Summary (per-syscall call counts, ascending):

NtAccessCheck(>) 1 NtEnumerateKey(>) 2 NtGdiGetStockObject(>) 5 NtCreateKey(>) 22
NtAddAtom(>) 1 NtGdiCreateSolidBrush(>) 2 NtQueryDefaultLocale(>) 5 NtOpenThreadToken(>) 22
NtCallbackReturn(>) 1 NtGdiHfontCreate(>) 2 NtCreateSemaphore(>) 6 NtCreateSection(>) 26
NtConnectPort(>) 1 NtOpenDirectoryObject(>) 2 NtOpenSymbolicLinkObject(>) 6 NtQueryInformationFile(>) 27
NtCreateProcessEx(>) 1 NtOpenMutant(>) 2 NtQuerySymbolicLinkObject(>) 6 NtReleaseSemaphore(>) 31
NtDeleteValueKey(>) 1 NtQueryInstallUILanguage(>) 2 NtUserGetProcessWindowStation(>) 6 NtSetInformationProcess(>) 31
NtGdiCreateBitmap(>) 1 NtReleaseMutant(>) 2 NtWriteFile(>) 6 NtWaitForSingleObject(>) 33
NtGdiCreatePatternBrushInternal(>) 1 NtResumeThread(>) 2 NtUserCallNoParam(>) 7 NtUnmapViewOfSection(>) 44
NtGdiInit(>) 1 NtTerminateProcess(>) 2 NtQueryDefaultUILanguage(>) 8 NtOpenSection(>) 45
NtGdiQueryFontAssocInfo(>) 1 NtUserCloseDesktop(>) 2 NtFlushInstructionCache(>) 9 NtUserUnregisterClass(>) 46
NtGdiSelectBitmap(>) 1 NtUserCreateWindowEx(>) 2 NtQuerySection(>) 9 NtUserFindExistingCursorIcon(>) 48
NtNotifyChangeKey(>) 1 NtUserDestroyWindow(>) 2 NtQueryVolumeInformationFile(>) 9 NtQueryInformationProcess(>) 51
NtOpenKeyedEvent(>) 1 NtUserMessageCall(>) 2 NtSetInformationFile(>) 10 NtDeviceIoControlFile(>) 55
NtQueryInformationJobObject(>) 1 NtAdjustPrivilegesToken(>) 3 NtUserGetWindowDC(>) 10 NtWriteVirtualMemory(>) 58
NtQueryObject(>) 1 NtCreateMutant(>) 3 NtUserCallOneParam(>) 11 NtOpenProcessTokenEx(>) 60
NtQueryPerformanceCounter(>) 1 NtDuplicateObject(>) 3 NtUserSystemParametersInfo(>) 11 NtOpenThreadTokenEx(>) 60
NtQuerySystemTime(>) 1 NtEnumerateValueKey(>) 3 NtRequestWaitReplyPort(>) 12 NtQueryAttributesFile(>) 63
NtRegisterThreadTerminatePort(>) 1 NtGdiCreateCompatibleDC(>) 3 NtFsControlFile(>) 13 NtUserRegisterClassExWOW(>) 64
NtSecureConnectPort(>) 1 NtGdiDeleteObjectApp(>) 3 NtLockFile(>) 13 NtQueryInformationToken(>) 72
NtTestAlert(>) 1 NtOpenEvent(>) 3 NtUnlockFile(>) 13 NtQueryKey(>) 73
NtUserBuildNameList(>) 1 NtQueryVirtualMemory(>) 3 NtOpenProcessToken(>) 15 NtQuerySystemInformation(>) 79
NtUserGetAtomName(>) 1 NtReadVirtualMemory(>) 3 NtSetValueKey(>) 15 NtUserGetClassInfo(>) 82
NtUserGetDC(>) 1 NtSetEvent(>) 3 NtCreateEvent(>) 16 NtAllocateVirtualMemory(>) 83
NtUserGetForegroundWindow(>) 1 NtUserGetObjectInformation(>) 3 NtQueryDebugFilterState(>) 16 NtMapViewOfSection(>) 87
NtUserGetGUIThreadInfo(>) 1 NtUserOpenDesktop(>) 3 NtQueryDirectoryFile(>) 17 NtOpenFile(>) 87
NtUserGetThreadDesktop(>) 1 NtUserRegisterWindowMessage(>) 3 NtOpenProcess(>) 18 NtProtectVirtualMemory(>) 91
NtUserSetProp(>) 1 NtUserRemoveProp(>) 3 NtReadFile(>) 18 NtUserQueryWindow(>) 114
NtContinue(>) 2 NtWaitForMultipleObjects(>) 3 NtCreateFile(>) 19 NtQueryValueKey(>) 125
NtCreateIoCompletion(>) 2 NtSetInformationObject(>) 4 NtFreeVirtualMemory(>) 19 NtOpenKey(>) 282
NtCreateThread(>) 2 NtUserBuildHwndList(>) 4 NtSetInformationThread(>) 19 NtClose(>) 417

Trace (one numbered entry per system call, in call order; a call whose entry is split around another entry was interrupted by a nested call):

00001 428 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00002 428 NtOpenKeyedEvent (0x2000000, {24, 0, 0x0, 0, 0, (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0 00003 428 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00004 428 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 1376256, 1048576, ) == 0x0 00005 428 NtAllocateVirtualMemory (-1, 1376256, 0, 4096, 4096, 4, ... 1376256, 4096, ) == 0x0 00006 428 NtAllocateVirtualMemory (-1, 1380352, 0, 8192, 4096, 4, ... 1380352, 8192, ) == 0x0 00007 428 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00008 428 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 2424832, 65536, ) == 0x0 00009 428 NtAllocateVirtualMemory (-1, 2424832, 0, 24576, 4096, 4, ... 2424832, 24576, ) == 0x0 00010 428 NtOpenDirectoryObject (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0 00011 428 NtOpenSymbolicLinkObject (0x1, {24, 8, 0x40, 0, 0, (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0 00012 428 NtQuerySymbolicLinkObject (12, ... (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0 00013 428 NtClose (12, ... 
) == 0x0 00014 428 NtOpenFile (0x100020, {24, 0, 0x42, 0, 0, (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0 00015 428 NtQueryVolumeInformationFile (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00016 428 NtFsControlFile (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER 00017 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00018 428 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0 00019 428 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0 00020 428 NtClose (16, ... ) == 0x0 00021 428 NtQuerySystemInformation (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0 00022 428 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00023 428 NtCreateSection (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0 00024 428 NtSecureConnectPort ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1385272, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2490368, 18415616}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1385272, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2490368, 18415616}, {0, 0, 0}, 200, 44, ) == 0x0 00025 428 NtClose (16, ... ) == 0x0 00026 428 NtQueryObject (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0 00027 428 NtSetInformationObject (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0 00028 428 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00029 428 NtQueryVirtualMemory (-1, 0x260000, Basic, 28, ... {BaseAddress=0x260000,AllocationBase=0x260000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0 00030 428 NtAllocateVirtualMemory (-1, 2490368, 0, 4096, 4096, 4, ... 2490368, 4096, ) == 0x0 00031 428 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 0, 0, 0, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 412, 428, 1473, 0} "\310\275\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ) ... {28, 56, reply, 0, 412, 428, 1473, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 412, 428, 1473, 0} "\310\275\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ) ) == 0x0 00032 428 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00033 428 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0 00034 428 NtQueryValueKey (16, (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00035 428 NtClose (16, ... ) == 0x0 00036 428 NtAllocateVirtualMemory (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0 00037 428 NtOpenMutant (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0 00038 428 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 
28, ) == 0x0 00039 428 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x270000), 0x0, 90112, ) == 0x0 00040 428 NtClose (28, ... ) == 0x0 00041 428 NtQueryDefaultLocale (0, 2012046252, ... ) == 0x0 00042 428 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0 00043 428 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x290000), 0x0, 212992, ) == 0x0 00044 428 NtClose (28, ... ) == 0x0 00045 428 NtOpenSection (0x5, {24, 0, 0x40, 0, 0, (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0 00046 428 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2d0000), 0x0, 266240, ) == 0x0 00047 428 NtQuerySection (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0 00048 428 NtClose (28, ... ) == 0x0 00049 428 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0 00050 428 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x320000), 0x0, 24576, ) == 0x0 00051 428 NtClose (28, ... ) == 0x0 00052 428 NtQueryVirtualMemory (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 00053 428 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00054 428 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00055 428 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... 
{28, 56, reply, 0, 412, 428, 1476, 0} "(\261\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ) ... {28, 56, reply, 0, 412, 428, 1476, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 412, 428, 1476, 0} "(\261\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ) ) == 0x0 00056 428 NtProtectVirtualMemory (-1, (0x44f000), 163840, 4, ... (0x44f000), 163840, 128, ) == 0x0 00057 428 NtProtectVirtualMemory (-1, (0x44f000), 163840, 128, ... (0x44f000), 163840, 4, ) == 0x0 00058 428 NtFlushInstructionCache (-1, 4517888, 163840, ... ) == 0x0 00059 428 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "user32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00060 428 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0 00061 428 NtClose (28, ... ) == 0x0 00062 428 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00063 428 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0 00064 428 NtClose (28, ... ) == 0x0 00065 428 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00066 428 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0 00067 428 NtClose (28, ... ) == 0x0 00068 428 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0 00069 428 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0 00070 428 NtClose (28, ... ) == 0x0 00071 428 NtProtectVirtualMemory (-1, (0x44f000), 163840, 4, ... (0x44f000), 163840, 64, ) == 0x0 00072 428 NtProtectVirtualMemory (-1, (0x44f000), 163840, 64, ... (0x44f000), 163840, 4, ) == 0x0 00073 428 NtFlushInstructionCache (-1, 4517888, 163840, ... 
) == 0x0 00074 428 NtOpenProcessToken (-1, 0x8, ... 28, ) == 0x0 00075 428 NtQueryInformationToken (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00076 428 NtClose (28, ... ) == 0x0 00077 428 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0 00078 428 NtQueryValueKey (28, (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00079 428 NtClose (28, ... ) == 0x0 00080 428 NtAllocateVirtualMemory (-1, 1388544, 0, 4096, 4096, 4, ... 1388544, 4096, ) == 0x0 00081 428 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0 00082 428 NtQueryValueKey (28, (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00083 428 NtQueryValueKey (28, (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00084 428 NtClose (28, ... ) == 0x0 00085 428 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0 00086 428 NtQueryValueKey (28, (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00087 428 NtClose (28, ... ) == 0x0 00088 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 
28, ) == 0x0 00089 428 NtSetInformationObject (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0 00090 428 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00091 428 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00092 428 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0} (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0} "\210\6\31\1\0\0\0\0\314\4\23\0!\215\30\34\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 412, 428, 1478, 0} "XQ\26\0\0\0\0\0\0\0\0\0!\215\30\34\3\0\0\0\234\6\31\1$\1\0\0" ) ... {28, 56, reply, 0, 412, 428, 1478, 0} (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0} "\210\6\31\1\0\0\0\0\314\4\23\0!\215\30\34\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 412, 428, 1478, 0} "XQ\26\0\0\0\0\0\0\0\0\0!\215\30\34\3\0\0\0\234\6\31\1$\1\0\0" ) ) == 0x0 00093 428 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00094 428 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x480000), 0x0, 1060864, ) == 0x0 00095 428 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 36, ) == 0x0 00096 428 NtOpenThreadTokenEx (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN 00097 428 NtOpenProcessTokenEx (-1, 0x8, 512, ... -2147482020, ) == 0x0 00098 428 NtQueryInformationToken (-2147482020, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL 00099 428 NtQueryInformationToken (-2147482020, Statistics, 56, ... 
{token info, class 10, size 56}, 56, ) == 0x0 00100 428 NtClose (-2147482020, ... ) == 0x0 00101 428 NtAllocateVirtualMemory (-1, 0, 0, 32, 4096, 4, ... 5832704, 4096, ) == 0x0 00102 428 NtFreeVirtualMemory (-1, (0x590000), 4096, 32768, ... (0x590000), 4096, ) == 0x0 00103 428 NtDuplicateObject (-1, 40, -1, 0x0, 0, 2, ... 48, ) == 0x0 00104 428 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00105 428 NtQueryValueKey (-2147482020, (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00106 428 NtClose (-2147482020, ... ) == 0x0 00107 428 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00108 428 NtQueryValueKey (-2147482020, (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00109 428 NtClose (-2147482020, ... ) == 0x0 00110 428 NtQueryDefaultLocale (0, -104224244, ... ) == 0x0 00111 428 NtGdiQueryFontAssocInfo (0, ... ) == 0x0 00112 428 NtUserCallNoParam (24, ... ) == 0x0 00113 428 NtGdiCreateCompatibleDC (0, ... 00114 428 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 5832704, 4096, ) == 0x0 00113 428 NtGdiCreateCompatibleDC ... ) == 0x100103fb 00115 428 NtGdiGetStockObject (0, ... ) == 0x1900010 00116 428 NtGdiGetStockObject (4, ... ) == 0x1900011 00117 428 NtGdiCreateBitmap (8, 8, 1, 1, 2010393708, ... ) == 0x1405031c 00118 428 NtGdiCreateSolidBrush (0, 0, ... 00119 428 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 9043968, 4096, ) == 0x0 00118 428 NtGdiCreateSolidBrush ... ) == 0x1310031d 00120 428 NtGdiGetStockObject (13, ... ) == 0x18a0021 00121 428 NtGdiCreateCompatibleDC (0, ... 
) == 0x70010383 00122 428 NtGdiSelectBitmap (1879114627, 335872796, ... ) == 0x185000f 00123 428 NtUserGetThreadDesktop (428, 0, ... ) == 0x2c 00124 428 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 52, ) }, ... 52, ) == 0x0 00125 428 NtQueryValueKey (52, (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 00126 428 NtClose (52, ... ) == 0x0 00127 428 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00128 428 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 673, 128, 0, ... ) == 0x810dc017 00129 428 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00130 428 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 674, 128, 0, ... ) == 0x810dc01c 00131 428 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00132 428 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 675, 128, 0, ... ) == 0x810dc01e 00133 428 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00134 428 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 676, 128, 0, ... ) == 0x810d8002 00135 428 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10013 00136 428 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 677, 128, 0, ... ) == 0x810dc018 00137 428 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00138 428 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 678, 128, 0, ... ) == 0x810dc01a 00139 428 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00140 428 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 679, 128, 0, ... 
) == 0x810dc01d 00141 428 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00142 428 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 681, 128, 0, ... 00143 428 NtAllocateVirtualMemory (-1, 5992448, 0, 4096, 4096, 32, ... 5992448, 4096, ) == 0x0 00142 428 NtUserRegisterClassExWOW ... ) == 0x810dc026 00144 428 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00145 428 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 680, 128, 0, ... ) == 0x810dc019 00146 428 NtUserRegisterClassExWOW (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc020 00147 428 NtUserRegisterClassExWOW (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810dc022 00148 428 NtUserRegisterClassExWOW (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc023 00149 428 NtUserRegisterClassExWOW (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810dc024 00150 428 NtUserRegisterClassExWOW (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc025 00151 428 NtCallbackReturn (0, 0, 0, ... 00152 428 NtGdiInit (... ) == 0x1 00153 428 NtGdiGetStockObject (18, ... ) == 0x290001c 00154 428 NtGdiGetStockObject (19, ... ) == 0x1b00019 00155 428 NtAllocateVirtualMemory (-1, 0, 0, 8878, 4096, 4, ... 9109504, 12288, ) == 0x0 00156 428 NtFreeVirtualMemory (-1, (0x8b0000), 0, 32768, ... (0x8b0000), 12288, ) == 0x0 00157 428 NtQueryVirtualMemory (-1, 0x44acbe, Basic, 28, ... {BaseAddress=0x44a000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0x5000,State=0x1000,Protect=0x4,Type=0x1000000,}, 28, ) == 0x0 00158 428 NtAllocateVirtualMemory (-1, 1392640, 0, 4096, 4096, 4, ... 1392640, 4096, ) == 0x0 00159 428 NtProtectVirtualMemory (-1, (0x4001f8), 40, 4, ... (0x400000), 4096, 2, ) == 0x0 00160 428 NtProtectVirtualMemory (-1, (0x4001f8), 40, 2, ... (0x400000), 4096, 4, ) == 0x0 00161 428 NtProtectVirtualMemory (-1, (0x400220), 40, 4, ... 
(0x400000), 4096, 2, ) == 0x0 00162 428 NtProtectVirtualMemory (-1, (0x400220), 40, 2, ... (0x400000), 4096, 4, ) == 0x0 00163 428 NtProtectVirtualMemory (-1, (0x400248), 40, 4, ... (0x400000), 4096, 2, ) == 0x0 00164 428 NtProtectVirtualMemory (-1, (0x400248), 40, 2, ... (0x400000), 4096, 4, ) == 0x0 00165 428 NtProtectVirtualMemory (-1, (0x400270), 40, 4, ... (0x400000), 4096, 2, ) == 0x0 00166 428 NtProtectVirtualMemory (-1, (0x400270), 40, 2, ... (0x400000), 4096, 4, ) == 0x0 00167 428 NtProtectVirtualMemory (-1, (0x400298), 40, 4, ... (0x400000), 4096, 2, ) == 0x0 00168 428 NtProtectVirtualMemory (-1, (0x400298), 40, 2, ... (0x400000), 4096, 4, ) == 0x0 00169 428 NtProtectVirtualMemory (-1, (0x4002c0), 40, 4, ... (0x400000), 4096, 2, ) == 0x0 00170 428 NtProtectVirtualMemory (-1, (0x4002c0), 40, 2, ... (0x400000), 4096, 4, ) == 0x0 00171 428 NtProtectVirtualMemory (-1, (0x4002e8), 40, 4, ... (0x400000), 4096, 2, ) == 0x0 00172 428 NtProtectVirtualMemory (-1, (0x4002e8), 40, 2, ... (0x400000), 4096, 4, ) == 0x0 00173 428 NtProtectVirtualMemory (-1, (0x400310), 40, 4, ... (0x400000), 4096, 2, ) == 0x0 00174 428 NtProtectVirtualMemory (-1, (0x400310), 40, 2, ... (0x400000), 4096, 4, ) == 0x0 00175 428 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 52, ) }, ... 52, ) == 0x0 00176 428 NtQueryValueKey (52, (52, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00177 428 NtClose (52, ... ) == 0x0 00178 428 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "MPR.dll"}, ... 52, ) }, ... 52, ) == 0x0 00179 428 NtMapViewOfSection (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71b20000), 0x0, 69632, ) == 0x0 00180 428 NtClose (52, ... ) == 0x0 00181 428 NtCreateSemaphore (0x1f0003, 0x0, 1, 1, ... 52, ) == 0x0 00182 428 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 
56, ) == 0x0 00183 428 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "system\CurrentControlSet\control\NetworkProvider\HwOrder"}, ... 60, ) }, ... 60, ) == 0x0 00184 428 NtNotifyChangeKey (60, 56, 0, 0, 2011390432, 4, 0, 0, 0, 1, ... ) == 0x103 00185 428 NtQueryInformationProcess (-1, 28, 4, ... {process info, class 28, size 4}, 0x0, ) == 0x0 00186 428 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 64, ) == 0x0 00187 428 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 68, ) == 0x0 00188 428 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SHELL32.dll"}, ... 72, ) }, ... 72, ) == 0x0 00189 428 NtMapViewOfSection (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 8339456, ) == 0x0 00190 428 NtClose (72, ... ) == 0x0 00191 428 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 72, ) }, ... 72, ) == 0x0 00192 428 NtMapViewOfSection (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0 00193 428 NtClose (72, ... ) == 0x0 00194 428 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 72, ) }, ... 72, ) == 0x0 00195 428 NtMapViewOfSection (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x772d0000), 0x0, 405504, ) == 0x0 00196 428 NtClose (72, ... ) == 0x0 00197 428 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00198 428 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9109504, 65536, ) == 0x0 00199 428 NtAllocateVirtualMemory (-1, 9109504, 0, 4096, 4096, 4, ... 9109504, 4096, ) == 0x0 00200 428 NtAllocateVirtualMemory (-1, 9113600, 0, 8192, 4096, 4, ... 
9113600, 8192, ) == 0x0 00201 428 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 72, ) }, ... 72, ) == 0x0 00202 428 NtMapViewOfSection (72, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x8c0000), 0x0, 12288, ) == 0x0 00203 428 NtClose (72, ... ) == 0x0 00204 428 NtAllocateVirtualMemory (-1, 9121792, 0, 4096, 4096, 4, ... 9121792, 4096, ) == 0x0 00205 428 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00206 428 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 72, ) }, ... 72, ) == 0x0 00207 428 NtQueryValueKey (72, (72, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (72, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00208 428 NtClose (72, ... ) == 0x0 00209 428 NtQueryDefaultUILanguage (1239840, ... 00210 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00211 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482020, ) == 0x0 00212 428 NtQueryInformationToken (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00213 428 NtClose (-2147482020, ... ) == 0x0 00214 428 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00215 428 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00216 428 NtOpenKey (0x80000000, {24, -2147482020, 0x640, 0, 0, (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... 
-2147482032, ) == 0x0 00217 428 NtQueryValueKey (-2147482032, (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00218 428 NtClose (-2147482032, ... ) == 0x0 00219 428 NtClose (-2147482020, ... ) == 0x0 00209 428 NtQueryDefaultUILanguage ... ) == 0x0 00220 428 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00221 428 NtQueryInstallUILanguage (2012047340, ... ) == 0x0 00222 428 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1, 96, ... 72, {status=0x0, info=1}, ) }, 1, 96, ... 72, {status=0x0, info=1}, ) == 0x0 00223 428 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 72, ... 76, ) == 0x0 00224 428 NtMapViewOfSection (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x8d0000), 0x0, 8323072, ) == 0x0 00225 428 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00226 428 NtQueryDefaultUILanguage (2013024600, ... 00227 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00228 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482020, ) == 0x0 00229 428 NtQueryInformationToken (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00230 428 NtClose (-2147482020, ... ) == 0x0 00231 428 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00232 428 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00233 428 NtOpenKey (0x80000000, {24, -2147482020, 0x640, 0, 0, (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 00234 428 NtQueryValueKey (-2147482032, (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00235 428 NtClose (-2147482032, ... ) == 0x0 00236 428 NtClose (-2147482020, ... ) == 0x0 00226 428 NtQueryDefaultUILanguage ... ) == 0x0 00237 428 NtAllocateVirtualMemory (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0 00238 428 NtQueryInstallUILanguage (2013024602, ... ) == 0x0 00239 428 NtQueryDefaultLocale (1, 1237876, ... ) == 0x0 00240 428 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00241 428 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1238732, 1, 96, 0} (24, {128, 156, new_msg, 0, 1238732, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1H\0\0\0\377\377\377\377\0\0\0\0\20\311\304\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\314\355\22\0\0\0\0\0" ... {128, 156, reply, 0, 412, 428, 1489, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1H\0\0\0\377\377\377\377\0\0\0\0\20\311\304\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\314\355\22\0\0\0\0\0" ) ... 
{128, 156, reply, 0, 412, 428, 1489, 0} (24, {128, 156, new_msg, 0, 1238732, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1H\0\0\0\377\377\377\377\0\0\0\0\20\311\304\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\314\355\22\0\0\0\0\0" ... {128, 156, reply, 0, 412, 428, 1489, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1H\0\0\0\377\377\377\377\0\0\0\0\20\311\304\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\314\355\22\0\0\0\0\0" ) ) == 0x0 00242 428 NtClose (72, ... ) == 0x0 00243 428 NtClose (76, ... ) == 0x0 00244 428 NtUnmapViewOfSection (-1, 0x8d0000, ... ) == 0x0 00245 428 NtUnmapViewOfSection (-1, 0x12edcc, ... ) == STATUS_NOT_MAPPED_VIEW 00246 428 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00247 428 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00248 428 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00249 428 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00250 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1236960, ... ) }, 1236960, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00251 428 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00252 428 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00253 428 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00254 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1237552, ... ) }, 1237552, ... 
) == 0x0 00255 428 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 76, {status=0x0, info=1}, ) }, 3, 33, ... 76, {status=0x0, info=1}, ) == 0x0 00256 428 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00257 428 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 72, {status=0x0, info=1}, ) }, 5, 96, ... 72, {status=0x0, info=1}, ) == 0x0 00258 428 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 72, ... 80, ) == 0x0 00259 428 NtClose (72, ... ) == 0x0 00260 428 NtMapViewOfSection (80, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x8d0000), 0x0, 921600, ) == 0x0 00261 428 NtClose (80, ... ) == 0x0 00262 428 NtUnmapViewOfSection (-1, 0x8d0000, ... ) == 0x0 00263 428 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 80, {status=0x0, info=1}, ) }, 5, 96, ... 80, {status=0x0, info=1}, ) == 0x0 00264 428 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 80, ... 72, ) == 0x0 00265 428 NtQuerySection (72, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00266 428 NtOpenProcessToken (-1, 0x8, ... 84, ) == 0x0 00267 428 NtQueryInformationToken (84, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0 00268 428 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00269 428 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 88, ) }, ... 88, ) == 0x0 00270 428 NtQueryValueKey (88, (88, "TransparentEnabled", Partial, 80, ... 
TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (88, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00271 428 NtClose (88, ... ) == 0x0 00272 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00273 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 88, ) == 0x0 00274 428 NtQueryInformationToken (88, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00275 428 NtClose (88, ... ) == 0x0 00276 428 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00277 428 NtClose (84, ... ) == 0x0 00278 428 NtClose (80, ... ) == 0x0 00279 428 NtMapViewOfSection (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0 00280 428 NtClose (72, ... ) == 0x0 00281 428 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00282 428 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00283 428 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00284 428 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00285 428 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00286 428 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00287 428 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00288 428 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00289 428 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00290 428 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00291 428 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... 
(0x71951000), 4096, 4, ) == 0x0 00292 428 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00293 428 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00294 428 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00295 428 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00296 428 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00297 428 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00298 428 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00299 428 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00300 428 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00301 428 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00302 428 NtAddAtom ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1238736, ... ) , 42, 1238736, ... ) == 0x0 00303 428 NtQueryDefaultUILanguage (1237452, ... 00304 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00305 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482020, ) == 0x0 00306 428 NtQueryInformationToken (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00307 428 NtClose (-2147482020, ... ) == 0x0 00308 428 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00309 428 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00310 428 NtOpenKey (0x80000000, {24, -2147482020, 0x640, 0, 0, (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... 
-2147482032, ) == 0x0 00311 428 NtQueryValueKey (-2147482032, (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00312 428 NtClose (-2147482032, ... ) == 0x0 00313 428 NtClose (-2147482020, ... ) == 0x0 00303 428 NtQueryDefaultUILanguage ... ) == 0x0 00314 428 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00315 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1236304, ... ) }, 1236304, ... ) == 0x0 00316 428 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 72, {status=0x0, info=1}, ) }, 5, 96, ... 72, {status=0x0, info=1}, ) == 0x0 00317 428 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 72, ... 80, ) == 0x0 00318 428 NtClose (72, ... ) == 0x0 00319 428 NtMapViewOfSection (80, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x8d0000), 0x0, 4096, ) == 0x0 00320 428 NtClose (80, ... ) == 0x0 00321 428 NtUnmapViewOfSection (-1, 0x8d0000, ... ) == 0x0 00322 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1235944, ... ) }, 1235944, ... ) == 0x0 00323 428 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1236644, (0x80100080, {24, 0, 0x40, 0, 1236644, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 80, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 80, {status=0x0, info=1}, ) == 0x0 00324 428 NtCreateSection (0xf0005, 0x0, 0x0, 2, 134217728, 80, ... 72, ) == 0x0 00325 428 NtClose (80, ... ) == 0x0 00326 428 NtMapViewOfSection (72, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x8d0000), {0, 0}, 4096, ) == 0x0 00327 428 NtClose (72, ... ) == 0x0 00328 428 NtUnmapViewOfSection (-1, 0x8d0000, ... 
) == 0x0 00329 428 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 72, {status=0x0, info=1}, ) }, 1, 96, ... 72, {status=0x0, info=1}, ) == 0x0 00330 428 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 72, ... 80, ) == 0x0 00331 428 NtMapViewOfSection (80, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x8d0000), 0x0, 4096, ) == 0x0 00332 428 NtQueryInformationFile (72, 1236264, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0 00333 428 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00334 428 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1236344, 1, 96, 0} (24, {128, 156, new_msg, 0, 1236344, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1H\0\0\0P\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0x\344\22\0\0\0\0\0" ... {128, 156, reply, 0, 412, 428, 1490, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1H\0\0\0P\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0x\344\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 412, 428, 1490, 0} (24, {128, 156, new_msg, 0, 1236344, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1H\0\0\0P\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0x\344\22\0\0\0\0\0" ... 
{128, 156, reply, 0, 412, 428, 1490, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1H\0\0\0P\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0x\344\22\0\0\0\0\0" ) ) == 0x0 00335 428 NtClose (72, ... ) == 0x0 00336 428 NtClose (80, ... ) == 0x0 00337 428 NtUnmapViewOfSection (-1, 0x8d0000, ... ) == 0x0 00338 428 NtUnmapViewOfSection (-1, 0x12e478, ... ) == STATUS_NOT_MAPPED_VIEW 00339 428 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00340 428 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 00341 428 NtUserSystemParametersInfo (104, 0, 1906151468, 0, ... ) == 0x1 00342 428 NtUserGetDC (0, ... ) == 0x1010053 00343 428 NtUserCallOneParam (16842835, 56, ... ) == 0x1 00344 428 NtUserSystemParametersInfo (38, 4, 1906153440, 0, ... ) == 0x1 00345 428 NtUserSystemParametersInfo (66, 12, 1238756, 0, ... ) == 0x1 00346 428 NtOpenProcessToken (-1, 0x8, ... 80, ) == 0x0 00347 428 NtAccessCheck (1396656, 80, 0x1, 1238160, 1238104, 56, 1238188, ... ) == STATUS_NO_IMPERSONATION_TOKEN 00348 428 NtClose (80, ... ) == 0x0 00349 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00350 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 80, ) == 0x0 00351 428 NtQueryInformationToken (80, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00352 428 NtClose (80, ... ) == 0x0 00353 428 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 80, ) }, ... 80, ) == 0x0 00354 428 NtSetInformationObject (80, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0 00355 428 NtOpenKey (0x20019, {24, 80, 0x40, 0, 0, (0x20019, {24, 80, 0x40, 0, 0, "Control Panel\Desktop"}, ... 72, ) }, ... 72, ) == 0x0 00356 428 NtQueryValueKey (72, (72, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00357 428 NtClose (72, ... ) == 0x0 00358 428 NtUserSystemParametersInfo (41, 500, 1238256, 0, ... ) == 0x1 00359 428 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 72, ) }, ... 72, ) == 0x0 00360 428 NtQueryValueKey (72, (72, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00361 428 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 84, ) }, ... 84, ) == 0x0 00362 428 NtQueryValueKey (84, (84, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00363 428 NtClose (84, ... ) == 0x0 00364 428 NtClose (72, ... ) == 0x0 00365 428 NtUserSystemParametersInfo (102, 0, 1906153328, 0, ... ) == 0x1 00366 428 NtUserSystemParametersInfo (4130, 0, 1238780, 0, ... ) == 0x1 00367 428 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 72, ) }, ... 72, ) == 0x0 00368 428 NtEnumerateValueKey (72, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 00369 428 NtClose (72, ... ) == 0x0 00370 428 NtUserFindExistingCursorIcon (1238064, 1238080, 1238648, ... ) == 0x10011 00371 428 NtUserRegisterClassExWOW (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc03b 00372 428 NtUserRegisterClassExWOW (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc03d 00373 428 NtUserFindExistingCursorIcon (1238060, 1238076, 1238644, ... ) == 0x10011 00374 428 NtUserRegisterClassExWOW (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810dc03f 00375 428 NtUserFindExistingCursorIcon (1238064, 1238080, 1238648, ... ) == 0x10011 00376 428 NtUserRegisterClassExWOW (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc041 00377 428 NtUserFindExistingCursorIcon (1238064, 1238080, 1238648, ... 
) == 0x10011 00378 428 NtUserRegisterClassExWOW (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc043 00379 428 NtUserRegisterClassExWOW (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc045 00380 428 NtUserFindExistingCursorIcon (1238064, 1238080, 1238648, ... ) == 0x10011 00381 428 NtUserRegisterClassExWOW (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc047 00382 428 NtUserFindExistingCursorIcon (1238060, 1238076, 1238644, ... ) == 0x10011 00383 428 NtUserRegisterClassExWOW (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810dc049 00384 428 NtUserGetClassInfo (1905590272, 1238676, 1238628, 1238704, 0, ... ) == 0xc049 00385 428 NtUserFindExistingCursorIcon (1238064, 1238080, 1238648, ... ) == 0x10011 00386 428 NtUserRegisterClassExWOW (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc04b 00387 428 NtUserFindExistingCursorIcon (1238064, 1238080, 1238648, ... ) == 0x10011 00388 428 NtUserRegisterClassExWOW (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc04d 00389 428 NtUserFindExistingCursorIcon (1238064, 1238080, 1238648, ... ) == 0x10011 00390 428 NtUserRegisterClassExWOW (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc04f 00391 428 NtUserRegisterClassExWOW (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc051 00392 428 NtUserFindExistingCursorIcon (1238064, 1238080, 1238648, ... ) == 0x10011 00393 428 NtUserRegisterClassExWOW (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc053 00394 428 NtUserFindExistingCursorIcon (1238060, 1238076, 1238644, ... ) == 0x10011 00395 428 NtUserRegisterClassExWOW (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810dc055 00396 428 NtUserRegisterClassExWOW (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810dc057 00397 428 NtUserFindExistingCursorIcon (1238064, 1238080, 1238648, ... ) == 0x10011 00398 428 NtUserRegisterClassExWOW (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... 
) == 0x810dc059 00399 428 NtUserFindExistingCursorIcon (1238064, 1238080, 1238648, ... ) == 0x10013 00400 428 NtUserRegisterClassExWOW (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc05b 00401 428 NtUserFindExistingCursorIcon (1238064, 1238080, 1238648, ... ) == 0x10011 00402 428 NtUserRegisterClassExWOW (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc05d 00403 428 NtUserFindExistingCursorIcon (1238064, 1238080, 1238648, ... ) == 0x10011 00404 428 NtUserRegisterClassExWOW (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc05f 00405 428 NtUserFindExistingCursorIcon (1238060, 1238076, 1238644, ... ) == 0x10011 00406 428 NtUserRegisterClassExWOW (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810dc017 00407 428 NtUserFindExistingCursorIcon (1238060, 1238076, 1238644, ... ) == 0x10011 00408 428 NtUserRegisterClassExWOW (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810dc019 00409 428 NtUserFindExistingCursorIcon (1238060, 1238076, 1238644, ... ) == 0x10013 00410 428 NtUserRegisterClassExWOW (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810dc018 00411 428 NtUserFindExistingCursorIcon (1238064, 1238080, 1238648, ... ) == 0x10011 00412 428 NtUserRegisterClassExWOW (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc01a 00413 428 NtUserFindExistingCursorIcon (1238060, 1238076, 1238644, ... ) == 0x10011 00414 428 NtUserRegisterClassExWOW (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810dc01c 00415 428 NtUserFindExistingCursorIcon (1238064, 1238080, 1238648, ... ) == 0x10011 00416 428 NtUserRegisterClassExWOW (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... 00417 428 NtAllocateVirtualMemory (-1, 5996544, 0, 4096, 4096, 32, ... 5996544, 4096, ) == 0x0 00416 428 NtUserRegisterClassExWOW ... ) == 0x810dc01e 00418 428 NtUserFindExistingCursorIcon (1238060, 1238076, 1238644, ... 
) == 0x10011 00419 428 NtUserRegisterClassExWOW (1238572, 1238652, 1238636, 1238668, 0, 384, 0, ... ) == 0x810dc01b 00420 428 NtUserFindExistingCursorIcon (1238056, 1238072, 1238640, ... ) == 0x10011 00421 428 NtUserRegisterClassExWOW (1238568, 1238648, 1238632, 1238664, 0, 384, 0, ... ) == 0x810dc068 00422 428 NtUserFindExistingCursorIcon (1238064, 1238080, 1238648, ... ) == 0x10011 00423 428 NtUserRegisterClassExWOW (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc06a 00424 428 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "comctl32.dll"}, ... 72, ) }, ... 72, ) == 0x0 00425 428 NtMapViewOfSection (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0 00426 428 NtClose (72, ... ) == 0x0 00427 428 NtOpenProcess (0x400, {24, 0, 0x0, 0, 0, 0x0}, {412, 0}, ... 72, ) == 0x0 00428 428 NtQueryInformationProcess (72, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0 00429 428 NtClose (72, ... ) == 0x0 00430 428 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 00431 428 NtUserSystemParametersInfo (104, 0, 2000318720, 0, ... ) == 0x1 00432 428 NtUserSystemParametersInfo (38, 4, 2000318708, 0, ... ) == 0x1 00433 428 NtOpenKey (0x20019, {24, 80, 0x40, 0, 0, (0x20019, {24, 80, 0x40, 0, 0, "Control Panel\Desktop"}, ... 72, ) }, ... 72, ) == 0x0 00434 428 NtQueryValueKey (72, (72, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00435 428 NtClose (72, ... ) == 0x0 00436 428 NtUserSystemParametersInfo (41, 500, 1239416, 0, ... ) == 0x1 00437 428 NtUserSystemParametersInfo (102, 0, 2000318732, 0, ... ) == 0x1 00438 428 NtUserGetClassInfo (1999896576, 1239824, 1239776, 1239852, 0, ... ) == 0x0 00439 428 NtUserFindExistingCursorIcon (1239208, 1239224, 1239792, ... ) == 0x10011 00440 428 NtUserRegisterClassExWOW (1239660, 1239740, 1239724, 1239756, 0, 384, 0, ... ) == 0x810dc03b 00441 428 NtUserGetClassInfo (1999896576, 1239824, 1239776, 1239852, 0, ... 
) == 0x0 00442 428 NtUserRegisterClassExWOW (1239660, 1239740, 1239724, 1239756, 0, 384, 0, ... ) == 0x810dc03d 00443 428 NtUserGetClassInfo (1999896576, 1239824, 1239776, 1239852, 0, ... ) == 0x0 00444 428 NtUserFindExistingCursorIcon (1239208, 1239224, 1239792, ... ) == 0x10011 00445 428 NtUserRegisterClassExWOW (1239660, 1239740, 1239724, 1239756, 0, 384, 0, ... ) == 0x810dc03f 00446 428 NtUserGetClassInfo (1999896576, 1239824, 1239776, 1239852, 0, ... ) == 0x0 00447 428 NtUserFindExistingCursorIcon (1239208, 1239224, 1239792, ... ) == 0x10011 00448 428 NtUserRegisterClassExWOW (1239660, 1239740, 1239724, 1239756, 0, 384, 0, ... ) == 0x810dc041 00449 428 NtUserGetClassInfo (1999896576, 1239824, 1239776, 1239852, 0, ... ) == 0x0 00450 428 NtUserFindExistingCursorIcon (1239208, 1239224, 1239792, ... ) == 0x10011 00451 428 NtUserRegisterClassExWOW (1239660, 1239740, 1239724, 1239756, 0, 384, 0, ... ) == 0x810dc043 00452 428 NtUserGetClassInfo (1999896576, 1239824, 1239776, 1239852, 0, ... ) == 0x0 00453 428 NtUserRegisterClassExWOW (1239660, 1239740, 1239724, 1239756, 0, 384, 0, ... ) == 0x810dc045 00454 428 NtUserGetClassInfo (1999896576, 1239824, 1239776, 1239852, 0, ... ) == 0x0 00455 428 NtUserFindExistingCursorIcon (1239208, 1239224, 1239792, ... ) == 0x10011 00456 428 NtUserRegisterClassExWOW (1239660, 1239740, 1239724, 1239756, 0, 384, 0, ... ) == 0x810dc047 00457 428 NtUserGetClassInfo (1999896576, 1239824, 1239776, 1239852, 0, ... ) == 0x0 00458 428 NtUserFindExistingCursorIcon (1239204, 1239220, 1239788, ... ) == 0x10011 00459 428 NtUserRegisterClassExWOW (1239656, 1239736, 1239720, 1239752, 0, 384, 0, ... ) == 0x810dc049 00460 428 NtUserGetClassInfo (1999896576, 1239824, 1239776, 1239852, 0, ... ) == 0x0 00461 428 NtUserFindExistingCursorIcon (1239208, 1239224, 1239792, ... ) == 0x10011 00462 428 NtUserRegisterClassExWOW (1239660, 1239740, 1239724, 1239756, 0, 384, 0, ... 
) == 0x810dc04b 00463 428 NtUserGetClassInfo (1999896576, 1239824, 1239776, 1239852, 0, ... ) == 0x0 00464 428 NtUserFindExistingCursorIcon (1239208, 1239224, 1239792, ... ) == 0x10011 00465 428 NtUserRegisterClassExWOW (1239660, 1239740, 1239724, 1239756, 0, 384, 0, ... ) == 0x810dc04d 00466 428 NtUserGetClassInfo (1999896576, 1239824, 1239776, 1239852, 0, ... ) == 0x0 00467 428 NtUserFindExistingCursorIcon (1239208, 1239224, 1239792, ... ) == 0x10011 00468 428 NtUserRegisterClassExWOW (1239660, 1239740, 1239724, 1239756, 0, 384, 0, ... ) == 0x810dc04f 00469 428 NtUserGetClassInfo (1999896576, 1239828, 1239780, 1239856, 0, ... ) == 0x0 00470 428 NtUserRegisterClassExWOW (1239664, 1239744, 1239728, 1239760, 0, 384, 0, ... ) == 0x810dc051 00471 428 NtUserGetClassInfo (1999896576, 1239824, 1239776, 1239852, 0, ... ) == 0x0 00472 428 NtUserFindExistingCursorIcon (1239208, 1239224, 1239792, ... ) == 0x10011 00473 428 NtUserRegisterClassExWOW (1239660, 1239740, 1239724, 1239756, 0, 384, 0, ... ) == 0x810dc053 00474 428 NtUserGetClassInfo (1999896576, 1239824, 1239776, 1239852, 0, ... ) == 0x0 00475 428 NtUserFindExistingCursorIcon (1239208, 1239224, 1239792, ... ) == 0x10011 00476 428 NtUserRegisterClassExWOW (1239660, 1239740, 1239724, 1239756, 0, 384, 0, ... ) == 0x810dc055 00477 428 NtUserRegisterClassExWOW (1239660, 1239740, 1239724, 1239756, 0, 384, 0, ... ) == 0x810dc057 00478 428 NtUserGetClassInfo (1999896576, 1239824, 1239776, 1239852, 0, ... ) == 0x0 00479 428 NtUserFindExistingCursorIcon (1239208, 1239224, 1239792, ... ) == 0x10011 00480 428 NtUserRegisterClassExWOW (1239660, 1239740, 1239724, 1239756, 0, 384, 0, ... ) == 0x810dc059 00481 428 NtUserGetClassInfo (1999896576, 1239824, 1239776, 1239852, 0, ... ) == 0x0 00482 428 NtUserFindExistingCursorIcon (1239208, 1239224, 1239792, ... ) == 0x10013 00483 428 NtUserRegisterClassExWOW (1239660, 1239740, 1239724, 1239756, 0, 384, 0, ... 
) == 0x810dc05b 00484 428 NtUserGetClassInfo (1999896576, 1239824, 1239776, 1239852, 0, ... ) == 0x0 00485 428 NtUserFindExistingCursorIcon (1239208, 1239224, 1239792, ... ) == 0x10011 00486 428 NtUserRegisterClassExWOW (1239660, 1239740, 1239724, 1239756, 0, 384, 0, ... ) == 0x810dc05d 00487 428 NtUserGetClassInfo (1999896576, 1239824, 1239776, 1239852, 0, ... ) == 0x0 00488 428 NtUserFindExistingCursorIcon (1239208, 1239224, 1239792, ... ) == 0x10011 00489 428 NtUserRegisterClassExWOW (1239660, 1239740, 1239724, 1239756, 0, 384, 0, ... ) == 0x810dc05f 00490 428 NtUserGetClassInfo (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc03b 00491 428 NtUserGetClassInfo (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc03d 00492 428 NtUserGetClassInfo (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc03f 00493 428 NtUserGetClassInfo (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc041 00494 428 NtUserGetClassInfo (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc043 00495 428 NtUserGetClassInfo (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc045 00496 428 NtUserGetClassInfo (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc047 00497 428 NtUserGetClassInfo (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc049 00498 428 NtUserGetClassInfo (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc04b 00499 428 NtUserGetClassInfo (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc04d 00500 428 NtUserGetClassInfo (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc04f 00501 428 NtUserGetClassInfo (1999896576, 1241580, 1241532, 1241608, 0, ... ) == 0xc051 00502 428 NtUserGetClassInfo (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc053 00503 428 NtUserGetClassInfo (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc055 00504 428 NtUserGetClassInfo (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc059 00505 428 NtUserGetClassInfo (1999896576, 1241576, 1241528, 1241604, 0, ... 
) == 0xc05b 00506 428 NtUserGetClassInfo (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc05d 00507 428 NtUserGetClassInfo (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc05f 00508 428 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WININET.dll"}, ... 72, ) }, ... 72, ) == 0x0 00509 428 NtMapViewOfSection (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76200000), 0x0, 618496, ) == 0x0 00510 428 NtClose (72, ... ) == 0x0 00511 428 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "CRYPT32.dll"}, ... 72, ) }, ... 72, ) == 0x0 00512 428 NtMapViewOfSection (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762c0000), 0x0, 565248, ) == 0x0 00513 428 NtClose (72, ... ) == 0x0 00514 428 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "MSASN1.dll"}, ... 72, ) }, ... 72, ) == 0x0 00515 428 NtMapViewOfSection (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762a0000), 0x0, 61440, ) == 0x0 00516 428 NtClose (72, ... ) == 0x0 00517 428 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "OLEAUT32.dll"}, ... 72, ) }, ... 72, ) == 0x0 00518 428 NtMapViewOfSection (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0 00519 428 NtClose (72, ... ) == 0x0 00520 428 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "OLE32.DLL"}, ... 72, ) }, ... 72, ) == 0x0 00521 428 NtMapViewOfSection (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0 00522 428 NtClose (72, ... ) == 0x0 00523 428 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\crypt32\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00524 428 NtAllocateVirtualMemory (-1, 1396736, 0, 4096, 4096, 4, ... 1396736, 4096, ) == 0x0 00525 428 NtAllocateVirtualMemory (-1, 1400832, 0, 4096, 4096, 4, ... 1400832, 4096, ) == 0x0 00526 428 NtAllocateVirtualMemory (-1, 1404928, 0, 4096, 4096, 4, ... 
1404928, 4096, ) == 0x0 00527 428 NtAllocateVirtualMemory (-1, 1409024, 0, 4096, 4096, 4, ... 1409024, 4096, ) == 0x0 00528 428 NtOpenDirectoryObject (0x2000f, {24, 0, 0x40, 0, 0, (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 72, ) }, ... 72, ) == 0x0 00529 428 NtCreateEvent (0x1f0003, {24, 72, 0x80, 1241616, 0, (0x1f0003, {24, 72, 0x80, 1241616, 0, "Global\crypt32LogoffEvent"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED 00530 428 NtOpenEvent (0x100000, {24, 72, 0x0, 0, 0, (0x100000, {24, 72, 0x0, 0, 0, "Global\crypt32LogoffEvent"}, ... 84, ) }, ... 84, ) == 0x0 00531 428 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00532 428 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00533 428 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 88, ) }, ... 88, ) == 0x0 00534 428 NtQueryValueKey (88, (88, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0 00535 428 NtClose (88, ... ) == 0x0 00536 428 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00537 428 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00538 428 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00539 428 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00540 428 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 88, ) }, ... 88, ) == 0x0 00541 428 NtQueryValueKey (88, (88, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00542 428 NtQueryValueKey (88, (88, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00543 428 NtQueryValueKey (88, (88, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00544 428 NtClose (88, ... ) == 0x0 00545 428 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 88, ) }, ... 88, ) == 0x0 00546 428 NtQueryValueKey (88, (88, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00547 428 NtQueryValueKey (88, (88, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00548 428 NtClose (88, ... ) == 0x0 00549 428 NtOpenEvent (0x1f0003, {24, 72, 0x0, 0, 0, (0x1f0003, {24, 72, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00550 428 NtUserRegisterWindowMessage ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b 00551 428 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00552 428 NtAllocateVirtualMemory (-1, 1413120, 0, 4096, 4096, 4, ... 
1413120, 4096, ) == 0x0 00553 428 NtOpenKey (0x9, {24, 28, 0x40, 0, 0, (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00554 428 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00555 428 NtAllocateVirtualMemory (-1, 1417216, 0, 8192, 4096, 4, ... 1417216, 8192, ) == 0x0 00556 428 NtCreateKey (0xf003f, {24, 80, 0x40, 0, 0, (0xf003f, {24, 80, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History"}, 0, 0x0, 0, ... 88, 2, ) }, 0, 0x0, 0, ... 88, 2, ) == 0x0 00557 428 NtQueryDefaultUILanguage (1239852, ... 00558 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00559 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482020, ) == 0x0 00560 428 NtQueryInformationToken (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00561 428 NtClose (-2147482020, ... ) == 0x0 00562 428 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00563 428 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00564 428 NtOpenKey (0x80000000, {24, -2147482020, 0x640, 0, 0, (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 00565 428 NtQueryValueKey (-2147482032, (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00566 428 NtClose (-2147482032, ... ) == 0x0 00567 428 NtClose (-2147482020, ... ) == 0x0 00557 428 NtQueryDefaultUILanguage ... 
) == 0x0 00568 428 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00569 428 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll"}, 1, 96, ... 92, {status=0x0, info=1}, ) }, 1, 96, ... 92, {status=0x0, info=1}, ) == 0x0 00570 428 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 92, ... 96, ) == 0x0 00571 428 NtMapViewOfSection (96, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x8f0000), 0x0, 593920, ) == 0x0 00572 428 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00573 428 NtQueryDefaultLocale (1, 1237888, ... ) == 0x0 00574 428 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00575 428 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1238744, 1, 96, 0} (24, {128, 156, new_msg, 0, 1238744, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\\0\0\0\377\377\377\377\0\0\0\0P\275\226\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\330\355\22\0\0\0\0\0" ... {128, 156, reply, 0, 412, 428, 1491, 0} " S\26\0\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\\0\0\0\377\377\377\377\0\0\0\0P\275\226\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\330\355\22\0\0\0\0\0" ) ... 
{128, 156, reply, 0, 412, 428, 1491, 0} (24, {128, 156, new_msg, 0, 1238744, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\\0\0\0\377\377\377\377\0\0\0\0P\275\226\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\330\355\22\0\0\0\0\0" ... {128, 156, reply, 0, 412, 428, 1491, 0} " S\26\0\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\\0\0\0\377\377\377\377\0\0\0\0P\275\226\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\330\355\22\0\0\0\0\0" ) ) == 0x0 00576 428 NtClose (92, ... ) == 0x0 00577 428 NtClose (96, ... ) == 0x0 00578 428 NtUnmapViewOfSection (-1, 0x8f0000, ... ) == 0x0 00579 428 NtUnmapViewOfSection (-1, 0x12edd8, ... ) == STATUS_NOT_MAPPED_VIEW 00580 428 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00581 428 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00582 428 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00583 428 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00584 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1236428, ... ) }, 1236428, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00585 428 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00586 428 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00587 428 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00588 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1237020, ... ) }, 1237020, ... 
) == 0x0 00589 428 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 96, {status=0x0, info=1}, ) }, 3, 33, ... 96, {status=0x0, info=1}, ) == 0x0 00590 428 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00591 428 NtCreateKey (0x2001f, {24, 80, 0x40, 0, 0, (0x2001f, {24, 80, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 92, 2, ) }, 0, 0x0, 0, ... 92, 2, ) == 0x0 00592 428 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00593 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1241484, ... ) }, 1241484, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00594 428 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WS2_32.dll"}, 1241484, ... ) }, 1241484, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00595 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 1241484, ... ) }, 1241484, ... ) == 0x0 00596 428 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 5, 96, ... 100, {status=0x0, info=1}, ) }, 5, 96, ... 100, {status=0x0, info=1}, ) == 0x0 00597 428 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 100, ... 104, ) == 0x0 00598 428 NtQuerySection (104, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00599 428 NtClose (100, ... ) == 0x0 00600 428 NtMapViewOfSection (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 86016, ) == 0x0 00601 428 NtClose (104, ... ) == 0x0 00602 428 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00603 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1240680, ... ) }, 1240680, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00604 428 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WS2HELP.dll"}, 1240680, ... ) }, 1240680, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00605 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 1240680, ... ) }, 1240680, ... ) == 0x0 00606 428 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0 00607 428 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 104, ... 100, ) == 0x0 00608 428 NtQuerySection (100, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00609 428 NtClose (104, ... ) == 0x0 00610 428 NtMapViewOfSection (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0 00611 428 NtClose (100, ... ) == 0x0 00612 428 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00613 428 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00614 428 NtTestAlert (... ) == 0x0 00615 428 NtContinue (1244464, 1, ... 00616 428 NtSetInformationThread (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x478000,}, 4, ... ) == 0x0 00617 428 NtCreateEvent (0x1f0003, {24, 72, 0x80, 1245092, 0, (0x1f0003, {24, 72, 0x80, 1245092, 0, "VT_3"}, 1, 0, ... 100, ) }, 1, 0, ... 100, ) == 0x0 00618 428 NtCreateSection (0xf0007, {24, 72, 0x80, 1245092, 0, (0xf0007, {24, 72, 0x80, 1245092, 0, "W32_Virtu"}, {22585, 0}, 4, 134217728, 0, ... 104, ) }, {22585, 0}, 4, 134217728, 0, ... 104, ) == 0x0 00619 428 NtMapViewOfSection (104, -1, (0x0), 0, 22585, 0x0, 22585, 2, 0, 4, ... 
(0x8f0000), 0x0, 24576, ) == 0x0 00620 428 NtOpenProcessToken (-1, 0x20, ... 108, ) == 0x0 00621 428 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00622 428 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00623 428 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 112, ) }, ... 112, ) == 0x0 00624 428 NtQueryValueKey (112, (112, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00625 428 NtClose (112, ... ) == 0x0 00626 428 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00627 428 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 112, ) == 0x0 00628 428 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 116, ) == 0x0 00629 428 NtQuerySystemTime (... {424209132, 29873133}, ) == 0x0 00630 428 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 120, ) == 0x0 00631 428 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00632 428 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0 00633 428 NtQueryInformationProcess (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0 00634 428 NtQueryInformationProcess (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0 00635 428 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 
124, ) == 0x0 00636 428 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 128, ) == 0x0 00637 428 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 132, ) }, ... 132, ) == 0x0 00638 428 NtOpenKey (0x20019, {24, 132, 0x40, 0, 0, (0x20019, {24, 132, 0x40, 0, 0, "ActiveComputerName"}, ... 136, ) }, ... 136, ) == 0x0 00639 428 NtQueryValueKey (136, (136, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (136, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (136, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0 00640 428 NtClose (136, ... ) == 0x0 00641 428 NtClose (132, ... ) == 0x0 00642 428 NtCreateIoCompletion (0x1f0003, 0x0, 0, ... 132, ) == 0x0 00643 428 NtCreateIoCompletion (0x1f0003, 0x0, -1, ... 136, ) == 0x0 00644 428 NtDuplicateObject (-1, 132, -1, 0x0, 0, 2, ... 140, ) == 0x0 00645 428 NtAllocateVirtualMemory (-1, 1425408, 0, 4096, 4096, 4, ... 1425408, 4096, ) == 0x0 00646 428 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 00647 428 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 144, ) == 0x0 00648 428 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 00649 428 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 00650 428 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1243268, (0xc0100080, {24, 0, 0x40, 0, 1243268, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 148, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 148, {status=0x0, info=1}, ) == 0x0 00651 428 NtSetInformationFile (148, 1243324, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 00652 428 NtSetInformationFile (148, 1243316, 8, Completion, ... 
{status=0x0, info=0}, ) == 0x0 00653 428 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 00654 428 NtWriteFile (148, 125, 0, 0, (148, 125, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 00655 428 NtReadFile (148, 125, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (148, 125, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20v\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 00656 428 NtFsControlFile (148, 125, 0x0, 0x0, 0x11c017, (148, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0<\377\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20v\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68}, (148, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0<\377\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20v\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 00657 428 NtFsControlFile (148, 125, 0x0, 0x0, 0x11c017, (148, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\2\0\0\0H\0\0\0\0\0\37\0\0\0\0\0^8\354S\340?\334\21\261\310\0\14)\371\246\305 \0"\0H\254\25\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 96, 1024, ... 
{status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0^8\354S\340?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) \0H\254\25\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0 (148, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\2\0\0\0H\0\0\0\0\0\37\0\0\0\0\0^8\354S\340?\334\21\261\310\0\14)\371\246\305 \0"\0H\254\25\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 96, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0^8\354S\340?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) \5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0^8\354S\340?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) == 0x103 00658 428 NtFsControlFile (148, 125, 0x0, 0x0, 0x11c017, (148, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0^8\354S\340?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=36}, (148, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0^8\354S\340?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103 00659 428 NtClose (144, ... ) == 0x0 00660 428 NtClose (148, ... ) == 0x0 00661 428 NtAdjustPrivilegesToken (108, 0, 1245096, 0, 0, 0, ... ) == 0x0 00662 428 NtClose (108, ... ) == 0x0 00663 428 NtAllocateVirtualMemory (-1, 0, 0, 65536, 4096, 4, ... 9437184, 65536, ) == 0x0 00664 428 NtQuerySystemInformation (ProcessesAndThreads, 65536, ... {system info, class 5, size 500}, 0x0, ) == 0x0 00665 428 NtCreateSection (0xf0007, 0x0, {11728, 0}, 4, 134217728, 0, ... 108, ) == 0x0 00666 428 NtMapViewOfSection (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x910000), {0, 0}, 12288, ) == 0x0 00667 428 NtUnmapViewOfSection (-1, 0x910000, ... 
) == 0x0 00668 428 NtMapViewOfSection (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x910000), {0, 0}, 12288, ) == 0x0 00669 428 NtFreeVirtualMemory (-1, (0x900000), 0, 32768, ... (0x900000), 65536, ) == 0x0 00670 428 NtUnmapViewOfSection (-1, 0x910000, ... ) == 0x0 00671 428 NtMapViewOfSection (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x900000), {0, 0}, 12288, ) == 0x0 00672 428 NtUnmapViewOfSection (-1, 0x900000, ... ) == 0x0 00673 428 NtMapViewOfSection (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x900000), {0, 0}, 12288, ) == 0x0 00674 428 NtUnmapViewOfSection (-1, 0x900000, ... ) == 0x0 00675 428 NtMapViewOfSection (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x900000), {0, 0}, 12288, ) == 0x0 00676 428 NtUnmapViewOfSection (-1, 0x900000, ... ) == 0x0 00677 428 NtMapViewOfSection (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x900000), {0, 0}, 12288, ) == 0x0 00678 428 NtUnmapViewOfSection (-1, 0x900000, ... ) == 0x0 00679 428 NtMapViewOfSection (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x900000), {0, 0}, 12288, ) == 0x0 00680 428 NtUnmapViewOfSection (-1, 0x900000, ... ) == 0x0 00681 428 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {616, 0}, ... 148, ) == 0x0 00682 428 NtOpenSection (0x6, {24, 72, 0x0, 0, 0, (0x6, {24, 72, 0x0, 0, 0, "W32_Virtu"}, ... 144, ) }, ... 144, ) == 0x0 00683 428 NtMapViewOfSection (144, 148, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ff90000), 0x0, 24576, ) == 0x0 00684 428 NtClose (144, ... ) == 0x0 00685 428 NtProtectVirtualMemory (148, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00686 428 NtWriteVirtualMemory (148, 0x77f7e603, (148, 0x77f7e603, "\350q-\1\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00687 428 NtProtectVirtualMemory (148, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00688 428 NtWriteVirtualMemory (148, 0x77f7e6a3, (148, 0x77f7e6a3, "\350\36-\1\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00689 428 NtProtectVirtualMemory (148, (0x77f7e6b3), 5, 64, ... 
(0x77f7e000), 4096, 64, ) == 0x0 00690 428 NtWriteVirtualMemory (148, 0x77f7e6b3, (148, 0x77f7e6b3, "\350\33-\1\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00691 428 NtAllocateVirtualMemory (148, 0, 0, 1048576, 8192, 4, ... 22478848, 1048576, ) == 0x0 00692 428 NtAllocateVirtualMemory (148, 23519232, 0, 8192, 4096, 4, ... 23519232, 8192, ) == 0x0 00693 428 NtProtectVirtualMemory (148, (0x166e000), 4096, 260, ... (0x166e000), 4096, 4, ) == 0x0 00694 428 NtCreateThread (0x1f03ff, 0x0, 148, 1244008, 1244724, 1, ... 144, {616, 596}, ) == 0x0 00695 428 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1244852, 2012750850, 2012697848, -1} (24, {28, 56, new_msg, 0, 1244852, 2012750850, 2012697848, -1} "\0\0\0\0\1\0\1\0\0\0\25\0\0\0\0\0\220\0\0\0h\2\0\0T\2\0\0" ... {28, 56, reply, 0, 412, 428, 1492, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\220\0\0\0h\2\0\0T\2\0\0" ) ... {28, 56, reply, 0, 412, 428, 1492, 0} (24, {28, 56, new_msg, 0, 1244852, 2012750850, 2012697848, -1} "\0\0\0\0\1\0\1\0\0\0\25\0\0\0\0\0\220\0\0\0h\2\0\0T\2\0\0" ... {28, 56, reply, 0, 412, 428, 1492, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\220\0\0\0h\2\0\0T\2\0\0" ) ) == 0x0 00696 428 NtResumeThread (144, ... 1, ) == 0x0 00697 428 NtClose (148, ... ) == 0x0 00698 428 NtMapViewOfSection (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x900000), {0, 0}, 12288, ) == 0x0 00699 428 NtUnmapViewOfSection (-1, 0x900000, ... ) == 0x0 00700 428 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {660, 0}, ... 148, ) == 0x0 00701 428 NtOpenSection (0x6, {24, 72, 0x0, 0, 0, (0x6, {24, 72, 0x0, 0, 0, "W32_Virtu"}, ... 152, ) }, ... 152, ) == 0x0 00702 428 NtMapViewOfSection (152, 148, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0 00703 428 NtClose (152, ... ) == 0x0 00704 428 NtProtectVirtualMemory (148, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00705 428 NtWriteVirtualMemory (148, 0x77f7e603, (148, 0x77f7e603, "\350q-\2\10", 5, ... 0x0, ) , 5, ... 
0x0, ) == 0x0 00706 428 NtProtectVirtualMemory (148, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00707 428 NtWriteVirtualMemory (148, 0x77f7e6a3, (148, 0x77f7e6a3, "\350\36-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00708 428 NtProtectVirtualMemory (148, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00709 428 NtWriteVirtualMemory (148, 0x77f7e6b3, (148, 0x77f7e6b3, "\350\33-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00710 428 NtClose (148, ... ) == 0x0 00711 428 NtMapViewOfSection (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x900000), {0, 0}, 12288, ) == 0x0 00712 428 NtUnmapViewOfSection (-1, 0x900000, ... ) == 0x0 00713 428 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {672, 0}, ... 148, ) == 0x0 00714 428 NtOpenSection (0x6, {24, 72, 0x0, 0, 0, (0x6, {24, 72, 0x0, 0, 0, "W32_Virtu"}, ... 152, ) }, ... 152, ) == 0x0 00715 428 NtMapViewOfSection (152, 148, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ff90000), 0x0, 24576, ) == 0x0 00716 428 NtClose (152, ... ) == 0x0 00717 428 NtProtectVirtualMemory (148, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00718 428 NtWriteVirtualMemory (148, 0x77f7e603, (148, 0x77f7e603, "\350q-\1\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00719 428 NtProtectVirtualMemory (148, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00720 428 NtWriteVirtualMemory (148, 0x77f7e6a3, (148, 0x77f7e6a3, "\350\36-\1\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00721 428 NtProtectVirtualMemory (148, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00722 428 NtWriteVirtualMemory (148, 0x77f7e6b3, (148, 0x77f7e6b3, "\350\33-\1\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00723 428 NtClose (148, ... ) == 0x0 00724 428 NtMapViewOfSection (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x900000), {0, 0}, 12288, ) == 0x0 00725 428 NtUnmapViewOfSection (-1, 0x900000, ... ) == 0x0 00726 428 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {844, 0}, ... 
148, ) == 0x0 00727 428 NtOpenSection (0x6, {24, 72, 0x0, 0, 0, (0x6, {24, 72, 0x0, 0, 0, "W32_Virtu"}, ... 152, ) }, ... 152, ) == 0x0 00728 428 NtMapViewOfSection (152, 148, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0 00729 428 NtClose (152, ... ) == 0x0 00730 428 NtProtectVirtualMemory (148, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00731 428 NtWriteVirtualMemory (148, 0x77f7e603, (148, 0x77f7e603, "\350q-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00732 428 NtProtectVirtualMemory (148, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00733 428 NtWriteVirtualMemory (148, 0x77f7e6a3, (148, 0x77f7e6a3, "\350\36-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00734 428 NtProtectVirtualMemory (148, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00735 428 NtWriteVirtualMemory (148, 0x77f7e6b3, (148, 0x77f7e6b3, "\350\33-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00736 428 NtClose (148, ... ) == 0x0 00737 428 NtMapViewOfSection (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x900000), {0, 0}, 12288, ) == 0x0 00738 428 NtUnmapViewOfSection (-1, 0x900000, ... ) == 0x0 00739 428 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {972, 0}, ... 148, ) == 0x0 00740 428 NtOpenSection (0x6, {24, 72, 0x0, 0, 0, (0x6, {24, 72, 0x0, 0, 0, "W32_Virtu"}, ... 152, ) }, ... 152, ) == 0x0 00741 428 NtMapViewOfSection (152, 148, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ff70000), 0x0, 24576, ) == 0x0 00742 428 NtClose (152, ... ) == 0x0 00743 428 NtProtectVirtualMemory (148, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00744 428 NtWriteVirtualMemory (148, 0x77f7e603, (148, 0x77f7e603, "\350q-\377\7", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00745 428 NtProtectVirtualMemory (148, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00746 428 NtWriteVirtualMemory (148, 0x77f7e6a3, (148, 0x77f7e6a3, "\350\36-\377\7", 5, ... 0x0, ) , 5, ... 
0x0, ) == 0x0 00747 428 NtProtectVirtualMemory (148, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00748 428 NtWriteVirtualMemory (148, 0x77f7e6b3, (148, 0x77f7e6b3, "\350\33-\377\7", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00749 428 NtClose (148, ... ) == 0x0 00750 428 NtMapViewOfSection (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x900000), {0, 0}, 12288, ) == 0x0 00751 428 NtUnmapViewOfSection (-1, 0x900000, ... ) == 0x0 00752 428 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1036, 0}, ... 148, ) == 0x0 00753 428 NtOpenSection (0x6, {24, 72, 0x0, 0, 0, (0x6, {24, 72, 0x0, 0, 0, "W32_Virtu"}, ... 152, ) }, ... 152, ) == 0x0 00754 428 NtMapViewOfSection (152, 148, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0 00755 428 NtClose (152, ... ) == 0x0 00756 428 NtProtectVirtualMemory (148, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00757 428 NtWriteVirtualMemory (148, 0x77f7e603, (148, 0x77f7e603, "\350q-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00758 428 NtProtectVirtualMemory (148, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00759 428 NtWriteVirtualMemory (148, 0x77f7e6a3, (148, 0x77f7e6a3, "\350\36-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00760 428 NtProtectVirtualMemory (148, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00761 428 NtWriteVirtualMemory (148, 0x77f7e6b3, (148, 0x77f7e6b3, "\350\33-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00762 428 NtClose (148, ... ) == 0x0 00763 428 NtMapViewOfSection (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x900000), {0, 0}, 12288, ) == 0x0 00764 428 NtUnmapViewOfSection (-1, 0x900000, ... ) == 0x0 00765 428 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1064, 0}, ... 148, ) == 0x0 00766 428 NtOpenSection (0x6, {24, 72, 0x0, 0, 0, (0x6, {24, 72, 0x0, 0, 0, "W32_Virtu"}, ... 152, ) }, ... 152, ) == 0x0 00767 428 NtMapViewOfSection (152, 148, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... 
(0x7ffa0000), 0x0, 24576, ) == 0x0 00768 428 NtClose (152, ... ) == 0x0 00769 428 NtProtectVirtualMemory (148, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00770 428 NtWriteVirtualMemory (148, 0x77f7e603, (148, 0x77f7e603, "\350q-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00771 428 NtProtectVirtualMemory (148, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00772 428 NtWriteVirtualMemory (148, 0x77f7e6a3, (148, 0x77f7e6a3, "\350\36-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00773 428 NtProtectVirtualMemory (148, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00774 428 NtWriteVirtualMemory (148, 0x77f7e6b3, (148, 0x77f7e6b3, "\350\33-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00775 428 NtClose (148, ... ) == 0x0 00776 428 NtMapViewOfSection (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x900000), {0, 0}, 12288, ) == 0x0 00777 428 NtUnmapViewOfSection (-1, 0x900000, ... ) == 0x0 00778 428 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1404, 0}, ... 148, ) == 0x0 00779 428 NtOpenSection (0x6, {24, 72, 0x0, 0, 0, (0x6, {24, 72, 0x0, 0, 0, "W32_Virtu"}, ... 152, ) }, ... 152, ) == 0x0 00780 428 NtMapViewOfSection (152, 148, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0 00781 428 NtClose (152, ... ) == 0x0 00782 428 NtProtectVirtualMemory (148, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00783 428 NtWriteVirtualMemory (148, 0x77f7e603, (148, 0x77f7e603, "\350q-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00784 428 NtProtectVirtualMemory (148, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00785 428 NtWriteVirtualMemory (148, 0x77f7e6a3, (148, 0x77f7e6a3, "\350\36-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00786 428 NtProtectVirtualMemory (148, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00787 428 NtWriteVirtualMemory (148, 0x77f7e6b3, (148, 0x77f7e6b3, "\350\33-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00788 428 NtClose (148, ... 
) == 0x0 00789 428 NtMapViewOfSection (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x900000), {0, 0}, 12288, ) == 0x0 00790 428 NtUnmapViewOfSection (-1, 0x900000, ... ) == 0x0 00791 428 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1640, 0}, ... 148, ) == 0x0 00792 428 NtOpenSection (0x6, {24, 72, 0x0, 0, 0, (0x6, {24, 72, 0x0, 0, 0, "W32_Virtu"}, ... 152, ) }, ... 152, ) == 0x0 00793 428 NtMapViewOfSection (152, 148, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0 00794 428 NtClose (152, ... ) == 0x0 00795 428 NtProtectVirtualMemory (148, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00796 428 NtWriteVirtualMemory (148, 0x77f7e603, (148, 0x77f7e603, "\350q-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00797 428 NtProtectVirtualMemory (148, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00798 428 NtWriteVirtualMemory (148, 0x77f7e6a3, (148, 0x77f7e6a3, "\350\36-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00799 428 NtProtectVirtualMemory (148, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00800 428 NtWriteVirtualMemory (148, 0x77f7e6b3, (148, 0x77f7e6b3, "\350\33-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00801 428 NtClose (148, ... ) == 0x0 00802 428 NtMapViewOfSection (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x900000), {0, 0}, 12288, ) == 0x0 00803 428 NtUnmapViewOfSection (-1, 0x900000, ... ) == 0x0 00804 428 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1860, 0}, ... 148, ) == 0x0 00805 428 NtOpenSection (0x6, {24, 72, 0x0, 0, 0, (0x6, {24, 72, 0x0, 0, 0, "W32_Virtu"}, ... 152, ) }, ... 152, ) == 0x0 00806 428 NtMapViewOfSection (152, 148, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0 00807 428 NtClose (152, ... ) == 0x0 00808 428 NtProtectVirtualMemory (148, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00809 428 NtWriteVirtualMemory (148, 0x77f7e603, (148, 0x77f7e603, "\350q-\2\10", 5, ... 0x0, ) , 5, ... 
0x0, ) == 0x0 00810 428 NtProtectVirtualMemory (148, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00811 428 NtWriteVirtualMemory (148, 0x77f7e6a3, (148, 0x77f7e6a3, "\350\36-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00812 428 NtProtectVirtualMemory (148, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00813 428 NtWriteVirtualMemory (148, 0x77f7e6b3, (148, 0x77f7e6b3, "\350\33-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00814 428 NtClose (148, ... ) == 0x0 00815 428 NtMapViewOfSection (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x900000), {0, 0}, 12288, ) == 0x0 00816 428 NtUnmapViewOfSection (-1, 0x900000, ... ) == 0x0 00817 428 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1912, 0}, ... 148, ) == 0x0 00818 428 NtOpenSection (0x6, {24, 72, 0x0, 0, 0, (0x6, {24, 72, 0x0, 0, 0, "W32_Virtu"}, ... 152, ) }, ... 152, ) == 0x0 00819 428 NtMapViewOfSection (152, 148, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0 00820 428 NtClose (152, ... ) == 0x0 00821 428 NtProtectVirtualMemory (148, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00822 428 NtWriteVirtualMemory (148, 0x77f7e603, (148, 0x77f7e603, "\350q-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00823 428 NtProtectVirtualMemory (148, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00824 428 NtWriteVirtualMemory (148, 0x77f7e6a3, (148, 0x77f7e6a3, "\350\36-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00825 428 NtProtectVirtualMemory (148, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00826 428 NtWriteVirtualMemory (148, 0x77f7e6b3, (148, 0x77f7e6b3, "\350\33-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00827 428 NtClose (148, ... ) == 0x0 00828 428 NtMapViewOfSection (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x900000), {0, 0}, 12288, ) == 0x0 00829 428 NtUnmapViewOfSection (-1, 0x900000, ... ) == 0x0 00830 428 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {2008, 0}, ... 
148, ) == 0x0 00831 428 NtOpenSection (0x6, {24, 72, 0x0, 0, 0, (0x6, {24, 72, 0x0, 0, 0, "W32_Virtu"}, ... 152, ) }, ... 152, ) == 0x0 00832 428 NtMapViewOfSection (152, 148, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0 00833 428 NtClose (152, ... ) == 0x0 00834 428 NtProtectVirtualMemory (148, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00835 428 NtWriteVirtualMemory (148, 0x77f7e603, (148, 0x77f7e603, "\350q-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00836 428 NtProtectVirtualMemory (148, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00837 428 NtWriteVirtualMemory (148, 0x77f7e6a3, (148, 0x77f7e6a3, "\350\36-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00838 428 NtProtectVirtualMemory (148, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00839 428 NtWriteVirtualMemory (148, 0x77f7e6b3, (148, 0x77f7e6b3, "\350\33-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00840 428 NtClose (148, ... ) == 0x0 00841 428 NtMapViewOfSection (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x900000), {0, 0}, 12288, ) == 0x0 00842 428 NtUnmapViewOfSection (-1, 0x900000, ... ) == 0x0 00843 428 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {2016, 0}, ... 148, ) == 0x0 00844 428 NtOpenSection (0x6, {24, 72, 0x0, 0, 0, (0x6, {24, 72, 0x0, 0, 0, "W32_Virtu"}, ... 152, ) }, ... 152, ) == 0x0 00845 428 NtMapViewOfSection (152, 148, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0 00846 428 NtClose (152, ... ) == 0x0 00847 428 NtProtectVirtualMemory (148, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00848 428 NtWriteVirtualMemory (148, 0x77f7e603, (148, 0x77f7e603, "\350q-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00849 428 NtProtectVirtualMemory (148, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00850 428 NtWriteVirtualMemory (148, 0x77f7e6a3, (148, 0x77f7e6a3, "\350\36-\2\10", 5, ... 0x0, ) , 5, ... 
0x0, ) == 0x0 00851 428 NtProtectVirtualMemory (148, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00852 428 NtWriteVirtualMemory (148, 0x77f7e6b3, (148, 0x77f7e6b3, "\350\33-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00853 428 NtClose (148, ... ) == 0x0 00854 428 NtMapViewOfSection (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x900000), {0, 0}, 12288, ) == 0x0 00855 428 NtUnmapViewOfSection (-1, 0x900000, ... ) == 0x0 00856 428 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {2028, 0}, ... 148, ) == 0x0 00857 428 NtOpenSection (0x6, {24, 72, 0x0, 0, 0, (0x6, {24, 72, 0x0, 0, 0, "W32_Virtu"}, ... 152, ) }, ... 152, ) == 0x0 00858 428 NtMapViewOfSection (152, 148, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0 00859 428 NtClose (152, ... ) == 0x0 00860 428 NtProtectVirtualMemory (148, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00861 428 NtWriteVirtualMemory (148, 0x77f7e603, (148, 0x77f7e603, "\350q-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00862 428 NtProtectVirtualMemory (148, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00863 428 NtWriteVirtualMemory (148, 0x77f7e6a3, (148, 0x77f7e6a3, "\350\36-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00864 428 NtProtectVirtualMemory (148, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00865 428 NtWriteVirtualMemory (148, 0x77f7e6b3, (148, 0x77f7e6b3, "\350\33-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00866 428 NtClose (148, ... ) == 0x0 00867 428 NtMapViewOfSection (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x900000), {0, 0}, 12288, ) == 0x0 00868 428 NtUnmapViewOfSection (-1, 0x900000, ... ) == 0x0 00869 428 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {2040, 0}, ... 148, ) == 0x0 00870 428 NtOpenSection (0x6, {24, 72, 0x0, 0, 0, (0x6, {24, 72, 0x0, 0, 0, "W32_Virtu"}, ... 152, ) }, ... 152, ) == 0x0 00871 428 NtMapViewOfSection (152, 148, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... 
(0x7ffa0000), 0x0, 24576, ) == 0x0 00872 428 NtClose (152, ... ) == 0x0 00873 428 NtProtectVirtualMemory (148, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00874 428 NtWriteVirtualMemory (148, 0x77f7e603, (148, 0x77f7e603, "\350q-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00875 428 NtProtectVirtualMemory (148, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00876 428 NtWriteVirtualMemory (148, 0x77f7e6a3, (148, 0x77f7e6a3, "\350\36-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00877 428 NtProtectVirtualMemory (148, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00878 428 NtWriteVirtualMemory (148, 0x77f7e6b3, (148, 0x77f7e6b3, "\350\33-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00879 428 NtClose (148, ... ) == 0x0 00880 428 NtMapViewOfSection (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x900000), {0, 0}, 12288, ) == 0x0 00881 428 NtUnmapViewOfSection (-1, 0x900000, ... ) == 0x0 00882 428 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {212, 0}, ... 148, ) == 0x0 00883 428 NtOpenSection (0x6, {24, 72, 0x0, 0, 0, (0x6, {24, 72, 0x0, 0, 0, "W32_Virtu"}, ... 152, ) }, ... 152, ) == 0x0 00884 428 NtMapViewOfSection (152, 148, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0 00885 428 NtClose (152, ... ) == 0x0 00886 428 NtProtectVirtualMemory (148, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00887 428 NtWriteVirtualMemory (148, 0x77f7e603, (148, 0x77f7e603, "\350q-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00888 428 NtProtectVirtualMemory (148, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00889 428 NtWriteVirtualMemory (148, 0x77f7e6a3, (148, 0x77f7e6a3, "\350\36-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00890 428 NtProtectVirtualMemory (148, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00891 428 NtWriteVirtualMemory (148, 0x77f7e6b3, (148, 0x77f7e6b3, "\350\33-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00892 428 NtClose (148, ... 
) == 0x0 00893 428 NtMapViewOfSection (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x900000), {0, 0}, 12288, ) == 0x0 00894 428 NtUnmapViewOfSection (-1, 0x900000, ... ) == 0x0 00895 428 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {412, 0}, ... 148, ) == 0x0 00896 428 NtOpenSection (0x6, {24, 72, 0x0, 0, 0, (0x6, {24, 72, 0x0, 0, 0, "W32_Virtu"}, ... 152, ) }, ... 152, ) == 0x0 00897 428 NtMapViewOfSection (152, 148, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0 00898 428 NtClose (152, ... ) == 0x0 00899 428 NtProtectVirtualMemory (148, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00900 428 NtWriteVirtualMemory (148, 0x77f7e603, (148, 0x77f7e603, "\350q-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00901 428 NtProtectVirtualMemory (148, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00902 428 NtWriteVirtualMemory (148, 0x77f7e6a3, (148, 0x77f7e6a3, "\350\36-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00903 428 NtProtectVirtualMemory (148, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00904 428 NtWriteVirtualMemory (148, 0x77f7e6b3, (148, 0x77f7e6b3, "\350\33-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00905 428 NtClose (148, ... ) == 0x0 00906 428 NtMapViewOfSection (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x900000), {0, 0}, 12288, ) == 0x0 00907 428 NtUnmapViewOfSection (-1, 0x900000, ... ) == 0x0 00908 428 NtClose (108, ... ) == 0x0 00909 428 NtClose (100, ... ) == 0x0 00910 428 NtQueryPerformanceCounter (... {91966016, 0}, {3579545, 0}, ) == 0x0 00911 428 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00912 428 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 
9437184, 65536, ) == 0x0 00913 428 NtAllocateVirtualMemory (-1, 9437184, 0, 4096, 4096, 4, ... 9437184, 4096, ) == 0x0 00914 428 NtAllocateVirtualMemory (-1, 9441280, 0, 8192, 4096, 4, ... 9441280, 8192, ) == 0x0 00915 428 NtAllocateVirtualMemory (-1, 9449472, 0, 4096, 4096, 4, ... 9449472, 4096, ) == 0x0 00916 428 NtAllocateVirtualMemory (-1, 9453568, 0, 4096, 4096, 4, ... 9453568, 4096, ) == 0x0 00917 428 NtAllocateVirtualMemory (-1, 0, 0, 6, 12288, 64, ... 9502720, 4096, ) == 0x0 00918 428 NtProtectVirtualMemory (-1, (0x910000), 6, 64, ... 00919 428 NtContinue (-104227028, 0, ... 00918 428 NtProtectVirtualMemory ... ) == STATUS_ACCESS_VIOLATION 00920 428 NtFreeVirtualMemory (-1, (0x910000), 0, 32768, ... (0x910000), 4096, ) == 0x0 00921 428 NtCreateKey (0xf003f, {24, 28, 0x40, 0, 0, (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, 0, 0x0, 0, ... 100, 2, ) }, 0, 0x0, 0, ... 100, 2, ) == 0x0 00922 428 NtDeleteValueKey (100, (100, "Skype Startup", ... ) , ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00923 428 NtClose (100, ... ) == 0x0 00924 428 NtCreateFile (0x40100080, {24, 0, 0x42, 0, 1241352, (0x40100080, {24, 0, 0x42, 0, 1241352, "\??\C:\WINDOWS\System32\tmp-490-wlr.bat"}, 0x0, 128, 3, 5, 96, 0, 0, ... }, 0x0, 128, 3, 5, 96, 0, 0, ... 00925 428 NtClose (-2147482020, ... ) == 0x0 00924 428 NtCreateFile ... 100, {status=0x0, info=2}, ) == 0x0 00926 428 NtQueryVolumeInformationFile (100, 1241456, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00927 428 NtAllocateVirtualMemory (-1, 9457664, 0, 8192, 4096, 4, ... 9457664, 8192, ) == 0x0 00928 428 NtWriteFile (100, 0, 0, 0, (100, 0, 0, 0, "@echo off\15\15\12:1\15\15\12del "u:\work\packed.exe"\15\15\12if exist "u:\work\packed.exe" goto 1\15\15\12del "%0"\15\15\12", 94, 0x0, 0, ... {status=0x0, info=94}, ) u:\work\packed.exe (100, 0, 0, 0, "@echo off\15\15\12:1\15\15\12del "u:\work\packed.exe"\15\15\12if exist "u:\work\packed.exe" goto 1\15\15\12del "%0"\15\15\12", 94, 0x0, 0, ... 
{status=0x0, info=94}, ) u:\work\packed.exe (100, 0, 0, 0, "@echo off\15\15\12:1\15\15\12del "u:\work\packed.exe"\15\15\12if exist "u:\work\packed.exe" goto 1\15\15\12del "%0"\15\15\12", 94, 0x0, 0, ... {status=0x0, info=94}, ) %0 (100, 0, 0, 0, "@echo off\15\15\12:1\15\15\12del "u:\work\packed.exe"\15\15\12if exist "u:\work\packed.exe" goto 1\15\15\12del "%0"\15\15\12", 94, 0x0, 0, ... {status=0x0, info=94}, ) , 94, 0x0, 0, ... {status=0x0, info=94}, ) == 0x0 00929 428 NtClose (100, ... ) == 0x0 00930 428 NtOpenKey (0x9, {24, 28, 0x40, 0, 0, (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00931 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1235052, ... ) }, 1235052, ... ) == 0x0 00932 428 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 100, {status=0x0, info=1}, ) }, 5, 96, ... 100, {status=0x0, info=1}, ) == 0x0 00933 428 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 100, ... 108, ) == 0x0 00934 428 NtClose (100, ... ) == 0x0 00935 428 NtMapViewOfSection (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x910000), 0x0, 262144, ) == 0x0 00936 428 NtClose (108, ... ) == 0x0 00937 428 NtUnmapViewOfSection (-1, 0x910000, ... ) == 0x0 00938 428 NtAllocateVirtualMemory (-1, 1429504, 0, 4096, 4096, 4, ... 1429504, 4096, ) == 0x0 00939 428 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00940 428 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00941 428 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00942 428 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... 108, {status=0x0, info=0}, ) }, 7, 16, ... 108, {status=0x0, info=0}, ) == 0x0 00943 428 NtDeviceIoControlFile (108, 0, 0x0, 0x0, 0x390008, (108, 0, 0x0, 0x0, 0x390008, "\327G0\27;d\245x\315\235\312\7z"\316X\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... \316X\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... 00944 428 NtQuerySystemInformation (TimeOfDay, 48, ... 
{system info, class 3, size 48}, 48, ) == 0x0 00945 428 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 00946 428 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 00947 428 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 00948 428 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 00949 428 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 00950 428 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 00951 428 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482020, 2, ) }, 0, 0x0, 0, ... -2147482020, 2, ) == 0x0 00952 428 NtSetValueKey (-2147482020, (-2147482020, "Seed", 0, 3, "d\300pjY\4\1\373\333\211<|\212\322\325\5\303\324\376\240ho\376\177\362\313v\326\33\20wv\236W\4\240\222uN5_\304%\375.i\W,\377\255\301ryh\7\17 \21J\354\362T0\372\304k\277+a\11%\317's\15\272\235\317", 80, ... ) , 0, 3, (-2147482020, "Seed", 0, 3, "d\300pjY\4\1\373\333\211<|\212\322\325\5\303\324\376\240ho\376\177\362\313v\326\33\20wv\236W\4\240\222uN5_\304%\375.i\W,\377\255\301ryh\7\17 \21J\354\362T0\372\304k\277+a\11%\317's\15\272\235\317", 80, ... ) , 80, ... ) == 0x0 00953 428 NtClose (-2147482020, ... ) == 0x0 00943 428 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "T\352\314\277G_\347\305\330*\177\304a\301\300'y\30\4:6\30\221\342,\364\3435k\320\265\2074Y\215CF\225\213\203V\220\236\324CH\361\33\15ox\325\222\256`]\22\10\35\265\24\325\243C\253\224\373\272\21\225\252S2\31\203\227,\324\177\204y\317\326\367G\231\363W\343\334\335\325\0J[+\251,\202\356\222\6r\31\306\177\353\255\347a;-\270\363s\36\225n\10A\363'\270T\334\272U\337\237\34a\376\274\232H\337 p\5\301\32\254\362\212\225\37\30[Q>\357O2\256/\232\205\3524\276\376\342\305\374\363\225nN\30\366\374\25\244\355\307n\32\201\206\305xl]\346\232*\15D\301k\2\17QL\331\314a u\275^HCWA\245pn\17\33\303\211\361}\5\17\265\37\264\204\276\2r\333\310W\302\313\377\177\30\230f\24@(w\23+y7%\34\243\200\264\36\202\221a\2\247\267g\2078", ) , ) == 0x0 00954 428 NtAllocateVirtualMemory (-1, 1433600, 0, 16384, 4096, 4, ... 1433600, 16384, ) == 0x0 00955 428 NtUserRegisterClassExWOW (1237136, 1237216, 1237200, 1237232, 0, 384, 0, ... ) == 0x810dc038 00956 428 NtUserGetAtomName (49208, 1235900, ... ) == 0x15 00957 428 NtUserCreateWindowEx (0, 49208, 49208, (0, 49208, 49208, "OleMainThreadWndName", -2013265920, -2147483648, -2147483648, -2147483648, -2147483648, -3, 0, 1998258176, 0, 1073742848, 0, ... , -2013265920, -2147483648, -2147483648, -2147483648, -2147483648, -3, 0, 1998258176, 0, 1073742848, 0, ... 00958 428 NtAllocateVirtualMemory (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0 00959 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1233424, ... ) }, 1233424, ... ) == 0x0 00960 428 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 100, {status=0x0, info=1}, ) }, 5, 96, ... 100, {status=0x0, info=1}, ) == 0x0 00961 428 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 100, ... 148, ) == 0x0 00962 428 NtClose (100, ... ) == 0x0 00963 428 NtMapViewOfSection (148, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... 
(0x910000), 0x0, 204800, ) == 0x0 00964 428 NtClose (148, ... ) == 0x0 00965 428 NtUnmapViewOfSection (-1, 0x910000, ... ) == 0x0 00966 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1233740, ... ) }, 1233740, ... ) == 0x0 00967 428 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 148, {status=0x0, info=1}, ) }, 5, 96, ... 148, {status=0x0, info=1}, ) == 0x0 00968 428 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 148, ... 100, ) == 0x0 00969 428 NtQuerySection (100, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00970 428 NtClose (148, ... ) == 0x0 00971 428 NtMapViewOfSection (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5ad70000), 0x0, 212992, ) == 0x0 00972 428 NtClose (100, ... ) == 0x0 00973 428 NtUserGetWindowDC (0, ... ) == 0x1010052 00974 428 NtUserCallOneParam (16842834, 56, ... ) == 0x1 00975 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00976 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 100, ) == 0x0 00977 428 NtQueryInformationToken (100, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00978 428 NtClose (100, ... ) == 0x0 00979 428 NtOpenKey (0x2001f, {24, 0, 0x640, 0, 0, (0x2001f, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 100, ) }, ... 100, ) == 0x0 00980 428 NtOpenKey (0x1, {24, 100, 0x40, 0, 0, (0x1, {24, 100, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\ThemeManager"}, ... 148, ) }, ... 148, ) == 0x0 00981 428 NtQueryValueKey (148, (148, "Compositing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00982 428 NtClose (148, ... ) == 0x0 00983 428 NtClose (100, ... ) == 0x0 00984 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00985 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 100, ) == 0x0 00986 428 NtQueryInformationToken (100, User, 80, ... 
{token info, class 1, size 36}, 36, ) == 0x0 00987 428 NtClose (100, ... ) == 0x0 00988 428 NtOpenKey (0x20019, {24, 0, 0x640, 0, 0, (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 100, ) }, ... 100, ) == 0x0 00989 428 NtOpenKey (0x1, {24, 100, 0x40, 0, 0, (0x1, {24, 100, 0x40, 0, 0, "Control Panel\Desktop"}, ... 148, ) }, ... 148, ) == 0x0 00990 428 NtQueryValueKey (148, (148, "LameButtonText", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00991 428 NtClose (148, ... ) == 0x0 00992 428 NtClose (100, ... ) == 0x0 00993 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\UxTheme.dll"}, 1233240, ... ) }, 1233240, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00994 428 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "UxTheme.dll"}, 1233240, ... ) }, 1233240, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00995 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\UxTheme.dll"}, 1233240, ... ) }, 1233240, ... ) == 0x0 00996 428 NtUserGetProcessWindowStation (... ) == 0x28 00997 428 NtUserGetObjectInformation (40, 2, 0, 0, 1235536, ... ) == 0x0 00998 428 NtUserGetObjectInformation (40, 2, 1448904, 16, 1235536, ... ) == 0x1 00999 428 NtUserGetGUIThreadInfo (428, 1235492, ... ) == 0x1 01000 428 NtConnectPort ( ("\ThemeApiPort", {12, 2, 1, 1}, 0x0, 0x0, 1235312, 64, ... 100, 0x0, 0x0, 0x0, 64, ) , {12, 2, 1, 1}, 0x0, 0x0, 1235312, 64, ... 100, 0x0, 0x0, 0x0, 64, ) == 0x0 01001 428 NtRequestWaitReplyPort (100, {32, 56, new_msg, 0, 0, 0, 0, 0} (100, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 412, 428, 1507, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {32, 56, reply, 0, 412, 428, 1507, 0} (100, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... 
{32, 56, reply, 0, 412, 428, 1507, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 01002 428 NtRequestWaitReplyPort (100, {32, 56, new_msg, 0, 0, 0, 0, 0} (100, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 412, 428, 1508, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {32, 56, reply, 0, 412, 428, 1508, 0} (100, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 412, 428, 1508, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 01003 428 NtUserCallNoParam (29, ... 01004 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1232784, ... ) }, 1232784, ... ) == 0x0 01003 428 NtUserCallNoParam ... ) == 0x0 01005 428 NtUserSystemParametersInfo (41, 0, 1524225160, 0, ... ) == 0x1 01006 428 NtGdiHfontCreate (1234864, 356, 0, 0, 1412928, ... ) == 0x170a0381 01007 428 NtGdiHfontCreate (1234864, 356, 0, 0, 1412920, ... ) == 0x130a0321 01008 428 NtRequestWaitReplyPort (100, {32, 56, new_msg, 0, 0, 0, 0, 0} (100, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 412, 428, 1509, 0} "\0\0\0\0\0\0\0\0\224\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {32, 56, reply, 0, 412, 428, 1509, 0} (100, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 412, 428, 1509, 0} "\0\0\0\0\0\0\0\0\224\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 01009 428 NtMapViewOfSection (148, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x910000), {0, 0}, 331776, ) == 0x0 01010 428 NtUserGetWindowDC (0, ... ) == 0x1010052 01011 428 NtUserCallOneParam (16842834, 56, ... ) == 0x1 01012 428 NtUserGetWindowDC (0, ... 
) == 0x1010052 01013 428 NtUserCallOneParam (16842834, 56, ... ) == 0x1 01014 428 NtUserGetWindowDC (0, ... ) == 0x1010052 01015 428 NtUserCallOneParam (16842834, 56, ... ) == 0x1 01016 428 NtUserGetWindowDC (0, ... ) == 0x1010052 01017 428 NtUserCallOneParam (16842834, 56, ... ) == 0x1 01018 428 NtUserGetWindowDC (0, ... ) == 0x1010052 01019 428 NtUserCallOneParam (16842834, 56, ... ) == 0x1 01020 428 NtUserGetWindowDC (0, ... ) == 0x1010052 01021 428 NtUserCallOneParam (16842834, 56, ... ) == 0x1 01022 428 NtUserGetWindowDC (0, ... ) == 0x1010052 01023 428 NtUserCallOneParam (16842834, 56, ... ) == 0x1 01024 428 NtUserGetWindowDC (0, ... ) == 0x1010052 01025 428 NtUserCallOneParam (16842834, 56, ... ) == 0x1 01026 428 NtUserGetWindowDC (0, ... ) == 0x1010052 01027 428 NtGdiCreatePatternBrushInternal (59048377, 0, 0, ... ) == 0x33100337 01028 428 NtUserCallOneParam (16842834, 56, ... ) == 0x1 01029 428 NtUserCallNoParam (29, ... 01030 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1232228, ... ) }, 1232228, ... ) == 0x0 01029 428 NtUserCallNoParam ... ) == 0x0 01031 428 NtUserCallNoParam (29, ... 01032 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1232224, ... ) }, 1232224, ... ) == 0x0 01031 428 NtUserCallNoParam ... ) == 0x0 01033 428 NtUserMessageCall (0x200ae, WM_NCCREATE, 0x0, 0x12db68, 0, 670, 0, ... ) == 0x1 01034 428 NtUserMessageCall (0x200ae, WM_NCCALCSIZE, 0x0, 0x12db90, 0, 670, 0, ... ) == 0x0 01035 428 NtUserSetProp (131246, 43288, -1, ... ) == 0x1 00957 428 NtUserCreateWindowEx ... 
) == 0x200ae 01036 428 NtDeviceIoControlFile (108, 0, 0x0, 0x0, 0x390008, (108, 0, 0x0, 0x0, 0x390008, "\327G0\27;d\245\222b\2677/\223\213eZ\266\214\7\222\271\360\267\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01037 428 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 01038 428 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 01039 428 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 01040 428 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 01041 428 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 01042 428 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 01043 428 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 01044 428 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482020, 2, ) }, 0, 0x0, 0, ... -2147482020, 2, ) == 0x0 01045 428 NtSetValueKey (-2147482020, (-2147482020, "Seed", 0, 3, "NmVJBsl~\222\203<\255\325\330\363\366G\276\300&\220\243\5\343j\225\241e\341\242Yz;=\333\13\256\323\264\332\330\217`\362\356\354L,\306\14\233\333n\27\230\2609\271\4'\324\227R\351eC.\206\37\273\347\230\342\30\300IV\310{\27", 80, ... 
) , 0, 3, (-2147482020, "Seed", 0, 3, "NmVJBsl~\222\203<\255\325\330\363\366G\276\300&\220\243\5\343j\225\241e\341\242Yz;=\333\13\256\323\264\332\330\217`\362\356\354L,\306\14\233\333n\27\230\2609\271\4'\324\227R\351eC.\206\37\273\347\230\342\30\300IV\310{\27", 80, ... ) , 80, ... ) == 0x0 01046 428 NtClose (-2147482020, ... ) == 0x0 01036 428 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "\250\330y\252\364\352zh9_W\216\373 \264\223\305u\353\276`RV\236A\374\376\244\254\325\242\344\341\20d\265ek\243\327\354}\15\257q\322\11\363\3\357CZ\243\233T\343M\2405\360\224\302\220\255\7}x\301\254\346\243\210\333\22Q\302Ox\267\243\262\231-\362\371y\363b\224\322I\270jH\35\362\21w<\310\2275\336\251\32\3125\307g\3106\17,\203\355\321d\35\351\374\216L ]\326~o\242\230;]\3266\207\200_TF\370r\15\327\23m\364xq\62\313\210\202\2762\377m\364\363I\213\310\334k\371\4\276\6\347\256\245Pj\0\214\2111\4EQ\331\0\263\240=!@\260\0\240o\324\253\376\340\222%\240~\316\233X\356\307\354,\362-8\341\2508V\223&", ) , ) == 0x0 01047 428 NtDeviceIoControlFile (108, 0, 0x0, 0x0, 0x390008, (108, 0, 0x0, 0x0, 0x390008, "\327G0\27;d\245\222b\2677/\223\213\217\365\234q/{\20[\265\266\214\7\222\271\360\267\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01048 428 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 01049 428 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 01050 428 NtQuerySystemInformation (Performance, 312, ... 
{system info, class 2, size 312}, 312, ) == 0x0 01051 428 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 01052 428 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 01053 428 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 01054 428 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 01055 428 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482020, 2, ) }, 0, 0x0, 0, ... -2147482020, 2, ) == 0x0 01056 428 NtSetValueKey (-2147482020, (-2147482020, "Seed", 0, 3, "3\351\256\216\221\267\234S\305\247\277\262\35\237\317\12\273\0\257\\217\357\270\210\11\35%i\342\33Y\363\222.\260\377\315|\212\36\310\233\5\317\235\216\261l]>4\203<\0\226R;\247[\35?\3\24\16g\301\23\300|L\316\352\236\4\267\271\210\307%\333", 80, ... ) , 0, 3, (-2147482020, "Seed", 0, 3, "3\351\256\216\221\267\234S\305\247\277\262\35\237\317\12\273\0\257\\217\357\270\210\11\35%i\342\33Y\363\222.\260\377\315|\212\36\310\233\5\317\235\216\261l]>4\203<\0\226R;\247[\35?\3\24\16g\301\23\300|L\316\352\236\4\267\271\210\307%\333", 80, ... ) , 80, ... ) == 0x0 01057 428 NtClose (-2147482020, ... ) == 0x0 01047 428 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "\210\0;\323\1778\202\314p\362\30\267\2\215*\2467\332c\30Z\275S\213\251:"\246\370\227\211~G\331j\265SK+<\211\347o#\303\256\302(cA\345\224\320h5U\5\225\267\342WW\332\327V;}\7\26[a\231n\240q\246\204.|EDn\22\216\316\2204\371_X\221\17\344\337&\261#\275\212\202\376,S\272]A\353\22\364\35@\310\211{\325\356\325\375p\230\272#\23+&._\362\271\317\2457\350\20\237\262P\377\351v\267\213:b\317\275d$\252\315\366\361\257%/\273\357\330\350\241\317\277\271+\\306|h\365\323\222\346:\215\231-\365\351Gi_-Y\16H\370\367\332X\333>\251?\315\271\33K\364v\367\327\373\324\3233\20\2\236\306\177\266f\14\200c\251\270\345\315B\226T[\15\362\32\300_\265\357[\360\316r\331\357\266a\314\274\234e\241\332E\274%a\340\316\262\230\271\223A", ) \246\370\227\211~G\331j\265SK+<\211\347o#\303\256\302(cA\345\224\320h5U\5\225\267\342WW\332\327V;}\7\26[a\231n\240q\246\204.|EDn\22\216\316\2204\371_X\221\17\344\337&\261#\275\212\202\376,S\272]A\353\22\364\35@\310\211{\325\356\325\375p\230\272#\23+&._\362\271\317\2457\350\20\237\262P\377\351v\267\213:b\317\275d$\252\315\366\361\257%/\273\357\330\350\241\317\277\271+\\306|h\365\323\222\346:\215\231-\365\351Gi_-Y\16H\370\367\332X\333>\251?\315\271\33K\364v\367\327\373\324\3233\20\2\236\306\177\266f\14\200c\251\270\345\315B\226T[\15\362\32\300_\265\357[\360\316r\331\357\266a\314\274\234e\241\332E\274%a\340\316\262\230\271\223A", ) == 0x0 01058 428 NtDeviceIoControlFile (108, 0, 0x0, 0x0, 0x390008, (108, 0, 0x0, 0x0, 0x390008, 
"\327G0\27;d\245\222b\2677/\223\213\217\365\234q/{\20\261\32\234q/{\20[\265\266\214\7\222\271\360\267\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01059 428 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 01060 428 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 01061 428 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 01062 428 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 01063 428 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 01064 428 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 01065 428 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 01066 428 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482020, 2, ) }, 0, 0x0, 0, ... -2147482020, 2, ) == 0x0 01067 428 NtSetValueKey (-2147482020, (-2147482020, "Seed", 0, 3, "\201\265\365o\354\342\244\303\240\305\321+\301bZ\277\324\314\22W<\310\340ZUQ\315-\235lQg1[\271\250\222\325\213l\246h\260\233l\7\201zy\212\20\356\320\22\362c\371G\311E)*e\253\177`FV\35S\345\336g\270\253\12K(@\235", 80, ... 
) , 0, 3, (-2147482020, "Seed", 0, 3, "\201\265\365o\354\342\244\303\240\305\321+\301bZ\277\324\314\22W<\310\340ZUQ\315-\235lQg1[\271\250\222\325\213l\246h\260\233l\7\201zy\212\20\356\320\22\362c\371G\311E)*e\253\177`FV\35S\345\336g\270\253\12K(@\235", 80, ... ) , 80, ... ) == 0x0 01068 428 NtClose (-2147482020, ... ) == 0x0 01058 428 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "3\304\241\206\177\350]\267\35Z#\216\10\34\367A\262\275\203\225|\365\211N\302\310Vkg\272f\247\244\337V{\2319#R\315\231\216!\333\375<\7[\234\201yM\213\253Y9j?\14\274\330\360\177\6\212\371s\15\255\313\343\373\372\313u\240\346>z\21\341\244\300OL#\276c\372\217wN'\366\332\210\312\313B\307\17\320\255\233\20\310k`,\323\17jN$\2674\261\17\272\324\244\12}*\5\353\31/\347/s\3417\300\4=\351\304\4\2067\376U\11\224\254f\273C\31u\236\343Z\322\334b\377\325'\331Vp\2417\202\204j\251\327YI\377\342f\7\256x\315\202\303\315\177\30\373?\27q_\252\0\321\340w\3316\236\245\325\313\305\212\2073\360D\337e\311\231:\261\35\11\24\357l\17M\350h\300\236\243_\263\254\342\2\275\241\212\322\27\366@\365&`\233\347\220\225\201\203w\343\215\210\353\344Z\320`\256", ) , ) == 0x0 01069 428 NtDeviceIoControlFile (108, 0, 0x0, 0x0, 0x390008, (108, 0, 0x0, 0x0, 0x390008, "\327G0\27;d\245\222b\2677/\223\213\217\365\234q/{\20\261\32\234q/{\20\261\32\234q/{\20[\265\266\214\7\222\271\360\267\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01070 428 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 01071 428 NtQuerySystemInformation (ProcessorTimes, 48, ... 
{system info, class 8, size 48}, 48, ) == 0x0 01072 428 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 01073 428 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 01074 428 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 01075 428 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 01076 428 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 01077 428 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482020, 2, ) }, 0, 0x0, 0, ... -2147482020, 2, ) == 0x0 01078 428 NtSetValueKey (-2147482020, (-2147482020, "Seed", 0, 3, "\11$\240\374qy,\256\346(\24\2433\22\230<=|`6E\331h\236\317\271w4\204/\237\20\24\321\26\255\323\27\322\375\244\7\327\33\21\316\3017c\11G\347\1\305\23\214\362\350=\204\231kZ$\13\314\355n\234\354\376$\33\252.\303H<\210\36", 80, ... ) , 0, 3, (-2147482020, "Seed", 0, 3, "\11$\240\374qy,\256\346(\24\2433\22\230<=|`6E\331h\236\317\271w4\204/\237\20\24\321\26\255\323\27\322\375\244\7\327\33\21\316\3017c\11G\347\1\305\23\214\362\350=\204\231kZ$\13\314\355n\234\354\376$\33\252.\303H<\210\36", 80, ... ) , 80, ... ) == 0x0 01079 428 NtClose (-2147482020, ... ) == 0x0 01069 428 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, ";\2452\7\350\307\253T\314\234\372\250j\353]\374\14x\216\207\37\233\212\354*0\234\345A\276\362\272\271J\22\25\24\\366\351&\272\255\245\330\376\324k\3037\254\326\301\247\331\235\335\340\23'\260U\337zv,\200\4!\27\22\377\272+X7\236P@\20R\12\23\342\260qZT\255"\364\270d\262\2533mz\376\373l\332h\367\227\325\256>4\316\353\304\271\26\253g\237W\271\22[\33\30\10\320\325O\365\363\233\350T\361\375tY\237\327r\242F\272R`6\347\235\230\356Kk\2537\354\302]<#\270^\236\24\32$\202E\256\364\211\33\233\25\240\314\254\256\227\215\22\17\211#a%i+\266sr7\27\310S\324\327\35\5\262\260\232*d\307\30B\301\262\366M\252o\262dz%r\274\322gP\22\370\242\212\347\331\21\333\12\310\312L$]\34TRza\221\225H\2N\361\177\22E%\243\246\211\11G\357", ) \364\270d\262\2533mz\376\373l\332h\367\227\325\256>4\316\353\304\271\26\253g\237W\271\22[\33\30\10\320\325O\365\363\233\350T\361\375tY\237\327r\242F\272R`6\347\235\230\356Kk\2537\354\302]<#\270^\236\24\32$\202E\256\364\211\33\233\25\240\314\254\256\227\215\22\17\211#a%i+\266sr7\27\310S\324\327\35\5\262\260\232*d\307\30B\301\262\366M\252o\262dz%r\274\322gP\22\370\242\212\347\331\21\333\12\310\312L$]\34TRza\221\225H\2N\361\177\22E%\243\246\211\11G\357", ) == 0x0 01080 428 NtDeviceIoControlFile (108, 0, 0x0, 0x0, 0x390008, (108, 0, 0x0, 0x0, 0x390008, "\327G0\27;d\245\222b\2677/\223\213\217\365\234q/{\20\261\32\234q/{\20\261\32\234q/{\20\261\32\234q/{\20[\265\266\214\7\222\271\360\267\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01081 428 NtQuerySystemInformation (TimeOfDay, 48, ... 
{system info, class 3, size 48}, 48, ) == 0x0 01082 428 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 01083 428 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 01084 428 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 01085 428 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 01086 428 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 01087 428 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 01088 428 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482020, 2, ) }, 0, 0x0, 0, ... -2147482020, 2, ) == 0x0 01089 428 NtSetValueKey (-2147482020, (-2147482020, "Seed", 0, 3, "\332\317\371&\275\4-F\2219\2\351\327yv\225\11\250GW\361\233\10-w\3249)y\206\350\257\266+\32\375\332\226Z\214\354\346\21v\2767D\273?J\252N\320\316\207\10\254\245\370\262\351C\255\205\262\204\256rU\362Y\377\23\7y\23#\252\21", 80, ... ) , 0, 3, (-2147482020, "Seed", 0, 3, "\332\317\371&\275\4-F\2219\2\351\327yv\225\11\250GW\361\233\10-w\3249)y\206\350\257\266+\32\375\332\226Z\214\354\346\21v\2767D\273?J\252N\320\316\207\10\254\245\370\262\351C\255\205\262\204\256rU\362Y\377\23\7y\23#\252\21", 80, ... ) , 80, ... ) == 0x0 01090 428 NtClose (-2147482020, ... ) == 0x0 01080 428 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "\363\231@X\211\6R6\212\3\16\370\200\242L*Z\273{\265\354\246]b%g \307\312\35\266\10\343!F\246n\233\270\305\335\245kAQ\331HV\16\304O\3\235w\200\260\347p\233\344W\370.4\220\316\362\5\21G\230O\340^\213\6\4\336iC\0\314!\262S\7\225c\303\333\327\372Hr\21\31\312\263\350\10d\215\201\347\374\320\275\372q\253"\336F\206D C;\257r\306w\33\5\14\3\273!me\343oe\215\14@s\204\223\256I\355\366\206\223\231\334O$2\256\357\260y\315tl\262pjl\2727-\214S\14O9\215V\231", ) \336F\206D C;\257r\306w\33\5\14\3\273!me\343oe\215\14@s\204\223\256I\355\366\206\223\231\334O$2\256\357\260y\315tl\262pjl\2727-\214S\14O90\236\245\360\31\3759\34\12)t\262\334z\363\317\215E\23;\370\375\35c\217\351\227\212+\376^[;\273\212\325\11\364\36\14I\3F\375]\276Hl\326R\261S/4\257\226\30513\25\377\332]\314w\261[s\0\227\205\321\222\1\366>\215V\231", ) == 0x0 01091 428 NtDeviceIoControlFile (108, 0, 0x0, 0x0, 0x390008, (108, 0, 0x0, 0x0, 0x390008, "\327G0\27;d\245\222b\2677/\223\213\217\365\234q/{\20\261\32\234q/{\20\261\32\234q/{\20\261\32\234q/{\20\261\32\234q/{\20[\265\266\214\7\222\271\360\267\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01092 428 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 01093 428 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 01094 428 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 01095 428 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 01096 428 NtQuerySystemInformation (Lookaside, 32, ... 
{system info, class 45, size 32}, 32, ) == 0x0 01097 428 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 01098 428 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 01099 428 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482020, 2, ) }, 0, 0x0, 0, ... -2147482020, 2, ) == 0x0 01100 428 NtSetValueKey (-2147482020, (-2147482020, "Seed", 0, 3, "\340v\244|\343\305\265\244\367\216\356\31o\204\344T\246\247\376T\177\270'x\277\205!\267\344Ft\236\222eN\2h\201%\204\327\355\244\300M3\223acG\335\201^\204\344\344\232hZ1\2459U\35\326E\26\235bp\33\377 \225\264\324\327\232\245", 80, ... ) , 0, 3, (-2147482020, "Seed", 0, 3, "\340v\244|\343\305\265\244\367\216\356\31o\204\344T\246\247\376T\177\270'x\277\205!\267\344Ft\236\222eN\2h\201%\204\327\355\244\300M3\223acG\335\201^\204\344\344\232hZ1\2459U\35\326E\26\235bp\33\377 \225\264\324\327\232\245", 80, ... ) , 80, ... ) == 0x0 01101 428 NtClose (-2147482020, ... ) == 0x0 01091 428 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "+E1\216\17\210\337m\265~\302>\310\326\227\3702\253\231\360s\225\255\233 H\200\223(\11gn'\235\202@E\344$a\214\300\300\34\255\245\16\263\31\317\17\234\354\277\376O\241\276\375\377k\312j\323\33\266\26\14O\264\250=\340\272Z\252%\0\330\30\361\213 bM\317\302,\332\240n\3I\305K\317\231\235$\363\324\370_\15q\271b\3531m0\273\340T\315zY\33\314{\216lrz|\4\350\116\270\204&F3\2241\23\215Fuy?N\266\362u\33\234\26\333\17`r\4\23\352XO\310gBg\341\375\27\215\311\324\353\231{$f\213\324\224\7\3346\22p]\206\342\14?\313\300\23\14\273]\320\302\216\36F\276?\360\213`\326\217\211gz\343`]\210.j\356\3.\3036\310OT!\2370"\232\245\13\304\355*N`i\245\304(\350\214\270`\10\317\177{RN\12\233\214\314Yf0", ) \232\245\13\304\355*N`i\245\304(\350\214\270`\10\317\177{RN\12\233\214\314Yf0", ) == 0x0 01102 428 NtDeviceIoControlFile (108, 0, 0x0, 0x0, 0x390008, (108, 0, 0x0, 0x0, 0x390008, "\327G0\27;d\245\222b\2677/\223\213\217\365\234q/{\20\261\32\234q/{\20\261\32\234q/{\20\261\32\234q/{\20\261\32\234q/{\20\261\32\234q/{\20[\265\266\214\7\222\271\360\267\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01103 428 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 01104 428 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 01105 428 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 01106 428 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 01107 428 NtQuerySystemInformation (Lookaside, 32, ... 
{system info, class 45, size 32}, 32, ) == 0x0 01108 428 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 01109 428 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 01110 428 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482020, 2, ) }, 0, 0x0, 0, ... -2147482020, 2, ) == 0x0 01111 428 NtSetValueKey (-2147482020, (-2147482020, "Seed", 0, 3, "\207\325_G${\361\254\332OG\245\373\227Aw\215\232E\11Se\3t\305\66\264\323?\35t\275\273S\327\21w\6\315\334^}\277,\26Y\271\347\261U\217Q\230\234\36X\311\246\246 \346\373\365\35\361\177\177\334\325\357m\307Y\3\32\34M\16\226", 80, ... ) , 0, 3, (-2147482020, "Seed", 0, 3, "\207\325_G${\361\254\332OG\245\373\227Aw\215\232E\11Se\3t\305\66\264\323?\35t\275\273S\327\21w\6\315\334^}\277,\26Y\271\347\261U\217Q\230\234\36X\311\246\246 \346\373\365\35\361\177\177\334\325\357m\307Y\3\32\34M\16\226", 80, ... ) , 80, ... ) == 0x0 01112 428 NtClose (-2147482020, ... ) == 0x0 01102 428 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "\220.xE\206\6\213dE?\375\264\0\31G\11\210z,\316s\304;\320U\272\210>\204\327\366c\203\255a\366\347\6\304\241\250\334\272\267\326T\336X.,T\255\314\213\332P\}\254.\232\247\327I\25I\253(\2\227\366\21\322\245R01\267\346\354\2776\326\376\2539n\244\325"@\2134\357i\373\3367\374\345\\265d\37\261gk1*@\360\333a\336\36I\211\242\222\215\266\303\340\2\24\15\262\5\357?\306>0\374\370\215\366\376\255\14\306DV\23\30\243\357\302\371\331\177\11\262\227\322\261@\2012X8b\342=I\354\266^\305\355 o\220\302E\267f\377\223\344k\363\374f\261P\350jn\\274\205+\323\21\11\312{\262\26w\362_\316\270\351\342Tb@>\354\374)\256\211\321\372!\373\1R\65\251\344\372*\316\2057\256;\275\301\200\20\336\374\231\222j\305I\363\217I6uE\222BK\210", ) @\2134\357i\373\3367\374\345\\265d\37\261gk1*@\360\333a\336\36I\211\242\222\215\266\303\340\2\24\15\262\5\357?\306>0\374\370\215\366\376\255\14\306DV\23\30\243\357\302\371\331\177\11\262\227\322\261@\2012X8b\342=I\354\266^\305\355 o\220\302E\267f\377\223\344k\363\374f\261P\350jn\\274\205+\323\21\11\312{\262\26w\362_\316\270\351\342Tb@>\354\374)\256\211\321\372!\373\1R\65\251\344\372*\316\2057\256;\275\301\200\20\336\374\231\222j\305I\363\217I6uE\222BK\210", ) == 0x0 01113 428 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, ... 152, ) }, ... 152, ) == 0x0 01114 428 NtQueryValueKey (152, (152, "MaximizeApps", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01115 428 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, ... 156, ) }, ... 156, ) == 0x0 01116 428 NtQueryValueKey (156, (156, "MaximizeApps", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01117 428 NtClose (156, ... ) == 0x0 01118 428 NtClose (152, ... ) == 0x0 01119 428 NtAllocateVirtualMemory (-1, 1449984, 0, 24576, 4096, 4, ... 
1449984, 24576, ) == 0x0 01120 428 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "netapi32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01121 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\netapi32.dll"}, 1235296, ... ) }, 1235296, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01122 428 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "netapi32.dll"}, 1235296, ... ) }, 1235296, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01123 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\netapi32.dll"}, 1235296, ... ) }, 1235296, ... ) == 0x0 01124 428 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\netapi32.dll"}, 5, 96, ... 152, {status=0x0, info=1}, ) }, 5, 96, ... 152, {status=0x0, info=1}, ) == 0x0 01125 428 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 152, ... 156, ) == 0x0 01126 428 NtQuerySection (156, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01127 428 NtClose (152, ... ) == 0x0 01128 428 NtMapViewOfSection (156, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c20000), 0x0, 323584, ) == 0x0 01129 428 NtClose (156, ... ) == 0x0 01130 428 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01131 428 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 156, ) == 0x0 01132 428 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01133 428 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01134 428 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1235664, (0xc0100080, {24, 0, 0x40, 0, 1235664, "\??\PIPE\wkssvc"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 152, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 152, {status=0x0, info=1}, ) == 0x0 01135 428 NtSetInformationFile (152, 1235720, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 01136 428 NtSetInformationFile (152, 1235712, 8, Completion, ... 
{status=0x0, info=0}, ) == 0x0 01137 428 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01138 428 NtWriteFile (152, 125, 0, 0, (152, 125, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\230\320\377k\22\241\206\2303F\303\370~4Z\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 01139 428 NtReadFile (152, 125, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (152, 125, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\265"\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) \0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) == 0x0 01140 428 NtFsControlFile (152, 125, 0x0, 0x0, 0x11c017, (152, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0", 32, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\265"\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 32, 1024, ... {status=0x103, info=68}, (152, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0", 32, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\265"\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) \0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) == 0x103 01141 428 NtClose (156, ... ) == 0x0 01142 428 NtClose (152, ... ) == 0x0 01143 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\U:\startupscripts"}, 1235708, ... ) }, 1235708, ... ) == 0x0 01144 428 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... 
{process info, class 12, size 4}, 0x0, ) == 0x0 01145 428 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01146 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\tmp-490-wlr.bat"}, 1235528, ... ) }, 1235528, ... ) == 0x0 01147 428 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01148 428 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01149 428 NtAllocateVirtualMemory (-1, 1474560, 0, 4096, 4096, 4, ... 1474560, 4096, ) == 0x0 01150 428 NtCreateSemaphore (0x1f0003, {24, 72, 0x80, 1474920, 0, (0x1f0003, {24, 72, 0x80, 1474920, 0, "shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}"}, 0, 2147483647, ... 152, ) }, 0, 2147483647, ... 152, ) == STATUS_OBJECT_NAME_EXISTS 01151 428 NtReleaseSemaphore (152, 1, ... 0, ) == 0x0 01152 428 NtWaitForSingleObject (152, 0, {0, 0}, ... ) == 0x0 01153 428 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01154 428 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 156, ) }, ... 156, ) == 0x0 01155 428 NtQueryValueKey (156, (156, "NoNetHood", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01156 428 NtClose (156, ... ) == 0x0 01157 428 NtReleaseSemaphore (152, 1, ... 0, ) == 0x0 01158 428 NtWaitForSingleObject (152, 0, {0, 0}, ... ) == 0x0 01159 428 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01160 428 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 156, ) }, ... 
156, ) == 0x0 01161 428 NtQueryValueKey (156, (156, "NoPropertiesMyComputer", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01162 428 NtClose (156, ... ) == 0x0 01163 428 NtReleaseSemaphore (152, 1, ... 0, ) == 0x0 01164 428 NtWaitForSingleObject (152, 0, {0, 0}, ... ) == 0x0 01165 428 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01166 428 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 156, ) }, ... 156, ) == 0x0 01167 428 NtQueryValueKey (156, (156, "NoInternetIcon", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01168 428 NtClose (156, ... ) == 0x0 01169 428 NtReleaseSemaphore (152, 1, ... 0, ) == 0x0 01170 428 NtWaitForSingleObject (152, 0, {0, 0}, ... ) == 0x0 01171 428 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01172 428 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 156, ) }, ... 156, ) == 0x0 01173 428 NtQueryValueKey (156, (156, "NoCommonGroups", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01174 428 NtClose (156, ... ) == 0x0 01175 428 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{20D04FE0-3AEA-1069-A2D8-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01176 428 NtReleaseSemaphore (152, 1, ... 0, ) == 0x0 01177 428 NtWaitForSingleObject (152, 0, {0, 0}, ... ) == 0x0 01178 428 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01179 428 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 156, ) }, ... 156, ) == 0x0 01180 428 NtQueryValueKey (156, (156, "NoControlPanel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01181 428 NtClose (156, ... ) == 0x0 01182 428 NtReleaseSemaphore (152, 1, ... 0, ) == 0x0 01183 428 NtWaitForSingleObject (152, 0, {0, 0}, ... ) == 0x0 01184 428 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01185 428 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 156, ) }, ... 156, ) == 0x0 01186 428 NtQueryValueKey (156, (156, "NoSetFolders", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01187 428 NtClose (156, ... ) == 0x0 01188 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01189 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 156, ) == 0x0 01190 428 NtQueryInformationToken (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01191 428 NtClose (156, ... ) == 0x0 01192 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes"}, ... 156, ) }, ... 156, ) == 0x0 01193 428 NtSetInformationObject (158, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0 01194 428 NtQueryKey (158, Name, 384, ... {Name= (158, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 01195 428 NtOpenKey (0x1, {24, 158, 0x40, 0, 0, (0x1, {24, 158, 0x40, 0, 0, "CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01196 428 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... 160, ) }, ... 160, ) == 0x0 01197 428 NtQueryKey (162, Name, 392, ... {Name= (162, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0 01198 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01199 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 164, ) == 0x0 01200 428 NtQueryInformationToken (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01201 428 NtClose (164, ... ) == 0x0 01202 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01203 428 NtQueryValueKey (162, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data= (162, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0S\0H\0E\0L\0L\03\02\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 01204 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1233436, ... ) }, 1233436, ... ) == 0x0 01205 428 NtClose (162, ... ) == 0x0 01206 428 NtQueryKey (158, Name, 384, ... {Name= (158, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 01207 428 NtOpenKey (0x2000000, {24, 158, 0x40, 0, 0, (0x2000000, {24, 158, 0x40, 0, 0, "Drive\shellex\FolderExtensions"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01208 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Drive\shellex\FolderExtensions"}, ... 160, ) }, ... 
160, ) == 0x0 01209 428 NtAllocateVirtualMemory (-1, 1478656, 0, 4096, 4096, 4, ... 1478656, 4096, ) == 0x0 01210 428 NtQueryKey (162, Name, 392, ... {Name= (162, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensionsl"}, 134, ) }, 134, ) == 0x0 01211 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01212 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 164, ) == 0x0 01213 428 NtQueryInformationToken (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01214 428 NtClose (164, ... ) == 0x0 01215 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Drive\shellex\FolderExtensions"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01216 428 NtEnumerateKey (162, 0, Node, 288, ... {LastWrite={0x5abc7c30,0x1c73999}, TitleIdx=0, Name= (162, 0, Node, 288, ... {LastWrite={0x5abc7c30,0x1c73999}, TitleIdx=0, Name="{fbeb8a05-beee-4442-804e-409d6c4515e9}", Class=""}, 100, ) , Class=""}, 100, ) == 0x0 01217 428 NtQueryKey (158, Name, 384, ... {Name= (158, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 01218 428 NtOpenKey (0x1, {24, 158, 0x40, 0, 0, (0x1, {24, 158, 0x40, 0, 0, "Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01219 428 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... 164, ) }, ... 164, ) == 0x0 01220 428 NtQueryKey (166, Name, 392, ... {Name= (166, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, 212, ) }, 212, ) == 0x0 01221 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01222 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 
168, ) == 0x0 01223 428 NtQueryInformationToken (168, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01224 428 NtClose (168, ... ) == 0x0 01225 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01226 428 NtQueryValueKey (166, (166, "DriveMask", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (166, "DriveMask", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0 01227 428 NtClose (166, ... ) == 0x0 01228 428 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 01229 428 NtEnumerateKey (162, 1, Node, 288, ... ) == STATUS_NO_MORE_ENTRIES 01230 428 NtClose (162, ... ) == 0x0 01231 428 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01232 428 NtOpenKey (0x2000000, {24, 80, 0x40, 0, 0, (0x2000000, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, ... 160, ) }, ... 160, ) == 0x0 01233 428 NtOpenKey (0x2000000, {24, 160, 0x40, 0, 0, (0x2000000, {24, 160, 0x40, 0, 0, "FileExts"}, ... 164, ) }, ... 164, ) == 0x0 01234 428 NtOpenKey (0x2000000, {24, 164, 0x40, 0, 0, (0x2000000, {24, 164, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01235 428 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01236 428 NtOpenKey (0x2000000, {24, 164, 0x40, 0, 0, (0x2000000, {24, 164, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01237 428 NtQueryKey (158, Name, 384, ... {Name= (158, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0 01238 428 NtOpenKey (0x2000000, {24, 158, 0x40, 0, 0, (0x2000000, {24, 158, 0x40, 0, 0, ".bat"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01239 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 168, ) }, ... 168, ) == 0x0 01240 428 NtQueryKey (170, Name, 392, ... {Name= (170, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0 01241 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01242 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 172, ) == 0x0 01243 428 NtQueryInformationToken (172, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01244 428 NtClose (172, ... ) == 0x0 01245 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01246 428 NtQueryValueKey (170, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (170, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="b\0a\0t\0f\0i\0l\0e\0\0\0"}, 28, ) }, 28, ) == 0x0 01247 428 NtQueryKey (158, Name, 384, ... {Name= (158, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 01248 428 NtOpenKey (0x2000000, {24, 158, 0x40, 0, 0, (0x2000000, {24, 158, 0x40, 0, 0, "batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01249 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\batfile"}, ... 172, ) }, ... 172, ) == 0x0 01250 428 NtQueryKey (174, Name, 384, ... {Name= (174, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0 01251 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01252 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 176, ) == 0x0 01253 428 NtQueryInformationToken (176, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01254 428 NtClose (176, ... 
) == 0x0 01255 428 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01256 428 NtOpenKey (0x1, {24, 174, 0x40, 0, 0, (0x1, {24, 174, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01257 428 NtQueryKey (174, Name, 384, ... {Name= (174, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0 01258 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01259 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 176, ) == 0x0 01260 428 NtQueryInformationToken (176, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01261 428 NtClose (176, ... ) == 0x0 01262 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01263 428 NtOpenKey (0x2000000, {24, 174, 0x40, 0, 0, ""}, ... 176, ) == 0x0 01264 428 NtClose (174, ... ) == 0x0 01265 428 NtReleaseSemaphore (152, 1, ... 0, ) == 0x0 01266 428 NtWaitForSingleObject (152, 0, {0, 0}, ... ) == 0x0 01267 428 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01268 428 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 172, ) }, ... 172, ) == 0x0 01269 428 NtQueryValueKey (172, (172, "DontShowSuperHidden", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01270 428 NtClose (172, ... ) == 0x0 01271 428 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01272 428 NtOpenKey (0x2000000, {24, 160, 0x40, 0, 0, ""}, ... 172, ) == 0x0 01273 428 NtQueryValueKey (172, (172, "ShellState", Partial, 144, ... 
TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (172, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) }, 48, ) == 0x0 01274 428 NtQueryValueKey (172, (172, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (172, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) }, 48, ) == 0x0 01275 428 NtClose (172, ... ) == 0x0 01276 428 NtReleaseSemaphore (152, 1, ... 0, ) == 0x0 01277 428 NtWaitForSingleObject (152, 0, {0, 0}, ... ) == 0x0 01278 428 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01279 428 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 172, ) }, ... 172, ) == 0x0 01280 428 NtQueryValueKey (172, (172, "ForceActiveDesktopOn", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01281 428 NtClose (172, ... ) == 0x0 01282 428 NtReleaseSemaphore (152, 1, ... 0, ) == 0x0 01283 428 NtWaitForSingleObject (152, 0, {0, 0}, ... ) == 0x0 01284 428 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01285 428 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 172, ) }, ... 172, ) == 0x0 01286 428 NtQueryValueKey (172, (172, "NoActiveDesktop", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01287 428 NtClose (172, ... ) == 0x0 01288 428 NtReleaseSemaphore (152, 1, ... 0, ) == 0x0 01289 428 NtWaitForSingleObject (152, 0, {0, 0}, ... ) == 0x0 01290 428 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01291 428 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 172, ) }, ... 172, ) == 0x0 01292 428 NtQueryValueKey (172, (172, "NoWebView", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01293 428 NtClose (172, ... ) == 0x0 01294 428 NtReleaseSemaphore (152, 1, ... 0, ) == 0x0 01295 428 NtWaitForSingleObject (152, 0, {0, 0}, ... ) == 0x0 01296 428 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01297 428 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 172, ) }, ... 172, ) == 0x0 01298 428 NtQueryValueKey (172, (172, "ClassicShell", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01299 428 NtClose (172, ... ) == 0x0 01300 428 NtReleaseSemaphore (152, 1, ... 0, ) == 0x0 01301 428 NtWaitForSingleObject (152, 0, {0, 0}, ... ) == 0x0 01302 428 NtReleaseSemaphore (152, 1, ... 0, ) == 0x0 01303 428 NtWaitForSingleObject (152, 0, {0, 0}, ... ) == 0x0 01304 428 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01305 428 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 172, ) }, ... 
172, ) == 0x0 01306 428 NtQueryValueKey (172, (172, "SeparateProcess", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01307 428 NtClose (172, ... ) == 0x0 01308 428 NtReleaseSemaphore (152, 1, ... 0, ) == 0x0 01309 428 NtWaitForSingleObject (152, 0, {0, 0}, ... ) == 0x0 01310 428 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01311 428 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 172, ) }, ... 172, ) == 0x0 01312 428 NtQueryValueKey (172, (172, "NoNetCrawling", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01313 428 NtClose (172, ... ) == 0x0 01314 428 NtReleaseSemaphore (152, 1, ... 0, ) == 0x0 01315 428 NtWaitForSingleObject (152, 0, {0, 0}, ... ) == 0x0 01316 428 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01317 428 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 172, ) }, ... 172, ) == 0x0 01318 428 NtQueryValueKey (172, (172, "NoSimpleStartMenu", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01319 428 NtClose (172, ... ) == 0x0 01320 428 NtReleaseSemaphore (152, 1, ... 0, ) == 0x0 01321 428 NtWaitForSingleObject (152, 0, {0, 0}, ... ) == 0x0 01322 428 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01323 428 NtOpenKey (0x2000000, {24, 160, 0x40, 0, 0, (0x2000000, {24, 160, 0x40, 0, 0, "Advanced"}, ... 172, ) }, ... 172, ) == 0x0 01324 428 NtQueryValueKey (172, (172, "Hidden", Partial, 144, ... TitleIdx=0, Type=4, Data="\2\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (172, "Hidden", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\2\0\0\0"}, 16, ) }, 16, ) == 0x0 01325 428 NtQueryValueKey (172, (172, "ShowCompColor", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (172, "ShowCompColor", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01326 428 NtQueryValueKey (172, (172, "HideFileExt", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (172, "HideFileExt", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01327 428 NtQueryValueKey (172, (172, "DontPrettyPath", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (172, "DontPrettyPath", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01328 428 NtQueryValueKey (172, (172, "ShowInfoTip", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (172, "ShowInfoTip", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01329 428 NtQueryValueKey (172, (172, "HideIcons", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (172, "HideIcons", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01330 428 NtQueryValueKey (172, (172, "MapNetDrvBtn", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (172, "MapNetDrvBtn", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01331 428 NtReleaseSemaphore (152, 1, ... 0, ) == 0x0 01332 428 NtWaitForSingleObject (152, 0, {0, 0}, ... ) == 0x0 01333 428 NtQueryValueKey (172, (172, "WebView", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (172, "WebView", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01334 428 NtQueryValueKey (172, (172, "Filter", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (172, "Filter", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01335 428 NtQueryValueKey (172, (172, "ShowSuperHidden", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01336 428 NtQueryValueKey (172, (172, "SeparateProcess", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (172, "SeparateProcess", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01337 428 NtQueryValueKey (172, (172, "NoNetCrawling", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01338 428 NtClose (172, ... ) == 0x0 01339 428 NtCreateSemaphore (0x1f0003, {24, 72, 0x80, 1474920, 0, (0x1f0003, {24, 72, 0x80, 1474920, 0, "shell.{7CB834F0-527B-11D2-9D1F-0000F805CA57}"}, 0, 2147483647, ... 172, ) }, 0, 2147483647, ... 172, ) == STATUS_OBJECT_NAME_EXISTS 01340 428 NtReleaseSemaphore (172, 1, ... 0, ) == 0x0 01341 428 NtWaitForSingleObject (172, 0, {0, 0}, ... ) == 0x0 01342 428 NtQueryKey (178, Name, 384, ... {Name= (178, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0 01343 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01344 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 180, ) == 0x0 01345 428 NtQueryInformationToken (180, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01346 428 NtClose (180, ... ) == 0x0 01347 428 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01348 428 NtOpenKey (0x1, {24, 178, 0x40, 0, 0, (0x1, {24, 178, 0x40, 0, 0, "ShellEx\IconHandler"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01349 428 NtQueryKey (158, Name, 384, ... {Name= (158, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 01350 428 NtOpenKey (0x2000000, {24, 158, 0x40, 0, 0, (0x2000000, {24, 158, 0x40, 0, 0, "SystemFileAssociations\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01351 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\SystemFileAssociations\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01352 428 NtQueryKey (158, Name, 384, ... {Name= (158, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESs"}, 138, ) }, 138, ) == 0x0 01353 428 NtOpenKey (0x1, {24, 158, 0x40, 0, 0, (0x1, {24, 158, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01354 428 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 180, ) }, ... 180, ) == 0x0 01355 428 NtQueryKey (182, Name, 392, ... {Name= (182, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0 01356 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01357 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 184, ) == 0x0 01358 428 NtQueryInformationToken (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01359 428 NtClose (184, ... ) == 0x0 01360 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01361 428 NtQueryValueKey (182, (182, "PerceivedType", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01362 428 NtClose (182, ... ) == 0x0 01363 428 NtQueryKey (178, Name, 392, ... {Name= (178, Name, 392, ... 
{Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0 01364 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01365 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 180, ) == 0x0 01366 428 NtQueryInformationToken (180, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01367 428 NtClose (180, ... ) == 0x0 01368 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01369 428 NtQueryValueKey (178, (178, "DocObject", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01370 428 NtQueryKey (178, Name, 392, ... {Name= (178, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0 01371 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01372 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 180, ) == 0x0 01373 428 NtQueryInformationToken (180, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01374 428 NtClose (180, ... ) == 0x0 01375 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01376 428 NtQueryValueKey (178, (178, "BrowseInPlace", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01377 428 NtQueryKey (178, Name, 384, ... {Name= (178, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0 01378 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01379 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 180, ) == 0x0 01380 428 NtQueryInformationToken (180, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01381 428 NtClose (180, ... 
) == 0x0 01382 428 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01383 428 NtOpenKey (0x1, {24, 178, 0x40, 0, 0, (0x1, {24, 178, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01384 428 NtQueryKey (158, Name, 384, ... {Name= (158, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 01385 428 NtOpenKey (0x2000000, {24, 158, 0x40, 0, 0, (0x2000000, {24, 158, 0x40, 0, 0, "*"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01386 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\*"}, ... 180, ) }, ... 180, ) == 0x0 01387 428 NtQueryKey (182, Name, 384, ... {Name= (182, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\*"}, 76, ) }, 76, ) == 0x0 01388 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01389 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 184, ) == 0x0 01390 428 NtQueryInformationToken (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01391 428 NtClose (184, ... ) == 0x0 01392 428 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\*\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01393 428 NtOpenKey (0x1, {24, 182, 0x40, 0, 0, (0x1, {24, 182, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01394 428 NtQueryKey (178, Name, 392, ... {Name= (178, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0 01395 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01396 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 184, ) == 0x0 01397 428 NtQueryInformationToken (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01398 428 NtClose (184, ... 
) == 0x0 01399 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01400 428 NtQueryValueKey (178, (178, "IsShortcut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01401 428 NtQueryKey (178, Name, 392, ... {Name= (178, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0 01402 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01403 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 184, ) == 0x0 01404 428 NtQueryInformationToken (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01405 428 NtClose (184, ... ) == 0x0 01406 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01407 428 NtQueryValueKey (178, (178, "AlwaysShowExt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01408 428 NtQueryKey (178, Name, 392, ... {Name= (178, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0 01409 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01410 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 184, ) == 0x0 01411 428 NtQueryInformationToken (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01412 428 NtClose (184, ... ) == 0x0 01413 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01414 428 NtQueryValueKey (178, (178, "NeverShowExt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01415 428 NtClose (170, ... ) == 0x0 01416 428 NtClose (178, ... ) == 0x0 01417 428 NtClose (182, ... 
) == 0x0 01418 428 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01419 428 NtCreateSemaphore (0x1f0003, {24, 72, 0x80, 1474920, 0, (0x1f0003, {24, 72, 0x80, 1474920, 0, "shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}"}, 0, 2147483647, ... 180, ) }, 0, 2147483647, ... 180, ) == STATUS_OBJECT_NAME_EXISTS 01420 428 NtReleaseSemaphore (180, 1, ... 0, ) == 0x0 01421 428 NtWaitForSingleObject (180, 0, {0, 0}, ... ) == 0x0 01422 428 NtReleaseSemaphore (180, 1, ... 0, ) == 0x0 01423 428 NtWaitForSingleObject (180, 0, {0, 0}, ... ) == 0x0 01424 428 NtCreateKey (0x2000000, {24, 80, 0x40, 0, 0, (0x2000000, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 176, 2, ) }, 0, 0x0, 0, ... 176, 2, ) == 0x0 01425 428 NtQueryValueKey (176, (176, "Personal", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 66, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (176, "Personal", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 66, ) }, 66, ) == 0x0 01426 428 NtClose (176, ... ) == 0x0 01427 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents"}, 1235672, ... ) }, 1235672, ... ) == 0x0 01428 428 NtCreateKey (0x2000000, {24, 80, 0x40, 0, 0, (0x2000000, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 176, 2, ) }, 0, 0x0, 0, ... 176, 2, ) == 0x0 01429 428 NtSetValueKey (176, (176, "Personal", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0", 96, ... ) , 0, 1, (176, "Personal", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0", 96, ... 
) , 96, ... ) == 0x0 01430 428 NtClose (176, ... ) == 0x0 01431 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1234084, ... ) }, 1234084, ... ) == 0x0 01432 428 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 176, {status=0x0, info=1}, ) }, 5, 96, ... 176, {status=0x0, info=1}, ) == 0x0 01433 428 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 176, ... 168, ) == 0x0 01434 428 NtClose (176, ... ) == 0x0 01435 428 NtMapViewOfSection (168, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x970000), 0x0, 262144, ) == 0x0 01436 428 NtClose (168, ... ) == 0x0 01437 428 NtUnmapViewOfSection (-1, 0x970000, ... ) == 0x0 01438 428 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 01439 428 NtOpenEvent (0x100000, {24, 72, 0x0, 0, 0, (0x100000, {24, 72, 0x0, 0, 0, "_fCanRegisterWithShellService"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01440 428 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SETUPAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01441 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\SETUPAPI.dll"}, 1233648, ... ) }, 1233648, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01442 428 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "SETUPAPI.dll"}, 1233648, ... ) }, 1233648, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01443 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SETUPAPI.dll"}, 1233648, ... ) }, 1233648, ... ) == 0x0 01444 428 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SETUPAPI.dll"}, 5, 96, ... 168, {status=0x0, info=1}, ) }, 5, 96, ... 168, {status=0x0, info=1}, ) == 0x0 01445 428 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 168, ... 176, ) == 0x0 01446 428 NtQuerySection (176, Image, 48, ... 
{section info, class 1, size 48}, 0x0, ) == 0x0 01447 428 NtClose (168, ... ) == 0x0 01448 428 NtMapViewOfSection (176, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76670000), 0x0, 933888, ) == 0x0 01449 428 NtClose (176, ... ) == 0x0 01450 428 NtAllocateVirtualMemory (-1, 9125888, 0, 4096, 4096, 4, ... 9125888, 4096, ) == 0x0 01451 428 NtQueryDefaultLocale (1, 1233480, ... ) == 0x0 01452 428 NtQueryInformationProcess (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0 01453 428 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\Setup"}, ... 176, ) }, ... 176, ) == 0x0 01454 428 NtQueryValueKey (176, (176, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (176, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01455 428 NtClose (176, ... ) == 0x0 01456 428 NtUserGetProcessWindowStation (... ) == 0x28 01457 428 NtUserGetObjectInformation (40, 1, 1233152, 12, 1233164, ... ) == 0x1 01458 428 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\WPA\PnP"}, ... 176, ) }, ... 176, ) == 0x0 01459 428 NtQueryValueKey (176, (176, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\345\252r\363"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (176, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\345\252r\363"}, 16, ) }, 16, ) == 0x0 01460 428 NtClose (176, ... ) == 0x0 01461 428 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 176, ) }, ... 176, ) == 0x0 01462 428 NtQueryValueKey (176, (176, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (176, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0 01463 428 NtQueryValueKey (176, (176, "OsLoaderPath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (176, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0 01464 428 NtClose (176, ... ) == 0x0 01465 428 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 176, ) }, ... 176, ) == 0x0 01466 428 NtQueryValueKey (176, (176, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (176, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0 01467 428 NtQueryValueKey (176, (176, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (176, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0 01468 428 NtClose (176, ... ) == 0x0 01469 428 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 176, ) }, ... 176, ) == 0x0 01470 428 NtQueryValueKey (176, (176, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (176, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 01471 428 NtQueryValueKey (176, (176, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (176, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 01472 428 NtClose (176, ... 
) == 0x0 01473 428 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 176, ) }, ... 176, ) == 0x0 01474 428 NtQueryValueKey (176, (176, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (176, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 01475 428 NtQueryValueKey (176, (176, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (176, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 01476 428 NtClose (176, ... ) == 0x0 01477 428 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 176, ) }, ... 176, ) == 0x0 01478 428 NtQueryValueKey (176, (176, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (176, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0 01479 428 NtQueryValueKey (176, (176, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (176, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0 01480 428 NtClose (176, ... ) == 0x0 01481 428 NtAllocateVirtualMemory (-1, 1482752, 0, 4096, 4096, 4, ... 
1482752, 4096, ) == 0x0 01482 428 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 176, ) }, ... 176, ) == 0x0 01483 428 NtQueryValueKey (176, (176, "DevicePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (176, "DevicePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0\0\0"}, 46, ) }, 46, ) == 0x0 01484 428 NtClose (176, ... ) == 0x0 01485 428 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 176, ) == 0x0 01486 428 NtCreateMutant (0x1f0001, 0x0, 0, ... 168, ) == 0x0 01487 428 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 184, ) == 0x0 01488 428 NtCreateMutant (0x1f0001, 0x0, 0, ... 188, ) == 0x0 01489 428 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 192, ) == 0x0 01490 428 NtCreateMutant (0x1f0001, 0x0, 0, ... 196, ) == 0x0 01491 428 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 200, ) }, ... 200, ) == 0x0 01492 428 NtQueryValueKey (200, (200, "LogLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01493 428 NtQueryValueKey (200, (200, "LogPath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01494 428 NtOpenKey (0x1, {24, 200, 0x40, 0, 0, (0x1, {24, 200, 0x40, 0, 0, "AppLogLevels"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01495 428 NtClose (200, ... ) == 0x0 01496 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 1233072, ... ) }, 1233072, ... ) == 0x0 01497 428 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName"}, ... 200, ) }, ... 200, ) == 0x0 01498 428 NtQueryValueKey (200, (200, "ComputerName", Full, 128, ... 
TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (200, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (200, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0 01499 428 NtClose (200, ... ) == 0x0 01500 428 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 200, ) }, ... 200, ) == 0x0 01501 428 NtQueryValueKey (200, (200, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (200, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) , Data= (200, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) }, 52, ) == 0x0 01502 428 NtClose (200, ... ) == 0x0 01503 428 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\System\DNSclient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01504 428 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 200, ) }, ... 200, ) == 0x0 01505 428 NtQueryValueKey (200, (200, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (200, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Data= (200, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) }, 34, ) == 0x0 01506 428 NtClose (200, ... ) == 0x0 01507 428 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01508 428 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 
200, ) == 0x0 01509 428 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01510 428 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01511 428 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1233852, (0xc0100080, {24, 0, 0x40, 0, 1233852, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 204, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 204, {status=0x0, info=1}, ) == 0x0 01512 428 NtSetInformationFile (204, 1233908, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 01513 428 NtSetInformationFile (204, 1233900, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 01514 428 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01515 428 NtWriteFile (204, 125, 0, 0, (204, 125, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 01516 428 NtReadFile (204, 125, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (204, 125, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20w\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 01517 428 NtFsControlFile (204, 125, 0x0, 0x0, 0x11c017, (204, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0t\332\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20w\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68}, (204, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0t\332\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... 
{status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20w\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 01518 428 NtFsControlFile (204, 125, 0x0, 0x0, 0x11c017, (204, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0j\0\0\0\2\0\0\0R\0\0\0\0\0\37\0\0\0\0\0`8\354S\340?\334\21\261\310\0\14)\371\246\305*\0,\0\14\344gv\26\0\0\0\0\0\0\0\25\0\0\0S\0e\0L\0o\0a\0d\0D\0r\0i\0v\0e\0r\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 106, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0`8\354S\340?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 106, 1024, ... {status=0x103, info=48}, (204, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0j\0\0\0\2\0\0\0R\0\0\0\0\0\37\0\0\0\0\0`8\354S\340?\334\21\261\310\0\14)\371\246\305*\0,\0\14\344gv\26\0\0\0\0\0\0\0\25\0\0\0S\0e\0L\0o\0a\0d\0D\0r\0i\0v\0e\0r\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 106, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0`8\354S\340?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 01519 428 NtFsControlFile (204, 125, 0x0, 0x0, 0x11c017, (204, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0`8\354S\340?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\12\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=36}, (204, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0`8\354S\340?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\12\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103 01520 428 NtClose (200, ... ) == 0x0 01521 428 NtClose (204, ... ) == 0x0 01522 428 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01523 428 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 204, ) == 0x0 01524 428 NtOpenThreadToken (-2, 0xc, 1, ... 
) == STATUS_NO_TOKEN 01525 428 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01526 428 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1233852, (0xc0100080, {24, 0, 0x40, 0, 1233852, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 200, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 200, {status=0x0, info=1}, ) == 0x0 01527 428 NtSetInformationFile (200, 1233908, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 01528 428 NtSetInformationFile (200, 1233900, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 01529 428 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01530 428 NtWriteFile (200, 125, 0, 0, (200, 125, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 01531 428 NtReadFile (200, 125, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (200, 125, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20x\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 01532 428 NtFsControlFile (200, 125, 0x0, 0x0, 0x11c017, (200, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0t\332\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20x\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68}, (200, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0t\332\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... 
{status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20x\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 01533 428 NtFsControlFile (200, 125, 0x0, 0x0, 0x11c017, (200, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0b\0\0\0\2\0\0\0J\0\0\0\0\0\37\0\0\0\0\0a8\354S\340?\334\21\261\310\0\14)\371\246\305"\0$\0l\343gv\22\0\0\0\0\0\0\0\21\0\0\0S\0e\0U\0n\0d\0o\0c\0k\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 98, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0a8\354S\340?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) \0$\0l\343gv\22\0\0\0\0\0\0\0\21\0\0\0S\0e\0U\0n\0d\0o\0c\0k\0P\0r\0i\0v\0i\0l\0e\0g\0e\0 (200, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0b\0\0\0\2\0\0\0J\0\0\0\0\0\37\0\0\0\0\0a8\354S\340?\334\21\261\310\0\14)\371\246\305"\0$\0l\343gv\22\0\0\0\0\0\0\0\21\0\0\0S\0e\0U\0n\0d\0o\0c\0k\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 98, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0a8\354S\340?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) \5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0a8\354S\340?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) == 0x103 01534 428 NtFsControlFile (200, 125, 0x0, 0x0, 0x11c017, (200, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0a8\354S\340?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\31\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=36}, (200, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0a8\354S\340?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\31\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103 01535 428 NtClose (204, ... ) == 0x0 01536 428 NtClose (200, ... ) == 0x0 01537 428 NtOpenThreadToken (-2, 0x20, 1, ... 
) == STATUS_NO_TOKEN 01538 428 NtOpenProcessToken (-1, 0x20, ... 200, ) == 0x0 01539 428 NtAdjustPrivilegesToken (200, 0, 1482368, 0, 0, 0, ... ) == 0x0 01540 428 NtClose (200, ... ) == 0x0 01541 428 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01542 428 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 200, ) == 0x0 01543 428 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01544 428 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01545 428 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1234092, (0xc0100080, {24, 0, 0x40, 0, 1234092, "\??\PIPE\ntsvcs"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 204, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 204, {status=0x0, info=1}, ) == 0x0 01546 428 NtSetInformationFile (204, 1234148, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 01547 428 NtSetInformationFile (204, 1234140, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 01548 428 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01549 428 NtWriteFile (204, 125, 0, 0, (204, 125, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0@N\237\215=\240\316\21\217i\10\0>0\5\33\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 01550 428 NtReadFile (204, 125, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (204, 125, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20H!\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 01551 428 NtFsControlFile (204, 125, 0x0, 0x0, 0x11c017, (204, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\27\0\15c\365S\277\266\320\21\224\362\0\240\311\36\373\213\0\0\0\0\0\0\0\0", 48, 1024, ... 
{status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20H!\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 48, 1024, ... {status=0x103, info=68}, (204, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\27\0\15c\365S\277\266\320\21\224\362\0\240\311\36\373\213\0\0\0\0\0\0\0\0", 48, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20H!\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 01552 428 NtOpenThreadToken (-2, 0x20, 1, ... ) == STATUS_NO_TOKEN 01553 428 NtOpenProcessToken (-1, 0x20, ... 208, ) == 0x0 01554 428 NtAdjustPrivilegesToken (208, 0, 1482760, 0, 0, 0, ... ) == 0x0 01555 428 NtClose (208, ... ) == 0x0 01556 428 NtFsControlFile (204, 125, 0x0, 0x0, 0x11c017, (204, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\04\0\0\0\2\0\0\0\34\0\0\0\0\0\26\0\15c\365S\277\266\320\21\224\362\0\240\311\36\373\213\0\0\0\0S\1\0\0\0\0\0\0", 52, 1024, ... {status=0x103, info=32}, "\5\0\2\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\0\0S\1\0\0\0\0\0\0", ) , 52, 1024, ... {status=0x103, info=32}, (204, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\04\0\0\0\2\0\0\0\34\0\0\0\0\0\26\0\15c\365S\277\266\320\21\224\362\0\240\311\36\373\213\0\0\0\0S\1\0\0\0\0\0\0", 52, 1024, ... {status=0x103, info=32}, "\5\0\2\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\0\0S\1\0\0\0\0\0\0", ) , ) == 0x103 01557 428 NtOpenFile (0x100080, {24, 0, 0x40, 0, 0, (0x100080, {24, 0, 0x40, 0, 0, "\??\FDC#GENERIC_FLOPPY_DRIVE#6&1435b2e2&0&0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, 3, 96, ... 208, {status=0x0, info=1}, ) }, 3, 96, ... 208, {status=0x0, info=1}, ) == 0x0 01558 428 NtOpenSymbolicLinkObject (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\??\FDC#GENERIC_FLOPPY_DRIVE#6&1435b2e2&0&0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, ... 212, ) }, ... 212, ) == 0x0 01559 428 NtQuerySymbolicLinkObject (212, ... (212, ... 
"\Device\FloppyPDO0", 38, ) , 38, ) == 0x0 01560 428 NtClose (212, ... ) == 0x0 01561 428 NtQueryVolumeInformationFile (208, 1234552, 8, Device, ... {status=0x0, info=8}, ) == 0x0 01562 428 NtClose (208, ... ) == 0x0 01563 428 NtOpenFile (0x100080, {24, 0, 0x40, 0, 0, (0x100080, {24, 0, 0x40, 0, 0, "\??\FDC#GENERIC_FLOPPY_DRIVE#6&1435b2e2&0&0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, 3, 16, ... 208, {status=0x0, info=1}, ) }, 3, 16, ... 208, {status=0x0, info=1}, ) == 0x0 01564 428 NtDeviceIoControlFile (208, 0, 0x0, 0x0, 0x4d0008, 0x0, 0, 520, ... {status=0x0, info=32}, (208, 0, 0x0, 0x0, 0x4d0008, 0x0, 0, 520, ... {status=0x0, info=32}, "\36\0\\0D\0e\0v\0i\0c\0e\0\\0F\0l\0o\0p\0p\0y\00\0", ) , ) == 0x0 01565 428 NtClose (208, ... ) == 0x0 01566 428 NtQueryInformationFile (-1, 1234552, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH 01567 428 NtCreateFile (0x100080, {24, 0, 0x40, 0, 1234504, (0x100080, {24, 0, 0x40, 0, 1234504, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 208, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 208, {status=0x0, info=0}, ) == 0x0 01568 428 NtDeviceIoControlFile (208, 0, 0x0, 0x0, 0x6d0008, (208, 0, 0x0, 0x0, 0x6d0008, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0\36\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0F\0l\0o\0p\0p\0y\00\0", 54, 32, ... , 54, 32, ... 01569 428 NtOpenFile (0x80, {24, 0, 0x200, 0, 0, (0x80, {24, 0, 0x200, 0, 0, "\Device\Floppy0"}, 0, 64, ... -2147482020, {status=0x0, info=1}, ) }, 0, 64, ... -2147482020, {status=0x0, info=1}, ) == 0x0 01570 428 NtClose (-2147482020, ... ) == 0x0 01568 428 NtDeviceIoControlFile ... ) == STATUS_BUFFER_OVERFLOW 01571 428 NtDeviceIoControlFile (208, 0, 0x0, 0x0, 0x6d0008, (208, 0, 0x0, 0x0, 0x6d0008, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0\36\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0F\0l\0o\0p\0p\0y\00\0", 54, 374, ... , 54, 374, ... 01572 428 NtOpenFile (0x80, {24, 0, 0x200, 0, 0, (0x80, {24, 0, 0x200, 0, 0, "\Device\Floppy0"}, 0, 64, ... -2147482020, {status=0x0, info=1}, ) }, 0, 64, ... 
-2147482020, {status=0x0, info=1}, ) == 0x0 01573 428 NtClose (-2147482020, ... ) == 0x0 01571 428 NtDeviceIoControlFile ... {status=0x0, info=374}, ... {status=0x0, info=374}, "v\1\0\0\2\0\0\0\372\0\0\0`\0\0\08\0\0\0\244\0\0\0\334\0\0\0\36\0v\0Z\1\0\0\34\0\\08\0\0\0\244\0p\0\334\0\0\0\36\0\0\0\\0?\0?\0\\0F\0D\0C\0#\0G\0E\0N\0E\0R\0I\0C\0_\0F\0L\0O\0P\0P\0Y\0_\0D\0R\0I\0V\0E\0#\06\0&\01\04\03\05\0b\02\0e\02\0&\00\0&\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\\0D\0e\0v\0i\0c\0e\0\\0F\0l\0o\0p\0p\0y\00\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\06\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\\0D\0o\0s\0D\0e\0v\0i\0c\0e\0s\0\\0A\0:\0", ) , ) == 0x0 01574 428 NtClose (208, ... ) == 0x0 01575 428 NtAllocateVirtualMemory (-1, 1486848, 0, 4096, 4096, 4, ... 1486848, 4096, ) == 0x0 01576 428 NtOpenKey (0x2000000, {24, 80, 0x40, 0, 0, (0x2000000, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 208, ) }, ... 208, ) == 0x0 01577 428 NtOpenKey (0x2000000, {24, 208, 0x40, 0, 0, (0x2000000, {24, 208, 0x40, 0, 0, "{1a0315e6-a4ba-11db-9d02-806d6172696f}\"}, ... 212, ) }, ... 212, ) == 0x0 01578 428 NtClose (208, ... ) == 0x0 01579 428 NtQueryValueKey (212, (212, "Data", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01580 428 NtQueryValueKey (212, (212, "Data", Partial, 712, ... 
TitleIdx=0, Type=3, Data="\0\0\0\0\\0\\0?\0\\0F\0D\0C\0#\0G\0E\0N\0E\0R\0I\0C\0_\0F\0L\0O\0P\0P\0Y\0_\0D\0R\0I\0V\0E\0#\06\0&\01\04\03\05\0b\02\0e\02\0&\00\0&\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\0\\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\06\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\0\0\0\0\0\310\2\0\0-\6\0\0\234\1\0\0\254\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\324\0\0\0-\6\0\0\234\1\0\0\254\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0.\6\0\0\234\1\0\0\254\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0P\0\0\0l\326\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\0\226\0\250\326\22\0\0\0\0\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0"}, 712, ) , Partial, 712, ... TitleIdx=0, Type=3, Data= (212, "Data", Partial, 712, ... 
TitleIdx=0, Type=3, Data="\0\0\0\0\\0\\0?\0\\0F\0D\0C\0#\0G\0E\0N\0E\0R\0I\0C\0_\0F\0L\0O\0P\0P\0Y\0_\0D\0R\0I\0V\0E\0#\06\0&\01\04\03\05\0b\02\0e\02\0&\00\0&\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\0\\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\06\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\0\0\0\0\0\310\2\0\0-\6\0\0\234\1\0\0\254\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\324\0\0\0-\6\0\0\234\1\0\0\254\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0.\6\0\0\234\1\0\0\254\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0P\0\0\0l\326\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\0\226\0\250\326\22\0\0\0\0\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0"}, 712, ) }, 712, ) == 0x0 01581 428 NtClose (212, ... ) == 0x0 01582 428 NtOpenKey (0x2000000, {24, 80, 0x40, 0, 0, (0x2000000, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 212, ) }, ... 212, ) == 0x0 01583 428 NtOpenKey (0x2000000, {24, 212, 0x40, 0, 0, (0x2000000, {24, 212, 0x40, 0, 0, "{1a0315e6-a4ba-11db-9d02-806d6172696f}\"}, ... 208, ) }, ... 208, ) == 0x0 01584 428 NtClose (212, ... ) == 0x0 01585 428 NtQueryValueKey (208, (208, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (208, "Generation", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01586 428 NtClose (208, ... ) == 0x0 01587 428 NtOpenFile (0x100080, {24, 0, 0x40, 0, 0, (0x100080, {24, 0, 0x40, 0, 0, "\??\IDE#CdRomTEAC_CD-224E-N__________________________1.AA____#3031303030303030303030303030303030303130#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, 3, 96, ... 208, {status=0x0, info=0}, ) }, 3, 96, ... 208, {status=0x0, info=0}, ) == 0x0 01588 428 NtOpenSymbolicLinkObject (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\??\IDE#CdRomTEAC_CD-224E-N__________________________1.AA____#3031303030303030303030303030303030303130#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, ... 212, ) }, ... 212, ) == 0x0 01589 428 NtQuerySymbolicLinkObject (212, ... (212, ... "\Device\Ide\IdeDeviceP1T0L0-e", 60, ) , 60, ) == 0x0 01590 428 NtClose (212, ... ) == 0x0 01591 428 NtQueryVolumeInformationFile (208, 1234552, 8, Device, ... {status=0x0, info=8}, ) == 0x0 01592 428 NtClose (208, ... ) == 0x0 01593 428 NtOpenFile (0x100080, {24, 0, 0x40, 0, 0, (0x100080, {24, 0, 0x40, 0, 0, "\??\IDE#CdRomTEAC_CD-224E-N__________________________1.AA____#3031303030303030303030303030303030303130#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, 3, 16, ... 208, {status=0x0, info=0}, ) }, 3, 16, ... 208, {status=0x0, info=0}, ) == 0x0 01594 428 NtDeviceIoControlFile (208, 0, 0x0, 0x0, 0x4d0008, 0x0, 0, 520, ... {status=0x0, info=30}, (208, 0, 0x0, 0x0, 0x4d0008, 0x0, 0, 520, ... {status=0x0, info=30}, "\34\0\\0D\0e\0v\0i\0c\0e\0\\0C\0d\0R\0o\0m\00\0", ) , ) == 0x0 01595 428 NtClose (208, ... ) == 0x0 01596 428 NtQueryInformationFile (-1, 1234552, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH 01597 428 NtCreateFile (0x100080, {24, 0, 0x40, 0, 1234504, (0x100080, {24, 0, 0x40, 0, 1234504, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 208, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 
208, {status=0x0, info=0}, ) == 0x0 01598 428 NtDeviceIoControlFile (208, 0, 0x0, 0x0, 0x6d0008, (208, 0, 0x0, 0x0, 0x6d0008, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0\34\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0C\0d\0R\0o\0m\00\0", 52, 32, ... , 52, 32, ... 01599 428 NtOpenFile (0x80, {24, 0, 0x200, 0, 0, (0x80, {24, 0, 0x200, 0, 0, "\Device\CdRom0"}, 0, 64, ... -2147482020, {status=0x0, info=0}, ) }, 0, 64, ... -2147482020, {status=0x0, info=0}, ) == 0x0 01600 428 NtClose (-2147482020, ... ) == 0x0 01598 428 NtDeviceIoControlFile ... ) == STATUS_BUFFER_OVERFLOW 01601 428 NtDeviceIoControlFile (208, 0, 0x0, 0x0, 0x6d0008, (208, 0, 0x0, 0x0, 0x6d0008, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0\34\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0C\0d\0R\0o\0m\00\0", 52, 490, ... , 52, 490, ... 01602 428 NtOpenFile (0x80, {24, 0, 0x200, 0, 0, (0x80, {24, 0, 0x200, 0, 0, "\Device\CdRom0"}, 0, 64, ... -2147482020, {status=0x0, info=0}, ) }, 0, 64, ... -2147482020, {status=0x0, info=0}, ) == 0x0 01603 428 NtClose (-2147482020, ... ) == 0x0 01601 428 NtDeviceIoControlFile ... {status=0x0, info=490}, ... {status=0x0, info=490}, "\352\1\0\0\2\0\0\0n\1\0\0`\0\0\08\0\0\0\32\1\0\0R\1\0\0\34\0v\0\316\1\0\0\34\0\\08\0\0\0\32\1o\0R\1\0\0\34\0\0\0\\0?\0?\0\\0I\0D\0E\0#\0C\0d\0R\0o\0m\0T\0E\0A\0C\0_\0C\0D\0-\02\02\04\0E\0-\0N\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\01\0.\0A\0A\0_\0_\0_\0_\0#\03\00\03\01\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\01\03\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\\0D\0e\0v\0i\0c\0e\0\\0C\0d\0R\0o\0m\00\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\07\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\\0D\0o\0s\0D\0e\0v\0i\0c\0e\0s\0\\0D\0:\0", ) , ) == 0x0 01604 428 NtClose (208, ... 
) == 0x0 01605 428 NtOpenKey (0x2000000, {24, 80, 0x40, 0, 0, (0x2000000, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 208, ) }, ... 208, ) == 0x0 01606 428 NtOpenKey (0x2000000, {24, 208, 0x40, 0, 0, (0x2000000, {24, 208, 0x40, 0, 0, "{1a0315e7-a4ba-11db-9d02-806d6172696f}\"}, ... 212, ) }, ... 212, ) == 0x0 01607 428 NtClose (208, ... ) == 0x0 01608 428 NtQueryValueKey (212, (212, "Data", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01609 428 NtQueryValueKey (212, (212, "Data", Partial, 712, ... TitleIdx=0, Type=3, Data="\0\0\0\0\\0\\0?\0\\0I\0D\0E\0#\0C\0d\0R\0o\0m\0T\0E\0A\0C\0_\0C\0D\0-\02\02\04\0E\0-\0N\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\01\0.\0A\0A\0_\0_\0_\0_\0#\03\00\03\01\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\01\03\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\0\\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\07\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\0\0\0\0\0\310\2\0\0J\6\0\0\234\1\0\0\254\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\324\0\0\0J\6\0\0\234\1\0\0\254\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0K\6\0\0\234\1\0\0\254\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0P\0\0\0l\326\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\0\226\0\250\326\22\0\0\0\0\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0"}, 712, ) , Partial, 712, ... TitleIdx=0, Type=3, Data= (212, "Data", Partial, 712, ... 
TitleIdx=0, Type=3, Data="\0\0\0\0\\0\\0?\0\\0I\0D\0E\0#\0C\0d\0R\0o\0m\0T\0E\0A\0C\0_\0C\0D\0-\02\02\04\0E\0-\0N\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\01\0.\0A\0A\0_\0_\0_\0_\0#\03\00\03\01\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\01\03\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\0\\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\07\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\0\0\0\0\0\310\2\0\0J\6\0\0\234\1\0\0\254\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\324\0\0\0J\6\0\0\234\1\0\0\254\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0K\6\0\0\234\1\0\0\254\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0P\0\0\0l\326\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\0\226\0\250\326\22\0\0\0\0\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0"}, 712, ) }, 712, ) == 0x0 01610 428 NtClose (212, ... ) == 0x0 01611 428 NtOpenKey (0x2000000, {24, 80, 0x40, 0, 0, (0x2000000, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 212, ) }, ... 212, ) == 0x0 01612 428 NtOpenKey (0x2000000, {24, 212, 0x40, 0, 0, (0x2000000, {24, 212, 0x40, 0, 0, "{1a0315e7-a4ba-11db-9d02-806d6172696f}\"}, ... 208, ) }, ... 208, ) == 0x0 01613 428 NtClose (212, ... ) == 0x0 01614 428 NtQueryValueKey (208, (208, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (208, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01615 428 NtClose (208, ... 
) == 0x0 01616 428 NtOpenFile (0x100080, {24, 0, 0x40, 0, 0, (0x100080, {24, 0, 0x40, 0, 0, "\??\STORAGE#Volume#1&30a96598&0&SignatureEF3BEF3BOffset7E00LengthBFB48200#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, 3, 96, ... 208, {status=0x0, info=0}, ) }, 3, 96, ... 208, {status=0x0, info=0}, ) == 0x0 01617 428 NtOpenSymbolicLinkObject (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\??\STORAGE#Volume#1&30a96598&0&SignatureEF3BEF3BOffset7E00LengthBFB48200#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, ... 212, ) }, ... 212, ) == 0x0 01618 428 NtQuerySymbolicLinkObject (212, ... (212, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0 01619 428 NtClose (212, ... ) == 0x0 01620 428 NtQueryVolumeInformationFile (208, 1234552, 8, Device, ... {status=0x0, info=8}, ) == 0x0 01621 428 NtClose (208, ... ) == 0x0 01622 428 NtOpenFile (0x100080, {24, 0, 0x40, 0, 0, (0x100080, {24, 0, 0x40, 0, 0, "\??\STORAGE#Volume#1&30a96598&0&SignatureEF3BEF3BOffset7E00LengthBFB48200#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, 3, 16, ... 208, {status=0x0, info=0}, ) }, 3, 16, ... 208, {status=0x0, info=0}, ) == 0x0 01623 428 NtDeviceIoControlFile (208, 0, 0x0, 0x0, 0x4d0008, 0x0, 0, 520, ... {status=0x0, info=48}, (208, 0, 0x0, 0x0, 0x4d0008, 0x0, 0, 520, ... {status=0x0, info=48}, ".\0\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0", ) , ) == 0x0 01624 428 NtClose (208, ... ) == 0x0 01625 428 NtQueryInformationFile (-1, 1234552, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH 01626 428 NtCreateFile (0x100080, {24, 0, 0x40, 0, 1234504, (0x100080, {24, 0, 0x40, 0, 1234504, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 208, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 208, {status=0x0, info=0}, ) == 0x0 01627 428 NtDeviceIoControlFile (208, 0, 0x0, 0x0, 0x6d0008, (208, 0, 0x0, 0x0, 0x6d0008, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0.\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0", 70, 32, ... , 70, 32, ... 
01628 428 NtOpenFile (0x80, {24, 0, 0x200, 0, 0, (0x80, {24, 0, 0x200, 0, 0, "\Device\HarddiskVolume1"}, 0, 64, ... -2147482020, {status=0x0, info=0}, ) }, 0, 64, ... -2147482020, {status=0x0, info=0}, ) == 0x0 01629 428 NtClose (-2147482020, ... ) == 0x0 01627 428 NtDeviceIoControlFile ... ) == STATUS_BUFFER_OVERFLOW 01630 428 NtDeviceIoControlFile (208, 0, 0x0, 0x0, 0x6d0008, (208, 0, 0x0, 0x0, 0x6d0008, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0.\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0", 70, 238, ... , 70, 238, ... 01631 428 NtOpenFile (0x80, {24, 0, 0x200, 0, 0, (0x80, {24, 0, 0x200, 0, 0, "\Device\HarddiskVolume1"}, 0, 64, ... -2147482020, {status=0x0, info=0}, ) }, 0, 64, ... -2147482020, {status=0x0, info=0}, ) == 0x0 01632 428 NtClose (-2147482020, ... ) == 0x0 01630 428 NtDeviceIoControlFile ... {status=0x0, info=238}, ... {status=0x0, info=238}, "\356\0\0\0\2\0\0\0r\0\0\0`\0\0\08\0\0\0\14\0\0\0D\0\0\0.\0v\0\322\0\0\0\34\0\\08\0\0\0\14\0d\0D\0\0\0.\0k\0;\357;\357\0~\0\0\0\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\09\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\\0D\0o\0s\0D\0e\0v\0i\0c\0e\0s\0\\0C\0:\0", ) , ) == 0x0 01633 428 NtClose (208, ... ) == 0x0 01634 428 NtOpenKey (0x2000000, {24, 80, 0x40, 0, 0, (0x2000000, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 208, ) }, ... 208, ) == 0x0 01635 428 NtOpenKey (0x2000000, {24, 208, 0x40, 0, 0, (0x2000000, {24, 208, 0x40, 0, 0, "{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, ... 212, ) }, ... 212, ) == 0x0 01636 428 NtClose (208, ... ) == 0x0 01637 428 NtQueryValueKey (212, (212, "Data", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01638 428 NtQueryValueKey (212, (212, "Data", Partial, 712, ... 
TitleIdx=0, Type=3, Data="\0\0\0\0\\0\\0?\0\\0S\0T\0O\0R\0A\0G\0E\0#\0V\0o\0l\0u\0m\0e\0#\01\0&\03\00\0a\09\06\05\09\08\0&\00\0&\0S\0i\0g\0n\0a\0t\0u\0r\0e\0E\0F\03\0B\0E\0F\03\0B\0O\0f\0f\0s\0e\0t\07\0E\00\00\0L\0e\0n\0g\0t\0h\0B\0F\0B\04\08\02\00\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\0\\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\09\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\0\0\0\0\0\310\2\0\0g\6\0\0\234\1\0\0\254\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\324\0\0\0g\6\0\0\234\1\0\0\254\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0h\6\0\0\234\1\0\0\254\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0P\0\0\0l\326\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\0\226\0\250\326\22\0\0\0\0\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0"}, 712, ) , Partial, 712, ... TitleIdx=0, Type=3, Data= (212, "Data", Partial, 712, ... 
TitleIdx=0, Type=3, Data="\0\0\0\0\\0\\0?\0\\0S\0T\0O\0R\0A\0G\0E\0#\0V\0o\0l\0u\0m\0e\0#\01\0&\03\00\0a\09\06\05\09\08\0&\00\0&\0S\0i\0g\0n\0a\0t\0u\0r\0e\0E\0F\03\0B\0E\0F\03\0B\0O\0f\0f\0s\0e\0t\07\0E\00\00\0L\0e\0n\0g\0t\0h\0B\0F\0B\04\08\02\00\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\0\\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\09\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\0\0\0\0\0\310\2\0\0g\6\0\0\234\1\0\0\254\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\324\0\0\0g\6\0\0\234\1\0\0\254\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0h\6\0\0\234\1\0\0\254\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0P\0\0\0l\326\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\0\226\0\250\326\22\0\0\0\0\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0"}, 712, ) }, 712, ) == 0x0 01639 428 NtClose (212, ... ) == 0x0 01640 428 NtOpenKey (0x2000000, {24, 80, 0x40, 0, 0, (0x2000000, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 212, ) }, ... 212, ) == 0x0 01641 428 NtOpenKey (0x2000000, {24, 212, 0x40, 0, 0, (0x2000000, {24, 212, 0x40, 0, 0, "{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, ... 208, ) }, ... 208, ) == 0x0 01642 428 NtClose (212, ... ) == 0x0 01643 428 NtQueryValueKey (208, (208, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (208, "Generation", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01644 428 NtClose (208, ... ) == 0x0 01645 428 NtQueryInformationFile (-1, 1235756, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH 01646 428 NtCreateFile (0x100080, {24, 0, 0x40, 0, 1235708, (0x100080, {24, 0, 0x40, 0, 1235708, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 208, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 208, {status=0x0, info=0}, ) == 0x0 01647 428 NtDeviceIoControlFile (208, 0, 0x0, 0x0, 0x6d0034, (208, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\09\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 8, ... , 520, 8, ... 01648 428 NtOpenFile (0x80, {24, 0, 0x200, 0, 0, (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e9-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482020, {status=0x0, info=0}, ) }, 0, 64, ... -2147482020, {status=0x0, info=0}, ) == 0x0 01649 428 NtClose (-2147482020, ... ) == 0x0 01647 428 NtDeviceIoControlFile ... 
) == STATUS_BUFFER_OVERFLOW 01650 428 NtDeviceIoControlFile (208, 0, 0x0, 0x0, 0x6d0034, (208, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\09\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 16, ... , 520, 16, ... 01651 428 NtOpenFile (0x80, {24, 0, 0x200, 0, 0, (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e9-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482020, {status=0x0, info=0}, ) }, 0, 64, ... -2147482020, {status=0x0, info=0}, ) == 0x0 01652 428 NtClose (-2147482020, ... ) == 0x0 01650 428 NtDeviceIoControlFile ... {status=0x0, info=12}, ... {status=0x0, info=12}, "\10\0\0\0C\0:\0\0\0\0\0", ) , ) == 0x0 01653 428 NtClose (208, ... ) == 0x0 01654 428 NtQueryInformationFile (-1, 1235756, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH 01655 428 NtCreateFile (0x100080, {24, 0, 0x40, 0, 1235708, (0x100080, {24, 0, 0x40, 0, 1235708, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 208, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 
208, {status=0x0, info=0}, ) == 0x0 01656 428 NtDeviceIoControlFile (208, 0, 0x0, 0x0, 0x6d0034, (208, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\09\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 8, ... , 520, 8, ... 01657 428 NtOpenFile (0x80, {24, 0, 0x200, 0, 0, (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e9-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482020, {status=0x0, info=0}, ) }, 0, 64, ... -2147482020, {status=0x0, info=0}, ) == 0x0 01658 428 NtClose (-2147482020, ... ) == 0x0 01656 428 NtDeviceIoControlFile ... 
) == STATUS_BUFFER_OVERFLOW 01659 428 NtDeviceIoControlFile (208, 0, 0x0, 0x0, 0x6d0034, (208, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\09\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 16, ... , 520, 16, ... 01660 428 NtOpenFile (0x80, {24, 0, 0x200, 0, 0, (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e9-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482020, {status=0x0, info=0}, ) }, 0, 64, ... -2147482020, {status=0x0, info=0}, ) == 0x0 01661 428 NtClose (-2147482020, ... ) == 0x0 01659 428 NtDeviceIoControlFile ... {status=0x0, info=12}, ... {status=0x0, info=12}, "\10\0\0\0C\0:\0\0\0\0\0", ) , ) == 0x0 01662 428 NtClose (208, ... ) == 0x0 01663 428 NtCreateKey (0x2000000, {24, 80, 0x40, 0, 0, (0x2000000, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, 0, 0x0, 0, ... 208, 2, ) }, 0, 0x0, 0, ... 208, 2, ) == 0x0 01664 428 NtSetValueKey (208, (208, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 0, 1, (208, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 12, ... 
) == 0x0 01665 428 NtClose (208, ... ) == 0x0 01666 428 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\C\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01667 428 NtQueryKey (158, Name, 384, ... {Name= (158, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0 01668 428 NtOpenKey (0x1, {24, 158, 0x40, 0, 0, (0x1, {24, 158, 0x40, 0, 0, "Applications\Explorer.exe\Drives\C\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01669 428 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\C\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01670 428 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\C\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01671 428 NtQueryKey (158, Name, 384, ... {Name= (158, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0 01672 428 NtOpenKey (0x1, {24, 158, 0x40, 0, 0, (0x1, {24, 158, 0x40, 0, 0, "Applications\Explorer.exe\Drives\C\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01673 428 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\C\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01674 428 NtQueryInformationFile (-1, 1235756, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH 01675 428 NtCreateFile (0x100080, {24, 0, 0x40, 0, 1235708, (0x100080, {24, 0, 0x40, 0, 1235708, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 208, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 
208, {status=0x0, info=0}, ) == 0x0 01676 428 NtDeviceIoControlFile (208, 0, 0x0, 0x0, 0x6d0034, (208, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\07\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 8, ... , 520, 8, ... 01677 428 NtOpenFile (0x80, {24, 0, 0x200, 0, 0, (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e7-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482020, {status=0x0, info=0}, ) }, 0, 64, ... -2147482020, {status=0x0, info=0}, ) == 0x0 01678 428 NtClose (-2147482020, ... ) == 0x0 01676 428 NtDeviceIoControlFile ... 
) == STATUS_BUFFER_OVERFLOW 01679 428 NtDeviceIoControlFile (208, 0, 0x0, 0x0, 0x6d0034, (208, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\07\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 16, ... , 520, 16, ... 01680 428 NtOpenFile (0x80, {24, 0, 0x200, 0, 0, (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e7-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482020, {status=0x0, info=0}, ) }, 0, 64, ... -2147482020, {status=0x0, info=0}, ) == 0x0 01681 428 NtClose (-2147482020, ... ) == 0x0 01679 428 NtDeviceIoControlFile ... {status=0x0, info=12}, ... {status=0x0, info=12}, "\10\0\0\0D\0:\0\0\0\0\0", ) , ) == 0x0 01682 428 NtClose (208, ... ) == 0x0 01683 428 NtQueryInformationFile (-1, 1235756, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH 01684 428 NtCreateFile (0x100080, {24, 0, 0x40, 0, 1235708, (0x100080, {24, 0, 0x40, 0, 1235708, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 208, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 
208, {status=0x0, info=0}, ) == 0x0 01685 428 NtDeviceIoControlFile (208, 0, 0x0, 0x0, 0x6d0034, (208, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\07\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 8, ... , 520, 8, ... 01686 428 NtOpenFile (0x80, {24, 0, 0x200, 0, 0, (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e7-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482020, {status=0x0, info=0}, ) }, 0, 64, ... -2147482020, {status=0x0, info=0}, ) == 0x0 01687 428 NtClose (-2147482020, ... ) == 0x0 01685 428 NtDeviceIoControlFile ... 
) == STATUS_BUFFER_OVERFLOW 01688 428 NtDeviceIoControlFile (208, 0, 0x0, 0x0, 0x6d0034, (208, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\07\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 16, ... , 520, 16, ... 01689 428 NtOpenFile (0x80, {24, 0, 0x200, 0, 0, (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e7-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482020, {status=0x0, info=0}, ) }, 0, 64, ... -2147482020, {status=0x0, info=0}, ) == 0x0 01690 428 NtClose (-2147482020, ... ) == 0x0 01688 428 NtDeviceIoControlFile ... {status=0x0, info=12}, ... {status=0x0, info=12}, "\10\0\0\0D\0:\0\0\0\0\0", ) , ) == 0x0 01691 428 NtClose (208, ... ) == 0x0 01692 428 NtCreateKey (0x2000000, {24, 80, 0x40, 0, 0, (0x2000000, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1a0315e7-a4ba-11db-9d02-806d6172696f}\"}, 0, 0x0, 0, ... 208, 2, ) }, 0, 0x0, 0, ... 208, 2, ) == 0x0 01693 428 NtSetValueKey (208, (208, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 0, 1, (208, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 12, ... 
) == 0x0 01694 428 NtClose (208, ... ) == 0x0 01695 428 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\D\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01696 428 NtQueryKey (158, Name, 384, ... {Name= (158, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0 01697 428 NtOpenKey (0x1, {24, 158, 0x40, 0, 0, (0x1, {24, 158, 0x40, 0, 0, "Applications\Explorer.exe\Drives\D\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01698 428 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\D\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01699 428 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\D\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01700 428 NtQueryKey (158, Name, 384, ... {Name= (158, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0 01701 428 NtOpenKey (0x1, {24, 158, 0x40, 0, 0, (0x1, {24, 158, 0x40, 0, 0, "Applications\Explorer.exe\Drives\D\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01702 428 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\D\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01703 428 NtQueryInformationFile (-1, 1235756, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH 01704 428 NtCreateFile (0x100080, {24, 0, 0x40, 0, 1235708, (0x100080, {24, 0, 0x40, 0, 1235708, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 208, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 
208, {status=0x0, info=0}, ) == 0x0 01705 428 NtDeviceIoControlFile (208, 0, 0x0, 0x0, 0x6d0034, (208, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\06\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 8, ... , 520, 8, ... 01706 428 NtOpenFile (0x80, {24, 0, 0x200, 0, 0, (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e6-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482020, {status=0x0, info=1}, ) }, 0, 64, ... -2147482020, {status=0x0, info=1}, ) == 0x0 01707 428 NtClose (-2147482020, ... ) == 0x0 01705 428 NtDeviceIoControlFile ... 
) == STATUS_BUFFER_OVERFLOW 01708 428 NtDeviceIoControlFile (208, 0, 0x0, 0x0, 0x6d0034, (208, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\06\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 16, ... , 520, 16, ... 01709 428 NtOpenFile (0x80, {24, 0, 0x200, 0, 0, (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e6-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482020, {status=0x0, info=1}, ) }, 0, 64, ... -2147482020, {status=0x0, info=1}, ) == 0x0 01710 428 NtClose (-2147482020, ... ) == 0x0 01708 428 NtDeviceIoControlFile ... {status=0x0, info=12}, ... {status=0x0, info=12}, "\10\0\0\0A\0:\0\0\0\0\0", ) , ) == 0x0 01711 428 NtClose (208, ... ) == 0x0 01712 428 NtQueryInformationFile (-1, 1235756, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH 01713 428 NtCreateFile (0x100080, {24, 0, 0x40, 0, 1235708, (0x100080, {24, 0, 0x40, 0, 1235708, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 208, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 
208, {status=0x0, info=0}, ) == 0x0 01714 428 NtDeviceIoControlFile (208, 0, 0x0, 0x0, 0x6d0034, (208, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\06\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 8, ... , 520, 8, ... 01715 428 NtOpenFile (0x80, {24, 0, 0x200, 0, 0, (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e6-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482020, {status=0x0, info=1}, ) }, 0, 64, ... -2147482020, {status=0x0, info=1}, ) == 0x0 01716 428 NtClose (-2147482020, ... ) == 0x0 01714 428 NtDeviceIoControlFile ... 
) == STATUS_BUFFER_OVERFLOW 01717 428 NtDeviceIoControlFile (208, 0, 0x0, 0x0, 0x6d0034, (208, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\06\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 16, ... , 520, 16, ... 01718 428 NtOpenFile (0x80, {24, 0, 0x200, 0, 0, (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e6-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482020, {status=0x0, info=1}, ) }, 0, 64, ... -2147482020, {status=0x0, info=1}, ) == 0x0 01719 428 NtClose (-2147482020, ... ) == 0x0 01717 428 NtDeviceIoControlFile ... {status=0x0, info=12}, ... {status=0x0, info=12}, "\10\0\0\0A\0:\0\0\0\0\0", ) , ) == 0x0 01720 428 NtClose (208, ... ) == 0x0 01721 428 NtCreateKey (0x2000000, {24, 80, 0x40, 0, 0, (0x2000000, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1a0315e6-a4ba-11db-9d02-806d6172696f}\"}, 0, 0x0, 0, ... 208, 2, ) }, 0, 0x0, 0, ... 208, 2, ) == 0x0 01722 428 NtSetValueKey (208, (208, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 0, 1, (208, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 12, ... 
) == 0x0 01723 428 NtClose (208, ... ) == 0x0 01724 428 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\A\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01725 428 NtQueryKey (158, Name, 384, ... {Name= (158, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0 01726 428 NtOpenKey (0x1, {24, 158, 0x40, 0, 0, (0x1, {24, 158, 0x40, 0, 0, "Applications\Explorer.exe\Drives\A\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01727 428 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\A\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01728 428 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\A\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01729 428 NtQueryKey (158, Name, 384, ... {Name= (158, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0 01730 428 NtOpenKey (0x1, {24, 158, 0x40, 0, 0, (0x1, {24, 158, 0x40, 0, 0, "Applications\Explorer.exe\Drives\A\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01731 428 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\A\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01732 428 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 01733 428 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 01734 428 NtOpenFile (0x100080, {24, 0, 0x40, 0, 0, (0x100080, {24, 0, 0x40, 0, 0, "\??\F:"}, 3, 96, ... 208, {status=0x0, info=1}, ) }, 3, 96, ... 
208, {status=0x0, info=1}, ) == 0x0 01735 428 NtOpenSymbolicLinkObject (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\??\F:"}, ... 212, ) }, ... 212, ) == 0x0 01736 428 NtQuerySymbolicLinkObject (212, ... (212, ... "\Device\WinDfs\F:0000000000009278", 66, ) , 66, ) == 0x0 01737 428 NtClose (212, ... ) == 0x0 01738 428 NtQueryVolumeInformationFile (208, 1235800, 8, Device, ... {status=0x0, info=8}, ) == 0x0 01739 428 NtClose (208, ... ) == 0x0 01740 428 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 01741 428 NtOpenFile (0x100080, {24, 0, 0x40, 0, 0, (0x100080, {24, 0, 0x40, 0, 0, "\??\U:"}, 3, 96, ... 208, {status=0x0, info=1}, ) }, 3, 96, ... 208, {status=0x0, info=1}, ) == 0x0 01742 428 NtOpenSymbolicLinkObject (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\??\U:"}, ... 212, ) }, ... 212, ) == 0x0 01743 428 NtQuerySymbolicLinkObject (212, ... (212, ... "\Device\WinDfs\U:0000000000009278", 66, ) , 66, ) == 0x0 01744 428 NtClose (212, ... ) == 0x0 01745 428 NtQueryVolumeInformationFile (208, 1235800, 8, Device, ... {status=0x0, info=8}, ) == 0x0 01746 428 NtClose (208, ... ) == 0x0 01747 428 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 01748 428 NtOpenKey (0x2000000, {24, 80, 0x40, 0, 0, (0x2000000, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 208, ) }, ... 208, ) == 0x0 01749 428 NtOpenKey (0x2000000, {24, 208, 0x40, 0, 0, (0x2000000, {24, 208, 0x40, 0, 0, "{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, ... 212, ) }, ... 212, ) == 0x0 01750 428 NtClose (208, ... ) == 0x0 01751 428 NtQueryValueKey (212, (212, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (212, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01752 428 NtClose (212, ... 
) == 0x0 01753 428 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 212, {status=0x0, info=1}, ) }, 3, 16417, ... 212, {status=0x0, info=1}, ) == 0x0 01754 428 NtQueryDirectoryFile (212, 0, 0, 0, 1233988, 616, BothDirectory, 1, (212, 0, 0, 0, 1233988, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0 01755 428 NtClose (212, ... ) == 0x0 01756 428 NtQueryKey (158, Name, 384, ... {Name= (158, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0 01757 428 NtOpenKey (0x2000000, {24, 158, 0x40, 0, 0, (0x2000000, {24, 158, 0x40, 0, 0, "Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01758 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Directory"}, ... 212, ) }, ... 212, ) == 0x0 01759 428 NtQueryKey (214, Name, 384, ... {Name= (214, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0 01760 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01761 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 208, ) == 0x0 01762 428 NtQueryInformationToken (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01763 428 NtClose (208, ... ) == 0x0 01764 428 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01765 428 NtOpenKey (0x1, {24, 214, 0x40, 0, 0, (0x1, {24, 214, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01766 428 NtQueryKey (214, Name, 384, ... {Name= (214, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0 01767 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01768 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 
208, ) == 0x0 01769 428 NtQueryInformationToken (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01770 428 NtClose (208, ... ) == 0x0 01771 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01772 428 NtOpenKey (0x2000000, {24, 214, 0x40, 0, 0, ""}, ... 208, ) == 0x0 01773 428 NtClose (214, ... ) == 0x0 01774 428 NtReleaseSemaphore (152, 1, ... 0, ) == 0x0 01775 428 NtWaitForSingleObject (152, 0, {0, 0}, ... ) == 0x0 01776 428 NtReleaseSemaphore (172, 1, ... 0, ) == 0x0 01777 428 NtWaitForSingleObject (172, 0, {0, 0}, ... ) == 0x0 01778 428 NtQueryKey (210, Name, 384, ... {Name= (210, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0 01779 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01780 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 212, ) == 0x0 01781 428 NtQueryInformationToken (212, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01782 428 NtClose (212, ... ) == 0x0 01783 428 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory\ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01784 428 NtOpenKey (0x1, {24, 210, 0x40, 0, 0, (0x1, {24, 210, 0x40, 0, 0, "ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01785 428 NtQueryKey (210, Name, 392, ... {Name= (210, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0 01786 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01787 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 212, ) == 0x0 01788 428 NtQueryInformationToken (212, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01789 428 NtClose (212, ... 
) == 0x0 01790 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01791 428 NtQueryValueKey (210, (210, "DocObject", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01792 428 NtQueryKey (210, Name, 392, ... {Name= (210, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0 01793 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01794 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 212, ) == 0x0 01795 428 NtQueryInformationToken (212, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01796 428 NtClose (212, ... ) == 0x0 01797 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01798 428 NtQueryValueKey (210, (210, "BrowseInPlace", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01799 428 NtQueryKey (210, Name, 384, ... {Name= (210, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0 01800 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01801 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 212, ) == 0x0 01802 428 NtQueryInformationToken (212, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01803 428 NtClose (212, ... ) == 0x0 01804 428 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01805 428 NtOpenKey (0x1, {24, 210, 0x40, 0, 0, (0x1, {24, 210, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01806 428 NtQueryKey (158, Name, 384, ... {Name= (158, Name, 384, ... 
{Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 01807 428 NtOpenKey (0x2000000, {24, 158, 0x40, 0, 0, (0x2000000, {24, 158, 0x40, 0, 0, "Folder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01808 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Folder"}, ... 212, ) }, ... 212, ) == 0x0 01809 428 NtQueryKey (214, Name, 384, ... {Name= (214, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Foldert"}, 86, ) }, 86, ) == 0x0 01810 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01811 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 216, ) == 0x0 01812 428 NtQueryInformationToken (216, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01813 428 NtClose (216, ... ) == 0x0 01814 428 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Folder\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01815 428 NtOpenKey (0x1, {24, 214, 0x40, 0, 0, (0x1, {24, 214, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01816 428 NtQueryKey (210, Name, 392, ... {Name= (210, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0 01817 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01818 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 216, ) == 0x0 01819 428 NtQueryInformationToken (216, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01820 428 NtClose (216, ... ) == 0x0 01821 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01822 428 NtQueryValueKey (210, (210, "IsShortcut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01823 428 NtQueryKey (210, Name, 392, ... 
{Name= (210, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0 01824 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01825 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 216, ) == 0x0 01826 428 NtQueryInformationToken (216, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01827 428 NtClose (216, ... ) == 0x0 01828 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01829 428 NtQueryValueKey (210, (210, "AlwaysShowExt", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (210, "AlwaysShowExt", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 01830 428 NtQueryKey (210, Name, 392, ... {Name= (210, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0 01831 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01832 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 216, ) == 0x0 01833 428 NtQueryInformationToken (216, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01834 428 NtClose (216, ... ) == 0x0 01835 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01836 428 NtQueryValueKey (210, (210, "NeverShowExt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01837 428 NtClose (210, ... ) == 0x0 01838 428 NtClose (214, ... ) == 0x0 01839 428 NtAllocateVirtualMemory (-1, 1490944, 0, 4096, 4096, 4, ... 1490944, 4096, ) == 0x0 01840 428 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\"}, 3, 16417, ... 212, {status=0x0, info=1}, ) }, 3, 16417, ... 
212, {status=0x0, info=1}, ) == 0x0 01841 428 NtQueryDirectoryFile (212, 0, 0, 0, 1233892, 616, BothDirectory, 1, (212, 0, 0, 0, 1233892, 616, BothDirectory, 1, "SRI-user", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0 01842 428 NtClose (212, ... ) == 0x0 01843 428 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\"}, 3, 16417, ... 212, {status=0x0, info=1}, ) }, 3, 16417, ... 212, {status=0x0, info=1}, ) == 0x0 01844 428 NtQueryDirectoryFile (212, 0, 0, 0, 1233812, 616, BothDirectory, 1, (212, 0, 0, 0, 1233812, 616, BothDirectory, 1, "My Documents", 0, ... {status=0x0, info=118}, ) , 0, ... {status=0x0, info=118}, ) == 0x0 01845 428 NtClose (212, ... ) == 0x0 01846 428 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01847 428 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01848 428 NtAllocateVirtualMemory (-1, 1220608, 0, 4096, 4096, 260, ... 1220608, 4096, ) == 0x0 01849 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 1229184, ... ) }, 1229184, ... ) == 0x0 01850 428 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01851 428 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01852 428 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 7, 96, ... 212, {status=0x0, info=1}, ) }, 7, 96, ... 212, {status=0x0, info=1}, ) == 0x0 01853 428 NtLockFile (212, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 01854 428 NtQueryInformationFile (212, 1483448, 24, Standard, ... 
{status=0x0, info=24}, ) == 0x0 01855 428 NtAllocateVirtualMemory (-1, 0, 0, 1048659, 8192, 4, ... 9895936, 1052672, ) == 0x0 01856 428 NtAllocateVirtualMemory (-1, 9895936, 0, 83, 4096, 4, ... 9895936, 4096, ) == 0x0 01857 428 NtReadFile (212, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, (212, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, "[DeleteOnCopy]\15\12Owner=SRI-user\15\12Personalized=5\15\12PersonalizedName=My Documents\15\12", ) , ) == 0x0 01858 428 NtFreeVirtualMemory (-1, (0x970000), 1052672, 32768, ... (0x970000), 1052672, ) == 0x0 01859 428 NtUnlockFile (212, {0, 0}, {-1, -1}, 428, ... ) == STATUS_RANGE_NOT_LOCKED 01860 428 NtClose (212, ... ) == 0x0 01861 428 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 7, 96, ... 212, {status=0x0, info=1}, ) }, 7, 96, ... 212, {status=0x0, info=1}, ) == 0x0 01862 428 NtLockFile (212, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 01863 428 NtQueryInformationFile (212, 1483448, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01864 428 NtAllocateVirtualMemory (-1, 0, 0, 1048659, 8192, 4, ... 9895936, 1052672, ) == 0x0 01865 428 NtAllocateVirtualMemory (-1, 9895936, 0, 83, 4096, 4, ... 9895936, 4096, ) == 0x0 01866 428 NtReadFile (212, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, (212, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, "[DeleteOnCopy]\15\12Owner=SRI-user\15\12Personalized=5\15\12PersonalizedName=My Documents\15\12", ) , ) == 0x0 01867 428 NtFreeVirtualMemory (-1, (0x970000), 1052672, 32768, ... (0x970000), 1052672, ) == 0x0 01868 428 NtUnlockFile (212, {0, 0}, {-1, -1}, 428, ... ) == STATUS_RANGE_NOT_LOCKED 01869 428 NtClose (212, ... ) == 0x0 01870 428 NtOpenProcessToken (-1, 0x8, ... 212, ) == 0x0 01871 428 NtQueryInformationToken (212, Statistics, 56, ... 
{token info, class 10, size 56}, 56, ) == 0x0 01872 428 NtClose (212, ... ) == 0x0 01873 428 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01874 428 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01875 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 1229184, ... ) }, 1229184, ... ) == 0x0 01876 428 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01877 428 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01878 428 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 7, 96, ... 212, {status=0x0, info=1}, ) }, 7, 96, ... 212, {status=0x0, info=1}, ) == 0x0 01879 428 NtLockFile (212, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 01880 428 NtQueryInformationFile (212, 1483448, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01881 428 NtAllocateVirtualMemory (-1, 0, 0, 1048659, 8192, 4, ... 9895936, 1052672, ) == 0x0 01882 428 NtAllocateVirtualMemory (-1, 9895936, 0, 83, 4096, 4, ... 9895936, 4096, ) == 0x0 01883 428 NtReadFile (212, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, (212, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, "[DeleteOnCopy]\15\12Owner=SRI-user\15\12Personalized=5\15\12PersonalizedName=My Documents\15\12", ) , ) == 0x0 01884 428 NtFreeVirtualMemory (-1, (0x970000), 1052672, 32768, ... (0x970000), 1052672, ) == 0x0 01885 428 NtUnlockFile (212, {0, 0}, {-1, -1}, 428, ... ) == STATUS_RANGE_NOT_LOCKED 01886 428 NtClose (212, ... ) == 0x0 01887 428 NtAllocateVirtualMemory (-1, 1495040, 0, 4096, 4096, 4, ... 
1495040, 4096, ) == 0x0 01888 428 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 7, 96, ... 212, {status=0x0, info=1}, ) }, 7, 96, ... 212, {status=0x0, info=1}, ) == 0x0 01889 428 NtLockFile (212, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 01890 428 NtQueryInformationFile (212, 1483448, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01891 428 NtAllocateVirtualMemory (-1, 0, 0, 1048659, 8192, 4, ... 9895936, 1052672, ) == 0x0 01892 428 NtAllocateVirtualMemory (-1, 9895936, 0, 83, 4096, 4, ... 9895936, 4096, ) == 0x0 01893 428 NtReadFile (212, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, (212, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, "[DeleteOnCopy]\15\12Owner=SRI-user\15\12Personalized=5\15\12PersonalizedName=My Documents\15\12", ) , ) == 0x0 01894 428 NtFreeVirtualMemory (-1, (0x970000), 1052672, 32768, ... (0x970000), 1052672, ) == 0x0 01895 428 NtUnlockFile (212, {0, 0}, {-1, -1}, 428, ... ) == STATUS_RANGE_NOT_LOCKED 01896 428 NtClose (212, ... ) == 0x0 01897 428 NtOpenProcessToken (-1, 0x8, ... 212, ) == 0x0 01898 428 NtQueryInformationToken (212, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 01899 428 NtClose (212, ... ) == 0x0 01900 428 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01901 428 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01902 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 1231240, ... ) }, 1231240, ... ) == 0x0 01903 428 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01904 428 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... 
) == 0x0 01905 428 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 7, 96, ... 212, {status=0x0, info=1}, ) }, 7, 96, ... 212, {status=0x0, info=1}, ) == 0x0 01906 428 NtLockFile (212, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 01907 428 NtQueryInformationFile (212, 1483448, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01908 428 NtAllocateVirtualMemory (-1, 0, 0, 1048659, 8192, 4, ... 9895936, 1052672, ) == 0x0 01909 428 NtAllocateVirtualMemory (-1, 9895936, 0, 83, 4096, 4, ... 9895936, 4096, ) == 0x0 01910 428 NtReadFile (212, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, (212, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, "[DeleteOnCopy]\15\12Owner=SRI-user\15\12Personalized=5\15\12PersonalizedName=My Documents\15\12", ) , ) == 0x0 01911 428 NtFreeVirtualMemory (-1, (0x970000), 1052672, 32768, ... (0x970000), 1052672, ) == 0x0 01912 428 NtUnlockFile (212, {0, 0}, {-1, -1}, 428, ... ) == STATUS_RANGE_NOT_LOCKED 01913 428 NtClose (212, ... ) == 0x0 01914 428 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01915 428 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01916 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 1229520, ... ) }, 1229520, ... ) == 0x0 01917 428 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01918 428 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01919 428 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 7, 96, ... 212, {status=0x0, info=1}, ) }, 7, 96, ... 
212, {status=0x0, info=1}, ) == 0x0 01920 428 NtLockFile (212, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 01921 428 NtQueryInformationFile (212, 1483448, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01922 428 NtAllocateVirtualMemory (-1, 0, 0, 1048659, 8192, 4, ... 9895936, 1052672, ) == 0x0 01923 428 NtAllocateVirtualMemory (-1, 9895936, 0, 83, 4096, 4, ... 9895936, 4096, ) == 0x0 01924 428 NtReadFile (212, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, (212, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, "[DeleteOnCopy]\15\12Owner=SRI-user\15\12Personalized=5\15\12PersonalizedName=My Documents\15\12", ) , ) == 0x0 01925 428 NtFreeVirtualMemory (-1, (0x970000), 1052672, 32768, ... (0x970000), 1052672, ) == 0x0 01926 428 NtUnlockFile (212, {0, 0}, {-1, -1}, 428, ... ) == STATUS_RANGE_NOT_LOCKED 01927 428 NtClose (212, ... ) == 0x0 01928 428 NtOpenProcessToken (-1, 0x8, ... 212, ) == 0x0 01929 428 NtQueryInformationToken (212, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 01930 428 NtClose (212, ... ) == 0x0 01931 428 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01932 428 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01933 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 1229520, ... ) }, 1229520, ... ) == 0x0 01934 428 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01935 428 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01936 428 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 7, 96, ... 212, {status=0x0, info=1}, ) }, 7, 96, ... 
212, {status=0x0, info=1}, ) == 0x0 01937 428 NtLockFile (212, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 01938 428 NtQueryInformationFile (212, 1483448, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01939 428 NtAllocateVirtualMemory (-1, 0, 0, 1048659, 8192, 4, ... 9895936, 1052672, ) == 0x0 01940 428 NtAllocateVirtualMemory (-1, 9895936, 0, 83, 4096, 4, ... 9895936, 4096, ) == 0x0 01941 428 NtReadFile (212, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, (212, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, "[DeleteOnCopy]\15\12Owner=SRI-user\15\12Personalized=5\15\12PersonalizedName=My Documents\15\12", ) , ) == 0x0 01942 428 NtFreeVirtualMemory (-1, (0x970000), 1052672, 32768, ... (0x970000), 1052672, ) == 0x0 01943 428 NtUnlockFile (212, {0, 0}, {-1, -1}, 428, ... ) == STATUS_RANGE_NOT_LOCKED 01944 428 NtClose (212, ... ) == 0x0 01945 428 NtOpenProcessToken (-1, 0x8, ... 212, ) == 0x0 01946 428 NtQueryInformationToken (212, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 01947 428 NtClose (212, ... ) == 0x0 01948 428 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01949 428 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01950 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 1229520, ... ) }, 1229520, ... ) == 0x0 01951 428 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01952 428 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01953 428 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 7, 96, ... 212, {status=0x0, info=1}, ) }, 7, 96, ... 
212, {status=0x0, info=1}, ) == 0x0 01954 428 NtLockFile (212, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 01955 428 NtQueryInformationFile (212, 1483448, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01956 428 NtAllocateVirtualMemory (-1, 0, 0, 1048659, 8192, 4, ... 9895936, 1052672, ) == 0x0 01957 428 NtAllocateVirtualMemory (-1, 9895936, 0, 83, 4096, 4, ... 9895936, 4096, ) == 0x0 01958 428 NtReadFile (212, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, (212, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, "[DeleteOnCopy]\15\12Owner=SRI-user\15\12Personalized=5\15\12PersonalizedName=My Documents\15\12", ) , ) == 0x0 01959 428 NtFreeVirtualMemory (-1, (0x970000), 1052672, 32768, ... (0x970000), 1052672, ) == 0x0 01960 428 NtUnlockFile (212, {0, 0}, {-1, -1}, 428, ... ) == STATUS_RANGE_NOT_LOCKED 01961 428 NtClose (212, ... ) == 0x0 01962 428 NtOpenProcessToken (-1, 0x8, ... 212, ) == 0x0 01963 428 NtQueryInformationToken (212, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 01964 428 NtClose (212, ... ) == 0x0 01965 428 NtReleaseSemaphore (180, 1, ... 0, ) == 0x0 01966 428 NtWaitForSingleObject (180, 0, {0, 0}, ... ) == 0x0 01967 428 NtReleaseSemaphore (180, 1, ... 0, ) == 0x0 01968 428 NtWaitForSingleObject (180, 0, {0, 0}, ... ) == 0x0 01969 428 NtCreateKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 212, 2, ) }, 0, 0x0, 0, ... 212, 2, ) == 0x0 01970 428 NtQueryValueKey (212, (212, "Common Documents", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (212, "Common Documents", Partial, 144, ... 
TitleIdx=0, Type=2, Data="%\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 68, ) }, 68, ) == 0x0 01971 428 NtClose (212, ... ) == 0x0 01972 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents"}, 1235672, ... ) }, 1235672, ... ) == 0x0 01973 428 NtCreateKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 212, 2, ) }, 0, 0x0, 0, ... 212, 2, ) == 0x0 01974 428 NtSetValueKey (212, (212, "Common Documents", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0", 92, ... ) , 0, 1, (212, "Common Documents", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0", 92, ... ) , 92, ... ) == 0x0 01975 428 NtClose (212, ... ) == 0x0 01976 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1234084, ... ) }, 1234084, ... ) == 0x0 01977 428 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 212, {status=0x0, info=1}, ) }, 5, 96, ... 212, {status=0x0, info=1}, ) == 0x0 01978 428 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 212, ... 208, ) == 0x0 01979 428 NtClose (212, ... ) == 0x0 01980 428 NtMapViewOfSection (208, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x970000), 0x0, 262144, ) == 0x0 01981 428 NtClose (208, ... ) == 0x0 01982 428 NtUnmapViewOfSection (-1, 0x970000, ... ) == 0x0 01983 428 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 01984 428 NtQueryInformationProcess (-1, DeviceMap, 36, ... 
{process info, class 23, size 36}, 0x0, ) == 0x0 01985 428 NtOpenKey (0x2000000, {24, 80, 0x40, 0, 0, (0x2000000, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 208, ) }, ... 208, ) == 0x0 01986 428 NtOpenKey (0x2000000, {24, 208, 0x40, 0, 0, (0x2000000, {24, 208, 0x40, 0, 0, "{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, ... 212, ) }, ... 212, ) == 0x0 01987 428 NtClose (208, ... ) == 0x0 01988 428 NtQueryValueKey (212, (212, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (212, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01989 428 NtClose (212, ... ) == 0x0 01990 428 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 212, {status=0x0, info=1}, ) }, 3, 16417, ... 212, {status=0x0, info=1}, ) == 0x0 01991 428 NtQueryDirectoryFile (212, 0, 0, 0, 1233992, 616, BothDirectory, 1, (212, 0, 0, 0, 1233992, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0 01992 428 NtClose (212, ... ) == 0x0 01993 428 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\"}, 3, 16417, ... 212, {status=0x0, info=1}, ) }, 3, 16417, ... 212, {status=0x0, info=1}, ) == 0x0 01994 428 NtQueryDirectoryFile (212, 0, 0, 0, 1233900, 616, BothDirectory, 1, (212, 0, 0, 0, 1233900, 616, BothDirectory, 1, "All Users", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0 01995 428 NtClose (212, ... ) == 0x0 01996 428 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\"}, 3, 16417, ... 212, {status=0x0, info=1}, ) }, 3, 16417, ... 
212, {status=0x0, info=1}, ) == 0x0 01997 428 NtQueryDirectoryFile (212, 0, 0, 0, 1233828, 616, BothDirectory, 1, (212, 0, 0, 0, 1233828, 616, BothDirectory, 1, "Documents", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0 01998 428 NtClose (212, ... ) == 0x0 01999 428 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02000 428 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02001 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 1229200, ... ) }, 1229200, ... ) == 0x0 02002 428 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02003 428 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02004 428 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 7, 96, ... 212, {status=0x0, info=1}, ) }, 7, 96, ... 212, {status=0x0, info=1}, ) == 0x0 02005 428 NtLockFile (212, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 02006 428 NtQueryInformationFile (212, 1483448, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02007 428 NtAllocateVirtualMemory (-1, 0, 0, 1048718, 8192, 4, ... 9895936, 1052672, ) == 0x0 02008 428 NtAllocateVirtualMemory (-1, 9895936, 0, 142, 4096, 4, ... 9895936, 4096, ) == 0x0 02009 428 NtReadFile (212, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138}, (212, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138}, "[.ShellClassInfo]\15\12LocalizedResourceName=@shell32.dll,-21785\15\12[FileSharingInformation]\15\12ShortcutName=Shared Documents on SRI-S3S1K11CZE9\15\12", ) , ) == 0x0 02010 428 NtFreeVirtualMemory (-1, (0x970000), 1052672, 32768, ... 
(0x970000), 1052672, ) == 0x0 02011 428 NtUnlockFile (212, {0, 0}, {-1, -1}, 428, ... ) == STATUS_RANGE_NOT_LOCKED 02012 428 NtClose (212, ... ) == 0x0 02013 428 NtOpenProcessToken (-1, 0x8, ... 212, ) == 0x0 02014 428 NtQueryInformationToken (212, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 02015 428 NtClose (212, ... ) == 0x0 02016 428 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02017 428 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02018 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 1229172, ... ) }, 1229172, ... ) == 0x0 02019 428 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02020 428 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02021 428 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 7, 96, ... 212, {status=0x0, info=1}, ) }, 7, 96, ... 212, {status=0x0, info=1}, ) == 0x0 02022 428 NtLockFile (212, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 02023 428 NtQueryInformationFile (212, 1483448, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02024 428 NtAllocateVirtualMemory (-1, 0, 0, 1048718, 8192, 4, ... 9895936, 1052672, ) == 0x0 02025 428 NtAllocateVirtualMemory (-1, 9895936, 0, 142, 4096, 4, ... 9895936, 4096, ) == 0x0 02026 428 NtReadFile (212, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138}, (212, 0, 0, 0, 138, 0x0, 2012046884, ... 
{status=0x0, info=138}, "[.ShellClassInfo]\15\12LocalizedResourceName=@shell32.dll,-21785\15\12[FileSharingInformation]\15\12ShortcutName=Shared Documents on SRI-S3S1K11CZE9\15\12", ) , ) == 0x0 02027 428 NtFreeVirtualMemory (-1, (0x970000), 1052672, 32768, ... (0x970000), 1052672, ) == 0x0 02028 428 NtUnlockFile (212, {0, 0}, {-1, -1}, 428, ... ) == STATUS_RANGE_NOT_LOCKED 02029 428 NtClose (212, ... ) == 0x0 02030 428 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02031 428 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02032 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 1229536, ... ) }, 1229536, ... ) == 0x0 02033 428 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02034 428 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02035 428 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 7, 96, ... 212, {status=0x0, info=1}, ) }, 7, 96, ... 212, {status=0x0, info=1}, ) == 0x0 02036 428 NtLockFile (212, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 02037 428 NtQueryInformationFile (212, 1483448, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02038 428 NtAllocateVirtualMemory (-1, 0, 0, 1048718, 8192, 4, ... 9895936, 1052672, ) == 0x0 02039 428 NtAllocateVirtualMemory (-1, 9895936, 0, 142, 4096, 4, ... 9895936, 4096, ) == 0x0 02040 428 NtReadFile (212, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138}, (212, 0, 0, 0, 138, 0x0, 2012046884, ... 
{status=0x0, info=138}, "[.ShellClassInfo]\15\12LocalizedResourceName=@shell32.dll,-21785\15\12[FileSharingInformation]\15\12ShortcutName=Shared Documents on SRI-S3S1K11CZE9\15\12", ) , ) == 0x0 02041 428 NtFreeVirtualMemory (-1, (0x970000), 1052672, 32768, ... (0x970000), 1052672, ) == 0x0 02042 428 NtUnlockFile (212, {0, 0}, {-1, -1}, 428, ... ) == STATUS_RANGE_NOT_LOCKED 02043 428 NtClose (212, ... ) == 0x0 02044 428 NtOpenProcessToken (-1, 0x8, ... 212, ) == 0x0 02045 428 NtQueryInformationToken (212, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 02046 428 NtClose (212, ... ) == 0x0 02047 428 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02048 428 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02049 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 1229536, ... ) }, 1229536, ... ) == 0x0 02050 428 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02051 428 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02052 428 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 7, 96, ... 212, {status=0x0, info=1}, ) }, 7, 96, ... 212, {status=0x0, info=1}, ) == 0x0 02053 428 NtLockFile (212, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 02054 428 NtQueryInformationFile (212, 1483448, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02055 428 NtAllocateVirtualMemory (-1, 0, 0, 1048718, 8192, 4, ... 9895936, 1052672, ) == 0x0 02056 428 NtAllocateVirtualMemory (-1, 9895936, 0, 142, 4096, 4, ... 9895936, 4096, ) == 0x0 02057 428 NtReadFile (212, 0, 0, 0, 138, 0x0, 2012046884, ... 
{status=0x0, info=138}, (212, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138}, "[.ShellClassInfo]\15\12LocalizedResourceName=@shell32.dll,-21785\15\12[FileSharingInformation]\15\12ShortcutName=Shared Documents on SRI-S3S1K11CZE9\15\12", ) , ) == 0x0 02058 428 NtFreeVirtualMemory (-1, (0x970000), 1052672, 32768, ... (0x970000), 1052672, ) == 0x0 02059 428 NtUnlockFile (212, {0, 0}, {-1, -1}, 428, ... ) == STATUS_RANGE_NOT_LOCKED 02060 428 NtClose (212, ... ) == 0x0 02061 428 NtOpenProcessToken (-1, 0x8, ... 212, ) == 0x0 02062 428 NtQueryInformationToken (212, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 02063 428 NtClose (212, ... ) == 0x0 02064 428 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02065 428 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02066 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 1229536, ... ) }, 1229536, ... ) == 0x0 02067 428 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02068 428 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02069 428 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 7, 96, ... 212, {status=0x0, info=1}, ) }, 7, 96, ... 212, {status=0x0, info=1}, ) == 0x0 02070 428 NtLockFile (212, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 02071 428 NtQueryInformationFile (212, 1483448, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02072 428 NtAllocateVirtualMemory (-1, 0, 0, 1048718, 8192, 4, ... 9895936, 1052672, ) == 0x0 02073 428 NtAllocateVirtualMemory (-1, 9895936, 0, 142, 4096, 4, ... 
9895936, 4096, ) == 0x0 02074 428 NtReadFile (212, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138}, (212, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138}, "[.ShellClassInfo]\15\12LocalizedResourceName=@shell32.dll,-21785\15\12[FileSharingInformation]\15\12ShortcutName=Shared Documents on SRI-S3S1K11CZE9\15\12", ) , ) == 0x0 02075 428 NtFreeVirtualMemory (-1, (0x970000), 1052672, 32768, ... (0x970000), 1052672, ) == 0x0 02076 428 NtUnlockFile (212, {0, 0}, {-1, -1}, 428, ... ) == STATUS_RANGE_NOT_LOCKED 02077 428 NtClose (212, ... ) == 0x0 02078 428 NtOpenProcessToken (-1, 0x8, ... 212, ) == 0x0 02079 428 NtQueryInformationToken (212, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 02080 428 NtClose (212, ... ) == 0x0 02081 428 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02082 428 NtReleaseSemaphore (180, 1, ... 0, ) == 0x0 02083 428 NtWaitForSingleObject (180, 0, {0, 0}, ... ) == 0x0 02084 428 NtReleaseSemaphore (180, 1, ... 0, ) == 0x0 02085 428 NtWaitForSingleObject (180, 0, {0, 0}, ... ) == 0x0 02086 428 NtCreateKey (0x2000000, {24, 80, 0x40, 0, 0, (0x2000000, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 212, 2, ) }, 0, 0x0, 0, ... 212, 2, ) == 0x0 02087 428 NtQueryValueKey (212, (212, "Desktop", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0D\0e\0s\0k\0t\0o\0p\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (212, "Desktop", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0D\0e\0s\0k\0t\0o\0p\0\0\0"}, 56, ) }, 56, ) == 0x0 02088 428 NtClose (212, ... ) == 0x0 02089 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Desktop"}, 1235672, ... ) }, 1235672, ... 
) == 0x0 02090 428 NtCreateKey (0x2000000, {24, 80, 0x40, 0, 0, (0x2000000, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 212, 2, ) }, 0, 0x0, 0, ... 212, 2, ) == 0x0 02091 428 NtSetValueKey (212, (212, "Desktop", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0D\0e\0s\0k\0t\0o\0p\0\0\0", 86, ... ) , 0, 1, (212, "Desktop", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0D\0e\0s\0k\0t\0o\0p\0\0\0", 86, ... ) , 86, ... ) == 0x0 02092 428 NtClose (212, ... ) == 0x0 02093 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1234084, ... ) }, 1234084, ... ) == 0x0 02094 428 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 212, {status=0x0, info=1}, ) }, 5, 96, ... 212, {status=0x0, info=1}, ) == 0x0 02095 428 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 212, ... 208, ) == 0x0 02096 428 NtClose (212, ... ) == 0x0 02097 428 NtMapViewOfSection (208, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x970000), 0x0, 262144, ) == 0x0 02098 428 NtClose (208, ... ) == 0x0 02099 428 NtUnmapViewOfSection (-1, 0x970000, ... ) == 0x0 02100 428 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 02101 428 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 02102 428 NtOpenKey (0x2000000, {24, 80, 0x40, 0, 0, (0x2000000, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 208, ) }, ... 208, ) == 0x0 02103 428 NtOpenKey (0x2000000, {24, 208, 0x40, 0, 0, (0x2000000, {24, 208, 0x40, 0, 0, "{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, ... 212, ) }, ... 212, ) == 0x0 02104 428 NtClose (208, ... 
) == 0x0 02105 428 NtQueryValueKey (212, (212, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (212, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02106 428 NtClose (212, ... ) == 0x0 02107 428 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 212, {status=0x0, info=1}, ) }, 3, 16417, ... 212, {status=0x0, info=1}, ) == 0x0 02108 428 NtQueryDirectoryFile (212, 0, 0, 0, 1234000, 616, BothDirectory, 1, (212, 0, 0, 0, 1234000, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0 02109 428 NtClose (212, ... ) == 0x0 02110 428 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\"}, 3, 16417, ... 212, {status=0x0, info=1}, ) }, 3, 16417, ... 212, {status=0x0, info=1}, ) == 0x0 02111 428 NtQueryDirectoryFile (212, 0, 0, 0, 1233912, 616, BothDirectory, 1, (212, 0, 0, 0, 1233912, 616, BothDirectory, 1, "SRI-user", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0 02112 428 NtClose (212, ... ) == 0x0 02113 428 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\"}, 3, 16417, ... 212, {status=0x0, info=1}, ) }, 3, 16417, ... 212, {status=0x0, info=1}, ) == 0x0 02114 428 NtQueryDirectoryFile (212, 0, 0, 0, 1233844, 616, BothDirectory, 1, (212, 0, 0, 0, 1233844, 616, BothDirectory, 1, "Desktop", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0 02115 428 NtClose (212, ... ) == 0x0 02116 428 NtAllocateVirtualMemory (-1, 1499136, 0, 4096, 4096, 4, ... 1499136, 4096, ) == 0x0 02117 428 NtReleaseSemaphore (180, 1, ... 0, ) == 0x0 02118 428 NtWaitForSingleObject (180, 0, {0, 0}, ... ) == 0x0 02119 428 NtReleaseSemaphore (180, 1, ... 
0, ) == 0x0 02120 428 NtWaitForSingleObject (180, 0, {0, 0}, ... ) == 0x0 02121 428 NtCreateKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 212, 2, ) }, 0, 0x0, 0, ... 212, 2, ) == 0x0 02122 428 NtQueryValueKey (212, (212, "Common Desktop", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0%\0\\0D\0e\0s\0k\0t\0o\0p\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (212, "Common Desktop", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0%\0\\0D\0e\0s\0k\0t\0o\0p\0\0\0"}, 64, ) }, 64, ) == 0x0 02123 428 NtClose (212, ... ) == 0x0 02124 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Desktop"}, 1235672, ... ) }, 1235672, ... ) == 0x0 02125 428 NtCreateKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 212, 2, ) }, 0, 0x0, 0, ... 212, 2, ) == 0x0 02126 428 NtSetValueKey (212, (212, "Common Desktop", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\\0D\0e\0s\0k\0t\0o\0p\0\0\0", 88, ... ) , 0, 1, (212, "Common Desktop", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\\0D\0e\0s\0k\0t\0o\0p\0\0\0", 88, ... ) , 88, ... ) == 0x0 02127 428 NtClose (212, ... ) == 0x0 02128 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1234084, ... ) }, 1234084, ... ) == 0x0 02129 428 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 212, {status=0x0, info=1}, ) }, 5, 96, ... 
212, {status=0x0, info=1}, ) == 0x0 02130 428 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 212, ... 208, ) == 0x0 02131 428 NtClose (212, ... ) == 0x0 02132 428 NtMapViewOfSection (208, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x970000), 0x0, 262144, ) == 0x0 02133 428 NtClose (208, ... ) == 0x0 02134 428 NtUnmapViewOfSection (-1, 0x970000, ... ) == 0x0 02135 428 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 02136 428 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 02137 428 NtOpenKey (0x2000000, {24, 80, 0x40, 0, 0, (0x2000000, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 208, ) }, ... 208, ) == 0x0 02138 428 NtOpenKey (0x2000000, {24, 208, 0x40, 0, 0, (0x2000000, {24, 208, 0x40, 0, 0, "{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, ... 212, ) }, ... 212, ) == 0x0 02139 428 NtClose (208, ... ) == 0x0 02140 428 NtQueryValueKey (212, (212, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (212, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02141 428 NtClose (212, ... ) == 0x0 02142 428 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 212, {status=0x0, info=1}, ) }, 3, 16417, ... 212, {status=0x0, info=1}, ) == 0x0 02143 428 NtQueryDirectoryFile (212, 0, 0, 0, 1233996, 616, BothDirectory, 1, (212, 0, 0, 0, 1233996, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0 02144 428 NtClose (212, ... ) == 0x0 02145 428 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\"}, 3, 16417, ... 212, {status=0x0, info=1}, ) }, 3, 16417, ... 
212, {status=0x0, info=1}, ) == 0x0 02146 428 NtQueryDirectoryFile (212, 0, 0, 0, 1233908, 616, BothDirectory, 1, (212, 0, 0, 0, 1233908, 616, BothDirectory, 1, "All Users", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0 02147 428 NtClose (212, ... ) == 0x0 02148 428 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\"}, 3, 16417, ... 212, {status=0x0, info=1}, ) }, 3, 16417, ... 212, {status=0x0, info=1}, ) == 0x0 02149 428 NtQueryDirectoryFile (212, 0, 0, 0, 1233840, 616, BothDirectory, 1, (212, 0, 0, 0, 1233840, 616, BothDirectory, 1, "Desktop", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0 02150 428 NtClose (212, ... ) == 0x0 02151 428 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"}, ... 212, ) }, ... 212, ) == 0x0 02152 428 NtEnumerateValueKey (212, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (212, 0, Full, 220, ... TitleIdx=0, Type=1, Name="{AEB6717E-7E19-11d0-97EE-00C04FD91972}", Data="\0\0"}, 98, ) , Data= (212, 0, Full, 220, ... TitleIdx=0, Type=1, Name="{AEB6717E-7E19-11d0-97EE-00C04FD91972}", Data="\0\0"}, 98, ) }, 98, ) == 0x0 02153 428 NtQueryKey (158, Name, 384, ... {Name= (158, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0 02154 428 NtOpenKey (0x1, {24, 158, 0x40, 0, 0, (0x1, {24, 158, 0x40, 0, 0, "CLSID\{AEB6717E-7E19-11D0-97EE-00C04FD91972}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02155 428 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{AEB6717E-7E19-11D0-97EE-00C04FD91972}\InProcServer32"}, ... 208, ) }, ... 208, ) == 0x0 02156 428 NtQueryKey (210, Name, 392, ... {Name= (210, Name, 392, ... 
{Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, 192, ) }, 192, ) == 0x0 02157 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02158 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 216, ) == 0x0 02159 428 NtQueryInformationToken (216, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02160 428 NtClose (216, ... ) == 0x0 02161 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02162 428 NtQueryValueKey (210, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (210, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="s\0h\0e\0l\0l\03\02\0.\0d\0l\0l\0\0\0"}, 36, ) }, 36, ) == 0x0 02163 428 NtQueryKey (210, Name, 392, ... {Name= (210, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, 192, ) }, 192, ) == 0x0 02164 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02165 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 216, ) == 0x0 02166 428 NtQueryInformationToken (216, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02167 428 NtClose (216, ... ) == 0x0 02168 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02169 428 NtQueryValueKey (210, (210, "LoadWithoutCOM", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02170 428 NtClose (210, ... ) == 0x0 02171 428 NtEnumerateValueKey (212, 1, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 02172 428 NtClose (212, ... 
) == 0x0 02173 428 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 212, ) }, ... 212, ) == 0x0 02174 428 NtQueryValueKey (212, (212, "TransparentEnabled", Full, 524, ... TitleIdx=0, Type=4, Name="TransparentEnabled", Data="\1\0\0\0"}, 60, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (212, "TransparentEnabled", Full, 524, ... TitleIdx=0, Type=4, Name="TransparentEnabled", Data="\1\0\0\0"}, 60, ) , Data= (212, "TransparentEnabled", Full, 524, ... TitleIdx=0, Type=4, Name="TransparentEnabled", Data="\1\0\0\0"}, 60, ) }, 60, ) == 0x0 02175 428 NtClose (212, ... ) == 0x0 02176 428 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02177 428 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02178 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\tmp-490-wlr.bat"}, 1236008, ... ) }, 1236008, ... ) == 0x0 02179 428 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02180 428 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02181 428 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 212, ) }, ... 212, ) == 0x0 02182 428 NtQueryValueKey (212, (212, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL 02183 428 NtQueryValueKey (212, (212, "ExecutableTypes", Partial, 260, ... 
TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (212, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0 02184 428 NtClose (212, ... ) == 0x0 02185 428 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02186 428 NtOpenKey (0x2000000, {24, 164, 0x40, 0, 0, (0x2000000, {24, 164, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02187 428 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02188 428 NtOpenKey (0x2000000, {24, 164, 0x40, 0, 0, (0x2000000, {24, 164, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02189 428 NtQueryKey (158, Name, 384, ... {Name= (158, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESD"}, 138, ) }, 138, ) == 0x0 02190 428 NtOpenKey (0x2000000, {24, 158, 0x40, 0, 0, (0x2000000, {24, 158, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02191 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 212, ) }, ... 212, ) == 0x0 02192 428 NtQueryKey (214, Name, 392, ... {Name= (214, Name, 392, ... 
{Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0 02193 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02194 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 208, ) == 0x0 02195 428 NtQueryInformationToken (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02196 428 NtClose (208, ... ) == 0x0 02197 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02198 428 NtQueryValueKey (214, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (214, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="b\0a\0t\0f\0i\0l\0e\0\0\0"}, 28, ) }, 28, ) == 0x0 02199 428 NtQueryKey (158, Name, 384, ... {Name= (158, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 02200 428 NtOpenKey (0x2000000, {24, 158, 0x40, 0, 0, (0x2000000, {24, 158, 0x40, 0, 0, "batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02201 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\batfile"}, ... 208, ) }, ... 208, ) == 0x0 02202 428 NtQueryKey (210, Name, 384, ... {Name= (210, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0 02203 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02204 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 216, ) == 0x0 02205 428 NtQueryInformationToken (216, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02206 428 NtClose (216, ... ) == 0x0 02207 428 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02208 428 NtOpenKey (0x1, {24, 210, 0x40, 0, 0, (0x1, {24, 210, 0x40, 0, 0, "CurVer"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02209 428 NtQueryKey (210, Name, 384, ... {Name= (210, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0 02210 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02211 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 216, ) == 0x0 02212 428 NtQueryInformationToken (216, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02213 428 NtClose (216, ... ) == 0x0 02214 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02215 428 NtOpenKey (0x2000000, {24, 210, 0x40, 0, 0, ""}, ... 216, ) == 0x0 02216 428 NtClose (210, ... ) == 0x0 02217 428 NtQueryKey (218, Name, 384, ... {Name= (218, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0 02218 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02219 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 208, ) == 0x0 02220 428 NtQueryInformationToken (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02221 428 NtClose (208, ... ) == 0x0 02222 428 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02223 428 NtOpenKey (0x1, {24, 218, 0x40, 0, 0, (0x1, {24, 218, 0x40, 0, 0, "ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02224 428 NtQueryKey (214, Name, 384, ... {Name= (214, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.batC"}, 82, ) }, 82, ) == 0x0 02225 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02226 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 208, ) == 0x0 02227 428 NtQueryInformationToken (208, User, 80, ... 
{token info, class 1, size 36}, 36, ) == 0x0 02228 428 NtClose (208, ... ) == 0x0 02229 428 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat\ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02230 428 NtOpenKey (0x1, {24, 214, 0x40, 0, 0, (0x1, {24, 214, 0x40, 0, 0, "ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02231 428 NtQueryKey (158, Name, 384, ... {Name= (158, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 02232 428 NtOpenKey (0x2000000, {24, 158, 0x40, 0, 0, (0x2000000, {24, 158, 0x40, 0, 0, "SystemFileAssociations\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02233 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\SystemFileAssociations\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02234 428 NtQueryKey (158, Name, 384, ... {Name= (158, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESs"}, 138, ) }, 138, ) == 0x0 02235 428 NtOpenKey (0x1, {24, 158, 0x40, 0, 0, (0x1, {24, 158, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02236 428 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 208, ) }, ... 208, ) == 0x0 02237 428 NtQueryKey (210, Name, 392, ... {Name= (210, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0 02238 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02239 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 220, ) == 0x0 02240 428 NtQueryInformationToken (220, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02241 428 NtClose (220, ... 
) == 0x0 02242 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02243 428 NtQueryValueKey (210, (210, "PerceivedType", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02244 428 NtClose (210, ... ) == 0x0 02245 428 NtQueryKey (158, Name, 384, ... {Name= (158, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 02246 428 NtOpenKey (0x2000000, {24, 158, 0x40, 0, 0, (0x2000000, {24, 158, 0x40, 0, 0, "*"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02247 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\*"}, ... 208, ) }, ... 208, ) == 0x0 02248 428 NtQueryKey (210, Name, 384, ... {Name= (210, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\*"}, 76, ) }, 76, ) == 0x0 02249 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02250 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 220, ) == 0x0 02251 428 NtQueryInformationToken (220, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02252 428 NtClose (220, ... ) == 0x0 02253 428 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\*\ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02254 428 NtOpenKey (0x1, {24, 210, 0x40, 0, 0, (0x1, {24, 210, 0x40, 0, 0, "ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02255 428 NtClose (214, ... ) == 0x0 02256 428 NtClose (218, ... ) == 0x0 02257 428 NtClose (210, ... ) == 0x0 02258 428 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02259 428 NtOpenKey (0x2000000, {24, 164, 0x40, 0, 0, (0x2000000, {24, 164, 0x40, 0, 0, ".bat"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02260 428 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02261 428 NtOpenKey (0x2000000, {24, 164, 0x40, 0, 0, (0x2000000, {24, 164, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02262 428 NtQueryKey (158, Name, 384, ... {Name= (158, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 02263 428 NtOpenKey (0x2000000, {24, 158, 0x40, 0, 0, (0x2000000, {24, 158, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02264 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 208, ) }, ... 208, ) == 0x0 02265 428 NtQueryKey (210, Name, 392, ... {Name= (210, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0 02266 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02267 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 216, ) == 0x0 02268 428 NtQueryInformationToken (216, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02269 428 NtClose (216, ... ) == 0x0 02270 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02271 428 NtQueryValueKey (210, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (210, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="b\0a\0t\0f\0i\0l\0e\0\0\0"}, 28, ) }, 28, ) == 0x0 02272 428 NtQueryKey (158, Name, 384, ... {Name= (158, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 02273 428 NtOpenKey (0x2000000, {24, 158, 0x40, 0, 0, (0x2000000, {24, 158, 0x40, 0, 0, "batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02274 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\batfile"}, ... 
216, ) }, ... 216, ) == 0x0 02275 428 NtQueryKey (218, Name, 384, ... {Name= (218, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0 02276 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02277 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 212, ) == 0x0 02278 428 NtQueryInformationToken (212, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02279 428 NtClose (212, ... ) == 0x0 02280 428 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02281 428 NtOpenKey (0x1, {24, 218, 0x40, 0, 0, (0x1, {24, 218, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02282 428 NtQueryKey (218, Name, 384, ... {Name= (218, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0 02283 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02284 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 212, ) == 0x0 02285 428 NtQueryInformationToken (212, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02286 428 NtClose (212, ... ) == 0x0 02287 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02288 428 NtOpenKey (0x2000000, {24, 218, 0x40, 0, 0, ""}, ... 212, ) == 0x0 02289 428 NtClose (218, ... ) == 0x0 02290 428 NtQueryKey (214, Name, 384, ... {Name= (214, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0 02291 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02292 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 216, ) == 0x0 02293 428 NtQueryInformationToken (216, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02294 428 NtClose (216, ... 
) == 0x0 02295 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02296 428 NtOpenKey (0x2000000, {24, 214, 0x40, 0, 0, (0x2000000, {24, 214, 0x40, 0, 0, "shell"}, ... 216, ) }, ... 216, ) == 0x0 02297 428 NtQueryKey (218, Name, 392, ... {Name= (218, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell"}, 100, ) }, 100, ) == 0x0 02298 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02299 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 220, ) == 0x0 02300 428 NtQueryInformationToken (220, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02301 428 NtClose (220, ... ) == 0x0 02302 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02303 428 NtQueryValueKey (218, 0x0, Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02304 428 NtQueryKey (218, Name, 384, ... {Name= (218, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell"}, 100, ) }, 100, ) == 0x0 02305 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02306 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 220, ) == 0x0 02307 428 NtQueryInformationToken (220, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02308 428 NtClose (220, ... ) == 0x0 02309 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02310 428 NtOpenKey (0x2000000, {24, 218, 0x40, 0, 0, (0x2000000, {24, 218, 0x40, 0, 0, "open"}, ... 220, ) }, ... 220, ) == 0x0 02311 428 NtClose (218, ... ) == 0x0 02312 428 NtQueryKey (222, Name, 384, ... {Name= (222, Name, 384, ... 
{Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open3"}, 110, ) }, 110, ) == 0x0 02313 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02314 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 216, ) == 0x0 02315 428 NtQueryInformationToken (216, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02316 428 NtClose (216, ... ) == 0x0 02317 428 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02318 428 NtOpenKey (0x1, {24, 222, 0x40, 0, 0, (0x1, {24, 222, 0x40, 0, 0, "command"}, ... 216, ) }, ... 216, ) == 0x0 02319 428 NtQueryKey (218, Name, 392, ... {Name= (218, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command8"}, 126, ) }, 126, ) == 0x0 02320 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02321 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 224, ) == 0x0 02322 428 NtQueryInformationToken (224, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02323 428 NtClose (224, ... ) == 0x0 02324 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02325 428 NtQueryValueKey (218, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=" (218, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=""\0%\01\0"\0 \0%\0*\0\0\0"}, 28, ) \0 \0%\0*\0\0\0"}, 28, ) == 0x0 02326 428 NtClose (218, ... ) == 0x0 02327 428 NtOpenKey (0x2000000, {24, 80, 0x40, 0, 0, (0x2000000, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02328 428 NtQueryKey (222, Name, 384, ... {Name= (222, Name, 384, ... 
{Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\opent"}, 110, ) }, 110, ) == 0x0 02329 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02330 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 216, ) == 0x0 02331 428 NtQueryInformationToken (216, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02332 428 NtClose (216, ... ) == 0x0 02333 428 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02334 428 NtOpenKey (0x1, {24, 222, 0x40, 0, 0, (0x1, {24, 222, 0x40, 0, 0, "command"}, ... 216, ) }, ... 216, ) == 0x0 02335 428 NtQueryKey (218, Name, 392, ... {Name= (218, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command8"}, 126, ) }, 126, ) == 0x0 02336 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02337 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 224, ) == 0x0 02338 428 NtQueryInformationToken (224, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02339 428 NtClose (224, ... ) == 0x0 02340 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02341 428 NtQueryValueKey (218, (218, "command", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02342 428 NtClose (218, ... ) == 0x0 02343 428 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\App Paths\tmp-490-wlr.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02344 428 NtQueryKey (222, Name, 384, ... {Name= (222, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\opent"}, 110, ) }, 110, ) == 0x0 02345 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... 
) == STATUS_NO_TOKEN 02346 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 216, ) == 0x0 02347 428 NtQueryInformationToken (216, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02348 428 NtClose (216, ... ) == 0x0 02349 428 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02350 428 NtOpenKey (0x1, {24, 222, 0x40, 0, 0, (0x1, {24, 222, 0x40, 0, 0, "command"}, ... 216, ) }, ... 216, ) == 0x0 02351 428 NtQueryKey (218, Name, 392, ... {Name= (218, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command8"}, 126, ) }, 126, ) == 0x0 02352 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02353 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 224, ) == 0x0 02354 428 NtQueryInformationToken (224, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02355 428 NtClose (224, ... ) == 0x0 02356 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02357 428 NtQueryValueKey (218, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=" (218, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=""\0%\01\0"\0 \0%\0*\0\0\0"}, 28, ) \0 \0%\0*\0\0\0"}, 28, ) == 0x0 02358 428 NtClose (218, ... ) == 0x0 02359 428 NtQueryKey (222, Name, 384, ... {Name= (222, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open3"}, 110, ) }, 110, ) == 0x0 02360 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02361 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 216, ) == 0x0 02362 428 NtQueryInformationToken (216, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02363 428 NtClose (216, ... 
) == 0x0 02364 428 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\ddeexec"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02365 428 NtOpenKey (0x1, {24, 222, 0x40, 0, 0, (0x1, {24, 222, 0x40, 0, 0, "ddeexec"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02366 428 NtUserGetForegroundWindow (... ) == 0x20064 02367 428 NtQueryKey (222, Name, 384, ... {Name= (222, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open3"}, 110, ) }, 110, ) == 0x0 02368 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02369 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 216, ) == 0x0 02370 428 NtQueryInformationToken (216, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02371 428 NtClose (216, ... ) == 0x0 02372 428 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02373 428 NtOpenKey (0x1, {24, 222, 0x40, 0, 0, (0x1, {24, 222, 0x40, 0, 0, "command"}, ... 216, ) }, ... 216, ) == 0x0 02374 428 NtQueryKey (218, Name, 392, ... {Name= (218, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command8"}, 126, ) }, 126, ) == 0x0 02375 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02376 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 224, ) == 0x0 02377 428 NtQueryInformationToken (224, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02378 428 NtClose (224, ... ) == 0x0 02379 428 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02380 428 NtQueryValueKey (218, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=" (218, 0x0, Partial, 144, ... 
TitleIdx=0, Type=1, Data=""\0%\01\0"\0 \0%\0*\0\0\0"}, 28, ) \0 \0%\0*\0\0\0"}, 28, ) == 0x0 02381 428 NtClose (218, ... ) == 0x0 02382 428 NtReleaseSemaphore (152, 1, ... 0, ) == 0x0 02383 428 NtWaitForSingleObject (152, 0, {0, 0}, ... ) == 0x0 02384 428 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02385 428 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 216, ) }, ... 216, ) == 0x0 02386 428 NtQueryValueKey (216, (216, "RestrictRun", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02387 428 NtClose (216, ... ) == 0x0 02388 428 NtReleaseSemaphore (152, 1, ... 0, ) == 0x0 02389 428 NtWaitForSingleObject (152, 0, {0, 0}, ... ) == 0x0 02390 428 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02391 428 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 216, ) }, ... 216, ) == 0x0 02392 428 NtQueryValueKey (216, (216, "DisallowRun", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02393 428 NtClose (216, ... ) == 0x0 02394 428 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\AppCompatibility\tmp-490-wlr.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02395 428 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\CheckBadApps"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02396 428 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\App Paths\tmp-490-wlr.bat"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02397 428 NtReleaseSemaphore (152, 1, ... 0, ) == 0x0 02398 428 NtWaitForSingleObject (152, 0, {0, 0}, ... ) == 0x0 02399 428 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02400 428 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 216, ) }, ... 216, ) == 0x0 02401 428 NtQueryValueKey (216, (216, "NoRunasInstallPrompt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02402 428 NtClose (216, ... ) == 0x0 02403 428 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\App Paths\tmp-490-wlr.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02404 428 NtQueryInformationJobObject (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED 02405 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\tmp-490-wlr.bat"}, 1231308, ... ) }, 1231308, ... ) == 0x0 02406 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\tmp-490-wlr.bat"}, 1232000, ... ) }, 1232000, ... ) == 0x0 02407 428 NtOpenFile (0x1000a1, {24, 0, 0x40, 0, 0, (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\tmp-490-wlr.bat"}, 5, 96, ... 216, {status=0x0, info=1}, ) }, 5, 96, ... 216, {status=0x0, info=1}, ) == 0x0 02408 428 NtCreateSection (0xf001f, 0x0, 0x0, 16, 16777216, 216, ... ) == STATUS_INVALID_IMAGE_NOT_MZ 02409 428 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 224, ) }, ... 224, ) == 0x0 02410 428 NtQueryValueKey (224, (224, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02411 428 NtClose (224, ... 
) == 0x0 02412 428 NtQueryVolumeInformationFile (216, 1231308, 8, Device, ... {status=0x0, info=8}, ) == 0x0 02413 428 NtOpenMutant (0x120001, {24, 72, 0x0, 0, 0, (0x120001, {24, 72, 0x0, 0, 0, "ShimCacheMutex"}, ... 224, ) }, ... 224, ) == 0x0 02414 428 NtWaitForSingleObject (224, 0, {-1000000, -1}, ... ) == 0x0 02415 428 NtOpenSection (0x2, {24, 72, 0x0, 0, 0, (0x2, {24, 72, 0x0, 0, 0, "ShimSharedMemory"}, ... 228, ) }, ... 228, ) == 0x0 02416 428 NtMapViewOfSection (228, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x970000), {0, 0}, 57344, ) == 0x0 02417 428 NtReleaseMutant (224, ... 0x0, ) == 0x0 02418 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1229292, ... ) }, 1229292, ... ) == 0x0 02419 428 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 232, {status=0x0, info=1}, ) }, 5, 96, ... 232, {status=0x0, info=1}, ) == 0x0 02420 428 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 232, ... 236, ) == 0x0 02421 428 NtClose (232, ... ) == 0x0 02422 428 NtMapViewOfSection (236, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x980000), 0x0, 106496, ) == 0x0 02423 428 NtClose (236, ... ) == 0x0 02424 428 NtUnmapViewOfSection (-1, 0x980000, ... ) == 0x0 02425 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1229608, ... ) }, 1229608, ... ) == 0x0 02426 428 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 236, {status=0x0, info=1}, ) }, 5, 96, ... 236, {status=0x0, info=1}, ) == 0x0 02427 428 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 236, ... 232, ) == 0x0 02428 428 NtQuerySection (232, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02429 428 NtClose (236, ... ) == 0x0 02430 428 NtMapViewOfSection (232, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... 
(0x75f40000), 0x0, 118784, ) == 0x0 02431 428 NtClose (232, ... ) == 0x0 02432 428 NtAllocateVirtualMemory (-1, 1503232, 0, 4096, 4096, 4, ... 1503232, 4096, ) == 0x0 02433 428 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 0, (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 232, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 232, {status=0x0, info=1}, ) == 0x0 02434 428 NtQueryInformationFile (232, 1229896, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02435 428 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 232, ... 236, ) == 0x0 02436 428 NtMapViewOfSection (236, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x980000), 0x0, 1028096, ) == 0x0 02437 428 NtQueryInformationFile (232, 1229992, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02438 428 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 0, (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02439 428 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 02440 428 NtQueryInformationProcess (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0 02441 428 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 240, {status=0x0, info=1}, ) }, 3, 16417, ... 240, {status=0x0, info=1}, ) == 0x0 02442 428 NtQueryDirectoryFile (240, 0, 0, 0, 1227556, 616, BothDirectory, 1, (240, 0, 0, 0, 1227556, 616, BothDirectory, 1, "tmp-490-wlr.bat", 0, ... {status=0x0, info=124}, ) , 0, ... {status=0x0, info=124}, ) == 0x0 02443 428 NtClose (240, ... ) == 0x0 02444 428 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02445 428 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... 
) == 0x0 02446 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\tmp-490-wlr.bat"}, 1226944, ... ) }, 1226944, ... ) == 0x0 02447 428 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 240, {status=0x0, info=1}, ) }, 3, 16417, ... 240, {status=0x0, info=1}, ) == 0x0 02448 428 NtQueryDirectoryFile (240, 0, 0, 0, 1226304, 616, BothDirectory, 1, (240, 0, 0, 0, 1226304, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0 02449 428 NtClose (240, ... ) == 0x0 02450 428 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 240, {status=0x0, info=1}, ) }, 3, 16417, ... 240, {status=0x0, info=1}, ) == 0x0 02451 428 NtQueryDirectoryFile (240, 0, 0, 0, 1226304, 616, BothDirectory, 1, (240, 0, 0, 0, 1226304, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0 02452 428 NtClose (240, ... ) == 0x0 02453 428 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02454 428 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02455 428 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 02456 428 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02457 428 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 240, ) == 0x0 02458 428 NtQueryInformationToken (240, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02459 428 NtClose (240, ... ) == 0x0 02460 428 NtOpenKey (0x80000100, {24, 0, 0x40, 0, 0, (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02461 428 NtOpenKey (0x80000100, {24, 0, 0x40, 0, 0, (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\tmp-490-wlr.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02462 428 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02463 428 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02464 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\tmp-490-wlr.bat"}, 1229224, ... ) }, 1229224, ... ) == 0x0 02465 428 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 240, {status=0x0, info=1}, ) }, 3, 16417, ... 240, {status=0x0, info=1}, ) == 0x0 02466 428 NtQueryDirectoryFile (240, 0, 0, 0, 1228584, 616, BothDirectory, 1, (240, 0, 0, 0, 1228584, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0 02467 428 NtClose (240, ... ) == 0x0 02468 428 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 240, {status=0x0, info=1}, ) }, 3, 16417, ... 240, {status=0x0, info=1}, ) == 0x0 02469 428 NtQueryDirectoryFile (240, 0, 0, 0, 1228584, 616, BothDirectory, 1, (240, 0, 0, 0, 1228584, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0 02470 428 NtClose (240, ... ) == 0x0 02471 428 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02472 428 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02473 428 NtWaitForSingleObject (224, 0, {-1000000, -1}, ... ) == 0x0 02474 428 NtQueryVolumeInformationFile (216, 1229868, 8, Device, ... 
{status=0x0, info=8}, ) == 0x0 02475 428 NtQueryInformationFile (216, 1229848, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 02476 428 NtQueryInformationFile (216, 1229888, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02477 428 NtReleaseMutant (224, ... 0x0, ) == 0x0 02478 428 NtUnmapViewOfSection (-1, 0x980000, ... ) == 0x0 02479 428 NtClose (236, ... ) == 0x0 02480 428 NtClose (232, ... ) == 0x0 02481 428 NtClose (216, ... ) == 0x0 02482 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\cmd.exe"}, 1231284, ... ) }, 1231284, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02483 428 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "cmd.exe"}, 1231284, ... ) }, 1231284, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02484 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\cmd.exe"}, 1231284, ... ) }, 1231284, ... ) == 0x0 02485 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\cmd.exe"}, 1232000, ... ) }, 1232000, ... ) == 0x0 02486 428 NtOpenFile (0x1000a1, {24, 0, 0x40, 0, 0, (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\cmd.exe"}, 5, 96, ... 216, {status=0x0, info=1}, ) }, 5, 96, ... 216, {status=0x0, info=1}, ) == 0x0 02487 428 NtCreateSection (0xf001f, 0x0, 0x0, 16, 16777216, 216, ... 232, ) == 0x0 02488 428 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02489 428 NtQuerySection (232, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02490 428 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02491 428 NtCreateProcessEx (1233936, 2035711, 0, -1, 0, 232, 0, 0, 0, ... 
) == 0x0 02492 428 NtOpenSection (0x6, {24, 72, 0x0, 0, 0, (0x6, {24, 72, 0x0, 0, 0, "W32_Virtu"}, ... 240, ) }, ... 240, ) == 0x0 02493 428 NtMapViewOfSection (240, 236, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0 02494 428 NtClose (240, ... ) == 0x0 02495 428 NtProtectVirtualMemory (236, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 02496 428 NtWriteVirtualMemory (236, 0x77f7e603, (236, 0x77f7e603, "\350q-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 02497 428 NtProtectVirtualMemory (236, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 02498 428 NtWriteVirtualMemory (236, 0x77f7e6a3, (236, 0x77f7e6a3, "\350\36-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 02499 428 NtProtectVirtualMemory (236, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 02500 428 NtWriteVirtualMemory (236, 0x77f7e6b3, (236, 0x77f7e6b3, "\350\33-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 02501 428 NtSetInformationProcess (236, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02502 428 NtQueryInformationProcess (236, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=716,ParentPid=412,}, 0x0, ) == 0x0 02503 428 NtReadVirtualMemory (236, 0x7ffdf008, 4, ... (236, 0x7ffdf008, 4, ... "\0\0\320J", 0x0, ) , 0x0, ) == 0x0 02504 428 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\cmd.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02505 428 NtAllocateVirtualMemory (-1, 1507328, 0, 8192, 4096, 4, ... 1507328, 8192, ) == 0x0 02506 428 NtReadVirtualMemory (236, 0x4ad00000, 4096, ... (236, 0x4ad00000, 4096, ... 
"MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\13+S\231OJ=\312OJ=\312OJ=\312\265i}\312IJ=\312OJ<\312\235J=\312\265i$\312HJ=\312\224h \312MJ=\312\330ix\312NJ=\312\225i!\312\177J=\312\265i\0\312NJ=\312RichOJ=\312\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0&\343};\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\0\0\310\1\0\0\364\3\0\0\0\0\0\226\245\0\0\0\20\0\0\0\300\1\0\0\0\320J\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0\340\5\0\0\4\0\0\374\313\5\0\3\0\0\200\0\0\20\0\0\0\20\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\300\310\1\0P\0\0\0\0\260\3\0\230(\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\327\1\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0P\2\0\0X\0\0\0\0\20\0\0\344\2\0\0d\305\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\270\307\1\0\0\20\0\0\0\310\1\0\0\4\0\0\0\0\0\0", 4096, ) , 4096, ) == 0x0 02507 428 NtReadVirtualMemory (236, 0x4ad3b000, 256, ... (236, 0x4ad3b000, 256, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\3\0\0\00\0\0\200\13\0\0\0\200\0\0\200\16\0\0\0\230\0\0\200\20\0\0\0\260\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\1\0\0\0\310\0\0\200\2\0\0\0\340\0\0\200\3\0\0\0\370\0\0\200\4\0\0\0\20\1\0\200\5\0\0\0(\1\0\200\6\0\0\0@\1\0\200\7\0\0\0X\1\0\200\10\0\0\0p\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\1\0\0\0\210\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\200\2\0\200\240\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\1\0\0\0\270\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\4\0\0\320\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\4\0\0\340\1\0\0\0\0\0\0\0\0\0\0", 256, ) , 256, ) == 0x0 02508 428 NtQueryDebugFilterState (53, 2, ... ) == 0x0 02509 428 NtQueryInformationProcess (236, Basic, 24, ... 
{ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=716,ParentPid=412,}, 0x0, ) == 0x0 02510 428 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\U:\startupscripts"}, 1232000, ... ) }, 1232000, ... ) == 0x0 02511 428 NtAllocateVirtualMemory (-1, 0, 0, 1676, 4096, 4, ... 9961472, 4096, ) == 0x0 02512 428 NtAllocateVirtualMemory (236, 0, 0, 1910, 4096, 4, ... 65536, 4096, ) == 0x0 02513 428 NtWriteVirtualMemory (236, 0x10000, (236, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0 02514 428 NtAllocateVirtualMemory (236, 0, 0, 1676, 4096, 4, ... 
131072, 4096, ) == 0x0 02515 428 NtWriteVirtualMemory (236, 0x20000, (236, 0x20000, "\0\20\0\0\214\6\0\0\0\0\0\0\0\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"\0\10\2\220\2\0\0\0\0\0\0\374\0\376\0\230\4\0\06\08\0\230\5\0\0^\0`\0\320\5\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\06\08\00\6\0\0\36\0 \0h\6\0\0\0\0\2\0\210\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1676, ... 
0x0, ) \0\10\2\220\2\0\0\0\0\0\0\374\0\376\0\230\4\0\06\08\0\230\5\0\0^\0`\0\320\5\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\06\08\00\6\0\0\36\0 \0h\6\0\0\0\0\2\0\210\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1676, ... 0x0, ) == 0x0 02516 428 NtWriteVirtualMemory (236, 0x7ffdf010, (236, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0 02517 428 NtWriteVirtualMemory (236, 0x7ffdf1e8, (236, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0 02518 428 NtFreeVirtualMemory (-1, (0x980000), 0, 32768, ... (0x980000), 4096, ) == 0x0 02519 428 NtAllocateVirtualMemory (236, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0 02520 428 NtAllocateVirtualMemory (236, 196608, 0, 1048576, 4096, 4, ... 196608, 1048576, ) == 0x0 02521 428 NtCreateThread (0x1f03ff, 0x0, 236, 1232200, 1232920, 1, ... 
240, {716, 836}, ) == 0x0 02522 428 NtRequestWaitReplyPort (24, {168, 196, new_msg, 0, 0, 1234032, 0, 0} (24, {168, 196, new_msg, 0, 0, 1234032, 0, 0} "\0\0\0\0\0\0\1\0\24\0\0\0\1\0\0\0\354\0\0\0\360\0\0\0\314\2\0\0D\3\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\0\374\326\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 412, 428, 1510, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\1\0\0\0\354\0\0\0\360\0\0\0\314\2\0\0D\3\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\0\374\326\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {168, 196, reply, 0, 412, 428, 1510, 0} (24, {168, 196, new_msg, 0, 0, 1234032, 0, 0} "\0\0\0\0\0\0\1\0\24\0\0\0\1\0\0\0\354\0\0\0\360\0\0\0\314\2\0\0D\3\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\0\374\326\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 412, 428, 1510, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\1\0\0\0\354\0\0\0\360\0\0\0\314\2\0\0D\3\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\0\374\326\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 02523 428 NtResumeThread (240, ... 1, ) == 0x0 02524 428 NtClose (216, ... ) == 0x0 02525 428 NtClose (232, ... ) == 0x0 02526 428 NtClose (222, ... ) == 0x0 02527 428 NtClose (210, ... ) == 0x0 02528 428 NtClose (214, ... 
) == 0x0 02529 428 NtClose (236, ... ) == 0x0 02530 428 NtClose (240, ... ) == 0x0 02531 428 NtUserDestroyWindow (131246, ... 02532 428 NtUserRemoveProp (131246, 43288, ... ) == 0xffffffff 02533 428 NtUserRemoveProp (131246, 43282, ... ) == 0x0 02534 428 NtUserRemoveProp (131246, 43287, ... ) == 0x0 02531 428 NtUserDestroyWindow ... ) == 0x1 02535 428 NtUserUnregisterClass (1237380, 1998258176, 1237368, ... ) == 0x1 02536 428 NtTerminateProcess (0, 0, ... ) == 0x0 02537 428 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0xd,}, 4, ... ) == 0x0 02538 428 NtWaitForMultipleObjects (2, (176, 168, ), 1, 0, 0x0, ... ) == 0x1 02539 428 NtClose (168, ... ) == 0x0 02540 428 NtSetEvent (176, ... 0x0, ) == 0x0 02541 428 NtClose (176, ... ) == 0x0 02542 428 NtWaitForMultipleObjects (2, (184, 188, ), 1, 0, 0x0, ... ) == 0x1 02543 428 NtClose (188, ... ) == 0x0 02544 428 NtSetEvent (184, ... 0x0, ) == 0x0 02545 428 NtClose (184, ... ) == 0x0 02546 428 NtWaitForMultipleObjects (2, (192, 196, ), 1, 0, 0x0, ... ) == 0x1 02547 428 NtClose (196, ... ) == 0x0 02548 428 NtSetEvent (192, ... 0x0, ) == 0x0 02549 428 NtClose (192, ... ) == 0x0 02550 428 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0xc,}, 4, ... ) == 0x0 02551 428 NtUnmapViewOfSection (-1, 0x910000, ... ) == 0x0 02552 428 NtClose (148, ... ) == 0x0 02553 428 NtGdiDeleteObjectApp (856687415, ... ) == 0x1 02554 428 NtUserGetProcessWindowStation (... ) == 0x28 02555 428 NtUserBuildNameList (40, 256, 1419936, 1241844, ... ) == 0x0 02556 428 NtUserGetProcessWindowStation (... ) == 0x28 02557 428 NtUserOpenDesktop ({24, 40, 0x40, 0, 0, ({24, 40, 0x40, 0, 0, "Default"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x94 02558 428 NtUserBuildHwndList (148, 0, 0, 0, 64, ... 
(0x100aa, 0x100a8, 0x100a6, 0x20060, 0x100a0, 0x1007e, 0x10074, 0x10068, 0x3004a, 0x10066, 0x3004c, 0x3003c, 0x10098, 0x1008c, 0x1007c, 0x10026, 0x300ae, 0x100be, 0x100bc, 0x100ba, 0x100b8, 0x100b6, 0x100b4, 0x100b2, 0x100b0, 0x20064, 0x100ac, 0x20062, 0x1006c, 0x50050, 0x40054, 0x5004e, 0x10082, 0x10076, 0x1, ), 35, ) == 0x0 02559 428 NtUserQueryWindow (65706, 0, ... ) == 0x7e0 02560 428 NtUserQueryWindow (65706, 1, ... ) == 0x7e4 02561 428 NtUserQueryWindow (65704, 0, ... ) == 0x7e0 02562 428 NtUserQueryWindow (65704, 1, ... ) == 0x7e4 02563 428 NtUserQueryWindow (65702, 0, ... ) == 0x7e0 02564 428 NtUserQueryWindow (65702, 1, ... ) == 0x7e4 02565 428 NtUserQueryWindow (131168, 0, ... ) == 0x7e0 02566 428 NtUserQueryWindow (131168, 1, ... ) == 0x7e4 02567 428 NtUserQueryWindow (65696, 0, ... ) == 0x778 02568 428 NtUserQueryWindow (65696, 1, ... ) == 0x788 02569 428 NtUserQueryWindow (65662, 0, ... ) == 0x778 02570 428 NtUserQueryWindow (65662, 1, ... ) == 0x788 02571 428 NtUserBuildHwndList (0, 65662, 1, 0, 64, ... (0x10080, 0x10086, 0x10088, 0x1008a, 0x1008e, 0x10090, 0x10092, 0x10094, 0x10096, 0x1009a, 0x1009c, 0x1009e, 0x1, ), 13, ) == 0x0 02572 428 NtUserQueryWindow (65664, 0, ... ) == 0x778 02573 428 NtUserQueryWindow (65664, 1, ... ) == 0x788 02574 428 NtUserQueryWindow (65670, 0, ... ) == 0x778 02575 428 NtUserQueryWindow (65670, 1, ... ) == 0x788 02576 428 NtUserQueryWindow (65672, 0, ... ) == 0x778 02577 428 NtUserQueryWindow (65672, 1, ... ) == 0x788 02578 428 NtUserQueryWindow (65674, 0, ... ) == 0x778 02579 428 NtUserQueryWindow (65674, 1, ... ) == 0x788 02580 428 NtUserQueryWindow (65678, 0, ... ) == 0x778 02581 428 NtUserQueryWindow (65678, 1, ... ) == 0x788 02582 428 NtUserQueryWindow (65680, 0, ... ) == 0x778 02583 428 NtUserQueryWindow (65680, 1, ... ) == 0x788 02584 428 NtUserQueryWindow (65682, 0, ... ) == 0x778 02585 428 NtUserQueryWindow (65682, 1, ... ) == 0x788 02586 428 NtUserQueryWindow (65684, 0, ... 
) == 0x778 02587 428 NtUserQueryWindow (65684, 1, ... ) == 0x788 02588 428 NtUserQueryWindow (65686, 0, ... ) == 0x778 02589 428 NtUserQueryWindow (65686, 1, ... ) == 0x788 02590 428 NtUserQueryWindow (65690, 0, ... ) == 0x778 02591 428 NtUserQueryWindow (65690, 1, ... ) == 0x788 02592 428 NtUserQueryWindow (65692, 0, ... ) == 0x778 02593 428 NtUserQueryWindow (65692, 1, ... ) == 0x788 02594 428 NtUserQueryWindow (65694, 0, ... ) == 0x778 02595 428 NtUserQueryWindow (65694, 1, ... ) == 0x788 02596 428 NtUserQueryWindow (65652, 0, ... ) == 0x778 02597 428 NtUserQueryWindow (65652, 1, ... ) == 0x788 02598 428 NtUserQueryWindow (65640, 0, ... ) == 0x778 02599 428 NtUserQueryWindow (65640, 1, ... ) == 0x788 02600 428 NtUserQueryWindow (196682, 0, ... ) == 0x778 02601 428 NtUserQueryWindow (196682, 1, ... ) == 0x788 02602 428 NtUserQueryWindow (65638, 0, ... ) == 0x778 02603 428 NtUserQueryWindow (65638, 1, ... ) == 0x788 02604 428 NtUserQueryWindow (196684, 0, ... ) == 0x778 02605 428 NtUserQueryWindow (196684, 1, ... ) == 0x788 02606 428 NtUserQueryWindow (196668, 0, ... ) == 0x778 02607 428 NtUserQueryWindow (196668, 1, ... ) == 0x788 02608 428 NtUserBuildHwndList (0, 196668, 1, 0, 64, ... (0x3003e, 0x30042, 0x30040, 0x30044, 0x30046, 0x30048, 0x1006a, 0x1006e, 0x10072, 0x1, ), 10, ) == 0x0 02609 428 NtUserQueryWindow (196670, 0, ... ) == 0x778 02610 428 NtUserQueryWindow (196670, 1, ... ) == 0x788 02611 428 NtUserQueryWindow (196674, 0, ... ) == 0x778 02612 428 NtUserQueryWindow (196674, 1, ... ) == 0x788 02613 428 NtUserQueryWindow (196672, 0, ... ) == 0x778 02614 428 NtUserQueryWindow (196672, 1, ... ) == 0x788 02615 428 NtUserQueryWindow (196676, 0, ... ) == 0x778 02616 428 NtUserQueryWindow (196676, 1, ... ) == 0x788 02617 428 NtUserQueryWindow (196678, 0, ... ) == 0x778 02618 428 NtUserQueryWindow (196678, 1, ... ) == 0x788 02619 428 NtUserQueryWindow (196680, 0, ... ) == 0x778 02620 428 NtUserQueryWindow (196680, 1, ... 
) == 0x788 02621 428 NtUserQueryWindow (65642, 0, ... ) == 0x778 02622 428 NtUserQueryWindow (65642, 1, ... ) == 0x788 02623 428 NtUserQueryWindow (65646, 0, ... ) == 0x778 02624 428 NtUserQueryWindow (65646, 1, ... ) == 0x788 02625 428 NtUserQueryWindow (65650, 0, ... ) == 0x778 02626 428 NtUserQueryWindow (65650, 1, ... ) == 0x788 02627 428 NtUserQueryWindow (65688, 0, ... ) == 0x778 02628 428 NtUserQueryWindow (65688, 1, ... ) == 0x788 02629 428 NtUserQueryWindow (65676, 0, ... ) == 0x778 02630 428 NtUserQueryWindow (65676, 1, ... ) == 0x788 02631 428 NtUserQueryWindow (65660, 0, ... ) == 0x778 02632 428 NtUserQueryWindow (65660, 1, ... ) == 0x77c 02633 428 NtUserQueryWindow (65574, 0, ... ) == 0x268 02634 428 NtUserQueryWindow (65574, 1, ... ) == 0x2c4 02635 428 NtUserQueryWindow (196782, 0, ... ) == 0x2cc 02636 428 NtUserQueryWindow (196782, 1, ... ) == 0x344 02637 428 NtUserQueryWindow (65726, 0, ... ) == 0x7ec 02638 428 NtUserQueryWindow (65726, 1, ... ) == 0x7f0 02639 428 NtUserQueryWindow (65724, 0, ... ) == 0x7ec 02640 428 NtUserQueryWindow (65724, 1, ... ) == 0x7f0 02641 428 NtUserQueryWindow (65722, 0, ... ) == 0x7ec 02642 428 NtUserQueryWindow (65722, 1, ... ) == 0x7f0 02643 428 NtUserQueryWindow (65720, 0, ... ) == 0x7ec 02644 428 NtUserQueryWindow (65720, 1, ... ) == 0x7f0 02645 428 NtUserQueryWindow (65718, 0, ... ) == 0x7ec 02646 428 NtUserQueryWindow (65718, 1, ... ) == 0x7f0 02647 428 NtUserQueryWindow (65716, 0, ... ) == 0x7ec 02648 428 NtUserQueryWindow (65716, 1, ... ) == 0x7f0 02649 428 NtUserQueryWindow (65714, 0, ... ) == 0x7ec 02650 428 NtUserQueryWindow (65714, 1, ... ) == 0x7f0 02651 428 NtUserQueryWindow (65712, 0, ... ) == 0x7ec 02652 428 NtUserQueryWindow (65712, 1, ... ) == 0x7f0 02653 428 NtUserQueryWindow (131172, 0, ... ) == 0x7f8 02654 428 NtUserQueryWindow (131172, 1, ... ) == 0x7fc 02655 428 NtUserQueryWindow (65708, 0, ... ) == 0x7e0 02656 428 NtUserQueryWindow (65708, 1, ... 
) == 0x7e4 02657 428 NtUserQueryWindow (131170, 0, ... ) == 0x7d8 02658 428 NtUserQueryWindow (131170, 1, ... ) == 0x7dc 02659 428 NtUserQueryWindow (65644, 0, ... ) == 0x778 02660 428 NtUserQueryWindow (65644, 1, ... ) == 0x7b4 02661 428 NtUserQueryWindow (327760, 0, ... ) == 0x778 02662 428 NtUserQueryWindow (327760, 1, ... ) == 0x77c 02663 428 NtUserQueryWindow (262228, 0, ... ) == 0x778 02664 428 NtUserQueryWindow (262228, 1, ... ) == 0x77c 02665 428 NtUserQueryWindow (327758, 0, ... ) == 0x778 02666 428 NtUserQueryWindow (327758, 1, ... ) == 0x77c 02667 428 NtUserQueryWindow (65666, 0, ... ) == 0x778 02668 428 NtUserQueryWindow (65666, 1, ... ) == 0x77c 02669 428 NtUserQueryWindow (65654, 0, ... ) == 0x778 02670 428 NtUserQueryWindow (65654, 1, ... ) == 0x77c 02671 428 NtUserBuildHwndList (0, 65654, 1, 0, 64, ... (0x10078, 0x1007a, 0x1, ), 3, ) == 0x0 02672 428 NtUserQueryWindow (65656, 0, ... ) == 0x778 02673 428 NtUserQueryWindow (65656, 1, ... ) == 0x77c 02674 428 NtUserQueryWindow (65658, 0, ... ) == 0x778 02675 428 NtUserQueryWindow (65658, 1, ... ) == 0x77c 02676 428 NtUserCloseDesktop (148, ... 02677 428 NtClose (148, ... ) == 0x0 02676 428 NtUserCloseDesktop ... ) == 0x1 02678 428 NtUserGetProcessWindowStation (... ) == 0x28 02679 428 NtUserOpenDesktop ({24, 40, 0x40, 0, 0, ({24, 40, 0x40, 0, 0, "Disconnect"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0 02680 428 NtUserGetProcessWindowStation (... ) == 0x28 02681 428 NtUserOpenDesktop ({24, 40, 0x40, 0, 0, ({24, 40, 0x40, 0, 0, "Winlogon"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0 02682 428 NtGdiDeleteObjectApp (386532225, ... ) == 0x1 02683 428 NtGdiDeleteObjectApp (319423265, ... ) == 0x1 02684 428 NtClose (100, ... ) == 0x0 02685 428 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0xb,}, 4, ... ) == 0x0 02686 428 NtClose (92, ... ) == 0x0 02687 428 NtUnmapViewOfSection (-1, 0x8d0000, ... ) == 0x0 02688 428 NtClose (96, ... ) == 0x0 02689 428 NtClose (88, ... 
) == 0x0 02690 428 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x6,}, 4, ... ) == 0x0 02691 428 NtUserGetClassInfo (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc03b 02692 428 NtUserUnregisterClass (1241896, 1999896576, 1241884, ... ) == 0x1 02693 428 NtUserGetClassInfo (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc03d 02694 428 NtUserUnregisterClass (1241896, 1999896576, 1241884, ... ) == 0x1 02695 428 NtUserGetClassInfo (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc03f 02696 428 NtUserUnregisterClass (1241896, 1999896576, 1241884, ... ) == 0x1 02697 428 NtUserGetClassInfo (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc041 02698 428 NtUserUnregisterClass (1241896, 1999896576, 1241884, ... ) == 0x1 02699 428 NtUserGetClassInfo (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc043 02700 428 NtUserUnregisterClass (1241896, 1999896576, 1241884, ... ) == 0x1 02701 428 NtUserGetClassInfo (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc045 02702 428 NtUserUnregisterClass (1241896, 1999896576, 1241884, ... ) == 0x1 02703 428 NtUserGetClassInfo (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc047 02704 428 NtUserUnregisterClass (1241896, 1999896576, 1241884, ... ) == 0x1 02705 428 NtUserGetClassInfo (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc049 02706 428 NtUserUnregisterClass (1241896, 1999896576, 1241884, ... ) == 0x1 02707 428 NtUserGetClassInfo (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc04b 02708 428 NtUserUnregisterClass (1241896, 1999896576, 1241884, ... ) == 0x1 02709 428 NtUserGetClassInfo (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc04d 02710 428 NtUserUnregisterClass (1241896, 1999896576, 1241884, ... ) == 0x1 02711 428 NtUserGetClassInfo (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc04f 02712 428 NtUserUnregisterClass (1241896, 1999896576, 1241884, ... ) == 0x1 02713 428 NtUserGetClassInfo (1999896576, 1241892, 1241844, 1241920, 0, ... 
) == 0xc051 02714 428 NtUserUnregisterClass (1241896, 1999896576, 1241884, ... ) == 0x1 02715 428 NtUserGetClassInfo (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc053 02716 428 NtUserUnregisterClass (1241896, 1999896576, 1241884, ... ) == 0x1 02717 428 NtUserGetClassInfo (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc057 02718 428 NtUserUnregisterClass (1241896, 1999896576, 1241884, ... ) == 0x1 02719 428 NtUserGetClassInfo (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc059 02720 428 NtUserUnregisterClass (1241896, 1999896576, 1241884, ... ) == 0x1 02721 428 NtUserGetClassInfo (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc05b 02722 428 NtUserUnregisterClass (1241896, 1999896576, 1241884, ... ) == 0x1 02723 428 NtUserGetClassInfo (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc05d 02724 428 NtUserUnregisterClass (1241896, 1999896576, 1241884, ... ) == 0x1 02725 428 NtUserGetClassInfo (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc05f 02726 428 NtUserUnregisterClass (1241896, 1999896576, 1241884, ... ) == 0x1 02727 428 NtUserGetClassInfo (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc03b 02728 428 NtUserUnregisterClass (1241896, 1905590272, 1241884, ... ) == 0x1 02729 428 NtUserGetClassInfo (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc03d 02730 428 NtUserUnregisterClass (1241896, 1905590272, 1241884, ... ) == 0x1 02731 428 NtUserGetClassInfo (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc03f 02732 428 NtUserUnregisterClass (1241896, 1905590272, 1241884, ... ) == 0x1 02733 428 NtUserGetClassInfo (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc041 02734 428 NtUserUnregisterClass (1241896, 1905590272, 1241884, ... ) == 0x1 02735 428 NtUserGetClassInfo (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc043 02736 428 NtUserUnregisterClass (1241896, 1905590272, 1241884, ... ) == 0x1 02737 428 NtUserGetClassInfo (1905590272, 1241892, 1241844, 1241920, 0, ... 
) == 0xc045 02738 428 NtUserUnregisterClass (1241896, 1905590272, 1241884, ... ) == 0x1 02739 428 NtUserGetClassInfo (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc047 02740 428 NtUserUnregisterClass (1241896, 1905590272, 1241884, ... ) == 0x1 02741 428 NtUserGetClassInfo (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc049 02742 428 NtUserUnregisterClass (1241896, 1905590272, 1241884, ... ) == 0x1 02743 428 NtUserGetClassInfo (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc04b 02744 428 NtUserUnregisterClass (1241896, 1905590272, 1241884, ... ) == 0x1 02745 428 NtUserGetClassInfo (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc04d 02746 428 NtUserUnregisterClass (1241896, 1905590272, 1241884, ... ) == 0x1 02747 428 NtUserGetClassInfo (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc04f 02748 428 NtUserUnregisterClass (1241896, 1905590272, 1241884, ... ) == 0x1 02749 428 NtUserGetClassInfo (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc051 02750 428 NtUserUnregisterClass (1241896, 1905590272, 1241884, ... ) == 0x1 02751 428 NtUserGetClassInfo (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc053 02752 428 NtUserUnregisterClass (1241896, 1905590272, 1241884, ... ) == 0x1 02753 428 NtUserGetClassInfo (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc057 02754 428 NtUserUnregisterClass (1241896, 1905590272, 1241884, ... ) == 0x1 02755 428 NtUserGetClassInfo (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc059 02756 428 NtUserUnregisterClass (1241896, 1905590272, 1241884, ... ) == 0x1 02757 428 NtUserGetClassInfo (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc05b 02758 428 NtUserUnregisterClass (1241896, 1905590272, 1241884, ... ) == 0x1 02759 428 NtUserGetClassInfo (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc05d 02760 428 NtUserUnregisterClass (1241896, 1905590272, 1241884, ... ) == 0x1 02761 428 NtUserGetClassInfo (1905590272, 1241892, 1241844, 1241920, 0, ... 
) == 0xc05f 02762 428 NtUserUnregisterClass (1241896, 1905590272, 1241884, ... ) == 0x1 02763 428 NtUserGetClassInfo (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc017 02764 428 NtUserUnregisterClass (1241896, 1905590272, 1241884, ... ) == 0x1 02765 428 NtUserGetClassInfo (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc019 02766 428 NtUserUnregisterClass (1241896, 1905590272, 1241884, ... ) == 0x1 02767 428 NtUserGetClassInfo (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc018 02768 428 NtUserUnregisterClass (1241896, 1905590272, 1241884, ... ) == 0x1 02769 428 NtUserGetClassInfo (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc01a 02770 428 NtUserUnregisterClass (1241896, 1905590272, 1241884, ... ) == 0x1 02771 428 NtUserGetClassInfo (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc01c 02772 428 NtUserUnregisterClass (1241896, 1905590272, 1241884, ... ) == 0x1 02773 428 NtUserGetClassInfo (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc01e 02774 428 NtUserUnregisterClass (1241896, 1905590272, 1241884, ... ) == 0x1 02775 428 NtUserGetClassInfo (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc01b 02776 428 NtUserUnregisterClass (1241896, 1905590272, 1241884, ... ) == 0x1 02777 428 NtUserGetClassInfo (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc068 02778 428 NtUserUnregisterClass (1241896, 1905590272, 1241884, ... ) == 0x1 02779 428 NtUserGetClassInfo (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc06a 02780 428 NtUserUnregisterClass (1241896, 1905590272, 1241884, ... ) == 0x1 02781 428 NtUnmapViewOfSection (-1, 0x8e0000, ... ) == 0x0 02782 428 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x4,}, 4, ... ) == 0x0 02783 428 NtClose (180, ... ) == 0x0 02784 428 NtClose (152, ... ) == 0x0 02785 428 NtClose (172, ... ) == 0x0 02786 428 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x1,}, 4, ... ) == 0x0 02787 428 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x2,}, 4, ... 
) == 0x0 02788 428 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x3,}, 4, ... ) == 0x0 02789 428 NtClose (160, ... ) == 0x0 02790 428 NtClose (164, ... ) == 0x0 02791 428 NtClose (108, ... ) == 0x0 02792 428 NtFreeVirtualMemory (-1, (0x0), 0, 32768, ... ) == STATUS_MEMORY_NOT_ALLOCATED 02793 428 NtRequestWaitReplyPort (24, {20, 48, new_msg, 0, 0, 0, 0, 0} (24, {20, 48, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 412, 428, 1535, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {20, 48, reply, 0, 412, 428, 1535, 0} (24, {20, 48, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 412, 428, 1535, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 02794 428 NtTerminateProcess (-1, 0, ... 02795 428 NtClose (44, ... ) == 0x0