Summary (number of calls per syscall name over the trace, e.g. NtClose 377, NtOpenKey 282; the tally is computed over the whole trace, not only the excerpt shown below):

NtAccessCheck(>) 1 NtAdjustPrivilegesToken(>) 2 NtUserBuildHwndList(>) 4 NtFreeVirtualMemory(>) 18
NtAddAtom(>) 1 NtContinue(>) 2 NtWriteVirtualMemory(>) 4 NtOpenThreadToken(>) 20
NtCallbackReturn(>) 1 NtCreateIoCompletion(>) 2 NtGdiGetStockObject(>) 5 NtUnmapViewOfSection(>) 20
NtConnectPort(>) 1 NtEnumerateKey(>) 2 NtQueryDefaultLocale(>) 5 NtCreateKey(>) 22
NtCreateProcessEx(>) 1 NtGdiCreateSolidBrush(>) 2 NtWriteFile(>) 5 NtCreateSection(>) 24
NtCreateThread(>) 1 NtGdiHfontCreate(>) 2 NtCreateSemaphore(>) 6 NtOpenSection(>) 27
NtDeleteValueKey(>) 1 NtOpenDirectoryObject(>) 2 NtOpenSymbolicLinkObject(>) 6 NtQueryInformationFile(>) 27
NtGdiCreateBitmap(>) 1 NtOpenMutant(>) 2 NtQuerySymbolicLinkObject(>) 6 NtReleaseSemaphore(>) 31
NtGdiCreatePatternBrushInternal(>) 1 NtQueryInstallUILanguage(>) 2 NtUserGetProcessWindowStation(>) 6 NtSetInformationProcess(>) 31
NtGdiInit(>) 1 NtReleaseMutant(>) 2 NtUserCallNoParam(>) 7 NtWaitForSingleObject(>) 33
NtGdiQueryFontAssocInfo(>) 1 NtTerminateProcess(>) 2 NtQueryDefaultUILanguage(>) 8 NtProtectVirtualMemory(>) 36
NtGdiSelectBitmap(>) 1 NtUserCloseDesktop(>) 2 NtSetInformationFile(>) 8 NtMapViewOfSection(>) 44
NtNotifyChangeKey(>) 1 NtUserCreateWindowEx(>) 2 NtFlushInstructionCache(>) 9 NtUserUnregisterClass(>) 46
NtOpenKeyedEvent(>) 1 NtUserDestroyWindow(>) 2 NtQuerySection(>) 9 NtUserFindExistingCursorIcon(>) 48
NtOpenProcess(>) 1 NtUserMessageCall(>) 2 NtQueryVolumeInformationFile(>) 9 NtQueryInformationProcess(>) 51
NtQueryInformationJobObject(>) 1 NtCreateMutant(>) 3 NtFsControlFile(>) 10 NtDeviceIoControlFile(>) 55
NtQueryObject(>) 1 NtDuplicateObject(>) 3 NtUserGetWindowDC(>) 10 NtOpenProcessTokenEx(>) 60
NtQueryPerformanceCounter(>) 1 NtEnumerateValueKey(>) 3 NtRequestWaitReplyPort(>) 11 NtOpenThreadTokenEx(>) 60
NtQuerySystemTime(>) 1 NtGdiCreateCompatibleDC(>) 3 NtUserCallOneParam(>) 11 NtQueryAttributesFile(>) 63
NtRegisterThreadTerminatePort(>) 1 NtGdiDeleteObjectApp(>) 3 NtUserSystemParametersInfo(>) 11 NtUserRegisterClassExWOW(>) 64
NtResumeThread(>) 1 NtOpenEvent(>) 3 NtLockFile(>) 13 NtQueryInformationToken(>) 72
NtSecureConnectPort(>) 1 NtQueryVirtualMemory(>) 3 NtUnlockFile(>) 13 NtQueryKey(>) 73
NtTestAlert(>) 1 NtReadVirtualMemory(>) 3 NtCreateEvent(>) 14 NtQuerySystemInformation(>) 78
NtUserBuildNameList(>) 1 NtSetEvent(>) 3 NtOpenProcessToken(>) 14 NtAllocateVirtualMemory(>) 80
NtUserGetAtomName(>) 1 NtUserGetObjectInformation(>) 3 NtSetValueKey(>) 15 NtUserGetClassInfo(>) 82
NtUserGetDC(>) 1 NtUserOpenDesktop(>) 3 NtQueryDebugFilterState(>) 16 NtOpenFile(>) 87
NtUserGetForegroundWindow(>) 1 NtUserRegisterWindowMessage(>) 3 NtQueryDirectoryFile(>) 17 NtUserQueryWindow(>) 114
NtUserGetGUIThreadInfo(>) 1 NtUserRemoveProp(>) 3 NtReadFile(>) 17 NtQueryValueKey(>) 125
NtUserGetThreadDesktop(>) 1 NtWaitForMultipleObjects(>) 3 NtSetInformationThread(>) 17 NtOpenKey(>) 282
NtUserSetProp(>) 1 NtSetInformationObject(>) 4 NtCreateFile(>) 18 NtClose(>) 377

Trace (one entry per call: sequence number, calling thread id — 408 here, which is also the value passed to NtUserGetThreadDesktop and the UniqueThread field of the LPC reply ClientId {396, 408} — then the syscall, its arguments, and the NTSTATUS after `==`; when a sequence number appears twice, e.g. 00113 around 00114, the call was interrupted by a nested call and its return value is given on the second occurrence):

00001 408 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00002 408 NtOpenKeyedEvent (0x2000000, {24, 0, 0x0, 0, 0, (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0 00003 408 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00004 408 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 1376256, 1048576, ) == 0x0 00005 408 NtAllocateVirtualMemory (-1, 1376256, 0, 4096, 4096, 4, ... 1376256, 4096, ) == 0x0 00006 408 NtAllocateVirtualMemory (-1, 1380352, 0, 8192, 4096, 4, ... 1380352, 8192, ) == 0x0 00007 408 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00008 408 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 2424832, 65536, ) == 0x0 00009 408 NtAllocateVirtualMemory (-1, 2424832, 0, 24576, 4096, 4, ... 2424832, 24576, ) == 0x0 00010 408 NtOpenDirectoryObject (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0 00011 408 NtOpenSymbolicLinkObject (0x1, {24, 8, 0x40, 0, 0, (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0 00012 408 NtQuerySymbolicLinkObject (12, ... (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0 00013 408 NtClose (12, ... 
) == 0x0 00014 408 NtOpenFile (0x100020, {24, 0, 0x42, 0, 0, (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0 00015 408 NtQueryVolumeInformationFile (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00016 408 NtFsControlFile (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER 00017 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00018 408 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0 00019 408 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0 00020 408 NtClose (16, ... ) == 0x0 00021 408 NtQuerySystemInformation (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0 00022 408 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00023 408 NtCreateSection (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0 00024 408 NtSecureConnectPort ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1385272, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2490368, 18415616}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1385272, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2490368, 18415616}, {0, 0, 0}, 200, 44, ) == 0x0 00025 408 NtClose (16, ... ) == 0x0 00026 408 NtQueryObject (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0 00027 408 NtSetInformationObject (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0 00028 408 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00029 408 NtQueryVirtualMemory (-1, 0x260000, Basic, 28, ... {BaseAddress=0x260000,AllocationBase=0x260000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0 00030 408 NtAllocateVirtualMemory (-1, 2490368, 0, 4096, 4096, 4, ... 2490368, 4096, ) == 0x0 00031 408 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 0, 0, 0, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 396, 408, 1478, 0} "8@\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ) ... {28, 56, reply, 0, 396, 408, 1478, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 396, 408, 1478, 0} "8@\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ) ) == 0x0 00032 408 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00033 408 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0 00034 408 NtQueryValueKey (16, (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00035 408 NtClose (16, ... ) == 0x0 00036 408 NtAllocateVirtualMemory (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0 00037 408 NtOpenMutant (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0 00038 408 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 
28, ) == 0x0 00039 408 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x270000), 0x0, 90112, ) == 0x0 00040 408 NtClose (28, ... ) == 0x0 00041 408 NtQueryDefaultLocale (0, 2012046252, ... ) == 0x0 00042 408 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0 00043 408 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x290000), 0x0, 212992, ) == 0x0 00044 408 NtClose (28, ... ) == 0x0 00045 408 NtOpenSection (0x5, {24, 0, 0x40, 0, 0, (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0 00046 408 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2d0000), 0x0, 266240, ) == 0x0 00047 408 NtQuerySection (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0 00048 408 NtClose (28, ... ) == 0x0 00049 408 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0 00050 408 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x320000), 0x0, 24576, ) == 0x0 00051 408 NtClose (28, ... ) == 0x0 00052 408 NtQueryVirtualMemory (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 00053 408 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00054 408 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00055 408 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... 
{28, 56, reply, 0, 396, 408, 1479, 0} "(\261\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ) ... {28, 56, reply, 0, 396, 408, 1479, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 396, 408, 1479, 0} "(\261\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ) ) == 0x0 00056 408 NtProtectVirtualMemory (-1, (0x44f000), 163840, 4, ... (0x44f000), 163840, 128, ) == 0x0 00057 408 NtProtectVirtualMemory (-1, (0x44f000), 163840, 128, ... (0x44f000), 163840, 4, ) == 0x0 00058 408 NtFlushInstructionCache (-1, 4517888, 163840, ... ) == 0x0 00059 408 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "user32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00060 408 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0 00061 408 NtClose (28, ... ) == 0x0 00062 408 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00063 408 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0 00064 408 NtClose (28, ... ) == 0x0 00065 408 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00066 408 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0 00067 408 NtClose (28, ... ) == 0x0 00068 408 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0 00069 408 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0 00070 408 NtClose (28, ... ) == 0x0 00071 408 NtProtectVirtualMemory (-1, (0x44f000), 163840, 4, ... (0x44f000), 163840, 64, ) == 0x0 00072 408 NtProtectVirtualMemory (-1, (0x44f000), 163840, 64, ... (0x44f000), 163840, 4, ) == 0x0 00073 408 NtFlushInstructionCache (-1, 4517888, 163840, ... 
) == 0x0 00074 408 NtOpenProcessToken (-1, 0x8, ... 28, ) == 0x0 00075 408 NtQueryInformationToken (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00076 408 NtClose (28, ... ) == 0x0 00077 408 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0 00078 408 NtQueryValueKey (28, (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00079 408 NtClose (28, ... ) == 0x0 00080 408 NtAllocateVirtualMemory (-1, 1388544, 0, 4096, 4096, 4, ... 1388544, 4096, ) == 0x0 00081 408 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0 00082 408 NtQueryValueKey (28, (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00083 408 NtQueryValueKey (28, (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00084 408 NtClose (28, ... ) == 0x0 00085 408 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0 00086 408 NtQueryValueKey (28, (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00087 408 NtClose (28, ... ) == 0x0 00088 408 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 
28, ) == 0x0 00089 408 NtSetInformationObject (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0 00090 408 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00091 408 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00092 408 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0} (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0} "\210\6\31\1\0\0\0\0\314\4\23\0!\215\30\34\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 396, 408, 1482, 0} "XQ\26\0\0\0\0\0\0\0\0\0!\215\30\34\3\0\0\0\234\6\31\1$\1\0\0" ) ... {28, 56, reply, 0, 396, 408, 1482, 0} (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0} "\210\6\31\1\0\0\0\0\314\4\23\0!\215\30\34\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 396, 408, 1482, 0} "XQ\26\0\0\0\0\0\0\0\0\0!\215\30\34\3\0\0\0\234\6\31\1$\1\0\0" ) ) == 0x0 00093 408 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00094 408 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x480000), 0x0, 1060864, ) == 0x0 00095 408 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 36, ) == 0x0 00096 408 NtOpenThreadTokenEx (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN 00097 408 NtOpenProcessTokenEx (-1, 0x8, 512, ... -2147482020, ) == 0x0 00098 408 NtQueryInformationToken (-2147482020, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL 00099 408 NtQueryInformationToken (-2147482020, Statistics, 56, ... 
{token info, class 10, size 56}, 56, ) == 0x0 00100 408 NtClose (-2147482020, ... ) == 0x0 00101 408 NtAllocateVirtualMemory (-1, 0, 0, 32, 4096, 4, ... 5832704, 4096, ) == 0x0 00102 408 NtFreeVirtualMemory (-1, (0x590000), 4096, 32768, ... (0x590000), 4096, ) == 0x0 00103 408 NtDuplicateObject (-1, 40, -1, 0x0, 0, 2, ... 48, ) == 0x0 00104 408 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00105 408 NtQueryValueKey (-2147482020, (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00106 408 NtClose (-2147482020, ... ) == 0x0 00107 408 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00108 408 NtQueryValueKey (-2147482020, (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00109 408 NtClose (-2147482020, ... ) == 0x0 00110 408 NtQueryDefaultLocale (0, -136377844, ... ) == 0x0 00111 408 NtGdiQueryFontAssocInfo (0, ... ) == 0x0 00112 408 NtUserCallNoParam (24, ... ) == 0x0 00113 408 NtGdiCreateCompatibleDC (0, ... 00114 408 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 5832704, 4096, ) == 0x0 00113 408 NtGdiCreateCompatibleDC ... ) == 0x1f010337 00115 408 NtGdiGetStockObject (0, ... ) == 0x1900010 00116 408 NtGdiGetStockObject (4, ... ) == 0x1900011 00117 408 NtGdiCreateBitmap (8, 8, 1, 1, 2010393708, ... ) == 0x170503ca 00118 408 NtGdiCreateSolidBrush (0, 0, ... 00119 408 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 9043968, 4096, ) == 0x0 00118 408 NtGdiCreateSolidBrush ... ) == 0x131003d6 00120 408 NtGdiGetStockObject (13, ... ) == 0x18a0021 00121 408 NtGdiCreateCompatibleDC (0, ... 
) == 0x3c010330 00122 408 NtGdiSelectBitmap (1006699312, 386204618, ... ) == 0x185000f 00123 408 NtUserGetThreadDesktop (408, 0, ... ) == 0x2c 00124 408 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 52, ) }, ... 52, ) == 0x0 00125 408 NtQueryValueKey (52, (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 00126 408 NtClose (52, ... ) == 0x0 00127 408 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00128 408 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 673, 128, 0, ... ) == 0x810dc017 00129 408 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00130 408 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 674, 128, 0, ... ) == 0x810dc01c 00131 408 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00132 408 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 675, 128, 0, ... ) == 0x810dc01e 00133 408 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00134 408 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 676, 128, 0, ... ) == 0x810d8002 00135 408 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10013 00136 408 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 677, 128, 0, ... ) == 0x810dc018 00137 408 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00138 408 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 678, 128, 0, ... ) == 0x810dc01a 00139 408 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00140 408 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 679, 128, 0, ... 
) == 0x810dc01d 00141 408 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00142 408 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 681, 128, 0, ... 00143 408 NtAllocateVirtualMemory (-1, 5992448, 0, 4096, 4096, 32, ... 5992448, 4096, ) == 0x0 00142 408 NtUserRegisterClassExWOW ... ) == 0x810dc026 00144 408 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00145 408 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 680, 128, 0, ... ) == 0x810dc019 00146 408 NtUserRegisterClassExWOW (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc020 00147 408 NtUserRegisterClassExWOW (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810dc022 00148 408 NtUserRegisterClassExWOW (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc023 00149 408 NtUserRegisterClassExWOW (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810dc024 00150 408 NtUserRegisterClassExWOW (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc025 00151 408 NtCallbackReturn (0, 0, 0, ... 00152 408 NtGdiInit (... ) == 0x1 00153 408 NtGdiGetStockObject (18, ... ) == 0x290001c 00154 408 NtGdiGetStockObject (19, ... ) == 0x1b00019 00155 408 NtAllocateVirtualMemory (-1, 0, 0, 8878, 4096, 4, ... 9109504, 12288, ) == 0x0 00156 408 NtFreeVirtualMemory (-1, (0x8b0000), 0, 32768, ... (0x8b0000), 12288, ) == 0x0 00157 408 NtQueryVirtualMemory (-1, 0x44acbe, Basic, 28, ... {BaseAddress=0x44a000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0x5000,State=0x1000,Protect=0x4,Type=0x1000000,}, 28, ) == 0x0 00158 408 NtAllocateVirtualMemory (-1, 1392640, 0, 4096, 4096, 4, ... 1392640, 4096, ) == 0x0 00159 408 NtProtectVirtualMemory (-1, (0x4001f8), 40, 4, ... (0x400000), 4096, 2, ) == 0x0 00160 408 NtProtectVirtualMemory (-1, (0x4001f8), 40, 2, ... (0x400000), 4096, 4, ) == 0x0 00161 408 NtProtectVirtualMemory (-1, (0x400220), 40, 4, ... 
(0x400000), 4096, 2, ) == 0x0 00162 408 NtProtectVirtualMemory (-1, (0x400220), 40, 2, ... (0x400000), 4096, 4, ) == 0x0 00163 408 NtProtectVirtualMemory (-1, (0x400248), 40, 4, ... (0x400000), 4096, 2, ) == 0x0 00164 408 NtProtectVirtualMemory (-1, (0x400248), 40, 2, ... (0x400000), 4096, 4, ) == 0x0 00165 408 NtProtectVirtualMemory (-1, (0x400270), 40, 4, ... (0x400000), 4096, 2, ) == 0x0 00166 408 NtProtectVirtualMemory (-1, (0x400270), 40, 2, ... (0x400000), 4096, 4, ) == 0x0 00167 408 NtProtectVirtualMemory (-1, (0x400298), 40, 4, ... (0x400000), 4096, 2, ) == 0x0 00168 408 NtProtectVirtualMemory (-1, (0x400298), 40, 2, ... (0x400000), 4096, 4, ) == 0x0 00169 408 NtProtectVirtualMemory (-1, (0x4002c0), 40, 4, ... (0x400000), 4096, 2, ) == 0x0 00170 408 NtProtectVirtualMemory (-1, (0x4002c0), 40, 2, ... (0x400000), 4096, 4, ) == 0x0 00171 408 NtProtectVirtualMemory (-1, (0x4002e8), 40, 4, ... (0x400000), 4096, 2, ) == 0x0 00172 408 NtProtectVirtualMemory (-1, (0x4002e8), 40, 2, ... (0x400000), 4096, 4, ) == 0x0 00173 408 NtProtectVirtualMemory (-1, (0x400310), 40, 4, ... (0x400000), 4096, 2, ) == 0x0 00174 408 NtProtectVirtualMemory (-1, (0x400310), 40, 2, ... (0x400000), 4096, 4, ) == 0x0 00175 408 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 52, ) }, ... 52, ) == 0x0 00176 408 NtQueryValueKey (52, (52, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00177 408 NtClose (52, ... ) == 0x0 00178 408 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "MPR.dll"}, ... 52, ) }, ... 52, ) == 0x0 00179 408 NtMapViewOfSection (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71b20000), 0x0, 69632, ) == 0x0 00180 408 NtClose (52, ... ) == 0x0 00181 408 NtCreateSemaphore (0x1f0003, 0x0, 1, 1, ... 52, ) == 0x0 00182 408 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 
56, ) == 0x0 00183 408 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "system\CurrentControlSet\control\NetworkProvider\HwOrder"}, ... 60, ) }, ... 60, ) == 0x0 00184 408 NtNotifyChangeKey (60, 56, 0, 0, 2011390432, 4, 0, 0, 0, 1, ... ) == 0x103 00185 408 NtQueryInformationProcess (-1, 28, 4, ... {process info, class 28, size 4}, 0x0, ) == 0x0 00186 408 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 64, ) == 0x0 00187 408 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 68, ) == 0x0 00188 408 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SHELL32.dll"}, ... 72, ) }, ... 72, ) == 0x0 00189 408 NtMapViewOfSection (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 8339456, ) == 0x0 00190 408 NtClose (72, ... ) == 0x0 00191 408 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 72, ) }, ... 72, ) == 0x0 00192 408 NtMapViewOfSection (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0 00193 408 NtClose (72, ... ) == 0x0 00194 408 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 72, ) }, ... 72, ) == 0x0 00195 408 NtMapViewOfSection (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x772d0000), 0x0, 405504, ) == 0x0 00196 408 NtClose (72, ... ) == 0x0 00197 408 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00198 408 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9109504, 65536, ) == 0x0 00199 408 NtAllocateVirtualMemory (-1, 9109504, 0, 4096, 4096, 4, ... 9109504, 4096, ) == 0x0 00200 408 NtAllocateVirtualMemory (-1, 9113600, 0, 8192, 4096, 4, ... 
9113600, 8192, ) == 0x0 00201 408 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 72, ) }, ... 72, ) == 0x0 00202 408 NtMapViewOfSection (72, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x8c0000), 0x0, 12288, ) == 0x0 00203 408 NtClose (72, ... ) == 0x0 00204 408 NtAllocateVirtualMemory (-1, 9121792, 0, 4096, 4096, 4, ... 9121792, 4096, ) == 0x0 00205 408 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00206 408 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 72, ) }, ... 72, ) == 0x0 00207 408 NtQueryValueKey (72, (72, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (72, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00208 408 NtClose (72, ... ) == 0x0 00209 408 NtQueryDefaultUILanguage (1239840, ... 00210 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00211 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482024, ) == 0x0 00212 408 NtQueryInformationToken (-2147482024, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00213 408 NtClose (-2147482024, ... ) == 0x0 00214 408 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482024, ) }, ... -2147482024, ) == 0x0 00215 408 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00216 408 NtOpenKey (0x80000000, {24, -2147482024, 0x640, 0, 0, (0x80000000, {24, -2147482024, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482028, ) }, ... 
-2147482028, ) == 0x0 00217 408 NtQueryValueKey (-2147482028, (-2147482028, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00218 408 NtClose (-2147482028, ... ) == 0x0 00219 408 NtClose (-2147482024, ... ) == 0x0 00209 408 NtQueryDefaultUILanguage ... ) == 0x0 00220 408 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00221 408 NtQueryInstallUILanguage (2012047340, ... ) == 0x0 00222 408 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1, 96, ... 72, {status=0x0, info=1}, ) }, 1, 96, ... 72, {status=0x0, info=1}, ) == 0x0 00223 408 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 72, ... 76, ) == 0x0 00224 408 NtMapViewOfSection (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x8d0000), 0x0, 8323072, ) == 0x0 00225 408 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00226 408 NtQueryDefaultUILanguage (2013024600, ... 00227 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00228 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482020, ) == 0x0 00229 408 NtQueryInformationToken (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00230 408 NtClose (-2147482020, ... ) == 0x0 00231 408 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00232 408 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00233 408 NtOpenKey (0x80000000, {24, -2147482020, 0x640, 0, 0, (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 00234 408 NtQueryValueKey (-2147482032, (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00235 408 NtClose (-2147482032, ... ) == 0x0 00236 408 NtClose (-2147482020, ... ) == 0x0 00226 408 NtQueryDefaultUILanguage ... ) == 0x0 00237 408 NtAllocateVirtualMemory (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0 00238 408 NtQueryInstallUILanguage (2013024602, ... ) == 0x0 00239 408 NtQueryDefaultLocale (1, 1237876, ... ) == 0x0 00240 408 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00241 408 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1238732, 1, 96, 0} (24, {128, 156, new_msg, 0, 1238732, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1H\0\0\0\377\377\377\377\0\0\0\0\20\311\304\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\314\355\22\0\0\0\0\0" ... {128, 156, reply, 0, 396, 408, 1494, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1H\0\0\0\377\377\377\377\0\0\0\0\20\311\304\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\314\355\22\0\0\0\0\0" ) ... 
{128, 156, reply, 0, 396, 408, 1494, 0} (24, {128, 156, new_msg, 0, 1238732, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1H\0\0\0\377\377\377\377\0\0\0\0\20\311\304\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\314\355\22\0\0\0\0\0" ... {128, 156, reply, 0, 396, 408, 1494, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1H\0\0\0\377\377\377\377\0\0\0\0\20\311\304\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\314\355\22\0\0\0\0\0" ) ) == 0x0 00242 408 NtClose (72, ... ) == 0x0 00243 408 NtClose (76, ... ) == 0x0 00244 408 NtUnmapViewOfSection (-1, 0x8d0000, ... ) == 0x0 00245 408 NtUnmapViewOfSection (-1, 0x12edcc, ... ) == STATUS_NOT_MAPPED_VIEW 00246 408 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00247 408 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00248 408 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00249 408 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00250 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1236960, ... ) }, 1236960, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00251 408 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00252 408 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00253 408 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00254 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1237552, ... ) }, 1237552, ... 
) == 0x0 00255 408 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 76, {status=0x0, info=1}, ) }, 3, 33, ... 76, {status=0x0, info=1}, ) == 0x0 00256 408 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00257 408 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 72, {status=0x0, info=1}, ) }, 5, 96, ... 72, {status=0x0, info=1}, ) == 0x0 00258 408 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 72, ... 80, ) == 0x0 00259 408 NtClose (72, ... ) == 0x0 00260 408 NtMapViewOfSection (80, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x8d0000), 0x0, 921600, ) == 0x0 00261 408 NtClose (80, ... ) == 0x0 00262 408 NtUnmapViewOfSection (-1, 0x8d0000, ... ) == 0x0 00263 408 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 80, {status=0x0, info=1}, ) }, 5, 96, ... 80, {status=0x0, info=1}, ) == 0x0 00264 408 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 80, ... 72, ) == 0x0 00265 408 NtQuerySection (72, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00266 408 NtOpenProcessToken (-1, 0x8, ... 84, ) == 0x0 00267 408 NtQueryInformationToken (84, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0 00268 408 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00269 408 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 88, ) }, ... 88, ) == 0x0 00270 408 NtQueryValueKey (88, (88, "TransparentEnabled", Partial, 80, ... 
TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (88, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00271 408 NtClose (88, ... ) == 0x0 00272 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00273 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 88, ) == 0x0 00274 408 NtQueryInformationToken (88, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00275 408 NtClose (88, ... ) == 0x0 00276 408 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00277 408 NtClose (84, ... ) == 0x0 00278 408 NtClose (80, ... ) == 0x0 00279 408 NtMapViewOfSection (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0 00280 408 NtClose (72, ... ) == 0x0 00281 408 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00282 408 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00283 408 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00284 408 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00285 408 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00286 408 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00287 408 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00288 408 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00289 408 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00290 408 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00291 408 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... 
(0x71951000), 4096, 4, ) == 0x0 00292 408 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00293 408 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00294 408 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00295 408 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00296 408 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00297 408 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00298 408 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00299 408 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00300 408 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00301 408 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00302 408 NtAddAtom ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1238736, ... ) , 42, 1238736, ... ) == 0x0 00303 408 NtQueryDefaultUILanguage (1237452, ... 00304 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00305 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482020, ) == 0x0 00306 408 NtQueryInformationToken (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00307 408 NtClose (-2147482020, ... ) == 0x0 00308 408 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00309 408 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00310 408 NtOpenKey (0x80000000, {24, -2147482020, 0x640, 0, 0, (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... 
-2147482032, ) == 0x0 00311 408 NtQueryValueKey (-2147482032, (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00312 408 NtClose (-2147482032, ... ) == 0x0 00313 408 NtClose (-2147482020, ... ) == 0x0 00303 408 NtQueryDefaultUILanguage ... ) == 0x0 00314 408 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00315 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1236304, ... ) }, 1236304, ... ) == 0x0 00316 408 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 72, {status=0x0, info=1}, ) }, 5, 96, ... 72, {status=0x0, info=1}, ) == 0x0 00317 408 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 72, ... 80, ) == 0x0 00318 408 NtClose (72, ... ) == 0x0 00319 408 NtMapViewOfSection (80, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x8d0000), 0x0, 4096, ) == 0x0 00320 408 NtClose (80, ... ) == 0x0 00321 408 NtUnmapViewOfSection (-1, 0x8d0000, ... ) == 0x0 00322 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1235944, ... ) }, 1235944, ... ) == 0x0 00323 408 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1236644, (0x80100080, {24, 0, 0x40, 0, 1236644, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 80, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 80, {status=0x0, info=1}, ) == 0x0 00324 408 NtCreateSection (0xf0005, 0x0, 0x0, 2, 134217728, 80, ... 72, ) == 0x0 00325 408 NtClose (80, ... ) == 0x0 00326 408 NtMapViewOfSection (72, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x8d0000), {0, 0}, 4096, ) == 0x0 00327 408 NtClose (72, ... ) == 0x0 00328 408 NtUnmapViewOfSection (-1, 0x8d0000, ... 
) == 0x0 00329 408 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 72, {status=0x0, info=1}, ) }, 1, 96, ... 72, {status=0x0, info=1}, ) == 0x0 00330 408 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 72, ... 80, ) == 0x0 00331 408 NtMapViewOfSection (80, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x8d0000), 0x0, 4096, ) == 0x0 00332 408 NtQueryInformationFile (72, 1236264, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0 00333 408 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00334 408 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1236344, 1, 96, 0} (24, {128, 156, new_msg, 0, 1236344, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1H\0\0\0P\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0x\344\22\0\0\0\0\0" ... {128, 156, reply, 0, 396, 408, 1495, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1H\0\0\0P\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0x\344\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 396, 408, 1495, 0} (24, {128, 156, new_msg, 0, 1236344, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1H\0\0\0P\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0x\344\22\0\0\0\0\0" ... 
{128, 156, reply, 0, 396, 408, 1495, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1H\0\0\0P\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0x\344\22\0\0\0\0\0" ) ) == 0x0 00335 408 NtClose (72, ... ) == 0x0 00336 408 NtClose (80, ... ) == 0x0 00337 408 NtUnmapViewOfSection (-1, 0x8d0000, ... ) == 0x0 00338 408 NtUnmapViewOfSection (-1, 0x12e478, ... ) == STATUS_NOT_MAPPED_VIEW 00339 408 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00340 408 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 00341 408 NtUserSystemParametersInfo (104, 0, 1906151468, 0, ... ) == 0x1 00342 408 NtUserGetDC (0, ... ) == 0x1010054 00343 408 NtUserCallOneParam (16842836, 56, ... ) == 0x1 00344 408 NtUserSystemParametersInfo (38, 4, 1906153440, 0, ... ) == 0x1 00345 408 NtUserSystemParametersInfo (66, 12, 1238756, 0, ... ) == 0x1 00346 408 NtOpenProcessToken (-1, 0x8, ... 80, ) == 0x0 00347 408 NtAccessCheck (1396656, 80, 0x1, 1238160, 1238104, 56, 1238188, ... ) == STATUS_NO_IMPERSONATION_TOKEN 00348 408 NtClose (80, ... ) == 0x0 00349 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00350 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 80, ) == 0x0 00351 408 NtQueryInformationToken (80, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00352 408 NtClose (80, ... ) == 0x0 00353 408 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 80, ) }, ... 80, ) == 0x0 00354 408 NtSetInformationObject (80, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0 00355 408 NtOpenKey (0x20019, {24, 80, 0x40, 0, 0, (0x20019, {24, 80, 0x40, 0, 0, "Control Panel\Desktop"}, ... 72, ) }, ... 72, ) == 0x0 00356 408 NtQueryValueKey (72, (72, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00357 408 NtClose (72, ... ) == 0x0 00358 408 NtUserSystemParametersInfo (41, 500, 1238256, 0, ... ) == 0x1 00359 408 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 72, ) }, ... 72, ) == 0x0 00360 408 NtQueryValueKey (72, (72, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00361 408 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 84, ) }, ... 84, ) == 0x0 00362 408 NtQueryValueKey (84, (84, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00363 408 NtClose (84, ... ) == 0x0 00364 408 NtClose (72, ... ) == 0x0 00365 408 NtUserSystemParametersInfo (102, 0, 1906153328, 0, ... ) == 0x1 00366 408 NtUserSystemParametersInfo (4130, 0, 1238780, 0, ... ) == 0x1 00367 408 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 72, ) }, ... 72, ) == 0x0 00368 408 NtEnumerateValueKey (72, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 00369 408 NtClose (72, ... ) == 0x0 00370 408 NtUserFindExistingCursorIcon (1238064, 1238080, 1238648, ... ) == 0x10011 00371 408 NtUserRegisterClassExWOW (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc03b 00372 408 NtUserRegisterClassExWOW (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc03d 00373 408 NtUserFindExistingCursorIcon (1238060, 1238076, 1238644, ... ) == 0x10011 00374 408 NtUserRegisterClassExWOW (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810dc03f 00375 408 NtUserFindExistingCursorIcon (1238064, 1238080, 1238648, ... ) == 0x10011 00376 408 NtUserRegisterClassExWOW (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc041 00377 408 NtUserFindExistingCursorIcon (1238064, 1238080, 1238648, ... 
) == 0x10011 00378 408 NtUserRegisterClassExWOW (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc043 00379 408 NtUserRegisterClassExWOW (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc045 00380 408 NtUserFindExistingCursorIcon (1238064, 1238080, 1238648, ... ) == 0x10011 00381 408 NtUserRegisterClassExWOW (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc047 00382 408 NtUserFindExistingCursorIcon (1238060, 1238076, 1238644, ... ) == 0x10011 00383 408 NtUserRegisterClassExWOW (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810dc049 00384 408 NtUserGetClassInfo (1905590272, 1238676, 1238628, 1238704, 0, ... ) == 0xc049 00385 408 NtUserFindExistingCursorIcon (1238064, 1238080, 1238648, ... ) == 0x10011 00386 408 NtUserRegisterClassExWOW (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc04b 00387 408 NtUserFindExistingCursorIcon (1238064, 1238080, 1238648, ... ) == 0x10011 00388 408 NtUserRegisterClassExWOW (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc04d 00389 408 NtUserFindExistingCursorIcon (1238064, 1238080, 1238648, ... ) == 0x10011 00390 408 NtUserRegisterClassExWOW (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc04f 00391 408 NtUserRegisterClassExWOW (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc051 00392 408 NtUserFindExistingCursorIcon (1238064, 1238080, 1238648, ... ) == 0x10011 00393 408 NtUserRegisterClassExWOW (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc053 00394 408 NtUserFindExistingCursorIcon (1238060, 1238076, 1238644, ... ) == 0x10011 00395 408 NtUserRegisterClassExWOW (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810dc055 00396 408 NtUserRegisterClassExWOW (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810dc057 00397 408 NtUserFindExistingCursorIcon (1238064, 1238080, 1238648, ... ) == 0x10011 00398 408 NtUserRegisterClassExWOW (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... 
) == 0x810dc059 00399 408 NtUserFindExistingCursorIcon (1238064, 1238080, 1238648, ... ) == 0x10013 00400 408 NtUserRegisterClassExWOW (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc05b 00401 408 NtUserFindExistingCursorIcon (1238064, 1238080, 1238648, ... ) == 0x10011 00402 408 NtUserRegisterClassExWOW (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc05d 00403 408 NtUserFindExistingCursorIcon (1238064, 1238080, 1238648, ... ) == 0x10011 00404 408 NtUserRegisterClassExWOW (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc05f 00405 408 NtUserFindExistingCursorIcon (1238060, 1238076, 1238644, ... ) == 0x10011 00406 408 NtUserRegisterClassExWOW (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810dc017 00407 408 NtUserFindExistingCursorIcon (1238060, 1238076, 1238644, ... ) == 0x10011 00408 408 NtUserRegisterClassExWOW (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810dc019 00409 408 NtUserFindExistingCursorIcon (1238060, 1238076, 1238644, ... ) == 0x10013 00410 408 NtUserRegisterClassExWOW (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810dc018 00411 408 NtUserFindExistingCursorIcon (1238064, 1238080, 1238648, ... ) == 0x10011 00412 408 NtUserRegisterClassExWOW (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc01a 00413 408 NtUserFindExistingCursorIcon (1238060, 1238076, 1238644, ... ) == 0x10011 00414 408 NtUserRegisterClassExWOW (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810dc01c 00415 408 NtUserFindExistingCursorIcon (1238064, 1238080, 1238648, ... ) == 0x10011 00416 408 NtUserRegisterClassExWOW (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... 00417 408 NtAllocateVirtualMemory (-1, 5996544, 0, 4096, 4096, 32, ... 5996544, 4096, ) == 0x0 00416 408 NtUserRegisterClassExWOW ... ) == 0x810dc01e 00418 408 NtUserFindExistingCursorIcon (1238060, 1238076, 1238644, ... 
) == 0x10011 00419 408 NtUserRegisterClassExWOW (1238572, 1238652, 1238636, 1238668, 0, 384, 0, ... ) == 0x810dc01b 00420 408 NtUserFindExistingCursorIcon (1238056, 1238072, 1238640, ... ) == 0x10011 00421 408 NtUserRegisterClassExWOW (1238568, 1238648, 1238632, 1238664, 0, 384, 0, ... ) == 0x810dc068 00422 408 NtUserFindExistingCursorIcon (1238064, 1238080, 1238648, ... ) == 0x10011 00423 408 NtUserRegisterClassExWOW (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810dc06a 00424 408 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "comctl32.dll"}, ... 72, ) }, ... 72, ) == 0x0 00425 408 NtMapViewOfSection (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0 00426 408 NtClose (72, ... ) == 0x0 00427 408 NtOpenProcess (0x400, {24, 0, 0x0, 0, 0, 0x0}, {396, 0}, ... 72, ) == 0x0 00428 408 NtQueryInformationProcess (72, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0 00429 408 NtClose (72, ... ) == 0x0 00430 408 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 00431 408 NtUserSystemParametersInfo (104, 0, 2000318720, 0, ... ) == 0x1 00432 408 NtUserSystemParametersInfo (38, 4, 2000318708, 0, ... ) == 0x1 00433 408 NtOpenKey (0x20019, {24, 80, 0x40, 0, 0, (0x20019, {24, 80, 0x40, 0, 0, "Control Panel\Desktop"}, ... 72, ) }, ... 72, ) == 0x0 00434 408 NtQueryValueKey (72, (72, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00435 408 NtClose (72, ... ) == 0x0 00436 408 NtUserSystemParametersInfo (41, 500, 1239416, 0, ... ) == 0x1 00437 408 NtUserSystemParametersInfo (102, 0, 2000318732, 0, ... ) == 0x1 00438 408 NtUserGetClassInfo (1999896576, 1239824, 1239776, 1239852, 0, ... ) == 0x0 00439 408 NtUserFindExistingCursorIcon (1239208, 1239224, 1239792, ... ) == 0x10011 00440 408 NtUserRegisterClassExWOW (1239660, 1239740, 1239724, 1239756, 0, 384, 0, ... ) == 0x810dc03b 00441 408 NtUserGetClassInfo (1999896576, 1239824, 1239776, 1239852, 0, ... 
) == 0x0 00442 408 NtUserRegisterClassExWOW (1239660, 1239740, 1239724, 1239756, 0, 384, 0, ... ) == 0x810dc03d 00443 408 NtUserGetClassInfo (1999896576, 1239824, 1239776, 1239852, 0, ... ) == 0x0 00444 408 NtUserFindExistingCursorIcon (1239208, 1239224, 1239792, ... ) == 0x10011 00445 408 NtUserRegisterClassExWOW (1239660, 1239740, 1239724, 1239756, 0, 384, 0, ... ) == 0x810dc03f 00446 408 NtUserGetClassInfo (1999896576, 1239824, 1239776, 1239852, 0, ... ) == 0x0 00447 408 NtUserFindExistingCursorIcon (1239208, 1239224, 1239792, ... ) == 0x10011 00448 408 NtUserRegisterClassExWOW (1239660, 1239740, 1239724, 1239756, 0, 384, 0, ... ) == 0x810dc041 00449 408 NtUserGetClassInfo (1999896576, 1239824, 1239776, 1239852, 0, ... ) == 0x0 00450 408 NtUserFindExistingCursorIcon (1239208, 1239224, 1239792, ... ) == 0x10011 00451 408 NtUserRegisterClassExWOW (1239660, 1239740, 1239724, 1239756, 0, 384, 0, ... ) == 0x810dc043 00452 408 NtUserGetClassInfo (1999896576, 1239824, 1239776, 1239852, 0, ... ) == 0x0 00453 408 NtUserRegisterClassExWOW (1239660, 1239740, 1239724, 1239756, 0, 384, 0, ... ) == 0x810dc045 00454 408 NtUserGetClassInfo (1999896576, 1239824, 1239776, 1239852, 0, ... ) == 0x0 00455 408 NtUserFindExistingCursorIcon (1239208, 1239224, 1239792, ... ) == 0x10011 00456 408 NtUserRegisterClassExWOW (1239660, 1239740, 1239724, 1239756, 0, 384, 0, ... ) == 0x810dc047 00457 408 NtUserGetClassInfo (1999896576, 1239824, 1239776, 1239852, 0, ... ) == 0x0 00458 408 NtUserFindExistingCursorIcon (1239204, 1239220, 1239788, ... ) == 0x10011 00459 408 NtUserRegisterClassExWOW (1239656, 1239736, 1239720, 1239752, 0, 384, 0, ... ) == 0x810dc049 00460 408 NtUserGetClassInfo (1999896576, 1239824, 1239776, 1239852, 0, ... ) == 0x0 00461 408 NtUserFindExistingCursorIcon (1239208, 1239224, 1239792, ... ) == 0x10011 00462 408 NtUserRegisterClassExWOW (1239660, 1239740, 1239724, 1239756, 0, 384, 0, ... 
) == 0x810dc04b 00463 408 NtUserGetClassInfo (1999896576, 1239824, 1239776, 1239852, 0, ... ) == 0x0 00464 408 NtUserFindExistingCursorIcon (1239208, 1239224, 1239792, ... ) == 0x10011 00465 408 NtUserRegisterClassExWOW (1239660, 1239740, 1239724, 1239756, 0, 384, 0, ... ) == 0x810dc04d 00466 408 NtUserGetClassInfo (1999896576, 1239824, 1239776, 1239852, 0, ... ) == 0x0 00467 408 NtUserFindExistingCursorIcon (1239208, 1239224, 1239792, ... ) == 0x10011 00468 408 NtUserRegisterClassExWOW (1239660, 1239740, 1239724, 1239756, 0, 384, 0, ... ) == 0x810dc04f 00469 408 NtUserGetClassInfo (1999896576, 1239828, 1239780, 1239856, 0, ... ) == 0x0 00470 408 NtUserRegisterClassExWOW (1239664, 1239744, 1239728, 1239760, 0, 384, 0, ... ) == 0x810dc051 00471 408 NtUserGetClassInfo (1999896576, 1239824, 1239776, 1239852, 0, ... ) == 0x0 00472 408 NtUserFindExistingCursorIcon (1239208, 1239224, 1239792, ... ) == 0x10011 00473 408 NtUserRegisterClassExWOW (1239660, 1239740, 1239724, 1239756, 0, 384, 0, ... ) == 0x810dc053 00474 408 NtUserGetClassInfo (1999896576, 1239824, 1239776, 1239852, 0, ... ) == 0x0 00475 408 NtUserFindExistingCursorIcon (1239208, 1239224, 1239792, ... ) == 0x10011 00476 408 NtUserRegisterClassExWOW (1239660, 1239740, 1239724, 1239756, 0, 384, 0, ... ) == 0x810dc055 00477 408 NtUserRegisterClassExWOW (1239660, 1239740, 1239724, 1239756, 0, 384, 0, ... ) == 0x810dc057 00478 408 NtUserGetClassInfo (1999896576, 1239824, 1239776, 1239852, 0, ... ) == 0x0 00479 408 NtUserFindExistingCursorIcon (1239208, 1239224, 1239792, ... ) == 0x10011 00480 408 NtUserRegisterClassExWOW (1239660, 1239740, 1239724, 1239756, 0, 384, 0, ... ) == 0x810dc059 00481 408 NtUserGetClassInfo (1999896576, 1239824, 1239776, 1239852, 0, ... ) == 0x0 00482 408 NtUserFindExistingCursorIcon (1239208, 1239224, 1239792, ... ) == 0x10013 00483 408 NtUserRegisterClassExWOW (1239660, 1239740, 1239724, 1239756, 0, 384, 0, ... 
) == 0x810dc05b 00484 408 NtUserGetClassInfo (1999896576, 1239824, 1239776, 1239852, 0, ... ) == 0x0 00485 408 NtUserFindExistingCursorIcon (1239208, 1239224, 1239792, ... ) == 0x10011 00486 408 NtUserRegisterClassExWOW (1239660, 1239740, 1239724, 1239756, 0, 384, 0, ... ) == 0x810dc05d 00487 408 NtUserGetClassInfo (1999896576, 1239824, 1239776, 1239852, 0, ... ) == 0x0 00488 408 NtUserFindExistingCursorIcon (1239208, 1239224, 1239792, ... ) == 0x10011 00489 408 NtUserRegisterClassExWOW (1239660, 1239740, 1239724, 1239756, 0, 384, 0, ... ) == 0x810dc05f 00490 408 NtUserGetClassInfo (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc03b 00491 408 NtUserGetClassInfo (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc03d 00492 408 NtUserGetClassInfo (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc03f 00493 408 NtUserGetClassInfo (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc041 00494 408 NtUserGetClassInfo (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc043 00495 408 NtUserGetClassInfo (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc045 00496 408 NtUserGetClassInfo (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc047 00497 408 NtUserGetClassInfo (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc049 00498 408 NtUserGetClassInfo (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc04b 00499 408 NtUserGetClassInfo (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc04d 00500 408 NtUserGetClassInfo (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc04f 00501 408 NtUserGetClassInfo (1999896576, 1241580, 1241532, 1241608, 0, ... ) == 0xc051 00502 408 NtUserGetClassInfo (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc053 00503 408 NtUserGetClassInfo (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc055 00504 408 NtUserGetClassInfo (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc059 00505 408 NtUserGetClassInfo (1999896576, 1241576, 1241528, 1241604, 0, ... 
) == 0xc05b 00506 408 NtUserGetClassInfo (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc05d 00507 408 NtUserGetClassInfo (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc05f 00508 408 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WININET.dll"}, ... 72, ) }, ... 72, ) == 0x0 00509 408 NtMapViewOfSection (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76200000), 0x0, 618496, ) == 0x0 00510 408 NtClose (72, ... ) == 0x0 00511 408 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "CRYPT32.dll"}, ... 72, ) }, ... 72, ) == 0x0 00512 408 NtMapViewOfSection (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762c0000), 0x0, 565248, ) == 0x0 00513 408 NtClose (72, ... ) == 0x0 00514 408 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "MSASN1.dll"}, ... 72, ) }, ... 72, ) == 0x0 00515 408 NtMapViewOfSection (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762a0000), 0x0, 61440, ) == 0x0 00516 408 NtClose (72, ... ) == 0x0 00517 408 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "OLEAUT32.dll"}, ... 72, ) }, ... 72, ) == 0x0 00518 408 NtMapViewOfSection (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0 00519 408 NtClose (72, ... ) == 0x0 00520 408 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "OLE32.DLL"}, ... 72, ) }, ... 72, ) == 0x0 00521 408 NtMapViewOfSection (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0 00522 408 NtClose (72, ... ) == 0x0 00523 408 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\crypt32\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00524 408 NtAllocateVirtualMemory (-1, 1396736, 0, 4096, 4096, 4, ... 1396736, 4096, ) == 0x0 00525 408 NtAllocateVirtualMemory (-1, 1400832, 0, 4096, 4096, 4, ... 1400832, 4096, ) == 0x0 00526 408 NtAllocateVirtualMemory (-1, 1404928, 0, 4096, 4096, 4, ... 
1404928, 4096, ) == 0x0 00527 408 NtAllocateVirtualMemory (-1, 1409024, 0, 4096, 4096, 4, ... 1409024, 4096, ) == 0x0 00528 408 NtOpenDirectoryObject (0x2000f, {24, 0, 0x40, 0, 0, (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 72, ) }, ... 72, ) == 0x0 00529 408 NtCreateEvent (0x1f0003, {24, 72, 0x80, 1241616, 0, (0x1f0003, {24, 72, 0x80, 1241616, 0, "Global\crypt32LogoffEvent"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED 00530 408 NtOpenEvent (0x100000, {24, 72, 0x0, 0, 0, (0x100000, {24, 72, 0x0, 0, 0, "Global\crypt32LogoffEvent"}, ... 84, ) }, ... 84, ) == 0x0 00531 408 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00532 408 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00533 408 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 88, ) }, ... 88, ) == 0x0 00534 408 NtQueryValueKey (88, (88, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0 00535 408 NtClose (88, ... ) == 0x0 00536 408 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00537 408 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00538 408 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00539 408 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00540 408 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 88, ) }, ... 88, ) == 0x0 00541 408 NtQueryValueKey (88, (88, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00542 408 NtQueryValueKey (88, (88, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00543 408 NtQueryValueKey (88, (88, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00544 408 NtClose (88, ... ) == 0x0 00545 408 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 88, ) }, ... 88, ) == 0x0 00546 408 NtQueryValueKey (88, (88, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00547 408 NtQueryValueKey (88, (88, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00548 408 NtClose (88, ... ) == 0x0 00549 408 NtOpenEvent (0x1f0003, {24, 72, 0x0, 0, 0, (0x1f0003, {24, 72, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00550 408 NtUserRegisterWindowMessage ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b 00551 408 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00552 408 NtAllocateVirtualMemory (-1, 1413120, 0, 4096, 4096, 4, ... 
1413120, 4096, ) == 0x0 00553 408 NtOpenKey (0x9, {24, 28, 0x40, 0, 0, (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00554 408 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00555 408 NtAllocateVirtualMemory (-1, 1417216, 0, 8192, 4096, 4, ... 1417216, 8192, ) == 0x0 00556 408 NtCreateKey (0xf003f, {24, 80, 0x40, 0, 0, (0xf003f, {24, 80, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History"}, 0, 0x0, 0, ... 88, 2, ) }, 0, 0x0, 0, ... 88, 2, ) == 0x0 00557 408 NtQueryDefaultUILanguage (1239852, ... 00558 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00559 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482020, ) == 0x0 00560 408 NtQueryInformationToken (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00561 408 NtClose (-2147482020, ... ) == 0x0 00562 408 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00563 408 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00564 408 NtOpenKey (0x80000000, {24, -2147482020, 0x640, 0, 0, (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 00565 408 NtQueryValueKey (-2147482032, (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00566 408 NtClose (-2147482032, ... ) == 0x0 00567 408 NtClose (-2147482020, ... ) == 0x0 00557 408 NtQueryDefaultUILanguage ... 
) == 0x0 00568 408 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00569 408 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll"}, 1, 96, ... 92, {status=0x0, info=1}, ) }, 1, 96, ... 92, {status=0x0, info=1}, ) == 0x0 00570 408 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 92, ... 96, ) == 0x0 00571 408 NtMapViewOfSection (96, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x8f0000), 0x0, 593920, ) == 0x0 00572 408 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00573 408 NtQueryDefaultLocale (1, 1237888, ... ) == 0x0 00574 408 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00575 408 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1238744, 1, 96, 0} (24, {128, 156, new_msg, 0, 1238744, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\\0\0\0\377\377\377\377\0\0\0\0P\275\226\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\330\355\22\0\0\0\0\0" ... {128, 156, reply, 0, 396, 408, 1496, 0} " S\26\0\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\\0\0\0\377\377\377\377\0\0\0\0P\275\226\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\330\355\22\0\0\0\0\0" ) ... 
{128, 156, reply, 0, 396, 408, 1496, 0} (24, {128, 156, new_msg, 0, 1238744, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\\0\0\0\377\377\377\377\0\0\0\0P\275\226\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\330\355\22\0\0\0\0\0" ... {128, 156, reply, 0, 396, 408, 1496, 0} " S\26\0\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\\0\0\0\377\377\377\377\0\0\0\0P\275\226\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\330\355\22\0\0\0\0\0" ) ) == 0x0 00576 408 NtClose (92, ... ) == 0x0 00577 408 NtClose (96, ... ) == 0x0 00578 408 NtUnmapViewOfSection (-1, 0x8f0000, ... ) == 0x0 00579 408 NtUnmapViewOfSection (-1, 0x12edd8, ... ) == STATUS_NOT_MAPPED_VIEW 00580 408 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00581 408 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00582 408 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00583 408 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00584 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1236428, ... ) }, 1236428, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00585 408 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00586 408 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00587 408 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00588 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1237020, ... ) }, 1237020, ... 
) == 0x0 00589 408 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 96, {status=0x0, info=1}, ) }, 3, 33, ... 96, {status=0x0, info=1}, ) == 0x0 00590 408 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00591 408 NtCreateKey (0x2001f, {24, 80, 0x40, 0, 0, (0x2001f, {24, 80, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 92, 2, ) }, 0, 0x0, 0, ... 92, 2, ) == 0x0 00592 408 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00593 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1241484, ... ) }, 1241484, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00594 408 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WS2_32.dll"}, 1241484, ... ) }, 1241484, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00595 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 1241484, ... ) }, 1241484, ... ) == 0x0 00596 408 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 5, 96, ... 100, {status=0x0, info=1}, ) }, 5, 96, ... 100, {status=0x0, info=1}, ) == 0x0 00597 408 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 100, ... 104, ) == 0x0 00598 408 NtQuerySection (104, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00599 408 NtClose (100, ... ) == 0x0 00600 408 NtMapViewOfSection (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 86016, ) == 0x0 00601 408 NtClose (104, ... ) == 0x0 00602 408 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00603 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1240680, ... ) }, 1240680, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00604 408 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WS2HELP.dll"}, 1240680, ... ) }, 1240680, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00605 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 1240680, ... ) }, 1240680, ... ) == 0x0 00606 408 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0 00607 408 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 104, ... 100, ) == 0x0 00608 408 NtQuerySection (100, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00609 408 NtClose (104, ... ) == 0x0 00610 408 NtMapViewOfSection (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0 00611 408 NtClose (100, ... ) == 0x0 00612 408 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00613 408 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00614 408 NtTestAlert (... ) == 0x0 00615 408 NtContinue (1244464, 1, ... 00616 408 NtSetInformationThread (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x4760c9,}, 4, ... ) == 0x0 00617 408 NtQueryPerformanceCounter (... {97549488, 0}, {3579545, 0}, ) == 0x0 00618 408 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00619 408 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9371648, 65536, ) == 0x0 00620 408 NtAllocateVirtualMemory (-1, 9371648, 0, 4096, 4096, 4, ... 9371648, 4096, ) == 0x0 00621 408 NtAllocateVirtualMemory (-1, 9375744, 0, 8192, 4096, 4, ... 9375744, 8192, ) == 0x0 00622 408 NtAllocateVirtualMemory (-1, 9383936, 0, 4096, 4096, 4, ... 9383936, 4096, ) == 0x0 00623 408 NtAllocateVirtualMemory (-1, 9388032, 0, 4096, 4096, 4, ... 9388032, 4096, ) == 0x0 00624 408 NtAllocateVirtualMemory (-1, 0, 0, 6, 12288, 64, ... 9437184, 4096, ) == 0x0 00625 408 NtProtectVirtualMemory (-1, (0x900000), 6, 64, ... 00626 408 NtContinue (-136380628, 0, ... 00625 408 NtProtectVirtualMemory ... ) == STATUS_ACCESS_VIOLATION 00627 408 NtFreeVirtualMemory (-1, (0x900000), 0, 32768, ... (0x900000), 4096, ) == 0x0 00628 408 NtCreateKey (0xf003f, {24, 28, 0x40, 0, 0, (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, 0, 0x0, 0, ... 100, 2, ) }, 0, 0x0, 0, ... 100, 2, ) == 0x0 00629 408 NtDeleteValueKey (100, (100, "Skype Startup", ... ) , ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00630 408 NtClose (100, ... ) == 0x0 00631 408 NtCreateFile (0x40100080, {24, 0, 0x42, 0, 1241352, (0x40100080, {24, 0, 0x42, 0, 1241352, "\??\C:\WINDOWS\System32\tmp-490-wlr.bat"}, 0x0, 128, 3, 5, 96, 0, 0, ... }, 0x0, 128, 3, 5, 96, 0, 0, ... 00632 408 NtClose (-2147482020, ... ) == 0x0 00631 408 NtCreateFile ... 100, {status=0x0, info=2}, ) == 0x0 00633 408 NtQueryVolumeInformationFile (100, 1241456, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00634 408 NtAllocateVirtualMemory (-1, 9392128, 0, 8192, 4096, 4, ... 
9392128, 8192, ) == 0x0 00635 408 NtWriteFile (100, 0, 0, 0, (100, 0, 0, 0, "@echo off\15\15\12:1\15\15\12del "u:\work\packed.exe"\15\15\12if exist "u:\work\packed.exe" goto 1\15\15\12del "%0"\15\15\12", 94, 0x0, 0, ... {status=0x0, info=94}, ) u:\work\packed.exe (100, 0, 0, 0, "@echo off\15\15\12:1\15\15\12del "u:\work\packed.exe"\15\15\12if exist "u:\work\packed.exe" goto 1\15\15\12del "%0"\15\15\12", 94, 0x0, 0, ... {status=0x0, info=94}, ) u:\work\packed.exe (100, 0, 0, 0, "@echo off\15\15\12:1\15\15\12del "u:\work\packed.exe"\15\15\12if exist "u:\work\packed.exe" goto 1\15\15\12del "%0"\15\15\12", 94, 0x0, 0, ... {status=0x0, info=94}, ) %0 (100, 0, 0, 0, "@echo off\15\15\12:1\15\15\12del "u:\work\packed.exe"\15\15\12if exist "u:\work\packed.exe" goto 1\15\15\12del "%0"\15\15\12", 94, 0x0, 0, ... {status=0x0, info=94}, ) , 94, 0x0, 0, ... {status=0x0, info=94}, ) == 0x0 00636 408 NtClose (100, ... ) == 0x0 00637 408 NtOpenKey (0x9, {24, 28, 0x40, 0, 0, (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00638 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1235052, ... ) }, 1235052, ... ) == 0x0 00639 408 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 100, {status=0x0, info=1}, ) }, 5, 96, ... 100, {status=0x0, info=1}, ) == 0x0 00640 408 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 100, ... 104, ) == 0x0 00641 408 NtClose (100, ... ) == 0x0 00642 408 NtMapViewOfSection (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x900000), 0x0, 262144, ) == 0x0 00643 408 NtClose (104, ... ) == 0x0 00644 408 NtUnmapViewOfSection (-1, 0x900000, ... ) == 0x0 00645 408 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00646 408 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00647 408 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00648 408 NtAllocateVirtualMemory (-1, 1425408, 0, 4096, 4096, 4, ... 1425408, 4096, ) == 0x0 00649 408 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... 104, {status=0x0, info=0}, ) }, 7, 16, ... 104, {status=0x0, info=0}, ) == 0x0 00650 408 NtDeviceIoControlFile (104, 0, 0x0, 0x0, 0x390008, (104, 0, 0x0, 0x0, 0x390008, "\325\312\244\236\261mF\341\372\254X\3042\0\372Q\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 00651 408 NtQuerySystemInformation (TimeOfDay, 48, ... 
{system info, class 3, size 48}, 48, ) == 0x0 00652 408 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 00653 408 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 00654 408 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 00655 408 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 00656 408 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 00657 408 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 00658 408 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482020, 2, ) }, 0, 0x0, 0, ... -2147482020, 2, ) == 0x0 00659 408 NtSetValueKey (-2147482020, (-2147482020, "Seed", 0, 3, "\343,b\216\256;\265\311\264\220\32n\321xda\233sS\375"\26V\204GQ\330\337\327\324%\177\332^\276\342\223\211\267\346\371\377\260kU'\310\36\376LP4\262aZ?A=Cu6\342g\213\263m>\264\313\304YZ\207/\343\363\224cS\331", 80, ... ) , 0, 3, (-2147482020, "Seed", 0, 3, "\343,b\216\256;\265\311\264\220\32n\321xda\233sS\375"\26V\204GQ\330\337\327\324%\177\332^\276\342\223\211\267\346\371\377\260kU'\310\36\376LP4\262aZ?A=Cu6\342g\213\263m>\264\313\304YZ\207/\343\363\224cS\331", 80, ... ) \26V\204GQ\330\337\327\324%\177\332^\276\342\223\211\267\346\371\377\260kU'\310\36\376LP4\262aZ?A=Cu6\342g\213\263m>\264\313\304YZ\207/\343\363\224cS\331", 80, ... ) == 0x0 00660 408 NtClose (-2147482020, ... ) == 0x0 00650 408 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "\2\30\361\311\255\210\355H\200\\226\270\321\2478\13@\354\257\246\25\139\207%\263T\301\13\367y\274\341\336r\256\266/\241\276\20\257\365Y1'\266\306i0\26VN> \22"\242\2\324\372@\257\343\245]\14\266\7u\344^\0Ld\336\212\353\260\366Y\252\374X\352\377\202\250\20\320\252\0E\31T*\244\210\12\360\354\365\241\203\316\2375\377\330:\203J\275\375\240Tr\235\330\13s\256\357\26\230\240\31zy~5\367\215\270\357\330\373\333\315\215\30\225\324\352a\4h\221\272SM\22\335\360L\253\344\362\2"\323\310\367l{\221_\360\242=+#\252\10\3246\36\235w.|\314\207\201a8\26\34"O\243U\265\205\346\211\211\11x-\317\15\337\21\0)@\2566L\347\261\34]4b\246\246\222\336\13\271`R\22\321\264!\215\253N\303\20qx242\2\324\372@\257\343\245]\14\266\7u\344^\0Ld\336\212\353\260\366Y\252\374X\352\377\202\250\20\320\252\0E\31T*\244\210\12\360\354\365\241\203\316\2375\377\330:\203J\275\375\240Tr\235\330\13s\256\357\26\230\240\31zy~5\367\215\270\357\330\373\333\315\215\30\225\324\352a\4h\221\272SM\22\335\360L\253\344\362\2 ... {status=0x0, info=256}, "\2\30\361\311\255\210\355H\200\\226\270\321\2478\13@\354\257\246\25\139\207%\263T\301\13\367y\274\341\336r\256\266/\241\276\20\257\365Y1'\266\306i0\26VN> \22"\242\2\324\372@\257\343\245]\14\266\7u\344^\0Ld\336\212\353\260\366Y\252\374X\352\377\202\250\20\320\252\0E\31T*\244\210\12\360\354\365\241\203\316\2375\377\330:\203J\275\375\240Tr\235\330\13s\256\357\26\230\240\31zy~5\367\215\270\357\330\373\333\315\215\30\225\324\352a\4h\221\272SM\22\335\360L\253\344\362\2"\323\310\367l{\221_\360\242=+#\252\10\3246\36\235w.|\314\207\201a8\26\34"O\243U\265\205\346\211\211\11x-\317\15\337\21\0)@\2566L\347\261\34]4b\246\246\222\336\13\271`R\22\321\264!\215\253N\303\20qx265\205\346\211\211\11x-\317\15\337\21\0)@\2566L\347\261\34]4b\246\246\222\336\13\271`R\22\321\264!\215\253N\303\20qx314\262\13\201\233.\20|E\35^\210;\375\2\227\257\327", ) == 0x0 00661 408 NtAllocateVirtualMemory (-1, 1429504, 0, 16384, 4096, 4, ... 
1429504, 16384, ) == 0x0 00662 408 NtUserRegisterClassExWOW (1237136, 1237216, 1237200, 1237232, 0, 384, 0, ... ) == 0x810dc038 00663 408 NtUserGetAtomName (49208, 1235900, ... ) == 0x15 00664 408 NtUserCreateWindowEx (0, 49208, 49208, (0, 49208, 49208, "OleMainThreadWndName", -2013265920, -2147483648, -2147483648, -2147483648, -2147483648, -3, 0, 1998258176, 0, 1073742848, 0, ... , -2013265920, -2147483648, -2147483648, -2147483648, -2147483648, -3, 0, 1998258176, 0, 1073742848, 0, ... 00665 408 NtAllocateVirtualMemory (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0 00666 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1233424, ... ) }, 1233424, ... ) == 0x0 00667 408 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 100, {status=0x0, info=1}, ) }, 5, 96, ... 100, {status=0x0, info=1}, ) == 0x0 00668 408 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 100, ... 108, ) == 0x0 00669 408 NtClose (100, ... ) == 0x0 00670 408 NtMapViewOfSection (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x900000), 0x0, 204800, ) == 0x0 00671 408 NtClose (108, ... ) == 0x0 00672 408 NtUnmapViewOfSection (-1, 0x900000, ... ) == 0x0 00673 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1233740, ... ) }, 1233740, ... ) == 0x0 00674 408 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 108, {status=0x0, info=1}, ) }, 5, 96, ... 108, {status=0x0, info=1}, ) == 0x0 00675 408 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 108, ... 100, ) == 0x0 00676 408 NtQuerySection (100, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00677 408 NtClose (108, ... ) == 0x0 00678 408 NtMapViewOfSection (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5ad70000), 0x0, 212992, ) == 0x0 00679 408 NtClose (100, ... 
) == 0x0 00680 408 NtUserGetWindowDC (0, ... ) == 0x1010052 00681 408 NtUserCallOneParam (16842834, 56, ... ) == 0x1 00682 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00683 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 100, ) == 0x0 00684 408 NtQueryInformationToken (100, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00685 408 NtClose (100, ... ) == 0x0 00686 408 NtOpenKey (0x2001f, {24, 0, 0x640, 0, 0, (0x2001f, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 100, ) }, ... 100, ) == 0x0 00687 408 NtOpenKey (0x1, {24, 100, 0x40, 0, 0, (0x1, {24, 100, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\ThemeManager"}, ... 108, ) }, ... 108, ) == 0x0 00688 408 NtQueryValueKey (108, (108, "Compositing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00689 408 NtClose (108, ... ) == 0x0 00690 408 NtClose (100, ... ) == 0x0 00691 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00692 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 100, ) == 0x0 00693 408 NtQueryInformationToken (100, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00694 408 NtClose (100, ... ) == 0x0 00695 408 NtOpenKey (0x20019, {24, 0, 0x640, 0, 0, (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 100, ) }, ... 100, ) == 0x0 00696 408 NtOpenKey (0x1, {24, 100, 0x40, 0, 0, (0x1, {24, 100, 0x40, 0, 0, "Control Panel\Desktop"}, ... 108, ) }, ... 108, ) == 0x0 00697 408 NtQueryValueKey (108, (108, "LameButtonText", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00698 408 NtClose (108, ... ) == 0x0 00699 408 NtClose (100, ... ) == 0x0 00700 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\UxTheme.dll"}, 1233240, ... ) }, 1233240, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00701 408 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "UxTheme.dll"}, 1233240, ... ) }, 1233240, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00702 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\UxTheme.dll"}, 1233240, ... ) }, 1233240, ... ) == 0x0 00703 408 NtUserGetProcessWindowStation (... ) == 0x28 00704 408 NtUserGetObjectInformation (40, 2, 0, 0, 1235536, ... ) == 0x0 00705 408 NtUserGetObjectInformation (40, 2, 1420760, 16, 1235536, ... ) == 0x1 00706 408 NtUserGetGUIThreadInfo (408, 1235492, ... ) == 0x1 00707 408 NtConnectPort ( ("\ThemeApiPort", {12, 2, 1, 1}, 0x0, 0x0, 1235312, 64, ... 100, 0x0, 0x0, 0x0, 64, ) , {12, 2, 1, 1}, 0x0, 0x0, 1235312, 64, ... 100, 0x0, 0x0, 0x0, 64, ) == 0x0 00708 408 NtRequestWaitReplyPort (100, {32, 56, new_msg, 0, 0, 0, 0, 0} (100, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 396, 408, 1498, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {32, 56, reply, 0, 396, 408, 1498, 0} (100, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 396, 408, 1498, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 00709 408 NtRequestWaitReplyPort (100, {32, 56, new_msg, 0, 0, 0, 0, 0} (100, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 396, 408, 1499, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {32, 56, reply, 0, 396, 408, 1499, 0} (100, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 396, 408, 1499, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 00710 408 NtUserCallNoParam (29, ... 
00711 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1232784, ... ) }, 1232784, ... ) == 0x0 00710 408 NtUserCallNoParam ... ) == 0x0 00712 408 NtUserSystemParametersInfo (41, 0, 1524225160, 0, ... ) == 0x1 00713 408 NtGdiHfontCreate (1234864, 356, 0, 0, 1412928, ... ) == 0x130a032d 00714 408 NtGdiHfontCreate (1234864, 356, 0, 0, 1412920, ... ) == 0x160a03cc 00715 408 NtRequestWaitReplyPort (100, {32, 56, new_msg, 0, 0, 0, 0, 0} (100, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 396, 408, 1500, 0} "\0\0\0\0\0\0\0\0l\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {32, 56, reply, 0, 396, 408, 1500, 0} (100, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 396, 408, 1500, 0} "\0\0\0\0\0\0\0\0l\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 00716 408 NtMapViewOfSection (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x900000), {0, 0}, 331776, ) == 0x0 00717 408 NtUserGetWindowDC (0, ... ) == 0x1010052 00718 408 NtUserCallOneParam (16842834, 56, ... ) == 0x1 00719 408 NtUserGetWindowDC (0, ... ) == 0x1010052 00720 408 NtUserCallOneParam (16842834, 56, ... ) == 0x1 00721 408 NtUserGetWindowDC (0, ... ) == 0x1010052 00722 408 NtUserCallOneParam (16842834, 56, ... ) == 0x1 00723 408 NtUserGetWindowDC (0, ... ) == 0x1010052 00724 408 NtUserCallOneParam (16842834, 56, ... ) == 0x1 00725 408 NtUserGetWindowDC (0, ... ) == 0x1010052 00726 408 NtUserCallOneParam (16842834, 56, ... ) == 0x1 00727 408 NtUserGetWindowDC (0, ... ) == 0x1010052 00728 408 NtUserCallOneParam (16842834, 56, ... ) == 0x1 00729 408 NtUserGetWindowDC (0, ... ) == 0x1010052 00730 408 NtUserCallOneParam (16842834, 56, ... ) == 0x1 00731 408 NtUserGetWindowDC (0, ... ) == 0x1010052 00732 408 NtUserCallOneParam (16842834, 56, ... ) == 0x1 00733 408 NtUserGetWindowDC (0, ... 
) == 0x1010052 00734 408 NtGdiCreatePatternBrushInternal (59048369, 0, 0, ... ) == 0x2a100323 00735 408 NtUserCallOneParam (16842834, 56, ... ) == 0x1 00736 408 NtUserCallNoParam (29, ... 00737 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1232228, ... ) }, 1232228, ... ) == 0x0 00736 408 NtUserCallNoParam ... ) == 0x0 00738 408 NtUserCallNoParam (29, ... 00739 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1232224, ... ) }, 1232224, ... ) == 0x0 00738 408 NtUserCallNoParam ... ) == 0x0 00740 408 NtUserMessageCall (0x200b0, WM_NCCREATE, 0x0, 0x12db68, 0, 670, 0, ... ) == 0x1 00741 408 NtUserMessageCall (0x200b0, WM_NCCALCSIZE, 0x0, 0x12db90, 0, 670, 0, ... ) == 0x0 00742 408 NtUserSetProp (131248, 43288, -1, ... ) == 0x1 00664 408 NtUserCreateWindowEx ... ) == 0x200b0 00743 408 NtDeviceIoControlFile (104, 0, 0x0, 0x0, 0x390008, (104, 0, 0x0, 0x0, 0x390008, "\325\312\244\236\261mF\203\251#7\10\223M\2750\0\354\2257C\365]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 00744 408 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 00745 408 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 00746 408 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 00747 408 NtQuerySystemInformation (Exception, 16, ... 
{system info, class 33, size 16}, 16, ) == 0x0 00748 408 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 00749 408 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 00750 408 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 00751 408 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482020, 2, ) }, 0, 0x0, 0, ... -2147482020, 2, ) == 0x0 00752 408 NtSetValueKey (-2147482020, (-2147482020, "Seed", 0, 3, "/k\205\2551\345\263\376\325\25\370~\232\316\215\215Kj\2\373\\361\274\235\177\263\376\316Q\355\250\325\272_\322!D\26!\244!\223\373y\370A\200\354\271\334\326pk\20\12\317\304\231\17\205\6]SmVR\271\356x1\270\216\311g\362\340\342\0d", 80, ... ) , 0, 3, (-2147482020, "Seed", 0, 3, "/k\205\2551\345\263\376\325\25\370~\232\316\215\215Kj\2\373\\361\274\235\177\263\376\316Q\355\250\325\272_\322!D\26!\244!\223\373y\370A\200\354\271\334\326pk\20\12\317\304\231\17\205\6]SmVR\271\356x1\270\216\311g\362\340\342\0d", 80, ... ) , 80, ... ) == 0x0 00753 408 NtClose (-2147482020, ... ) == 0x0 00743 408 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "\13(\23\217E#A\21\351\317\22\213,\307\223\263\226\335t\225\2541\322\367\177\13+\343\373\26\261\22\322>\3r:\203\357/\367\213\204\223-f\302t\11\302\225w@6\207x\306\351p\2\247\4\336\357$C\16'/H0\2632\254&X\220\274\341\242X\235\11m\355\374A<\230!q}A5-RH\373\332\266o@\370n\355\264\241\304m{|\306\351\327\317\275\207X\261\34\373\354:\3052\241\177w\204znt\316I\306\243{\333\34u\202\350s\225qA\23\274\27V\344vi\306\30\271\334\273\245\277\333)H\312\15\372\242?\372\205r\13\260g\376|\347D\375]vJ\16\346\376R\240\257"\13-b\271q\245\256\365\177]\313\370\346}\351\322\213\320L\106\217\343\14O\307\177^\300\317\313\251\252Q>]\245\323\2461\212sx\327+\361<\323\362\340\254\272\335\0\335\24*\307+\264\254\334\23x\246\336\345", ) \13-b\271q\245\256\365\177]\313\370\346}\351\322\213\320L\106\217\343\14O\307\177^\300\317\313\251\252Q>]\245\323\2461\212sx\327+\361<\323\362\340\254\272\335\0\335\24*\307+\264\254\334\23x\246\336\345", ) == 0x0 00754 408 NtDeviceIoControlFile (104, 0, 0x0, 0x0, 0x390008, (104, 0, 0x0, 0x0, 0x390008, "\325\312\244\236\261mF\203\251#7\10\223M\337c\217\203Y\226\16\262<\0\354\2257C\365]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 00755 408 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 00756 408 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 00757 408 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 00758 408 NtQuerySystemInformation (Exception, 16, ... 
{system info, class 33, size 16}, 16, ) == 0x0 00759 408 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 00760 408 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 00761 408 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 00762 408 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482020, 2, ) }, 0, 0x0, 0, ... -2147482020, 2, ) == 0x0 00763 408 NtSetValueKey (-2147482020, (-2147482020, "Seed", 0, 3, "\243\235T\302N%\203w\217\235\217J\301V\2618\342\330\212R\32l\225T\212s"u\7\274\337\36\204\21\326\367u1u\25r\307W\265gP\253i~"K\254GW\321HM\374\226\253\362Qd\223\355r}\237\227\257\312\316\241\321\370\5\373\34\376\300", 80, ... ) , 0, 3, (-2147482020, "Seed", 0, 3, "\243\235T\302N%\203w\217\235\217J\301V\2618\342\330\212R\32l\225T\212s"u\7\274\337\36\204\21\326\367u1u\25r\307W\265gP\253i~"K\254GW\321HM\374\226\253\362Qd\223\355r}\237\227\257\312\316\241\321\370\5\373\34\376\300", 80, ... ) u\7\274\337\36\204\21\326\367u1u\25r\307W\265gP\253i~ (-2147482020, "Seed", 0, 3, "\243\235T\302N%\203w\217\235\217J\301V\2618\342\330\212R\32l\225T\212s"u\7\274\337\36\204\21\326\367u1u\25r\307W\265gP\253i~"K\254GW\321HM\374\226\253\362Qd\223\355r}\237\227\257\312\316\241\321\370\5\373\34\376\300", 80, ... ) , 80, ... ) == 0x0 00764 408 NtClose (-2147482020, ... ) == 0x0 00754 408 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "\333\322\366r\353\354\0;\224\215Fyh\364\355\235&\262\361\0P\235'rb\322;\376X\233\177\10S\277\S\204\265\3165I\314\3601\15\361U\355\264j\352\331=\24}\371\332EJ\365>\237Jz\357\373\304S\251=\244\230%|\250\311\244\366;\201*\35'~\360\262\223\217\250\24\350\30\240{Ao?\344\345[C\221\267\14p\343\36\232eYMck\17\254\271$\1!]\31B\14\314s\260\24H\311j\230\34\25h\232\177@\13\320\203\276sr\23\353kC\17\27\3545o\321\\237{\360H\347\16O\324\226\344\367\36\306\256\203M\30f\\237\302o\262\0!\324\1\260\0[\336*f\23\370f\220\21y'\356BG\11\252Z\357t\260\255\305\264\251\345\2\274|j\222\207w\364ve\257S\6\34\250B\252{\251@\240\220\36T\250\214\304K\233\2747\203\350\357\330\374!P\377\4\352\217\15Q\357\335", ) , ) == 0x0 00765 408 NtDeviceIoControlFile (104, 0, 0x0, 0x0, 0x390008, (104, 0, 0x0, 0x0, 0x390008, "\325\312\244\236\261mF\203\251#7\10\223M\337c\217\203Y\226\16\320o\217\203Y\226\16\262<\0\354\2257C\365]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 00766 408 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 00767 408 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 00768 408 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 00769 408 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 00770 408 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 00771 408 NtQuerySystemInformation (ProcessorStatistics, 3016, ... 
{system info, class 23, size 0}, 0, ) == 0x0 00772 408 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 00773 408 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482020, 2, ) }, 0, 0x0, 0, ... -2147482020, 2, ) == 0x0 00774 408 NtSetValueKey (-2147482020, (-2147482020, "Seed", 0, 3, "\370\207d'\276\275\334\251\357\371\264\264\2203\270\257\227\3337\276\353\236\241\214\253A\36\355S|\343r-z\261\312\17J\250\325\6j$\200\320\373\254M\326S79\203~\237.\15\320\360\33e\226\371\307\277\10\336\202\205\25\233\345\217\343\273\356\322`\30c", 80, ... ) , 0, 3, (-2147482020, "Seed", 0, 3, "\370\207d'\276\275\334\251\357\371\264\264\2203\270\257\227\3337\276\353\236\241\214\253A\36\355S|\343r-z\261\312\17J\250\325\6j$\200\320\373\254M\326S79\203~\237.\15\320\360\33e\226\371\307\277\10\336\202\205\25\233\345\217\343\273\356\322`\30c", 80, ... ) , 80, ... ) == 0x0 00775 408 NtClose (-2147482020, ... ) == 0x0 00765 408 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "\360\276\351\314N\10\367|\360\16x5\230\335}\357\327\321\342\200\373\335d\20 _o\233Mr\366\235\207&5s\35 \241\237d\2050\15(\222d\267\247<\214\25VGC\12\257\221\177\377\213l\200G\307\332\206\327MO\222\335\270=H\223\240cB\256\22N\363h\23Q\375\214\34-\0\346\3468\256D\364\20\317\271\26'YF\21\222V\3248\365\2\355$\24\273\264\221k\337\367\300\257\33\16\366K\232/\317g\304\313AAl{\257\307\37\343\267\10\375\340\266\202\315\251t|s\261\213\347\221\24450\231\330\212\362\263\304\234U\367\214\216?\251\32\375\4;\3\200\276\345b\256L]\365\336\177tn\212\217\35\370\275\260\7\275\314\252\336\221\363N.o\14}\16\334\346\366\213\30\344\307\27\33\204\\314\214\245\16\34\353t*\4\215#\251YKO\241G\256\217K\350> Tk\332\351v\241\344|\373Q\15\324-", ) , ) == 0x0 00776 408 NtDeviceIoControlFile (104, 0, 0x0, 0x0, 0x390008, (104, 0, 0x0, 0x0, 0x390008, "\325\312\244\236\261mF\203\251#7\10\223M\337c\217\203Y\226\16\320o\217\203Y\226\16\320o\217\203Y\226\16\262<\0\354\2257C\365]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 00777 408 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 00778 408 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 00779 408 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 00780 408 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 00781 408 NtQuerySystemInformation (Lookaside, 32, ... 
{system info, class 45, size 32}, 32, ) == 0x0 00782 408 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 00783 408 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 00784 408 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482020, 2, ) }, 0, 0x0, 0, ... -2147482020, 2, ) == 0x0 00785 408 NtSetValueKey (-2147482020, (-2147482020, "Seed", 0, 3, "4\2209A0\260kY\356O\37E\200\206\377g\35\273w\235\13\32\332\5\335\340\312f\345\247\2000C\353\371\25\325\332\12DH!\227\232'\25H8o\373\270#\357=\267\241\\314i\1r\3\0\352\205\320\225\363\343\303$t2\202\237]\204"g.", 80, ... ) , 0, 3, (-2147482020, "Seed", 0, 3, "4\2209A0\260kY\356O\37E\200\206\377g\35\273w\235\13\32\332\5\335\340\312f\345\247\2000C\353\371\25\325\332\12DH!\227\232'\25H8o\373\270#\357=\267\241\\314i\1r\3\0\352\205\320\225\363\343\303$t2\202\237]\204"g.", 80, ... ) g.", 80, ... ) == 0x0 00786 408 NtClose (-2147482020, ... ) == 0x0 00776 408 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "!\273\360\202fQ\34\31\367\234Y\372\202K!\357]\357\302\177\300\35\372m\341\355\323\307|s\361\344A\240M\310\26i\254\256\6'\206\275\26\357\337\314W\2545\350y9E\3700\334\270\237\24\261\21\204\216n\276\326\227\365\304\305z\311\262j\305\230\221\37\335\347+a\26\307\253\370~:\335D\3360:skk\201G\343\331H:\263a\263\310\345\201>O*&\375\301\235q\316\347\6\30;R\232nH\33>\264\340Co\262\270\264\6SsyMW\4\327$X\311`h\232\213\304\345Vj+%\3650\33N\344;\224x\223Q&\215W\363\225\330\3\33\376\227\343\4\16\301\201SJ\341\260Q\325Pw\12GYd\373\2255\11\373\11X\330\30\305\31\211\323L\347\254\12\273;\307[\231g\247\222?\311\225a\272\264\232"\333eU\202[\356Z\34\1\367j\33\372\307\7\10X\257*\25i\37\4\354\366\336\356i", ) \333eU\202[\356Z\34\1\367j\33\372\307\7\10X\257*\25i\37\4\354\366\336\356i", ) == 0x0 00787 408 NtDeviceIoControlFile (104, 0, 0x0, 0x0, 0x390008, (104, 0, 0x0, 0x0, 0x390008, "\325\312\244\236\261mF\203\251#7\10\223M\337c\217\203Y\226\16\320o\217\203Y\226\16\320o\217\203Y\226\16\320o\217\203Y\226\16\262<\0\354\2257C\365]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 00788 408 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 00789 408 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 00790 408 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 00791 408 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 00792 408 NtQuerySystemInformation (Lookaside, 32, ... 
{system info, class 45, size 32}, 32, ) == 0x0 00793 408 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 00794 408 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 00795 408 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482020, 2, ) }, 0, 0x0, 0, ... -2147482020, 2, ) == 0x0 00796 408 NtSetValueKey (-2147482020, (-2147482020, "Seed", 0, 3, "\244\332\372\331\177"\210t\300\245:\253Qw\0x5\375\235r\212\26?_\303r\244\267n\340\222\247\GX\302S\272{\276A\332\311\22\347#)$c\362,\322\2\212!-.\310\253V\205\214\5'\25\232\231\30\257{*ir\332/\342\363\223\254\26", 80, ... ) , 0, 3, (-2147482020, "Seed", 0, 3, "\244\332\372\331\177"\210t\300\245:\253Qw\0x5\375\235r\212\26?_\303r\244\267n\340\222\247\GX\302S\272{\276A\332\311\22\347#)$c\362,\322\2\212!-.\310\253V\205\214\5'\25\232\231\30\257{*ir\332/\342\363\223\254\26", 80, ... ) \210t\300\245:\253Qw\0x5\375\235r\212\26?_\303r\244\267n\340\222\247\GX\302S\272{\276A\332\311\22\347#)$c\362,\322\2\212!-.\310\253V\205\214\5'\25\232\231\30\257{*ir\332/\342\363\223\254\26", 80, ... ) == 0x0 00797 408 NtClose (-2147482020, ... ) == 0x0 00787 408 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "US\244\253\270\0\313K0\337!\20\233\370\16\214q\274\166\343j\304\257nS8[3\6b\343\14+~\2074r\16X\312i^g\372\34\347\31Z\267\365d\214vN\275\317\244gr\332\235K\2617\341\254o\241\205\223\261F\337\241\342\356\24\361\4\332fZRf\320OF/\357\222\237c\232\325\211\212\223\273\272#\203m]\13\335\11G\245\377=\337@~\351q\244\255\17\3345\220\177\3)R\230\244:j\273\327\240\332k\334\356o\333W\340\2469\241\367\271Kg\271\321Vh\324V\277'\310\236n\20\340\12\254\235\274\2552\23\267M\266\257\235\6b\325\237l\371_\332q\334\334\312?\1B`\336\35\177h{\252\241;T\365\3\302\332N:\344-\316\37\262\10#]\226\5\13\6.iI_?\21\302}\2\220-\301\240o\267\225'e\3065I\370\220\240\346\3226j\17+\300\327A\232\371w{>\263B", ) , ) == 0x0 00798 408 NtDeviceIoControlFile (104, 0, 0x0, 0x0, 0x390008, (104, 0, 0x0, 0x0, 0x390008, "\325\312\244\236\261mF\203\251#7\10\223M\337c\217\203Y\226\16\320o\217\203Y\226\16\320o\217\203Y\226\16\320o\217\203Y\226\16\320o\217\203Y\226\16\262<\0\354\2257C\365]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 00799 408 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 00800 408 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 00801 408 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 00802 408 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 00803 408 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 00804 408 NtQuerySystemInformation (ProcessorStatistics, 3016, ... 
{system info, class 23, size 0}, 0, ) == 0x0 00805 408 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 00806 408 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482020, 2, ) }, 0, 0x0, 0, ... -2147482020, 2, ) == 0x0 00807 408 NtSetValueKey (-2147482020, (-2147482020, "Seed", 0, 3, "\207[}\263':\242\331\316\34v\274>\350\236\267\323\20\330JC\252\4"o\214L\272\242)g\216=y\250e\7\360\262\325\2530=\33\221_\314\b'\274z\260\16\230H9\260\214\255\267\2108\6\231F\240Z\331\7\35\2\27w\345\254\271\225\334\367", 80, ... ) , 0, 3, (-2147482020, "Seed", 0, 3, "\207[}\263':\242\331\316\34v\274>\350\236\267\323\20\330JC\252\4"o\214L\272\242)g\216=y\250e\7\360\262\325\2530=\33\221_\314\b'\274z\260\16\230H9\260\214\255\267\2108\6\231F\240Z\331\7\35\2\27w\345\254\271\225\334\367", 80, ... ) o\214L\272\242)g\216=y\250e\7\360\262\325\2530=\33\221_\314\b'\274z\260\16\230H9\260\214\255\267\2108\6\231F\240Z\331\7\35\2\27w\345\254\271\225\334\367", 80, ... ) == 0x0 00808 408 NtClose (-2147482020, ... ) == 0x0 00798 408 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "\357\333`<$\=\240\210~\361q\360\241J\\324\336\203\354\263a\245.\20\277mjN\336\206e\260J\307\325\241c\321o4a\253\243\260\366P\364\236\326Q,\352J\351\355\363f(\233%]e\231\211`\33\273\365)\2745Wr/YJ,\6\332X=\24\375k\360Fhs\244"\373\22\244\367\233\322(\205J\270!\305AY|\251\275n\215s\231\367\235\312[\200xG\6\211F\13\350\272\277\204o\2507o\354e\377\374\277\211\213\227\4\16U@X\327\3032\30\343M y*t;\221\326/@\262\31\7;\351&jUV\246\323D\23\1'\237)\3\\372\1\353\262\207\253\301a\300\11\337\334?)_\220t\367\372\355\335\312\234(\267\301\31\251\224\277\322\25E`\372\23\260iQ\215\321\321M\37y0\37\333\325\221 \17Z\335X\200\371\267\346]\36{\353m\357\234\377\336\264\21\340w\25\341i\220\371", ) \373\22\244\367\233\322(\205J\270!\305AY|\251\275n\215s\231\367\235\312[\200xG\6\211F\13\350\272\277\204o\2507o\354e\377\374\277\211\213\227\4\16U@X\327\3032\30\343M y*t;\221\326/@\262\31\7;\351&jUV\246\323D\23\1'\237)\3\\372\1\353\262\207\253\301a\300\11\337\334?)_\220t\367\372\355\335\312\234(\267\301\31\251\224\277\322\25E`\372\23\260iQ\215\321\321M\37y0\37\333\325\221 \17Z\335X\200\371\267\346]\36{\353m\357\234\377\336\264\21\340w\25\341i\220\371", ) == 0x0 00809 408 NtDeviceIoControlFile (104, 0, 0x0, 0x0, 0x390008, (104, 0, 0x0, 0x0, 0x390008, "\325\312\244\236\261mF\203\251#7\10\223M\337c\217\203Y\226\16\320o\217\203Y\226\16\320o\217\203Y\226\16\320o\217\203Y\226\16\320o\217\203Y\226\16\320o\217\203Y\226\16\262<\0\354\2257C\365]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 00810 408 NtQuerySystemInformation (TimeOfDay, 48, ... 
{system info, class 3, size 48}, 48, ) == 0x0 00811 408 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 00812 408 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 00813 408 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 00814 408 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 00815 408 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 00816 408 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 00817 408 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482020, 2, ) }, 0, 0x0, 0, ... -2147482020, 2, ) == 0x0 00818 408 NtSetValueKey (-2147482020, (-2147482020, "Seed", 0, 3, "\271(\225\377\27&JB\217[\321\357\323\303VJ\13\253\337A\227']{q\237\322\0\243{\363K\200\334\311\336\213\365J&tz\240\267\24099\211\326\'8={Z\332\17C_R;Z\362\342\312\9s'0\364\34749\260\210\223\255Qk", 80, ... ) , 0, 3, (-2147482020, "Seed", 0, 3, "\271(\225\377\27&JB\217[\321\357\323\303VJ\13\253\337A\227']{q\237\322\0\243{\363K\200\334\311\336\213\365J&tz\240\267\24099\211\326\'8={Z\332\17C_R;Z\362\342\312\9s'0\364\34749\260\210\223\255Qk", 80, ... ) , 80, ... ) == 0x0 00819 408 NtClose (-2147482020, ... ) == 0x0 00809 408 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "\374\232\326"\302\376m\311\376d\251%\257\334\372\22\202\26x\355KWt\235T\210\236\35\273m}->\13\16\26\236c}}\326\23\362\321T\371\0\350|\351j\254\235{\305\300\0\23\313\335\273z63\311\6\2326\2021\37IV\334\327\312\365\37Oj\26\276\31\3719\0$O\323\2420\311\370p"\37g\350\200pp\366=\207q\337Z\233\10\27M\10\23\36\338Gw3\226\303ouQ891\30Q\251H\374\221\200dtj\233\351$\377\313h\215H\265f\304{\366\301N2\177;4U\233~r\245*\2110\3201@\254H\21\357\336\247N?pj\357\341\210\356P[\4T'\272\35\32\0-W\10\231\337\276\367\362J\310Q\261U\270\301W%\331\270V[\244(\266\375\251A3S\14y\377\306\227;\37\202\4P\376\330\342Xs\252:\314K\310\303\302\245\272Q\355O\316\232\370\321\261mA0\265", ) \302\376m\311\376d\251%\257\334\372\22\202\26x\355KWt\235T\210\236\35\273m}->\13\16\26\236c}}\326\23\362\321T\371\0\350|\351j\254\235{\305\300\0\23\313\335\273z63\311\6\2326\2021\37IV\334\327\312\365\37Oj\26\276\31\3719\0$O\323\2420\311\370p ... {status=0x0, info=256}, "\374\232\326"\302\376m\311\376d\251%\257\334\372\22\202\26x\355KWt\235T\210\236\35\273m}->\13\16\26\236c}}\326\23\362\321T\371\0\350|\351j\254\235{\305\300\0\23\313\335\273z63\311\6\2326\2021\37IV\334\327\312\365\37Oj\26\276\31\3719\0$O\323\2420\311\370p"\37g\350\200pp\366=\207q\337Z\233\10\27M\10\23\36\338Gw3\226\303ouQ891\30Q\251H\374\221\200dtj\233\351$\377\313h\215H\265f\304{\366\301N2\177;4U\233~r\245*\2110\3201@\254H\21\357\336\247N?pj\357\341\210\356P[\4T'\272\35\32\0-W\10\231\337\276\367\362J\310Q\261U\270\301W%\331\270V[\244(\266\375\251A3S\14y\377\306\227;\37\202\4P\376\330\342Xs\252:\314K\310\303\302\245\272Q\355O\316\232\370\321\261mA0\265", ) , ) == 0x0 00820 408 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, ... 112, ) }, ... 112, ) == 0x0 00821 408 NtQueryValueKey (112, (112, "MaximizeApps", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00822 408 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, ... 116, ) }, ... 116, ) == 0x0 00823 408 NtQueryValueKey (116, (116, "MaximizeApps", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00824 408 NtClose (116, ... ) == 0x0 00825 408 NtClose (112, ... ) == 0x0 00826 408 NtAllocateVirtualMemory (-1, 1445888, 0, 24576, 4096, 4, ... 1445888, 24576, ) == 0x0 00827 408 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "netapi32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00828 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\netapi32.dll"}, 1235296, ... ) }, 1235296, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00829 408 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "netapi32.dll"}, 1235296, ... ) }, 1235296, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00830 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\netapi32.dll"}, 1235296, ... ) }, 1235296, ... ) == 0x0 00831 408 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\netapi32.dll"}, 5, 96, ... 112, {status=0x0, info=1}, ) }, 5, 96, ... 112, {status=0x0, info=1}, ) == 0x0 00832 408 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 112, ... 116, ) == 0x0 00833 408 NtQuerySection (116, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00834 408 NtClose (112, ... ) == 0x0 00835 408 NtMapViewOfSection (116, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c20000), 0x0, 323584, ) == 0x0 00836 408 NtClose (116, ... ) == 0x0 00837 408 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00838 408 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00839 408 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 116, ) }, ... 116, ) == 0x0 00840 408 NtQueryValueKey (116, (116, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00841 408 NtClose (116, ... ) == 0x0 00842 408 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00843 408 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 116, ) == 0x0 00844 408 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 112, ) == 0x0 00845 408 NtQuerySystemTime (... {-287809952, 29873161}, ) == 0x0 00846 408 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 120, ) == 0x0 00847 408 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00848 408 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0 00849 408 NtQueryInformationProcess (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0 00850 408 NtQueryInformationProcess (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0 00851 408 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 124, ) == 0x0 00852 408 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 
128, ) == 0x0 00853 408 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 132, ) }, ... 132, ) == 0x0 00854 408 NtOpenKey (0x20019, {24, 132, 0x40, 0, 0, (0x20019, {24, 132, 0x40, 0, 0, "ActiveComputerName"}, ... 136, ) }, ... 136, ) == 0x0 00855 408 NtQueryValueKey (136, (136, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (136, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (136, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0 00856 408 NtClose (136, ... ) == 0x0 00857 408 NtClose (132, ... ) == 0x0 00858 408 NtCreateIoCompletion (0x1f0003, 0x0, 0, ... 132, ) == 0x0 00859 408 NtCreateIoCompletion (0x1f0003, 0x0, -1, ... 136, ) == 0x0 00860 408 NtDuplicateObject (-1, 132, -1, 0x0, 0, 2, ... 140, ) == 0x0 00861 408 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 00862 408 NtAllocateVirtualMemory (-1, 1470464, 0, 4096, 4096, 4, ... 1470464, 4096, ) == 0x0 00863 408 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 144, ) == 0x0 00864 408 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 00865 408 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 00866 408 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1235664, (0xc0100080, {24, 0, 0x40, 0, 1235664, "\??\PIPE\wkssvc"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 148, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 148, {status=0x0, info=1}, ) == 0x0 00867 408 NtSetInformationFile (148, 1235720, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 00868 408 NtSetInformationFile (148, 1235712, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 00869 408 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... 
) == 0x0 00870 408 NtWriteFile (148, 125, 0, 0, (148, 125, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\230\320\377k\22\241\206\2303F\303\370~4Z\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 00871 408 NtReadFile (148, 125, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (148, 125, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20@\36\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 00872 408 NtFsControlFile (148, 125, 0x0, 0x0, 0x11c017, (148, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0", 32, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20@\36\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 32, 1024, ... {status=0x103, info=68}, (148, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0", 32, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20@\36\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 00873 408 NtClose (144, ... ) == 0x0 00874 408 NtClose (148, ... ) == 0x0 00875 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\U:\startupscripts"}, 1235708, ... ) }, 1235708, ... ) == 0x0 00876 408 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 00877 408 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 00878 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\tmp-490-wlr.bat"}, 1235528, ... ) }, 1235528, ... 
) == 0x0 00879 408 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 00880 408 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 00881 408 NtCreateSemaphore (0x1f0003, {24, 72, 0x80, 1474216, 0, (0x1f0003, {24, 72, 0x80, 1474216, 0, "shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}"}, 0, 2147483647, ... 148, ) }, 0, 2147483647, ... 148, ) == STATUS_OBJECT_NAME_EXISTS 00882 408 NtReleaseSemaphore (148, 1, ... 0, ) == 0x0 00883 408 NtWaitForSingleObject (148, 0, {0, 0}, ... ) == 0x0 00884 408 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00885 408 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 144, ) }, ... 144, ) == 0x0 00886 408 NtQueryValueKey (144, (144, "NoNetHood", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00887 408 NtClose (144, ... ) == 0x0 00888 408 NtReleaseSemaphore (148, 1, ... 0, ) == 0x0 00889 408 NtWaitForSingleObject (148, 0, {0, 0}, ... ) == 0x0 00890 408 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00891 408 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 144, ) }, ... 144, ) == 0x0 00892 408 NtQueryValueKey (144, (144, "NoPropertiesMyComputer", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00893 408 NtClose (144, ... ) == 0x0 00894 408 NtReleaseSemaphore (148, 1, ... 0, ) == 0x0 00895 408 NtWaitForSingleObject (148, 0, {0, 0}, ... 
) == 0x0 00896 408 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00897 408 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 144, ) }, ... 144, ) == 0x0 00898 408 NtQueryValueKey (144, (144, "NoInternetIcon", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00899 408 NtClose (144, ... ) == 0x0 00900 408 NtAllocateVirtualMemory (-1, 1474560, 0, 4096, 4096, 4, ... 1474560, 4096, ) == 0x0 00901 408 NtReleaseSemaphore (148, 1, ... 0, ) == 0x0 00902 408 NtWaitForSingleObject (148, 0, {0, 0}, ... ) == 0x0 00903 408 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00904 408 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 144, ) }, ... 144, ) == 0x0 00905 408 NtQueryValueKey (144, (144, "NoCommonGroups", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00906 408 NtClose (144, ... ) == 0x0 00907 408 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{20D04FE0-3AEA-1069-A2D8-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00908 408 NtReleaseSemaphore (148, 1, ... 0, ) == 0x0 00909 408 NtWaitForSingleObject (148, 0, {0, 0}, ... ) == 0x0 00910 408 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00911 408 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 144, ) }, ... 
144, ) == 0x0 00912 408 NtQueryValueKey (144, (144, "NoControlPanel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00913 408 NtClose (144, ... ) == 0x0 00914 408 NtReleaseSemaphore (148, 1, ... 0, ) == 0x0 00915 408 NtWaitForSingleObject (148, 0, {0, 0}, ... ) == 0x0 00916 408 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00917 408 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 144, ) }, ... 144, ) == 0x0 00918 408 NtQueryValueKey (144, (144, "NoSetFolders", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00919 408 NtClose (144, ... ) == 0x0 00920 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00921 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 144, ) == 0x0 00922 408 NtQueryInformationToken (144, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00923 408 NtClose (144, ... ) == 0x0 00924 408 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes"}, ... 144, ) }, ... 144, ) == 0x0 00925 408 NtSetInformationObject (146, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0 00926 408 NtQueryKey (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 00927 408 NtOpenKey (0x1, {24, 146, 0x40, 0, 0, (0x1, {24, 146, 0x40, 0, 0, "CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00928 408 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... 152, ) }, ... 152, ) == 0x0 00929 408 NtQueryKey (154, Name, 392, ... 
{Name= (154, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0 00930 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00931 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 156, ) == 0x0 00932 408 NtQueryInformationToken (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00933 408 NtClose (156, ... ) == 0x0 00934 408 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00935 408 NtQueryValueKey (154, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data= (154, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0S\0H\0E\0L\0L\03\02\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00936 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1233436, ... ) }, 1233436, ... ) == 0x0 00937 408 NtClose (154, ... ) == 0x0 00938 408 NtQueryKey (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 00939 408 NtOpenKey (0x2000000, {24, 146, 0x40, 0, 0, (0x2000000, {24, 146, 0x40, 0, 0, "Drive\shellex\FolderExtensions"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00940 408 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Drive\shellex\FolderExtensions"}, ... 152, ) }, ... 152, ) == 0x0 00941 408 NtQueryKey (154, Name, 392, ... {Name= (154, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensionsl"}, 134, ) }, 134, ) == 0x0 00942 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00943 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 
156, ) == 0x0 00944 408 NtQueryInformationToken (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00945 408 NtClose (156, ... ) == 0x0 00946 408 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Drive\shellex\FolderExtensions"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00947 408 NtEnumerateKey (154, 0, Node, 288, ... {LastWrite={0x5abc7c30,0x1c73999}, TitleIdx=0, Name= (154, 0, Node, 288, ... {LastWrite={0x5abc7c30,0x1c73999}, TitleIdx=0, Name="{fbeb8a05-beee-4442-804e-409d6c4515e9}", Class=""}, 100, ) , Class=""}, 100, ) == 0x0 00948 408 NtQueryKey (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 00949 408 NtAllocateVirtualMemory (-1, 1478656, 0, 4096, 4096, 4, ... 1478656, 4096, ) == 0x0 00950 408 NtOpenKey (0x1, {24, 146, 0x40, 0, 0, (0x1, {24, 146, 0x40, 0, 0, "Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00951 408 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... 156, ) }, ... 156, ) == 0x0 00952 408 NtQueryKey (158, Name, 392, ... {Name= (158, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, 212, ) }, 212, ) == 0x0 00953 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00954 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 160, ) == 0x0 00955 408 NtQueryInformationToken (160, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00956 408 NtClose (160, ... 
) == 0x0 00957 408 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00958 408 NtQueryValueKey (158, (158, "DriveMask", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (158, "DriveMask", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0 00959 408 NtClose (158, ... ) == 0x0 00960 408 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 00961 408 NtEnumerateKey (154, 1, Node, 288, ... ) == STATUS_NO_MORE_ENTRIES 00962 408 NtClose (154, ... ) == 0x0 00963 408 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 00964 408 NtOpenKey (0x2000000, {24, 80, 0x40, 0, 0, (0x2000000, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, ... 152, ) }, ... 152, ) == 0x0 00965 408 NtOpenKey (0x2000000, {24, 152, 0x40, 0, 0, (0x2000000, {24, 152, 0x40, 0, 0, "FileExts"}, ... 156, ) }, ... 156, ) == 0x0 00966 408 NtOpenKey (0x2000000, {24, 156, 0x40, 0, 0, (0x2000000, {24, 156, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00967 408 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 00968 408 NtOpenKey (0x2000000, {24, 156, 0x40, 0, 0, (0x2000000, {24, 156, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00969 408 NtQueryKey (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0 00970 408 NtOpenKey (0x2000000, {24, 146, 0x40, 0, 0, (0x2000000, {24, 146, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00971 408 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 160, ) }, ... 
160, ) == 0x0 00972 408 NtQueryKey (162, Name, 392, ... {Name= (162, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0 00973 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00974 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 164, ) == 0x0 00975 408 NtQueryInformationToken (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00976 408 NtClose (164, ... ) == 0x0 00977 408 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00978 408 NtQueryValueKey (162, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (162, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="b\0a\0t\0f\0i\0l\0e\0\0\0"}, 28, ) }, 28, ) == 0x0 00979 408 NtQueryKey (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 00980 408 NtOpenKey (0x2000000, {24, 146, 0x40, 0, 0, (0x2000000, {24, 146, 0x40, 0, 0, "batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00981 408 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\batfile"}, ... 164, ) }, ... 164, ) == 0x0 00982 408 NtQueryKey (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0 00983 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00984 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 168, ) == 0x0 00985 408 NtQueryInformationToken (168, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00986 408 NtClose (168, ... ) == 0x0 00987 408 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\CurVer"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00988 408 NtOpenKey (0x1, {24, 166, 0x40, 0, 0, (0x1, {24, 166, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00989 408 NtQueryKey (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0 00990 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00991 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 168, ) == 0x0 00992 408 NtQueryInformationToken (168, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00993 408 NtClose (168, ... ) == 0x0 00994 408 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00995 408 NtOpenKey (0x2000000, {24, 166, 0x40, 0, 0, ""}, ... 168, ) == 0x0 00996 408 NtClose (166, ... ) == 0x0 00997 408 NtReleaseSemaphore (148, 1, ... 0, ) == 0x0 00998 408 NtWaitForSingleObject (148, 0, {0, 0}, ... ) == 0x0 00999 408 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01000 408 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 164, ) }, ... 164, ) == 0x0 01001 408 NtQueryValueKey (164, (164, "DontShowSuperHidden", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01002 408 NtClose (164, ... ) == 0x0 01003 408 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01004 408 NtOpenKey (0x2000000, {24, 152, 0x40, 0, 0, ""}, ... 164, ) == 0x0 01005 408 NtQueryValueKey (164, (164, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (164, "ShellState", Partial, 144, ... 
TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) }, 48, ) == 0x0 01006 408 NtQueryValueKey (164, (164, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (164, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) }, 48, ) == 0x0 01007 408 NtClose (164, ... ) == 0x0 01008 408 NtReleaseSemaphore (148, 1, ... 0, ) == 0x0 01009 408 NtWaitForSingleObject (148, 0, {0, 0}, ... ) == 0x0 01010 408 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01011 408 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 164, ) }, ... 164, ) == 0x0 01012 408 NtQueryValueKey (164, (164, "ForceActiveDesktopOn", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01013 408 NtClose (164, ... ) == 0x0 01014 408 NtReleaseSemaphore (148, 1, ... 0, ) == 0x0 01015 408 NtWaitForSingleObject (148, 0, {0, 0}, ... ) == 0x0 01016 408 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01017 408 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 164, ) }, ... 164, ) == 0x0 01018 408 NtQueryValueKey (164, (164, "NoActiveDesktop", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01019 408 NtClose (164, ... ) == 0x0 01020 408 NtReleaseSemaphore (148, 1, ... 0, ) == 0x0 01021 408 NtWaitForSingleObject (148, 0, {0, 0}, ... 
) == 0x0 01022 408 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01023 408 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 164, ) }, ... 164, ) == 0x0 01024 408 NtQueryValueKey (164, (164, "NoWebView", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01025 408 NtClose (164, ... ) == 0x0 01026 408 NtReleaseSemaphore (148, 1, ... 0, ) == 0x0 01027 408 NtWaitForSingleObject (148, 0, {0, 0}, ... ) == 0x0 01028 408 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01029 408 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 164, ) }, ... 164, ) == 0x0 01030 408 NtQueryValueKey (164, (164, "ClassicShell", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01031 408 NtClose (164, ... ) == 0x0 01032 408 NtReleaseSemaphore (148, 1, ... 0, ) == 0x0 01033 408 NtWaitForSingleObject (148, 0, {0, 0}, ... ) == 0x0 01034 408 NtReleaseSemaphore (148, 1, ... 0, ) == 0x0 01035 408 NtWaitForSingleObject (148, 0, {0, 0}, ... ) == 0x0 01036 408 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01037 408 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 164, ) }, ... 164, ) == 0x0 01038 408 NtQueryValueKey (164, (164, "SeparateProcess", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01039 408 NtClose (164, ... ) == 0x0 01040 408 NtReleaseSemaphore (148, 1, ... 
0, ) == 0x0 01041 408 NtWaitForSingleObject (148, 0, {0, 0}, ... ) == 0x0 01042 408 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01043 408 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 164, ) }, ... 164, ) == 0x0 01044 408 NtQueryValueKey (164, (164, "NoNetCrawling", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01045 408 NtClose (164, ... ) == 0x0 01046 408 NtReleaseSemaphore (148, 1, ... 0, ) == 0x0 01047 408 NtWaitForSingleObject (148, 0, {0, 0}, ... ) == 0x0 01048 408 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01049 408 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 164, ) }, ... 164, ) == 0x0 01050 408 NtQueryValueKey (164, (164, "NoSimpleStartMenu", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01051 408 NtClose (164, ... ) == 0x0 01052 408 NtReleaseSemaphore (148, 1, ... 0, ) == 0x0 01053 408 NtWaitForSingleObject (148, 0, {0, 0}, ... ) == 0x0 01054 408 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01055 408 NtOpenKey (0x2000000, {24, 152, 0x40, 0, 0, (0x2000000, {24, 152, 0x40, 0, 0, "Advanced"}, ... 164, ) }, ... 164, ) == 0x0 01056 408 NtQueryValueKey (164, (164, "Hidden", Partial, 144, ... TitleIdx=0, Type=4, Data="\2\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (164, "Hidden", Partial, 144, ... TitleIdx=0, Type=4, Data="\2\0\0\0"}, 16, ) }, 16, ) == 0x0 01057 408 NtQueryValueKey (164, (164, "ShowCompColor", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... 
TitleIdx=0, Type=4, Data= (164, "ShowCompColor", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01058 408 NtQueryValueKey (164, (164, "HideFileExt", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (164, "HideFileExt", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01059 408 NtQueryValueKey (164, (164, "DontPrettyPath", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (164, "DontPrettyPath", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01060 408 NtQueryValueKey (164, (164, "ShowInfoTip", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (164, "ShowInfoTip", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01061 408 NtQueryValueKey (164, (164, "HideIcons", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (164, "HideIcons", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01062 408 NtQueryValueKey (164, (164, "MapNetDrvBtn", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (164, "MapNetDrvBtn", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01063 408 NtReleaseSemaphore (148, 1, ... 0, ) == 0x0 01064 408 NtWaitForSingleObject (148, 0, {0, 0}, ... ) == 0x0 01065 408 NtQueryValueKey (164, (164, "WebView", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (164, "WebView", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01066 408 NtQueryValueKey (164, (164, "Filter", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (164, "Filter", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01067 408 NtQueryValueKey (164, (164, "ShowSuperHidden", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01068 408 NtQueryValueKey (164, (164, "SeparateProcess", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (164, "SeparateProcess", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01069 408 NtQueryValueKey (164, (164, "NoNetCrawling", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01070 408 NtClose (164, ... ) == 0x0 01071 408 NtCreateSemaphore (0x1f0003, {24, 72, 0x80, 1474216, 0, (0x1f0003, {24, 72, 0x80, 1474216, 0, "shell.{7CB834F0-527B-11D2-9D1F-0000F805CA57}"}, 0, 2147483647, ... 164, ) }, 0, 2147483647, ... 164, ) == STATUS_OBJECT_NAME_EXISTS 01072 408 NtReleaseSemaphore (164, 1, ... 0, ) == 0x0 01073 408 NtWaitForSingleObject (164, 0, {0, 0}, ... ) == 0x0 01074 408 NtQueryKey (170, Name, 384, ... {Name= (170, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0 01075 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01076 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 172, ) == 0x0 01077 408 NtQueryInformationToken (172, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01078 408 NtClose (172, ... ) == 0x0 01079 408 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01080 408 NtOpenKey (0x1, {24, 170, 0x40, 0, 0, (0x1, {24, 170, 0x40, 0, 0, "ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01081 408 NtQueryKey (146, Name, 384, ... {Name= (146, Name, 384, ... 
{Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 01082 408 NtOpenKey (0x2000000, {24, 146, 0x40, 0, 0, (0x2000000, {24, 146, 0x40, 0, 0, "SystemFileAssociations\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01083 408 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\SystemFileAssociations\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01084 408 NtQueryKey (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESs"}, 138, ) }, 138, ) == 0x0 01085 408 NtOpenKey (0x1, {24, 146, 0x40, 0, 0, (0x1, {24, 146, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01086 408 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 172, ) }, ... 172, ) == 0x0 01087 408 NtQueryKey (174, Name, 392, ... {Name= (174, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0 01088 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01089 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 176, ) == 0x0 01090 408 NtQueryInformationToken (176, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01091 408 NtClose (176, ... ) == 0x0 01092 408 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01093 408 NtQueryValueKey (174, (174, "PerceivedType", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01094 408 NtClose (174, ... ) == 0x0 01095 408 NtQueryKey (170, Name, 392, ... {Name= (170, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0 01096 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01097 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 
172, ) == 0x0 01098 408 NtQueryInformationToken (172, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01099 408 NtClose (172, ... ) == 0x0 01100 408 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01101 408 NtQueryValueKey (170, (170, "DocObject", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01102 408 NtQueryKey (170, Name, 392, ... {Name= (170, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0 01103 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01104 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 172, ) == 0x0 01105 408 NtQueryInformationToken (172, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01106 408 NtClose (172, ... ) == 0x0 01107 408 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01108 408 NtQueryValueKey (170, (170, "BrowseInPlace", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01109 408 NtQueryKey (170, Name, 384, ... {Name= (170, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0 01110 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01111 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 172, ) == 0x0 01112 408 NtQueryInformationToken (172, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01113 408 NtClose (172, ... ) == 0x0 01114 408 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01115 408 NtOpenKey (0x1, {24, 170, 0x40, 0, 0, (0x1, {24, 170, 0x40, 0, 0, "Clsid"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01116 408 NtQueryKey (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 01117 408 NtOpenKey (0x2000000, {24, 146, 0x40, 0, 0, (0x2000000, {24, 146, 0x40, 0, 0, "*"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01118 408 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\*"}, ... 172, ) }, ... 172, ) == 0x0 01119 408 NtQueryKey (174, Name, 384, ... {Name= (174, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\*"}, 76, ) }, 76, ) == 0x0 01120 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01121 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 176, ) == 0x0 01122 408 NtQueryInformationToken (176, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01123 408 NtClose (176, ... ) == 0x0 01124 408 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\*\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01125 408 NtOpenKey (0x1, {24, 174, 0x40, 0, 0, (0x1, {24, 174, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01126 408 NtQueryKey (170, Name, 392, ... {Name= (170, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0 01127 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01128 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 176, ) == 0x0 01129 408 NtQueryInformationToken (176, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01130 408 NtClose (176, ... ) == 0x0 01131 408 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01132 408 NtQueryValueKey (170, (170, "IsShortcut", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01133 408 NtQueryKey (170, Name, 392, ... {Name= (170, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0 01134 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01135 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 176, ) == 0x0 01136 408 NtQueryInformationToken (176, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01137 408 NtClose (176, ... ) == 0x0 01138 408 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01139 408 NtQueryValueKey (170, (170, "AlwaysShowExt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01140 408 NtQueryKey (170, Name, 392, ... {Name= (170, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0 01141 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01142 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 176, ) == 0x0 01143 408 NtQueryInformationToken (176, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01144 408 NtClose (176, ... ) == 0x0 01145 408 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01146 408 NtQueryValueKey (170, (170, "NeverShowExt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01147 408 NtClose (162, ... ) == 0x0 01148 408 NtClose (170, ... ) == 0x0 01149 408 NtClose (174, ... ) == 0x0 01150 408 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01151 408 NtCreateSemaphore (0x1f0003, {24, 72, 0x80, 1474216, 0, (0x1f0003, {24, 72, 0x80, 1474216, 0, "shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}"}, 0, 2147483647, ... 172, ) }, 0, 2147483647, ... 
172, ) == STATUS_OBJECT_NAME_EXISTS 01152 408 NtReleaseSemaphore (172, 1, ... 0, ) == 0x0 01153 408 NtWaitForSingleObject (172, 0, {0, 0}, ... ) == 0x0 01154 408 NtReleaseSemaphore (172, 1, ... 0, ) == 0x0 01155 408 NtWaitForSingleObject (172, 0, {0, 0}, ... ) == 0x0 01156 408 NtCreateKey (0x2000000, {24, 80, 0x40, 0, 0, (0x2000000, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 168, 2, ) }, 0, 0x0, 0, ... 168, 2, ) == 0x0 01157 408 NtQueryValueKey (168, (168, "Personal", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 66, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (168, "Personal", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 66, ) }, 66, ) == 0x0 01158 408 NtClose (168, ... ) == 0x0 01159 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents"}, 1235672, ... ) }, 1235672, ... ) == 0x0 01160 408 NtCreateKey (0x2000000, {24, 80, 0x40, 0, 0, (0x2000000, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 168, 2, ) }, 0, 0x0, 0, ... 168, 2, ) == 0x0 01161 408 NtSetValueKey (168, (168, "Personal", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0", 96, ... ) , 0, 1, (168, "Personal", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0", 96, ... ) , 96, ... ) == 0x0 01162 408 NtClose (168, ... ) == 0x0 01163 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1234084, ... ) }, 1234084, ... 
) == 0x0 01164 408 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 168, {status=0x0, info=1}, ) }, 5, 96, ... 168, {status=0x0, info=1}, ) == 0x0 01165 408 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 168, ... 160, ) == 0x0 01166 408 NtClose (168, ... ) == 0x0 01167 408 NtMapViewOfSection (160, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x960000), 0x0, 262144, ) == 0x0 01168 408 NtClose (160, ... ) == 0x0 01169 408 NtUnmapViewOfSection (-1, 0x960000, ... ) == 0x0 01170 408 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 01171 408 NtOpenEvent (0x100000, {24, 72, 0x0, 0, 0, (0x100000, {24, 72, 0x0, 0, 0, "_fCanRegisterWithShellService"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01172 408 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SETUPAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01173 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\SETUPAPI.dll"}, 1233648, ... ) }, 1233648, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01174 408 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "SETUPAPI.dll"}, 1233648, ... ) }, 1233648, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01175 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SETUPAPI.dll"}, 1233648, ... ) }, 1233648, ... ) == 0x0 01176 408 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SETUPAPI.dll"}, 5, 96, ... 160, {status=0x0, info=1}, ) }, 5, 96, ... 160, {status=0x0, info=1}, ) == 0x0 01177 408 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 160, ... 168, ) == 0x0 01178 408 NtQuerySection (168, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01179 408 NtClose (160, ... ) == 0x0 01180 408 NtMapViewOfSection (168, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76670000), 0x0, 933888, ) == 0x0 01181 408 NtClose (168, ... 
) == 0x0 01182 408 NtAllocateVirtualMemory (-1, 9125888, 0, 4096, 4096, 4, ... 9125888, 4096, ) == 0x0 01183 408 NtQueryDefaultLocale (1, 1233480, ... ) == 0x0 01184 408 NtQueryInformationProcess (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0 01185 408 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\Setup"}, ... 168, ) }, ... 168, ) == 0x0 01186 408 NtQueryValueKey (168, (168, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01187 408 NtClose (168, ... ) == 0x0 01188 408 NtUserGetProcessWindowStation (... ) == 0x28 01189 408 NtUserGetObjectInformation (40, 1, 1233152, 12, 1233164, ... ) == 0x1 01190 408 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\WPA\PnP"}, ... 168, ) }, ... 168, ) == 0x0 01191 408 NtQueryValueKey (168, (168, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\345\252r\363"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\345\252r\363"}, 16, ) }, 16, ) == 0x0 01192 408 NtClose (168, ... ) == 0x0 01193 408 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 168, ) }, ... 168, ) == 0x0 01194 408 NtQueryValueKey (168, (168, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0 01195 408 NtQueryValueKey (168, (168, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0 01196 408 NtClose (168, ... 
) == 0x0 01197 408 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 168, ) }, ... 168, ) == 0x0 01198 408 NtQueryValueKey (168, (168, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0 01199 408 NtQueryValueKey (168, (168, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0 01200 408 NtClose (168, ... ) == 0x0 01201 408 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 168, ) }, ... 168, ) == 0x0 01202 408 NtQueryValueKey (168, (168, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 01203 408 NtQueryValueKey (168, (168, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 01204 408 NtClose (168, ... ) == 0x0 01205 408 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 168, ) }, ... 168, ) == 0x0 01206 408 NtQueryValueKey (168, (168, "ServicePackSourcePath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 01207 408 NtQueryValueKey (168, (168, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 01208 408 NtClose (168, ... ) == 0x0 01209 408 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 168, ) }, ... 168, ) == 0x0 01210 408 NtQueryValueKey (168, (168, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (168, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0 01211 408 NtQueryValueKey (168, (168, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (168, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0 01212 408 NtClose (168, ... ) == 0x0 01213 408 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 168, ) }, ... 168, ) == 0x0 01214 408 NtQueryValueKey (168, (168, "DevicePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (168, "DevicePath", Partial, 144, ... 
TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0\0\0"}, 46, ) }, 46, ) == 0x0 01215 408 NtAllocateVirtualMemory (-1, 1482752, 0, 4096, 4096, 4, ... 1482752, 4096, ) == 0x0 01216 408 NtClose (168, ... ) == 0x0 01217 408 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 168, ) == 0x0 01218 408 NtCreateMutant (0x1f0001, 0x0, 0, ... 160, ) == 0x0 01219 408 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 176, ) == 0x0 01220 408 NtCreateMutant (0x1f0001, 0x0, 0, ... 180, ) == 0x0 01221 408 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 184, ) == 0x0 01222 408 NtCreateMutant (0x1f0001, 0x0, 0, ... 188, ) == 0x0 01223 408 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 192, ) }, ... 192, ) == 0x0 01224 408 NtQueryValueKey (192, (192, "LogLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01225 408 NtQueryValueKey (192, (192, "LogPath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01226 408 NtOpenKey (0x1, {24, 192, 0x40, 0, 0, (0x1, {24, 192, 0x40, 0, 0, "AppLogLevels"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01227 408 NtClose (192, ... ) == 0x0 01228 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 1233072, ... ) }, 1233072, ... ) == 0x0 01229 408 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName"}, ... 192, ) }, ... 192, ) == 0x0 01230 408 NtQueryValueKey (192, (192, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (192, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (192, "ComputerName", Full, 128, ... 
TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0 01231 408 NtClose (192, ... ) == 0x0 01232 408 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 192, ) }, ... 192, ) == 0x0 01233 408 NtQueryValueKey (192, (192, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (192, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) , Data= (192, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) }, 52, ) == 0x0 01234 408 NtClose (192, ... ) == 0x0 01235 408 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\System\DNSclient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01236 408 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 192, ) }, ... 192, ) == 0x0 01237 408 NtQueryValueKey (192, (192, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (192, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Data= (192, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) }, 34, ) == 0x0 01238 408 NtClose (192, ... ) == 0x0 01239 408 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01240 408 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 192, ) == 0x0 01241 408 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01242 408 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01243 408 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1233852, (0xc0100080, {24, 0, 0x40, 0, 1233852, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 
196, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 196, {status=0x0, info=1}, ) == 0x0 01244 408 NtSetInformationFile (196, 1233908, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 01245 408 NtSetInformationFile (196, 1233900, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 01246 408 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01247 408 NtWriteFile (196, 125, 0, 0, (196, 125, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 01248 408 NtReadFile (196, 125, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (196, 125, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\21\33\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 01249 408 NtFsControlFile (196, 125, 0x0, 0x0, 0x11c017, (196, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0t\332\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\21\33\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68}, (196, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0t\332\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... 
{status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\21\33\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 01250 408 NtFsControlFile (196, 125, 0x0, 0x0, 0x11c017, (196, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0j\0\0\0\2\0\0\0R\0\0\0\0\0\37\0\0\0\0\0[\373j)\375?\334\21\261\310\0\14)\371\246\305*\0,\0\14\344gv\26\0\0\0\0\0\0\0\25\0\0\0S\0e\0L\0o\0a\0d\0D\0r\0i\0v\0e\0r\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 106, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0[\373j)\375?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 106, 1024, ... {status=0x103, info=48}, (196, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0j\0\0\0\2\0\0\0R\0\0\0\0\0\37\0\0\0\0\0[\373j)\375?\334\21\261\310\0\14)\371\246\305*\0,\0\14\344gv\26\0\0\0\0\0\0\0\25\0\0\0S\0e\0L\0o\0a\0d\0D\0r\0i\0v\0e\0r\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 106, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0[\373j)\375?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 01251 408 NtFsControlFile (196, 125, 0x0, 0x0, 0x11c017, (196, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0[\373j)\375?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\12\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=36}, (196, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0[\373j)\375?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\12\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103 01252 408 NtClose (192, ... ) == 0x0 01253 408 NtClose (196, ... ) == 0x0 01254 408 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01255 408 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 196, ) == 0x0 01256 408 NtOpenThreadToken (-2, 0xc, 1, ... 
) == STATUS_NO_TOKEN 01257 408 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01258 408 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1233852, (0xc0100080, {24, 0, 0x40, 0, 1233852, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 192, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 192, {status=0x0, info=1}, ) == 0x0 01259 408 NtSetInformationFile (192, 1233908, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 01260 408 NtSetInformationFile (192, 1233900, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 01261 408 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01262 408 NtWriteFile (192, 125, 0, 0, (192, 125, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 01263 408 NtReadFile (192, 125, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (192, 125, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\22\33\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 01264 408 NtFsControlFile (192, 125, 0x0, 0x0, 0x11c017, (192, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0t\332\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\22\33\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68}, (192, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0t\332\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... 
{status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\22\33\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 01265 408 NtFsControlFile (192, 125, 0x0, 0x0, 0x11c017, (192, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0b\0\0\0\2\0\0\0J\0\0\0\0\0\37\0\0\0\0\0\\373j)\375?\334\21\261\310\0\14)\371\246\305"\0$\0l\343gv\22\0\0\0\0\0\0\0\21\0\0\0S\0e\0U\0n\0d\0o\0c\0k\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 98, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\\373j)\375?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) \0$\0l\343gv\22\0\0\0\0\0\0\0\21\0\0\0S\0e\0U\0n\0d\0o\0c\0k\0P\0r\0i\0v\0i\0l\0e\0g\0e\0 (192, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0b\0\0\0\2\0\0\0J\0\0\0\0\0\37\0\0\0\0\0\\373j)\375?\334\21\261\310\0\14)\371\246\305"\0$\0l\343gv\22\0\0\0\0\0\0\0\21\0\0\0S\0e\0U\0n\0d\0o\0c\0k\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 98, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\\373j)\375?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) \5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\\373j)\375?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) == 0x103 01266 408 NtFsControlFile (192, 125, 0x0, 0x0, 0x11c017, (192, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\\373j)\375?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\31\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=36}, (192, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\\373j)\375?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\31\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103 01267 408 NtClose (196, ... ) == 0x0 01268 408 NtClose (192, ... ) == 0x0 01269 408 NtOpenThreadToken (-2, 0x20, 1, ... 
) == STATUS_NO_TOKEN 01270 408 NtOpenProcessToken (-1, 0x20, ... 192, ) == 0x0 01271 408 NtAdjustPrivilegesToken (192, 0, 1482296, 0, 0, 0, ... ) == 0x0 01272 408 NtClose (192, ... ) == 0x0 01273 408 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01274 408 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 192, ) == 0x0 01275 408 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01276 408 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01277 408 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1234092, (0xc0100080, {24, 0, 0x40, 0, 1234092, "\??\PIPE\ntsvcs"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 196, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 196, {status=0x0, info=1}, ) == 0x0 01278 408 NtSetInformationFile (196, 1234148, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 01279 408 NtSetInformationFile (196, 1234140, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 01280 408 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01281 408 NtWriteFile (196, 125, 0, 0, (196, 125, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0@N\237\215=\240\316\21\217i\10\0>0\5\33\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 01282 408 NtReadFile (196, 125, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (196, 125, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\362\34\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 01283 408 NtFsControlFile (196, 125, 0x0, 0x0, 0x11c017, (196, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\27\0\15c\365S\277\266\320\21\224\362\0\240\311\36\373\213\0\0\0\0\0\0\0\0", 48, 1024, ... 
{status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\362\34\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 48, 1024, ... {status=0x103, info=68}, (196, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\27\0\15c\365S\277\266\320\21\224\362\0\240\311\36\373\213\0\0\0\0\0\0\0\0", 48, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\362\34\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 01284 408 NtOpenThreadToken (-2, 0x20, 1, ... ) == STATUS_NO_TOKEN 01285 408 NtOpenProcessToken (-1, 0x20, ... 200, ) == 0x0 01286 408 NtAdjustPrivilegesToken (200, 0, 1482376, 0, 0, 0, ... ) == 0x0 01287 408 NtClose (200, ... ) == 0x0 01288 408 NtFsControlFile (196, 125, 0x0, 0x0, 0x11c017, (196, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\04\0\0\0\2\0\0\0\34\0\0\0\0\0\26\0\15c\365S\277\266\320\21\224\362\0\240\311\36\373\213\0\0\0\0S\1\0\0\0\0\0\0", 52, 1024, ... {status=0x103, info=32}, "\5\0\2\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\0\0S\1\0\0\0\0\0\0", ) , 52, 1024, ... {status=0x103, info=32}, (196, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\04\0\0\0\2\0\0\0\34\0\0\0\0\0\26\0\15c\365S\277\266\320\21\224\362\0\240\311\36\373\213\0\0\0\0S\1\0\0\0\0\0\0", 52, 1024, ... {status=0x103, info=32}, "\5\0\2\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\0\0S\1\0\0\0\0\0\0", ) , ) == 0x103 01289 408 NtOpenFile (0x100080, {24, 0, 0x40, 0, 0, (0x100080, {24, 0, 0x40, 0, 0, "\??\FDC#GENERIC_FLOPPY_DRIVE#6&1435b2e2&0&0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, 3, 96, ... 200, {status=0x0, info=1}, ) }, 3, 96, ... 200, {status=0x0, info=1}, ) == 0x0 01290 408 NtOpenSymbolicLinkObject (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\??\FDC#GENERIC_FLOPPY_DRIVE#6&1435b2e2&0&0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, ... 204, ) }, ... 204, ) == 0x0 01291 408 NtQuerySymbolicLinkObject (204, ... (204, ... 
"\Device\FloppyPDO0", 38, ) , 38, ) == 0x0 01292 408 NtClose (204, ... ) == 0x0 01293 408 NtQueryVolumeInformationFile (200, 1234552, 8, Device, ... {status=0x0, info=8}, ) == 0x0 01294 408 NtClose (200, ... ) == 0x0 01295 408 NtOpenFile (0x100080, {24, 0, 0x40, 0, 0, (0x100080, {24, 0, 0x40, 0, 0, "\??\FDC#GENERIC_FLOPPY_DRIVE#6&1435b2e2&0&0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, 3, 16, ... 200, {status=0x0, info=1}, ) }, 3, 16, ... 200, {status=0x0, info=1}, ) == 0x0 01296 408 NtDeviceIoControlFile (200, 0, 0x0, 0x0, 0x4d0008, 0x0, 0, 520, ... {status=0x0, info=32}, (200, 0, 0x0, 0x0, 0x4d0008, 0x0, 0, 520, ... {status=0x0, info=32}, "\36\0\\0D\0e\0v\0i\0c\0e\0\\0F\0l\0o\0p\0p\0y\00\0", ) , ) == 0x0 01297 408 NtClose (200, ... ) == 0x0 01298 408 NtQueryInformationFile (-1, 1234552, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH 01299 408 NtCreateFile (0x100080, {24, 0, 0x40, 0, 1234504, (0x100080, {24, 0, 0x40, 0, 1234504, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) == 0x0 01300 408 NtDeviceIoControlFile (200, 0, 0x0, 0x0, 0x6d0008, (200, 0, 0x0, 0x0, 0x6d0008, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0\36\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0F\0l\0o\0p\0p\0y\00\0", 54, 32, ... , 54, 32, ... 01301 408 NtOpenFile (0x80, {24, 0, 0x200, 0, 0, (0x80, {24, 0, 0x200, 0, 0, "\Device\Floppy0"}, 0, 64, ... -2147482020, {status=0x0, info=1}, ) }, 0, 64, ... -2147482020, {status=0x0, info=1}, ) == 0x0 01302 408 NtClose (-2147482020, ... ) == 0x0 01300 408 NtDeviceIoControlFile ... ) == STATUS_BUFFER_OVERFLOW 01303 408 NtDeviceIoControlFile (200, 0, 0x0, 0x0, 0x6d0008, (200, 0, 0x0, 0x0, 0x6d0008, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0\36\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0F\0l\0o\0p\0p\0y\00\0", 54, 374, ... , 54, 374, ... 01304 408 NtOpenFile (0x80, {24, 0, 0x200, 0, 0, (0x80, {24, 0, 0x200, 0, 0, "\Device\Floppy0"}, 0, 64, ... -2147482020, {status=0x0, info=1}, ) }, 0, 64, ... 
-2147482020, {status=0x0, info=1}, ) == 0x0 01305 408 NtClose (-2147482020, ... ) == 0x0 01303 408 NtDeviceIoControlFile ... {status=0x0, info=374}, ... {status=0x0, info=374}, "v\1\0\0\2\0\0\0\372\0\0\0`\0\0\08\0\0\0\244\0\0\0\334\0\0\0\36\0v\0Z\1\0\0\34\0\\08\0\0\0\244\0p\0\334\0\0\0\36\0\0\0\\0?\0?\0\\0F\0D\0C\0#\0G\0E\0N\0E\0R\0I\0C\0_\0F\0L\0O\0P\0P\0Y\0_\0D\0R\0I\0V\0E\0#\06\0&\01\04\03\05\0b\02\0e\02\0&\00\0&\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\\0D\0e\0v\0i\0c\0e\0\\0F\0l\0o\0p\0p\0y\00\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\06\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\\0D\0o\0s\0D\0e\0v\0i\0c\0e\0s\0\\0A\0:\0", ) , ) == 0x0 01306 408 NtClose (200, ... ) == 0x0 01307 408 NtAllocateVirtualMemory (-1, 1486848, 0, 4096, 4096, 4, ... 1486848, 4096, ) == 0x0 01308 408 NtOpenKey (0x2000000, {24, 80, 0x40, 0, 0, (0x2000000, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 200, ) }, ... 200, ) == 0x0 01309 408 NtOpenKey (0x2000000, {24, 200, 0x40, 0, 0, (0x2000000, {24, 200, 0x40, 0, 0, "{1a0315e6-a4ba-11db-9d02-806d6172696f}\"}, ... 204, ) }, ... 204, ) == 0x0 01310 408 NtClose (200, ... ) == 0x0 01311 408 NtQueryValueKey (204, (204, "Data", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01312 408 NtQueryValueKey (204, (204, "Data", Partial, 712, ... 
TitleIdx=0, Type=3, Data="\0\0\0\0\\0\\0?\0\\0F\0D\0C\0#\0G\0E\0N\0E\0R\0I\0C\0_\0F\0L\0O\0P\0P\0Y\0_\0D\0R\0I\0V\0E\0#\06\0&\01\04\03\05\0b\02\0e\02\0&\00\0&\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\0\\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\06\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\0\0\0\0\0\310\2\0\0!\5\0\0\214\1\0\0\230\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0!\5\0\0\214\1\0\0\230\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0"\5\0\0\214\1\0\0\230\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0P\0\0\0l\326\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\0\226\0\250\326\22\0\0\0\0\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0"}, 712, ) , Partial, 712, ... TitleIdx=0, Type=3, Data= (204, "Data", Partial, 712, ... 
TitleIdx=0, Type=3, Data="\0\0\0\0\\0\\0?\0\\0F\0D\0C\0#\0G\0E\0N\0E\0R\0I\0C\0_\0F\0L\0O\0P\0P\0Y\0_\0D\0R\0I\0V\0E\0#\06\0&\01\04\03\05\0b\02\0e\02\0&\00\0&\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\0\\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\06\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\0\0\0\0\0\310\2\0\0!\5\0\0\214\1\0\0\230\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0!\5\0\0\214\1\0\0\230\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0"\5\0\0\214\1\0\0\230\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0P\0\0\0l\326\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\0\226\0\250\326\22\0\0\0\0\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0"}, 712, ) \5\0\0\214\1\0\0\230\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0P\0\0\0l\326\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\0\226\0\250\326\22\0\0\0\0\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0"}, 712, ) == 0x0 01313 408 NtClose (204, ... ) == 0x0 01314 408 NtOpenKey (0x2000000, {24, 80, 0x40, 0, 0, (0x2000000, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 204, ) }, ... 204, ) == 0x0 01315 408 NtOpenKey (0x2000000, {24, 204, 0x40, 0, 0, (0x2000000, {24, 204, 0x40, 0, 0, "{1a0315e6-a4ba-11db-9d02-806d6172696f}\"}, ... 200, ) }, ... 
200, ) == 0x0 01316 408 NtClose (204, ... ) == 0x0 01317 408 NtQueryValueKey (200, (200, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (200, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01318 408 NtClose (200, ... ) == 0x0 01319 408 NtOpenFile (0x100080, {24, 0, 0x40, 0, 0, (0x100080, {24, 0, 0x40, 0, 0, "\??\IDE#CdRomTEAC_CD-224E-N__________________________1.AA____#3031303030303030303030303030303030303130#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, 3, 96, ... 200, {status=0x0, info=0}, ) }, 3, 96, ... 200, {status=0x0, info=0}, ) == 0x0 01320 408 NtOpenSymbolicLinkObject (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\??\IDE#CdRomTEAC_CD-224E-N__________________________1.AA____#3031303030303030303030303030303030303130#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, ... 204, ) }, ... 204, ) == 0x0 01321 408 NtQuerySymbolicLinkObject (204, ... (204, ... "\Device\Ide\IdeDeviceP1T0L0-e", 60, ) , 60, ) == 0x0 01322 408 NtClose (204, ... ) == 0x0 01323 408 NtQueryVolumeInformationFile (200, 1234552, 8, Device, ... {status=0x0, info=8}, ) == 0x0 01324 408 NtClose (200, ... ) == 0x0 01325 408 NtOpenFile (0x100080, {24, 0, 0x40, 0, 0, (0x100080, {24, 0, 0x40, 0, 0, "\??\IDE#CdRomTEAC_CD-224E-N__________________________1.AA____#3031303030303030303030303030303030303130#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, 3, 16, ... 200, {status=0x0, info=0}, ) }, 3, 16, ... 200, {status=0x0, info=0}, ) == 0x0 01326 408 NtDeviceIoControlFile (200, 0, 0x0, 0x0, 0x4d0008, 0x0, 0, 520, ... {status=0x0, info=30}, (200, 0, 0x0, 0x0, 0x4d0008, 0x0, 0, 520, ... {status=0x0, info=30}, "\34\0\\0D\0e\0v\0i\0c\0e\0\\0C\0d\0R\0o\0m\00\0", ) , ) == 0x0 01327 408 NtClose (200, ... ) == 0x0 01328 408 NtQueryInformationFile (-1, 1234552, 4, Ea, ... 
) == STATUS_OBJECT_TYPE_MISMATCH 01329 408 NtCreateFile (0x100080, {24, 0, 0x40, 0, 1234504, (0x100080, {24, 0, 0x40, 0, 1234504, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) == 0x0 01330 408 NtDeviceIoControlFile (200, 0, 0x0, 0x0, 0x6d0008, (200, 0, 0x0, 0x0, 0x6d0008, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0\34\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0C\0d\0R\0o\0m\00\0", 52, 32, ... , 52, 32, ... 01331 408 NtOpenFile (0x80, {24, 0, 0x200, 0, 0, (0x80, {24, 0, 0x200, 0, 0, "\Device\CdRom0"}, 0, 64, ... -2147482020, {status=0x0, info=0}, ) }, 0, 64, ... -2147482020, {status=0x0, info=0}, ) == 0x0 01332 408 NtClose (-2147482020, ... ) == 0x0 01330 408 NtDeviceIoControlFile ... ) == STATUS_BUFFER_OVERFLOW 01333 408 NtDeviceIoControlFile (200, 0, 0x0, 0x0, 0x6d0008, (200, 0, 0x0, 0x0, 0x6d0008, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0\34\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0C\0d\0R\0o\0m\00\0", 52, 490, ... , 52, 490, ... 01334 408 NtOpenFile (0x80, {24, 0, 0x200, 0, 0, (0x80, {24, 0, 0x200, 0, 0, "\Device\CdRom0"}, 0, 64, ... -2147482020, {status=0x0, info=0}, ) }, 0, 64, ... -2147482020, {status=0x0, info=0}, ) == 0x0 01335 408 NtClose (-2147482020, ... ) == 0x0 01333 408 NtDeviceIoControlFile ... {status=0x0, info=490}, ... 
{status=0x0, info=490}, "\352\1\0\0\2\0\0\0n\1\0\0`\0\0\08\0\0\0\32\1\0\0R\1\0\0\34\0v\0\316\1\0\0\34\0\\08\0\0\0\32\1o\0R\1\0\0\34\0\0\0\\0?\0?\0\\0I\0D\0E\0#\0C\0d\0R\0o\0m\0T\0E\0A\0C\0_\0C\0D\0-\02\02\04\0E\0-\0N\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\01\0.\0A\0A\0_\0_\0_\0_\0#\03\00\03\01\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\01\03\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\\0D\0e\0v\0i\0c\0e\0\\0C\0d\0R\0o\0m\00\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\07\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\\0D\0o\0s\0D\0e\0v\0i\0c\0e\0s\0\\0D\0:\0", ) , ) == 0x0 01336 408 NtClose (200, ... ) == 0x0 01337 408 NtOpenKey (0x2000000, {24, 80, 0x40, 0, 0, (0x2000000, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 200, ) }, ... 200, ) == 0x0 01338 408 NtOpenKey (0x2000000, {24, 200, 0x40, 0, 0, (0x2000000, {24, 200, 0x40, 0, 0, "{1a0315e7-a4ba-11db-9d02-806d6172696f}\"}, ... 204, ) }, ... 204, ) == 0x0 01339 408 NtClose (200, ... ) == 0x0 01340 408 NtQueryValueKey (204, (204, "Data", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01341 408 NtQueryValueKey (204, (204, "Data", Partial, 712, ... 
TitleIdx=0, Type=3, Data="\0\0\0\0\\0\\0?\0\\0I\0D\0E\0#\0C\0d\0R\0o\0m\0T\0E\0A\0C\0_\0C\0D\0-\02\02\04\0E\0-\0N\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\01\0.\0A\0A\0_\0_\0_\0_\0#\03\00\03\01\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\01\03\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\0\\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\07\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\0\0\0\0\0\310\2\0\0>\5\0\0\214\1\0\0\230\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0>\5\0\0\214\1\0\0\230\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0?\5\0\0\214\1\0\0\230\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0P\0\0\0l\326\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\0\226\0\250\326\22\0\0\0\0\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0"}, 712, ) , Partial, 712, ... TitleIdx=0, Type=3, Data= (204, "Data", Partial, 712, ... 
TitleIdx=0, Type=3, Data="\0\0\0\0\\0\\0?\0\\0I\0D\0E\0#\0C\0d\0R\0o\0m\0T\0E\0A\0C\0_\0C\0D\0-\02\02\04\0E\0-\0N\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\01\0.\0A\0A\0_\0_\0_\0_\0#\03\00\03\01\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\01\03\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\0\\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\07\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\0\0\0\0\0\310\2\0\0>\5\0\0\214\1\0\0\230\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0>\5\0\0\214\1\0\0\230\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0?\5\0\0\214\1\0\0\230\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0P\0\0\0l\326\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\0\226\0\250\326\22\0\0\0\0\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0"}, 712, ) }, 712, ) == 0x0 01342 408 NtClose (204, ... ) == 0x0 01343 408 NtOpenKey (0x2000000, {24, 80, 0x40, 0, 0, (0x2000000, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 204, ) }, ... 204, ) == 0x0 01344 408 NtOpenKey (0x2000000, {24, 204, 0x40, 0, 0, (0x2000000, {24, 204, 0x40, 0, 0, "{1a0315e7-a4ba-11db-9d02-806d6172696f}\"}, ... 200, ) }, ... 200, ) == 0x0 01345 408 NtClose (204, ... ) == 0x0 01346 408 NtQueryValueKey (200, (200, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (200, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01347 408 NtClose (200, ... 
) == 0x0 01348 408 NtOpenFile (0x100080, {24, 0, 0x40, 0, 0, (0x100080, {24, 0, 0x40, 0, 0, "\??\STORAGE#Volume#1&30a96598&0&SignatureEF3BEF3BOffset7E00LengthBFB48200#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, 3, 96, ... 200, {status=0x0, info=0}, ) }, 3, 96, ... 200, {status=0x0, info=0}, ) == 0x0 01349 408 NtOpenSymbolicLinkObject (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\??\STORAGE#Volume#1&30a96598&0&SignatureEF3BEF3BOffset7E00LengthBFB48200#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, ... 204, ) }, ... 204, ) == 0x0 01350 408 NtQuerySymbolicLinkObject (204, ... (204, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0 01351 408 NtClose (204, ... ) == 0x0 01352 408 NtQueryVolumeInformationFile (200, 1234552, 8, Device, ... {status=0x0, info=8}, ) == 0x0 01353 408 NtClose (200, ... ) == 0x0 01354 408 NtOpenFile (0x100080, {24, 0, 0x40, 0, 0, (0x100080, {24, 0, 0x40, 0, 0, "\??\STORAGE#Volume#1&30a96598&0&SignatureEF3BEF3BOffset7E00LengthBFB48200#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, 3, 16, ... 200, {status=0x0, info=0}, ) }, 3, 16, ... 200, {status=0x0, info=0}, ) == 0x0 01355 408 NtDeviceIoControlFile (200, 0, 0x0, 0x0, 0x4d0008, 0x0, 0, 520, ... {status=0x0, info=48}, (200, 0, 0x0, 0x0, 0x4d0008, 0x0, 0, 520, ... {status=0x0, info=48}, ".\0\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0", ) , ) == 0x0 01356 408 NtClose (200, ... ) == 0x0 01357 408 NtQueryInformationFile (-1, 1234552, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH 01358 408 NtCreateFile (0x100080, {24, 0, 0x40, 0, 1234504, (0x100080, {24, 0, 0x40, 0, 1234504, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) == 0x0 01359 408 NtDeviceIoControlFile (200, 0, 0x0, 0x0, 0x6d0008, (200, 0, 0x0, 0x0, 0x6d0008, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0.\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0", 70, 32, ... , 70, 32, ... 
01360 408 NtOpenFile (0x80, {24, 0, 0x200, 0, 0, (0x80, {24, 0, 0x200, 0, 0, "\Device\HarddiskVolume1"}, 0, 64, ... -2147482020, {status=0x0, info=0}, ) }, 0, 64, ... -2147482020, {status=0x0, info=0}, ) == 0x0 01361 408 NtClose (-2147482020, ... ) == 0x0 01359 408 NtDeviceIoControlFile ... ) == STATUS_BUFFER_OVERFLOW 01362 408 NtDeviceIoControlFile (200, 0, 0x0, 0x0, 0x6d0008, (200, 0, 0x0, 0x0, 0x6d0008, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0.\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0", 70, 238, ... , 70, 238, ... 01363 408 NtOpenFile (0x80, {24, 0, 0x200, 0, 0, (0x80, {24, 0, 0x200, 0, 0, "\Device\HarddiskVolume1"}, 0, 64, ... -2147482020, {status=0x0, info=0}, ) }, 0, 64, ... -2147482020, {status=0x0, info=0}, ) == 0x0 01364 408 NtClose (-2147482020, ... ) == 0x0 01362 408 NtDeviceIoControlFile ... {status=0x0, info=238}, ... {status=0x0, info=238}, "\356\0\0\0\2\0\0\0r\0\0\0`\0\0\08\0\0\0\14\0\0\0D\0\0\0.\0v\0\322\0\0\0\34\0\\08\0\0\0\14\0d\0D\0\0\0.\0k\0;\357;\357\0~\0\0\0\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\09\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\\0D\0o\0s\0D\0e\0v\0i\0c\0e\0s\0\\0C\0:\0", ) , ) == 0x0 01365 408 NtClose (200, ... ) == 0x0 01366 408 NtOpenKey (0x2000000, {24, 80, 0x40, 0, 0, (0x2000000, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 200, ) }, ... 200, ) == 0x0 01367 408 NtOpenKey (0x2000000, {24, 200, 0x40, 0, 0, (0x2000000, {24, 200, 0x40, 0, 0, "{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, ... 204, ) }, ... 204, ) == 0x0 01368 408 NtClose (200, ... ) == 0x0 01369 408 NtQueryValueKey (204, (204, "Data", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01370 408 NtQueryValueKey (204, (204, "Data", Partial, 712, ... 
TitleIdx=0, Type=3, Data="\0\0\0\0\\0\\0?\0\\0S\0T\0O\0R\0A\0G\0E\0#\0V\0o\0l\0u\0m\0e\0#\01\0&\03\00\0a\09\06\05\09\08\0&\00\0&\0S\0i\0g\0n\0a\0t\0u\0r\0e\0E\0F\03\0B\0E\0F\03\0B\0O\0f\0f\0s\0e\0t\07\0E\00\00\0L\0e\0n\0g\0t\0h\0B\0F\0B\04\08\02\00\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\0\\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\09\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\0\0\0\0\0\310\2\0\0[\5\0\0\214\1\0\0\230\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0[\5\0\0\214\1\0\0\230\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\\5\0\0\214\1\0\0\230\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0P\0\0\0l\326\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\0\226\0\250\326\22\0\0\0\0\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0"}, 712, ) , Partial, 712, ... TitleIdx=0, Type=3, Data= (204, "Data", Partial, 712, ... 
TitleIdx=0, Type=3, Data="\0\0\0\0\\0\\0?\0\\0S\0T\0O\0R\0A\0G\0E\0#\0V\0o\0l\0u\0m\0e\0#\01\0&\03\00\0a\09\06\05\09\08\0&\00\0&\0S\0i\0g\0n\0a\0t\0u\0r\0e\0E\0F\03\0B\0E\0F\03\0B\0O\0f\0f\0s\0e\0t\07\0E\00\00\0L\0e\0n\0g\0t\0h\0B\0F\0B\04\08\02\00\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\0\\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\09\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\0\0\0\0\0\310\2\0\0[\5\0\0\214\1\0\0\230\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0[\5\0\0\214\1\0\0\230\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\\5\0\0\214\1\0\0\230\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0P\0\0\0l\326\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\0\226\0\250\326\22\0\0\0\0\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0"}, 712, ) }, 712, ) == 0x0 01371 408 NtClose (204, ... ) == 0x0 01372 408 NtOpenKey (0x2000000, {24, 80, 0x40, 0, 0, (0x2000000, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 204, ) }, ... 204, ) == 0x0 01373 408 NtOpenKey (0x2000000, {24, 204, 0x40, 0, 0, (0x2000000, {24, 204, 0x40, 0, 0, "{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, ... 200, ) }, ... 200, ) == 0x0 01374 408 NtClose (204, ... ) == 0x0 01375 408 NtQueryValueKey (200, (200, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (200, "Generation", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01376 408 NtClose (200, ... ) == 0x0 01377 408 NtQueryInformationFile (-1, 1235756, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH 01378 408 NtCreateFile (0x100080, {24, 0, 0x40, 0, 1235708, (0x100080, {24, 0, 0x40, 0, 1235708, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) == 0x0 01379 408 NtDeviceIoControlFile (200, 0, 0x0, 0x0, 0x6d0034, (200, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\09\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 8, ... , 520, 8, ... 01380 408 NtOpenFile (0x80, {24, 0, 0x200, 0, 0, (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e9-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482020, {status=0x0, info=0}, ) }, 0, 64, ... -2147482020, {status=0x0, info=0}, ) == 0x0 01381 408 NtClose (-2147482020, ... ) == 0x0 01379 408 NtDeviceIoControlFile ... 
) == STATUS_BUFFER_OVERFLOW 01382 408 NtDeviceIoControlFile (200, 0, 0x0, 0x0, 0x6d0034, (200, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\09\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 16, ... , 520, 16, ... 01383 408 NtOpenFile (0x80, {24, 0, 0x200, 0, 0, (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e9-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482020, {status=0x0, info=0}, ) }, 0, 64, ... -2147482020, {status=0x0, info=0}, ) == 0x0 01384 408 NtClose (-2147482020, ... ) == 0x0 01382 408 NtDeviceIoControlFile ... {status=0x0, info=12}, ... {status=0x0, info=12}, "\10\0\0\0C\0:\0\0\0\0\0", ) , ) == 0x0 01385 408 NtClose (200, ... ) == 0x0 01386 408 NtQueryInformationFile (-1, 1235756, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH 01387 408 NtCreateFile (0x100080, {24, 0, 0x40, 0, 1235708, (0x100080, {24, 0, 0x40, 0, 1235708, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 
200, {status=0x0, info=0}, ) == 0x0 01388 408 NtDeviceIoControlFile (200, 0, 0x0, 0x0, 0x6d0034, (200, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\09\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 8, ... , 520, 8, ... 01389 408 NtOpenFile (0x80, {24, 0, 0x200, 0, 0, (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e9-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482020, {status=0x0, info=0}, ) }, 0, 64, ... -2147482020, {status=0x0, info=0}, ) == 0x0 01390 408 NtClose (-2147482020, ... ) == 0x0 01388 408 NtDeviceIoControlFile ... 
) == STATUS_BUFFER_OVERFLOW 01391 408 NtDeviceIoControlFile (200, 0, 0x0, 0x0, 0x6d0034, (200, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\09\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 16, ... , 520, 16, ... 01392 408 NtOpenFile (0x80, {24, 0, 0x200, 0, 0, (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e9-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482020, {status=0x0, info=0}, ) }, 0, 64, ... -2147482020, {status=0x0, info=0}, ) == 0x0 01393 408 NtClose (-2147482020, ... ) == 0x0 01391 408 NtDeviceIoControlFile ... {status=0x0, info=12}, ... {status=0x0, info=12}, "\10\0\0\0C\0:\0\0\0\0\0", ) , ) == 0x0 01394 408 NtClose (200, ... ) == 0x0 01395 408 NtCreateKey (0x2000000, {24, 80, 0x40, 0, 0, (0x2000000, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, 0, 0x0, 0, ... 200, 2, ) }, 0, 0x0, 0, ... 200, 2, ) == 0x0 01396 408 NtSetValueKey (200, (200, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 0, 1, (200, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 12, ... 
) == 0x0 01397 408 NtClose (200, ... ) == 0x0 01398 408 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\C\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01399 408 NtQueryKey (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0 01400 408 NtOpenKey (0x1, {24, 146, 0x40, 0, 0, (0x1, {24, 146, 0x40, 0, 0, "Applications\Explorer.exe\Drives\C\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01401 408 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\C\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01402 408 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\C\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01403 408 NtQueryKey (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0 01404 408 NtOpenKey (0x1, {24, 146, 0x40, 0, 0, (0x1, {24, 146, 0x40, 0, 0, "Applications\Explorer.exe\Drives\C\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01405 408 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\C\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01406 408 NtQueryInformationFile (-1, 1235756, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH 01407 408 NtCreateFile (0x100080, {24, 0, 0x40, 0, 1235708, (0x100080, {24, 0, 0x40, 0, 1235708, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 
200, {status=0x0, info=0}, ) == 0x0 01408 408 NtDeviceIoControlFile (200, 0, 0x0, 0x0, 0x6d0034, (200, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\07\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 8, ... , 520, 8, ... 01409 408 NtOpenFile (0x80, {24, 0, 0x200, 0, 0, (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e7-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482020, {status=0x0, info=0}, ) }, 0, 64, ... -2147482020, {status=0x0, info=0}, ) == 0x0 01410 408 NtClose (-2147482020, ... ) == 0x0 01408 408 NtDeviceIoControlFile ... 
) == STATUS_BUFFER_OVERFLOW 01411 408 NtDeviceIoControlFile (200, 0, 0x0, 0x0, 0x6d0034, (200, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\07\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 16, ... , 520, 16, ... 01412 408 NtOpenFile (0x80, {24, 0, 0x200, 0, 0, (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e7-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482020, {status=0x0, info=0}, ) }, 0, 64, ... -2147482020, {status=0x0, info=0}, ) == 0x0 01413 408 NtClose (-2147482020, ... ) == 0x0 01411 408 NtDeviceIoControlFile ... {status=0x0, info=12}, ... {status=0x0, info=12}, "\10\0\0\0D\0:\0\0\0\0\0", ) , ) == 0x0 01414 408 NtClose (200, ... ) == 0x0 01415 408 NtQueryInformationFile (-1, 1235756, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH 01416 408 NtCreateFile (0x100080, {24, 0, 0x40, 0, 1235708, (0x100080, {24, 0, 0x40, 0, 1235708, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 
200, {status=0x0, info=0}, ) == 0x0 01417 408 NtDeviceIoControlFile (200, 0, 0x0, 0x0, 0x6d0034, (200, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\07\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 8, ... , 520, 8, ... 01418 408 NtOpenFile (0x80, {24, 0, 0x200, 0, 0, (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e7-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482020, {status=0x0, info=0}, ) }, 0, 64, ... -2147482020, {status=0x0, info=0}, ) == 0x0 01419 408 NtClose (-2147482020, ... ) == 0x0 01417 408 NtDeviceIoControlFile ... 
) == STATUS_BUFFER_OVERFLOW 01420 408 NtDeviceIoControlFile (200, 0, 0x0, 0x0, 0x6d0034, (200, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\07\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 16, ... , 520, 16, ... 01421 408 NtOpenFile (0x80, {24, 0, 0x200, 0, 0, (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e7-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482020, {status=0x0, info=0}, ) }, 0, 64, ... -2147482020, {status=0x0, info=0}, ) == 0x0 01422 408 NtClose (-2147482020, ... ) == 0x0 01420 408 NtDeviceIoControlFile ... {status=0x0, info=12}, ... {status=0x0, info=12}, "\10\0\0\0D\0:\0\0\0\0\0", ) , ) == 0x0 01423 408 NtClose (200, ... ) == 0x0 01424 408 NtCreateKey (0x2000000, {24, 80, 0x40, 0, 0, (0x2000000, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1a0315e7-a4ba-11db-9d02-806d6172696f}\"}, 0, 0x0, 0, ... 200, 2, ) }, 0, 0x0, 0, ... 200, 2, ) == 0x0 01425 408 NtSetValueKey (200, (200, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 0, 1, (200, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 12, ... 
) == 0x0 01426 408 NtClose (200, ... ) == 0x0 01427 408 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\D\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01428 408 NtQueryKey (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0 01429 408 NtOpenKey (0x1, {24, 146, 0x40, 0, 0, (0x1, {24, 146, 0x40, 0, 0, "Applications\Explorer.exe\Drives\D\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01430 408 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\D\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01431 408 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\D\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01432 408 NtQueryKey (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0 01433 408 NtOpenKey (0x1, {24, 146, 0x40, 0, 0, (0x1, {24, 146, 0x40, 0, 0, "Applications\Explorer.exe\Drives\D\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01434 408 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\D\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01435 408 NtQueryInformationFile (-1, 1235756, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH 01436 408 NtCreateFile (0x100080, {24, 0, 0x40, 0, 1235708, (0x100080, {24, 0, 0x40, 0, 1235708, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 
200, {status=0x0, info=0}, ) == 0x0 01437 408 NtDeviceIoControlFile (200, 0, 0x0, 0x0, 0x6d0034, (200, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\06\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 8, ... , 520, 8, ... 01438 408 NtOpenFile (0x80, {24, 0, 0x200, 0, 0, (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e6-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482020, {status=0x0, info=1}, ) }, 0, 64, ... -2147482020, {status=0x0, info=1}, ) == 0x0 01439 408 NtClose (-2147482020, ... ) == 0x0 01437 408 NtDeviceIoControlFile ... 
) == STATUS_BUFFER_OVERFLOW 01440 408 NtDeviceIoControlFile (200, 0, 0x0, 0x0, 0x6d0034, (200, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\06\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 16, ... , 520, 16, ... 01441 408 NtOpenFile (0x80, {24, 0, 0x200, 0, 0, (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e6-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482020, {status=0x0, info=1}, ) }, 0, 64, ... -2147482020, {status=0x0, info=1}, ) == 0x0 01442 408 NtClose (-2147482020, ... ) == 0x0 01440 408 NtDeviceIoControlFile ... {status=0x0, info=12}, ... {status=0x0, info=12}, "\10\0\0\0A\0:\0\0\0\0\0", ) , ) == 0x0 01443 408 NtClose (200, ... ) == 0x0 01444 408 NtQueryInformationFile (-1, 1235756, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH 01445 408 NtCreateFile (0x100080, {24, 0, 0x40, 0, 1235708, (0x100080, {24, 0, 0x40, 0, 1235708, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 
200, {status=0x0, info=0}, ) == 0x0 01446 408 NtDeviceIoControlFile (200, 0, 0x0, 0x0, 0x6d0034, (200, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\06\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 8, ... , 520, 8, ... 01447 408 NtOpenFile (0x80, {24, 0, 0x200, 0, 0, (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e6-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482020, {status=0x0, info=1}, ) }, 0, 64, ... -2147482020, {status=0x0, info=1}, ) == 0x0 01448 408 NtClose (-2147482020, ... ) == 0x0 01446 408 NtDeviceIoControlFile ... 
) == STATUS_BUFFER_OVERFLOW 01449 408 NtDeviceIoControlFile (200, 0, 0x0, 0x0, 0x6d0034, (200, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\06\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 16, ... , 520, 16, ... 01450 408 NtOpenFile (0x80, {24, 0, 0x200, 0, 0, (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e6-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482020, {status=0x0, info=1}, ) }, 0, 64, ... -2147482020, {status=0x0, info=1}, ) == 0x0 01451 408 NtClose (-2147482020, ... ) == 0x0 01449 408 NtDeviceIoControlFile ... {status=0x0, info=12}, ... {status=0x0, info=12}, "\10\0\0\0A\0:\0\0\0\0\0", ) , ) == 0x0 01452 408 NtClose (200, ... ) == 0x0 01453 408 NtCreateKey (0x2000000, {24, 80, 0x40, 0, 0, (0x2000000, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1a0315e6-a4ba-11db-9d02-806d6172696f}\"}, 0, 0x0, 0, ... 200, 2, ) }, 0, 0x0, 0, ... 200, 2, ) == 0x0 01454 408 NtSetValueKey (200, (200, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 0, 1, (200, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 12, ... 
) == 0x0 01455 408 NtClose (200, ... ) == 0x0 01456 408 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\A\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01457 408 NtQueryKey (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0 01458 408 NtOpenKey (0x1, {24, 146, 0x40, 0, 0, (0x1, {24, 146, 0x40, 0, 0, "Applications\Explorer.exe\Drives\A\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01459 408 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\A\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01460 408 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\A\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01461 408 NtQueryKey (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0 01462 408 NtOpenKey (0x1, {24, 146, 0x40, 0, 0, (0x1, {24, 146, 0x40, 0, 0, "Applications\Explorer.exe\Drives\A\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01463 408 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\A\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01464 408 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 01465 408 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 01466 408 NtOpenFile (0x100080, {24, 0, 0x40, 0, 0, (0x100080, {24, 0, 0x40, 0, 0, "\??\F:"}, 3, 96, ... 200, {status=0x0, info=1}, ) }, 3, 96, ... 
200, {status=0x0, info=1}, ) == 0x0 01467 408 NtOpenSymbolicLinkObject (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\??\F:"}, ... 204, ) }, ... 204, ) == 0x0 01468 408 NtQuerySymbolicLinkObject (204, ... (204, ... "\Device\WinDfs\F:000000000000922c", 66, ) , 66, ) == 0x0 01469 408 NtClose (204, ... ) == 0x0 01470 408 NtQueryVolumeInformationFile (200, 1235800, 8, Device, ... {status=0x0, info=8}, ) == 0x0 01471 408 NtClose (200, ... ) == 0x0 01472 408 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 01473 408 NtOpenFile (0x100080, {24, 0, 0x40, 0, 0, (0x100080, {24, 0, 0x40, 0, 0, "\??\U:"}, 3, 96, ... 200, {status=0x0, info=1}, ) }, 3, 96, ... 200, {status=0x0, info=1}, ) == 0x0 01474 408 NtOpenSymbolicLinkObject (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\??\U:"}, ... 204, ) }, ... 204, ) == 0x0 01475 408 NtQuerySymbolicLinkObject (204, ... (204, ... "\Device\WinDfs\U:000000000000922c", 66, ) , 66, ) == 0x0 01476 408 NtClose (204, ... ) == 0x0 01477 408 NtQueryVolumeInformationFile (200, 1235800, 8, Device, ... {status=0x0, info=8}, ) == 0x0 01478 408 NtClose (200, ... ) == 0x0 01479 408 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 01480 408 NtOpenKey (0x2000000, {24, 80, 0x40, 0, 0, (0x2000000, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 200, ) }, ... 200, ) == 0x0 01481 408 NtOpenKey (0x2000000, {24, 200, 0x40, 0, 0, (0x2000000, {24, 200, 0x40, 0, 0, "{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, ... 204, ) }, ... 204, ) == 0x0 01482 408 NtClose (200, ... ) == 0x0 01483 408 NtQueryValueKey (204, (204, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01484 408 NtClose (204, ... 
) == 0x0 01485 408 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 204, {status=0x0, info=1}, ) }, 3, 16417, ... 204, {status=0x0, info=1}, ) == 0x0 01486 408 NtQueryDirectoryFile (204, 0, 0, 0, 1233988, 616, BothDirectory, 1, (204, 0, 0, 0, 1233988, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0 01487 408 NtClose (204, ... ) == 0x0 01488 408 NtQueryKey (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0 01489 408 NtOpenKey (0x2000000, {24, 146, 0x40, 0, 0, (0x2000000, {24, 146, 0x40, 0, 0, "Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01490 408 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Directory"}, ... 204, ) }, ... 204, ) == 0x0 01491 408 NtQueryKey (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0 01492 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01493 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 200, ) == 0x0 01494 408 NtQueryInformationToken (200, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01495 408 NtClose (200, ... ) == 0x0 01496 408 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01497 408 NtOpenKey (0x1, {24, 206, 0x40, 0, 0, (0x1, {24, 206, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01498 408 NtQueryKey (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0 01499 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01500 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 
200, ) == 0x0 01501 408 NtQueryInformationToken (200, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01502 408 NtClose (200, ... ) == 0x0 01503 408 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01504 408 NtOpenKey (0x2000000, {24, 206, 0x40, 0, 0, ""}, ... 200, ) == 0x0 01505 408 NtClose (206, ... ) == 0x0 01506 408 NtReleaseSemaphore (148, 1, ... 0, ) == 0x0 01507 408 NtWaitForSingleObject (148, 0, {0, 0}, ... ) == 0x0 01508 408 NtReleaseSemaphore (164, 1, ... 0, ) == 0x0 01509 408 NtWaitForSingleObject (164, 0, {0, 0}, ... ) == 0x0 01510 408 NtQueryKey (202, Name, 384, ... {Name= (202, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0 01511 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01512 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 204, ) == 0x0 01513 408 NtQueryInformationToken (204, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01514 408 NtClose (204, ... ) == 0x0 01515 408 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory\ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01516 408 NtOpenKey (0x1, {24, 202, 0x40, 0, 0, (0x1, {24, 202, 0x40, 0, 0, "ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01517 408 NtQueryKey (202, Name, 392, ... {Name= (202, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0 01518 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01519 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 204, ) == 0x0 01520 408 NtQueryInformationToken (204, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01521 408 NtClose (204, ... 
) == 0x0 01522 408 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01523 408 NtQueryValueKey (202, (202, "DocObject", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01524 408 NtQueryKey (202, Name, 392, ... {Name= (202, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0 01525 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01526 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 204, ) == 0x0 01527 408 NtQueryInformationToken (204, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01528 408 NtClose (204, ... ) == 0x0 01529 408 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01530 408 NtQueryValueKey (202, (202, "BrowseInPlace", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01531 408 NtQueryKey (202, Name, 384, ... {Name= (202, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0 01532 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01533 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 204, ) == 0x0 01534 408 NtQueryInformationToken (204, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01535 408 NtClose (204, ... ) == 0x0 01536 408 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01537 408 NtOpenKey (0x1, {24, 202, 0x40, 0, 0, (0x1, {24, 202, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01538 408 NtQueryKey (146, Name, 384, ... {Name= (146, Name, 384, ... 
{Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 01539 408 NtOpenKey (0x2000000, {24, 146, 0x40, 0, 0, (0x2000000, {24, 146, 0x40, 0, 0, "Folder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01540 408 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Folder"}, ... 204, ) }, ... 204, ) == 0x0 01541 408 NtQueryKey (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Foldert"}, 86, ) }, 86, ) == 0x0 01542 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01543 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 208, ) == 0x0 01544 408 NtQueryInformationToken (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01545 408 NtClose (208, ... ) == 0x0 01546 408 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Folder\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01547 408 NtOpenKey (0x1, {24, 206, 0x40, 0, 0, (0x1, {24, 206, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01548 408 NtQueryKey (202, Name, 392, ... {Name= (202, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0 01549 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01550 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 208, ) == 0x0 01551 408 NtQueryInformationToken (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01552 408 NtClose (208, ... ) == 0x0 01553 408 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01554 408 NtQueryValueKey (202, (202, "IsShortcut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01555 408 NtQueryKey (202, Name, 392, ... 
{Name= (202, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0 01556 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01557 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 208, ) == 0x0 01558 408 NtQueryInformationToken (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01559 408 NtClose (208, ... ) == 0x0 01560 408 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01561 408 NtQueryValueKey (202, (202, "AlwaysShowExt", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (202, "AlwaysShowExt", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 01562 408 NtQueryKey (202, Name, 392, ... {Name= (202, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0 01563 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01564 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 208, ) == 0x0 01565 408 NtQueryInformationToken (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01566 408 NtClose (208, ... ) == 0x0 01567 408 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01568 408 NtQueryValueKey (202, (202, "NeverShowExt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01569 408 NtClose (202, ... ) == 0x0 01570 408 NtClose (206, ... ) == 0x0 01571 408 NtAllocateVirtualMemory (-1, 1490944, 0, 4096, 4096, 4, ... 1490944, 4096, ) == 0x0 01572 408 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\"}, 3, 16417, ... 204, {status=0x0, info=1}, ) }, 3, 16417, ... 
204, {status=0x0, info=1}, ) == 0x0 01573 408 NtQueryDirectoryFile (204, 0, 0, 0, 1233892, 616, BothDirectory, 1, (204, 0, 0, 0, 1233892, 616, BothDirectory, 1, "SRI-user", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0 01574 408 NtClose (204, ... ) == 0x0 01575 408 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\"}, 3, 16417, ... 204, {status=0x0, info=1}, ) }, 3, 16417, ... 204, {status=0x0, info=1}, ) == 0x0 01576 408 NtQueryDirectoryFile (204, 0, 0, 0, 1233812, 616, BothDirectory, 1, (204, 0, 0, 0, 1233812, 616, BothDirectory, 1, "My Documents", 0, ... {status=0x0, info=118}, ) , 0, ... {status=0x0, info=118}, ) == 0x0 01577 408 NtClose (204, ... ) == 0x0 01578 408 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01579 408 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01580 408 NtAllocateVirtualMemory (-1, 1220608, 0, 4096, 4096, 260, ... 1220608, 4096, ) == 0x0 01581 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 1229184, ... ) }, 1229184, ... ) == 0x0 01582 408 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01583 408 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01584 408 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 7, 96, ... 204, {status=0x0, info=1}, ) }, 7, 96, ... 204, {status=0x0, info=1}, ) == 0x0 01585 408 NtLockFile (204, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 01586 408 NtQueryInformationFile (204, 1483376, 24, Standard, ... 
{status=0x0, info=24}, ) == 0x0 01587 408 NtAllocateVirtualMemory (-1, 0, 0, 1048659, 8192, 4, ... 9830400, 1052672, ) == 0x0 01588 408 NtAllocateVirtualMemory (-1, 9830400, 0, 83, 4096, 4, ... 9830400, 4096, ) == 0x0 01589 408 NtReadFile (204, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, (204, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, "[DeleteOnCopy]\15\12Owner=SRI-user\15\12Personalized=5\15\12PersonalizedName=My Documents\15\12", ) , ) == 0x0 01590 408 NtFreeVirtualMemory (-1, (0x960000), 1052672, 32768, ... (0x960000), 1052672, ) == 0x0 01591 408 NtUnlockFile (204, {0, 0}, {-1, -1}, 408, ... ) == STATUS_RANGE_NOT_LOCKED 01592 408 NtClose (204, ... ) == 0x0 01593 408 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 7, 96, ... 204, {status=0x0, info=1}, ) }, 7, 96, ... 204, {status=0x0, info=1}, ) == 0x0 01594 408 NtLockFile (204, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 01595 408 NtQueryInformationFile (204, 1483376, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01596 408 NtAllocateVirtualMemory (-1, 0, 0, 1048659, 8192, 4, ... 9830400, 1052672, ) == 0x0 01597 408 NtAllocateVirtualMemory (-1, 9830400, 0, 83, 4096, 4, ... 9830400, 4096, ) == 0x0 01598 408 NtReadFile (204, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, (204, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, "[DeleteOnCopy]\15\12Owner=SRI-user\15\12Personalized=5\15\12PersonalizedName=My Documents\15\12", ) , ) == 0x0 01599 408 NtFreeVirtualMemory (-1, (0x960000), 1052672, 32768, ... (0x960000), 1052672, ) == 0x0 01600 408 NtUnlockFile (204, {0, 0}, {-1, -1}, 408, ... ) == STATUS_RANGE_NOT_LOCKED 01601 408 NtClose (204, ... ) == 0x0 01602 408 NtOpenProcessToken (-1, 0x8, ... 204, ) == 0x0 01603 408 NtQueryInformationToken (204, Statistics, 56, ... 
{token info, class 10, size 56}, 56, ) == 0x0 01604 408 NtClose (204, ... ) == 0x0 01605 408 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01606 408 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01607 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 1229184, ... ) }, 1229184, ... ) == 0x0 01608 408 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01609 408 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01610 408 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 7, 96, ... 204, {status=0x0, info=1}, ) }, 7, 96, ... 204, {status=0x0, info=1}, ) == 0x0 01611 408 NtLockFile (204, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 01612 408 NtQueryInformationFile (204, 1483376, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01613 408 NtAllocateVirtualMemory (-1, 0, 0, 1048659, 8192, 4, ... 9830400, 1052672, ) == 0x0 01614 408 NtAllocateVirtualMemory (-1, 9830400, 0, 83, 4096, 4, ... 9830400, 4096, ) == 0x0 01615 408 NtReadFile (204, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, (204, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, "[DeleteOnCopy]\15\12Owner=SRI-user\15\12Personalized=5\15\12PersonalizedName=My Documents\15\12", ) , ) == 0x0 01616 408 NtFreeVirtualMemory (-1, (0x960000), 1052672, 32768, ... (0x960000), 1052672, ) == 0x0 01617 408 NtUnlockFile (204, {0, 0}, {-1, -1}, 408, ... ) == STATUS_RANGE_NOT_LOCKED 01618 408 NtClose (204, ... ) == 0x0 01619 408 NtAllocateVirtualMemory (-1, 1495040, 0, 4096, 4096, 4, ... 
1495040, 4096, ) == 0x0 01620 408 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 7, 96, ... 204, {status=0x0, info=1}, ) }, 7, 96, ... 204, {status=0x0, info=1}, ) == 0x0 01621 408 NtLockFile (204, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 01622 408 NtQueryInformationFile (204, 1483376, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01623 408 NtAllocateVirtualMemory (-1, 0, 0, 1048659, 8192, 4, ... 9830400, 1052672, ) == 0x0 01624 408 NtAllocateVirtualMemory (-1, 9830400, 0, 83, 4096, 4, ... 9830400, 4096, ) == 0x0 01625 408 NtReadFile (204, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, (204, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, "[DeleteOnCopy]\15\12Owner=SRI-user\15\12Personalized=5\15\12PersonalizedName=My Documents\15\12", ) , ) == 0x0 01626 408 NtFreeVirtualMemory (-1, (0x960000), 1052672, 32768, ... (0x960000), 1052672, ) == 0x0 01627 408 NtUnlockFile (204, {0, 0}, {-1, -1}, 408, ... ) == STATUS_RANGE_NOT_LOCKED 01628 408 NtClose (204, ... ) == 0x0 01629 408 NtOpenProcessToken (-1, 0x8, ... 204, ) == 0x0 01630 408 NtQueryInformationToken (204, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 01631 408 NtClose (204, ... ) == 0x0 01632 408 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01633 408 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01634 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 1231240, ... ) }, 1231240, ... ) == 0x0 01635 408 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01636 408 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... 
) == 0x0 01637 408 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 7, 96, ... 204, {status=0x0, info=1}, ) }, 7, 96, ... 204, {status=0x0, info=1}, ) == 0x0 01638 408 NtLockFile (204, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 01639 408 NtQueryInformationFile (204, 1483376, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01640 408 NtAllocateVirtualMemory (-1, 0, 0, 1048659, 8192, 4, ... 9830400, 1052672, ) == 0x0 01641 408 NtAllocateVirtualMemory (-1, 9830400, 0, 83, 4096, 4, ... 9830400, 4096, ) == 0x0 01642 408 NtReadFile (204, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, (204, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, "[DeleteOnCopy]\15\12Owner=SRI-user\15\12Personalized=5\15\12PersonalizedName=My Documents\15\12", ) , ) == 0x0 01643 408 NtFreeVirtualMemory (-1, (0x960000), 1052672, 32768, ... (0x960000), 1052672, ) == 0x0 01644 408 NtUnlockFile (204, {0, 0}, {-1, -1}, 408, ... ) == STATUS_RANGE_NOT_LOCKED 01645 408 NtClose (204, ... ) == 0x0 01646 408 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01647 408 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01648 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 1229520, ... ) }, 1229520, ... ) == 0x0 01649 408 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01650 408 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01651 408 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 7, 96, ... 204, {status=0x0, info=1}, ) }, 7, 96, ... 
204, {status=0x0, info=1}, ) == 0x0 01652 408 NtLockFile (204, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 01653 408 NtQueryInformationFile (204, 1483376, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01654 408 NtAllocateVirtualMemory (-1, 0, 0, 1048659, 8192, 4, ... 9830400, 1052672, ) == 0x0 01655 408 NtAllocateVirtualMemory (-1, 9830400, 0, 83, 4096, 4, ... 9830400, 4096, ) == 0x0 01656 408 NtReadFile (204, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, (204, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, "[DeleteOnCopy]\15\12Owner=SRI-user\15\12Personalized=5\15\12PersonalizedName=My Documents\15\12", ) , ) == 0x0 01657 408 NtFreeVirtualMemory (-1, (0x960000), 1052672, 32768, ... (0x960000), 1052672, ) == 0x0 01658 408 NtUnlockFile (204, {0, 0}, {-1, -1}, 408, ... ) == STATUS_RANGE_NOT_LOCKED 01659 408 NtClose (204, ... ) == 0x0 01660 408 NtOpenProcessToken (-1, 0x8, ... 204, ) == 0x0 01661 408 NtQueryInformationToken (204, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 01662 408 NtClose (204, ... ) == 0x0 01663 408 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01664 408 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01665 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 1229520, ... ) }, 1229520, ... ) == 0x0 01666 408 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01667 408 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01668 408 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 7, 96, ... 204, {status=0x0, info=1}, ) }, 7, 96, ... 
204, {status=0x0, info=1}, ) == 0x0 01669 408 NtLockFile (204, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 01670 408 NtQueryInformationFile (204, 1483376, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01671 408 NtAllocateVirtualMemory (-1, 0, 0, 1048659, 8192, 4, ... 9830400, 1052672, ) == 0x0 01672 408 NtAllocateVirtualMemory (-1, 9830400, 0, 83, 4096, 4, ... 9830400, 4096, ) == 0x0 01673 408 NtReadFile (204, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, (204, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, "[DeleteOnCopy]\15\12Owner=SRI-user\15\12Personalized=5\15\12PersonalizedName=My Documents\15\12", ) , ) == 0x0 01674 408 NtFreeVirtualMemory (-1, (0x960000), 1052672, 32768, ... (0x960000), 1052672, ) == 0x0 01675 408 NtUnlockFile (204, {0, 0}, {-1, -1}, 408, ... ) == STATUS_RANGE_NOT_LOCKED 01676 408 NtClose (204, ... ) == 0x0 01677 408 NtOpenProcessToken (-1, 0x8, ... 204, ) == 0x0 01678 408 NtQueryInformationToken (204, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 01679 408 NtClose (204, ... ) == 0x0 01680 408 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01681 408 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01682 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 1229520, ... ) }, 1229520, ... ) == 0x0 01683 408 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01684 408 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01685 408 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 7, 96, ... 204, {status=0x0, info=1}, ) }, 7, 96, ... 
204, {status=0x0, info=1}, ) == 0x0 01686 408 NtLockFile (204, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 01687 408 NtQueryInformationFile (204, 1483376, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01688 408 NtAllocateVirtualMemory (-1, 0, 0, 1048659, 8192, 4, ... 9830400, 1052672, ) == 0x0 01689 408 NtAllocateVirtualMemory (-1, 9830400, 0, 83, 4096, 4, ... 9830400, 4096, ) == 0x0 01690 408 NtReadFile (204, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, (204, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, "[DeleteOnCopy]\15\12Owner=SRI-user\15\12Personalized=5\15\12PersonalizedName=My Documents\15\12", ) , ) == 0x0 01691 408 NtFreeVirtualMemory (-1, (0x960000), 1052672, 32768, ... (0x960000), 1052672, ) == 0x0 01692 408 NtUnlockFile (204, {0, 0}, {-1, -1}, 408, ... ) == STATUS_RANGE_NOT_LOCKED 01693 408 NtClose (204, ... ) == 0x0 01694 408 NtOpenProcessToken (-1, 0x8, ... 204, ) == 0x0 01695 408 NtQueryInformationToken (204, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 01696 408 NtClose (204, ... ) == 0x0 01697 408 NtReleaseSemaphore (172, 1, ... 0, ) == 0x0 01698 408 NtWaitForSingleObject (172, 0, {0, 0}, ... ) == 0x0 01699 408 NtReleaseSemaphore (172, 1, ... 0, ) == 0x0 01700 408 NtWaitForSingleObject (172, 0, {0, 0}, ... ) == 0x0 01701 408 NtCreateKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 204, 2, ) }, 0, 0x0, 0, ... 204, 2, ) == 0x0 01702 408 NtQueryValueKey (204, (204, "Common Documents", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (204, "Common Documents", Partial, 144, ... 
TitleIdx=0, Type=2, Data="%\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 68, ) }, 68, ) == 0x0 01703 408 NtClose (204, ... ) == 0x0 01704 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents"}, 1235672, ... ) }, 1235672, ... ) == 0x0 01705 408 NtCreateKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 204, 2, ) }, 0, 0x0, 0, ... 204, 2, ) == 0x0 01706 408 NtSetValueKey (204, (204, "Common Documents", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0", 92, ... ) , 0, 1, (204, "Common Documents", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0", 92, ... ) , 92, ... ) == 0x0 01707 408 NtClose (204, ... ) == 0x0 01708 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1234084, ... ) }, 1234084, ... ) == 0x0 01709 408 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 204, {status=0x0, info=1}, ) }, 5, 96, ... 204, {status=0x0, info=1}, ) == 0x0 01710 408 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 204, ... 200, ) == 0x0 01711 408 NtClose (204, ... ) == 0x0 01712 408 NtMapViewOfSection (200, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x960000), 0x0, 262144, ) == 0x0 01713 408 NtClose (200, ... ) == 0x0 01714 408 NtUnmapViewOfSection (-1, 0x960000, ... ) == 0x0 01715 408 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 01716 408 NtQueryInformationProcess (-1, DeviceMap, 36, ... 
{process info, class 23, size 36}, 0x0, ) == 0x0 01717 408 NtOpenKey (0x2000000, {24, 80, 0x40, 0, 0, (0x2000000, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 200, ) }, ... 200, ) == 0x0 01718 408 NtOpenKey (0x2000000, {24, 200, 0x40, 0, 0, (0x2000000, {24, 200, 0x40, 0, 0, "{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, ... 204, ) }, ... 204, ) == 0x0 01719 408 NtClose (200, ... ) == 0x0 01720 408 NtQueryValueKey (204, (204, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01721 408 NtClose (204, ... ) == 0x0 01722 408 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 204, {status=0x0, info=1}, ) }, 3, 16417, ... 204, {status=0x0, info=1}, ) == 0x0 01723 408 NtQueryDirectoryFile (204, 0, 0, 0, 1233992, 616, BothDirectory, 1, (204, 0, 0, 0, 1233992, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0 01724 408 NtClose (204, ... ) == 0x0 01725 408 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\"}, 3, 16417, ... 204, {status=0x0, info=1}, ) }, 3, 16417, ... 204, {status=0x0, info=1}, ) == 0x0 01726 408 NtQueryDirectoryFile (204, 0, 0, 0, 1233900, 616, BothDirectory, 1, (204, 0, 0, 0, 1233900, 616, BothDirectory, 1, "All Users", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0 01727 408 NtClose (204, ... ) == 0x0 01728 408 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\"}, 3, 16417, ... 204, {status=0x0, info=1}, ) }, 3, 16417, ... 
204, {status=0x0, info=1}, ) == 0x0 01729 408 NtQueryDirectoryFile (204, 0, 0, 0, 1233828, 616, BothDirectory, 1, (204, 0, 0, 0, 1233828, 616, BothDirectory, 1, "Documents", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0 01730 408 NtClose (204, ... ) == 0x0 01731 408 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01732 408 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01733 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 1229200, ... ) }, 1229200, ... ) == 0x0 01734 408 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01735 408 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01736 408 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 7, 96, ... 204, {status=0x0, info=1}, ) }, 7, 96, ... 204, {status=0x0, info=1}, ) == 0x0 01737 408 NtLockFile (204, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 01738 408 NtQueryInformationFile (204, 1483376, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01739 408 NtAllocateVirtualMemory (-1, 0, 0, 1048718, 8192, 4, ... 9830400, 1052672, ) == 0x0 01740 408 NtAllocateVirtualMemory (-1, 9830400, 0, 142, 4096, 4, ... 9830400, 4096, ) == 0x0 01741 408 NtReadFile (204, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138}, (204, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138}, "[.ShellClassInfo]\15\12LocalizedResourceName=@shell32.dll,-21785\15\12[FileSharingInformation]\15\12ShortcutName=Shared Documents on SRI-S3S1K11CZE9\15\12", ) , ) == 0x0 01742 408 NtFreeVirtualMemory (-1, (0x960000), 1052672, 32768, ... 
(0x960000), 1052672, ) == 0x0 01743 408 NtUnlockFile (204, {0, 0}, {-1, -1}, 408, ... ) == STATUS_RANGE_NOT_LOCKED 01744 408 NtClose (204, ... ) == 0x0 01745 408 NtOpenProcessToken (-1, 0x8, ... 204, ) == 0x0 01746 408 NtQueryInformationToken (204, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 01747 408 NtClose (204, ... ) == 0x0 01748 408 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01749 408 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01750 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 1229172, ... ) }, 1229172, ... ) == 0x0 01751 408 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01752 408 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01753 408 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 7, 96, ... 204, {status=0x0, info=1}, ) }, 7, 96, ... 204, {status=0x0, info=1}, ) == 0x0 01754 408 NtLockFile (204, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 01755 408 NtQueryInformationFile (204, 1483376, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01756 408 NtAllocateVirtualMemory (-1, 0, 0, 1048718, 8192, 4, ... 9830400, 1052672, ) == 0x0 01757 408 NtAllocateVirtualMemory (-1, 9830400, 0, 142, 4096, 4, ... 9830400, 4096, ) == 0x0 01758 408 NtReadFile (204, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138}, (204, 0, 0, 0, 138, 0x0, 2012046884, ... 
{status=0x0, info=138}, "[.ShellClassInfo]\15\12LocalizedResourceName=@shell32.dll,-21785\15\12[FileSharingInformation]\15\12ShortcutName=Shared Documents on SRI-S3S1K11CZE9\15\12", ) , ) == 0x0 01759 408 NtFreeVirtualMemory (-1, (0x960000), 1052672, 32768, ... (0x960000), 1052672, ) == 0x0 01760 408 NtUnlockFile (204, {0, 0}, {-1, -1}, 408, ... ) == STATUS_RANGE_NOT_LOCKED 01761 408 NtClose (204, ... ) == 0x0 01762 408 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01763 408 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01764 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 1229536, ... ) }, 1229536, ... ) == 0x0 01765 408 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01766 408 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01767 408 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 7, 96, ... 204, {status=0x0, info=1}, ) }, 7, 96, ... 204, {status=0x0, info=1}, ) == 0x0 01768 408 NtLockFile (204, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 01769 408 NtQueryInformationFile (204, 1483376, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01770 408 NtAllocateVirtualMemory (-1, 0, 0, 1048718, 8192, 4, ... 9830400, 1052672, ) == 0x0 01771 408 NtAllocateVirtualMemory (-1, 9830400, 0, 142, 4096, 4, ... 9830400, 4096, ) == 0x0 01772 408 NtReadFile (204, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138}, (204, 0, 0, 0, 138, 0x0, 2012046884, ... 
{status=0x0, info=138}, "[.ShellClassInfo]\15\12LocalizedResourceName=@shell32.dll,-21785\15\12[FileSharingInformation]\15\12ShortcutName=Shared Documents on SRI-S3S1K11CZE9\15\12", ) , ) == 0x0 01773 408 NtFreeVirtualMemory (-1, (0x960000), 1052672, 32768, ... (0x960000), 1052672, ) == 0x0 01774 408 NtUnlockFile (204, {0, 0}, {-1, -1}, 408, ... ) == STATUS_RANGE_NOT_LOCKED 01775 408 NtClose (204, ... ) == 0x0 01776 408 NtOpenProcessToken (-1, 0x8, ... 204, ) == 0x0 01777 408 NtQueryInformationToken (204, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 01778 408 NtClose (204, ... ) == 0x0 01779 408 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01780 408 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01781 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 1229536, ... ) }, 1229536, ... ) == 0x0 01782 408 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01783 408 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01784 408 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 7, 96, ... 204, {status=0x0, info=1}, ) }, 7, 96, ... 204, {status=0x0, info=1}, ) == 0x0 01785 408 NtLockFile (204, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 01786 408 NtQueryInformationFile (204, 1483376, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01787 408 NtAllocateVirtualMemory (-1, 0, 0, 1048718, 8192, 4, ... 9830400, 1052672, ) == 0x0 01788 408 NtAllocateVirtualMemory (-1, 9830400, 0, 142, 4096, 4, ... 9830400, 4096, ) == 0x0 01789 408 NtReadFile (204, 0, 0, 0, 138, 0x0, 2012046884, ... 
{status=0x0, info=138}, (204, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138}, "[.ShellClassInfo]\15\12LocalizedResourceName=@shell32.dll,-21785\15\12[FileSharingInformation]\15\12ShortcutName=Shared Documents on SRI-S3S1K11CZE9\15\12", ) , ) == 0x0 01790 408 NtFreeVirtualMemory (-1, (0x960000), 1052672, 32768, ... (0x960000), 1052672, ) == 0x0 01791 408 NtUnlockFile (204, {0, 0}, {-1, -1}, 408, ... ) == STATUS_RANGE_NOT_LOCKED 01792 408 NtClose (204, ... ) == 0x0 01793 408 NtOpenProcessToken (-1, 0x8, ... 204, ) == 0x0 01794 408 NtQueryInformationToken (204, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 01795 408 NtClose (204, ... ) == 0x0 01796 408 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01797 408 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01798 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 1229536, ... ) }, 1229536, ... ) == 0x0 01799 408 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01800 408 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01801 408 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 7, 96, ... 204, {status=0x0, info=1}, ) }, 7, 96, ... 204, {status=0x0, info=1}, ) == 0x0 01802 408 NtLockFile (204, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 01803 408 NtQueryInformationFile (204, 1483376, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01804 408 NtAllocateVirtualMemory (-1, 0, 0, 1048718, 8192, 4, ... 9830400, 1052672, ) == 0x0 01805 408 NtAllocateVirtualMemory (-1, 9830400, 0, 142, 4096, 4, ... 
9830400, 4096, ) == 0x0 01806 408 NtReadFile (204, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138}, (204, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138}, "[.ShellClassInfo]\15\12LocalizedResourceName=@shell32.dll,-21785\15\12[FileSharingInformation]\15\12ShortcutName=Shared Documents on SRI-S3S1K11CZE9\15\12", ) , ) == 0x0 01807 408 NtFreeVirtualMemory (-1, (0x960000), 1052672, 32768, ... (0x960000), 1052672, ) == 0x0 01808 408 NtUnlockFile (204, {0, 0}, {-1, -1}, 408, ... ) == STATUS_RANGE_NOT_LOCKED 01809 408 NtClose (204, ... ) == 0x0 01810 408 NtOpenProcessToken (-1, 0x8, ... 204, ) == 0x0 01811 408 NtQueryInformationToken (204, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 01812 408 NtClose (204, ... ) == 0x0 01813 408 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01814 408 NtReleaseSemaphore (172, 1, ... 0, ) == 0x0 01815 408 NtWaitForSingleObject (172, 0, {0, 0}, ... ) == 0x0 01816 408 NtReleaseSemaphore (172, 1, ... 0, ) == 0x0 01817 408 NtWaitForSingleObject (172, 0, {0, 0}, ... ) == 0x0 01818 408 NtCreateKey (0x2000000, {24, 80, 0x40, 0, 0, (0x2000000, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 204, 2, ) }, 0, 0x0, 0, ... 204, 2, ) == 0x0 01819 408 NtQueryValueKey (204, (204, "Desktop", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0D\0e\0s\0k\0t\0o\0p\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (204, "Desktop", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0D\0e\0s\0k\0t\0o\0p\0\0\0"}, 56, ) }, 56, ) == 0x0 01820 408 NtClose (204, ... ) == 0x0 01821 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Desktop"}, 1235672, ... ) }, 1235672, ... 
) == 0x0 01822 408 NtCreateKey (0x2000000, {24, 80, 0x40, 0, 0, (0x2000000, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 204, 2, ) }, 0, 0x0, 0, ... 204, 2, ) == 0x0 01823 408 NtSetValueKey (204, (204, "Desktop", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0D\0e\0s\0k\0t\0o\0p\0\0\0", 86, ... ) , 0, 1, (204, "Desktop", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0D\0e\0s\0k\0t\0o\0p\0\0\0", 86, ... ) , 86, ... ) == 0x0 01824 408 NtClose (204, ... ) == 0x0 01825 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1234084, ... ) }, 1234084, ... ) == 0x0 01826 408 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 204, {status=0x0, info=1}, ) }, 5, 96, ... 204, {status=0x0, info=1}, ) == 0x0 01827 408 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 204, ... 200, ) == 0x0 01828 408 NtClose (204, ... ) == 0x0 01829 408 NtMapViewOfSection (200, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x960000), 0x0, 262144, ) == 0x0 01830 408 NtClose (200, ... ) == 0x0 01831 408 NtUnmapViewOfSection (-1, 0x960000, ... ) == 0x0 01832 408 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 01833 408 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 01834 408 NtOpenKey (0x2000000, {24, 80, 0x40, 0, 0, (0x2000000, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 200, ) }, ... 200, ) == 0x0 01835 408 NtOpenKey (0x2000000, {24, 200, 0x40, 0, 0, (0x2000000, {24, 200, 0x40, 0, 0, "{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, ... 204, ) }, ... 204, ) == 0x0 01836 408 NtClose (200, ... 
) == 0x0 01837 408 NtQueryValueKey (204, (204, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01838 408 NtClose (204, ... ) == 0x0 01839 408 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 204, {status=0x0, info=1}, ) }, 3, 16417, ... 204, {status=0x0, info=1}, ) == 0x0 01840 408 NtQueryDirectoryFile (204, 0, 0, 0, 1234000, 616, BothDirectory, 1, (204, 0, 0, 0, 1234000, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0 01841 408 NtClose (204, ... ) == 0x0 01842 408 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\"}, 3, 16417, ... 204, {status=0x0, info=1}, ) }, 3, 16417, ... 204, {status=0x0, info=1}, ) == 0x0 01843 408 NtQueryDirectoryFile (204, 0, 0, 0, 1233912, 616, BothDirectory, 1, (204, 0, 0, 0, 1233912, 616, BothDirectory, 1, "SRI-user", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0 01844 408 NtClose (204, ... ) == 0x0 01845 408 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\"}, 3, 16417, ... 204, {status=0x0, info=1}, ) }, 3, 16417, ... 204, {status=0x0, info=1}, ) == 0x0 01846 408 NtQueryDirectoryFile (204, 0, 0, 0, 1233844, 616, BothDirectory, 1, (204, 0, 0, 0, 1233844, 616, BothDirectory, 1, "Desktop", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0 01847 408 NtClose (204, ... ) == 0x0 01848 408 NtAllocateVirtualMemory (-1, 1499136, 0, 4096, 4096, 4, ... 1499136, 4096, ) == 0x0 01849 408 NtReleaseSemaphore (172, 1, ... 0, ) == 0x0 01850 408 NtWaitForSingleObject (172, 0, {0, 0}, ... ) == 0x0 01851 408 NtReleaseSemaphore (172, 1, ... 
0, ) == 0x0 01852 408 NtWaitForSingleObject (172, 0, {0, 0}, ... ) == 0x0 01853 408 NtCreateKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 204, 2, ) }, 0, 0x0, 0, ... 204, 2, ) == 0x0 01854 408 NtQueryValueKey (204, (204, "Common Desktop", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0%\0\\0D\0e\0s\0k\0t\0o\0p\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (204, "Common Desktop", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0%\0\\0D\0e\0s\0k\0t\0o\0p\0\0\0"}, 64, ) }, 64, ) == 0x0 01855 408 NtClose (204, ... ) == 0x0 01856 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Desktop"}, 1235672, ... ) }, 1235672, ... ) == 0x0 01857 408 NtCreateKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 204, 2, ) }, 0, 0x0, 0, ... 204, 2, ) == 0x0 01858 408 NtSetValueKey (204, (204, "Common Desktop", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\\0D\0e\0s\0k\0t\0o\0p\0\0\0", 88, ... ) , 0, 1, (204, "Common Desktop", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\\0D\0e\0s\0k\0t\0o\0p\0\0\0", 88, ... ) , 88, ... ) == 0x0 01859 408 NtClose (204, ... ) == 0x0 01860 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1234084, ... ) }, 1234084, ... ) == 0x0 01861 408 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 204, {status=0x0, info=1}, ) }, 5, 96, ... 
204, {status=0x0, info=1}, ) == 0x0 01862 408 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 204, ... 200, ) == 0x0 01863 408 NtClose (204, ... ) == 0x0 01864 408 NtMapViewOfSection (200, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x960000), 0x0, 262144, ) == 0x0 01865 408 NtClose (200, ... ) == 0x0 01866 408 NtUnmapViewOfSection (-1, 0x960000, ... ) == 0x0 01867 408 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 01868 408 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 01869 408 NtOpenKey (0x2000000, {24, 80, 0x40, 0, 0, (0x2000000, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 200, ) }, ... 200, ) == 0x0 01870 408 NtOpenKey (0x2000000, {24, 200, 0x40, 0, 0, (0x2000000, {24, 200, 0x40, 0, 0, "{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, ... 204, ) }, ... 204, ) == 0x0 01871 408 NtClose (200, ... ) == 0x0 01872 408 NtQueryValueKey (204, (204, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01873 408 NtClose (204, ... ) == 0x0 01874 408 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 204, {status=0x0, info=1}, ) }, 3, 16417, ... 204, {status=0x0, info=1}, ) == 0x0 01875 408 NtQueryDirectoryFile (204, 0, 0, 0, 1233996, 616, BothDirectory, 1, (204, 0, 0, 0, 1233996, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0 01876 408 NtClose (204, ... ) == 0x0 01877 408 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\"}, 3, 16417, ... 204, {status=0x0, info=1}, ) }, 3, 16417, ... 
204, {status=0x0, info=1}, ) == 0x0 01878 408 NtQueryDirectoryFile (204, 0, 0, 0, 1233908, 616, BothDirectory, 1, (204, 0, 0, 0, 1233908, 616, BothDirectory, 1, "All Users", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0 01879 408 NtClose (204, ... ) == 0x0 01880 408 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\"}, 3, 16417, ... 204, {status=0x0, info=1}, ) }, 3, 16417, ... 204, {status=0x0, info=1}, ) == 0x0 01881 408 NtQueryDirectoryFile (204, 0, 0, 0, 1233840, 616, BothDirectory, 1, (204, 0, 0, 0, 1233840, 616, BothDirectory, 1, "Desktop", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0 01882 408 NtClose (204, ... ) == 0x0 01883 408 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"}, ... 204, ) }, ... 204, ) == 0x0 01884 408 NtEnumerateValueKey (204, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (204, 0, Full, 220, ... TitleIdx=0, Type=1, Name="{AEB6717E-7E19-11d0-97EE-00C04FD91972}", Data="\0\0"}, 98, ) , Data= (204, 0, Full, 220, ... TitleIdx=0, Type=1, Name="{AEB6717E-7E19-11d0-97EE-00C04FD91972}", Data="\0\0"}, 98, ) }, 98, ) == 0x0 01885 408 NtQueryKey (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0 01886 408 NtOpenKey (0x1, {24, 146, 0x40, 0, 0, (0x1, {24, 146, 0x40, 0, 0, "CLSID\{AEB6717E-7E19-11D0-97EE-00C04FD91972}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01887 408 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{AEB6717E-7E19-11D0-97EE-00C04FD91972}\InProcServer32"}, ... 200, ) }, ... 200, ) == 0x0 01888 408 NtQueryKey (202, Name, 392, ... {Name= (202, Name, 392, ... 
{Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, 192, ) }, 192, ) == 0x0 01889 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01890 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 208, ) == 0x0 01891 408 NtQueryInformationToken (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01892 408 NtClose (208, ... ) == 0x0 01893 408 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01894 408 NtQueryValueKey (202, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (202, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="s\0h\0e\0l\0l\03\02\0.\0d\0l\0l\0\0\0"}, 36, ) }, 36, ) == 0x0 01895 408 NtQueryKey (202, Name, 392, ... {Name= (202, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, 192, ) }, 192, ) == 0x0 01896 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01897 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 208, ) == 0x0 01898 408 NtQueryInformationToken (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01899 408 NtClose (208, ... ) == 0x0 01900 408 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01901 408 NtQueryValueKey (202, (202, "LoadWithoutCOM", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01902 408 NtClose (202, ... ) == 0x0 01903 408 NtEnumerateValueKey (204, 1, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 01904 408 NtClose (204, ... 
) == 0x0 01905 408 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 204, ) }, ... 204, ) == 0x0 01906 408 NtQueryValueKey (204, (204, "TransparentEnabled", Full, 524, ... TitleIdx=0, Type=4, Name="TransparentEnabled", Data="\1\0\0\0"}, 60, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (204, "TransparentEnabled", Full, 524, ... TitleIdx=0, Type=4, Name="TransparentEnabled", Data="\1\0\0\0"}, 60, ) , Data= (204, "TransparentEnabled", Full, 524, ... TitleIdx=0, Type=4, Name="TransparentEnabled", Data="\1\0\0\0"}, 60, ) }, 60, ) == 0x0 01907 408 NtClose (204, ... ) == 0x0 01908 408 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01909 408 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01910 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\tmp-490-wlr.bat"}, 1236008, ... ) }, 1236008, ... ) == 0x0 01911 408 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01912 408 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01913 408 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 204, ) }, ... 204, ) == 0x0 01914 408 NtQueryValueKey (204, (204, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL 01915 408 NtQueryValueKey (204, (204, "ExecutableTypes", Partial, 260, ... 
TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (204, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0 01916 408 NtClose (204, ... ) == 0x0 01917 408 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01918 408 NtOpenKey (0x2000000, {24, 156, 0x40, 0, 0, (0x2000000, {24, 156, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01919 408 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01920 408 NtOpenKey (0x2000000, {24, 156, 0x40, 0, 0, (0x2000000, {24, 156, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01921 408 NtQueryKey (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESD"}, 138, ) }, 138, ) == 0x0 01922 408 NtOpenKey (0x2000000, {24, 146, 0x40, 0, 0, (0x2000000, {24, 146, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01923 408 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 204, ) }, ... 204, ) == 0x0 01924 408 NtQueryKey (206, Name, 392, ... {Name= (206, Name, 392, ... 
{Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0 01925 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01926 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 200, ) == 0x0 01927 408 NtQueryInformationToken (200, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01928 408 NtClose (200, ... ) == 0x0 01929 408 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01930 408 NtQueryValueKey (206, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (206, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="b\0a\0t\0f\0i\0l\0e\0\0\0"}, 28, ) }, 28, ) == 0x0 01931 408 NtQueryKey (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 01932 408 NtOpenKey (0x2000000, {24, 146, 0x40, 0, 0, (0x2000000, {24, 146, 0x40, 0, 0, "batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01933 408 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\batfile"}, ... 200, ) }, ... 200, ) == 0x0 01934 408 NtQueryKey (202, Name, 384, ... {Name= (202, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0 01935 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01936 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 208, ) == 0x0 01937 408 NtQueryInformationToken (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01938 408 NtClose (208, ... ) == 0x0 01939 408 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01940 408 NtOpenKey (0x1, {24, 202, 0x40, 0, 0, (0x1, {24, 202, 0x40, 0, 0, "CurVer"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01941 408 NtQueryKey (202, Name, 384, ... {Name= (202, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0 01942 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01943 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 208, ) == 0x0 01944 408 NtQueryInformationToken (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01945 408 NtClose (208, ... ) == 0x0 01946 408 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01947 408 NtOpenKey (0x2000000, {24, 202, 0x40, 0, 0, ""}, ... 208, ) == 0x0 01948 408 NtClose (202, ... ) == 0x0 01949 408 NtQueryKey (210, Name, 384, ... {Name= (210, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0 01950 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01951 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 200, ) == 0x0 01952 408 NtQueryInformationToken (200, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01953 408 NtClose (200, ... ) == 0x0 01954 408 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01955 408 NtOpenKey (0x1, {24, 210, 0x40, 0, 0, (0x1, {24, 210, 0x40, 0, 0, "ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01956 408 NtQueryKey (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.batC"}, 82, ) }, 82, ) == 0x0 01957 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01958 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 200, ) == 0x0 01959 408 NtQueryInformationToken (200, User, 80, ... 
{token info, class 1, size 36}, 36, ) == 0x0 01960 408 NtClose (200, ... ) == 0x0 01961 408 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat\ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01962 408 NtOpenKey (0x1, {24, 206, 0x40, 0, 0, (0x1, {24, 206, 0x40, 0, 0, "ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01963 408 NtQueryKey (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 01964 408 NtOpenKey (0x2000000, {24, 146, 0x40, 0, 0, (0x2000000, {24, 146, 0x40, 0, 0, "SystemFileAssociations\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01965 408 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\SystemFileAssociations\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01966 408 NtQueryKey (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESs"}, 138, ) }, 138, ) == 0x0 01967 408 NtOpenKey (0x1, {24, 146, 0x40, 0, 0, (0x1, {24, 146, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01968 408 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 200, ) }, ... 200, ) == 0x0 01969 408 NtQueryKey (202, Name, 392, ... {Name= (202, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0 01970 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01971 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 212, ) == 0x0 01972 408 NtQueryInformationToken (212, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01973 408 NtClose (212, ... 
) == 0x0 01974 408 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01975 408 NtQueryValueKey (202, (202, "PerceivedType", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01976 408 NtClose (202, ... ) == 0x0 01977 408 NtQueryKey (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 01978 408 NtOpenKey (0x2000000, {24, 146, 0x40, 0, 0, (0x2000000, {24, 146, 0x40, 0, 0, "*"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01979 408 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\*"}, ... 200, ) }, ... 200, ) == 0x0 01980 408 NtQueryKey (202, Name, 384, ... {Name= (202, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\*"}, 76, ) }, 76, ) == 0x0 01981 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01982 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 212, ) == 0x0 01983 408 NtQueryInformationToken (212, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01984 408 NtClose (212, ... ) == 0x0 01985 408 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\*\ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01986 408 NtOpenKey (0x1, {24, 202, 0x40, 0, 0, (0x1, {24, 202, 0x40, 0, 0, "ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01987 408 NtClose (206, ... ) == 0x0 01988 408 NtClose (210, ... ) == 0x0 01989 408 NtClose (202, ... ) == 0x0 01990 408 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01991 408 NtOpenKey (0x2000000, {24, 156, 0x40, 0, 0, (0x2000000, {24, 156, 0x40, 0, 0, ".bat"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01992 408 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01993 408 NtOpenKey (0x2000000, {24, 156, 0x40, 0, 0, (0x2000000, {24, 156, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01994 408 NtQueryKey (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 01995 408 NtOpenKey (0x2000000, {24, 146, 0x40, 0, 0, (0x2000000, {24, 146, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01996 408 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 200, ) }, ... 200, ) == 0x0 01997 408 NtQueryKey (202, Name, 392, ... {Name= (202, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0 01998 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01999 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 208, ) == 0x0 02000 408 NtQueryInformationToken (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02001 408 NtClose (208, ... ) == 0x0 02002 408 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02003 408 NtQueryValueKey (202, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (202, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="b\0a\0t\0f\0i\0l\0e\0\0\0"}, 28, ) }, 28, ) == 0x0 02004 408 NtQueryKey (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 02005 408 NtOpenKey (0x2000000, {24, 146, 0x40, 0, 0, (0x2000000, {24, 146, 0x40, 0, 0, "batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02006 408 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\batfile"}, ... 
208, ) }, ... 208, ) == 0x0 02007 408 NtQueryKey (210, Name, 384, ... {Name= (210, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0 02008 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02009 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 204, ) == 0x0 02010 408 NtQueryInformationToken (204, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02011 408 NtClose (204, ... ) == 0x0 02012 408 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02013 408 NtOpenKey (0x1, {24, 210, 0x40, 0, 0, (0x1, {24, 210, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02014 408 NtQueryKey (210, Name, 384, ... {Name= (210, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0 02015 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02016 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 204, ) == 0x0 02017 408 NtQueryInformationToken (204, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02018 408 NtClose (204, ... ) == 0x0 02019 408 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02020 408 NtOpenKey (0x2000000, {24, 210, 0x40, 0, 0, ""}, ... 204, ) == 0x0 02021 408 NtClose (210, ... ) == 0x0 02022 408 NtQueryKey (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0 02023 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02024 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 208, ) == 0x0 02025 408 NtQueryInformationToken (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02026 408 NtClose (208, ... 
) == 0x0 02027 408 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02028 408 NtOpenKey (0x2000000, {24, 206, 0x40, 0, 0, (0x2000000, {24, 206, 0x40, 0, 0, "shell"}, ... 208, ) }, ... 208, ) == 0x0 02029 408 NtQueryKey (210, Name, 392, ... {Name= (210, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell"}, 100, ) }, 100, ) == 0x0 02030 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02031 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 212, ) == 0x0 02032 408 NtQueryInformationToken (212, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02033 408 NtClose (212, ... ) == 0x0 02034 408 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02035 408 NtQueryValueKey (210, 0x0, Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02036 408 NtQueryKey (210, Name, 384, ... {Name= (210, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell"}, 100, ) }, 100, ) == 0x0 02037 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02038 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 212, ) == 0x0 02039 408 NtQueryInformationToken (212, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02040 408 NtClose (212, ... ) == 0x0 02041 408 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02042 408 NtOpenKey (0x2000000, {24, 210, 0x40, 0, 0, (0x2000000, {24, 210, 0x40, 0, 0, "open"}, ... 212, ) }, ... 212, ) == 0x0 02043 408 NtClose (210, ... ) == 0x0 02044 408 NtQueryKey (214, Name, 384, ... {Name= (214, Name, 384, ... 
{Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open3"}, 110, ) }, 110, ) == 0x0 02045 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02046 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 208, ) == 0x0 02047 408 NtQueryInformationToken (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02048 408 NtClose (208, ... ) == 0x0 02049 408 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02050 408 NtOpenKey (0x1, {24, 214, 0x40, 0, 0, (0x1, {24, 214, 0x40, 0, 0, "command"}, ... 208, ) }, ... 208, ) == 0x0 02051 408 NtQueryKey (210, Name, 392, ... {Name= (210, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command8"}, 126, ) }, 126, ) == 0x0 02052 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02053 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 216, ) == 0x0 02054 408 NtQueryInformationToken (216, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02055 408 NtClose (216, ... ) == 0x0 02056 408 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02057 408 NtQueryValueKey (210, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=" (210, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=""\0%\01\0"\0 \0%\0*\0\0\0"}, 28, ) \0 \0%\0*\0\0\0"}, 28, ) == 0x0 02058 408 NtClose (210, ... ) == 0x0 02059 408 NtOpenKey (0x2000000, {24, 80, 0x40, 0, 0, (0x2000000, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02060 408 NtQueryKey (214, Name, 384, ... {Name= (214, Name, 384, ... 
{Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\opent"}, 110, ) }, 110, ) == 0x0 02061 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02062 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 208, ) == 0x0 02063 408 NtQueryInformationToken (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02064 408 NtClose (208, ... ) == 0x0 02065 408 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02066 408 NtOpenKey (0x1, {24, 214, 0x40, 0, 0, (0x1, {24, 214, 0x40, 0, 0, "command"}, ... 208, ) }, ... 208, ) == 0x0 02067 408 NtQueryKey (210, Name, 392, ... {Name= (210, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command8"}, 126, ) }, 126, ) == 0x0 02068 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02069 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 216, ) == 0x0 02070 408 NtQueryInformationToken (216, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02071 408 NtClose (216, ... ) == 0x0 02072 408 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02073 408 NtQueryValueKey (210, (210, "command", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02074 408 NtClose (210, ... ) == 0x0 02075 408 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\App Paths\tmp-490-wlr.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02076 408 NtQueryKey (214, Name, 384, ... {Name= (214, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\opent"}, 110, ) }, 110, ) == 0x0 02077 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... 
) == STATUS_NO_TOKEN 02078 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 208, ) == 0x0 02079 408 NtQueryInformationToken (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02080 408 NtClose (208, ... ) == 0x0 02081 408 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02082 408 NtOpenKey (0x1, {24, 214, 0x40, 0, 0, (0x1, {24, 214, 0x40, 0, 0, "command"}, ... 208, ) }, ... 208, ) == 0x0 02083 408 NtQueryKey (210, Name, 392, ... {Name= (210, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command8"}, 126, ) }, 126, ) == 0x0 02084 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02085 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 216, ) == 0x0 02086 408 NtQueryInformationToken (216, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02087 408 NtClose (216, ... ) == 0x0 02088 408 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02089 408 NtQueryValueKey (210, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=" (210, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=""\0%\01\0"\0 \0%\0*\0\0\0"}, 28, ) \0 \0%\0*\0\0\0"}, 28, ) == 0x0 02090 408 NtClose (210, ... ) == 0x0 02091 408 NtQueryKey (214, Name, 384, ... {Name= (214, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open3"}, 110, ) }, 110, ) == 0x0 02092 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02093 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 208, ) == 0x0 02094 408 NtQueryInformationToken (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02095 408 NtClose (208, ... 
) == 0x0 02096 408 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\ddeexec"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02097 408 NtOpenKey (0x1, {24, 214, 0x40, 0, 0, (0x1, {24, 214, 0x40, 0, 0, "ddeexec"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02098 408 NtUserGetForegroundWindow (... ) == 0x20062 02099 408 NtQueryKey (214, Name, 384, ... {Name= (214, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open3"}, 110, ) }, 110, ) == 0x0 02100 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02101 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 208, ) == 0x0 02102 408 NtQueryInformationToken (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02103 408 NtClose (208, ... ) == 0x0 02104 408 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02105 408 NtOpenKey (0x1, {24, 214, 0x40, 0, 0, (0x1, {24, 214, 0x40, 0, 0, "command"}, ... 208, ) }, ... 208, ) == 0x0 02106 408 NtQueryKey (210, Name, 392, ... {Name= (210, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command8"}, 126, ) }, 126, ) == 0x0 02107 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02108 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 216, ) == 0x0 02109 408 NtQueryInformationToken (216, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02110 408 NtClose (216, ... ) == 0x0 02111 408 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02112 408 NtQueryValueKey (210, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=" (210, 0x0, Partial, 144, ... 
TitleIdx=0, Type=1, Data=""\0%\01\0"\0 \0%\0*\0\0\0"}, 28, ) \0 \0%\0*\0\0\0"}, 28, ) == 0x0 02113 408 NtClose (210, ... ) == 0x0 02114 408 NtReleaseSemaphore (148, 1, ... 0, ) == 0x0 02115 408 NtWaitForSingleObject (148, 0, {0, 0}, ... ) == 0x0 02116 408 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02117 408 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 208, ) }, ... 208, ) == 0x0 02118 408 NtQueryValueKey (208, (208, "RestrictRun", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02119 408 NtClose (208, ... ) == 0x0 02120 408 NtReleaseSemaphore (148, 1, ... 0, ) == 0x0 02121 408 NtWaitForSingleObject (148, 0, {0, 0}, ... ) == 0x0 02122 408 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02123 408 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 208, ) }, ... 208, ) == 0x0 02124 408 NtQueryValueKey (208, (208, "DisallowRun", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02125 408 NtClose (208, ... ) == 0x0 02126 408 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\AppCompatibility\tmp-490-wlr.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02127 408 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\CheckBadApps"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02128 408 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\App Paths\tmp-490-wlr.bat"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02129 408 NtReleaseSemaphore (148, 1, ... 0, ) == 0x0 02130 408 NtWaitForSingleObject (148, 0, {0, 0}, ... ) == 0x0 02131 408 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02132 408 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 208, ) }, ... 208, ) == 0x0 02133 408 NtQueryValueKey (208, (208, "NoRunasInstallPrompt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02134 408 NtClose (208, ... ) == 0x0 02135 408 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\App Paths\tmp-490-wlr.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02136 408 NtQueryInformationJobObject (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED 02137 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\tmp-490-wlr.bat"}, 1231308, ... ) }, 1231308, ... ) == 0x0 02138 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\tmp-490-wlr.bat"}, 1232000, ... ) }, 1232000, ... ) == 0x0 02139 408 NtOpenFile (0x1000a1, {24, 0, 0x40, 0, 0, (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\tmp-490-wlr.bat"}, 5, 96, ... 208, {status=0x0, info=1}, ) }, 5, 96, ... 208, {status=0x0, info=1}, ) == 0x0 02140 408 NtCreateSection (0xf001f, 0x0, 0x0, 16, 16777216, 208, ... ) == STATUS_INVALID_IMAGE_NOT_MZ 02141 408 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 216, ) }, ... 216, ) == 0x0 02142 408 NtQueryValueKey (216, (216, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02143 408 NtClose (216, ... 
) == 0x0 02144 408 NtQueryVolumeInformationFile (208, 1231308, 8, Device, ... {status=0x0, info=8}, ) == 0x0 02145 408 NtOpenMutant (0x120001, {24, 72, 0x0, 0, 0, (0x120001, {24, 72, 0x0, 0, 0, "ShimCacheMutex"}, ... 216, ) }, ... 216, ) == 0x0 02146 408 NtWaitForSingleObject (216, 0, {-1000000, -1}, ... ) == 0x0 02147 408 NtOpenSection (0x2, {24, 72, 0x0, 0, 0, (0x2, {24, 72, 0x0, 0, 0, "ShimSharedMemory"}, ... 220, ) }, ... 220, ) == 0x0 02148 408 NtMapViewOfSection (220, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x960000), {0, 0}, 57344, ) == 0x0 02149 408 NtReleaseMutant (216, ... 0x0, ) == 0x0 02150 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1229292, ... ) }, 1229292, ... ) == 0x0 02151 408 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 224, {status=0x0, info=1}, ) }, 5, 96, ... 224, {status=0x0, info=1}, ) == 0x0 02152 408 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 224, ... 228, ) == 0x0 02153 408 NtClose (224, ... ) == 0x0 02154 408 NtMapViewOfSection (228, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x970000), 0x0, 106496, ) == 0x0 02155 408 NtClose (228, ... ) == 0x0 02156 408 NtUnmapViewOfSection (-1, 0x970000, ... ) == 0x0 02157 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1229608, ... ) }, 1229608, ... ) == 0x0 02158 408 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 228, {status=0x0, info=1}, ) }, 5, 96, ... 228, {status=0x0, info=1}, ) == 0x0 02159 408 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 228, ... 224, ) == 0x0 02160 408 NtQuerySection (224, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02161 408 NtClose (228, ... ) == 0x0 02162 408 NtMapViewOfSection (224, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... 
(0x75f40000), 0x0, 118784, ) == 0x0 02163 408 NtClose (224, ... ) == 0x0 02164 408 NtAllocateVirtualMemory (-1, 1503232, 0, 4096, 4096, 4, ... 1503232, 4096, ) == 0x0 02165 408 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 0, (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 224, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 224, {status=0x0, info=1}, ) == 0x0 02166 408 NtQueryInformationFile (224, 1229896, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02167 408 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 224, ... 228, ) == 0x0 02168 408 NtMapViewOfSection (228, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x970000), 0x0, 1028096, ) == 0x0 02169 408 NtQueryInformationFile (224, 1229992, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02170 408 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 0, (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02171 408 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 02172 408 NtQueryInformationProcess (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0 02173 408 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 232, {status=0x0, info=1}, ) }, 3, 16417, ... 232, {status=0x0, info=1}, ) == 0x0 02174 408 NtQueryDirectoryFile (232, 0, 0, 0, 1227556, 616, BothDirectory, 1, (232, 0, 0, 0, 1227556, 616, BothDirectory, 1, "tmp-490-wlr.bat", 0, ... {status=0x0, info=124}, ) , 0, ... {status=0x0, info=124}, ) == 0x0 02175 408 NtClose (232, ... ) == 0x0 02176 408 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02177 408 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... 
) == 0x0 02178 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\tmp-490-wlr.bat"}, 1226944, ... ) }, 1226944, ... ) == 0x0 02179 408 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 232, {status=0x0, info=1}, ) }, 3, 16417, ... 232, {status=0x0, info=1}, ) == 0x0 02180 408 NtQueryDirectoryFile (232, 0, 0, 0, 1226304, 616, BothDirectory, 1, (232, 0, 0, 0, 1226304, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0 02181 408 NtClose (232, ... ) == 0x0 02182 408 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 232, {status=0x0, info=1}, ) }, 3, 16417, ... 232, {status=0x0, info=1}, ) == 0x0 02183 408 NtQueryDirectoryFile (232, 0, 0, 0, 1226304, 616, BothDirectory, 1, (232, 0, 0, 0, 1226304, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0 02184 408 NtClose (232, ... ) == 0x0 02185 408 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02186 408 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02187 408 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 02188 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02189 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 232, ) == 0x0 02190 408 NtQueryInformationToken (232, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02191 408 NtClose (232, ... ) == 0x0 02192 408 NtOpenKey (0x80000100, {24, 0, 0x40, 0, 0, (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02193 408 NtOpenKey (0x80000100, {24, 0, 0x40, 0, 0, (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\tmp-490-wlr.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02194 408 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02195 408 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02196 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\tmp-490-wlr.bat"}, 1229224, ... ) }, 1229224, ... ) == 0x0 02197 408 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 232, {status=0x0, info=1}, ) }, 3, 16417, ... 232, {status=0x0, info=1}, ) == 0x0 02198 408 NtQueryDirectoryFile (232, 0, 0, 0, 1228584, 616, BothDirectory, 1, (232, 0, 0, 0, 1228584, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0 02199 408 NtClose (232, ... ) == 0x0 02200 408 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 232, {status=0x0, info=1}, ) }, 3, 16417, ... 232, {status=0x0, info=1}, ) == 0x0 02201 408 NtQueryDirectoryFile (232, 0, 0, 0, 1228584, 616, BothDirectory, 1, (232, 0, 0, 0, 1228584, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0 02202 408 NtClose (232, ... ) == 0x0 02203 408 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02204 408 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02205 408 NtWaitForSingleObject (216, 0, {-1000000, -1}, ... ) == 0x0 02206 408 NtQueryVolumeInformationFile (208, 1229868, 8, Device, ... 
{status=0x0, info=8}, ) == 0x0 02207 408 NtQueryInformationFile (208, 1229848, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 02208 408 NtQueryInformationFile (208, 1229888, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02209 408 NtReleaseMutant (216, ... 0x0, ) == 0x0 02210 408 NtUnmapViewOfSection (-1, 0x970000, ... ) == 0x0 02211 408 NtClose (228, ... ) == 0x0 02212 408 NtClose (224, ... ) == 0x0 02213 408 NtClose (208, ... ) == 0x0 02214 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\cmd.exe"}, 1231284, ... ) }, 1231284, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02215 408 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "cmd.exe"}, 1231284, ... ) }, 1231284, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02216 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\cmd.exe"}, 1231284, ... ) }, 1231284, ... ) == 0x0 02217 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\cmd.exe"}, 1232000, ... ) }, 1232000, ... ) == 0x0 02218 408 NtOpenFile (0x1000a1, {24, 0, 0x40, 0, 0, (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\cmd.exe"}, 5, 96, ... 208, {status=0x0, info=1}, ) }, 5, 96, ... 208, {status=0x0, info=1}, ) == 0x0 02219 408 NtCreateSection (0xf001f, 0x0, 0x0, 16, 16777216, 208, ... 224, ) == 0x0 02220 408 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02221 408 NtQuerySection (224, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02222 408 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02223 408 NtCreateProcessEx (1233936, 2035711, 0, -1, 0, 224, 0, 0, 0, ... 
) == 0x0 02224 408 NtSetInformationProcess (228, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02225 408 NtQueryInformationProcess (228, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=564,ParentPid=396,}, 0x0, ) == 0x0 02226 408 NtReadVirtualMemory (228, 0x7ffdf008, 4, ... (228, 0x7ffdf008, 4, ... "\0\0\320J", 0x0, ) , 0x0, ) == 0x0 02227 408 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\cmd.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02228 408 NtAllocateVirtualMemory (-1, 1507328, 0, 8192, 4096, 4, ... 1507328, 8192, ) == 0x0 02229 408 NtReadVirtualMemory (228, 0x4ad00000, 4096, ... (228, 0x4ad00000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\13+S\231OJ=\312OJ=\312OJ=\312\265i}\312IJ=\312OJ<\312\235J=\312\265i$\312HJ=\312\224h \312MJ=\312\330ix\312NJ=\312\225i!\312\177J=\312\265i\0\312NJ=\312RichOJ=\312\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0&\343};\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\0\0\310\1\0\0\364\3\0\0\0\0\0\226\245\0\0\0\20\0\0\0\300\1\0\0\0\320J\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0\340\5\0\0\4\0\0\374\313\5\0\3\0\0\200\0\0\20\0\0\0\20\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\300\310\1\0P\0\0\0\0\260\3\0\230(\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\327\1\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0P\2\0\0X\0\0\0\0\20\0\0\344\2\0\0d\305\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\270\307\1\0\0\20\0\0\0\310\1\0\0\4\0\0\0\0\0\0", 4096, ) , 4096, ) == 0x0 02230 408 NtReadVirtualMemory (228, 0x4ad3b000, 256, ... (228, 0x4ad3b000, 256, ... 
"\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\3\0\0\00\0\0\200\13\0\0\0\200\0\0\200\16\0\0\0\230\0\0\200\20\0\0\0\260\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\1\0\0\0\310\0\0\200\2\0\0\0\340\0\0\200\3\0\0\0\370\0\0\200\4\0\0\0\20\1\0\200\5\0\0\0(\1\0\200\6\0\0\0@\1\0\200\7\0\0\0X\1\0\200\10\0\0\0p\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\1\0\0\0\210\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\200\2\0\200\240\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\1\0\0\0\270\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\4\0\0\320\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\4\0\0\340\1\0\0\0\0\0\0\0\0\0\0", 256, ) , 256, ) == 0x0 02231 408 NtQueryDebugFilterState (53, 2, ... ) == 0x0 02232 408 NtQueryInformationProcess (228, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=564,ParentPid=396,}, 0x0, ) == 0x0 02233 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\U:\startupscripts"}, 1232000, ... ) }, 1232000, ... ) == 0x0 02234 408 NtAllocateVirtualMemory (-1, 0, 0, 1676, 4096, 4, ... 9895936, 4096, ) == 0x0 02235 408 NtAllocateVirtualMemory (228, 0, 0, 1910, 4096, 4, ... 65536, 4096, ) == 0x0 02236 408 NtWriteVirtualMemory (228, 0x10000, (228, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 
0x0, ) == 0x0 02237 408 NtAllocateVirtualMemory (228, 0, 0, 1676, 4096, 4, ... 131072, 4096, ) == 0x0 02238 408 NtWriteVirtualMemory (228, 0x20000, (228, 0x20000, "\0\20\0\0\214\6\0\0\0\0\0\0\0\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"\0\10\2\220\2\0\0\0\0\0\0\374\0\376\0\230\4\0\06\08\0\230\5\0\0^\0`\0\320\5\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\06\08\00\6\0\0\36\0 \0h\6\0\0\0\0\2\0\210\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1676, ... 
0x0, ) \0\10\2\220\2\0\0\0\0\0\0\374\0\376\0\230\4\0\06\08\0\230\5\0\0^\0`\0\320\5\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\06\08\00\6\0\0\36\0 \0h\6\0\0\0\0\2\0\210\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1676, ... 0x0, ) == 0x0 02239 408 NtWriteVirtualMemory (228, 0x7ffdf010, (228, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0 02240 408 NtWriteVirtualMemory (228, 0x7ffdf1e8, (228, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0 02241 408 NtFreeVirtualMemory (-1, (0x970000), 0, 32768, ... (0x970000), 4096, ) == 0x0 02242 408 NtAllocateVirtualMemory (228, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0 02243 408 NtAllocateVirtualMemory (228, 196608, 0, 1048576, 4096, 4, ... 196608, 1048576, ) == 0x0 02244 408 NtCreateThread (0x1f03ff, 0x0, 228, 1232200, 1232920, 1, ... 
232, {564, 452}, ) == 0x0 02245 408 NtRequestWaitReplyPort (24, {168, 196, new_msg, 0, 0, 1234032, 0, 0} (24, {168, 196, new_msg, 0, 0, 1234032, 0, 0} "\0\0\0\0\0\0\1\0\24\0\0\0\1\0\0\0\344\0\0\0\350\0\0\04\2\0\0\304\1\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\0\374\326\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 396, 408, 1501, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\1\0\0\0\344\0\0\0\350\0\0\04\2\0\0\304\1\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\0\374\326\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {168, 196, reply, 0, 396, 408, 1501, 0} (24, {168, 196, new_msg, 0, 0, 1234032, 0, 0} "\0\0\0\0\0\0\1\0\24\0\0\0\1\0\0\0\344\0\0\0\350\0\0\04\2\0\0\304\1\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\0\374\326\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 396, 408, 1501, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\1\0\0\0\344\0\0\0\350\0\0\04\2\0\0\304\1\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\0\374\326\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 02246 408 NtResumeThread (232, ... 1, ) == 0x0 02247 408 NtClose (208, ... ) == 0x0 02248 408 NtClose (224, ... ) == 0x0 02249 408 NtClose (214, ... ) == 0x0 02250 408 NtClose (202, ... ) == 0x0 02251 408 NtClose (206, ... 
) == 0x0 02252 408 NtClose (228, ... ) == 0x0 02253 408 NtClose (232, ... ) == 0x0 02254 408 NtUserDestroyWindow (131248, ... 02255 408 NtUserRemoveProp (131248, 43288, ... ) == 0xffffffff 02256 408 NtUserRemoveProp (131248, 43282, ... ) == 0x0 02257 408 NtUserRemoveProp (131248, 43287, ... ) == 0x0 02254 408 NtUserDestroyWindow ... ) == 0x1 02258 408 NtUserUnregisterClass (1237380, 1998258176, 1237368, ... ) == 0x1 02259 408 NtTerminateProcess (0, 0, ... ) == 0x0 02260 408 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0xd,}, 4, ... ) == 0x0 02261 408 NtWaitForMultipleObjects (2, (168, 160, ), 1, 0, 0x0, ... ) == 0x1 02262 408 NtClose (160, ... ) == 0x0 02263 408 NtSetEvent (168, ... 0x0, ) == 0x0 02264 408 NtClose (168, ... ) == 0x0 02265 408 NtWaitForMultipleObjects (2, (176, 180, ), 1, 0, 0x0, ... ) == 0x1 02266 408 NtClose (180, ... ) == 0x0 02267 408 NtSetEvent (176, ... 0x0, ) == 0x0 02268 408 NtClose (176, ... ) == 0x0 02269 408 NtWaitForMultipleObjects (2, (184, 188, ), 1, 0, 0x0, ... ) == 0x1 02270 408 NtClose (188, ... ) == 0x0 02271 408 NtSetEvent (184, ... 0x0, ) == 0x0 02272 408 NtClose (184, ... ) == 0x0 02273 408 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0xc,}, 4, ... ) == 0x0 02274 408 NtUnmapViewOfSection (-1, 0x900000, ... ) == 0x0 02275 408 NtClose (108, ... ) == 0x0 02276 408 NtGdiDeleteObjectApp (705692451, ... ) == 0x1 02277 408 NtUserGetProcessWindowStation (... ) == 0x28 02278 408 NtUserBuildNameList (40, 256, 1419936, 1241844, ... ) == 0x0 02279 408 NtUserGetProcessWindowStation (... ) == 0x28 02280 408 NtUserOpenDesktop ({24, 40, 0x40, 0, 0, ({24, 40, 0x40, 0, 0, "Default"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x6c 02281 408 NtUserBuildHwndList (108, 0, 0, 0, 64, ... 
(0x60036, 0x20060, 0x20064, 0x2005e, 0x100a0, 0x10080, 0x10074, 0x10068, 0x3004a, 0x10066, 0x3004c, 0x3003c, 0x10098, 0x1008c, 0x1007c, 0x10026, 0x100c6, 0x100be, 0x100bc, 0x100ba, 0x100b8, 0x100b6, 0x100b4, 0x100b2, 0x100ae, 0x20062, 0x100ac, 0x100a2, 0x1006c, 0x50050, 0x40054, 0x5004e, 0x1007e, 0x10076, 0x1, ), 35, ) == 0x0 02282 408 NtUserQueryWindow (393270, 0, ... ) == 0x7d4 02283 408 NtUserQueryWindow (393270, 1, ... ) == 0x7d8 02284 408 NtUserQueryWindow (131168, 0, ... ) == 0x7d4 02285 408 NtUserQueryWindow (131168, 1, ... ) == 0x7d8 02286 408 NtUserQueryWindow (131172, 0, ... ) == 0x7d4 02287 408 NtUserQueryWindow (131172, 1, ... ) == 0x7d8 02288 408 NtUserQueryWindow (131166, 0, ... ) == 0x7d4 02289 408 NtUserQueryWindow (131166, 1, ... ) == 0x7d8 02290 408 NtUserQueryWindow (65696, 0, ... ) == 0x76c 02291 408 NtUserQueryWindow (65696, 1, ... ) == 0x784 02292 408 NtUserQueryWindow (65664, 0, ... ) == 0x76c 02293 408 NtUserQueryWindow (65664, 1, ... ) == 0x784 02294 408 NtUserBuildHwndList (0, 65664, 1, 0, 64, ... (0x10082, 0x10086, 0x10088, 0x1008a, 0x1008e, 0x10090, 0x10092, 0x10094, 0x10096, 0x1009a, 0x1009c, 0x1009e, 0x1, ), 13, ) == 0x0 02295 408 NtUserQueryWindow (65666, 0, ... ) == 0x76c 02296 408 NtUserQueryWindow (65666, 1, ... ) == 0x784 02297 408 NtUserQueryWindow (65670, 0, ... ) == 0x76c 02298 408 NtUserQueryWindow (65670, 1, ... ) == 0x784 02299 408 NtUserQueryWindow (65672, 0, ... ) == 0x76c 02300 408 NtUserQueryWindow (65672, 1, ... ) == 0x784 02301 408 NtUserQueryWindow (65674, 0, ... ) == 0x76c 02302 408 NtUserQueryWindow (65674, 1, ... ) == 0x784 02303 408 NtUserQueryWindow (65678, 0, ... ) == 0x76c 02304 408 NtUserQueryWindow (65678, 1, ... ) == 0x784 02305 408 NtUserQueryWindow (65680, 0, ... ) == 0x76c 02306 408 NtUserQueryWindow (65680, 1, ... ) == 0x784 02307 408 NtUserQueryWindow (65682, 0, ... ) == 0x76c 02308 408 NtUserQueryWindow (65682, 1, ... ) == 0x784 02309 408 NtUserQueryWindow (65684, 0, ... 
) == 0x76c 02310 408 NtUserQueryWindow (65684, 1, ... ) == 0x784 02311 408 NtUserQueryWindow (65686, 0, ... ) == 0x76c 02312 408 NtUserQueryWindow (65686, 1, ... ) == 0x784 02313 408 NtUserQueryWindow (65690, 0, ... ) == 0x76c 02314 408 NtUserQueryWindow (65690, 1, ... ) == 0x784 02315 408 NtUserQueryWindow (65692, 0, ... ) == 0x76c 02316 408 NtUserQueryWindow (65692, 1, ... ) == 0x784 02317 408 NtUserQueryWindow (65694, 0, ... ) == 0x76c 02318 408 NtUserQueryWindow (65694, 1, ... ) == 0x784 02319 408 NtUserQueryWindow (65652, 0, ... ) == 0x76c 02320 408 NtUserQueryWindow (65652, 1, ... ) == 0x784 02321 408 NtUserQueryWindow (65640, 0, ... ) == 0x76c 02322 408 NtUserQueryWindow (65640, 1, ... ) == 0x784 02323 408 NtUserQueryWindow (196682, 0, ... ) == 0x76c 02324 408 NtUserQueryWindow (196682, 1, ... ) == 0x784 02325 408 NtUserQueryWindow (65638, 0, ... ) == 0x76c 02326 408 NtUserQueryWindow (65638, 1, ... ) == 0x784 02327 408 NtUserQueryWindow (196684, 0, ... ) == 0x76c 02328 408 NtUserQueryWindow (196684, 1, ... ) == 0x784 02329 408 NtUserQueryWindow (196668, 0, ... ) == 0x76c 02330 408 NtUserQueryWindow (196668, 1, ... ) == 0x784 02331 408 NtUserBuildHwndList (0, 196668, 1, 0, 64, ... (0x3003e, 0x30042, 0x30040, 0x30044, 0x30046, 0x30048, 0x1006a, 0x1006e, 0x10072, 0x1, ), 10, ) == 0x0 02332 408 NtUserQueryWindow (196670, 0, ... ) == 0x76c 02333 408 NtUserQueryWindow (196670, 1, ... ) == 0x784 02334 408 NtUserQueryWindow (196674, 0, ... ) == 0x76c 02335 408 NtUserQueryWindow (196674, 1, ... ) == 0x784 02336 408 NtUserQueryWindow (196672, 0, ... ) == 0x76c 02337 408 NtUserQueryWindow (196672, 1, ... ) == 0x784 02338 408 NtUserQueryWindow (196676, 0, ... ) == 0x76c 02339 408 NtUserQueryWindow (196676, 1, ... ) == 0x784 02340 408 NtUserQueryWindow (196678, 0, ... ) == 0x76c 02341 408 NtUserQueryWindow (196678, 1, ... ) == 0x784 02342 408 NtUserQueryWindow (196680, 0, ... ) == 0x76c 02343 408 NtUserQueryWindow (196680, 1, ... 
) == 0x784 02344 408 NtUserQueryWindow (65642, 0, ... ) == 0x76c 02345 408 NtUserQueryWindow (65642, 1, ... ) == 0x784 02346 408 NtUserQueryWindow (65646, 0, ... ) == 0x76c 02347 408 NtUserQueryWindow (65646, 1, ... ) == 0x784 02348 408 NtUserQueryWindow (65650, 0, ... ) == 0x76c 02349 408 NtUserQueryWindow (65650, 1, ... ) == 0x784 02350 408 NtUserQueryWindow (65688, 0, ... ) == 0x76c 02351 408 NtUserQueryWindow (65688, 1, ... ) == 0x784 02352 408 NtUserQueryWindow (65676, 0, ... ) == 0x76c 02353 408 NtUserQueryWindow (65676, 1, ... ) == 0x784 02354 408 NtUserQueryWindow (65660, 0, ... ) == 0x76c 02355 408 NtUserQueryWindow (65660, 1, ... ) == 0x770 02356 408 NtUserQueryWindow (65574, 0, ... ) == 0x268 02357 408 NtUserQueryWindow (65574, 1, ... ) == 0x2c4 02358 408 NtUserQueryWindow (65734, 0, ... ) == 0x234 02359 408 NtUserQueryWindow (65734, 1, ... ) == 0x1c4 02360 408 NtUserQueryWindow (65726, 0, ... ) == 0x7e0 02361 408 NtUserQueryWindow (65726, 1, ... ) == 0x7e4 02362 408 NtUserQueryWindow (65724, 0, ... ) == 0x7e0 02363 408 NtUserQueryWindow (65724, 1, ... ) == 0x7e4 02364 408 NtUserQueryWindow (65722, 0, ... ) == 0x7e0 02365 408 NtUserQueryWindow (65722, 1, ... ) == 0x7e4 02366 408 NtUserQueryWindow (65720, 0, ... ) == 0x7e0 02367 408 NtUserQueryWindow (65720, 1, ... ) == 0x7e4 02368 408 NtUserQueryWindow (65718, 0, ... ) == 0x7e0 02369 408 NtUserQueryWindow (65718, 1, ... ) == 0x7e4 02370 408 NtUserQueryWindow (65716, 0, ... ) == 0x7e0 02371 408 NtUserQueryWindow (65716, 1, ... ) == 0x7e4 02372 408 NtUserQueryWindow (65714, 0, ... ) == 0x7e0 02373 408 NtUserQueryWindow (65714, 1, ... ) == 0x7e4 02374 408 NtUserQueryWindow (65710, 0, ... ) == 0x7e0 02375 408 NtUserQueryWindow (65710, 1, ... ) == 0x7e4 02376 408 NtUserQueryWindow (131170, 0, ... ) == 0x7f4 02377 408 NtUserQueryWindow (131170, 1, ... ) == 0x7f8 02378 408 NtUserQueryWindow (65708, 0, ... ) == 0x7d4 02379 408 NtUserQueryWindow (65708, 1, ... ) == 0x7d8 02380 408 NtUserQueryWindow (65698, 0, ... 
) == 0x7c0 02381 408 NtUserQueryWindow (65698, 1, ... ) == 0x7c4 02382 408 NtUserQueryWindow (65644, 0, ... ) == 0x76c 02383 408 NtUserQueryWindow (65644, 1, ... ) == 0x79c 02384 408 NtUserQueryWindow (327760, 0, ... ) == 0x76c 02385 408 NtUserQueryWindow (327760, 1, ... ) == 0x770 02386 408 NtUserQueryWindow (262228, 0, ... ) == 0x76c 02387 408 NtUserQueryWindow (262228, 1, ... ) == 0x770 02388 408 NtUserQueryWindow (327758, 0, ... ) == 0x76c 02389 408 NtUserQueryWindow (327758, 1, ... ) == 0x770 02390 408 NtUserQueryWindow (65662, 0, ... ) == 0x76c 02391 408 NtUserQueryWindow (65662, 1, ... ) == 0x770 02392 408 NtUserQueryWindow (65654, 0, ... ) == 0x76c 02393 408 NtUserQueryWindow (65654, 1, ... ) == 0x770 02394 408 NtUserBuildHwndList (0, 65654, 1, 0, 64, ... (0x10078, 0x1007a, 0x1, ), 3, ) == 0x0 02395 408 NtUserQueryWindow (65656, 0, ... ) == 0x76c 02396 408 NtUserQueryWindow (65656, 1, ... ) == 0x770 02397 408 NtUserQueryWindow (65658, 0, ... ) == 0x76c 02398 408 NtUserQueryWindow (65658, 1, ... ) == 0x770 02399 408 NtUserCloseDesktop (108, ... 02400 408 NtClose (108, ... ) == 0x0 02399 408 NtUserCloseDesktop ... ) == 0x1 02401 408 NtUserGetProcessWindowStation (... ) == 0x28 02402 408 NtUserOpenDesktop ({24, 40, 0x40, 0, 0, ({24, 40, 0x40, 0, 0, "Disconnect"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0 02403 408 NtUserGetProcessWindowStation (... ) == 0x28 02404 408 NtUserOpenDesktop ({24, 40, 0x40, 0, 0, ({24, 40, 0x40, 0, 0, "Winlogon"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0 02405 408 NtGdiDeleteObjectApp (319423277, ... ) == 0x1 02406 408 NtGdiDeleteObjectApp (369755084, ... ) == 0x1 02407 408 NtClose (100, ... ) == 0x0 02408 408 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0xb,}, 4, ... ) == 0x0 02409 408 NtClose (92, ... ) == 0x0 02410 408 NtUnmapViewOfSection (-1, 0x8d0000, ... ) == 0x0 02411 408 NtClose (96, ... ) == 0x0 02412 408 NtClose (88, ... ) == 0x0 02413 408 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x6,}, 4, ... 
) == 0x0 02414 408 NtUserGetClassInfo (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc03b 02415 408 NtUserUnregisterClass (1241896, 1999896576, 1241884, ... ) == 0x1 02416 408 NtUserGetClassInfo (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc03d 02417 408 NtUserUnregisterClass (1241896, 1999896576, 1241884, ... ) == 0x1 02418 408 NtUserGetClassInfo (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc03f 02419 408 NtUserUnregisterClass (1241896, 1999896576, 1241884, ... ) == 0x1 02420 408 NtUserGetClassInfo (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc041 02421 408 NtUserUnregisterClass (1241896, 1999896576, 1241884, ... ) == 0x1 02422 408 NtUserGetClassInfo (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc043 02423 408 NtUserUnregisterClass (1241896, 1999896576, 1241884, ... ) == 0x1 02424 408 NtUserGetClassInfo (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc045 02425 408 NtUserUnregisterClass (1241896, 1999896576, 1241884, ... ) == 0x1 02426 408 NtUserGetClassInfo (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc047 02427 408 NtUserUnregisterClass (1241896, 1999896576, 1241884, ... ) == 0x1 02428 408 NtUserGetClassInfo (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc049 02429 408 NtUserUnregisterClass (1241896, 1999896576, 1241884, ... ) == 0x1 02430 408 NtUserGetClassInfo (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc04b 02431 408 NtUserUnregisterClass (1241896, 1999896576, 1241884, ... ) == 0x1 02432 408 NtUserGetClassInfo (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc04d 02433 408 NtUserUnregisterClass (1241896, 1999896576, 1241884, ... ) == 0x1 02434 408 NtUserGetClassInfo (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc04f 02435 408 NtUserUnregisterClass (1241896, 1999896576, 1241884, ... ) == 0x1 02436 408 NtUserGetClassInfo (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc051 02437 408 NtUserUnregisterClass (1241896, 1999896576, 1241884, ... 
) == 0x1 02438 408 NtUserGetClassInfo (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc053 02439 408 NtUserUnregisterClass (1241896, 1999896576, 1241884, ... ) == 0x1 02440 408 NtUserGetClassInfo (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc057 02441 408 NtUserUnregisterClass (1241896, 1999896576, 1241884, ... ) == 0x1 02442 408 NtUserGetClassInfo (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc059 02443 408 NtUserUnregisterClass (1241896, 1999896576, 1241884, ... ) == 0x1 02444 408 NtUserGetClassInfo (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc05b 02445 408 NtUserUnregisterClass (1241896, 1999896576, 1241884, ... ) == 0x1 02446 408 NtUserGetClassInfo (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc05d 02447 408 NtUserUnregisterClass (1241896, 1999896576, 1241884, ... ) == 0x1 02448 408 NtUserGetClassInfo (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc05f 02449 408 NtUserUnregisterClass (1241896, 1999896576, 1241884, ... ) == 0x1 02450 408 NtUserGetClassInfo (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc03b 02451 408 NtUserUnregisterClass (1241896, 1905590272, 1241884, ... ) == 0x1 02452 408 NtUserGetClassInfo (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc03d 02453 408 NtUserUnregisterClass (1241896, 1905590272, 1241884, ... ) == 0x1 02454 408 NtUserGetClassInfo (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc03f 02455 408 NtUserUnregisterClass (1241896, 1905590272, 1241884, ... ) == 0x1 02456 408 NtUserGetClassInfo (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc041 02457 408 NtUserUnregisterClass (1241896, 1905590272, 1241884, ... ) == 0x1 02458 408 NtUserGetClassInfo (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc043 02459 408 NtUserUnregisterClass (1241896, 1905590272, 1241884, ... ) == 0x1 02460 408 NtUserGetClassInfo (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc045 02461 408 NtUserUnregisterClass (1241896, 1905590272, 1241884, ... 
) == 0x1 02462 408 NtUserGetClassInfo (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc047 02463 408 NtUserUnregisterClass (1241896, 1905590272, 1241884, ... ) == 0x1 02464 408 NtUserGetClassInfo (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc049 02465 408 NtUserUnregisterClass (1241896, 1905590272, 1241884, ... ) == 0x1 02466 408 NtUserGetClassInfo (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc04b 02467 408 NtUserUnregisterClass (1241896, 1905590272, 1241884, ... ) == 0x1 02468 408 NtUserGetClassInfo (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc04d 02469 408 NtUserUnregisterClass (1241896, 1905590272, 1241884, ... ) == 0x1 02470 408 NtUserGetClassInfo (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc04f 02471 408 NtUserUnregisterClass (1241896, 1905590272, 1241884, ... ) == 0x1 02472 408 NtUserGetClassInfo (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc051 02473 408 NtUserUnregisterClass (1241896, 1905590272, 1241884, ... ) == 0x1 02474 408 NtUserGetClassInfo (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc053 02475 408 NtUserUnregisterClass (1241896, 1905590272, 1241884, ... ) == 0x1 02476 408 NtUserGetClassInfo (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc057 02477 408 NtUserUnregisterClass (1241896, 1905590272, 1241884, ... ) == 0x1 02478 408 NtUserGetClassInfo (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc059 02479 408 NtUserUnregisterClass (1241896, 1905590272, 1241884, ... ) == 0x1 02480 408 NtUserGetClassInfo (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc05b 02481 408 NtUserUnregisterClass (1241896, 1905590272, 1241884, ... ) == 0x1 02482 408 NtUserGetClassInfo (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc05d 02483 408 NtUserUnregisterClass (1241896, 1905590272, 1241884, ... ) == 0x1 02484 408 NtUserGetClassInfo (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc05f 02485 408 NtUserUnregisterClass (1241896, 1905590272, 1241884, ... 
) == 0x1 02486 408 NtUserGetClassInfo (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc017 02487 408 NtUserUnregisterClass (1241896, 1905590272, 1241884, ... ) == 0x1 02488 408 NtUserGetClassInfo (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc019 02489 408 NtUserUnregisterClass (1241896, 1905590272, 1241884, ... ) == 0x1 02490 408 NtUserGetClassInfo (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc018 02491 408 NtUserUnregisterClass (1241896, 1905590272, 1241884, ... ) == 0x1 02492 408 NtUserGetClassInfo (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc01a 02493 408 NtUserUnregisterClass (1241896, 1905590272, 1241884, ... ) == 0x1 02494 408 NtUserGetClassInfo (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc01c 02495 408 NtUserUnregisterClass (1241896, 1905590272, 1241884, ... ) == 0x1 02496 408 NtUserGetClassInfo (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc01e 02497 408 NtUserUnregisterClass (1241896, 1905590272, 1241884, ... ) == 0x1 02498 408 NtUserGetClassInfo (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc01b 02499 408 NtUserUnregisterClass (1241896, 1905590272, 1241884, ... ) == 0x1 02500 408 NtUserGetClassInfo (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc068 02501 408 NtUserUnregisterClass (1241896, 1905590272, 1241884, ... ) == 0x1 02502 408 NtUserGetClassInfo (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc06a 02503 408 NtUserUnregisterClass (1241896, 1905590272, 1241884, ... ) == 0x1 02504 408 NtUnmapViewOfSection (-1, 0x8e0000, ... ) == 0x0 02505 408 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x4,}, 4, ... ) == 0x0 02506 408 NtClose (172, ... ) == 0x0 02507 408 NtClose (148, ... ) == 0x0 02508 408 NtClose (164, ... ) == 0x0 02509 408 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x1,}, 4, ... ) == 0x0 02510 408 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x2,}, 4, ... ) == 0x0 02511 408 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x3,}, 4, ... 
) == 0x0 02512 408 NtClose (152, ... ) == 0x0 02513 408 NtClose (156, ... ) == 0x0 02514 408 NtClose (104, ... ) == 0x0 02515 408 NtFreeVirtualMemory (-1, (0x0), 0, 32768, ... ) == STATUS_MEMORY_NOT_ALLOCATED 02516 408 NtRequestWaitReplyPort (24, {20, 48, new_msg, 0, 0, 0, 0, 0} (24, {20, 48, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 396, 408, 1526, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {20, 48, reply, 0, 396, 408, 1526, 0} (24, {20, 48, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 396, 408, 1526, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 02517 408 NtTerminateProcess (-1, 0, ... 02518 408 NtClose (44, ... ) == 0x0