 140, 2, ) }, 0, 0x0, 1, ... 140, 2, ) == 0x0
 04897   408   NtClose  (108, ... ) == 0x0
 04898   408   NtOpenKey  (0x20019, {24, 140, 0x40, 0, 0,  (0x20019, {24, 140, 0x40, 0, 0, "MyComputer\NameSpace"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04899   408   NtClose  (140, ... ) == 0x0
 04900   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 04901   408   NtOpenKey  (0x2000000, {24, 82, 0x40, 0, 0,  (0x2000000, {24, 82, 0x40, 0, 0, "CLSID\{21EC2020-3AEA-1069-A2DD-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04902   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{21EC2020-3AEA-1069-A2DD-08002B30309D}\ShellFolder"}, ... 140, ) }, ... 140, ) == 0x0
 04903   408   NtQueryKey  (142, Name, 392, ... {Name= (142, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21EC2020-3AEA-1069-A2DD-08002B30309D}\ShellFolderB"}, 186, ) }, 186, ) == 0x0
 04904   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04905   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 108, ) == 0x0
 04906   408   NtQueryInformationToken  (108, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04907   408   NtClose  (108, ... ) == 0x0
 04908   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{21EC2020-3AEA-1069-A2DD-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04909   408   NtQueryValueKey  (142,  (142, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04910   408   NtClose  (142, ... ) == 0x0
 04911   408   NtQueryKey  (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 04912   408   NtOpenKey  (0x2000000, {24, 82, 0x40, 0, 0,  (0x2000000, {24, 82, 0x40, 0, 0, "CLSID\{BDEADF00-C265-11D0-BCED-00A0C90AB50F}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04913   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{BDEADF00-C265-11D0-BCED-00A0C90AB50F}\ShellFolder"}, ... 140, ) }, ... 140, ) == 0x0
 04914   408   NtQueryKey  (142, Name, 392, ... {Name= (142, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BDEADF00-C265-11d0-BCED-00A0C90AB50F}\ShellFolder9"}, 186, ) }, 186, ) == 0x0
 04915   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04916   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 108, ) == 0x0
 04917   408   NtQueryInformationToken  (108, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04918   408   NtClose  (108, ... ) == 0x0
 04919   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{BDEADF00-C265-11d0-BCED-00A0C90AB50F}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04920   408   NtQueryValueKey  (142,  (142, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04921   408   NtClose  (142, ... ) == 0x0
 04922   408   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace"}, ... 140, ) }, ... 140, ) == 0x0
 04923   408   NtEnumerateKey  (140, 0, Basic, 288, ... {LastWrite={0x5aa70706,0x1c73999}, TitleIdx=0, Name= (140, 0, Basic, 288, ... {LastWrite={0x5aa70706,0x1c73999}, TitleIdx=0, Name="{1f4de370-d627-11d1-ba4f-00a0c91eedba}"}, 92, ) }, 92, ) == 0x0
 04924   408   NtOpenKey  (0x20019, {24, 140, 0x40, 0, 0,  (0x20019, {24, 140, 0x40, 0, 0, "{1f4de370-d627-11d1-ba4f-00a0c91eedba}"}, ... 108, ) }, ... 108, ) == 0x0
 04925   408   NtQueryValueKey  (108,  (108, "SuppressionPolicy", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04926   408   NtClose  (108, ... ) == 0x0
 04927   408   NtEnumerateKey  (140, 1, Basic, 288, ... {LastWrite={0x5aa4a4ac,0x1c73999}, TitleIdx=0, Name= (140, 1, Basic, 288, ... {LastWrite={0x5aa4a4ac,0x1c73999}, TitleIdx=0, Name="{450D8FBA-AD25-11D0-98A8-0800361B1103}"}, 92, ) }, 92, ) == 0x0
 04928   408   NtOpenKey  (0x20019, {24, 140, 0x40, 0, 0,  (0x20019, {24, 140, 0x40, 0, 0, "{450D8FBA-AD25-11D0-98A8-0800361B1103}"}, ... 108, ) }, ... 108, ) == 0x0
 04929   408   NtQueryValueKey  (108,  (108, "SuppressionPolicy", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04930   408   NtClose  (108, ... ) == 0x0
 04931   408   NtEnumerateKey  (140, 2, Basic, 288, ... {LastWrite={0x98c5c536,0x1c738c7}, TitleIdx=0, Name= (140, 2, Basic, 288, ... {LastWrite={0x98c5c536,0x1c738c7}, TitleIdx=0, Name="{645FF040-5081-101B-9F08-00AA002F954E}"}, 92, ) }, 92, ) == 0x0
 04932   408   NtOpenKey  (0x20019, {24, 140, 0x40, 0, 0,  (0x20019, {24, 140, 0x40, 0, 0, "{645FF040-5081-101B-9F08-00AA002F954E}"}, ... 108, ) }, ... 108, ) == 0x0
 04933   408   NtQueryValueKey  (108,  (108, "SuppressionPolicy", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04934   408   NtClose  (108, ... ) == 0x0
 04935   408   NtEnumerateKey  (140, 3, Basic, 288, ... {LastWrite={0x5aa70706,0x1c73999}, TitleIdx=0, Name= (140, 3, Basic, 288, ... {LastWrite={0x5aa70706,0x1c73999}, TitleIdx=0, Name="{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"}, 92, ) }, 92, ) == 0x0
 04936   408   NtOpenKey  (0x20019, {24, 140, 0x40, 0, 0,  (0x20019, {24, 140, 0x40, 0, 0, "{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"}, ... 108, ) }, ... 108, ) == 0x0
 04937   408   NtQueryValueKey  (108,  (108, "SuppressionPolicy", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04938   408   NtClose  (108, ... ) == 0x0
 04939   408   NtEnumerateKey  (140, 4, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
NtAddAtom(>)	1	NtOpenMutant(>)	2	NtUserCallNoParam(>)	7	NtUnmapViewOfSection(>)	36
NtCallbackReturn(>)	1	NtQueryInformationJobObject(>)	2	NtOpenSymbolicLinkObject(>)	8	NtOpenSection(>)	37
NtConnectPort(>)	1	NtQueryInstallUILanguage(>)	2	NtQuerySymbolicLinkObject(>)	8	NtWaitForSingleObject(>)	39
NtDuplicateToken(>)	1	NtQueryPerformanceCounter(>)	2	NtWriteFile(>)	8	NtProtectVirtualMemory(>)	40
NtGdiCreateBitmap(>)	1	NtQueryVirtualMemory(>)	2	NtWriteVirtualMemory(>)	8	NtSetValueKey(>)	40
NtGdiCreatePatternBrushInternal(>)	1	NtResumeThread(>)	2	NtFsControlFile(>)	10	NtCreateEvent(>)	41
NtGdiInit(>)	1	NtUserGetDC(>)	2	NtOpenProcessToken(>)	10	NtEnumerateKey(>)	42
NtGdiQueryFontAssocInfo(>)	1	NtUserGetForegroundWindow(>)	2	NtUserGetWindowDC(>)	10	NtUserFindExistingCursorIcon(>)	52
NtGdiSelectBitmap(>)	1	NtUserGetProcessWindowStation(>)	2	NtQueryVolumeInformationFile(>)	11	NtSetInformationFile(>)	54
NtOpenKeyedEvent(>)	1	NtUserUnregisterClass(>)	2	NtReleaseMutant(>)	11	NtDeviceIoControlFile(>)	55
NtQueryObject(>)	1	NtCreateMutant(>)	3	NtUserSystemParametersInfo(>)	11	NtUserGetClassInfo(>)	55
NtQuerySystemTime(>)	1	NtDuplicateObject(>)	3	NtUserCallOneParam(>)	12	NtCreateKey(>)	56
NtRegisterThreadTerminatePort(>)	1	NtOpenProcess(>)	3	NtQuerySection(>)	13	NtMapViewOfSection(>)	56
NtSecureConnectPort(>)	1	NtUserGetAtomName(>)	3	NtRequestWaitReplyPort(>)	13	NtQueryInformationProcess(>)	61
NtTestAlert(>)	1	NtUserGetObjectInformation(>)	3	NtQueryDefaultUILanguage(>)	14	NtUserRegisterClassExWOW(>)	68
NtUserGetGUIThreadInfo(>)	1	NtUserSetProp(>)	3	NtSetInformationThread(>)	14	NtAllocateVirtualMemory(>)	74
NtUserGetThreadDesktop(>)	1	NtOpenEvent(>)	4	NtFreeVirtualMemory(>)	15	NtQueryAttributesFile(>)	84
NtAccessCheck(>)	2	NtReadVirtualMemory(>)	4	NtFlushInstructionCache(>)	19	NtQuerySystemInformation(>)	90
NtAdjustPrivilegesToken(>)	2	NtUserDestroyWindow(>)	4	NtQueryDefaultLocale(>)	23	NtOpenFile(>)	101
NtCreateIoCompletion(>)	2	NtContinue(>)	5	NtNotifyChangeKey(>)	28	NtQueryValueKey(>)	259
NtCreateProcessEx(>)	2	NtEnumerateValueKey(>)	5	NtSetInformationProcess(>)	28	NtOpenProcessTokenEx(>)	282
NtCreateSemaphore(>)	2	NtGdiCreateCompatibleDC(>)	5	NtOpenThreadToken(>)	30	NtOpenThreadTokenEx(>)	282
NtCreateThread(>)	2	NtGdiGetStockObject(>)	5	NtReadFile(>)	30	NtQueryInformationToken(>)	292
NtGdiCreateHalftonePalette(>)	2	NtSetInformationObject(>)	5	NtQueryDebugFilterState(>)	31	NtQueryKey(>)	344
NtGdiCreatePaletteInternal(>)	2	NtUserRegisterWindowMessage(>)	5	NtCreateSection(>)	32	NtClose(>)	878
NtGdiCreateSolidBrush(>)	2	NtGdiDeleteObjectApp(>)	6	NtQueryDirectoryFile(>)	32	NtOpenKey(>)	903
NtGdiDoPalette(>)	2	NtUserCreateWindowEx(>)	6	NtReleaseSemaphore(>)	32
NtGdiHfontCreate(>)	2	NtUserMessageCall(>)	6	NtCreateFile(>)	33
NtOpenDirectoryObject(>)	2