Summary:


NtAddAtom(>)  1 
NtUserGetThreadDesktop(>)  1 
NtQueryVirtualMemory(>)  5 
NtQueryInformationProcess(>)  18 

NtCallbackReturn(>)  1 
NtAdjustPrivilegesToken(>)  2 
NtSetInformationProcess(>)  5 
NtUserRegisterWindowMessage(>)  18 

NtClearEvent(>)  1 
NtContinue(>)  2 
NtSetInformationThread(>)  5 
NtOpenSection(>)  22 

NtConnectPort(>)  1 
NtCreateIoCompletion(>)  2 
NtOpenThreadToken(>)  6 
NtQueryAttributesFile(>)  22 

NtCreateSemaphore(>)  1 
NtGdiCreateSolidBrush(>)  2 
NtQueryVolumeInformationFile(>)  6 
NtOpenProcessTokenEx(>)  27 

NtEnumerateValueKey(>)  1 
NtOpenDirectoryObject(>)  2 
NtFsControlFile(>)  7 
NtOpenThreadTokenEx(>)  27 

NtFreeVirtualMemory(>)  1 
NtOpenEvent(>)  2 
NtQueryDefaultLocale(>)  7 
NtQueryKey(>)  28 

NtGdiCreateBitmap(>)  1 
NtReadFile(>)  2 
NtQueryDirectoryFile(>)  7 
NtMapViewOfSection(>)  31 

NtGdiInit(>)  1 
NtSetEvent(>)  2 
NtQuerySection(>)  7 
NtQueryInformationToken(>)  31 

NtGdiQueryFontAssocInfo(>)  1 
NtSetThreadExecutionState(>)  2 
NtOpenProcessToken(>)  8 
NtDeviceIoControlFile(>)  42 

NtGdiSelectBitmap(>)  1 
NtUserGetDC(>)  2 
NtQueryDefaultUILanguage(>)  8 
NtAllocateVirtualMemory(>)  45 

NtOpenKeyedEvent(>)  1 
NtUserQueryWindow(>)  2 
NtQueryInformationFile(>)  8 
NtOpenFile(>)  47 

NtOpenProcess(>)  1 
NtWriteFile(>)  2 
NtUnmapViewOfSection(>)  8 
NtUserFindExistingCursorIcon(>)  52 

NtQueryInstallUILanguage(>)  1 
NtAccessCheck(>)  3 
NtCreateFile(>)  9 
NtUserRegisterClassExWOW(>)  61 

NtQueryObject(>)  1 
NtDuplicateObject(>)  3 
NtQueryDebugFilterState(>)  9 
NtQuerySystemInformation(>)  73 

NtQuerySystemTime(>)  1 
NtGdiCreateCompatibleDC(>)  3 
NtRequestWaitReplyPort(>)  11 
NtFlushInstructionCache(>)  78 

NtRegisterThreadTerminatePort(>)  1 
NtUserCallOneParam(>)  3 
NtUserSystemParametersInfo(>)  11 
NtDelayExecution(>)  84 

NtSecureConnectPort(>)  1 
NtCreateMutant(>)  4 
NtCreateEvent(>)  13 
NtQueryValueKey(>)  98 

NtTestAlert(>)  1 
NtSetInformationObject(>)  4 
NtSetInformationFile(>)  14 
NtOpenKey(>)  147 

NtUserCallNoParam(>)  1 
NtGdiGetStockObject(>)  5 
NtCreateKey(>)  15 
NtProtectVirtualMemory(>)  158 

NtUserGetObjectInformation(>)  1 
NtOpenSymbolicLinkObject(>)  5 
NtCreateSection(>)  15 
NtClose(>)  213 

NtUserGetProcessWindowStation(>)  1 
NtQuerySymbolicLinkObject(>)  5 
NtSetValueKey(>)  17 

Trace:
 00001  1736   NtOpenFile  (0x80100000, {24, 0, 0x240, 0, 0,  (0x80100000, {24, 0, 0x240, 0, 0, "\SystemRoot\Prefetch\PACKED.EXE-09ED06A1.pf"}, 0, 32, ... ) }, 0, 32, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00003  1736   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00004  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00005  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0
 00006  1736   NtAllocateVirtualMemory  (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0
 00007  1736   NtAllocateVirtualMemory  (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0
 00008  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00009  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0
 00010  1736   NtAllocateVirtualMemory  (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0
 00011  1736   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00012  1736   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00013  1736   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00014  1736   NtClose  (12, ... ) == 0x0
 00015  1736   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\C:\scripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00016  1736   NtQueryVolumeInformationFile  (12, 1243852, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00017  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243804, ... ) }, 1243804, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019  1736   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7c800000), 0x0, 1003520, ) == 0x0
 00020  1736   NtClose  (16, ... ) == 0x0
 00021  1736   NtProtectVirtualMemory  (-1, (0x7c801000), 1568, 4, ... (0x7c801000), 4096, 32, ) == 0x0
 00022  1736   NtProtectVirtualMemory  (-1, (0x7c801000), 4096, 32, ... (0x7c801000), 4096, 4, ) == 0x0
 00023  1736   NtFlushInstructionCache  (-1, 2088767488, 1568, ... ) == 0x0
 00024  1736   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00025  1736   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00026  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00027  1736   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00028  1736   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 19136512}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 19136512}, {0, 0, 0}, 200, 44, ) == 0x0
 00029  1736   NtClose  (16, ... ) == 0x0
 00030  1736   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00031  1736   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00032  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00033  1736   NtQueryVirtualMemory  (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00034  1736   NtAllocateVirtualMemory  (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0
 00035  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184}  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6$\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6$\1\4\0\0\0" ... {28, 56, reply, 0, 1636, 1736, 75469, 0} "\330<\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6$\1\4\0\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75469, 0}  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6$\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6$\1\4\0\0\0" ... {28, 56, reply, 0, 1636, 1736, 75469, 0} "\330<\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6$\1\4\0\0\0" )  ) == 0x0
 00036  1736   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00037  1736   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00038  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00039  1736   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00040  1736   NtClose  (16, ... ) == 0x0
 00041  1736   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 16, ) }, ... 16, ) == 0x0
 00042  1736   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0
 00043  1736   NtClose  (16, ... ) == 0x0
 00044  1736   NtQueryDefaultLocale  (0, 2089305000, ... ) == 0x0
 00045  1736   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 16, ) }, ... 16, ) == 0x0
 00046  1736   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 249856, ) == 0x0
 00047  1736   NtClose  (16, ... ) == 0x0
 00048  1736   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 16, ) }, ... 16, ) == 0x0
 00049  1736   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0
 00050  1736   NtQuerySection  (16, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00051  1736   NtClose  (16, ... ) == 0x0
 00052  1736   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 16, ) }, ... 16, ) == 0x0
 00053  1736   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0
 00054  1736   NtClose  (16, ... ) == 0x0
 00055  1736   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00056  1736   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00057  1736   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00058  1736   NtAllocateVirtualMemory  (-1, 2428928, 0, 8192, 4096, 4, ... 2428928, 8192, ) == 0x0
 00059  1736   NtRequestWaitReplyPort  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776}  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6$\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6$\1p\30\0\0" ... {24, 52, reply, 0, 1636, 1736, 75470, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6$\1p\30\0\0" )  ... {24, 52, reply, 0, 1636, 1736, 75470, 0}  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6$\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6$\1p\30\0\0" ... {24, 52, reply, 0, 1636, 1736, 75470, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6$\1p\30\0\0" )  ) == 0x0
 00060  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0}  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6$\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6$\18\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75471, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6$\18\6\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75471, 0}  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6$\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6$\18\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75471, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6$\18\6\0\0" )  ) == 0x0
 00061  1736   NtProtectVirtualMemory  (-1, (0x43f000), 4096, 4, ... (0x43f000), 4096, 8, ) == 0x0
 00062  1736   NtProtectVirtualMemory  (-1, (0x43f000), 4096, 8, ... (0x43f000), 4096, 4, ) == 0x0
 00063  1736   NtFlushInstructionCache  (-1, 4452352, 4096, ... ) == 0x0
 00064  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00065  1736   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 634880, ) == 0x0
 00066  1736   NtClose  (16, ... ) == 0x0
 00067  1736   NtProtectVirtualMemory  (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0
 00068  1736   NtProtectVirtualMemory  (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0
 00069  1736   NtFlushInstructionCache  (-1, 2010976256, 1700, ... ) == 0x0
 00070  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00071  1736   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e70000), 0x0, 593920, ) == 0x0
 00072  1736   NtClose  (16, ... ) == 0x0
 00073  1736   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00074  1736   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00075  1736   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00076  1736   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00077  1736   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00078  1736   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00079  1736   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00080  1736   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00081  1736   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00082  1736   NtProtectVirtualMemory  (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0
 00083  1736   NtProtectVirtualMemory  (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0
 00084  1736   NtFlushInstructionCache  (-1, 2010976256, 1700, ... ) == 0x0
 00085  1736   NtProtectVirtualMemory  (-1, (0x43f000), 4096, 4, ... (0x43f000), 4096, 4, ) == 0x0
 00086  1736   NtProtectVirtualMemory  (-1, (0x43f000), 4096, 4, ... (0x43f000), 4096, 4, ) == 0x0
 00087  1736   NtFlushInstructionCache  (-1, 4452352, 4096, ... ) == 0x0
 00088  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MFC42.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00089  1736   NtAllocateVirtualMemory  (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0
 00090  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\MFC42.DLL"}, 1242572, ... ) }, 1242572, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00091  1736   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 00092  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\MFC42.DLL"}, 1242572, ... ) }, 1242572, ... ) == 0x0
 00093  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\MFC42.DLL"}, 5, 96, ... 16, {status=0x0, info=1}, ) }, 5, 96, ... 16, {status=0x0, info=1}, ) == 0x0
 00094  1736   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 16, ... 28, ) == 0x0
 00095  1736   NtQuerySection  (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00096  1736   NtOpenProcessToken  (-1, 0x8, ... 32, ) == 0x0
 00097  1736   NtQueryInformationToken  (32, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00098  1736   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00099  1736   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 36, ) }, ... 36, ) == 0x0
 00100  1736   NtQueryValueKey  (36,  (36, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (36, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00101  1736   NtClose  (36, ... ) == 0x0
 00102  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00103  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 36, ) == 0x0
 00104  1736   NtQueryInformationToken  (36, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00105  1736   NtClose  (36, ... ) == 0x0
 00106  1736   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00107  1736   NtClose  (32, ... ) == 0x0
 00108  1736   NtClose  (16, ... ) == 0x0
 00109  1736   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x73dd0000), 0x0, 1040384, ) == 0x0
 00110  1736   NtClose  (28, ... ) == 0x0
 00111  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00112  1736   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 360448, ) == 0x0
 00113  1736   NtClose  (28, ... ) == 0x0
 00114  1736   NtProtectVirtualMemory  (-1, (0x77c11000), 632, 4, ... (0x77c11000), 4096, 32, ) == 0x0
 00115  1736   NtProtectVirtualMemory  (-1, (0x77c11000), 4096, 32, ... (0x77c11000), 4096, 4, ) == 0x0
 00116  1736   NtFlushInstructionCache  (-1, 2009141248, 632, ... ) == 0x0
 00117  1736   NtProtectVirtualMemory  (-1, (0x73e76000), 2112, 4, ... (0x73e76000), 4096, 2, ) == 0x0
 00118  1736   NtProtectVirtualMemory  (-1, (0x73e76000), 4096, 2, ... (0x73e76000), 4096, 4, ) == 0x0
 00119  1736   NtFlushInstructionCache  (-1, 1944543232, 2112, ... ) == 0x0
 00120  1736   NtProtectVirtualMemory  (-1, (0x73e76000), 2112, 4, ... (0x73e76000), 4096, 2, ) == 0x0
 00121  1736   NtProtectVirtualMemory  (-1, (0x73e76000), 4096, 2, ... (0x73e76000), 4096, 4, ) == 0x0
 00122  1736   NtFlushInstructionCache  (-1, 1944543232, 2112, ... ) == 0x0
 00123  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00124  1736   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f10000), 0x0, 290816, ) == 0x0
 00125  1736   NtClose  (28, ... ) == 0x0
 00126  1736   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00127  1736   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00128  1736   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00129  1736   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00130  1736   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00131  1736   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00132  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "USER32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00133  1736   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7e410000), 0x0, 589824, ) == 0x0
 00134  1736   NtClose  (28, ... ) == 0x0
 00135  1736   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00136  1736   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00137  1736   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00138  1736   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00139  1736   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00140  1736   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00141  1736   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00142  1736   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00143  1736   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00144  1736   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00145  1736   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00146  1736   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00147  1736   NtProtectVirtualMemory  (-1, (0x73e76000), 2112, 4, ... (0x73e76000), 4096, 2, ) == 0x0
 00148  1736   NtProtectVirtualMemory  (-1, (0x73e76000), 4096, 2, ... (0x73e76000), 4096, 4, ) == 0x0
 00149  1736   NtFlushInstructionCache  (-1, 1944543232, 2112, ... ) == 0x0
 00150  1736   NtProtectVirtualMemory  (-1, (0x73e76000), 2112, 4, ... (0x73e76000), 4096, 2, ) == 0x0
 00151  1736   NtProtectVirtualMemory  (-1, (0x73e76000), 4096, 2, ... (0x73e76000), 4096, 4, ) == 0x0
 00152  1736   NtFlushInstructionCache  (-1, 1944543232, 2112, ... ) == 0x0
 00153  1736   NtProtectVirtualMemory  (-1, (0x43f000), 4096, 4, ... (0x43f000), 4096, 4, ) == 0x0
 00154  1736   NtProtectVirtualMemory  (-1, (0x43f000), 4096, 4, ... (0x43f000), 4096, 4, ) == 0x0
 00155  1736   NtFlushInstructionCache  (-1, 4452352, 4096, ... ) == 0x0
 00156  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSVCIRT.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00157  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\MSVCIRT.dll"}, 1242572, ... ) }, 1242572, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00158  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\MSVCIRT.dll"}, 1242572, ... ) }, 1242572, ... ) == 0x0
 00159  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\MSVCIRT.dll"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00160  1736   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 28, ... 16, ) == 0x0
 00161  1736   NtQuerySection  (16, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00162  1736   NtClose  (28, ... ) == 0x0
 00163  1736   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x400000), 0x0, 69632, ) == 0x0
 00164  1736   NtClose  (16, ... ) == 0x0
 00165  1736   NtProtectVirtualMemory  (-1, (0x401000), 228, 4, ... (0x401000), 4096, 32, ) == 0x0
 00166  1736   NtProtectVirtualMemory  (-1, (0x401000), 4096, 32, ... (0x401000), 4096, 4, ) == 0x0
 00167  1736   NtFlushInstructionCache  (-1, 4198400, 228, ... ) == 0x0
 00168  1736   NtProtectVirtualMemory  (-1, (0x401000), 228, 4, ... (0x401000), 4096, 32, ) == 0x0
 00169  1736   NtProtectVirtualMemory  (-1, (0x401000), 4096, 32, ... (0x401000), 4096, 4, ) == 0x0
 00170  1736   NtFlushInstructionCache  (-1, 4198400, 228, ... ) == 0x0
 00171  1736   NtProtectVirtualMemory  (-1, (0x43f000), 4096, 4, ... (0x43f000), 4096, 4, ) == 0x0
 00172  1736   NtProtectVirtualMemory  (-1, (0x43f000), 4096, 4, ... (0x43f000), 4096, 4, ) == 0x0
 00173  1736   NtFlushInstructionCache  (-1, 4452352, 4096, ... ) == 0x0
 00174  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSVCP60.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00175  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\MSVCP60.dll"}, 1242572, ... ) }, 1242572, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00176  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\MSVCP60.dll"}, 1242572, ... ) }, 1242572, ... ) == 0x0
 00177  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\MSVCP60.dll"}, 5, 96, ... 16, {status=0x0, info=1}, ) }, 5, 96, ... 16, {status=0x0, info=1}, ) == 0x0
 00178  1736   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 16, ... 28, ) == 0x0
 00179  1736   NtQuerySection  (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00180  1736   NtClose  (16, ... ) == 0x0
 00181  1736   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76080000), 0x0, 413696, ) == 0x0
 00182  1736   NtClose  (28, ... ) == 0x0
 00183  1736   NtProtectVirtualMemory  (-1, (0x760ac000), 392, 4, ... (0x760ac000), 4096, 2, ) == 0x0
 00184  1736   NtProtectVirtualMemory  (-1, (0x760ac000), 4096, 2, ... (0x760ac000), 4096, 4, ) == 0x0
 00185  1736   NtFlushInstructionCache  (-1, 1980416000, 392, ... ) == 0x0
 00186  1736   NtProtectVirtualMemory  (-1, (0x760ac000), 392, 4, ... (0x760ac000), 4096, 2, ) == 0x0
 00187  1736   NtProtectVirtualMemory  (-1, (0x760ac000), 4096, 2, ... (0x760ac000), 4096, 4, ) == 0x0
 00188  1736   NtFlushInstructionCache  (-1, 1980416000, 392, ... ) == 0x0
 00189  1736   NtProtectVirtualMemory  (-1, (0x43f000), 4096, 4, ... (0x43f000), 4096, 4, ) == 0x0
 00190  1736   NtProtectVirtualMemory  (-1, (0x43f000), 4096, 4, ... (0x43f000), 4096, 4, ) == 0x0
 00191  1736   NtFlushInstructionCache  (-1, 4452352, 4096, ... ) == 0x0
 00192  1736   NtProtectVirtualMemory  (-1, (0x43f000), 4096, 4, ... (0x43f000), 4096, 4, ) == 0x0
 00193  1736   NtProtectVirtualMemory  (-1, (0x43f000), 4096, 4, ... (0x43f000), 4096, 4, ) == 0x0
 00194  1736   NtFlushInstructionCache  (-1, 4452352, 4096, ... ) == 0x0
 00195  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ole32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00196  1736   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x774e0000), 0x0, 1298432, ) == 0x0
 00197  1736   NtClose  (28, ... ) == 0x0
 00198  1736   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00199  1736   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00200  1736   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00201  1736   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00202  1736   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00203  1736   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00204  1736   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00205  1736   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00206  1736   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00207  1736   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00208  1736   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00209  1736   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00210  1736   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00211  1736   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00212  1736   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00213  1736   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00214  1736   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00215  1736   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00216  1736   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00217  1736   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00218  1736   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00219  1736   NtProtectVirtualMemory  (-1, (0x43f000), 4096, 4, ... (0x43f000), 4096, 4, ) == 0x0
 00220  1736   NtProtectVirtualMemory  (-1, (0x43f000), 4096, 4, ... (0x43f000), 4096, 4, ) == 0x0
 00221  1736   NtFlushInstructionCache  (-1, 4452352, 4096, ... ) == 0x0
 00222  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLEAUT32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00223  1736   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0
 00224  1736   NtClose  (28, ... ) == 0x0
 00225  1736   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00226  1736   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00227  1736   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00228  1736   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00229  1736   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00230  1736   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00231  1736   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00232  1736   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00233  1736   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00234  1736   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00235  1736   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00236  1736   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00237  1736   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00238  1736   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00239  1736   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00240  1736   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00241  1736   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00242  1736   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00243  1736   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00244  1736   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00245  1736   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00246  1736   NtProtectVirtualMemory  (-1, (0x43f000), 4096, 4, ... (0x43f000), 4096, 4, ) == 0x0
 00247  1736   NtProtectVirtualMemory  (-1, (0x43f000), 4096, 4, ... (0x43f000), 4096, 4, ) == 0x0
 00248  1736   NtFlushInstructionCache  (-1, 4452352, 4096, ... ) == 0x0
 00249  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHELL32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00250  1736   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7c9c0000), 0x0, 8482816, ) == 0x0
 00251  1736   NtClose  (28, ... ) == 0x0
 00252  1736   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 00253  1736   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 00254  1736   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 00255  1736   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 00256  1736   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 00257  1736   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 00258  1736   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 00259  1736   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 00260  1736   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 00261  1736   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 00262  1736   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 00263  1736   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 00264  1736   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 00265  1736   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 00266  1736   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 00267  1736   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 00268  1736   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 00269  1736   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 00270  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00271  1736   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f60000), 0x0, 483328, ) == 0x0
 00272  1736   NtClose  (28, ... ) == 0x0
 00273  1736   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 00274  1736   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 00275  1736   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 00276  1736   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 00277  1736   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 00278  1736   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 00279  1736   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 00280  1736   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 00281  1736   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 00282  1736   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 00283  1736   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 00284  1736   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 00285  1736   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 00286  1736   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 00287  1736   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 00288  1736   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 00289  1736   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 00290  1736   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 00291  1736   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 00292  1736   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 00293  1736   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 00294  1736   NtProtectVirtualMemory  (-1, (0x43f000), 4096, 4, ... (0x43f000), 4096, 4, ) == 0x0
 00295  1736   NtProtectVirtualMemory  (-1, (0x43f000), 4096, 4, ... (0x43f000), 4096, 4, ) == 0x0
 00296  1736   NtFlushInstructionCache  (-1, 4452352, 4096, ... ) == 0x0
 00297  1736   NtProtectVirtualMemory  (-1, (0x43f000), 4096, 4, ... (0x43f000), 4096, 4, ) == 0x0
 00298  1736   NtProtectVirtualMemory  (-1, (0x43f000), 4096, 4, ... (0x43f000), 4096, 4, ) == 0x0
 00299  1736   NtFlushInstructionCache  (-1, 4452352, 4096, ... ) == 0x0
 00300  1736   NtQueryInformationProcess  (-1, 37, 48, ... {process info, class 37, size 48}, 0x0, ) == 0x0
 00301  1736   NtSetInformationProcess  (-1, 34, {process info, class 34, size 4}, 4, ... ) == 0x0
 00302  1736   NtOpenProcessToken  (-1, 0x8, ... 28, ) == 0x0
 00303  1736   NtQueryInformationToken  (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00304  1736   NtClose  (28, ... ) == 0x0
 00305  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00306  1736   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00307  1736   NtClose  (28, ... ) == 0x0
 00308  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00309  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADVAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00310  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00311  1736   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00312  1736   NtQueryValueKey  (28,  (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00313  1736   NtClose  (28, ... ) == 0x0
 00314  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0
 00315  1736   NtQueryValueKey  (28,  (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00316  1736   NtClose  (28, ... ) == 0x0
 00317  1736   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0
 00318  1736   NtSetInformationObject  (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011431168, ... ) == 0x0
 00319  1736   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00320  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msvcrt.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00321  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00322  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3276800, 65536, ) == 0x0
 00323  1736   NtAllocateVirtualMemory  (-1, 3276800, 0, 4096, 4096, 4, ... 3276800, 4096, ) == 0x0
 00324  1736   NtAllocateVirtualMemory  (-1, 3280896, 0, 8192, 4096, 4, ... 3280896, 8192, ) == 0x0
 00325  1736   NtAllocateVirtualMemory  (-1, 3289088, 0, 4096, 4096, 4, ... 3289088, 4096, ) == 0x0
 00326  1736   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 16, ) }, ... 16, ) == 0x0
 00327  1736   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x330000), 0x0, 12288, ) == 0x0
 00328  1736   NtClose  (16, ... ) == 0x0
 00329  1736   NtAllocateVirtualMemory  (-1, 3293184, 0, 4096, 4096, 4, ... 3293184, 4096, ) == 0x0
 00330  1736   NtQueryVirtualMemory  (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 00331  1736   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00332  1736   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00333  1736   NtQueryVirtualMemory  (-1, 0x0, Basic, 28, ... {BaseAddress=0x0,AllocationBase=0x0,AllocationProtect=0x0,RegionSize=0x10000,State=0x10000,Protect=0x1,Type=0x0,}, 28, ) == 0x0
 00334  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USER32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00335  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00336  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 256, 1243092, 256, 1242836}  (24, {28, 56, new_msg, 0, 256, 1243092, 256, 1242836} "\210\6$\1\0\0\0\0\0\0\0\0\1\0\0\0\3\0\0\0\234\6$\1$\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75479, 0} "\320G\26\0\0\0\0\0\0\0\0\0\1\0\0\0\3\0\0\0\234\6$\1$\1\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75479, 0}  (24, {28, 56, new_msg, 0, 256, 1243092, 256, 1242836} "\210\6$\1\0\0\0\0\0\0\0\0\1\0\0\0\3\0\0\0\234\6$\1$\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75479, 0} "\320G\26\0\0\0\0\0\0\0\0\0\1\0\0\0\3\0\0\0\234\6$\1$\1\0\0" )  ) == 0x0
 00337  1736   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 16, ) }, ... 16, ) == 0x0
 00338  1736   NtQueryValueKey  (16,  (16, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00339  1736   NtClose  (16, ... ) == 0x0
 00340  1736   NtAllocateVirtualMemory  (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0
 00341  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239420, ... ) }, 1239420, ... ) == 0x0
 00342  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 16, {status=0x0, info=1}, ) }, 5, 96, ... 16, {status=0x0, info=1}, ) == 0x0
 00343  1736   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 16, ... 32, ) == 0x0
 00344  1736   NtClose  (16, ... ) == 0x0
 00345  1736   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x340000), 0x0, 110592, ) == 0x0
 00346  1736   NtClose  (32, ... ) == 0x0
 00347  1736   NtUnmapViewOfSection  (-1, 0x340000, ... ) == 0x0
 00348  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239328, ... ) }, 1239328, ... ) == 0x0
 00349  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 32, {status=0x0, info=1}, ) }, 5, 96, ... 32, {status=0x0, info=1}, ) == 0x0
 00350  1736   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 32, ... 16, ) == 0x0
 00351  1736   NtClose  (32, ... ) == 0x0
 00352  1736   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x340000), 0x0, 110592, ) == 0x0
 00353  1736   NtClose  (16, ... ) == 0x0
 00354  1736   NtUnmapViewOfSection  (-1, 0x340000, ... ) == 0x0
 00355  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239636, ... ) }, 1239636, ... ) == 0x0
 00356  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 16, {status=0x0, info=1}, ) }, 5, 96, ... 16, {status=0x0, info=1}, ) == 0x0
 00357  1736   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 16, ... 32, ) == 0x0
 00358  1736   NtQuerySection  (32, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00359  1736   NtClose  (16, ... ) == 0x0
 00360  1736   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76390000), 0x0, 118784, ) == 0x0
 00361  1736   NtClose  (32, ... ) == 0x0
 00362  1736   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00363  1736   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00364  1736   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00365  1736   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00366  1736   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00367  1736   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00368  1736   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00369  1736   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00370  1736   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00371  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMM32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00372  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00373  1736   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00374  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1236552, ... ) }, 1236552, ... ) == 0x0
 00375  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00376  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00377  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00378  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MFC42.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00379  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSVCIRT.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00380  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSVCP60.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00381  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ole32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00382  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OLEAUT32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00383  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHLWAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00384  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHELL32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00385  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239956, ... ) }, 1239956, ... ) == 0x0
 00386  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00387  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize"}, ... 32, ) }, ... 32, ) == 0x0
 00388  1736   NtQueryValueKey  (32,  (32, "DisableMetaFiles", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00389  1736   NtClose  (32, ... ) == 0x0
 00390  1736   NtMapViewOfSection  (-2147482576, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x510000), 0x0, 1060864, ) == 0x0
 00391  1736   NtClose  (-2147482576, ... ) == 0x0
 00392  1736   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 32, ) == 0x0
 00393  1736   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00394  1736   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482576, ) == 0x0
 00395  1736   NtQueryInformationToken  (-2147482576, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00396  1736   NtQueryInformationToken  (-2147482576, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00397  1736   NtClose  (-2147482576, ... ) == 0x0
 00398  1736   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 3407872, 4096, ) == 0x0
 00399  1736   NtFreeVirtualMemory  (-1, (0x340000), 4096, 32768, ... (0x340000), 4096, ) == 0x0
 00400  1736   NtDuplicateObject  (-1, 16, -1, 0x0, 0, 2, ... 40, ) == 0x0
 00401  1736   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482576, ) }, ... -2147482576, ) == 0x0
 00402  1736   NtQueryValueKey  (-2147482576,  (-2147482576, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00403  1736   NtClose  (-2147482576, ... ) == 0x0
 00404  1736   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482576, ) }, ... -2147482576, ) == 0x0
 00405  1736   NtQueryValueKey  (-2147482576,  (-2147482576, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00406  1736   NtClose  (-2147482576, ... ) == 0x0
 00407  1736   NtQueryDefaultLocale  (0, -134731444, ... ) == 0x0
 00408  1736   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00409  1736   NtUserCallNoParam  (24, ... ) == 0x0
 00410  1736   NtGdiCreateCompatibleDC  (0, ...
 00411  1736   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 3407872, 4096, ) == 0x0
 00410  1736   NtGdiCreateCompatibleDC  ... ) == 0xf2010663
 00412  1736   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00413  1736   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00414  1736   NtGdiCreateBitmap  (8, 8, 1, 1, 2118200212, ... ) == 0xfd0505f7
 00415  1736   NtGdiCreateSolidBrush  (0, 0, ...
 00416  1736   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 3473408, 4096, ) == 0x0
 00415  1736   NtGdiCreateSolidBrush  ... ) == 0x4210057d
 00417  1736   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00418  1736   NtGdiCreateCompatibleDC  (0, ... ) == 0x69010363
 00419  1736   NtGdiSelectBitmap  (1761674083, -50002441, ... ) == 0x185000f
 00420  1736   NtUserGetThreadDesktop  (1736, 0, ... ) == 0x24
 00421  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 44, ) }, ... 44, ) == 0x0
 00422  1736   NtQueryValueKey  (44,  (44, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (44, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00423  1736   NtClose  (44, ... ) == 0x0
 00424  1736   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00425  1736   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 673, 128, 0, ... ) == 0x8173c017
 00426  1736   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00427  1736   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 674, 128, 0, ... ) == 0x8173c01c
 00428  1736   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00429  1736   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 675, 128, 0, ... ) == 0x8173c01e
 00430  1736   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00431  1736   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 676, 128, 0, ... ) == 0x81738002
 00432  1736   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10013
 00433  1736   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 677, 128, 0, ... ) == 0x8173c018
 00434  1736   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00435  1736   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 678, 128, 0, ... ) == 0x8173c01a
 00436  1736   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00437  1736   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 679, 128, 0, ... ) == 0x8173c01d
 00438  1736   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00439  1736   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 681, 128, 0, ... ) == 0x8173c026
 00440  1736   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00441  1736   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 680, 128, 0, ... ) == 0x8173c019
 00442  1736   NtUserRegisterClassExWOW  (1241096, 1241164, 1241180, 1241196, 0, 128, 0, ... ) == 0x8173c020
 00443  1736   NtUserRegisterClassExWOW  (1241352, 1241448, 1241432, 1241420, 0, 130, 0, ... ) == 0x8173c022
 00444  1736   NtUserRegisterClassExWOW  (1241096, 1241164, 1241180, 1241196, 0, 128, 0, ... ) == 0x8173c023
 00445  1736   NtUserRegisterClassExWOW  (1241352, 1241448, 1241432, 1241420, 0, 130, 0, ... ) == 0x8173c024
 00446  1736   NtUserRegisterClassExWOW  (1241096, 1241164, 1241180, 1241196, 0, 128, 0, ... ) == 0x8173c025
 00447  1736   NtCallbackReturn  (0, 0, 0, ...
 00448  1736   NtGdiInit  (... ) == 0x1
 00449  1736   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00450  1736   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00451  1736   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00452  1736   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00453  1736   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00454  1736   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00455  1736   NtAllocateVirtualMemory  (-1, 1331200, 0, 12288, 4096, 4, ... 1331200, 12288, ) == 0x0
 00456  1736   NtAllocateVirtualMemory  (-1, 0, 0, 524280, 8192, 4, ... 3538944, 524288, ) == 0x0
 00457  1736   NtAllocateVirtualMemory  (-1, 3538944, 0, 4096, 4096, 4, ... 3538944, 4096, ) == 0x0
 00458  1736   NtUserRegisterWindowMessage  ( ("commctrl_DragListMsg", ... ) , ... ) == 0xc0d0
 00459  1736   NtUserGetDC  (0, ... ) == 0x1010053
 00460  1736   NtUserCallOneParam  (16842835, 57, ... ) == 0x1
 00461  1736   NtUserFindExistingCursorIcon  (1242880, 1242896, 1242944, ... ) == 0x10015
 00462  1736   NtUserFindExistingCursorIcon  (1242880, 1242896, 1242944, ... ) == 0x10011
 00463  1736   NtUserRegisterWindowMessage  ( ("commdlg_FindReplace", ... ) , ... ) == 0xc0d1
 00464  1736   NtUserRegisterWindowMessage  ( ("Native", ... ) , ... ) == 0xc004
 00465  1736   NtUserRegisterWindowMessage  ( ("OwnerLink", ... ) , ... ) == 0xc003
 00466  1736   NtUserRegisterWindowMessage  ( ("ObjectLink", ... ) , ... ) == 0xc002
 00467  1736   NtUserRegisterWindowMessage  ( ("Embedded Object", ... ) , ... ) == 0xc00a
 00468  1736   NtUserRegisterWindowMessage  ( ("Embed Source", ... ) , ... ) == 0xc00b
 00469  1736   NtUserRegisterWindowMessage  ( ("Link Source", ... ) , ... ) == 0xc00d
 00470  1736   NtUserRegisterWindowMessage  ( ("Object Descriptor", ... ) , ... ) == 0xc00e
 00471  1736   NtUserRegisterWindowMessage  ( ("Link Source Descriptor", ... ) , ... ) == 0xc00f
 00472  1736   NtUserRegisterWindowMessage  ( ("FileName", ... ) , ... ) == 0xc006
 00473  1736   NtUserRegisterWindowMessage  ( ("FileNameW", ... ) , ... ) == 0xc007
 00474  1736   NtUserRegisterWindowMessage  ( ("Rich Text Format", ... ) , ... ) == 0xc0d2
 00475  1736   NtUserRegisterWindowMessage  ( ("RichEdit Text and Objects", ... ) , ... ) == 0xc0d3
 00476  1736   NtUserRegisterWindowMessage  ( ("commdlg_FindReplace", ... ) , ... ) == 0xc0d1
 00477  1736   NtUserCallOneParam  (1944782608, 38, ... ) == 0x1
 00478  1736   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00479  1736   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00480  1736   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00481  1736   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00482  1736   NtQueryDefaultUILanguage  (2090319928, ...
 00483  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00484  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482576, ) == 0x0
 00485  1736   NtQueryInformationToken  (-2147482576, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00486  1736   NtClose  (-2147482576, ... ) == 0x0
 00487  1736   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482576, ) }, ... -2147482576, ) == 0x0
 00488  1736   NtOpenKey  (0x80000000, {24, -2147482576, 0x240, 0, 0,  (0x80000000, {24, -2147482576, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00489  1736   NtOpenKey  (0x80000000, {24, -2147482576, 0x640, 0, 0,  (0x80000000, {24, -2147482576, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481400, ) }, ... -2147481400, ) == 0x0
 00490  1736   NtQueryValueKey  (-2147481400,  (-2147481400, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00491  1736   NtClose  (-2147481400, ... ) == 0x0
 00492  1736   NtClose  (-2147482576, ... ) == 0x0
 00482  1736   NtQueryDefaultUILanguage  ... ) == 0x0
 00493  1736   NtQueryInstallUILanguage  (2090319930, ... ) == 0x0
 00494  1736   NtQueryDefaultLocale  (1, 1242264, ... ) == 0x0
 00495  1736   NtQueryDefaultLocale  (1, 1242188, ... ) == 0x0
 00496  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\MFC42LOC.DLL"}, 1240908, ... ) }, 1240908, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00497  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\MFC42LOC.DLL"}, 1241216, ... ) }, 1241216, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00498  1736   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... 44, {status=0x0, info=0}, ) }, 7, 16, ... 44, {status=0x0, info=0}, ) == 0x0
 00499  1736   NtDeviceIoControlFile  (44, 0, 0x0, 0x0, 0x390008,  (44, 0, 0x0, 0x0, 0x390008, "\254\314\11=\246\323\211\21\264u2\264\311\16N\313\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00500  1736   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00501  1736   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00502  1736   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00503  1736   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00504  1736   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00505  1736   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00506  1736   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00507  1736   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482576, 2, ) }, 0, 0x0, 0, ... -2147482576, 2, ) == 0x0
 00508  1736   NtSetValueKey  (-2147482576,  (-2147482576, "Seed", 0, 3, "j\347{&\21\272\344\323\24\233\360\225\350\314\256\347*f\360d\336\274\30+~*\221"\375\372\356=(\177c{\355$\365\243X\320\232l\207\203\271\373\341p0, 3,  (-2147482576, "Seed", 0, 3, "j\347{&\21\272\344\323\24\233\360\225\350\314\256\347*f\360d\336\274\30+~*\221"\375\372\356=(\177c{\355$\365\243X\320\232l\207\203\271\373\341p375\372\356=(\177c{\355$\365\243X\320\232l\207\203\271\373\341p362\313btad\275&\213Vd\302\23\300o\310\326k$\17\372\200=\330\334\232H", 80, ... ) == 0x0
 00509  1736   NtClose  (-2147482576, ... ) == 0x0
 00499  1736   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\271z\244N\334\177\342\216>Fj\300\271\375\241i\377\24\375\377\351\31\23\27\256o\306\346\341\356\263\302x7h\336\311t\211\224\35\224+\37U]`IR\214\13U\370FB\274\254l\202v<<\3734\204b\236\250EpN\275\314\317\276I\224Q270L\231\207\306?zu4\305*\32~\305\177h\3175E\213S7v\242!\340\350\224\220\314\324\274SW\206I\220\366\1\210\305\26\237'\32\11S\327J\178\3404W'\5\273\261Z\223\23\237\237D\274\204\324\271\264\331~|gS\224Y\174\261X\211+\244$\260c)\253\340\275whH\207\232\254\340\26o\1\22\253\260E\221\214\254:\222\347\270\374o\24\276\232\306r\3&\256F\311\220\351\357:\303vJ/X\7\201\372C\213\230\232\0\306\203\242\3A\343\202\6\307\301\275\331B+0\220m8\260\273\355!\206Q\213\260\372}\376\256\327\3343r", ) , ) == 0x0
 00510  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00511  1736   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00512  1736   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 48, ) }, ... 48, ) == 0x0
 00513  1736   NtQueryValueKey  (48,  (48, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (48, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0
 00514  1736   NtClose  (48, ... ) == 0x0
 00515  1736   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Ole"}, ... 48, ) }, ... 48, ) == 0x0
 00516  1736   NtQueryValueKey  (48,  (48, "RWLockResourceTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00517  1736   NtClose  (48, ... ) == 0x0
 00518  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00519  1736   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00520  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00521  1736   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00522  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 48, ) }, ... 48, ) == 0x0
 00523  1736   NtQueryValueKey  (48,  (48, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00524  1736   NtQueryValueKey  (48,  (48, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00525  1736   NtQueryValueKey  (48,  (48, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00526  1736   NtClose  (48, ... ) == 0x0
 00527  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 48, ) }, ... 48, ) == 0x0
 00528  1736   NtQueryValueKey  (48,  (48, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00529  1736   NtQueryValueKey  (48,  (48, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00530  1736   NtClose  (48, ... ) == 0x0
 00531  1736   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 48, ) }, ... 48, ) == 0x0
 00532  1736   NtOpenEvent  (0x1f0003, {24, 48, 0x0, 0, 0,  (0x1f0003, {24, 48, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00533  1736   NtUserRegisterWindowMessage  ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc077
 00534  1736   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00535  1736   NtOpenKey  (0x9, {24, 28, 0x40, 0, 0,  (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00536  1736   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00537  1736   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00538  1736   NtCreateSemaphore  (0x1f0003, {24, 48, 0x80, 1339720, 0,  (0x1f0003, {24, 48, 0x80, 1339720, 0, "shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}"}, 0, 2147483647, ... 52, ) }, 0, 2147483647, ... 52, ) == STATUS_OBJECT_NAME_EXISTS
 00539  1736   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 56, ) }, ... 56, ) == 0x0
 00540  1736   NtQueryValueKey  (56,  (56, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (56, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00541  1736   NtClose  (56, ... ) == 0x0
 00542  1736   NtQueryDefaultUILanguage  (1241692, ...
 00543  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00544  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482576, ) == 0x0
 00545  1736   NtQueryInformationToken  (-2147482576, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00546  1736   NtClose  (-2147482576, ... ) == 0x0
 00547  1736   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482576, ) }, ... -2147482576, ) == 0x0
 00548  1736   NtOpenKey  (0x80000000, {24, -2147482576, 0x240, 0, 0,  (0x80000000, {24, -2147482576, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00549  1736   NtOpenKey  (0x80000000, {24, -2147482576, 0x640, 0, 0,  (0x80000000, {24, -2147482576, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481400, ) }, ... -2147481400, ) == 0x0
 00550  1736   NtQueryValueKey  (-2147481400,  (-2147481400, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00551  1736   NtClose  (-2147481400, ... ) == 0x0
 00552  1736   NtClose  (-2147482576, ... ) == 0x0
 00542  1736   NtQueryDefaultUILanguage  ... ) == 0x0
 00553  1736   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1, 96, ... 56, {status=0x0, info=1}, ) }, 1, 96, ... 56, {status=0x0, info=1}, ) == 0x0
 00554  1736   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 56, ... 60, ) == 0x0
 00555  1736   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x920000), 0x0, 8462336, ) == 0x0
 00556  1736   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00557  1736   NtQueryDefaultLocale  (1, 1239788, ... ) == 0x0
 00558  1736   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00559  1736   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 2088850039, 1240824, 1179817, 1240548}  (24, {128, 156, new_msg, 0, 2088850039, 1240824, 1179817, 1240548} "\210\6$\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6$\18\0\0\0\377\377\377\377\0\0\0\0@ \265\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6$\1\0\0\0\0\0\0\0\0\354\362\22\0\0\0\0\0" ... {128, 156, reply, 0, 1636, 1736, 75480, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6$\18\0\0\0\377\377\377\377\0\0\0\0@ \265\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6$\1\0\0\0\0\0\0\0\0\354\362\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 1636, 1736, 75480, 0}  (24, {128, 156, new_msg, 0, 2088850039, 1240824, 1179817, 1240548} "\210\6$\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6$\18\0\0\0\377\377\377\377\0\0\0\0@ \265\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6$\1\0\0\0\0\0\0\0\0\354\362\22\0\0\0\0\0" ... {128, 156, reply, 0, 1636, 1736, 75480, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6$\18\0\0\0\377\377\377\377\0\0\0\0@ \265\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6$\1\0\0\0\0\0\0\0\0\354\362\22\0\0\0\0\0" )  ) == 0x0
 00560  1736   NtClose  (56, ... ) == 0x0
 00561  1736   NtClose  (60, ... ) == 0x0
 00562  1736   NtUnmapViewOfSection  (-1, 0x920000, ... ) == 0x0
 00563  1736   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00564  1736   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00565  1736   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00566  1736   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00567  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1238980, ... ) }, 1238980, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00568  1736   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00569  1736   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00570  1736   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00571  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03"}, 1239044, ... ) }, 1239044, ... ) == 0x0
 00572  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03"}, 3, 33, ... 60, {status=0x0, info=1}, ) }, 3, 33, ... 60, {status=0x0, info=1}, ) == 0x0
 00573  1736   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00574  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll"}, 5, 96, ... 56, {status=0x0, info=1}, ) }, 5, 96, ... 56, {status=0x0, info=1}, ) == 0x0
 00575  1736   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 56, ... 64, ) == 0x0
 00576  1736   NtClose  (56, ... ) == 0x0
 00577  1736   NtMapViewOfSection  (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x920000), 0x0, 1056768, ) == 0x0
 00578  1736   NtClose  (64, ... ) == 0x0
 00579  1736   NtUnmapViewOfSection  (-1, 0x920000, ... ) == 0x0
 00580  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll"}, 5, 96, ... 64, {status=0x0, info=1}, ) }, 5, 96, ... 64, {status=0x0, info=1}, ) == 0x0
 00581  1736   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 64, ... 56, ) == 0x0
 00582  1736   NtQuerySection  (56, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00583  1736   NtClose  (64, ... ) == 0x0
 00584  1736   NtMapViewOfSection  (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 1060864, ) == 0x0
 00585  1736   NtClose  (56, ... ) == 0x0
 00586  1736   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 00587  1736   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 00588  1736   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 00589  1736   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 00590  1736   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 00591  1736   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 00592  1736   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 00593  1736   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 00594  1736   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 00595  1736   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 00596  1736   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 00597  1736   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 00598  1736   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 00599  1736   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 00600  1736   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 00601  1736   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 00602  1736   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 00603  1736   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 00604  1736   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 00605  1736   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 00606  1736   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 00607  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\comctl32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00608  1736   NtAddAtom  ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1240524, ... ) , 42, 1240524, ... ) == 0x0
 00609  1736   NtQueryDefaultUILanguage  (1239208, ...
 00610  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00611  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482576, ) == 0x0
 00612  1736   NtQueryInformationToken  (-2147482576, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00613  1736   NtClose  (-2147482576, ... ) == 0x0
 00614  1736   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482576, ) }, ... -2147482576, ) == 0x0
 00615  1736   NtOpenKey  (0x80000000, {24, -2147482576, 0x240, 0, 0,  (0x80000000, {24, -2147482576, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00616  1736   NtOpenKey  (0x80000000, {24, -2147482576, 0x640, 0, 0,  (0x80000000, {24, -2147482576, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481400, ) }, ... -2147481400, ) == 0x0
 00617  1736   NtQueryValueKey  (-2147481400,  (-2147481400, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00618  1736   NtClose  (-2147481400, ... ) == 0x0
 00619  1736   NtClose  (-2147482576, ... ) == 0x0
 00609  1736   NtQueryDefaultUILanguage  ... ) == 0x0
 00620  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1238048, ... ) }, 1238048, ... ) == 0x0
 00621  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 56, {status=0x0, info=1}, ) }, 5, 96, ... 56, {status=0x0, info=1}, ) == 0x0
 00622  1736   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 56, ... 64, ) == 0x0
 00623  1736   NtClose  (56, ... ) == 0x0
 00624  1736   NtMapViewOfSection  (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x3f0000), 0x0, 4096, ) == 0x0
 00625  1736   NtClose  (64, ... ) == 0x0
 00626  1736   NtUnmapViewOfSection  (-1, 0x3f0000, ... ) == 0x0
 00627  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1237644, ... ) }, 1237644, ... ) == 0x0
 00628  1736   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238388,  (0x80100080, {24, 0, 0x40, 0, 1238388, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 64, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 64, {status=0x0, info=1}, ) == 0x0
 00629  1736   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 64, ... 56, ) == 0x0
 00630  1736   NtClose  (64, ... ) == 0x0
 00631  1736   NtMapViewOfSection  (56, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x3f0000), {0, 0}, 4096, ) == 0x0
 00632  1736   NtClose  (56, ... ) == 0x0
 00633  1736   NtUnmapViewOfSection  (-1, 0x3f0000, ... ) == 0x0
 00634  1736   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 56, {status=0x0, info=1}, ) }, 1, 96, ... 56, {status=0x0, info=1}, ) == 0x0
 00635  1736   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 56, ... 64, ) == 0x0
 00636  1736   NtMapViewOfSection  (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x3f0000), 0x0, 4096, ) == 0x0
 00637  1736   NtQueryInformationFile  (56, 1238040, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00638  1736   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00639  1736   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 2088850039, 1238340, 1179817, 1238064}  (24, {128, 156, new_msg, 0, 2088850039, 1238340, 1179817, 1238064} "\210\6$\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6$\18\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6$\1\0\0\0\0\0\0\0\08\351\22\0\0\0\0\0" ... {128, 156, reply, 0, 1636, 1736, 75491, 0} "\260d\27\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6$\18\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6$\1\0\0\0\0\0\0\0\08\351\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 1636, 1736, 75491, 0}  (24, {128, 156, new_msg, 0, 2088850039, 1238340, 1179817, 1238064} "\210\6$\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6$\18\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6$\1\0\0\0\0\0\0\0\08\351\22\0\0\0\0\0" ... {128, 156, reply, 0, 1636, 1736, 75491, 0} "\260d\27\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6$\18\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6$\1\0\0\0\0\0\0\0\08\351\22\0\0\0\0\0" )  ) == 0x0
 00640  1736   NtClose  (56, ... ) == 0x0
 00641  1736   NtClose  (64, ... ) == 0x0
 00642  1736   NtUnmapViewOfSection  (-1, 0x3f0000, ... ) == 0x0
 00643  1736   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00644  1736   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00645  1736   NtUserSystemParametersInfo  (104, 0, 2001084812, 0, ... ) == 0x1
 00646  1736   NtUserGetDC  (0, ... ) == 0x1010053
 00647  1736   NtUserCallOneParam  (16842835, 57, ... ) == 0x1
 00648  1736   NtUserSystemParametersInfo  (38, 4, 2001086940, 0, ... ) == 0x1
 00649  1736   NtUserSystemParametersInfo  (66, 12, 1240040, 0, ... ) == 0x1
 00650  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00651  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 64, ) == 0x0
 00652  1736   NtQueryInformationToken  (64, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00653  1736   NtClose  (64, ... ) == 0x0
 00654  1736   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 64, ) }, ... 64, ) == 0x0
 00655  1736   NtOpenProcessToken  (-1, 0x8, ... 56, ) == 0x0
 00656  1736   NtAccessCheck  (1338872, 56, 0x1, 1239872, 1239924, 56, 1239904, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 00657  1736   NtClose  (56, ... ) == 0x0
 00658  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "Control Panel\Desktop"}, ... 56, ) }, ... 56, ) == 0x0
 00659  1736   NtQueryValueKey  (56,  (56, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00660  1736   NtClose  (56, ... ) == 0x0
 00661  1736   NtUserSystemParametersInfo  (41, 500, 1240068, 0, ... ) == 0x1
 00662  1736   NtOpenProcessToken  (-1, 0x8, ... 56, ) == 0x0
 00663  1736   NtAccessCheck  (1338872, 56, 0x1, 1239872, 1239924, 56, 1239904, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 00664  1736   NtClose  (56, ... ) == 0x0
 00665  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 56, ) }, ... 56, ) == 0x0
 00666  1736   NtQueryValueKey  (56,  (56, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00667  1736   NtClose  (56, ... ) == 0x0
 00668  1736   NtUserSystemParametersInfo  (27, 0, 2001085788, 0, ... ) == 0x1
 00669  1736   NtUserSystemParametersInfo  (102, 0, 2001086828, 0, ... ) == 0x1
 00670  1736   NtClose  (64, ... ) == 0x0
 00671  1736   NtUserSystemParametersInfo  (4130, 0, 1240572, 0, ... ) == 0x1
 00672  1736   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 64, ) }, ... 64, ) == 0x0
 00673  1736   NtEnumerateValueKey  (64, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 00674  1736   NtClose  (64, ... ) == 0x0
 00675  1736   NtUserFindExistingCursorIcon  (1239820, 1239836, 1239884, ... ) == 0x10011
 00676  1736   NtUserRegisterClassExWOW  (1239764, 1239832, 1239848, 1239864, 0, 384, 0, ... ) == 0x8173c03b
 00677  1736   NtUserRegisterClassExWOW  (1239764, 1239832, 1239848, 1239864, 0, 384, 0, ... ) == 0x8173c03d
 00678  1736   NtUserFindExistingCursorIcon  (1239820, 1239836, 1239884, ... ) == 0x10011
 00679  1736   NtUserRegisterClassExWOW  (1239764, 1239832, 1239848, 1239864, 0, 384, 0, ... ) == 0x8173c03f
 00680  1736   NtUserFindExistingCursorIcon  (1239820, 1239836, 1239884, ... ) == 0x10011
 00681  1736   NtUserRegisterClassExWOW  (1239764, 1239832, 1239848, 1239864, 0, 384, 0, ... ) == 0x8173c041
 00682  1736   NtUserFindExistingCursorIcon  (1239820, 1239836, 1239884, ... ) == 0x10011
 00683  1736   NtUserRegisterClassExWOW  (1239764, 1239832, 1239848, 1239864, 0, 384, 0, ... ) == 0x8173c043
 00684  1736   NtUserRegisterClassExWOW  (1239764, 1239832, 1239848, 1239864, 0, 384, 0, ... ) == 0x8173c045
 00685  1736   NtUserFindExistingCursorIcon  (1239820, 1239836, 1239884, ... ) == 0x10011
 00686  1736   NtUserRegisterClassExWOW  (1239764, 1239832, 1239848, 1239864, 0, 384, 0, ... ) == 0x8173c047
 00687  1736   NtUserFindExistingCursorIcon  (1239820, 1239836, 1239884, ... ) == 0x10011
 00688  1736   NtUserRegisterClassExWOW  (1239764, 1239832, 1239848, 1239864, 0, 384, 0, ... ) == 0x8173c049
 00689  1736   NtUserFindExistingCursorIcon  (1239820, 1239836, 1239884, ... ) == 0x10011
 00690  1736   NtUserRegisterClassExWOW  (1239764, 1239832, 1239848, 1239864, 0, 384, 0, ... ) == 0x8173c04b
 00691  1736   NtUserFindExistingCursorIcon  (1239820, 1239836, 1239884, ... ) == 0x10011
 00692  1736   NtUserRegisterClassExWOW  (1239764, 1239832, 1239848, 1239864, 0, 384, 0, ... ) == 0x8173c04d
 00693  1736   NtUserFindExistingCursorIcon  (1239820, 1239836, 1239884, ... ) == 0x10011
 00694  1736   NtUserRegisterClassExWOW  (1239764, 1239832, 1239848, 1239864, 0, 384, 0, ... ) == 0x8173c04f
 00695  1736   NtUserRegisterClassExWOW  (1239764, 1239832, 1239848, 1239864, 0, 384, 0, ... ) == 0x8173c051
 00696  1736   NtUserFindExistingCursorIcon  (1239820, 1239836, 1239884, ... ) == 0x10011
 00697  1736   NtUserRegisterClassExWOW  (1239764, 1239832, 1239848, 1239864, 0, 384, 0, ... ) == 0x8173c053
 00698  1736   NtUserFindExistingCursorIcon  (1239816, 1239832, 1239880, ... ) == 0x10011
 00699  1736   NtUserRegisterClassExWOW  (1239760, 1239828, 1239844, 1239860, 0, 384, 0, ... ) == 0x8173c055
 00700  1736   NtUserFindExistingCursorIcon  (1239816, 1239832, 1239880, ... ) == 0x10011
 00701  1736   NtUserRegisterClassExWOW  (1239760, 1239828, 1239844, 1239860, 0, 384, 0, ... ) == 0x8173c057
 00702  1736   NtUserFindExistingCursorIcon  (1239820, 1239836, 1239884, ... ) == 0x10011
 00703  1736   NtUserRegisterClassExWOW  (1239764, 1239832, 1239848, 1239864, 0, 384, 0, ... ) == 0x8173c059
 00704  1736   NtUserFindExistingCursorIcon  (1239820, 1239836, 1239884, ... ) == 0x10013
 00705  1736   NtUserRegisterClassExWOW  (1239764, 1239832, 1239848, 1239864, 0, 384, 0, ... ) == 0x8173c05b
 00706  1736   NtUserFindExistingCursorIcon  (1239820, 1239836, 1239884, ... ) == 0x10011
 00707  1736   NtUserRegisterClassExWOW  (1239764, 1239832, 1239848, 1239864, 0, 384, 0, ... ) == 0x8173c05d
 00708  1736   NtUserFindExistingCursorIcon  (1239820, 1239836, 1239884, ... ) == 0x10011
 00709  1736   NtUserRegisterClassExWOW  (1239764, 1239832, 1239848, 1239864, 0, 384, 0, ... ) == 0x8173c05f
 00710  1736   NtUserFindExistingCursorIcon  (1239820, 1239836, 1239884, ... ) == 0x10011
 00711  1736   NtUserRegisterClassExWOW  (1239764, 1239832, 1239848, 1239864, 0, 384, 0, ... ) == 0x8173c017
 00712  1736   NtUserFindExistingCursorIcon  (1239820, 1239836, 1239884, ... ) == 0x10011
 00713  1736   NtUserRegisterClassExWOW  (1239764, 1239832, 1239848, 1239864, 0, 384, 0, ... ) == 0x8173c019
 00714  1736   NtUserFindExistingCursorIcon  (1239820, 1239836, 1239884, ... ) == 0x10013
 00715  1736   NtUserRegisterClassExWOW  (1239764, 1239832, 1239848, 1239864, 0, 384, 0, ... ) == 0x8173c018
 00716  1736   NtUserFindExistingCursorIcon  (1239820, 1239836, 1239884, ... ) == 0x10011
 00717  1736   NtUserRegisterClassExWOW  (1239764, 1239832, 1239848, 1239864, 0, 384, 0, ... ) == 0x8173c01a
 00718  1736   NtUserFindExistingCursorIcon  (1239820, 1239836, 1239884, ... ) == 0x10011
 00719  1736   NtUserRegisterClassExWOW  (1239764, 1239832, 1239848, 1239864, 0, 384, 0, ... ) == 0x8173c01c
 00720  1736   NtUserFindExistingCursorIcon  (1239820, 1239836, 1239884, ... ) == 0x10011
 00721  1736   NtUserRegisterClassExWOW  (1239764, 1239832, 1239848, 1239864, 0, 384, 0, ... ) == 0x8173c01e
 00722  1736   NtUserFindExistingCursorIcon  (1239812, 1239828, 1239876, ... ) == 0x10011
 00723  1736   NtUserRegisterClassExWOW  (1239812, 1239880, 1239896, 1239912, 0, 384, 0, ... ) == 0x8173c01b
 00724  1736   NtUserFindExistingCursorIcon  (1239820, 1239836, 1239884, ... ) == 0x10011
 00725  1736   NtUserRegisterClassExWOW  (1239764, 1239832, 1239848, 1239864, 0, 384, 0, ... ) == 0x8173c068
 00726  1736   NtUserFindExistingCursorIcon  (1239820, 1239836, 1239884, ... ) == 0x10011
 00727  1736   NtUserRegisterClassExWOW  (1239764, 1239832, 1239848, 1239864, 0, 384, 0, ... ) == 0x8173c06a
 00728  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "comctl32.dll"}, ... 64, ) }, ... 64, ) == 0x0
 00729  1736   NtMapViewOfSection  (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5d090000), 0x0, 630784, ) == 0x0
 00730  1736   NtClose  (64, ... ) == 0x0
 00731  1736   NtProtectVirtualMemory  (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0
 00732  1736   NtProtectVirtualMemory  (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0
 00733  1736   NtFlushInstructionCache  (-1, 1560875008, 1656, ... ) == 0x0
 00734  1736   NtProtectVirtualMemory  (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0
 00735  1736   NtProtectVirtualMemory  (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0
 00736  1736   NtFlushInstructionCache  (-1, 1560875008, 1656, ... ) == 0x0
 00737  1736   NtProtectVirtualMemory  (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0
 00738  1736   NtProtectVirtualMemory  (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0
 00739  1736   NtFlushInstructionCache  (-1, 1560875008, 1656, ... ) == 0x0
 00740  1736   NtProtectVirtualMemory  (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0
 00741  1736   NtProtectVirtualMemory  (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0
 00742  1736   NtFlushInstructionCache  (-1, 1560875008, 1656, ... ) == 0x0
 00743  1736   NtProtectVirtualMemory  (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0
 00744  1736   NtProtectVirtualMemory  (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0
 00745  1736   NtFlushInstructionCache  (-1, 1560875008, 1656, ... ) == 0x0
 00746  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\comctl32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00747  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00748  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4128768, 65536, ) == 0x0
 00749  1736   NtAllocateVirtualMemory  (-1, 4128768, 0, 4096, 4096, 4, ... 4128768, 4096, ) == 0x0
 00750  1736   NtAllocateVirtualMemory  (-1, 4132864, 0, 8192, 4096, 4, ... 4132864, 8192, ) == 0x0
 00751  1736   NtAllocateVirtualMemory  (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0
 00752  1736   NtAllocateVirtualMemory  (-1, 4141056, 0, 4096, 4096, 4, ... 4141056, 4096, ) == 0x0
 00753  1736   NtAllocateVirtualMemory  (-1, 4145152, 0, 4096, 4096, 4, ... 4145152, 4096, ) == 0x0
 00754  1736   NtQueryDefaultUILanguage  (1239820, ...
 00755  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00756  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482576, ) == 0x0
 00757  1736   NtQueryInformationToken  (-2147482576, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00758  1736   NtClose  (-2147482576, ... ) == 0x0
 00759  1736   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482576, ) }, ... -2147482576, ) == 0x0
 00760  1736   NtOpenKey  (0x80000000, {24, -2147482576, 0x240, 0, 0,  (0x80000000, {24, -2147482576, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00761  1736   NtOpenKey  (0x80000000, {24, -2147482576, 0x640, 0, 0,  (0x80000000, {24, -2147482576, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481400, ) }, ... -2147481400, ) == 0x0
 00762  1736   NtQueryValueKey  (-2147481400,  (-2147481400, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00763  1736   NtClose  (-2147481400, ... ) == 0x0
 00764  1736   NtClose  (-2147482576, ... ) == 0x0
 00754  1736   NtQueryDefaultUILanguage  ... ) == 0x0
 00765  1736   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\comctl32.dll"}, 1, 96, ... 64, {status=0x0, info=1}, ) }, 1, 96, ... 64, {status=0x0, info=1}, ) == 0x0
 00766  1736   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 64, ... 56, ) == 0x0
 00767  1736   NtMapViewOfSection  (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x930000), 0x0, 618496, ) == 0x0
 00768  1736   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\comctl32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00769  1736   NtQueryDefaultLocale  (1, 1237916, ... ) == 0x0
 00770  1736   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\comctl32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00771  1736   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 2088850039, 1238952, 1179817, 1238676}  (24, {128, 156, new_msg, 0, 2088850039, 1238952, 1179817, 1238676} "\210\6$\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0@\0D\0\250\6$\1@\0\0\0\377\377\377\377\0\0\0\0\340q\232\0\0\0\0\0k\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\354\6$\1\0\0\0\0\0\0\0\0\234\353\22\0\0\0\0\0" ... {128, 156, reply, 0, 1636, 1736, 75492, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0@\0D\0\250\6$\1@\0\0\0\377\377\377\377\0\0\0\0\340q\232\0\0\0\0\0k\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\354\6$\1\0\0\0\0\0\0\0\0\234\353\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 1636, 1736, 75492, 0}  (24, {128, 156, new_msg, 0, 2088850039, 1238952, 1179817, 1238676} "\210\6$\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0@\0D\0\250\6$\1@\0\0\0\377\377\377\377\0\0\0\0\340q\232\0\0\0\0\0k\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\354\6$\1\0\0\0\0\0\0\0\0\234\353\22\0\0\0\0\0" ... {128, 156, reply, 0, 1636, 1736, 75492, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0@\0D\0\250\6$\1@\0\0\0\377\377\377\377\0\0\0\0\340q\232\0\0\0\0\0k\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\354\6$\1\0\0\0\0\0\0\0\0\234\353\22\0\0\0\0\0" )  ) == 0x0
 00772  1736   NtClose  (64, ... ) == 0x0
 00773  1736   NtClose  (56, ... ) == 0x0
 00774  1736   NtUnmapViewOfSection  (-1, 0x930000, ... ) == 0x0
 00775  1736   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00776  1736   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {1636, 0}, ... 56, ) == 0x0
 00777  1736   NtQueryInformationProcess  (56, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 00778  1736   NtClose  (56, ... ) == 0x0
 00779  1736   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00780  1736   NtUserSystemParametersInfo  (104, 0, 1561338260, 0, ... ) == 0x1
 00781  1736   NtUserSystemParametersInfo  (38, 4, 1561337988, 0, ... ) == 0x1
 00782  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00783  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 56, ) == 0x0
 00784  1736   NtQueryInformationToken  (56, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00785  1736   NtClose  (56, ... ) == 0x0
 00786  1736   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 56, ) }, ... 56, ) == 0x0
 00787  1736   NtOpenProcessToken  (-1, 0x8, ... 64, ) == 0x0
 00788  1736   NtAccessCheck  (1338872, 64, 0x1, 1241012, 1241064, 56, 1241044, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 00789  1736   NtClose  (64, ... ) == 0x0
 00790  1736   NtOpenKey  (0x20019, {24, 56, 0x40, 0, 0,  (0x20019, {24, 56, 0x40, 0, 0, "Control Panel\Desktop"}, ... 64, ) }, ... 64, ) == 0x0
 00791  1736   NtQueryValueKey  (64,  (64, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00792  1736   NtClose  (64, ... ) == 0x0
 00793  1736   NtUserSystemParametersInfo  (41, 500, 1241192, 0, ... ) == 0x1
 00794  1736   NtUserSystemParametersInfo  (102, 0, 1561338280, 0, ... ) == 0x1
 00795  1736   NtClose  (56, ... ) == 0x0
 00796  1736   NtUserFindExistingCursorIcon  (1240944, 1240960, 1241008, ... ) == 0x10011
 00797  1736   NtUserRegisterClassExWOW  (1240888, 1240956, 1240972, 1240988, 0, 384, 0, ... ) == 0x8173c03b
 00798  1736   NtUserRegisterClassExWOW  (1240888, 1240956, 1240972, 1240988, 0, 384, 0, ... ) == 0x8173c03d
 00799  1736   NtUserFindExistingCursorIcon  (1240944, 1240960, 1241008, ... ) == 0x10011
 00800  1736   NtUserRegisterClassExWOW  (1240888, 1240956, 1240972, 1240988, 0, 384, 0, ... ) == 0x8173c03f
 00801  1736   NtUserFindExistingCursorIcon  (1240944, 1240960, 1241008, ... ) == 0x10011
 00802  1736   NtUserRegisterClassExWOW  (1240888, 1240956, 1240972, 1240988, 0, 384, 0, ... ) == 0x8173c041
 00803  1736   NtUserFindExistingCursorIcon  (1240944, 1240960, 1241008, ... ) == 0x10011
 00804  1736   NtUserRegisterClassExWOW  (1240888, 1240956, 1240972, 1240988, 0, 384, 0, ... ) == 0x8173c043
 00805  1736   NtUserRegisterClassExWOW  (1240888, 1240956, 1240972, 1240988, 0, 384, 0, ... ) == 0x8173c045
 00806  1736   NtUserFindExistingCursorIcon  (1240944, 1240960, 1241008, ... ) == 0x10011
 00807  1736   NtUserRegisterClassExWOW  (1240888, 1240956, 1240972, 1240988, 0, 384, 0, ... ) == 0x8173c047
 00808  1736   NtUserFindExistingCursorIcon  (1240944, 1240960, 1241008, ... ) == 0x10011
 00809  1736   NtUserRegisterClassExWOW  (1240888, 1240956, 1240972, 1240988, 0, 384, 0, ... ) == 0x8173c049
 00810  1736   NtUserFindExistingCursorIcon  (1240944, 1240960, 1241008, ... ) == 0x10011
 00811  1736   NtUserRegisterClassExWOW  (1240888, 1240956, 1240972, 1240988, 0, 384, 0, ... ) == 0x8173c04b
 00812  1736   NtUserFindExistingCursorIcon  (1240944, 1240960, 1241008, ... ) == 0x10011
 00813  1736   NtUserRegisterClassExWOW  (1240888, 1240956, 1240972, 1240988, 0, 384, 0, ... ) == 0x8173c04d
 00814  1736   NtUserFindExistingCursorIcon  (1240944, 1240960, 1241008, ... ) == 0x10011
 00815  1736   NtUserRegisterClassExWOW  (1240888, 1240956, 1240972, 1240988, 0, 384, 0, ... ) == 0x8173c04f
 00816  1736   NtUserRegisterClassExWOW  (1240888, 1240956, 1240972, 1240988, 0, 384, 0, ... ) == 0x8173c051
 00817  1736   NtUserFindExistingCursorIcon  (1240944, 1240960, 1241008, ... ) == 0x10011
 00818  1736   NtUserRegisterClassExWOW  (1240888, 1240956, 1240972, 1240988, 0, 384, 0, ... ) == 0x8173c053
 00819  1736   NtUserFindExistingCursorIcon  (1240940, 1240956, 1241004, ... ) == 0x10011
 00820  1736   NtUserRegisterClassExWOW  (1240884, 1240952, 1240968, 1240984, 0, 384, 0, ... ) == 0x8173c055
 00821  1736   NtUserFindExistingCursorIcon  (1240940, 1240956, 1241004, ... ) == 0x10011
 00822  1736   NtUserRegisterClassExWOW  (1240884, 1240952, 1240968, 1240984, 0, 384, 0, ... ) == 0x8173c057
 00823  1736   NtUserFindExistingCursorIcon  (1240944, 1240960, 1241008, ... ) == 0x10011
 00824  1736   NtUserRegisterClassExWOW  (1240888, 1240956, 1240972, 1240988, 0, 384, 0, ... ) == 0x8173c059
 00825  1736   NtUserFindExistingCursorIcon  (1240944, 1240960, 1241008, ... ) == 0x10013
 00826  1736   NtUserRegisterClassExWOW  (1240888, 1240956, 1240972, 1240988, 0, 384, 0, ... ) == 0x8173c05b
 00827  1736   NtUserFindExistingCursorIcon  (1240944, 1240960, 1241008, ... ) == 0x10011
 00828  1736   NtUserRegisterClassExWOW  (1240888, 1240956, 1240972, 1240988, 0, 384, 0, ... ) == 0x8173c05d
 00829  1736   NtUserFindExistingCursorIcon  (1240944, 1240960, 1241008, ... ) == 0x10011
 00830  1736   NtUserRegisterClassExWOW  (1240888, 1240956, 1240972, 1240988, 0, 384, 0, ... ) == 0x8173c05f
 00831  1736   NtTestAlert  (... ) == 0x0
 00832  1736   NtContinue  (1244464, 1, ...
 00833  1736   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x43eb2d,}, 4, ... ) == 0x0
 00834  1736   NtProtectVirtualMemory  (-1, (0x420000), 4096, 4, ... (0x420000), 4096, 2, ) == 0x0
 00835  1736   NtProtectVirtualMemory  (-1, (0x420000), 4096, 2, ... (0x420000), 4096, 4, ) == 0x0
 00836  1736   NtAllocateVirtualMemory  (-1, 3297280, 0, 8192, 4096, 4, ... 3297280, 8192, ) == 0x0
 00837  1736   NtDelayExecution  (0, {-320000, -1}, ... ) == 0x0
 00838  1736   NtDelayExecution  (0, {-320000, -1}, ... ) == 0x0
 00839  1736   NtDelayExecution  (0, {-20000, -1}, ... ) == 0x0
 00840  1736   NtAllocateVirtualMemory  (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0
 00841  1736   NtAllocateVirtualMemory  (-1, 1220608, 0, 4096, 4096, 260, ... 1220608, 4096, ) == 0x0
 00842  1736   NtAllocateVirtualMemory  (-1, 1216512, 0, 4096, 4096, 260, ... 1216512, 4096, ) == 0x0
 00843  1736   NtAllocateVirtualMemory  (-1, 1212416, 0, 4096, 4096, 260, ... 1212416, 4096, ) == 0x0
 00844  1736   NtDelayExecution  (0, {-990000, -1}, ... ) == 0x0
 00845  1736   NtAllocateVirtualMemory  (-1, 1208320, 0, 4096, 4096, 260, ... 1208320, 4096, ) == 0x0
 00846  1736   NtAllocateVirtualMemory  (-1, 1204224, 0, 4096, 4096, 260, ... 1204224, 4096, ) == 0x0
 00847  1736   NtDelayExecution  (0, {-10000, -1}, ... ) == 0x0
 00848  1736   NtDelayExecution  (0, {-990000, -1}, ... ) == 0x0
 00849  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 00850  1736   NtDelayExecution  (0, {-10000, -1}, ... ) == 0x0
 00851  1736   NtDelayExecution  (0, {-20000, -1}, ... ) == 0x0
 00852  1736   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 56, {status=0x0, info=1}, ) }, 3, 16417, ... 56, {status=0x0, info=1}, ) == 0x0
 00853  1736   NtQueryInformationFile  (56, 1242372, 528, Name, ... {status=0x0, info=6}, ) == 0x0
 00854  1736   NtQueryVolumeInformationFile  (56, 1340616, 284, Volume, ... {status=0x0, info=18}, ) == 0x0
 00855  1736   NtClose  (56, ... ) == 0x0
 00856  1736   NtDelayExecution  (0, {-10000, -1}, ... ) == 0x0
 00857  1736   NtDelayExecution  (0, {-10000, -1}, ... ) == 0x0
 00858  1736   NtDelayExecution  (0, {-10000, -1}, ... ) == 0x0
 00859  1736   NtDelayExecution  (0, {-10000, -1}, ... ) == 0x0
 00860  1736   NtDelayExecution  (0, {-10000, -1}, ... ) == 0x0
 00861  1736   NtDelayExecution  (0, {-10000, -1}, ... ) == 0x0
 00862  1736   NtDelayExecution  (0, {-10000, -1}, ... ) == 0x0
 00863  1736   NtDelayExecution  (0, {-10000, -1}, ... ) == 0x0
 00864  1736   NtDelayExecution  (0, {-10000, -1}, ... ) == 0x0
 00865  1736   NtDelayExecution  (0, {-10000, -1}, ... ) == 0x0
 00866  1736   NtDelayExecution  (0, {-10000, -1}, ... ) == 0x0
 00867  1736   NtDelayExecution  (0, {-70000, -1}, ... ) == 0x0
 00868  1736   NtDelayExecution  (0, {-20000, -1}, ... ) == 0x0
 00869  1736   NtDelayExecution  (0, {-990000, -1}, ... ) == 0x0
 00870  1736   NtDelayExecution  (0, {-320000, -1}, ... ) == 0x0
 00871  1736   NtDelayExecution  (0, {-990000, -1}, ... ) == 0x0
 00872  1736   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "HARDWARE\DESCRIPTION\System\CentralProcessor\0"}, ... 56, ) }, ... 56, ) == 0x0
 00873  1736   NtQueryValueKey  (56,  (56, "~Mhz", Partial, 144, ... TitleIdx=0, Type=4, Data="\177\14\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (56, "~Mhz", Partial, 144, ... TitleIdx=0, Type=4, Data="\177\14\0\0"}, 16, ) }, 16, ) == 0x0
 00874  1736   NtClose  (56, ... ) == 0x0
 00875  1736   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "HARDWARE\DESCRIPTION\System\CentralProcessor\0"}, ... 56, ) }, ... 56, ) == 0x0
 00876  1736   NtQueryValueKey  (56,  (56, "~Mhz", Partial, 144, ... TitleIdx=0, Type=4, Data="\177\14\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (56, "~Mhz", Partial, 144, ... TitleIdx=0, Type=4, Data="\177\14\0\0"}, 16, ) }, 16, ) == 0x0
 00877  1736   NtClose  (56, ... ) == 0x0
 00878  1736   NtDelayExecution  (0, {-990000, -1}, ... ) == 0x0
 00879  1736   NtDelayExecution  (0, {-340000, -1}, ... ) == 0x0
 00880  1736   NtDelayExecution  (0, {-20000, -1}, ... ) == 0x0
 00881  1736   NtDelayExecution  (0, {-10000, -1}, ... ) == 0x0
 00882  1736   NtDelayExecution  (0, {-990000, -1}, ... ) == 0x0
 00883  1736   NtDelayExecution  (0, {-10000, -1}, ... ) == 0x0
 00884  1736   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "HARDWARE\DESCRIPTION\System"}, ... 56, ) }, ... 56, ) == 0x0
 00885  1736   NtQueryValueKey  (56,  (56, "SystemBiosDate", Partial, 144, ... TitleIdx=0, Type=1, Data="0\04\0/\01\07\0/\00\06\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (56, "SystemBiosDate", Partial, 144, ... TitleIdx=0, Type=1, Data="0\04\0/\01\07\0/\00\06\0\0\0"}, 30, ) }, 30, ) == 0x0
 00886  1736   NtQueryValueKey  (56,  (56, "SystemBiosDate", Partial, 144, ... TitleIdx=0, Type=1, Data="0\04\0/\01\07\0/\00\06\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (56, "SystemBiosDate", Partial, 144, ... TitleIdx=0, Type=1, Data="0\04\0/\01\07\0/\00\06\0\0\0"}, 30, ) }, 30, ) == 0x0
 00887  1736   NtQueryValueKey  (56,  (56, "SystemBiosDate", Partial, 144, ... TitleIdx=0, Type=1, Data="0\04\0/\01\07\0/\00\06\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (56, "SystemBiosDate", Partial, 144, ... TitleIdx=0, Type=1, Data="0\04\0/\01\07\0/\00\06\0\0\0"}, 30, ) }, 30, ) == 0x0
 00888  1736   NtQueryValueKey  (56,  (56, "SystemBiosDate", Partial, 144, ... TitleIdx=0, Type=1, Data="0\04\0/\01\07\0/\00\06\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (56, "SystemBiosDate", Partial, 144, ... TitleIdx=0, Type=1, Data="0\04\0/\01\07\0/\00\06\0\0\0"}, 30, ) }, 30, ) == 0x0
 00889  1736   NtClose  (56, ... ) == 0x0
 00890  1736   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "HARDWARE\DESCRIPTION\System"}, ... 56, ) }, ... 56, ) == 0x0
 00891  1736   NtQueryValueKey  (56,  (56, "SystemBiosDate", Partial, 144, ... TitleIdx=0, Type=1, Data="0\04\0/\01\07\0/\00\06\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (56, "SystemBiosDate", Partial, 144, ... TitleIdx=0, Type=1, Data="0\04\0/\01\07\0/\00\06\0\0\0"}, 30, ) }, 30, ) == 0x0
 00892  1736   NtQueryValueKey  (56,  (56, "SystemBiosDate", Partial, 144, ... TitleIdx=0, Type=1, Data="0\04\0/\01\07\0/\00\06\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (56, "SystemBiosDate", Partial, 144, ... TitleIdx=0, Type=1, Data="0\04\0/\01\07\0/\00\06\0\0\0"}, 30, ) }, 30, ) == 0x0
 00893  1736   NtQueryValueKey  (56,  (56, "SystemBiosDate", Partial, 144, ... TitleIdx=0, Type=1, Data="0\04\0/\01\07\0/\00\06\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (56, "SystemBiosDate", Partial, 144, ... TitleIdx=0, Type=1, Data="0\04\0/\01\07\0/\00\06\0\0\0"}, 30, ) }, 30, ) == 0x0
 00894  1736   NtQueryValueKey  (56,  (56, "SystemBiosDate", Partial, 144, ... TitleIdx=0, Type=1, Data="0\04\0/\01\07\0/\00\06\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (56, "SystemBiosDate", Partial, 144, ... TitleIdx=0, Type=1, Data="0\04\0/\01\07\0/\00\06\0\0\0"}, 30, ) }, 30, ) == 0x0
 00895  1736   NtClose  (56, ... ) == 0x0
 00896  1736   NtDelayExecution  (0, {-330000, -1}, ... ) == 0x0
 00897  1736   NtDelayExecution  (0, {-990000, -1}, ... ) == 0x0
 00898  1736   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "HARDWARE\DESCRIPTION\System"}, ... 56, ) }, ... 56, ) == 0x0
 00899  1736   NtQueryValueKey  (56,  (56, "VideoBiosDate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00900  1736   NtQueryValueKey  (56,  (56, "VideoBiosDate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00901  1736   NtClose  (56, ... ) == 0x0
 00902  1736   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "HARDWARE\DESCRIPTION\System"}, ... 56, ) }, ... 56, ) == 0x0
 00903  1736   NtQueryValueKey  (56,  (56, "VideoBiosDate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00904  1736   NtQueryValueKey  (56,  (56, "VideoBiosDate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00905  1736   NtClose  (56, ... ) == 0x0
 00906  1736   NtQueryVirtualMemory  (-1, 0x7c80be30, Basic, 28, ... {BaseAddress=0x7c80b000,AllocationBase=0x7c800000,AllocationProtect=0x80,RegionSize=0x79000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 00907  1736   NtContinue  (1241388, 0, ...
 00908  1736   NtDelayExecution  (0, {-10000, -1}, ... ) == 0x0
 00909  1736   NtDelayExecution  (0, {-10000, -1}, ... ) == 0x0
 00910  1736   NtOpenProcessToken  (-1, 0x8, ... 56, ) == 0x0
 00911  1736   NtQueryInformationToken  (56, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00912  1736   NtClose  (56, ... ) == 0x0
 00913  1736   NtDelayExecution  (0, {-370000, -1}, ... ) == 0x0
 00914  1736   NtDelayExecution  (0, {-340000, -1}, ... ) == 0x0
 00915  1736   NtDelayExecution  (0, {-10000, -1}, ... ) == 0x0
 00916  1736   NtDelayExecution  (0, {-360000, -1}, ... ) == 0x0
 00917  1736   NtDelayExecution  (0, {-360000, -1}, ... ) == 0x0
 00918  1736   NtDelayExecution  (0, {-370000, -1}, ... ) == 0x0
 00919  1736   NtAllocateVirtualMemory  (-1, 3305472, 0, 12288, 4096, 4, ... 3305472, 12288, ) == 0x0
 00920  1736   NtCreateMutant  (0x1f0001, {24, 48, 0x80, 0, 0,  (0x1f0001, {24, 48, 0x80, 0, 0, "398815EBC0F6501A36863825758F0CE3C6832B0F329F39516FF917E3C2832212339B385673B416E2"}, 0, ... 56, ) }, 0, ... 56, ) == 0x0
 00921  1736   NtDelayExecution  (0, {-370000, -1}, ... ) == 0x0
 00922  1736   NtDelayExecution  (0, {-300000, -1}, ... ) == 0x0
 00923  1736   NtDelayExecution  (0, {-33040000, -1}, ... ) == 0x0
 00924  1736   NtDelayExecution  (0, {-340000, -1}, ... ) == 0x0
 00925  1736   NtAllocateVirtualMemory  (-1, 1200128, 0, 4096, 4096, 260, ... 1200128, 4096, ) == 0x0
 00926  1736   NtAllocateVirtualMemory  (-1, 1196032, 0, 4096, 4096, 260, ... 1196032, 4096, ) == 0x0
 00927  1736   NtAllocateVirtualMemory  (-1, 1191936, 0, 4096, 4096, 260, ... 1191936, 4096, ) == 0x0
 00928  1736   NtAllocateVirtualMemory  (-1, 1187840, 0, 4096, 4096, 260, ... 1187840, 4096, ) == 0x0
 00929  1736   NtAllocateVirtualMemory  (-1, 1183744, 0, 4096, 4096, 260, ... 1183744, 4096, ) == 0x0
 00930  1736   NtAllocateVirtualMemory  (-1, 1179648, 0, 4096, 4096, 260, ... 1179648, 4096, ) == 0x0
 00931  1736   NtDelayExecution  (0, {-990000, -1}, ... ) == 0x0
 00932  1736   NtDelayExecution  (0, {-340000, -1}, ... ) == 0x0
 00933  1736   NtDelayExecution  (0, {-340000, -1}, ... ) == 0x0
 00934  1736   NtDelayExecution  (0, {-320000, -1}, ... ) == 0x0
 00935  1736   NtDelayExecution  (0, {-330000, -1}, ... ) == 0x0
 00936  1736   NtDelayExecution  (0, {-340000, -1}, ... ) == 0x0
 00937  1736   NtDelayExecution  (0, {-320000, -1}, ... ) == 0x0
 00938  1736   NtDelayExecution  (0, {-340000, -1}, ... ) == 0x0
 00939  1736   NtDelayExecution  (0, {-320000, -1}, ... ) == 0x0
 00940  1736   NtDelayExecution  (0, {-320000, -1}, ... ) == 0x0
 00941  1736   NtDelayExecution  (0, {-320000, -1}, ... ) == 0x0
 00942  1736   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 64, ) }, ... 64, ) == 0x0
 00943  1736   NtQueryValueKey  (64,  (64, "runner1", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00944  1736   NtQueryValueKey  (64,  (64, "runner1", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00945  1736   NtClose  (64, ... ) == 0x0
 00946  1736   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 64, ) }, ... 64, ) == 0x0
 00947  1736   NtQueryValueKey  (64,  (64, "runner1", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00948  1736   NtQueryValueKey  (64,  (64, "runner1", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00949  1736   NtClose  (64, ... ) == 0x0
 00950  1736   NtCreateKey  (0x20006, {24, 28, 0x40, 0, 0,  (0x20006, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, 0, "", 0, ... 64, 2, ) }, 0, "", 0, ... 64, 2, ) == 0x0
 00951  1736   NtSetValueKey  (64,  (64, "runner1", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0m\0r\0o\0f\0i\0n\0u\0.\0e\0x\0e\0 \0\0\0", 48, ... , 0, 1,  (64, "runner1", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0m\0r\0o\0f\0i\0n\0u\0.\0e\0x\0e\0 \0\0\0", 48, ... , 48, ...
 00952  1736   NtSetInformationFile  (-2147482448, -134731984, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00953  1736   NtSetInformationFile  (-2147482448, -134732020, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00954  1736   NtSetInformationFile  (-2147482448, -134732076, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00955  1736   NtSetInformationFile  (-2147482448, -134732384, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00951  1736   NtSetValueKey  ... ) == 0x0
 00956  1736   NtClose  (64, ... ) == 0x0
 00957  1736   NtDelayExecution  (0, {-340000, -1}, ... ) == 0x0
 00958  1736   NtDelayExecution  (0, {-340000, -1}, ... ) == 0x0
 00959  1736   NtDelayExecution  (0, {-320000, -1}, ... ) == 0x0
 00960  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00961  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 64, ) == 0x0
 00962  1736   NtQueryInformationToken  (64, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00963  1736   NtClose  (64, ... ) == 0x0
 00964  1736   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes"}, ... 64, ) }, ... 64, ) == 0x0
 00965  1736   NtSetInformationObject  (66, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 00966  1736   NtQueryKey  (66, Name, 384, ... {Name= (66, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_CLASSES"}, 140, ) }, 140, ) == 0x0
 00967  1736   NtOpenKey  (0x20019, {24, 66, 0x40, 0, 0,  (0x20019, {24, 66, 0x40, 0, 0, "WR"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00968  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\WR"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00969  1736   NtQueryKey  (66, Name, 384, ... {Name= (66, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_CLASSES"}, 140, ) }, 140, ) == 0x0
 00970  1736   NtOpenKey  (0x20019, {24, 66, 0x40, 0, 0,  (0x20019, {24, 66, 0x40, 0, 0, "WR"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00971  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\WR"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00972  1736   NtQueryKey  (66, Name, 382, ... {Name= (66, Name, 382, ... {Name="\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_CLASSES"}, 140, ) }, 140, ) == 0x0
 00973  1736   NtOpenKey  (0x2000000, {24, 66, 0x40, 0, 0,  (0x2000000, {24, 66, 0x40, 0, 0, "WR"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00974  1736   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes"}, ... 68, ) }, ... 68, ) == 0x0
 00975  1736   NtCreateKey  (0x20006, {24, 68, 0x40, 0, 0,  (0x20006, {24, 68, 0x40, 0, 0, "WR"}, 0, "", 0, ... }, 0, "", 0, ...
 00976  1736   NtSetInformationFile  (-2147482448, -134733068, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00977  1736   NtSetInformationFile  (-2147482448, -134732888, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00978  1736   NtSetInformationFile  (-2147482448, -134732880, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00975  1736   NtCreateKey  ... 72, 1, ) == 0x0
 00979  1736   NtClose  (68, ... ) == 0x0
 00980  1736   NtQueryKey  (74, Name, 392, ... {Name= (74, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\WR\"}, 78, ) }, 78, ) == 0x0
 00981  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00982  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 68, ) == 0x0
 00983  1736   NtQueryInformationToken  (68, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00984  1736   NtClose  (68, ... ) == 0x0
 00985  1736   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\WR"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00986  1736   NtSetValueKey  (74,  (74, "cmd", 0, 1, "\0\0", 2, ... ) , 0, 1,  (74, "cmd", 0, 1, "\0\0", 2, ... ) , 2, ... ) == 0x0
 00987  1736   NtClose  (74, ... ) == 0x0
 00988  1736   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 72, {status=0x0, info=1}, ) }, 3, 16417, ... 72, {status=0x0, info=1}, ) == 0x0
 00989  1736   NtQueryDirectoryFile  (72, 0, 0, 0, 1243096, 616, BothDirectory, 1,  (72, 0, 0, 0, 1243096, 616, BothDirectory, 1, "mrofinu.exe.tmp", 0, ... ) , 0, ... ) == STATUS_NO_SUCH_FILE
 00990  1736   NtClose  (72, ... ) == 0x0
 00991  1736   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 72, {status=0x0, info=1}, ) }, 3, 16417, ... 72, {status=0x0, info=1}, ) == 0x0
 00992  1736   NtQueryDirectoryFile  (72, 0, 0, 0, 1243096, 616, BothDirectory, 1,  (72, 0, 0, 0, 1243096, 616, BothDirectory, 1, "mrofinu.exe", 0, ... ) , 0, ... ) == STATUS_NO_SUCH_FILE
 00993  1736   NtClose  (72, ... ) == 0x0
 00994  1736   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work\"}, 3, 16417, ... 72, {status=0x0, info=1}, ) }, 3, 16417, ... 72, {status=0x0, info=1}, ) == 0x0
 00995  1736   NtQueryDirectoryFile  (72, 0, 0, 0, 1242512, 616, BothDirectory, 1,  (72, 0, 0, 0, 1242512, 616, BothDirectory, 1, "packed.exe", 0, ... {status=0x0, info=120}, ) , 0, ... {status=0x0, info=120}, ) == 0x0
 00996  1736   NtClose  (72, ... ) == 0x0
 00997  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00998  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 72, ) == 0x0
 00999  1736   NtQueryInformationToken  (72, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01000  1736   NtClose  (72, ... ) == 0x0
 01001  1736   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 72, ) }, ... 72, ) == 0x0
 01002  1736   NtSetInformationObject  (72, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 01003  1736   NtOpenKey  (0x1, {24, 72, 0x40, 0, 0,  (0x1, {24, 72, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, ... 68, ) }, ... 68, ) == 0x0
 01004  1736   NtQueryValueKey  (68,  (68, "NoFileFolderConnection", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01005  1736   NtClose  (68, ... ) == 0x0
 01006  1736   NtSetThreadExecutionState  (-2147483647, 1244004, ... ) == 0x0
 01007  1736   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01008  1736   NtCreateEvent  (0x1f0003, {24, 48, 0x80, 1339720, 0,  (0x1f0003, {24, 48, 0x80, 1339720, 0, "ShellCopyEngineRunning"}, 0, 0, ... 68, ) }, 0, 0, ... 68, ) == 0x0
 01009  1736   NtSetEvent  (68, ... 0x0, ) == 0x0
 01010  1736   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\U:\"}, 3, 16417, ... 76, {status=0x0, info=1}, ) }, 3, 16417, ... 76, {status=0x0, info=1}, ) == 0x0
 01011  1736   NtQueryDirectoryFile  (76, 0, 0, 0, 1238540, 616, BothDirectory, 1,  (76, 0, 0, 0, 1238540, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=100}, ) , 0, ... {status=0x0, info=100}, ) == 0x0
 01012  1736   NtClose  (76, ... ) == 0x0
 01013  1736   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work\"}, 3, 16417, ... 76, {status=0x0, info=1}, ) }, 3, 16417, ... 76, {status=0x0, info=1}, ) == 0x0
 01014  1736   NtQueryDirectoryFile  (76, 0, 0, 0, 1240288, 616, BothDirectory, 1,  (76, 0, 0, 0, 1240288, 616, BothDirectory, 1, "packed.exe", 0, ... {status=0x0, info=120}, ) , 0, ... {status=0x0, info=120}, ) == 0x0
 01015  1736   NtAllocateVirtualMemory  (-1, 1347584, 0, 8192, 4096, 4, ... 1347584, 8192, ) == 0x0
 01016  1736   NtQueryDirectoryFile  (76, 0, 0, 0, 1346120, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES
 01017  1736   NtClose  (76, ... ) == 0x0
 01018  1736   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 76, {status=0x0, info=1}, ) }, 3, 16417, ... 76, {status=0x0, info=1}, ) == 0x0
 01019  1736   NtQueryDirectoryFile  (76, 0, 0, 0, 1239128, 616, BothDirectory, 1,  (76, 0, 0, 0, 1239128, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=118}, ) , 0, ... {status=0x0, info=118}, ) == 0x0
 01020  1736   NtClose  (76, ... ) == 0x0
 01021  1736   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01022  1736   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01023  1736   NtOpenEvent  (0x100000, {24, 48, 0x0, 0, 0,  (0x100000, {24, 48, 0x0, 0, 0, "_fCanRegisterWithShellService"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01024  1736   NtUserQueryWindow  (65670, 0, ... ) == 0x6b8
 01025  1736   NtUserQueryWindow  (65670, 1, ... ) == 0x6bc
 01026  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SETUPAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01027  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\SETUPAPI.dll"}, 1238040, ... ) }, 1238040, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01028  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SETUPAPI.dll"}, 1238040, ... ) }, 1238040, ... ) == 0x0
 01029  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SETUPAPI.dll"}, 5, 96, ... 76, {status=0x0, info=1}, ) }, 5, 96, ... 76, {status=0x0, info=1}, ) == 0x0
 01030  1736   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 76, ... 80, ) == 0x0
 01031  1736   NtQuerySection  (80, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01032  1736   NtClose  (76, ... ) == 0x0
 01033  1736   NtMapViewOfSection  (80, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77920000), 0x0, 995328, ) == 0x0
 01034  1736   NtClose  (80, ... ) == 0x0
 01035  1736   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 01036  1736   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 01037  1736   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 01038  1736   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 01039  1736   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 01040  1736   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 01041  1736   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 01042  1736   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 01043  1736   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 01044  1736   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 01045  1736   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 01046  1736   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 01047  1736   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 01048  1736   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 01049  1736   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 01050  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUPAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01051  1736   NtQueryDefaultLocale  (1, 1237944, ... ) == 0x0
 01052  1736   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 01053  1736   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\Setup"}, ... 80, ) }, ... 80, ) == 0x0
 01054  1736   NtQueryValueKey  (80,  (80, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01055  1736   NtClose  (80, ... ) == 0x0
 01056  1736   NtUserGetProcessWindowStation  (... ) == 0x10
 01057  1736   NtUserGetObjectInformation  (16, 1, 1237540, 12, 1237552, ... ) == 0x1
 01058  1736   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\MiniNT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01059  1736   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\WPA\PnP"}, ... 80, ) }, ... 80, ) == 0x0
 01060  1736   NtQueryValueKey  (80,  (80, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\240d\351\211"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\240d\351\211"}, 16, ) }, 16, ) == 0x0
 01061  1736   NtClose  (80, ... ) == 0x0
 01062  1736   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 80, ) }, ... 80, ) == 0x0
 01063  1736   NtQueryValueKey  (80,  (80, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0
 01064  1736   NtQueryValueKey  (80,  (80, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0
 01065  1736   NtClose  (80, ... ) == 0x0
 01066  1736   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 80, ) }, ... 80, ) == 0x0
 01067  1736   NtQueryValueKey  (80,  (80, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0
 01068  1736   NtQueryValueKey  (80,  (80, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0
 01069  1736   NtClose  (80, ... ) == 0x0
 01070  1736   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 80, ) }, ... 80, ) == 0x0
 01071  1736   NtQueryValueKey  (80,  (80, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 01072  1736   NtQueryValueKey  (80,  (80, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 01073  1736   NtClose  (80, ... ) == 0x0
 01074  1736   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 80, ) }, ... 80, ) == 0x0
 01075  1736   NtQueryValueKey  (80,  (80, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 01076  1736   NtQueryValueKey  (80,  (80, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 01077  1736   NtClose  (80, ... ) == 0x0
 01078  1736   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 80, ) }, ... 80, ) == 0x0
 01079  1736   NtQueryValueKey  (80,  (80, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) }, 102, ) == 0x0
 01080  1736   NtQueryValueKey  (80,  (80, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) }, 102, ) == 0x0
 01081  1736   NtClose  (80, ... ) == 0x0
 01082  1736   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 80, ) }, ... 80, ) == 0x0
 01083  1736   NtQueryValueKey  (80,  (80, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (80, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0
 01084  1736   NtQueryValueKey  (80,  (80, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (80, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0
 01085  1736   NtClose  (80, ... ) == 0x0
 01086  1736   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 80, ) }, ... 80, ) == 0x0
 01087  1736   NtQueryValueKey  (80,  (80, "DevicePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01088  1736   NtQueryValueKey  (80,  (80, "DevicePath", Partial, 346, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0c\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0r\0i\0c\0h\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0c\0e\0r\0c\0s\0r\06\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\03\02\00\0r\0a\0i\0d\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0i\0a\0s\0t\0o\0r\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0n\0v\0r\0a\0i\0d\0\0\0"}, 346, ) , Partial, 346, ... TitleIdx=0, Type=2, Data= (80, "DevicePath", Partial, 346, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0c\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0r\0i\0c\0h\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0c\0e\0r\0c\0s\0r\06\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\03\02\00\0r\0a\0i\0d\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0i\0a\0s\0t\0o\0r\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0n\0v\0r\0a\0i\0d\0\0\0"}, 346, ) }, 346, ) == 0x0
 01089  1736   NtClose  (80, ... ) == 0x0
 01090  1736   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 80, ) == 0x0
 01091  1736   NtCreateMutant  (0x1f0001, 0x0, 0, ... 76, ) == 0x0
 01092  1736   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 84, ) == 0x0
 01093  1736   NtCreateMutant  (0x1f0001, 0x0, 0, ... 88, ) == 0x0
 01094  1736   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 92, ) == 0x0
 01095  1736   NtCreateMutant  (0x1f0001, 0x0, 0, ... 96, ) == 0x0
 01096  1736   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 100, ) }, ... 100, ) == 0x0
 01097  1736   NtQueryValueKey  (100,  (100, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (100, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01098  1736   NtQueryValueKey  (100,  (100, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (100, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01099  1736   NtQueryValueKey  (100,  (100, "LogPath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01100  1736   NtOpenKey  (0x1, {24, 100, 0x40, 0, 0,  (0x1, {24, 100, 0x40, 0, 0, "AppLogLevels"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01101  1736   NtClose  (100, ... ) == 0x0
 01102  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 1237456, ... ) }, 1237456, ... ) == 0x0
 01103  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName"}, ... 100, ) }, ... 100, ) == 0x0
 01104  1736   NtQueryValueKey  (100,  (100, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (100, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Data= (100, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) }, 60, ) == 0x0
 01105  1736   NtClose  (100, ... ) == 0x0
 01106  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 100, ) }, ... 100, ) == 0x0
 01107  1736   NtQueryValueKey  (100,  (100, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (100, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) , Data= (100, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) }, 52, ) == 0x0
 01108  1736   NtClose  (100, ... ) == 0x0
 01109  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\System\DNSclient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01110  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 100, ) }, ... 100, ) == 0x0
 01111  1736   NtQueryValueKey  (100,  (100, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (100, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Data= (100, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) }, 34, ) == 0x0
 01112  1736   NtClose  (100, ... ) == 0x0
 01113  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01114  1736   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01115  1736   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 100, ) }, ... 100, ) == 0x0
 01116  1736   NtQueryValueKey  (100,  (100, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01117  1736   NtClose  (100, ... ) == 0x0
 01118  1736   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01119  1736   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 100, ) == 0x0
 01120  1736   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 104, ) == 0x0
 01121  1736   NtQuerySystemTime  (... {-100683252, 29926086}, ) == 0x0
 01122  1736   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 108, ) == 0x0
 01123  1736   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01124  1736   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0
 01125  1736   NtQueryInformationProcess  (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0
 01126  1736   NtQueryInformationProcess  (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0
 01127  1736   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 112, ) == 0x0
 01128  1736   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 116, ) == 0x0
 01129  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 120, ) }, ... 120, ) == 0x0
 01130  1736   NtOpenKey  (0x20019, {24, 120, 0x40, 0, 0,  (0x20019, {24, 120, 0x40, 0, 0, "ActiveComputerName"}, ... 124, ) }, ... 124, ) == 0x0
 01131  1736   NtQueryValueKey  (124,  (124, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (124, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Data= (124, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) }, 60, ) == 0x0
 01132  1736   NtClose  (124, ... ) == 0x0
 01133  1736   NtClose  (120, ... ) == 0x0
 01134  1736   NtCreateIoCompletion  (0x1f0003, 0x0, 0, ... 120, ) == 0x0
 01135  1736   NtCreateIoCompletion  (0x1f0003, 0x0, -1, ... 124, ) == 0x0
 01136  1736   NtDuplicateObject  (-1, 120, -1, 0x0, 0, 2, ... 128, ) == 0x0
 01137  1736   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01138  1736   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 132, ) == 0x0
 01139  1736   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01140  1736   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01141  1736   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1238296,  (0xc0100080, {24, 0, 0x40, 0, 1238296, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 136, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 136, {status=0x0, info=1}, ) == 0x0
 01142  1736   NtSetInformationFile  (136, 1238352, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01143  1736   NtSetInformationFile  (136, 1238340, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01144  1736   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01145  1736   NtWriteFile  (136, 113, 0, 0,  (136, 113, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01146  1736   NtReadFile  (136, 113, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (136, 113, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20N+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01147  1736   NtFsControlFile  (136, 113, 0x0, 0x0, 0x11c017,  (136, 113, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\353\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20N+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (136, 113, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\353\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20N+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01148  1736   NtFsControlFile  (136, 113, 0x0, 0x0, 0x11c017,  (136, 113, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0j\0\0\0\2\0\0\0R\0\0\0\0\0\37\0\0\0\0\0&H/\254b\363\222I\243j\304#\242z\321\340*\0,\0\374\217\222w\26\0\0\0\0\0\0\0\25\0\0\0S\0e\0L\0o\0a\0d\0D\0r\0i\0v\0e\0r\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 106, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0&H/\254b\363\222I\243j\304#\242z\321\340\0\0\0\0", ) , 106, 1024, ... {status=0x103, info=48},  (136, 113, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0j\0\0\0\2\0\0\0R\0\0\0\0\0\37\0\0\0\0\0&H/\254b\363\222I\243j\304#\242z\321\340*\0,\0\374\217\222w\26\0\0\0\0\0\0\0\25\0\0\0S\0e\0L\0o\0a\0d\0D\0r\0i\0v\0e\0r\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 106, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0&H/\254b\363\222I\243j\304#\242z\321\340\0\0\0\0", ) , ) == 0x103
 01149  1736   NtFsControlFile  (136, 113, 0x0, 0x0, 0x11c017,  (136, 113, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0&H/\254b\363\222I\243j\304#\242z\321\340", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\12\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=36},  (136, 113, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0&H/\254b\363\222I\243j\304#\242z\321\340", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\12\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 01150  1736   NtClose  (132, ... ) == 0x0
 01151  1736   NtClose  (136, ... ) == 0x0
 01152  1736   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01153  1736   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 136, ) == 0x0
 01154  1736   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01155  1736   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01156  1736   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1238296,  (0xc0100080, {24, 0, 0x40, 0, 1238296, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 132, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 132, {status=0x0, info=1}, ) == 0x0
 01157  1736   NtSetInformationFile  (132, 1238352, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01158  1736   NtSetInformationFile  (132, 1238340, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01159  1736   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01160  1736   NtWriteFile  (132, 113, 0, 0,  (132, 113, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01161  1736   NtReadFile  (132, 113, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (132, 113, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20O+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01162  1736   NtFsControlFile  (132, 113, 0x0, 0x0, 0x11c017,  (132, 113, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\353\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20O+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (132, 113, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\353\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20O+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01163  1736   NtFsControlFile  (132, 113, 0x0, 0x0, 0x11c017,  (132, 113, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0b\0\0\0\2\0\0\0J\0\0\0\0\0\37\0\0\0\0\0\210oap\245}d@\240\5u8poe8"\0$\0\0\217\222w\22\0\0\0\0\0\0\0\21\0\0\0S\0e\0U\0n\0d\0o\0c\0k\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 98, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\210oap\245}d@\240\5u8poe8\0\0\0\0", ) \0$\0\0\217\222w\22\0\0\0\0\0\0\0\21\0\0\0S\0e\0U\0n\0d\0o\0c\0k\0P\0r\0i\0v\0i\0l\0e\0g\0e\0 (132, 113, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0b\0\0\0\2\0\0\0J\0\0\0\0\0\37\0\0\0\0\0\210oap\245}d@\240\5u8poe8"\0$\0\0\217\222w\22\0\0\0\0\0\0\0\21\0\0\0S\0e\0U\0n\0d\0o\0c\0k\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 98, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\210oap\245}d@\240\5u8poe8\0\0\0\0", ) \5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\210oap\245}d@\240\5u8poe8\0\0\0\0", ) == 0x103
 01164  1736   NtFsControlFile  (132, 113, 0x0, 0x0, 0x11c017,  (132, 113, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\210oap\245}d@\240\5u8poe8", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\31\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=36},  (132, 113, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\210oap\245}d@\240\5u8poe8", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\31\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 01165  1736   NtClose  (136, ... ) == 0x0
 01166  1736   NtClose  (132, ... ) == 0x0
 01167  1736   NtOpenThreadToken  (-2, 0x20, 1, ... ) == STATUS_NO_TOKEN
 01168  1736   NtOpenProcessToken  (-1, 0x20, ... 132, ) == 0x0
 01169  1736   NtAdjustPrivilegesToken  (132, 0, 1351864, 0, 0, 0, ... ) == 0x0
 01170  1736   NtClose  (132, ... ) == 0x0
 01171  1736   NtDeviceIoControlFile  (44, 0, 0x0, 0x0, 0x390008,  (44, 0, 0x0, 0x0, 0x390008, "\254\314\11=\246\323\211\250~\367\356\360\204\257\263K\263\377\22\257w(\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01172  1736   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01173  1736   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01174  1736   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01175  1736   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01176  1736   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01177  1736   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01178  1736   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01179  1736   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482128, 2, ) }, 0, 0x0, 0, ... -2147482128, 2, ) == 0x0
 01180  1736   NtSetValueKey  (-2147482128,  (-2147482128, "Seed", 0, 3, "\244\3122\340\214\222\340\354L\244\373P$[N\31\33\233\336\24\364\367\264\227q^\210?\236+:!\22&\5E\347z\217'K,\271\367\346\344H\2207\25406\337\305M\277X*\377\206X\331f\244\205[-pc\332\352\240\317\10R\265\264\227\14\301", 80, ... , 0, 3,  (-2147482128, "Seed", 0, 3, "\244\3122\340\214\222\340\354L\244\373P$[N\31\33\233\336\24\364\367\264\227q^\210?\236+:!\22&\5E\347z\217'K,\271\367\346\344H\2207\25406\337\305M\277X*\377\206X\331f\244\205[-pc\332\352\240\317\10R\265\264\227\14\301", 80, ... , 80, ...
 01181  1736   NtSetInformationFile  (-2147482448, -134734244, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01182  1736   NtSetInformationFile  (-2147482448, -134734312, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01180  1736   NtSetValueKey  ... ) == 0x0
 01183  1736   NtClose  (-2147482128, ... ) == 0x0
 01171  1736   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\363\245\3713\20P*\301\337\251Q\244\354\270|r\345V\202\1\23l\37\221\0\236\213.\267\273\237\3127mn\32\321\326P\362X\217\264\254\322f\33Rd-\325\225\37\334\223\36\351\2643qW\321.\304\345B|#\265<0Q)\344\216\216.\371I\301\367\376\306.N8\242\3554S\7\230\3146D\2070\262\22-\327P*\226\7f\257\177\345\217\305\270\204+\6\36\267\362\344\303\253\346\343Q~\306\373#\31^\310F\355\3760~n\242`\222\301|V\225\271\250$\12-\3329~t\2\365\201R\132Q\302\374\204\246\206l\311\267\2\303\361\315\3\214\12g1\211\322@f!\243+F\306\211>\246\341\224\200C\303Z`<3,\25G\3138, ) , ) == 0x0
 01184  1736   NtDeviceIoControlFile  (44, 0, 0x0, 0x0, 0x390008,  (44, 0, 0x0, 0x0, 0x390008, "\254\314\11=\246\323\211\250~\367\356\360\204\257\12\2011#V\342\326\325\205\263\377\22\257w(\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01185  1736   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01186  1736   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01187  1736   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01188  1736   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01189  1736   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01190  1736   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01191  1736   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01192  1736   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482128, 2, ) }, 0, 0x0, 0, ... -2147482128, 2, ) == 0x0
 01193  1736   NtSetValueKey  (-2147482128,  (-2147482128, "Seed", 0, 3, "\264\177\370\226c\254'S<\267\315\237\363@\0\277\301\21bF\355\15\5\13g&\371vw\31\333et\356*\354\240\\232\275\261\247[\264\231M\14&\207a\207\277:\306\25\328\232@\233\245-GQ\274 WK\335\316v\204\2262/\5\277\17Z\23", 80, ... ) , 0, 3,  (-2147482128, "Seed", 0, 3, "\264\177\370\226c\254'S<\267\315\237\363@\0\277\301\21bF\355\15\5\13g&\371vw\31\333et\356*\354\240\\232\275\261\247[\264\231M\14&\207a\207\277:\306\25\328\232@\233\245-GQ\274 WK\335\316v\204\2262/\5\277\17Z\23", 80, ... ) , 80, ... ) == 0x0
 01194  1736   NtClose  (-2147482128, ... ) == 0x0
 01184  1736   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\304U^\271]\13\250@\302\23\246^^\335\275\211H[\265\33\377\242\22\10\4V\274\12\27\26\336\5\1`f\225\27\376\247\256}\341J*By\216\241\362T\4@^\340\306n\256\275\232\6T\253\33\341\20\37\341\300y\204\35\275\253\(\362\377~O)\324\352N\341\343\362\345uf\262\10\3061.\226\32\3460\347n\310\32\21\15\217\246\33\5\312$\315\375\330a\34 ~\211\3713*\215\16B\2\323\11%\327\246\202z|\320\346/*\341\2012N\322\243.0Lp\324\340\347\305\240\263\213\367\247\336\10\317\263\374\376\37\355S\271\236\360\263F\25xpI\265\265<\266\25\357\205\30\5\336\205`\270\221\324\3626H\352\201\23M_\24\300\37\208Bg\330I\7E\33aU\227\356\325P\36_qn\20\4\305\337\273\15\304\322\21g\227G*\350!\310 H\334zG\375\10\322t\252\345\35q\37qC@*\277", ) , ) == 0x0
 01195  1736   NtDeviceIoControlFile  (44, 0, 0x0, 0x0, 0x390008,  (44, 0, 0x0, 0x0, 0x390008, "\254\314\11=\246\323\211\250~\367\356\360\204\257\12\2011#V\342\326lO1#V\342\326\325\205\263\377\22\257w(\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01196  1736   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01197  1736   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01198  1736   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01199  1736   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01200  1736   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01201  1736   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01202  1736   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01203  1736   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482128, 2, ) }, 0, 0x0, 0, ... -2147482128, 2, ) == 0x0
 01204  1736   NtSetValueKey  (-2147482128,  (-2147482128, "Seed", 0, 3, "\251\353\367\266k9c\322\307l7\201\264z\215X\324UC\206\257\223\225$\264\300\12\36\263\331\314\220x\304\214\340\367D\23\374\340\16\205\352\232 \224%\365\202a\262l\315\222\232G\255\2003\267\272{#E\352_\201~\371\213\337\256-\233\5\7\201q", 80, ... ) , 0, 3,  (-2147482128, "Seed", 0, 3, "\251\353\367\266k9c\322\307l7\201\264z\215X\324UC\206\257\223\225$\264\300\12\36\263\331\314\220x\304\214\340\367D\23\374\340\16\205\352\232 \224%\365\202a\262l\315\222\232G\255\2003\267\272{#E\352_\201~\371\213\337\256-\233\5\7\201q", 80, ... ) , 80, ... ) == 0x0
 01205  1736   NtClose  (-2147482128, ... ) == 0x0
 01195  1736   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\273Q\321\35^\207w:\226\374\264-\16\221*\224\371\221\247\350=\272\205\\303\36\312\213\275\217\275\32\350\11\250+\345\16\303\322\247\331\260,i\2727\234t\330&\32)\10i\227<\251\32\334-\371\326#\336\364\330^\363\360\240\200\351#\300^\13\325vP\250\312\244Z~QIX\374\36\310Xi\213(\211[\236\4%\373Dp\266\352\15\337o\371\315\223n\306)\242)\371\302&+\6"Z\2466\1\375"\320\217G\202\0,6\312\21\362\242\352\0\335\262\315\215J\312\33\13\352\267E#\321;\12\177\331\317\207\247F&\214\352\201\234\327?\16\360\265\337\357!M\34\301)s+k\222\254-\347+a\271\210\224`\335\222P""\225\247\21J\341b\231b\203t\260e, ) Z\2466\1\375 ... {status=0x0, info=256}, "\273Q\321\35^\207w:\226\374\264-\16\221*\224\371\221\247\350=\272\205\\303\36\312\213\275\217\275\32\350\11\250+\345\16\303\322\247\331\260,i\2727\234t\330&\32)\10i\227<\251\32\334-\371\326#\336\364\330^\363\360\240\200\351#\300^\13\325vP\250\312\244Z~QIX\374\36\310Xi\213(\211[\236\4%\373Dp\266\352\15\337o\371\315\223n\306)\242)\371\302&+\6"Z\2466\1\375"\320\217G\202\0,6\312\21\362\242\352\0\335\262\315\215J\312\33\13\352\267E#\321;\12\177\331\317\207\247F&\214\352\201\234\327?\16\360\265\337\357!M\34\301)s+k\222\254-\347+a\271\210\224`\335\222P""\225\247\21J\341b\231b\203t\260e, )  ... {status=0x0, info=256}, "\273Q\321\35^\207w:\226\374\264-\16\221*\224\371\221\247\350=\272\205\\303\36\312\213\275\217\275\32\350\11\250+\345\16\303\322\247\331\260,i\2727\234t\330&\32)\10i\227<\251\32\334-\371\326#\336\364\330^\363\360\240\200\351#\300^\13\325vP\250\312\244Z~QIX\374\36\310Xi\213(\211[\236\4%\373Dp\266\352\15\337o\371\315\223n\306)\242)\371\302&+\6"Z\2466\1\375"\320\217G\202\0,6\312\21\362\242\352\0\335\262\315\215J\312\33\13\352\267E#\321;\12\177\331\317\207\247F&\214\352\201\234\327?\16\360\265\337\357!M\34\301)s+k\222\254-\347+a\271\210\224`\335\222P""\225\247\21J\341b\231b\203t\260e, ) , ) == 0x0
 01206  1736   NtDeviceIoControlFile  (44, 0, 0x0, 0x0, 0x390008,  (44, 0, 0x0, 0x0, 0x390008, "\254\314\11=\246\323\211\250~\367\356\360\204\257\12\2011#V\342\326lO1#V\342\326lO1#V\342\326\325\205\263\377\22\257w(\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01207  1736   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01208  1736   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01209  1736   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01210  1736   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01211  1736   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01212  1736   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01213  1736   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01214  1736   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482128, 2, ) }, 0, 0x0, 0, ... -2147482128, 2, ) == 0x0
 01215  1736   NtSetValueKey  (-2147482128,  (-2147482128, "Seed", 0, 3, "\34}\372\336\257\240\2\305&\2\363\341\361K\246\300\341\377F\376\241o,\253\2002\304-\326\220\25\24\232\36623\234\265X\214\251'\207\23*\253\275\350\22\335\272\242@LbW\304\330H\376\223\22M\305\315\317<"\2430\202\214r\365\2\312UP", 80, ... ) , 0, 3,  (-2147482128, "Seed", 0, 3, "\34}\372\336\257\240\2\305&\2\363\341\361K\246\300\341\377F\376\241o,\253\2002\304-\326\220\25\24\232\36623\234\265X\214\251'\207\23*\253\275\350\22\335\272\242@LbW\304\330H\376\223\22M\305\315\317<"\2430\202\214r\365\2\312UP", 80, ... ) \2430\202\214r\365\2\312UP", 80, ... ) == 0x0
 01216  1736   NtClose  (-2147482128, ... ) == 0x0
 01206  1736   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\273\10\26B\236\327\367)\231\274(\311^\274\204<\217ZQ=\23\270=4\224w)\236\230\347\20(Kt\204\317l\355\206\227\T|B\372\221&\327\301+\215lY\375'\321\27\367\301,O\25,\327\276\356\23;\237\267\22\1i\314Q\14\270)\24sKQ\205\307\251\242\22\13t\366\31jRw]b", ) , ) == 0x0
 01217  1736   NtDeviceIoControlFile  (44, 0, 0x0, 0x0, 0x390008,  (44, 0, 0x0, 0x0, 0x390008, "\254\314\11=\246\323\211\250~\367\356\360\204\257\12\2011#V\342\326lO1#V\342\326lO1#V\342\326lO1#V\342\326\325\205\263\377\22\257w(\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01218  1736   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01219  1736   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01220  1736   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01221  1736   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01222  1736   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01223  1736   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01224  1736   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01225  1736   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482128, 2, ) }, 0, 0x0, 0, ... -2147482128, 2, ) == 0x0
 01226  1736   NtSetValueKey  (-2147482128,  (-2147482128, "Seed", 0, 3, "\177\16Vw\13\241\220P\316\37;Fc\30f\224\17\210\36\14\330<\264\322\271\341\36\343aX\237!\32\30\204\247\250D\277\360E\226H\231\215\256\337\211sI/\255\322\232H4#\36\212\235\273ZS\376j+\340'0\310\2g\2\362\221\370|\374\216\341", 80, ... ) , 0, 3,  (-2147482128, "Seed", 0, 3, "\177\16Vw\13\241\220P\316\37;Fc\30f\224\17\210\36\14\330<\264\322\271\341\36\343aX\237!\32\30\204\247\250D\277\360E\226H\231\215\256\337\211sI/\255\322\232H4#\36\212\235\273ZS\376j+\340'0\310\2g\2\362\221\370|\374\216\341", 80, ... ) , 80, ... ) == 0x0
 01227  1736   NtClose  (-2147482128, ... ) == 0x0
 01217  1736   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\275:\313~\327O\311\263\216}$qy*?\214\27o_\350f\203\22;\260\231@\30\264\253\250):\224Zh\235z\265\3269\312\212\343l\13v\333\304b8\212\353\221\206\262Z\35f\255\274[q\6\6hx2W>\335w\344\10\20;\20%\271\257\214\375e\341\2428\217W\364\376\304\320\30714\265\230"\245\211ss\7\342\353\\251\315a\263\12\363\365\365\252\6\31\11\365\12\275K(\214\333V[QWo\211o\340\322\33p\10\210\11#>\34H\274\252?@B\373\302\341\14Z\223j[\323a\17d\253\261E\215\16{\24\227i\303\37\237*\326\316\215P", ) \245\211ss\7\342\353\\251\315a\263\12\363\365\365\252\6\31\11\365\12\275K(\214\333V[371\202\224\366\225\347\220\314\330\327@\260\2407\355\220\17is\333\264\326\3043|\361\2575^O\270\240\251\37RJ\200s\257\370\354s\260[\273\246\21\267\254\256\336\23=\10\207\347\314Z\25\34E\2166u\332]RM1$D\227'\3>QWo\211o\340\322\33p\10\210\11#>\34H\274\252?@B\373\302\341\14Z\223j[\323a\17d\253\261E\215\16{\24\227i\303\37\237*\326\316\215P", ) == 0x0
 01228  1736   NtDeviceIoControlFile  (44, 0, 0x0, 0x0, 0x390008,  (44, 0, 0x0, 0x0, 0x390008, "\254\314\11=\246\323\211\250~\367\356\360\204\257\12\2011#V\342\326lO1#V\342\326lO1#V\342\326lO1#V\342\326lO1#V\342\326\325\205\263\377\22\257w(\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01229  1736   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01230  1736   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01231  1736   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01232  1736   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01233  1736   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01234  1736   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01235  1736   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01236  1736   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482128, 2, ) }, 0, 0x0, 0, ... -2147482128, 2, ) == 0x0
 01237  1736   NtSetValueKey  (-2147482128,  (-2147482128, "Seed", 0, 3, "\344\260\252\17\214\306\327B\313\22\354#z\201M\366\263\4%V\3170\216k\214YQ\32\357M\210/\263>\272\14\226\326\213\272\365\300;\336;\332\257\264\322\216\353\366\321I\356\211^\364\301\30\226\207\371\253\267\37\14,#\215\244\355=\236\311\255\320\327\33i", 80, ... ) , 0, 3,  (-2147482128, "Seed", 0, 3, "\344\260\252\17\214\306\327B\313\22\354#z\201M\366\263\4%V\3170\216k\214YQ\32\357M\210/\263>\272\14\226\326\213\272\365\300;\336;\332\257\264\322\216\353\366\321I\356\211^\364\301\30\226\207\371\253\267\37\14,#\215\244\355=\236\311\255\320\327\33i", 80, ... ) , 80, ... ) == 0x0
 01238  1736   NtClose  (-2147482128, ... ) == 0x0
 01228  1736   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\210\216f\334\211\221P_\230\314+\235\26{c\254\344X\325\34\204\376\321;\353\214Q\315/!\15\340j\25<\3312\220\12=a\355\316\326\227\211\24\230\352\11\212(\22T \26\346\35\22\22%Co\313a\240\201\324\213\307Z\317u\222\13l\351%\337\307\17\332\37\27zqX\252\331t\317\311\306\30\272)I\323\247\243\333r\264\337\227\212f&2M\227\35\211\206|\332\350f\304\32P\267&|\6\224XL\1\2352\206\271`w\13J!w\322\301\2425\13w\327\315)$F\342\15\235\314bcxEc\304H\322\363\2720\256\204\13^\307\326\34'\340E\220\16\215\365\36\275&\250q\5\256\377\213+\35\243^.\2\23\264\205\17\36\337\317]\224\11f{\367g\220m\254\314\31a\221o\212A\350\608z\346\24K\26e*\327F\35\245\274\346\356aI\263\2421dIKR\2\350\224\333\32j^\16\274\316\232", ) , ) == 0x0
 01239  1736   NtDeviceIoControlFile  (44, 0, 0x0, 0x0, 0x390008,  (44, 0, 0x0, 0x0, 0x390008, "\254\314\11=\246\323\211\250~\367\356\360\204\257\12\2011#V\342\326lO1#V\342\326lO1#V\342\326lO1#V\342\326lO1#V\342\326lO1#V\342\326\325\205\263\377\22\257w(\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01240  1736   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01241  1736   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01242  1736   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01243  1736   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01244  1736   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01245  1736   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01246  1736   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01247  1736   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482128, 2, ) }, 0, 0x0, 0, ... -2147482128, 2, ) == 0x0
 01248  1736   NtSetValueKey  (-2147482128,  (-2147482128, "Seed", 0, 3, "\37\243\377\223\263L\223\346/\0\317\232\203\274r\20\316\3\273\332@\366\371\307\322Q\217/\252G\233\237G\344\3773X\224#\252h\221\36\314\263\300?t\326\306\206%\253|\273$U\255<'\364\27"\267\34\361l\345M\16\24\305>W\307\26\227\3476\24", 80, ... ) , 0, 3,  (-2147482128, "Seed", 0, 3, "\37\243\377\223\263L\223\346/\0\317\232\203\274r\20\316\3\273\332@\366\371\307\322Q\217/\252G\233\237G\344\3773X\224#\252h\221\36\314\263\300?t\326\306\206%\253|\273$U\255<'\364\27"\267\34\361l\345M\16\24\305>W\307\26\227\3476\24", 80, ... ) \267\34\361l\345M\16\24\305>W\307\26\227\3476\24", 80, ... ) == 0x0
 01249  1736   NtClose  (-2147482128, ... ) == 0x0
 01239  1736   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "eo\357\232\275\21\367\5U\27\300^-/\325\33?\321\370\352\254OUu\310E\356T\3043z\315`\216\37\367\347&\307 Jc\37Y\356hjh\327\306\324\202.\212.\206`S[\300>\332\341\11\347\225\314\2456q\356"\274\364C\237\220\361\234\272\24\347\375;\247H\230^\216'Q\35\375w\213\324`g\305\177\263\35`\367\246\261\375\372e\320\346\214\224k\200"\367\32\255\217\365;\362ER\22\371g\201)b\340\243cl4/\275\37\323}\333\266!k\35\12\241\246\24H?\303\227#\24\241w\266\353\257\206\273\307\234\37\227w\231&\316?{\211\36\320\273\6\363c\6\221\242\26\265+O\257\247(I\345\357] \276\303;W>\302\3551\370\367\230\304\266\254\\304\240x\377d)\256t\232\326\251\275\31?r\216k]\11\305\330"E\24\317$\328\347\4\261h\234\345\351\207\36(\246\247\3561\21A", ) \274\364C\237\220\361\234\272\24\347\375;\247H\230^\216'Q\35\375w\213\324`g\305\177\263\35`\367\246\261\375\372e\320\346\214\224k\200 ... {status=0x0, info=256}, "eo\357\232\275\21\367\5U\27\300^-/\325\33?\321\370\352\254OUu\310E\356T\3043z\315`\216\37\367\347&\307 Jc\37Y\356hjh\327\306\324\202.\212.\206`S[\300>\332\341\11\347\225\314\2456q\356"\274\364C\237\220\361\234\272\24\347\375;\247H\230^\216'Q\35\375w\213\324`g\305\177\263\35`\367\246\261\375\372e\320\346\214\224k\200"\367\32\255\217\365;\362ER\22\371g\201)b\340\243cl4/\275\37\323}\333\266!k\35\12\241\246\24H?\303\227#\24\241w\266\353\257\206\273\307\234\37\227w\231&\316?{\211\36\320\273\6\363c\6\221\242\26\265+O\257\247(I\345\357] \276\303;W>\302\3551\370\367\230\304\266\254\\304\240x\377d)\256t\232\326\251\275\31?r\216k]\11\305\330"E\24\317$\328\347\4\261h\234\345\351\207\36(\246\247\3561\21A", ) E\24\317$\328\347\4\261h\234\345\351\207\36(\246\247\3561\21A", ) == 0x0
 01250  1736   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 132, ) == 0x0
 01251  1736   NtConnectPort  ( ("\RPC Control\ntsvcs", {12, 2, 1, 1}, 0x0, 0x0, 1238540, 188, ... 136, 0x0, 0x0, 0x0, 188, ) , {12, 2, 1, 1}, 0x0, 0x0, 1238540, 188, ... 136, 0x0, 0x0, 0x0, 188, ) == 0x0
 01252  1736   NtRequestWaitReplyPort  (136, {200, 224, new_msg, 0, 1355632, 12, 2, 257}  (136, {200, 224, new_msg, 0, 1355632, 12, 2, 257} "\0\0\0\0\274\0\0\0\3443\24\0@N\237\215=\240\316\21\217i\10\0>0\5\33\1\0\0\0\1\0\0\0`\2\24\0\4\0\0\0\2\0\0\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\2\0\0\0\351\26L\225\374\315\37\260`\227\24\0`\2\24\0\12\0\0\0\0\0\0\0\0\0\0 (\0\0\0h\227\24\0\312\207e\207\240\1\24\0\30\257\24\0\\1\24\0\0\0\0\0\0\0\0\0\30\257\24\0P\0\0\0 \257\24\0\360\6\221|`\2\24\0P\0\0\0\346\31\0\0\0\0\24\0\214\344\22\0\372\31\221| \354\22\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ... {200, 224, reply, 0, 1636, 1736, 75512, 0} "\7\0\0\0\274\0\0\0\3443\24\0@N\237\215=\240\316\21\217i\10\0>0\5\33\1\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\2\0\0\0\377\377\377\377\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\2\0\0\0\351\26L\225\374\315\37\260`\227\24\0`\2\24\0\12\0\0\0\0\0\0\0\0\0\0 (\0\0\0h\227\24\0\312\207e\207\240\1\24\0\30\257\24\0\\1\24\0\0\0\0\0\0\0\0\0\30\257\24\0P\0\0\0 \257\24\0\360\6\221|`\2\24\0P\0\0\0\346\31\0\0\0\0\24\0\214\344\22\0\372\31\221| \354\22\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" )  ... {200, 224, reply, 0, 1636, 1736, 75512, 0}  (136, {200, 224, new_msg, 0, 1355632, 12, 2, 257} "\0\0\0\0\274\0\0\0\3443\24\0@N\237\215=\240\316\21\217i\10\0>0\5\33\1\0\0\0\1\0\0\0`\2\24\0\4\0\0\0\2\0\0\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\2\0\0\0\351\26L\225\374\315\37\260`\227\24\0`\2\24\0\12\0\0\0\0\0\0\0\0\0\0 (\0\0\0h\227\24\0\312\207e\207\240\1\24\0\30\257\24\0\\1\24\0\0\0\0\0\0\0\0\0\30\257\24\0P\0\0\0 \257\24\0\360\6\221|`\2\24\0P\0\0\0\346\31\0\0\0\0\24\0\214\344\22\0\372\31\221| \354\22\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ... {200, 224, reply, 0, 1636, 1736, 75512, 0} "\7\0\0\0\274\0\0\0\3443\24\0@N\237\215=\240\316\21\217i\10\0>0\5\33\1\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\2\0\0\0\377\377\377\377\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\2\0\0\0\351\26L\225\374\315\37\260`\227\24\0`\2\24\0\12\0\0\0\0\0\0\0\0\0\0 (\0\0\0h\227\24\0\312\207e\207\240\1\24\0\30\257\24\0\\1\24\0\0\0\0\0\0\0\0\0\30\257\24\0P\0\0\0 \257\24\0\360\6\221|`\2\24\0P\0\0\0\346\31\0\0\0\0\24\0\214\344\22\0\372\31\221| \354\22\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" )  ) == 0x0
 01253  1736   NtRequestWaitReplyPort  (136, {112, 136, new_msg, 0, 44, 3, 20, 0}  (136, {112, 136, new_msg, 0, 44, 3, 20, 0} "\1\0\0\0A\2\27\0\245}d@\240\5u8poe8"\0$\0\377\377\377\377\22\0\0\0\15c\365S\277\266\320\21\224\362\0\240\311\36\373\213\0\0\0\0\0\0\0\0P\0r\0i\0v\0i\0l\0e\0g\0e\0l\0e\0g\0e\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {68, 92, reply, 0, 1636, 1736, 75513, 0} "\2\0\370\0\1\0\335\341<\0\370\0\226\245\335\341\264\311\275\201:\332R\200X{\266\367\]\222\201\306\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) \0$\0\377\377\377\377\22\0\0\0\15c\365S\277\266\320\21\224\362\0\240\311\36\373\213\0\0\0\0\0\0\0\0P\0r\0i\0v\0i\0l\0e\0g\0e\0l\0e\0g\0e\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 (136, {112, 136, new_msg, 0, 44, 3, 20, 0} "\1\0\0\0A\2\27\0\245}d@\240\5u8poe8"\0$\0\377\377\377\377\22\0\0\0\15c\365S\277\266\320\21\224\362\0\240\311\36\373\213\0\0\0\0\0\0\0\0P\0r\0i\0v\0i\0l\0e\0g\0e\0l\0e\0g\0e\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {68, 92, reply, 0, 1636, 1736, 75513, 0} "\2\0\370\0\1\0\335\341<\0\370\0\226\245\335\341\264\311\275\201:\332R\200X{\266\367\]\222\201\306\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) \2\0\370\0\1\0\335\341<\0\370\0\226\245\335\341\264\311\275\201:\332R\200X{\266\367\]\222\201\306\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) == 0x0
 01254  1736   NtAllocateVirtualMemory  (-1, 1355776, 0, 4096, 4096, 4, ... 1355776, 4096, ) == 0x0
 01255  1736   NtOpenThreadToken  (-2, 0x20, 1, ... ) == STATUS_NO_TOKEN
 01256  1736   NtOpenProcessToken  (-1, 0x20, ... 140, ) == 0x0
 01257  1736   NtAdjustPrivilegesToken  (140, 0, 1352496, 0, 0, 0, ... ) == 0x0
 01258  1736   NtClose  (140, ... ) == 0x0
 01259  1736   NtRequestWaitReplyPort  (136, {140, 164, new_msg, 0, 1636, 1736, 75513, 0}  (136, {140, 164, new_msg, 0, 1636, 1736, 75513, 0} "\1\0\0\0A\2\26\0<\0\370\0\226\245\335\341\264\311\275\201:\332R\200\377\377\377\377\]\222\201\15c\365S\277\266\320\21\224\362\0\240\311\36\373\213\0\0\0\0\306\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0e\0g\0e\0l\0e\0g\0e\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {40, 64, reply, 0, 1636, 1736, 75514, 0} "\2\314\274\201\4\0[\200\377\3\37\0\240\314\274\201\0\374\340\377H=\266\367U&\\200d=\266\367\274\1\0\0\360>\11\0" )  ... {40, 64, reply, 0, 1636, 1736, 75514, 0}  (136, {140, 164, new_msg, 0, 1636, 1736, 75513, 0} "\1\0\0\0A\2\26\0<\0\370\0\226\245\335\341\264\311\275\201:\332R\200\377\377\377\377\]\222\201\15c\365S\277\266\320\21\224\362\0\240\311\36\373\213\0\0\0\0\306\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0e\0g\0e\0l\0e\0g\0e\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {40, 64, reply, 0, 1636, 1736, 75514, 0} "\2\314\274\201\4\0[\200\377\3\37\0\240\314\274\201\0\374\340\377H=\266\367U&\\200d=\266\367\274\1\0\0\360>\11\0" )  ) == 0x0
 01260  1736   NtRequestWaitReplyPort  (136, {64, 88, new_msg, 56, 1354664, 1239044, 1239144, 0}  (136, {64, 88, new_msg, 56, 1354664, 1239044, 1239144, 0} "\10\350\22\0@\0\24\0\346\277\347wh\350\22\0\4\350\22\0\20\0\0\0\300j\222w\34\254\24\0\1\0\0\08\261\24\0\274\1\0\0\274\1\0\0\360>\11\0\0\0\0\0\0\0\0\0\20\257\24\0" ... {64, 88, reply, 56, 1636, 1736, 75515, 0} "\10\350\22\0@\0\24\0\346\277\347wh\350\22\0\4\350\22\0\20\0\0\0\300j\222w\34\254\24\0\1\0\0\08\261\24\0\274\1\0\0\274\1\0\0\360>\11\0\0\0\0\0\0\0\0\0\20\257\24\0" )  ... {64, 88, reply, 56, 1636, 1736, 75515, 0}  (136, {64, 88, new_msg, 56, 1354664, 1239044, 1239144, 0} "\10\350\22\0@\0\24\0\346\277\347wh\350\22\0\4\350\22\0\20\0\0\0\300j\222w\34\254\24\0\1\0\0\08\261\24\0\274\1\0\0\274\1\0\0\360>\11\0\0\0\0\0\0\0\0\0\20\257\24\0" ... {64, 88, reply, 56, 1636, 1736, 75515, 0} "\10\350\22\0@\0\24\0\346\277\347wh\350\22\0\4\350\22\0\20\0\0\0\300j\222w\34\254\24\0\1\0\0\08\261\24\0\274\1\0\0\274\1\0\0\360>\11\0\0\0\0\0\0\0\0\0\20\257\24\0" )  ) == 0x0
 01261  1736   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\FDC#GENERIC_FLOPPY_DRIVE#6&1435b2e2&0&0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, 3, 96, ... 140, {status=0x0, info=1}, ) }, 3, 96, ... 140, {status=0x0, info=1}, ) == 0x0
 01262  1736   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\FDC#GENERIC_FLOPPY_DRIVE#6&1435b2e2&0&0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, ... 144, ) }, ... 144, ) == 0x0
 01263  1736   NtQuerySymbolicLinkObject  (144, ...  (144, ... "\Device\FloppyPDO0", 38, ) , 38, ) == 0x0
 01264  1736   NtClose  (144, ... ) == 0x0
 01265  1736   NtQueryVolumeInformationFile  (140, 1237816, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01266  1736   NtClose  (140, ... ) == 0x0
 01267  1736   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\FDC#GENERIC_FLOPPY_DRIVE#6&1435b2e2&0&0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, 3, 16, ... 140, {status=0x0, info=1}, ) }, 3, 16, ... 140, {status=0x0, info=1}, ) == 0x0
 01268  1736   NtDeviceIoControlFile  (140, 0, 0x0, 0x0, 0x4d0008, 0x0, 0, 520, ... {status=0x0, info=32},  (140, 0, 0x0, 0x0, 0x4d0008, 0x0, 0, 520, ... {status=0x0, info=32}, "\36\0\\0D\0e\0v\0i\0c\0e\0\\0F\0l\0o\0p\0p\0y\00\0", ) , ) == 0x0
 01269  1736   NtClose  (140, ... ) == 0x0
 01270  1736   NtQueryInformationFile  (-1, 1238868, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 01271  1736   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 1238820,  (0x100080, {24, 0, 0x40, 0, 1238820, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 140, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 140, {status=0x0, info=0}, ) == 0x0
 01272  1736   NtDeviceIoControlFile  (140, 0, 0x0, 0x0, 0x6d0008,  (140, 0, 0x0, 0x0, 0x6d0008, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0\36\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0F\0l\0o\0p\0p\0y\00\0", 54, 32, ... , 54, 32, ...
 01273  1736   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\Device\Floppy0"}, 0, 64, ... -2147482128, {status=0x0, info=1}, ) }, 0, 64, ... -2147482128, {status=0x0, info=1}, ) == 0x0
 01274  1736   NtClose  (-2147482128, ... ) == 0x0
 01272  1736   NtDeviceIoControlFile  ... ) == STATUS_BUFFER_OVERFLOW
 01275  1736   NtDeviceIoControlFile  (140, 0, 0x0, 0x0, 0x6d0008,  (140, 0, 0x0, 0x0, 0x6d0008, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0\36\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0F\0l\0o\0p\0p\0y\00\0", 54, 374, ... , 54, 374, ...
 01276  1736   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\Device\Floppy0"}, 0, 64, ... -2147482128, {status=0x0, info=1}, ) }, 0, 64, ... -2147482128, {status=0x0, info=1}, ) == 0x0
 01277  1736   NtClose  (-2147482128, ... ) == 0x0
 01275  1736   NtDeviceIoControlFile  ... {status=0x0, info=374},  ... {status=0x0, info=374}, "v\1\0\0\2\0\0\0\372\0\0\0`\0\0\08\0\0\0\244\0\0\0\334\0\0\0\36\0v\0Z\1\0\0\34\0\\08\0\0\0\244\0p\0\334\0\0\0\36\0\0\0\\0?\0?\0\\0F\0D\0C\0#\0G\0E\0N\0E\0R\0I\0C\0_\0F\0L\0O\0P\0P\0Y\0_\0D\0R\0I\0V\0E\0#\06\0&\01\04\03\05\0b\02\0e\02\0&\00\0&\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\\0D\0e\0v\0i\0c\0e\0\\0F\0l\0o\0p\0p\0y\00\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\0a\0c\05\03\0e\07\0d\00\0-\0b\09\06\0f\0-\01\01\0d\0b\0-\0a\04\08\08\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\\0D\0o\0s\0D\0e\0v\0i\0c\0e\0s\0\\0A\0:\0", ) , ) == 0x0
 01278  1736   NtClose  (140, ... ) == 0x0
 01279  1736   NtAllocateVirtualMemory  (-1, 1359872, 0, 4096, 4096, 4, ... 1359872, 4096, ) == 0x0
 01280  1736   NtOpenKey  (0x2000000, {24, 72, 0x40, 0, 0,  (0x2000000, {24, 72, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 140, ) }, ... 140, ) == 0x0
 01281  1736   NtOpenKey  (0x2000000, {24, 140, 0x40, 0, 0,  (0x2000000, {24, 140, 0x40, 0, 0, "{ac53e7d0-b96f-11db-a488-806d6172696f}\"}, ... 144, ) }, ... 144, ) == 0x0
 01282  1736   NtClose  (140, ... ) == 0x0
 01283  1736   NtQueryValueKey  (144,  (144, "Data", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01284  1736   NtQueryValueKey  (144,  (144, "Data", Partial, 710, ... TitleIdx=0, Type=3, Data="\0\0\0\0\\0\\0?\0\\0F\0D\0C\0#\0G\0E\0N\0E\0R\0I\0C\0_\0F\0L\0O\0P\0P\0Y\0_\0D\0R\0I\0V\0E\0#\06\0&\01\04\03\05\0b\02\0e\02\0&\00\0&\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\0\\0?\0\\0V\0o\0l\0u\0m\0e\0{\0a\0c\05\03\0e\07\0d\00\0-\0b\09\06\0f\0-\01\01\0d\0b\0-\0a\04\08\08\0-\08\00\06\0d\06\01\07\0\0\0\0\0\306\2\0\0\5\5\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\220\0\0\0\5\5\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\6\5\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0H\0\0\0P\347\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\0\226\0\214\347\22\0\0\0\0\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0"}, 710, ) , Partial, 710, ... TitleIdx=0, Type=3, Data= (144, "Data", Partial, 710, ... TitleIdx=0, Type=3, Data="\0\0\0\0\\0\\0?\0\\0F\0D\0C\0#\0G\0E\0N\0E\0R\0I\0C\0_\0F\0L\0O\0P\0P\0Y\0_\0D\0R\0I\0V\0E\0#\06\0&\01\04\03\05\0b\02\0e\02\0&\00\0&\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\0\\0?\0\\0V\0o\0l\0u\0m\0e\0{\0a\0c\05\03\0e\07\0d\00\0-\0b\09\06\0f\0-\01\01\0d\0b\0-\0a\04\08\08\0-\08\00\06\0d\06\01\07\0\0\0\0\0\306\2\0\0\5\5\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\220\0\0\0\5\5\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\6\5\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0H\0\0\0P\347\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\0\226\0\214\347\22\0\0\0\0\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0"}, 710, ) }, 710, ) == 0x0
 01285  1736   NtClose  (144, ... ) == 0x0
 01286  1736   NtOpenKey  (0x2000000, {24, 72, 0x40, 0, 0,  (0x2000000, {24, 72, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 144, ) }, ... 144, ) == 0x0
 01287  1736   NtOpenKey  (0x2000000, {24, 144, 0x40, 0, 0,  (0x2000000, {24, 144, 0x40, 0, 0, "{ac53e7d0-b96f-11db-a488-806d6172696f}\"}, ... 140, ) }, ... 140, ) == 0x0
 01288  1736   NtClose  (144, ... ) == 0x0
 01289  1736   NtQueryValueKey  (140,  (140, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (140, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01290  1736   NtClose  (140, ... ) == 0x0
 01291  1736   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\STORAGE#Volume#1&30a96598&0&Signature14C814C8Offset7E00Length1FF582800#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, 3, 96, ... 140, {status=0x0, info=0}, ) }, 3, 96, ... 140, {status=0x0, info=0}, ) == 0x0
 01292  1736   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\STORAGE#Volume#1&30a96598&0&Signature14C814C8Offset7E00Length1FF582800#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, ... 144, ) }, ... 144, ) == 0x0
 01293  1736   NtQuerySymbolicLinkObject  (144, ...  (144, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0
 01294  1736   NtClose  (144, ... ) == 0x0
 01295  1736   NtQueryVolumeInformationFile  (140, 1237816, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01296  1736   NtClose  (140, ... ) == 0x0
 01297  1736   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\STORAGE#Volume#1&30a96598&0&Signature14C814C8Offset7E00Length1FF582800#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, 3, 16, ... 140, {status=0x0, info=0}, ) }, 3, 16, ... 140, {status=0x0, info=0}, ) == 0x0
 01298  1736   NtDeviceIoControlFile  (140, 0, 0x0, 0x0, 0x4d0008, 0x0, 0, 520, ... {status=0x0, info=48},  (140, 0, 0x0, 0x0, 0x4d0008, 0x0, 0, 520, ... {status=0x0, info=48}, ".\0\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0", ) , ) == 0x0
 01299  1736   NtClose  (140, ... ) == 0x0
 01300  1736   NtQueryInformationFile  (-1, 1238868, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 01301  1736   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 1238820,  (0x100080, {24, 0, 0x40, 0, 1238820, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 140, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 140, {status=0x0, info=0}, ) == 0x0
 01302  1736   NtDeviceIoControlFile  (140, 0, 0x0, 0x0, 0x6d0008,  (140, 0, 0x0, 0x0, 0x6d0008, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0.\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0", 70, 32, ... , 70, 32, ...
 01303  1736   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\Device\HarddiskVolume1"}, 0, 64, ... -2147482128, {status=0x0, info=0}, ) }, 0, 64, ... -2147482128, {status=0x0, info=0}, ) == 0x0
 01304  1736   NtClose  (-2147482128, ... ) == 0x0
 01302  1736   NtDeviceIoControlFile  ... ) == STATUS_BUFFER_OVERFLOW
 01305  1736   NtDeviceIoControlFile  (140, 0, 0x0, 0x0, 0x6d0008,  (140, 0, 0x0, 0x0, 0x6d0008, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0.\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0", 70, 238, ... , 70, 238, ...
 01306  1736   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\Device\HarddiskVolume1"}, 0, 64, ... -2147482128, {status=0x0, info=0}, ) }, 0, 64, ... -2147482128, {status=0x0, info=0}, ) == 0x0
 01307  1736   NtClose  (-2147482128, ... ) == 0x0
 01305  1736   NtDeviceIoControlFile  ... {status=0x0, info=238},  ... {status=0x0, info=238}, "\356\0\0\0\2\0\0\0r\0\0\0`\0\0\08\0\0\0\14\0\0\0D\0\0\0.\0v\0\322\0\0\0\34\0\\08\0\0\0\14\0d\0D\0\0\0.\0k\0\310\24\310\24\0~\0\0\0\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\0a\0c\05\03\0e\07\0d\03\0-\0b\09\06\0f\0-\01\01\0d\0b\0-\0a\04\08\08\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\\0D\0o\0s\0D\0e\0v\0i\0c\0e\0s\0\\0C\0:\0", ) , ) == 0x0
 01308  1736   NtClose  (140, ... ) == 0x0
 01309  1736   NtOpenKey  (0x2000000, {24, 72, 0x40, 0, 0,  (0x2000000, {24, 72, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 140, ) }, ... 140, ) == 0x0
 01310  1736   NtOpenKey  (0x2000000, {24, 140, 0x40, 0, 0,  (0x2000000, {24, 140, 0x40, 0, 0, "{ac53e7d3-b96f-11db-a488-806d6172696f}\"}, ... 144, ) }, ... 144, ) == 0x0
 01311  1736   NtClose  (140, ... ) == 0x0
 01312  1736   NtQueryValueKey  (144,  (144, "Data", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01313  1736   NtQueryValueKey  (144,  (144, "Data", Partial, 710, ... TitleIdx=0, Type=3, Data="\0\0\0\0\\0\\0?\0\\0S\0T\0O\0R\0A\0G\0E\0#\0V\0o\0l\0u\0m\0e\0#\01\0&\03\00\0a\09\06\05\09\08\0&\00\0&\0S\0i\0g\0n\0a\0t\0u\0r\0e\01\04\0C\08\01\04\0C\08\0O\0f\0f\0s\0e\0t\07\0E\00\00\0L\0e\0n\0g\0t\0h\01\0F\0F\05\08\02\08\00\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\0\\0?\0\\0V\0o\0l\0u\0m\0e\0{\0a\0c\05\03\0e\07\0d\03\0-\0b\09\06\0f\0-\01\01\0d\0b\0-\0a\04\08\08\0-\08\00\06\0d\06\01\07\0\0\0\0\0\306\2\0\0"\5\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\220\0\0\0"\5\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0#\5\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0H\0\0\0P\347\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\0\226\0\214\347\22\0\0\0\0\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0"}, 710, ) , Partial, 710, ... TitleIdx=0, Type=3, Data= (144, "Data", Partial, 710, ... TitleIdx=0, Type=3, Data="\0\0\0\0\\0\\0?\0\\0S\0T\0O\0R\0A\0G\0E\0#\0V\0o\0l\0u\0m\0e\0#\01\0&\03\00\0a\09\06\05\09\08\0&\00\0&\0S\0i\0g\0n\0a\0t\0u\0r\0e\01\04\0C\08\01\04\0C\08\0O\0f\0f\0s\0e\0t\07\0E\00\00\0L\0e\0n\0g\0t\0h\01\0F\0F\05\08\02\08\00\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\0\\0?\0\\0V\0o\0l\0u\0m\0e\0{\0a\0c\05\03\0e\07\0d\03\0-\0b\09\06\0f\0-\01\01\0d\0b\0-\0a\04\08\08\0-\08\00\06\0d\06\01\07\0\0\0\0\0\306\2\0\0"\5\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\220\0\0\0"\5\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0#\5\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0H\0\0\0P\347\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\0\226\0\214\347\22\0\0\0\0\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0"}, 710, ) \5\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\220\0\0\0 (144, "Data", Partial, 710, ... TitleIdx=0, Type=3, Data="\0\0\0\0\\0\\0?\0\\0S\0T\0O\0R\0A\0G\0E\0#\0V\0o\0l\0u\0m\0e\0#\01\0&\03\00\0a\09\06\05\09\08\0&\00\0&\0S\0i\0g\0n\0a\0t\0u\0r\0e\01\04\0C\08\01\04\0C\08\0O\0f\0f\0s\0e\0t\07\0E\00\00\0L\0e\0n\0g\0t\0h\01\0F\0F\05\08\02\08\00\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\0\\0?\0\\0V\0o\0l\0u\0m\0e\0{\0a\0c\05\03\0e\07\0d\03\0-\0b\09\06\0f\0-\01\01\0d\0b\0-\0a\04\08\08\0-\08\00\06\0d\06\01\07\0\0\0\0\0\306\2\0\0"\5\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\220\0\0\0"\5\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0#\5\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0H\0\0\0P\347\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\0\226\0\214\347\22\0\0\0\0\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0"}, 710, ) }, 710, ) == 0x0
 01314  1736   NtClose  (144, ... ) == 0x0
 01315  1736   NtOpenKey  (0x2000000, {24, 72, 0x40, 0, 0,  (0x2000000, {24, 72, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 144, ) }, ... 144, ) == 0x0
 01316  1736   NtOpenKey  (0x2000000, {24, 144, 0x40, 0, 0,  (0x2000000, {24, 144, 0x40, 0, 0, "{ac53e7d3-b96f-11db-a488-806d6172696f}\"}, ... 140, ) }, ... 140, ) == 0x0
 01317  1736   NtClose  (144, ... ) == 0x0
 01318  1736   NtQueryValueKey  (140,  (140, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (140, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01319  1736   NtClose  (140, ... ) == 0x0
 01320  1736   NtQueryInformationFile  (-1, 1240208, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 01321  1736   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 1240160,  (0x100080, {24, 0, 0x40, 0, 1240160, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 140, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 140, {status=0x0, info=0}, ) == 0x0
 01322  1736   NtDeviceIoControlFile  (140, 0, 0x0, 0x0, 0x6d0034,  (140, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\0a\0c\05\03\0e\07\0d\03\0-\0b\09\06\0f\0-\01\01\0d\0b\0-\0a\04\08\08\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 8, ... , 520, 8, ...
 01323  1736   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{ac53e7d3-b96f-11db-a488-806d6172696f}"}, 0, 64, ... -2147482128, {status=0x0, info=0}, ) }, 0, 64, ... -2147482128, {status=0x0, info=0}, ) == 0x0
 01324  1736   NtClose  (-2147482128, ... ) == 0x0
 01322  1736   NtDeviceIoControlFile  ... ) == STATUS_BUFFER_OVERFLOW
 01325  1736   NtDeviceIoControlFile  (140, 0, 0x0, 0x0, 0x6d0034,  (140, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\0a\0c\05\03\0e\07\0d\03\0-\0b\09\06\0f\0-\01\01\0d\0b\0-\0a\04\08\08\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 16, ... , 520, 16, ...
 01326  1736   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{ac53e7d3-b96f-11db-a488-806d6172696f}"}, 0, 64, ... -2147482128, {status=0x0, info=0}, ) }, 0, 64, ... -2147482128, {status=0x0, info=0}, ) == 0x0
 01327  1736   NtClose  (-2147482128, ... ) == 0x0
 01325  1736   NtDeviceIoControlFile  ... {status=0x0, info=12},  ... {status=0x0, info=12}, "\10\0\0\0C\0:\0\0\0\0\0", ) , ) == 0x0
 01328  1736   NtClose  (140, ... ) == 0x0
 01329  1736   NtQueryInformationFile  (-1, 1240208, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 01330  1736   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 1240160,  (0x100080, {24, 0, 0x40, 0, 1240160, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 140, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 140, {status=0x0, info=0}, ) == 0x0
 01331  1736   NtDeviceIoControlFile  (140, 0, 0x0, 0x0, 0x6d0034,  (140, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\0a\0c\05\03\0e\07\0d\03\0-\0b\09\06\0f\0-\01\01\0d\0b\0-\0a\04\08\08\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 8, ... , 520, 8, ...
 01332  1736   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{ac53e7d3-b96f-11db-a488-806d6172696f}"}, 0, 64, ... -2147482128, {status=0x0, info=0}, ) }, 0, 64, ... -2147482128, {status=0x0, info=0}, ) == 0x0
 01333  1736   NtClose  (-2147482128, ... ) == 0x0
 01331  1736   NtDeviceIoControlFile  ... ) == STATUS_BUFFER_OVERFLOW
 01334  1736   NtDeviceIoControlFile  (140, 0, 0x0, 0x0, 0x6d0034,  (140, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\0a\0c\05\03\0e\07\0d\03\0-\0b\09\06\0f\0-\01\01\0d\0b\0-\0a\04\08\08\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 16, ... , 520, 16, ...
 01335  1736   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{ac53e7d3-b96f-11db-a488-806d6172696f}"}, 0, 64, ... -2147482128, {status=0x0, info=0}, ) }, 0, 64, ... -2147482128, {status=0x0, info=0}, ) == 0x0
 01336  1736   NtClose  (-2147482128, ... ) == 0x0
 01334  1736   NtDeviceIoControlFile  ... {status=0x0, info=12},  ... {status=0x0, info=12}, "\10\0\0\0C\0:\0\0\0\0\0", ) , ) == 0x0
 01337  1736   NtClose  (140, ... ) == 0x0
 01338  1736   NtCreateKey  (0x2000000, {24, 72, 0x40, 0, 0,  (0x2000000, {24, 72, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ac53e7d3-b96f-11db-a488-806d6172696f}\"}, 0, 0x0, 0, ... 140, 2, ) }, 0, 0x0, 0, ... 140, 2, ) == 0x0
 01339  1736   NtSetValueKey  (140,  (140, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 0, 1,  (140, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 12, ... ) == 0x0
 01340  1736   NtClose  (140, ... ) == 0x0
 01341  1736   NtQueryInformationFile  (-1, 1240208, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 01342  1736   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 1240160,  (0x100080, {24, 0, 0x40, 0, 1240160, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 140, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 140, {status=0x0, info=0}, ) == 0x0
 01343  1736   NtDeviceIoControlFile  (140, 0, 0x0, 0x0, 0x6d0034,  (140, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\0a\0c\05\03\0e\07\0d\00\0-\0b\09\06\0f\0-\01\01\0d\0b\0-\0a\04\08\08\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 8, ... , 520, 8, ...
 01344  1736   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{ac53e7d0-b96f-11db-a488-806d6172696f}"}, 0, 64, ... -2147482128, {status=0x0, info=1}, ) }, 0, 64, ... -2147482128, {status=0x0, info=1}, ) == 0x0
 01345  1736   NtClose  (-2147482128, ... ) == 0x0
 01343  1736   NtDeviceIoControlFile  ... ) == STATUS_BUFFER_OVERFLOW
 01346  1736   NtDeviceIoControlFile  (140, 0, 0x0, 0x0, 0x6d0034,  (140, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\0a\0c\05\03\0e\07\0d\00\0-\0b\09\06\0f\0-\01\01\0d\0b\0-\0a\04\08\08\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 16, ... , 520, 16, ...
 01347  1736   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{ac53e7d0-b96f-11db-a488-806d6172696f}"}, 0, 64, ... -2147482128, {status=0x0, info=1}, ) }, 0, 64, ... -2147482128, {status=0x0, info=1}, ) == 0x0
 01348  1736   NtClose  (-2147482128, ... ) == 0x0
 01346  1736   NtDeviceIoControlFile  ... {status=0x0, info=12},  ... {status=0x0, info=12}, "\10\0\0\0A\0:\0\0\0\0\0", ) , ) == 0x0
 01349  1736   NtClose  (140, ... ) == 0x0
 01350  1736   NtQueryInformationFile  (-1, 1240208, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 01351  1736   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 1240160,  (0x100080, {24, 0, 0x40, 0, 1240160, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 140, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 140, {status=0x0, info=0}, ) == 0x0
 01352  1736   NtDeviceIoControlFile  (140, 0, 0x0, 0x0, 0x6d0034,  (140, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\0a\0c\05\03\0e\07\0d\00\0-\0b\09\06\0f\0-\01\01\0d\0b\0-\0a\04\08\08\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 8, ... , 520, 8, ...
 01353  1736   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{ac53e7d0-b96f-11db-a488-806d6172696f}"}, 0, 64, ... -2147482128, {status=0x0, info=1}, ) }, 0, 64, ... -2147482128, {status=0x0, info=1}, ) == 0x0
 01354  1736   NtClose  (-2147482128, ... ) == 0x0
 01352  1736   NtDeviceIoControlFile  ... ) == STATUS_BUFFER_OVERFLOW
 01355  1736   NtDeviceIoControlFile  (140, 0, 0x0, 0x0, 0x6d0034,  (140, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\0a\0c\05\03\0e\07\0d\00\0-\0b\09\06\0f\0-\01\01\0d\0b\0-\0a\04\08\08\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 16, ... , 520, 16, ...
 01356  1736   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{ac53e7d0-b96f-11db-a488-806d6172696f}"}, 0, 64, ... -2147482128, {status=0x0, info=1}, ) }, 0, 64, ... -2147482128, {status=0x0, info=1}, ) == 0x0
 01357  1736   NtClose  (-2147482128, ... ) == 0x0
 01355  1736   NtDeviceIoControlFile  ... {status=0x0, info=12},  ... {status=0x0, info=12}, "\10\0\0\0A\0:\0\0\0\0\0", ) , ) == 0x0
 01358  1736   NtClose  (140, ... ) == 0x0
 01359  1736   NtCreateKey  (0x2000000, {24, 72, 0x40, 0, 0,  (0x2000000, {24, 72, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ac53e7d0-b96f-11db-a488-806d6172696f}\"}, 0, 0x0, 0, ... 140, 2, ) }, 0, 0x0, 0, ... 140, 2, ) == 0x0
 01360  1736   NtSetValueKey  (140,  (140, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 0, 1,  (140, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 12, ... ) == 0x0
 01361  1736   NtClose  (140, ... ) == 0x0
 01362  1736   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01363  1736   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01364  1736   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\U:"}, 3, 96, ... 140, {status=0x0, info=1}, ) }, 3, 96, ... 140, {status=0x0, info=1}, ) == 0x0
 01365  1736   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\U:"}, ... 144, ) }, ... 144, ) == 0x0
 01366  1736   NtQuerySymbolicLinkObject  (144, ...  (144, ... "\Device\WinDfs\U:0000000000009f43", 66, ) , 66, ) == 0x0
 01367  1736   NtClose  (144, ... ) == 0x0
 01368  1736   NtQueryVolumeInformationFile  (140, 1239204, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01369  1736   NtClose  (140, ... ) == 0x0
 01370  1736   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01371  1736   NtOpenKey  (0x2000000, {24, 72, 0x40, 0, 0,  (0x2000000, {24, 72, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 140, ) }, ... 140, ) == 0x0
 01372  1736   NtOpenKey  (0x2000000, {24, 140, 0x40, 0, 0,  (0x2000000, {24, 140, 0x40, 0, 0, "{ac53e7d3-b96f-11db-a488-806d6172696f}\"}, ... 144, ) }, ... 144, ) == 0x0
 01373  1736   NtClose  (140, ... ) == 0x0
 01374  1736   NtQueryValueKey  (144,  (144, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (144, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01375  1736   NtClose  (144, ... ) == 0x0
 01376  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\Volume{ac53e7d3-b96f-11db-a488-806d6172696f}\"}, 1240336, ... ) }, 1240336, ... ) == 0x0
 01377  1736   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01378  1736   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\U:"}, 3, 96, ... 144, {status=0x0, info=1}, ) }, 3, 96, ... 144, {status=0x0, info=1}, ) == 0x0
 01379  1736   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\U:"}, ... 140, ) }, ... 140, ) == 0x0
 01380  1736   NtQuerySymbolicLinkObject  (140, ...  (140, ... "\Device\WinDfs\U:0000000000009f43", 66, ) , 66, ) == 0x0
 01381  1736   NtClose  (140, ... ) == 0x0
 01382  1736   NtQueryVolumeInformationFile  (144, 1241076, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01383  1736   NtClose  (144, ... ) == 0x0
 01384  1736   NtCreateEvent  (0x1f0003, {24, 48, 0x80, 1339720, 0,  (0x1f0003, {24, 48, 0x80, 1339720, 0, "ShellCopyEngineFinished"}, 0, 0, ... 144, ) }, 0, 0, ... 144, ) == 0x0
 01385  1736   NtSetEvent  (144, ... 0x0, ) == 0x0
 01386  1736   NtClose  (144, ... ) == 0x0
 01387  1736   NtClearEvent  (68, ... ) == 0x0
 01388  1736   NtClose  (68, ... ) == 0x0
 01389  1736   NtSetThreadExecutionState  (-2147483648, 1244004, ... ) == 0x0
 01390  1736   NtDelayExecution  (0, {-990000, -1}, ... ) == 0x0
 01391  1736   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion"}, ... 68, ) }, ... 68, ) == 0x0
 01392  1736   NtQueryValueKey  (68,  (68, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (68, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) }, 46, ) == 0x0
 01393  1736   NtQueryValueKey  (68,  (68, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (68, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) }, 46, ) == 0x0
 01394  1736   NtQueryValueKey  (68,  (68, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (68, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) }, 46, ) == 0x0
 01395  1736   NtQueryValueKey  (68,  (68, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (68, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) }, 46, ) == 0x0
 01396  1736   NtClose  (68, ... ) == 0x0
 01397  1736   NtDelayExecution  (0, {-320000, -1}, ... ) == 0x0
 01398  1736   NtQueryKey  (66, Name, 384, ... {Name= (66, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_CLASSES"}, 140, ) }, 140, ) == 0x0
 01399  1736   NtOpenKey  (0x20019, {24, 66, 0x40, 0, 0,  (0x20019, {24, 66, 0x40, 0, 0, "WR"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01400  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\WR"}, ... 68, ) }, ... 68, ) == 0x0
 01401  1736   NtQueryKey  (70, Name, 392, ... {Name= (70, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\WR\"}, 78, ) }, 78, ) == 0x0
 01402  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01403  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 144, ) == 0x0
 01404  1736   NtQueryInformationToken  (144, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01405  1736   NtClose  (144, ... ) == 0x0
 01406  1736   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\WR"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01407  1736   NtQueryValueKey  (70,  (70, "version", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01408  1736   NtQueryKey  (70, Name, 392, ... {Name= (70, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\WR1"}, 78, ) }, 78, ) == 0x0
 01409  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01410  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 144, ) == 0x0
 01411  1736   NtQueryInformationToken  (144, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01412  1736   NtClose  (144, ... ) == 0x0
 01413  1736   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\WR"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01414  1736   NtQueryValueKey  (70,  (70, "version", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01415  1736   NtClose  (70, ... ) == 0x0
 01416  1736   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion"}, ... 68, ) }, ... 68, ) == 0x0
 01417  1736   NtQueryValueKey  (68,  (68, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (68, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) }, 46, ) == 0x0
 01418  1736   NtQueryValueKey  (68,  (68, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (68, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) }, 46, ) == 0x0
 01419  1736   NtQueryValueKey  (68,  (68, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (68, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) }, 46, ) == 0x0
 01420  1736   NtQueryValueKey  (68,  (68, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (68, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) }, 46, ) == 0x0
 01421  1736   NtClose  (68, ... ) == 0x0
 01422  1736   NtDelayExecution  (0, {-420000, -1}, ... ) == 0x0
 01423  1736   NtQueryKey  (66, Name, 384, ... {Name= (66, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_CLASSES"}, 140, ) }, 140, ) == 0x0
 01424  1736   NtOpenKey  (0x20019, {24, 66, 0x40, 0, 0,  (0x20019, {24, 66, 0x40, 0, 0, "WR"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01425  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\WR"}, ... 68, ) }, ... 68, ) == 0x0
 01426  1736   NtQueryKey  (70, Name, 392, ... {Name= (70, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\WR\"}, 78, ) }, 78, ) == 0x0
 01427  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01428  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 144, ) == 0x0
 01429  1736   NtQueryInformationToken  (144, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01430  1736   NtClose  (144, ... ) == 0x0
 01431  1736   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\WR"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01432  1736   NtQueryValueKey  (70,  (70, "version", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01433  1736   NtQueryKey  (70, Name, 392, ... {Name= (70, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\WR1"}, 78, ) }, 78, ) == 0x0
 01434  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01435  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 144, ) == 0x0
 01436  1736   NtQueryInformationToken  (144, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01437  1736   NtClose  (144, ... ) == 0x0
 01438  1736   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\WR"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01439  1736   NtQueryValueKey  (70,  (70, "version", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01440  1736   NtClose  (70, ... ) == 0x0
 01441  1736   NtQueryKey  (66, Name, 382, ... {Name= (66, Name, 382, ... {Name="\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_CLASSES"}, 140, ) }, 140, ) == 0x0
 01442  1736   NtOpenKey  (0x2000000, {24, 66, 0x40, 0, 0,  (0x2000000, {24, 66, 0x40, 0, 0, "WR"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01443  1736   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes"}, ... 68, ) }, ... 68, ) == 0x0
 01444  1736   NtCreateKey  (0x20006, {24, 68, 0x40, 0, 0,  (0x20006, {24, 68, 0x40, 0, 0, "WR"}, 0, "", 0, ... 144, 2, ) }, 0, "", 0, ... 144, 2, ) == 0x0
 01445  1736   NtClose  (68, ... ) == 0x0
 01446  1736   NtQueryKey  (146, Name, 392, ... {Name= (146, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\WR\"}, 78, ) }, 78, ) == 0x0
 01447  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01448  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 68, ) == 0x0
 01449  1736   NtQueryInformationToken  (68, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01450  1736   NtClose  (68, ... ) == 0x0
 01451  1736   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\WR"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01452  1736   NtSetValueKey  (146,  (146, "version", 0, 1, "7\01\0\0\0", 6, ... , 0, 1,  (146, "version", 0, 1, "7\01\0\0\0", 6, ... , 6, ...
 01453  1736   NtSetInformationFile  (-2147482448, -134732432, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01452  1736   NtSetValueKey  ... ) == 0x0
 01454  1736   NtClose  (146, ... ) == 0x0
 01455  1736   NtDelayExecution  (0, {-340000, -1}, ... ) == 0x0
 01456  1736   NtDelayExecution  (0, {-320000, -1}, ... ) == 0x0
 01457  1736   NtDelayExecution  (0, {-320000, -1}, ... ) == 0x0
 01458  1736   NtDelayExecution  (0, {-320000, -1}, ... ) == 0x0
 01459  1736   NtDelayExecution  (0, {-320000, -1}, ... ) == 0x0
 01460  1736   NtQueryKey  (66, Name, 384, ... {Name= (66, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_CLASSES"}, 140, ) }, 140, ) == 0x0
 01461  1736   NtOpenKey  (0x20019, {24, 66, 0x40, 0, 0,  (0x20019, {24, 66, 0x40, 0, 0, "WR"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01462  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\WR"}, ... 144, ) }, ... 144, ) == 0x0
 01463  1736   NtQueryKey  (146, Name, 392, ... {Name= (146, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\WR\"}, 78, ) }, 78, ) == 0x0
 01464  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01465  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 68, ) == 0x0
 01466  1736   NtQueryInformationToken  (68, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01467  1736   NtClose  (68, ... ) == 0x0
 01468  1736   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\WR"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01469  1736   NtQueryValueKey  (146,  (146, "nextupdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01470  1736   NtClose  (146, ... ) == 0x0
 01471  1736   NtQueryKey  (66, Name, 384, ... {Name= (66, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_CLASSES"}, 140, ) }, 140, ) == 0x0
 01472  1736   NtOpenKey  (0x20019, {24, 66, 0x40, 0, 0,  (0x20019, {24, 66, 0x40, 0, 0, "WR"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01473  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\WR"}, ... 144, ) }, ... 144, ) == 0x0
 01474  1736   NtQueryKey  (146, Name, 392, ... {Name= (146, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\WR\"}, 78, ) }, 78, ) == 0x0
 01475  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01476  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 68, ) == 0x0
 01477  1736   NtQueryInformationToken  (68, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01478  1736   NtClose  (68, ... ) == 0x0
 01479  1736   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\WR"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01480  1736   NtQueryValueKey  (146,  (146, "nextupdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01481  1736   NtClose  (146, ... ) == 0x0
 01482  1736   NtQueryKey  (66, Name, 382, ... {Name= (66, Name, 382, ... {Name="\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_CLASSES"}, 140, ) }, 140, ) == 0x0
 01483  1736   NtOpenKey  (0x2000000, {24, 66, 0x40, 0, 0,  (0x2000000, {24, 66, 0x40, 0, 0, "WR"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01484  1736   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes"}, ... 144, ) }, ... 144, ) == 0x0
 01485  1736   NtCreateKey  (0x20006, {24, 144, 0x40, 0, 0,  (0x20006, {24, 144, 0x40, 0, 0, "WR"}, 0, "", 0, ... 68, 2, ) }, 0, "", 0, ... 68, 2, ) == 0x0
 01486  1736   NtClose  (144, ... ) == 0x0
 01487  1736   NtQueryKey  (70, Name, 392, ... {Name= (70, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\WR\"}, 78, ) }, 78, ) == 0x0
 01488  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01489  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 144, ) == 0x0
 01490  1736   NtQueryInformationToken  (144, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01491  1736   NtClose  (144, ... ) == 0x0
 01492  1736   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\WR"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01493  1736   NtSetValueKey  (70,  (70, "nextupdate", 0, 4, ":\12\13H", 4, ... ) , 0, 4,  (70, "nextupdate", 0, 4, ":\12\13H", 4, ... ) , 4, ... ) == 0x0
 01494  1736   NtClose  (70, ... ) == 0x0
 01495  1736   NtDelayExecution  (0, {-360000, -1}, ... ) == 0x0
 01496  1736   NtDelayExecution  (0, {-340000, -1}, ... ) == 0x0
 01497  1736   NtDelayExecution  (0, {-340000, -1}, ... ) == 0x0
 01498  1736   NtDelayExecution  (0, {-320000, -1}, ... ) == 0x0
 01499  1736   NtDelayExecution  (0, {-320000, -1}, ... ) == 0x0
 01500  1736   NtDelayExecution  (0, {-320000, -1}, ... ) == 0x0
 01501  1736   NtQueryKey  (66, Name, 384, ... {Name= (66, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_CLASSES"}, 140, ) }, 140, ) == 0x0
 01502  1736   NtOpenKey  (0x20019, {24, 66, 0x40, 0, 0,  (0x20019, {24, 66, 0x40, 0, 0, "WR"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01503  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\WR"}, ... 68, ) }, ... 68, ) == 0x0
 01504  1736   NtQueryKey  (70, Name, 392, ... {Name= (70, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\WR\"}, 78, ) }, 78, ) == 0x0
 01505  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01506  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 144, ) == 0x0
 01507  1736   NtQueryInformationToken  (144, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01508  1736   NtClose  (144, ... ) == 0x0
 01509  1736   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\WR"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01510  1736   NtQueryValueKey  (70,  (70, "cmd", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (70, "cmd", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 01511  1736   NtQueryKey  (70, Name, 392, ... {Name= (70, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\WR1"}, 78, ) }, 78, ) == 0x0
 01512  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01513  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 144, ) == 0x0
 01514  1736   NtQueryInformationToken  (144, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01515  1736   NtClose  (144, ... ) == 0x0
 01516  1736   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\WR"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01517  1736   NtQueryValueKey  (70,  (70, "cmd", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (70, "cmd", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 01518  1736   NtQueryKey  (70, Name, 392, ... {Name= (70, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\WR1"}, 78, ) }, 78, ) == 0x0
 01519  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01520  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 144, ) == 0x0
 01521  1736   NtQueryInformationToken  (144, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01522  1736   NtClose  (144, ... ) == 0x0
 01523  1736   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\WR"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01524  1736   NtQueryValueKey  (70,  (70, "cmd", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (70, "cmd", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 01525  1736   NtQueryKey  (70, Name, 392, ... {Name= (70, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\WR1"}, 78, ) }, 78, ) == 0x0
 01526  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01527  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 144, ) == 0x0
 01528  1736   NtQueryInformationToken  (144, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01529  1736   NtClose  (144, ... ) == 0x0
 01530  1736   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\WR"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01531  1736   NtQueryValueKey  (70,  (70, "cmd", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (70, "cmd", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 01532  1736   NtClose  (70, ... ) == 0x0
 01533  1736   NtQueryKey  (66, Name, 384, ... {Name= (66, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_CLASSES"}, 140, ) }, 140, ) == 0x0
 01534  1736   NtOpenKey  (0x20019, {24, 66, 0x40, 0, 0,  (0x20019, {24, 66, 0x40, 0, 0, "WR"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01535  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\WR"}, ... 68, ) }, ... 68, ) == 0x0
 01536  1736   NtQueryKey  (70, Name, 392, ... {Name= (70, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\WR\"}, 78, ) }, 78, ) == 0x0
 01537  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01538  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 144, ) == 0x0
 01539  1736   NtQueryInformationToken  (144, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01540  1736   NtClose  (144, ... ) == 0x0
 01541  1736   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\WR"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01542  1736   NtQueryValueKey  (70,  (70, "cmd", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (70, "cmd", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 01543  1736   NtQueryKey  (70, Name, 392, ... {Name= (70, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\WR1"}, 78, ) }, 78, ) == 0x0
 01544  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01545  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 144, ) == 0x0
 01546  1736   NtQueryInformationToken  (144, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01547  1736   NtClose  (144, ... ) == 0x0
 01548  1736   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\WR"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01549  1736   NtQueryValueKey  (70,  (70, "cmd", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (70, "cmd", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 01550  1736   NtQueryKey  (70, Name, 392, ... {Name= (70, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\WR1"}, 78, ) }, 78, ) == 0x0
 01551  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01552  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 144, ) == 0x0
 01553  1736   NtQueryInformationToken  (144, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01554  1736   NtClose  (144, ... ) == 0x0
 01555  1736   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\WR"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01556  1736   NtQueryValueKey  (70,  (70, "cmd", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (70, "cmd", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 01557  1736   NtQueryKey  (70, Name, 392, ... {Name= (70, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\WR1"}, 78, ) }, 78, ) == 0x0
 01558  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01559  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 144, ) == 0x0
 01560  1736   NtQueryInformationToken  (144, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01561  1736   NtClose  (144, ... ) == 0x0
 01562  1736   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\WR"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01563  1736   NtQueryValueKey  (70,  (70, "cmd", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (70, "cmd", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 01564  1736   NtClose  (70, ... ) == 0x0
 01565  1736   NtDelayExecution  (0, {-990000, -1}, ... ) == 0x0
 01566  1736   NtDelayExecution  (0, {-21370000, -1}, ... ) == 0x0
 01567  1736   NtDelayExecution  (0, {-21370000, -1}, ... ) == 0x0
 01568  1736   NtDelayExecution  (0, {-21370000, -1}, ... ) == 0x0
 01569  1736   NtDelayExecution  (0, {-21370000, -1}, ... ) == 0x0
 01570  1736   NtDelayExecution  (0, {-21370000, -1}, ... ) == 0x0
 01571  1736   NtDelayExecution  (0, {-21370000, -1}, ... ) == 0x0
 01572  1736   NtDelayExecution  (0, {-21370000, -1}, ... ) == 0x0
 01573  1736   NtDelayExecution  (0, {-21370000, -1}, ... ) == 0x0
 01574  1736   NtDelayExecution  (0, {-21370000, -1}, ... ) == 0x0
 01575  1736   NtDelayExecution  (0, {-21370000, -1}, ...
NtAddAtom(>)	1	NtUserGetThreadDesktop(>)	1	NtQueryVirtualMemory(>)	5	NtQueryInformationProcess(>)	18
NtCallbackReturn(>)	1	NtAdjustPrivilegesToken(>)	2	NtSetInformationProcess(>)	5	NtUserRegisterWindowMessage(>)	18
NtClearEvent(>)	1	NtContinue(>)	2	NtSetInformationThread(>)	5	NtOpenSection(>)	22
NtConnectPort(>)	1	NtCreateIoCompletion(>)	2	NtOpenThreadToken(>)	6	NtQueryAttributesFile(>)	22
NtCreateSemaphore(>)	1	NtGdiCreateSolidBrush(>)	2	NtQueryVolumeInformationFile(>)	6	NtOpenProcessTokenEx(>)	27
NtEnumerateValueKey(>)	1	NtOpenDirectoryObject(>)	2	NtFsControlFile(>)	7	NtOpenThreadTokenEx(>)	27
NtFreeVirtualMemory(>)	1	NtOpenEvent(>)	2	NtQueryDefaultLocale(>)	7	NtQueryKey(>)	28
NtGdiCreateBitmap(>)	1	NtReadFile(>)	2	NtQueryDirectoryFile(>)	7	NtMapViewOfSection(>)	31
NtGdiInit(>)	1	NtSetEvent(>)	2	NtQuerySection(>)	7	NtQueryInformationToken(>)	31
NtGdiQueryFontAssocInfo(>)	1	NtSetThreadExecutionState(>)	2	NtOpenProcessToken(>)	8	NtDeviceIoControlFile(>)	42
NtGdiSelectBitmap(>)	1	NtUserGetDC(>)	2	NtQueryDefaultUILanguage(>)	8	NtAllocateVirtualMemory(>)	45
NtOpenKeyedEvent(>)	1	NtUserQueryWindow(>)	2	NtQueryInformationFile(>)	8	NtOpenFile(>)	47
NtOpenProcess(>)	1	NtWriteFile(>)	2	NtUnmapViewOfSection(>)	8	NtUserFindExistingCursorIcon(>)	52
NtQueryInstallUILanguage(>)	1	NtAccessCheck(>)	3	NtCreateFile(>)	9	NtUserRegisterClassExWOW(>)	61
NtQueryObject(>)	1	NtDuplicateObject(>)	3	NtQueryDebugFilterState(>)	9	NtQuerySystemInformation(>)	73
NtQuerySystemTime(>)	1	NtGdiCreateCompatibleDC(>)	3	NtRequestWaitReplyPort(>)	11	NtFlushInstructionCache(>)	78
NtRegisterThreadTerminatePort(>)	1	NtUserCallOneParam(>)	3	NtUserSystemParametersInfo(>)	11	NtDelayExecution(>)	84
NtSecureConnectPort(>)	1	NtCreateMutant(>)	4	NtCreateEvent(>)	13	NtQueryValueKey(>)	98
NtTestAlert(>)	1	NtSetInformationObject(>)	4	NtSetInformationFile(>)	14	NtOpenKey(>)	147
NtUserCallNoParam(>)	1	NtGdiGetStockObject(>)	5	NtCreateKey(>)	15	NtProtectVirtualMemory(>)	158
NtUserGetObjectInformation(>)	1	NtOpenSymbolicLinkObject(>)	5	NtCreateSection(>)	15	NtClose(>)	213
NtUserGetProcessWindowStation(>)	1	NtQuerySymbolicLinkObject(>)	5	NtSetValueKey(>)	17